1 /* 2 * FIPS-46-3 compliant Triple-DES implementation 3 * 4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 5 * SPDX-License-Identifier: GPL-2.0 6 * 7 * This program is free software; you can redistribute it and/or modify 8 * it under the terms of the GNU General Public License as published by 9 * the Free Software Foundation; either version 2 of the License, or 10 * (at your option) any later version. 11 * 12 * This program is distributed in the hope that it will be useful, 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 * GNU General Public License for more details. 16 * 17 * You should have received a copy of the GNU General Public License along 18 * with this program; if not, write to the Free Software Foundation, Inc., 19 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * This file is part of mbed TLS (https://tls.mbed.org) 22 */ 23 /* 24 * DES, on which TDES is based, was originally designed by Horst Feistel 25 * at IBM in 1974, and was adopted as a standard by NIST (formerly NBS). 26 * 27 * http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf 28 */ 29 30 #if !defined(MBEDTLS_CONFIG_FILE) 31 #include "mbedtls/config.h" 32 #else 33 #include MBEDTLS_CONFIG_FILE 34 #endif 35 36 #if defined(MBEDTLS_DES_C) 37 38 #include "mbedtls/des.h" 39 40 #include <string.h> 41 42 #if defined(MBEDTLS_SELF_TEST) 43 #if defined(MBEDTLS_PLATFORM_C) 44 #include "mbedtls/platform.h" 45 #else 46 #include <stdio.h> 47 #define mbedtls_printf printf 48 #endif /* MBEDTLS_PLATFORM_C */ 49 #endif /* MBEDTLS_SELF_TEST */ 50 51 #if !defined(MBEDTLS_DES_ALT) 52 53 /* Implementation that should never be optimized out by the compiler */ 54 static void mbedtls_zeroize( void *v, size_t n ) { 55 volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0; 56 } 57 58 /* 59 * 32-bit integer manipulation macros (big endian) 60 */ 61 #ifndef GET_UINT32_BE 62 #define GET_UINT32_BE(n,b,i) \ 63 { \ 64 (n) = ( (uint32_t) (b)[(i) ] << 24 ) \ 65 | ( (uint32_t) (b)[(i) + 1] << 16 ) \ 66 | ( (uint32_t) (b)[(i) + 2] << 8 ) \ 67 | ( (uint32_t) (b)[(i) + 3] ); \ 68 } 69 #endif 70 71 #ifndef PUT_UINT32_BE 72 #define PUT_UINT32_BE(n,b,i) \ 73 { \ 74 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \ 75 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \ 76 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \ 77 (b)[(i) + 3] = (unsigned char) ( (n) ); \ 78 } 79 #endif 80 81 /* 82 * Expanded DES S-boxes 83 */ 84 static const uint32_t SB1[64] = 85 { 86 0x01010400, 0x00000000, 0x00010000, 0x01010404, 87 0x01010004, 0x00010404, 0x00000004, 0x00010000, 88 0x00000400, 0x01010400, 0x01010404, 0x00000400, 89 0x01000404, 0x01010004, 0x01000000, 0x00000004, 90 0x00000404, 0x01000400, 0x01000400, 0x00010400, 91 0x00010400, 0x01010000, 0x01010000, 0x01000404, 92 0x00010004, 0x01000004, 0x01000004, 0x00010004, 93 0x00000000, 0x00000404, 0x00010404, 0x01000000, 94 0x00010000, 0x01010404, 0x00000004, 0x01010000, 95 0x01010400, 0x01000000, 0x01000000, 0x00000400, 96 0x01010004, 0x00010000, 0x00010400, 0x01000004, 97 0x00000400, 0x00000004, 0x01000404, 0x00010404, 98 0x01010404, 0x00010004, 0x01010000, 0x01000404, 99 0x01000004, 0x00000404, 0x00010404, 0x01010400, 100 0x00000404, 0x01000400, 0x01000400, 0x00000000, 101 0x00010004, 0x00010400, 0x00000000, 0x01010004 102 }; 103 104 static const uint32_t SB2[64] = 105 { 106 0x80108020, 0x80008000, 0x00008000, 0x00108020, 107 0x00100000, 0x00000020, 0x80100020, 0x80008020, 108 0x80000020, 0x80108020, 0x80108000, 0x80000000, 109 0x80008000, 0x00100000, 0x00000020, 0x80100020, 110 0x00108000, 0x00100020, 0x80008020, 0x00000000, 111 0x80000000, 0x00008000, 0x00108020, 0x80100000, 112 0x00100020, 0x80000020, 0x00000000, 0x00108000, 113 0x00008020, 0x80108000, 0x80100000, 0x00008020, 114 0x00000000, 0x00108020, 0x80100020, 0x00100000, 115 0x80008020, 0x80100000, 0x80108000, 0x00008000, 116 0x80100000, 0x80008000, 0x00000020, 0x80108020, 117 0x00108020, 0x00000020, 0x00008000, 0x80000000, 118 0x00008020, 0x80108000, 0x00100000, 0x80000020, 119 0x00100020, 0x80008020, 0x80000020, 0x00100020, 120 0x00108000, 0x00000000, 0x80008000, 0x00008020, 121 0x80000000, 0x80100020, 0x80108020, 0x00108000 122 }; 123 124 static const uint32_t SB3[64] = 125 { 126 0x00000208, 0x08020200, 0x00000000, 0x08020008, 127 0x08000200, 0x00000000, 0x00020208, 0x08000200, 128 0x00020008, 0x08000008, 0x08000008, 0x00020000, 129 0x08020208, 0x00020008, 0x08020000, 0x00000208, 130 0x08000000, 0x00000008, 0x08020200, 0x00000200, 131 0x00020200, 0x08020000, 0x08020008, 0x00020208, 132 0x08000208, 0x00020200, 0x00020000, 0x08000208, 133 0x00000008, 0x08020208, 0x00000200, 0x08000000, 134 0x08020200, 0x08000000, 0x00020008, 0x00000208, 135 0x00020000, 0x08020200, 0x08000200, 0x00000000, 136 0x00000200, 0x00020008, 0x08020208, 0x08000200, 137 0x08000008, 0x00000200, 0x00000000, 0x08020008, 138 0x08000208, 0x00020000, 0x08000000, 0x08020208, 139 0x00000008, 0x00020208, 0x00020200, 0x08000008, 140 0x08020000, 0x08000208, 0x00000208, 0x08020000, 141 0x00020208, 0x00000008, 0x08020008, 0x00020200 142 }; 143 144 static const uint32_t SB4[64] = 145 { 146 0x00802001, 0x00002081, 0x00002081, 0x00000080, 147 0x00802080, 0x00800081, 0x00800001, 0x00002001, 148 0x00000000, 0x00802000, 0x00802000, 0x00802081, 149 0x00000081, 0x00000000, 0x00800080, 0x00800001, 150 0x00000001, 0x00002000, 0x00800000, 0x00802001, 151 0x00000080, 0x00800000, 0x00002001, 0x00002080, 152 0x00800081, 0x00000001, 0x00002080, 0x00800080, 153 0x00002000, 0x00802080, 0x00802081, 0x00000081, 154 0x00800080, 0x00800001, 0x00802000, 0x00802081, 155 0x00000081, 0x00000000, 0x00000000, 0x00802000, 156 0x00002080, 0x00800080, 0x00800081, 0x00000001, 157 0x00802001, 0x00002081, 0x00002081, 0x00000080, 158 0x00802081, 0x00000081, 0x00000001, 0x00002000, 159 0x00800001, 0x00002001, 0x00802080, 0x00800081, 160 0x00002001, 0x00002080, 0x00800000, 0x00802001, 161 0x00000080, 0x00800000, 0x00002000, 0x00802080 162 }; 163 164 static const uint32_t SB5[64] = 165 { 166 0x00000100, 0x02080100, 0x02080000, 0x42000100, 167 0x00080000, 0x00000100, 0x40000000, 0x02080000, 168 0x40080100, 0x00080000, 0x02000100, 0x40080100, 169 0x42000100, 0x42080000, 0x00080100, 0x40000000, 170 0x02000000, 0x40080000, 0x40080000, 0x00000000, 171 0x40000100, 0x42080100, 0x42080100, 0x02000100, 172 0x42080000, 0x40000100, 0x00000000, 0x42000000, 173 0x02080100, 0x02000000, 0x42000000, 0x00080100, 174 0x00080000, 0x42000100, 0x00000100, 0x02000000, 175 0x40000000, 0x02080000, 0x42000100, 0x40080100, 176 0x02000100, 0x40000000, 0x42080000, 0x02080100, 177 0x40080100, 0x00000100, 0x02000000, 0x42080000, 178 0x42080100, 0x00080100, 0x42000000, 0x42080100, 179 0x02080000, 0x00000000, 0x40080000, 0x42000000, 180 0x00080100, 0x02000100, 0x40000100, 0x00080000, 181 0x00000000, 0x40080000, 0x02080100, 0x40000100 182 }; 183 184 static const uint32_t SB6[64] = 185 { 186 0x20000010, 0x20400000, 0x00004000, 0x20404010, 187 0x20400000, 0x00000010, 0x20404010, 0x00400000, 188 0x20004000, 0x00404010, 0x00400000, 0x20000010, 189 0x00400010, 0x20004000, 0x20000000, 0x00004010, 190 0x00000000, 0x00400010, 0x20004010, 0x00004000, 191 0x00404000, 0x20004010, 0x00000010, 0x20400010, 192 0x20400010, 0x00000000, 0x00404010, 0x20404000, 193 0x00004010, 0x00404000, 0x20404000, 0x20000000, 194 0x20004000, 0x00000010, 0x20400010, 0x00404000, 195 0x20404010, 0x00400000, 0x00004010, 0x20000010, 196 0x00400000, 0x20004000, 0x20000000, 0x00004010, 197 0x20000010, 0x20404010, 0x00404000, 0x20400000, 198 0x00404010, 0x20404000, 0x00000000, 0x20400010, 199 0x00000010, 0x00004000, 0x20400000, 0x00404010, 200 0x00004000, 0x00400010, 0x20004010, 0x00000000, 201 0x20404000, 0x20000000, 0x00400010, 0x20004010 202 }; 203 204 static const uint32_t SB7[64] = 205 { 206 0x00200000, 0x04200002, 0x04000802, 0x00000000, 207 0x00000800, 0x04000802, 0x00200802, 0x04200800, 208 0x04200802, 0x00200000, 0x00000000, 0x04000002, 209 0x00000002, 0x04000000, 0x04200002, 0x00000802, 210 0x04000800, 0x00200802, 0x00200002, 0x04000800, 211 0x04000002, 0x04200000, 0x04200800, 0x00200002, 212 0x04200000, 0x00000800, 0x00000802, 0x04200802, 213 0x00200800, 0x00000002, 0x04000000, 0x00200800, 214 0x04000000, 0x00200800, 0x00200000, 0x04000802, 215 0x04000802, 0x04200002, 0x04200002, 0x00000002, 216 0x00200002, 0x04000000, 0x04000800, 0x00200000, 217 0x04200800, 0x00000802, 0x00200802, 0x04200800, 218 0x00000802, 0x04000002, 0x04200802, 0x04200000, 219 0x00200800, 0x00000000, 0x00000002, 0x04200802, 220 0x00000000, 0x00200802, 0x04200000, 0x00000800, 221 0x04000002, 0x04000800, 0x00000800, 0x00200002 222 }; 223 224 static const uint32_t SB8[64] = 225 { 226 0x10001040, 0x00001000, 0x00040000, 0x10041040, 227 0x10000000, 0x10001040, 0x00000040, 0x10000000, 228 0x00040040, 0x10040000, 0x10041040, 0x00041000, 229 0x10041000, 0x00041040, 0x00001000, 0x00000040, 230 0x10040000, 0x10000040, 0x10001000, 0x00001040, 231 0x00041000, 0x00040040, 0x10040040, 0x10041000, 232 0x00001040, 0x00000000, 0x00000000, 0x10040040, 233 0x10000040, 0x10001000, 0x00041040, 0x00040000, 234 0x00041040, 0x00040000, 0x10041000, 0x00001000, 235 0x00000040, 0x10040040, 0x00001000, 0x00041040, 236 0x10001000, 0x00000040, 0x10000040, 0x10040000, 237 0x10040040, 0x10000000, 0x00040000, 0x10001040, 238 0x00000000, 0x10041040, 0x00040040, 0x10000040, 239 0x10040000, 0x10001000, 0x10001040, 0x00000000, 240 0x10041040, 0x00041000, 0x00041000, 0x00001040, 241 0x00001040, 0x00040040, 0x10000000, 0x10041000 242 }; 243 244 /* 245 * PC1: left and right halves bit-swap 246 */ 247 static const uint32_t LHs[16] = 248 { 249 0x00000000, 0x00000001, 0x00000100, 0x00000101, 250 0x00010000, 0x00010001, 0x00010100, 0x00010101, 251 0x01000000, 0x01000001, 0x01000100, 0x01000101, 252 0x01010000, 0x01010001, 0x01010100, 0x01010101 253 }; 254 255 static const uint32_t RHs[16] = 256 { 257 0x00000000, 0x01000000, 0x00010000, 0x01010000, 258 0x00000100, 0x01000100, 0x00010100, 0x01010100, 259 0x00000001, 0x01000001, 0x00010001, 0x01010001, 260 0x00000101, 0x01000101, 0x00010101, 0x01010101, 261 }; 262 263 /* 264 * Initial Permutation macro 265 */ 266 #define DES_IP(X,Y) \ 267 { \ 268 T = ((X >> 4) ^ Y) & 0x0F0F0F0F; Y ^= T; X ^= (T << 4); \ 269 T = ((X >> 16) ^ Y) & 0x0000FFFF; Y ^= T; X ^= (T << 16); \ 270 T = ((Y >> 2) ^ X) & 0x33333333; X ^= T; Y ^= (T << 2); \ 271 T = ((Y >> 8) ^ X) & 0x00FF00FF; X ^= T; Y ^= (T << 8); \ 272 Y = ((Y << 1) | (Y >> 31)) & 0xFFFFFFFF; \ 273 T = (X ^ Y) & 0xAAAAAAAA; Y ^= T; X ^= T; \ 274 X = ((X << 1) | (X >> 31)) & 0xFFFFFFFF; \ 275 } 276 277 /* 278 * Final Permutation macro 279 */ 280 #define DES_FP(X,Y) \ 281 { \ 282 X = ((X << 31) | (X >> 1)) & 0xFFFFFFFF; \ 283 T = (X ^ Y) & 0xAAAAAAAA; X ^= T; Y ^= T; \ 284 Y = ((Y << 31) | (Y >> 1)) & 0xFFFFFFFF; \ 285 T = ((Y >> 8) ^ X) & 0x00FF00FF; X ^= T; Y ^= (T << 8); \ 286 T = ((Y >> 2) ^ X) & 0x33333333; X ^= T; Y ^= (T << 2); \ 287 T = ((X >> 16) ^ Y) & 0x0000FFFF; Y ^= T; X ^= (T << 16); \ 288 T = ((X >> 4) ^ Y) & 0x0F0F0F0F; Y ^= T; X ^= (T << 4); \ 289 } 290 291 /* 292 * DES round macro 293 */ 294 #define DES_ROUND(X,Y) \ 295 { \ 296 T = *SK++ ^ X; \ 297 Y ^= SB8[ (T ) & 0x3F ] ^ \ 298 SB6[ (T >> 8) & 0x3F ] ^ \ 299 SB4[ (T >> 16) & 0x3F ] ^ \ 300 SB2[ (T >> 24) & 0x3F ]; \ 301 \ 302 T = *SK++ ^ ((X << 28) | (X >> 4)); \ 303 Y ^= SB7[ (T ) & 0x3F ] ^ \ 304 SB5[ (T >> 8) & 0x3F ] ^ \ 305 SB3[ (T >> 16) & 0x3F ] ^ \ 306 SB1[ (T >> 24) & 0x3F ]; \ 307 } 308 309 #define SWAP(a,b) { uint32_t t = a; a = b; b = t; t = 0; } 310 311 void mbedtls_des_init( mbedtls_des_context *ctx ) 312 { 313 memset( ctx, 0, sizeof( mbedtls_des_context ) ); 314 } 315 316 void mbedtls_des_free( mbedtls_des_context *ctx ) 317 { 318 if( ctx == NULL ) 319 return; 320 321 mbedtls_zeroize( ctx, sizeof( mbedtls_des_context ) ); 322 } 323 324 void mbedtls_des3_init( mbedtls_des3_context *ctx ) 325 { 326 memset( ctx, 0, sizeof( mbedtls_des3_context ) ); 327 } 328 329 void mbedtls_des3_free( mbedtls_des3_context *ctx ) 330 { 331 if( ctx == NULL ) 332 return; 333 334 mbedtls_zeroize( ctx, sizeof( mbedtls_des3_context ) ); 335 } 336 337 static const unsigned char odd_parity_table[128] = { 1, 2, 4, 7, 8, 338 11, 13, 14, 16, 19, 21, 22, 25, 26, 28, 31, 32, 35, 37, 38, 41, 42, 44, 339 47, 49, 50, 52, 55, 56, 59, 61, 62, 64, 67, 69, 70, 73, 74, 76, 79, 81, 340 82, 84, 87, 88, 91, 93, 94, 97, 98, 100, 103, 104, 107, 109, 110, 112, 341 115, 117, 118, 121, 122, 124, 127, 128, 131, 133, 134, 137, 138, 140, 342 143, 145, 146, 148, 151, 152, 155, 157, 158, 161, 162, 164, 167, 168, 343 171, 173, 174, 176, 179, 181, 182, 185, 186, 188, 191, 193, 194, 196, 344 199, 200, 203, 205, 206, 208, 211, 213, 214, 217, 218, 220, 223, 224, 345 227, 229, 230, 233, 234, 236, 239, 241, 242, 244, 247, 248, 251, 253, 346 254 }; 347 348 void mbedtls_des_key_set_parity( unsigned char key[MBEDTLS_DES_KEY_SIZE] ) 349 { 350 int i; 351 352 for( i = 0; i < MBEDTLS_DES_KEY_SIZE; i++ ) 353 key[i] = odd_parity_table[key[i] / 2]; 354 } 355 356 /* 357 * Check the given key's parity, returns 1 on failure, 0 on SUCCESS 358 */ 359 int mbedtls_des_key_check_key_parity( const unsigned char key[MBEDTLS_DES_KEY_SIZE] ) 360 { 361 int i; 362 363 for( i = 0; i < MBEDTLS_DES_KEY_SIZE; i++ ) 364 if( key[i] != odd_parity_table[key[i] / 2] ) 365 return( 1 ); 366 367 return( 0 ); 368 } 369 370 /* 371 * Table of weak and semi-weak keys 372 * 373 * Source: http://en.wikipedia.org/wiki/Weak_key 374 * 375 * Weak: 376 * Alternating ones + zeros (0x0101010101010101) 377 * Alternating 'F' + 'E' (0xFEFEFEFEFEFEFEFE) 378 * '0xE0E0E0E0F1F1F1F1' 379 * '0x1F1F1F1F0E0E0E0E' 380 * 381 * Semi-weak: 382 * 0x011F011F010E010E and 0x1F011F010E010E01 383 * 0x01E001E001F101F1 and 0xE001E001F101F101 384 * 0x01FE01FE01FE01FE and 0xFE01FE01FE01FE01 385 * 0x1FE01FE00EF10EF1 and 0xE01FE01FF10EF10E 386 * 0x1FFE1FFE0EFE0EFE and 0xFE1FFE1FFE0EFE0E 387 * 0xE0FEE0FEF1FEF1FE and 0xFEE0FEE0FEF1FEF1 388 * 389 */ 390 391 #define WEAK_KEY_COUNT 16 392 393 static const unsigned char weak_key_table[WEAK_KEY_COUNT][MBEDTLS_DES_KEY_SIZE] = 394 { 395 { 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 }, 396 { 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE }, 397 { 0x1F, 0x1F, 0x1F, 0x1F, 0x0E, 0x0E, 0x0E, 0x0E }, 398 { 0xE0, 0xE0, 0xE0, 0xE0, 0xF1, 0xF1, 0xF1, 0xF1 }, 399 400 { 0x01, 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E }, 401 { 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E, 0x01 }, 402 { 0x01, 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1 }, 403 { 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1, 0x01 }, 404 { 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE }, 405 { 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01 }, 406 { 0x1F, 0xE0, 0x1F, 0xE0, 0x0E, 0xF1, 0x0E, 0xF1 }, 407 { 0xE0, 0x1F, 0xE0, 0x1F, 0xF1, 0x0E, 0xF1, 0x0E }, 408 { 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E, 0xFE }, 409 { 0xFE, 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E }, 410 { 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1, 0xFE }, 411 { 0xFE, 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1 } 412 }; 413 414 int mbedtls_des_key_check_weak( const unsigned char key[MBEDTLS_DES_KEY_SIZE] ) 415 { 416 int i; 417 418 for( i = 0; i < WEAK_KEY_COUNT; i++ ) 419 if( memcmp( weak_key_table[i], key, MBEDTLS_DES_KEY_SIZE) == 0 ) 420 return( 1 ); 421 422 return( 0 ); 423 } 424 425 #if !defined(MBEDTLS_DES_SETKEY_ALT) 426 void mbedtls_des_setkey( uint32_t SK[32], const unsigned char key[MBEDTLS_DES_KEY_SIZE] ) 427 { 428 int i; 429 uint32_t X, Y, T; 430 431 GET_UINT32_BE( X, key, 0 ); 432 GET_UINT32_BE( Y, key, 4 ); 433 434 /* 435 * Permuted Choice 1 436 */ 437 T = ((Y >> 4) ^ X) & 0x0F0F0F0F; X ^= T; Y ^= (T << 4); 438 T = ((Y ) ^ X) & 0x10101010; X ^= T; Y ^= (T ); 439 440 X = (LHs[ (X ) & 0xF] << 3) | (LHs[ (X >> 8) & 0xF ] << 2) 441 | (LHs[ (X >> 16) & 0xF] << 1) | (LHs[ (X >> 24) & 0xF ] ) 442 | (LHs[ (X >> 5) & 0xF] << 7) | (LHs[ (X >> 13) & 0xF ] << 6) 443 | (LHs[ (X >> 21) & 0xF] << 5) | (LHs[ (X >> 29) & 0xF ] << 4); 444 445 Y = (RHs[ (Y >> 1) & 0xF] << 3) | (RHs[ (Y >> 9) & 0xF ] << 2) 446 | (RHs[ (Y >> 17) & 0xF] << 1) | (RHs[ (Y >> 25) & 0xF ] ) 447 | (RHs[ (Y >> 4) & 0xF] << 7) | (RHs[ (Y >> 12) & 0xF ] << 6) 448 | (RHs[ (Y >> 20) & 0xF] << 5) | (RHs[ (Y >> 28) & 0xF ] << 4); 449 450 X &= 0x0FFFFFFF; 451 Y &= 0x0FFFFFFF; 452 453 /* 454 * calculate subkeys 455 */ 456 for( i = 0; i < 16; i++ ) 457 { 458 if( i < 2 || i == 8 || i == 15 ) 459 { 460 X = ((X << 1) | (X >> 27)) & 0x0FFFFFFF; 461 Y = ((Y << 1) | (Y >> 27)) & 0x0FFFFFFF; 462 } 463 else 464 { 465 X = ((X << 2) | (X >> 26)) & 0x0FFFFFFF; 466 Y = ((Y << 2) | (Y >> 26)) & 0x0FFFFFFF; 467 } 468 469 *SK++ = ((X << 4) & 0x24000000) | ((X << 28) & 0x10000000) 470 | ((X << 14) & 0x08000000) | ((X << 18) & 0x02080000) 471 | ((X << 6) & 0x01000000) | ((X << 9) & 0x00200000) 472 | ((X >> 1) & 0x00100000) | ((X << 10) & 0x00040000) 473 | ((X << 2) & 0x00020000) | ((X >> 10) & 0x00010000) 474 | ((Y >> 13) & 0x00002000) | ((Y >> 4) & 0x00001000) 475 | ((Y << 6) & 0x00000800) | ((Y >> 1) & 0x00000400) 476 | ((Y >> 14) & 0x00000200) | ((Y ) & 0x00000100) 477 | ((Y >> 5) & 0x00000020) | ((Y >> 10) & 0x00000010) 478 | ((Y >> 3) & 0x00000008) | ((Y >> 18) & 0x00000004) 479 | ((Y >> 26) & 0x00000002) | ((Y >> 24) & 0x00000001); 480 481 *SK++ = ((X << 15) & 0x20000000) | ((X << 17) & 0x10000000) 482 | ((X << 10) & 0x08000000) | ((X << 22) & 0x04000000) 483 | ((X >> 2) & 0x02000000) | ((X << 1) & 0x01000000) 484 | ((X << 16) & 0x00200000) | ((X << 11) & 0x00100000) 485 | ((X << 3) & 0x00080000) | ((X >> 6) & 0x00040000) 486 | ((X << 15) & 0x00020000) | ((X >> 4) & 0x00010000) 487 | ((Y >> 2) & 0x00002000) | ((Y << 8) & 0x00001000) 488 | ((Y >> 14) & 0x00000808) | ((Y >> 9) & 0x00000400) 489 | ((Y ) & 0x00000200) | ((Y << 7) & 0x00000100) 490 | ((Y >> 7) & 0x00000020) | ((Y >> 3) & 0x00000011) 491 | ((Y << 2) & 0x00000004) | ((Y >> 21) & 0x00000002); 492 } 493 } 494 #endif /* !MBEDTLS_DES_SETKEY_ALT */ 495 496 /* 497 * DES key schedule (56-bit, encryption) 498 */ 499 int mbedtls_des_setkey_enc( mbedtls_des_context *ctx, const unsigned char key[MBEDTLS_DES_KEY_SIZE] ) 500 { 501 mbedtls_des_setkey( ctx->sk, key ); 502 503 return( 0 ); 504 } 505 506 /* 507 * DES key schedule (56-bit, decryption) 508 */ 509 int mbedtls_des_setkey_dec( mbedtls_des_context *ctx, const unsigned char key[MBEDTLS_DES_KEY_SIZE] ) 510 { 511 int i; 512 513 mbedtls_des_setkey( ctx->sk, key ); 514 515 for( i = 0; i < 16; i += 2 ) 516 { 517 SWAP( ctx->sk[i ], ctx->sk[30 - i] ); 518 SWAP( ctx->sk[i + 1], ctx->sk[31 - i] ); 519 } 520 521 return( 0 ); 522 } 523 524 static void des3_set2key( uint32_t esk[96], 525 uint32_t dsk[96], 526 const unsigned char key[MBEDTLS_DES_KEY_SIZE*2] ) 527 { 528 int i; 529 530 mbedtls_des_setkey( esk, key ); 531 mbedtls_des_setkey( dsk + 32, key + 8 ); 532 533 for( i = 0; i < 32; i += 2 ) 534 { 535 dsk[i ] = esk[30 - i]; 536 dsk[i + 1] = esk[31 - i]; 537 538 esk[i + 32] = dsk[62 - i]; 539 esk[i + 33] = dsk[63 - i]; 540 541 esk[i + 64] = esk[i ]; 542 esk[i + 65] = esk[i + 1]; 543 544 dsk[i + 64] = dsk[i ]; 545 dsk[i + 65] = dsk[i + 1]; 546 } 547 } 548 549 /* 550 * Triple-DES key schedule (112-bit, encryption) 551 */ 552 int mbedtls_des3_set2key_enc( mbedtls_des3_context *ctx, 553 const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2] ) 554 { 555 uint32_t sk[96]; 556 557 des3_set2key( ctx->sk, sk, key ); 558 mbedtls_zeroize( sk, sizeof( sk ) ); 559 560 return( 0 ); 561 } 562 563 /* 564 * Triple-DES key schedule (112-bit, decryption) 565 */ 566 int mbedtls_des3_set2key_dec( mbedtls_des3_context *ctx, 567 const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2] ) 568 { 569 uint32_t sk[96]; 570 571 des3_set2key( sk, ctx->sk, key ); 572 mbedtls_zeroize( sk, sizeof( sk ) ); 573 574 return( 0 ); 575 } 576 577 static void des3_set3key( uint32_t esk[96], 578 uint32_t dsk[96], 579 const unsigned char key[24] ) 580 { 581 int i; 582 583 mbedtls_des_setkey( esk, key ); 584 mbedtls_des_setkey( dsk + 32, key + 8 ); 585 mbedtls_des_setkey( esk + 64, key + 16 ); 586 587 for( i = 0; i < 32; i += 2 ) 588 { 589 dsk[i ] = esk[94 - i]; 590 dsk[i + 1] = esk[95 - i]; 591 592 esk[i + 32] = dsk[62 - i]; 593 esk[i + 33] = dsk[63 - i]; 594 595 dsk[i + 64] = esk[30 - i]; 596 dsk[i + 65] = esk[31 - i]; 597 } 598 } 599 600 /* 601 * Triple-DES key schedule (168-bit, encryption) 602 */ 603 int mbedtls_des3_set3key_enc( mbedtls_des3_context *ctx, 604 const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3] ) 605 { 606 uint32_t sk[96]; 607 608 des3_set3key( ctx->sk, sk, key ); 609 mbedtls_zeroize( sk, sizeof( sk ) ); 610 611 return( 0 ); 612 } 613 614 /* 615 * Triple-DES key schedule (168-bit, decryption) 616 */ 617 int mbedtls_des3_set3key_dec( mbedtls_des3_context *ctx, 618 const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3] ) 619 { 620 uint32_t sk[96]; 621 622 des3_set3key( sk, ctx->sk, key ); 623 mbedtls_zeroize( sk, sizeof( sk ) ); 624 625 return( 0 ); 626 } 627 628 /* 629 * DES-ECB block encryption/decryption 630 */ 631 #if !defined(MBEDTLS_DES_CRYPT_ECB_ALT) 632 int mbedtls_des_crypt_ecb( mbedtls_des_context *ctx, 633 const unsigned char input[8], 634 unsigned char output[8] ) 635 { 636 int i; 637 uint32_t X, Y, T, *SK; 638 639 SK = ctx->sk; 640 641 GET_UINT32_BE( X, input, 0 ); 642 GET_UINT32_BE( Y, input, 4 ); 643 644 DES_IP( X, Y ); 645 646 for( i = 0; i < 8; i++ ) 647 { 648 DES_ROUND( Y, X ); 649 DES_ROUND( X, Y ); 650 } 651 652 DES_FP( Y, X ); 653 654 PUT_UINT32_BE( Y, output, 0 ); 655 PUT_UINT32_BE( X, output, 4 ); 656 657 return( 0 ); 658 } 659 #endif /* !MBEDTLS_DES_CRYPT_ECB_ALT */ 660 661 #if defined(MBEDTLS_CIPHER_MODE_CBC) 662 /* 663 * DES-CBC buffer encryption/decryption 664 */ 665 int mbedtls_des_crypt_cbc( mbedtls_des_context *ctx, 666 int mode, 667 size_t length, 668 unsigned char iv[8], 669 const unsigned char *input, 670 unsigned char *output ) 671 { 672 int i; 673 unsigned char temp[8]; 674 675 if( length % 8 ) 676 return( MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH ); 677 678 if( mode == MBEDTLS_DES_ENCRYPT ) 679 { 680 while( length > 0 ) 681 { 682 for( i = 0; i < 8; i++ ) 683 output[i] = (unsigned char)( input[i] ^ iv[i] ); 684 685 mbedtls_des_crypt_ecb( ctx, output, output ); 686 memcpy( iv, output, 8 ); 687 688 input += 8; 689 output += 8; 690 length -= 8; 691 } 692 } 693 else /* MBEDTLS_DES_DECRYPT */ 694 { 695 while( length > 0 ) 696 { 697 memcpy( temp, input, 8 ); 698 mbedtls_des_crypt_ecb( ctx, input, output ); 699 700 for( i = 0; i < 8; i++ ) 701 output[i] = (unsigned char)( output[i] ^ iv[i] ); 702 703 memcpy( iv, temp, 8 ); 704 705 input += 8; 706 output += 8; 707 length -= 8; 708 } 709 } 710 711 return( 0 ); 712 } 713 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 714 715 /* 716 * 3DES-ECB block encryption/decryption 717 */ 718 #if !defined(MBEDTLS_DES3_CRYPT_ECB_ALT) 719 int mbedtls_des3_crypt_ecb( mbedtls_des3_context *ctx, 720 const unsigned char input[8], 721 unsigned char output[8] ) 722 { 723 int i; 724 uint32_t X, Y, T, *SK; 725 726 SK = ctx->sk; 727 728 GET_UINT32_BE( X, input, 0 ); 729 GET_UINT32_BE( Y, input, 4 ); 730 731 DES_IP( X, Y ); 732 733 for( i = 0; i < 8; i++ ) 734 { 735 DES_ROUND( Y, X ); 736 DES_ROUND( X, Y ); 737 } 738 739 for( i = 0; i < 8; i++ ) 740 { 741 DES_ROUND( X, Y ); 742 DES_ROUND( Y, X ); 743 } 744 745 for( i = 0; i < 8; i++ ) 746 { 747 DES_ROUND( Y, X ); 748 DES_ROUND( X, Y ); 749 } 750 751 DES_FP( Y, X ); 752 753 PUT_UINT32_BE( Y, output, 0 ); 754 PUT_UINT32_BE( X, output, 4 ); 755 756 return( 0 ); 757 } 758 #endif /* !MBEDTLS_DES3_CRYPT_ECB_ALT */ 759 760 #if defined(MBEDTLS_CIPHER_MODE_CBC) 761 /* 762 * 3DES-CBC buffer encryption/decryption 763 */ 764 int mbedtls_des3_crypt_cbc( mbedtls_des3_context *ctx, 765 int mode, 766 size_t length, 767 unsigned char iv[8], 768 const unsigned char *input, 769 unsigned char *output ) 770 { 771 int i; 772 unsigned char temp[8]; 773 774 if( length % 8 ) 775 return( MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH ); 776 777 if( mode == MBEDTLS_DES_ENCRYPT ) 778 { 779 while( length > 0 ) 780 { 781 for( i = 0; i < 8; i++ ) 782 output[i] = (unsigned char)( input[i] ^ iv[i] ); 783 784 mbedtls_des3_crypt_ecb( ctx, output, output ); 785 memcpy( iv, output, 8 ); 786 787 input += 8; 788 output += 8; 789 length -= 8; 790 } 791 } 792 else /* MBEDTLS_DES_DECRYPT */ 793 { 794 while( length > 0 ) 795 { 796 memcpy( temp, input, 8 ); 797 mbedtls_des3_crypt_ecb( ctx, input, output ); 798 799 for( i = 0; i < 8; i++ ) 800 output[i] = (unsigned char)( output[i] ^ iv[i] ); 801 802 memcpy( iv, temp, 8 ); 803 804 input += 8; 805 output += 8; 806 length -= 8; 807 } 808 } 809 810 return( 0 ); 811 } 812 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 813 814 #endif /* !MBEDTLS_DES_ALT */ 815 816 #if defined(MBEDTLS_SELF_TEST) 817 /* 818 * DES and 3DES test vectors from: 819 * 820 * http://csrc.nist.gov/groups/STM/cavp/documents/des/tripledes-vectors.zip 821 */ 822 static const unsigned char des3_test_keys[24] = 823 { 824 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 825 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01, 826 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01, 0x23 827 }; 828 829 static const unsigned char des3_test_buf[8] = 830 { 831 0x4E, 0x6F, 0x77, 0x20, 0x69, 0x73, 0x20, 0x74 832 }; 833 834 static const unsigned char des3_test_ecb_dec[3][8] = 835 { 836 { 0xCD, 0xD6, 0x4F, 0x2F, 0x94, 0x27, 0xC1, 0x5D }, 837 { 0x69, 0x96, 0xC8, 0xFA, 0x47, 0xA2, 0xAB, 0xEB }, 838 { 0x83, 0x25, 0x39, 0x76, 0x44, 0x09, 0x1A, 0x0A } 839 }; 840 841 static const unsigned char des3_test_ecb_enc[3][8] = 842 { 843 { 0x6A, 0x2A, 0x19, 0xF4, 0x1E, 0xCA, 0x85, 0x4B }, 844 { 0x03, 0xE6, 0x9F, 0x5B, 0xFA, 0x58, 0xEB, 0x42 }, 845 { 0xDD, 0x17, 0xE8, 0xB8, 0xB4, 0x37, 0xD2, 0x32 } 846 }; 847 848 #if defined(MBEDTLS_CIPHER_MODE_CBC) 849 static const unsigned char des3_test_iv[8] = 850 { 851 0x12, 0x34, 0x56, 0x78, 0x90, 0xAB, 0xCD, 0xEF, 852 }; 853 854 static const unsigned char des3_test_cbc_dec[3][8] = 855 { 856 { 0x12, 0x9F, 0x40, 0xB9, 0xD2, 0x00, 0x56, 0xB3 }, 857 { 0x47, 0x0E, 0xFC, 0x9A, 0x6B, 0x8E, 0xE3, 0x93 }, 858 { 0xC5, 0xCE, 0xCF, 0x63, 0xEC, 0xEC, 0x51, 0x4C } 859 }; 860 861 static const unsigned char des3_test_cbc_enc[3][8] = 862 { 863 { 0x54, 0xF1, 0x5A, 0xF6, 0xEB, 0xE3, 0xA4, 0xB4 }, 864 { 0x35, 0x76, 0x11, 0x56, 0x5F, 0xA1, 0x8E, 0x4D }, 865 { 0xCB, 0x19, 0x1F, 0x85, 0xD1, 0xED, 0x84, 0x39 } 866 }; 867 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 868 869 /* 870 * Checkup routine 871 */ 872 int mbedtls_des_self_test( int verbose ) 873 { 874 int i, j, u, v, ret = 0; 875 mbedtls_des_context ctx; 876 mbedtls_des3_context ctx3; 877 unsigned char buf[8]; 878 #if defined(MBEDTLS_CIPHER_MODE_CBC) 879 unsigned char prv[8]; 880 unsigned char iv[8]; 881 #endif 882 883 mbedtls_des_init( &ctx ); 884 mbedtls_des3_init( &ctx3 ); 885 /* 886 * ECB mode 887 */ 888 for( i = 0; i < 6; i++ ) 889 { 890 u = i >> 1; 891 v = i & 1; 892 893 if( verbose != 0 ) 894 mbedtls_printf( " DES%c-ECB-%3d (%s): ", 895 ( u == 0 ) ? ' ' : '3', 56 + u * 56, 896 ( v == MBEDTLS_DES_DECRYPT ) ? "dec" : "enc" ); 897 898 memcpy( buf, des3_test_buf, 8 ); 899 900 switch( i ) 901 { 902 case 0: 903 mbedtls_des_setkey_dec( &ctx, des3_test_keys ); 904 break; 905 906 case 1: 907 mbedtls_des_setkey_enc( &ctx, des3_test_keys ); 908 break; 909 910 case 2: 911 mbedtls_des3_set2key_dec( &ctx3, des3_test_keys ); 912 break; 913 914 case 3: 915 mbedtls_des3_set2key_enc( &ctx3, des3_test_keys ); 916 break; 917 918 case 4: 919 mbedtls_des3_set3key_dec( &ctx3, des3_test_keys ); 920 break; 921 922 case 5: 923 mbedtls_des3_set3key_enc( &ctx3, des3_test_keys ); 924 break; 925 926 default: 927 return( 1 ); 928 } 929 930 for( j = 0; j < 10000; j++ ) 931 { 932 if( u == 0 ) 933 mbedtls_des_crypt_ecb( &ctx, buf, buf ); 934 else 935 mbedtls_des3_crypt_ecb( &ctx3, buf, buf ); 936 } 937 938 if( ( v == MBEDTLS_DES_DECRYPT && 939 memcmp( buf, des3_test_ecb_dec[u], 8 ) != 0 ) || 940 ( v != MBEDTLS_DES_DECRYPT && 941 memcmp( buf, des3_test_ecb_enc[u], 8 ) != 0 ) ) 942 { 943 if( verbose != 0 ) 944 mbedtls_printf( "failed\n" ); 945 946 ret = 1; 947 goto exit; 948 } 949 950 if( verbose != 0 ) 951 mbedtls_printf( "passed\n" ); 952 } 953 954 if( verbose != 0 ) 955 mbedtls_printf( "\n" ); 956 957 #if defined(MBEDTLS_CIPHER_MODE_CBC) 958 /* 959 * CBC mode 960 */ 961 for( i = 0; i < 6; i++ ) 962 { 963 u = i >> 1; 964 v = i & 1; 965 966 if( verbose != 0 ) 967 mbedtls_printf( " DES%c-CBC-%3d (%s): ", 968 ( u == 0 ) ? ' ' : '3', 56 + u * 56, 969 ( v == MBEDTLS_DES_DECRYPT ) ? "dec" : "enc" ); 970 971 memcpy( iv, des3_test_iv, 8 ); 972 memcpy( prv, des3_test_iv, 8 ); 973 memcpy( buf, des3_test_buf, 8 ); 974 975 switch( i ) 976 { 977 case 0: 978 mbedtls_des_setkey_dec( &ctx, des3_test_keys ); 979 break; 980 981 case 1: 982 mbedtls_des_setkey_enc( &ctx, des3_test_keys ); 983 break; 984 985 case 2: 986 mbedtls_des3_set2key_dec( &ctx3, des3_test_keys ); 987 break; 988 989 case 3: 990 mbedtls_des3_set2key_enc( &ctx3, des3_test_keys ); 991 break; 992 993 case 4: 994 mbedtls_des3_set3key_dec( &ctx3, des3_test_keys ); 995 break; 996 997 case 5: 998 mbedtls_des3_set3key_enc( &ctx3, des3_test_keys ); 999 break; 1000 1001 default: 1002 return( 1 ); 1003 } 1004 1005 if( v == MBEDTLS_DES_DECRYPT ) 1006 { 1007 for( j = 0; j < 10000; j++ ) 1008 { 1009 if( u == 0 ) 1010 mbedtls_des_crypt_cbc( &ctx, v, 8, iv, buf, buf ); 1011 else 1012 mbedtls_des3_crypt_cbc( &ctx3, v, 8, iv, buf, buf ); 1013 } 1014 } 1015 else 1016 { 1017 for( j = 0; j < 10000; j++ ) 1018 { 1019 unsigned char tmp[8]; 1020 1021 if( u == 0 ) 1022 mbedtls_des_crypt_cbc( &ctx, v, 8, iv, buf, buf ); 1023 else 1024 mbedtls_des3_crypt_cbc( &ctx3, v, 8, iv, buf, buf ); 1025 1026 memcpy( tmp, prv, 8 ); 1027 memcpy( prv, buf, 8 ); 1028 memcpy( buf, tmp, 8 ); 1029 } 1030 1031 memcpy( buf, prv, 8 ); 1032 } 1033 1034 if( ( v == MBEDTLS_DES_DECRYPT && 1035 memcmp( buf, des3_test_cbc_dec[u], 8 ) != 0 ) || 1036 ( v != MBEDTLS_DES_DECRYPT && 1037 memcmp( buf, des3_test_cbc_enc[u], 8 ) != 0 ) ) 1038 { 1039 if( verbose != 0 ) 1040 mbedtls_printf( "failed\n" ); 1041 1042 ret = 1; 1043 goto exit; 1044 } 1045 1046 if( verbose != 0 ) 1047 mbedtls_printf( "passed\n" ); 1048 } 1049 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 1050 1051 if( verbose != 0 ) 1052 mbedtls_printf( "\n" ); 1053 1054 exit: 1055 mbedtls_des_free( &ctx ); 1056 mbedtls_des3_free( &ctx3 ); 1057 1058 return( ret ); 1059 } 1060 1061 #endif /* MBEDTLS_SELF_TEST */ 1062 1063 #endif /* MBEDTLS_DES_C */ 1064