/src/openssl/providers/implementations/ciphers/cipher_tdes_common.c

Source
/*
 * Copyright 2019-2026 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/*
 * DES low level APIs are deprecated for public use, but still ok for internal
 * use.
 */
#include "internal/deprecated.h"

#include <openssl/rand.h>
#include <openssl/proverr.h>
#include "prov/ciphercommon.h"
#include "cipher_tdes.h"
#include "prov/implementations.h"
#include "prov/providercommon.h"

void *ossl_tdes_newctx(void *provctx, int mode, size_t kbits, size_t blkbits,
    size_t ivbits, uint64_t flags, const PROV_CIPHER_HW *hw)
{
    PROV_TDES_CTX *tctx;

    CIPHER_PROV_CHECK(provctx, DES_EDE3_ECB);

    tctx = OPENSSL_zalloc(sizeof(*tctx));
    if (tctx != NULL) {
        OSSL_FIPS_IND_INIT(tctx)
        ossl_cipher_generic_initkey(tctx, kbits, blkbits, ivbits, mode, flags,
            hw, provctx);
    }
    return tctx;
}

void *ossl_tdes_dupctx(void *ctx)
{
    PROV_TDES_CTX *in = (PROV_TDES_CTX *)ctx;
    PROV_TDES_CTX *ret;

    if (!ossl_prov_is_running())
        return NULL;

    ret = OPENSSL_malloc(sizeof(*ret));
    if (ret == NULL)
        return NULL;
    OSSL_FIPS_IND_COPY(ret, in)
    in->base.hw->copyctx(&ret->base, &in->base);

    return ret;
}

void ossl_tdes_freectx(void *vctx)
{
    PROV_TDES_CTX *ctx = (PROV_TDES_CTX *)vctx;

    ossl_cipher_generic_reset_ctx((PROV_CIPHER_CTX *)vctx);
    OPENSSL_clear_free(ctx, sizeof(*ctx));
}

#ifdef FIPS_MODULE
static int tdes_encrypt_check_approved(PROV_TDES_CTX *ctx, int enc)
{
    /* Triple-DES encryption is not approved in FIPS 140-3 */
    if (enc
        && !OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0,
            ctx->base.libctx, "Triple-DES", "Encryption",
            FIPS_CONFIG_TDES_ENCRYPT_DISABLED))
        return 0;
    return 1;
}
#endif

static int tdes_init(void *vctx, const unsigned char *key, size_t keylen,
    const unsigned char *iv, size_t ivlen,
    const OSSL_PARAM params[], int enc)
{
    PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;

    if (!ossl_prov_is_running())
        return 0;

    ctx->num = 0;
    ctx->bufsz = 0;
    ctx->enc = enc;

    if (iv != NULL) {
        if (!ossl_cipher_generic_initiv(ctx, iv, ivlen))
            return 0;
    } else if (ctx->iv_set
        && (ctx->mode == EVP_CIPH_CBC_MODE
            || ctx->mode == EVP_CIPH_CFB_MODE
            || ctx->mode == EVP_CIPH_OFB_MODE)) {
        /* reset IV to keep compatibility with 1.1.1 */
        memcpy(ctx->iv, ctx->oiv, ctx->ivlen);
    }

    if (key != NULL) {
        if (keylen != ctx->keylen) {
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
            return 0;
        }
        if (!ctx->hw->init(ctx, key, ctx->keylen))
            return 0;
        ctx->key_set = 1;
    }
    if (!ossl_tdes_set_ctx_params(ctx, params))
        return 0;
#ifdef FIPS_MODULE
    if (!tdes_encrypt_check_approved((PROV_TDES_CTX *)ctx, enc))
        return 0;
#endif
    return 1;
}

int ossl_tdes_einit(void *vctx, const unsigned char *key, size_t keylen,
    const unsigned char *iv, size_t ivlen,
    const OSSL_PARAM params[])
{
    return tdes_init(vctx, key, keylen, iv, ivlen, params, 1);
}

int ossl_tdes_dinit(void *vctx, const unsigned char *key, size_t keylen,
    const unsigned char *iv, size_t ivlen,
    const OSSL_PARAM params[])
{
    return tdes_init(vctx, key, keylen, iv, ivlen, params, 0);
}

CIPHER_DEFAULT_GETTABLE_CTX_PARAMS_START(ossl_tdes)
OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_RANDOM_KEY, NULL, 0),
    OSSL_FIPS_IND_GETTABLE_CTX_PARAM()
        CIPHER_DEFAULT_GETTABLE_CTX_PARAMS_END(ossl_tdes)

            static int tdes_generatekey(PROV_CIPHER_CTX *ctx, void *ptr)
{
    DES_cblock *deskey = ptr;
    size_t kl = ctx->keylen;

    if (kl == 0 || RAND_priv_bytes_ex(ctx->libctx, ptr, kl, 0) <= 0)
        return 0;
    DES_set_odd_parity(deskey);
    if (kl >= 16) {
        DES_set_odd_parity(deskey + 1);
        if (kl >= 24)
            DES_set_odd_parity(deskey + 2);
    }
    return 1;
}

int ossl_tdes_get_ctx_params(void *vctx, OSSL_PARAM params[])
{
    PROV_CIPHER_CTX *ctx = (PROV_CIPHER_CTX *)vctx;
    OSSL_PARAM *p;

    if (!ossl_cipher_generic_get_ctx_params(vctx, params))
        return 0;

    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_RANDOM_KEY);
    if (p != NULL && !tdes_generatekey(ctx, p->data)) {
        ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GENERATE_KEY);
        return 0;
    }
    if (!OSSL_FIPS_IND_GET_CTX_PARAM((PROV_TDES_CTX *)vctx, params))
        return 0;
    return 1;
}

CIPHER_DEFAULT_SETTABLE_CTX_PARAMS_START(ossl_tdes)
OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_CIPHER_PARAM_FIPS_ENCRYPT_CHECK)
CIPHER_DEFAULT_SETTABLE_CTX_PARAMS_END(ossl_tdes)

int ossl_tdes_set_ctx_params(void *vctx, const OSSL_PARAM params[])
{
    if (!OSSL_FIPS_IND_SET_CTX_PARAM((PROV_TDES_CTX *)vctx,
            OSSL_FIPS_IND_SETTABLE0, params,
            OSSL_CIPHER_PARAM_FIPS_ENCRYPT_CHECK))
        return 0;
    return ossl_cipher_generic_set_ctx_params(vctx, params);
}

int ossl_tdes_get_params(OSSL_PARAM params[], unsigned int md, uint64_t flags,
    size_t kbits, size_t blkbits, size_t ivbits)
{
#ifdef FIPS_MODULE
    const int decrypt_only = 1;
#else
    const int decrypt_only = 0;
#endif
    OSSL_PARAM *p;

    p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_DECRYPT_ONLY);
    if (p != NULL && !OSSL_PARAM_set_int(p, decrypt_only)) {
        ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
        return 0;
    }

    return ossl_cipher_generic_get_params(params, md, flags,
        kbits, blkbits, ivbits);
}

Coverage Report

Created: 2026-04-11 06:29

Line	Count	Source
1		/*
2		* Copyright 2019-2026 The OpenSSL Project Authors. All Rights Reserved.
3		*
4		* Licensed under the Apache License 2.0 (the "License"). You may not use
5		* this file except in compliance with the License. You can obtain a copy
6		* in the file LICENSE in the source distribution or at
7		* https://www.openssl.org/source/license.html
8		*/
9
10		/*
11		* DES low level APIs are deprecated for public use, but still ok for internal
12		* use.
13		*/
14		#include "internal/deprecated.h"
15
16		#include <openssl/rand.h>
17		#include <openssl/proverr.h>
18		#include "prov/ciphercommon.h"
19		#include "cipher_tdes.h"
20		#include "prov/implementations.h"
21		#include "prov/providercommon.h"
22
23		void ossl_tdes_newctx(void provctx, int mode, size_t kbits, size_t blkbits,
24		size_t ivbits, uint64_t flags, const PROV_CIPHER_HW *hw)
25	0	{
26	0	PROV_TDES_CTX *tctx;
27
28	0	CIPHER_PROV_CHECK(provctx, DES_EDE3_ECB);
29
30	0	tctx = OPENSSL_zalloc(sizeof(*tctx));
31	0	if (tctx != NULL) {
32	0	OSSL_FIPS_IND_INIT(tctx)
33	0	ossl_cipher_generic_initkey(tctx, kbits, blkbits, ivbits, mode, flags,
34	0	hw, provctx);
35	0	}
36	0	return tctx;
37	0	}
38
39		void ossl_tdes_dupctx(void ctx)
40	0	{
41	0	PROV_TDES_CTX in = (PROV_TDES_CTX )ctx;
42	0	PROV_TDES_CTX *ret;
43
44	0	if (!ossl_prov_is_running())
45	0	return NULL;
46
47	0	ret = OPENSSL_malloc(sizeof(*ret));
48	0	if (ret == NULL)
49	0	return NULL;
50	0	OSSL_FIPS_IND_COPY(ret, in)
51	0	in->base.hw->copyctx(&ret->base, &in->base);
52
53	0	return ret;
54	0	}
55
56		void ossl_tdes_freectx(void *vctx)
57	0	{
58	0	PROV_TDES_CTX ctx = (PROV_TDES_CTX )vctx;
59
60	0	ossl_cipher_generic_reset_ctx((PROV_CIPHER_CTX *)vctx);
61	0	OPENSSL_clear_free(ctx, sizeof(*ctx));
62	0	}
63
64		#ifdef FIPS_MODULE
65		static int tdes_encrypt_check_approved(PROV_TDES_CTX *ctx, int enc)
66		{
67		/* Triple-DES encryption is not approved in FIPS 140-3 */
68		if (enc
69		&& !OSSL_FIPS_IND_ON_UNAPPROVED(ctx, OSSL_FIPS_IND_SETTABLE0,
70		ctx->base.libctx, "Triple-DES", "Encryption",
71		FIPS_CONFIG_TDES_ENCRYPT_DISABLED))
72		return 0;
73		return 1;
74		}
75		#endif
76
77		static int tdes_init(void vctx, const unsigned char key, size_t keylen,
78		const unsigned char *iv, size_t ivlen,
79		const OSSL_PARAM params[], int enc)
80	0	{
81	0	PROV_CIPHER_CTX ctx = (PROV_CIPHER_CTX )vctx;
82
83	0	if (!ossl_prov_is_running())
84	0	return 0;
85
86	0	ctx->num = 0;
87	0	ctx->bufsz = 0;
88	0	ctx->enc = enc;
89
90	0	if (iv != NULL) {
91	0	if (!ossl_cipher_generic_initiv(ctx, iv, ivlen))
92	0	return 0;
93	0	} else if (ctx->iv_set
94	0	&& (ctx->mode == EVP_CIPH_CBC_MODE
95	0	\|\| ctx->mode == EVP_CIPH_CFB_MODE
96	0	\|\| ctx->mode == EVP_CIPH_OFB_MODE)) {
97		/* reset IV to keep compatibility with 1.1.1 */
98	0	memcpy(ctx->iv, ctx->oiv, ctx->ivlen);
99	0	}
100
101	0	if (key != NULL) {
102	0	if (keylen != ctx->keylen) {
103	0	ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
104	0	return 0;
105	0	}
106	0	if (!ctx->hw->init(ctx, key, ctx->keylen))
107	0	return 0;
108	0	ctx->key_set = 1;
109	0	}
110	0	if (!ossl_tdes_set_ctx_params(ctx, params))
111	0	return 0;
112		#ifdef FIPS_MODULE
113		if (!tdes_encrypt_check_approved((PROV_TDES_CTX *)ctx, enc))
114		return 0;
115		#endif
116	0	return 1;
117	0	}
118
119		int ossl_tdes_einit(void vctx, const unsigned char key, size_t keylen,
120		const unsigned char *iv, size_t ivlen,
121		const OSSL_PARAM params[])
122	0	{
123	0	return tdes_init(vctx, key, keylen, iv, ivlen, params, 1);
124	0	}
125
126		int ossl_tdes_dinit(void vctx, const unsigned char key, size_t keylen,
127		const unsigned char *iv, size_t ivlen,
128		const OSSL_PARAM params[])
129	0	{
130	0	return tdes_init(vctx, key, keylen, iv, ivlen, params, 0);
131	0	}
132
133		CIPHER_DEFAULT_GETTABLE_CTX_PARAMS_START(ossl_tdes)
134		OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_RANDOM_KEY, NULL, 0),
135		OSSL_FIPS_IND_GETTABLE_CTX_PARAM()
136		CIPHER_DEFAULT_GETTABLE_CTX_PARAMS_END(ossl_tdes)
137
138		static int tdes_generatekey(PROV_CIPHER_CTX ctx, void ptr)
139	0	{
140	0	DES_cblock *deskey = ptr;
141	0	size_t kl = ctx->keylen;
142
143	0	if (kl == 0 \|\| RAND_priv_bytes_ex(ctx->libctx, ptr, kl, 0) <= 0)
144	0	return 0;
145	0	DES_set_odd_parity(deskey);
146	0	if (kl >= 16) {
147	0	DES_set_odd_parity(deskey + 1);
148	0	if (kl >= 24)
149	0	DES_set_odd_parity(deskey + 2);
150	0	}
151	0	return 1;
152	0	}
153
154		int ossl_tdes_get_ctx_params(void *vctx, OSSL_PARAM params[])
155	0	{
156	0	PROV_CIPHER_CTX ctx = (PROV_CIPHER_CTX )vctx;
157	0	OSSL_PARAM *p;
158
159	0	if (!ossl_cipher_generic_get_ctx_params(vctx, params))
160	0	return 0;
161
162	0	p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_RANDOM_KEY);
163	0	if (p != NULL && !tdes_generatekey(ctx, p->data)) {
164	0	ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_GENERATE_KEY);
165	0	return 0;
166	0	}
167	0	if (!OSSL_FIPS_IND_GET_CTX_PARAM((PROV_TDES_CTX *)vctx, params))
168	0	return 0;
169	0	return 1;
170	0	}
171
172		CIPHER_DEFAULT_SETTABLE_CTX_PARAMS_START(ossl_tdes)
173		OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_CIPHER_PARAM_FIPS_ENCRYPT_CHECK)
174		CIPHER_DEFAULT_SETTABLE_CTX_PARAMS_END(ossl_tdes)
175
176		int ossl_tdes_set_ctx_params(void *vctx, const OSSL_PARAM params[])
177	0	{
178	0	if (!OSSL_FIPS_IND_SET_CTX_PARAM((PROV_TDES_CTX *)vctx,
179	0	OSSL_FIPS_IND_SETTABLE0, params,
180	0	OSSL_CIPHER_PARAM_FIPS_ENCRYPT_CHECK))
181	0	return 0;
182	0	return ossl_cipher_generic_set_ctx_params(vctx, params);
183	0	}
184
185		int ossl_tdes_get_params(OSSL_PARAM params[], unsigned int md, uint64_t flags,
186		size_t kbits, size_t blkbits, size_t ivbits)
187	11	{
188		#ifdef FIPS_MODULE
189		const int decrypt_only = 1;
190		#else
191	11	const int decrypt_only = 0;
192	11	#endif
193	11	OSSL_PARAM *p;
194
195	11	p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_DECRYPT_ONLY);
196	11	if (p != NULL && !OSSL_PARAM_set_int(p, decrypt_only)) {
197	0	ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER);
198	0	return 0;
199	0	}
200
201	11	return ossl_cipher_generic_get_params(params, md, flags,
202	11	kbits, blkbits, ivbits);
203	11	}