/src/openssl/crypto/evp/e_des3.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* crypto/evp/e_des3.c */ |
2 | | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
3 | | * All rights reserved. |
4 | | * |
5 | | * This package is an SSL implementation written |
6 | | * by Eric Young (eay@cryptsoft.com). |
7 | | * The implementation was written so as to conform with Netscapes SSL. |
8 | | * |
9 | | * This library is free for commercial and non-commercial use as long as |
10 | | * the following conditions are aheared to. The following conditions |
11 | | * apply to all code found in this distribution, be it the RC4, RSA, |
12 | | * lhash, DES, etc., code; not just the SSL code. The SSL documentation |
13 | | * included with this distribution is covered by the same copyright terms |
14 | | * except that the holder is Tim Hudson (tjh@cryptsoft.com). |
15 | | * |
16 | | * Copyright remains Eric Young's, and as such any Copyright notices in |
17 | | * the code are not to be removed. |
18 | | * If this package is used in a product, Eric Young should be given attribution |
19 | | * as the author of the parts of the library used. |
20 | | * This can be in the form of a textual message at program startup or |
21 | | * in documentation (online or textual) provided with the package. |
22 | | * |
23 | | * Redistribution and use in source and binary forms, with or without |
24 | | * modification, are permitted provided that the following conditions |
25 | | * are met: |
26 | | * 1. Redistributions of source code must retain the copyright |
27 | | * notice, this list of conditions and the following disclaimer. |
28 | | * 2. Redistributions in binary form must reproduce the above copyright |
29 | | * notice, this list of conditions and the following disclaimer in the |
30 | | * documentation and/or other materials provided with the distribution. |
31 | | * 3. All advertising materials mentioning features or use of this software |
32 | | * must display the following acknowledgement: |
33 | | * "This product includes cryptographic software written by |
34 | | * Eric Young (eay@cryptsoft.com)" |
35 | | * The word 'cryptographic' can be left out if the rouines from the library |
36 | | * being used are not cryptographic related :-). |
37 | | * 4. If you include any Windows specific code (or a derivative thereof) from |
38 | | * the apps directory (application code) you must include an acknowledgement: |
39 | | * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" |
40 | | * |
41 | | * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND |
42 | | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
43 | | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
44 | | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE |
45 | | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
46 | | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
47 | | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
48 | | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
49 | | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
50 | | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
51 | | * SUCH DAMAGE. |
52 | | * |
53 | | * The licence and distribution terms for any publically available version or |
54 | | * derivative of this code cannot be changed. i.e. this code cannot simply be |
55 | | * copied and put under another distribution licence |
56 | | * [including the GNU Public Licence.] |
57 | | */ |
58 | | |
59 | | #include <stdio.h> |
60 | | #include "cryptlib.h" |
61 | | #ifndef OPENSSL_NO_DES |
62 | | # include <openssl/evp.h> |
63 | | # include <openssl/objects.h> |
64 | | # include "evp_locl.h" |
65 | | # include <openssl/des.h> |
66 | | # include <openssl/rand.h> |
67 | | |
68 | | /* Block use of implementations in FIPS mode */ |
69 | | # undef EVP_CIPH_FLAG_FIPS |
70 | | # define EVP_CIPH_FLAG_FIPS 0 |
71 | | |
72 | | typedef struct { |
73 | | union { |
74 | | double align; |
75 | | DES_key_schedule ks[3]; |
76 | | } ks; |
77 | | union { |
78 | | void (*cbc) (const void *, void *, size_t, |
79 | | const DES_key_schedule *, unsigned char *); |
80 | | } stream; |
81 | | } DES_EDE_KEY; |
82 | 0 | # define ks1 ks.ks[0] |
83 | 0 | # define ks2 ks.ks[1] |
84 | 0 | # define ks3 ks.ks[2] |
85 | | |
86 | | # if defined(AES_ASM) && (defined(__sparc) || defined(__sparc__)) |
87 | | /* ---------^^^ this is not a typo, just a way to detect that |
88 | | * assembler support was in general requested... */ |
89 | | # include "sparc_arch.h" |
90 | | |
91 | | extern unsigned int OPENSSL_sparcv9cap_P[]; |
92 | | |
93 | | # define SPARC_DES_CAPABLE (OPENSSL_sparcv9cap_P[1] & CFR_DES) |
94 | | |
95 | | void des_t4_key_expand(const void *key, DES_key_schedule *ks); |
96 | | void des_t4_ede3_cbc_encrypt(const void *inp, void *out, size_t len, |
97 | | const DES_key_schedule ks[3], unsigned char iv[8]); |
98 | | void des_t4_ede3_cbc_decrypt(const void *inp, void *out, size_t len, |
99 | | const DES_key_schedule ks[3], unsigned char iv[8]); |
100 | | # endif |
101 | | |
102 | | static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, |
103 | | const unsigned char *iv, int enc); |
104 | | |
105 | | static int des_ede3_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, |
106 | | const unsigned char *iv, int enc); |
107 | | |
108 | | static int des3_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr); |
109 | | |
110 | 0 | # define data(ctx) ((DES_EDE_KEY *)(ctx)->cipher_data) |
111 | | |
112 | | /* |
113 | | * Because of various casts and different args can't use |
114 | | * IMPLEMENT_BLOCK_CIPHER |
115 | | */ |
116 | | |
117 | | static int des_ede_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
118 | | const unsigned char *in, size_t inl) |
119 | 0 | { |
120 | 0 | BLOCK_CIPHER_ecb_loop() |
121 | 0 | DES_ecb3_encrypt((const_DES_cblock *)(in + i), |
122 | 0 | (DES_cblock *)(out + i), |
123 | 0 | &data(ctx)->ks1, &data(ctx)->ks2, |
124 | 0 | &data(ctx)->ks3, ctx->encrypt); |
125 | 0 | return 1; |
126 | 0 | } |
127 | | |
128 | | static int des_ede_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
129 | | const unsigned char *in, size_t inl) |
130 | 0 | { |
131 | 0 | while (inl >= EVP_MAXCHUNK) { |
132 | 0 | DES_ede3_ofb64_encrypt(in, out, (long)EVP_MAXCHUNK, |
133 | 0 | &data(ctx)->ks1, &data(ctx)->ks2, |
134 | 0 | &data(ctx)->ks3, (DES_cblock *)ctx->iv, |
135 | 0 | &ctx->num); |
136 | 0 | inl -= EVP_MAXCHUNK; |
137 | 0 | in += EVP_MAXCHUNK; |
138 | 0 | out += EVP_MAXCHUNK; |
139 | 0 | } |
140 | 0 | if (inl) |
141 | 0 | DES_ede3_ofb64_encrypt(in, out, (long)inl, |
142 | 0 | &data(ctx)->ks1, &data(ctx)->ks2, |
143 | 0 | &data(ctx)->ks3, (DES_cblock *)ctx->iv, |
144 | 0 | &ctx->num); |
145 | |
|
146 | 0 | return 1; |
147 | 0 | } |
148 | | |
149 | | static int des_ede_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
150 | | const unsigned char *in, size_t inl) |
151 | 0 | { |
152 | 0 | DES_EDE_KEY *dat = data(ctx); |
153 | |
|
154 | | # ifdef KSSL_DEBUG |
155 | | { |
156 | | int i; |
157 | | fprintf(stderr, "des_ede_cbc_cipher(ctx=%p, buflen=%d)\n", ctx, |
158 | | ctx->buf_len); |
159 | | fprintf(stderr, "\t iv= "); |
160 | | for (i = 0; i < 8; i++) |
161 | | fprintf(stderr, "%02X", ctx->iv[i]); |
162 | | fprintf(stderr, "\n"); |
163 | | } |
164 | | # endif /* KSSL_DEBUG */ |
165 | 0 | if (dat->stream.cbc) { |
166 | 0 | (*dat->stream.cbc) (in, out, inl, dat->ks.ks, ctx->iv); |
167 | 0 | return 1; |
168 | 0 | } |
169 | | |
170 | 0 | while (inl >= EVP_MAXCHUNK) { |
171 | 0 | DES_ede3_cbc_encrypt(in, out, (long)EVP_MAXCHUNK, |
172 | 0 | &dat->ks1, &dat->ks2, &dat->ks3, |
173 | 0 | (DES_cblock *)ctx->iv, ctx->encrypt); |
174 | 0 | inl -= EVP_MAXCHUNK; |
175 | 0 | in += EVP_MAXCHUNK; |
176 | 0 | out += EVP_MAXCHUNK; |
177 | 0 | } |
178 | 0 | if (inl) |
179 | 0 | DES_ede3_cbc_encrypt(in, out, (long)inl, |
180 | 0 | &dat->ks1, &dat->ks2, &dat->ks3, |
181 | 0 | (DES_cblock *)ctx->iv, ctx->encrypt); |
182 | 0 | return 1; |
183 | 0 | } |
184 | | |
185 | | static int des_ede_cfb64_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
186 | | const unsigned char *in, size_t inl) |
187 | 0 | { |
188 | 0 | while (inl >= EVP_MAXCHUNK) { |
189 | 0 | DES_ede3_cfb64_encrypt(in, out, (long)EVP_MAXCHUNK, |
190 | 0 | &data(ctx)->ks1, &data(ctx)->ks2, |
191 | 0 | &data(ctx)->ks3, (DES_cblock *)ctx->iv, |
192 | 0 | &ctx->num, ctx->encrypt); |
193 | 0 | inl -= EVP_MAXCHUNK; |
194 | 0 | in += EVP_MAXCHUNK; |
195 | 0 | out += EVP_MAXCHUNK; |
196 | 0 | } |
197 | 0 | if (inl) |
198 | 0 | DES_ede3_cfb64_encrypt(in, out, (long)inl, |
199 | 0 | &data(ctx)->ks1, &data(ctx)->ks2, |
200 | 0 | &data(ctx)->ks3, (DES_cblock *)ctx->iv, |
201 | 0 | &ctx->num, ctx->encrypt); |
202 | 0 | return 1; |
203 | 0 | } |
204 | | |
205 | | /* |
206 | | * Although we have a CFB-r implementation for 3-DES, it doesn't pack the |
207 | | * right way, so wrap it here |
208 | | */ |
209 | | static int des_ede3_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
210 | | const unsigned char *in, size_t inl) |
211 | 0 | { |
212 | 0 | size_t n; |
213 | 0 | unsigned char c[1], d[1]; |
214 | |
|
215 | 0 | if (!EVP_CIPHER_CTX_test_flags(ctx, EVP_CIPH_FLAG_LENGTH_BITS)) |
216 | 0 | inl *= 8; |
217 | 0 | for (n = 0; n < inl; ++n) { |
218 | 0 | c[0] = (in[n / 8] & (1 << (7 - n % 8))) ? 0x80 : 0; |
219 | 0 | DES_ede3_cfb_encrypt(c, d, 1, 1, |
220 | 0 | &data(ctx)->ks1, &data(ctx)->ks2, |
221 | 0 | &data(ctx)->ks3, (DES_cblock *)ctx->iv, |
222 | 0 | ctx->encrypt); |
223 | 0 | out[n / 8] = (out[n / 8] & ~(0x80 >> (unsigned int)(n % 8))) |
224 | 0 | | ((d[0] & 0x80) >> (unsigned int)(n % 8)); |
225 | 0 | } |
226 | |
|
227 | 0 | return 1; |
228 | 0 | } |
229 | | |
230 | | static int des_ede3_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
231 | | const unsigned char *in, size_t inl) |
232 | 0 | { |
233 | 0 | while (inl >= EVP_MAXCHUNK) { |
234 | 0 | DES_ede3_cfb_encrypt(in, out, 8, (long)EVP_MAXCHUNK, |
235 | 0 | &data(ctx)->ks1, &data(ctx)->ks2, |
236 | 0 | &data(ctx)->ks3, (DES_cblock *)ctx->iv, |
237 | 0 | ctx->encrypt); |
238 | 0 | inl -= EVP_MAXCHUNK; |
239 | 0 | in += EVP_MAXCHUNK; |
240 | 0 | out += EVP_MAXCHUNK; |
241 | 0 | } |
242 | 0 | if (inl) |
243 | 0 | DES_ede3_cfb_encrypt(in, out, 8, (long)inl, |
244 | 0 | &data(ctx)->ks1, &data(ctx)->ks2, |
245 | 0 | &data(ctx)->ks3, (DES_cblock *)ctx->iv, |
246 | 0 | ctx->encrypt); |
247 | 0 | return 1; |
248 | 0 | } |
249 | | |
250 | | BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY, NID_des_ede, 8, 16, 8, 64, |
251 | | EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_DEFAULT_ASN1, |
252 | | des_ede_init_key, NULL, NULL, NULL, des3_ctrl) |
253 | | # define des_ede3_cfb64_cipher des_ede_cfb64_cipher |
254 | | # define des_ede3_ofb_cipher des_ede_ofb_cipher |
255 | | # define des_ede3_cbc_cipher des_ede_cbc_cipher |
256 | | # define des_ede3_ecb_cipher des_ede_ecb_cipher |
257 | | BLOCK_CIPHER_defs(des_ede3, DES_EDE_KEY, NID_des_ede3, 8, 24, 8, 64, |
258 | | EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_FIPS | |
259 | | EVP_CIPH_FLAG_DEFAULT_ASN1, des_ede3_init_key, NULL, NULL, NULL, |
260 | | des3_ctrl) |
261 | | |
262 | | BLOCK_CIPHER_def_cfb(des_ede3, DES_EDE_KEY, NID_des_ede3, 24, 8, 1, |
263 | | EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_FIPS | |
264 | | EVP_CIPH_FLAG_DEFAULT_ASN1, des_ede3_init_key, NULL, NULL, |
265 | | NULL, des3_ctrl) |
266 | | |
267 | | BLOCK_CIPHER_def_cfb(des_ede3, DES_EDE_KEY, NID_des_ede3, 24, 8, 8, |
268 | | EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_FIPS | |
269 | | EVP_CIPH_FLAG_DEFAULT_ASN1, des_ede3_init_key, NULL, NULL, |
270 | | NULL, des3_ctrl) |
271 | | |
272 | | static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, |
273 | | const unsigned char *iv, int enc) |
274 | 0 | { |
275 | 0 | DES_cblock *deskey = (DES_cblock *)key; |
276 | 0 | DES_EDE_KEY *dat = data(ctx); |
277 | |
|
278 | 0 | dat->stream.cbc = NULL; |
279 | | # if defined(SPARC_DES_CAPABLE) |
280 | | if (SPARC_DES_CAPABLE) { |
281 | | int mode = ctx->cipher->flags & EVP_CIPH_MODE; |
282 | | |
283 | | if (mode == EVP_CIPH_CBC_MODE) { |
284 | | des_t4_key_expand(&deskey[0], &dat->ks1); |
285 | | des_t4_key_expand(&deskey[1], &dat->ks2); |
286 | | memcpy(&dat->ks3, &dat->ks1, sizeof(dat->ks1)); |
287 | | dat->stream.cbc = enc ? des_t4_ede3_cbc_encrypt : |
288 | | des_t4_ede3_cbc_decrypt; |
289 | | return 1; |
290 | | } |
291 | | } |
292 | | # endif |
293 | | # ifdef EVP_CHECK_DES_KEY |
294 | | if (DES_set_key_checked(&deskey[0], &dat->ks1) |
295 | | || DES_set_key_checked(&deskey[1], &dat->ks2)) |
296 | | return 0; |
297 | | # else |
298 | 0 | DES_set_key_unchecked(&deskey[0], &dat->ks1); |
299 | 0 | DES_set_key_unchecked(&deskey[1], &dat->ks2); |
300 | 0 | # endif |
301 | 0 | memcpy(&dat->ks3, &dat->ks1, sizeof(dat->ks1)); |
302 | 0 | return 1; |
303 | 0 | } |
304 | | |
305 | | static int des_ede3_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, |
306 | | const unsigned char *iv, int enc) |
307 | 0 | { |
308 | 0 | DES_cblock *deskey = (DES_cblock *)key; |
309 | 0 | DES_EDE_KEY *dat = data(ctx); |
310 | |
|
311 | | # ifdef KSSL_DEBUG |
312 | | { |
313 | | int i; |
314 | | fprintf(stderr, "des_ede3_init_key(ctx=%p)\n", ctx); |
315 | | fprintf(stderr, "\tKEY= "); |
316 | | for (i = 0; i < 24; i++) |
317 | | fprintf(stderr, "%02X", key[i]); |
318 | | fprintf(stderr, "\n"); |
319 | | if (iv) { |
320 | | fprintf(stderr, "\t IV= "); |
321 | | for (i = 0; i < 8; i++) |
322 | | fprintf(stderr, "%02X", iv[i]); |
323 | | fprintf(stderr, "\n"); |
324 | | } |
325 | | } |
326 | | # endif /* KSSL_DEBUG */ |
327 | |
|
328 | 0 | dat->stream.cbc = NULL; |
329 | | # if defined(SPARC_DES_CAPABLE) |
330 | | if (SPARC_DES_CAPABLE) { |
331 | | int mode = ctx->cipher->flags & EVP_CIPH_MODE; |
332 | | |
333 | | if (mode == EVP_CIPH_CBC_MODE) { |
334 | | des_t4_key_expand(&deskey[0], &dat->ks1); |
335 | | des_t4_key_expand(&deskey[1], &dat->ks2); |
336 | | des_t4_key_expand(&deskey[2], &dat->ks3); |
337 | | dat->stream.cbc = enc ? des_t4_ede3_cbc_encrypt : |
338 | | des_t4_ede3_cbc_decrypt; |
339 | | return 1; |
340 | | } |
341 | | } |
342 | | # endif |
343 | | # ifdef EVP_CHECK_DES_KEY |
344 | | if (DES_set_key_checked(&deskey[0], &dat->ks1) |
345 | | || DES_set_key_checked(&deskey[1], &dat->ks2) |
346 | | || DES_set_key_checked(&deskey[2], &dat->ks3)) |
347 | | return 0; |
348 | | # else |
349 | 0 | DES_set_key_unchecked(&deskey[0], &dat->ks1); |
350 | 0 | DES_set_key_unchecked(&deskey[1], &dat->ks2); |
351 | 0 | DES_set_key_unchecked(&deskey[2], &dat->ks3); |
352 | 0 | # endif |
353 | 0 | return 1; |
354 | 0 | } |
355 | | |
356 | | static int des3_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) |
357 | 0 | { |
358 | |
|
359 | 0 | DES_cblock *deskey = ptr; |
360 | |
|
361 | 0 | switch (type) { |
362 | 0 | case EVP_CTRL_RAND_KEY: |
363 | 0 | if (RAND_bytes(ptr, c->key_len) <= 0) |
364 | 0 | return 0; |
365 | 0 | DES_set_odd_parity(deskey); |
366 | 0 | if (c->key_len >= 16) |
367 | 0 | DES_set_odd_parity(deskey + 1); |
368 | 0 | if (c->key_len >= 24) |
369 | 0 | DES_set_odd_parity(deskey + 2); |
370 | 0 | return 1; |
371 | | |
372 | 0 | default: |
373 | 0 | return -1; |
374 | 0 | } |
375 | 0 | } |
376 | | |
377 | | const EVP_CIPHER *EVP_des_ede(void) |
378 | 19 | { |
379 | 19 | return &des_ede_ecb; |
380 | 19 | } |
381 | | |
382 | | const EVP_CIPHER *EVP_des_ede3(void) |
383 | 19 | { |
384 | 19 | return &des_ede3_ecb; |
385 | 19 | } |
386 | | |
387 | | # ifndef OPENSSL_NO_SHA |
388 | | |
389 | | # include <openssl/sha.h> |
390 | | |
391 | | static const unsigned char wrap_iv[8] = |
392 | | { 0x4a, 0xdd, 0xa2, 0x2c, 0x79, 0xe8, 0x21, 0x05 }; |
393 | | |
394 | | static int des_ede3_unwrap(EVP_CIPHER_CTX *ctx, unsigned char *out, |
395 | | const unsigned char *in, size_t inl) |
396 | 0 | { |
397 | 0 | unsigned char icv[8], iv[8], sha1tmp[SHA_DIGEST_LENGTH]; |
398 | 0 | int rv = -1; |
399 | 0 | if (inl < 24) |
400 | 0 | return -1; |
401 | 0 | if (out == NULL) |
402 | 0 | return inl - 16; |
403 | 0 | memcpy(ctx->iv, wrap_iv, 8); |
404 | | /* Decrypt first block which will end up as icv */ |
405 | 0 | des_ede_cbc_cipher(ctx, icv, in, 8); |
406 | | /* Decrypt central blocks */ |
407 | | /* |
408 | | * If decrypting in place move whole output along a block so the next |
409 | | * des_ede_cbc_cipher is in place. |
410 | | */ |
411 | 0 | if (out == in) { |
412 | 0 | memmove(out, out + 8, inl - 8); |
413 | 0 | in -= 8; |
414 | 0 | } |
415 | 0 | des_ede_cbc_cipher(ctx, out, in + 8, inl - 16); |
416 | | /* Decrypt final block which will be IV */ |
417 | 0 | des_ede_cbc_cipher(ctx, iv, in + inl - 8, 8); |
418 | | /* Reverse order of everything */ |
419 | 0 | BUF_reverse(icv, NULL, 8); |
420 | 0 | BUF_reverse(out, NULL, inl - 16); |
421 | 0 | BUF_reverse(ctx->iv, iv, 8); |
422 | | /* Decrypt again using new IV */ |
423 | 0 | des_ede_cbc_cipher(ctx, out, out, inl - 16); |
424 | 0 | des_ede_cbc_cipher(ctx, icv, icv, 8); |
425 | | /* Work out SHA1 hash of first portion */ |
426 | 0 | SHA1(out, inl - 16, sha1tmp); |
427 | |
|
428 | 0 | if (!CRYPTO_memcmp(sha1tmp, icv, 8)) |
429 | 0 | rv = inl - 16; |
430 | 0 | OPENSSL_cleanse(icv, 8); |
431 | 0 | OPENSSL_cleanse(sha1tmp, SHA_DIGEST_LENGTH); |
432 | 0 | OPENSSL_cleanse(iv, 8); |
433 | 0 | OPENSSL_cleanse(ctx->iv, 8); |
434 | 0 | if (rv == -1) |
435 | 0 | OPENSSL_cleanse(out, inl - 16); |
436 | |
|
437 | 0 | return rv; |
438 | 0 | } |
439 | | |
440 | | static int des_ede3_wrap(EVP_CIPHER_CTX *ctx, unsigned char *out, |
441 | | const unsigned char *in, size_t inl) |
442 | 0 | { |
443 | 0 | unsigned char sha1tmp[SHA_DIGEST_LENGTH]; |
444 | 0 | if (out == NULL) |
445 | 0 | return inl + 16; |
446 | | /* Copy input to output buffer + 8 so we have space for IV */ |
447 | 0 | memmove(out + 8, in, inl); |
448 | | /* Work out ICV */ |
449 | 0 | SHA1(in, inl, sha1tmp); |
450 | 0 | memcpy(out + inl + 8, sha1tmp, 8); |
451 | 0 | OPENSSL_cleanse(sha1tmp, SHA_DIGEST_LENGTH); |
452 | | /* Generate random IV */ |
453 | 0 | if (RAND_bytes(ctx->iv, 8) <= 0) |
454 | 0 | return -1; |
455 | 0 | memcpy(out, ctx->iv, 8); |
456 | | /* Encrypt everything after IV in place */ |
457 | 0 | des_ede_cbc_cipher(ctx, out + 8, out + 8, inl + 8); |
458 | 0 | BUF_reverse(out, NULL, inl + 16); |
459 | 0 | memcpy(ctx->iv, wrap_iv, 8); |
460 | 0 | des_ede_cbc_cipher(ctx, out, out, inl + 16); |
461 | 0 | return inl + 16; |
462 | 0 | } |
463 | | |
464 | | static int des_ede3_wrap_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, |
465 | | const unsigned char *in, size_t inl) |
466 | 0 | { |
467 | | /* |
468 | | * Sanity check input length: we typically only wrap keys so EVP_MAXCHUNK |
469 | | * is more than will ever be needed. Also input length must be a multiple |
470 | | * of 8 bits. |
471 | | */ |
472 | 0 | if (inl >= EVP_MAXCHUNK || inl % 8) |
473 | 0 | return -1; |
474 | 0 | if (ctx->encrypt) |
475 | 0 | return des_ede3_wrap(ctx, out, in, inl); |
476 | 0 | else |
477 | 0 | return des_ede3_unwrap(ctx, out, in, inl); |
478 | 0 | } |
479 | | |
480 | | static const EVP_CIPHER des3_wrap = { |
481 | | NID_id_smime_alg_CMS3DESwrap, |
482 | | 8, 24, 0, |
483 | | EVP_CIPH_WRAP_MODE | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER |
484 | | | EVP_CIPH_FLAG_DEFAULT_ASN1, |
485 | | des_ede3_init_key, des_ede3_wrap_cipher, |
486 | | NULL, |
487 | | sizeof(DES_EDE_KEY), |
488 | | NULL, NULL, NULL, NULL |
489 | | }; |
490 | | |
491 | | const EVP_CIPHER *EVP_des_ede3_wrap(void) |
492 | 19 | { |
493 | 19 | return &des3_wrap; |
494 | 19 | } |
495 | | |
496 | | # endif |
497 | | #endif |