1 | /* |
2 | * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. |
3 | * |
4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
5 | * this file except in compliance with the License. You can obtain a copy |
6 | * in the file LICENSE in the source distribution or at |
7 | * https://www.openssl.org/source/license.html |
8 | */ |
9 | |
10 | #include <stdio.h> |
11 | #include "internal/cryptlib.h" |
12 | #ifndef OPENSSL_NO_DES |
13 | # include <openssl/evp.h> |
14 | # include <openssl/objects.h> |
15 | # include "crypto/evp.h" |
16 | # include <openssl/des.h> |
17 | # include <openssl/rand.h> |
18 | # include "evp_local.h" |
19 | |
20 | typedef struct { |
21 | union { |
22 | OSSL_UNION_ALIGN; |
23 | DES_key_schedule ks[3]; |
24 | } ks; |
25 | union { |
26 | void (*cbc) (const void *, void *, size_t, |
27 | const DES_key_schedule *, unsigned char *); |
28 | } stream; |
29 | } DES_EDE_KEY; |
30 | # define ks1 ks.ks[0] |
31 | # define ks2 ks.ks[1] |
32 | # define ks3 ks.ks[2] |
33 | |
34 | # if defined(AES_ASM) && (defined(__sparc) || defined(__sparc__)) |
35 | /* ---------^^^ this is not a typo, just a way to detect that |
36 | * assembler support was in general requested... */ |
37 | # include "sparc_arch.h" |
38 | |
39 | extern unsigned int OPENSSL_sparcv9cap_P[]; |
40 | |
41 | # define SPARC_DES_CAPABLE (OPENSSL_sparcv9cap_P[1] & CFR_DES) |
42 | |
43 | void des_t4_key_expand(const void *key, DES_key_schedule *ks); |
44 | void des_t4_ede3_cbc_encrypt(const void *inp, void *out, size_t len, |
45 | const DES_key_schedule ks[3], unsigned char iv[8]); |
46 | void des_t4_ede3_cbc_decrypt(const void *inp, void *out, size_t len, |
47 | const DES_key_schedule ks[3], unsigned char iv[8]); |
48 | # endif |
49 | |
50 | static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, |
51 | const unsigned char *iv, int enc); |
52 | |
53 | static int des_ede3_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, |
54 | const unsigned char *iv, int enc); |
55 | |
56 | static int des3_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr); |
57 | |
58 | # define data(ctx) EVP_C_DATA(DES_EDE_KEY,ctx) |
59 | |
60 | /* |
61 | * Because of various casts and different args can't use |
62 | * IMPLEMENT_BLOCK_CIPHER |
63 | */ |
64 | |
65 | static int des_ede_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
66 | const unsigned char *in, size_t inl) |
67 | { |
68 | BLOCK_CIPHER_ecb_loop() |
69 | DES_ecb3_encrypt((const_DES_cblock *)(in + i), |
70 | (DES_cblock *)(out + i), |
71 | &data(ctx)->ks1, &data(ctx)->ks2, |
72 | &data(ctx)->ks3, EVP_CIPHER_CTX_encrypting(ctx)); |
73 | return 1; |
74 | } |
75 | |
76 | static int des_ede_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
77 | const unsigned char *in, size_t inl) |
78 | { |
79 | while (inl >= EVP_MAXCHUNK) { |
80 | int num = EVP_CIPHER_CTX_num(ctx); |
81 | DES_ede3_ofb64_encrypt(in, out, (long)EVP_MAXCHUNK, |
82 | &data(ctx)->ks1, &data(ctx)->ks2, |
83 | &data(ctx)->ks3, |
84 | (DES_cblock *)EVP_CIPHER_CTX_iv_noconst(ctx), |
85 | &num); |
86 | EVP_CIPHER_CTX_set_num(ctx, num); |
87 | inl -= EVP_MAXCHUNK; |
88 | in += EVP_MAXCHUNK; |
89 | out += EVP_MAXCHUNK; |
90 | } |
91 | if (inl) { |
92 | int num = EVP_CIPHER_CTX_num(ctx); |
93 | DES_ede3_ofb64_encrypt(in, out, (long)inl, |
94 | &data(ctx)->ks1, &data(ctx)->ks2, |
95 | &data(ctx)->ks3, |
96 | (DES_cblock *)EVP_CIPHER_CTX_iv_noconst(ctx), |
97 | &num); |
98 | EVP_CIPHER_CTX_set_num(ctx, num); |
99 | } |
100 | return 1; |
101 | } |
102 | |
103 | static int des_ede_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
104 | const unsigned char *in, size_t inl) |
105 | { |
106 | DES_EDE_KEY *dat = data(ctx); |
107 | |
108 | if (dat->stream.cbc != NULL) { |
109 | (*dat->stream.cbc) (in, out, inl, dat->ks.ks, |
110 | EVP_CIPHER_CTX_iv_noconst(ctx)); |
111 | return 1; |
112 | } |
113 | |
114 | while (inl >= EVP_MAXCHUNK) { |
115 | DES_ede3_cbc_encrypt(in, out, (long)EVP_MAXCHUNK, |
116 | &dat->ks1, &dat->ks2, &dat->ks3, |
117 | (DES_cblock *)EVP_CIPHER_CTX_iv_noconst(ctx), |
118 | EVP_CIPHER_CTX_encrypting(ctx)); |
119 | inl -= EVP_MAXCHUNK; |
120 | in += EVP_MAXCHUNK; |
121 | out += EVP_MAXCHUNK; |
122 | } |
123 | if (inl) |
124 | DES_ede3_cbc_encrypt(in, out, (long)inl, |
125 | &dat->ks1, &dat->ks2, &dat->ks3, |
126 | (DES_cblock *)EVP_CIPHER_CTX_iv_noconst(ctx), |
127 | EVP_CIPHER_CTX_encrypting(ctx)); |
128 | return 1; |
129 | } |
130 | |
131 | static int des_ede_cfb64_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
132 | const unsigned char *in, size_t inl) |
133 | { |
134 | while (inl >= EVP_MAXCHUNK) { |
135 | int num = EVP_CIPHER_CTX_num(ctx); |
136 | DES_ede3_cfb64_encrypt(in, out, (long)EVP_MAXCHUNK, |
137 | &data(ctx)->ks1, &data(ctx)->ks2, |
138 | &data(ctx)->ks3, |
139 | (DES_cblock *)EVP_CIPHER_CTX_iv_noconst(ctx), |
140 | &num, EVP_CIPHER_CTX_encrypting(ctx)); |
141 | EVP_CIPHER_CTX_set_num(ctx, num); |
142 | inl -= EVP_MAXCHUNK; |
143 | in += EVP_MAXCHUNK; |
144 | out += EVP_MAXCHUNK; |
145 | } |
146 | if (inl) { |
147 | int num = EVP_CIPHER_CTX_num(ctx); |
148 | DES_ede3_cfb64_encrypt(in, out, (long)inl, |
149 | &data(ctx)->ks1, &data(ctx)->ks2, |
150 | &data(ctx)->ks3, |
151 | (DES_cblock *)EVP_CIPHER_CTX_iv_noconst(ctx), |
152 | &num, EVP_CIPHER_CTX_encrypting(ctx)); |
153 | EVP_CIPHER_CTX_set_num(ctx, num); |
154 | } |
155 | return 1; |
156 | } |
157 | |
158 | /* |
159 | * Although we have a CFB-r implementation for 3-DES, it doesn't pack the |
160 | * right way, so wrap it here |
161 | */ |
162 | static int des_ede3_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
163 | const unsigned char *in, size_t inl) |
164 | { |
165 | size_t n; |
166 | unsigned char c[1], d[1]; |
167 | |
168 | if (!EVP_CIPHER_CTX_test_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS)) |
169 | inl *= 8; |
170 | for (n = 0; n < inl; ++n) { |
171 | c[0] = (in[n / 8] & (1 << (7 - n % 8))) ? 0x80 : 0; |
172 | DES_ede3_cfb_encrypt(c, d, 1, 1, |
173 | &data(ctx)->ks1, &data(ctx)->ks2, |
174 | &data(ctx)->ks3, |
175 | (DES_cblock *)EVP_CIPHER_CTX_iv_noconst(ctx), |
176 | EVP_CIPHER_CTX_encrypting(ctx)); |
177 | out[n / 8] = (out[n / 8] & ~(0x80 >> (unsigned int)(n % 8))) |
178 | | ((d[0] & 0x80) >> (unsigned int)(n % 8)); |
179 | } |
180 | |
181 | return 1; |
182 | } |
183 | |
184 | static int des_ede3_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
185 | const unsigned char *in, size_t inl) |
186 | { |
187 | while (inl >= EVP_MAXCHUNK) { |
188 | DES_ede3_cfb_encrypt(in, out, 8, (long)EVP_MAXCHUNK, |
189 | &data(ctx)->ks1, &data(ctx)->ks2, |
190 | &data(ctx)->ks3, |
191 | (DES_cblock *)EVP_CIPHER_CTX_iv_noconst(ctx), |
192 | EVP_CIPHER_CTX_encrypting(ctx)); |
193 | inl -= EVP_MAXCHUNK; |
194 | in += EVP_MAXCHUNK; |
195 | out += EVP_MAXCHUNK; |
196 | } |
197 | if (inl) |
198 | DES_ede3_cfb_encrypt(in, out, 8, (long)inl, |
199 | &data(ctx)->ks1, &data(ctx)->ks2, |
200 | &data(ctx)->ks3, |
201 | (DES_cblock *)EVP_CIPHER_CTX_iv_noconst(ctx), |
202 | EVP_CIPHER_CTX_encrypting(ctx)); |
203 | return 1; |
204 | } |
205 | |
206 | BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY, NID_des_ede, 8, 16, 8, 64, |
207 | EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_DEFAULT_ASN1, |
208 | des_ede_init_key, NULL, NULL, NULL, des3_ctrl) |
209 | # define des_ede3_cfb64_cipher des_ede_cfb64_cipher |
210 | # define des_ede3_ofb_cipher des_ede_ofb_cipher |
211 | # define des_ede3_cbc_cipher des_ede_cbc_cipher |
212 | # define des_ede3_ecb_cipher des_ede_ecb_cipher |
213 | BLOCK_CIPHER_defs(des_ede3, DES_EDE_KEY, NID_des_ede3, 8, 24, 8, 64, |
214 | EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_DEFAULT_ASN1, |
215 | des_ede3_init_key, NULL, NULL, NULL, des3_ctrl) |
216 | |
217 | BLOCK_CIPHER_def_cfb(des_ede3, DES_EDE_KEY, NID_des_ede3, 24, 8, 1, |
218 | EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_DEFAULT_ASN1, |
219 | des_ede3_init_key, NULL, NULL, NULL, des3_ctrl) |
220 | |
221 | BLOCK_CIPHER_def_cfb(des_ede3, DES_EDE_KEY, NID_des_ede3, 24, 8, 8, |
222 | EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_DEFAULT_ASN1, |
223 | des_ede3_init_key, NULL, NULL, NULL, des3_ctrl) |
224 | |
225 | static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, |
226 | const unsigned char *iv, int enc) |
227 | { |
228 | DES_cblock *deskey = (DES_cblock *)key; |
229 | DES_EDE_KEY *dat = data(ctx); |
230 | |
231 | dat->stream.cbc = NULL; |
232 | # if defined(SPARC_DES_CAPABLE) |
233 | if (SPARC_DES_CAPABLE) { |
234 | int mode = EVP_CIPHER_CTX_mode(ctx); |
235 | |
236 | if (mode == EVP_CIPH_CBC_MODE) { |
237 | des_t4_key_expand(&deskey[0], &dat->ks1); |
238 | des_t4_key_expand(&deskey[1], &dat->ks2); |
239 | memcpy(&dat->ks3, &dat->ks1, sizeof(dat->ks1)); |
240 | dat->stream.cbc = enc ? des_t4_ede3_cbc_encrypt : |
241 | des_t4_ede3_cbc_decrypt; |
242 | return 1; |
243 | } |
244 | } |
245 | # endif |
246 | DES_set_key_unchecked(&deskey[0], &dat->ks1); |
247 | DES_set_key_unchecked(&deskey[1], &dat->ks2); |
248 | memcpy(&dat->ks3, &dat->ks1, sizeof(dat->ks1)); |
249 | return 1; |
250 | } |
251 | |
252 | static int des_ede3_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, |
253 | const unsigned char *iv, int enc) |
254 | { |
255 | DES_cblock *deskey = (DES_cblock *)key; |
256 | DES_EDE_KEY *dat = data(ctx); |
257 | |
258 | dat->stream.cbc = NULL; |
259 | # if defined(SPARC_DES_CAPABLE) |
260 | if (SPARC_DES_CAPABLE) { |
261 | int mode = EVP_CIPHER_CTX_mode(ctx); |
262 | |
263 | if (mode == EVP_CIPH_CBC_MODE) { |
264 | des_t4_key_expand(&deskey[0], &dat->ks1); |
265 | des_t4_key_expand(&deskey[1], &dat->ks2); |
266 | des_t4_key_expand(&deskey[2], &dat->ks3); |
267 | dat->stream.cbc = enc ? des_t4_ede3_cbc_encrypt : |
268 | des_t4_ede3_cbc_decrypt; |
269 | return 1; |
270 | } |
271 | } |
272 | # endif |
273 | DES_set_key_unchecked(&deskey[0], &dat->ks1); |
274 | DES_set_key_unchecked(&deskey[1], &dat->ks2); |
275 | DES_set_key_unchecked(&deskey[2], &dat->ks3); |
276 | return 1; |
277 | } |
278 | |
279 | static int des3_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr) |
280 | { |
281 | |
282 | DES_cblock *deskey = ptr; |
283 | int kl; |
284 | |
285 | switch (type) { |
286 | case EVP_CTRL_RAND_KEY: |
287 | kl = EVP_CIPHER_CTX_key_length(ctx); |
288 | if (kl < 0 || RAND_priv_bytes(ptr, kl) <= 0) |
289 | return 0; |
290 | DES_set_odd_parity(deskey); |
291 | if (kl >= 16) |
292 | DES_set_odd_parity(deskey + 1); |
293 | if (kl >= 24) |
294 | DES_set_odd_parity(deskey + 2); |
295 | return 1; |
296 | |
297 | default: |
298 | return -1; |
299 | } |
300 | } |
301 | |
302 | const EVP_CIPHER *EVP_des_ede(void) |
303 | { |
304 | return &des_ede_ecb; |
305 | } |
306 | |
307 | const EVP_CIPHER *EVP_des_ede3(void) |
308 | { |
309 | return &des_ede3_ecb; |
310 | } |
311 | |
312 | |
313 | # include <openssl/sha.h> |
314 | |
315 | static const unsigned char wrap_iv[8] = |
316 | { 0x4a, 0xdd, 0xa2, 0x2c, 0x79, 0xe8, 0x21, 0x05 }; |
317 | |
318 | static int des_ede3_unwrap(EVP_CIPHER_CTX *ctx, unsigned char *out, |
319 | const unsigned char *in, size_t inl) |
320 | { |
321 | unsigned char icv[8], iv[8], sha1tmp[SHA_DIGEST_LENGTH]; |
322 | int rv = -1; |
323 | if (inl < 24) |
324 | return -1; |
325 | if (out == NULL) |
326 | return inl - 16; |
327 | memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), wrap_iv, 8); |
328 | /* Decrypt first block which will end up as icv */ |
329 | des_ede_cbc_cipher(ctx, icv, in, 8); |
330 | /* Decrypt central blocks */ |
331 | /* |
332 | * If decrypting in place move whole output along a block so the next |
333 | * des_ede_cbc_cipher is in place. |
334 | */ |
335 | if (out == in) { |
336 | memmove(out, out + 8, inl - 8); |
337 | in -= 8; |
338 | } |
339 | des_ede_cbc_cipher(ctx, out, in + 8, inl - 16); |
340 | /* Decrypt final block which will be IV */ |
341 | des_ede_cbc_cipher(ctx, iv, in + inl - 8, 8); |
342 | /* Reverse order of everything */ |
343 | BUF_reverse(icv, NULL, 8); |
344 | BUF_reverse(out, NULL, inl - 16); |
345 | BUF_reverse(EVP_CIPHER_CTX_iv_noconst(ctx), iv, 8); |
346 | /* Decrypt again using new IV */ |
347 | des_ede_cbc_cipher(ctx, out, out, inl - 16); |
348 | des_ede_cbc_cipher(ctx, icv, icv, 8); |
349 | /* Work out SHA1 hash of first portion */ |
350 | SHA1(out, inl - 16, sha1tmp); |
351 | |
352 | if (!CRYPTO_memcmp(sha1tmp, icv, 8)) |
353 | rv = inl - 16; |
354 | OPENSSL_cleanse(icv, 8); |
355 | OPENSSL_cleanse(sha1tmp, SHA_DIGEST_LENGTH); |
356 | OPENSSL_cleanse(iv, 8); |
357 | OPENSSL_cleanse(EVP_CIPHER_CTX_iv_noconst(ctx), 8); |
358 | if (rv == -1) |
359 | OPENSSL_cleanse(out, inl - 16); |
360 | |
361 | return rv; |
362 | } |
363 | |
364 | static int des_ede3_wrap(EVP_CIPHER_CTX *ctx, unsigned char *out, |
365 | const unsigned char *in, size_t inl) |
366 | { |
367 | unsigned char sha1tmp[SHA_DIGEST_LENGTH]; |
368 | if (out == NULL) |
369 | return inl + 16; |
370 | /* Copy input to output buffer + 8 so we have space for IV */ |
371 | memmove(out + 8, in, inl); |
372 | /* Work out ICV */ |
373 | SHA1(in, inl, sha1tmp); |
374 | memcpy(out + inl + 8, sha1tmp, 8); |
375 | OPENSSL_cleanse(sha1tmp, SHA_DIGEST_LENGTH); |
376 | /* Generate random IV */ |
377 | if (RAND_bytes(EVP_CIPHER_CTX_iv_noconst(ctx), 8) <= 0) |
378 | return -1; |
379 | memcpy(out, EVP_CIPHER_CTX_iv_noconst(ctx), 8); |
380 | /* Encrypt everything after IV in place */ |
381 | des_ede_cbc_cipher(ctx, out + 8, out + 8, inl + 8); |
382 | BUF_reverse(out, NULL, inl + 16); |
383 | memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), wrap_iv, 8); |
384 | des_ede_cbc_cipher(ctx, out, out, inl + 16); |
385 | return inl + 16; |
386 | } |
387 | |
388 | static int des_ede3_wrap_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
389 | const unsigned char *in, size_t inl) |
390 | { |
391 | /* |
392 | * Sanity check input length: we typically only wrap keys so EVP_MAXCHUNK |
393 | * is more than will ever be needed. Also input length must be a multiple |
394 | * of 8 bits. |
395 | */ |
396 | if (inl >= EVP_MAXCHUNK || inl % 8) |
397 | return -1; |
398 | |
399 | if (is_partially_overlapping(out, in, inl)) { |
400 | EVPerr(EVP_F_DES_EDE3_WRAP_CIPHER, EVP_R_PARTIALLY_OVERLAPPING); |
401 | return 0; |
402 | } |
403 | |
404 | if (EVP_CIPHER_CTX_encrypting(ctx)) |
405 | return des_ede3_wrap(ctx, out, in, inl); |
406 | else |
407 | return des_ede3_unwrap(ctx, out, in, inl); |
408 | } |
409 | |
410 | static const EVP_CIPHER des3_wrap = { |
411 | NID_id_smime_alg_CMS3DESwrap, |
412 | 8, 24, 0, |
413 | EVP_CIPH_WRAP_MODE | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER |
414 | | EVP_CIPH_FLAG_DEFAULT_ASN1, |
415 | des_ede3_init_key, des_ede3_wrap_cipher, |
416 | NULL, |
417 | sizeof(DES_EDE_KEY), |
418 | NULL, NULL, NULL, NULL |
419 | }; |
420 | |
421 | const EVP_CIPHER *EVP_des_ede3_wrap(void) |
422 | { |
423 | return &des3_wrap; |
424 | } |
425 | |
426 | #endif |
427 | |