1 /*
2 * FIPS-46-3 compliant Triple-DES implementation
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19 /*
20 * DES, on which TDES is based, was originally designed by Horst Feistel
21 * at IBM in 1974, and was adopted as a standard by NIST (formerly NBS).
22 *
23 * http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf
24 */
25
26 #include "common.h"
27
28 #if defined(MBEDTLS_DES_C)
29
30 #include "mbedtls/des.h"
31 #include "mbedtls/error.h"
32 #include "mbedtls/platform_util.h"
33
34 #include <string.h>
35
36 #include "mbedtls/platform.h"
37
38 #if !defined(MBEDTLS_DES_ALT)
39
40 /*
41 * Expanded DES S-boxes
42 */
43 static const uint32_t SB1[64] =
44 {
45 0x01010400, 0x00000000, 0x00010000, 0x01010404,
46 0x01010004, 0x00010404, 0x00000004, 0x00010000,
47 0x00000400, 0x01010400, 0x01010404, 0x00000400,
48 0x01000404, 0x01010004, 0x01000000, 0x00000004,
49 0x00000404, 0x01000400, 0x01000400, 0x00010400,
50 0x00010400, 0x01010000, 0x01010000, 0x01000404,
51 0x00010004, 0x01000004, 0x01000004, 0x00010004,
52 0x00000000, 0x00000404, 0x00010404, 0x01000000,
53 0x00010000, 0x01010404, 0x00000004, 0x01010000,
54 0x01010400, 0x01000000, 0x01000000, 0x00000400,
55 0x01010004, 0x00010000, 0x00010400, 0x01000004,
56 0x00000400, 0x00000004, 0x01000404, 0x00010404,
57 0x01010404, 0x00010004, 0x01010000, 0x01000404,
58 0x01000004, 0x00000404, 0x00010404, 0x01010400,
59 0x00000404, 0x01000400, 0x01000400, 0x00000000,
60 0x00010004, 0x00010400, 0x00000000, 0x01010004
61 };
62
63 static const uint32_t SB2[64] =
64 {
65 0x80108020, 0x80008000, 0x00008000, 0x00108020,
66 0x00100000, 0x00000020, 0x80100020, 0x80008020,
67 0x80000020, 0x80108020, 0x80108000, 0x80000000,
68 0x80008000, 0x00100000, 0x00000020, 0x80100020,
69 0x00108000, 0x00100020, 0x80008020, 0x00000000,
70 0x80000000, 0x00008000, 0x00108020, 0x80100000,
71 0x00100020, 0x80000020, 0x00000000, 0x00108000,
72 0x00008020, 0x80108000, 0x80100000, 0x00008020,
73 0x00000000, 0x00108020, 0x80100020, 0x00100000,
74 0x80008020, 0x80100000, 0x80108000, 0x00008000,
75 0x80100000, 0x80008000, 0x00000020, 0x80108020,
76 0x00108020, 0x00000020, 0x00008000, 0x80000000,
77 0x00008020, 0x80108000, 0x00100000, 0x80000020,
78 0x00100020, 0x80008020, 0x80000020, 0x00100020,
79 0x00108000, 0x00000000, 0x80008000, 0x00008020,
80 0x80000000, 0x80100020, 0x80108020, 0x00108000
81 };
82
83 static const uint32_t SB3[64] =
84 {
85 0x00000208, 0x08020200, 0x00000000, 0x08020008,
86 0x08000200, 0x00000000, 0x00020208, 0x08000200,
87 0x00020008, 0x08000008, 0x08000008, 0x00020000,
88 0x08020208, 0x00020008, 0x08020000, 0x00000208,
89 0x08000000, 0x00000008, 0x08020200, 0x00000200,
90 0x00020200, 0x08020000, 0x08020008, 0x00020208,
91 0x08000208, 0x00020200, 0x00020000, 0x08000208,
92 0x00000008, 0x08020208, 0x00000200, 0x08000000,
93 0x08020200, 0x08000000, 0x00020008, 0x00000208,
94 0x00020000, 0x08020200, 0x08000200, 0x00000000,
95 0x00000200, 0x00020008, 0x08020208, 0x08000200,
96 0x08000008, 0x00000200, 0x00000000, 0x08020008,
97 0x08000208, 0x00020000, 0x08000000, 0x08020208,
98 0x00000008, 0x00020208, 0x00020200, 0x08000008,
99 0x08020000, 0x08000208, 0x00000208, 0x08020000,
100 0x00020208, 0x00000008, 0x08020008, 0x00020200
101 };
102
103 static const uint32_t SB4[64] =
104 {
105 0x00802001, 0x00002081, 0x00002081, 0x00000080,
106 0x00802080, 0x00800081, 0x00800001, 0x00002001,
107 0x00000000, 0x00802000, 0x00802000, 0x00802081,
108 0x00000081, 0x00000000, 0x00800080, 0x00800001,
109 0x00000001, 0x00002000, 0x00800000, 0x00802001,
110 0x00000080, 0x00800000, 0x00002001, 0x00002080,
111 0x00800081, 0x00000001, 0x00002080, 0x00800080,
112 0x00002000, 0x00802080, 0x00802081, 0x00000081,
113 0x00800080, 0x00800001, 0x00802000, 0x00802081,
114 0x00000081, 0x00000000, 0x00000000, 0x00802000,
115 0x00002080, 0x00800080, 0x00800081, 0x00000001,
116 0x00802001, 0x00002081, 0x00002081, 0x00000080,
117 0x00802081, 0x00000081, 0x00000001, 0x00002000,
118 0x00800001, 0x00002001, 0x00802080, 0x00800081,
119 0x00002001, 0x00002080, 0x00800000, 0x00802001,
120 0x00000080, 0x00800000, 0x00002000, 0x00802080
121 };
122
123 static const uint32_t SB5[64] =
124 {
125 0x00000100, 0x02080100, 0x02080000, 0x42000100,
126 0x00080000, 0x00000100, 0x40000000, 0x02080000,
127 0x40080100, 0x00080000, 0x02000100, 0x40080100,
128 0x42000100, 0x42080000, 0x00080100, 0x40000000,
129 0x02000000, 0x40080000, 0x40080000, 0x00000000,
130 0x40000100, 0x42080100, 0x42080100, 0x02000100,
131 0x42080000, 0x40000100, 0x00000000, 0x42000000,
132 0x02080100, 0x02000000, 0x42000000, 0x00080100,
133 0x00080000, 0x42000100, 0x00000100, 0x02000000,
134 0x40000000, 0x02080000, 0x42000100, 0x40080100,
135 0x02000100, 0x40000000, 0x42080000, 0x02080100,
136 0x40080100, 0x00000100, 0x02000000, 0x42080000,
137 0x42080100, 0x00080100, 0x42000000, 0x42080100,
138 0x02080000, 0x00000000, 0x40080000, 0x42000000,
139 0x00080100, 0x02000100, 0x40000100, 0x00080000,
140 0x00000000, 0x40080000, 0x02080100, 0x40000100
141 };
142
143 static const uint32_t SB6[64] =
144 {
145 0x20000010, 0x20400000, 0x00004000, 0x20404010,
146 0x20400000, 0x00000010, 0x20404010, 0x00400000,
147 0x20004000, 0x00404010, 0x00400000, 0x20000010,
148 0x00400010, 0x20004000, 0x20000000, 0x00004010,
149 0x00000000, 0x00400010, 0x20004010, 0x00004000,
150 0x00404000, 0x20004010, 0x00000010, 0x20400010,
151 0x20400010, 0x00000000, 0x00404010, 0x20404000,
152 0x00004010, 0x00404000, 0x20404000, 0x20000000,
153 0x20004000, 0x00000010, 0x20400010, 0x00404000,
154 0x20404010, 0x00400000, 0x00004010, 0x20000010,
155 0x00400000, 0x20004000, 0x20000000, 0x00004010,
156 0x20000010, 0x20404010, 0x00404000, 0x20400000,
157 0x00404010, 0x20404000, 0x00000000, 0x20400010,
158 0x00000010, 0x00004000, 0x20400000, 0x00404010,
159 0x00004000, 0x00400010, 0x20004010, 0x00000000,
160 0x20404000, 0x20000000, 0x00400010, 0x20004010
161 };
162
163 static const uint32_t SB7[64] =
164 {
165 0x00200000, 0x04200002, 0x04000802, 0x00000000,
166 0x00000800, 0x04000802, 0x00200802, 0x04200800,
167 0x04200802, 0x00200000, 0x00000000, 0x04000002,
168 0x00000002, 0x04000000, 0x04200002, 0x00000802,
169 0x04000800, 0x00200802, 0x00200002, 0x04000800,
170 0x04000002, 0x04200000, 0x04200800, 0x00200002,
171 0x04200000, 0x00000800, 0x00000802, 0x04200802,
172 0x00200800, 0x00000002, 0x04000000, 0x00200800,
173 0x04000000, 0x00200800, 0x00200000, 0x04000802,
174 0x04000802, 0x04200002, 0x04200002, 0x00000002,
175 0x00200002, 0x04000000, 0x04000800, 0x00200000,
176 0x04200800, 0x00000802, 0x00200802, 0x04200800,
177 0x00000802, 0x04000002, 0x04200802, 0x04200000,
178 0x00200800, 0x00000000, 0x00000002, 0x04200802,
179 0x00000000, 0x00200802, 0x04200000, 0x00000800,
180 0x04000002, 0x04000800, 0x00000800, 0x00200002
181 };
182
183 static const uint32_t SB8[64] =
184 {
185 0x10001040, 0x00001000, 0x00040000, 0x10041040,
186 0x10000000, 0x10001040, 0x00000040, 0x10000000,
187 0x00040040, 0x10040000, 0x10041040, 0x00041000,
188 0x10041000, 0x00041040, 0x00001000, 0x00000040,
189 0x10040000, 0x10000040, 0x10001000, 0x00001040,
190 0x00041000, 0x00040040, 0x10040040, 0x10041000,
191 0x00001040, 0x00000000, 0x00000000, 0x10040040,
192 0x10000040, 0x10001000, 0x00041040, 0x00040000,
193 0x00041040, 0x00040000, 0x10041000, 0x00001000,
194 0x00000040, 0x10040040, 0x00001000, 0x00041040,
195 0x10001000, 0x00000040, 0x10000040, 0x10040000,
196 0x10040040, 0x10000000, 0x00040000, 0x10001040,
197 0x00000000, 0x10041040, 0x00040040, 0x10000040,
198 0x10040000, 0x10001000, 0x10001040, 0x00000000,
199 0x10041040, 0x00041000, 0x00041000, 0x00001040,
200 0x00001040, 0x00040040, 0x10000000, 0x10041000
201 };
202
203 /*
204 * PC1: left and right halves bit-swap
205 */
206 static const uint32_t LHs[16] =
207 {
208 0x00000000, 0x00000001, 0x00000100, 0x00000101,
209 0x00010000, 0x00010001, 0x00010100, 0x00010101,
210 0x01000000, 0x01000001, 0x01000100, 0x01000101,
211 0x01010000, 0x01010001, 0x01010100, 0x01010101
212 };
213
214 static const uint32_t RHs[16] =
215 {
216 0x00000000, 0x01000000, 0x00010000, 0x01010000,
217 0x00000100, 0x01000100, 0x00010100, 0x01010100,
218 0x00000001, 0x01000001, 0x00010001, 0x01010001,
219 0x00000101, 0x01000101, 0x00010101, 0x01010101,
220 };
221
222 /*
223 * Initial Permutation macro
224 */
225 #define DES_IP(X,Y) \
226 do \
227 { \
228 T = (((X) >> 4) ^ (Y)) & 0x0F0F0F0F; (Y) ^= T; (X) ^= (T << 4); \
229 T = (((X) >> 16) ^ (Y)) & 0x0000FFFF; (Y) ^= T; (X) ^= (T << 16); \
230 T = (((Y) >> 2) ^ (X)) & 0x33333333; (X) ^= T; (Y) ^= (T << 2); \
231 T = (((Y) >> 8) ^ (X)) & 0x00FF00FF; (X) ^= T; (Y) ^= (T << 8); \
232 (Y) = (((Y) << 1) | ((Y) >> 31)) & 0xFFFFFFFF; \
233 T = ((X) ^ (Y)) & 0xAAAAAAAA; (Y) ^= T; (X) ^= T; \
234 (X) = (((X) << 1) | ((X) >> 31)) & 0xFFFFFFFF; \
235 } while( 0 )
236
237 /*
238 * Final Permutation macro
239 */
240 #define DES_FP(X,Y) \
241 do \
242 { \
243 (X) = (((X) << 31) | ((X) >> 1)) & 0xFFFFFFFF; \
244 T = ((X) ^ (Y)) & 0xAAAAAAAA; (X) ^= T; (Y) ^= T; \
245 (Y) = (((Y) << 31) | ((Y) >> 1)) & 0xFFFFFFFF; \
246 T = (((Y) >> 8) ^ (X)) & 0x00FF00FF; (X) ^= T; (Y) ^= (T << 8); \
247 T = (((Y) >> 2) ^ (X)) & 0x33333333; (X) ^= T; (Y) ^= (T << 2); \
248 T = (((X) >> 16) ^ (Y)) & 0x0000FFFF; (Y) ^= T; (X) ^= (T << 16); \
249 T = (((X) >> 4) ^ (Y)) & 0x0F0F0F0F; (Y) ^= T; (X) ^= (T << 4); \
250 } while( 0 )
251
252 /*
253 * DES round macro
254 */
255 #define DES_ROUND(X,Y) \
256 do \
257 { \
258 T = *SK++ ^ (X); \
259 (Y) ^= SB8[ (T ) & 0x3F ] ^ \
260 SB6[ (T >> 8) & 0x3F ] ^ \
261 SB4[ (T >> 16) & 0x3F ] ^ \
262 SB2[ (T >> 24) & 0x3F ]; \
263 \
264 T = *SK++ ^ (((X) << 28) | ((X) >> 4)); \
265 (Y) ^= SB7[ (T ) & 0x3F ] ^ \
266 SB5[ (T >> 8) & 0x3F ] ^ \
267 SB3[ (T >> 16) & 0x3F ] ^ \
268 SB1[ (T >> 24) & 0x3F ]; \
269 } while( 0 )
270
271 #define SWAP(a,b) \
272 do \
273 { \
274 uint32_t t = (a); (a) = (b); (b) = t; t = 0; \
275 } while( 0 )
276
mbedtls_des_init(mbedtls_des_context * ctx)277 void mbedtls_des_init( mbedtls_des_context *ctx )
278 {
279 memset( ctx, 0, sizeof( mbedtls_des_context ) );
280 }
281
mbedtls_des_free(mbedtls_des_context * ctx)282 void mbedtls_des_free( mbedtls_des_context *ctx )
283 {
284 if( ctx == NULL )
285 return;
286
287 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_des_context ) );
288 }
289
mbedtls_des3_init(mbedtls_des3_context * ctx)290 void mbedtls_des3_init( mbedtls_des3_context *ctx )
291 {
292 memset( ctx, 0, sizeof( mbedtls_des3_context ) );
293 }
294
mbedtls_des3_free(mbedtls_des3_context * ctx)295 void mbedtls_des3_free( mbedtls_des3_context *ctx )
296 {
297 if( ctx == NULL )
298 return;
299
300 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_des3_context ) );
301 }
302
303 static const unsigned char odd_parity_table[128] = { 1, 2, 4, 7, 8,
304 11, 13, 14, 16, 19, 21, 22, 25, 26, 28, 31, 32, 35, 37, 38, 41, 42, 44,
305 47, 49, 50, 52, 55, 56, 59, 61, 62, 64, 67, 69, 70, 73, 74, 76, 79, 81,
306 82, 84, 87, 88, 91, 93, 94, 97, 98, 100, 103, 104, 107, 109, 110, 112,
307 115, 117, 118, 121, 122, 124, 127, 128, 131, 133, 134, 137, 138, 140,
308 143, 145, 146, 148, 151, 152, 155, 157, 158, 161, 162, 164, 167, 168,
309 171, 173, 174, 176, 179, 181, 182, 185, 186, 188, 191, 193, 194, 196,
310 199, 200, 203, 205, 206, 208, 211, 213, 214, 217, 218, 220, 223, 224,
311 227, 229, 230, 233, 234, 236, 239, 241, 242, 244, 247, 248, 251, 253,
312 254 };
313
mbedtls_des_key_set_parity(unsigned char key[MBEDTLS_DES_KEY_SIZE])314 void mbedtls_des_key_set_parity( unsigned char key[MBEDTLS_DES_KEY_SIZE] )
315 {
316 int i;
317
318 for( i = 0; i < MBEDTLS_DES_KEY_SIZE; i++ )
319 key[i] = odd_parity_table[key[i] / 2];
320 }
321
322 /*
323 * Check the given key's parity, returns 1 on failure, 0 on SUCCESS
324 */
mbedtls_des_key_check_key_parity(const unsigned char key[MBEDTLS_DES_KEY_SIZE])325 int mbedtls_des_key_check_key_parity( const unsigned char key[MBEDTLS_DES_KEY_SIZE] )
326 {
327 int i;
328
329 for( i = 0; i < MBEDTLS_DES_KEY_SIZE; i++ )
330 if( key[i] != odd_parity_table[key[i] / 2] )
331 return( 1 );
332
333 return( 0 );
334 }
335
336 /*
337 * Table of weak and semi-weak keys
338 *
339 * Source: http://en.wikipedia.org/wiki/Weak_key
340 *
341 * Weak:
342 * Alternating ones + zeros (0x0101010101010101)
343 * Alternating 'F' + 'E' (0xFEFEFEFEFEFEFEFE)
344 * '0xE0E0E0E0F1F1F1F1'
345 * '0x1F1F1F1F0E0E0E0E'
346 *
347 * Semi-weak:
348 * 0x011F011F010E010E and 0x1F011F010E010E01
349 * 0x01E001E001F101F1 and 0xE001E001F101F101
350 * 0x01FE01FE01FE01FE and 0xFE01FE01FE01FE01
351 * 0x1FE01FE00EF10EF1 and 0xE01FE01FF10EF10E
352 * 0x1FFE1FFE0EFE0EFE and 0xFE1FFE1FFE0EFE0E
353 * 0xE0FEE0FEF1FEF1FE and 0xFEE0FEE0FEF1FEF1
354 *
355 */
356
357 #define WEAK_KEY_COUNT 16
358
359 static const unsigned char weak_key_table[WEAK_KEY_COUNT][MBEDTLS_DES_KEY_SIZE] =
360 {
361 { 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 },
362 { 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE },
363 { 0x1F, 0x1F, 0x1F, 0x1F, 0x0E, 0x0E, 0x0E, 0x0E },
364 { 0xE0, 0xE0, 0xE0, 0xE0, 0xF1, 0xF1, 0xF1, 0xF1 },
365
366 { 0x01, 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E },
367 { 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E, 0x01 },
368 { 0x01, 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1 },
369 { 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1, 0x01 },
370 { 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE },
371 { 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01 },
372 { 0x1F, 0xE0, 0x1F, 0xE0, 0x0E, 0xF1, 0x0E, 0xF1 },
373 { 0xE0, 0x1F, 0xE0, 0x1F, 0xF1, 0x0E, 0xF1, 0x0E },
374 { 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E, 0xFE },
375 { 0xFE, 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E },
376 { 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1, 0xFE },
377 { 0xFE, 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1 }
378 };
379
mbedtls_des_key_check_weak(const unsigned char key[MBEDTLS_DES_KEY_SIZE])380 int mbedtls_des_key_check_weak( const unsigned char key[MBEDTLS_DES_KEY_SIZE] )
381 {
382 int i;
383
384 for( i = 0; i < WEAK_KEY_COUNT; i++ )
385 if( memcmp( weak_key_table[i], key, MBEDTLS_DES_KEY_SIZE) == 0 )
386 return( 1 );
387
388 return( 0 );
389 }
390
391 #if !defined(MBEDTLS_DES_SETKEY_ALT)
mbedtls_des_setkey(uint32_t SK[32],const unsigned char key[MBEDTLS_DES_KEY_SIZE])392 void mbedtls_des_setkey( uint32_t SK[32], const unsigned char key[MBEDTLS_DES_KEY_SIZE] )
393 {
394 int i;
395 uint32_t X, Y, T;
396
397 X = MBEDTLS_GET_UINT32_BE( key, 0 );
398 Y = MBEDTLS_GET_UINT32_BE( key, 4 );
399
400 /*
401 * Permuted Choice 1
402 */
403 T = ((Y >> 4) ^ X) & 0x0F0F0F0F; X ^= T; Y ^= (T << 4);
404 T = ((Y ) ^ X) & 0x10101010; X ^= T; Y ^= (T );
405
406 X = (LHs[ (X ) & 0xF] << 3) | (LHs[ (X >> 8) & 0xF ] << 2)
407 | (LHs[ (X >> 16) & 0xF] << 1) | (LHs[ (X >> 24) & 0xF ] )
408 | (LHs[ (X >> 5) & 0xF] << 7) | (LHs[ (X >> 13) & 0xF ] << 6)
409 | (LHs[ (X >> 21) & 0xF] << 5) | (LHs[ (X >> 29) & 0xF ] << 4);
410
411 Y = (RHs[ (Y >> 1) & 0xF] << 3) | (RHs[ (Y >> 9) & 0xF ] << 2)
412 | (RHs[ (Y >> 17) & 0xF] << 1) | (RHs[ (Y >> 25) & 0xF ] )
413 | (RHs[ (Y >> 4) & 0xF] << 7) | (RHs[ (Y >> 12) & 0xF ] << 6)
414 | (RHs[ (Y >> 20) & 0xF] << 5) | (RHs[ (Y >> 28) & 0xF ] << 4);
415
416 X &= 0x0FFFFFFF;
417 Y &= 0x0FFFFFFF;
418
419 /*
420 * calculate subkeys
421 */
422 for( i = 0; i < 16; i++ )
423 {
424 if( i < 2 || i == 8 || i == 15 )
425 {
426 X = ((X << 1) | (X >> 27)) & 0x0FFFFFFF;
427 Y = ((Y << 1) | (Y >> 27)) & 0x0FFFFFFF;
428 }
429 else
430 {
431 X = ((X << 2) | (X >> 26)) & 0x0FFFFFFF;
432 Y = ((Y << 2) | (Y >> 26)) & 0x0FFFFFFF;
433 }
434
435 *SK++ = ((X << 4) & 0x24000000) | ((X << 28) & 0x10000000)
436 | ((X << 14) & 0x08000000) | ((X << 18) & 0x02080000)
437 | ((X << 6) & 0x01000000) | ((X << 9) & 0x00200000)
438 | ((X >> 1) & 0x00100000) | ((X << 10) & 0x00040000)
439 | ((X << 2) & 0x00020000) | ((X >> 10) & 0x00010000)
440 | ((Y >> 13) & 0x00002000) | ((Y >> 4) & 0x00001000)
441 | ((Y << 6) & 0x00000800) | ((Y >> 1) & 0x00000400)
442 | ((Y >> 14) & 0x00000200) | ((Y ) & 0x00000100)
443 | ((Y >> 5) & 0x00000020) | ((Y >> 10) & 0x00000010)
444 | ((Y >> 3) & 0x00000008) | ((Y >> 18) & 0x00000004)
445 | ((Y >> 26) & 0x00000002) | ((Y >> 24) & 0x00000001);
446
447 *SK++ = ((X << 15) & 0x20000000) | ((X << 17) & 0x10000000)
448 | ((X << 10) & 0x08000000) | ((X << 22) & 0x04000000)
449 | ((X >> 2) & 0x02000000) | ((X << 1) & 0x01000000)
450 | ((X << 16) & 0x00200000) | ((X << 11) & 0x00100000)
451 | ((X << 3) & 0x00080000) | ((X >> 6) & 0x00040000)
452 | ((X << 15) & 0x00020000) | ((X >> 4) & 0x00010000)
453 | ((Y >> 2) & 0x00002000) | ((Y << 8) & 0x00001000)
454 | ((Y >> 14) & 0x00000808) | ((Y >> 9) & 0x00000400)
455 | ((Y ) & 0x00000200) | ((Y << 7) & 0x00000100)
456 | ((Y >> 7) & 0x00000020) | ((Y >> 3) & 0x00000011)
457 | ((Y << 2) & 0x00000004) | ((Y >> 21) & 0x00000002);
458 }
459 }
460 #endif /* !MBEDTLS_DES_SETKEY_ALT */
461
462 /*
463 * DES key schedule (56-bit, encryption)
464 */
mbedtls_des_setkey_enc(mbedtls_des_context * ctx,const unsigned char key[MBEDTLS_DES_KEY_SIZE])465 int mbedtls_des_setkey_enc( mbedtls_des_context *ctx, const unsigned char key[MBEDTLS_DES_KEY_SIZE] )
466 {
467 mbedtls_des_setkey( ctx->sk, key );
468
469 return( 0 );
470 }
471
472 /*
473 * DES key schedule (56-bit, decryption)
474 */
mbedtls_des_setkey_dec(mbedtls_des_context * ctx,const unsigned char key[MBEDTLS_DES_KEY_SIZE])475 int mbedtls_des_setkey_dec( mbedtls_des_context *ctx, const unsigned char key[MBEDTLS_DES_KEY_SIZE] )
476 {
477 int i;
478
479 mbedtls_des_setkey( ctx->sk, key );
480
481 for( i = 0; i < 16; i += 2 )
482 {
483 SWAP( ctx->sk[i ], ctx->sk[30 - i] );
484 SWAP( ctx->sk[i + 1], ctx->sk[31 - i] );
485 }
486
487 return( 0 );
488 }
489
des3_set2key(uint32_t esk[96],uint32_t dsk[96],const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2])490 static void des3_set2key( uint32_t esk[96],
491 uint32_t dsk[96],
492 const unsigned char key[MBEDTLS_DES_KEY_SIZE*2] )
493 {
494 int i;
495
496 mbedtls_des_setkey( esk, key );
497 mbedtls_des_setkey( dsk + 32, key + 8 );
498
499 for( i = 0; i < 32; i += 2 )
500 {
501 dsk[i ] = esk[30 - i];
502 dsk[i + 1] = esk[31 - i];
503
504 esk[i + 32] = dsk[62 - i];
505 esk[i + 33] = dsk[63 - i];
506
507 esk[i + 64] = esk[i ];
508 esk[i + 65] = esk[i + 1];
509
510 dsk[i + 64] = dsk[i ];
511 dsk[i + 65] = dsk[i + 1];
512 }
513 }
514
515 /*
516 * Triple-DES key schedule (112-bit, encryption)
517 */
mbedtls_des3_set2key_enc(mbedtls_des3_context * ctx,const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2])518 int mbedtls_des3_set2key_enc( mbedtls_des3_context *ctx,
519 const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2] )
520 {
521 uint32_t sk[96];
522
523 des3_set2key( ctx->sk, sk, key );
524 mbedtls_platform_zeroize( sk, sizeof( sk ) );
525
526 return( 0 );
527 }
528
529 /*
530 * Triple-DES key schedule (112-bit, decryption)
531 */
mbedtls_des3_set2key_dec(mbedtls_des3_context * ctx,const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2])532 int mbedtls_des3_set2key_dec( mbedtls_des3_context *ctx,
533 const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2] )
534 {
535 uint32_t sk[96];
536
537 des3_set2key( sk, ctx->sk, key );
538 mbedtls_platform_zeroize( sk, sizeof( sk ) );
539
540 return( 0 );
541 }
542
des3_set3key(uint32_t esk[96],uint32_t dsk[96],const unsigned char key[24])543 static void des3_set3key( uint32_t esk[96],
544 uint32_t dsk[96],
545 const unsigned char key[24] )
546 {
547 int i;
548
549 mbedtls_des_setkey( esk, key );
550 mbedtls_des_setkey( dsk + 32, key + 8 );
551 mbedtls_des_setkey( esk + 64, key + 16 );
552
553 for( i = 0; i < 32; i += 2 )
554 {
555 dsk[i ] = esk[94 - i];
556 dsk[i + 1] = esk[95 - i];
557
558 esk[i + 32] = dsk[62 - i];
559 esk[i + 33] = dsk[63 - i];
560
561 dsk[i + 64] = esk[30 - i];
562 dsk[i + 65] = esk[31 - i];
563 }
564 }
565
566 /*
567 * Triple-DES key schedule (168-bit, encryption)
568 */
mbedtls_des3_set3key_enc(mbedtls_des3_context * ctx,const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3])569 int mbedtls_des3_set3key_enc( mbedtls_des3_context *ctx,
570 const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3] )
571 {
572 uint32_t sk[96];
573
574 des3_set3key( ctx->sk, sk, key );
575 mbedtls_platform_zeroize( sk, sizeof( sk ) );
576
577 return( 0 );
578 }
579
580 /*
581 * Triple-DES key schedule (168-bit, decryption)
582 */
mbedtls_des3_set3key_dec(mbedtls_des3_context * ctx,const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3])583 int mbedtls_des3_set3key_dec( mbedtls_des3_context *ctx,
584 const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3] )
585 {
586 uint32_t sk[96];
587
588 des3_set3key( sk, ctx->sk, key );
589 mbedtls_platform_zeroize( sk, sizeof( sk ) );
590
591 return( 0 );
592 }
593
594 /*
595 * DES-ECB block encryption/decryption
596 */
597 #if !defined(MBEDTLS_DES_CRYPT_ECB_ALT)
mbedtls_des_crypt_ecb(mbedtls_des_context * ctx,const unsigned char input[8],unsigned char output[8])598 int mbedtls_des_crypt_ecb( mbedtls_des_context *ctx,
599 const unsigned char input[8],
600 unsigned char output[8] )
601 {
602 int i;
603 uint32_t X, Y, T, *SK;
604
605 SK = ctx->sk;
606
607 X = MBEDTLS_GET_UINT32_BE( input, 0 );
608 Y = MBEDTLS_GET_UINT32_BE( input, 4 );
609
610 DES_IP( X, Y );
611
612 for( i = 0; i < 8; i++ )
613 {
614 DES_ROUND( Y, X );
615 DES_ROUND( X, Y );
616 }
617
618 DES_FP( Y, X );
619
620 MBEDTLS_PUT_UINT32_BE( Y, output, 0 );
621 MBEDTLS_PUT_UINT32_BE( X, output, 4 );
622
623 return( 0 );
624 }
625 #endif /* !MBEDTLS_DES_CRYPT_ECB_ALT */
626
627 #if defined(MBEDTLS_CIPHER_MODE_CBC)
628 /*
629 * DES-CBC buffer encryption/decryption
630 */
mbedtls_des_crypt_cbc(mbedtls_des_context * ctx,int mode,size_t length,unsigned char iv[8],const unsigned char * input,unsigned char * output)631 int mbedtls_des_crypt_cbc( mbedtls_des_context *ctx,
632 int mode,
633 size_t length,
634 unsigned char iv[8],
635 const unsigned char *input,
636 unsigned char *output )
637 {
638 int i;
639 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
640 unsigned char temp[8];
641
642 if( length % 8 )
643 return( MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH );
644
645 if( mode == MBEDTLS_DES_ENCRYPT )
646 {
647 while( length > 0 )
648 {
649 for( i = 0; i < 8; i++ )
650 output[i] = (unsigned char)( input[i] ^ iv[i] );
651
652 ret = mbedtls_des_crypt_ecb( ctx, output, output );
653 if( ret != 0 )
654 goto exit;
655 memcpy( iv, output, 8 );
656
657 input += 8;
658 output += 8;
659 length -= 8;
660 }
661 }
662 else /* MBEDTLS_DES_DECRYPT */
663 {
664 while( length > 0 )
665 {
666 memcpy( temp, input, 8 );
667 ret = mbedtls_des_crypt_ecb( ctx, input, output );
668 if( ret != 0 )
669 goto exit;
670
671 for( i = 0; i < 8; i++ )
672 output[i] = (unsigned char)( output[i] ^ iv[i] );
673
674 memcpy( iv, temp, 8 );
675
676 input += 8;
677 output += 8;
678 length -= 8;
679 }
680 }
681 ret = 0;
682
683 exit:
684 return( ret );
685 }
686 #endif /* MBEDTLS_CIPHER_MODE_CBC */
687
688 /*
689 * 3DES-ECB block encryption/decryption
690 */
691 #if !defined(MBEDTLS_DES3_CRYPT_ECB_ALT)
mbedtls_des3_crypt_ecb(mbedtls_des3_context * ctx,const unsigned char input[8],unsigned char output[8])692 int mbedtls_des3_crypt_ecb( mbedtls_des3_context *ctx,
693 const unsigned char input[8],
694 unsigned char output[8] )
695 {
696 int i;
697 uint32_t X, Y, T, *SK;
698
699 SK = ctx->sk;
700
701 X = MBEDTLS_GET_UINT32_BE( input, 0 );
702 Y = MBEDTLS_GET_UINT32_BE( input, 4 );
703
704 DES_IP( X, Y );
705
706 for( i = 0; i < 8; i++ )
707 {
708 DES_ROUND( Y, X );
709 DES_ROUND( X, Y );
710 }
711
712 for( i = 0; i < 8; i++ )
713 {
714 DES_ROUND( X, Y );
715 DES_ROUND( Y, X );
716 }
717
718 for( i = 0; i < 8; i++ )
719 {
720 DES_ROUND( Y, X );
721 DES_ROUND( X, Y );
722 }
723
724 DES_FP( Y, X );
725
726 MBEDTLS_PUT_UINT32_BE( Y, output, 0 );
727 MBEDTLS_PUT_UINT32_BE( X, output, 4 );
728
729 return( 0 );
730 }
731 #endif /* !MBEDTLS_DES3_CRYPT_ECB_ALT */
732
733 #if defined(MBEDTLS_CIPHER_MODE_CBC)
734 /*
735 * 3DES-CBC buffer encryption/decryption
736 */
mbedtls_des3_crypt_cbc(mbedtls_des3_context * ctx,int mode,size_t length,unsigned char iv[8],const unsigned char * input,unsigned char * output)737 int mbedtls_des3_crypt_cbc( mbedtls_des3_context *ctx,
738 int mode,
739 size_t length,
740 unsigned char iv[8],
741 const unsigned char *input,
742 unsigned char *output )
743 {
744 int i;
745 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
746 unsigned char temp[8];
747
748 if( length % 8 )
749 return( MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH );
750
751 if( mode == MBEDTLS_DES_ENCRYPT )
752 {
753 while( length > 0 )
754 {
755 for( i = 0; i < 8; i++ )
756 output[i] = (unsigned char)( input[i] ^ iv[i] );
757
758 ret = mbedtls_des3_crypt_ecb( ctx, output, output );
759 if( ret != 0 )
760 goto exit;
761 memcpy( iv, output, 8 );
762
763 input += 8;
764 output += 8;
765 length -= 8;
766 }
767 }
768 else /* MBEDTLS_DES_DECRYPT */
769 {
770 while( length > 0 )
771 {
772 memcpy( temp, input, 8 );
773 ret = mbedtls_des3_crypt_ecb( ctx, input, output );
774 if( ret != 0 )
775 goto exit;
776
777 for( i = 0; i < 8; i++ )
778 output[i] = (unsigned char)( output[i] ^ iv[i] );
779
780 memcpy( iv, temp, 8 );
781
782 input += 8;
783 output += 8;
784 length -= 8;
785 }
786 }
787 ret = 0;
788
789 exit:
790 return( ret );
791 }
792 #endif /* MBEDTLS_CIPHER_MODE_CBC */
793
794 #endif /* !MBEDTLS_DES_ALT */
795
796 #if defined(MBEDTLS_SELF_TEST)
797 /*
798 * DES and 3DES test vectors from:
799 *
800 * http://csrc.nist.gov/groups/STM/cavp/documents/des/tripledes-vectors.zip
801 */
802 static const unsigned char des3_test_keys[24] =
803 {
804 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF,
805 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01,
806 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01, 0x23
807 };
808
809 static const unsigned char des3_test_buf[8] =
810 {
811 0x4E, 0x6F, 0x77, 0x20, 0x69, 0x73, 0x20, 0x74
812 };
813
814 static const unsigned char des3_test_ecb_dec[3][8] =
815 {
816 { 0x37, 0x2B, 0x98, 0xBF, 0x52, 0x65, 0xB0, 0x59 },
817 { 0xC2, 0x10, 0x19, 0x9C, 0x38, 0x5A, 0x65, 0xA1 },
818 { 0xA2, 0x70, 0x56, 0x68, 0x69, 0xE5, 0x15, 0x1D }
819 };
820
821 static const unsigned char des3_test_ecb_enc[3][8] =
822 {
823 { 0x1C, 0xD5, 0x97, 0xEA, 0x84, 0x26, 0x73, 0xFB },
824 { 0xB3, 0x92, 0x4D, 0xF3, 0xC5, 0xB5, 0x42, 0x93 },
825 { 0xDA, 0x37, 0x64, 0x41, 0xBA, 0x6F, 0x62, 0x6F }
826 };
827
828 #if defined(MBEDTLS_CIPHER_MODE_CBC)
829 static const unsigned char des3_test_iv[8] =
830 {
831 0x12, 0x34, 0x56, 0x78, 0x90, 0xAB, 0xCD, 0xEF,
832 };
833
834 static const unsigned char des3_test_cbc_dec[3][8] =
835 {
836 { 0x58, 0xD9, 0x48, 0xEF, 0x85, 0x14, 0x65, 0x9A },
837 { 0x5F, 0xC8, 0x78, 0xD4, 0xD7, 0x92, 0xD9, 0x54 },
838 { 0x25, 0xF9, 0x75, 0x85, 0xA8, 0x1E, 0x48, 0xBF }
839 };
840
841 static const unsigned char des3_test_cbc_enc[3][8] =
842 {
843 { 0x91, 0x1C, 0x6D, 0xCF, 0x48, 0xA7, 0xC3, 0x4D },
844 { 0x60, 0x1A, 0x76, 0x8F, 0xA1, 0xF9, 0x66, 0xF1 },
845 { 0xA1, 0x50, 0x0F, 0x99, 0xB2, 0xCD, 0x64, 0x76 }
846 };
847 #endif /* MBEDTLS_CIPHER_MODE_CBC */
848
849 /*
850 * Checkup routine
851 */
mbedtls_des_self_test(int verbose)852 int mbedtls_des_self_test( int verbose )
853 {
854 int i, j, u, v, ret = 0;
855 mbedtls_des_context ctx;
856 mbedtls_des3_context ctx3;
857 unsigned char buf[8];
858 #if defined(MBEDTLS_CIPHER_MODE_CBC)
859 unsigned char prv[8];
860 unsigned char iv[8];
861 #endif
862
863 mbedtls_des_init( &ctx );
864 mbedtls_des3_init( &ctx3 );
865 /*
866 * ECB mode
867 */
868 for( i = 0; i < 6; i++ )
869 {
870 u = i >> 1;
871 v = i & 1;
872
873 if( verbose != 0 )
874 mbedtls_printf( " DES%c-ECB-%3d (%s): ",
875 ( u == 0 ) ? ' ' : '3', 56 + u * 56,
876 ( v == MBEDTLS_DES_DECRYPT ) ? "dec" : "enc" );
877
878 memcpy( buf, des3_test_buf, 8 );
879
880 switch( i )
881 {
882 case 0:
883 ret = mbedtls_des_setkey_dec( &ctx, des3_test_keys );
884 break;
885
886 case 1:
887 ret = mbedtls_des_setkey_enc( &ctx, des3_test_keys );
888 break;
889
890 case 2:
891 ret = mbedtls_des3_set2key_dec( &ctx3, des3_test_keys );
892 break;
893
894 case 3:
895 ret = mbedtls_des3_set2key_enc( &ctx3, des3_test_keys );
896 break;
897
898 case 4:
899 ret = mbedtls_des3_set3key_dec( &ctx3, des3_test_keys );
900 break;
901
902 case 5:
903 ret = mbedtls_des3_set3key_enc( &ctx3, des3_test_keys );
904 break;
905
906 default:
907 return( 1 );
908 }
909 if( ret != 0 )
910 goto exit;
911
912 for( j = 0; j < 100; j++ )
913 {
914 if( u == 0 )
915 ret = mbedtls_des_crypt_ecb( &ctx, buf, buf );
916 else
917 ret = mbedtls_des3_crypt_ecb( &ctx3, buf, buf );
918 if( ret != 0 )
919 goto exit;
920 }
921
922 if( ( v == MBEDTLS_DES_DECRYPT &&
923 memcmp( buf, des3_test_ecb_dec[u], 8 ) != 0 ) ||
924 ( v != MBEDTLS_DES_DECRYPT &&
925 memcmp( buf, des3_test_ecb_enc[u], 8 ) != 0 ) )
926 {
927 if( verbose != 0 )
928 mbedtls_printf( "failed\n" );
929
930 ret = 1;
931 goto exit;
932 }
933
934 if( verbose != 0 )
935 mbedtls_printf( "passed\n" );
936 }
937
938 if( verbose != 0 )
939 mbedtls_printf( "\n" );
940
941 #if defined(MBEDTLS_CIPHER_MODE_CBC)
942 /*
943 * CBC mode
944 */
945 for( i = 0; i < 6; i++ )
946 {
947 u = i >> 1;
948 v = i & 1;
949
950 if( verbose != 0 )
951 mbedtls_printf( " DES%c-CBC-%3d (%s): ",
952 ( u == 0 ) ? ' ' : '3', 56 + u * 56,
953 ( v == MBEDTLS_DES_DECRYPT ) ? "dec" : "enc" );
954
955 memcpy( iv, des3_test_iv, 8 );
956 memcpy( prv, des3_test_iv, 8 );
957 memcpy( buf, des3_test_buf, 8 );
958
959 switch( i )
960 {
961 case 0:
962 ret = mbedtls_des_setkey_dec( &ctx, des3_test_keys );
963 break;
964
965 case 1:
966 ret = mbedtls_des_setkey_enc( &ctx, des3_test_keys );
967 break;
968
969 case 2:
970 ret = mbedtls_des3_set2key_dec( &ctx3, des3_test_keys );
971 break;
972
973 case 3:
974 ret = mbedtls_des3_set2key_enc( &ctx3, des3_test_keys );
975 break;
976
977 case 4:
978 ret = mbedtls_des3_set3key_dec( &ctx3, des3_test_keys );
979 break;
980
981 case 5:
982 ret = mbedtls_des3_set3key_enc( &ctx3, des3_test_keys );
983 break;
984
985 default:
986 return( 1 );
987 }
988 if( ret != 0 )
989 goto exit;
990
991 if( v == MBEDTLS_DES_DECRYPT )
992 {
993 for( j = 0; j < 100; j++ )
994 {
995 if( u == 0 )
996 ret = mbedtls_des_crypt_cbc( &ctx, v, 8, iv, buf, buf );
997 else
998 ret = mbedtls_des3_crypt_cbc( &ctx3, v, 8, iv, buf, buf );
999 if( ret != 0 )
1000 goto exit;
1001 }
1002 }
1003 else
1004 {
1005 for( j = 0; j < 100; j++ )
1006 {
1007 unsigned char tmp[8];
1008
1009 if( u == 0 )
1010 ret = mbedtls_des_crypt_cbc( &ctx, v, 8, iv, buf, buf );
1011 else
1012 ret = mbedtls_des3_crypt_cbc( &ctx3, v, 8, iv, buf, buf );
1013 if( ret != 0 )
1014 goto exit;
1015
1016 memcpy( tmp, prv, 8 );
1017 memcpy( prv, buf, 8 );
1018 memcpy( buf, tmp, 8 );
1019 }
1020
1021 memcpy( buf, prv, 8 );
1022 }
1023
1024 if( ( v == MBEDTLS_DES_DECRYPT &&
1025 memcmp( buf, des3_test_cbc_dec[u], 8 ) != 0 ) ||
1026 ( v != MBEDTLS_DES_DECRYPT &&
1027 memcmp( buf, des3_test_cbc_enc[u], 8 ) != 0 ) )
1028 {
1029 if( verbose != 0 )
1030 mbedtls_printf( "failed\n" );
1031
1032 ret = 1;
1033 goto exit;
1034 }
1035
1036 if( verbose != 0 )
1037 mbedtls_printf( "passed\n" );
1038 }
1039 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1040
1041 if( verbose != 0 )
1042 mbedtls_printf( "\n" );
1043
1044 exit:
1045 mbedtls_des_free( &ctx );
1046 mbedtls_des3_free( &ctx3 );
1047
1048 if( ret != 0 )
1049 ret = 1;
1050 return( ret );
1051 }
1052
1053 #endif /* MBEDTLS_SELF_TEST */
1054
1055 #endif /* MBEDTLS_DES_C */
1056
