1 /*
2 * FIPS-46-3 compliant Triple-DES implementation
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 *
7 * This file is provided under the Apache License 2.0, or the
8 * GNU General Public License v2.0 or later.
9 *
10 * **********
11 * Apache License 2.0:
12 *
13 * Licensed under the Apache License, Version 2.0 (the "License"); you may
14 * not use this file except in compliance with the License.
15 * You may obtain a copy of the License at
16 *
17 * http://www.apache.org/licenses/LICENSE-2.0
18 *
19 * Unless required by applicable law or agreed to in writing, software
20 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
21 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
22 * See the License for the specific language governing permissions and
23 * limitations under the License.
24 *
25 * **********
26 *
27 * **********
28 * GNU General Public License v2.0 or later:
29 *
30 * This program is free software; you can redistribute it and/or modify
31 * it under the terms of the GNU General Public License as published by
32 * the Free Software Foundation; either version 2 of the License, or
33 * (at your option) any later version.
34 *
35 * This program is distributed in the hope that it will be useful,
36 * but WITHOUT ANY WARRANTY; without even the implied warranty of
37 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
38 * GNU General Public License for more details.
39 *
40 * You should have received a copy of the GNU General Public License along
41 * with this program; if not, write to the Free Software Foundation, Inc.,
42 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
43 *
44 * **********
45 */
46 /*
47 * DES, on which TDES is based, was originally designed by Horst Feistel
48 * at IBM in 1974, and was adopted as a standard by NIST (formerly NBS).
49 *
50 * http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf
51 */
52
53 #if !defined(MBEDTLS_CONFIG_FILE)
54 #include "mbedtls/config.h"
55 #else
56 #include MBEDTLS_CONFIG_FILE
57 #endif
58
59 #if defined(MBEDTLS_DES_C)
60
61 #include "mbedtls/des.h"
62 #include "mbedtls/platform_util.h"
63
64 #include <string.h>
65
66 #if defined(MBEDTLS_SELF_TEST)
67 #if defined(MBEDTLS_PLATFORM_C)
68 #include "mbedtls/platform.h"
69 #else
70 #include <stdio.h>
71 #define mbedtls_printf printf
72 #endif /* MBEDTLS_PLATFORM_C */
73 #endif /* MBEDTLS_SELF_TEST */
74
75 #if !defined(MBEDTLS_DES_ALT)
76
77 /*
78 * 32-bit integer manipulation macros (big endian)
79 */
80 #ifndef GET_UINT32_BE
81 #define GET_UINT32_BE(n,b,i) \
82 { \
83 (n) = ( (uint32_t) (b)[(i) ] << 24 ) \
84 | ( (uint32_t) (b)[(i) + 1] << 16 ) \
85 | ( (uint32_t) (b)[(i) + 2] << 8 ) \
86 | ( (uint32_t) (b)[(i) + 3] ); \
87 }
88 #endif
89
90 #ifndef PUT_UINT32_BE
91 #define PUT_UINT32_BE(n,b,i) \
92 { \
93 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
94 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
95 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
96 (b)[(i) + 3] = (unsigned char) ( (n) ); \
97 }
98 #endif
99
100 /*
101 * Expanded DES S-boxes
102 */
103 static const uint32_t SB1[64] =
104 {
105 0x01010400, 0x00000000, 0x00010000, 0x01010404,
106 0x01010004, 0x00010404, 0x00000004, 0x00010000,
107 0x00000400, 0x01010400, 0x01010404, 0x00000400,
108 0x01000404, 0x01010004, 0x01000000, 0x00000004,
109 0x00000404, 0x01000400, 0x01000400, 0x00010400,
110 0x00010400, 0x01010000, 0x01010000, 0x01000404,
111 0x00010004, 0x01000004, 0x01000004, 0x00010004,
112 0x00000000, 0x00000404, 0x00010404, 0x01000000,
113 0x00010000, 0x01010404, 0x00000004, 0x01010000,
114 0x01010400, 0x01000000, 0x01000000, 0x00000400,
115 0x01010004, 0x00010000, 0x00010400, 0x01000004,
116 0x00000400, 0x00000004, 0x01000404, 0x00010404,
117 0x01010404, 0x00010004, 0x01010000, 0x01000404,
118 0x01000004, 0x00000404, 0x00010404, 0x01010400,
119 0x00000404, 0x01000400, 0x01000400, 0x00000000,
120 0x00010004, 0x00010400, 0x00000000, 0x01010004
121 };
122
123 static const uint32_t SB2[64] =
124 {
125 0x80108020, 0x80008000, 0x00008000, 0x00108020,
126 0x00100000, 0x00000020, 0x80100020, 0x80008020,
127 0x80000020, 0x80108020, 0x80108000, 0x80000000,
128 0x80008000, 0x00100000, 0x00000020, 0x80100020,
129 0x00108000, 0x00100020, 0x80008020, 0x00000000,
130 0x80000000, 0x00008000, 0x00108020, 0x80100000,
131 0x00100020, 0x80000020, 0x00000000, 0x00108000,
132 0x00008020, 0x80108000, 0x80100000, 0x00008020,
133 0x00000000, 0x00108020, 0x80100020, 0x00100000,
134 0x80008020, 0x80100000, 0x80108000, 0x00008000,
135 0x80100000, 0x80008000, 0x00000020, 0x80108020,
136 0x00108020, 0x00000020, 0x00008000, 0x80000000,
137 0x00008020, 0x80108000, 0x00100000, 0x80000020,
138 0x00100020, 0x80008020, 0x80000020, 0x00100020,
139 0x00108000, 0x00000000, 0x80008000, 0x00008020,
140 0x80000000, 0x80100020, 0x80108020, 0x00108000
141 };
142
143 static const uint32_t SB3[64] =
144 {
145 0x00000208, 0x08020200, 0x00000000, 0x08020008,
146 0x08000200, 0x00000000, 0x00020208, 0x08000200,
147 0x00020008, 0x08000008, 0x08000008, 0x00020000,
148 0x08020208, 0x00020008, 0x08020000, 0x00000208,
149 0x08000000, 0x00000008, 0x08020200, 0x00000200,
150 0x00020200, 0x08020000, 0x08020008, 0x00020208,
151 0x08000208, 0x00020200, 0x00020000, 0x08000208,
152 0x00000008, 0x08020208, 0x00000200, 0x08000000,
153 0x08020200, 0x08000000, 0x00020008, 0x00000208,
154 0x00020000, 0x08020200, 0x08000200, 0x00000000,
155 0x00000200, 0x00020008, 0x08020208, 0x08000200,
156 0x08000008, 0x00000200, 0x00000000, 0x08020008,
157 0x08000208, 0x00020000, 0x08000000, 0x08020208,
158 0x00000008, 0x00020208, 0x00020200, 0x08000008,
159 0x08020000, 0x08000208, 0x00000208, 0x08020000,
160 0x00020208, 0x00000008, 0x08020008, 0x00020200
161 };
162
163 static const uint32_t SB4[64] =
164 {
165 0x00802001, 0x00002081, 0x00002081, 0x00000080,
166 0x00802080, 0x00800081, 0x00800001, 0x00002001,
167 0x00000000, 0x00802000, 0x00802000, 0x00802081,
168 0x00000081, 0x00000000, 0x00800080, 0x00800001,
169 0x00000001, 0x00002000, 0x00800000, 0x00802001,
170 0x00000080, 0x00800000, 0x00002001, 0x00002080,
171 0x00800081, 0x00000001, 0x00002080, 0x00800080,
172 0x00002000, 0x00802080, 0x00802081, 0x00000081,
173 0x00800080, 0x00800001, 0x00802000, 0x00802081,
174 0x00000081, 0x00000000, 0x00000000, 0x00802000,
175 0x00002080, 0x00800080, 0x00800081, 0x00000001,
176 0x00802001, 0x00002081, 0x00002081, 0x00000080,
177 0x00802081, 0x00000081, 0x00000001, 0x00002000,
178 0x00800001, 0x00002001, 0x00802080, 0x00800081,
179 0x00002001, 0x00002080, 0x00800000, 0x00802001,
180 0x00000080, 0x00800000, 0x00002000, 0x00802080
181 };
182
183 static const uint32_t SB5[64] =
184 {
185 0x00000100, 0x02080100, 0x02080000, 0x42000100,
186 0x00080000, 0x00000100, 0x40000000, 0x02080000,
187 0x40080100, 0x00080000, 0x02000100, 0x40080100,
188 0x42000100, 0x42080000, 0x00080100, 0x40000000,
189 0x02000000, 0x40080000, 0x40080000, 0x00000000,
190 0x40000100, 0x42080100, 0x42080100, 0x02000100,
191 0x42080000, 0x40000100, 0x00000000, 0x42000000,
192 0x02080100, 0x02000000, 0x42000000, 0x00080100,
193 0x00080000, 0x42000100, 0x00000100, 0x02000000,
194 0x40000000, 0x02080000, 0x42000100, 0x40080100,
195 0x02000100, 0x40000000, 0x42080000, 0x02080100,
196 0x40080100, 0x00000100, 0x02000000, 0x42080000,
197 0x42080100, 0x00080100, 0x42000000, 0x42080100,
198 0x02080000, 0x00000000, 0x40080000, 0x42000000,
199 0x00080100, 0x02000100, 0x40000100, 0x00080000,
200 0x00000000, 0x40080000, 0x02080100, 0x40000100
201 };
202
203 static const uint32_t SB6[64] =
204 {
205 0x20000010, 0x20400000, 0x00004000, 0x20404010,
206 0x20400000, 0x00000010, 0x20404010, 0x00400000,
207 0x20004000, 0x00404010, 0x00400000, 0x20000010,
208 0x00400010, 0x20004000, 0x20000000, 0x00004010,
209 0x00000000, 0x00400010, 0x20004010, 0x00004000,
210 0x00404000, 0x20004010, 0x00000010, 0x20400010,
211 0x20400010, 0x00000000, 0x00404010, 0x20404000,
212 0x00004010, 0x00404000, 0x20404000, 0x20000000,
213 0x20004000, 0x00000010, 0x20400010, 0x00404000,
214 0x20404010, 0x00400000, 0x00004010, 0x20000010,
215 0x00400000, 0x20004000, 0x20000000, 0x00004010,
216 0x20000010, 0x20404010, 0x00404000, 0x20400000,
217 0x00404010, 0x20404000, 0x00000000, 0x20400010,
218 0x00000010, 0x00004000, 0x20400000, 0x00404010,
219 0x00004000, 0x00400010, 0x20004010, 0x00000000,
220 0x20404000, 0x20000000, 0x00400010, 0x20004010
221 };
222
223 static const uint32_t SB7[64] =
224 {
225 0x00200000, 0x04200002, 0x04000802, 0x00000000,
226 0x00000800, 0x04000802, 0x00200802, 0x04200800,
227 0x04200802, 0x00200000, 0x00000000, 0x04000002,
228 0x00000002, 0x04000000, 0x04200002, 0x00000802,
229 0x04000800, 0x00200802, 0x00200002, 0x04000800,
230 0x04000002, 0x04200000, 0x04200800, 0x00200002,
231 0x04200000, 0x00000800, 0x00000802, 0x04200802,
232 0x00200800, 0x00000002, 0x04000000, 0x00200800,
233 0x04000000, 0x00200800, 0x00200000, 0x04000802,
234 0x04000802, 0x04200002, 0x04200002, 0x00000002,
235 0x00200002, 0x04000000, 0x04000800, 0x00200000,
236 0x04200800, 0x00000802, 0x00200802, 0x04200800,
237 0x00000802, 0x04000002, 0x04200802, 0x04200000,
238 0x00200800, 0x00000000, 0x00000002, 0x04200802,
239 0x00000000, 0x00200802, 0x04200000, 0x00000800,
240 0x04000002, 0x04000800, 0x00000800, 0x00200002
241 };
242
243 static const uint32_t SB8[64] =
244 {
245 0x10001040, 0x00001000, 0x00040000, 0x10041040,
246 0x10000000, 0x10001040, 0x00000040, 0x10000000,
247 0x00040040, 0x10040000, 0x10041040, 0x00041000,
248 0x10041000, 0x00041040, 0x00001000, 0x00000040,
249 0x10040000, 0x10000040, 0x10001000, 0x00001040,
250 0x00041000, 0x00040040, 0x10040040, 0x10041000,
251 0x00001040, 0x00000000, 0x00000000, 0x10040040,
252 0x10000040, 0x10001000, 0x00041040, 0x00040000,
253 0x00041040, 0x00040000, 0x10041000, 0x00001000,
254 0x00000040, 0x10040040, 0x00001000, 0x00041040,
255 0x10001000, 0x00000040, 0x10000040, 0x10040000,
256 0x10040040, 0x10000000, 0x00040000, 0x10001040,
257 0x00000000, 0x10041040, 0x00040040, 0x10000040,
258 0x10040000, 0x10001000, 0x10001040, 0x00000000,
259 0x10041040, 0x00041000, 0x00041000, 0x00001040,
260 0x00001040, 0x00040040, 0x10000000, 0x10041000
261 };
262
263 /*
264 * PC1: left and right halves bit-swap
265 */
266 static const uint32_t LHs[16] =
267 {
268 0x00000000, 0x00000001, 0x00000100, 0x00000101,
269 0x00010000, 0x00010001, 0x00010100, 0x00010101,
270 0x01000000, 0x01000001, 0x01000100, 0x01000101,
271 0x01010000, 0x01010001, 0x01010100, 0x01010101
272 };
273
274 static const uint32_t RHs[16] =
275 {
276 0x00000000, 0x01000000, 0x00010000, 0x01010000,
277 0x00000100, 0x01000100, 0x00010100, 0x01010100,
278 0x00000001, 0x01000001, 0x00010001, 0x01010001,
279 0x00000101, 0x01000101, 0x00010101, 0x01010101,
280 };
281
282 /*
283 * Initial Permutation macro
284 */
285 #define DES_IP(X,Y) \
286 do \
287 { \
288 T = (((X) >> 4) ^ (Y)) & 0x0F0F0F0F; (Y) ^= T; (X) ^= (T << 4); \
289 T = (((X) >> 16) ^ (Y)) & 0x0000FFFF; (Y) ^= T; (X) ^= (T << 16); \
290 T = (((Y) >> 2) ^ (X)) & 0x33333333; (X) ^= T; (Y) ^= (T << 2); \
291 T = (((Y) >> 8) ^ (X)) & 0x00FF00FF; (X) ^= T; (Y) ^= (T << 8); \
292 (Y) = (((Y) << 1) | ((Y) >> 31)) & 0xFFFFFFFF; \
293 T = ((X) ^ (Y)) & 0xAAAAAAAA; (Y) ^= T; (X) ^= T; \
294 (X) = (((X) << 1) | ((X) >> 31)) & 0xFFFFFFFF; \
295 } while( 0 )
296
297 /*
298 * Final Permutation macro
299 */
300 #define DES_FP(X,Y) \
301 do \
302 { \
303 (X) = (((X) << 31) | ((X) >> 1)) & 0xFFFFFFFF; \
304 T = ((X) ^ (Y)) & 0xAAAAAAAA; (X) ^= T; (Y) ^= T; \
305 (Y) = (((Y) << 31) | ((Y) >> 1)) & 0xFFFFFFFF; \
306 T = (((Y) >> 8) ^ (X)) & 0x00FF00FF; (X) ^= T; (Y) ^= (T << 8); \
307 T = (((Y) >> 2) ^ (X)) & 0x33333333; (X) ^= T; (Y) ^= (T << 2); \
308 T = (((X) >> 16) ^ (Y)) & 0x0000FFFF; (Y) ^= T; (X) ^= (T << 16); \
309 T = (((X) >> 4) ^ (Y)) & 0x0F0F0F0F; (Y) ^= T; (X) ^= (T << 4); \
310 } while( 0 )
311
312 /*
313 * DES round macro
314 */
315 #define DES_ROUND(X,Y) \
316 do \
317 { \
318 T = *SK++ ^ (X); \
319 (Y) ^= SB8[ (T ) & 0x3F ] ^ \
320 SB6[ (T >> 8) & 0x3F ] ^ \
321 SB4[ (T >> 16) & 0x3F ] ^ \
322 SB2[ (T >> 24) & 0x3F ]; \
323 \
324 T = *SK++ ^ (((X) << 28) | ((X) >> 4)); \
325 (Y) ^= SB7[ (T ) & 0x3F ] ^ \
326 SB5[ (T >> 8) & 0x3F ] ^ \
327 SB3[ (T >> 16) & 0x3F ] ^ \
328 SB1[ (T >> 24) & 0x3F ]; \
329 } while( 0 )
330
331 #define SWAP(a,b) \
332 do \
333 { \
334 uint32_t t = (a); (a) = (b); (b) = t; t = 0; \
335 } while( 0 )
336
mbedtls_des_init(mbedtls_des_context * ctx)337 void mbedtls_des_init( mbedtls_des_context *ctx )
338 {
339 memset( ctx, 0, sizeof( mbedtls_des_context ) );
340 }
341
mbedtls_des_free(mbedtls_des_context * ctx)342 void mbedtls_des_free( mbedtls_des_context *ctx )
343 {
344 if( ctx == NULL )
345 return;
346
347 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_des_context ) );
348 }
349
mbedtls_des3_init(mbedtls_des3_context * ctx)350 void mbedtls_des3_init( mbedtls_des3_context *ctx )
351 {
352 memset( ctx, 0, sizeof( mbedtls_des3_context ) );
353 }
354
mbedtls_des3_free(mbedtls_des3_context * ctx)355 void mbedtls_des3_free( mbedtls_des3_context *ctx )
356 {
357 if( ctx == NULL )
358 return;
359
360 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_des3_context ) );
361 }
362
363 static const unsigned char odd_parity_table[128] = { 1, 2, 4, 7, 8,
364 11, 13, 14, 16, 19, 21, 22, 25, 26, 28, 31, 32, 35, 37, 38, 41, 42, 44,
365 47, 49, 50, 52, 55, 56, 59, 61, 62, 64, 67, 69, 70, 73, 74, 76, 79, 81,
366 82, 84, 87, 88, 91, 93, 94, 97, 98, 100, 103, 104, 107, 109, 110, 112,
367 115, 117, 118, 121, 122, 124, 127, 128, 131, 133, 134, 137, 138, 140,
368 143, 145, 146, 148, 151, 152, 155, 157, 158, 161, 162, 164, 167, 168,
369 171, 173, 174, 176, 179, 181, 182, 185, 186, 188, 191, 193, 194, 196,
370 199, 200, 203, 205, 206, 208, 211, 213, 214, 217, 218, 220, 223, 224,
371 227, 229, 230, 233, 234, 236, 239, 241, 242, 244, 247, 248, 251, 253,
372 254 };
373
mbedtls_des_key_set_parity(unsigned char key[MBEDTLS_DES_KEY_SIZE])374 void mbedtls_des_key_set_parity( unsigned char key[MBEDTLS_DES_KEY_SIZE] )
375 {
376 int i;
377
378 for( i = 0; i < MBEDTLS_DES_KEY_SIZE; i++ )
379 key[i] = odd_parity_table[key[i] / 2];
380 }
381
382 /*
383 * Check the given key's parity, returns 1 on failure, 0 on SUCCESS
384 */
mbedtls_des_key_check_key_parity(const unsigned char key[MBEDTLS_DES_KEY_SIZE])385 int mbedtls_des_key_check_key_parity( const unsigned char key[MBEDTLS_DES_KEY_SIZE] )
386 {
387 int i;
388
389 for( i = 0; i < MBEDTLS_DES_KEY_SIZE; i++ )
390 if( key[i] != odd_parity_table[key[i] / 2] )
391 return( 1 );
392
393 return( 0 );
394 }
395
396 /*
397 * Table of weak and semi-weak keys
398 *
399 * Source: http://en.wikipedia.org/wiki/Weak_key
400 *
401 * Weak:
402 * Alternating ones + zeros (0x0101010101010101)
403 * Alternating 'F' + 'E' (0xFEFEFEFEFEFEFEFE)
404 * '0xE0E0E0E0F1F1F1F1'
405 * '0x1F1F1F1F0E0E0E0E'
406 *
407 * Semi-weak:
408 * 0x011F011F010E010E and 0x1F011F010E010E01
409 * 0x01E001E001F101F1 and 0xE001E001F101F101
410 * 0x01FE01FE01FE01FE and 0xFE01FE01FE01FE01
411 * 0x1FE01FE00EF10EF1 and 0xE01FE01FF10EF10E
412 * 0x1FFE1FFE0EFE0EFE and 0xFE1FFE1FFE0EFE0E
413 * 0xE0FEE0FEF1FEF1FE and 0xFEE0FEE0FEF1FEF1
414 *
415 */
416
417 #define WEAK_KEY_COUNT 16
418
419 static const unsigned char weak_key_table[WEAK_KEY_COUNT][MBEDTLS_DES_KEY_SIZE] =
420 {
421 { 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 },
422 { 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE },
423 { 0x1F, 0x1F, 0x1F, 0x1F, 0x0E, 0x0E, 0x0E, 0x0E },
424 { 0xE0, 0xE0, 0xE0, 0xE0, 0xF1, 0xF1, 0xF1, 0xF1 },
425
426 { 0x01, 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E },
427 { 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E, 0x01 },
428 { 0x01, 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1 },
429 { 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1, 0x01 },
430 { 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE },
431 { 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01 },
432 { 0x1F, 0xE0, 0x1F, 0xE0, 0x0E, 0xF1, 0x0E, 0xF1 },
433 { 0xE0, 0x1F, 0xE0, 0x1F, 0xF1, 0x0E, 0xF1, 0x0E },
434 { 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E, 0xFE },
435 { 0xFE, 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E },
436 { 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1, 0xFE },
437 { 0xFE, 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1 }
438 };
439
mbedtls_des_key_check_weak(const unsigned char key[MBEDTLS_DES_KEY_SIZE])440 int mbedtls_des_key_check_weak( const unsigned char key[MBEDTLS_DES_KEY_SIZE] )
441 {
442 int i;
443
444 for( i = 0; i < WEAK_KEY_COUNT; i++ )
445 if( memcmp( weak_key_table[i], key, MBEDTLS_DES_KEY_SIZE) == 0 )
446 return( 1 );
447
448 return( 0 );
449 }
450
451 #if !defined(MBEDTLS_DES_SETKEY_ALT)
mbedtls_des_setkey(uint32_t SK[32],const unsigned char key[MBEDTLS_DES_KEY_SIZE])452 void mbedtls_des_setkey( uint32_t SK[32], const unsigned char key[MBEDTLS_DES_KEY_SIZE] )
453 {
454 int i;
455 uint32_t X, Y, T;
456
457 GET_UINT32_BE( X, key, 0 );
458 GET_UINT32_BE( Y, key, 4 );
459
460 /*
461 * Permuted Choice 1
462 */
463 T = ((Y >> 4) ^ X) & 0x0F0F0F0F; X ^= T; Y ^= (T << 4);
464 T = ((Y ) ^ X) & 0x10101010; X ^= T; Y ^= (T );
465
466 X = (LHs[ (X ) & 0xF] << 3) | (LHs[ (X >> 8) & 0xF ] << 2)
467 | (LHs[ (X >> 16) & 0xF] << 1) | (LHs[ (X >> 24) & 0xF ] )
468 | (LHs[ (X >> 5) & 0xF] << 7) | (LHs[ (X >> 13) & 0xF ] << 6)
469 | (LHs[ (X >> 21) & 0xF] << 5) | (LHs[ (X >> 29) & 0xF ] << 4);
470
471 Y = (RHs[ (Y >> 1) & 0xF] << 3) | (RHs[ (Y >> 9) & 0xF ] << 2)
472 | (RHs[ (Y >> 17) & 0xF] << 1) | (RHs[ (Y >> 25) & 0xF ] )
473 | (RHs[ (Y >> 4) & 0xF] << 7) | (RHs[ (Y >> 12) & 0xF ] << 6)
474 | (RHs[ (Y >> 20) & 0xF] << 5) | (RHs[ (Y >> 28) & 0xF ] << 4);
475
476 X &= 0x0FFFFFFF;
477 Y &= 0x0FFFFFFF;
478
479 /*
480 * calculate subkeys
481 */
482 for( i = 0; i < 16; i++ )
483 {
484 if( i < 2 || i == 8 || i == 15 )
485 {
486 X = ((X << 1) | (X >> 27)) & 0x0FFFFFFF;
487 Y = ((Y << 1) | (Y >> 27)) & 0x0FFFFFFF;
488 }
489 else
490 {
491 X = ((X << 2) | (X >> 26)) & 0x0FFFFFFF;
492 Y = ((Y << 2) | (Y >> 26)) & 0x0FFFFFFF;
493 }
494
495 *SK++ = ((X << 4) & 0x24000000) | ((X << 28) & 0x10000000)
496 | ((X << 14) & 0x08000000) | ((X << 18) & 0x02080000)
497 | ((X << 6) & 0x01000000) | ((X << 9) & 0x00200000)
498 | ((X >> 1) & 0x00100000) | ((X << 10) & 0x00040000)
499 | ((X << 2) & 0x00020000) | ((X >> 10) & 0x00010000)
500 | ((Y >> 13) & 0x00002000) | ((Y >> 4) & 0x00001000)
501 | ((Y << 6) & 0x00000800) | ((Y >> 1) & 0x00000400)
502 | ((Y >> 14) & 0x00000200) | ((Y ) & 0x00000100)
503 | ((Y >> 5) & 0x00000020) | ((Y >> 10) & 0x00000010)
504 | ((Y >> 3) & 0x00000008) | ((Y >> 18) & 0x00000004)
505 | ((Y >> 26) & 0x00000002) | ((Y >> 24) & 0x00000001);
506
507 *SK++ = ((X << 15) & 0x20000000) | ((X << 17) & 0x10000000)
508 | ((X << 10) & 0x08000000) | ((X << 22) & 0x04000000)
509 | ((X >> 2) & 0x02000000) | ((X << 1) & 0x01000000)
510 | ((X << 16) & 0x00200000) | ((X << 11) & 0x00100000)
511 | ((X << 3) & 0x00080000) | ((X >> 6) & 0x00040000)
512 | ((X << 15) & 0x00020000) | ((X >> 4) & 0x00010000)
513 | ((Y >> 2) & 0x00002000) | ((Y << 8) & 0x00001000)
514 | ((Y >> 14) & 0x00000808) | ((Y >> 9) & 0x00000400)
515 | ((Y ) & 0x00000200) | ((Y << 7) & 0x00000100)
516 | ((Y >> 7) & 0x00000020) | ((Y >> 3) & 0x00000011)
517 | ((Y << 2) & 0x00000004) | ((Y >> 21) & 0x00000002);
518 }
519 }
520 #endif /* !MBEDTLS_DES_SETKEY_ALT */
521
522 /*
523 * DES key schedule (56-bit, encryption)
524 */
mbedtls_des_setkey_enc(mbedtls_des_context * ctx,const unsigned char key[MBEDTLS_DES_KEY_SIZE])525 int mbedtls_des_setkey_enc( mbedtls_des_context *ctx, const unsigned char key[MBEDTLS_DES_KEY_SIZE] )
526 {
527 mbedtls_des_setkey( ctx->sk, key );
528
529 return( 0 );
530 }
531
532 /*
533 * DES key schedule (56-bit, decryption)
534 */
mbedtls_des_setkey_dec(mbedtls_des_context * ctx,const unsigned char key[MBEDTLS_DES_KEY_SIZE])535 int mbedtls_des_setkey_dec( mbedtls_des_context *ctx, const unsigned char key[MBEDTLS_DES_KEY_SIZE] )
536 {
537 int i;
538
539 mbedtls_des_setkey( ctx->sk, key );
540
541 for( i = 0; i < 16; i += 2 )
542 {
543 SWAP( ctx->sk[i ], ctx->sk[30 - i] );
544 SWAP( ctx->sk[i + 1], ctx->sk[31 - i] );
545 }
546
547 return( 0 );
548 }
549
des3_set2key(uint32_t esk[96],uint32_t dsk[96],const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2])550 static void des3_set2key( uint32_t esk[96],
551 uint32_t dsk[96],
552 const unsigned char key[MBEDTLS_DES_KEY_SIZE*2] )
553 {
554 int i;
555
556 mbedtls_des_setkey( esk, key );
557 mbedtls_des_setkey( dsk + 32, key + 8 );
558
559 for( i = 0; i < 32; i += 2 )
560 {
561 dsk[i ] = esk[30 - i];
562 dsk[i + 1] = esk[31 - i];
563
564 esk[i + 32] = dsk[62 - i];
565 esk[i + 33] = dsk[63 - i];
566
567 esk[i + 64] = esk[i ];
568 esk[i + 65] = esk[i + 1];
569
570 dsk[i + 64] = dsk[i ];
571 dsk[i + 65] = dsk[i + 1];
572 }
573 }
574
575 /*
576 * Triple-DES key schedule (112-bit, encryption)
577 */
mbedtls_des3_set2key_enc(mbedtls_des3_context * ctx,const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2])578 int mbedtls_des3_set2key_enc( mbedtls_des3_context *ctx,
579 const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2] )
580 {
581 uint32_t sk[96];
582
583 des3_set2key( ctx->sk, sk, key );
584 mbedtls_platform_zeroize( sk, sizeof( sk ) );
585
586 return( 0 );
587 }
588
589 /*
590 * Triple-DES key schedule (112-bit, decryption)
591 */
mbedtls_des3_set2key_dec(mbedtls_des3_context * ctx,const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2])592 int mbedtls_des3_set2key_dec( mbedtls_des3_context *ctx,
593 const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2] )
594 {
595 uint32_t sk[96];
596
597 des3_set2key( sk, ctx->sk, key );
598 mbedtls_platform_zeroize( sk, sizeof( sk ) );
599
600 return( 0 );
601 }
602
des3_set3key(uint32_t esk[96],uint32_t dsk[96],const unsigned char key[24])603 static void des3_set3key( uint32_t esk[96],
604 uint32_t dsk[96],
605 const unsigned char key[24] )
606 {
607 int i;
608
609 mbedtls_des_setkey( esk, key );
610 mbedtls_des_setkey( dsk + 32, key + 8 );
611 mbedtls_des_setkey( esk + 64, key + 16 );
612
613 for( i = 0; i < 32; i += 2 )
614 {
615 dsk[i ] = esk[94 - i];
616 dsk[i + 1] = esk[95 - i];
617
618 esk[i + 32] = dsk[62 - i];
619 esk[i + 33] = dsk[63 - i];
620
621 dsk[i + 64] = esk[30 - i];
622 dsk[i + 65] = esk[31 - i];
623 }
624 }
625
626 /*
627 * Triple-DES key schedule (168-bit, encryption)
628 */
mbedtls_des3_set3key_enc(mbedtls_des3_context * ctx,const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3])629 int mbedtls_des3_set3key_enc( mbedtls_des3_context *ctx,
630 const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3] )
631 {
632 uint32_t sk[96];
633
634 des3_set3key( ctx->sk, sk, key );
635 mbedtls_platform_zeroize( sk, sizeof( sk ) );
636
637 return( 0 );
638 }
639
640 /*
641 * Triple-DES key schedule (168-bit, decryption)
642 */
mbedtls_des3_set3key_dec(mbedtls_des3_context * ctx,const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3])643 int mbedtls_des3_set3key_dec( mbedtls_des3_context *ctx,
644 const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3] )
645 {
646 uint32_t sk[96];
647
648 des3_set3key( sk, ctx->sk, key );
649 mbedtls_platform_zeroize( sk, sizeof( sk ) );
650
651 return( 0 );
652 }
653
654 /*
655 * DES-ECB block encryption/decryption
656 */
657 #if !defined(MBEDTLS_DES_CRYPT_ECB_ALT)
mbedtls_des_crypt_ecb(mbedtls_des_context * ctx,const unsigned char input[8],unsigned char output[8])658 int mbedtls_des_crypt_ecb( mbedtls_des_context *ctx,
659 const unsigned char input[8],
660 unsigned char output[8] )
661 {
662 int i;
663 uint32_t X, Y, T, *SK;
664
665 SK = ctx->sk;
666
667 GET_UINT32_BE( X, input, 0 );
668 GET_UINT32_BE( Y, input, 4 );
669
670 DES_IP( X, Y );
671
672 for( i = 0; i < 8; i++ )
673 {
674 DES_ROUND( Y, X );
675 DES_ROUND( X, Y );
676 }
677
678 DES_FP( Y, X );
679
680 PUT_UINT32_BE( Y, output, 0 );
681 PUT_UINT32_BE( X, output, 4 );
682
683 return( 0 );
684 }
685 #endif /* !MBEDTLS_DES_CRYPT_ECB_ALT */
686
687 #if defined(MBEDTLS_CIPHER_MODE_CBC)
688 /*
689 * DES-CBC buffer encryption/decryption
690 */
mbedtls_des_crypt_cbc(mbedtls_des_context * ctx,int mode,size_t length,unsigned char iv[8],const unsigned char * input,unsigned char * output)691 int mbedtls_des_crypt_cbc( mbedtls_des_context *ctx,
692 int mode,
693 size_t length,
694 unsigned char iv[8],
695 const unsigned char *input,
696 unsigned char *output )
697 {
698 int i;
699 unsigned char temp[8];
700
701 if( length % 8 )
702 return( MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH );
703
704 if( mode == MBEDTLS_DES_ENCRYPT )
705 {
706 while( length > 0 )
707 {
708 for( i = 0; i < 8; i++ )
709 output[i] = (unsigned char)( input[i] ^ iv[i] );
710
711 mbedtls_des_crypt_ecb( ctx, output, output );
712 memcpy( iv, output, 8 );
713
714 input += 8;
715 output += 8;
716 length -= 8;
717 }
718 }
719 else /* MBEDTLS_DES_DECRYPT */
720 {
721 while( length > 0 )
722 {
723 memcpy( temp, input, 8 );
724 mbedtls_des_crypt_ecb( ctx, input, output );
725
726 for( i = 0; i < 8; i++ )
727 output[i] = (unsigned char)( output[i] ^ iv[i] );
728
729 memcpy( iv, temp, 8 );
730
731 input += 8;
732 output += 8;
733 length -= 8;
734 }
735 }
736
737 return( 0 );
738 }
739 #endif /* MBEDTLS_CIPHER_MODE_CBC */
740
741 /*
742 * 3DES-ECB block encryption/decryption
743 */
744 #if !defined(MBEDTLS_DES3_CRYPT_ECB_ALT)
mbedtls_des3_crypt_ecb(mbedtls_des3_context * ctx,const unsigned char input[8],unsigned char output[8])745 int mbedtls_des3_crypt_ecb( mbedtls_des3_context *ctx,
746 const unsigned char input[8],
747 unsigned char output[8] )
748 {
749 int i;
750 uint32_t X, Y, T, *SK;
751
752 SK = ctx->sk;
753
754 GET_UINT32_BE( X, input, 0 );
755 GET_UINT32_BE( Y, input, 4 );
756
757 DES_IP( X, Y );
758
759 for( i = 0; i < 8; i++ )
760 {
761 DES_ROUND( Y, X );
762 DES_ROUND( X, Y );
763 }
764
765 for( i = 0; i < 8; i++ )
766 {
767 DES_ROUND( X, Y );
768 DES_ROUND( Y, X );
769 }
770
771 for( i = 0; i < 8; i++ )
772 {
773 DES_ROUND( Y, X );
774 DES_ROUND( X, Y );
775 }
776
777 DES_FP( Y, X );
778
779 PUT_UINT32_BE( Y, output, 0 );
780 PUT_UINT32_BE( X, output, 4 );
781
782 return( 0 );
783 }
784 #endif /* !MBEDTLS_DES3_CRYPT_ECB_ALT */
785
786 #if defined(MBEDTLS_CIPHER_MODE_CBC)
787 /*
788 * 3DES-CBC buffer encryption/decryption
789 */
mbedtls_des3_crypt_cbc(mbedtls_des3_context * ctx,int mode,size_t length,unsigned char iv[8],const unsigned char * input,unsigned char * output)790 int mbedtls_des3_crypt_cbc( mbedtls_des3_context *ctx,
791 int mode,
792 size_t length,
793 unsigned char iv[8],
794 const unsigned char *input,
795 unsigned char *output )
796 {
797 int i;
798 unsigned char temp[8];
799
800 if( length % 8 )
801 return( MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH );
802
803 if( mode == MBEDTLS_DES_ENCRYPT )
804 {
805 while( length > 0 )
806 {
807 for( i = 0; i < 8; i++ )
808 output[i] = (unsigned char)( input[i] ^ iv[i] );
809
810 mbedtls_des3_crypt_ecb( ctx, output, output );
811 memcpy( iv, output, 8 );
812
813 input += 8;
814 output += 8;
815 length -= 8;
816 }
817 }
818 else /* MBEDTLS_DES_DECRYPT */
819 {
820 while( length > 0 )
821 {
822 memcpy( temp, input, 8 );
823 mbedtls_des3_crypt_ecb( ctx, input, output );
824
825 for( i = 0; i < 8; i++ )
826 output[i] = (unsigned char)( output[i] ^ iv[i] );
827
828 memcpy( iv, temp, 8 );
829
830 input += 8;
831 output += 8;
832 length -= 8;
833 }
834 }
835
836 return( 0 );
837 }
838 #endif /* MBEDTLS_CIPHER_MODE_CBC */
839
840 #endif /* !MBEDTLS_DES_ALT */
841
842 #if defined(MBEDTLS_SELF_TEST)
843 /*
844 * DES and 3DES test vectors from:
845 *
846 * http://csrc.nist.gov/groups/STM/cavp/documents/des/tripledes-vectors.zip
847 */
848 static const unsigned char des3_test_keys[24] =
849 {
850 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF,
851 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01,
852 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01, 0x23
853 };
854
855 static const unsigned char des3_test_buf[8] =
856 {
857 0x4E, 0x6F, 0x77, 0x20, 0x69, 0x73, 0x20, 0x74
858 };
859
860 static const unsigned char des3_test_ecb_dec[3][8] =
861 {
862 { 0xCD, 0xD6, 0x4F, 0x2F, 0x94, 0x27, 0xC1, 0x5D },
863 { 0x69, 0x96, 0xC8, 0xFA, 0x47, 0xA2, 0xAB, 0xEB },
864 { 0x83, 0x25, 0x39, 0x76, 0x44, 0x09, 0x1A, 0x0A }
865 };
866
867 static const unsigned char des3_test_ecb_enc[3][8] =
868 {
869 { 0x6A, 0x2A, 0x19, 0xF4, 0x1E, 0xCA, 0x85, 0x4B },
870 { 0x03, 0xE6, 0x9F, 0x5B, 0xFA, 0x58, 0xEB, 0x42 },
871 { 0xDD, 0x17, 0xE8, 0xB8, 0xB4, 0x37, 0xD2, 0x32 }
872 };
873
874 #if defined(MBEDTLS_CIPHER_MODE_CBC)
875 static const unsigned char des3_test_iv[8] =
876 {
877 0x12, 0x34, 0x56, 0x78, 0x90, 0xAB, 0xCD, 0xEF,
878 };
879
880 static const unsigned char des3_test_cbc_dec[3][8] =
881 {
882 { 0x12, 0x9F, 0x40, 0xB9, 0xD2, 0x00, 0x56, 0xB3 },
883 { 0x47, 0x0E, 0xFC, 0x9A, 0x6B, 0x8E, 0xE3, 0x93 },
884 { 0xC5, 0xCE, 0xCF, 0x63, 0xEC, 0xEC, 0x51, 0x4C }
885 };
886
887 static const unsigned char des3_test_cbc_enc[3][8] =
888 {
889 { 0x54, 0xF1, 0x5A, 0xF6, 0xEB, 0xE3, 0xA4, 0xB4 },
890 { 0x35, 0x76, 0x11, 0x56, 0x5F, 0xA1, 0x8E, 0x4D },
891 { 0xCB, 0x19, 0x1F, 0x85, 0xD1, 0xED, 0x84, 0x39 }
892 };
893 #endif /* MBEDTLS_CIPHER_MODE_CBC */
894
895 /*
896 * Checkup routine
897 */
mbedtls_des_self_test(int verbose)898 int mbedtls_des_self_test( int verbose )
899 {
900 int i, j, u, v, ret = 0;
901 mbedtls_des_context ctx;
902 mbedtls_des3_context ctx3;
903 unsigned char buf[8];
904 #if defined(MBEDTLS_CIPHER_MODE_CBC)
905 unsigned char prv[8];
906 unsigned char iv[8];
907 #endif
908
909 mbedtls_des_init( &ctx );
910 mbedtls_des3_init( &ctx3 );
911 /*
912 * ECB mode
913 */
914 for( i = 0; i < 6; i++ )
915 {
916 u = i >> 1;
917 v = i & 1;
918
919 if( verbose != 0 )
920 mbedtls_printf( " DES%c-ECB-%3d (%s): ",
921 ( u == 0 ) ? ' ' : '3', 56 + u * 56,
922 ( v == MBEDTLS_DES_DECRYPT ) ? "dec" : "enc" );
923
924 memcpy( buf, des3_test_buf, 8 );
925
926 switch( i )
927 {
928 case 0:
929 mbedtls_des_setkey_dec( &ctx, des3_test_keys );
930 break;
931
932 case 1:
933 mbedtls_des_setkey_enc( &ctx, des3_test_keys );
934 break;
935
936 case 2:
937 mbedtls_des3_set2key_dec( &ctx3, des3_test_keys );
938 break;
939
940 case 3:
941 mbedtls_des3_set2key_enc( &ctx3, des3_test_keys );
942 break;
943
944 case 4:
945 mbedtls_des3_set3key_dec( &ctx3, des3_test_keys );
946 break;
947
948 case 5:
949 mbedtls_des3_set3key_enc( &ctx3, des3_test_keys );
950 break;
951
952 default:
953 return( 1 );
954 }
955
956 for( j = 0; j < 10000; j++ )
957 {
958 if( u == 0 )
959 mbedtls_des_crypt_ecb( &ctx, buf, buf );
960 else
961 mbedtls_des3_crypt_ecb( &ctx3, buf, buf );
962 }
963
964 if( ( v == MBEDTLS_DES_DECRYPT &&
965 memcmp( buf, des3_test_ecb_dec[u], 8 ) != 0 ) ||
966 ( v != MBEDTLS_DES_DECRYPT &&
967 memcmp( buf, des3_test_ecb_enc[u], 8 ) != 0 ) )
968 {
969 if( verbose != 0 )
970 mbedtls_printf( "failed\n" );
971
972 ret = 1;
973 goto exit;
974 }
975
976 if( verbose != 0 )
977 mbedtls_printf( "passed\n" );
978 }
979
980 if( verbose != 0 )
981 mbedtls_printf( "\n" );
982
983 #if defined(MBEDTLS_CIPHER_MODE_CBC)
984 /*
985 * CBC mode
986 */
987 for( i = 0; i < 6; i++ )
988 {
989 u = i >> 1;
990 v = i & 1;
991
992 if( verbose != 0 )
993 mbedtls_printf( " DES%c-CBC-%3d (%s): ",
994 ( u == 0 ) ? ' ' : '3', 56 + u * 56,
995 ( v == MBEDTLS_DES_DECRYPT ) ? "dec" : "enc" );
996
997 memcpy( iv, des3_test_iv, 8 );
998 memcpy( prv, des3_test_iv, 8 );
999 memcpy( buf, des3_test_buf, 8 );
1000
1001 switch( i )
1002 {
1003 case 0:
1004 mbedtls_des_setkey_dec( &ctx, des3_test_keys );
1005 break;
1006
1007 case 1:
1008 mbedtls_des_setkey_enc( &ctx, des3_test_keys );
1009 break;
1010
1011 case 2:
1012 mbedtls_des3_set2key_dec( &ctx3, des3_test_keys );
1013 break;
1014
1015 case 3:
1016 mbedtls_des3_set2key_enc( &ctx3, des3_test_keys );
1017 break;
1018
1019 case 4:
1020 mbedtls_des3_set3key_dec( &ctx3, des3_test_keys );
1021 break;
1022
1023 case 5:
1024 mbedtls_des3_set3key_enc( &ctx3, des3_test_keys );
1025 break;
1026
1027 default:
1028 return( 1 );
1029 }
1030
1031 if( v == MBEDTLS_DES_DECRYPT )
1032 {
1033 for( j = 0; j < 10000; j++ )
1034 {
1035 if( u == 0 )
1036 mbedtls_des_crypt_cbc( &ctx, v, 8, iv, buf, buf );
1037 else
1038 mbedtls_des3_crypt_cbc( &ctx3, v, 8, iv, buf, buf );
1039 }
1040 }
1041 else
1042 {
1043 for( j = 0; j < 10000; j++ )
1044 {
1045 unsigned char tmp[8];
1046
1047 if( u == 0 )
1048 mbedtls_des_crypt_cbc( &ctx, v, 8, iv, buf, buf );
1049 else
1050 mbedtls_des3_crypt_cbc( &ctx3, v, 8, iv, buf, buf );
1051
1052 memcpy( tmp, prv, 8 );
1053 memcpy( prv, buf, 8 );
1054 memcpy( buf, tmp, 8 );
1055 }
1056
1057 memcpy( buf, prv, 8 );
1058 }
1059
1060 if( ( v == MBEDTLS_DES_DECRYPT &&
1061 memcmp( buf, des3_test_cbc_dec[u], 8 ) != 0 ) ||
1062 ( v != MBEDTLS_DES_DECRYPT &&
1063 memcmp( buf, des3_test_cbc_enc[u], 8 ) != 0 ) )
1064 {
1065 if( verbose != 0 )
1066 mbedtls_printf( "failed\n" );
1067
1068 ret = 1;
1069 goto exit;
1070 }
1071
1072 if( verbose != 0 )
1073 mbedtls_printf( "passed\n" );
1074 }
1075 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1076
1077 if( verbose != 0 )
1078 mbedtls_printf( "\n" );
1079
1080 exit:
1081 mbedtls_des_free( &ctx );
1082 mbedtls_des3_free( &ctx3 );
1083
1084 return( ret );
1085 }
1086
1087 #endif /* MBEDTLS_SELF_TEST */
1088
1089 #endif /* MBEDTLS_DES_C */
1090