src/crypto_openssl.c

   1 /*
   2 ** SQLCipher
   3 ** http://sqlcipher.net
   4 **
   5 ** Copyright (c) 2008 - 2013, ZETETIC LLC
   6 ** All rights reserved.
   7 **
   8 ** Redistribution and use in source and binary forms, with or without
   9 ** modification, are permitted provided that the following conditions are met:
  10 **     * Redistributions of source code must retain the above copyright
  11 **       notice, this list of conditions and the following disclaimer.
  12 **     * Redistributions in binary form must reproduce the above copyright
  13 **       notice, this list of conditions and the following disclaimer in the
  14 **       documentation and/or other materials provided with the distribution.
  15 **     * Neither the name of the ZETETIC LLC nor the
  16 **       names of its contributors may be used to endorse or promote products
  17 **       derived from this software without specific prior written permission.
  18 **
  19 ** THIS SOFTWARE IS PROVIDED BY ZETETIC LLC ''AS IS'' AND ANY
  20 ** EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
  21 ** WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
  22 ** DISCLAIMED. IN NO EVENT SHALL ZETETIC LLC BE LIABLE FOR ANY
  23 ** DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
  24 ** (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  25 ** LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
  26 ** ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  27 ** (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
  28 ** SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  29 **
  30 */
  31 /* BEGIN SQLCIPHER */
  32 #ifdef SQLITE_HAS_CODEC
  33 #ifdef SQLCIPHER_CRYPTO_OPENSSL
  34 #include "sqliteInt.h"
  35 #include "crypto.h"
  36 #include "sqlcipher.h"
  37 #include <openssl/rand.h>
  38 #include <openssl/evp.h>
  39 #include <openssl/objects.h>
  40 #include <openssl/hmac.h>
  41 #include <openssl/err.h>
  42
  43 typedef struct {
  44   EVP_CIPHER *evp_cipher;
  45 } openssl_ctx;
  46
  47 static unsigned int openssl_external_init = 0;
  48 static unsigned int openssl_init_count = 0;
  49 static sqlite3_mutex* openssl_rand_mutex = NULL;
  50
  51 #if (defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER < 0x10100000L) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L)
  52 static HMAC_CTX *HMAC_CTX_new(void)
  53 {
  54   HMAC_CTX *ctx = OPENSSL_malloc(sizeof(*ctx));
  55   if (ctx != NULL) {
  56     HMAC_CTX_init(ctx);
  57   }
  58   return ctx;
  59 }
  60
  61 /* Per 1.1.0 (https://wiki.openssl.org/index.php/1.1_API_Changes)
  62    HMAC_CTX_free should call HMAC_CTX_cleanup, then EVP_MD_CTX_Cleanup.
  63    HMAC_CTX_cleanup internally calls EVP_MD_CTX_cleanup so these
  64    calls are not needed. */
  65 static void HMAC_CTX_free(HMAC_CTX *ctx)
  66 {
  67   if (ctx != NULL) {
  68     HMAC_CTX_cleanup(ctx);
  69     OPENSSL_free(ctx);
  70   }
  71 }
  72 #endif
  73
  74 static int sqlcipher_openssl_add_random(void *ctx, void *buffer, int length) {
  75 #ifndef SQLCIPHER_OPENSSL_NO_MUTEX_RAND
  76   CODEC_TRACE_MUTEX("sqlcipher_openssl_add_random: entering openssl_rand_mutex %p\n", openssl_rand_mutex);
  77   sqlite3_mutex_enter(openssl_rand_mutex);
  78   CODEC_TRACE_MUTEX("sqlcipher_openssl_add_random: entered openssl_rand_mutex %p\n", openssl_rand_mutex);
  79 #endif
  80   RAND_add(buffer, length, 0);
  81 #ifndef SQLCIPHER_OPENSSL_NO_MUTEX_RAND
  82   CODEC_TRACE_MUTEX("sqlcipher_openssl_add_random: leaving openssl_rand_mutex %p\n", openssl_rand_mutex);
  83   sqlite3_mutex_leave(openssl_rand_mutex);
  84   CODEC_TRACE_MUTEX("sqlcipher_openssl_add_random: left openssl_rand_mutex %p\n", openssl_rand_mutex);
  85 #endif
  86   return SQLITE_OK;
  87 }
  88
  89 #define OPENSSL_CIPHER "aes-256-cbc"
  90
  91
  92 /* activate and initialize sqlcipher. Most importantly, this will automatically
  93    intialize OpenSSL's EVP system if it hasn't already be externally. Note that
  94    this function may be called multiple times as new codecs are intiialized.
  95    Thus it performs some basic counting to ensure that only the last and final
  96    sqlcipher_openssl_deactivate() will free the EVP structures.
  97 */
  98 static int sqlcipher_openssl_activate(void *ctx) {
  99   /* initialize openssl and increment the internal init counter
 100      but only if it hasn't been initalized outside of SQLCipher by this program
 101      e.g. on startup */
 102   CODEC_TRACE_MUTEX("sqlcipher_openssl_activate: entering static master mutex");
 103   sqlite3_mutex_enter(sqlite3_mutex_alloc(SQLITE_MUTEX_STATIC_MASTER));
 104   CODEC_TRACE_MUTEX("sqlcipher_openssl_activate: entered static master mutex");
 105
 106   if(openssl_init_count == 0 && EVP_get_cipherbyname(OPENSSL_CIPHER) != NULL) {
 107     /* if openssl has not yet been initialized by this library, but
 108        a call to get_cipherbyname works, then the openssl library
 109        has been initialized externally already. */
 110     openssl_external_init = 1;
 111   }
 112
 113 #ifdef SQLCIPHER_FIPS
 114   if(!FIPS_mode()){
 115     if(!FIPS_mode_set(1)){
 116       ERR_load_crypto_strings();
 117       ERR_print_errors_fp(stderr);
 118     }
 119   }
 120 #endif
 121
 122   if(openssl_init_count == 0 && openssl_external_init == 0)  {
 123     /* if the library was not externally initialized, then should be now */
 124 #if (defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER < 0x10100000L) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L)
 125     OpenSSL_add_all_algorithms();
 126 #endif
 127   }
 128
 129 #ifndef SQLCIPHER_OPENSSL_NO_MUTEX_RAND
 130   if(openssl_rand_mutex == NULL) {
 131     /* allocate a mutex to guard against concurrent calls to RAND_bytes() */
 132     CODEC_TRACE_MUTEX("sqlcipher_openssl_activate: allocating openssl_rand_mutex");
 133     openssl_rand_mutex = sqlite3_mutex_alloc(SQLITE_MUTEX_FAST);
 134     CODEC_TRACE_MUTEX("sqlcipher_openssl_activate: allocated openssl_rand_mutex %p", openssl_rand_mutex);
 135   }
 136 #endif
 137
 138   openssl_init_count++;
 139   CODEC_TRACE_MUTEX("sqlcipher_openssl_activate: leaving static master mutex");
 140   sqlite3_mutex_leave(sqlite3_mutex_alloc(SQLITE_MUTEX_STATIC_MASTER));
 141   CODEC_TRACE_MUTEX("sqlcipher_openssl_activate: left static master mutex");
 142   return SQLITE_OK;
 143 }
 144
 145 /* deactivate SQLCipher, most imporantly decremeting the activation count and
 146    freeing the EVP structures on the final deactivation to ensure that
 147    OpenSSL memory is cleaned up */
 148 static int sqlcipher_openssl_deactivate(void *ctx) {
 149   CODEC_TRACE_MUTEX("sqlcipher_openssl_deactivate: entering static master mutex");
 150   sqlite3_mutex_enter(sqlite3_mutex_alloc(SQLITE_MUTEX_STATIC_MASTER));
 151   CODEC_TRACE_MUTEX("sqlcipher_openssl_deactivate: entered static master mutex");
 152   openssl_init_count--;
 153
 154   if(openssl_init_count == 0) {
 155     if(openssl_external_init == 0) {
 156     /* if OpenSSL hasn't be initialized externally, and the counter reaches zero
 157        after it's decremented, release EVP memory
 158        Note: this code will only be reached if OpensSSL_add_all_algorithms()
 159        is called by SQLCipher internally. This should prevent SQLCipher from
 160        "cleaning up" openssl when it was initialized externally by the program */
 161 #if (defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER < 0x10100000L) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L)
 162       EVP_cleanup();
 163 #endif
 164     } else {
 165       openssl_external_init = 0;
 166     }
 167 #ifndef SQLCIPHER_OPENSSL_NO_MUTEX_RAND
 168     CODEC_TRACE_MUTEX("sqlcipher_openssl_deactivate: freeing openssl_rand_mutex %p", openssl_rand_mutex);
 169     sqlite3_mutex_free(openssl_rand_mutex);
 170     CODEC_TRACE_MUTEX("sqlcipher_openssl_deactivate: freed openssl_rand_mutex %p", openssl_rand_mutex);
 171     openssl_rand_mutex = NULL;
 172 #endif
 173   }
 174   CODEC_TRACE_MUTEX("sqlcipher_openssl_deactivate: leaving static master mutex");
 175   sqlite3_mutex_leave(sqlite3_mutex_alloc(SQLITE_MUTEX_STATIC_MASTER));
 176   CODEC_TRACE_MUTEX("sqlcipher_openssl_deactivate: left static master mutex");
 177   return SQLITE_OK;
 178 }
 179
 180 static const char* sqlcipher_openssl_get_provider_name(void *ctx) {
 181   return "openssl";
 182 }
 183
 184 static const char* sqlcipher_openssl_get_provider_version(void *ctx) {
 185   return OPENSSL_VERSION_TEXT;
 186 }
 187
 188 /* generate a defined number of random bytes */
 189 static int sqlcipher_openssl_random (void *ctx, void *buffer, int length) {
 190   int rc = 0;
 191   /* concurrent calls to RAND_bytes can cause a crash under some openssl versions when a
 192      naive application doesn't use CRYPTO_set_locking_callback and
 193      CRYPTO_THREADID_set_callback to ensure openssl thread safety.
 194      This is simple workaround to prevent this common crash
 195      but a more proper solution is that applications setup platform-appropriate
 196      thread saftey in openssl externally */
 197 #ifndef SQLCIPHER_OPENSSL_NO_MUTEX_RAND
 198   CODEC_TRACE_MUTEX("sqlcipher_openssl_random: entering openssl_rand_mutex %p", openssl_rand_mutex);
 199   sqlite3_mutex_enter(openssl_rand_mutex);
 200   CODEC_TRACE_MUTEX("sqlcipher_openssl_random: entered openssl_rand_mutex %p", openssl_rand_mutex);
 201 #endif
 202   rc = RAND_bytes((unsigned char *)buffer, length);
 203 #ifndef SQLCIPHER_OPENSSL_NO_MUTEX_RAND
 204   CODEC_TRACE_MUTEX("sqlcipher_openssl_random: leaving openssl_rand_mutex %p", openssl_rand_mutex);
 205   sqlite3_mutex_leave(openssl_rand_mutex);
 206   CODEC_TRACE_MUTEX("sqlcipher_openssl_random: left openssl_rand_mutex %p", openssl_rand_mutex);
 207 #endif
 208   return (rc == 1) ? SQLITE_OK : SQLITE_ERROR;
 209 }
 210
 211 static int sqlcipher_openssl_hmac(void *ctx, int algorithm, unsigned char *hmac_key, int key_sz, unsigned char *in, int in_sz, unsigned char *in2, int in2_sz, unsigned char *out) {
 212   unsigned int outlen;
 213   int rc = SQLITE_OK;
 214   HMAC_CTX* hctx = NULL;
 215
 216   if(in == NULL) goto error;
 217
 218   hctx = HMAC_CTX_new();
 219   if(hctx == NULL) goto error;
 220
 221   switch(algorithm) {
 222     case SQLCIPHER_HMAC_SHA1:
 223       if(!HMAC_Init_ex(hctx, hmac_key, key_sz, EVP_sha1(), NULL)) goto error;
 224       break;
 225     case SQLCIPHER_HMAC_SHA256:
 226       if(!HMAC_Init_ex(hctx, hmac_key, key_sz, EVP_sha256(), NULL)) goto error;
 227       break;
 228     case SQLCIPHER_HMAC_SHA512:
 229       if(!HMAC_Init_ex(hctx, hmac_key, key_sz, EVP_sha512(), NULL)) goto error;
 230       break;
 231     default:
 232       goto error;
 233   }
 234
 235   if(!HMAC_Update(hctx, in, in_sz)) goto error;
 236   if(in2 != NULL) {
 237     if(!HMAC_Update(hctx, in2, in2_sz)) goto error;
 238   }
 239   if(!HMAC_Final(hctx, out, &outlen)) goto error;
 240
 241   goto cleanup;
 242 error:
 243   rc = SQLITE_ERROR;
 244 cleanup:
 245   if(hctx) HMAC_CTX_free(hctx);
 246   return rc;
 247 }
 248
 249 static int sqlcipher_openssl_kdf(void *ctx, int algorithm, const unsigned char *pass, int pass_sz, unsigned char* salt, int salt_sz, int workfactor, int key_sz, unsigned char *key) {
 250   int rc = SQLITE_OK;
 251
 252   switch(algorithm) {
 253     case SQLCIPHER_HMAC_SHA1:
 254       if(!PKCS5_PBKDF2_HMAC((const char *)pass, pass_sz, salt, salt_sz, workfactor, EVP_sha1(), key_sz, key)) goto error;
 255       break;
 256     case SQLCIPHER_HMAC_SHA256:
 257       if(!PKCS5_PBKDF2_HMAC((const char *)pass, pass_sz, salt, salt_sz, workfactor, EVP_sha256(), key_sz, key)) goto error;
 258       break;
 259     case SQLCIPHER_HMAC_SHA512:
 260       if(!PKCS5_PBKDF2_HMAC((const char *)pass, pass_sz, salt, salt_sz, workfactor, EVP_sha512(), key_sz, key)) goto error;
 261       break;
 262     default:
 263       return SQLITE_ERROR;
 264   }
 265
 266   goto cleanup;
 267 error:
 268   rc = SQLITE_ERROR;
 269 cleanup:
 270   return rc;
 271 }
 272
 273 static int sqlcipher_openssl_cipher(void *ctx, int mode, unsigned char *key, int key_sz, unsigned char *iv, unsigned char *in, int in_sz, unsigned char *out) {
 274   int tmp_csz, csz, rc = SQLITE_OK;
 275   EVP_CIPHER_CTX* ectx = EVP_CIPHER_CTX_new();
 276   if(ectx == NULL) goto error;
 277   if(!EVP_CipherInit_ex(ectx, ((openssl_ctx *)ctx)->evp_cipher, NULL, NULL, NULL, mode)) goto error;
 278   if(!EVP_CIPHER_CTX_set_padding(ectx, 0)) goto error; /* no padding */
 279   if(!EVP_CipherInit_ex(ectx, NULL, NULL, key, iv, mode)) goto error;
 280   if(!EVP_CipherUpdate(ectx, out, &tmp_csz, in, in_sz)) goto error;
 281   csz = tmp_csz;
 282   out += tmp_csz;
 283   if(!EVP_CipherFinal_ex(ectx, out, &tmp_csz)) goto error;
 284   csz += tmp_csz;
 285   assert(in_sz == csz);
 286
 287   goto cleanup;
 288 error:
 289   rc = SQLITE_ERROR;
 290 cleanup:
 291   if(ectx) EVP_CIPHER_CTX_free(ectx);
 292   return rc;
 293 }
 294
 295 static const char* sqlcipher_openssl_get_cipher(void *ctx) {
 296   return OBJ_nid2sn(EVP_CIPHER_nid(((openssl_ctx *)ctx)->evp_cipher));
 297 }
 298
 299 static int sqlcipher_openssl_get_key_sz(void *ctx) {
 300   return EVP_CIPHER_key_length(((openssl_ctx *)ctx)->evp_cipher);
 301 }
 302
 303 static int sqlcipher_openssl_get_iv_sz(void *ctx) {
 304   return EVP_CIPHER_iv_length(((openssl_ctx *)ctx)->evp_cipher);
 305 }
 306
 307 static int sqlcipher_openssl_get_block_sz(void *ctx) {
 308   return EVP_CIPHER_block_size(((openssl_ctx *)ctx)->evp_cipher);
 309 }
 310
 311 static int sqlcipher_openssl_get_hmac_sz(void *ctx, int algorithm) {
 312   switch(algorithm) {
 313     case SQLCIPHER_HMAC_SHA1:
 314       return EVP_MD_size(EVP_sha1());
 315       break;
 316     case SQLCIPHER_HMAC_SHA256:
 317       return EVP_MD_size(EVP_sha256());
 318       break;
 319     case SQLCIPHER_HMAC_SHA512:
 320       return EVP_MD_size(EVP_sha512());
 321       break;
 322     default:
 323       return 0;
 324   }
 325 }
 326
 327 static int sqlcipher_openssl_ctx_init(void **ctx) {
 328   openssl_ctx *o_ctx;
 329
 330   *ctx = sqlcipher_malloc(sizeof(openssl_ctx));
 331   if(*ctx == NULL) return SQLITE_NOMEM;
 332   sqlcipher_openssl_activate(*ctx);
 333
 334   o_ctx = (openssl_ctx *)*ctx;
 335   o_ctx->evp_cipher = (EVP_CIPHER *) EVP_get_cipherbyname(OPENSSL_CIPHER);
 336   return o_ctx->evp_cipher != NULL ? SQLITE_OK : SQLITE_ERROR;
 337 }
 338
 339 static int sqlcipher_openssl_ctx_free(void **ctx) {
 340   sqlcipher_openssl_deactivate(*ctx);
 341   sqlcipher_free(*ctx, sizeof(openssl_ctx));
 342   return SQLITE_OK;
 343 }
 344
 345 static int sqlcipher_openssl_fips_status(void *ctx) {
 346 #ifdef SQLCIPHER_FIPS
 347   return FIPS_mode();
 348 #else
 349   return 0;
 350 #endif
 351 }
 352
 353 static int sqlcipher_openssl_id(void *ctx) {
 354   return 2678498;
 355 }
 356
 357 static void* sqlcipher_openssl_status(void *ctx) {
 358   return NULL;
 359 }
 360
 361 int sqlcipher_openssl_setup(sqlcipher_provider *p) {
 362   p->activate = sqlcipher_openssl_activate;
 363   p->deactivate = sqlcipher_openssl_deactivate;
 364   p->get_provider_name = sqlcipher_openssl_get_provider_name;
 365   p->random = sqlcipher_openssl_random;
 366   p->hmac = sqlcipher_openssl_hmac;
 367   p->kdf = sqlcipher_openssl_kdf;
 368   p->cipher = sqlcipher_openssl_cipher;
 369   p->get_cipher = sqlcipher_openssl_get_cipher;
 370   p->get_key_sz = sqlcipher_openssl_get_key_sz;
 371   p->get_iv_sz = sqlcipher_openssl_get_iv_sz;
 372   p->get_block_sz = sqlcipher_openssl_get_block_sz;
 373   p->get_hmac_sz = sqlcipher_openssl_get_hmac_sz;
 374   p->ctx_init = sqlcipher_openssl_ctx_init;
 375   p->ctx_free = sqlcipher_openssl_ctx_free;
 376   p->add_random = sqlcipher_openssl_add_random;
 377   p->fips_status = sqlcipher_openssl_fips_status;
 378   p->get_provider_version = sqlcipher_openssl_get_provider_version;
 379   p->id = sqlcipher_openssl_id;
 380   p->status = sqlcipher_openssl_status;
 381   return SQLITE_OK;
 382 }
 383
 384 #endif
 385 #endif
 386 /* END SQLCIPHER */