Move 3DES EVP inside FIPS module and modify algorithm tests to use it.

CHANGES

@@ -6,9 +6,9 @@
 
   *) New flag in EVP_CIPHER: EVP_CIPH_FLAG_DEFAULT_ASN1. This will
      automatically use EVP_CIPHER_{get,set}_asn1_iv and avoid the
-     need for any ASN1 dependencies in FIPS library. Move AES cipher
+     need for any ASN1 dependencies in FIPS library. Move AES and 3DES
-     definitions to fips library and modify AES algorithm test to use
+     cipher definitions to fips library and modify AES and 3DES algorithm
-     EVP.
+     tests to use EVP.
      [Steve Henson]
 
   *) Move EVP cipher code into enc_min.c to support a minimal implementation

Makefile.org

@@ -300,6 +300,7 @@ FIPS_EX_OBJ= ../crypto/aes/aes_cbc.o \
 	../crypto/evp/digest.o \
 	../crypto/evp/enc_min.o \
 	../crypto/evp/e_aes.o \
+	../crypto/evp/e_des3.o \
 	../crypto/evp/p_sign.o \
 	../crypto/evp/p_verify.o \
 	../crypto/mem_clr.o \

crypto/evp/e_des3.c

@@ -164,10 +164,9 @@ static int des_ede3_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
     }
 
 BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY, NID_des_ede, 8, 16, 8, 64,
-			EVP_CIPH_RAND_KEY|EVP_CIPH_FLAG_FIPS,
+		EVP_CIPH_RAND_KEY|EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1,
-			des_ede_init_key, NULL, 
+			des_ede_init_key,
-			EVP_CIPHER_set_asn1_iv,
+			NULL, NULL, NULL,
-			EVP_CIPHER_get_asn1_iv,
 			des3_ctrl)
 
 #define des_ede3_cfb64_cipher des_ede_cfb64_cipher
@@ -176,24 +175,21 @@ BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY, NID_des_ede, 8, 16, 8, 64,
 #define des_ede3_ecb_cipher des_ede_ecb_cipher
 
 BLOCK_CIPHER_defs(des_ede3, DES_EDE_KEY, NID_des_ede3, 8, 24, 8, 64,
-			EVP_CIPH_RAND_KEY|EVP_CIPH_FLAG_FIPS,
+		EVP_CIPH_RAND_KEY|EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1,
-			des_ede3_init_key, NULL, 
+			des_ede3_init_key,
-			EVP_CIPHER_set_asn1_iv,
+			NULL, NULL, NULL,
-			EVP_CIPHER_get_asn1_iv,
 			des3_ctrl)
 
 BLOCK_CIPHER_def_cfb(des_ede3,DES_EDE_KEY,NID_des_ede3,24,8,1,
-		     EVP_CIPH_RAND_KEY|EVP_CIPH_FLAG_FIPS,
+		EVP_CIPH_RAND_KEY|EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1,
-		     des_ede3_init_key,NULL,
+		     des_ede3_init_key,
-		     EVP_CIPHER_set_asn1_iv,
+		     NULL, NULL, NULL,
-		     EVP_CIPHER_get_asn1_iv,
 		     des3_ctrl)
 
 BLOCK_CIPHER_def_cfb(des_ede3,DES_EDE_KEY,NID_des_ede3,24,8,8,
-		     EVP_CIPH_RAND_KEY|EVP_CIPH_FLAG_FIPS,
+		EVP_CIPH_RAND_KEY|EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1,
-		     des_ede3_init_key,NULL,
+		     des_ede3_init_key,
-		     EVP_CIPHER_set_asn1_iv,
+		     NULL, NULL, NULL,
-		     EVP_CIPHER_get_asn1_iv,
 		     des3_ctrl)
 
 static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,

fips-1.0/des/fips_desmovs.c

@@ -87,142 +87,28 @@ int main(int argc, char *argv[])
 
 #define VERBOSE 0
 
-typedef struct
+int DESTest(EVP_CIPHER_CTX *ctx,
-	{
-	DES_key_schedule ks1, ks2, ks3;
-	unsigned char tiv[DES_BLOCK_SIZE];
-	int dir, cmode, cbits, num, akeysz;
-	} DES_CTX;
-
-/*-----------------------------------------------*/
-
-int DES_Cipher(DES_CTX *ctx,
-		unsigned char *out,
-		unsigned char *in,
-		int inl)
-	{
-
-	unsigned long len = inl;
-
-	DES_cblock *iv = (DES_cblock *)ctx->tiv;
-
-	switch(ctx->cmode)
-		{
-		case EVP_CIPH_ECB_MODE:
-		while (len > 0)
-			{
-			if (ctx->akeysz == 64)
-				DES_ecb_encrypt((DES_cblock *)in,
-						(DES_cblock *)out,
-							&ctx->ks1, ctx->dir);
-			else
-				DES_ecb3_encrypt((const_DES_cblock *)in,
-					(DES_cblock *)out,
-					&ctx->ks1,
-					&ctx->ks2,
-					&ctx->ks3,
-					ctx->dir);
-			in += DES_BLOCK_SIZE;
-			out += DES_BLOCK_SIZE;
-			len -= DES_BLOCK_SIZE;
-			}
-		break;
-
-		case EVP_CIPH_CBC_MODE:
-		if (ctx->akeysz == 64)
-			DES_ncbc_encrypt(in, out, len, &ctx->ks1, iv, ctx->dir);
-		else
-			DES_ede3_cbc_encrypt(in, out, len,
-				&ctx->ks1, &ctx->ks2, &ctx->ks3,
-				iv, ctx->dir);
-		break;
-
-		case EVP_CIPH_CFB_MODE:
-#if 0
-		if (ctx->cbits == 1)
-			{
-			if (ctx->akeysz == 64)
-				DES_cfb64_encrypt(in, out, len,
-						&ctx->ks1, iv,
-						&ctx->num, ctx->dir);
-			else
-				DES_ede3_cfb64_encrypt(in, out, len,
-						&ctx->ks1,
-						&ctx->ks2,
-						&ctx->ks3, iv,
-						&ctx->num, ctx->dir);
-			}
-		else
-#endif
-		if (ctx->cbits == 8)
-			{
-			if (ctx->akeysz == 64)
-				DES_cfb_encrypt(in, out, 8, len,
-						&ctx->ks1, iv, ctx->dir);
-			else
-				DES_ede3_cfb_encrypt(in, out, 8, len,
-						&ctx->ks1,
-						&ctx->ks2,
-						&ctx->ks3, iv, ctx->dir);
-			}
-		else if (ctx->cbits == 64)
-			{
-			if (ctx->akeysz == 64)
-				DES_cfb64_encrypt(in, out, len,
-						&ctx->ks1, iv,
-						&ctx->num, ctx->dir);
-			else
-				DES_ede3_cfb64_encrypt(in, out, len,
-						&ctx->ks1,
-						&ctx->ks2,
-						&ctx->ks3, iv,
-						&ctx->num, ctx->dir);
-			}
-		break;
-
-		case EVP_CIPH_OFB_MODE:
-		if (ctx->akeysz == 64)
-			DES_ofb64_encrypt(in, out, len, &ctx->ks1, iv,
-								&ctx->num);
-		else
-			DES_ede3_ofb64_encrypt(in, out, len,
-					&ctx->ks1, &ctx->ks2, &ctx->ks3,
-					iv, &ctx->num);
-
-		break;
-
-		default:
-		return 0;
-
-		}
-
-	return 1;
-
-	}
-
-int DESTest(DES_CTX *ctx,
 	    char *amode, int akeysz, unsigned char *aKey, 
 	    unsigned char *iVec, 
 	    int dir,  /* 0 = decrypt, 1 = encrypt */
 	    unsigned char *out, unsigned char *in, int len)
     {
-    DES_cblock *deskey = (DES_cblock *)aKey;
+    const EVP_CIPHER *cipher = NULL;
-    ctx->cmode = -1;
+
-    ctx->cbits = -1;
+    if (akeysz != 192)
-    ctx->dir = dir;
+	{
-    ctx->num = 0;
+	printf("Invalid key size: %d\n", akeysz);
+	EXIT(1);
+	}
 
     if (strcasecmp(amode, "CBC") == 0)
-	ctx->cmode = EVP_CIPH_CBC_MODE;
+	cipher = EVP_des_ede3_cbc();
     else if (strcasecmp(amode, "ECB") == 0)
-	ctx->cmode = EVP_CIPH_ECB_MODE;
+	cipher = EVP_des_ede3_ecb();
     else if (strcasecmp(amode, "CFB64") == 0)
-	{
+	cipher = EVP_des_ede3_cfb64();
-	ctx->cbits = 64;
-	ctx->cmode = EVP_CIPH_CFB_MODE;
-	}
     else if (strncasecmp(amode, "OFB", 3) == 0)
-	ctx->cmode = EVP_CIPH_OFB_MODE;
+	cipher = EVP_des_ede3_ofb();
 #if 0
     else if(!strcasecmp(amode,"CFB1"))
 	{
@@ -231,33 +117,17 @@ int DESTest(DES_CTX *ctx,
 	}
 #endif
     else if(!strcasecmp(amode,"CFB8"))
-	{
+	cipher = EVP_des_ede3_cfb8();
-	ctx->cbits = 8;
-	ctx->cmode = EVP_CIPH_CFB_MODE;
-	}
     else
 	{
 	printf("Unknown mode: %s\n", amode);
 	EXIT(1);
 	}
-    if (akeysz != 64 && akeysz != 192)
+
-	{
+    if (EVP_CipherInit_ex(ctx, cipher, NULL, aKey, iVec, dir) <= 0)
-	printf("Invalid key size: %d\n", akeysz);
+	return 0;
-	EXIT(1);
+    EVP_Cipher(ctx, out, in, len);
-	}
+
-    else
-	{
-	ctx->akeysz = akeysz;
-	DES_set_key_unchecked(deskey, &ctx->ks1);
-	if(ctx->akeysz == 192)
-		{
-		DES_set_key_unchecked(deskey + 1, &ctx->ks2);
-		DES_set_key_unchecked(deskey + 2, &ctx->ks3);
-		}
-	if (iVec)
-		memcpy(ctx->tiv, iVec, DES_BLOCK_SIZE);
-	DES_Cipher(ctx, out, in, len);
-	}
     return 1;
     }
 
@@ -311,9 +181,10 @@ void do_mct(char *amode,
 	{
 	int j;
 	int n;
-	DES_CTX ctx;
 	int kp=akeysz/64;
 	unsigned char old_iv[8];
+	EVP_CIPHER_CTX ctx;
+	EVP_CIPHER_CTX_init(&ctx);
 
 	fprintf(rfp,"\nCOUNT = %d\n",i);
 	if(kp == 1)
@@ -347,8 +218,8 @@ void do_mct(char *amode,
 		}
 	    else
 		{
-		memcpy(old_iv,ctx.tiv,8);
+		memcpy(old_iv,ctx.iv,8);
-		DES_Cipher(&ctx,text,text,len);
+		EVP_Cipher(&ctx,text,text,len);
 		}
 	    if(j == 9999)
 		{
@@ -384,7 +255,7 @@ void do_mct(char *amode,
 	DES_set_odd_parity((DES_cblock *)akey);
 	DES_set_odd_parity((DES_cblock *)(akey+8));
 	DES_set_odd_parity((DES_cblock *)(akey+16));
-	memcpy(ivec,ctx.tiv,8);
+	memcpy(ivec,ctx.iv,8);
 
 	/* pointless exercise - the final text doesn't depend on the
 	   initial text in OFB mode, so who cares what it is? (Who
@@ -409,8 +280,9 @@ int proc_file(char *rqfile)
     unsigned char plaintext[2048];
     unsigned char ciphertext[2048];
     char *rp;
-    DES_CTX ctx;
+    EVP_CIPHER_CTX ctx;
     int numkeys=1;
+    EVP_CIPHER_CTX_init(&ctx);
 
     if (!rqfile || !(*rqfile))
 	{