1 /* 2 * FIPS-46-3 compliant Triple-DES implementation 3 * 4 * Copyright The Mbed TLS Contributors 5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 6 * 7 * This file is provided under the Apache License 2.0, or the 8 * GNU General Public License v2.0 or later. 9 * 10 * ********** 11 * Apache License 2.0: 12 * 13 * Licensed under the Apache License, Version 2.0 (the "License"); you may 14 * not use this file except in compliance with the License. 15 * You may obtain a copy of the License at 16 * 17 * http://www.apache.org/licenses/LICENSE-2.0 18 * 19 * Unless required by applicable law or agreed to in writing, software 20 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 21 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 22 * See the License for the specific language governing permissions and 23 * limitations under the License. 24 * 25 * ********** 26 * 27 * ********** 28 * GNU General Public License v2.0 or later: 29 * 30 * This program is free software; you can redistribute it and/or modify 31 * it under the terms of the GNU General Public License as published by 32 * the Free Software Foundation; either version 2 of the License, or 33 * (at your option) any later version. 34 * 35 * This program is distributed in the hope that it will be useful, 36 * but WITHOUT ANY WARRANTY; without even the implied warranty of 37 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 38 * GNU General Public License for more details. 39 * 40 * You should have received a copy of the GNU General Public License along 41 * with this program; if not, write to the Free Software Foundation, Inc., 42 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 43 * 44 * ********** 45 */ 46 /* 47 * DES, on which TDES is based, was originally designed by Horst Feistel 48 * at IBM in 1974, and was adopted as a standard by NIST (formerly NBS). 49 * 50 * http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf 51 */ 52 53 #if !defined(MBEDTLS_CONFIG_FILE) 54 #include "mbedtls/config.h" 55 #else 56 #include MBEDTLS_CONFIG_FILE 57 #endif 58 59 #if defined(MBEDTLS_DES_C) 60 61 #include "mbedtls/des.h" 62 #include "mbedtls/platform_util.h" 63 64 #include <string.h> 65 66 #if defined(MBEDTLS_SELF_TEST) 67 #if defined(MBEDTLS_PLATFORM_C) 68 #include "mbedtls/platform.h" 69 #else 70 #include <stdio.h> 71 #define mbedtls_printf printf 72 #endif /* MBEDTLS_PLATFORM_C */ 73 #endif /* MBEDTLS_SELF_TEST */ 74 75 #if !defined(MBEDTLS_DES_ALT) 76 77 /* 78 * 32-bit integer manipulation macros (big endian) 79 */ 80 #ifndef GET_UINT32_BE 81 #define GET_UINT32_BE(n,b,i) \ 82 { \ 83 (n) = ( (uint32_t) (b)[(i) ] << 24 ) \ 84 | ( (uint32_t) (b)[(i) + 1] << 16 ) \ 85 | ( (uint32_t) (b)[(i) + 2] << 8 ) \ 86 | ( (uint32_t) (b)[(i) + 3] ); \ 87 } 88 #endif 89 90 #ifndef PUT_UINT32_BE 91 #define PUT_UINT32_BE(n,b,i) \ 92 { \ 93 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \ 94 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \ 95 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \ 96 (b)[(i) + 3] = (unsigned char) ( (n) ); \ 97 } 98 #endif 99 100 /* 101 * Expanded DES S-boxes 102 */ 103 static const uint32_t SB1[64] = 104 { 105 0x01010400, 0x00000000, 0x00010000, 0x01010404, 106 0x01010004, 0x00010404, 0x00000004, 0x00010000, 107 0x00000400, 0x01010400, 0x01010404, 0x00000400, 108 0x01000404, 0x01010004, 0x01000000, 0x00000004, 109 0x00000404, 0x01000400, 0x01000400, 0x00010400, 110 0x00010400, 0x01010000, 0x01010000, 0x01000404, 111 0x00010004, 0x01000004, 0x01000004, 0x00010004, 112 0x00000000, 0x00000404, 0x00010404, 0x01000000, 113 0x00010000, 0x01010404, 0x00000004, 0x01010000, 114 0x01010400, 0x01000000, 0x01000000, 0x00000400, 115 0x01010004, 0x00010000, 0x00010400, 0x01000004, 116 0x00000400, 0x00000004, 0x01000404, 0x00010404, 117 0x01010404, 0x00010004, 0x01010000, 0x01000404, 118 0x01000004, 0x00000404, 0x00010404, 0x01010400, 119 0x00000404, 0x01000400, 0x01000400, 0x00000000, 120 0x00010004, 0x00010400, 0x00000000, 0x01010004 121 }; 122 123 static const uint32_t SB2[64] = 124 { 125 0x80108020, 0x80008000, 0x00008000, 0x00108020, 126 0x00100000, 0x00000020, 0x80100020, 0x80008020, 127 0x80000020, 0x80108020, 0x80108000, 0x80000000, 128 0x80008000, 0x00100000, 0x00000020, 0x80100020, 129 0x00108000, 0x00100020, 0x80008020, 0x00000000, 130 0x80000000, 0x00008000, 0x00108020, 0x80100000, 131 0x00100020, 0x80000020, 0x00000000, 0x00108000, 132 0x00008020, 0x80108000, 0x80100000, 0x00008020, 133 0x00000000, 0x00108020, 0x80100020, 0x00100000, 134 0x80008020, 0x80100000, 0x80108000, 0x00008000, 135 0x80100000, 0x80008000, 0x00000020, 0x80108020, 136 0x00108020, 0x00000020, 0x00008000, 0x80000000, 137 0x00008020, 0x80108000, 0x00100000, 0x80000020, 138 0x00100020, 0x80008020, 0x80000020, 0x00100020, 139 0x00108000, 0x00000000, 0x80008000, 0x00008020, 140 0x80000000, 0x80100020, 0x80108020, 0x00108000 141 }; 142 143 static const uint32_t SB3[64] = 144 { 145 0x00000208, 0x08020200, 0x00000000, 0x08020008, 146 0x08000200, 0x00000000, 0x00020208, 0x08000200, 147 0x00020008, 0x08000008, 0x08000008, 0x00020000, 148 0x08020208, 0x00020008, 0x08020000, 0x00000208, 149 0x08000000, 0x00000008, 0x08020200, 0x00000200, 150 0x00020200, 0x08020000, 0x08020008, 0x00020208, 151 0x08000208, 0x00020200, 0x00020000, 0x08000208, 152 0x00000008, 0x08020208, 0x00000200, 0x08000000, 153 0x08020200, 0x08000000, 0x00020008, 0x00000208, 154 0x00020000, 0x08020200, 0x08000200, 0x00000000, 155 0x00000200, 0x00020008, 0x08020208, 0x08000200, 156 0x08000008, 0x00000200, 0x00000000, 0x08020008, 157 0x08000208, 0x00020000, 0x08000000, 0x08020208, 158 0x00000008, 0x00020208, 0x00020200, 0x08000008, 159 0x08020000, 0x08000208, 0x00000208, 0x08020000, 160 0x00020208, 0x00000008, 0x08020008, 0x00020200 161 }; 162 163 static const uint32_t SB4[64] = 164 { 165 0x00802001, 0x00002081, 0x00002081, 0x00000080, 166 0x00802080, 0x00800081, 0x00800001, 0x00002001, 167 0x00000000, 0x00802000, 0x00802000, 0x00802081, 168 0x00000081, 0x00000000, 0x00800080, 0x00800001, 169 0x00000001, 0x00002000, 0x00800000, 0x00802001, 170 0x00000080, 0x00800000, 0x00002001, 0x00002080, 171 0x00800081, 0x00000001, 0x00002080, 0x00800080, 172 0x00002000, 0x00802080, 0x00802081, 0x00000081, 173 0x00800080, 0x00800001, 0x00802000, 0x00802081, 174 0x00000081, 0x00000000, 0x00000000, 0x00802000, 175 0x00002080, 0x00800080, 0x00800081, 0x00000001, 176 0x00802001, 0x00002081, 0x00002081, 0x00000080, 177 0x00802081, 0x00000081, 0x00000001, 0x00002000, 178 0x00800001, 0x00002001, 0x00802080, 0x00800081, 179 0x00002001, 0x00002080, 0x00800000, 0x00802001, 180 0x00000080, 0x00800000, 0x00002000, 0x00802080 181 }; 182 183 static const uint32_t SB5[64] = 184 { 185 0x00000100, 0x02080100, 0x02080000, 0x42000100, 186 0x00080000, 0x00000100, 0x40000000, 0x02080000, 187 0x40080100, 0x00080000, 0x02000100, 0x40080100, 188 0x42000100, 0x42080000, 0x00080100, 0x40000000, 189 0x02000000, 0x40080000, 0x40080000, 0x00000000, 190 0x40000100, 0x42080100, 0x42080100, 0x02000100, 191 0x42080000, 0x40000100, 0x00000000, 0x42000000, 192 0x02080100, 0x02000000, 0x42000000, 0x00080100, 193 0x00080000, 0x42000100, 0x00000100, 0x02000000, 194 0x40000000, 0x02080000, 0x42000100, 0x40080100, 195 0x02000100, 0x40000000, 0x42080000, 0x02080100, 196 0x40080100, 0x00000100, 0x02000000, 0x42080000, 197 0x42080100, 0x00080100, 0x42000000, 0x42080100, 198 0x02080000, 0x00000000, 0x40080000, 0x42000000, 199 0x00080100, 0x02000100, 0x40000100, 0x00080000, 200 0x00000000, 0x40080000, 0x02080100, 0x40000100 201 }; 202 203 static const uint32_t SB6[64] = 204 { 205 0x20000010, 0x20400000, 0x00004000, 0x20404010, 206 0x20400000, 0x00000010, 0x20404010, 0x00400000, 207 0x20004000, 0x00404010, 0x00400000, 0x20000010, 208 0x00400010, 0x20004000, 0x20000000, 0x00004010, 209 0x00000000, 0x00400010, 0x20004010, 0x00004000, 210 0x00404000, 0x20004010, 0x00000010, 0x20400010, 211 0x20400010, 0x00000000, 0x00404010, 0x20404000, 212 0x00004010, 0x00404000, 0x20404000, 0x20000000, 213 0x20004000, 0x00000010, 0x20400010, 0x00404000, 214 0x20404010, 0x00400000, 0x00004010, 0x20000010, 215 0x00400000, 0x20004000, 0x20000000, 0x00004010, 216 0x20000010, 0x20404010, 0x00404000, 0x20400000, 217 0x00404010, 0x20404000, 0x00000000, 0x20400010, 218 0x00000010, 0x00004000, 0x20400000, 0x00404010, 219 0x00004000, 0x00400010, 0x20004010, 0x00000000, 220 0x20404000, 0x20000000, 0x00400010, 0x20004010 221 }; 222 223 static const uint32_t SB7[64] = 224 { 225 0x00200000, 0x04200002, 0x04000802, 0x00000000, 226 0x00000800, 0x04000802, 0x00200802, 0x04200800, 227 0x04200802, 0x00200000, 0x00000000, 0x04000002, 228 0x00000002, 0x04000000, 0x04200002, 0x00000802, 229 0x04000800, 0x00200802, 0x00200002, 0x04000800, 230 0x04000002, 0x04200000, 0x04200800, 0x00200002, 231 0x04200000, 0x00000800, 0x00000802, 0x04200802, 232 0x00200800, 0x00000002, 0x04000000, 0x00200800, 233 0x04000000, 0x00200800, 0x00200000, 0x04000802, 234 0x04000802, 0x04200002, 0x04200002, 0x00000002, 235 0x00200002, 0x04000000, 0x04000800, 0x00200000, 236 0x04200800, 0x00000802, 0x00200802, 0x04200800, 237 0x00000802, 0x04000002, 0x04200802, 0x04200000, 238 0x00200800, 0x00000000, 0x00000002, 0x04200802, 239 0x00000000, 0x00200802, 0x04200000, 0x00000800, 240 0x04000002, 0x04000800, 0x00000800, 0x00200002 241 }; 242 243 static const uint32_t SB8[64] = 244 { 245 0x10001040, 0x00001000, 0x00040000, 0x10041040, 246 0x10000000, 0x10001040, 0x00000040, 0x10000000, 247 0x00040040, 0x10040000, 0x10041040, 0x00041000, 248 0x10041000, 0x00041040, 0x00001000, 0x00000040, 249 0x10040000, 0x10000040, 0x10001000, 0x00001040, 250 0x00041000, 0x00040040, 0x10040040, 0x10041000, 251 0x00001040, 0x00000000, 0x00000000, 0x10040040, 252 0x10000040, 0x10001000, 0x00041040, 0x00040000, 253 0x00041040, 0x00040000, 0x10041000, 0x00001000, 254 0x00000040, 0x10040040, 0x00001000, 0x00041040, 255 0x10001000, 0x00000040, 0x10000040, 0x10040000, 256 0x10040040, 0x10000000, 0x00040000, 0x10001040, 257 0x00000000, 0x10041040, 0x00040040, 0x10000040, 258 0x10040000, 0x10001000, 0x10001040, 0x00000000, 259 0x10041040, 0x00041000, 0x00041000, 0x00001040, 260 0x00001040, 0x00040040, 0x10000000, 0x10041000 261 }; 262 263 /* 264 * PC1: left and right halves bit-swap 265 */ 266 static const uint32_t LHs[16] = 267 { 268 0x00000000, 0x00000001, 0x00000100, 0x00000101, 269 0x00010000, 0x00010001, 0x00010100, 0x00010101, 270 0x01000000, 0x01000001, 0x01000100, 0x01000101, 271 0x01010000, 0x01010001, 0x01010100, 0x01010101 272 }; 273 274 static const uint32_t RHs[16] = 275 { 276 0x00000000, 0x01000000, 0x00010000, 0x01010000, 277 0x00000100, 0x01000100, 0x00010100, 0x01010100, 278 0x00000001, 0x01000001, 0x00010001, 0x01010001, 279 0x00000101, 0x01000101, 0x00010101, 0x01010101, 280 }; 281 282 /* 283 * Initial Permutation macro 284 */ 285 #define DES_IP(X,Y) \ 286 do \ 287 { \ 288 T = (((X) >> 4) ^ (Y)) & 0x0F0F0F0F; (Y) ^= T; (X) ^= (T << 4); \ 289 T = (((X) >> 16) ^ (Y)) & 0x0000FFFF; (Y) ^= T; (X) ^= (T << 16); \ 290 T = (((Y) >> 2) ^ (X)) & 0x33333333; (X) ^= T; (Y) ^= (T << 2); \ 291 T = (((Y) >> 8) ^ (X)) & 0x00FF00FF; (X) ^= T; (Y) ^= (T << 8); \ 292 (Y) = (((Y) << 1) | ((Y) >> 31)) & 0xFFFFFFFF; \ 293 T = ((X) ^ (Y)) & 0xAAAAAAAA; (Y) ^= T; (X) ^= T; \ 294 (X) = (((X) << 1) | ((X) >> 31)) & 0xFFFFFFFF; \ 295 } while( 0 ) 296 297 /* 298 * Final Permutation macro 299 */ 300 #define DES_FP(X,Y) \ 301 do \ 302 { \ 303 (X) = (((X) << 31) | ((X) >> 1)) & 0xFFFFFFFF; \ 304 T = ((X) ^ (Y)) & 0xAAAAAAAA; (X) ^= T; (Y) ^= T; \ 305 (Y) = (((Y) << 31) | ((Y) >> 1)) & 0xFFFFFFFF; \ 306 T = (((Y) >> 8) ^ (X)) & 0x00FF00FF; (X) ^= T; (Y) ^= (T << 8); \ 307 T = (((Y) >> 2) ^ (X)) & 0x33333333; (X) ^= T; (Y) ^= (T << 2); \ 308 T = (((X) >> 16) ^ (Y)) & 0x0000FFFF; (Y) ^= T; (X) ^= (T << 16); \ 309 T = (((X) >> 4) ^ (Y)) & 0x0F0F0F0F; (Y) ^= T; (X) ^= (T << 4); \ 310 } while( 0 ) 311 312 /* 313 * DES round macro 314 */ 315 #define DES_ROUND(X,Y) \ 316 do \ 317 { \ 318 T = *SK++ ^ (X); \ 319 (Y) ^= SB8[ (T ) & 0x3F ] ^ \ 320 SB6[ (T >> 8) & 0x3F ] ^ \ 321 SB4[ (T >> 16) & 0x3F ] ^ \ 322 SB2[ (T >> 24) & 0x3F ]; \ 323 \ 324 T = *SK++ ^ (((X) << 28) | ((X) >> 4)); \ 325 (Y) ^= SB7[ (T ) & 0x3F ] ^ \ 326 SB5[ (T >> 8) & 0x3F ] ^ \ 327 SB3[ (T >> 16) & 0x3F ] ^ \ 328 SB1[ (T >> 24) & 0x3F ]; \ 329 } while( 0 ) 330 331 #define SWAP(a,b) \ 332 do \ 333 { \ 334 uint32_t t = (a); (a) = (b); (b) = t; t = 0; \ 335 } while( 0 ) 336 337 void mbedtls_des_init( mbedtls_des_context *ctx ) 338 { 339 memset( ctx, 0, sizeof( mbedtls_des_context ) ); 340 } 341 342 void mbedtls_des_free( mbedtls_des_context *ctx ) 343 { 344 if( ctx == NULL ) 345 return; 346 347 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_des_context ) ); 348 } 349 350 void mbedtls_des3_init( mbedtls_des3_context *ctx ) 351 { 352 memset( ctx, 0, sizeof( mbedtls_des3_context ) ); 353 } 354 355 void mbedtls_des3_free( mbedtls_des3_context *ctx ) 356 { 357 if( ctx == NULL ) 358 return; 359 360 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_des3_context ) ); 361 } 362 363 static const unsigned char odd_parity_table[128] = { 1, 2, 4, 7, 8, 364 11, 13, 14, 16, 19, 21, 22, 25, 26, 28, 31, 32, 35, 37, 38, 41, 42, 44, 365 47, 49, 50, 52, 55, 56, 59, 61, 62, 64, 67, 69, 70, 73, 74, 76, 79, 81, 366 82, 84, 87, 88, 91, 93, 94, 97, 98, 100, 103, 104, 107, 109, 110, 112, 367 115, 117, 118, 121, 122, 124, 127, 128, 131, 133, 134, 137, 138, 140, 368 143, 145, 146, 148, 151, 152, 155, 157, 158, 161, 162, 164, 167, 168, 369 171, 173, 174, 176, 179, 181, 182, 185, 186, 188, 191, 193, 194, 196, 370 199, 200, 203, 205, 206, 208, 211, 213, 214, 217, 218, 220, 223, 224, 371 227, 229, 230, 233, 234, 236, 239, 241, 242, 244, 247, 248, 251, 253, 372 254 }; 373 374 void mbedtls_des_key_set_parity( unsigned char key[MBEDTLS_DES_KEY_SIZE] ) 375 { 376 int i; 377 378 for( i = 0; i < MBEDTLS_DES_KEY_SIZE; i++ ) 379 key[i] = odd_parity_table[key[i] / 2]; 380 } 381 382 /* 383 * Check the given key's parity, returns 1 on failure, 0 on SUCCESS 384 */ 385 int mbedtls_des_key_check_key_parity( const unsigned char key[MBEDTLS_DES_KEY_SIZE] ) 386 { 387 int i; 388 389 for( i = 0; i < MBEDTLS_DES_KEY_SIZE; i++ ) 390 if( key[i] != odd_parity_table[key[i] / 2] ) 391 return( 1 ); 392 393 return( 0 ); 394 } 395 396 /* 397 * Table of weak and semi-weak keys 398 * 399 * Source: http://en.wikipedia.org/wiki/Weak_key 400 * 401 * Weak: 402 * Alternating ones + zeros (0x0101010101010101) 403 * Alternating 'F' + 'E' (0xFEFEFEFEFEFEFEFE) 404 * '0xE0E0E0E0F1F1F1F1' 405 * '0x1F1F1F1F0E0E0E0E' 406 * 407 * Semi-weak: 408 * 0x011F011F010E010E and 0x1F011F010E010E01 409 * 0x01E001E001F101F1 and 0xE001E001F101F101 410 * 0x01FE01FE01FE01FE and 0xFE01FE01FE01FE01 411 * 0x1FE01FE00EF10EF1 and 0xE01FE01FF10EF10E 412 * 0x1FFE1FFE0EFE0EFE and 0xFE1FFE1FFE0EFE0E 413 * 0xE0FEE0FEF1FEF1FE and 0xFEE0FEE0FEF1FEF1 414 * 415 */ 416 417 #define WEAK_KEY_COUNT 16 418 419 static const unsigned char weak_key_table[WEAK_KEY_COUNT][MBEDTLS_DES_KEY_SIZE] = 420 { 421 { 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 }, 422 { 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE }, 423 { 0x1F, 0x1F, 0x1F, 0x1F, 0x0E, 0x0E, 0x0E, 0x0E }, 424 { 0xE0, 0xE0, 0xE0, 0xE0, 0xF1, 0xF1, 0xF1, 0xF1 }, 425 426 { 0x01, 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E }, 427 { 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E, 0x01 }, 428 { 0x01, 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1 }, 429 { 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1, 0x01 }, 430 { 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE }, 431 { 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01 }, 432 { 0x1F, 0xE0, 0x1F, 0xE0, 0x0E, 0xF1, 0x0E, 0xF1 }, 433 { 0xE0, 0x1F, 0xE0, 0x1F, 0xF1, 0x0E, 0xF1, 0x0E }, 434 { 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E, 0xFE }, 435 { 0xFE, 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E }, 436 { 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1, 0xFE }, 437 { 0xFE, 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1 } 438 }; 439 440 int mbedtls_des_key_check_weak( const unsigned char key[MBEDTLS_DES_KEY_SIZE] ) 441 { 442 int i; 443 444 for( i = 0; i < WEAK_KEY_COUNT; i++ ) 445 if( memcmp( weak_key_table[i], key, MBEDTLS_DES_KEY_SIZE) == 0 ) 446 return( 1 ); 447 448 return( 0 ); 449 } 450 451 #if !defined(MBEDTLS_DES_SETKEY_ALT) 452 void mbedtls_des_setkey( uint32_t SK[32], const unsigned char key[MBEDTLS_DES_KEY_SIZE] ) 453 { 454 int i; 455 uint32_t X, Y, T; 456 457 GET_UINT32_BE( X, key, 0 ); 458 GET_UINT32_BE( Y, key, 4 ); 459 460 /* 461 * Permuted Choice 1 462 */ 463 T = ((Y >> 4) ^ X) & 0x0F0F0F0F; X ^= T; Y ^= (T << 4); 464 T = ((Y ) ^ X) & 0x10101010; X ^= T; Y ^= (T ); 465 466 X = (LHs[ (X ) & 0xF] << 3) | (LHs[ (X >> 8) & 0xF ] << 2) 467 | (LHs[ (X >> 16) & 0xF] << 1) | (LHs[ (X >> 24) & 0xF ] ) 468 | (LHs[ (X >> 5) & 0xF] << 7) | (LHs[ (X >> 13) & 0xF ] << 6) 469 | (LHs[ (X >> 21) & 0xF] << 5) | (LHs[ (X >> 29) & 0xF ] << 4); 470 471 Y = (RHs[ (Y >> 1) & 0xF] << 3) | (RHs[ (Y >> 9) & 0xF ] << 2) 472 | (RHs[ (Y >> 17) & 0xF] << 1) | (RHs[ (Y >> 25) & 0xF ] ) 473 | (RHs[ (Y >> 4) & 0xF] << 7) | (RHs[ (Y >> 12) & 0xF ] << 6) 474 | (RHs[ (Y >> 20) & 0xF] << 5) | (RHs[ (Y >> 28) & 0xF ] << 4); 475 476 X &= 0x0FFFFFFF; 477 Y &= 0x0FFFFFFF; 478 479 /* 480 * calculate subkeys 481 */ 482 for( i = 0; i < 16; i++ ) 483 { 484 if( i < 2 || i == 8 || i == 15 ) 485 { 486 X = ((X << 1) | (X >> 27)) & 0x0FFFFFFF; 487 Y = ((Y << 1) | (Y >> 27)) & 0x0FFFFFFF; 488 } 489 else 490 { 491 X = ((X << 2) | (X >> 26)) & 0x0FFFFFFF; 492 Y = ((Y << 2) | (Y >> 26)) & 0x0FFFFFFF; 493 } 494 495 *SK++ = ((X << 4) & 0x24000000) | ((X << 28) & 0x10000000) 496 | ((X << 14) & 0x08000000) | ((X << 18) & 0x02080000) 497 | ((X << 6) & 0x01000000) | ((X << 9) & 0x00200000) 498 | ((X >> 1) & 0x00100000) | ((X << 10) & 0x00040000) 499 | ((X << 2) & 0x00020000) | ((X >> 10) & 0x00010000) 500 | ((Y >> 13) & 0x00002000) | ((Y >> 4) & 0x00001000) 501 | ((Y << 6) & 0x00000800) | ((Y >> 1) & 0x00000400) 502 | ((Y >> 14) & 0x00000200) | ((Y ) & 0x00000100) 503 | ((Y >> 5) & 0x00000020) | ((Y >> 10) & 0x00000010) 504 | ((Y >> 3) & 0x00000008) | ((Y >> 18) & 0x00000004) 505 | ((Y >> 26) & 0x00000002) | ((Y >> 24) & 0x00000001); 506 507 *SK++ = ((X << 15) & 0x20000000) | ((X << 17) & 0x10000000) 508 | ((X << 10) & 0x08000000) | ((X << 22) & 0x04000000) 509 | ((X >> 2) & 0x02000000) | ((X << 1) & 0x01000000) 510 | ((X << 16) & 0x00200000) | ((X << 11) & 0x00100000) 511 | ((X << 3) & 0x00080000) | ((X >> 6) & 0x00040000) 512 | ((X << 15) & 0x00020000) | ((X >> 4) & 0x00010000) 513 | ((Y >> 2) & 0x00002000) | ((Y << 8) & 0x00001000) 514 | ((Y >> 14) & 0x00000808) | ((Y >> 9) & 0x00000400) 515 | ((Y ) & 0x00000200) | ((Y << 7) & 0x00000100) 516 | ((Y >> 7) & 0x00000020) | ((Y >> 3) & 0x00000011) 517 | ((Y << 2) & 0x00000004) | ((Y >> 21) & 0x00000002); 518 } 519 } 520 #endif /* !MBEDTLS_DES_SETKEY_ALT */ 521 522 /* 523 * DES key schedule (56-bit, encryption) 524 */ 525 int mbedtls_des_setkey_enc( mbedtls_des_context *ctx, const unsigned char key[MBEDTLS_DES_KEY_SIZE] ) 526 { 527 mbedtls_des_setkey( ctx->sk, key ); 528 529 return( 0 ); 530 } 531 532 /* 533 * DES key schedule (56-bit, decryption) 534 */ 535 int mbedtls_des_setkey_dec( mbedtls_des_context *ctx, const unsigned char key[MBEDTLS_DES_KEY_SIZE] ) 536 { 537 int i; 538 539 mbedtls_des_setkey( ctx->sk, key ); 540 541 for( i = 0; i < 16; i += 2 ) 542 { 543 SWAP( ctx->sk[i ], ctx->sk[30 - i] ); 544 SWAP( ctx->sk[i + 1], ctx->sk[31 - i] ); 545 } 546 547 return( 0 ); 548 } 549 550 static void des3_set2key( uint32_t esk[96], 551 uint32_t dsk[96], 552 const unsigned char key[MBEDTLS_DES_KEY_SIZE*2] ) 553 { 554 int i; 555 556 mbedtls_des_setkey( esk, key ); 557 mbedtls_des_setkey( dsk + 32, key + 8 ); 558 559 for( i = 0; i < 32; i += 2 ) 560 { 561 dsk[i ] = esk[30 - i]; 562 dsk[i + 1] = esk[31 - i]; 563 564 esk[i + 32] = dsk[62 - i]; 565 esk[i + 33] = dsk[63 - i]; 566 567 esk[i + 64] = esk[i ]; 568 esk[i + 65] = esk[i + 1]; 569 570 dsk[i + 64] = dsk[i ]; 571 dsk[i + 65] = dsk[i + 1]; 572 } 573 } 574 575 /* 576 * Triple-DES key schedule (112-bit, encryption) 577 */ 578 int mbedtls_des3_set2key_enc( mbedtls_des3_context *ctx, 579 const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2] ) 580 { 581 uint32_t sk[96]; 582 583 des3_set2key( ctx->sk, sk, key ); 584 mbedtls_platform_zeroize( sk, sizeof( sk ) ); 585 586 return( 0 ); 587 } 588 589 /* 590 * Triple-DES key schedule (112-bit, decryption) 591 */ 592 int mbedtls_des3_set2key_dec( mbedtls_des3_context *ctx, 593 const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2] ) 594 { 595 uint32_t sk[96]; 596 597 des3_set2key( sk, ctx->sk, key ); 598 mbedtls_platform_zeroize( sk, sizeof( sk ) ); 599 600 return( 0 ); 601 } 602 603 static void des3_set3key( uint32_t esk[96], 604 uint32_t dsk[96], 605 const unsigned char key[24] ) 606 { 607 int i; 608 609 mbedtls_des_setkey( esk, key ); 610 mbedtls_des_setkey( dsk + 32, key + 8 ); 611 mbedtls_des_setkey( esk + 64, key + 16 ); 612 613 for( i = 0; i < 32; i += 2 ) 614 { 615 dsk[i ] = esk[94 - i]; 616 dsk[i + 1] = esk[95 - i]; 617 618 esk[i + 32] = dsk[62 - i]; 619 esk[i + 33] = dsk[63 - i]; 620 621 dsk[i + 64] = esk[30 - i]; 622 dsk[i + 65] = esk[31 - i]; 623 } 624 } 625 626 /* 627 * Triple-DES key schedule (168-bit, encryption) 628 */ 629 int mbedtls_des3_set3key_enc( mbedtls_des3_context *ctx, 630 const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3] ) 631 { 632 uint32_t sk[96]; 633 634 des3_set3key( ctx->sk, sk, key ); 635 mbedtls_platform_zeroize( sk, sizeof( sk ) ); 636 637 return( 0 ); 638 } 639 640 /* 641 * Triple-DES key schedule (168-bit, decryption) 642 */ 643 int mbedtls_des3_set3key_dec( mbedtls_des3_context *ctx, 644 const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3] ) 645 { 646 uint32_t sk[96]; 647 648 des3_set3key( sk, ctx->sk, key ); 649 mbedtls_platform_zeroize( sk, sizeof( sk ) ); 650 651 return( 0 ); 652 } 653 654 /* 655 * DES-ECB block encryption/decryption 656 */ 657 #if !defined(MBEDTLS_DES_CRYPT_ECB_ALT) 658 int mbedtls_des_crypt_ecb( mbedtls_des_context *ctx, 659 const unsigned char input[8], 660 unsigned char output[8] ) 661 { 662 int i; 663 uint32_t X, Y, T, *SK; 664 665 SK = ctx->sk; 666 667 GET_UINT32_BE( X, input, 0 ); 668 GET_UINT32_BE( Y, input, 4 ); 669 670 DES_IP( X, Y ); 671 672 for( i = 0; i < 8; i++ ) 673 { 674 DES_ROUND( Y, X ); 675 DES_ROUND( X, Y ); 676 } 677 678 DES_FP( Y, X ); 679 680 PUT_UINT32_BE( Y, output, 0 ); 681 PUT_UINT32_BE( X, output, 4 ); 682 683 return( 0 ); 684 } 685 #endif /* !MBEDTLS_DES_CRYPT_ECB_ALT */ 686 687 #if defined(MBEDTLS_CIPHER_MODE_CBC) 688 /* 689 * DES-CBC buffer encryption/decryption 690 */ 691 int mbedtls_des_crypt_cbc( mbedtls_des_context *ctx, 692 int mode, 693 size_t length, 694 unsigned char iv[8], 695 const unsigned char *input, 696 unsigned char *output ) 697 { 698 int i; 699 unsigned char temp[8]; 700 701 if( length % 8 ) 702 return( MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH ); 703 704 if( mode == MBEDTLS_DES_ENCRYPT ) 705 { 706 while( length > 0 ) 707 { 708 for( i = 0; i < 8; i++ ) 709 output[i] = (unsigned char)( input[i] ^ iv[i] ); 710 711 mbedtls_des_crypt_ecb( ctx, output, output ); 712 memcpy( iv, output, 8 ); 713 714 input += 8; 715 output += 8; 716 length -= 8; 717 } 718 } 719 else /* MBEDTLS_DES_DECRYPT */ 720 { 721 while( length > 0 ) 722 { 723 memcpy( temp, input, 8 ); 724 mbedtls_des_crypt_ecb( ctx, input, output ); 725 726 for( i = 0; i < 8; i++ ) 727 output[i] = (unsigned char)( output[i] ^ iv[i] ); 728 729 memcpy( iv, temp, 8 ); 730 731 input += 8; 732 output += 8; 733 length -= 8; 734 } 735 } 736 737 return( 0 ); 738 } 739 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 740 741 /* 742 * 3DES-ECB block encryption/decryption 743 */ 744 #if !defined(MBEDTLS_DES3_CRYPT_ECB_ALT) 745 int mbedtls_des3_crypt_ecb( mbedtls_des3_context *ctx, 746 const unsigned char input[8], 747 unsigned char output[8] ) 748 { 749 int i; 750 uint32_t X, Y, T, *SK; 751 752 SK = ctx->sk; 753 754 GET_UINT32_BE( X, input, 0 ); 755 GET_UINT32_BE( Y, input, 4 ); 756 757 DES_IP( X, Y ); 758 759 for( i = 0; i < 8; i++ ) 760 { 761 DES_ROUND( Y, X ); 762 DES_ROUND( X, Y ); 763 } 764 765 for( i = 0; i < 8; i++ ) 766 { 767 DES_ROUND( X, Y ); 768 DES_ROUND( Y, X ); 769 } 770 771 for( i = 0; i < 8; i++ ) 772 { 773 DES_ROUND( Y, X ); 774 DES_ROUND( X, Y ); 775 } 776 777 DES_FP( Y, X ); 778 779 PUT_UINT32_BE( Y, output, 0 ); 780 PUT_UINT32_BE( X, output, 4 ); 781 782 return( 0 ); 783 } 784 #endif /* !MBEDTLS_DES3_CRYPT_ECB_ALT */ 785 786 #if defined(MBEDTLS_CIPHER_MODE_CBC) 787 /* 788 * 3DES-CBC buffer encryption/decryption 789 */ 790 int mbedtls_des3_crypt_cbc( mbedtls_des3_context *ctx, 791 int mode, 792 size_t length, 793 unsigned char iv[8], 794 const unsigned char *input, 795 unsigned char *output ) 796 { 797 int i; 798 unsigned char temp[8]; 799 800 if( length % 8 ) 801 return( MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH ); 802 803 if( mode == MBEDTLS_DES_ENCRYPT ) 804 { 805 while( length > 0 ) 806 { 807 for( i = 0; i < 8; i++ ) 808 output[i] = (unsigned char)( input[i] ^ iv[i] ); 809 810 mbedtls_des3_crypt_ecb( ctx, output, output ); 811 memcpy( iv, output, 8 ); 812 813 input += 8; 814 output += 8; 815 length -= 8; 816 } 817 } 818 else /* MBEDTLS_DES_DECRYPT */ 819 { 820 while( length > 0 ) 821 { 822 memcpy( temp, input, 8 ); 823 mbedtls_des3_crypt_ecb( ctx, input, output ); 824 825 for( i = 0; i < 8; i++ ) 826 output[i] = (unsigned char)( output[i] ^ iv[i] ); 827 828 memcpy( iv, temp, 8 ); 829 830 input += 8; 831 output += 8; 832 length -= 8; 833 } 834 } 835 836 return( 0 ); 837 } 838 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 839 840 #endif /* !MBEDTLS_DES_ALT */ 841 842 #if defined(MBEDTLS_SELF_TEST) 843 /* 844 * DES and 3DES test vectors from: 845 * 846 * http://csrc.nist.gov/groups/STM/cavp/documents/des/tripledes-vectors.zip 847 */ 848 static const unsigned char des3_test_keys[24] = 849 { 850 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 851 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01, 852 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01, 0x23 853 }; 854 855 static const unsigned char des3_test_buf[8] = 856 { 857 0x4E, 0x6F, 0x77, 0x20, 0x69, 0x73, 0x20, 0x74 858 }; 859 860 static const unsigned char des3_test_ecb_dec[3][8] = 861 { 862 { 0xCD, 0xD6, 0x4F, 0x2F, 0x94, 0x27, 0xC1, 0x5D }, 863 { 0x69, 0x96, 0xC8, 0xFA, 0x47, 0xA2, 0xAB, 0xEB }, 864 { 0x83, 0x25, 0x39, 0x76, 0x44, 0x09, 0x1A, 0x0A } 865 }; 866 867 static const unsigned char des3_test_ecb_enc[3][8] = 868 { 869 { 0x6A, 0x2A, 0x19, 0xF4, 0x1E, 0xCA, 0x85, 0x4B }, 870 { 0x03, 0xE6, 0x9F, 0x5B, 0xFA, 0x58, 0xEB, 0x42 }, 871 { 0xDD, 0x17, 0xE8, 0xB8, 0xB4, 0x37, 0xD2, 0x32 } 872 }; 873 874 #if defined(MBEDTLS_CIPHER_MODE_CBC) 875 static const unsigned char des3_test_iv[8] = 876 { 877 0x12, 0x34, 0x56, 0x78, 0x90, 0xAB, 0xCD, 0xEF, 878 }; 879 880 static const unsigned char des3_test_cbc_dec[3][8] = 881 { 882 { 0x12, 0x9F, 0x40, 0xB9, 0xD2, 0x00, 0x56, 0xB3 }, 883 { 0x47, 0x0E, 0xFC, 0x9A, 0x6B, 0x8E, 0xE3, 0x93 }, 884 { 0xC5, 0xCE, 0xCF, 0x63, 0xEC, 0xEC, 0x51, 0x4C } 885 }; 886 887 static const unsigned char des3_test_cbc_enc[3][8] = 888 { 889 { 0x54, 0xF1, 0x5A, 0xF6, 0xEB, 0xE3, 0xA4, 0xB4 }, 890 { 0x35, 0x76, 0x11, 0x56, 0x5F, 0xA1, 0x8E, 0x4D }, 891 { 0xCB, 0x19, 0x1F, 0x85, 0xD1, 0xED, 0x84, 0x39 } 892 }; 893 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 894 895 /* 896 * Checkup routine 897 */ 898 int mbedtls_des_self_test( int verbose ) 899 { 900 int i, j, u, v, ret = 0; 901 mbedtls_des_context ctx; 902 mbedtls_des3_context ctx3; 903 unsigned char buf[8]; 904 #if defined(MBEDTLS_CIPHER_MODE_CBC) 905 unsigned char prv[8]; 906 unsigned char iv[8]; 907 #endif 908 909 mbedtls_des_init( &ctx ); 910 mbedtls_des3_init( &ctx3 ); 911 /* 912 * ECB mode 913 */ 914 for( i = 0; i < 6; i++ ) 915 { 916 u = i >> 1; 917 v = i & 1; 918 919 if( verbose != 0 ) 920 mbedtls_printf( " DES%c-ECB-%3d (%s): ", 921 ( u == 0 ) ? ' ' : '3', 56 + u * 56, 922 ( v == MBEDTLS_DES_DECRYPT ) ? "dec" : "enc" ); 923 924 memcpy( buf, des3_test_buf, 8 ); 925 926 switch( i ) 927 { 928 case 0: 929 mbedtls_des_setkey_dec( &ctx, des3_test_keys ); 930 break; 931 932 case 1: 933 mbedtls_des_setkey_enc( &ctx, des3_test_keys ); 934 break; 935 936 case 2: 937 mbedtls_des3_set2key_dec( &ctx3, des3_test_keys ); 938 break; 939 940 case 3: 941 mbedtls_des3_set2key_enc( &ctx3, des3_test_keys ); 942 break; 943 944 case 4: 945 mbedtls_des3_set3key_dec( &ctx3, des3_test_keys ); 946 break; 947 948 case 5: 949 mbedtls_des3_set3key_enc( &ctx3, des3_test_keys ); 950 break; 951 952 default: 953 return( 1 ); 954 } 955 956 for( j = 0; j < 10000; j++ ) 957 { 958 if( u == 0 ) 959 mbedtls_des_crypt_ecb( &ctx, buf, buf ); 960 else 961 mbedtls_des3_crypt_ecb( &ctx3, buf, buf ); 962 } 963 964 if( ( v == MBEDTLS_DES_DECRYPT && 965 memcmp( buf, des3_test_ecb_dec[u], 8 ) != 0 ) || 966 ( v != MBEDTLS_DES_DECRYPT && 967 memcmp( buf, des3_test_ecb_enc[u], 8 ) != 0 ) ) 968 { 969 if( verbose != 0 ) 970 mbedtls_printf( "failed\n" ); 971 972 ret = 1; 973 goto exit; 974 } 975 976 if( verbose != 0 ) 977 mbedtls_printf( "passed\n" ); 978 } 979 980 if( verbose != 0 ) 981 mbedtls_printf( "\n" ); 982 983 #if defined(MBEDTLS_CIPHER_MODE_CBC) 984 /* 985 * CBC mode 986 */ 987 for( i = 0; i < 6; i++ ) 988 { 989 u = i >> 1; 990 v = i & 1; 991 992 if( verbose != 0 ) 993 mbedtls_printf( " DES%c-CBC-%3d (%s): ", 994 ( u == 0 ) ? ' ' : '3', 56 + u * 56, 995 ( v == MBEDTLS_DES_DECRYPT ) ? "dec" : "enc" ); 996 997 memcpy( iv, des3_test_iv, 8 ); 998 memcpy( prv, des3_test_iv, 8 ); 999 memcpy( buf, des3_test_buf, 8 ); 1000 1001 switch( i ) 1002 { 1003 case 0: 1004 mbedtls_des_setkey_dec( &ctx, des3_test_keys ); 1005 break; 1006 1007 case 1: 1008 mbedtls_des_setkey_enc( &ctx, des3_test_keys ); 1009 break; 1010 1011 case 2: 1012 mbedtls_des3_set2key_dec( &ctx3, des3_test_keys ); 1013 break; 1014 1015 case 3: 1016 mbedtls_des3_set2key_enc( &ctx3, des3_test_keys ); 1017 break; 1018 1019 case 4: 1020 mbedtls_des3_set3key_dec( &ctx3, des3_test_keys ); 1021 break; 1022 1023 case 5: 1024 mbedtls_des3_set3key_enc( &ctx3, des3_test_keys ); 1025 break; 1026 1027 default: 1028 return( 1 ); 1029 } 1030 1031 if( v == MBEDTLS_DES_DECRYPT ) 1032 { 1033 for( j = 0; j < 10000; j++ ) 1034 { 1035 if( u == 0 ) 1036 mbedtls_des_crypt_cbc( &ctx, v, 8, iv, buf, buf ); 1037 else 1038 mbedtls_des3_crypt_cbc( &ctx3, v, 8, iv, buf, buf ); 1039 } 1040 } 1041 else 1042 { 1043 for( j = 0; j < 10000; j++ ) 1044 { 1045 unsigned char tmp[8]; 1046 1047 if( u == 0 ) 1048 mbedtls_des_crypt_cbc( &ctx, v, 8, iv, buf, buf ); 1049 else 1050 mbedtls_des3_crypt_cbc( &ctx3, v, 8, iv, buf, buf ); 1051 1052 memcpy( tmp, prv, 8 ); 1053 memcpy( prv, buf, 8 ); 1054 memcpy( buf, tmp, 8 ); 1055 } 1056 1057 memcpy( buf, prv, 8 ); 1058 } 1059 1060 if( ( v == MBEDTLS_DES_DECRYPT && 1061 memcmp( buf, des3_test_cbc_dec[u], 8 ) != 0 ) || 1062 ( v != MBEDTLS_DES_DECRYPT && 1063 memcmp( buf, des3_test_cbc_enc[u], 8 ) != 0 ) ) 1064 { 1065 if( verbose != 0 ) 1066 mbedtls_printf( "failed\n" ); 1067 1068 ret = 1; 1069 goto exit; 1070 } 1071 1072 if( verbose != 0 ) 1073 mbedtls_printf( "passed\n" ); 1074 } 1075 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 1076 1077 if( verbose != 0 ) 1078 mbedtls_printf( "\n" ); 1079 1080 exit: 1081 mbedtls_des_free( &ctx ); 1082 mbedtls_des3_free( &ctx3 ); 1083 1084 return( ret ); 1085 } 1086 1087 #endif /* MBEDTLS_SELF_TEST */ 1088 1089 #endif /* MBEDTLS_DES_C */ 1090