1 /*
2 * FIPS-46-3 compliant Triple-DES implementation
3 *
4 * Copyright (C) 2006-2013, Brainspark B.V.
5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8 *
9 * All rights reserved.
10 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25 /*
26 * DES, on which TDES is based, was originally designed by Horst Feistel
27 * at IBM in 1974, and was adopted as a standard by NIST (formerly NBS).
28 *
29 * http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf
30 */
31
32 #include "des.h"
33
34 #if !defined(POLARSSL_DES_ALT)
35
36 /*
37 * 32-bit integer manipulation macros (big endian)
38 */
39 #ifndef GET_UINT32_BE
40 #define GET_UINT32_BE(n,b,i) \
41 { \
42 (n) = ( (uint32_t) (b)[(i) ] << 24 ) \
43 | ( (uint32_t) (b)[(i) + 1] << 16 ) \
44 | ( (uint32_t) (b)[(i) + 2] << 8 ) \
45 | ( (uint32_t) (b)[(i) + 3] ); \
46 }
47 #endif
48
49 #ifndef PUT_UINT32_BE
50 #define PUT_UINT32_BE(n,b,i) \
51 { \
52 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
53 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
54 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
55 (b)[(i) + 3] = (unsigned char) ( (n) ); \
56 }
57 #endif
58
59 /*
60 * Expanded DES S-boxes
61 */
62 static const uint32_t SB1[64] =
63 {
64 0x01010400, 0x00000000, 0x00010000, 0x01010404,
65 0x01010004, 0x00010404, 0x00000004, 0x00010000,
66 0x00000400, 0x01010400, 0x01010404, 0x00000400,
67 0x01000404, 0x01010004, 0x01000000, 0x00000004,
68 0x00000404, 0x01000400, 0x01000400, 0x00010400,
69 0x00010400, 0x01010000, 0x01010000, 0x01000404,
70 0x00010004, 0x01000004, 0x01000004, 0x00010004,
71 0x00000000, 0x00000404, 0x00010404, 0x01000000,
72 0x00010000, 0x01010404, 0x00000004, 0x01010000,
73 0x01010400, 0x01000000, 0x01000000, 0x00000400,
74 0x01010004, 0x00010000, 0x00010400, 0x01000004,
75 0x00000400, 0x00000004, 0x01000404, 0x00010404,
76 0x01010404, 0x00010004, 0x01010000, 0x01000404,
77 0x01000004, 0x00000404, 0x00010404, 0x01010400,
78 0x00000404, 0x01000400, 0x01000400, 0x00000000,
79 0x00010004, 0x00010400, 0x00000000, 0x01010004
80 };
81
82 static const uint32_t SB2[64] =
83 {
84 0x80108020, 0x80008000, 0x00008000, 0x00108020,
85 0x00100000, 0x00000020, 0x80100020, 0x80008020,
86 0x80000020, 0x80108020, 0x80108000, 0x80000000,
87 0x80008000, 0x00100000, 0x00000020, 0x80100020,
88 0x00108000, 0x00100020, 0x80008020, 0x00000000,
89 0x80000000, 0x00008000, 0x00108020, 0x80100000,
90 0x00100020, 0x80000020, 0x00000000, 0x00108000,
91 0x00008020, 0x80108000, 0x80100000, 0x00008020,
92 0x00000000, 0x00108020, 0x80100020, 0x00100000,
93 0x80008020, 0x80100000, 0x80108000, 0x00008000,
94 0x80100000, 0x80008000, 0x00000020, 0x80108020,
95 0x00108020, 0x00000020, 0x00008000, 0x80000000,
96 0x00008020, 0x80108000, 0x00100000, 0x80000020,
97 0x00100020, 0x80008020, 0x80000020, 0x00100020,
98 0x00108000, 0x00000000, 0x80008000, 0x00008020,
99 0x80000000, 0x80100020, 0x80108020, 0x00108000
100 };
101
102 static const uint32_t SB3[64] =
103 {
104 0x00000208, 0x08020200, 0x00000000, 0x08020008,
105 0x08000200, 0x00000000, 0x00020208, 0x08000200,
106 0x00020008, 0x08000008, 0x08000008, 0x00020000,
107 0x08020208, 0x00020008, 0x08020000, 0x00000208,
108 0x08000000, 0x00000008, 0x08020200, 0x00000200,
109 0x00020200, 0x08020000, 0x08020008, 0x00020208,
110 0x08000208, 0x00020200, 0x00020000, 0x08000208,
111 0x00000008, 0x08020208, 0x00000200, 0x08000000,
112 0x08020200, 0x08000000, 0x00020008, 0x00000208,
113 0x00020000, 0x08020200, 0x08000200, 0x00000000,
114 0x00000200, 0x00020008, 0x08020208, 0x08000200,
115 0x08000008, 0x00000200, 0x00000000, 0x08020008,
116 0x08000208, 0x00020000, 0x08000000, 0x08020208,
117 0x00000008, 0x00020208, 0x00020200, 0x08000008,
118 0x08020000, 0x08000208, 0x00000208, 0x08020000,
119 0x00020208, 0x00000008, 0x08020008, 0x00020200
120 };
121
122 static const uint32_t SB4[64] =
123 {
124 0x00802001, 0x00002081, 0x00002081, 0x00000080,
125 0x00802080, 0x00800081, 0x00800001, 0x00002001,
126 0x00000000, 0x00802000, 0x00802000, 0x00802081,
127 0x00000081, 0x00000000, 0x00800080, 0x00800001,
128 0x00000001, 0x00002000, 0x00800000, 0x00802001,
129 0x00000080, 0x00800000, 0x00002001, 0x00002080,
130 0x00800081, 0x00000001, 0x00002080, 0x00800080,
131 0x00002000, 0x00802080, 0x00802081, 0x00000081,
132 0x00800080, 0x00800001, 0x00802000, 0x00802081,
133 0x00000081, 0x00000000, 0x00000000, 0x00802000,
134 0x00002080, 0x00800080, 0x00800081, 0x00000001,
135 0x00802001, 0x00002081, 0x00002081, 0x00000080,
136 0x00802081, 0x00000081, 0x00000001, 0x00002000,
137 0x00800001, 0x00002001, 0x00802080, 0x00800081,
138 0x00002001, 0x00002080, 0x00800000, 0x00802001,
139 0x00000080, 0x00800000, 0x00002000, 0x00802080
140 };
141
142 static const uint32_t SB5[64] =
143 {
144 0x00000100, 0x02080100, 0x02080000, 0x42000100,
145 0x00080000, 0x00000100, 0x40000000, 0x02080000,
146 0x40080100, 0x00080000, 0x02000100, 0x40080100,
147 0x42000100, 0x42080000, 0x00080100, 0x40000000,
148 0x02000000, 0x40080000, 0x40080000, 0x00000000,
149 0x40000100, 0x42080100, 0x42080100, 0x02000100,
150 0x42080000, 0x40000100, 0x00000000, 0x42000000,
151 0x02080100, 0x02000000, 0x42000000, 0x00080100,
152 0x00080000, 0x42000100, 0x00000100, 0x02000000,
153 0x40000000, 0x02080000, 0x42000100, 0x40080100,
154 0x02000100, 0x40000000, 0x42080000, 0x02080100,
155 0x40080100, 0x00000100, 0x02000000, 0x42080000,
156 0x42080100, 0x00080100, 0x42000000, 0x42080100,
157 0x02080000, 0x00000000, 0x40080000, 0x42000000,
158 0x00080100, 0x02000100, 0x40000100, 0x00080000,
159 0x00000000, 0x40080000, 0x02080100, 0x40000100
160 };
161
162 static const uint32_t SB6[64] =
163 {
164 0x20000010, 0x20400000, 0x00004000, 0x20404010,
165 0x20400000, 0x00000010, 0x20404010, 0x00400000,
166 0x20004000, 0x00404010, 0x00400000, 0x20000010,
167 0x00400010, 0x20004000, 0x20000000, 0x00004010,
168 0x00000000, 0x00400010, 0x20004010, 0x00004000,
169 0x00404000, 0x20004010, 0x00000010, 0x20400010,
170 0x20400010, 0x00000000, 0x00404010, 0x20404000,
171 0x00004010, 0x00404000, 0x20404000, 0x20000000,
172 0x20004000, 0x00000010, 0x20400010, 0x00404000,
173 0x20404010, 0x00400000, 0x00004010, 0x20000010,
174 0x00400000, 0x20004000, 0x20000000, 0x00004010,
175 0x20000010, 0x20404010, 0x00404000, 0x20400000,
176 0x00404010, 0x20404000, 0x00000000, 0x20400010,
177 0x00000010, 0x00004000, 0x20400000, 0x00404010,
178 0x00004000, 0x00400010, 0x20004010, 0x00000000,
179 0x20404000, 0x20000000, 0x00400010, 0x20004010
180 };
181
182 static const uint32_t SB7[64] =
183 {
184 0x00200000, 0x04200002, 0x04000802, 0x00000000,
185 0x00000800, 0x04000802, 0x00200802, 0x04200800,
186 0x04200802, 0x00200000, 0x00000000, 0x04000002,
187 0x00000002, 0x04000000, 0x04200002, 0x00000802,
188 0x04000800, 0x00200802, 0x00200002, 0x04000800,
189 0x04000002, 0x04200000, 0x04200800, 0x00200002,
190 0x04200000, 0x00000800, 0x00000802, 0x04200802,
191 0x00200800, 0x00000002, 0x04000000, 0x00200800,
192 0x04000000, 0x00200800, 0x00200000, 0x04000802,
193 0x04000802, 0x04200002, 0x04200002, 0x00000002,
194 0x00200002, 0x04000000, 0x04000800, 0x00200000,
195 0x04200800, 0x00000802, 0x00200802, 0x04200800,
196 0x00000802, 0x04000002, 0x04200802, 0x04200000,
197 0x00200800, 0x00000000, 0x00000002, 0x04200802,
198 0x00000000, 0x00200802, 0x04200000, 0x00000800,
199 0x04000002, 0x04000800, 0x00000800, 0x00200002
200 };
201
202 static const uint32_t SB8[64] =
203 {
204 0x10001040, 0x00001000, 0x00040000, 0x10041040,
205 0x10000000, 0x10001040, 0x00000040, 0x10000000,
206 0x00040040, 0x10040000, 0x10041040, 0x00041000,
207 0x10041000, 0x00041040, 0x00001000, 0x00000040,
208 0x10040000, 0x10000040, 0x10001000, 0x00001040,
209 0x00041000, 0x00040040, 0x10040040, 0x10041000,
210 0x00001040, 0x00000000, 0x00000000, 0x10040040,
211 0x10000040, 0x10001000, 0x00041040, 0x00040000,
212 0x00041040, 0x00040000, 0x10041000, 0x00001000,
213 0x00000040, 0x10040040, 0x00001000, 0x00041040,
214 0x10001000, 0x00000040, 0x10000040, 0x10040000,
215 0x10040040, 0x10000000, 0x00040000, 0x10001040,
216 0x00000000, 0x10041040, 0x00040040, 0x10000040,
217 0x10040000, 0x10001000, 0x10001040, 0x00000000,
218 0x10041040, 0x00041000, 0x00041000, 0x00001040,
219 0x00001040, 0x00040040, 0x10000000, 0x10041000
220 };
221
222 /*
223 * PC1: left and right halves bit-swap
224 */
225 static const uint32_t LHs[16] =
226 {
227 0x00000000, 0x00000001, 0x00000100, 0x00000101,
228 0x00010000, 0x00010001, 0x00010100, 0x00010101,
229 0x01000000, 0x01000001, 0x01000100, 0x01000101,
230 0x01010000, 0x01010001, 0x01010100, 0x01010101
231 };
232
233 static const uint32_t RHs[16] =
234 {
235 0x00000000, 0x01000000, 0x00010000, 0x01010000,
236 0x00000100, 0x01000100, 0x00010100, 0x01010100,
237 0x00000001, 0x01000001, 0x00010001, 0x01010001,
238 0x00000101, 0x01000101, 0x00010101, 0x01010101,
239 };
240
241 /*
242 * Initial Permutation macro
243 */
244 #define DES_IP(X,Y) \
245 { \
246 T = ((X >> 4) ^ Y) & 0x0F0F0F0F; Y ^= T; X ^= (T << 4); \
247 T = ((X >> 16) ^ Y) & 0x0000FFFF; Y ^= T; X ^= (T << 16); \
248 T = ((Y >> 2) ^ X) & 0x33333333; X ^= T; Y ^= (T << 2); \
249 T = ((Y >> 8) ^ X) & 0x00FF00FF; X ^= T; Y ^= (T << 8); \
250 Y = ((Y << 1) | (Y >> 31)) & 0xFFFFFFFF; \
251 T = (X ^ Y) & 0xAAAAAAAA; Y ^= T; X ^= T; \
252 X = ((X << 1) | (X >> 31)) & 0xFFFFFFFF; \
253 }
254
255 /*
256 * Final Permutation macro
257 */
258 #define DES_FP(X,Y) \
259 { \
260 X = ((X << 31) | (X >> 1)) & 0xFFFFFFFF; \
261 T = (X ^ Y) & 0xAAAAAAAA; X ^= T; Y ^= T; \
262 Y = ((Y << 31) | (Y >> 1)) & 0xFFFFFFFF; \
263 T = ((Y >> 8) ^ X) & 0x00FF00FF; X ^= T; Y ^= (T << 8); \
264 T = ((Y >> 2) ^ X) & 0x33333333; X ^= T; Y ^= (T << 2); \
265 T = ((X >> 16) ^ Y) & 0x0000FFFF; Y ^= T; X ^= (T << 16); \
266 T = ((X >> 4) ^ Y) & 0x0F0F0F0F; Y ^= T; X ^= (T << 4); \
267 }
268
269 /*
270 * DES round macro
271 */
272 #define DES_ROUND(X,Y) \
273 { \
274 T = *SK++ ^ X; \
275 Y ^= SB8[ (T ) & 0x3F ] ^ \
276 SB6[ (T >> 8) & 0x3F ] ^ \
277 SB4[ (T >> 16) & 0x3F ] ^ \
278 SB2[ (T >> 24) & 0x3F ]; \
279 \
280 T = *SK++ ^ ((X << 28) | (X >> 4)); \
281 Y ^= SB7[ (T ) & 0x3F ] ^ \
282 SB5[ (T >> 8) & 0x3F ] ^ \
283 SB3[ (T >> 16) & 0x3F ] ^ \
284 SB1[ (T >> 24) & 0x3F ]; \
285 }
286
287 #define SWAP(a,b) { uint32_t t = a; a = b; b = t; t = 0; }
288
289 static const unsigned char odd_parity_table[128] = { 1, 2, 4, 7, 8,
290 11, 13, 14, 16, 19, 21, 22, 25, 26, 28, 31, 32, 35, 37, 38, 41, 42, 44,
291 47, 49, 50, 52, 55, 56, 59, 61, 62, 64, 67, 69, 70, 73, 74, 76, 79, 81,
292 82, 84, 87, 88, 91, 93, 94, 97, 98, 100, 103, 104, 107, 109, 110, 112,
293 115, 117, 118, 121, 122, 124, 127, 128, 131, 133, 134, 137, 138, 140,
294 143, 145, 146, 148, 151, 152, 155, 157, 158, 161, 162, 164, 167, 168,
295 171, 173, 174, 176, 179, 181, 182, 185, 186, 188, 191, 193, 194, 196,
296 199, 200, 203, 205, 206, 208, 211, 213, 214, 217, 218, 220, 223, 224,
297 227, 229, 230, 233, 234, 236, 239, 241, 242, 244, 247, 248, 251, 253,
298 254 };
299
des_key_set_parity(unsigned char key[DES_KEY_SIZE])300 void des_key_set_parity( unsigned char key[DES_KEY_SIZE] )
301 {
302 int i;
303
304 for( i = 0; i < DES_KEY_SIZE; i++ )
305 key[i] = odd_parity_table[key[i] / 2];
306 }
307
308 /*
309 * Check the given key's parity, returns 1 on failure, 0 on SUCCESS
310 */
des_key_check_key_parity(const unsigned char key[DES_KEY_SIZE])311 int des_key_check_key_parity( const unsigned char key[DES_KEY_SIZE] )
312 {
313 int i;
314
315 for( i = 0; i < DES_KEY_SIZE; i++ )
316 if ( key[i] != odd_parity_table[key[i] / 2] )
317 return( 1 );
318
319 return( 0 );
320 }
321
322 /*
323 * Table of weak and semi-weak keys
324 *
325 * Source: http://en.wikipedia.org/wiki/Weak_key
326 *
327 * Weak:
328 * Alternating ones + zeros (0x0101010101010101)
329 * Alternating 'F' + 'E' (0xFEFEFEFEFEFEFEFE)
330 * '0xE0E0E0E0F1F1F1F1'
331 * '0x1F1F1F1F0E0E0E0E'
332 *
333 * Semi-weak:
334 * 0x011F011F010E010E and 0x1F011F010E010E01
335 * 0x01E001E001F101F1 and 0xE001E001F101F101
336 * 0x01FE01FE01FE01FE and 0xFE01FE01FE01FE01
337 * 0x1FE01FE00EF10EF1 and 0xE01FE01FF10EF10E
338 * 0x1FFE1FFE0EFE0EFE and 0xFE1FFE1FFE0EFE0E
339 * 0xE0FEE0FEF1FEF1FE and 0xFEE0FEE0FEF1FEF1
340 *
341 */
342
343 #define WEAK_KEY_COUNT 16
344
345 static const unsigned char weak_key_table[WEAK_KEY_COUNT][DES_KEY_SIZE] =
346 {
347 { 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 },
348 { 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE },
349 { 0x1F, 0x1F, 0x1F, 0x1F, 0x0E, 0x0E, 0x0E, 0x0E },
350 { 0xE0, 0xE0, 0xE0, 0xE0, 0xF1, 0xF1, 0xF1, 0xF1 },
351
352 { 0x01, 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E },
353 { 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E, 0x01 },
354 { 0x01, 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1 },
355 { 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1, 0x01 },
356 { 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE },
357 { 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01 },
358 { 0x1F, 0xE0, 0x1F, 0xE0, 0x0E, 0xF1, 0x0E, 0xF1 },
359 { 0xE0, 0x1F, 0xE0, 0x1F, 0xF1, 0x0E, 0xF1, 0x0E },
360 { 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E, 0xFE },
361 { 0xFE, 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E },
362 { 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1, 0xFE },
363 { 0xFE, 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1 }
364 };
365
des_key_check_weak(const unsigned char key[DES_KEY_SIZE])366 int des_key_check_weak( const unsigned char key[DES_KEY_SIZE] )
367 {
368 int i;
369
370 for( i = 0; i < WEAK_KEY_COUNT; i++ )
371 if( memcmp( weak_key_table[i], key, DES_KEY_SIZE) == 0)
372 return( 1 );
373
374 return( 0 );
375 }
376
des_setkey(uint32_t SK[32],const unsigned char key[DES_KEY_SIZE])377 static void des_setkey( uint32_t SK[32], const unsigned char key[DES_KEY_SIZE] )
378 {
379 int i;
380 uint32_t X, Y, T;
381
382 GET_UINT32_BE( X, key, 0 );
383 GET_UINT32_BE( Y, key, 4 );
384
385 /*
386 * Permuted Choice 1
387 */
388 T = ((Y >> 4) ^ X) & 0x0F0F0F0F; X ^= T; Y ^= (T << 4);
389 T = ((Y ) ^ X) & 0x10101010; X ^= T; Y ^= (T );
390
391 X = (LHs[ (X ) & 0xF] << 3) | (LHs[ (X >> 8) & 0xF ] << 2)
392 | (LHs[ (X >> 16) & 0xF] << 1) | (LHs[ (X >> 24) & 0xF ] )
393 | (LHs[ (X >> 5) & 0xF] << 7) | (LHs[ (X >> 13) & 0xF ] << 6)
394 | (LHs[ (X >> 21) & 0xF] << 5) | (LHs[ (X >> 29) & 0xF ] << 4);
395
396 Y = (RHs[ (Y >> 1) & 0xF] << 3) | (RHs[ (Y >> 9) & 0xF ] << 2)
397 | (RHs[ (Y >> 17) & 0xF] << 1) | (RHs[ (Y >> 25) & 0xF ] )
398 | (RHs[ (Y >> 4) & 0xF] << 7) | (RHs[ (Y >> 12) & 0xF ] << 6)
399 | (RHs[ (Y >> 20) & 0xF] << 5) | (RHs[ (Y >> 28) & 0xF ] << 4);
400
401 X &= 0x0FFFFFFF;
402 Y &= 0x0FFFFFFF;
403
404 /*
405 * calculate subkeys
406 */
407 for( i = 0; i < 16; i++ )
408 {
409 if( i < 2 || i == 8 || i == 15 )
410 {
411 X = ((X << 1) | (X >> 27)) & 0x0FFFFFFF;
412 Y = ((Y << 1) | (Y >> 27)) & 0x0FFFFFFF;
413 }
414 else
415 {
416 X = ((X << 2) | (X >> 26)) & 0x0FFFFFFF;
417 Y = ((Y << 2) | (Y >> 26)) & 0x0FFFFFFF;
418 }
419
420 *SK++ = ((X << 4) & 0x24000000) | ((X << 28) & 0x10000000)
421 | ((X << 14) & 0x08000000) | ((X << 18) & 0x02080000)
422 | ((X << 6) & 0x01000000) | ((X << 9) & 0x00200000)
423 | ((X >> 1) & 0x00100000) | ((X << 10) & 0x00040000)
424 | ((X << 2) & 0x00020000) | ((X >> 10) & 0x00010000)
425 | ((Y >> 13) & 0x00002000) | ((Y >> 4) & 0x00001000)
426 | ((Y << 6) & 0x00000800) | ((Y >> 1) & 0x00000400)
427 | ((Y >> 14) & 0x00000200) | ((Y ) & 0x00000100)
428 | ((Y >> 5) & 0x00000020) | ((Y >> 10) & 0x00000010)
429 | ((Y >> 3) & 0x00000008) | ((Y >> 18) & 0x00000004)
430 | ((Y >> 26) & 0x00000002) | ((Y >> 24) & 0x00000001);
431
432 *SK++ = ((X << 15) & 0x20000000) | ((X << 17) & 0x10000000)
433 | ((X << 10) & 0x08000000) | ((X << 22) & 0x04000000)
434 | ((X >> 2) & 0x02000000) | ((X << 1) & 0x01000000)
435 | ((X << 16) & 0x00200000) | ((X << 11) & 0x00100000)
436 | ((X << 3) & 0x00080000) | ((X >> 6) & 0x00040000)
437 | ((X << 15) & 0x00020000) | ((X >> 4) & 0x00010000)
438 | ((Y >> 2) & 0x00002000) | ((Y << 8) & 0x00001000)
439 | ((Y >> 14) & 0x00000808) | ((Y >> 9) & 0x00000400)
440 | ((Y ) & 0x00000200) | ((Y << 7) & 0x00000100)
441 | ((Y >> 7) & 0x00000020) | ((Y >> 3) & 0x00000011)
442 | ((Y << 2) & 0x00000004) | ((Y >> 21) & 0x00000002);
443 }
444 }
445
446 /*
447 * DES key schedule (56-bit, encryption)
448 */
des_setkey_enc(des_context * ctx,const unsigned char key[DES_KEY_SIZE])449 int des_setkey_enc( des_context *ctx, const unsigned char key[DES_KEY_SIZE] )
450 {
451 des_setkey( ctx->sk, key );
452
453 return( 0 );
454 }
455
456 /*
457 * DES key schedule (56-bit, decryption)
458 */
des_setkey_dec(des_context * ctx,const unsigned char key[DES_KEY_SIZE])459 int des_setkey_dec( des_context *ctx, const unsigned char key[DES_KEY_SIZE] )
460 {
461 int i;
462
463 des_setkey( ctx->sk, key );
464
465 for( i = 0; i < 16; i += 2 )
466 {
467 SWAP( ctx->sk[i ], ctx->sk[30 - i] );
468 SWAP( ctx->sk[i + 1], ctx->sk[31 - i] );
469 }
470
471 return( 0 );
472 }
473
des3_set2key(uint32_t esk[96],uint32_t dsk[96],const unsigned char key[DES_KEY_SIZE * 2])474 static void des3_set2key( uint32_t esk[96],
475 uint32_t dsk[96],
476 const unsigned char key[DES_KEY_SIZE*2] )
477 {
478 int i;
479
480 des_setkey( esk, key );
481 des_setkey( dsk + 32, key + 8 );
482
483 for( i = 0; i < 32; i += 2 )
484 {
485 dsk[i ] = esk[30 - i];
486 dsk[i + 1] = esk[31 - i];
487
488 esk[i + 32] = dsk[62 - i];
489 esk[i + 33] = dsk[63 - i];
490
491 esk[i + 64] = esk[i ];
492 esk[i + 65] = esk[i + 1];
493
494 dsk[i + 64] = dsk[i ];
495 dsk[i + 65] = dsk[i + 1];
496 }
497 }
498
499 /*
500 * Triple-DES key schedule (112-bit, encryption)
501 */
des3_set2key_enc(des3_context * ctx,const unsigned char key[DES_KEY_SIZE * 2])502 int des3_set2key_enc( des3_context *ctx, const unsigned char key[DES_KEY_SIZE * 2] )
503 {
504 uint32_t sk[96];
505
506 des3_set2key( ctx->sk, sk, key );
507 memset( sk, 0, sizeof( sk ) );
508
509 return( 0 );
510 }
511
512 /*
513 * Triple-DES key schedule (112-bit, decryption)
514 */
des3_set2key_dec(des3_context * ctx,const unsigned char key[DES_KEY_SIZE * 2])515 int des3_set2key_dec( des3_context *ctx, const unsigned char key[DES_KEY_SIZE * 2] )
516 {
517 uint32_t sk[96];
518
519 des3_set2key( sk, ctx->sk, key );
520 memset( sk, 0, sizeof( sk ) );
521
522 return( 0 );
523 }
524
des3_set3key(uint32_t esk[96],uint32_t dsk[96],const unsigned char key[24])525 static void des3_set3key( uint32_t esk[96],
526 uint32_t dsk[96],
527 const unsigned char key[24] )
528 {
529 int i;
530
531 des_setkey( esk, key );
532 des_setkey( dsk + 32, key + 8 );
533 des_setkey( esk + 64, key + 16 );
534
535 for( i = 0; i < 32; i += 2 )
536 {
537 dsk[i ] = esk[94 - i];
538 dsk[i + 1] = esk[95 - i];
539
540 esk[i + 32] = dsk[62 - i];
541 esk[i + 33] = dsk[63 - i];
542
543 dsk[i + 64] = esk[30 - i];
544 dsk[i + 65] = esk[31 - i];
545 }
546 }
547
548 /*
549 * Triple-DES key schedule (168-bit, encryption)
550 */
des3_set3key_enc(des3_context * ctx,const unsigned char key[DES_KEY_SIZE * 3])551 int des3_set3key_enc( des3_context *ctx, const unsigned char key[DES_KEY_SIZE * 3] )
552 {
553 uint32_t sk[96];
554
555 des3_set3key( ctx->sk, sk, key );
556 memset( sk, 0, sizeof( sk ) );
557
558 return( 0 );
559 }
560
561 /*
562 * Triple-DES key schedule (168-bit, decryption)
563 */
des3_set3key_dec(des3_context * ctx,const unsigned char key[DES_KEY_SIZE * 3])564 int des3_set3key_dec( des3_context *ctx, const unsigned char key[DES_KEY_SIZE * 3] )
565 {
566 uint32_t sk[96];
567
568 des3_set3key( sk, ctx->sk, key );
569 memset( sk, 0, sizeof( sk ) );
570
571 return( 0 );
572 }
573
574 /*
575 * DES-ECB block encryption/decryption
576 */
des_crypt_ecb(des_context * ctx,const unsigned char input[8],unsigned char output[8])577 int des_crypt_ecb( des_context *ctx,
578 const unsigned char input[8],
579 unsigned char output[8] )
580 {
581 int i;
582 uint32_t X, Y, T, *SK;
583
584 SK = ctx->sk;
585
586 GET_UINT32_BE( X, input, 0 );
587 GET_UINT32_BE( Y, input, 4 );
588
589 DES_IP( X, Y );
590
591 for( i = 0; i < 8; i++ )
592 {
593 DES_ROUND( Y, X );
594 DES_ROUND( X, Y );
595 }
596
597 DES_FP( Y, X );
598
599 PUT_UINT32_BE( Y, output, 0 );
600 PUT_UINT32_BE( X, output, 4 );
601
602 return( 0 );
603 }
604
605 /*
606 * DES-CBC buffer encryption/decryption
607 */
des_crypt_cbc(des_context * ctx,int mode,size_t length,unsigned char iv[8],const unsigned char * input,unsigned char * output)608 int des_crypt_cbc( des_context *ctx,
609 int mode,
610 size_t length,
611 unsigned char iv[8],
612 const unsigned char *input,
613 unsigned char *output )
614 {
615 int i;
616 unsigned char temp[8];
617
618 if( length % 8 )
619 return( POLARSSL_ERR_DES_INVALID_INPUT_LENGTH );
620
621 if( mode == DES_ENCRYPT )
622 {
623 while( length > 0 )
624 {
625 for( i = 0; i < 8; i++ )
626 output[i] = (unsigned char)( input[i] ^ iv[i] );
627
628 des_crypt_ecb( ctx, output, output );
629 memcpy( iv, output, 8 );
630
631 input += 8;
632 output += 8;
633 length -= 8;
634 }
635 }
636 else /* DES_DECRYPT */
637 {
638 while( length > 0 )
639 {
640 memcpy( temp, input, 8 );
641 des_crypt_ecb( ctx, input, output );
642
643 for( i = 0; i < 8; i++ )
644 output[i] = (unsigned char)( output[i] ^ iv[i] );
645
646 memcpy( iv, temp, 8 );
647
648 input += 8;
649 output += 8;
650 length -= 8;
651 }
652 }
653
654 return( 0 );
655 }
656 #endif /* POLARSSL_CIPHER_MODE_CBC */
657
658 /*
659 * 3DES-ECB block encryption/decryption
660 */
des3_crypt_ecb(des3_context * ctx,const unsigned char input[8],unsigned char output[8])661 int des3_crypt_ecb( des3_context *ctx,
662 const unsigned char input[8],
663 unsigned char output[8] )
664 {
665 int i;
666 uint32_t X, Y, T, *SK;
667
668 SK = ctx->sk;
669
670 GET_UINT32_BE( X, input, 0 );
671 GET_UINT32_BE( Y, input, 4 );
672
673 DES_IP( X, Y );
674
675 for( i = 0; i < 8; i++ )
676 {
677 DES_ROUND( Y, X );
678 DES_ROUND( X, Y );
679 }
680
681 for( i = 0; i < 8; i++ )
682 {
683 DES_ROUND( X, Y );
684 DES_ROUND( Y, X );
685 }
686
687 for( i = 0; i < 8; i++ )
688 {
689 DES_ROUND( Y, X );
690 DES_ROUND( X, Y );
691 }
692
693 DES_FP( Y, X );
694
695 PUT_UINT32_BE( Y, output, 0 );
696 PUT_UINT32_BE( X, output, 4 );
697
698 return( 0 );
699 }
700
701 /*
702 * 3DES-CBC buffer encryption/decryption
703 */
des3_crypt_cbc(des3_context * ctx,int mode,size_t length,unsigned char iv[8],const unsigned char * input,unsigned char * output)704 int des3_crypt_cbc( des3_context *ctx,
705 int mode,
706 size_t length,
707 unsigned char iv[8],
708 const unsigned char *input,
709 unsigned char *output )
710 {
711 int i;
712 unsigned char temp[8];
713
714 if( length % 8 )
715 return( POLARSSL_ERR_DES_INVALID_INPUT_LENGTH );
716
717 if( mode == DES_ENCRYPT )
718 {
719 while( length > 0 )
720 {
721 for( i = 0; i < 8; i++ )
722 output[i] = (unsigned char)( input[i] ^ iv[i] );
723
724 des3_crypt_ecb( ctx, output, output );
725 memcpy( iv, output, 8 );
726
727 input += 8;
728 output += 8;
729 length -= 8;
730 }
731 }
732 else /* DES_DECRYPT */
733 {
734 while( length > 0 )
735 {
736 memcpy( temp, input, 8 );
737 des3_crypt_ecb( ctx, input, output );
738
739 for( i = 0; i < 8; i++ )
740 output[i] = (unsigned char)( output[i] ^ iv[i] );
741
742 memcpy( iv, temp, 8 );
743
744 input += 8;
745 output += 8;
746 length -= 8;
747 }
748 }
749
750 return( 0 );
751 }
752
753 #if defined(POLARSSL_SELF_TEST)
754
755 #include <stdio.h>
756
757 /*
758 * DES and 3DES test vectors from:
759 *
760 * http://csrc.nist.gov/groups/STM/cavp/documents/des/tripledes-vectors.zip
761 */
762 static const unsigned char des3_test_keys[24] =
763 {
764 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF,
765 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01,
766 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01, 0x23
767 };
768
769 static const unsigned char des3_test_iv[8] =
770 {
771 0x12, 0x34, 0x56, 0x78, 0x90, 0xAB, 0xCD, 0xEF,
772 };
773
774 static const unsigned char des3_test_buf[8] =
775 {
776 0x4E, 0x6F, 0x77, 0x20, 0x69, 0x73, 0x20, 0x74
777 };
778
779 static const unsigned char des3_test_ecb_dec[3][8] =
780 {
781 { 0xCD, 0xD6, 0x4F, 0x2F, 0x94, 0x27, 0xC1, 0x5D },
782 { 0x69, 0x96, 0xC8, 0xFA, 0x47, 0xA2, 0xAB, 0xEB },
783 { 0x83, 0x25, 0x39, 0x76, 0x44, 0x09, 0x1A, 0x0A }
784 };
785
786 static const unsigned char des3_test_ecb_enc[3][8] =
787 {
788 { 0x6A, 0x2A, 0x19, 0xF4, 0x1E, 0xCA, 0x85, 0x4B },
789 { 0x03, 0xE6, 0x9F, 0x5B, 0xFA, 0x58, 0xEB, 0x42 },
790 { 0xDD, 0x17, 0xE8, 0xB8, 0xB4, 0x37, 0xD2, 0x32 }
791 };
792
793 static const unsigned char des3_test_cbc_dec[3][8] =
794 {
795 { 0x12, 0x9F, 0x40, 0xB9, 0xD2, 0x00, 0x56, 0xB3 },
796 { 0x47, 0x0E, 0xFC, 0x9A, 0x6B, 0x8E, 0xE3, 0x93 },
797 { 0xC5, 0xCE, 0xCF, 0x63, 0xEC, 0xEC, 0x51, 0x4C }
798 };
799
800 static const unsigned char des3_test_cbc_enc[3][8] =
801 {
802 { 0x54, 0xF1, 0x5A, 0xF6, 0xEB, 0xE3, 0xA4, 0xB4 },
803 { 0x35, 0x76, 0x11, 0x56, 0x5F, 0xA1, 0x8E, 0x4D },
804 { 0xCB, 0x19, 0x1F, 0x85, 0xD1, 0xED, 0x84, 0x39 }
805 };
806
807 /*
808 * Checkup routine
809 */
des_self_test(int verbose)810 int des_self_test( int verbose )
811 {
812 int i, j, u, v;
813 des_context ctx;
814 des3_context ctx3;
815 unsigned char key[24];
816 unsigned char buf[8];
817 #if defined(POLARSSL_CIPHER_MODE_CBC)
818 unsigned char prv[8];
819 unsigned char iv[8];
820 #endif
821
822 memset( key, 0, 24 );
823
824 /*
825 * ECB mode
826 */
827 for( i = 0; i < 6; i++ )
828 {
829 u = i >> 1;
830 v = i & 1;
831
832 if( verbose != 0 )
833 printf( " DES%c-ECB-%3d (%s): ",
834 ( u == 0 ) ? ' ' : '3', 56 + u * 56,
835 ( v == DES_DECRYPT ) ? "dec" : "enc" );
836
837 memcpy( buf, des3_test_buf, 8 );
838
839 switch( i )
840 {
841 case 0:
842 des_setkey_dec( &ctx, des3_test_keys );
843 break;
844
845 case 1:
846 des_setkey_enc( &ctx, des3_test_keys );
847 break;
848
849 case 2:
850 des3_set2key_dec( &ctx3, des3_test_keys );
851 break;
852
853 case 3:
854 des3_set2key_enc( &ctx3, des3_test_keys );
855 break;
856
857 case 4:
858 des3_set3key_dec( &ctx3, des3_test_keys );
859 break;
860
861 case 5:
862 des3_set3key_enc( &ctx3, des3_test_keys );
863 break;
864
865 default:
866 return( 1 );
867 }
868
869 for( j = 0; j < 10000; j++ )
870 {
871 if( u == 0 )
872 des_crypt_ecb( &ctx, buf, buf );
873 else
874 des3_crypt_ecb( &ctx3, buf, buf );
875 }
876
877 if( ( v == DES_DECRYPT &&
878 memcmp( buf, des3_test_ecb_dec[u], 8 ) != 0 ) ||
879 ( v != DES_DECRYPT &&
880 memcmp( buf, des3_test_ecb_enc[u], 8 ) != 0 ) )
881 {
882 if( verbose != 0 )
883 printf( "failed\n" );
884
885 return( 1 );
886 }
887
888 if( verbose != 0 )
889 printf( "passed\n" );
890 }
891
892 if( verbose != 0 )
893 printf( "\n" );
894
895 #if defined(POLARSSL_CIPHER_MODE_CBC)
896 /*
897 * CBC mode
898 */
899 for( i = 0; i < 6; i++ )
900 {
901 u = i >> 1;
902 v = i & 1;
903
904 if( verbose != 0 )
905 printf( " DES%c-CBC-%3d (%s): ",
906 ( u == 0 ) ? ' ' : '3', 56 + u * 56,
907 ( v == DES_DECRYPT ) ? "dec" : "enc" );
908
909 memcpy( iv, des3_test_iv, 8 );
910 memcpy( prv, des3_test_iv, 8 );
911 memcpy( buf, des3_test_buf, 8 );
912
913 switch( i )
914 {
915 case 0:
916 des_setkey_dec( &ctx, des3_test_keys );
917 break;
918
919 case 1:
920 des_setkey_enc( &ctx, des3_test_keys );
921 break;
922
923 case 2:
924 des3_set2key_dec( &ctx3, des3_test_keys );
925 break;
926
927 case 3:
928 des3_set2key_enc( &ctx3, des3_test_keys );
929 break;
930
931 case 4:
932 des3_set3key_dec( &ctx3, des3_test_keys );
933 break;
934
935 case 5:
936 des3_set3key_enc( &ctx3, des3_test_keys );
937 break;
938
939 default:
940 return( 1 );
941 }
942
943 if( v == DES_DECRYPT )
944 {
945 for( j = 0; j < 10000; j++ )
946 {
947 if( u == 0 )
948 des_crypt_cbc( &ctx, v, 8, iv, buf, buf );
949 else
950 des3_crypt_cbc( &ctx3, v, 8, iv, buf, buf );
951 }
952 }
953 else
954 {
955 for( j = 0; j < 10000; j++ )
956 {
957 unsigned char tmp[8];
958
959 if( u == 0 )
960 des_crypt_cbc( &ctx, v, 8, iv, buf, buf );
961 else
962 des3_crypt_cbc( &ctx3, v, 8, iv, buf, buf );
963
964 memcpy( tmp, prv, 8 );
965 memcpy( prv, buf, 8 );
966 memcpy( buf, tmp, 8 );
967 }
968
969 memcpy( buf, prv, 8 );
970 }
971
972 if( ( v == DES_DECRYPT &&
973 memcmp( buf, des3_test_cbc_dec[u], 8 ) != 0 ) ||
974 ( v != DES_DECRYPT &&
975 memcmp( buf, des3_test_cbc_enc[u], 8 ) != 0 ) )
976 {
977 if( verbose != 0 )
978 printf( "failed\n" );
979
980 return( 1 );
981 }
982
983 if( verbose != 0 )
984 printf( "passed\n" );
985 }
986 #endif /* POLARSSL_CIPHER_MODE_CBC */
987
988 if( verbose != 0 )
989 printf( "\n" );
990
991 return( 0 );
992 }
993
994 #endif