/*
 * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/*
 * DES low level APIs are deprecated for public use, but still ok for internal
 * use.
 */
14 #include "internal/deprecated.h"
17 #include "internal/cryptlib.h"
18 #ifndef OPENSSL_NO_DES
19 # include <openssl/evp.h>
20 # include <openssl/objects.h>
21 # include "crypto/evp.h"
22 # include <openssl/des.h>
23 # include <openssl/rand.h>
24 # include "evp_local.h"
29 DES_key_schedule ks
[3];
32 void (*cbc
) (const void *, void *, size_t,
33 const DES_key_schedule
*, unsigned char *);
# if defined(AES_ASM) && (defined(__sparc) || defined(__sparc__))
/* ---------^^^ this is not a typo, just a way to detect that
 * assembler support was in general requested... */
# include "sparc_arch.h"

/* Capability words for the running SPARC CPU; defined outside this file. */
extern unsigned int OPENSSL_sparcv9cap_P[];

/* Non-zero when capability word 1 has the CFR_DES bit set. */
# define SPARC_DES_CAPABLE (OPENSSL_sparcv9cap_P[1] & CFR_DES)

/*
 * Assembler entry points (implemented outside this file).  The CBC routines
 * take the length as size_t and the three key schedules as one array.
 */
void des_t4_key_expand(const void *key, DES_key_schedule *ks);
void des_t4_ede3_cbc_encrypt(const void *inp, void *out, size_t len,
                             const DES_key_schedule ks[3], unsigned char iv[8]);
void des_t4_ede3_cbc_decrypt(const void *inp, void *out, size_t len,
                             const DES_key_schedule ks[3], unsigned char iv[8]);
# endif
/*
 * Forward declarations: the cipher tables generated further down refer to
 * these functions before their definitions appear.
 */
static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                            const unsigned char *iv, int enc);

static int des_ede3_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                             const unsigned char *iv, int enc);

static int des3_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr);

/* Shorthand for this cipher's private DES_EDE_KEY state held by |ctx|. */
# define data(ctx) EVP_C_DATA(DES_EDE_KEY,ctx)
/*
 * Because of various casts and different args can't use
 * IMPLEMENT_BLOCK_CIPHER
 */

/*
 * ECB mode: each DES block of |in| is passed on its own through
 * DES_ecb3_encrypt() with the three key schedules held in the context.
 * The loop header (index |i|, bounds) comes from BLOCK_CIPHER_ecb_loop().
 *
 * ECB has no chaining and no IV, so equal plaintext blocks yield equal
 * ciphertext blocks under the same key.
 *
 * Returns 1.
 */
static int des_ede_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                              const unsigned char *in, size_t inl)
{
    DES_EDE_KEY *dat = data(ctx);
    const int enc = EVP_CIPHER_CTX_encrypting(ctx);

    BLOCK_CIPHER_ecb_loop()
        DES_ecb3_encrypt((const_DES_cblock *)(in + i),
                         (DES_cblock *)(out + i),
                         &dat->ks1, &dat->ks2, &dat->ks3, enc);
    return 1;
}
/*
 * OFB mode: process |inl| bytes through DES_ede3_ofb64_encrypt().
 *
 * The low-level routine takes its length as a long, so the input is fed in
 * pieces of at most EVP_MAXCHUNK bytes to keep the (long) cast in range.
 * The keystream offset is read from and written back to the context around
 * every call so that it carries across pieces and across calls.
 *
 * Returns 1.
 */
static int des_ede_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                              const unsigned char *in, size_t inl)
{
    DES_EDE_KEY *dat = data(ctx);
    size_t chunk;
    int num;

    while (inl > 0) {
        chunk = inl >= EVP_MAXCHUNK ? EVP_MAXCHUNK : inl;

        num = EVP_CIPHER_CTX_num(ctx);
        DES_ede3_ofb64_encrypt(in, out, (long)chunk,
                               &dat->ks1, &dat->ks2, &dat->ks3,
                               (DES_cblock *)ctx->iv, &num);
        EVP_CIPHER_CTX_set_num(ctx, num);

        inl -= chunk;
        in += chunk;
        out += chunk;
    }
    return 1;
}
/*
 * CBC mode.
 *
 * If key setup installed an accelerated routine in dat->stream.cbc, the
 * whole request is handed to it in one call (its length parameter is a
 * size_t, so no splitting is needed).  Otherwise the portable
 * DES_ede3_cbc_encrypt() is used, fed in pieces of at most EVP_MAXCHUNK
 * bytes because it takes the length as a long.
 *
 * The chaining value lives in ctx->iv and is updated in place.
 *
 * Returns 1.
 */
static int des_ede_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                              const unsigned char *in, size_t inl)
{
    DES_EDE_KEY *dat = data(ctx);
    size_t chunk;

    if (dat->stream.cbc != NULL) {
        (*dat->stream.cbc) (in, out, inl, dat->ks.ks, ctx->iv);
        return 1;
    }

    while (inl > 0) {
        chunk = inl >= EVP_MAXCHUNK ? EVP_MAXCHUNK : inl;

        DES_ede3_cbc_encrypt(in, out, (long)chunk,
                             &dat->ks1, &dat->ks2, &dat->ks3,
                             (DES_cblock *)ctx->iv,
                             EVP_CIPHER_CTX_encrypting(ctx));

        inl -= chunk;
        in += chunk;
        out += chunk;
    }
    return 1;
}
/*
 * CFB mode with 64-bit feedback: process |inl| bytes through
 * DES_ede3_cfb64_encrypt(), in pieces of at most EVP_MAXCHUNK bytes so the
 * (long) length cast stays in range.  The position within the current
 * feedback block is loaded from and stored back to the context around each
 * call.
 *
 * Returns 1.
 */
static int des_ede_cfb64_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                                const unsigned char *in, size_t inl)
{
    DES_EDE_KEY *dat = data(ctx);
    size_t chunk;
    int num;

    while (inl > 0) {
        chunk = inl >= EVP_MAXCHUNK ? EVP_MAXCHUNK : inl;

        num = EVP_CIPHER_CTX_num(ctx);
        DES_ede3_cfb64_encrypt(in, out, (long)chunk,
                               &dat->ks1, &dat->ks2, &dat->ks3,
                               (DES_cblock *)ctx->iv,
                               &num, EVP_CIPHER_CTX_encrypting(ctx));
        EVP_CIPHER_CTX_set_num(ctx, num);

        inl -= chunk;
        in += chunk;
        out += chunk;
    }
    return 1;
}
/*
 * Although we have a CFB-r implementation for 3-DES, it doesn't pack the
 * right way, so wrap it here
 */

/*
 * CFB mode with 1-bit feedback.
 *
 * |inl| counts bits when EVP_CIPH_FLAG_LENGTH_BITS is set on the context and
 * bytes otherwise (it is then scaled to bits).  Bits are taken from |in|
 * most-significant first, each is moved to the top bit of a one-byte
 * scratch buffer, run through DES_ede3_cfb_encrypt() with numbits == 1, and
 * the top bit of the result is merged into the matching position of |out|.
 *
 * Only the target bit of out[] is replaced on each step; the other bits of
 * that byte are read back and preserved.
 *
 * Returns 1.
 */
static int des_ede3_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                                const unsigned char *in, size_t inl)
{
    DES_EDE_KEY *dat = data(ctx);
    unsigned char bit_in[1], bit_out[1];
    unsigned int shift;
    size_t bit, byte;

    if (!EVP_CIPHER_CTX_test_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS))
        inl *= 8;

    for (bit = 0; bit < inl; ++bit) {
        byte = bit / 8;
        shift = (unsigned int)(bit % 8);

        bit_in[0] = (in[byte] & (1 << (7 - shift))) ? 0x80 : 0;
        DES_ede3_cfb_encrypt(bit_in, bit_out, 1, 1,
                             &dat->ks1, &dat->ks2, &dat->ks3,
                             (DES_cblock *)ctx->iv,
                             EVP_CIPHER_CTX_encrypting(ctx));
        out[byte] = (out[byte] & ~(0x80 >> shift))
            | ((bit_out[0] & 0x80) >> shift);
    }

    return 1;
}
/*
 * CFB mode with 8-bit feedback: process |inl| bytes through
 * DES_ede3_cfb_encrypt() with numbits == 8, in pieces of at most
 * EVP_MAXCHUNK bytes so the (long) length cast stays in range.
 *
 * Returns 1.
 */
static int des_ede3_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                                const unsigned char *in, size_t inl)
{
    DES_EDE_KEY *dat = data(ctx);
    size_t chunk;

    while (inl > 0) {
        chunk = inl >= EVP_MAXCHUNK ? EVP_MAXCHUNK : inl;

        DES_ede3_cfb_encrypt(in, out, 8, (long)chunk,
                             &dat->ks1, &dat->ks2, &dat->ks3,
                             (DES_cblock *)ctx->iv,
                             EVP_CIPHER_CTX_encrypting(ctx));

        inl -= chunk;
        in += chunk;
        out += chunk;
    }
    return 1;
}
/*
 * Two-key triple DES (NID_des_ede).  The numeric arguments are, in the
 * order BLOCK_CIPHER_defs takes them, block size 8, key length 16,
 * IV length 8 and 64 CFB feedback bits.
 * EVP_CIPH_RAND_KEY routes random key generation through des3_ctrl.
 */
BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY, NID_des_ede, 8, 16, 8, 64,
                  EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_DEFAULT_ASN1,
                  des_ede_init_key, NULL, NULL, NULL, des3_ctrl)

/*
 * The three-key variant reuses the two-key mode functions: they always run
 * with three key schedules, and only key setup differs between the two.
 */
# define des_ede3_cfb64_cipher des_ede_cfb64_cipher
# define des_ede3_ofb_cipher des_ede_ofb_cipher
# define des_ede3_cbc_cipher des_ede_cbc_cipher
# define des_ede3_ecb_cipher des_ede_ecb_cipher

/* Three-key triple DES (NID_des_ede3): same layout, 24-byte key. */
BLOCK_CIPHER_defs(des_ede3, DES_EDE_KEY, NID_des_ede3, 8, 24, 8, 64,
                  EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_DEFAULT_ASN1,
                  des_ede3_init_key, NULL, NULL, NULL, des3_ctrl)

/* Three-key triple DES, CFB with 1-bit feedback (des_ede3_cfb1_cipher). */
BLOCK_CIPHER_def_cfb(des_ede3, DES_EDE_KEY, NID_des_ede3, 24, 8, 1,
                     EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_DEFAULT_ASN1,
                     des_ede3_init_key, NULL, NULL, NULL, des3_ctrl)

/* Three-key triple DES, CFB with 8-bit feedback (des_ede3_cfb8_cipher). */
BLOCK_CIPHER_def_cfb(des_ede3, DES_EDE_KEY, NID_des_ede3, 24, 8, 8,
                     EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_DEFAULT_ASN1,
                     des_ede3_init_key, NULL, NULL, NULL, des3_ctrl)
/*
 * Key setup for two-key triple DES.
 *
 * |key| is read as two consecutive DES blocks.  The first is expanded into
 * ks1, the second into ks2, and ks3 is a copy of ks1, so the third stage
 * reuses the first key.
 *
 * On SPARC builds with the DES capability bit set, CBC mode uses the
 * assembler key expansion and installs the matching accelerated CBC routine
 * in dat->stream.cbc according to |enc|; every other case leaves that
 * pointer NULL and uses the portable key schedule.
 *
 * DES_set_key_unchecked() is the variant that does not validate parity or
 * reject weak keys; any such policy has to be applied by the caller.
 *
 * |iv| is not used here.  Returns 1.
 */
static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                            const unsigned char *iv, int enc)
{
    DES_EDE_KEY *dat = data(ctx);
    DES_cblock *blocks = (DES_cblock *)key;

    dat->stream.cbc = NULL;
# if defined(SPARC_DES_CAPABLE)
    if (SPARC_DES_CAPABLE && EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_CBC_MODE) {
        des_t4_key_expand(&blocks[0], &dat->ks1);
        des_t4_key_expand(&blocks[1], &dat->ks2);
        memcpy(&dat->ks3, &dat->ks1, sizeof(dat->ks1));
        if (enc)
            dat->stream.cbc = des_t4_ede3_cbc_encrypt;
        else
            dat->stream.cbc = des_t4_ede3_cbc_decrypt;
        return 1;
    }
# endif
    DES_set_key_unchecked(&blocks[0], &dat->ks1);
    DES_set_key_unchecked(&blocks[1], &dat->ks2);
    memcpy(&dat->ks3, &dat->ks1, sizeof(dat->ks1));
    return 1;
}
/*
 * Key setup for three-key triple DES.
 *
 * |key| is read as three consecutive DES blocks, expanded into ks1, ks2 and
 * ks3 respectively.
 *
 * On SPARC builds with the DES capability bit set, CBC mode uses the
 * assembler key expansion and installs the matching accelerated CBC routine
 * in dat->stream.cbc according to |enc|; every other case leaves that
 * pointer NULL and uses the portable key schedule.
 *
 * DES_set_key_unchecked() is the variant that does not validate parity or
 * reject weak keys; any such policy has to be applied by the caller.
 *
 * |iv| is not used here.  Returns 1.
 */
static int des_ede3_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                             const unsigned char *iv, int enc)
{
    DES_EDE_KEY *dat = data(ctx);
    DES_cblock *blocks = (DES_cblock *)key;

    dat->stream.cbc = NULL;
# if defined(SPARC_DES_CAPABLE)
    if (SPARC_DES_CAPABLE && EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_CBC_MODE) {
        des_t4_key_expand(&blocks[0], &dat->ks1);
        des_t4_key_expand(&blocks[1], &dat->ks2);
        des_t4_key_expand(&blocks[2], &dat->ks3);
        if (enc)
            dat->stream.cbc = des_t4_ede3_cbc_encrypt;
        else
            dat->stream.cbc = des_t4_ede3_cbc_decrypt;
        return 1;
    }
# endif
    DES_set_key_unchecked(&blocks[0], &dat->ks1);
    DES_set_key_unchecked(&blocks[1], &dat->ks2);
    DES_set_key_unchecked(&blocks[2], &dat->ks3);
    return 1;
}
/*
 * Control hook shared by all ciphers in this file.
 *
 * EVP_CTRL_RAND_KEY: fill |ptr| with key-length bytes from
 * RAND_priv_bytes(), then force odd parity on each 8-byte DES key block
 * that the key length covers (one block always, a second from 16 bytes, a
 * third from 24 bytes).
 *
 * Returns 1 on success, 0 if the key length is negative or the random
 * generator fails, and -1 for any other control type.  |arg| is unused.
 */
static int des3_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
{
    DES_cblock *blocks = ptr;
    int keylen;

    if (type != EVP_CTRL_RAND_KEY)
        return -1;

    keylen = EVP_CIPHER_CTX_key_length(ctx);
    if (keylen < 0 || RAND_priv_bytes(ptr, keylen) <= 0)
        return 0;

    DES_set_odd_parity(blocks);
    if (keylen >= 16)
        DES_set_odd_parity(blocks + 1);
    if (keylen >= 24)
        DES_set_odd_parity(blocks + 2);
    return 1;
}
/*
 * Public accessor: the two-key triple DES cipher in ECB mode, i.e. the
 * des_ede_ecb table generated by the BLOCK_CIPHER_defs() invocation.
 */
const EVP_CIPHER *EVP_des_ede(void)
{
    return &des_ede_ecb;
}

/*
 * Public accessor: the three-key triple DES cipher in ECB mode, i.e. the
 * des_ede3_ecb table generated by the BLOCK_CIPHER_defs() invocation.
 */
const EVP_CIPHER *EVP_des_ede3(void)
{
    return &des_ede3_ecb;
}
314 # include <openssl/sha.h>
/*
 * Fixed IV used for the outer CBC pass of the triple DES key wrap
 * (the CMS 3DES wrap algorithm, RFC 3217).  It is a public constant, not a
 * secret.
 */
static const unsigned char wrap_iv[8] =
    { 0x4a, 0xdd, 0xa2, 0x2c, 0x79, 0xe8, 0x21, 0x05 };
/*
 * Unwrap a key that was wrapped with the triple DES key wrap.
 *
 * Input layout after the outer decryption and byte reversal is
 * IV (8) || wrapped key (inl - 16) || ICV (8), so the shortest valid input
 * is 24 bytes.
 *
 * Steps: decrypt everything under the fixed wrap_iv, reverse the byte
 * order, decrypt key and ICV again under the recovered IV, then compare the
 * ICV with the first 8 bytes of SHA-1 over the recovered key.  The compare
 * uses CRYPTO_memcmp(), and on a mismatch the recovered bytes in |out| are
 * wiped before returning, so a failed unwrap hands nothing back.
 *
 * |out| == NULL asks only for the output length.  |out| == |in| (in-place
 * operation) is supported.
 *
 * Returns the recovered key length (inl - 16), or -1 on a too-short input
 * or an ICV mismatch.
 */
static int des_ede3_unwrap(EVP_CIPHER_CTX *ctx, unsigned char *out,
                           const unsigned char *in, size_t inl)
{
    unsigned char icv[8], iv[8], sha1tmp[SHA_DIGEST_LENGTH];
    size_t keylen;
    int ret = -1;

    if (inl < 24)
        return -1;
    keylen = inl - 16;
    if (out == NULL)
        return keylen;

    memcpy(ctx->iv, wrap_iv, 8);
    /* Decrypt first block which will end up as icv */
    des_ede_cbc_cipher(ctx, icv, in, 8);
    /* Decrypt central blocks */
    /*
     * If decrypting in place move whole output along a block so the next
     * des_ede_cbc_cipher is in place.
     */
    if (out == in) {
        memmove(out, out + 8, inl - 8);
        in -= 8;
    }
    des_ede_cbc_cipher(ctx, out, in + 8, keylen);
    /* Decrypt final block which will be IV */
    des_ede_cbc_cipher(ctx, iv, in + inl - 8, 8);
    /* Reverse order of everything */
    BUF_reverse(icv, NULL, 8);
    BUF_reverse(out, NULL, keylen);
    BUF_reverse(ctx->iv, iv, 8);
    /* Decrypt again using new IV */
    des_ede_cbc_cipher(ctx, out, out, keylen);
    des_ede_cbc_cipher(ctx, icv, icv, 8);
    /* Work out SHA1 hash of first portion */
    SHA1(out, keylen, sha1tmp);

    if (!CRYPTO_memcmp(sha1tmp, icv, 8))
        ret = keylen;

    /* Scrub every intermediate, whether or not the check passed. */
    OPENSSL_cleanse(icv, 8);
    OPENSSL_cleanse(sha1tmp, SHA_DIGEST_LENGTH);
    OPENSSL_cleanse(iv, 8);
    OPENSSL_cleanse(ctx->iv, 8);
    if (ret == -1)
        OPENSSL_cleanse(out, keylen);

    return ret;
}
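/*
 * Wrap a key with the triple DES key wrap.
 *
 * Output layout before the outer pass is
 * IV (8) || CBC(key || ICV) where ICV is the first 8 bytes of SHA-1 over the
 * key; the whole buffer is then byte-reversed and CBC-encrypted again under
 * the fixed wrap_iv.  The result is inl + 16 bytes long.
 *
 * |out| == NULL asks only for the output length.
 *
 * Two changes against the previous version of this function:
 *  - The ICV is hashed from the copy at out + 8 rather than from |in|.
 *    When the caller wraps in place (out == in) the memmove() has already
 *    shifted the buffer by 8 bytes, so hashing |in| covered the wrong bytes
 *    and produced an ICV that the unwrap side rejects.  For distinct
 *    buffers the two are byte-identical, so the output is unchanged.
 *  - The random IV is drawn before |out| is touched, so a random generator
 *    failure no longer leaves the plaintext key and ICV behind in |out|.
 *
 * Returns inl + 16 on success, -1 if the random generator fails.
 */
static int des_ede3_wrap(EVP_CIPHER_CTX *ctx, unsigned char *out,
                         const unsigned char *in, size_t inl)
{
    unsigned char sha1tmp[SHA_DIGEST_LENGTH];

    if (out == NULL)
        return inl + 16;
    /* Generate random IV */
    if (RAND_bytes(ctx->iv, 8) <= 0)
        return -1;
    /* Copy input to output buffer + 8 so we have space for IV */
    memmove(out + 8, in, inl);
    /* Work out ICV from the copy, which is intact even if out == in */
    SHA1(out + 8, inl, sha1tmp);
    memcpy(out + inl + 8, sha1tmp, 8);
    OPENSSL_cleanse(sha1tmp, SHA_DIGEST_LENGTH);
    memcpy(out, ctx->iv, 8);
    /* Encrypt everything after IV in place */
    des_ede_cbc_cipher(ctx, out + 8, out + 8, inl + 8);
    BUF_reverse(out, NULL, inl + 16);
    memcpy(ctx->iv, wrap_iv, 8);
    des_ede_cbc_cipher(ctx, out, out, inl + 16);
    return inl + 16;
}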
/*
 * Cipher entry point for the triple DES key wrap.
 *
 * Sanity check input length: we typically only wrap keys so EVP_MAXCHUNK
 * is more than will ever be needed, and the length must be a multiple of
 * 8 (inl % 8 == 0).  Buffers that overlap only partially are refused with
 * EVP_R_PARTIALLY_OVERLAPPING.
 *
 * Dispatches to des_ede3_wrap() when the context is encrypting and to
 * des_ede3_unwrap() otherwise, returning their result.  Returns -1 for a
 * bad length and 0 for partially overlapping buffers.
 */
static int des_ede3_wrap_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                                const unsigned char *in, size_t inl)
{
    if (inl % 8 || inl >= EVP_MAXCHUNK)
        return -1;

    if (ossl_is_partially_overlapping(out, in, inl)) {
        ERR_raise(ERR_LIB_EVP, EVP_R_PARTIALLY_OVERLAPPING);
        return 0;
    }

    return EVP_CIPHER_CTX_encrypting(ctx)
        ? des_ede3_wrap(ctx, out, in, inl)
        : des_ede3_unwrap(ctx, out, in, inl);
}
/*
 * Cipher table for the triple DES key wrap.  It is written out by hand
 * rather than generated, because the wrap supplies its own IV handling
 * (EVP_CIPH_CUSTOM_IV) and its own cipher function
 * (EVP_CIPH_FLAG_CUSTOM_CIPHER).
 */
static const EVP_CIPHER des3_wrap = {
    NID_id_smime_alg_CMS3DESwrap,
    8, 24, 0,                   /* block size, key length, IV length */
    EVP_CIPH_WRAP_MODE | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER
        | EVP_CIPH_FLAG_DEFAULT_ASN1,
    des_ede3_init_key, des_ede3_wrap_cipher,
    NULL,                       /* no cleanup hook */
    sizeof(DES_EDE_KEY),        /* per-context cipher data */
    NULL, NULL, NULL, NULL
};
422 const EVP_CIPHER
*EVP_des_ede3_wrap(void)