2 * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/sha.h>
11 #include "cipher_tdes_default.h"
12 #include "internal/evp_int.h"
13 #include "internal/rand_int.h"
14 #include "internal/provider_algs.h"
15 #include "internal/providercommonerr.h"
17 /* TODO (3.0) Figure out what flags are requred */
18 #define TDES_WRAP_FLAGS (EVP_CIPH_WRAP_MODE | EVP_CIPH_CUSTOM_IV \
19 | EVP_CIPH_FLAG_CUSTOM_CIPHER \
20 | EVP_CIPH_FLAG_DEFAULT_ASN1)
23 static OSSL_OP_cipher_update_fn tdes_wrap_update
;
24 static OSSL_OP_cipher_cipher_fn tdes_wrap_cipher
;
26 static const unsigned char wrap_iv
[8] =
28 0x4a, 0xdd, 0xa2, 0x2c, 0x79, 0xe8, 0x21, 0x05
31 static int des_ede3_unwrap(PROV_CIPHER_CTX
*ctx
, unsigned char *out
,
32 const unsigned char *in
, size_t inl
)
34 unsigned char icv
[8], iv
[TDES_IVLEN
], sha1tmp
[SHA_DIGEST_LENGTH
];
42 memcpy(ctx
->iv
, wrap_iv
, 8);
43 /* Decrypt first block which will end up as icv */
44 ctx
->hw
->cipher(ctx
, icv
, in
, 8);
45 /* Decrypt central blocks */
47 * If decrypting in place move whole output along a block so the next
48 * des_ede_cbc_cipher is in place.
51 memmove(out
, out
+ 8, inl
- 8);
54 ctx
->hw
->cipher(ctx
, out
, in
+ 8, inl
- 16);
55 /* Decrypt final block which will be IV */
56 ctx
->hw
->cipher(ctx
, iv
, in
+ inl
- 8, 8);
57 /* Reverse order of everything */
58 BUF_reverse(icv
, NULL
, 8);
59 BUF_reverse(out
, NULL
, inl
- 16);
60 BUF_reverse(ctx
->iv
, iv
, 8);
61 /* Decrypt again using new IV */
62 ctx
->hw
->cipher(ctx
, out
, out
, inl
- 16);
63 ctx
->hw
->cipher(ctx
, icv
, icv
, 8);
64 /* Work out SHA1 hash of first portion */
65 SHA1(out
, inl
- 16, sha1tmp
);
67 if (!CRYPTO_memcmp(sha1tmp
, icv
, 8))
69 OPENSSL_cleanse(icv
, 8);
70 OPENSSL_cleanse(sha1tmp
, SHA_DIGEST_LENGTH
);
71 OPENSSL_cleanse(iv
, 8);
72 OPENSSL_cleanse(ctx
->iv
, sizeof(ctx
->iv
));
74 OPENSSL_cleanse(out
, inl
- 16);
79 static int des_ede3_wrap(PROV_CIPHER_CTX
*ctx
, unsigned char *out
,
80 const unsigned char *in
, size_t inl
)
82 unsigned char sha1tmp
[SHA_DIGEST_LENGTH
];
83 size_t ivlen
= TDES_IVLEN
;
84 size_t icvlen
= TDES_IVLEN
;
85 size_t len
= inl
+ ivlen
+ icvlen
;
90 /* Copy input to output buffer + 8 so we have space for IV */
91 memmove(out
+ ivlen
, in
, inl
);
93 SHA1(in
, inl
, sha1tmp
);
94 memcpy(out
+ inl
+ ivlen
, sha1tmp
, icvlen
);
95 OPENSSL_cleanse(sha1tmp
, SHA_DIGEST_LENGTH
);
96 /* Generate random IV */
97 if (rand_bytes_ex(ctx
->libctx
, ctx
->iv
, ivlen
) <= 0)
99 memcpy(out
, ctx
->iv
, ivlen
);
100 /* Encrypt everything after IV in place */
101 ctx
->hw
->cipher(ctx
, out
+ ivlen
, out
+ ivlen
, inl
+ ivlen
);
102 BUF_reverse(out
, NULL
, len
);
103 memcpy(ctx
->iv
, wrap_iv
, ivlen
);
104 ctx
->hw
->cipher(ctx
, out
, out
, len
);
108 static int tdes_wrap_cipher_internal(PROV_CIPHER_CTX
*ctx
, unsigned char *out
,
109 const unsigned char *in
, size_t inl
)
112 * Sanity check input length: we typically only wrap keys so EVP_MAXCHUNK
113 * is more than will ever be needed. Also input length must be a multiple
116 if (inl
>= EVP_MAXCHUNK
|| inl
% 8)
119 return des_ede3_wrap(ctx
, out
, in
, inl
);
121 return des_ede3_unwrap(ctx
, out
, in
, inl
);
124 static int tdes_wrap_cipher(void *vctx
,
125 unsigned char *out
, size_t *outl
, size_t outsize
,
126 const unsigned char *in
, size_t inl
)
128 PROV_CIPHER_CTX
*ctx
= (PROV_CIPHER_CTX
*)vctx
;
133 PROVerr(0, PROV_R_OUTPUT_BUFFER_TOO_SMALL
);
137 ret
= tdes_wrap_cipher_internal(ctx
, out
, in
, inl
);
145 static int tdes_wrap_update(void *vctx
, unsigned char *out
, size_t *outl
,
146 size_t outsize
, const unsigned char *in
,
151 PROVerr(0, PROV_R_OUTPUT_BUFFER_TOO_SMALL
);
155 if (!tdes_wrap_cipher(vctx
, out
, outl
, outsize
, in
, inl
)) {
156 PROVerr(0, PROV_R_CIPHER_OPERATION_FAILED
);
163 # define IMPLEMENT_WRAP_CIPHER(flags, kbits, blkbits, ivbits) \
164 static OSSL_OP_cipher_newctx_fn tdes_wrap_newctx; \
165 static void *tdes_wrap_newctx(void *provctx) \
167 return tdes_newctx(provctx, EVP_CIPH_WRAP_MODE, kbits, blkbits, ivbits, \
168 flags, PROV_CIPHER_HW_tdes_wrap_cbc()); \
170 static OSSL_OP_cipher_get_params_fn tdes_wrap_get_params; \
171 static int tdes_wrap_get_params(OSSL_PARAM params[]) \
173 return cipher_generic_get_params(params, EVP_CIPH_WRAP_MODE, flags, \
174 kbits, blkbits, ivbits); \
176 const OSSL_DISPATCH tdes_wrap_cbc_functions[] = \
178 { OSSL_FUNC_CIPHER_ENCRYPT_INIT, (void (*)(void)) tdes_einit }, \
179 { OSSL_FUNC_CIPHER_DECRYPT_INIT, (void (*)(void)) tdes_dinit }, \
180 { OSSL_FUNC_CIPHER_CIPHER, (void (*)(void))tdes_wrap_cipher }, \
181 { OSSL_FUNC_CIPHER_NEWCTX, (void (*)(void))tdes_wrap_newctx }, \
182 { OSSL_FUNC_CIPHER_FREECTX, (void (*)(void))tdes_freectx }, \
183 { OSSL_FUNC_CIPHER_UPDATE, (void (*)(void))tdes_wrap_update }, \
184 { OSSL_FUNC_CIPHER_FINAL, (void (*)(void))cipher_generic_stream_final }, \
185 { OSSL_FUNC_CIPHER_GET_PARAMS, (void (*)(void))tdes_wrap_get_params }, \
186 { OSSL_FUNC_CIPHER_GETTABLE_PARAMS, \
187 (void (*)(void))cipher_generic_gettable_params }, \
188 { OSSL_FUNC_CIPHER_GET_CTX_PARAMS, (void (*)(void))tdes_get_ctx_params }, \
189 { OSSL_FUNC_CIPHER_GETTABLE_CTX_PARAMS, \
190 (void (*)(void))tdes_gettable_ctx_params }, \
191 { OSSL_FUNC_CIPHER_SET_CTX_PARAMS, \
192 (void (*)(void))cipher_generic_set_ctx_params }, \
193 { OSSL_FUNC_CIPHER_SETTABLE_CTX_PARAMS, \
194 (void (*)(void))cipher_generic_settable_ctx_params }, \
198 /* tdes_wrap_cbc_functions */
199 IMPLEMENT_WRAP_CIPHER(TDES_WRAP_FLAGS
, 64*3, 64, 0);