Line data Source code
1 : /* crypto/evp/e_des3.c */
2 : /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 : * All rights reserved.
4 : *
5 : * This package is an SSL implementation written
6 : * by Eric Young (eay@cryptsoft.com).
7 : * The implementation was written so as to conform with Netscapes SSL.
8 : *
9 : * This library is free for commercial and non-commercial use as long as
10 : * the following conditions are aheared to. The following conditions
11 : * apply to all code found in this distribution, be it the RC4, RSA,
12 : * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 : * included with this distribution is covered by the same copyright terms
14 : * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 : *
16 : * Copyright remains Eric Young's, and as such any Copyright notices in
17 : * the code are not to be removed.
18 : * If this package is used in a product, Eric Young should be given attribution
19 : * as the author of the parts of the library used.
20 : * This can be in the form of a textual message at program startup or
21 : * in documentation (online or textual) provided with the package.
22 : *
23 : * Redistribution and use in source and binary forms, with or without
24 : * modification, are permitted provided that the following conditions
25 : * are met:
26 : * 1. Redistributions of source code must retain the copyright
27 : * notice, this list of conditions and the following disclaimer.
28 : * 2. Redistributions in binary form must reproduce the above copyright
29 : * notice, this list of conditions and the following disclaimer in the
30 : * documentation and/or other materials provided with the distribution.
31 : * 3. All advertising materials mentioning features or use of this software
32 : * must display the following acknowledgement:
33 : * "This product includes cryptographic software written by
34 : * Eric Young (eay@cryptsoft.com)"
35 : * The word 'cryptographic' can be left out if the rouines from the library
36 : * being used are not cryptographic related :-).
37 : * 4. If you include any Windows specific code (or a derivative thereof) from
38 : * the apps directory (application code) you must include an acknowledgement:
39 : * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 : *
41 : * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 : * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 : * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 : * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 : * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 : * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 : * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 : * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 : * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 : * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 : * SUCH DAMAGE.
52 : *
53 : * The licence and distribution terms for any publically available version or
54 : * derivative of this code cannot be changed. i.e. this code cannot simply be
55 : * copied and put under another distribution licence
56 : * [including the GNU Public Licence.]
57 : */
58 :
59 : #include <stdio.h>
60 : #include "cryptlib.h"
61 : #ifndef OPENSSL_NO_DES
62 : # include <openssl/evp.h>
63 : # include <openssl/objects.h>
64 : # include "evp_locl.h"
65 : # include <openssl/des.h>
66 : # include <openssl/rand.h>
67 :
68 : /* Block use of implementations in FIPS mode */
69 : # undef EVP_CIPH_FLAG_FIPS
70 : # define EVP_CIPH_FLAG_FIPS 0
71 :
72 : typedef struct {
73 : union {
74 : double align;
75 : DES_key_schedule ks[3];
76 : } ks;
77 : union {
78 : void (*cbc) (const void *, void *, size_t, const void *, void *);
79 : } stream;
80 : } DES_EDE_KEY;
81 : # define ks1 ks.ks[0]
82 : # define ks2 ks.ks[1]
83 : # define ks3 ks.ks[2]
84 :
85 : # if defined(AES_ASM) && (defined(__sparc) || defined(__sparc__))
86 : /* ---------^^^ this is not a typo, just a way to detect that
87 : * assembler support was in general requested... */
88 : # include "sparc_arch.h"
89 :
90 : extern unsigned int OPENSSL_sparcv9cap_P[];
91 :
92 : # define SPARC_DES_CAPABLE (OPENSSL_sparcv9cap_P[1] & CFR_DES)
93 :
94 : void des_t4_key_expand(const void *key, DES_key_schedule *ks);
95 : void des_t4_ede3_cbc_encrypt(const void *inp, void *out, size_t len,
96 : DES_key_schedule *ks, unsigned char iv[8]);
97 : void des_t4_ede3_cbc_decrypt(const void *inp, void *out, size_t len,
98 : DES_key_schedule *ks, unsigned char iv[8]);
99 : # endif
100 :
101 : static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
102 : const unsigned char *iv, int enc);
103 :
104 : static int des_ede3_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
105 : const unsigned char *iv, int enc);
106 :
107 : static int des3_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr);
108 :
109 : # define data(ctx) ((DES_EDE_KEY *)(ctx)->cipher_data)
110 :
111 : /*
112 : * Because of various casts and different args can't use
113 : * IMPLEMENT_BLOCK_CIPHER
114 : */
115 :
116 0 : static int des_ede_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
117 : const unsigned char *in, size_t inl)
118 : {
119 0 : BLOCK_CIPHER_ecb_loop()
120 0 : DES_ecb3_encrypt((const_DES_cblock *)(in + i),
121 : (DES_cblock *)(out + i),
122 : &data(ctx)->ks1, &data(ctx)->ks2,
123 0 : &data(ctx)->ks3, ctx->encrypt);
124 : return 1;
125 : }
126 :
127 0 : static int des_ede_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
128 : const unsigned char *in, size_t inl)
129 : {
130 0 : while (inl >= EVP_MAXCHUNK) {
131 0 : DES_ede3_ofb64_encrypt(in, out, (long)EVP_MAXCHUNK,
132 : &data(ctx)->ks1, &data(ctx)->ks2,
133 0 : &data(ctx)->ks3, (DES_cblock *)ctx->iv,
134 : &ctx->num);
135 0 : inl -= EVP_MAXCHUNK;
136 0 : in += EVP_MAXCHUNK;
137 0 : out += EVP_MAXCHUNK;
138 : }
139 0 : if (inl)
140 0 : DES_ede3_ofb64_encrypt(in, out, (long)inl,
141 : &data(ctx)->ks1, &data(ctx)->ks2,
142 0 : &data(ctx)->ks3, (DES_cblock *)ctx->iv,
143 : &ctx->num);
144 :
145 0 : return 1;
146 : }
147 :
148 0 : static int des_ede_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
149 : const unsigned char *in, size_t inl)
150 : {
151 0 : DES_EDE_KEY *dat = data(ctx);
152 :
153 : # ifdef KSSL_DEBUG
154 : {
155 : int i;
156 : fprintf(stderr, "des_ede_cbc_cipher(ctx=%p, buflen=%d)\n", ctx,
157 : ctx->buf_len);
158 : fprintf(stderr, "\t iv= ");
159 : for (i = 0; i < 8; i++)
160 : fprintf(stderr, "%02X", ctx->iv[i]);
161 : fprintf(stderr, "\n");
162 : }
163 : # endif /* KSSL_DEBUG */
164 0 : if (dat->stream.cbc) {
165 0 : (*dat->stream.cbc) (in, out, inl, &dat->ks, ctx->iv);
166 0 : return 1;
167 : }
168 :
169 0 : while (inl >= EVP_MAXCHUNK) {
170 0 : DES_ede3_cbc_encrypt(in, out, (long)EVP_MAXCHUNK,
171 : &dat->ks1, &dat->ks2, &dat->ks3,
172 0 : (DES_cblock *)ctx->iv, ctx->encrypt);
173 0 : inl -= EVP_MAXCHUNK;
174 0 : in += EVP_MAXCHUNK;
175 0 : out += EVP_MAXCHUNK;
176 : }
177 0 : if (inl)
178 0 : DES_ede3_cbc_encrypt(in, out, (long)inl,
179 : &dat->ks1, &dat->ks2, &dat->ks3,
180 0 : (DES_cblock *)ctx->iv, ctx->encrypt);
181 : return 1;
182 : }
183 :
184 0 : static int des_ede_cfb64_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
185 : const unsigned char *in, size_t inl)
186 : {
187 0 : while (inl >= EVP_MAXCHUNK) {
188 0 : DES_ede3_cfb64_encrypt(in, out, (long)EVP_MAXCHUNK,
189 : &data(ctx)->ks1, &data(ctx)->ks2,
190 0 : &data(ctx)->ks3, (DES_cblock *)ctx->iv,
191 : &ctx->num, ctx->encrypt);
192 0 : inl -= EVP_MAXCHUNK;
193 0 : in += EVP_MAXCHUNK;
194 0 : out += EVP_MAXCHUNK;
195 : }
196 0 : if (inl)
197 0 : DES_ede3_cfb64_encrypt(in, out, (long)inl,
198 : &data(ctx)->ks1, &data(ctx)->ks2,
199 0 : &data(ctx)->ks3, (DES_cblock *)ctx->iv,
200 : &ctx->num, ctx->encrypt);
201 0 : return 1;
202 : }
203 :
204 : /*
205 : * Although we have a CFB-r implementation for 3-DES, it doesn't pack the
206 : * right way, so wrap it here
207 : */
208 0 : static int des_ede3_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
209 : const unsigned char *in, size_t inl)
210 : {
211 : size_t n;
212 : unsigned char c[1], d[1];
213 :
214 0 : for (n = 0; n < inl; ++n) {
215 0 : c[0] = (in[n / 8] & (1 << (7 - n % 8))) ? 0x80 : 0;
216 0 : DES_ede3_cfb_encrypt(c, d, 1, 1,
217 : &data(ctx)->ks1, &data(ctx)->ks2,
218 0 : &data(ctx)->ks3, (DES_cblock *)ctx->iv,
219 : ctx->encrypt);
220 0 : out[n / 8] = (out[n / 8] & ~(0x80 >> (unsigned int)(n % 8)))
221 0 : | ((d[0] & 0x80) >> (unsigned int)(n % 8));
222 : }
223 :
224 0 : return 1;
225 : }
226 :
227 0 : static int des_ede3_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
228 : const unsigned char *in, size_t inl)
229 : {
230 0 : while (inl >= EVP_MAXCHUNK) {
231 0 : DES_ede3_cfb_encrypt(in, out, 8, (long)EVP_MAXCHUNK,
232 : &data(ctx)->ks1, &data(ctx)->ks2,
233 0 : &data(ctx)->ks3, (DES_cblock *)ctx->iv,
234 : ctx->encrypt);
235 0 : inl -= EVP_MAXCHUNK;
236 0 : in += EVP_MAXCHUNK;
237 0 : out += EVP_MAXCHUNK;
238 : }
239 0 : if (inl)
240 0 : DES_ede3_cfb_encrypt(in, out, 8, (long)inl,
241 : &data(ctx)->ks1, &data(ctx)->ks2,
242 0 : &data(ctx)->ks3, (DES_cblock *)ctx->iv,
243 : ctx->encrypt);
244 0 : return 1;
245 : }
246 :
247 363 : BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY, NID_des_ede, 8, 16, 8, 64,
248 : EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_DEFAULT_ASN1,
249 : des_ede_init_key, NULL, NULL, NULL, des3_ctrl)
250 : # define des_ede3_cfb64_cipher des_ede_cfb64_cipher
251 : # define des_ede3_ofb_cipher des_ede_ofb_cipher
252 : # define des_ede3_cbc_cipher des_ede_cbc_cipher
253 : # define des_ede3_ecb_cipher des_ede_ecb_cipher
254 484 : BLOCK_CIPHER_defs(des_ede3, DES_EDE_KEY, NID_des_ede3, 8, 24, 8, 64,
255 : EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_FIPS |
256 : EVP_CIPH_FLAG_DEFAULT_ASN1, des_ede3_init_key, NULL, NULL, NULL,
257 : des3_ctrl)
258 :
259 121 : BLOCK_CIPHER_def_cfb(des_ede3, DES_EDE_KEY, NID_des_ede3, 24, 8, 1,
260 : EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_FIPS |
261 : EVP_CIPH_FLAG_DEFAULT_ASN1, des_ede3_init_key, NULL, NULL,
262 : NULL, des3_ctrl)
263 :
264 121 : BLOCK_CIPHER_def_cfb(des_ede3, DES_EDE_KEY, NID_des_ede3, 24, 8, 8,
265 : EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_FIPS |
266 : EVP_CIPH_FLAG_DEFAULT_ASN1, des_ede3_init_key, NULL, NULL,
267 : NULL, des3_ctrl)
268 :
269 0 : static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
270 : const unsigned char *iv, int enc)
271 : {
272 : DES_cblock *deskey = (DES_cblock *)key;
273 0 : DES_EDE_KEY *dat = data(ctx);
274 :
275 0 : dat->stream.cbc = NULL;
276 : # if defined(SPARC_DES_CAPABLE)
277 : if (SPARC_DES_CAPABLE) {
278 : int mode = ctx->cipher->flags & EVP_CIPH_MODE;
279 :
280 : if (mode == EVP_CIPH_CBC_MODE) {
281 : des_t4_key_expand(&deskey[0], &dat->ks1);
282 : des_t4_key_expand(&deskey[1], &dat->ks2);
283 : memcpy(&dat->ks3, &dat->ks1, sizeof(dat->ks1));
284 : dat->stream.cbc = enc ? des_t4_ede3_cbc_encrypt :
285 : des_t4_ede3_cbc_decrypt;
286 : return 1;
287 : }
288 : }
289 : # endif
290 : # ifdef EVP_CHECK_DES_KEY
291 : if (DES_set_key_checked(&deskey[0], &dat->ks1)
292 : ! !DES_set_key_checked(&deskey[1], &dat->ks2))
293 : return 0;
294 : # else
295 0 : DES_set_key_unchecked(&deskey[0], &dat->ks1);
296 0 : DES_set_key_unchecked(&deskey[1], &dat->ks2);
297 : # endif
298 0 : memcpy(&dat->ks3, &dat->ks1, sizeof(dat->ks1));
299 0 : return 1;
300 : }
301 :
302 0 : static int des_ede3_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
303 : const unsigned char *iv, int enc)
304 : {
305 : DES_cblock *deskey = (DES_cblock *)key;
306 0 : DES_EDE_KEY *dat = data(ctx);
307 :
308 : # ifdef KSSL_DEBUG
309 : {
310 : int i;
311 : fprintf(stderr, "des_ede3_init_key(ctx=%p)\n", ctx);
312 : fprintf(stderr, "\tKEY= ");
313 : for (i = 0; i < 24; i++)
314 : fprintf(stderr, "%02X", key[i]);
315 : fprintf(stderr, "\n");
316 : if (iv) {
317 : fprintf(stderr, "\t IV= ");
318 : for (i = 0; i < 8; i++)
319 : fprintf(stderr, "%02X", iv[i]);
320 : fprintf(stderr, "\n");
321 : }
322 : }
323 : # endif /* KSSL_DEBUG */
324 :
325 0 : dat->stream.cbc = NULL;
326 : # if defined(SPARC_DES_CAPABLE)
327 : if (SPARC_DES_CAPABLE) {
328 : int mode = ctx->cipher->flags & EVP_CIPH_MODE;
329 :
330 : if (mode == EVP_CIPH_CBC_MODE) {
331 : des_t4_key_expand(&deskey[0], &dat->ks1);
332 : des_t4_key_expand(&deskey[1], &dat->ks2);
333 : des_t4_key_expand(&deskey[2], &dat->ks3);
334 : dat->stream.cbc = enc ? des_t4_ede3_cbc_encrypt :
335 : des_t4_ede3_cbc_decrypt;
336 : return 1;
337 : }
338 : }
339 : # endif
340 : # ifdef EVP_CHECK_DES_KEY
341 : if (DES_set_key_checked(&deskey[0], &dat->ks1)
342 : || DES_set_key_checked(&deskey[1], &dat->ks2)
343 : || DES_set_key_checked(&deskey[2], &dat->ks3))
344 : return 0;
345 : # else
346 0 : DES_set_key_unchecked(&deskey[0], &dat->ks1);
347 0 : DES_set_key_unchecked(&deskey[1], &dat->ks2);
348 0 : DES_set_key_unchecked(&deskey[2], &dat->ks3);
349 : # endif
350 0 : return 1;
351 : }
352 :
353 0 : static int des3_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
354 : {
355 :
356 : DES_cblock *deskey = ptr;
357 :
358 0 : switch (type) {
359 : case EVP_CTRL_RAND_KEY:
360 0 : if (RAND_bytes(ptr, c->key_len) <= 0)
361 : return 0;
362 0 : DES_set_odd_parity(deskey);
363 0 : if (c->key_len >= 16)
364 0 : DES_set_odd_parity(deskey + 1);
365 0 : if (c->key_len >= 24)
366 0 : DES_set_odd_parity(deskey + 2);
367 : return 1;
368 :
369 : default:
370 : return -1;
371 : }
372 : }
373 :
374 121 : const EVP_CIPHER *EVP_des_ede(void)
375 : {
376 121 : return &des_ede_ecb;
377 : }
378 :
379 121 : const EVP_CIPHER *EVP_des_ede3(void)
380 : {
381 121 : return &des_ede3_ecb;
382 : }
383 :
384 : # ifndef OPENSSL_NO_SHA
385 :
386 : # include <openssl/sha.h>
387 :
388 : static const unsigned char wrap_iv[8] =
389 : { 0x4a, 0xdd, 0xa2, 0x2c, 0x79, 0xe8, 0x21, 0x05 };
390 :
391 0 : static int des_ede3_unwrap(EVP_CIPHER_CTX *ctx, unsigned char *out,
392 : const unsigned char *in, size_t inl)
393 : {
394 : unsigned char icv[8], iv[8], sha1tmp[SHA_DIGEST_LENGTH];
395 : int rv = -1;
396 0 : if (inl < 24)
397 : return -1;
398 0 : if (!out)
399 0 : return inl - 16;
400 0 : memcpy(ctx->iv, wrap_iv, 8);
401 : /* Decrypt first block which will end up as icv */
402 0 : des_ede_cbc_cipher(ctx, icv, in, 8);
403 : /* Decrypt central blocks */
404 : /*
405 : * If decrypting in place move whole output along a block so the next
406 : * des_ede_cbc_cipher is in place.
407 : */
408 0 : if (out == in) {
409 0 : memmove(out, out + 8, inl - 8);
410 0 : in -= 8;
411 : }
412 0 : des_ede_cbc_cipher(ctx, out, in + 8, inl - 16);
413 : /* Decrypt final block which will be IV */
414 0 : des_ede_cbc_cipher(ctx, iv, in + inl - 8, 8);
415 : /* Reverse order of everything */
416 0 : BUF_reverse(icv, NULL, 8);
417 0 : BUF_reverse(out, NULL, inl - 16);
418 0 : BUF_reverse(ctx->iv, iv, 8);
419 : /* Decrypt again using new IV */
420 0 : des_ede_cbc_cipher(ctx, out, out, inl - 16);
421 0 : des_ede_cbc_cipher(ctx, icv, icv, 8);
422 : /* Work out SHA1 hash of first portion */
423 0 : SHA1(out, inl - 16, sha1tmp);
424 :
425 0 : if (!CRYPTO_memcmp(sha1tmp, icv, 8))
426 0 : rv = inl - 16;
427 0 : OPENSSL_cleanse(icv, 8);
428 0 : OPENSSL_cleanse(sha1tmp, SHA_DIGEST_LENGTH);
429 0 : OPENSSL_cleanse(iv, 8);
430 0 : OPENSSL_cleanse(ctx->iv, 8);
431 0 : if (rv == -1)
432 0 : OPENSSL_cleanse(out, inl - 16);
433 :
434 0 : return rv;
435 : }
436 :
437 0 : static int des_ede3_wrap(EVP_CIPHER_CTX *ctx, unsigned char *out,
438 : const unsigned char *in, size_t inl)
439 : {
440 : unsigned char sha1tmp[SHA_DIGEST_LENGTH];
441 0 : if (!out)
442 0 : return inl + 16;
443 : /* Copy input to output buffer + 8 so we have space for IV */
444 0 : memmove(out + 8, in, inl);
445 : /* Work out ICV */
446 0 : SHA1(in, inl, sha1tmp);
447 0 : memcpy(out + inl + 8, sha1tmp, 8);
448 0 : OPENSSL_cleanse(sha1tmp, SHA_DIGEST_LENGTH);
449 : /* Generate random IV */
450 0 : if (RAND_bytes(ctx->iv, 8) <= 0)
451 : return -1;
452 : memcpy(out, ctx->iv, 8);
453 : /* Encrypt everything after IV in place */
454 0 : des_ede_cbc_cipher(ctx, out + 8, out + 8, inl + 8);
455 0 : BUF_reverse(out, NULL, inl + 16);
456 : memcpy(ctx->iv, wrap_iv, 8);
457 0 : des_ede_cbc_cipher(ctx, out, out, inl + 16);
458 0 : return inl + 16;
459 : }
460 :
461 0 : static int des_ede3_wrap_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
462 : const unsigned char *in, size_t inl)
463 : {
464 : /*
465 : * Sanity check input length: we typically only wrap keys so EVP_MAXCHUNK
466 : * is more than will ever be needed. Also input length must be a multiple
467 : * of 8 bits.
468 : */
469 0 : if (inl >= EVP_MAXCHUNK || inl % 8)
470 : return -1;
471 0 : if (ctx->encrypt)
472 0 : return des_ede3_wrap(ctx, out, in, inl);
473 : else
474 0 : return des_ede3_unwrap(ctx, out, in, inl);
475 : }
476 :
477 : static const EVP_CIPHER des3_wrap = {
478 : NID_id_smime_alg_CMS3DESwrap,
479 : 8, 24, 0,
480 : EVP_CIPH_WRAP_MODE | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER
481 : | EVP_CIPH_FLAG_DEFAULT_ASN1,
482 : des_ede3_init_key, des_ede3_wrap_cipher,
483 : NULL,
484 : sizeof(DES_EDE_KEY),
485 : NULL, NULL, NULL, NULL
486 : };
487 :
488 121 : const EVP_CIPHER *EVP_des_ede3_wrap(void)
489 : {
490 121 : return &des3_wrap;
491 : }
492 :
493 : # endif
494 : #endif
|