/src/openssl/providers/implementations/ciphers/cipher_tdes_common.c

Source
/*
 * Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/*
 * DES low level APIs are deprecated for public use, but still ok for internal
 * use.
 */
#include "internal/deprecated.h"

#include <openssl/rand.h>
#include <openssl/proverr.h>
#include "prov/ciphercommon.h"
#include "cipher_tdes.h"
#include "prov/implementations.h"
#include "prov/providercommon.h"

void *ossl_tdes_newctx(void *provctx, int mode, size_t kbits, size_t blkbits,
    size_t ivbits, uint64_t flags, const PROV_CIPHER_HW *hw)
{
    PROV_TDES_CTX *tctx;

    CIPHER_PROV_CHECK(provctx, DES_EDE3_ECB);

    tctx = OPENSSL_zalloc(sizeof(*tctx));
    if (tctx != NULL) {
        OSSL_FIPS_IND_INIT(tctx)
        ossl_cipher_generic_initkey(tctx, kbits, blkbits, ivbits, mode, flags,
            hw, provctx);
    }
    return tctx;
}

void *ossl_tdes_dupctx(void *ctx)
{
    PROV_TDES_CTX *in = (PROV_TDES_CTX *)ctx;
    PROV_TDES_CTX *ret;

    if (!ossl_prov_is_running())
        return NULL;

    ret = OPENSSL_malloc(sizeof(*ret));
    if (ret == NULL)
        return NULL;
    OSSL_FIPS_IND_COPY(ret, in)
    in->base.hw->copyctx(&ret->base, &in->base);

    return ret;
}

void ossl_tdes_freectx(void *vctx)
{
    PROV_TDES_CTX *ctx = (PROV_TDES_CTX *)vctx;

    ossl_cipher_generic_reset_ctx((PROV_CIPHER_CTX *)vctx);
    OPENSSL_clear_free(ctx, sizeof(*ctx));
}

#ifdef FIPS_MODULE
static int tdes_encrypt_check_approved(PROV_TDES_CTX *ctx, int enc)
{
    /* Triple-DES encryption is not approved in FIPS 140-3 */
    if (enc && !OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0, ctx->base.libctx, "Triple-DES", "Encryption", ossl_fips_config_tdes_encrypt_disallowed))
        return 0;
    return 1;
}
#endif

static int tdes_init(void *vctx, const unsigned char *key, size_t keylen,
    const unsigned char *iv, size_t ivlen,
    const OSSL_PARAM params[], int enc)
{
    PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;

    if (!ossl_prov_is_running())
        return 0;

    ctx->num = 0;
    ctx->bufsz = 0;
    ctx->enc = enc;

    if (iv != NULL) {
        if (!ossl_cipher_generic_initiv(ctx, iv, ivlen))
            return 0;
    } else if (ctx->iv_set
        && (ctx->mode == EVP_CIPH_CBC_MODE
            || ctx->mode == EVP_CIPH_CFB_MODE
            || ctx->mode == EVP_CIPH_OFB_MODE)) {
        /* reset IV to keep compatibility with 1.1.1 */
        memcpy(ctx->iv, ctx->oiv, ctx->ivlen);
    }

    if (key != NULL) {
        if (keylen != ctx->keylen) {
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
            return 0;
        }
        if (!ctx->hw->init(ctx, key, ctx->keylen))
            return 0;
        ctx->key_set = 1;
    }
    if (!ossl_tdes_set_ctx_params(ctx, params))
        return 0;
#ifdef FIPS_MODULE
    if (!tdes_encrypt_check_approved((PROV_TDES_CTX *)ctx, enc))
        return 0;
#endif
    return 1;
}

int ossl_tdes_einit(void *vctx, const unsigned char *key, size_t keylen,
    const unsigned char *iv, size_t ivlen,
    const OSSL_PARAM params[])
{
    return tdes_init(vctx, key, keylen, iv, ivlen, params, 1);
}

int ossl_tdes_dinit(void *vctx, const unsigned char *key, size_t keylen,
    const unsigned char *iv, size_t ivlen,
    const OSSL_PARAM params[])
{
    return tdes_init(vctx, key, keylen, iv, ivlen, params, 0);
}

CIPHER_DEFAULT_GETTABLE_CTX_PARAMS_START(ossl_tdes)
OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_RANDOM_KEY, NULL, 0),
    OSSL_FIPS_IND_GETTABLE_CTX_PARAM()
        CIPHER_DEFAULT_GETTABLE_CTX_PARAMS_END(ossl_tdes)

            static int tdes_generatekey(PROV_CIPHER_CTX *ctx, void *ptr)
{
    DES_cblock *deskey = ptr;
    size_t kl = ctx->keylen;

    if (kl == 0 || RAND_priv_bytes_ex(ctx->libctx, ptr, kl, 0) <= 0)
        return 0;
    DES_set_odd_parity(deskey);
    if (kl >= 16) {
        DES_set_odd_parity(deskey + 1);
        if (kl >= 24)
            DES_set_odd_parity(deskey + 2);
    }
    return 1;
}

int ossl_tdes_get_ctx_params(void *vctx, OSSL_PARAM params[])
{
    PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
    OSSL_PARAM *p;

    if (!ossl_cipher_generic_get_ctx_params(vctx, params))
        return 0;

    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_RANDOM_KEY);
    if (p != NULL && !tdes_generatekey(ctx, p->data)) {
        ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GENERATE_KEY);
        return 0;
    }
    if (!OSSL_FIPS_IND_GET_CTX_PARAM((PROV_TDES_CTX *)vctx, params))
        return 0;
    return 1;
}

CIPHER_DEFAULT_SETTABLE_CTX_PARAMS_START(ossl_tdes)
OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_CIPHER_PARAM_FIPS_ENCRYPT_CHECK)
CIPHER_DEFAULT_SETTABLE_CTX_PARAMS_END(ossl_tdes)

int ossl_tdes_set_ctx_params(void *vctx, const OSSL_PARAM params[])
{
    if (!OSSL_FIPS_IND_SET_CTX_PARAM((PROV_TDES_CTX *)vctx,
            OSSL_FIPS_IND_SETTABLE0, params,
            OSSL_CIPHER_PARAM_FIPS_ENCRYPT_CHECK))
        return 0;
    return ossl_cipher_generic_set_ctx_params(vctx, params);
}

int ossl_tdes_get_params(OSSL_PARAM params[], unsigned int md, uint64_t flags,
    size_t kbits, size_t blkbits, size_t ivbits)
{
#ifdef FIPS_MODULE
    const int decrypt_only = 1;
#else
    const int decrypt_only = 0;
#endif
    OSSL_PARAM *p;

    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_DECRYPT_ONLY);
    if (p != NULL && !OSSL_PARAM_set_int(p, decrypt_only)) {
        ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
        return 0;
    }

    return ossl_cipher_generic_get_params(params, md, flags,
        kbits, blkbits, ivbits);
}

Coverage Report

Created: 2026-02-22 06:11

Line	Count	Source
1		/*
2		* Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved.
3		*
4		* Licensed under the Apache License 2.0 (the "License"). You may not use
5		* this file except in compliance with the License. You can obtain a copy
6		* in the file LICENSE in the source distribution or at
7		* https://www.openssl.org/source/license.html
8		*/
9
10		/*
11		* DES low level APIs are deprecated for public use, but still ok for internal
12		* use.
13		*/
14		#include "internal/deprecated.h"
15
16		#include <openssl/rand.h>
17		#include <openssl/proverr.h>
18		#include "prov/ciphercommon.h"
19		#include "cipher_tdes.h"
20		#include "prov/implementations.h"
21		#include "prov/providercommon.h"
22
23		void ossl_tdes_newctx(void provctx, int mode, size_t kbits, size_t blkbits,
24		size_t ivbits, uint64_t flags, const PROV_CIPHER_HW *hw)
25	0	{
26	0	PROV_TDES_CTX *tctx;
27
28	0	CIPHER_PROV_CHECK(provctx, DES_EDE3_ECB);
29
30	0	tctx = OPENSSL_zalloc(sizeof(*tctx));
31	0	if (tctx != NULL) {
32	0	OSSL_FIPS_IND_INIT(tctx)
33	0	ossl_cipher_generic_initkey(tctx, kbits, blkbits, ivbits, mode, flags,
34	0	hw, provctx);
35	0	}
36	0	return tctx;
37	0	}
38
39		void ossl_tdes_dupctx(void ctx)
40	0	{
41	0	PROV_TDES_CTX in = (PROV_TDES_CTX )ctx;
42	0	PROV_TDES_CTX *ret;
43
44	0	if (!ossl_prov_is_running())
45	0	return NULL;
46
47	0	ret = OPENSSL_malloc(sizeof(*ret));
48	0	if (ret == NULL)
49	0	return NULL;
50	0	OSSL_FIPS_IND_COPY(ret, in)
51	0	in->base.hw->copyctx(&ret->base, &in->base);
52
53	0	return ret;
54	0	}
55
56		void ossl_tdes_freectx(void *vctx)
57	0	{
58	0	PROV_TDES_CTX ctx = (PROV_TDES_CTX )vctx;
59
60	0	ossl_cipher_generic_reset_ctx((PROV_CIPHER_CTX *)vctx);
61	0	OPENSSL_clear_free(ctx, sizeof(*ctx));
62	0	}
63
64		#ifdef FIPS_MODULE
65		static int tdes_encrypt_check_approved(PROV_TDES_CTX *ctx, int enc)
66		{
67		/* Triple-DES encryption is not approved in FIPS 140-3 */
68		if (enc && !OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0, ctx->base.libctx, "Triple-DES", "Encryption", ossl_fips_config_tdes_encrypt_disallowed))
69		return 0;
70		return 1;
71		}
72		#endif
73
74		static int tdes_init(void vctx, const unsigned char key, size_t keylen,
75		const unsigned char *iv, size_t ivlen,
76		const OSSL_PARAM params[], int enc)
77	0	{
78	0	PROV_CIPHER_CTX ctx = (PROV_CIPHER_CTX )vctx;
79
80	0	if (!ossl_prov_is_running())
81	0	return 0;
82
83	0	ctx->num = 0;
84	0	ctx->bufsz = 0;
85	0	ctx->enc = enc;
86
87	0	if (iv != NULL) {
88	0	if (!ossl_cipher_generic_initiv(ctx, iv, ivlen))
89	0	return 0;
90	0	} else if (ctx->iv_set
91	0	&& (ctx->mode == EVP_CIPH_CBC_MODE
92	0	\|\| ctx->mode == EVP_CIPH_CFB_MODE
93	0	\|\| ctx->mode == EVP_CIPH_OFB_MODE)) {
94		/* reset IV to keep compatibility with 1.1.1 */
95	0	memcpy(ctx->iv, ctx->oiv, ctx->ivlen);
96	0	}
97
98	0	if (key != NULL) {
99	0	if (keylen != ctx->keylen) {
100	0	ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
101	0	return 0;
102	0	}
103	0	if (!ctx->hw->init(ctx, key, ctx->keylen))
104	0	return 0;
105	0	ctx->key_set = 1;
106	0	}
107	0	if (!ossl_tdes_set_ctx_params(ctx, params))
108	0	return 0;
109		#ifdef FIPS_MODULE
110		if (!tdes_encrypt_check_approved((PROV_TDES_CTX *)ctx, enc))
111		return 0;
112		#endif
113	0	return 1;
114	0	}
115
116		int ossl_tdes_einit(void vctx, const unsigned char key, size_t keylen,
117		const unsigned char *iv, size_t ivlen,
118		const OSSL_PARAM params[])
119	0	{
120	0	return tdes_init(vctx, key, keylen, iv, ivlen, params, 1);
121	0	}
122
123		int ossl_tdes_dinit(void vctx, const unsigned char key, size_t keylen,
124		const unsigned char *iv, size_t ivlen,
125		const OSSL_PARAM params[])
126	0	{
127	0	return tdes_init(vctx, key, keylen, iv, ivlen, params, 0);
128	0	}
129
130		CIPHER_DEFAULT_GETTABLE_CTX_PARAMS_START(ossl_tdes)
131		OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_RANDOM_KEY, NULL, 0),
132		OSSL_FIPS_IND_GETTABLE_CTX_PARAM()
133		CIPHER_DEFAULT_GETTABLE_CTX_PARAMS_END(ossl_tdes)
134
135		static int tdes_generatekey(PROV_CIPHER_CTX ctx, void ptr)
136	0	{
137	0	DES_cblock *deskey = ptr;
138	0	size_t kl = ctx->keylen;
139
140	0	if (kl == 0 \|\| RAND_priv_bytes_ex(ctx->libctx, ptr, kl, 0) <= 0)
141	0	return 0;
142	0	DES_set_odd_parity(deskey);
143	0	if (kl >= 16) {
144	0	DES_set_odd_parity(deskey + 1);
145	0	if (kl >= 24)
146	0	DES_set_odd_parity(deskey + 2);
147	0	}
148	0	return 1;
149	0	}
150
151		int ossl_tdes_get_ctx_params(void *vctx, OSSL_PARAM params[])
152	0	{
153	0	PROV_CIPHER_CTX ctx = (PROV_CIPHER_CTX )vctx;
154	0	OSSL_PARAM *p;
155
156	0	if (!ossl_cipher_generic_get_ctx_params(vctx, params))
157	0	return 0;
158
159	0	p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_RANDOM_KEY);
160	0	if (p != NULL && !tdes_generatekey(ctx, p->data)) {
161	0	ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GENERATE_KEY);
162	0	return 0;
163	0	}
164	0	if (!OSSL_FIPS_IND_GET_CTX_PARAM((PROV_TDES_CTX *)vctx, params))
165	0	return 0;
166	0	return 1;
167	0	}
168
169		CIPHER_DEFAULT_SETTABLE_CTX_PARAMS_START(ossl_tdes)
170		OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_CIPHER_PARAM_FIPS_ENCRYPT_CHECK)
171		CIPHER_DEFAULT_SETTABLE_CTX_PARAMS_END(ossl_tdes)
172
173		int ossl_tdes_set_ctx_params(void *vctx, const OSSL_PARAM params[])
174	0	{
175	0	if (!OSSL_FIPS_IND_SET_CTX_PARAM((PROV_TDES_CTX *)vctx,
176	0	OSSL_FIPS_IND_SETTABLE0, params,
177	0	OSSL_CIPHER_PARAM_FIPS_ENCRYPT_CHECK))
178	0	return 0;
179	0	return ossl_cipher_generic_set_ctx_params(vctx, params);
180	0	}
181
182		int ossl_tdes_get_params(OSSL_PARAM params[], unsigned int md, uint64_t flags,
183		size_t kbits, size_t blkbits, size_t ivbits)
184	11	{
185		#ifdef FIPS_MODULE
186		const int decrypt_only = 1;
187		#else
188	11	const int decrypt_only = 0;
189	11	#endif
190	11	OSSL_PARAM *p;
191
192	11	p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_DECRYPT_ONLY);
193	11	if (p != NULL && !OSSL_PARAM_set_int(p, decrypt_only)) {
194	0	ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
195	0	return 0;
196	0	}
197
198	11	return ossl_cipher_generic_get_params(params, md, flags,
199	11	kbits, blkbits, ivbits);
200	11	}