search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
significantly expand logging of error conditions
[sqlcipher.git] / src / crypto_openssl.c
blobd8f22361900f833f9af8c34dcb8605af9320190f
1 /*
2 ** SQLCipher
3 ** http://sqlcipher.net
4 **
5 ** Copyright (c) 2008 - 2013, ZETETIC LLC
6 ** All rights reserved.
7 **
8 ** Redistribution and use in source and binary forms, with or without
9 ** modification, are permitted provided that the following conditions are met:
10 ** * Redistributions of source code must retain the above copyright
11 ** notice, this list of conditions and the following disclaimer.
12 ** * Redistributions in binary form must reproduce the above copyright
13 ** notice, this list of conditions and the following disclaimer in the
14 ** documentation and/or other materials provided with the distribution.
15 ** * Neither the name of the ZETETIC LLC nor the
16 ** names of its contributors may be used to endorse or promote products
17 ** derived from this software without specific prior written permission.
18 **
19 ** THIS SOFTWARE IS PROVIDED BY ZETETIC LLC ''AS IS'' AND ANY
20 ** EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
21 ** WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 ** DISCLAIMED. IN NO EVENT SHALL ZETETIC LLC BE LIABLE FOR ANY
23 ** DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
24 ** (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
25 ** LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
26 ** ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
27 ** (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
28 ** SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 **
30 */
31 /* BEGIN SQLCIPHER */
32 #ifdef SQLITE_HAS_CODEC
33 #ifdef SQLCIPHER_CRYPTO_OPENSSL
34 #include "sqliteInt.h"
35 #include "crypto.h"
36 #include "sqlcipher.h"
37 #include <openssl/rand.h>
38 #include <openssl/evp.h>
39 #include <openssl/objects.h>
40 #include <openssl/hmac.h>
41 #include <openssl/err.h>
42
43 static unsigned int openssl_init_count = 0;
44
45 static void sqlcipher_openssl_log_errors() {
46 unsigned long err = 0;
47 while((err = ERR_get_error()) != 0) {
48 sqlcipher_log(SQLCIPHER_LOG_ERROR, "sqlcipher_openssl_log_errors: ERR_get_error() returned %lx: %s", err, ERR_error_string(err, NULL));
49 }
50 }
51
52 #if (defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER < 0x10100000L) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L)
53 static HMAC_CTX *HMAC_CTX_new(void)
54 {
55 HMAC_CTX *ctx = OPENSSL_malloc(sizeof(*ctx));
56 if (ctx != NULL) {
57 HMAC_CTX_init(ctx);
58 }
59 return ctx;
60 }
61
62 /* Per 1.1.0 (https://wiki.openssl.org/index.php/1.1_API_Changes)
63 HMAC_CTX_free should call HMAC_CTX_cleanup, then EVP_MD_CTX_Cleanup.
64 HMAC_CTX_cleanup internally calls EVP_MD_CTX_cleanup so these
65 calls are not needed. */
66 static void HMAC_CTX_free(HMAC_CTX *ctx)
67 {
68 if (ctx != NULL) {
69 HMAC_CTX_cleanup(ctx);
70 OPENSSL_free(ctx);
71 }
72 }
73 #endif
74
75 static int sqlcipher_openssl_add_random(void *ctx, void *buffer, int length) {
76 #ifndef SQLCIPHER_OPENSSL_NO_MUTEX_RAND
77 sqlcipher_log(SQLCIPHER_LOG_TRACE, "sqlcipher_openssl_add_random: entering SQLCIPHER_MUTEX_PROVIDER_RAND");
78 sqlite3_mutex_enter(sqlcipher_mutex(SQLCIPHER_MUTEX_PROVIDER_RAND));
79 sqlcipher_log(SQLCIPHER_LOG_TRACE, "sqlcipher_openssl_add_random: entered SQLCIPHER_MUTEX_PROVIDER_RAND");
80 #endif
81 RAND_add(buffer, length, 0);
82 #ifndef SQLCIPHER_OPENSSL_NO_MUTEX_RAND
83 sqlcipher_log(SQLCIPHER_LOG_TRACE, "sqlcipher_openssl_add_random: leaving SQLCIPHER_MUTEX_PROVIDER_RAND");
84 sqlite3_mutex_leave(sqlcipher_mutex(SQLCIPHER_MUTEX_PROVIDER_RAND));
85 sqlcipher_log(SQLCIPHER_LOG_TRACE, "sqlcipher_openssl_add_random: left SQLCIPHER_MUTEX_PROVIDER_RAND");
86 #endif
87 return SQLITE_OK;
88 }
89
90 #define OPENSSL_CIPHER EVP_aes_256_cbc()
91
92 /* activate and initialize sqlcipher. Most importantly, this will automatically
93 intialize OpenSSL's EVP system if it hasn't already be externally. Note that
94 this function may be called multiple times as new codecs are intiialized.
95 Thus it performs some basic counting to ensure that only the last and final
96 sqlcipher_openssl_deactivate() will free the EVP structures.
97 */
98 static int sqlcipher_openssl_activate(void *ctx) {
99 /* initialize openssl and increment the internal init counter
100 but only if it hasn't been initalized outside of SQLCipher by this program
101 e.g. on startup */
102 int rc = 0;
103
104 sqlcipher_log(SQLCIPHER_LOG_TRACE, "sqlcipher_openssl_activate: entering SQLCIPHER_MUTEX_PROVIDER_ACTIVATE");
105 sqlite3_mutex_enter(sqlcipher_mutex(SQLCIPHER_MUTEX_PROVIDER_ACTIVATE));
106 sqlcipher_log(SQLCIPHER_LOG_TRACE, "sqlcipher_openssl_activate: entered SQLCIPHER_MUTEX_PROVIDER_ACTIVATE");
107
108 #if (defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER < 0x10100000L)
109 ERR_load_crypto_strings();
110 #endif
111
112 #ifdef SQLCIPHER_FIPS
113 if(!FIPS_mode()){
114 if(!(rc = FIPS_mode_set(1))){
115 sqlcipher_log(SQLCIPHER_LOG_ERROR, "sqlcipher_openssl_activate: FIPS_mode_set() returned %d", rc);
116 sqlcipher_openssl_log_errors();
117 }
118 }
119 #endif
120
121 openssl_init_count++;
122 sqlcipher_log(SQLCIPHER_LOG_TRACE, "sqlcipher_openssl_activate: leaving SQLCIPHER_MUTEX_PROVIDER_ACTIVATE");
123 sqlite3_mutex_leave(sqlcipher_mutex(SQLCIPHER_MUTEX_PROVIDER_ACTIVATE));
124 sqlcipher_log(SQLCIPHER_LOG_TRACE, "sqlcipher_openssl_activate: left SQLCIPHER_MUTEX_PROVIDER_ACTIVATE");
125 return SQLITE_OK;
126 }
127
128 /* deactivate SQLCipher, most imporantly decremeting the activation count and
129 freeing the EVP structures on the final deactivation to ensure that
130 OpenSSL memory is cleaned up */
131 static int sqlcipher_openssl_deactivate(void *ctx) {
132 sqlcipher_log(SQLCIPHER_LOG_TRACE, "sqlcipher_openssl_deactivate: entering SQLCIPHER_MUTEX_PROVIDER_ACTIVATE");
133 sqlite3_mutex_enter(sqlcipher_mutex(SQLCIPHER_MUTEX_PROVIDER_ACTIVATE));
134 sqlcipher_log(SQLCIPHER_LOG_TRACE, "sqlcipher_openssl_deactivate: entered SQLCIPHER_MUTEX_PROVIDER_ACTIVATE");
135
136 openssl_init_count--;
137
138 sqlcipher_log(SQLCIPHER_LOG_TRACE, "sqlcipher_openssl_deactivate: leaving SQLCIPHER_MUTEX_PROVIDER_ACTIVATE");
139 sqlite3_mutex_leave(sqlcipher_mutex(SQLCIPHER_MUTEX_PROVIDER_ACTIVATE));
140 sqlcipher_log(SQLCIPHER_LOG_TRACE, "sqlcipher_openssl_deactivate: left SQLCIPHER_MUTEX_PROVIDER_ACTIVATE");
141 return SQLITE_OK;
142 }
143
144 static const char* sqlcipher_openssl_get_provider_name(void *ctx) {
145 return "openssl";
146 }
147
148 static const char* sqlcipher_openssl_get_provider_version(void *ctx) {
149 return OPENSSL_VERSION_TEXT;
150 }
151
152 /* generate a defined number of random bytes */
153 static int sqlcipher_openssl_random (void *ctx, void *buffer, int length) {
154 int rc = 0;
155 /* concurrent calls to RAND_bytes can cause a crash under some openssl versions when a
156 naive application doesn't use CRYPTO_set_locking_callback and
157 CRYPTO_THREADID_set_callback to ensure openssl thread safety.
158 This is simple workaround to prevent this common crash
159 but a more proper solution is that applications setup platform-appropriate
160 thread saftey in openssl externally */
161 #ifndef SQLCIPHER_OPENSSL_NO_MUTEX_RAND
162 sqlcipher_log(SQLCIPHER_LOG_TRACE, "sqlcipher_openssl_random: entering SQLCIPHER_MUTEX_PROVIDER_RAND");
163 sqlite3_mutex_enter(sqlcipher_mutex(SQLCIPHER_MUTEX_PROVIDER_RAND));
164 sqlcipher_log(SQLCIPHER_LOG_TRACE, "sqlcipher_openssl_random: entered SQLCIPHER_MUTEX_PROVIDER_RAND");
165 #endif
166 rc = RAND_bytes((unsigned char *)buffer, length);
167 #ifndef SQLCIPHER_OPENSSL_NO_MUTEX_RAND
168 sqlcipher_log(SQLCIPHER_LOG_TRACE, "sqlcipher_openssl_random: leaving SQLCIPHER_MUTEX_PROVIDER_RAND");
169 sqlite3_mutex_leave(sqlcipher_mutex(SQLCIPHER_MUTEX_PROVIDER_RAND));
170 sqlcipher_log(SQLCIPHER_LOG_TRACE, "sqlcipher_openssl_random: left SQLCIPHER_MUTEX_PROVIDER_RAND");
171 #endif
172 if(!rc) {
173 sqlcipher_log(SQLCIPHER_LOG_ERROR, "sqlcipher_openssl_random: RAND_bytes() returned %d", rc);
174 sqlcipher_openssl_log_errors();
175 return SQLITE_ERROR;
176 }
177 return SQLITE_OK;
178 }
179
180 static int sqlcipher_openssl_hmac(void *ctx, int algorithm, unsigned char *hmac_key, int key_sz, unsigned char *in, int in_sz, unsigned char *in2, int in2_sz, unsigned char *out) {
181 int rc = 0;
182 #if (defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER < 0x30000000L)
183 unsigned int outlen;
184 HMAC_CTX* hctx = NULL;
185
186 if(in == NULL) goto error;
187
188 hctx = HMAC_CTX_new();
189 if(hctx == NULL) {
190 sqlcipher_log(SQLCIPHER_LOG_ERROR, "sqlcipher_openssl_hmac: HMAC_CTX_new() failed");
191 sqlcipher_openssl_log_errors();
192 goto error;
193 }
194
195 switch(algorithm) {
196 case SQLCIPHER_HMAC_SHA1:
197 if(!(rc = HMAC_Init_ex(hctx, hmac_key, key_sz, EVP_sha1(), NULL))) {
198 sqlcipher_log(SQLCIPHER_LOG_ERROR, "sqlcipher_openssl_hmac: HMAC_Init_ex() with key size %d and EVP_sha1() returned %d", key_sz, rc);
199 sqlcipher_openssl_log_errors();
200 goto error;
201 }
202 break;
203 case SQLCIPHER_HMAC_SHA256:
204 if(!(rc = HMAC_Init_ex(hctx, hmac_key, key_sz, EVP_sha256(), NULL))) {
205 sqlcipher_log(SQLCIPHER_LOG_ERROR, "sqlcipher_openssl_hmac: HMAC_Init_ex() with key size %d and EVP_sha256() returned %d", key_sz, rc);
206 sqlcipher_openssl_log_errors();
207 goto error;
208 }
209 break;
210 case SQLCIPHER_HMAC_SHA512:
211 if(!(rc = HMAC_Init_ex(hctx, hmac_key, key_sz, EVP_sha512(), NULL))) {
212 sqlcipher_log(SQLCIPHER_LOG_ERROR, "sqlcipher_openssl_hmac: HMAC_Init_ex() with key size %d and EVP_sha512() returned %d", key_sz, rc);
213 sqlcipher_openssl_log_errors();
214 goto error;
215 }
216 break;
217 default:
218 sqlcipher_log(SQLCIPHER_LOG_ERROR, "sqlcipher_openssl_hmac: invalid algorithm %d", algorithm);
219 goto error;
220 }
221
222 if(!(rc = HMAC_Update(hctx, in, in_sz))) {
223 sqlcipher_log(SQLCIPHER_LOG_ERROR, "sqlcipher_openssl_hmac: HMAC_Update() on 1st input buffer of %d bytes using algorithm %d returned %d", in_sz, algorithm, rc);
224 sqlcipher_openssl_log_errors();
225 goto error;
226 }
227
228 if(in2 != NULL) {
229 if(!(rc = HMAC_Update(hctx, in2, in2_sz))) {
230 sqlcipher_log(SQLCIPHER_LOG_ERROR, "sqlcipher_openssl_hmac: HMAC_Update() on 2nd input buffer of %d bytes using algorithm %d returned %d", in2_sz, algorithm, rc);
231 sqlcipher_openssl_log_errors();
232 goto error;
233 }
234 }
235
236 if(!(rc = HMAC_Final(hctx, out, &outlen))) {
237 sqlcipher_log(SQLCIPHER_LOG_ERROR, "sqlcipher_openssl_hmac: HMAC_Final() using algorithm %d returned %d", algorithm, rc);
238 sqlcipher_openssl_log_errors();
239 goto error;
240 }
241
242 #else
243 size_t outlen;
244 EVP_MAC *mac = NULL;
245 EVP_MAC_CTX *hctx = NULL;
246 OSSL_PARAM sha1[] = { { "digest", OSSL_PARAM_UTF8_STRING, "sha1", 4, 0 }, OSSL_PARAM_END };
247 OSSL_PARAM sha256[] = { { "digest", OSSL_PARAM_UTF8_STRING, "sha256", 6, 0 }, OSSL_PARAM_END };
248 OSSL_PARAM sha512[] = { { "digest", OSSL_PARAM_UTF8_STRING, "sha512", 6, 0 }, OSSL_PARAM_END };
249
250 if(in == NULL) goto error;
251
252 mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
253 if(mac == NULL) {
254 sqlcipher_log(SQLCIPHER_LOG_ERROR, "sqlcipher_openssl_hmac: EVP_MAC_fetch for HMAC failed");
255 sqlcipher_openssl_log_errors();
256 goto error;
257 }
258
259 hctx = EVP_MAC_CTX_new(mac);
260 if(hctx == NULL) {
261 sqlcipher_log(SQLCIPHER_LOG_ERROR, "sqlcipher_openssl_hmac: EVP_MAC_CTX_new() failed");
262 sqlcipher_openssl_log_errors();
263 goto error;
264 }
265
266 switch(algorithm) {
267 case SQLCIPHER_HMAC_SHA1:
268 if(!(rc = EVP_MAC_init(hctx, hmac_key, key_sz, sha1))) {
269 sqlcipher_log(SQLCIPHER_LOG_ERROR, "sqlcipher_openssl_hmac: EVP_MAC_init() with key size %d and sha1 returned %d", key_sz, rc);
270 sqlcipher_openssl_log_errors();
271 goto error;
272 }
273 break;
274 case SQLCIPHER_HMAC_SHA256:
275 if(!(rc = EVP_MAC_init(hctx, hmac_key, key_sz, sha256))) {
276 sqlcipher_log(SQLCIPHER_LOG_ERROR, "sqlcipher_openssl_hmac: EVP_MAC_init() with key size %d and sha256 returned %d", key_sz, rc);
277 sqlcipher_openssl_log_errors();
278 goto error;
279 }
280 break;
281 case SQLCIPHER_HMAC_SHA512:
282 if(!(rc = EVP_MAC_init(hctx, hmac_key, key_sz, sha512))) {
283 sqlcipher_log(SQLCIPHER_LOG_ERROR, "sqlcipher_openssl_hmac: EVP_MAC_init() with key size %d and sha512 returned %d", key_sz, rc);
284 sqlcipher_openssl_log_errors();
285 goto error;
286 }
287 break;
288 default:
289 sqlcipher_log(SQLCIPHER_LOG_ERROR, "sqlcipher_openssl_hmac: invalid algorithm %d", algorithm);
290 goto error;
291 }
292
293 if(!(rc = EVP_MAC_update(hctx, in, in_sz))) {
294 sqlcipher_log(SQLCIPHER_LOG_ERROR, "sqlcipher_openssl_hmac: EVP_MAC_update() on 1st input buffer of %d bytes using algorithm %d returned %d", in_sz, algorithm, rc);
295 sqlcipher_openssl_log_errors();
296 goto error;
297 }
298
299 if(in2 != NULL) {
300 if(!(rc = EVP_MAC_update(hctx, in2, in2_sz))) {
301 sqlcipher_log(SQLCIPHER_LOG_ERROR, "sqlcipher_openssl_hmac: EVP_MAC_update() on 2nd input buffer of %d bytes using algorithm %d returned %d", in_sz, algorithm, rc);
302 sqlcipher_openssl_log_errors();
303 goto error;
304 }
305 }
306
307 if(!(rc = EVP_MAC_final(hctx, NULL, &outlen, 0))) {
308 sqlcipher_log(SQLCIPHER_LOG_ERROR, "sqlcipher_openssl_hmac: 1st EVP_MAC_final() for output length calculation using algorithm %d returned %d", algorithm, rc);
309 sqlcipher_openssl_log_errors();
310 goto error;
311 }
312
313 if(!(rc = EVP_MAC_final(hctx, out, &outlen, outlen))) {
314 sqlcipher_log(SQLCIPHER_LOG_ERROR, "sqlcipher_openssl_hmac: 2nd EVP_MAC_final() using algorithm %d returned %d", algorithm, rc);
315 sqlcipher_openssl_log_errors();
316 goto error;
317 }
318
319 #endif
320 rc = SQLITE_OK;
321 goto cleanup;
322 error:
323 rc = SQLITE_ERROR;
324 cleanup:
325 #if (defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER < 0x30000000L)
326 if(hctx) HMAC_CTX_free(hctx);
327 #else
328 if(hctx) EVP_MAC_CTX_free(hctx);
329 #endif
330 return rc;
331 }
332
333 static int sqlcipher_openssl_kdf(void *ctx, int algorithm, const unsigned char *pass, int pass_sz, unsigned char* salt, int salt_sz, int workfactor, int key_sz, unsigned char *key) {
334 int rc = 0;
335
336 switch(algorithm) {
337 case SQLCIPHER_HMAC_SHA1:
338 if(!(rc = PKCS5_PBKDF2_HMAC((const char *)pass, pass_sz, salt, salt_sz, workfactor, EVP_sha1(), key_sz, key))) {
339 sqlcipher_log(SQLCIPHER_LOG_ERROR, "sqlcipher_openssl_kdf: PKCS5_PBKDF2_HMAC() for EVP_sha1() workfactor %d and key size %d returned %d", workfactor, key_sz, rc);
340 sqlcipher_openssl_log_errors();
341 goto error;
342 }
343 break;
344 case SQLCIPHER_HMAC_SHA256:
345 if(!(rc = PKCS5_PBKDF2_HMAC((const char *)pass, pass_sz, salt, salt_sz, workfactor, EVP_sha256(), key_sz, key))) {
346 sqlcipher_log(SQLCIPHER_LOG_ERROR, "sqlcipher_openssl_kdf: PKCS5_PBKDF2_HMAC() for EVP_sha256() workfactor %d and key size %d returned %d", workfactor, key_sz, rc);
347 sqlcipher_openssl_log_errors();
348 goto error;
349 }
350 break;
351 case SQLCIPHER_HMAC_SHA512:
352 if(!(rc = PKCS5_PBKDF2_HMAC((const char *)pass, pass_sz, salt, salt_sz, workfactor, EVP_sha512(), key_sz, key))) {
353 sqlcipher_log(SQLCIPHER_LOG_ERROR, "sqlcipher_openssl_kdf: PKCS5_PBKDF2_HMAC() for EVP_sha512() workfactor %d and key size %d returned %d", workfactor, key_sz, rc);
354 sqlcipher_openssl_log_errors();
355 goto error;
356 }
357 break;
358 default:
359 return SQLITE_ERROR;
360 }
361
362 rc = SQLITE_OK;
363 goto cleanup;
364 error:
365 rc = SQLITE_ERROR;
366 cleanup:
367 return rc;
368 }
369
370 static int sqlcipher_openssl_cipher(void *ctx, int mode, unsigned char *key, int key_sz, unsigned char *iv, unsigned char *in, int in_sz, unsigned char *out) {
371 int tmp_csz, csz, rc = 0;
372 EVP_CIPHER_CTX* ectx = EVP_CIPHER_CTX_new();
373 if(ectx == NULL) {
374 sqlcipher_log(SQLCIPHER_LOG_ERROR, "sqlcipher_openssl_cipher: EVP_CIPHER_CTX_new failed");
375 sqlcipher_openssl_log_errors();
376 goto error;
377 }
378
379 if(!(rc = EVP_CipherInit_ex(ectx, OPENSSL_CIPHER, NULL, NULL, NULL, mode))) {
380 sqlcipher_log(SQLCIPHER_LOG_ERROR, "sqlcipher_openssl_cipher: EVP_CipherInit_ex for mode %d returned %d", mode, rc);
381 sqlcipher_openssl_log_errors();
382 goto error;
383 }
384
385 if(!(rc = EVP_CIPHER_CTX_set_padding(ectx, 0))) { /* no padding */
386 sqlcipher_log(SQLCIPHER_LOG_ERROR, "sqlcipher_openssl_cipher: EVP_CIPHER_CTX_set_padding 0 returned %d", rc);
387 sqlcipher_openssl_log_errors();
388 goto error;
389 }
390
391 if(!(rc = EVP_CipherInit_ex(ectx, NULL, NULL, key, iv, mode))) {
392 sqlcipher_log(SQLCIPHER_LOG_ERROR, "sqlcipher_openssl_cipher: EVP_CipherInit_ex for mode %d returned %d", mode, rc);
393 sqlcipher_openssl_log_errors();
394 goto error;
395 }
396
397 if(!(rc = EVP_CipherUpdate(ectx, out, &tmp_csz, in, in_sz))) {
398 sqlcipher_log(SQLCIPHER_LOG_ERROR, "sqlcipher_openssl_cipher: EVP_CipherUpdate returned %d", rc);
399 sqlcipher_openssl_log_errors();
400 goto error;
401 }
402
403 csz = tmp_csz;
404 out += tmp_csz;
405 if(!(rc = EVP_CipherFinal_ex(ectx, out, &tmp_csz))) {
406 sqlcipher_log(SQLCIPHER_LOG_ERROR, "sqlcipher_openssl_cipher: EVP_CipherFinal_ex returned %d", rc);
407 sqlcipher_openssl_log_errors();
408 goto error;
409 }
410
411 csz += tmp_csz;
412 assert(in_sz == csz);
413
414 rc = SQLITE_OK;
415 goto cleanup;
416 error:
417 rc = SQLITE_ERROR;
418 cleanup:
419 if(ectx) EVP_CIPHER_CTX_free(ectx);
420 return rc;
421 }
422
423 static const char* sqlcipher_openssl_get_cipher(void *ctx) {
424 return OBJ_nid2sn(EVP_CIPHER_nid(OPENSSL_CIPHER));
425 }
426
427 static int sqlcipher_openssl_get_key_sz(void *ctx) {
428 return EVP_CIPHER_key_length(OPENSSL_CIPHER);
429 }
430
431 static int sqlcipher_openssl_get_iv_sz(void *ctx) {
432 return EVP_CIPHER_iv_length(OPENSSL_CIPHER);
433 }
434
435 static int sqlcipher_openssl_get_block_sz(void *ctx) {
436 return EVP_CIPHER_block_size(OPENSSL_CIPHER);
437 }
438
439 static int sqlcipher_openssl_get_hmac_sz(void *ctx, int algorithm) {
440 switch(algorithm) {
441 case SQLCIPHER_HMAC_SHA1:
442 return EVP_MD_size(EVP_sha1());
443 break;
444 case SQLCIPHER_HMAC_SHA256:
445 return EVP_MD_size(EVP_sha256());
446 break;
447 case SQLCIPHER_HMAC_SHA512:
448 return EVP_MD_size(EVP_sha512());
449 break;
450 default:
451 return 0;
452 }
453 }
454
455 static int sqlcipher_openssl_ctx_init(void **ctx) {
456 return sqlcipher_openssl_activate(*ctx);
457 }
458
459 static int sqlcipher_openssl_ctx_free(void **ctx) {
460 return sqlcipher_openssl_deactivate(NULL);
461 }
462
463 static int sqlcipher_openssl_fips_status(void *ctx) {
464 #ifdef SQLCIPHER_FIPS
465 return FIPS_mode();
466 #else
467 return 0;
468 #endif
469 }
470
471 int sqlcipher_openssl_setup(sqlcipher_provider *p) {
472 p->activate = sqlcipher_openssl_activate;
473 p->deactivate = sqlcipher_openssl_deactivate;
474 p->get_provider_name = sqlcipher_openssl_get_provider_name;
475 p->random = sqlcipher_openssl_random;
476 p->hmac = sqlcipher_openssl_hmac;
477 p->kdf = sqlcipher_openssl_kdf;
478 p->cipher = sqlcipher_openssl_cipher;
479 p->get_cipher = sqlcipher_openssl_get_cipher;
480 p->get_key_sz = sqlcipher_openssl_get_key_sz;
481 p->get_iv_sz = sqlcipher_openssl_get_iv_sz;
482 p->get_block_sz = sqlcipher_openssl_get_block_sz;
483 p->get_hmac_sz = sqlcipher_openssl_get_hmac_sz;
484 p->ctx_init = sqlcipher_openssl_ctx_init;
485 p->ctx_free = sqlcipher_openssl_ctx_free;
486 p->add_random = sqlcipher_openssl_add_random;
487 p->fips_status = sqlcipher_openssl_fips_status;
488 p->get_provider_version = sqlcipher_openssl_get_provider_version;
489 return SQLITE_OK;
490 }
491
492 #endif
493 #endif
494 /* END SQLCIPHER */
SQLCipher is an SQLite extension that provides 256 bit AES encryption of database files.