e_des3.c source code [ClickHouse/contrib/openssl/crypto/evp/e_des3.c]

1	/*
2	* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
3	*
4	* Licensed under the Apache License 2.0 (the "License"). You may not use
5	* this file except in compliance with the License. You can obtain a copy
6	* in the file LICENSE in the source distribution or at
7	* https://www.openssl.org/source/license.html
8	*/
9
10	#include <stdio.h>
11	#include "internal/cryptlib.h"
12	#ifndef OPENSSL_NO_DES
13	# include <openssl/evp.h>
14	# include <openssl/objects.h>
15	# include "crypto/evp.h"
16	# include <openssl/des.h>
17	# include <openssl/rand.h>
18	# include "evp_local.h"
19
20	typedef struct {
21	union {
22	OSSL_UNION_ALIGN;
23	DES_key_schedule ks[`3`];
24	} ks;
25	union {
26	void (cbc) (const* void , void* *, size_t,
27	const DES_key_schedule , unsigned* char *);
28	} stream;
29	} DES_EDE_KEY;
30	# define ks1 ks.ks[0]
31	# define ks2 ks.ks[1]
32	# define ks3 ks.ks[2]
33
34	# if defined(AES_ASM) && (defined(__sparc) \|\| defined(__sparc__))
35	/ ---------^^^ this is not a typo, just a way to detect that*
36	* assembler support was in general requested... */
37	# include "sparc_arch.h"
38
39	extern unsigned int OPENSSL_sparcv9cap_P[];
40
41	# define SPARC_DES_CAPABLE (OPENSSL_sparcv9cap_P[1] & CFR_DES)
42
43	void des_t4_key_expand(const void key, DES_key_schedule ks);
44	void des_t4_ede3_cbc_encrypt(const void inp, void* *out, size_t len,
45	const DES_key_schedule ks[`3`], unsigned char iv[`8`]);
46	void des_t4_ede3_cbc_decrypt(const void inp, void* *out, size_t len,
47	const DES_key_schedule ks[`3`], unsigned char iv[`8`]);
48	# endif
49
50	static int des_ede_init_key(EVP_CIPHER_CTX ctx, const* unsigned char *key,
51	const unsigned char iv, int* enc);
52
53	static int des_ede3_init_key(EVP_CIPHER_CTX ctx, const* unsigned char *key,
54	const unsigned char iv, int* enc);
55
56	static int des3_ctrl(EVP_CIPHER_CTX c, int* type, int arg, void *ptr);
57
58	# define data(ctx) EVP_C_DATA(DES_EDE_KEY,ctx)
59
60	/*
61	* Because of various casts and different args can't use
62	* IMPLEMENT_BLOCK_CIPHER
63	*/
64
65	static int des_ede_ecb_cipher(EVP_CIPHER_CTX ctx, unsigned* char *out,
66	const unsigned char *in, size_t inl)
67	{
68	BLOCK_CIPHER_ecb_loop()
69	DES_ecb3_encrypt((const_DES_cblock *)(in + i),
70	(DES_cblock *)(out + i),
71	&data(ctx)->ks1, &data(ctx)->ks2,
72	&data(ctx)->ks3, EVP_CIPHER_CTX_encrypting(ctx));
73	return `1`;
74	}
75
76	static int des_ede_ofb_cipher(EVP_CIPHER_CTX ctx, unsigned* char *out,
77	const unsigned char *in, size_t inl)
78	{
79	while (inl >= EVP_MAXCHUNK) {
80	int num = EVP_CIPHER_CTX_num(ctx);
81	DES_ede3_ofb64_encrypt(in, out, (long)EVP_MAXCHUNK,
82	&data(ctx)->ks1, &data(ctx)->ks2,
83	&data(ctx)->ks3,
84	(DES_cblock *)EVP_CIPHER_CTX_iv_noconst(ctx),
85	&num);
86	EVP_CIPHER_CTX_set_num(ctx, num);
87	inl -= EVP_MAXCHUNK;
88	in += EVP_MAXCHUNK;
89	out += EVP_MAXCHUNK;
90	}
91	if (inl) {
92	int num = EVP_CIPHER_CTX_num(ctx);
93	DES_ede3_ofb64_encrypt(in, out, (long)inl,
94	&data(ctx)->ks1, &data(ctx)->ks2,
95	&data(ctx)->ks3,
96	(DES_cblock *)EVP_CIPHER_CTX_iv_noconst(ctx),
97	&num);
98	EVP_CIPHER_CTX_set_num(ctx, num);
99	}
100	return `1`;
101	}
102
103	static int des_ede_cbc_cipher(EVP_CIPHER_CTX ctx, unsigned* char *out,
104	const unsigned char *in, size_t inl)
105	{
106	DES_EDE_KEY *dat = data(ctx);
107
108	if (dat->stream.cbc != NULL) {
109	(*dat->stream.cbc) (in, out, inl, dat->ks.ks,
110	EVP_CIPHER_CTX_iv_noconst(ctx));
111	return `1`;
112	}
113
114	while (inl >= EVP_MAXCHUNK) {
115	DES_ede3_cbc_encrypt(in, out, (long)EVP_MAXCHUNK,
116	&dat->ks1, &dat->ks2, &dat->ks3,
117	(DES_cblock *)EVP_CIPHER_CTX_iv_noconst(ctx),
118	EVP_CIPHER_CTX_encrypting(ctx));
119	inl -= EVP_MAXCHUNK;
120	in += EVP_MAXCHUNK;
121	out += EVP_MAXCHUNK;
122	}
123	if (inl)
124	DES_ede3_cbc_encrypt(in, out, (long)inl,
125	&dat->ks1, &dat->ks2, &dat->ks3,
126	(DES_cblock *)EVP_CIPHER_CTX_iv_noconst(ctx),
127	EVP_CIPHER_CTX_encrypting(ctx));
128	return `1`;
129	}
130
131	static int des_ede_cfb64_cipher(EVP_CIPHER_CTX ctx, unsigned* char *out,
132	const unsigned char *in, size_t inl)
133	{
134	while (inl >= EVP_MAXCHUNK) {
135	int num = EVP_CIPHER_CTX_num(ctx);
136	DES_ede3_cfb64_encrypt(in, out, (long)EVP_MAXCHUNK,
137	&data(ctx)->ks1, &data(ctx)->ks2,
138	&data(ctx)->ks3,
139	(DES_cblock *)EVP_CIPHER_CTX_iv_noconst(ctx),
140	&num, EVP_CIPHER_CTX_encrypting(ctx));
141	EVP_CIPHER_CTX_set_num(ctx, num);
142	inl -= EVP_MAXCHUNK;
143	in += EVP_MAXCHUNK;
144	out += EVP_MAXCHUNK;
145	}
146	if (inl) {
147	int num = EVP_CIPHER_CTX_num(ctx);
148	DES_ede3_cfb64_encrypt(in, out, (long)inl,
149	&data(ctx)->ks1, &data(ctx)->ks2,
150	&data(ctx)->ks3,
151	(DES_cblock *)EVP_CIPHER_CTX_iv_noconst(ctx),
152	&num, EVP_CIPHER_CTX_encrypting(ctx));
153	EVP_CIPHER_CTX_set_num(ctx, num);
154	}
155	return `1`;
156	}
157
158	/*
159	* Although we have a CFB-r implementation for 3-DES, it doesn't pack the
160	* right way, so wrap it here
161	*/
162	static int des_ede3_cfb1_cipher(EVP_CIPHER_CTX ctx, unsigned* char *out,
163	const unsigned char *in, size_t inl)
164	{
165	size_t n;
166	unsigned char c[`1`], d[`1`];
167
168	if (!EVP_CIPHER_CTX_test_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS))
169	inl *= `8`;
170	for (n = `0`; n < inl; ++n) {
171	c[`0`] = (in[n / `8`] & (`1` << (`7` - n % `8`))) ? `0x80` : `0`;
172	DES_ede3_cfb_encrypt(c, d, `1`, `1`,
173	&data(ctx)->ks1, &data(ctx)->ks2,
174	&data(ctx)->ks3,
175	(DES_cblock *)EVP_CIPHER_CTX_iv_noconst(ctx),
176	EVP_CIPHER_CTX_encrypting(ctx));
177	out[n / `8`] = (out[n / `8`] & ~(`0x80` >> (unsigned int)(n % `8`)))
178	\| ((d[`0`] & `0x80`) >> (unsigned int)(n % `8`));
179	}
180
181	return `1`;
182	}
183
184	static int des_ede3_cfb8_cipher(EVP_CIPHER_CTX ctx, unsigned* char *out,
185	const unsigned char *in, size_t inl)
186	{
187	while (inl >= EVP_MAXCHUNK) {
188	DES_ede3_cfb_encrypt(in, out, `8`, (long)EVP_MAXCHUNK,
189	&data(ctx)->ks1, &data(ctx)->ks2,
190	&data(ctx)->ks3,
191	(DES_cblock *)EVP_CIPHER_CTX_iv_noconst(ctx),
192	EVP_CIPHER_CTX_encrypting(ctx));
193	inl -= EVP_MAXCHUNK;
194	in += EVP_MAXCHUNK;
195	out += EVP_MAXCHUNK;
196	}
197	if (inl)
198	DES_ede3_cfb_encrypt(in, out, `8`, (long)inl,
199	&data(ctx)->ks1, &data(ctx)->ks2,
200	&data(ctx)->ks3,
201	(DES_cblock *)EVP_CIPHER_CTX_iv_noconst(ctx),
202	EVP_CIPHER_CTX_encrypting(ctx));
203	return `1`;
204	}
205
206	BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY, NID_des_ede, `8`, `16`, `8`, `64`,
207	EVP_CIPH_RAND_KEY \| EVP_CIPH_FLAG_DEFAULT_ASN1,
208	des_ede_init_key, NULL, NULL, NULL, des3_ctrl)
209	# define des_ede3_cfb64_cipher des_ede_cfb64_cipher
210	# define des_ede3_ofb_cipher des_ede_ofb_cipher
211	# define des_ede3_cbc_cipher des_ede_cbc_cipher
212	# define des_ede3_ecb_cipher des_ede_ecb_cipher
213	BLOCK_CIPHER_defs(des_ede3, DES_EDE_KEY, NID_des_ede3, `8`, `24`, `8`, `64`,
214	EVP_CIPH_RAND_KEY \| EVP_CIPH_FLAG_DEFAULT_ASN1,
215	des_ede3_init_key, NULL, NULL, NULL, des3_ctrl)
216
217	BLOCK_CIPHER_def_cfb(des_ede3, DES_EDE_KEY, NID_des_ede3, `24`, `8`, `1`,
218	EVP_CIPH_RAND_KEY \| EVP_CIPH_FLAG_DEFAULT_ASN1,
219	des_ede3_init_key, NULL, NULL, NULL, des3_ctrl)
220
221	BLOCK_CIPHER_def_cfb(des_ede3, DES_EDE_KEY, NID_des_ede3, `24`, `8`, `8`,
222	EVP_CIPH_RAND_KEY \| EVP_CIPH_FLAG_DEFAULT_ASN1,
223	des_ede3_init_key, NULL, NULL, NULL, des3_ctrl)
224
225	static int des_ede_init_key(EVP_CIPHER_CTX ctx, const* unsigned char *key,
226	const unsigned char iv, int* enc)
227	{
228	DES_cblock deskey = (DES_cblock )key;
229	DES_EDE_KEY *dat = data(ctx);
230
231	dat->stream.cbc = NULL;
232	# if defined(SPARC_DES_CAPABLE)
233	if (SPARC_DES_CAPABLE) {
234	int mode = EVP_CIPHER_CTX_mode(ctx);
235
236	if (mode == EVP_CIPH_CBC_MODE) {
237	des_t4_key_expand(&deskey[`0`], &dat->ks1);
238	des_t4_key_expand(&deskey[`1`], &dat->ks2);
239	memcpy(&dat->ks3, &dat->ks1, sizeof(dat->ks1));
240	dat->stream.cbc = enc ? des_t4_ede3_cbc_encrypt :
241	des_t4_ede3_cbc_decrypt;
242	return `1`;
243	}
244	}
245	# endif
246	DES_set_key_unchecked(&deskey[`0`], &dat->ks1);
247	DES_set_key_unchecked(&deskey[`1`], &dat->ks2);
248	memcpy(&dat->ks3, &dat->ks1, sizeof(dat->ks1));
249	return `1`;
250	}
251
252	static int des_ede3_init_key(EVP_CIPHER_CTX ctx, const* unsigned char *key,
253	const unsigned char iv, int* enc)
254	{
255	DES_cblock deskey = (DES_cblock )key;
256	DES_EDE_KEY *dat = data(ctx);
257
258	dat->stream.cbc = NULL;
259	# if defined(SPARC_DES_CAPABLE)
260	if (SPARC_DES_CAPABLE) {
261	int mode = EVP_CIPHER_CTX_mode(ctx);
262
263	if (mode == EVP_CIPH_CBC_MODE) {
264	des_t4_key_expand(&deskey[`0`], &dat->ks1);
265	des_t4_key_expand(&deskey[`1`], &dat->ks2);
266	des_t4_key_expand(&deskey[`2`], &dat->ks3);
267	dat->stream.cbc = enc ? des_t4_ede3_cbc_encrypt :
268	des_t4_ede3_cbc_decrypt;
269	return `1`;
270	}
271	}
272	# endif
273	DES_set_key_unchecked(&deskey[`0`], &dat->ks1);
274	DES_set_key_unchecked(&deskey[`1`], &dat->ks2);
275	DES_set_key_unchecked(&deskey[`2`], &dat->ks3);
276	return `1`;
277	}
278
279	static int des3_ctrl(EVP_CIPHER_CTX ctx, int* type, int arg, void *ptr)
280	{
281
282	DES_cblock *deskey = ptr;
283	int kl;
284
285	switch (type) {
286	case EVP_CTRL_RAND_KEY:
287	kl = EVP_CIPHER_CTX_key_length(ctx);
288	if (kl < `0` \|\| RAND_priv_bytes(ptr, kl) <= `0`)
289	return `0`;
290	DES_set_odd_parity(deskey);
291	if (kl >= `16`)
292	DES_set_odd_parity(deskey + `1`);
293	if (kl >= `24`)
294	DES_set_odd_parity(deskey + `2`);
295	return `1`;
296
297	default:
298	return -`1`;
299	}
300	}
301
302	const EVP_CIPHER EVP_des_ede(void*)
303	{
304	return &des_ede_ecb;
305	}
306
307	const EVP_CIPHER EVP_des_ede3(void*)
308	{
309	return &des_ede3_ecb;
310	}
311
312
313	# include <openssl/sha.h>
314
315	static const unsigned char wrap_iv[`8`] =
316	{ `0x4a`, `0xdd`, `0xa2`, `0x2c`, `0x79`, `0xe8`, `0x21`, `0x05` };
317
318	static int des_ede3_unwrap(EVP_CIPHER_CTX ctx, unsigned* char *out,
319	const unsigned char *in, size_t inl)
320	{
321	unsigned char icv[`8`], iv[`8`], sha1tmp[SHA_DIGEST_LENGTH];
322	int rv = -`1`;
323	if (inl < `24`)
324	return -`1`;
325	if (out == NULL)
326	return inl - `16`;
327	memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), wrap_iv, `8`);
328	/ Decrypt first block which will end up as icv /
329	des_ede_cbc_cipher(ctx, icv, in, `8`);
330	/ Decrypt central blocks /
331	/*
332	* If decrypting in place move whole output along a block so the next
333	* des_ede_cbc_cipher is in place.
334	*/
335	if (out == in) {
336	memmove(out, out + `8`, inl - `8`);
337	in -= `8`;
338	}
339	des_ede_cbc_cipher(ctx, out, in + `8`, inl - `16`);
340	/ Decrypt final block which will be IV /
341	des_ede_cbc_cipher(ctx, iv, in + inl - `8`, `8`);
342	/ Reverse order of everything /
343	BUF_reverse(icv, NULL, `8`);
344	BUF_reverse(out, NULL, inl - `16`);
345	BUF_reverse(EVP_CIPHER_CTX_iv_noconst(ctx), iv, `8`);
346	/ Decrypt again using new IV /
347	des_ede_cbc_cipher(ctx, out, out, inl - `16`);
348	des_ede_cbc_cipher(ctx, icv, icv, `8`);
349	/ Work out SHA1 hash of first portion /
350	SHA1(out, inl - `16`, sha1tmp);
351
352	if (!CRYPTO_memcmp(sha1tmp, icv, `8`))
353	rv = inl - `16`;
354	OPENSSL_cleanse(icv, `8`);
355	OPENSSL_cleanse(sha1tmp, SHA_DIGEST_LENGTH);
356	OPENSSL_cleanse(iv, `8`);
357	OPENSSL_cleanse(EVP_CIPHER_CTX_iv_noconst(ctx), `8`);
358	if (rv == -`1`)
359	OPENSSL_cleanse(out, inl - `16`);
360
361	return rv;
362	}
363
364	static int des_ede3_wrap(EVP_CIPHER_CTX ctx, unsigned* char *out,
365	const unsigned char *in, size_t inl)
366	{
367	unsigned char sha1tmp[SHA_DIGEST_LENGTH];
368	if (out == NULL)
369	return inl + `16`;
370	/ Copy input to output buffer + 8 so we have space for IV /
371	memmove(out + `8`, in, inl);
372	/ Work out ICV /
373	SHA1(in, inl, sha1tmp);
374	memcpy(out + inl + `8`, sha1tmp, `8`);
375	OPENSSL_cleanse(sha1tmp, SHA_DIGEST_LENGTH);
376	/ Generate random IV /
377	if (RAND_bytes(EVP_CIPHER_CTX_iv_noconst(ctx), `8`) <= `0`)
378	return -`1`;
379	memcpy(out, EVP_CIPHER_CTX_iv_noconst(ctx), `8`);
380	/ Encrypt everything after IV in place /
381	des_ede_cbc_cipher(ctx, out + `8`, out + `8`, inl + `8`);
382	BUF_reverse(out, NULL, inl + `16`);
383	memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), wrap_iv, `8`);
384	des_ede_cbc_cipher(ctx, out, out, inl + `16`);
385	return inl + `16`;
386	}
387
388	static int des_ede3_wrap_cipher(EVP_CIPHER_CTX ctx, unsigned* char *out,
389	const unsigned char *in, size_t inl)
390	{
391	/*
392	* Sanity check input length: we typically only wrap keys so EVP_MAXCHUNK
393	* is more than will ever be needed. Also input length must be a multiple
394	* of 8 bits.
395	*/
396	if (inl >= EVP_MAXCHUNK \|\| inl % `8`)
397	return -`1`;
398
399	if (is_partially_overlapping(out, in, inl)) {
400	EVPerr(EVP_F_DES_EDE3_WRAP_CIPHER, EVP_R_PARTIALLY_OVERLAPPING);
401	return `0`;
402	}
403
404	if (EVP_CIPHER_CTX_encrypting(ctx))
405	return des_ede3_wrap(ctx, out, in, inl);
406	else
407	return des_ede3_unwrap(ctx, out, in, inl);
408	}
409
410	static const EVP_CIPHER des3_wrap = {
411	NID_id_smime_alg_CMS3DESwrap,
412	`8`, `24`, `0`,
413	EVP_CIPH_WRAP_MODE \| EVP_CIPH_CUSTOM_IV \| EVP_CIPH_FLAG_CUSTOM_CIPHER
414	\| EVP_CIPH_FLAG_DEFAULT_ASN1,
415	des_ede3_init_key, des_ede3_wrap_cipher,
416	NULL,
417	sizeof(DES_EDE_KEY),
418	NULL, NULL, NULL, NULL
419	};
420
421	const EVP_CIPHER EVP_des_ede3_wrap(void*)
422	{
423	return &des3_wrap;
424	}
425
426	#endif
427

Browse the source code of ClickHouse/contrib/openssl/crypto/evp/e_des3.c