1 /*
2 * FIPS-46-3 compliant Triple-DES implementation
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 */
7 /*
8 * DES, on which TDES is based, was originally designed by Horst Feistel
9 * at IBM in 1974, and was adopted as a standard by NIST (formerly NBS).
10 *
11 * http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf
12 */
13
14 #include "common.h"
15
16 #if defined(MBEDTLS_DES_C)
17
18 #include "mbedtls/des.h"
19 #include "mbedtls/error.h"
20 #include "mbedtls/platform_util.h"
21
22 #include <string.h>
23
24 #include "mbedtls/platform.h"
25
26 #if !defined(MBEDTLS_DES_ALT)
27
28 /*
29 * Expanded DES S-boxes
30 */
31 static const uint32_t SB1[64] =
32 {
33 0x01010400, 0x00000000, 0x00010000, 0x01010404,
34 0x01010004, 0x00010404, 0x00000004, 0x00010000,
35 0x00000400, 0x01010400, 0x01010404, 0x00000400,
36 0x01000404, 0x01010004, 0x01000000, 0x00000004,
37 0x00000404, 0x01000400, 0x01000400, 0x00010400,
38 0x00010400, 0x01010000, 0x01010000, 0x01000404,
39 0x00010004, 0x01000004, 0x01000004, 0x00010004,
40 0x00000000, 0x00000404, 0x00010404, 0x01000000,
41 0x00010000, 0x01010404, 0x00000004, 0x01010000,
42 0x01010400, 0x01000000, 0x01000000, 0x00000400,
43 0x01010004, 0x00010000, 0x00010400, 0x01000004,
44 0x00000400, 0x00000004, 0x01000404, 0x00010404,
45 0x01010404, 0x00010004, 0x01010000, 0x01000404,
46 0x01000004, 0x00000404, 0x00010404, 0x01010400,
47 0x00000404, 0x01000400, 0x01000400, 0x00000000,
48 0x00010004, 0x00010400, 0x00000000, 0x01010004
49 };
50
51 static const uint32_t SB2[64] =
52 {
53 0x80108020, 0x80008000, 0x00008000, 0x00108020,
54 0x00100000, 0x00000020, 0x80100020, 0x80008020,
55 0x80000020, 0x80108020, 0x80108000, 0x80000000,
56 0x80008000, 0x00100000, 0x00000020, 0x80100020,
57 0x00108000, 0x00100020, 0x80008020, 0x00000000,
58 0x80000000, 0x00008000, 0x00108020, 0x80100000,
59 0x00100020, 0x80000020, 0x00000000, 0x00108000,
60 0x00008020, 0x80108000, 0x80100000, 0x00008020,
61 0x00000000, 0x00108020, 0x80100020, 0x00100000,
62 0x80008020, 0x80100000, 0x80108000, 0x00008000,
63 0x80100000, 0x80008000, 0x00000020, 0x80108020,
64 0x00108020, 0x00000020, 0x00008000, 0x80000000,
65 0x00008020, 0x80108000, 0x00100000, 0x80000020,
66 0x00100020, 0x80008020, 0x80000020, 0x00100020,
67 0x00108000, 0x00000000, 0x80008000, 0x00008020,
68 0x80000000, 0x80100020, 0x80108020, 0x00108000
69 };
70
71 static const uint32_t SB3[64] =
72 {
73 0x00000208, 0x08020200, 0x00000000, 0x08020008,
74 0x08000200, 0x00000000, 0x00020208, 0x08000200,
75 0x00020008, 0x08000008, 0x08000008, 0x00020000,
76 0x08020208, 0x00020008, 0x08020000, 0x00000208,
77 0x08000000, 0x00000008, 0x08020200, 0x00000200,
78 0x00020200, 0x08020000, 0x08020008, 0x00020208,
79 0x08000208, 0x00020200, 0x00020000, 0x08000208,
80 0x00000008, 0x08020208, 0x00000200, 0x08000000,
81 0x08020200, 0x08000000, 0x00020008, 0x00000208,
82 0x00020000, 0x08020200, 0x08000200, 0x00000000,
83 0x00000200, 0x00020008, 0x08020208, 0x08000200,
84 0x08000008, 0x00000200, 0x00000000, 0x08020008,
85 0x08000208, 0x00020000, 0x08000000, 0x08020208,
86 0x00000008, 0x00020208, 0x00020200, 0x08000008,
87 0x08020000, 0x08000208, 0x00000208, 0x08020000,
88 0x00020208, 0x00000008, 0x08020008, 0x00020200
89 };
90
91 static const uint32_t SB4[64] =
92 {
93 0x00802001, 0x00002081, 0x00002081, 0x00000080,
94 0x00802080, 0x00800081, 0x00800001, 0x00002001,
95 0x00000000, 0x00802000, 0x00802000, 0x00802081,
96 0x00000081, 0x00000000, 0x00800080, 0x00800001,
97 0x00000001, 0x00002000, 0x00800000, 0x00802001,
98 0x00000080, 0x00800000, 0x00002001, 0x00002080,
99 0x00800081, 0x00000001, 0x00002080, 0x00800080,
100 0x00002000, 0x00802080, 0x00802081, 0x00000081,
101 0x00800080, 0x00800001, 0x00802000, 0x00802081,
102 0x00000081, 0x00000000, 0x00000000, 0x00802000,
103 0x00002080, 0x00800080, 0x00800081, 0x00000001,
104 0x00802001, 0x00002081, 0x00002081, 0x00000080,
105 0x00802081, 0x00000081, 0x00000001, 0x00002000,
106 0x00800001, 0x00002001, 0x00802080, 0x00800081,
107 0x00002001, 0x00002080, 0x00800000, 0x00802001,
108 0x00000080, 0x00800000, 0x00002000, 0x00802080
109 };
110
111 static const uint32_t SB5[64] =
112 {
113 0x00000100, 0x02080100, 0x02080000, 0x42000100,
114 0x00080000, 0x00000100, 0x40000000, 0x02080000,
115 0x40080100, 0x00080000, 0x02000100, 0x40080100,
116 0x42000100, 0x42080000, 0x00080100, 0x40000000,
117 0x02000000, 0x40080000, 0x40080000, 0x00000000,
118 0x40000100, 0x42080100, 0x42080100, 0x02000100,
119 0x42080000, 0x40000100, 0x00000000, 0x42000000,
120 0x02080100, 0x02000000, 0x42000000, 0x00080100,
121 0x00080000, 0x42000100, 0x00000100, 0x02000000,
122 0x40000000, 0x02080000, 0x42000100, 0x40080100,
123 0x02000100, 0x40000000, 0x42080000, 0x02080100,
124 0x40080100, 0x00000100, 0x02000000, 0x42080000,
125 0x42080100, 0x00080100, 0x42000000, 0x42080100,
126 0x02080000, 0x00000000, 0x40080000, 0x42000000,
127 0x00080100, 0x02000100, 0x40000100, 0x00080000,
128 0x00000000, 0x40080000, 0x02080100, 0x40000100
129 };
130
131 static const uint32_t SB6[64] =
132 {
133 0x20000010, 0x20400000, 0x00004000, 0x20404010,
134 0x20400000, 0x00000010, 0x20404010, 0x00400000,
135 0x20004000, 0x00404010, 0x00400000, 0x20000010,
136 0x00400010, 0x20004000, 0x20000000, 0x00004010,
137 0x00000000, 0x00400010, 0x20004010, 0x00004000,
138 0x00404000, 0x20004010, 0x00000010, 0x20400010,
139 0x20400010, 0x00000000, 0x00404010, 0x20404000,
140 0x00004010, 0x00404000, 0x20404000, 0x20000000,
141 0x20004000, 0x00000010, 0x20400010, 0x00404000,
142 0x20404010, 0x00400000, 0x00004010, 0x20000010,
143 0x00400000, 0x20004000, 0x20000000, 0x00004010,
144 0x20000010, 0x20404010, 0x00404000, 0x20400000,
145 0x00404010, 0x20404000, 0x00000000, 0x20400010,
146 0x00000010, 0x00004000, 0x20400000, 0x00404010,
147 0x00004000, 0x00400010, 0x20004010, 0x00000000,
148 0x20404000, 0x20000000, 0x00400010, 0x20004010
149 };
150
151 static const uint32_t SB7[64] =
152 {
153 0x00200000, 0x04200002, 0x04000802, 0x00000000,
154 0x00000800, 0x04000802, 0x00200802, 0x04200800,
155 0x04200802, 0x00200000, 0x00000000, 0x04000002,
156 0x00000002, 0x04000000, 0x04200002, 0x00000802,
157 0x04000800, 0x00200802, 0x00200002, 0x04000800,
158 0x04000002, 0x04200000, 0x04200800, 0x00200002,
159 0x04200000, 0x00000800, 0x00000802, 0x04200802,
160 0x00200800, 0x00000002, 0x04000000, 0x00200800,
161 0x04000000, 0x00200800, 0x00200000, 0x04000802,
162 0x04000802, 0x04200002, 0x04200002, 0x00000002,
163 0x00200002, 0x04000000, 0x04000800, 0x00200000,
164 0x04200800, 0x00000802, 0x00200802, 0x04200800,
165 0x00000802, 0x04000002, 0x04200802, 0x04200000,
166 0x00200800, 0x00000000, 0x00000002, 0x04200802,
167 0x00000000, 0x00200802, 0x04200000, 0x00000800,
168 0x04000002, 0x04000800, 0x00000800, 0x00200002
169 };
170
171 static const uint32_t SB8[64] =
172 {
173 0x10001040, 0x00001000, 0x00040000, 0x10041040,
174 0x10000000, 0x10001040, 0x00000040, 0x10000000,
175 0x00040040, 0x10040000, 0x10041040, 0x00041000,
176 0x10041000, 0x00041040, 0x00001000, 0x00000040,
177 0x10040000, 0x10000040, 0x10001000, 0x00001040,
178 0x00041000, 0x00040040, 0x10040040, 0x10041000,
179 0x00001040, 0x00000000, 0x00000000, 0x10040040,
180 0x10000040, 0x10001000, 0x00041040, 0x00040000,
181 0x00041040, 0x00040000, 0x10041000, 0x00001000,
182 0x00000040, 0x10040040, 0x00001000, 0x00041040,
183 0x10001000, 0x00000040, 0x10000040, 0x10040000,
184 0x10040040, 0x10000000, 0x00040000, 0x10001040,
185 0x00000000, 0x10041040, 0x00040040, 0x10000040,
186 0x10040000, 0x10001000, 0x10001040, 0x00000000,
187 0x10041040, 0x00041000, 0x00041000, 0x00001040,
188 0x00001040, 0x00040040, 0x10000000, 0x10041000
189 };
190
191 /*
192 * PC1: left and right halves bit-swap
193 */
194 static const uint32_t LHs[16] =
195 {
196 0x00000000, 0x00000001, 0x00000100, 0x00000101,
197 0x00010000, 0x00010001, 0x00010100, 0x00010101,
198 0x01000000, 0x01000001, 0x01000100, 0x01000101,
199 0x01010000, 0x01010001, 0x01010100, 0x01010101
200 };
201
202 static const uint32_t RHs[16] =
203 {
204 0x00000000, 0x01000000, 0x00010000, 0x01010000,
205 0x00000100, 0x01000100, 0x00010100, 0x01010100,
206 0x00000001, 0x01000001, 0x00010001, 0x01010001,
207 0x00000101, 0x01000101, 0x00010101, 0x01010101,
208 };
209
210 /*
211 * Initial Permutation macro
212 */
213 #define DES_IP(X, Y) \
214 do \
215 { \
216 T = (((X) >> 4) ^ (Y)) & 0x0F0F0F0F; (Y) ^= T; (X) ^= (T << 4); \
217 T = (((X) >> 16) ^ (Y)) & 0x0000FFFF; (Y) ^= T; (X) ^= (T << 16); \
218 T = (((Y) >> 2) ^ (X)) & 0x33333333; (X) ^= T; (Y) ^= (T << 2); \
219 T = (((Y) >> 8) ^ (X)) & 0x00FF00FF; (X) ^= T; (Y) ^= (T << 8); \
220 (Y) = (((Y) << 1) | ((Y) >> 31)) & 0xFFFFFFFF; \
221 T = ((X) ^ (Y)) & 0xAAAAAAAA; (Y) ^= T; (X) ^= T; \
222 (X) = (((X) << 1) | ((X) >> 31)) & 0xFFFFFFFF; \
223 } while (0)
224
225 /*
226 * Final Permutation macro
227 */
228 #define DES_FP(X, Y) \
229 do \
230 { \
231 (X) = (((X) << 31) | ((X) >> 1)) & 0xFFFFFFFF; \
232 T = ((X) ^ (Y)) & 0xAAAAAAAA; (X) ^= T; (Y) ^= T; \
233 (Y) = (((Y) << 31) | ((Y) >> 1)) & 0xFFFFFFFF; \
234 T = (((Y) >> 8) ^ (X)) & 0x00FF00FF; (X) ^= T; (Y) ^= (T << 8); \
235 T = (((Y) >> 2) ^ (X)) & 0x33333333; (X) ^= T; (Y) ^= (T << 2); \
236 T = (((X) >> 16) ^ (Y)) & 0x0000FFFF; (Y) ^= T; (X) ^= (T << 16); \
237 T = (((X) >> 4) ^ (Y)) & 0x0F0F0F0F; (Y) ^= T; (X) ^= (T << 4); \
238 } while (0)
239
240 /*
241 * DES round macro
242 */
243 #define DES_ROUND(X, Y) \
244 do \
245 { \
246 T = *SK++ ^ (X); \
247 (Y) ^= SB8[(T) & 0x3F] ^ \
248 SB6[(T >> 8) & 0x3F] ^ \
249 SB4[(T >> 16) & 0x3F] ^ \
250 SB2[(T >> 24) & 0x3F]; \
251 \
252 T = *SK++ ^ (((X) << 28) | ((X) >> 4)); \
253 (Y) ^= SB7[(T) & 0x3F] ^ \
254 SB5[(T >> 8) & 0x3F] ^ \
255 SB3[(T >> 16) & 0x3F] ^ \
256 SB1[(T >> 24) & 0x3F]; \
257 } while (0)
258
259 #define SWAP(a, b) \
260 do \
261 { \
262 uint32_t t = (a); (a) = (b); (b) = t; t = 0; \
263 } while (0)
264
mbedtls_des_init(mbedtls_des_context * ctx)265 void mbedtls_des_init(mbedtls_des_context *ctx)
266 {
267 memset(ctx, 0, sizeof(mbedtls_des_context));
268 }
269
mbedtls_des_free(mbedtls_des_context * ctx)270 void mbedtls_des_free(mbedtls_des_context *ctx)
271 {
272 if (ctx == NULL) {
273 return;
274 }
275
276 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_des_context));
277 }
278
mbedtls_des3_init(mbedtls_des3_context * ctx)279 void mbedtls_des3_init(mbedtls_des3_context *ctx)
280 {
281 memset(ctx, 0, sizeof(mbedtls_des3_context));
282 }
283
mbedtls_des3_free(mbedtls_des3_context * ctx)284 void mbedtls_des3_free(mbedtls_des3_context *ctx)
285 {
286 if (ctx == NULL) {
287 return;
288 }
289
290 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_des3_context));
291 }
292
293 static const unsigned char odd_parity_table[128] = { 1, 2, 4, 7, 8,
294 11, 13, 14, 16, 19, 21, 22, 25, 26, 28, 31, 32,
295 35, 37, 38, 41, 42, 44,
296 47, 49, 50, 52, 55, 56, 59, 61, 62, 64, 67, 69,
297 70, 73, 74, 76, 79, 81,
298 82, 84, 87, 88, 91, 93, 94, 97, 98, 100, 103,
299 104, 107, 109, 110, 112,
300 115, 117, 118, 121, 122, 124, 127, 128, 131,
301 133, 134, 137, 138, 140,
302 143, 145, 146, 148, 151, 152, 155, 157, 158,
303 161, 162, 164, 167, 168,
304 171, 173, 174, 176, 179, 181, 182, 185, 186,
305 188, 191, 193, 194, 196,
306 199, 200, 203, 205, 206, 208, 211, 213, 214,
307 217, 218, 220, 223, 224,
308 227, 229, 230, 233, 234, 236, 239, 241, 242,
309 244, 247, 248, 251, 253,
310 254 };
311
mbedtls_des_key_set_parity(unsigned char key[MBEDTLS_DES_KEY_SIZE])312 void mbedtls_des_key_set_parity(unsigned char key[MBEDTLS_DES_KEY_SIZE])
313 {
314 int i;
315
316 for (i = 0; i < MBEDTLS_DES_KEY_SIZE; i++) {
317 key[i] = odd_parity_table[key[i] / 2];
318 }
319 }
320
321 /*
322 * Check the given key's parity, returns 1 on failure, 0 on SUCCESS
323 */
mbedtls_des_key_check_key_parity(const unsigned char key[MBEDTLS_DES_KEY_SIZE])324 int mbedtls_des_key_check_key_parity(const unsigned char key[MBEDTLS_DES_KEY_SIZE])
325 {
326 int i;
327
328 for (i = 0; i < MBEDTLS_DES_KEY_SIZE; i++) {
329 if (key[i] != odd_parity_table[key[i] / 2]) {
330 return 1;
331 }
332 }
333
334 return 0;
335 }
336
337 /*
338 * Table of weak and semi-weak keys
339 *
340 * Source: http://en.wikipedia.org/wiki/Weak_key
341 *
342 * Weak:
343 * Alternating ones + zeros (0x0101010101010101)
344 * Alternating 'F' + 'E' (0xFEFEFEFEFEFEFEFE)
345 * '0xE0E0E0E0F1F1F1F1'
346 * '0x1F1F1F1F0E0E0E0E'
347 *
348 * Semi-weak:
349 * 0x011F011F010E010E and 0x1F011F010E010E01
350 * 0x01E001E001F101F1 and 0xE001E001F101F101
351 * 0x01FE01FE01FE01FE and 0xFE01FE01FE01FE01
352 * 0x1FE01FE00EF10EF1 and 0xE01FE01FF10EF10E
353 * 0x1FFE1FFE0EFE0EFE and 0xFE1FFE1FFE0EFE0E
354 * 0xE0FEE0FEF1FEF1FE and 0xFEE0FEE0FEF1FEF1
355 *
356 */
357
358 #define WEAK_KEY_COUNT 16
359
360 static const unsigned char weak_key_table[WEAK_KEY_COUNT][MBEDTLS_DES_KEY_SIZE] =
361 {
362 { 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 },
363 { 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE },
364 { 0x1F, 0x1F, 0x1F, 0x1F, 0x0E, 0x0E, 0x0E, 0x0E },
365 { 0xE0, 0xE0, 0xE0, 0xE0, 0xF1, 0xF1, 0xF1, 0xF1 },
366
367 { 0x01, 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E },
368 { 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E, 0x01 },
369 { 0x01, 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1 },
370 { 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1, 0x01 },
371 { 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE },
372 { 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01 },
373 { 0x1F, 0xE0, 0x1F, 0xE0, 0x0E, 0xF1, 0x0E, 0xF1 },
374 { 0xE0, 0x1F, 0xE0, 0x1F, 0xF1, 0x0E, 0xF1, 0x0E },
375 { 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E, 0xFE },
376 { 0xFE, 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E },
377 { 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1, 0xFE },
378 { 0xFE, 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1 }
379 };
380
mbedtls_des_key_check_weak(const unsigned char key[MBEDTLS_DES_KEY_SIZE])381 int mbedtls_des_key_check_weak(const unsigned char key[MBEDTLS_DES_KEY_SIZE])
382 {
383 int i;
384
385 for (i = 0; i < WEAK_KEY_COUNT; i++) {
386 if (memcmp(weak_key_table[i], key, MBEDTLS_DES_KEY_SIZE) == 0) {
387 return 1;
388 }
389 }
390
391 return 0;
392 }
393
394 #if !defined(MBEDTLS_DES_SETKEY_ALT)
mbedtls_des_setkey(uint32_t SK[32],const unsigned char key[MBEDTLS_DES_KEY_SIZE])395 void mbedtls_des_setkey(uint32_t SK[32], const unsigned char key[MBEDTLS_DES_KEY_SIZE])
396 {
397 int i;
398 uint32_t X, Y, T;
399
400 X = MBEDTLS_GET_UINT32_BE(key, 0);
401 Y = MBEDTLS_GET_UINT32_BE(key, 4);
402
403 /*
404 * Permuted Choice 1
405 */
406 T = ((Y >> 4) ^ X) & 0x0F0F0F0F; X ^= T; Y ^= (T << 4);
407 T = ((Y) ^ X) & 0x10101010; X ^= T; Y ^= (T);
408
409 X = (LHs[(X) & 0xF] << 3) | (LHs[(X >> 8) & 0xF] << 2)
410 | (LHs[(X >> 16) & 0xF] << 1) | (LHs[(X >> 24) & 0xF])
411 | (LHs[(X >> 5) & 0xF] << 7) | (LHs[(X >> 13) & 0xF] << 6)
412 | (LHs[(X >> 21) & 0xF] << 5) | (LHs[(X >> 29) & 0xF] << 4);
413
414 Y = (RHs[(Y >> 1) & 0xF] << 3) | (RHs[(Y >> 9) & 0xF] << 2)
415 | (RHs[(Y >> 17) & 0xF] << 1) | (RHs[(Y >> 25) & 0xF])
416 | (RHs[(Y >> 4) & 0xF] << 7) | (RHs[(Y >> 12) & 0xF] << 6)
417 | (RHs[(Y >> 20) & 0xF] << 5) | (RHs[(Y >> 28) & 0xF] << 4);
418
419 X &= 0x0FFFFFFF;
420 Y &= 0x0FFFFFFF;
421
422 /*
423 * calculate subkeys
424 */
425 for (i = 0; i < 16; i++) {
426 if (i < 2 || i == 8 || i == 15) {
427 X = ((X << 1) | (X >> 27)) & 0x0FFFFFFF;
428 Y = ((Y << 1) | (Y >> 27)) & 0x0FFFFFFF;
429 } else {
430 X = ((X << 2) | (X >> 26)) & 0x0FFFFFFF;
431 Y = ((Y << 2) | (Y >> 26)) & 0x0FFFFFFF;
432 }
433
434 *SK++ = ((X << 4) & 0x24000000) | ((X << 28) & 0x10000000)
435 | ((X << 14) & 0x08000000) | ((X << 18) & 0x02080000)
436 | ((X << 6) & 0x01000000) | ((X << 9) & 0x00200000)
437 | ((X >> 1) & 0x00100000) | ((X << 10) & 0x00040000)
438 | ((X << 2) & 0x00020000) | ((X >> 10) & 0x00010000)
439 | ((Y >> 13) & 0x00002000) | ((Y >> 4) & 0x00001000)
440 | ((Y << 6) & 0x00000800) | ((Y >> 1) & 0x00000400)
441 | ((Y >> 14) & 0x00000200) | ((Y) & 0x00000100)
442 | ((Y >> 5) & 0x00000020) | ((Y >> 10) & 0x00000010)
443 | ((Y >> 3) & 0x00000008) | ((Y >> 18) & 0x00000004)
444 | ((Y >> 26) & 0x00000002) | ((Y >> 24) & 0x00000001);
445
446 *SK++ = ((X << 15) & 0x20000000) | ((X << 17) & 0x10000000)
447 | ((X << 10) & 0x08000000) | ((X << 22) & 0x04000000)
448 | ((X >> 2) & 0x02000000) | ((X << 1) & 0x01000000)
449 | ((X << 16) & 0x00200000) | ((X << 11) & 0x00100000)
450 | ((X << 3) & 0x00080000) | ((X >> 6) & 0x00040000)
451 | ((X << 15) & 0x00020000) | ((X >> 4) & 0x00010000)
452 | ((Y >> 2) & 0x00002000) | ((Y << 8) & 0x00001000)
453 | ((Y >> 14) & 0x00000808) | ((Y >> 9) & 0x00000400)
454 | ((Y) & 0x00000200) | ((Y << 7) & 0x00000100)
455 | ((Y >> 7) & 0x00000020) | ((Y >> 3) & 0x00000011)
456 | ((Y << 2) & 0x00000004) | ((Y >> 21) & 0x00000002);
457 }
458 }
459 #endif /* !MBEDTLS_DES_SETKEY_ALT */
460
461 /*
462 * DES key schedule (56-bit, encryption)
463 */
mbedtls_des_setkey_enc(mbedtls_des_context * ctx,const unsigned char key[MBEDTLS_DES_KEY_SIZE])464 int mbedtls_des_setkey_enc(mbedtls_des_context *ctx, const unsigned char key[MBEDTLS_DES_KEY_SIZE])
465 {
466 mbedtls_des_setkey(ctx->sk, key);
467
468 return 0;
469 }
470
471 /*
472 * DES key schedule (56-bit, decryption)
473 */
mbedtls_des_setkey_dec(mbedtls_des_context * ctx,const unsigned char key[MBEDTLS_DES_KEY_SIZE])474 int mbedtls_des_setkey_dec(mbedtls_des_context *ctx, const unsigned char key[MBEDTLS_DES_KEY_SIZE])
475 {
476 int i;
477
478 mbedtls_des_setkey(ctx->sk, key);
479
480 for (i = 0; i < 16; i += 2) {
481 SWAP(ctx->sk[i], ctx->sk[30 - i]);
482 SWAP(ctx->sk[i + 1], ctx->sk[31 - i]);
483 }
484
485 return 0;
486 }
487
des3_set2key(uint32_t esk[96],uint32_t dsk[96],const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2])488 static void des3_set2key(uint32_t esk[96],
489 uint32_t dsk[96],
490 const unsigned char key[MBEDTLS_DES_KEY_SIZE*2])
491 {
492 int i;
493
494 mbedtls_des_setkey(esk, key);
495 mbedtls_des_setkey(dsk + 32, key + 8);
496
497 for (i = 0; i < 32; i += 2) {
498 dsk[i] = esk[30 - i];
499 dsk[i + 1] = esk[31 - i];
500
501 esk[i + 32] = dsk[62 - i];
502 esk[i + 33] = dsk[63 - i];
503
504 esk[i + 64] = esk[i];
505 esk[i + 65] = esk[i + 1];
506
507 dsk[i + 64] = dsk[i];
508 dsk[i + 65] = dsk[i + 1];
509 }
510 }
511
512 /*
513 * Triple-DES key schedule (112-bit, encryption)
514 */
mbedtls_des3_set2key_enc(mbedtls_des3_context * ctx,const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2])515 int mbedtls_des3_set2key_enc(mbedtls_des3_context *ctx,
516 const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2])
517 {
518 uint32_t sk[96];
519
520 des3_set2key(ctx->sk, sk, key);
521 mbedtls_platform_zeroize(sk, sizeof(sk));
522
523 return 0;
524 }
525
526 /*
527 * Triple-DES key schedule (112-bit, decryption)
528 */
mbedtls_des3_set2key_dec(mbedtls_des3_context * ctx,const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2])529 int mbedtls_des3_set2key_dec(mbedtls_des3_context *ctx,
530 const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2])
531 {
532 uint32_t sk[96];
533
534 des3_set2key(sk, ctx->sk, key);
535 mbedtls_platform_zeroize(sk, sizeof(sk));
536
537 return 0;
538 }
539
des3_set3key(uint32_t esk[96],uint32_t dsk[96],const unsigned char key[24])540 static void des3_set3key(uint32_t esk[96],
541 uint32_t dsk[96],
542 const unsigned char key[24])
543 {
544 int i;
545
546 mbedtls_des_setkey(esk, key);
547 mbedtls_des_setkey(dsk + 32, key + 8);
548 mbedtls_des_setkey(esk + 64, key + 16);
549
550 for (i = 0; i < 32; i += 2) {
551 dsk[i] = esk[94 - i];
552 dsk[i + 1] = esk[95 - i];
553
554 esk[i + 32] = dsk[62 - i];
555 esk[i + 33] = dsk[63 - i];
556
557 dsk[i + 64] = esk[30 - i];
558 dsk[i + 65] = esk[31 - i];
559 }
560 }
561
562 /*
563 * Triple-DES key schedule (168-bit, encryption)
564 */
mbedtls_des3_set3key_enc(mbedtls_des3_context * ctx,const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3])565 int mbedtls_des3_set3key_enc(mbedtls_des3_context *ctx,
566 const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3])
567 {
568 uint32_t sk[96];
569
570 des3_set3key(ctx->sk, sk, key);
571 mbedtls_platform_zeroize(sk, sizeof(sk));
572
573 return 0;
574 }
575
576 /*
577 * Triple-DES key schedule (168-bit, decryption)
578 */
mbedtls_des3_set3key_dec(mbedtls_des3_context * ctx,const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3])579 int mbedtls_des3_set3key_dec(mbedtls_des3_context *ctx,
580 const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3])
581 {
582 uint32_t sk[96];
583
584 des3_set3key(sk, ctx->sk, key);
585 mbedtls_platform_zeroize(sk, sizeof(sk));
586
587 return 0;
588 }
589
590 /*
591 * DES-ECB block encryption/decryption
592 */
593 #if !defined(MBEDTLS_DES_CRYPT_ECB_ALT)
mbedtls_des_crypt_ecb(mbedtls_des_context * ctx,const unsigned char input[8],unsigned char output[8])594 int mbedtls_des_crypt_ecb(mbedtls_des_context *ctx,
595 const unsigned char input[8],
596 unsigned char output[8])
597 {
598 int i;
599 uint32_t X, Y, T, *SK;
600
601 SK = ctx->sk;
602
603 X = MBEDTLS_GET_UINT32_BE(input, 0);
604 Y = MBEDTLS_GET_UINT32_BE(input, 4);
605
606 DES_IP(X, Y);
607
608 for (i = 0; i < 8; i++) {
609 DES_ROUND(Y, X);
610 DES_ROUND(X, Y);
611 }
612
613 DES_FP(Y, X);
614
615 MBEDTLS_PUT_UINT32_BE(Y, output, 0);
616 MBEDTLS_PUT_UINT32_BE(X, output, 4);
617
618 return 0;
619 }
620 #endif /* !MBEDTLS_DES_CRYPT_ECB_ALT */
621
622 #if defined(MBEDTLS_CIPHER_MODE_CBC)
623 /*
624 * DES-CBC buffer encryption/decryption
625 */
mbedtls_des_crypt_cbc(mbedtls_des_context * ctx,int mode,size_t length,unsigned char iv[8],const unsigned char * input,unsigned char * output)626 int mbedtls_des_crypt_cbc(mbedtls_des_context *ctx,
627 int mode,
628 size_t length,
629 unsigned char iv[8],
630 const unsigned char *input,
631 unsigned char *output)
632 {
633 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
634 unsigned char temp[8];
635
636 if (length % 8) {
637 return MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH;
638 }
639
640 if (mode == MBEDTLS_DES_ENCRYPT) {
641 while (length > 0) {
642 mbedtls_xor(output, input, iv, 8);
643
644 ret = mbedtls_des_crypt_ecb(ctx, output, output);
645 if (ret != 0) {
646 goto exit;
647 }
648 memcpy(iv, output, 8);
649
650 input += 8;
651 output += 8;
652 length -= 8;
653 }
654 } else { /* MBEDTLS_DES_DECRYPT */
655 while (length > 0) {
656 memcpy(temp, input, 8);
657 ret = mbedtls_des_crypt_ecb(ctx, input, output);
658 if (ret != 0) {
659 goto exit;
660 }
661
662 mbedtls_xor(output, output, iv, 8);
663
664 memcpy(iv, temp, 8);
665
666 input += 8;
667 output += 8;
668 length -= 8;
669 }
670 }
671 ret = 0;
672
673 exit:
674 return ret;
675 }
676 #endif /* MBEDTLS_CIPHER_MODE_CBC */
677
678 /*
679 * 3DES-ECB block encryption/decryption
680 */
681 #if !defined(MBEDTLS_DES3_CRYPT_ECB_ALT)
mbedtls_des3_crypt_ecb(mbedtls_des3_context * ctx,const unsigned char input[8],unsigned char output[8])682 int mbedtls_des3_crypt_ecb(mbedtls_des3_context *ctx,
683 const unsigned char input[8],
684 unsigned char output[8])
685 {
686 int i;
687 uint32_t X, Y, T, *SK;
688
689 SK = ctx->sk;
690
691 X = MBEDTLS_GET_UINT32_BE(input, 0);
692 Y = MBEDTLS_GET_UINT32_BE(input, 4);
693
694 DES_IP(X, Y);
695
696 for (i = 0; i < 8; i++) {
697 DES_ROUND(Y, X);
698 DES_ROUND(X, Y);
699 }
700
701 for (i = 0; i < 8; i++) {
702 DES_ROUND(X, Y);
703 DES_ROUND(Y, X);
704 }
705
706 for (i = 0; i < 8; i++) {
707 DES_ROUND(Y, X);
708 DES_ROUND(X, Y);
709 }
710
711 DES_FP(Y, X);
712
713 MBEDTLS_PUT_UINT32_BE(Y, output, 0);
714 MBEDTLS_PUT_UINT32_BE(X, output, 4);
715
716 return 0;
717 }
718 #endif /* !MBEDTLS_DES3_CRYPT_ECB_ALT */
719
720 #if defined(MBEDTLS_CIPHER_MODE_CBC)
721 /*
722 * 3DES-CBC buffer encryption/decryption
723 */
mbedtls_des3_crypt_cbc(mbedtls_des3_context * ctx,int mode,size_t length,unsigned char iv[8],const unsigned char * input,unsigned char * output)724 int mbedtls_des3_crypt_cbc(mbedtls_des3_context *ctx,
725 int mode,
726 size_t length,
727 unsigned char iv[8],
728 const unsigned char *input,
729 unsigned char *output)
730 {
731 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
732 unsigned char temp[8];
733
734 if (length % 8) {
735 return MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH;
736 }
737
738 if (mode == MBEDTLS_DES_ENCRYPT) {
739 while (length > 0) {
740 mbedtls_xor(output, input, iv, 8);
741
742 ret = mbedtls_des3_crypt_ecb(ctx, output, output);
743 if (ret != 0) {
744 goto exit;
745 }
746 memcpy(iv, output, 8);
747
748 input += 8;
749 output += 8;
750 length -= 8;
751 }
752 } else { /* MBEDTLS_DES_DECRYPT */
753 while (length > 0) {
754 memcpy(temp, input, 8);
755 ret = mbedtls_des3_crypt_ecb(ctx, input, output);
756 if (ret != 0) {
757 goto exit;
758 }
759
760 mbedtls_xor(output, output, iv, 8);
761
762 memcpy(iv, temp, 8);
763
764 input += 8;
765 output += 8;
766 length -= 8;
767 }
768 }
769 ret = 0;
770
771 exit:
772 return ret;
773 }
774 #endif /* MBEDTLS_CIPHER_MODE_CBC */
775
776 #endif /* !MBEDTLS_DES_ALT */
777
778 #if defined(MBEDTLS_SELF_TEST)
779 /*
780 * DES and 3DES test vectors from:
781 *
782 * http://csrc.nist.gov/groups/STM/cavp/documents/des/tripledes-vectors.zip
783 */
784 static const unsigned char des3_test_keys[24] =
785 {
786 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF,
787 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01,
788 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01, 0x23
789 };
790
791 static const unsigned char des3_test_buf[8] =
792 {
793 0x4E, 0x6F, 0x77, 0x20, 0x69, 0x73, 0x20, 0x74
794 };
795
796 static const unsigned char des3_test_ecb_dec[3][8] =
797 {
798 { 0x37, 0x2B, 0x98, 0xBF, 0x52, 0x65, 0xB0, 0x59 },
799 { 0xC2, 0x10, 0x19, 0x9C, 0x38, 0x5A, 0x65, 0xA1 },
800 { 0xA2, 0x70, 0x56, 0x68, 0x69, 0xE5, 0x15, 0x1D }
801 };
802
803 static const unsigned char des3_test_ecb_enc[3][8] =
804 {
805 { 0x1C, 0xD5, 0x97, 0xEA, 0x84, 0x26, 0x73, 0xFB },
806 { 0xB3, 0x92, 0x4D, 0xF3, 0xC5, 0xB5, 0x42, 0x93 },
807 { 0xDA, 0x37, 0x64, 0x41, 0xBA, 0x6F, 0x62, 0x6F }
808 };
809
810 #if defined(MBEDTLS_CIPHER_MODE_CBC)
811 static const unsigned char des3_test_iv[8] =
812 {
813 0x12, 0x34, 0x56, 0x78, 0x90, 0xAB, 0xCD, 0xEF,
814 };
815
816 static const unsigned char des3_test_cbc_dec[3][8] =
817 {
818 { 0x58, 0xD9, 0x48, 0xEF, 0x85, 0x14, 0x65, 0x9A },
819 { 0x5F, 0xC8, 0x78, 0xD4, 0xD7, 0x92, 0xD9, 0x54 },
820 { 0x25, 0xF9, 0x75, 0x85, 0xA8, 0x1E, 0x48, 0xBF }
821 };
822
823 static const unsigned char des3_test_cbc_enc[3][8] =
824 {
825 { 0x91, 0x1C, 0x6D, 0xCF, 0x48, 0xA7, 0xC3, 0x4D },
826 { 0x60, 0x1A, 0x76, 0x8F, 0xA1, 0xF9, 0x66, 0xF1 },
827 { 0xA1, 0x50, 0x0F, 0x99, 0xB2, 0xCD, 0x64, 0x76 }
828 };
829 #endif /* MBEDTLS_CIPHER_MODE_CBC */
830
831 /*
832 * Checkup routine
833 */
mbedtls_des_self_test(int verbose)834 int mbedtls_des_self_test(int verbose)
835 {
836 int i, j, u, v, ret = 0;
837 mbedtls_des_context ctx;
838 mbedtls_des3_context ctx3;
839 unsigned char buf[8];
840 #if defined(MBEDTLS_CIPHER_MODE_CBC)
841 unsigned char prv[8];
842 unsigned char iv[8];
843 #endif
844
845 mbedtls_des_init(&ctx);
846 mbedtls_des3_init(&ctx3);
847 /*
848 * ECB mode
849 */
850 for (i = 0; i < 6; i++) {
851 u = i >> 1;
852 v = i & 1;
853
854 if (verbose != 0) {
855 mbedtls_printf(" DES%c-ECB-%3d (%s): ",
856 (u == 0) ? ' ' : '3', 56 + u * 56,
857 (v == MBEDTLS_DES_DECRYPT) ? "dec" : "enc");
858 }
859
860 memcpy(buf, des3_test_buf, 8);
861
862 switch (i) {
863 case 0:
864 ret = mbedtls_des_setkey_dec(&ctx, des3_test_keys);
865 break;
866
867 case 1:
868 ret = mbedtls_des_setkey_enc(&ctx, des3_test_keys);
869 break;
870
871 case 2:
872 ret = mbedtls_des3_set2key_dec(&ctx3, des3_test_keys);
873 break;
874
875 case 3:
876 ret = mbedtls_des3_set2key_enc(&ctx3, des3_test_keys);
877 break;
878
879 case 4:
880 ret = mbedtls_des3_set3key_dec(&ctx3, des3_test_keys);
881 break;
882
883 case 5:
884 ret = mbedtls_des3_set3key_enc(&ctx3, des3_test_keys);
885 break;
886
887 default:
888 return 1;
889 }
890 if (ret != 0) {
891 goto exit;
892 }
893
894 for (j = 0; j < 100; j++) {
895 if (u == 0) {
896 ret = mbedtls_des_crypt_ecb(&ctx, buf, buf);
897 } else {
898 ret = mbedtls_des3_crypt_ecb(&ctx3, buf, buf);
899 }
900 if (ret != 0) {
901 goto exit;
902 }
903 }
904
905 if ((v == MBEDTLS_DES_DECRYPT &&
906 memcmp(buf, des3_test_ecb_dec[u], 8) != 0) ||
907 (v != MBEDTLS_DES_DECRYPT &&
908 memcmp(buf, des3_test_ecb_enc[u], 8) != 0)) {
909 if (verbose != 0) {
910 mbedtls_printf("failed\n");
911 }
912
913 ret = 1;
914 goto exit;
915 }
916
917 if (verbose != 0) {
918 mbedtls_printf("passed\n");
919 }
920 }
921
922 if (verbose != 0) {
923 mbedtls_printf("\n");
924 }
925
926 #if defined(MBEDTLS_CIPHER_MODE_CBC)
927 /*
928 * CBC mode
929 */
930 for (i = 0; i < 6; i++) {
931 u = i >> 1;
932 v = i & 1;
933
934 if (verbose != 0) {
935 mbedtls_printf(" DES%c-CBC-%3d (%s): ",
936 (u == 0) ? ' ' : '3', 56 + u * 56,
937 (v == MBEDTLS_DES_DECRYPT) ? "dec" : "enc");
938 }
939
940 memcpy(iv, des3_test_iv, 8);
941 memcpy(prv, des3_test_iv, 8);
942 memcpy(buf, des3_test_buf, 8);
943
944 switch (i) {
945 case 0:
946 ret = mbedtls_des_setkey_dec(&ctx, des3_test_keys);
947 break;
948
949 case 1:
950 ret = mbedtls_des_setkey_enc(&ctx, des3_test_keys);
951 break;
952
953 case 2:
954 ret = mbedtls_des3_set2key_dec(&ctx3, des3_test_keys);
955 break;
956
957 case 3:
958 ret = mbedtls_des3_set2key_enc(&ctx3, des3_test_keys);
959 break;
960
961 case 4:
962 ret = mbedtls_des3_set3key_dec(&ctx3, des3_test_keys);
963 break;
964
965 case 5:
966 ret = mbedtls_des3_set3key_enc(&ctx3, des3_test_keys);
967 break;
968
969 default:
970 return 1;
971 }
972 if (ret != 0) {
973 goto exit;
974 }
975
976 if (v == MBEDTLS_DES_DECRYPT) {
977 for (j = 0; j < 100; j++) {
978 if (u == 0) {
979 ret = mbedtls_des_crypt_cbc(&ctx, v, 8, iv, buf, buf);
980 } else {
981 ret = mbedtls_des3_crypt_cbc(&ctx3, v, 8, iv, buf, buf);
982 }
983 if (ret != 0) {
984 goto exit;
985 }
986 }
987 } else {
988 for (j = 0; j < 100; j++) {
989 unsigned char tmp[8];
990
991 if (u == 0) {
992 ret = mbedtls_des_crypt_cbc(&ctx, v, 8, iv, buf, buf);
993 } else {
994 ret = mbedtls_des3_crypt_cbc(&ctx3, v, 8, iv, buf, buf);
995 }
996 if (ret != 0) {
997 goto exit;
998 }
999
1000 memcpy(tmp, prv, 8);
1001 memcpy(prv, buf, 8);
1002 memcpy(buf, tmp, 8);
1003 }
1004
1005 memcpy(buf, prv, 8);
1006 }
1007
1008 if ((v == MBEDTLS_DES_DECRYPT &&
1009 memcmp(buf, des3_test_cbc_dec[u], 8) != 0) ||
1010 (v != MBEDTLS_DES_DECRYPT &&
1011 memcmp(buf, des3_test_cbc_enc[u], 8) != 0)) {
1012 if (verbose != 0) {
1013 mbedtls_printf("failed\n");
1014 }
1015
1016 ret = 1;
1017 goto exit;
1018 }
1019
1020 if (verbose != 0) {
1021 mbedtls_printf("passed\n");
1022 }
1023 }
1024 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1025
1026 if (verbose != 0) {
1027 mbedtls_printf("\n");
1028 }
1029
1030 exit:
1031 mbedtls_des_free(&ctx);
1032 mbedtls_des3_free(&ctx3);
1033
1034 if (ret != 0) {
1035 ret = 1;
1036 }
1037 return ret;
1038 }
1039
1040 #endif /* MBEDTLS_SELF_TEST */
1041
1042 #endif /* MBEDTLS_DES_C */
1043
