From 894422022113152fdf0d87b894a16e4d9863957c Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Sun, 1 Jul 2007 17:58:15 +0000 Subject: [PATCH] Move 3DES EVP inside FIPS module and modify algorithm tests to use it. --- CHANGES | 6 +- Makefile.org | 1 + crypto/evp/e_des3.c | 28 +++--- fips-1.0/des/fips_desmovs.c | 178 +++++------------------------------- 4 files changed, 41 insertions(+), 172 deletions(-) diff --git a/CHANGES b/CHANGES index f14f78f6e2..5f4ea05d0a 100644 --- a/CHANGES +++ b/CHANGES @@ -6,9 +6,9 @@ *) New flag in EVP_CIPHER: EVP_CIPH_FLAG_DEFAULT_ASN1. This will automatically use EVP_CIPHER_{get,set}_asn1_iv and avoid the - need for any ASN1 dependencies in FIPS library. Move AES cipher - definitions to fips library and modify AES algorithm test to use - EVP. + need for any ASN1 dependencies in FIPS library. Move AES and 3DES + cipher definitions to fips library and modify AES and 3DES algorithm + tests to use EVP. [Steve Henson] *) Move EVP cipher code into enc_min.c to support a minimal implementation diff --git a/Makefile.org b/Makefile.org index 96ebd119c1..f7c8aa9eb3 100644 --- a/Makefile.org +++ b/Makefile.org @@ -300,6 +300,7 @@ FIPS_EX_OBJ= ../crypto/aes/aes_cbc.o \ ../crypto/evp/digest.o \ ../crypto/evp/enc_min.o \ ../crypto/evp/e_aes.o \ + ../crypto/evp/e_des3.o \ ../crypto/evp/p_sign.o \ ../crypto/evp/p_verify.o \ ../crypto/mem_clr.o \ diff --git a/crypto/evp/e_des3.c b/crypto/evp/e_des3.c index 54fc6ba51a..b7d1adec67 100644 --- a/crypto/evp/e_des3.c +++ b/crypto/evp/e_des3.c @@ -164,10 +164,9 @@ static int des_ede3_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, } BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY, NID_des_ede, 8, 16, 8, 64, - EVP_CIPH_RAND_KEY|EVP_CIPH_FLAG_FIPS, - des_ede_init_key, NULL, - EVP_CIPHER_set_asn1_iv, - EVP_CIPHER_get_asn1_iv, + EVP_CIPH_RAND_KEY|EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1, + des_ede_init_key, + NULL, NULL, NULL, des3_ctrl) #define des_ede3_cfb64_cipher des_ede_cfb64_cipher @@ -176,24 +175,21 @@ BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY, NID_des_ede, 8, 16, 8, 64, #define des_ede3_ecb_cipher des_ede_ecb_cipher BLOCK_CIPHER_defs(des_ede3, DES_EDE_KEY, NID_des_ede3, 8, 24, 8, 64, - EVP_CIPH_RAND_KEY|EVP_CIPH_FLAG_FIPS, - des_ede3_init_key, NULL, - EVP_CIPHER_set_asn1_iv, - EVP_CIPHER_get_asn1_iv, + EVP_CIPH_RAND_KEY|EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1, + des_ede3_init_key, + NULL, NULL, NULL, des3_ctrl) BLOCK_CIPHER_def_cfb(des_ede3,DES_EDE_KEY,NID_des_ede3,24,8,1, - EVP_CIPH_RAND_KEY|EVP_CIPH_FLAG_FIPS, - des_ede3_init_key,NULL, - EVP_CIPHER_set_asn1_iv, - EVP_CIPHER_get_asn1_iv, + EVP_CIPH_RAND_KEY|EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1, + des_ede3_init_key, + NULL, NULL, NULL, des3_ctrl) BLOCK_CIPHER_def_cfb(des_ede3,DES_EDE_KEY,NID_des_ede3,24,8,8, - EVP_CIPH_RAND_KEY|EVP_CIPH_FLAG_FIPS, - des_ede3_init_key,NULL, - EVP_CIPHER_set_asn1_iv, - EVP_CIPHER_get_asn1_iv, + EVP_CIPH_RAND_KEY|EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1, + des_ede3_init_key, + NULL, NULL, NULL, des3_ctrl) static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, diff --git a/fips-1.0/des/fips_desmovs.c b/fips-1.0/des/fips_desmovs.c index 074f18d32a..4e6c9a78e5 100644 --- a/fips-1.0/des/fips_desmovs.c +++ b/fips-1.0/des/fips_desmovs.c @@ -87,142 +87,28 @@ int main(int argc, char *argv[]) #define VERBOSE 0 -typedef struct - { - DES_key_schedule ks1, ks2, ks3; - unsigned char tiv[DES_BLOCK_SIZE]; - int dir, cmode, cbits, num, akeysz; - } DES_CTX; - -/*-----------------------------------------------*/ - -int DES_Cipher(DES_CTX *ctx, - unsigned char *out, - unsigned char *in, - int inl) - { - - unsigned long len = inl; - - DES_cblock *iv = (DES_cblock *)ctx->tiv; - - switch(ctx->cmode) - { - case EVP_CIPH_ECB_MODE: - while (len > 0) - { - if (ctx->akeysz == 64) - DES_ecb_encrypt((DES_cblock *)in, - (DES_cblock *)out, - &ctx->ks1, ctx->dir); - else - DES_ecb3_encrypt((const_DES_cblock *)in, - (DES_cblock *)out, - &ctx->ks1, - &ctx->ks2, - &ctx->ks3, - ctx->dir); - in += DES_BLOCK_SIZE; - out += DES_BLOCK_SIZE; - len -= DES_BLOCK_SIZE; - } - break; - - case EVP_CIPH_CBC_MODE: - if (ctx->akeysz == 64) - DES_ncbc_encrypt(in, out, len, &ctx->ks1, iv, ctx->dir); - else - DES_ede3_cbc_encrypt(in, out, len, - &ctx->ks1, &ctx->ks2, &ctx->ks3, - iv, ctx->dir); - break; - - case EVP_CIPH_CFB_MODE: -#if 0 - if (ctx->cbits == 1) - { - if (ctx->akeysz == 64) - DES_cfb64_encrypt(in, out, len, - &ctx->ks1, iv, - &ctx->num, ctx->dir); - else - DES_ede3_cfb64_encrypt(in, out, len, - &ctx->ks1, - &ctx->ks2, - &ctx->ks3, iv, - &ctx->num, ctx->dir); - } - else -#endif - if (ctx->cbits == 8) - { - if (ctx->akeysz == 64) - DES_cfb_encrypt(in, out, 8, len, - &ctx->ks1, iv, ctx->dir); - else - DES_ede3_cfb_encrypt(in, out, 8, len, - &ctx->ks1, - &ctx->ks2, - &ctx->ks3, iv, ctx->dir); - } - else if (ctx->cbits == 64) - { - if (ctx->akeysz == 64) - DES_cfb64_encrypt(in, out, len, - &ctx->ks1, iv, - &ctx->num, ctx->dir); - else - DES_ede3_cfb64_encrypt(in, out, len, - &ctx->ks1, - &ctx->ks2, - &ctx->ks3, iv, - &ctx->num, ctx->dir); - } - break; - - case EVP_CIPH_OFB_MODE: - if (ctx->akeysz == 64) - DES_ofb64_encrypt(in, out, len, &ctx->ks1, iv, - &ctx->num); - else - DES_ede3_ofb64_encrypt(in, out, len, - &ctx->ks1, &ctx->ks2, &ctx->ks3, - iv, &ctx->num); - - break; - - default: - return 0; - - } - - return 1; - - } - -int DESTest(DES_CTX *ctx, +int DESTest(EVP_CIPHER_CTX *ctx, char *amode, int akeysz, unsigned char *aKey, unsigned char *iVec, int dir, /* 0 = decrypt, 1 = encrypt */ unsigned char *out, unsigned char *in, int len) { - DES_cblock *deskey = (DES_cblock *)aKey; - ctx->cmode = -1; - ctx->cbits = -1; - ctx->dir = dir; - ctx->num = 0; + const EVP_CIPHER *cipher = NULL; + + if (akeysz != 192) + { + printf("Invalid key size: %d\n", akeysz); + EXIT(1); + } if (strcasecmp(amode, "CBC") == 0) - ctx->cmode = EVP_CIPH_CBC_MODE; + cipher = EVP_des_ede3_cbc(); else if (strcasecmp(amode, "ECB") == 0) - ctx->cmode = EVP_CIPH_ECB_MODE; + cipher = EVP_des_ede3_ecb(); else if (strcasecmp(amode, "CFB64") == 0) - { - ctx->cbits = 64; - ctx->cmode = EVP_CIPH_CFB_MODE; - } + cipher = EVP_des_ede3_cfb64(); else if (strncasecmp(amode, "OFB", 3) == 0) - ctx->cmode = EVP_CIPH_OFB_MODE; + cipher = EVP_des_ede3_ofb(); #if 0 else if(!strcasecmp(amode,"CFB1")) { @@ -231,33 +117,17 @@ int DESTest(DES_CTX *ctx, } #endif else if(!strcasecmp(amode,"CFB8")) - { - ctx->cbits = 8; - ctx->cmode = EVP_CIPH_CFB_MODE; - } + cipher = EVP_des_ede3_cfb8(); else { printf("Unknown mode: %s\n", amode); EXIT(1); } - if (akeysz != 64 && akeysz != 192) - { - printf("Invalid key size: %d\n", akeysz); - EXIT(1); - } - else - { - ctx->akeysz = akeysz; - DES_set_key_unchecked(deskey, &ctx->ks1); - if(ctx->akeysz == 192) - { - DES_set_key_unchecked(deskey + 1, &ctx->ks2); - DES_set_key_unchecked(deskey + 2, &ctx->ks3); - } - if (iVec) - memcpy(ctx->tiv, iVec, DES_BLOCK_SIZE); - DES_Cipher(ctx, out, in, len); - } + + if (EVP_CipherInit_ex(ctx, cipher, NULL, aKey, iVec, dir) <= 0) + return 0; + EVP_Cipher(ctx, out, in, len); + return 1; } @@ -311,9 +181,10 @@ void do_mct(char *amode, { int j; int n; - DES_CTX ctx; int kp=akeysz/64; unsigned char old_iv[8]; + EVP_CIPHER_CTX ctx; + EVP_CIPHER_CTX_init(&ctx); fprintf(rfp,"\nCOUNT = %d\n",i); if(kp == 1) @@ -347,8 +218,8 @@ void do_mct(char *amode, } else { - memcpy(old_iv,ctx.tiv,8); - DES_Cipher(&ctx,text,text,len); + memcpy(old_iv,ctx.iv,8); + EVP_Cipher(&ctx,text,text,len); } if(j == 9999) { @@ -384,7 +255,7 @@ void do_mct(char *amode, DES_set_odd_parity((DES_cblock *)akey); DES_set_odd_parity((DES_cblock *)(akey+8)); DES_set_odd_parity((DES_cblock *)(akey+16)); - memcpy(ivec,ctx.tiv,8); + memcpy(ivec,ctx.iv,8); /* pointless exercise - the final text doesn't depend on the initial text in OFB mode, so who cares what it is? (Who @@ -409,8 +280,9 @@ int proc_file(char *rqfile) unsigned char plaintext[2048]; unsigned char ciphertext[2048]; char *rp; - DES_CTX ctx; + EVP_CIPHER_CTX ctx; int numkeys=1; + EVP_CIPHER_CTX_init(&ctx); if (!rqfile || !(*rqfile)) {