luna - wolfssl/src/ssl

   1/* ssl_crypto.c
   2 *
   3 * Copyright (C) 2006-2026 wolfSSL Inc.
   4 *
   5 * This file is part of wolfSSL.
   6 *
   7 * wolfSSL is free software; you can redistribute it and/or modify
   8 * it under the terms of the GNU General Public License as published by
   9 * the Free Software Foundation; either version 3 of the License, or
  10 * (at your option) any later version.
  11 *
  12 * wolfSSL is distributed in the hope that it will be useful,
  13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
  14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  15 * GNU General Public License for more details.
  16 *
  17 * You should have received a copy of the GNU General Public License
  18 * along with this program; if not, write to the Free Software
  19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
  20 */
  21
  22#include <wolfssl/wolfcrypt/libwolfssl_sources.h>
  23
  24#ifndef WOLFSSL_SSL_CRYPTO_INCLUDED
  25    #ifndef WOLFSSL_IGNORE_FILE_WARN
  26        #warning ssl_crypto.c does not need to be compiled separately from ssl.c
  27    #endif
  28#else
  29
  30/*******************************************************************************
  31 * START OF Digest APIs
  32 ******************************************************************************/
  33
  34#ifdef OPENSSL_EXTRA
  35#ifndef NO_MD4
  36/* Initialize MD4 hash operation.
  37 *
  38 * @param [in, out] md4  MD4 context object.
  39 */
  40void wolfSSL_MD4_Init(WOLFSSL_MD4_CTX* md4)
  41{
  42    /* Ensure WOLFSSL_MD4_CTX is big enough for wolfCrypt Md4. */
  43    WOLFSSL_ASSERT_SIZEOF_GE(md4->buffer, wc_Md4);
  44
  45    WOLFSSL_ENTER("MD4_Init");
  46
  47    /* Initialize wolfCrypt MD4 object. */
  48    wc_InitMd4((wc_Md4*)md4);
  49}
  50
  51/* Update MD4 hash with data.
  52 *
  53 * @param [in, out] md4   MD4 context object.
  54 * @param [in]      data  Data to be hashed.
  55 * @param [in]      len   Length of data in bytes.
  56 */
  57void wolfSSL_MD4_Update(WOLFSSL_MD4_CTX* md4, const void* data,
  58    unsigned long len)
  59{
  60    WOLFSSL_ENTER("MD4_Update");
  61
  62    /* Update wolfCrypt MD4 object with data. */
  63    wc_Md4Update((wc_Md4*)md4, (const byte*)data, (word32)len);
  64}
  65
  66/* Finalize MD4 hash and return output.
  67 *
  68 * @param [out]     digest  Hash output.
  69 *                          Must be able to hold MD4_DIGEST_SIZE bytes.
  70 * @param [in, out] md4     MD4 context object.
  71 */
  72void wolfSSL_MD4_Final(unsigned char* digest, WOLFSSL_MD4_CTX* md4)
  73{
  74    WOLFSSL_ENTER("MD4_Final");
  75
  76    /* Finalize wolfCrypt MD4 hash into digest. */
  77    wc_Md4Final((wc_Md4*)md4, digest);
  78}
  79
  80#endif /* NO_MD4 */
  81#endif /* OPENSSL_EXTRA */
  82
  83#if defined(OPENSSL_EXTRA) || defined(HAVE_CURL)
  84#ifndef NO_MD5
  85/* Initialize MD5 hash operation.
  86 *
  87 * @param [in, out] md5  MD5 context object.
  88 * @return  1 on success.
  89 * @return  0 when md5 is NULL.
  90 */
  91int wolfSSL_MD5_Init(WOLFSSL_MD5_CTX* md5)
  92{
  93    /* Ensure WOLFSSL_MD5_CTX is big enough for wolfCrypt wc_Md5. */
  94    WOLFSSL_ASSERT_SIZEOF_GE(WOLFSSL_MD5_CTX, wc_Md5);
  95
  96    WOLFSSL_ENTER("MD5_Init");
  97
  98    /* Initialize wolfCrypt MD5 object. */
  99    return wc_InitMd5((wc_Md5*)md5) == 0;
 100}
 101
 102/* Update MD5 hash with data.
 103 *
 104 * @param [in, out] md5    MD5 context object.
 105 * @param [in]      input  Data to be hashed.
 106 * @param [in]      sz     Length of data in bytes.
 107 * @return  1 on success.
 108 * @return  0 when md5 is NULL.
 109 */
 110int wolfSSL_MD5_Update(WOLFSSL_MD5_CTX* md5, const void* input,
 111    unsigned long sz)
 112{
 113    WOLFSSL_ENTER("MD5_Update");
 114
 115    /* Update wolfCrypt MD5 object with data. */
 116    return wc_Md5Update((wc_Md5*)md5, (const byte*)input, (word32)sz) == 0;
 117}
 118
 119/* Finalize MD5 hash and return output.
 120 *
 121 * @param [out]     digest  Hash output.
 122 *                          Must be able to hold MD5_DIGEST_SIZE bytes.
 123 * @param [in, out] md5     MD5 context object.
 124 * @return  1 on success.
 125 * @return  0 when md5 or output is NULL.
 126 */
 127int wolfSSL_MD5_Final(byte* output, WOLFSSL_MD5_CTX* md5)
 128{
 129    int ret;
 130
 131    WOLFSSL_ENTER("MD5_Final");
 132
 133    /* Finalize wolfCrypt MD5 hash into output. */
 134    ret = (wc_Md5Final((wc_Md5*)md5, output) == 0);
 135    /* Free resources here, as OpenSSL API doesn't include MD5_Free(). */
 136    wc_Md5Free((wc_Md5*)md5);
 137
 138    return ret;
 139}
 140
 141/* Apply MD5 transformation to the data.
 142 *
 143 * 'data' has words reversed in this function when big endian.
 144 *
 145 * @param [in, out] md5   MD5 context object.
 146 * @param [in, out] data  One block of data to be hashed.
 147 * @return  1 on success.
 148 * @return  0 when md5 or data is NULL.
 149 */
 150int wolfSSL_MD5_Transform(WOLFSSL_MD5_CTX* md5, const unsigned char* data)
 151{
 152    WOLFSSL_ENTER("MD5_Transform");
 153
 154#if defined(BIG_ENDIAN_ORDER)
 155    /* Byte reversal done outside transform. */
 156    if ((md5 != NULL) && (data != NULL)) {
 157        ByteReverseWords((word32*)data, (word32*)data, WC_MD5_BLOCK_SIZE);
 158    }
 159#endif
 160    /* Transform block of data with wolfCrypt MD5 object. */
 161    return wc_Md5Transform((wc_Md5*)md5, data) == 0;
 162}
 163
 164/* One shot MD5 hash of data.
 165 *
 166 * When hash is null, a static buffer of MD5_DIGEST_SIZE is used.
 167 * When the static buffer is used this function is not thread safe.
 168 *
 169 * @param [in]  data  Data to be hashed.
 170 * @param [in]  len   Length of data in bytes.
 171 * @param [out] hash  Buffer to hold digest. May be NULL.
 172 *                    Must be able to hold MD5_DIGEST_SIZE bytes.
 173 * @return  Buffer holding hash on success.
 174 * @return  NULL when hashing fails.
 175 */
 176unsigned char* wolfSSL_MD5(const unsigned char* data, size_t len,
 177    unsigned char* hash)
 178{
 179    /* Buffer to use when hash is NULL. */
 180    static unsigned char dgst[WC_MD5_DIGEST_SIZE];
 181
 182    WOLFSSL_ENTER("wolfSSL_MD5");
 183
 184    /* Ensure buffer available for digest result. */
 185    if (hash == NULL) {
 186        hash = dgst;
 187    }
 188    /* One shot MD5 hash with wolfCrypt. */
 189    if (wc_Md5Hash(data, (word32)len, hash) != 0) {
 190        WOLFSSL_MSG("wc_Md5Hash error");
 191        hash = NULL;
 192    }
 193
 194    return hash;
 195}
 196#endif /* !NO_MD5 */
 197
 198#ifndef NO_SHA
 199/* Initialize SHA hash operation.
 200 *
 201 * @param [in, out] sha  SHA context object.
 202 * @return  1 on success.
 203 * @return  0 when sha is NULL.
 204 */
 205int wolfSSL_SHA_Init(WOLFSSL_SHA_CTX* sha)
 206{
 207    /* Ensure WOLFSSL_SHA_CTX is big enough for wolfCrypt wc_Sha. */
 208    WOLFSSL_ASSERT_SIZEOF_GE(WOLFSSL_SHA_CTX, wc_Sha);
 209
 210    WOLFSSL_ENTER("SHA_Init");
 211
 212    /* Initialize wolfCrypt SHA object. */
 213    return wc_InitSha((wc_Sha*)sha) == 0;
 214}
 215
 216/* Update SHA hash with data.
 217 *
 218 * @param [in, out] sha    SHA context object.
 219 * @param [in]      input  Data to be hashed.
 220 * @param [in]      sz     Length of data in bytes.
 221 * @return  1 on success.
 222 * @return  0 when md5 is NULL.
 223 */
 224int wolfSSL_SHA_Update(WOLFSSL_SHA_CTX* sha, const void* input,
 225    unsigned long sz)
 226{
 227    WOLFSSL_ENTER("SHA_Update");
 228
 229    /* Update wolfCrypt SHA object with data. */
 230    return wc_ShaUpdate((wc_Sha*)sha, (const byte*)input, (word32)sz) == 0;
 231}
 232
 233/* Finalize SHA hash and return output.
 234 *
 235 * @param [out]     output  Hash output.
 236 *                          Must be able to hold SHA_DIGEST_SIZE bytes.
 237 * @param [in, out] sha     SHA context object.
 238 * @return  1 on success.
 239 * @return  0 when sha or output is NULL.
 240 */
 241int wolfSSL_SHA_Final(byte* output, WOLFSSL_SHA_CTX* sha)
 242{
 243    int ret;
 244
 245    WOLFSSL_ENTER("SHA_Final");
 246
 247    /* Finalize wolfCrypt SHA hash into output. */
 248    ret = (wc_ShaFinal((wc_Sha*)sha, output) == 0);
 249    /* Free resources here, as OpenSSL API doesn't include SHA_Free(). */
 250    wc_ShaFree((wc_Sha*)sha);
 251
 252    return ret;
 253}
 254
 255#if !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || \
 256    (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2)))
 257/* Apply SHA transformation to the data.
 258 *
 259 * 'data' has words reversed in this function when little endian.
 260 *
 261 * @param [in, out] sha   SHA context object.
 262 * @param [in, out] data  One block of data to be hashed.
 263 * @return  1 on success.
 264 * @return  0 when sha or data is NULL.
 265 */
 266int wolfSSL_SHA_Transform(WOLFSSL_SHA_CTX* sha, const unsigned char* data)
 267{
 268    WOLFSSL_ENTER("SHA_Transform");
 269
 270#if defined(LITTLE_ENDIAN_ORDER)
 271    /* Byte reversal done outside transform. */
 272    if ((sha != NULL) && (data != NULL)) {
 273        ByteReverseWords((word32*)data, (word32*)data, WC_SHA_BLOCK_SIZE);
 274    }
 275#endif
 276    /* Transform block of data with wolfCrypt SHA object. */
 277    return wc_ShaTransform((wc_Sha*)sha, data) == 0;
 278}
 279#endif
 280
 281/* Initialize SHA-1 hash operation.
 282 *
 283 * @param [in, out] sha  SHA context object.
 284 * @return  1 on success.
 285 * @return  0 when sha is NULL.
 286 */
 287int wolfSSL_SHA1_Init(WOLFSSL_SHA_CTX* sha)
 288{
 289    WOLFSSL_ENTER("SHA1_Init");
 290
 291    return wolfSSL_SHA_Init(sha);
 292}
 293
 294
 295/* Update SHA-1 hash with data.
 296 *
 297 * @param [in, out] sha    SHA context object.
 298 * @param [in]      input  Data to be hashed.
 299 * @param [in]      sz     Length of data in bytes.
 300 * @return  1 on success.
 301 * @return  0 when sha is NULL.
 302 */
 303int wolfSSL_SHA1_Update(WOLFSSL_SHA_CTX* sha, const void* input,
 304    unsigned long sz)
 305{
 306    WOLFSSL_ENTER("SHA1_Update");
 307
 308    return wolfSSL_SHA_Update(sha, input, sz);
 309}
 310
 311/* Finalize SHA-1 hash and return output.
 312 *
 313 * @param [out]     output  Hash output.
 314 *                          Must be able to hold SHA_DIGEST_SIZE bytes.
 315 * @param [in, out] sha     SHA context object.
 316 * @return  1 on success.
 317 * @return  0 when sha or output is NULL.
 318 */
 319int wolfSSL_SHA1_Final(byte* output, WOLFSSL_SHA_CTX* sha)
 320{
 321    WOLFSSL_ENTER("SHA1_Final");
 322
 323    return wolfSSL_SHA_Final(output, sha);
 324}
 325
 326#if !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || \
 327    (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2)))
 328/* Apply SHA-1 transformation to the data.
 329 *
 330 * 'data' has words reversed in this function when little endian.
 331 *
 332 * @param [in, out] sha   SHA context object.
 333 * @param [in, out] data  One block of data to be hashed.
 334 * @return  1 on success.
 335 * @return  0 when sha or data is NULL.
 336 */
 337int wolfSSL_SHA1_Transform(WOLFSSL_SHA_CTX* sha, const unsigned char* data)
 338{
 339   WOLFSSL_ENTER("SHA1_Transform");
 340
 341   return wolfSSL_SHA_Transform(sha, data);
 342}
 343#endif
 344#endif /* !NO_SHA */
 345
 346#ifndef NO_SHA256
 347#ifdef WOLFSSL_SHA224
 348/* Initialize SHA-224 hash operation.
 349 *
 350 * @param [in, out] sha224  SHA-224 context object.
 351 * @return  1 on success.
 352 * @return  0 when sha224 is NULL.
 353 */
 354int wolfSSL_SHA224_Init(WOLFSSL_SHA224_CTX* sha224)
 355{
 356    /* Ensure WOLFSSL_SHA224_CTX is big enough for wolfCrypt wc_Sha224. */
 357    WOLFSSL_ASSERT_SIZEOF_GE(WOLFSSL_SHA224_CTX, wc_Sha224);
 358
 359    WOLFSSL_ENTER("SHA224_Init");
 360
 361    /* Initialize wolfCrypt SHA-224 object. */
 362    return wc_InitSha224((wc_Sha224*)sha224) == 0;
 363}
 364
 365/* Update SHA-224 hash with data.
 366 *
 367 * @param [in, out] sha224  SHA-224 context object.
 368 * @param [in]      input   Data to be hashed.
 369 * @param [in]      sz      Length of data in bytes.
 370 * @return  1 on success.
 371 * @return  0 when sha224 is NULL.
 372 */
 373int wolfSSL_SHA224_Update(WOLFSSL_SHA224_CTX* sha224, const void* input,
 374    unsigned long sz)
 375{
 376    WOLFSSL_ENTER("SHA224_Update");
 377
 378    /* Update wolfCrypt SHA-224 object with data. */
 379    return wc_Sha224Update((wc_Sha224*)sha224, (const byte*)input, (word32)sz)
 380        == 0;
 381}
 382
 383/* Finalize SHA-224 hash and return output.
 384 *
 385 * @param [out]     output  Hash output.
 386 *                          Must be able to hold SHA224_DIGEST_SIZE bytes.
 387 * @param [in, out] sha224  SHA-224 context object.
 388 * @return  1 on success.
 389 * @return  0 when sha224 or output is NULL.
 390 */
 391int wolfSSL_SHA224_Final(byte* output, WOLFSSL_SHA224_CTX* sha224)
 392{
 393    int ret;
 394
 395    WOLFSSL_ENTER("SHA224_Final");
 396
 397    /* Finalize wolfCrypt SHA-224 hash into output. */
 398    ret = (wc_Sha224Final((wc_Sha224*)sha224, output) == 0);
 399    /* Free resources here, as OpenSSL API doesn't include SHA224_Free(). */
 400    wc_Sha224Free((wc_Sha224*)sha224);
 401
 402    return ret;
 403}
 404
 405#endif /* WOLFSSL_SHA224 */
 406
 407/* Initialize SHA-256 hash operation.
 408 *
 409 * @param [in, out] sha256  SHA-256 context object.
 410 * @return  1 on success.
 411 * @return  0 when sha256 is NULL.
 412 */
 413int wolfSSL_SHA256_Init(WOLFSSL_SHA256_CTX* sha256)
 414{
 415    /* Ensure WOLFSSL_SHA256_CTX is big enough for wolfCrypt wc_Sha256. */
 416    WOLFSSL_ASSERT_SIZEOF_GE(WOLFSSL_SHA256_CTX, wc_Sha256);
 417
 418    WOLFSSL_ENTER("SHA256_Init");
 419
 420    /* Initialize wolfCrypt SHA-256 object. */
 421    return wc_InitSha256((wc_Sha256*)sha256) == 0;
 422}
 423
 424/* Update SHA-256 hash with data.
 425 *
 426 * @param [in, out] sha256  SHA-256 context object.
 427 * @param [in]      input   Data to be hashed.
 428 * @param [in]      sz      Length of data in bytes.
 429 * @return  1 on success.
 430 * @return  0 when sha256 is NULL.
 431 */
 432int wolfSSL_SHA256_Update(WOLFSSL_SHA256_CTX* sha256, const void* input,
 433    unsigned long sz)
 434{
 435    WOLFSSL_ENTER("SHA256_Update");
 436
 437    /* Update wolfCrypt SHA-256 object with data. */
 438    return wc_Sha256Update((wc_Sha256*)sha256, (const byte*)input, (word32)sz)
 439        == 0;
 440}
 441
 442/* Finalize SHA-256 hash and return output.
 443 *
 444 * @param [out]     output  Hash output.
 445 *                          Must be able to hold SHA256_DIGEST_SIZE bytes.
 446 * @param [in, out] sha256  SHA-256 context object.
 447 * @return  1 on success.
 448 * @return  0 when sha256 or output is NULL.
 449 */
 450int wolfSSL_SHA256_Final(byte* output, WOLFSSL_SHA256_CTX* sha256)
 451{
 452    int ret;
 453
 454    WOLFSSL_ENTER("SHA256_Final");
 455
 456    /* Finalize wolfCrypt SHA-256 hash into output. */
 457    ret = (wc_Sha256Final((wc_Sha256*)sha256, output) == 0);
 458    /* Free resources here, as OpenSSL API doesn't include SHA256_Free(). */
 459    wc_Sha256Free((wc_Sha256*)sha256);
 460
 461    return ret;
 462}
 463
 464#if !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || \
 465    (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2))) && \
 466    !defined(WOLFSSL_DEVCRYPTO_HASH) && !defined(WOLFSSL_AFALG_HASH) && \
 467    !defined(WOLFSSL_KCAPI_HASH) /* doesn't support direct transform */
 468/* Apply SHA-256 transformation to the data.
 469 *
 470 * 'data' has words reversed in this function when little endian.
 471 *
 472 * @param [in, out] sha256  SHA256 context object.
 473 * @param [in, out] data    One block of data to be hashed.
 474 * @return  1 on success.
 475 * @return  0 when sha256 or data is NULL.
 476 */
 477int wolfSSL_SHA256_Transform(WOLFSSL_SHA256_CTX* sha256,
 478    const unsigned char* data)
 479{
 480    WOLFSSL_ENTER("SHA256_Transform");
 481
 482#if defined(LITTLE_ENDIAN_ORDER)
 483    /* Byte reversal done outside transform. */
 484    if ((sha256 != NULL) && (data != NULL)) {
 485        ByteReverseWords((word32*)data, (word32*)data, WC_SHA256_BLOCK_SIZE);
 486    }
 487#endif
 488    /* Transform block of data with wolfCrypt SHA-256 object. */
 489    return wc_Sha256Transform((wc_Sha256*)sha256, data) == 0;
 490}
 491#endif
 492#endif /* !NO_SHA256 */
 493
 494#ifdef WOLFSSL_SHA384
 495
 496/* Initialize SHA-384 hash operation.
 497 *
 498 * @param [in, out] sha384  SHA-384 context object.
 499 * @return  1 on success.
 500 * @return  0 when sha384 is NULL.
 501 */
 502int wolfSSL_SHA384_Init(WOLFSSL_SHA384_CTX* sha384)
 503{
 504    /* Ensure WOLFSSL_SHA384_CTX is big enough for wolfCrypt wc_Sha384. */
 505    WOLFSSL_ASSERT_SIZEOF_GE(WOLFSSL_SHA384_CTX, wc_Sha384);
 506
 507    WOLFSSL_ENTER("SHA384_Init");
 508
 509    /* Initialize wolfCrypt SHA-384 object. */
 510    return wc_InitSha384((wc_Sha384*)sha384) == 0;
 511}
 512
 513/* Update SHA-384 hash with data.
 514 *
 515 * @param [in, out] sha384  SHA-384 context object.
 516 * @param [in]      input   Data to be hashed.
 517 * @param [in]      sz      Length of data in bytes.
 518 * @return  1 on success.
 519 * @return  0 when sha384 is NULL.
 520 */
 521int wolfSSL_SHA384_Update(WOLFSSL_SHA384_CTX* sha384, const void* input,
 522    unsigned long sz)
 523{
 524    WOLFSSL_ENTER("SHA384_Update");
 525
 526    /* Update wolfCrypt SHA-384 object with data. */
 527    return wc_Sha384Update((wc_Sha384*)sha384, (const byte*)input, (word32)sz)
 528        == 0;
 529}
 530
 531/* Finalize SHA-384 hash and return output.
 532 *
 533 * @param [out]     output  Hash output.
 534 *                          Must be able to hold SHA384_DIGEST_SIZE bytes.
 535 * @param [in, out] sha384  SHA-384 context object.
 536 * @return  1 on success.
 537 * @return  0 when sha384 or output is NULL.
 538 */
 539int wolfSSL_SHA384_Final(byte* output, WOLFSSL_SHA384_CTX* sha384)
 540{
 541    int ret;
 542
 543    WOLFSSL_ENTER("SHA384_Final");
 544
 545    /* Finalize wolfCrypt SHA-384 hash into output. */
 546    ret = (wc_Sha384Final((wc_Sha384*)sha384, output) == 0);
 547    /* Free resources here, as OpenSSL API doesn't include SHA384_Free(). */
 548    wc_Sha384Free((wc_Sha384*)sha384);
 549
 550    return ret;
 551}
 552#endif /* WOLFSSL_SHA384 */
 553
 554#ifdef WOLFSSL_SHA512
 555/* Initialize SHA-512 hash operation.
 556 *
 557 * @param [in, out] sha512  SHA-512 context object.
 558 * @return  1 on success.
 559 * @return  0 when sha512 is NULL.
 560 */
 561int wolfSSL_SHA512_Init(WOLFSSL_SHA512_CTX* sha512)
 562{
 563    /* Ensure WOLFSSL_SHA512_CTX is big enough for wolfCrypt wc_Sha512. */
 564    WOLFSSL_ASSERT_SIZEOF_GE(WOLFSSL_SHA512_CTX, wc_Sha512);
 565
 566    WOLFSSL_ENTER("SHA512_Init");
 567
 568    /* Initialize wolfCrypt SHA-512 object. */
 569    return wc_InitSha512((wc_Sha512*)sha512) == 0;
 570}
 571
 572/* Update SHA-512 hash with data.
 573 *
 574 * @param [in, out] sha512  SHA-512 context object.
 575 * @param [in]      input   Data to be hashed.
 576 * @param [in]      sz      Length of data in bytes.
 577 * @return  1 on success.
 578 * @return  0 when sha512 is NULL.
 579 */
 580int wolfSSL_SHA512_Update(WOLFSSL_SHA512_CTX* sha512, const void* input,
 581    unsigned long sz)
 582{
 583    WOLFSSL_ENTER("SHA512_Update");
 584
 585    /* Update wolfCrypt SHA-512 object with data. */
 586    return wc_Sha512Update((wc_Sha512*)sha512, (const byte*)input, (word32)sz)
 587        == 0;
 588}
 589
 590/* Finalize SHA-512 hash and return output.
 591 *
 592 * @param [out]     output  Hash output.
 593 *                          Must be able to hold SHA512_DIGEST_SIZE bytes.
 594 * @param [in, out] sha512  SHA-512 context object.
 595 * @return  1 on success.
 596 * @return  0 when sha512 or output is NULL.
 597 */
 598int wolfSSL_SHA512_Final(byte* output, WOLFSSL_SHA512_CTX* sha512)
 599{
 600    int ret;
 601
 602    WOLFSSL_ENTER("SHA512_Final");
 603
 604    /* Finalize wolfCrypt SHA-512 hash into output. */
 605    ret = (wc_Sha512Final((wc_Sha512*)sha512, output) == 0);
 606    /* Free resources here, as OpenSSL API doesn't include SHA512_Free(). */
 607    wc_Sha512Free((wc_Sha512*)sha512);
 608
 609    return ret;
 610}
 611
 612#if !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || \
 613    (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2))) && \
 614    !defined(WOLFSSL_KCAPI_HASH) /* doesn't support direct transform */
 615/* Apply SHA-512 transformation to the data.
 616 *
 617 * @param [in, out] sha512  SHA512 context object.
 618 * @param [in]      data    One block of data to be hashed.
 619 * @return  1 on success.
 620 * @return  0 when sha512 or data is NULL.
 621 */
 622int wolfSSL_SHA512_Transform(WOLFSSL_SHA512_CTX* sha512,
 623    const unsigned char* data)
 624{
 625    WOLFSSL_ENTER("SHA512_Transform");
 626
 627    /* Transform block of data with wolfCrypt SHA-512 object. */
 628    return wc_Sha512Transform((wc_Sha512*)sha512, data) == 0;
 629}
 630#endif /* !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && \
 631          (HAVE_FIPS_VERSION > 2)) && !WOLFSSL_KCAPI_HASH */
 632
 633#if !defined(WOLFSSL_NOSHA512_224) && \
 634   (!defined(HAVE_FIPS) || FIPS_VERSION_GE(5, 3)) && !defined(HAVE_SELFTEST)
 635/* Initialize SHA-512-224 hash operation.
 636 *
 637 * @param [in, out] sha512  SHA-512-224 context object.
 638 * @return  1 on success.
 639 * @return  0 when sha512 is NULL.
 640 */
 641int wolfSSL_SHA512_224_Init(WOLFSSL_SHA512_224_CTX* sha512)
 642{
 643    WOLFSSL_ENTER("SHA512_224_Init");
 644
 645    /* Initialize wolfCrypt SHA-512-224 object. */
 646    return wc_InitSha512_224((wc_Sha512*)sha512) == 0;
 647}
 648
 649/* Update SHA-512-224 hash with data.
 650 *
 651 * @param [in, out] sha512  SHA-512-224 context object.
 652 * @param [in]      input   Data to be hashed.
 653 * @param [in]      sz      Length of data in bytes.
 654 * @return  1 on success.
 655 * @return  0 when sha512 is NULL.
 656 */
 657int wolfSSL_SHA512_224_Update(WOLFSSL_SHA512_224_CTX* sha512, const void* input,
 658    unsigned long sz)
 659{
 660    WOLFSSL_ENTER("SHA512_224_Update");
 661
 662    /* Update wolfCrypt SHA-512-224 object with data. */
 663    return wc_Sha512_224Update((wc_Sha512*)sha512, (const byte*)input,
 664        (word32)sz) == 0;
 665}
 666
 667/* Finalize SHA-512-224 hash and return output.
 668 *
 669 * @param [out]     output  Hash output.
 670 *                          Must be able to hold SHA224_DIGEST_SIZE bytes.
 671 * @param [in, out] sha512  SHA-512-224 context object.
 672 * @return  1 on success.
 673 * @return  0 when sha512 or output is NULL.
 674 */
 675int wolfSSL_SHA512_224_Final(byte* output, WOLFSSL_SHA512_224_CTX* sha512)
 676{
 677    int ret;
 678
 679    WOLFSSL_ENTER("SHA512_224_Final");
 680
 681    /* Finalize wolfCrypt SHA-512-224 hash into output. */
 682    ret = (wc_Sha512_224Final((wc_Sha512*)sha512, output) == 0);
 683    /* Free resources here, as OpenSSL API doesn't include SHA512_224_Free(). */
 684    wc_Sha512_224Free((wc_Sha512*)sha512);
 685
 686    return ret;
 687}
 688
 689#if !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || \
 690    (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2)))
 691/* Apply SHA-512-224 transformation to the data.
 692 *
 693 * @param [in, out] sha512  SHA512 context object.
 694 * @param [in]      data    One block of data to be hashed.
 695 * @return  1 on success.
 696 * @return  0 when sha512 or data is NULL.
 697 */
 698int wolfSSL_SHA512_224_Transform(WOLFSSL_SHA512_CTX* sha512,
 699    const unsigned char* data)
 700{
 701    WOLFSSL_ENTER("SHA512_224_Transform");
 702
 703    /* Transform block of data with wolfCrypt SHA-512-224 object. */
 704    return wc_Sha512_224Transform((wc_Sha512*)sha512, data) == 0;
 705}
 706#endif /* !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && \
 707          (HAVE_FIPS_VERSION > 2)) */
 708
 709#endif /* !WOLFSSL_NOSHA512_224 && !FIPS ... */
 710
 711#if !defined(WOLFSSL_NOSHA512_256) && \
 712   (!defined(HAVE_FIPS) || FIPS_VERSION_GE(5, 3)) && !defined(HAVE_SELFTEST)
 713/* Initialize SHA-512-256 hash operation.
 714 *
 715 * @param [in, out] sha512  SHA-512-256 context object.
 716 * @return  1 on success.
 717 * @return  0 when sha512 is NULL.
 718 */
 719int wolfSSL_SHA512_256_Init(WOLFSSL_SHA512_256_CTX* sha)
 720{
 721    WOLFSSL_ENTER("SHA512_256_Init");
 722
 723    /* Initialize wolfCrypt SHA-512-256 object. */
 724    return wc_InitSha512_256((wc_Sha512*)sha) == 0;
 725}
 726
 727/* Update SHA-512-256 hash with data.
 728 *
 729 * @param [in, out] sha512  SHA-512-256 context object.
 730 * @param [in]      input   Data to be hashed.
 731 * @param [in]      sz      Length of data in bytes.
 732 * @return  1 on success.
 733 * @return  0 when sha512 is NULL.
 734 */
 735int wolfSSL_SHA512_256_Update(WOLFSSL_SHA512_256_CTX* sha512, const void* input,
 736    unsigned long sz)
 737{
 738    WOLFSSL_ENTER("SHA512_256_Update");
 739
 740    /* Update wolfCrypt SHA-512-256 object with data. */
 741    return wc_Sha512_256Update((wc_Sha512*)sha512, (const byte*)input,
 742        (word32)sz) == 0;
 743}
 744
 745/* Finalize SHA-512-256 hash and return output.
 746 *
 747 * @param [out]     output  Hash output.
 748 *                          Must be able to hold SHA256_DIGEST_SIZE bytes.
 749 * @param [in, out] sha512  SHA-512-256 context object.
 750 * @return  1 on success.
 751 * @return  0 when sha512 or output is NULL.
 752 */
 753int wolfSSL_SHA512_256_Final(byte* output, WOLFSSL_SHA512_256_CTX* sha512)
 754{
 755    int ret;
 756
 757    WOLFSSL_ENTER("SHA512_256_Final");
 758
 759    /* Finalize wolfCrypt SHA-512-256 hash into output. */
 760    ret = (wc_Sha512_256Final((wc_Sha512*)sha512, output) == 0);
 761    /* Free resources here, as OpenSSL API doesn't include SHA512_256_Free(). */
 762    wc_Sha512_224Free((wc_Sha512*)sha512);
 763
 764    return ret;
 765}
 766
 767#if !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || \
 768    (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2)))
 769/* Apply SHA-512-256 transformation to the data.
 770 *
 771 * @param [in, out] sha512  SHA512 context object.
 772 * @param [in]      data    One block of data to be hashed.
 773 * @return  1 on success.
 774 * @return  0 when sha512 or data is NULL.
 775 */
 776int wolfSSL_SHA512_256_Transform(WOLFSSL_SHA512_CTX* sha512,
 777    const unsigned char* data)
 778{
 779    WOLFSSL_ENTER("SHA512_256_Transform");
 780
 781    /* Transform block of data with wolfCrypt SHA-512-256 object. */
 782    return wc_Sha512_256Transform((wc_Sha512*)sha512, data) == 0;
 783}
 784#endif /* !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && \
 785          (HAVE_FIPS_VERSION > 2)) */
 786#endif /* !WOLFSSL_NOSHA512_256 && !FIPS ... */
 787#endif /* WOLFSSL_SHA512 */
 788
 789#ifdef WOLFSSL_SHA3
 790#ifndef WOLFSSL_NOSHA3_224
 791/* Initialize SHA3-224 hash operation.
 792 *
 793 * @param [in, out] sha3_224  SHA3-224 context object.
 794 * @return  1 on success.
 795 * @return  0 when sha3_224 is NULL.
 796 */
 797int wolfSSL_SHA3_224_Init(WOLFSSL_SHA3_224_CTX* sha3_224)
 798{
 799    /* Ensure WOLFSSL_SHA3_224_CTX is big enough for wolfCrypt wc_Sha3. */
 800    WOLFSSL_ASSERT_SIZEOF_GE(WOLFSSL_SHA3_224_CTX, wc_Sha3);
 801
 802    WOLFSSL_ENTER("SHA3_224_Init");
 803
 804    /* Initialize wolfCrypt SHA3-224 object. */
 805    return wc_InitSha3_224((wc_Sha3*)sha3_224, NULL, INVALID_DEVID) == 0;
 806}
 807
 808/* Update SHA3-224 hash with data.
 809 *
 810 * @param [in, out] sha3   SHA3-224 context object.
 811 * @param [in]      input  Data to be hashed.
 812 * @param [in]      sz     Length of data in bytes.
 813 * @return  1 on success.
 814 * @return  0 when sha3 is NULL.
 815 */
 816int wolfSSL_SHA3_224_Update(WOLFSSL_SHA3_224_CTX* sha3, const void* input,
 817    unsigned long sz)
 818{
 819    WOLFSSL_ENTER("SHA3_224_Update");
 820
 821    /* Update wolfCrypt SHA3-224 object with data. */
 822    return wc_Sha3_224_Update((wc_Sha3*)sha3, (const byte*)input, (word32)sz)
 823        == 0;
 824}
 825
 826/* Finalize SHA3-224 hash and return output.
 827 *
 828 * @param [out]     output  Hash output.
 829 *                          Must be able to hold SHA3_224_DIGEST_SIZE bytes.
 830 * @param [in, out] sha3    SHA3-224 context object.
 831 * @return  1 on success.
 832 * @return  0 when sha3 or output is NULL.
 833 */
 834int wolfSSL_SHA3_224_Final(byte* output, WOLFSSL_SHA3_224_CTX* sha3)
 835{
 836    int ret;
 837
 838    WOLFSSL_ENTER("SHA3_224_Final");
 839
 840    /* Finalize wolfCrypt SHA3-224 hash into output. */
 841    ret = (wc_Sha3_224_Final((wc_Sha3*)sha3, output) == 0);
 842    /* Free resources here, as OpenSSL API doesn't include SHA3_224_Free(). */
 843    wc_Sha3_224_Free((wc_Sha3*)sha3);
 844
 845    return ret;
 846}
 847#endif /* WOLFSSL_NOSHA3_224 */
 848
 849#ifndef WOLFSSL_NOSHA3_256
 850/* Initialize SHA3-256 hash operation.
 851 *
 852 * @param [in, out] sha3_256  SHA3-256 context object.
 853 * @return  1 on success.
 854 * @return  0 when sha3_256 is NULL.
 855 */
 856int wolfSSL_SHA3_256_Init(WOLFSSL_SHA3_256_CTX* sha3_256)
 857{
 858    /* Ensure WOLFSSL_SHA3_256_CTX is big enough for wolfCrypt wc_Sha3. */
 859    WOLFSSL_ASSERT_SIZEOF_GE(WOLFSSL_SHA3_256_CTX, wc_Sha3);
 860
 861    WOLFSSL_ENTER("SHA3_256_Init");
 862
 863    /* Initialize wolfCrypt SHA3-256 object. */
 864    return wc_InitSha3_256((wc_Sha3*)sha3_256, NULL, INVALID_DEVID) == 0;
 865}
 866
 867/* Update SHA3-256 hash with data.
 868 *
 869 * @param [in, out] sha3   SHA3-256 context object.
 870 * @param [in]      input  Data to be hashed.
 871 * @param [in]      sz     Length of data in bytes.
 872 * @return  1 on success.
 873 * @return  0 when sha3 is NULL.
 874 */
 875int wolfSSL_SHA3_256_Update(WOLFSSL_SHA3_256_CTX* sha3, const void* input,
 876    unsigned long sz)
 877{
 878    WOLFSSL_ENTER("SHA3_256_Update");
 879
 880    /* Update wolfCrypt SHA3-256 object with data. */
 881    return wc_Sha3_256_Update((wc_Sha3*)sha3, (const byte*)input, (word32)sz)
 882        == 0;
 883}
 884
 885/* Finalize SHA3-256 hash and return output.
 886 *
 887 * @param [out]     output  Hash output.
 888 *                          Must be able to hold SHA3_256_DIGEST_SIZE bytes.
 889 * @param [in, out] sha3    SHA3-256 context object.
 890 * @return  1 on success.
 891 * @return  0 when sha3 or output is NULL.
 892 */
 893int wolfSSL_SHA3_256_Final(byte* output, WOLFSSL_SHA3_256_CTX* sha3)
 894{
 895    int ret;
 896
 897    WOLFSSL_ENTER("SHA3_256_Final");
 898
 899    /* Finalize wolfCrypt SHA3-256 hash into output. */
 900    ret = (wc_Sha3_256_Final((wc_Sha3*)sha3, output) == 0);
 901    /* Free resources here, as OpenSSL API doesn't include SHA3_256_Free(). */
 902    wc_Sha3_256_Free((wc_Sha3*)sha3);
 903
 904    return ret;
 905}
 906#endif /* WOLFSSL_NOSHA3_256 */
 907
 908#ifndef WOLFSSL_NOSHA3_384
 909/* Initialize SHA3-384 hash operation.
 910 *
 911 * @param [in, out] sha3_384  SHA3-384 context object.
 912 * @return  1 on success.
 913 * @return  0 when sha3_384 is NULL.
 914 */
 915int wolfSSL_SHA3_384_Init(WOLFSSL_SHA3_384_CTX* sha3_384)
 916{
 917    /* Ensure WOLFSSL_SHA3_384_CTX is big enough for wolfCrypt wc_Sha3. */
 918    WOLFSSL_ASSERT_SIZEOF_GE(WOLFSSL_SHA3_384_CTX, wc_Sha3);
 919
 920    WOLFSSL_ENTER("SHA3_384_Init");
 921
 922    /* Initialize wolfCrypt SHA3-384 object. */
 923    return wc_InitSha3_384((wc_Sha3*)sha3_384, NULL, INVALID_DEVID) == 0;
 924}
 925
 926/* Update SHA3-384 hash with data.
 927 *
 928 * @param [in, out] sha3   SHA3-384 context object.
 929 * @param [in]      input  Data to be hashed.
 930 * @param [in]      sz     Length of data in bytes.
 931 * @return  1 on success.
 932 * @return  0 when sha3 is NULL.
 933 */
 934int wolfSSL_SHA3_384_Update(WOLFSSL_SHA3_384_CTX* sha3, const void* input,
 935    unsigned long sz)
 936{
 937    WOLFSSL_ENTER("SHA3_384_Update");
 938
 939    /* Update wolfCrypt SHA3-384 object with data. */
 940    return wc_Sha3_384_Update((wc_Sha3*)sha3, (const byte*)input, (word32)sz)
 941        == 0;
 942}
 943
 944/* Finalize SHA3-384 hash and return output.
 945 *
 946 * @param [out]     output  Hash output.
 947 *                          Must be able to hold SHA3_384_DIGEST_SIZE bytes.
 948 * @param [in, out] sha3    SHA3-384 context object.
 949 * @return  1 on success.
 950 * @return  0 when sha3 or output is NULL.
 951 */
 952int wolfSSL_SHA3_384_Final(byte* output, WOLFSSL_SHA3_384_CTX* sha3)
 953{
 954    int ret;
 955
 956    WOLFSSL_ENTER("SHA3_384_Final");
 957
 958    /* Finalize wolfCrypt SHA3-384 hash into output. */
 959    ret = (wc_Sha3_384_Final((wc_Sha3*)sha3, output) == 0);
 960    /* Free resources here, as OpenSSL API doesn't include SHA3_384_Free(). */
 961    wc_Sha3_384_Free((wc_Sha3*)sha3);
 962
 963    return ret;
 964}
 965#endif /* WOLFSSL_NOSHA3_384 */
 966
 967#ifndef WOLFSSL_NOSHA3_512
 968/* Initialize SHA3-512 hash operation.
 969 *
 970 * @param [in, out] sha3_512  SHA3-512 context object.
 971 * @return  1 on success.
 972 * @return  0 when sha3_512 is NULL.
 973 */
 974int wolfSSL_SHA3_512_Init(WOLFSSL_SHA3_512_CTX* sha3_512)
 975{
 976    /* Ensure WOLFSSL_SHA3_512_CTX is big enough for wolfCrypt wc_Sha3. */
 977    WOLFSSL_ASSERT_SIZEOF_GE(WOLFSSL_SHA3_512_CTX, wc_Sha3);
 978
 979    WOLFSSL_ENTER("SHA3_512_Init");
 980
 981    /* Initialize wolfCrypt SHA3-512 object. */
 982    return wc_InitSha3_512((wc_Sha3*)sha3_512, NULL, INVALID_DEVID) == 0;
 983}
 984
 985/* Update SHA3-512 hash with data.
 986 *
 987 * @param [in, out] sha3   SHA3-512 context object.
 988 * @param [in]      input  Data to be hashed.
 989 * @param [in]      sz     Length of data in bytes.
 990 * @return  1 on success.
 991 * @return  0 when sha3 is NULL.
 992 */
 993int wolfSSL_SHA3_512_Update(WOLFSSL_SHA3_512_CTX* sha3, const void* input,
 994    unsigned long sz)
 995{
 996    WOLFSSL_ENTER("SHA3_512_Update");
 997
 998    /* Update wolfCrypt SHA3-512 object with data. */
 999    return wc_Sha3_512_Update((wc_Sha3*)sha3, (const byte*)input, (word32)sz)
1000        == 0;
1001}
1002
1003/* Finalize SHA3-512 hash and return output.
1004 *
1005 * @param [out]     output  Hash output.
1006 *                          Must be able to hold SHA3_512_DIGEST_SIZE bytes.
1007 * @param [in, out] sha3    SHA3-512 context object.
1008 * @return  1 on success.
1009 * @return  0 when sha3 or output is NULL.
1010 */
1011int wolfSSL_SHA3_512_Final(byte* output, WOLFSSL_SHA3_512_CTX* sha3)
1012{
1013    int ret;
1014
1015    WOLFSSL_ENTER("SHA3_512_Final");
1016
1017    /* Finalize wolfCrypt SHA3-512 hash into output. */
1018    ret = (wc_Sha3_512_Final((wc_Sha3*)sha3, output) == 0);
1019    /* Free resources here, as OpenSSL API doesn't include SHA3_512_Free(). */
1020    wc_Sha3_512_Free((wc_Sha3*)sha3);
1021
1022    return ret;
1023}
1024#endif /* WOLFSSL_NOSHA3_512 */
1025#endif /* WOLFSSL_SHA3 */
1026#endif /* OPENSSL_EXTRA || HAVE_CURL */
1027
1028#if defined(OPENSSL_EXTRA) || defined(HAVE_LIGHTY) || \
1029    defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(HAVE_STUNNEL) || \
1030    defined(WOLFSSL_NGINX) || defined(HAVE_POCO_LIB) || \
1031    defined(WOLFSSL_HAPROXY)
1032
1033#ifndef NO_SHA
1034/* One shot SHA1 hash of data.
1035 *
1036 * When hash is null, a static buffer of SHA_DIGEST_SIZE is used.
1037 * When the static buffer is used this function is not thread safe.
1038 *
1039 * @param [in]  data  Data to hash.
1040 * @param [in]  len   Size of data in bytes.
1041 * @param [out] hash  Buffer to hold digest. May be NULL.
1042 *                    Must be able to hold SHA_DIGEST_SIZE bytes.
1043 * @return  Buffer holding hash on success.
1044 * @return  NULL when hashing fails.
1045 */
1046unsigned char* wolfSSL_SHA1(const unsigned char* data, size_t len,
1047    unsigned char* hash)
1048{
1049    /* Buffer to use when hash is NULL. */
1050    static byte dgst[WC_SHA_DIGEST_SIZE];
1051    WC_DECLARE_VAR(sha, wc_Sha, 1, 0);
1052    int ret = 0;
1053
1054    WOLFSSL_ENTER("wolfSSL_SHA1");
1055
1056    /* Use static buffer if none passed in. */
1057    if (hash == NULL) {
1058        WOLFSSL_MSG("STATIC BUFFER BEING USED. wolfSSL_SHA1 IS NOT "
1059                    "THREAD SAFE WHEN hash == NULL");
1060        hash = dgst;
1061    }
1062
1063    /* Allocate dynamic memory for a wolfSSL SHA object. */
1064    WC_ALLOC_VAR_EX(sha, wc_Sha, 1, NULL, DYNAMIC_TYPE_DIGEST,
1065        ret=MEMORY_E);
1066
1067    if (ret == 0) {
1068        /* Initialize wolfCrypt SHA object. */
1069        ret = wc_InitSha_ex(sha, NULL, INVALID_DEVID);
1070        if (ret != 0) {
1071            WOLFSSL_MSG("SHA1 Init failed");
1072            hash = NULL;
1073        }
1074    }
1075    if (ret == 0) {
1076        /* Update wolfCrypt SHA object with data. */
1077        ret = wc_ShaUpdate(sha, (const byte*)data, (word32)len);
1078        if (ret != 0) {
1079            WOLFSSL_MSG("SHA1 Update failed");
1080            hash = NULL;
1081        }
1082
1083        if (ret == 0) {
1084            /* Finalize wolfCrypt SHA hash into hash. */
1085            ret = wc_ShaFinal(sha, hash);
1086            if (ret != 0) {
1087                WOLFSSL_MSG("SHA1 Final failed");
1088                hash = NULL;
1089            }
1090        }
1091        /* Dispose of dynamic memory associated with SHA object. */
1092        wc_ShaFree(sha);
1093    }
1094
1095    WC_FREE_VAR_EX(sha, NULL, DYNAMIC_TYPE_DIGEST);
1096    return hash;
1097}
1098#endif /* ! NO_SHA */
1099
1100#ifdef WOLFSSL_SHA224
1101/* One shot SHA-224 hash of data.
1102 *
1103 * When hash is null, a static buffer of SHA224_DIGEST_SIZE is used.
1104 * When the static buffer is used this function is not thread safe.
1105 *
1106 * @param [in]  data  Data to hash.
1107 * @param [in]  len   Size of data in bytes.
1108 * @param [out] hash  Buffer to hold digest. May be NULL.
1109 *                    Must be able to hold SHA224_DIGEST_SIZE bytes.
1110 * @return  Buffer holding hash on success.
1111 * @return  NULL when hashing fails.
1112 */
1113unsigned char* wolfSSL_SHA224(const unsigned char* data, size_t len,
1114    unsigned char* hash)
1115{
1116    /* Buffer to use when hash is NULL. */
1117    static byte dgst[WC_SHA224_DIGEST_SIZE];
1118    WC_DECLARE_VAR(sha224, wc_Sha224, 1, 0);
1119    int ret = 0;
1120
1121    WOLFSSL_ENTER("wolfSSL_SHA224");
1122
1123    /* Use static buffer if none passed in. */
1124    if (hash == NULL) {
1125        WOLFSSL_MSG("STATIC BUFFER BEING USED. wolfSSL_SHA224 IS NOT "
1126                    "THREAD SAFE WHEN hash == NULL");
1127        hash = dgst;
1128    }
1129
1130    /* Allocate dynamic memory for a wolfSSL SHA-224 object. */
1131    WC_ALLOC_VAR_EX(sha224, wc_Sha224, 1, NULL, DYNAMIC_TYPE_DIGEST,
1132        ret=MEMORY_E);
1133
1134    if (ret == 0) {
1135        /* Initialize wolfCrypt SHA224 object. */
1136        ret = wc_InitSha224_ex(sha224, NULL, INVALID_DEVID);
1137        if (ret != 0) {
1138            WOLFSSL_MSG("SHA224 Init failed");
1139            hash = NULL;
1140        }
1141    }
1142    if (ret == 0) {
1143        /* Update wolfCrypt SHA-224 object with data. */
1144        ret = wc_Sha224Update(sha224, (const byte*)data, (word32)len);
1145        if (ret != 0) {
1146            WOLFSSL_MSG("SHA224 Update failed");
1147            hash = NULL;
1148        }
1149
1150        if (ret == 0) {
1151            /* Finalize wolfCrypt SHA-224 hash into hash. */
1152            ret = wc_Sha224Final(sha224, hash);
1153            if (ret != 0) {
1154                WOLFSSL_MSG("SHA224 Final failed");
1155                hash = NULL;
1156            }
1157        }
1158        /* Dispose of dynamic memory associated with SHA-224 object. */
1159        wc_Sha224Free(sha224);
1160    }
1161
1162    WC_FREE_VAR_EX(sha224, NULL, DYNAMIC_TYPE_DIGEST);
1163    return hash;
1164}
1165#endif
1166
1167#ifndef NO_SHA256
1168/* One shot SHA-256 hash of data.
1169 *
1170 * When hash is null, a static buffer of SHA256_DIGEST_SIZE is used.
1171 * When the static buffer is used this function is not thread safe.
1172 *
1173 * @param [in]  data  Data to hash.
1174 * @param [in]  len   Size of data in bytes.
1175 * @param [out] hash  Buffer to hold digest. May be NULL.
1176 *                    Must be able to hold SHA256_DIGEST_SIZE bytes.
1177 * @return  Buffer holding hash on success.
1178 * @return  NULL when hashing fails.
1179 */
1180unsigned char* wolfSSL_SHA256(const unsigned char* data, size_t len,
1181    unsigned char* hash)
1182{
1183    /* Buffer to use when hash is NULL. */
1184    static byte dgst[WC_SHA256_DIGEST_SIZE];
1185    WC_DECLARE_VAR(sha256, wc_Sha256, 1, 0);
1186    int ret = 0;
1187
1188    WOLFSSL_ENTER("wolfSSL_SHA256");
1189
1190    /* Use static buffer if none passed in. */
1191    if (hash == NULL) {
1192        WOLFSSL_MSG("STATIC BUFFER BEING USED. wolfSSL_SHA256 IS NOT "
1193                    "THREAD SAFE WHEN hash == NULL");
1194        hash = dgst;
1195    }
1196
1197    /* Allocate dynamic memory for a wolfSSL SHA-256 object. */
1198    WC_ALLOC_VAR_EX(sha256, wc_Sha256, 1, NULL, DYNAMIC_TYPE_DIGEST,
1199        ret=MEMORY_E);
1200
1201    if (ret == 0) {
1202        /* Initialize wolfCrypt SHA256 object. */
1203        ret = wc_InitSha256_ex(sha256, NULL, INVALID_DEVID);
1204        if (ret != 0) {
1205            WOLFSSL_MSG("SHA256 Init failed");
1206            hash = NULL;
1207        }
1208    }
1209    if (ret == 0) {
1210        /* Update wolfCrypt SHA-256 object with data. */
1211        ret = wc_Sha256Update(sha256, (const byte*)data, (word32)len);
1212        if (ret != 0) {
1213            WOLFSSL_MSG("SHA256 Update failed");
1214            hash = NULL;
1215        }
1216
1217        if (ret == 0) {
1218            /* Finalize wolfCrypt SHA-256 hash into hash. */
1219            ret = wc_Sha256Final(sha256, hash);
1220            if (ret != 0) {
1221                WOLFSSL_MSG("SHA256 Final failed");
1222                hash = NULL;
1223            }
1224        }
1225        /* Dispose of dynamic memory associated with SHA-256 object. */
1226        wc_Sha256Free(sha256);
1227    }
1228
1229    WC_FREE_VAR_EX(sha256, NULL, DYNAMIC_TYPE_DIGEST);
1230    return hash;
1231}
1232#endif /* ! NO_SHA256 */
1233
1234#ifdef WOLFSSL_SHA384
1235/* One shot SHA-384 hash of data.
1236 *
1237 * When hash is null, a static buffer of SHA384_DIGEST_SIZE is used.
1238 * When the static buffer is used this function is not thread safe.
1239 *
1240 * @param [in]  data  Data to hash.
1241 * @param [in]  len   Size of data in bytes.
1242 * @param [out] hash  Buffer to hold digest. May be NULL.
1243 *                    Must be able to hold SHA384_DIGEST_SIZE bytes.
1244 * @return  Buffer holding hash on success.
1245 * @return  NULL when hashing fails.
1246 */
1247unsigned char* wolfSSL_SHA384(const unsigned char* data, size_t len,
1248    unsigned char* hash)
1249{
1250    /* Buffer to use when hash is NULL. */
1251    static byte dgst[WC_SHA384_DIGEST_SIZE];
1252    WC_DECLARE_VAR(sha384, wc_Sha384, 1, 0);
1253    int ret = 0;
1254
1255    WOLFSSL_ENTER("wolfSSL_SHA384");
1256
1257    /* Use static buffer if none passed in. */
1258    if (hash == NULL) {
1259        WOLFSSL_MSG("STATIC BUFFER BEING USED. wolfSSL_SHA384 IS NOT "
1260                    "THREAD SAFE WHEN hash == NULL");
1261        hash = dgst;
1262    }
1263
1264    /* Allocate dynamic memory for a wolfSSL SHA-384 object. */
1265    WC_ALLOC_VAR_EX(sha384, wc_Sha384, 1, NULL, DYNAMIC_TYPE_DIGEST,
1266        ret=MEMORY_E);
1267
1268    if (ret == 0) {
1269        /* Initialize wolfCrypt SHA384 object. */
1270        ret = wc_InitSha384_ex(sha384, NULL, INVALID_DEVID);
1271        if (ret != 0) {
1272            WOLFSSL_MSG("SHA384 Init failed");
1273            hash = NULL;
1274        }
1275    }
1276    if (ret == 0) {
1277        /* Update wolfCrypt SHA-384 object with data. */
1278        ret = wc_Sha384Update(sha384, (const byte*)data, (word32)len);
1279        if (ret != 0) {
1280            WOLFSSL_MSG("SHA384 Update failed");
1281            hash = NULL;
1282        }
1283
1284        if (ret == 0) {
1285            /* Finalize wolfCrypt SHA-384 hash into hash. */
1286            ret = wc_Sha384Final(sha384, hash);
1287            if (ret != 0) {
1288                WOLFSSL_MSG("SHA384 Final failed");
1289                hash = NULL;
1290            }
1291        }
1292        /* Dispose of dynamic memory associated with SHA-384 object. */
1293        wc_Sha384Free(sha384);
1294    }
1295
1296    WC_FREE_VAR_EX(sha384, NULL, DYNAMIC_TYPE_DIGEST);
1297    return hash;
1298}
1299#endif /* WOLFSSL_SHA384  */
1300
1301#if defined(WOLFSSL_SHA512)
1302/* One shot SHA-512 hash of data.
1303 *
1304 * When hash is null, a static buffer of SHA512_DIGEST_SIZE is used.
1305 * When the static buffer is used this function is not thread safe.
1306 *
1307 * @param [in]  data  Data to hash.
1308 * @param [in]  len   Size of data in bytes.
1309 * @param [out] hash  Buffer to hold digest. May be NULL.
1310 *                    Must be able to hold SHA512_DIGEST_SIZE bytes.
1311 * @return  Buffer holding hash on success.
1312 * @return  NULL when hashing fails.
1313 */
1314unsigned char* wolfSSL_SHA512(const unsigned char* data, size_t len,
1315    unsigned char* hash)
1316{
1317    /* Buffer to use when hash is NULL. */
1318    static byte dgst[WC_SHA512_DIGEST_SIZE];
1319    WC_DECLARE_VAR(sha512, wc_Sha512, 1, 0);
1320    int ret = 0;
1321
1322    WOLFSSL_ENTER("wolfSSL_SHA512");
1323
1324    /* Use static buffer if none passed in. */
1325    if (hash == NULL) {
1326        WOLFSSL_MSG("STATIC BUFFER BEING USED. wolfSSL_SHA512 IS NOT "
1327                    "THREAD SAFE WHEN hash == NULL");
1328        hash = dgst;
1329    }
1330
1331    /* Allocate dynamic memory for a wolfSSL SHA-512 object. */
1332    WC_ALLOC_VAR_EX(sha512, wc_Sha512, 1, NULL, DYNAMIC_TYPE_DIGEST,
1333        ret=MEMORY_E);
1334
1335    if (ret == 0) {
1336        /* Initialize wolfCrypt SHA512 object. */
1337        ret = wc_InitSha512_ex(sha512, NULL, INVALID_DEVID);
1338        if (ret != 0) {
1339            WOLFSSL_MSG("SHA512 Init failed");
1340            hash = NULL;
1341        }
1342    }
1343    if (ret == 0) {
1344        /* Update wolfCrypt SHA-512 object with data. */
1345        ret = wc_Sha512Update(sha512, (const byte*)data, (word32)len);
1346        if (ret != 0) {
1347            WOLFSSL_MSG("SHA512 Update failed");
1348            hash = NULL;
1349        }
1350
1351        if (ret == 0) {
1352            /* Finalize wolfCrypt SHA-512 hash into hash. */
1353            ret = wc_Sha512Final(sha512, hash);
1354            if (ret != 0) {
1355                WOLFSSL_MSG("SHA512 Final failed");
1356                hash = NULL;
1357            }
1358        }
1359        /* Dispose of dynamic memory associated with SHA-512 object. */
1360        wc_Sha512Free(sha512);
1361    }
1362
1363    WC_FREE_VAR_EX(sha512, NULL, DYNAMIC_TYPE_DIGEST);
1364    return hash;
1365}
1366#endif /* WOLFSSL_SHA512 */
1367#endif /* OPENSSL_EXTRA || HAVE_LIGHTY || WOLFSSL_MYSQL_COMPATIBLE ||
1368        * HAVE_STUNNEL || WOLFSSL_NGINX || HAVE_POCO_LIB || WOLFSSL_HAPROXY */
1369
1370/*******************************************************************************
1371 * END OF Digest APIs
1372 ******************************************************************************/
1373
1374/*******************************************************************************
1375 * START OF HMAC API
1376 ******************************************************************************/
1377
1378/* _Internal Hmac object initialization. */
1379#define _HMAC_Init _InitHmac
1380
1381#if defined(OPENSSL_EXTRA) && !defined(WOLFCRYPT_ONLY)
1382
1383/*
1384 * Helper Functions
1385 */
1386
1387/* Copy a wolfSSL HMAC object.
1388 *
1389 * Requires that hash structures have no dynamic parts to them.
1390 *
1391 * @param [out] dst  Copy into this object.
1392 * @param [in]  src  Copy from this object.
1393 * @return  1 on success.
1394 * @return  0 on failure.
1395 */
1396int wolfSSL_HmacCopy(Hmac* dst, Hmac* src)
1397{
1398    void* heap;
1399    int ret = 1;
1400
1401#ifndef HAVE_FIPS
1402    heap = src->heap;
1403#else
1404    heap = NULL;
1405#endif
1406
1407    /* Initialize the destination object to reset state. */
1408    if (wc_HmacInit(dst, heap, 0) != 0) {
1409        ret = 0;
1410    }
1411
1412    if (ret == 1) {
1413        int rc;
1414
1415        /* Copy the digest object based on the MAC type. */
1416        switch (src->macType) {
1417    #ifndef NO_MD5
1418        case WC_MD5:
1419            rc = wc_Md5Copy(&src->hash.md5, &dst->hash.md5);
1420        #ifdef WOLFSSL_HMAC_COPY_HASH
1421            if (rc == 0) {
1422                rc = wc_Md5Copy(&src->i_hash.md5, &dst->i_hash.md5);
1423            }
1424            if (rc == 0) {
1425                rc = wc_Md5Copy(&src->o_hash.md5, &dst->o_hash.md5);
1426            }
1427        #endif
1428            break;
1429    #endif /* !NO_MD5 */
1430
1431    #ifndef NO_SHA
1432        case WC_SHA:
1433            rc = wc_ShaCopy(&src->hash.sha, &dst->hash.sha);
1434        #ifdef WOLFSSL_HMAC_COPY_HASH
1435            if (rc == 0) {
1436                rc = wc_ShaCopy(&src->i_hash.sha, &dst->i_hash.sha);
1437            }
1438            if (rc == 0) {
1439                rc = wc_ShaCopy(&src->o_hash.sha, &dst->o_hash.sha);
1440            }
1441        #endif
1442            break;
1443    #endif /* !NO_SHA */
1444
1445    #ifdef WOLFSSL_SHA224
1446        case WC_SHA224:
1447            rc = wc_Sha224Copy(&src->hash.sha224, &dst->hash.sha224);
1448        #ifdef WOLFSSL_HMAC_COPY_HASH
1449            if (rc == 0) {
1450                rc = wc_Sha224Copy(&src->i_hash.sha224, &dst->i_hash.sha224);
1451            }
1452            if (rc == 0) {
1453                rc = wc_Sha224Copy(&src->o_hash.sha224, &dst->o_hash.sha224);
1454            }
1455        #endif
1456            break;
1457    #endif /* WOLFSSL_SHA224 */
1458
1459    #ifndef NO_SHA256
1460        case WC_SHA256:
1461            rc = wc_Sha256Copy(&src->hash.sha256, &dst->hash.sha256);
1462        #ifdef WOLFSSL_HMAC_COPY_HASH
1463            if (rc == 0) {
1464                rc = wc_Sha256Copy(&src->i_hash.sha256, &dst->i_hash.sha256);
1465            }
1466            if (rc == 0) {
1467                rc = wc_Sha256Copy(&src->o_hash.sha256, &dst->o_hash.sha256);
1468            }
1469        #endif
1470            break;
1471    #endif /* !NO_SHA256 */
1472
1473    #ifdef WOLFSSL_SHA384
1474        case WC_SHA384:
1475            rc = wc_Sha384Copy(&src->hash.sha384, &dst->hash.sha384);
1476        #ifdef WOLFSSL_HMAC_COPY_HASH
1477            if (rc == 0) {
1478                rc = wc_Sha384Copy(&src->i_hash.sha384, &dst->i_hash.sha384);
1479            }
1480            if (rc == 0) {
1481                rc = wc_Sha384Copy(&src->o_hash.sha384, &dst->o_hash.sha384);
1482            }
1483        #endif
1484            break;
1485    #endif /* WOLFSSL_SHA384 */
1486    #ifdef WOLFSSL_SHA512
1487        case WC_SHA512:
1488            rc = wc_Sha512Copy(&src->hash.sha512, &dst->hash.sha512);
1489        #ifdef WOLFSSL_HMAC_COPY_HASH
1490            if (rc == 0) {
1491                rc = wc_Sha512Copy(&src->i_hash.sha512, &dst->i_hash.sha512);
1492            }
1493            if (rc == 0) {
1494                rc = wc_Sha512Copy(&src->o_hash.sha512, &dst->o_hash.sha512);
1495            }
1496        #endif
1497            break;
1498    #endif /* WOLFSSL_SHA512 */
1499#ifdef WOLFSSL_SHA3
1500    #ifndef WOLFSSL_NOSHA3_224
1501        case WC_SHA3_224:
1502            rc = wc_Sha3_224_Copy(&src->hash.sha3, &dst->hash.sha3);
1503        #ifdef WOLFSSL_HMAC_COPY_HASH
1504            if (rc == 0) {
1505                rc = wc_Sha3_224_Copy(&src->i_hash.sha3, &dst->i_hash.sha3);
1506            }
1507            if (rc == 0) {
1508                rc = wc_Sha3_224_Copy(&src->o_hash.sha3, &dst->o_hash.sha3);
1509            }
1510        #endif
1511            break;
1512    #endif /* WOLFSSL_NO_SHA3_224 */
1513    #ifndef WOLFSSL_NOSHA3_256
1514        case WC_SHA3_256:
1515            rc = wc_Sha3_256_Copy(&src->hash.sha3, &dst->hash.sha3);
1516        #ifdef WOLFSSL_HMAC_COPY_HASH
1517            if (rc == 0) {
1518                rc = wc_Sha3_256_Copy(&src->i_hash.sha3, &dst->i_hash.sha3);
1519            }
1520            if (rc == 0) {
1521                rc = wc_Sha3_256_Copy(&src->o_hash.sha3, &dst->o_hash.sha3);
1522            }
1523        #endif
1524            break;
1525    #endif /* WOLFSSL_NO_SHA3_256 */
1526    #ifndef WOLFSSL_NOSHA3_384
1527        case WC_SHA3_384:
1528            rc = wc_Sha3_384_Copy(&src->hash.sha3, &dst->hash.sha3);
1529        #ifdef WOLFSSL_HMAC_COPY_HASH
1530            if (rc == 0) {
1531                rc = wc_Sha3_384_Copy(&src->i_hash.sha3, &dst->i_hash.sha3);
1532            }
1533            if (rc == 0) {
1534                rc = wc_Sha3_384_Copy(&src->o_hash.sha3, &dst->o_hash.sha3);
1535            }
1536        #endif
1537            break;
1538    #endif /* WOLFSSL_NO_SHA3_384 */
1539    #ifndef WOLFSSL_NOSHA3_512
1540        case WC_SHA3_512:
1541            rc = wc_Sha3_512_Copy(&src->hash.sha3, &dst->hash.sha3);
1542        #ifdef WOLFSSL_HMAC_COPY_HASH
1543            if (rc == 0) {
1544                rc = wc_Sha3_512_Copy(&src->i_hash.sha3, &dst->i_hash.sha3);
1545            }
1546            if (rc == 0) {
1547                rc = wc_Sha3_512_Copy(&src->o_hash.sha3, &dst->o_hash.sha3);
1548            }
1549        #endif
1550            break;
1551    #endif /* WOLFSSL_NO_SHA3_512 */
1552#endif /* WOLFSSL_SHA3 */
1553
1554    #ifdef WOLFSSL_SM3
1555        case WC_SM3:
1556            rc = wc_Sm3Copy(&src->hash.sm3, &dst->hash.sm3);
1557        #ifdef WOLFSSL_HMAC_COPY_HASH
1558            if (rc == 0) {
1559                rc = wc_Sm3Copy(&src->i_hash.sm3, &dst->i_hash.sm3);
1560            }
1561            if (rc == 0) {
1562                rc = wc_Sm3Copy(&src->o_hash.sm3, &dst->o_hash.sm3);
1563            }
1564        #endif
1565            break;
1566    #endif /* WOLFSSL_SM3 */
1567
1568        default:
1569            /* Digest algorithm not supported. */
1570            rc = BAD_FUNC_ARG;
1571        }
1572
1573        /* Check result of digest object copy. */
1574        if (rc != 0) {
1575            ret = 0;
1576        }
1577    }
1578
1579    if (ret == 1) {
1580        /* Copy the pads which are derived from the key. */
1581        XMEMCPY((byte*)dst->ipad, (byte*)src->ipad, WC_HMAC_BLOCK_SIZE);
1582        XMEMCPY((byte*)dst->opad, (byte*)src->opad, WC_HMAC_BLOCK_SIZE);
1583        /* Copy the inner hash that is the current state. */
1584        XMEMCPY((byte*)dst->innerHash, (byte*)src->innerHash,
1585            WC_MAX_DIGEST_SIZE);
1586        /* Copy other fields. */
1587    #ifndef HAVE_FIPS
1588        dst->heap    = heap;
1589    #endif
1590        dst->macType = src->macType;
1591        dst->innerHashKeyed = src->innerHashKeyed;
1592
1593#ifdef WOLFSSL_ASYNC_CRYPT
1594        XMEMCPY(&dst->asyncDev, &src->asyncDev, sizeof(WC_ASYNC_DEV));
1595        dst->keyLen = src->keyLen;
1596    #ifdef HAVE_CAVIUM
1597        /* Copy the dynamic data. */
1598        dst->data = (byte*)XMALLOC(src->dataLen, dst->heap, DYNAMIC_TYPE_HMAC);
1599        if (dst->data == NULL) {
1600            ret = BUFFER_E;
1601        }
1602        else {
1603            XMEMCPY(dst->data, src->data, src->dataLen);
1604            dst->dataLen = src->dataLen;
1605       }
1606    #endif /* HAVE_CAVIUM */
1607#endif /* WOLFSSL_ASYNC_CRYPT */
1608    }
1609
1610    return ret;
1611}
1612
1613
1614/*
1615 * wolfSSL_HMAC_CTX APIs.
1616 */
1617
1618/* Allocate a new HMAC context object and initialize.
1619 *
1620 * @return  A cleared HMAC context object on success.
1621 * @return  NULL on failure.
1622 */
1623WOLFSSL_HMAC_CTX* wolfSSL_HMAC_CTX_new(void)
1624{
1625    WOLFSSL_HMAC_CTX* hmac_ctx;
1626
1627    /* Allocate dynamic memory for HMAC context object. */
1628    hmac_ctx = (WOLFSSL_HMAC_CTX*)XMALLOC(sizeof(WOLFSSL_HMAC_CTX), NULL,
1629        DYNAMIC_TYPE_OPENSSL);
1630    if (hmac_ctx != NULL) {
1631        /* Initialize HMAC context object. */
1632        wolfSSL_HMAC_CTX_Init(hmac_ctx);
1633    }
1634
1635    return hmac_ctx;
1636}
1637
1638/* Initialize a HMAC context object.
1639 *
1640 * Not an OpenSSL compatibility API.
1641 *
1642 * @param [in, out] ctx  HMAC context object.
1643 * @return  1 indicating success.
1644 */
1645int wolfSSL_HMAC_CTX_Init(WOLFSSL_HMAC_CTX* ctx)
1646{
1647    WOLFSSL_MSG("wolfSSL_HMAC_CTX_Init");
1648
1649    if (ctx != NULL) {
1650        /* Clear all fields. */
1651        XMEMSET(ctx, 0, sizeof(WOLFSSL_HMAC_CTX));
1652        /* type field is 0 == WC_HASH_TYPE_NONE. */
1653        /* TODO: for FIPS and selftest 0 == WC_HASH_TYPE_MD5 instead. */
1654    }
1655
1656    return 1;
1657}
1658
1659/* Deep copy of information from one HMAC context object to another.
1660 *
1661 * @param [out] dst  Copy into this object.
1662 * @param [in]  src  Copy from this object.
1663 * @return  1 on success.
1664 * @return  0 on failure.
1665 */
1666int wolfSSL_HMAC_CTX_copy(WOLFSSL_HMAC_CTX* dst, WOLFSSL_HMAC_CTX* src)
1667{
1668    int ret = 1;
1669
1670    WOLFSSL_ENTER("wolfSSL_HMAC_CTX_copy");
1671
1672    /* Validate parameters. */
1673    if ((dst == NULL) || (src == NULL)) {
1674        ret = 0;
1675    }
1676
1677    if (ret == 1) {
1678        /* Copy hash type. */
1679        dst->type = src->type;
1680        /* Move pads derived from key into save space. */
1681        XMEMCPY((byte *)&dst->save_ipad, (byte *)&src->hmac.ipad,
1682            WC_HMAC_BLOCK_SIZE);
1683        XMEMCPY((byte *)&dst->save_opad, (byte *)&src->hmac.opad,
1684            WC_HMAC_BLOCK_SIZE);
1685        /* Copy the wolfSSL Hmac ocbject. */
1686        ret = wolfSSL_HmacCopy(&dst->hmac, &src->hmac);
1687    }
1688
1689    return ret;
1690}
1691
1692/* Cleanup internal state of HMAC context object.
1693 *
1694 * Not an OpenSSL compatibility API.
1695 *
1696 * @param [in, out] ctx  HMAC context object.
1697 */
1698void wolfSSL_HMAC_CTX_cleanup(WOLFSSL_HMAC_CTX* ctx)
1699{
1700    if (ctx != NULL) {
1701        /* Cleanup HMAC operation data. */
1702        wolfSSL_HMAC_cleanup(ctx);
1703    }
1704}
1705
1706/* Free HMAC context object.
1707 *
1708 * ctx is deallocated and can no longer be used after this call.
1709 *
1710 * @param [in] ctx  HMAC context object.
1711 */
1712void wolfSSL_HMAC_CTX_free(WOLFSSL_HMAC_CTX* ctx)
1713{
1714    if (ctx != NULL) {
1715        /* Cleanup HMAC context object, including freeing dynamic data. */
1716        wolfSSL_HMAC_CTX_cleanup(ctx);
1717        /* Dispose of the memory for the HMAC context object. */
1718        XFREE(ctx, NULL, DYNAMIC_TYPE_OPENSSL);
1719    }
1720}
1721
1722/* Get the EVP digest of the HMAC context.
1723 *
1724 * @param [in] ctx  HMAC context object.
1725 * @return  EVP digest object.
1726 * @return  NULL when ctx is NULL or EVP digest not set.
1727 */
1728const WOLFSSL_EVP_MD* wolfSSL_HMAC_CTX_get_md(const WOLFSSL_HMAC_CTX* ctx)
1729{
1730    const WOLFSSL_EVP_MD* ret = NULL;
1731
1732    if (ctx != NULL) {
1733        /* Get EVP digest based on digest type. */
1734        ret = wolfSSL_macType2EVP_md((enum wc_HashType)ctx->type);
1735    }
1736
1737    return ret;
1738}
1739
1740/*
1741 * wolfSSL_HMAC APIs.
1742 */
1743
1744/* Initialize the HMAC operation.
1745 *
1746 * @param [in, out] ctx    HMAC context object.
1747 * @param [in]      key    Array of bytes representing key.
1748 *                         May be NULL indicating to use the same key as
1749 *                         previously.
1750 * @param [in]      keySz  Number of bytes in key.
1751 *                         0+ in non-FIPS, 14+ in FIPS.
1752 * @param [in]      type   EVP digest indicate digest type.
1753 *                         May be NULL if initialized previously.
1754 * @param [in]      e      wolfSSL engine. Ignored.
1755 * @return  1 on success.
1756 * @return  0 on failure.
1757 */
1758int wolfSSL_HMAC_Init_ex(WOLFSSL_HMAC_CTX* ctx, const void* key, int keySz,
1759    const WOLFSSL_EVP_MD* type, WOLFSSL_ENGINE* e)
1760{
1761    WOLFSSL_ENTER("wolfSSL_HMAC_Init_ex");
1762
1763    /* WOLFSSL_ENGINE not used, call wolfSSL_HMAC_Init */
1764    (void)e;
1765
1766    return wolfSSL_HMAC_Init(ctx, key, keySz, type);
1767}
1768
1769/* Initialize the HMAC operation.
1770 *
1771 * @param [in, out] ctx    HMAC context object.
1772 * @param [in]      key    Array of bytes representing key.
1773 *                         May be NULL indicating to use the same key as
1774 *                         previously.
1775 * @param [in]      keySz  Number of bytes in key.
1776 *                         0+ in non-FIPS, 14+ in FIPS.
1777 * @param [in]      type   EVP digest indicate digest type.
1778 *                         May be NULL if initialized previously.
1779 * @return  1 on success.
1780 * @return  0 on failure.
1781 */
1782int wolfSSL_HMAC_Init(WOLFSSL_HMAC_CTX* ctx, const void* key, int keylen,
1783    const WOLFSSL_EVP_MD* type)
1784{
1785    int ret = 1;
1786    void* heap = NULL;
1787    int rc;
1788
1789    WOLFSSL_MSG("wolfSSL_HMAC_Init");
1790
1791    /* Validate parameters. */
1792    if (ctx == NULL) {
1793        WOLFSSL_MSG("no ctx on init");
1794        ret = 0;
1795    }
1796    /* Digest type must have been previously set if not specified. */
1797    if ((ret == 1) && (type == NULL) && (ctx->type == (int)WC_HASH_TYPE_NONE)) {
1798        WOLFSSL_MSG("no hash type");
1799        ret = 0;
1800    }
1801    /* wolfSSL HMAC object must have been setup with a key if not specified. */
1802    if ((ret == 1) && (key == NULL) &&
1803            (ctx->hmac.macType == (int)WC_HASH_TYPE_NONE)) {
1804        WOLFSSL_MSG("wolfCrypt hash not setup");
1805        ret = 0;
1806    }
1807
1808    if (ret == 1) {
1809    #ifndef HAVE_FIPS
1810        heap = ctx->hmac.heap;
1811    #endif
1812
1813        if (type != NULL) {
1814            WOLFSSL_MSG("init has type");
1815            /* Get the digest type based on EVP digest. */
1816            if (wolfssl_evp_md_to_hash_type(type, &ctx->type) != 0) {
1817                WOLFSSL_MSG("bad init type");
1818                ret = 0;
1819            }
1820        }
1821    }
1822
1823    if (ret == 1) {
1824        /* Check if init has been called before */
1825        int inited = (ctx->hmac.macType != WC_HASH_TYPE_NONE);
1826        /* Free if wolfSSL HMAC object when initialized. */
1827        if (inited) {
1828            wc_HmacFree(&ctx->hmac);
1829        }
1830        /* Initialize wolfSSL HMAC object for new HMAC operation. */
1831        rc = wc_HmacInit(&ctx->hmac, NULL, INVALID_DEVID);
1832        if (rc != 0) {
1833            ret = 0;
1834        }
1835    }
1836    if ((ret == 1) && (key != NULL)) {
1837        /* Set the key into wolfSSL HMAC object. */
1838        rc = wc_HmacSetKey(&ctx->hmac, ctx->type, (const byte*)key,
1839            (word32)keylen);
1840        if (rc != 0) {
1841            /* in FIPS mode a key < 14 characters will fail here */
1842            WOLFSSL_MSG("hmac set key error");
1843            WOLFSSL_ERROR(rc);
1844            wc_HmacFree(&ctx->hmac);
1845            ret = 0;
1846        }
1847        if (ret == 1) {
1848            /* Save the pads which are derived from the key. Used to re-init. */
1849            XMEMCPY((byte *)&ctx->save_ipad, (byte *)&ctx->hmac.ipad,
1850                WC_HMAC_BLOCK_SIZE);
1851            XMEMCPY((byte *)&ctx->save_opad, (byte *)&ctx->hmac.opad,
1852                WC_HMAC_BLOCK_SIZE);
1853        }
1854    }
1855    else if (ret == 1) {
1856        WOLFSSL_MSG("recover hmac");
1857        /* Set state of wolfSSL HMAC object. */
1858        ctx->hmac.macType = (byte)ctx->type;
1859        ctx->hmac.innerHashKeyed = 0;
1860        /* Restore key by copying in saved pads. */
1861        XMEMCPY((byte *)&ctx->hmac.ipad, (byte *)&ctx->save_ipad,
1862            WC_HMAC_BLOCK_SIZE);
1863        XMEMCPY((byte *)&ctx->hmac.opad, (byte *)&ctx->save_opad,
1864            WC_HMAC_BLOCK_SIZE);
1865    #ifdef WOLFSSL_HMAC_COPY_HASH
1866        rc = _HmacInitIOHashes(&ctx->hmac);
1867        if (rc != 0) {
1868            WOLFSSL_MSG("hmac init i_hash/o_hash error");
1869            WOLFSSL_ERROR(rc);
1870            ret = 0;
1871        }
1872        if (ret == 1)
1873    #endif
1874        {
1875            /* Initialize the wolfSSL HMAC object. */
1876            rc = _HMAC_Init(&ctx->hmac, ctx->hmac.macType, heap);
1877            if (rc != 0) {
1878                WOLFSSL_MSG("hmac init error");
1879                WOLFSSL_ERROR(rc);
1880                ret = 0;
1881            }
1882        }
1883    }
1884
1885    return ret;
1886}
1887
1888/* Update the HMAC operation with more data.
1889 *
1890 * TODO: 'len' should be a signed type.
1891 *
1892 * @param [in, out] ctx   HMAC context object.
1893 * @param [in]      data  Array of byted to MAC. May be NULL.
1894 * @param [in]      len   Number of bytes to MAC. May be 0.
1895 * @return  1 on success.
1896 * @return  0 when ctx is NULL or HMAC update fails.
1897 */
1898int wolfSSL_HMAC_Update(WOLFSSL_HMAC_CTX* ctx, const unsigned char* data,
1899    int len)
1900{
1901    int ret = 1;
1902
1903    WOLFSSL_MSG("wolfSSL_HMAC_Update");
1904
1905    /* Validate parameters. */
1906    if (ctx == NULL) {
1907        WOLFSSL_MSG("no ctx");
1908        ret = 0;
1909    }
1910
1911    /* Update when there is data to add. */
1912    if ((ret == 1) && (data != NULL) && (len > 0)) {
1913        int rc;
1914
1915        WOLFSSL_MSG("updating hmac");
1916        /* Update wolfSSL HMAC object. */
1917        rc = wc_HmacUpdate(&ctx->hmac, data, (word32)len);
1918        if (rc != 0){
1919            WOLFSSL_MSG("hmac update error");
1920            ret = 0;
1921        }
1922    }
1923
1924    return ret;
1925}
1926
1927/* Finalize HMAC operation.
1928 *
1929 * @param [in, out] ctx   HMAC context object.
1930 * @param [out]     hash  Buffer to hold HMAC result.
1931 *                        Must be able to hold bytes equivalent to digest size.
1932 * @param [out]     len   Length of HMAC result. May be NULL.
1933 * @return  1 on success.
1934 * @return  0 when ctx or hash is NULL.
1935 * @return  0 when HMAC finalization fails.
1936 */
1937int wolfSSL_HMAC_Final(WOLFSSL_HMAC_CTX* ctx, unsigned char* hash,
1938    unsigned int* len)
1939{
1940    int ret = 1;
1941    int rc;
1942
1943    WOLFSSL_MSG("wolfSSL_HMAC_Final");
1944
1945    /* Validate parameters. */
1946    if ((ctx == NULL) || (hash == NULL)) {
1947        WOLFSSL_MSG("invalid parameter");
1948        ret = 0;
1949    }
1950
1951    if (ret == 1) {
1952        WOLFSSL_MSG("final hmac");
1953        /* Finalize wolfSSL HMAC object. */
1954        rc = wc_HmacFinal(&ctx->hmac, hash);
1955        if (rc != 0){
1956            WOLFSSL_MSG("final hmac error");
1957            ret = 0;
1958        }
1959    }
1960    if ((ret == 1) && (len != NULL)) {
1961        WOLFSSL_MSG("setting output len");
1962        /* Get the length of the output based on digest type. */
1963        *len = wolfssl_mac_len((unsigned char)ctx->type);
1964    }
1965
1966    return ret;
1967}
1968
1969
1970/* Cleanup the HMAC operation.
1971 *
1972 * Not an OpenSSL compatibility API.
1973 *
1974 * @param [in, out] ctx  HMAC context object.
1975 * @return  1 indicating success.
1976 */
1977int wolfSSL_HMAC_cleanup(WOLFSSL_HMAC_CTX* ctx)
1978{
1979    WOLFSSL_MSG("wolfSSL_HMAC_cleanup");
1980
1981    if (ctx != NULL) {
1982        /* Free the dynamic data in the wolfSSL HMAC object. */
1983        wc_HmacFree(&ctx->hmac);
1984    }
1985
1986    return 1;
1987}
1988
1989/* HMAC data using the specified EVP digest.
1990 *
1991 * @param [in]  evp_md  EVP digest.
1992 * @param [in]  key     Array of bytes representing key.
1993 * @param [in]  keySz   Number of bytes in key.
1994 *                      0+ in non-FIPS, 14+ in FIPS.
1995 * @param [in]  data    Data to MAC.
1996 * @param [in]  len     Length in bytes of data to MAC.
1997 * @param [out] md      HMAC output.
1998 * @param [out] md_len  Length of HMAC output in bytes. May be NULL.
1999 * @return  Buffer holding HMAC output.
2000 * @return  NULL on failure.
2001 */
2002unsigned char* wolfSSL_HMAC(const WOLFSSL_EVP_MD* evp_md, const void* key,
2003    int key_len, const unsigned char* data, size_t len, unsigned char* md,
2004    unsigned int* md_len)
2005{
2006    unsigned char* ret = NULL;
2007    int rc = 0;
2008    int type = 0;
2009    int hmacLen = 0;
2010    WC_DECLARE_VAR(hmac, Hmac, 1, 0);
2011    void* heap = NULL;
2012
2013    /* Validate parameters. */
2014    if ((evp_md == NULL) || (key == NULL) || (md == NULL)) {
2015        rc = BAD_FUNC_ARG;
2016    }
2017
2018    if (rc == 0) {
2019        /* Get the hash type corresponding to the EVP digest. */
2020        rc = wolfssl_evp_md_to_hash_type(evp_md, &type);
2021    }
2022#ifdef WOLFSSL_SMALL_STACK
2023    if (rc == 0) {
2024        /* Allocate dynamic memory for a wolfSSL HMAC object. */
2025        hmac = (Hmac*)XMALLOC(sizeof(Hmac), heap, DYNAMIC_TYPE_HMAC);
2026        if (hmac == NULL) {
2027            rc = MEMORY_E;
2028        }
2029    }
2030#endif
2031    if (rc == 0)  {
2032        /* Get the HMAC output length. */
2033        hmacLen = (int)wolfssl_mac_len((unsigned char)type);
2034        /* 0 indicates the digest is not supported. */
2035        if (hmacLen == 0) {
2036            rc = BAD_FUNC_ARG;
2037        }
2038    }
2039    /* Initialize the wolfSSL HMAC object. */
2040    if ((rc == 0) && (wc_HmacInit(hmac, heap, INVALID_DEVID) == 0)) {
2041        /* Set the key into the wolfSSL HMAC object. */
2042        rc = wc_HmacSetKey(hmac, type, (const byte*)key, (word32)key_len);
2043        if (rc == 0) {
2044           /* Update the wolfSSL HMAC object with data. */
2045            rc = wc_HmacUpdate(hmac, data, (word32)len);
2046        }
2047        /* Finalize the wolfSSL HMAC object. */
2048        if ((rc == 0) && (wc_HmacFinal(hmac, md) == 0)) {
2049            /* Return the length of the HMAC output if required. */
2050            if (md_len != NULL) {
2051                *md_len = (unsigned int)hmacLen;
2052            }
2053            /* Set the buffer to return. */
2054            ret = md;
2055        }
2056        /* Dispose of dynamic memory associated with the wolfSSL HMAC object. */
2057        wc_HmacFree(hmac);
2058    }
2059
2060    WC_FREE_VAR_EX(hmac, heap, DYNAMIC_TYPE_HMAC);
2061    return ret;
2062}
2063
2064/* Get the HMAC output size.
2065 *
2066 * @param [in] ctx  HMAC context object.
2067 * @return  Size of HMAC output in bytes.
2068 * @return  0 when ctx is NULL or no digest algorithm set.
2069 */
2070size_t wolfSSL_HMAC_size(const WOLFSSL_HMAC_CTX* ctx)
2071{
2072    size_t ret = 0;
2073
2074    if (ctx != NULL) {
2075        /* Look up digest size with wolfSSL. */
2076        ret = (size_t)wc_HashGetDigestSize((enum wc_HashType)ctx->hmac.macType);
2077    }
2078
2079    return ret;
2080}
2081#endif /* OPENSSL_EXTRA */
2082
2083/*******************************************************************************
2084 * END OF HMAC API
2085 ******************************************************************************/
2086
2087/*******************************************************************************
2088 * START OF CMAC API
2089 ******************************************************************************/
2090
2091#if defined(OPENSSL_EXTRA) && !defined(WOLFCRYPT_ONLY)
2092#if defined(WOLFSSL_CMAC) && defined(OPENSSL_EXTRA) && \
2093    defined(WOLFSSL_AES_DIRECT)
2094/* Allocate a new CMAC context object.
2095 *
2096 * TODO: make fields static.
2097 *
2098 * @return  A CMAC context object on success.
2099 * @return  NULL on failure.
2100 */
2101WOLFSSL_CMAC_CTX* wolfSSL_CMAC_CTX_new(void)
2102{
2103    WOLFSSL_CMAC_CTX* ctx = NULL;
2104
2105    /* Allocate memory for CMAC context object. */
2106    ctx = (WOLFSSL_CMAC_CTX*)XMALLOC(sizeof(WOLFSSL_CMAC_CTX), NULL,
2107        DYNAMIC_TYPE_OPENSSL);
2108    if (ctx != NULL) {
2109        /* Memory for wolfSSL CMAC object is allocated in
2110         * wolfSSL_CMAC_Init().
2111         */
2112        ctx->internal = NULL;
2113        /* Allocate memory for EVP cipher context object. */
2114        ctx->cctx = wolfSSL_EVP_CIPHER_CTX_new();
2115        if (ctx->cctx == NULL) {
2116            XFREE(ctx->internal, NULL, DYNAMIC_TYPE_CMAC);
2117            XFREE(ctx, NULL, DYNAMIC_TYPE_OPENSSL);
2118            ctx = NULL;
2119        }
2120    }
2121
2122    return ctx;
2123}
2124
2125/* Free CMAC context object and dynamically allocated fields.
2126 *
2127 * ctx is deallocated and can no longer be used after this call.
2128 *
2129 * @param [in] ctx  CMAC context object.
2130 */
2131void wolfSSL_CMAC_CTX_free(WOLFSSL_CMAC_CTX *ctx)
2132{
2133    if (ctx != NULL) {
2134        /* Deallocate dynamically allocated fields. */
2135        if (ctx->internal != NULL) {
2136#if (!defined(HAVE_FIPS) || FIPS_VERSION_GE(5, 3)) && !defined(HAVE_SELFTEST)
2137            wc_CmacFree((Cmac*)ctx->internal);
2138#endif
2139            XFREE(ctx->internal, NULL, DYNAMIC_TYPE_CMAC);
2140        }
2141        if (ctx->cctx != NULL) {
2142            wolfSSL_EVP_CIPHER_CTX_cleanup(ctx->cctx);
2143            wolfSSL_EVP_CIPHER_CTX_free(ctx->cctx);
2144        }
2145        /* Deallocate CMAC context object. */
2146        XFREE(ctx, NULL, DYNAMIC_TYPE_OPENSSL);
2147    }
2148}
2149
2150/* Return a reference to the EVP cipher context.
2151 *
2152 * @param [in] ctx  CMAC context object.
2153 * @return  EVP cipher context.
2154 * @return  NULL when ctx is NULL.
2155 */
2156WOLFSSL_EVP_CIPHER_CTX* wolfSSL_CMAC_CTX_get0_cipher_ctx(WOLFSSL_CMAC_CTX* ctx)
2157{
2158    WOLFSSL_EVP_CIPHER_CTX* cctx = NULL;
2159
2160    if (ctx != NULL) {
2161        /* Return EVP cipher context object. */
2162        cctx = ctx->cctx;
2163    }
2164
2165    return cctx;
2166}
2167
2168/* Initialize the CMAC operation.
2169 *
2170 * @param [in, out] cmac    CMAC context object.
2171 * @param [in]      key     Symmetric key to use.
2172 * @param [in]      keySz   Length of key in bytes.
2173 * @param [in]      cipher  EVP cipher object describing encryption algorithm
2174 *                          to use.
2175 * @param [in]      engine  wolfSSL Engine. Not used.
2176 * @return  1 on success.
2177 * @return  0 when ctx or cipher is NULL.
2178 * @return  0 when cipher is not an AES-CBC algorithm.
2179 * @return  0 when key length does not match cipher.
2180 */
2181int wolfSSL_CMAC_Init(WOLFSSL_CMAC_CTX* ctx, const void *key, size_t keySz,
2182    const WOLFSSL_EVP_CIPHER* cipher, WOLFSSL_ENGINE* engine)
2183{
2184    int ret = 1;
2185
2186    (void)engine;
2187
2188    WOLFSSL_ENTER("wolfSSL_CMAC_Init");
2189
2190    /* Validate parameters. */
2191    if ((ctx == NULL) || (cipher == NULL)) {
2192        ret = 0;
2193    }
2194    /* Only AES-CBC ciphers are supported. */
2195    if ((ret == 1)
2196    #ifdef WOLFSSL_AES_128
2197        && (cipher != EVP_AES_128_CBC)
2198    #endif
2199    #ifdef WOLFSSL_AES_192
2200        && (cipher != EVP_AES_192_CBC)
2201    #endif
2202    #ifdef WOLFSSL_AES_256
2203        && (cipher != EVP_AES_256_CBC)
2204    #endif
2205    ) {
2206        WOLFSSL_MSG("wolfSSL_CMAC_Init: requested cipher is unsupported");
2207        ret = 0;
2208    }
2209    /* Key length must match cipher. */
2210    if ((ret == 1) && ((int)keySz != wolfSSL_EVP_Cipher_key_length(cipher))) {
2211        WOLFSSL_MSG("wolfSSL_CMAC_Init: "
2212                    "supplied key size doesn't match requested cipher");
2213        ret = 0;
2214    }
2215
2216    if ((ret == 1) && (ctx->internal == NULL)) {
2217        /* Allocate memory for wolfSSL CMAC object. */
2218        ctx->internal = (Cmac*)XMALLOC(sizeof(Cmac), NULL, DYNAMIC_TYPE_CMAC);
2219        if (ctx->internal == NULL)
2220            ret = 0;
2221    }
2222
2223    /* Initialize the wolfCrypt CMAC object. */
2224    if ((ret == 1) && (wc_InitCmac((Cmac*)ctx->internal, (const byte*)key,
2225            (word32)keySz, WC_CMAC_AES, NULL) != 0)) {
2226        WOLFSSL_MSG("wolfSSL_CMAC_Init: wc_InitCmac() failed");
2227        XFREE(ctx->internal, NULL, DYNAMIC_TYPE_CMAC);
2228        ctx->internal = NULL;
2229        ret = 0;
2230    }
2231    if (ret == 1) {
2232        /* Initialize the EVP cipher context object for encryption. */
2233        ret = wolfSSL_EVP_CipherInit(ctx->cctx, cipher, (const byte*)key, NULL,
2234            1);
2235        if (ret != WOLFSSL_SUCCESS)
2236            WOLFSSL_MSG("wolfSSL_CMAC_Init: wolfSSL_EVP_CipherInit() failed");
2237    }
2238
2239    WOLFSSL_LEAVE("wolfSSL_CMAC_Init", ret);
2240
2241    return ret;
2242}
2243
2244/* Update the CMAC operation with data.
2245 *
2246 * @param [in, out] ctx   CMAC context object.
2247 * @param [in]      data  Data to MAC as a byte array.
2248 * @param [in]      len   Length of data in bytes.
2249 * @return  1 on success.
2250 * @return  0 when ctx is NULL.
2251 */
2252int wolfSSL_CMAC_Update(WOLFSSL_CMAC_CTX* ctx, const void* data, size_t len)
2253{
2254    int ret = 1;
2255
2256    WOLFSSL_ENTER("wolfSSL_CMAC_Update");
2257
2258    /* Validate parameters. */
2259    if (ctx == NULL) {
2260        ret = 0;
2261    }
2262
2263    /* Update the wolfCrypto CMAC object with data. */
2264    if ((ret == 1) && (data != NULL) && (wc_CmacUpdate((Cmac*)ctx->internal,
2265            (const byte*)data, (word32)len) != 0)) {
2266        ret = 0;
2267    }
2268
2269    WOLFSSL_LEAVE("wolfSSL_CMAC_Update", ret);
2270
2271    return ret;
2272}
2273
2274/* Finalize the CMAC operation into output buffer.
2275 *
2276 * @param [in, out] ctx  CMAC context object.
2277 * @param [out]     out  Buffer to place CMAC result into.
2278 *                       Must be able to hold WC_AES_BLOCK_SIZE bytes.
2279 * @param [out]     len  Length of CMAC result. May be NULL.
2280 * @return  1 on success.
2281 * @return  0 when ctx is NULL.
2282 */
2283int wolfSSL_CMAC_Final(WOLFSSL_CMAC_CTX* ctx, unsigned char* out, size_t* len)
2284{
2285    int ret = 1;
2286    int blockSize;
2287    word32 len32;
2288
2289    WOLFSSL_ENTER("wolfSSL_CMAC_Final");
2290
2291    /* Validate parameters. */
2292    if (ctx == NULL) {
2293        ret = 0;
2294    }
2295
2296    if (ret == 1) {
2297        /* Get the expected output size. */
2298        blockSize = wolfSSL_EVP_CIPHER_CTX_block_size(ctx->cctx);
2299        /* Check value is valid. */
2300        if (blockSize <= 0) {
2301            ret = 0;
2302        }
2303        else {
2304            /* wolfCrypt CMAC expects buffer size. */
2305            len32 = (word32)blockSize;
2306            /* Return size if required. */
2307            if (len != NULL) {
2308                *len = (size_t)blockSize;
2309            }
2310        }
2311    }
2312    if ((ret == 1) && (out != NULL)) {
2313        /* Calculate MAC result with wolfCrypt CMAC object. */
2314        if (wc_CmacFinal((Cmac*)ctx->internal, out, &len32) != 0) {
2315            ret = 0;
2316        }
2317        /* TODO: Is this necessary? Length should not change. */
2318        /* Return actual size if required. */
2319        else if (len != NULL) {
2320            *len = (size_t)len32;
2321        }
2322
2323        XFREE(ctx->internal, NULL, DYNAMIC_TYPE_CMAC);
2324        ctx->internal = NULL;
2325    }
2326
2327    WOLFSSL_LEAVE("wolfSSL_CMAC_Final", ret);
2328
2329    return ret;
2330}
2331#endif /* WOLFSSL_CMAC && OPENSSL_EXTRA && WOLFSSL_AES_DIRECT */
2332#endif /* OPENSSL_EXTRA && !WOLFCRYPT_ONLY */
2333
2334/*******************************************************************************
2335 * END OF CMAC API
2336 ******************************************************************************/
2337
2338/*******************************************************************************
2339 * START OF DES API
2340 ******************************************************************************/
2341
2342#ifdef OPENSSL_EXTRA
2343#ifndef NO_DES3
2344/* Set parity of the DES key.
2345 *
2346 * @param [in, out] key  DES key.
2347 */
2348void wolfSSL_DES_set_odd_parity(WOLFSSL_DES_cblock* key)
2349{
2350    int i;
2351
2352    WOLFSSL_ENTER("wolfSSL_DES_set_odd_parity");
2353
2354    for (i = 0; i < DES_KEY_SIZE; i++) {
2355        unsigned char c = (*key)[i];
2356        /* Set bottom bit to odd parity - XOR of each bit is to be 1.
2357         * XOR 1 to XOR of each bit.
2358         * When even parity, the value will be 1 and the bottom bit will be
2359         * flipped.
2360         * When odd parity, the value will be 0 and the bottom bit will be
2361         * unchanged.
2362         */
2363        c ^= ((c >> 0) ^ (c >> 1) ^ (c >> 2) ^ (c >> 3) ^ (c >> 4) ^ (c >> 5) ^
2364              (c >> 6) ^ (c >> 7) ^ 0x01) & 0x01;
2365        (*key)[i] = c;
2366    }
2367}
2368
2369/* Check parity of the DES key.
2370 *
2371 * @param [in] key  DES key.
2372 * @return  1 when odd parity on all bytes.
2373 * @return  0 when even parity on any byte.
2374 */
2375int wolfSSL_DES_check_key_parity(WOLFSSL_DES_cblock *key)
2376{
2377    int i;
2378    /* Assume odd parity. */
2379    unsigned char p = 1;
2380
2381    WOLFSSL_ENTER("wolfSSL_DES_check_key_parity");
2382
2383    for (i = 0; i < DES_KEY_SIZE; i++) {
2384        unsigned char c = (*key)[i];
2385        /* p will be 0 when parity is even (XOR of bits is 0). */
2386        p &= (c >> 0) ^ (c >> 1) ^ (c >> 2) ^ (c >> 3) ^ (c >> 4) ^ (c >> 5) ^
2387             (c >> 6) ^ (c >> 7);
2388    }
2389
2390    /* Only care about bottom bit. */
2391    return p & 1;
2392}
2393
2394/* Check whether key data is the two 32-bit words.
2395 *
2396 * return true in fail case (1)
2397 *
2398 * @param [in] k1   First part of key.
2399 * @param [in] k2   Second part of key.
2400 * @param [in] key  DES key as an array of bytes.
2401 **/
2402static int wolfssl_des_check(word32 k1, word32 k2, unsigned char* key)
2403{
2404    /* Compare the two 32-bit words. */
2405    return (((word32*)key)[0] == k1) && (((word32*)key)[1] == k2);
2406}
2407
2408/* Check key is not weak.
2409 *
2410 * Weak key list from Nist "Recommendation for the Triple Data Encryption
2411 * Algorithm (TDEA) Block Cipher"
2412 *
2413 * @param [in] key  DES key.
2414 * @return  0 when #key is not a weak key.
2415 * @return  1 when #key is a weak key.
2416 */
2417int wolfSSL_DES_is_weak_key(WOLFSSL_const_DES_cblock* key)
2418{
2419    int ret = 0;
2420
2421    WOLFSSL_ENTER("wolfSSL_DES_is_weak_key");
2422
2423    /* Validate parameter. */
2424    if (key == NULL) {
2425        WOLFSSL_MSG("NULL key passed in");
2426        ret = 1;
2427    }
2428
2429    /* Check weak keys - endian doesn't matter. */
2430    if ((ret == 0) && (wolfssl_des_check(0x01010101, 0x01010101, *key) ||
2431                       wolfssl_des_check(0xFEFEFEFE, 0xFEFEFEFE, *key) ||
2432                       wolfssl_des_check(0xE0E0E0E0, 0xF1F1F1F1, *key) ||
2433                       wolfssl_des_check(0x1F1F1F1F, 0x0E0E0E0E, *key))) {
2434        WOLFSSL_MSG("Weak key found");
2435        ret = 1;
2436    }
2437
2438    /* Check semi-weak keys - endian doesn't matter. */
2439    if ((ret == 0) && (wolfssl_des_check(0x011F011F, 0x010E010E, *key) ||
2440                       wolfssl_des_check(0x1F011F01, 0x0E010E01, *key) ||
2441                       wolfssl_des_check(0x01E001E0, 0x01F101F1, *key) ||
2442                       wolfssl_des_check(0xE001E001, 0xF101F101, *key) ||
2443                       wolfssl_des_check(0x01FE01FE, 0x01FE01FE, *key) ||
2444                       wolfssl_des_check(0xFE01FE01, 0xFE01FE01, *key) ||
2445                       wolfssl_des_check(0x1FE01FE0, 0x0EF10EF1, *key) ||
2446                       wolfssl_des_check(0xE01FE01F, 0xF10EF10E, *key) ||
2447                       wolfssl_des_check(0x1FFE1FFE, 0x0EFE0EFE, *key) ||
2448                       wolfssl_des_check(0xFE1FFE1F, 0xFE0EFE0E, *key) ||
2449                       wolfssl_des_check(0xE0FEE0FE, 0xF1FEF1FE, *key) ||
2450                       wolfssl_des_check(0xFEE0FEE0, 0xFEF1FEF1, *key))) {
2451        WOLFSSL_MSG("Semi-weak key found");
2452        ret = 1;
2453    }
2454
2455    return ret;
2456}
2457
2458/* Set key into schedule if key parity is odd and key is not weak.
2459 *
2460 * @param [in]  key       DES key data.
2461 * @param [out] schedule  DES key schedule.
2462 * @return  0 on success.
2463 * @return  -1 when parity is not odd.
2464 * @return  -2 when key or schedule is NULL.
2465 * @return  -2 when key is weak or semi-weak.
2466 */
2467int wolfSSL_DES_set_key_checked(WOLFSSL_const_DES_cblock* key,
2468    WOLFSSL_DES_key_schedule* schedule)
2469{
2470    int ret = 0;
2471
2472    /* Validate parameters. */
2473    if ((key == NULL) || (schedule == NULL)) {
2474        WOLFSSL_MSG("Bad argument passed to wolfSSL_DES_set_key_checked");
2475        ret = -2;
2476    }
2477
2478    /* Check key parity is odd. */
2479    if ((ret == 0) && (!wolfSSL_DES_check_key_parity(key))) {
2480        WOLFSSL_MSG("Odd parity test fail");
2481        ret = WOLFSSL_FATAL_ERROR;
2482    }
2483    /* Check whether key is weak. */
2484    if ((ret == 0) && wolfSSL_DES_is_weak_key(key)) {
2485        WOLFSSL_MSG("Weak key found");
2486        ret = -2;
2487    }
2488    if (ret == 0) {
2489        /* Key data passed checks, now copy key into schedule. */
2490        XMEMCPY(schedule, key, DES_KEY_SIZE);
2491    }
2492
2493    return ret;
2494}
2495
2496/* Set key into schedule - no checks on key data performed.
2497 *
2498 * @param [in]  key       DES key data.
2499 * @param [out] schedule  DES key schedule.
2500 */
2501void wolfSSL_DES_set_key_unchecked(WOLFSSL_const_DES_cblock* key,
2502    WOLFSSL_DES_key_schedule* schedule)
2503{
2504    /* Validate parameters. */
2505    if ((key != NULL) && (schedule != NULL)) {
2506        /* Copy the key data into the schedule. */
2507        XMEMCPY(schedule, key, DES_KEY_SIZE);
2508    }
2509}
2510
2511/* Set key into schedule.
2512 *
2513 * @param [in]  key       DES key data.
2514 * @param [out] schedule  DES key schedule.
2515 * @return  0 on success.
2516 * @return  -1 when parity is not odd.
2517 * @return  -2 when key or schedule is NULL.
2518 * @return  -2 when key is weak or semi-weak.
2519 */
2520int wolfSSL_DES_set_key(WOLFSSL_const_DES_cblock* key,
2521    WOLFSSL_DES_key_schedule* schedule)
2522{
2523#ifdef WOLFSSL_CHECK_DESKEY
2524    return wolfSSL_DES_set_key_checked(key, schedule);
2525#else
2526    wolfSSL_DES_set_key_unchecked(key, schedule);
2527    return 0;
2528#endif
2529}
2530
2531/* Set the key schedule from the DES key.
2532 *
2533 * TODO: OpenSSL checks parity and weak keys.
2534 *
2535 * @param [in]  key       DES key data.
2536 * @param [out] schedule  DES key schedule.
2537 * @return  0 on success.
2538 */
2539int wolfSSL_DES_key_sched(WOLFSSL_const_DES_cblock* key,
2540    WOLFSSL_DES_key_schedule* schedule)
2541{
2542    WOLFSSL_ENTER("wolfSSL_DES_key_sched");
2543
2544    /* Check parameters are usable. */
2545    if ((key == NULL) || (schedule == NULL)) {
2546        WOLFSSL_MSG("Null argument passed in");
2547    }
2548    else {
2549        /* Copy the key data into the schedule. */
2550        XMEMCPY(schedule, key, sizeof(WOLFSSL_const_DES_cblock));
2551    }
2552
2553    return 0;
2554}
2555
2556/* Encrypt with DES-CBC to create a checksum.
2557 *
2558 * Intended to behave similar to Kerberos mit_des_cbc_cksum.
2559 * Returns the last 4 bytes of cipher text.
2560 *
2561 * TODO: Encrypt one block at a time instead of allocating a large amount.
2562 *
2563 * @param [in]  in      Data to encrypt.
2564 * @param [out] out     Last encrypted block.
2565 * @param [in]  length  Length of data to encrypt.
2566 * @param [in]  sc      Key schedule for encryption.
2567 * @param [in]  iv      Initialization vector for CBC.
2568 * @return  Checksum of encryption.
2569 * @return  0 on error.
2570 */
2571WOLFSSL_DES_LONG wolfSSL_DES_cbc_cksum(const unsigned char* in,
2572    WOLFSSL_DES_cblock* out, long length, WOLFSSL_DES_key_schedule* sc,
2573    WOLFSSL_const_DES_cblock* iv)
2574{
2575    WOLFSSL_DES_LONG ret = 0;
2576    int err = 0;
2577    unsigned char* data = (unsigned char*)in;
2578    unsigned char* tmp = NULL;
2579    long dataSz = length;
2580
2581    WOLFSSL_ENTER("wolfSSL_DES_cbc_cksum");
2582
2583    /* Validate parameters. */
2584    if ((in == NULL) || (out == NULL) || (sc == NULL) || (iv == NULL)) {
2585        WOLFSSL_MSG("Bad argument passed in");
2586        err = 1;
2587    }
2588
2589    /* When input length is not a multiple of DES_BLOCK_SIZE pad with 0s. */
2590    if ((!err) && (dataSz % DES_BLOCK_SIZE)) {
2591        /* Allocate a buffer big enough to hold padded input. */
2592        dataSz += DES_BLOCK_SIZE - (dataSz % DES_BLOCK_SIZE);
2593        data = (unsigned char*)XMALLOC((size_t)dataSz, NULL,
2594        DYNAMIC_TYPE_TMP_BUFFER);
2595        if (data == NULL) {
2596            WOLFSSL_MSG("Issue creating temporary buffer");
2597            err = 1;
2598        }
2599        else {
2600            /* Copy input and pad with 0s. */
2601            XMEMCPY(data, in, (size_t)length);
2602            XMEMSET(data + length, 0, (size_t)(dataSz - length));
2603        }
2604    }
2605
2606    if (!err) {
2607        /* Allocate buffer to hold encrypted data. */
2608        tmp = (unsigned char*)XMALLOC((size_t)dataSz, NULL,
2609        DYNAMIC_TYPE_TMP_BUFFER);
2610        if (tmp == NULL) {
2611            WOLFSSL_MSG("Issue creating temporary buffer");
2612            err = 1;
2613        }
2614    }
2615
2616    if (!err) {
2617        /* Encrypt data into temporary. */
2618        wolfSSL_DES_cbc_encrypt(data, tmp, dataSz, sc, (WOLFSSL_DES_cblock*)iv,
2619            WC_DES_ENCRYPT);
2620        /* Copy out last block. */
2621        XMEMCPY((unsigned char*)out, tmp + (dataSz - DES_BLOCK_SIZE),
2622            DES_BLOCK_SIZE);
2623
2624        /* Use the last half of the encrypted block as the checksum. */
2625        ret = (((*((unsigned char*)out + 4) & 0xFF) << 24) |
2626               ((*((unsigned char*)out + 5) & 0xFF) << 16) |
2627               ((*((unsigned char*)out + 6) & 0xFF) <<  8) |
2628                (*((unsigned char*)out + 7) & 0xFF)      );
2629    }
2630
2631    /* Dispose of allocated memory. */
2632    XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER);
2633    if (data != in) {
2634        XFREE(data, NULL, DYNAMIC_TYPE_TMP_BUFFER);
2635    }
2636    return ret;
2637}
2638
2639/* Encrypt/decrypt data with DES-CBC.
2640 *
2641 * TODO: OpenSSL expects a length that is a multiple of the block size but
2642 *       we are padding the last block. This is not a padding API.
2643 * TODO: Validate parameters?
2644 *
2645 * @param [in]  input     Data to encipher.
2646 * @param [out] output    Enciphered data.
2647 * @param [in]  length    Length of data to encipher.
2648 * @param [in]  schedule  Key schedule.
2649 * @param [in]  ivec      IV for CBC operation.
2650 * @param [in]  enc       Whether to encrypt.
2651 */
2652void wolfSSL_DES_cbc_encrypt(const unsigned char* input, unsigned char* output,
2653    long length, WOLFSSL_DES_key_schedule* schedule, WOLFSSL_DES_cblock* ivec,
2654    int enc)
2655{
2656    WC_DECLARE_VAR(des, Des, 1, 0);
2657    byte lastBlock[DES_BLOCK_SIZE];
2658
2659    WOLFSSL_ENTER("wolfSSL_DES_cbc_encrypt");
2660
2661#ifdef WOLFSSL_SMALL_STACK
2662    des = (Des*)XMALLOC(sizeof(Des3), NULL, DYNAMIC_TYPE_CIPHER);
2663    if (des == NULL) {
2664        WOLFSSL_MSG("Failed to allocate memory for Des object");
2665    }
2666    else
2667#endif
2668    /* OpenSSL compat, no ret */
2669    if (wc_Des_SetKey(des, (const byte*)schedule, (const byte*)ivec,
2670            !enc) != 0) {
2671        WOLFSSL_MSG("wc_Des_SetKey return error.");
2672    }
2673    else {
2674        /* Last incomplete block size. 0 means none over. */
2675        int    lb_sz = length % DES_BLOCK_SIZE;
2676        /* Length of data that is a multiple of a block. */
2677        word32 len   = (word32)(length - lb_sz);
2678
2679        if (enc == WC_DES_ENCRYPT) {
2680            /* Encrypt full blocks into output. */
2681            wc_Des_CbcEncrypt(des, output, input, len);
2682            if (lb_sz != 0) {
2683                /* Create a 0 padded block from remaining bytes. */
2684                XMEMSET(lastBlock, 0, DES_BLOCK_SIZE);
2685                XMEMCPY(lastBlock, input + len, (size_t)lb_sz);
2686                /* Encrypt last block into output. */
2687                wc_Des_CbcEncrypt(des, output + len, lastBlock,
2688                    (word32)DES_BLOCK_SIZE);
2689            }
2690        }
2691        else {
2692            /* Decrypt full blocks into output. */
2693            wc_Des_CbcDecrypt(des, output, input, len);
2694            if (lb_sz != 0) {
2695                /* Decrypt the last block that is not going to be full size. */
2696                wc_Des_CbcDecrypt(des, lastBlock, input + len,
2697                    (word32)DES_BLOCK_SIZE);
2698                /* Copy out the required amount of the decrypted block. */
2699                XMEMCPY(output + len, lastBlock, (size_t)lb_sz);
2700            }
2701        }
2702    }
2703
2704    WC_FREE_VAR_EX(des, NULL, DYNAMIC_TYPE_CIPHER);
2705}
2706
2707/* Encrypt/decrypt data with DES-CBC. Sets the IV for following operation.
2708 *
2709 * TODO: OpenSSL expects a length that is a multiple of the block size but
2710 *       we are padding the last block. This is not a padding API.
2711 * TODO: Validate parameters?
2712 *
2713 * @param [in]      input     Data to encipher.
2714 * @param [out]     output    Enciphered data.
2715 * @param [in]      length    Length of data to encipher.
2716 * @param [in]      schedule  Key schedule.
2717 * @param [in, out] ivec      IV for CBC operation.
2718 * @param [in]      enc       Whether to encrypt.
2719 */
2720void wolfSSL_DES_ncbc_encrypt(const unsigned char* input, unsigned char* output,
2721    long length, WOLFSSL_DES_key_schedule* schedule, WOLFSSL_DES_cblock* ivec,
2722    int enc)
2723{
2724    unsigned char tmp[DES_IV_SIZE];
2725    size_t offset;
2726
2727    WOLFSSL_ENTER("wolfSSL_DES_ncbc_encrypt");
2728
2729    /* Zero/negative length: no block to derive an IV from. The offset math
2730     * below would underflow for length == 0, yielding a wild-pointer read. */
2731    if (length <= 0) {
2732        WOLFSSL_LEAVE("wolfSSL_DES_ncbc_encrypt", 0);
2733        return;
2734    }
2735
2736    /* Calculate length to a multiple of block size. */
2737    offset = (size_t)length;
2738    offset = (offset + DES_BLOCK_SIZE - 1) / DES_BLOCK_SIZE;
2739    offset *= DES_BLOCK_SIZE;
2740    offset -= DES_BLOCK_SIZE;
2741    if (enc == WC_DES_ENCRYPT) {
2742        /* Encrypt data. */
2743        wolfSSL_DES_cbc_encrypt(input, output, length, schedule, ivec, enc);
2744        /* Use last encrypted block as new IV. */
2745        XMEMCPY(ivec, output + offset, DES_IV_SIZE);
2746    }
2747    else {
2748        /* Get last encrypted block for new IV. */
2749        XMEMCPY(tmp, input + offset, DES_IV_SIZE);
2750        /* Decrypt data. */
2751        wolfSSL_DES_cbc_encrypt(input, output, length, schedule, ivec, enc);
2752        /* Use last encrypted block as new IV. */
2753        XMEMCPY(ivec, tmp, DES_IV_SIZE);
2754    }
2755}
2756
2757/* Encrypt/decrypt data with DES-CBC.
2758 *
2759 * WOLFSSL_DES_key_schedule is an unsigned char array of size 8.
2760 *
2761 * TODO: OpenSSL expects a length that is a multiple of the block size but
2762 *       we are padding the last block. This is not a padding API.
2763 * TODO: Validate parameters?
2764 *
2765 * @param [in]      input     Data to encipher.
2766 * @param [out]     output    Enciphered data.
2767 * @param [in]      length    Length of data to encipher.
2768 * @param [in]      schedule  Key schedule.
2769 * @param [in, out] ivec      IV for CBC operation.
2770 * @param [in]      enc       Whether to encrypt.
2771 */
2772void wolfSSL_DES_ede3_cbc_encrypt(const unsigned char* input,
2773    unsigned char* output, long sz, WOLFSSL_DES_key_schedule* ks1,
2774    WOLFSSL_DES_key_schedule* ks2, WOLFSSL_DES_key_schedule* ks3,
2775    WOLFSSL_DES_cblock* ivec, int enc)
2776{
2777    WC_DECLARE_VAR(des3, Des3, 1, 0);
2778
2779    WOLFSSL_ENTER("wolfSSL_DES_ede3_cbc_encrypt");
2780
2781#ifdef WOLFSSL_SMALL_STACK
2782    des3 = (Des3*)XMALLOC(sizeof(Des3), NULL, DYNAMIC_TYPE_CIPHER);
2783    if (des3 == NULL) {
2784        WOLFSSL_MSG("Failed to allocate memory for Des3 object");
2785        sz = 0;
2786    }
2787#endif
2788
2789    if (sz > 0) {
2790        int    ret;
2791        byte   key[DES3_KEY_SIZE];
2792        byte   lastBlock[DES_BLOCK_SIZE];
2793        int    lb_sz;
2794        word32 len;
2795
2796        /* Copy the three keys into the buffer for wolfCrypt DES. */
2797        XMEMCPY(key + 0 * DES_BLOCK_SIZE, *ks1, DES_BLOCK_SIZE);
2798        XMEMCPY(key + 1 * DES_BLOCK_SIZE, *ks2, DES_BLOCK_SIZE);
2799        XMEMCPY(key + 2 * DES_BLOCK_SIZE, *ks3, DES_BLOCK_SIZE);
2800
2801        /* Last incomplete block size. 0 means none over. */
2802        lb_sz = sz % DES_BLOCK_SIZE;
2803        /* Length of data that is a multiple of a block. */
2804        len   = (word32)(sz - lb_sz);
2805
2806        /* Initialize wolfCrypt DES3 object. */
2807        XMEMSET(des3, 0, sizeof(Des3));
2808        ret = wc_Des3Init(des3, NULL, INVALID_DEVID);
2809        (void)ret;
2810
2811        if (enc == WC_DES_ENCRYPT) {
2812            /* Initialize wolfCrypt DES3 object. */
2813            if (wc_Des3_SetKey(des3, key, (const byte*)ivec, DES_ENCRYPTION)
2814                    == 0) {
2815                /* Encrypt full blocks into output. */
2816                ret = wc_Des3_CbcEncrypt(des3, output, input, len);
2817                (void)ret;
2818            #if defined(WOLFSSL_ASYNC_CRYPT)
2819                ret = wc_AsyncWait(ret, &des3->asyncDev, WC_ASYNC_FLAG_NONE);
2820                (void)ret;
2821            #endif
2822                if (lb_sz != 0) {
2823                    /* Create a 0 padded block from remaining bytes. */
2824                    XMEMSET(lastBlock, 0, DES_BLOCK_SIZE);
2825                    XMEMCPY(lastBlock, input + len, (size_t)lb_sz);
2826                    /* Encrypt last block into output. */
2827                    ret = wc_Des3_CbcEncrypt(des3, output + len, lastBlock,
2828                        (word32)DES_BLOCK_SIZE);
2829                    (void)ret;
2830                #if defined(WOLFSSL_ASYNC_CRYPT)
2831                    ret = wc_AsyncWait(ret, &des3->asyncDev,
2832                        WC_ASYNC_FLAG_NONE);
2833                    (void)ret;
2834                #endif
2835                    /* Copy the last encrypted block as IV for next decrypt. */
2836                    XMEMCPY(ivec, output + len, DES_BLOCK_SIZE);
2837                }
2838                else {
2839                    /* Copy the last encrypted block as IV for next decrypt. */
2840                    XMEMCPY(ivec, output + len - DES_BLOCK_SIZE,
2841                        DES_BLOCK_SIZE);
2842                }
2843            }
2844        }
2845        else {
2846            /* Initialize wolfCrypt DES3 object. */
2847            if (wc_Des3_SetKey(des3, key, (const byte*)ivec, DES_DECRYPTION)
2848                    == 0) {
2849                /* Copy the last encrypted block as IV for next decrypt. */
2850                if (lb_sz != 0) {
2851                    XMEMCPY(ivec, input + len, DES_BLOCK_SIZE);
2852                }
2853                else {
2854                    XMEMCPY(ivec, input + len - DES_BLOCK_SIZE, DES_BLOCK_SIZE);
2855                }
2856                /* Decrypt full blocks into output. */
2857                ret = wc_Des3_CbcDecrypt(des3, output, input, len);
2858                (void)ret;
2859            #if defined(WOLFSSL_ASYNC_CRYPT)
2860                ret = wc_AsyncWait(ret, &des3->asyncDev, WC_ASYNC_FLAG_NONE);
2861                (void)ret;
2862            #endif
2863                if (lb_sz != 0) {
2864                   /* Decrypt the last block that is not going to be full size.
2865                    */
2866                    ret = wc_Des3_CbcDecrypt(des3, lastBlock, input + len,
2867                        (word32)DES_BLOCK_SIZE);
2868                    (void)ret;
2869                #if defined(WOLFSSL_ASYNC_CRYPT)
2870                    ret = wc_AsyncWait(ret, &des3->asyncDev,
2871                        WC_ASYNC_FLAG_NONE);
2872                    (void)ret;
2873                #endif
2874                    /* Copy out the required amount of the decrypted block. */
2875                    XMEMCPY(output + len, lastBlock, (size_t)lb_sz);
2876                }
2877            }
2878        }
2879        wc_Des3Free(des3);
2880    }
2881
2882    WC_FREE_VAR_EX(des3, NULL, DYNAMIC_TYPE_CIPHER);
2883}
2884
2885#ifdef WOLFSSL_DES_ECB
2886/* Encrypt or decrypt input message desa with key and get output in desb.
2887 *
2888 * @param [in]  in   Block to encipher with DES-ECB.
2889 * @param [out] out  Enciphered block.
2890 * @param [in]  key  DES key schedule.
2891 * @param [in]  enc  Whether to encrypt.
2892 */
2893void wolfSSL_DES_ecb_encrypt(WOLFSSL_DES_cblock* in, WOLFSSL_DES_cblock* out,
2894    WOLFSSL_DES_key_schedule* key, int enc)
2895{
2896    WC_DECLARE_VAR(des, Des, 1, 0);
2897
2898    WOLFSSL_ENTER("wolfSSL_DES_ecb_encrypt");
2899
2900    /* Validate parameters. */
2901    if ((in == NULL) || (out == NULL) || (key == NULL) ||
2902           ((enc != WC_DES_ENCRYPT) && (enc != WC_DES_DECRYPT))) {
2903        WOLFSSL_MSG("Bad argument passed to wolfSSL_DES_ecb_encrypt");
2904    }
2905#ifdef WOLFSSL_SMALL_STACK
2906    else if ((des = (Des*)XMALLOC(sizeof(Des), NULL, DYNAMIC_TYPE_CIPHER))
2907             == NULL)
2908    {
2909        WOLFSSL_MSG("Failed to allocate memory for Des object");
2910    }
2911#endif
2912    /* Set key in wolfCrypt DES object for encryption or decryption.
2913     * WC_DES_ENCRYPT = 1, wolfSSL DES_ENCRYPTION = 0.
2914     * WC_DES_DECRYPT = 0, wolfSSL DES_DECRYPTION = 1.
2915     */
2916    else if (wc_Des_SetKey(des, (const byte*)key, NULL, !enc) != 0) {
2917        WOLFSSL_MSG("wc_Des_SetKey return error.");
2918    }
2919    else if (enc == WC_DES_ENCRYPT) {
2920        /* Encrypt a block with wolfCrypt DES object. */
2921        if (wc_Des_EcbEncrypt(des, (byte*)out, (const byte*)in, DES_KEY_SIZE)
2922                != 0) {
2923            WOLFSSL_MSG("wc_Des_EcbEncrypt return error.");
2924        }
2925    }
2926    else {
2927        /* Decrypt a block with wolfCrypt DES object. */
2928        if (wc_Des_EcbDecrypt(des, (byte*)out, (const byte*)in, DES_KEY_SIZE)
2929                != 0) {
2930            WOLFSSL_MSG("wc_Des_EcbDecrpyt return error.");
2931        }
2932    }
2933
2934    WC_FREE_VAR_EX(des, NULL, DYNAMIC_TYPE_CIPHER);
2935}
2936#endif
2937#endif /* NO_DES3 */
2938#endif /* OPENSSL_EXTRA */
2939
2940/*******************************************************************************
2941 * END OF DES API
2942 ******************************************************************************/
2943
2944/*******************************************************************************
2945 * START OF AES API
2946 ******************************************************************************/
2947
2948#ifdef OPENSSL_EXTRA
2949
2950#if !defined(NO_AES) && !defined(WOLFSSL_NO_OPENSSL_AES_LOW_LEVEL_API)
2951
2952/* Sets the key into the AES key object for encryption or decryption.
2953 *
2954 * TODO: check bits value?
2955 *
2956 * @param [in]  key   Key data.
2957 * @param [in]  bits  Number of bits in key.
2958 * @param [out] aes   AES key object.
2959 * @param [in]  enc   Whether to encrypt. AES_ENCRYPTION or AES_DECRYPTION.
2960 * @return  0 on success.
2961 * @return  -1 when key or aes is NULL.
2962 * @return  -1 when setting key with wolfCrypt fails.
2963 */
2964static int wolfssl_aes_set_key(const unsigned char *key, const int bits,
2965    WOLFSSL_AES_KEY *aes, int enc)
2966{
2967    wc_static_assert(sizeof(WOLFSSL_AES_KEY) >= sizeof(Aes));
2968
2969    /* Validate parameters. */
2970    if ((key == NULL) || (aes == NULL)) {
2971        WOLFSSL_MSG("Null argument passed in");
2972        return WOLFSSL_FATAL_ERROR;
2973    }
2974
2975    XMEMSET(aes, 0, sizeof(WOLFSSL_AES_KEY));
2976
2977    if (wc_AesInit((Aes*)aes, NULL, INVALID_DEVID) != 0) {
2978        WOLFSSL_MSG("Error in initting AES key");
2979        return WOLFSSL_FATAL_ERROR;
2980    }
2981
2982    if (wc_AesSetKey((Aes*)aes, key, (word32)((bits)/8), NULL, enc) != 0) {
2983        WOLFSSL_MSG("Error in setting AES key");
2984        return WOLFSSL_FATAL_ERROR;
2985    }
2986    return 0;
2987}
2988
2989/* Sets the key into the AES key object for encryption.
2990 *
2991 * @param [in]  key   Key data.
2992 * @param [in]  bits  Number of bits in key.
2993 * @param [out] aes   AES key object.
2994 * @return  0 on success.
2995 * @return  -1 when key or aes is NULL.
2996 * @return  -1 when setting key with wolfCrypt fails.
2997 */
2998int wolfSSL_AES_set_encrypt_key(const unsigned char *key, const int bits,
2999    WOLFSSL_AES_KEY *aes)
3000{
3001    WOLFSSL_ENTER("wolfSSL_AES_set_encrypt_key");
3002
3003    return wolfssl_aes_set_key(key, bits, aes, AES_ENCRYPTION);
3004}
3005
3006/* Sets the key into the AES key object for decryption.
3007 *
3008 * @param [in]  key   Key data.
3009 * @param [in]  bits  Number of bits in key.
3010 * @param [out] aes   AES key object.
3011 * @return  0 on success.
3012 * @return  -1 when key or aes is NULL.
3013 * @return  -1 when setting key with wolfCrypt fails.
3014 */
3015int wolfSSL_AES_set_decrypt_key(const unsigned char *key, const int bits,
3016    WOLFSSL_AES_KEY *aes)
3017{
3018    WOLFSSL_ENTER("wolfSSL_AES_set_decrypt_key");
3019
3020    return wolfssl_aes_set_key(key, bits, aes, AES_DECRYPTION);
3021}
3022
3023#ifdef WOLFSSL_AES_DIRECT
3024/* Encrypt a 16-byte block of data using AES-ECB.
3025 *
3026 * wolfSSL_AES_set_encrypt_key() must have been called.
3027 *
3028 * #input must contain WC_AES_BLOCK_SIZE bytes of data.
3029 * #output must be a buffer at least WC_AES_BLOCK_SIZE bytes in length.
3030 *
3031 * @param [in]  input   Data to encrypt.
3032 * @param [out] output  Encrypted data.
3033 * @param [in]  key     AES key to use for encryption.
3034 */
3035void wolfSSL_AES_encrypt(const unsigned char* input, unsigned char* output,
3036    WOLFSSL_AES_KEY *key)
3037{
3038    WOLFSSL_ENTER("wolfSSL_AES_encrypt");
3039
3040    /* Validate parameters. */
3041    if ((input == NULL) || (output == NULL) || (key == NULL)) {
3042        WOLFSSL_MSG("Null argument passed in");
3043    }
3044    else
3045#if !defined(HAVE_SELFTEST) && \
3046    (!defined(HAVE_FIPS) || (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,3)) \
3047    || defined(WOLFSSL_KERNEL_MODE))
3048    /* Encrypt a block with wolfCrypt AES. */
3049    if (wc_AesEncryptDirect((Aes*)key, output, input) != 0) {
3050        WOLFSSL_MSG("wc_AesEncryptDirect failed");
3051    }
3052#else
3053    {
3054        /* Encrypt a block with wolfCrypt AES. */
3055        wc_AesEncryptDirect((Aes*)key, output, input);
3056    }
3057#endif
3058}
3059
3060
3061/* Decrypt a 16-byte block of data using AES-ECB.
3062 *
3063 * wolfSSL_AES_set_decrypt_key() must have been called.
3064 *
3065 * #input must contain WC_AES_BLOCK_SIZE bytes of data.
3066 * #output must be a buffer at least WC_AES_BLOCK_SIZE bytes in length.
3067 *
3068 * @param [in]  input   Data to decrypt.
3069 * @param [out] output  Decrypted data.
3070 * @param [in]  key     AES key to use for encryption.
3071 */
3072void wolfSSL_AES_decrypt(const unsigned char* input, unsigned char* output,
3073    WOLFSSL_AES_KEY *key)
3074{
3075    WOLFSSL_ENTER("wolfSSL_AES_decrypt");
3076
3077    /* Validate parameters. */
3078    if ((input == NULL) || (output == NULL) || (key == NULL)) {
3079        WOLFSSL_MSG("Null argument passed in");
3080    }
3081    else
3082#if !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || \
3083    (defined(FIPS_VERSION_GE) && FIPS_VERSION3_GE(5,3,0)))
3084    /* Decrypt a block with wolfCrypt AES. */
3085    if (wc_AesDecryptDirect((Aes*)key, output, input) != 0) {
3086        WOLFSSL_MSG("wc_AesDecryptDirect failed");
3087    }
3088#else
3089    {
3090        /* Decrypt a block with wolfCrypt AES. */
3091        wc_AesDecryptDirect((Aes*)key, output, input);
3092    }
3093#endif
3094}
3095#endif /* WOLFSSL_AES_DIRECT */
3096
3097
3098
3099#ifdef HAVE_AES_ECB
3100/* Encrypt/decrypt a 16-byte block of data using AES-ECB.
3101 *
3102 * wolfSSL_AES_set_encrypt_key() or wolfSSL_AES_set_decrypt_key ()must have been
3103 * called.
3104 *
3105 * #input must contain WC_AES_BLOCK_SIZE bytes of data.
3106 * #output must be a buffer at least WC_AES_BLOCK_SIZE bytes in length.
3107 *
3108 * @param [in]  in   Data to encipher.
3109 * @param [out] out  Enciphered data.
3110 * @param [in]  key  AES key to use for encryption/decryption.
3111 * @param [in]  enc  Whether to encrypt.
3112 *                   AES_ENCRPT for encryption, AES_DECRYPTION for decryption.
3113 */
3114void wolfSSL_AES_ecb_encrypt(const unsigned char *in, unsigned char* out,
3115    WOLFSSL_AES_KEY *key, const int enc)
3116{
3117    WOLFSSL_ENTER("wolfSSL_AES_ecb_encrypt");
3118
3119    /* Validate parameters. */
3120    if ((key == NULL) || (in == NULL) || (out == NULL)) {
3121        WOLFSSL_MSG("Error, Null argument passed in");
3122    }
3123    else if (enc == AES_ENCRYPTION) {
3124        /* Encrypt block. */
3125        if (wc_AesEcbEncrypt((Aes*)key, out, in, WC_AES_BLOCK_SIZE) != 0) {
3126            WOLFSSL_MSG("Error with AES CBC encrypt");
3127        }
3128    }
3129    else {
3130    #ifdef HAVE_AES_DECRYPT
3131        /* Decrypt block. */
3132        if (wc_AesEcbDecrypt((Aes*)key, out, in, WC_AES_BLOCK_SIZE) != 0) {
3133            WOLFSSL_MSG("Error with AES CBC decrypt");
3134        }
3135    #else
3136        WOLFSSL_MSG("AES decryption not compiled in");
3137    #endif
3138    }
3139}
3140#endif /* HAVE_AES_ECB */
3141
3142#ifdef HAVE_AES_CBC
3143/* Encrypt/decrypt data with IV using AES-CBC.
3144 *
3145 * wolfSSL_AES_set_encrypt_key() or wolfSSL_AES_set_decrypt_key() must have been
3146 * called.
3147 *
3148 * @param [in]       in   Data to encipher.
3149 * @param [out]      out  Enciphered data.
3150 * @param [in]       len  Length of data to encipher.
3151 * @param [in]       key  AES key to use for encryption/decryption.
3152 * @param [in, out]  iv   Initialization Vector (IV) of CBC mode.
3153 *                        On in, used with first block.
3154 *                        On out, IV for further operations.
3155 * @param [in]       enc  Whether to encrypt.
3156 *                   AES_ENCRPT for encryption, AES_DECRYPTION for decryption.
3157 */
3158void wolfSSL_AES_cbc_encrypt(const unsigned char *in, unsigned char* out,
3159    size_t len, WOLFSSL_AES_KEY *key, unsigned char* iv, const int enc)
3160{
3161    WOLFSSL_ENTER("wolfSSL_AES_cbc_encrypt");
3162
3163    /* Validate parameters. */
3164    if ((key == NULL) || (in == NULL) || (out == NULL) || (iv == NULL) ||
3165            (len == 0)) {
3166        WOLFSSL_MSG("Error, Null argument passed in");
3167    }
3168    /* Set IV for operation. */
3169    else {
3170        int ret;
3171        Aes* aes = (Aes*)key;
3172
3173        if ((ret = wc_AesSetIV(aes, (const byte*)iv)) != 0) {
3174            WOLFSSL_MSG("Error with setting iv");
3175        }
3176        else if (enc == AES_ENCRYPTION) {
3177            /* Encrypt with wolfCrypt AES object. */
3178            if ((ret = wc_AesCbcEncrypt(aes, out, in, (word32)len)) != 0) {
3179                WOLFSSL_MSG("Error with AES CBC encrypt");
3180            }
3181        }
3182        else {
3183            /* Decrypt with wolfCrypt AES object. */
3184            if ((ret = wc_AesCbcDecrypt(aes, out, in, (word32)len)) != 0) {
3185                WOLFSSL_MSG("Error with AES CBC decrypt");
3186            }
3187        }
3188
3189        if (ret == 0) {
3190            /* Get IV for next operation. */
3191            XMEMCPY(iv, (byte*)(aes->reg), WC_AES_BLOCK_SIZE);
3192        }
3193    }
3194}
3195#endif /* HAVE_AES_CBC */
3196
3197
3198/* Encrypt/decrypt data with IV using AES-CFB.
3199 *
3200 * wolfSSL_AES_set_encrypt_key() must have been called.
3201 *
3202 * @param [in]       in   Data to encipher.
3203 * @param [out]      out  Enciphered data.
3204 * @param [in]       len  Length of data to encipher.
3205 * @param [in]       key  AES key to use for encryption/decryption.
3206 * @param [in, out]  iv   Initialization Vector (IV) of CFB mode.
3207 *                        On in, used with first block.
3208 *                        On out, IV for further operations.
3209 * @param [out]      num  Number of bytes used from last incomplete block.
3210 * @param [in]       enc  Whether to encrypt.
3211 *                   AES_ENCRPT for encryption, AES_DECRYPTION for decryption.
3212 */
3213void wolfSSL_AES_cfb128_encrypt(const unsigned char *in, unsigned char* out,
3214    size_t len, WOLFSSL_AES_KEY *key, unsigned char* iv, int* num,
3215    const int enc)
3216{
3217#ifndef WOLFSSL_AES_CFB
3218    WOLFSSL_MSG("CFB mode not enabled please use macro WOLFSSL_AES_CFB");
3219
3220    (void)in;
3221    (void)out;
3222    (void)len;
3223    (void)key;
3224    (void)iv;
3225    (void)num;
3226    (void)enc;
3227#else
3228    WOLFSSL_ENTER("wolfSSL_AES_cfb_encrypt");
3229
3230    /* Validate parameters. */
3231    if ((key == NULL) || (in == NULL) || (out == NULL) || (iv == NULL)) {
3232        WOLFSSL_MSG("Error, Null argument passed in");
3233    }
3234    else {
3235        int ret;
3236        Aes* aes = (Aes*)key;
3237
3238        /* Copy the IV directly into reg here because wc_AesSetIV clears
3239         * leftover bytes field "left", and this function relies on the leftover
3240         * bytes being preserved between calls.
3241         */
3242        XMEMCPY(aes->reg, iv, WC_AES_BLOCK_SIZE);
3243
3244        if (enc == AES_ENCRYPTION) {
3245            /* Encrypt data with AES-CFB. */
3246            if ((ret = wc_AesCfbEncrypt(aes, out, in, (word32)len)) != 0) {
3247                WOLFSSL_MSG("Error with AES CBC encrypt");
3248            }
3249        }
3250        else {
3251            /* Decrypt data with AES-CFB. */
3252            if ((ret = wc_AesCfbDecrypt(aes, out, in, (word32)len)) != 0) {
3253                WOLFSSL_MSG("Error with AES CBC decrypt");
3254            }
3255        }
3256
3257        if (ret == 0) {
3258            /* Copy IV out after operation. */
3259            XMEMCPY(iv, (byte*)(aes->reg), WC_AES_BLOCK_SIZE);
3260
3261            /* Store number of left over bytes to num. */
3262            if (num != NULL) {
3263                *num = (WC_AES_BLOCK_SIZE - aes->left) % WC_AES_BLOCK_SIZE;
3264            }
3265        }
3266    }
3267#endif /* WOLFSSL_AES_CFB */
3268}
3269
3270/* wc_AesKey*Wrap_ex API not available in FIPS and SELFTEST */
3271#if defined(HAVE_AES_KEYWRAP) && !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)
3272/* Wrap (encrypt) a key using RFC3394 AES key wrap.
3273 *
3274 * @param [in, out] key   AES key.
3275 * @param [in]      iv    Initialization vector used by encryption mode.
3276 * @param [out]     out   Wrapped key.
3277 * @param [in]      in    Key data to wrap.
3278 * @param [in]      inSz  Length of key to wrap in bytes.
3279 * @return  Length of encrypted key in bytes.
3280 * @return  0 when key, iv, out or in is NULL.
3281 * @return  0 when key length is not valid.
3282 */
3283int wolfSSL_AES_wrap_key(WOLFSSL_AES_KEY *key, const unsigned char *iv,
3284    unsigned char *out, const unsigned char *in, unsigned int inSz)
3285{
3286    int ret = 0;
3287    int len = 0;
3288
3289    WOLFSSL_ENTER("wolfSSL_AES_wrap_key");
3290
3291    /* Validate parameters. */
3292    if ((out == NULL) || (in == NULL)) {
3293        WOLFSSL_MSG("Error, Null argument passed in");
3294        ret = BAD_FUNC_ARG;
3295    }
3296
3297    /* Wrap key. */
3298    if ((ret == 0) && ((ret = wc_AesKeyWrap_ex((Aes*)key, in, inSz, out,
3299            inSz + KEYWRAP_BLOCK_SIZE, iv)) > 0)) {
3300        /* Get the length of the wrapped key. */
3301        len = ret;
3302    }
3303
3304    return len;
3305}
3306
3307/* Unwrap (decrypt) a key using RFC3394 AES key wrap.
3308 *
3309 * @param [in, out] key   AES key.
3310 * @param [in]      iv    Initialization vector used by decryption mode.
3311 * @param [out]     out   Unwrapped key.
3312 * @param [in]      in    Wrapped key data.
3313 * @param [in]      inSz  Length of wrapped key data in bytes.
3314 * @return  Length of decrypted key in bytes.
3315 * @return  0 when key, iv, out or in is NULL.
3316 * @return  0 when wrapped key data length is not valid.
3317 */
3318int wolfSSL_AES_unwrap_key(WOLFSSL_AES_KEY *key, const unsigned char *iv,
3319    unsigned char *out, const unsigned char *in, unsigned int inSz)
3320{
3321    int ret = 0;
3322    int len = 0;
3323
3324    WOLFSSL_ENTER("wolfSSL_AES_wrap_key");
3325
3326    /* Validate parameters. */
3327    if ((out == NULL) || (in == NULL)) {
3328        WOLFSSL_MSG("Error, Null argument passed in");
3329        ret = BAD_FUNC_ARG;
3330    }
3331
3332    /* Unwrap key. */
3333    if ((ret == 0) && ((ret = wc_AesKeyUnWrap_ex((Aes*)key, in, inSz, out,
3334            inSz + KEYWRAP_BLOCK_SIZE, iv)) > 0)) {
3335        /* Get the length of the unwrapped key. */
3336        len = ret;
3337    }
3338
3339    return len;
3340}
3341#endif /* HAVE_AES_KEYWRAP && !HAVE_FIPS && !HAVE_SELFTEST */
3342
3343#ifdef HAVE_CTS
3344/* Ciphertext stealing encryption compatible with RFC2040 and RFC3962.
3345 *
3346 * @param [in]  in   Data to encrypt.
3347 * @param [out] out  Encrypted data.
3348 * @param [in]  len  Length of data to encrypt.
3349 * @param [in]  key  Symmetric key.
3350 * @param [in]  iv   Initialization Vector for encryption mode.
3351 * @param [in]  cbc  CBC mode encryption function.
3352 * @return  Length of encrypted data in bytes on success.
3353 * @return  0 when in, out, cbc, key or iv are NULL.
3354 * @return  0 when len is less than or equal to 16 bytes.
3355 */
3356size_t wolfSSL_CRYPTO_cts128_encrypt(const unsigned char *in,
3357    unsigned char *out, size_t len, const void *key, unsigned char *iv,
3358    WOLFSSL_CBC128_CB cbc)
3359{
3360    byte lastBlk[WOLFSSL_CTS128_BLOCK_SZ];
3361    int lastBlkLen = len % WOLFSSL_CTS128_BLOCK_SZ;
3362
3363    WOLFSSL_ENTER("wolfSSL_CRYPTO_cts128_encrypt");
3364
3365    /* Validate parameters. */
3366    if ((in == NULL) || (out == NULL) || (len <= WOLFSSL_CTS128_BLOCK_SZ) ||
3367            (cbc == NULL) || (key == NULL) || (iv == NULL)) {
3368        WOLFSSL_MSG("Bad parameter");
3369        len = 0;
3370    }
3371
3372    if (len > 0) {
3373        /* Must have a last block. */
3374        if (lastBlkLen == 0) {
3375            lastBlkLen = WOLFSSL_CTS128_BLOCK_SZ;
3376        }
3377
3378        /* Encrypt data up to last block */
3379        (*cbc)(in, out, len - lastBlkLen, key, iv, AES_ENCRYPTION);
3380
3381        /* Move to last block */
3382        in += len - lastBlkLen;
3383        out += len - lastBlkLen;
3384
3385        /* RFC2040: Pad Pn with zeros at the end to create P of length BB. */
3386        XMEMCPY(lastBlk, in, lastBlkLen);
3387        XMEMSET(lastBlk + lastBlkLen, 0, WOLFSSL_CTS128_BLOCK_SZ - lastBlkLen);
3388        /* RFC2040: Select the first Ln bytes of En-1 to create Cn */
3389        XMEMCPY(out, out - WOLFSSL_CTS128_BLOCK_SZ, lastBlkLen);
3390        /* Encrypt last block. */
3391        (*cbc)(lastBlk, out - WOLFSSL_CTS128_BLOCK_SZ, WOLFSSL_CTS128_BLOCK_SZ,
3392                key, iv, AES_ENCRYPTION);
3393    }
3394
3395    return len;
3396}
3397
3398/* Ciphertext stealing decryption compatible with RFC2040 and RFC3962.
3399 *
3400 * @param [in]  in   Data to decrypt.
3401 * @param [out] out  Decrypted data.
3402 * @param [in]  len  Length of data to decrypt.
3403 * @param [in]  key  Symmetric key.
3404 * @param [in]  iv   Initialization Vector for decryption mode.
3405 * @param [in]  cbc  CBC mode encryption function.
3406 * @return  Length of decrypted data in bytes on success.
3407 * @return  0 when in, out, cbc, key or iv are NULL.
3408 * @return  0 when len is less than or equal to 16 bytes.
3409 */
3410size_t wolfSSL_CRYPTO_cts128_decrypt(const unsigned char *in,
3411    unsigned char *out, size_t len, const void *key, unsigned char *iv,
3412    WOLFSSL_CBC128_CB cbc)
3413{
3414    byte lastBlk[WOLFSSL_CTS128_BLOCK_SZ];
3415    byte prevBlk[WOLFSSL_CTS128_BLOCK_SZ];
3416    int lastBlkLen = len % WOLFSSL_CTS128_BLOCK_SZ;
3417
3418    WOLFSSL_ENTER("wolfSSL_CRYPTO_cts128_decrypt");
3419
3420    /* Validate parameters. */
3421    if ((in == NULL) || (out == NULL) || (len <= WOLFSSL_CTS128_BLOCK_SZ) ||
3422            (cbc == NULL) || (key == NULL) || (iv == NULL)) {
3423        WOLFSSL_MSG("Bad parameter");
3424        len = 0;
3425    }
3426
3427    if (len > 0) {
3428        /* Must have a last block. */
3429        if (lastBlkLen == 0) {
3430            lastBlkLen = WOLFSSL_CTS128_BLOCK_SZ;
3431        }
3432
3433        if (len - lastBlkLen - WOLFSSL_CTS128_BLOCK_SZ != 0) {
3434            /* Decrypt up to last two blocks */
3435            (*cbc)(in, out, len - lastBlkLen - WOLFSSL_CTS128_BLOCK_SZ, key, iv,
3436                    AES_DECRYPTION);
3437
3438            /* Move to last two blocks */
3439            in += len - lastBlkLen - WOLFSSL_CTS128_BLOCK_SZ;
3440            out += len - lastBlkLen - WOLFSSL_CTS128_BLOCK_SZ;
3441        }
3442
3443        /* RFC2040: Decrypt Cn-1 to create Dn.
3444         * Use 0 buffer as IV to do straight decryption.
3445         * This places the Cn-1 block at lastBlk */
3446        XMEMSET(lastBlk, 0, WOLFSSL_CTS128_BLOCK_SZ);
3447        (*cbc)(in, prevBlk, WOLFSSL_CTS128_BLOCK_SZ, key, lastBlk,
3448            AES_DECRYPTION);
3449        /* RFC2040: Append the tail (BB minus Ln) bytes of Xn to Cn
3450         *          to create En. */
3451        XMEMCPY(prevBlk, in + WOLFSSL_CTS128_BLOCK_SZ, lastBlkLen);
3452        /* Cn and Cn-1 can now be decrypted */
3453        (*cbc)(prevBlk, out, WOLFSSL_CTS128_BLOCK_SZ, key, iv, AES_DECRYPTION);
3454        (*cbc)(lastBlk, lastBlk, WOLFSSL_CTS128_BLOCK_SZ, key, iv,
3455            AES_DECRYPTION);
3456        XMEMCPY(out + WOLFSSL_CTS128_BLOCK_SZ, lastBlk, lastBlkLen);
3457    }
3458
3459    return len;
3460}
3461#endif /* HAVE_CTS */
3462#endif /* !NO_AES && !WOLFSSL_NO_OPENSSL_AES_LOW_LEVEL_API */
3463#endif /* OPENSSL_EXTRA */
3464
3465/*******************************************************************************
3466 * END OF AES API
3467 ******************************************************************************/
3468
3469/*******************************************************************************
3470 * START OF RC4 API
3471 ******************************************************************************/
3472
3473#ifdef OPENSSL_EXTRA
3474
3475#ifndef NO_RC4
3476/* Set the key state for Arc4 key.
3477 *
3478 * @param [out] key   Arc4 key.
3479 * @param [in]  len   Length of key in buffer.
3480 * @param [in]  data  Key data buffer.
3481 */
3482void wolfSSL_RC4_set_key(WOLFSSL_RC4_KEY* key, int len,
3483    const unsigned char* data)
3484{
3485    wc_static_assert(sizeof(WOLFSSL_RC4_KEY) >= sizeof(Arc4));
3486
3487    WOLFSSL_ENTER("wolfSSL_RC4_set_key");
3488
3489    /* Validate parameters. */
3490    if ((key == NULL) || (len < 0) || (data == NULL)) {
3491        WOLFSSL_MSG("bad argument passed in");
3492    }
3493    else {
3494        /* Reset wolfCrypt Arc4 object. */
3495        XMEMSET(key, 0, sizeof(WOLFSSL_RC4_KEY));
3496        /* Set key into wolfCrypt Arc4 object. */
3497        wc_Arc4SetKey((Arc4*)key, data, (word32)len);
3498    }
3499}
3500
3501
3502/* Encrypt/decrypt with Arc4 key.
3503 *
3504 * @param [in]  len  Length of data to encrypt/decrypt.
3505 * @param [in]  in   Data to encrypt/decrypt.
3506 * @param [out] out  Enciphered data.
3507 */
3508void wolfSSL_RC4(WOLFSSL_RC4_KEY* key, size_t len, const unsigned char* in,
3509    unsigned char* out)
3510{
3511    WOLFSSL_ENTER("wolfSSL_RC4");
3512
3513    /* Validate parameters. */
3514    if ((key == NULL) || (in == NULL) || (out == NULL)) {
3515        WOLFSSL_MSG("Bad argument passed in");
3516    }
3517    else {
3518        /* Encrypt/decrypt data. */
3519        wc_Arc4Process((Arc4*)key, out, in, (word32)len);
3520    }
3521}
3522#endif /* NO_RC4 */
3523
3524#endif /* OPENSSL_EXTRA */
3525
3526/*******************************************************************************
3527 * END OF RC4 API
3528 ******************************************************************************/
3529
3530#endif /* WOLFSSL_SSL_CRYPTO_INCLUDED */
3531