1/*
2 * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10#include <openssl/sha.h>
11#include "cipher_tdes_default.h"
12#include "crypto/evp.h"
13#include "crypto/rand.h"
14#include "prov/implementations.h"
15#include "prov/providercommonerr.h"
16
17/* TODO (3.0) Figure out what flags are required */
18#define TDES_WRAP_FLAGS (EVP_CIPH_WRAP_MODE | EVP_CIPH_CUSTOM_IV)
19
20
21static OSSL_OP_cipher_update_fn tdes_wrap_update;
22static OSSL_OP_cipher_cipher_fn tdes_wrap_cipher;
23
24static const unsigned char wrap_iv[8] =
25{
26 0x4a, 0xdd, 0xa2, 0x2c, 0x79, 0xe8, 0x21, 0x05
27};
28
29static int des_ede3_unwrap(PROV_CIPHER_CTX *ctx, unsigned char *out,
30 const unsigned char *in, size_t inl)
31{
32 unsigned char icv[8], iv[TDES_IVLEN], sha1tmp[SHA_DIGEST_LENGTH];
33 int rv = -1;
34
35 if (inl < 24)
36 return -1;
37 if (out == NULL)
38 return inl - 16;
39
40 memcpy(ctx->iv, wrap_iv, 8);
41 /* Decrypt first block which will end up as icv */
42 ctx->hw->cipher(ctx, icv, in, 8);
43 /* Decrypt central blocks */
44 /*
45 * If decrypting in place move whole output along a block so the next
46 * des_ede_cbc_cipher is in place.
47 */
48 if (out == in) {
49 memmove(out, out + 8, inl - 8);
50 in -= 8;
51 }
52 ctx->hw->cipher(ctx, out, in + 8, inl - 16);
53 /* Decrypt final block which will be IV */
54 ctx->hw->cipher(ctx, iv, in + inl - 8, 8);
55 /* Reverse order of everything */
56 BUF_reverse(icv, NULL, 8);
57 BUF_reverse(out, NULL, inl - 16);
58 BUF_reverse(ctx->iv, iv, 8);
59 /* Decrypt again using new IV */
60 ctx->hw->cipher(ctx, out, out, inl - 16);
61 ctx->hw->cipher(ctx, icv, icv, 8);
62 /* Work out SHA1 hash of first portion */
63 SHA1(out, inl - 16, sha1tmp);
64
65 if (!CRYPTO_memcmp(sha1tmp, icv, 8))
66 rv = inl - 16;
67 OPENSSL_cleanse(icv, 8);
68 OPENSSL_cleanse(sha1tmp, SHA_DIGEST_LENGTH);
69 OPENSSL_cleanse(iv, 8);
70 OPENSSL_cleanse(ctx->iv, sizeof(ctx->iv));
71 if (rv == -1)
72 OPENSSL_cleanse(out, inl - 16);
73
74 return rv;
75}
76
77static int des_ede3_wrap(PROV_CIPHER_CTX *ctx, unsigned char *out,
78 const unsigned char *in, size_t inl)
79{
80 unsigned char sha1tmp[SHA_DIGEST_LENGTH];
81 size_t ivlen = TDES_IVLEN;
82 size_t icvlen = TDES_IVLEN;
83 size_t len = inl + ivlen + icvlen;
84
85 if (out == NULL)
86 return len;
87
88 /* Copy input to output buffer + 8 so we have space for IV */
89 memmove(out + ivlen, in, inl);
90 /* Work out ICV */
91 SHA1(in, inl, sha1tmp);
92 memcpy(out + inl + ivlen, sha1tmp, icvlen);
93 OPENSSL_cleanse(sha1tmp, SHA_DIGEST_LENGTH);
94 /* Generate random IV */
95 if (rand_bytes_ex(ctx->libctx, ctx->iv, ivlen) <= 0)
96 return 0;
97 memcpy(out, ctx->iv, ivlen);
98 /* Encrypt everything after IV in place */
99 ctx->hw->cipher(ctx, out + ivlen, out + ivlen, inl + ivlen);
100 BUF_reverse(out, NULL, len);
101 memcpy(ctx->iv, wrap_iv, ivlen);
102 ctx->hw->cipher(ctx, out, out, len);
103 return len;
104}
105
106static int tdes_wrap_cipher_internal(PROV_CIPHER_CTX *ctx, unsigned char *out,
107 const unsigned char *in, size_t inl)
108{
109 /*
110 * Sanity check input length: we typically only wrap keys so EVP_MAXCHUNK
111 * is more than will ever be needed. Also input length must be a multiple
112 * of 8 bits.
113 */
114 if (inl >= EVP_MAXCHUNK || inl % 8)
115 return -1;
116 if (ctx->enc)
117 return des_ede3_wrap(ctx, out, in, inl);
118 else
119 return des_ede3_unwrap(ctx, out, in, inl);
120}
121
122static int tdes_wrap_cipher(void *vctx,
123 unsigned char *out, size_t *outl, size_t outsize,
124 const unsigned char *in, size_t inl)
125{
126 PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
127 int ret;
128
129 *outl = 0;
130 if (outsize < inl) {
131 PROVerr(0, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
132 return 0;
133 }
134
135 ret = tdes_wrap_cipher_internal(ctx, out, in, inl);
136 if (ret <= 0)
137 return 0;
138
139 *outl = ret;
140 return 1;
141}
142
143static int tdes_wrap_update(void *vctx, unsigned char *out, size_t *outl,
144 size_t outsize, const unsigned char *in,
145 size_t inl)
146{
147 *outl = 0;
148 if (inl == 0)
149 return 1;
150 if (outsize < inl) {
151 PROVerr(0, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
152 return 0;
153 }
154
155 if (!tdes_wrap_cipher(vctx, out, outl, outsize, in, inl)) {
156 PROVerr(0, PROV_R_CIPHER_OPERATION_FAILED);
157 return 0;
158 }
159 return 1;
160}
161
162
163# define IMPLEMENT_WRAP_CIPHER(flags, kbits, blkbits, ivbits) \
164static OSSL_OP_cipher_newctx_fn tdes_wrap_newctx; \
165static void *tdes_wrap_newctx(void *provctx) \
166{ \
167 return tdes_newctx(provctx, EVP_CIPH_WRAP_MODE, kbits, blkbits, ivbits, \
168 flags, PROV_CIPHER_HW_tdes_wrap_cbc()); \
169} \
170static OSSL_OP_cipher_get_params_fn tdes_wrap_get_params; \
171static int tdes_wrap_get_params(OSSL_PARAM params[]) \
172{ \
173 return cipher_generic_get_params(params, EVP_CIPH_WRAP_MODE, flags, \
174 kbits, blkbits, ivbits); \
175} \
176const OSSL_DISPATCH tdes_wrap_cbc_functions[] = \
177{ \
178 { OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void)) tdes_einit }, \
179 { OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void)) tdes_dinit }, \
180 { OSSL_FUNC_CIPHER_CIPHER, (void (*)(void))tdes_wrap_cipher }, \
181 { OSSL_FUNC_CIPHER_NEWCTX, (void (*)(void))tdes_wrap_newctx }, \
182 { OSSL_FUNC_CIPHER_FREECTX, (void (*)(void))tdes_freectx }, \
183 { OSSL_FUNC_CIPHER_UPDATE, (void (*)(void))tdes_wrap_update }, \
184 { OSSL_FUNC_CIPHER_FINAL, (void (*)(void))cipher_generic_stream_final }, \
185 { OSSL_FUNC_CIPHER_GET_PARAMS, (void (*)(void))tdes_wrap_get_params }, \
186 { OSSL_FUNC_CIPHER_GETTABLE_PARAMS, \
187 (void (*)(void))cipher_generic_gettable_params }, \
188 { OSSL_FUNC_CIPHER_GET_CTX_PARAMS, (void (*)(void))tdes_get_ctx_params }, \
189 { OSSL_FUNC_CIPHER_GETTABLE_CTX_PARAMS, \
190 (void (*)(void))tdes_gettable_ctx_params }, \
191 { OSSL_FUNC_CIPHER_SET_CTX_PARAMS, \
192 (void (*)(void))cipher_generic_set_ctx_params }, \
193 { OSSL_FUNC_CIPHER_SETTABLE_CTX_PARAMS, \
194 (void (*)(void))cipher_generic_settable_ctx_params }, \
195 { 0, NULL } \
196}
197
198/* tdes_wrap_cbc_functions */
199IMPLEMENT_WRAP_CIPHER(TDES_WRAP_FLAGS, 64*3, 64, 0);
200