1 /* crypto/evp/e_des3.c */ 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 59 #include <stdio.h> 60 #include "cryptlib.h" 61 #ifndef OPENSSL_NO_DES 62 # include <openssl/evp.h> 63 # include <openssl/objects.h> 64 # include "evp_locl.h" 65 # include <openssl/des.h> 66 # include <openssl/rand.h> 67 68 /* Block use of implementations in FIPS mode */ 69 # undef EVP_CIPH_FLAG_FIPS 70 # define EVP_CIPH_FLAG_FIPS 0 71 72 typedef struct { 73 union { 74 double align; 75 DES_key_schedule ks[3]; 76 } ks; 77 union { 78 void (*cbc) (const void *, void *, size_t, 79 const DES_key_schedule *, unsigned char *); 80 } stream; 81 } DES_EDE_KEY; 82 # define ks1 ks.ks[0] 83 # define ks2 ks.ks[1] 84 # define ks3 ks.ks[2] 85 86 # if defined(AES_ASM) && (defined(__sparc) || defined(__sparc__)) 87 /* ---------^^^ this is not a typo, just a way to detect that 88 * assembler support was in general requested... */ 89 # include "sparc_arch.h" 90 91 extern unsigned int OPENSSL_sparcv9cap_P[]; 92 93 # define SPARC_DES_CAPABLE (OPENSSL_sparcv9cap_P[1] & CFR_DES) 94 95 void des_t4_key_expand(const void *key, DES_key_schedule *ks); 96 void des_t4_ede3_cbc_encrypt(const void *inp, void *out, size_t len, 97 const DES_key_schedule ks[3], unsigned char iv[8]); 98 void des_t4_ede3_cbc_decrypt(const void *inp, void *out, size_t len, 99 const DES_key_schedule ks[3], unsigned char iv[8]); 100 # endif 101 102 static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 103 const unsigned char *iv, int enc); 104 105 static int des_ede3_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 106 const unsigned char *iv, int enc); 107 108 static int des3_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr); 109 110 # define data(ctx) ((DES_EDE_KEY *)(ctx)->cipher_data) 111 112 /* 113 * Because of various casts and different args can't use 114 * IMPLEMENT_BLOCK_CIPHER 115 */ 116 117 static int des_ede_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 118 const unsigned char *in, size_t inl) 119 { 120 BLOCK_CIPHER_ecb_loop() 121 DES_ecb3_encrypt((const_DES_cblock *)(in + i), 122 (DES_cblock *)(out + i), 123 &data(ctx)->ks1, &data(ctx)->ks2, 124 &data(ctx)->ks3, ctx->encrypt); 125 return 1; 126 } 127 128 static int des_ede_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 129 const unsigned char *in, size_t inl) 130 { 131 while (inl >= EVP_MAXCHUNK) { 132 DES_ede3_ofb64_encrypt(in, out, (long)EVP_MAXCHUNK, 133 &data(ctx)->ks1, &data(ctx)->ks2, 134 &data(ctx)->ks3, (DES_cblock *)ctx->iv, 135 &ctx->num); 136 inl -= EVP_MAXCHUNK; 137 in += EVP_MAXCHUNK; 138 out += EVP_MAXCHUNK; 139 } 140 if (inl) 141 DES_ede3_ofb64_encrypt(in, out, (long)inl, 142 &data(ctx)->ks1, &data(ctx)->ks2, 143 &data(ctx)->ks3, (DES_cblock *)ctx->iv, 144 &ctx->num); 145 146 return 1; 147 } 148 149 static int des_ede_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 150 const unsigned char *in, size_t inl) 151 { 152 DES_EDE_KEY *dat = data(ctx); 153 154 # ifdef KSSL_DEBUG 155 { 156 int i; 157 fprintf(stderr, "des_ede_cbc_cipher(ctx=%p, buflen=%d)\n", ctx, 158 ctx->buf_len); 159 fprintf(stderr, "\t iv= "); 160 for (i = 0; i < 8; i++) 161 fprintf(stderr, "%02X", ctx->iv[i]); 162 fprintf(stderr, "\n"); 163 } 164 # endif /* KSSL_DEBUG */ 165 if (dat->stream.cbc) { 166 (*dat->stream.cbc) (in, out, inl, dat->ks.ks, ctx->iv); 167 return 1; 168 } 169 170 while (inl >= EVP_MAXCHUNK) { 171 DES_ede3_cbc_encrypt(in, out, (long)EVP_MAXCHUNK, 172 &dat->ks1, &dat->ks2, &dat->ks3, 173 (DES_cblock *)ctx->iv, ctx->encrypt); 174 inl -= EVP_MAXCHUNK; 175 in += EVP_MAXCHUNK; 176 out += EVP_MAXCHUNK; 177 } 178 if (inl) 179 DES_ede3_cbc_encrypt(in, out, (long)inl, 180 &dat->ks1, &dat->ks2, &dat->ks3, 181 (DES_cblock *)ctx->iv, ctx->encrypt); 182 return 1; 183 } 184 185 static int des_ede_cfb64_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 186 const unsigned char *in, size_t inl) 187 { 188 while (inl >= EVP_MAXCHUNK) { 189 DES_ede3_cfb64_encrypt(in, out, (long)EVP_MAXCHUNK, 190 &data(ctx)->ks1, &data(ctx)->ks2, 191 &data(ctx)->ks3, (DES_cblock *)ctx->iv, 192 &ctx->num, ctx->encrypt); 193 inl -= EVP_MAXCHUNK; 194 in += EVP_MAXCHUNK; 195 out += EVP_MAXCHUNK; 196 } 197 if (inl) 198 DES_ede3_cfb64_encrypt(in, out, (long)inl, 199 &data(ctx)->ks1, &data(ctx)->ks2, 200 &data(ctx)->ks3, (DES_cblock *)ctx->iv, 201 &ctx->num, ctx->encrypt); 202 return 1; 203 } 204 205 /* 206 * Although we have a CFB-r implementation for 3-DES, it doesn't pack the 207 * right way, so wrap it here 208 */ 209 static int des_ede3_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 210 const unsigned char *in, size_t inl) 211 { 212 size_t n; 213 unsigned char c[1], d[1]; 214 215 for (n = 0; n < inl; ++n) { 216 c[0] = (in[n / 8] & (1 << (7 - n % 8))) ? 0x80 : 0; 217 DES_ede3_cfb_encrypt(c, d, 1, 1, 218 &data(ctx)->ks1, &data(ctx)->ks2, 219 &data(ctx)->ks3, (DES_cblock *)ctx->iv, 220 ctx->encrypt); 221 out[n / 8] = (out[n / 8] & ~(0x80 >> (unsigned int)(n % 8))) 222 | ((d[0] & 0x80) >> (unsigned int)(n % 8)); 223 } 224 225 return 1; 226 } 227 228 static int des_ede3_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 229 const unsigned char *in, size_t inl) 230 { 231 while (inl >= EVP_MAXCHUNK) { 232 DES_ede3_cfb_encrypt(in, out, 8, (long)EVP_MAXCHUNK, 233 &data(ctx)->ks1, &data(ctx)->ks2, 234 &data(ctx)->ks3, (DES_cblock *)ctx->iv, 235 ctx->encrypt); 236 inl -= EVP_MAXCHUNK; 237 in += EVP_MAXCHUNK; 238 out += EVP_MAXCHUNK; 239 } 240 if (inl) 241 DES_ede3_cfb_encrypt(in, out, 8, (long)inl, 242 &data(ctx)->ks1, &data(ctx)->ks2, 243 &data(ctx)->ks3, (DES_cblock *)ctx->iv, 244 ctx->encrypt); 245 return 1; 246 } 247 248 BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY, NID_des_ede, 8, 16, 8, 64, 249 EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_DEFAULT_ASN1, 250 des_ede_init_key, NULL, NULL, NULL, des3_ctrl) 251 # define des_ede3_cfb64_cipher des_ede_cfb64_cipher 252 # define des_ede3_ofb_cipher des_ede_ofb_cipher 253 # define des_ede3_cbc_cipher des_ede_cbc_cipher 254 # define des_ede3_ecb_cipher des_ede_ecb_cipher 255 BLOCK_CIPHER_defs(des_ede3, DES_EDE_KEY, NID_des_ede3, 8, 24, 8, 64, 256 EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_FIPS | 257 EVP_CIPH_FLAG_DEFAULT_ASN1, des_ede3_init_key, NULL, NULL, NULL, 258 des3_ctrl) 259 260 BLOCK_CIPHER_def_cfb(des_ede3, DES_EDE_KEY, NID_des_ede3, 24, 8, 1, 261 EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_FIPS | 262 EVP_CIPH_FLAG_DEFAULT_ASN1, des_ede3_init_key, NULL, NULL, 263 NULL, des3_ctrl) 264 265 BLOCK_CIPHER_def_cfb(des_ede3, DES_EDE_KEY, NID_des_ede3, 24, 8, 8, 266 EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_FIPS | 267 EVP_CIPH_FLAG_DEFAULT_ASN1, des_ede3_init_key, NULL, NULL, 268 NULL, des3_ctrl) 269 270 static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 271 const unsigned char *iv, int enc) 272 { 273 DES_cblock *deskey = (DES_cblock *)key; 274 DES_EDE_KEY *dat = data(ctx); 275 276 dat->stream.cbc = NULL; 277 # if defined(SPARC_DES_CAPABLE) 278 if (SPARC_DES_CAPABLE) { 279 int mode = ctx->cipher->flags & EVP_CIPH_MODE; 280 281 if (mode == EVP_CIPH_CBC_MODE) { 282 des_t4_key_expand(&deskey[0], &dat->ks1); 283 des_t4_key_expand(&deskey[1], &dat->ks2); 284 memcpy(&dat->ks3, &dat->ks1, sizeof(dat->ks1)); 285 dat->stream.cbc = enc ? des_t4_ede3_cbc_encrypt : 286 des_t4_ede3_cbc_decrypt; 287 return 1; 288 } 289 } 290 # endif 291 # ifdef EVP_CHECK_DES_KEY 292 if (DES_set_key_checked(&deskey[0], &dat->ks1) 293 || DES_set_key_checked(&deskey[1], &dat->ks2)) 294 return 0; 295 # else 296 DES_set_key_unchecked(&deskey[0], &dat->ks1); 297 DES_set_key_unchecked(&deskey[1], &dat->ks2); 298 # endif 299 memcpy(&dat->ks3, &dat->ks1, sizeof(dat->ks1)); 300 return 1; 301 } 302 303 static int des_ede3_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 304 const unsigned char *iv, int enc) 305 { 306 DES_cblock *deskey = (DES_cblock *)key; 307 DES_EDE_KEY *dat = data(ctx); 308 309 # ifdef KSSL_DEBUG 310 { 311 int i; 312 fprintf(stderr, "des_ede3_init_key(ctx=%p)\n", ctx); 313 fprintf(stderr, "\tKEY= "); 314 for (i = 0; i < 24; i++) 315 fprintf(stderr, "%02X", key[i]); 316 fprintf(stderr, "\n"); 317 if (iv) { 318 fprintf(stderr, "\t IV= "); 319 for (i = 0; i < 8; i++) 320 fprintf(stderr, "%02X", iv[i]); 321 fprintf(stderr, "\n"); 322 } 323 } 324 # endif /* KSSL_DEBUG */ 325 326 dat->stream.cbc = NULL; 327 # if defined(SPARC_DES_CAPABLE) 328 if (SPARC_DES_CAPABLE) { 329 int mode = ctx->cipher->flags & EVP_CIPH_MODE; 330 331 if (mode == EVP_CIPH_CBC_MODE) { 332 des_t4_key_expand(&deskey[0], &dat->ks1); 333 des_t4_key_expand(&deskey[1], &dat->ks2); 334 des_t4_key_expand(&deskey[2], &dat->ks3); 335 dat->stream.cbc = enc ? des_t4_ede3_cbc_encrypt : 336 des_t4_ede3_cbc_decrypt; 337 return 1; 338 } 339 } 340 # endif 341 # ifdef EVP_CHECK_DES_KEY 342 if (DES_set_key_checked(&deskey[0], &dat->ks1) 343 || DES_set_key_checked(&deskey[1], &dat->ks2) 344 || DES_set_key_checked(&deskey[2], &dat->ks3)) 345 return 0; 346 # else 347 DES_set_key_unchecked(&deskey[0], &dat->ks1); 348 DES_set_key_unchecked(&deskey[1], &dat->ks2); 349 DES_set_key_unchecked(&deskey[2], &dat->ks3); 350 # endif 351 return 1; 352 } 353 354 static int des3_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) 355 { 356 357 DES_cblock *deskey = ptr; 358 359 switch (type) { 360 case EVP_CTRL_RAND_KEY: 361 if (RAND_bytes(ptr, c->key_len) <= 0) 362 return 0; 363 DES_set_odd_parity(deskey); 364 if (c->key_len >= 16) 365 DES_set_odd_parity(deskey + 1); 366 if (c->key_len >= 24) 367 DES_set_odd_parity(deskey + 2); 368 return 1; 369 370 default: 371 return -1; 372 } 373 } 374 375 const EVP_CIPHER *EVP_des_ede(void) 376 { 377 return &des_ede_ecb; 378 } 379 380 const EVP_CIPHER *EVP_des_ede3(void) 381 { 382 return &des_ede3_ecb; 383 } 384 385 # ifndef OPENSSL_NO_SHA 386 387 # include <openssl/sha.h> 388 389 static const unsigned char wrap_iv[8] = 390 { 0x4a, 0xdd, 0xa2, 0x2c, 0x79, 0xe8, 0x21, 0x05 }; 391 392 static int des_ede3_unwrap(EVP_CIPHER_CTX *ctx, unsigned char *out, 393 const unsigned char *in, size_t inl) 394 { 395 unsigned char icv[8], iv[8], sha1tmp[SHA_DIGEST_LENGTH]; 396 int rv = -1; 397 if (inl < 24) 398 return -1; 399 if (out == NULL) 400 return inl - 16; 401 memcpy(ctx->iv, wrap_iv, 8); 402 /* Decrypt first block which will end up as icv */ 403 des_ede_cbc_cipher(ctx, icv, in, 8); 404 /* Decrypt central blocks */ 405 /* 406 * If decrypting in place move whole output along a block so the next 407 * des_ede_cbc_cipher is in place. 408 */ 409 if (out == in) { 410 memmove(out, out + 8, inl - 8); 411 in -= 8; 412 } 413 des_ede_cbc_cipher(ctx, out, in + 8, inl - 16); 414 /* Decrypt final block which will be IV */ 415 des_ede_cbc_cipher(ctx, iv, in + inl - 8, 8); 416 /* Reverse order of everything */ 417 BUF_reverse(icv, NULL, 8); 418 BUF_reverse(out, NULL, inl - 16); 419 BUF_reverse(ctx->iv, iv, 8); 420 /* Decrypt again using new IV */ 421 des_ede_cbc_cipher(ctx, out, out, inl - 16); 422 des_ede_cbc_cipher(ctx, icv, icv, 8); 423 /* Work out SHA1 hash of first portion */ 424 SHA1(out, inl - 16, sha1tmp); 425 426 if (!CRYPTO_memcmp(sha1tmp, icv, 8)) 427 rv = inl - 16; 428 OPENSSL_cleanse(icv, 8); 429 OPENSSL_cleanse(sha1tmp, SHA_DIGEST_LENGTH); 430 OPENSSL_cleanse(iv, 8); 431 OPENSSL_cleanse(ctx->iv, 8); 432 if (rv == -1) 433 OPENSSL_cleanse(out, inl - 16); 434 435 return rv; 436 } 437 438 static int des_ede3_wrap(EVP_CIPHER_CTX *ctx, unsigned char *out, 439 const unsigned char *in, size_t inl) 440 { 441 unsigned char sha1tmp[SHA_DIGEST_LENGTH]; 442 if (out == NULL) 443 return inl + 16; 444 /* Copy input to output buffer + 8 so we have space for IV */ 445 memmove(out + 8, in, inl); 446 /* Work out ICV */ 447 SHA1(in, inl, sha1tmp); 448 memcpy(out + inl + 8, sha1tmp, 8); 449 OPENSSL_cleanse(sha1tmp, SHA_DIGEST_LENGTH); 450 /* Generate random IV */ 451 if (RAND_bytes(ctx->iv, 8) <= 0) 452 return -1; 453 memcpy(out, ctx->iv, 8); 454 /* Encrypt everything after IV in place */ 455 des_ede_cbc_cipher(ctx, out + 8, out + 8, inl + 8); 456 BUF_reverse(out, NULL, inl + 16); 457 memcpy(ctx->iv, wrap_iv, 8); 458 des_ede_cbc_cipher(ctx, out, out, inl + 16); 459 return inl + 16; 460 } 461 462 static int des_ede3_wrap_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 463 const unsigned char *in, size_t inl) 464 { 465 /* 466 * Sanity check input length: we typically only wrap keys so EVP_MAXCHUNK 467 * is more than will ever be needed. Also input length must be a multiple 468 * of 8 bits. 469 */ 470 if (inl >= EVP_MAXCHUNK || inl % 8) 471 return -1; 472 if (ctx->encrypt) 473 return des_ede3_wrap(ctx, out, in, inl); 474 else 475 return des_ede3_unwrap(ctx, out, in, inl); 476 } 477 478 static const EVP_CIPHER des3_wrap = { 479 NID_id_smime_alg_CMS3DESwrap, 480 8, 24, 0, 481 EVP_CIPH_WRAP_MODE | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER 482 | EVP_CIPH_FLAG_DEFAULT_ASN1, 483 des_ede3_init_key, des_ede3_wrap_cipher, 484 NULL, 485 sizeof(DES_EDE_KEY), 486 NULL, NULL, NULL, NULL 487 }; 488 489 const EVP_CIPHER *EVP_des_ede3_wrap(void) 490 { 491 return &des3_wrap; 492 } 493 494 # endif 495 #endif 496