xref: /freebsd/crypto/openssl/engines/e_ossltest.c (revision 1719886f6d08408b834d270c59ffcfd821c8f63a)
1 /*
2  * Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the Apache License 2.0 (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9 
10 /*
11  * This is the OSSLTEST engine. It provides deliberately crippled digest
12  * implementations for test purposes. It is highly insecure and must NOT be
13  * used for any purpose except testing
14  */
15 
16 /* We need to use some engine deprecated APIs */
17 #define OPENSSL_SUPPRESS_DEPRECATED
18 
19 /*
20  * SHA low level APIs are deprecated for public use, but still ok for
21  * internal use.  Note, that due to symbols not being exported, only the
22  * #defines and type definitions can be accessed, function calls are not
23  * available.  The digest lengths, block sizes and sizeof(CTX) are used herein
24  * for several different digests.
25  */
26 #include "internal/deprecated.h"
27 
28 #include <stdio.h>
29 #include <string.h>
30 
31 #include <openssl/engine.h>
32 #include <openssl/sha.h>
33 #include <openssl/md5.h>
34 #include <openssl/rsa.h>
35 #include <openssl/evp.h>
36 #include <openssl/modes.h>
37 #include <openssl/aes.h>
38 #include <openssl/rand.h>
39 #include <openssl/crypto.h>
40 #include <openssl/pem.h>
41 #include <crypto/evp.h>
42 
43 #include "e_ossltest_err.c"
44 
45 /* Engine Id and Name */
46 static const char *engine_ossltest_id = "ossltest";
47 static const char *engine_ossltest_name = "OpenSSL Test engine support";
48 
49 
50 /* Engine Lifetime functions */
51 static int ossltest_destroy(ENGINE *e);
52 static int ossltest_init(ENGINE *e);
53 static int ossltest_finish(ENGINE *e);
54 void ENGINE_load_ossltest(void);
55 
56 
57 /* Set up digests */
58 static int ossltest_digests(ENGINE *e, const EVP_MD **digest,
59                           const int **nids, int nid);
60 static const RAND_METHOD *ossltest_rand_method(void);
61 
62 /* MD5 */
63 static int digest_md5_init(EVP_MD_CTX *ctx);
64 static int digest_md5_update(EVP_MD_CTX *ctx, const void *data,
65                              size_t count);
66 static int digest_md5_final(EVP_MD_CTX *ctx, unsigned char *md);
67 
68 static EVP_MD *_hidden_md5_md = NULL;
69 static const EVP_MD *digest_md5(void)
70 {
71     if (_hidden_md5_md == NULL) {
72         EVP_MD *md;
73 
74         if ((md = EVP_MD_meth_new(NID_md5, NID_md5WithRSAEncryption)) == NULL
75             || !EVP_MD_meth_set_result_size(md, MD5_DIGEST_LENGTH)
76             || !EVP_MD_meth_set_input_blocksize(md, MD5_CBLOCK)
77             || !EVP_MD_meth_set_app_datasize(md,
78                                              sizeof(EVP_MD *) + sizeof(MD5_CTX))
79             || !EVP_MD_meth_set_flags(md, 0)
80             || !EVP_MD_meth_set_init(md, digest_md5_init)
81             || !EVP_MD_meth_set_update(md, digest_md5_update)
82             || !EVP_MD_meth_set_final(md, digest_md5_final)) {
83             EVP_MD_meth_free(md);
84             md = NULL;
85         }
86         _hidden_md5_md = md;
87     }
88     return _hidden_md5_md;
89 }
90 
91 /* SHA1 */
92 static int digest_sha1_init(EVP_MD_CTX *ctx);
93 static int digest_sha1_update(EVP_MD_CTX *ctx, const void *data,
94                               size_t count);
95 static int digest_sha1_final(EVP_MD_CTX *ctx, unsigned char *md);
96 
97 static EVP_MD *_hidden_sha1_md = NULL;
98 static const EVP_MD *digest_sha1(void)
99 {
100     if (_hidden_sha1_md == NULL) {
101         EVP_MD *md;
102 
103         if ((md = EVP_MD_meth_new(NID_sha1, NID_sha1WithRSAEncryption)) == NULL
104             || !EVP_MD_meth_set_result_size(md, SHA_DIGEST_LENGTH)
105             || !EVP_MD_meth_set_input_blocksize(md, SHA_CBLOCK)
106             || !EVP_MD_meth_set_app_datasize(md,
107                                              sizeof(EVP_MD *) + sizeof(SHA_CTX))
108             || !EVP_MD_meth_set_flags(md, EVP_MD_FLAG_DIGALGID_ABSENT)
109             || !EVP_MD_meth_set_init(md, digest_sha1_init)
110             || !EVP_MD_meth_set_update(md, digest_sha1_update)
111             || !EVP_MD_meth_set_final(md, digest_sha1_final)) {
112             EVP_MD_meth_free(md);
113             md = NULL;
114         }
115         _hidden_sha1_md = md;
116     }
117     return _hidden_sha1_md;
118 }
119 
120 /* SHA256 */
121 static int digest_sha256_init(EVP_MD_CTX *ctx);
122 static int digest_sha256_update(EVP_MD_CTX *ctx, const void *data,
123                                 size_t count);
124 static int digest_sha256_final(EVP_MD_CTX *ctx, unsigned char *md);
125 
126 static EVP_MD *_hidden_sha256_md = NULL;
127 static const EVP_MD *digest_sha256(void)
128 {
129     if (_hidden_sha256_md == NULL) {
130         EVP_MD *md;
131 
132         if ((md = EVP_MD_meth_new(NID_sha256, NID_sha256WithRSAEncryption)) == NULL
133             || !EVP_MD_meth_set_result_size(md, SHA256_DIGEST_LENGTH)
134             || !EVP_MD_meth_set_input_blocksize(md, SHA256_CBLOCK)
135             || !EVP_MD_meth_set_app_datasize(md,
136                                              sizeof(EVP_MD *) + sizeof(SHA256_CTX))
137             || !EVP_MD_meth_set_flags(md, EVP_MD_FLAG_DIGALGID_ABSENT)
138             || !EVP_MD_meth_set_init(md, digest_sha256_init)
139             || !EVP_MD_meth_set_update(md, digest_sha256_update)
140             || !EVP_MD_meth_set_final(md, digest_sha256_final)) {
141             EVP_MD_meth_free(md);
142             md = NULL;
143         }
144         _hidden_sha256_md = md;
145     }
146     return _hidden_sha256_md;
147 }
148 
149 /* SHA384/SHA512 */
150 static int digest_sha384_init(EVP_MD_CTX *ctx);
151 static int digest_sha384_update(EVP_MD_CTX *ctx, const void *data,
152                                 size_t count);
153 static int digest_sha384_final(EVP_MD_CTX *ctx, unsigned char *md);
154 
155 static int digest_sha512_init(EVP_MD_CTX *ctx);
156 static int digest_sha512_update(EVP_MD_CTX *ctx, const void *data,
157                                 size_t count);
158 static int digest_sha512_final(EVP_MD_CTX *ctx, unsigned char *md);
159 
160 static EVP_MD *_hidden_sha384_md = NULL;
161 static const EVP_MD *digest_sha384(void)
162 {
163     if (_hidden_sha384_md == NULL) {
164         EVP_MD *md;
165 
166         if ((md = EVP_MD_meth_new(NID_sha384, NID_sha384WithRSAEncryption)) == NULL
167             || !EVP_MD_meth_set_result_size(md, SHA384_DIGEST_LENGTH)
168             || !EVP_MD_meth_set_input_blocksize(md, SHA512_CBLOCK)
169             || !EVP_MD_meth_set_app_datasize(md,
170                                              sizeof(EVP_MD *) + sizeof(SHA512_CTX))
171             || !EVP_MD_meth_set_flags(md, EVP_MD_FLAG_DIGALGID_ABSENT)
172             || !EVP_MD_meth_set_init(md, digest_sha384_init)
173             || !EVP_MD_meth_set_update(md, digest_sha384_update)
174             || !EVP_MD_meth_set_final(md, digest_sha384_final)) {
175             EVP_MD_meth_free(md);
176             md = NULL;
177         }
178         _hidden_sha384_md = md;
179     }
180     return _hidden_sha384_md;
181 }
182 static EVP_MD *_hidden_sha512_md = NULL;
183 static const EVP_MD *digest_sha512(void)
184 {
185     if (_hidden_sha512_md == NULL) {
186         EVP_MD *md;
187 
188         if ((md = EVP_MD_meth_new(NID_sha512, NID_sha512WithRSAEncryption)) == NULL
189             || !EVP_MD_meth_set_result_size(md, SHA512_DIGEST_LENGTH)
190             || !EVP_MD_meth_set_input_blocksize(md, SHA512_CBLOCK)
191             || !EVP_MD_meth_set_app_datasize(md,
192                                              sizeof(EVP_MD *) + sizeof(SHA512_CTX))
193             || !EVP_MD_meth_set_flags(md, EVP_MD_FLAG_DIGALGID_ABSENT)
194             || !EVP_MD_meth_set_init(md, digest_sha512_init)
195             || !EVP_MD_meth_set_update(md, digest_sha512_update)
196             || !EVP_MD_meth_set_final(md, digest_sha512_final)) {
197             EVP_MD_meth_free(md);
198             md = NULL;
199         }
200         _hidden_sha512_md = md;
201     }
202     return _hidden_sha512_md;
203 }
204 static void destroy_digests(void)
205 {
206     EVP_MD_meth_free(_hidden_md5_md);
207     _hidden_md5_md = NULL;
208     EVP_MD_meth_free(_hidden_sha1_md);
209     _hidden_sha1_md = NULL;
210     EVP_MD_meth_free(_hidden_sha256_md);
211     _hidden_sha256_md = NULL;
212     EVP_MD_meth_free(_hidden_sha384_md);
213     _hidden_sha384_md = NULL;
214     EVP_MD_meth_free(_hidden_sha512_md);
215     _hidden_sha512_md = NULL;
216 }
217 static int ossltest_digest_nids(const int **nids)
218 {
219     static int digest_nids[6] = { 0, 0, 0, 0, 0, 0 };
220     static int pos = 0;
221     static int init = 0;
222 
223     if (!init) {
224         const EVP_MD *md;
225         if ((md = digest_md5()) != NULL)
226             digest_nids[pos++] = EVP_MD_get_type(md);
227         if ((md = digest_sha1()) != NULL)
228             digest_nids[pos++] = EVP_MD_get_type(md);
229         if ((md = digest_sha256()) != NULL)
230             digest_nids[pos++] = EVP_MD_get_type(md);
231         if ((md = digest_sha384()) != NULL)
232             digest_nids[pos++] = EVP_MD_get_type(md);
233         if ((md = digest_sha512()) != NULL)
234             digest_nids[pos++] = EVP_MD_get_type(md);
235         digest_nids[pos] = 0;
236         init = 1;
237     }
238     *nids = digest_nids;
239     return pos;
240 }
241 
242 /* Setup ciphers */
243 static int ossltest_ciphers(ENGINE *, const EVP_CIPHER **,
244                             const int **, int);
245 
246 static int ossltest_cipher_nids[] = {
247     NID_aes_128_cbc, NID_aes_128_gcm,
248     NID_aes_128_cbc_hmac_sha1, 0
249 };
250 
251 /* AES128 */
252 
253 static int ossltest_aes128_init_key(EVP_CIPHER_CTX *ctx,
254                                     const unsigned char *key,
255                                     const unsigned char *iv, int enc);
256 static int ossltest_aes128_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
257                                       const unsigned char *in, size_t inl);
258 static int ossltest_aes128_gcm_init_key(EVP_CIPHER_CTX *ctx,
259                                         const unsigned char *key,
260                                         const unsigned char *iv, int enc);
261 static int ossltest_aes128_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
262                                       const unsigned char *in, size_t inl);
263 static int ossltest_aes128_gcm_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
264                                     void *ptr);
265 static int ossltest_aes128_cbc_hmac_sha1_init_key(EVP_CIPHER_CTX *ctx,
266                                                   const unsigned char *key,
267                                                   const unsigned char *iv,
268                                                   int enc);
269 static int ossltest_aes128_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx,
270                                                 unsigned char *out,
271                                                 const unsigned char *in,
272                                                 size_t inl);
273 static int ossltest_aes128_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type,
274                                               int arg, void *ptr);
275 
276 typedef struct {
277     size_t payload_length;      /* AAD length in decrypt case */
278     unsigned int tls_ver;
279 } EVP_AES_HMAC_SHA1;
280 
281 static EVP_CIPHER *_hidden_aes_128_cbc = NULL;
282 static const EVP_CIPHER *ossltest_aes_128_cbc(void)
283 {
284     if (_hidden_aes_128_cbc == NULL
285         && ((_hidden_aes_128_cbc = EVP_CIPHER_meth_new(NID_aes_128_cbc,
286                                                        16 /* block size */,
287                                                        16 /* key len */)) == NULL
288             || !EVP_CIPHER_meth_set_iv_length(_hidden_aes_128_cbc,16)
289             || !EVP_CIPHER_meth_set_flags(_hidden_aes_128_cbc,
290                                           EVP_CIPH_FLAG_DEFAULT_ASN1
291                                           | EVP_CIPH_CBC_MODE)
292             || !EVP_CIPHER_meth_set_init(_hidden_aes_128_cbc,
293                                          ossltest_aes128_init_key)
294             || !EVP_CIPHER_meth_set_do_cipher(_hidden_aes_128_cbc,
295                                               ossltest_aes128_cbc_cipher)
296             || !EVP_CIPHER_meth_set_impl_ctx_size(_hidden_aes_128_cbc,
297                     EVP_CIPHER_impl_ctx_size(EVP_aes_128_cbc())))) {
298         EVP_CIPHER_meth_free(_hidden_aes_128_cbc);
299         _hidden_aes_128_cbc = NULL;
300     }
301     return _hidden_aes_128_cbc;
302 }
303 
304 static EVP_CIPHER *_hidden_aes_128_gcm = NULL;
305 
306 #define AES_GCM_FLAGS   (EVP_CIPH_FLAG_DEFAULT_ASN1 \
307                 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
308                 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \
309                 | EVP_CIPH_CUSTOM_COPY |EVP_CIPH_FLAG_AEAD_CIPHER \
310                 | EVP_CIPH_GCM_MODE)
311 
312 static const EVP_CIPHER *ossltest_aes_128_gcm(void)
313 {
314     if (_hidden_aes_128_gcm == NULL
315         && ((_hidden_aes_128_gcm = EVP_CIPHER_meth_new(NID_aes_128_gcm,
316                                                        1 /* block size */,
317                                                        16 /* key len */)) == NULL
318             || !EVP_CIPHER_meth_set_iv_length(_hidden_aes_128_gcm,12)
319             || !EVP_CIPHER_meth_set_flags(_hidden_aes_128_gcm, AES_GCM_FLAGS)
320             || !EVP_CIPHER_meth_set_init(_hidden_aes_128_gcm,
321                                          ossltest_aes128_gcm_init_key)
322             || !EVP_CIPHER_meth_set_do_cipher(_hidden_aes_128_gcm,
323                                               ossltest_aes128_gcm_cipher)
324             || !EVP_CIPHER_meth_set_ctrl(_hidden_aes_128_gcm,
325                                               ossltest_aes128_gcm_ctrl)
326             || !EVP_CIPHER_meth_set_impl_ctx_size(_hidden_aes_128_gcm,
327                     EVP_CIPHER_impl_ctx_size(EVP_aes_128_gcm())))) {
328         EVP_CIPHER_meth_free(_hidden_aes_128_gcm);
329         _hidden_aes_128_gcm = NULL;
330     }
331     return _hidden_aes_128_gcm;
332 }
333 
334 static EVP_CIPHER *_hidden_aes_128_cbc_hmac_sha1 = NULL;
335 
336 static const EVP_CIPHER *ossltest_aes_128_cbc_hmac_sha1(void)
337 {
338     if (_hidden_aes_128_cbc_hmac_sha1 == NULL
339         && ((_hidden_aes_128_cbc_hmac_sha1
340              = EVP_CIPHER_meth_new(NID_aes_128_cbc_hmac_sha1,
341                                    16 /* block size */,
342                                    16 /* key len */)) == NULL
343             || !EVP_CIPHER_meth_set_iv_length(_hidden_aes_128_cbc_hmac_sha1,16)
344             || !EVP_CIPHER_meth_set_flags(_hidden_aes_128_cbc_hmac_sha1,
345                    EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1 |
346                    EVP_CIPH_FLAG_AEAD_CIPHER)
347             || !EVP_CIPHER_meth_set_init(_hidden_aes_128_cbc_hmac_sha1,
348                    ossltest_aes128_cbc_hmac_sha1_init_key)
349             || !EVP_CIPHER_meth_set_do_cipher(_hidden_aes_128_cbc_hmac_sha1,
350                    ossltest_aes128_cbc_hmac_sha1_cipher)
351             || !EVP_CIPHER_meth_set_ctrl(_hidden_aes_128_cbc_hmac_sha1,
352                                          ossltest_aes128_cbc_hmac_sha1_ctrl)
353             || !EVP_CIPHER_meth_set_set_asn1_params(_hidden_aes_128_cbc_hmac_sha1,
354                    EVP_CIPH_FLAG_DEFAULT_ASN1 ? NULL : EVP_CIPHER_set_asn1_iv)
355             || !EVP_CIPHER_meth_set_get_asn1_params(_hidden_aes_128_cbc_hmac_sha1,
356                    EVP_CIPH_FLAG_DEFAULT_ASN1 ? NULL : EVP_CIPHER_get_asn1_iv)
357             || !EVP_CIPHER_meth_set_impl_ctx_size(_hidden_aes_128_cbc_hmac_sha1,
358                    sizeof(EVP_AES_HMAC_SHA1)))) {
359         EVP_CIPHER_meth_free(_hidden_aes_128_cbc_hmac_sha1);
360         _hidden_aes_128_cbc_hmac_sha1 = NULL;
361     }
362     return _hidden_aes_128_cbc_hmac_sha1;
363 }
364 
365 static void destroy_ciphers(void)
366 {
367     EVP_CIPHER_meth_free(_hidden_aes_128_cbc);
368     EVP_CIPHER_meth_free(_hidden_aes_128_gcm);
369     EVP_CIPHER_meth_free(_hidden_aes_128_cbc_hmac_sha1);
370     _hidden_aes_128_cbc = NULL;
371     _hidden_aes_128_gcm = NULL;
372     _hidden_aes_128_cbc_hmac_sha1 = NULL;
373 }
374 
375 /* Key loading */
376 static EVP_PKEY *load_key(ENGINE *eng, const char *key_id, int pub,
377                           UI_METHOD *ui_method, void *ui_data)
378 {
379     BIO *in;
380     EVP_PKEY *key;
381 
382     if (OPENSSL_strncasecmp(key_id, "ot:", 3) != 0)
383         return NULL;
384     key_id += 3;
385 
386     fprintf(stderr, "[ossltest]Loading %s key %s\n",
387             pub ? "Public" : "Private", key_id);
388     in = BIO_new_file(key_id, "r");
389     if (!in)
390         return NULL;
391     if (pub)
392         key = PEM_read_bio_PUBKEY(in, NULL, 0, NULL);
393     else
394         key = PEM_read_bio_PrivateKey(in, NULL, 0, NULL);
395     BIO_free(in);
396     return key;
397 }
398 
399 static EVP_PKEY *ossltest_load_privkey(ENGINE *eng, const char *key_id,
400                                        UI_METHOD *ui_method, void *ui_data)
401 {
402     return load_key(eng, key_id, 0, ui_method, ui_data);
403 }
404 
405 static EVP_PKEY *ossltest_load_pubkey(ENGINE *eng, const char *key_id,
406                                       UI_METHOD *ui_method, void *ui_data)
407 {
408     return load_key(eng, key_id, 1, ui_method, ui_data);
409 }
410 
411 
412 static int bind_ossltest(ENGINE *e)
413 {
414     /* Ensure the ossltest error handling is set up */
415     ERR_load_OSSLTEST_strings();
416 
417     if (!ENGINE_set_id(e, engine_ossltest_id)
418         || !ENGINE_set_name(e, engine_ossltest_name)
419         || !ENGINE_set_digests(e, ossltest_digests)
420         || !ENGINE_set_ciphers(e, ossltest_ciphers)
421         || !ENGINE_set_RAND(e, ossltest_rand_method())
422         || !ENGINE_set_destroy_function(e, ossltest_destroy)
423         || !ENGINE_set_load_privkey_function(e, ossltest_load_privkey)
424         || !ENGINE_set_load_pubkey_function(e, ossltest_load_pubkey)
425         || !ENGINE_set_init_function(e, ossltest_init)
426         || !ENGINE_set_finish_function(e, ossltest_finish)) {
427         OSSLTESTerr(OSSLTEST_F_BIND_OSSLTEST, OSSLTEST_R_INIT_FAILED);
428         return 0;
429     }
430 
431     return 1;
432 }
433 
434 #ifndef OPENSSL_NO_DYNAMIC_ENGINE
435 static int bind_helper(ENGINE *e, const char *id)
436 {
437     if (id && (strcmp(id, engine_ossltest_id) != 0))
438         return 0;
439     if (!bind_ossltest(e))
440         return 0;
441     return 1;
442 }
443 
444 IMPLEMENT_DYNAMIC_CHECK_FN()
445     IMPLEMENT_DYNAMIC_BIND_FN(bind_helper)
446 #endif
447 
448 static ENGINE *engine_ossltest(void)
449 {
450     ENGINE *ret = ENGINE_new();
451     if (ret == NULL)
452         return NULL;
453     if (!bind_ossltest(ret)) {
454         ENGINE_free(ret);
455         return NULL;
456     }
457     return ret;
458 }
459 
460 void ENGINE_load_ossltest(void)
461 {
462     /* Copied from eng_[openssl|dyn].c */
463     ENGINE *toadd = engine_ossltest();
464     if (!toadd)
465         return;
466     ENGINE_add(toadd);
467     ENGINE_free(toadd);
468     ERR_clear_error();
469 }
470 
471 
472 static int ossltest_init(ENGINE *e)
473 {
474     return 1;
475 }
476 
477 
478 static int ossltest_finish(ENGINE *e)
479 {
480     return 1;
481 }
482 
483 
484 static int ossltest_destroy(ENGINE *e)
485 {
486     destroy_digests();
487     destroy_ciphers();
488     ERR_unload_OSSLTEST_strings();
489     return 1;
490 }
491 
492 static int ossltest_digests(ENGINE *e, const EVP_MD **digest,
493                           const int **nids, int nid)
494 {
495     int ok = 1;
496     if (!digest) {
497         /* We are returning a list of supported nids */
498         return ossltest_digest_nids(nids);
499     }
500     /* We are being asked for a specific digest */
501     switch (nid) {
502     case NID_md5:
503         *digest = digest_md5();
504         break;
505     case NID_sha1:
506         *digest = digest_sha1();
507         break;
508     case NID_sha256:
509         *digest = digest_sha256();
510         break;
511     case NID_sha384:
512         *digest = digest_sha384();
513         break;
514     case NID_sha512:
515         *digest = digest_sha512();
516         break;
517     default:
518         ok = 0;
519         *digest = NULL;
520         break;
521     }
522     return ok;
523 }
524 
525 static int ossltest_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
526                           const int **nids, int nid)
527 {
528     int ok = 1;
529     if (!cipher) {
530         /* We are returning a list of supported nids */
531         *nids = ossltest_cipher_nids;
532         return (sizeof(ossltest_cipher_nids) - 1)
533                / sizeof(ossltest_cipher_nids[0]);
534     }
535     /* We are being asked for a specific cipher */
536     switch (nid) {
537     case NID_aes_128_cbc:
538         *cipher = ossltest_aes_128_cbc();
539         break;
540     case NID_aes_128_gcm:
541         *cipher = ossltest_aes_128_gcm();
542         break;
543     case NID_aes_128_cbc_hmac_sha1:
544         *cipher = ossltest_aes_128_cbc_hmac_sha1();
545         break;
546     default:
547         ok = 0;
548         *cipher = NULL;
549         break;
550     }
551     return ok;
552 }
553 
554 static void fill_known_data(unsigned char *md, unsigned int len)
555 {
556     unsigned int i;
557 
558     for (i=0; i<len; i++) {
559         md[i] = (unsigned char)(i & 0xff);
560     }
561 }
562 
563 /*
564  * MD5 implementation. We go through the motions of doing MD5 by deferring to
565  * the standard implementation. Then we overwrite the result with a will defined
566  * value, so that all "MD5" digests using the test engine always end up with
567  * the same value.
568  */
569 static int digest_md5_init(EVP_MD_CTX *ctx)
570 {
571    return EVP_MD_meth_get_init(EVP_md5())(ctx);
572 }
573 
574 static int digest_md5_update(EVP_MD_CTX *ctx, const void *data,
575                              size_t count)
576 {
577     return EVP_MD_meth_get_update(EVP_md5())(ctx, data, count);
578 }
579 
580 static int digest_md5_final(EVP_MD_CTX *ctx, unsigned char *md)
581 {
582     int ret = EVP_MD_meth_get_final(EVP_md5())(ctx, md);
583 
584     if (ret > 0) {
585         fill_known_data(md, MD5_DIGEST_LENGTH);
586     }
587     return ret;
588 }
589 
590 /*
591  * SHA1 implementation.
592  */
593 static int digest_sha1_init(EVP_MD_CTX *ctx)
594 {
595     return EVP_MD_meth_get_init(EVP_sha1())(ctx);
596 }
597 
598 static int digest_sha1_update(EVP_MD_CTX *ctx, const void *data,
599                               size_t count)
600 {
601     return EVP_MD_meth_get_update(EVP_sha1())(ctx, data, count);
602 }
603 
604 static int digest_sha1_final(EVP_MD_CTX *ctx, unsigned char *md)
605 {
606     int ret = EVP_MD_meth_get_final(EVP_sha1())(ctx, md);
607 
608     if (ret > 0) {
609         fill_known_data(md, SHA_DIGEST_LENGTH);
610     }
611     return ret;
612 }
613 
614 /*
615  * SHA256 implementation.
616  */
617 static int digest_sha256_init(EVP_MD_CTX *ctx)
618 {
619     return EVP_MD_meth_get_init(EVP_sha256())(ctx);
620 }
621 
622 static int digest_sha256_update(EVP_MD_CTX *ctx, const void *data,
623                                 size_t count)
624 {
625     return EVP_MD_meth_get_update(EVP_sha256())(ctx, data, count);
626 }
627 
628 static int digest_sha256_final(EVP_MD_CTX *ctx, unsigned char *md)
629 {
630     int ret = EVP_MD_meth_get_final(EVP_sha256())(ctx, md);
631 
632     if (ret > 0) {
633         fill_known_data(md, SHA256_DIGEST_LENGTH);
634     }
635     return ret;
636 }
637 
638 /*
639  * SHA384 implementation.
640  */
641 static int digest_sha384_init(EVP_MD_CTX *ctx)
642 {
643     return EVP_MD_meth_get_init(EVP_sha384())(ctx);
644 }
645 
646 static int digest_sha384_update(EVP_MD_CTX *ctx, const void *data,
647                                 size_t count)
648 {
649     return EVP_MD_meth_get_update(EVP_sha384())(ctx, data, count);
650 }
651 
652 static int digest_sha384_final(EVP_MD_CTX *ctx, unsigned char *md)
653 {
654     int ret = EVP_MD_meth_get_final(EVP_sha384())(ctx, md);
655 
656     if (ret > 0) {
657         fill_known_data(md, SHA384_DIGEST_LENGTH);
658     }
659     return ret;
660 }
661 
662 /*
663  * SHA512 implementation.
664  */
665 static int digest_sha512_init(EVP_MD_CTX *ctx)
666 {
667     return EVP_MD_meth_get_init(EVP_sha512())(ctx);
668 }
669 
670 static int digest_sha512_update(EVP_MD_CTX *ctx, const void *data,
671                                 size_t count)
672 {
673     return EVP_MD_meth_get_update(EVP_sha512())(ctx, data, count);
674 }
675 
676 static int digest_sha512_final(EVP_MD_CTX *ctx, unsigned char *md)
677 {
678     int ret = EVP_MD_meth_get_final(EVP_sha512())(ctx, md);
679 
680     if (ret > 0) {
681         fill_known_data(md, SHA512_DIGEST_LENGTH);
682     }
683     return ret;
684 }
685 
686 /*
687  * AES128 Implementation
688  */
689 
690 static int ossltest_aes128_init_key(EVP_CIPHER_CTX *ctx,
691                                     const unsigned char *key,
692                                     const unsigned char *iv, int enc)
693 {
694     return EVP_CIPHER_meth_get_init(EVP_aes_128_cbc()) (ctx, key, iv, enc);
695 }
696 
697 static int ossltest_aes128_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
698                                       const unsigned char *in, size_t inl)
699 {
700     unsigned char *tmpbuf;
701     int ret;
702 
703     tmpbuf = OPENSSL_malloc(inl);
704 
705     /* OPENSSL_malloc will return NULL if inl == 0 */
706     if (tmpbuf == NULL && inl > 0)
707         return -1;
708 
709     /* Remember what we were asked to encrypt */
710     if (tmpbuf != NULL)
711         memcpy(tmpbuf, in, inl);
712 
713     /* Go through the motions of encrypting it */
714     ret = EVP_CIPHER_meth_get_do_cipher(EVP_aes_128_cbc())(ctx, out, in, inl);
715 
716     /* Throw it all away and just use the plaintext as the output */
717     if (tmpbuf != NULL)
718         memcpy(out, tmpbuf, inl);
719     OPENSSL_free(tmpbuf);
720 
721     return ret;
722 }
723 
724 static int ossltest_aes128_gcm_init_key(EVP_CIPHER_CTX *ctx,
725                                         const unsigned char *key,
726                                         const unsigned char *iv, int enc)
727 {
728     return EVP_CIPHER_meth_get_init(EVP_aes_128_gcm()) (ctx, key, iv, enc);
729 }
730 
731 static int ossltest_aes128_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
732                                       const unsigned char *in, size_t inl)
733 {
734     unsigned char *tmpbuf = OPENSSL_malloc(inl);
735 
736     /* OPENSSL_malloc will return NULL if inl == 0 */
737     if (tmpbuf == NULL && inl > 0)
738         return -1;
739 
740     /* Remember what we were asked to encrypt */
741     if (tmpbuf != NULL)
742         memcpy(tmpbuf, in, inl);
743 
744     /* Go through the motions of encrypting it */
745     EVP_CIPHER_meth_get_do_cipher(EVP_aes_128_gcm())(ctx, out, in, inl);
746 
747     /* Throw it all away and just use the plaintext as the output */
748     if (tmpbuf != NULL && out != NULL)
749         memcpy(out, tmpbuf, inl);
750     OPENSSL_free(tmpbuf);
751 
752     return inl;
753 }
754 
755 static int ossltest_aes128_gcm_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
756                                     void *ptr)
757 {
758     /* Pass the ctrl down */
759     int ret = EVP_CIPHER_meth_get_ctrl(EVP_aes_128_gcm())(ctx, type, arg, ptr);
760 
761     if (ret <= 0)
762         return ret;
763 
764     switch(type) {
765     case EVP_CTRL_AEAD_GET_TAG:
766         /* Always give the same tag */
767         memset(ptr, 0, EVP_GCM_TLS_TAG_LEN);
768         break;
769 
770     default:
771         break;
772     }
773 
774     return 1;
775 }
776 
777 #define NO_PAYLOAD_LENGTH       ((size_t)-1)
778 # define data(ctx) ((EVP_AES_HMAC_SHA1 *)EVP_CIPHER_CTX_get_cipher_data(ctx))
779 
780 static int ossltest_aes128_cbc_hmac_sha1_init_key(EVP_CIPHER_CTX *ctx,
781                                                   const unsigned char *inkey,
782                                                   const unsigned char *iv,
783                                                   int enc)
784 {
785     EVP_AES_HMAC_SHA1 *key = data(ctx);
786     key->payload_length = NO_PAYLOAD_LENGTH;
787     return 1;
788 }
789 
790 static int ossltest_aes128_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx,
791                                                 unsigned char *out,
792                                                 const unsigned char *in,
793                                                 size_t len)
794 {
795     EVP_AES_HMAC_SHA1 *key = data(ctx);
796     unsigned int l;
797     size_t plen = key->payload_length;
798 
799     key->payload_length = NO_PAYLOAD_LENGTH;
800 
801     if (len % AES_BLOCK_SIZE)
802         return 0;
803 
804     if (EVP_CIPHER_CTX_is_encrypting(ctx)) {
805         if (plen == NO_PAYLOAD_LENGTH)
806             plen = len;
807         else if (len !=
808                  ((plen + SHA_DIGEST_LENGTH +
809                    AES_BLOCK_SIZE) & -AES_BLOCK_SIZE))
810             return 0;
811 
812         memmove(out, in, plen);
813 
814         if (plen != len) {      /* "TLS" mode of operation */
815             /* calculate HMAC and append it to payload */
816             fill_known_data(out + plen, SHA_DIGEST_LENGTH);
817 
818             /* pad the payload|hmac */
819             plen += SHA_DIGEST_LENGTH;
820             for (l = len - plen - 1; plen < len; plen++)
821                 out[plen] = l;
822         }
823     } else {
824         /* decrypt HMAC|padding at once */
825         memmove(out, in, len);
826 
827         if (plen != NO_PAYLOAD_LENGTH) { /* "TLS" mode of operation */
828             unsigned int maxpad, pad;
829 
830             if (key->tls_ver >= TLS1_1_VERSION) {
831                 if (len < (AES_BLOCK_SIZE + SHA_DIGEST_LENGTH + 1))
832                     return 0;
833 
834                 /* omit explicit iv */
835                 in += AES_BLOCK_SIZE;
836                 out += AES_BLOCK_SIZE;
837                 len -= AES_BLOCK_SIZE;
838             } else if (len < (SHA_DIGEST_LENGTH + 1))
839                 return 0;
840 
841             /* figure out payload length */
842             pad = out[len - 1];
843             maxpad = len - (SHA_DIGEST_LENGTH + 1);
844             if (pad > maxpad)
845                 return 0;
846             for (plen = len - pad - 1; plen < len; plen++)
847                 if (out[plen] != pad)
848                     return 0;
849         }
850     }
851 
852     return 1;
853 }
854 
855 static int ossltest_aes128_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type,
856                                               int arg, void *ptr)
857 {
858     EVP_AES_HMAC_SHA1 *key = data(ctx);
859 
860     switch (type) {
861     case EVP_CTRL_AEAD_SET_MAC_KEY:
862         return 1;
863 
864     case EVP_CTRL_AEAD_TLS1_AAD:
865         {
866             unsigned char *p = ptr;
867             unsigned int len;
868 
869             if (arg != EVP_AEAD_TLS1_AAD_LEN)
870                 return -1;
871 
872             len = p[arg - 2] << 8 | p[arg - 1];
873             key->tls_ver = p[arg - 4] << 8 | p[arg - 3];
874 
875             if (EVP_CIPHER_CTX_is_encrypting(ctx)) {
876                 key->payload_length = len;
877                 if (key->tls_ver >= TLS1_1_VERSION) {
878                     if (len < AES_BLOCK_SIZE)
879                         return 0;
880                     len -= AES_BLOCK_SIZE;
881                     p[arg - 2] = len >> 8;
882                     p[arg - 1] = len;
883                 }
884 
885                 return (int)(((len + SHA_DIGEST_LENGTH +
886                                AES_BLOCK_SIZE) & -AES_BLOCK_SIZE)
887                              - len);
888             } else {
889                 key->payload_length = arg;
890 
891                 return SHA_DIGEST_LENGTH;
892             }
893         }
894     default:
895         return -1;
896     }
897 }
898 
899 static int ossltest_rand_bytes(unsigned char *buf, int num)
900 {
901     unsigned char val = 1;
902 
903     while (--num >= 0)
904         *buf++ = val++;
905     return 1;
906 }
907 
908 static int ossltest_rand_status(void)
909 {
910     return 1;
911 }
912 
913 static const RAND_METHOD *ossltest_rand_method(void)
914 {
915 
916     static RAND_METHOD osslt_rand_meth = {
917         NULL,
918         ossltest_rand_bytes,
919         NULL,
920         NULL,
921         ossltest_rand_bytes,
922         ossltest_rand_status
923     };
924 
925     return &osslt_rand_meth;
926 }
927