1 /*
2  *  FIPS-46-3 compliant Triple-DES implementation
3  *
4  *  Copyright The Mbed TLS Contributors
5  *  SPDX-License-Identifier: Apache-2.0
6  *
7  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
8  *  not use this file except in compliance with the License.
9  *  You may obtain a copy of the License at
10  *
11  *  http://www.apache.org/licenses/LICENSE-2.0
12  *
13  *  Unless required by applicable law or agreed to in writing, software
14  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  *  See the License for the specific language governing permissions and
17  *  limitations under the License.
18  */
19 /*
20  *  DES, on which TDES is based, was originally designed by Horst Feistel
21  *  at IBM in 1974, and was adopted as a standard by NIST (formerly NBS).
22  *
23  *  http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf
24  */
25 
26 #include "common.h"
27 
28 #if defined(MBEDTLS_DES_C)
29 
30 #include "mbedtls/des.h"
31 #include "mbedtls/platform_util.h"
32 
33 #include <string.h>
34 
35 #if defined(MBEDTLS_SELF_TEST)
36 #if defined(MBEDTLS_PLATFORM_C)
37 #include "mbedtls/platform.h"
38 #else
39 #include <stdio.h>
40 #define mbedtls_printf printf
41 #endif /* MBEDTLS_PLATFORM_C */
42 #endif /* MBEDTLS_SELF_TEST */
43 
44 #if !defined(MBEDTLS_DES_ALT)
45 
46 /*
47  * 32-bit integer manipulation macros (big endian)
48  */
49 #ifndef GET_UINT32_BE
50 #define GET_UINT32_BE(n,b,i)                            \
51 {                                                       \
52     (n) = ( (uint32_t) (b)[(i)    ] << 24 )             \
53         | ( (uint32_t) (b)[(i) + 1] << 16 )             \
54         | ( (uint32_t) (b)[(i) + 2] <<  8 )             \
55         | ( (uint32_t) (b)[(i) + 3]       );            \
56 }
57 #endif
58 
59 #ifndef PUT_UINT32_BE
60 #define PUT_UINT32_BE(n,b,i)                            \
61 {                                                       \
62     (b)[(i)    ] = (unsigned char) ( (n) >> 24 );       \
63     (b)[(i) + 1] = (unsigned char) ( (n) >> 16 );       \
64     (b)[(i) + 2] = (unsigned char) ( (n) >>  8 );       \
65     (b)[(i) + 3] = (unsigned char) ( (n)       );       \
66 }
67 #endif
68 
69 /*
70  * Expanded DES S-boxes
71  */
72 static const uint32_t SB1[64] =
73 {
74     0x01010400, 0x00000000, 0x00010000, 0x01010404,
75     0x01010004, 0x00010404, 0x00000004, 0x00010000,
76     0x00000400, 0x01010400, 0x01010404, 0x00000400,
77     0x01000404, 0x01010004, 0x01000000, 0x00000004,
78     0x00000404, 0x01000400, 0x01000400, 0x00010400,
79     0x00010400, 0x01010000, 0x01010000, 0x01000404,
80     0x00010004, 0x01000004, 0x01000004, 0x00010004,
81     0x00000000, 0x00000404, 0x00010404, 0x01000000,
82     0x00010000, 0x01010404, 0x00000004, 0x01010000,
83     0x01010400, 0x01000000, 0x01000000, 0x00000400,
84     0x01010004, 0x00010000, 0x00010400, 0x01000004,
85     0x00000400, 0x00000004, 0x01000404, 0x00010404,
86     0x01010404, 0x00010004, 0x01010000, 0x01000404,
87     0x01000004, 0x00000404, 0x00010404, 0x01010400,
88     0x00000404, 0x01000400, 0x01000400, 0x00000000,
89     0x00010004, 0x00010400, 0x00000000, 0x01010004
90 };
91 
92 static const uint32_t SB2[64] =
93 {
94     0x80108020, 0x80008000, 0x00008000, 0x00108020,
95     0x00100000, 0x00000020, 0x80100020, 0x80008020,
96     0x80000020, 0x80108020, 0x80108000, 0x80000000,
97     0x80008000, 0x00100000, 0x00000020, 0x80100020,
98     0x00108000, 0x00100020, 0x80008020, 0x00000000,
99     0x80000000, 0x00008000, 0x00108020, 0x80100000,
100     0x00100020, 0x80000020, 0x00000000, 0x00108000,
101     0x00008020, 0x80108000, 0x80100000, 0x00008020,
102     0x00000000, 0x00108020, 0x80100020, 0x00100000,
103     0x80008020, 0x80100000, 0x80108000, 0x00008000,
104     0x80100000, 0x80008000, 0x00000020, 0x80108020,
105     0x00108020, 0x00000020, 0x00008000, 0x80000000,
106     0x00008020, 0x80108000, 0x00100000, 0x80000020,
107     0x00100020, 0x80008020, 0x80000020, 0x00100020,
108     0x00108000, 0x00000000, 0x80008000, 0x00008020,
109     0x80000000, 0x80100020, 0x80108020, 0x00108000
110 };
111 
112 static const uint32_t SB3[64] =
113 {
114     0x00000208, 0x08020200, 0x00000000, 0x08020008,
115     0x08000200, 0x00000000, 0x00020208, 0x08000200,
116     0x00020008, 0x08000008, 0x08000008, 0x00020000,
117     0x08020208, 0x00020008, 0x08020000, 0x00000208,
118     0x08000000, 0x00000008, 0x08020200, 0x00000200,
119     0x00020200, 0x08020000, 0x08020008, 0x00020208,
120     0x08000208, 0x00020200, 0x00020000, 0x08000208,
121     0x00000008, 0x08020208, 0x00000200, 0x08000000,
122     0x08020200, 0x08000000, 0x00020008, 0x00000208,
123     0x00020000, 0x08020200, 0x08000200, 0x00000000,
124     0x00000200, 0x00020008, 0x08020208, 0x08000200,
125     0x08000008, 0x00000200, 0x00000000, 0x08020008,
126     0x08000208, 0x00020000, 0x08000000, 0x08020208,
127     0x00000008, 0x00020208, 0x00020200, 0x08000008,
128     0x08020000, 0x08000208, 0x00000208, 0x08020000,
129     0x00020208, 0x00000008, 0x08020008, 0x00020200
130 };
131 
132 static const uint32_t SB4[64] =
133 {
134     0x00802001, 0x00002081, 0x00002081, 0x00000080,
135     0x00802080, 0x00800081, 0x00800001, 0x00002001,
136     0x00000000, 0x00802000, 0x00802000, 0x00802081,
137     0x00000081, 0x00000000, 0x00800080, 0x00800001,
138     0x00000001, 0x00002000, 0x00800000, 0x00802001,
139     0x00000080, 0x00800000, 0x00002001, 0x00002080,
140     0x00800081, 0x00000001, 0x00002080, 0x00800080,
141     0x00002000, 0x00802080, 0x00802081, 0x00000081,
142     0x00800080, 0x00800001, 0x00802000, 0x00802081,
143     0x00000081, 0x00000000, 0x00000000, 0x00802000,
144     0x00002080, 0x00800080, 0x00800081, 0x00000001,
145     0x00802001, 0x00002081, 0x00002081, 0x00000080,
146     0x00802081, 0x00000081, 0x00000001, 0x00002000,
147     0x00800001, 0x00002001, 0x00802080, 0x00800081,
148     0x00002001, 0x00002080, 0x00800000, 0x00802001,
149     0x00000080, 0x00800000, 0x00002000, 0x00802080
150 };
151 
152 static const uint32_t SB5[64] =
153 {
154     0x00000100, 0x02080100, 0x02080000, 0x42000100,
155     0x00080000, 0x00000100, 0x40000000, 0x02080000,
156     0x40080100, 0x00080000, 0x02000100, 0x40080100,
157     0x42000100, 0x42080000, 0x00080100, 0x40000000,
158     0x02000000, 0x40080000, 0x40080000, 0x00000000,
159     0x40000100, 0x42080100, 0x42080100, 0x02000100,
160     0x42080000, 0x40000100, 0x00000000, 0x42000000,
161     0x02080100, 0x02000000, 0x42000000, 0x00080100,
162     0x00080000, 0x42000100, 0x00000100, 0x02000000,
163     0x40000000, 0x02080000, 0x42000100, 0x40080100,
164     0x02000100, 0x40000000, 0x42080000, 0x02080100,
165     0x40080100, 0x00000100, 0x02000000, 0x42080000,
166     0x42080100, 0x00080100, 0x42000000, 0x42080100,
167     0x02080000, 0x00000000, 0x40080000, 0x42000000,
168     0x00080100, 0x02000100, 0x40000100, 0x00080000,
169     0x00000000, 0x40080000, 0x02080100, 0x40000100
170 };
171 
172 static const uint32_t SB6[64] =
173 {
174     0x20000010, 0x20400000, 0x00004000, 0x20404010,
175     0x20400000, 0x00000010, 0x20404010, 0x00400000,
176     0x20004000, 0x00404010, 0x00400000, 0x20000010,
177     0x00400010, 0x20004000, 0x20000000, 0x00004010,
178     0x00000000, 0x00400010, 0x20004010, 0x00004000,
179     0x00404000, 0x20004010, 0x00000010, 0x20400010,
180     0x20400010, 0x00000000, 0x00404010, 0x20404000,
181     0x00004010, 0x00404000, 0x20404000, 0x20000000,
182     0x20004000, 0x00000010, 0x20400010, 0x00404000,
183     0x20404010, 0x00400000, 0x00004010, 0x20000010,
184     0x00400000, 0x20004000, 0x20000000, 0x00004010,
185     0x20000010, 0x20404010, 0x00404000, 0x20400000,
186     0x00404010, 0x20404000, 0x00000000, 0x20400010,
187     0x00000010, 0x00004000, 0x20400000, 0x00404010,
188     0x00004000, 0x00400010, 0x20004010, 0x00000000,
189     0x20404000, 0x20000000, 0x00400010, 0x20004010
190 };
191 
192 static const uint32_t SB7[64] =
193 {
194     0x00200000, 0x04200002, 0x04000802, 0x00000000,
195     0x00000800, 0x04000802, 0x00200802, 0x04200800,
196     0x04200802, 0x00200000, 0x00000000, 0x04000002,
197     0x00000002, 0x04000000, 0x04200002, 0x00000802,
198     0x04000800, 0x00200802, 0x00200002, 0x04000800,
199     0x04000002, 0x04200000, 0x04200800, 0x00200002,
200     0x04200000, 0x00000800, 0x00000802, 0x04200802,
201     0x00200800, 0x00000002, 0x04000000, 0x00200800,
202     0x04000000, 0x00200800, 0x00200000, 0x04000802,
203     0x04000802, 0x04200002, 0x04200002, 0x00000002,
204     0x00200002, 0x04000000, 0x04000800, 0x00200000,
205     0x04200800, 0x00000802, 0x00200802, 0x04200800,
206     0x00000802, 0x04000002, 0x04200802, 0x04200000,
207     0x00200800, 0x00000000, 0x00000002, 0x04200802,
208     0x00000000, 0x00200802, 0x04200000, 0x00000800,
209     0x04000002, 0x04000800, 0x00000800, 0x00200002
210 };
211 
212 static const uint32_t SB8[64] =
213 {
214     0x10001040, 0x00001000, 0x00040000, 0x10041040,
215     0x10000000, 0x10001040, 0x00000040, 0x10000000,
216     0x00040040, 0x10040000, 0x10041040, 0x00041000,
217     0x10041000, 0x00041040, 0x00001000, 0x00000040,
218     0x10040000, 0x10000040, 0x10001000, 0x00001040,
219     0x00041000, 0x00040040, 0x10040040, 0x10041000,
220     0x00001040, 0x00000000, 0x00000000, 0x10040040,
221     0x10000040, 0x10001000, 0x00041040, 0x00040000,
222     0x00041040, 0x00040000, 0x10041000, 0x00001000,
223     0x00000040, 0x10040040, 0x00001000, 0x00041040,
224     0x10001000, 0x00000040, 0x10000040, 0x10040000,
225     0x10040040, 0x10000000, 0x00040000, 0x10001040,
226     0x00000000, 0x10041040, 0x00040040, 0x10000040,
227     0x10040000, 0x10001000, 0x10001040, 0x00000000,
228     0x10041040, 0x00041000, 0x00041000, 0x00001040,
229     0x00001040, 0x00040040, 0x10000000, 0x10041000
230 };
231 
232 /*
233  * PC1: left and right halves bit-swap
234  */
235 static const uint32_t LHs[16] =
236 {
237     0x00000000, 0x00000001, 0x00000100, 0x00000101,
238     0x00010000, 0x00010001, 0x00010100, 0x00010101,
239     0x01000000, 0x01000001, 0x01000100, 0x01000101,
240     0x01010000, 0x01010001, 0x01010100, 0x01010101
241 };
242 
243 static const uint32_t RHs[16] =
244 {
245     0x00000000, 0x01000000, 0x00010000, 0x01010000,
246     0x00000100, 0x01000100, 0x00010100, 0x01010100,
247     0x00000001, 0x01000001, 0x00010001, 0x01010001,
248     0x00000101, 0x01000101, 0x00010101, 0x01010101,
249 };
250 
251 /*
252  * Initial Permutation macro
253  */
254 #define DES_IP(X,Y)                                                       \
255     do                                                                    \
256     {                                                                     \
257         T = (((X) >>  4) ^ (Y)) & 0x0F0F0F0F; (Y) ^= T; (X) ^= (T <<  4); \
258         T = (((X) >> 16) ^ (Y)) & 0x0000FFFF; (Y) ^= T; (X) ^= (T << 16); \
259         T = (((Y) >>  2) ^ (X)) & 0x33333333; (X) ^= T; (Y) ^= (T <<  2); \
260         T = (((Y) >>  8) ^ (X)) & 0x00FF00FF; (X) ^= T; (Y) ^= (T <<  8); \
261         (Y) = (((Y) << 1) | ((Y) >> 31)) & 0xFFFFFFFF;                    \
262         T = ((X) ^ (Y)) & 0xAAAAAAAA; (Y) ^= T; (X) ^= T;                 \
263         (X) = (((X) << 1) | ((X) >> 31)) & 0xFFFFFFFF;                    \
264     } while( 0 )
265 
266 /*
267  * Final Permutation macro
268  */
269 #define DES_FP(X,Y)                                                       \
270     do                                                                    \
271     {                                                                     \
272         (X) = (((X) << 31) | ((X) >> 1)) & 0xFFFFFFFF;                    \
273         T = ((X) ^ (Y)) & 0xAAAAAAAA; (X) ^= T; (Y) ^= T;                 \
274         (Y) = (((Y) << 31) | ((Y) >> 1)) & 0xFFFFFFFF;                    \
275         T = (((Y) >>  8) ^ (X)) & 0x00FF00FF; (X) ^= T; (Y) ^= (T <<  8); \
276         T = (((Y) >>  2) ^ (X)) & 0x33333333; (X) ^= T; (Y) ^= (T <<  2); \
277         T = (((X) >> 16) ^ (Y)) & 0x0000FFFF; (Y) ^= T; (X) ^= (T << 16); \
278         T = (((X) >>  4) ^ (Y)) & 0x0F0F0F0F; (Y) ^= T; (X) ^= (T <<  4); \
279     } while( 0 )
280 
281 /*
282  * DES round macro
283  */
284 #define DES_ROUND(X,Y)                              \
285     do                                              \
286     {                                               \
287         T = *SK++ ^ (X);                            \
288         (Y) ^= SB8[ (T      ) & 0x3F ] ^            \
289                SB6[ (T >>  8) & 0x3F ] ^            \
290                SB4[ (T >> 16) & 0x3F ] ^            \
291                SB2[ (T >> 24) & 0x3F ];             \
292                                                     \
293         T = *SK++ ^ (((X) << 28) | ((X) >> 4));     \
294         (Y) ^= SB7[ (T      ) & 0x3F ] ^            \
295                SB5[ (T >>  8) & 0x3F ] ^            \
296                SB3[ (T >> 16) & 0x3F ] ^            \
297                SB1[ (T >> 24) & 0x3F ];             \
298     } while( 0 )
299 
300 #define SWAP(a,b)                                       \
301     do                                                  \
302     {                                                   \
303         uint32_t t = (a); (a) = (b); (b) = t; t = 0;    \
304     } while( 0 )
305 
mbedtls_des_init(mbedtls_des_context * ctx)306 void mbedtls_des_init( mbedtls_des_context *ctx )
307 {
308     memset( ctx, 0, sizeof( mbedtls_des_context ) );
309 }
310 
mbedtls_des_free(mbedtls_des_context * ctx)311 void mbedtls_des_free( mbedtls_des_context *ctx )
312 {
313     if( ctx == NULL )
314         return;
315 
316     mbedtls_platform_zeroize( ctx, sizeof( mbedtls_des_context ) );
317 }
318 
mbedtls_des3_init(mbedtls_des3_context * ctx)319 void mbedtls_des3_init( mbedtls_des3_context *ctx )
320 {
321     memset( ctx, 0, sizeof( mbedtls_des3_context ) );
322 }
323 
mbedtls_des3_free(mbedtls_des3_context * ctx)324 void mbedtls_des3_free( mbedtls_des3_context *ctx )
325 {
326     if( ctx == NULL )
327         return;
328 
329     mbedtls_platform_zeroize( ctx, sizeof( mbedtls_des3_context ) );
330 }
331 
332 static const unsigned char odd_parity_table[128] = { 1,  2,  4,  7,  8,
333         11, 13, 14, 16, 19, 21, 22, 25, 26, 28, 31, 32, 35, 37, 38, 41, 42, 44,
334         47, 49, 50, 52, 55, 56, 59, 61, 62, 64, 67, 69, 70, 73, 74, 76, 79, 81,
335         82, 84, 87, 88, 91, 93, 94, 97, 98, 100, 103, 104, 107, 109, 110, 112,
336         115, 117, 118, 121, 122, 124, 127, 128, 131, 133, 134, 137, 138, 140,
337         143, 145, 146, 148, 151, 152, 155, 157, 158, 161, 162, 164, 167, 168,
338         171, 173, 174, 176, 179, 181, 182, 185, 186, 188, 191, 193, 194, 196,
339         199, 200, 203, 205, 206, 208, 211, 213, 214, 217, 218, 220, 223, 224,
340         227, 229, 230, 233, 234, 236, 239, 241, 242, 244, 247, 248, 251, 253,
341         254 };
342 
mbedtls_des_key_set_parity(unsigned char key[MBEDTLS_DES_KEY_SIZE])343 void mbedtls_des_key_set_parity( unsigned char key[MBEDTLS_DES_KEY_SIZE] )
344 {
345     int i;
346 
347     for( i = 0; i < MBEDTLS_DES_KEY_SIZE; i++ )
348         key[i] = odd_parity_table[key[i] / 2];
349 }
350 
351 /*
352  * Check the given key's parity, returns 1 on failure, 0 on SUCCESS
353  */
mbedtls_des_key_check_key_parity(const unsigned char key[MBEDTLS_DES_KEY_SIZE])354 int mbedtls_des_key_check_key_parity( const unsigned char key[MBEDTLS_DES_KEY_SIZE] )
355 {
356     int i;
357 
358     for( i = 0; i < MBEDTLS_DES_KEY_SIZE; i++ )
359         if( key[i] != odd_parity_table[key[i] / 2] )
360             return( 1 );
361 
362     return( 0 );
363 }
364 
365 /*
366  * Table of weak and semi-weak keys
367  *
368  * Source: http://en.wikipedia.org/wiki/Weak_key
369  *
370  * Weak:
371  * Alternating ones + zeros (0x0101010101010101)
372  * Alternating 'F' + 'E' (0xFEFEFEFEFEFEFEFE)
373  * '0xE0E0E0E0F1F1F1F1'
374  * '0x1F1F1F1F0E0E0E0E'
375  *
376  * Semi-weak:
377  * 0x011F011F010E010E and 0x1F011F010E010E01
378  * 0x01E001E001F101F1 and 0xE001E001F101F101
379  * 0x01FE01FE01FE01FE and 0xFE01FE01FE01FE01
380  * 0x1FE01FE00EF10EF1 and 0xE01FE01FF10EF10E
381  * 0x1FFE1FFE0EFE0EFE and 0xFE1FFE1FFE0EFE0E
382  * 0xE0FEE0FEF1FEF1FE and 0xFEE0FEE0FEF1FEF1
383  *
384  */
385 
386 #define WEAK_KEY_COUNT 16
387 
388 static const unsigned char weak_key_table[WEAK_KEY_COUNT][MBEDTLS_DES_KEY_SIZE] =
389 {
390     { 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 },
391     { 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE },
392     { 0x1F, 0x1F, 0x1F, 0x1F, 0x0E, 0x0E, 0x0E, 0x0E },
393     { 0xE0, 0xE0, 0xE0, 0xE0, 0xF1, 0xF1, 0xF1, 0xF1 },
394 
395     { 0x01, 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E },
396     { 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E, 0x01 },
397     { 0x01, 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1 },
398     { 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1, 0x01 },
399     { 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE },
400     { 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01 },
401     { 0x1F, 0xE0, 0x1F, 0xE0, 0x0E, 0xF1, 0x0E, 0xF1 },
402     { 0xE0, 0x1F, 0xE0, 0x1F, 0xF1, 0x0E, 0xF1, 0x0E },
403     { 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E, 0xFE },
404     { 0xFE, 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E },
405     { 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1, 0xFE },
406     { 0xFE, 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1 }
407 };
408 
mbedtls_des_key_check_weak(const unsigned char key[MBEDTLS_DES_KEY_SIZE])409 int mbedtls_des_key_check_weak( const unsigned char key[MBEDTLS_DES_KEY_SIZE] )
410 {
411     int i;
412 
413     for( i = 0; i < WEAK_KEY_COUNT; i++ )
414         if( memcmp( weak_key_table[i], key, MBEDTLS_DES_KEY_SIZE) == 0 )
415             return( 1 );
416 
417     return( 0 );
418 }
419 
420 #if !defined(MBEDTLS_DES_SETKEY_ALT)
mbedtls_des_setkey(uint32_t SK[32],const unsigned char key[MBEDTLS_DES_KEY_SIZE])421 void mbedtls_des_setkey( uint32_t SK[32], const unsigned char key[MBEDTLS_DES_KEY_SIZE] )
422 {
423     int i;
424     uint32_t X, Y, T;
425 
426     GET_UINT32_BE( X, key, 0 );
427     GET_UINT32_BE( Y, key, 4 );
428 
429     /*
430      * Permuted Choice 1
431      */
432     T =  ((Y >>  4) ^ X) & 0x0F0F0F0F;  X ^= T; Y ^= (T <<  4);
433     T =  ((Y      ) ^ X) & 0x10101010;  X ^= T; Y ^= (T      );
434 
435     X =   (LHs[ (X      ) & 0xF] << 3) | (LHs[ (X >>  8) & 0xF ] << 2)
436         | (LHs[ (X >> 16) & 0xF] << 1) | (LHs[ (X >> 24) & 0xF ]     )
437         | (LHs[ (X >>  5) & 0xF] << 7) | (LHs[ (X >> 13) & 0xF ] << 6)
438         | (LHs[ (X >> 21) & 0xF] << 5) | (LHs[ (X >> 29) & 0xF ] << 4);
439 
440     Y =   (RHs[ (Y >>  1) & 0xF] << 3) | (RHs[ (Y >>  9) & 0xF ] << 2)
441         | (RHs[ (Y >> 17) & 0xF] << 1) | (RHs[ (Y >> 25) & 0xF ]     )
442         | (RHs[ (Y >>  4) & 0xF] << 7) | (RHs[ (Y >> 12) & 0xF ] << 6)
443         | (RHs[ (Y >> 20) & 0xF] << 5) | (RHs[ (Y >> 28) & 0xF ] << 4);
444 
445     X &= 0x0FFFFFFF;
446     Y &= 0x0FFFFFFF;
447 
448     /*
449      * calculate subkeys
450      */
451     for( i = 0; i < 16; i++ )
452     {
453         if( i < 2 || i == 8 || i == 15 )
454         {
455             X = ((X <<  1) | (X >> 27)) & 0x0FFFFFFF;
456             Y = ((Y <<  1) | (Y >> 27)) & 0x0FFFFFFF;
457         }
458         else
459         {
460             X = ((X <<  2) | (X >> 26)) & 0x0FFFFFFF;
461             Y = ((Y <<  2) | (Y >> 26)) & 0x0FFFFFFF;
462         }
463 
464         *SK++ =   ((X <<  4) & 0x24000000) | ((X << 28) & 0x10000000)
465                 | ((X << 14) & 0x08000000) | ((X << 18) & 0x02080000)
466                 | ((X <<  6) & 0x01000000) | ((X <<  9) & 0x00200000)
467                 | ((X >>  1) & 0x00100000) | ((X << 10) & 0x00040000)
468                 | ((X <<  2) & 0x00020000) | ((X >> 10) & 0x00010000)
469                 | ((Y >> 13) & 0x00002000) | ((Y >>  4) & 0x00001000)
470                 | ((Y <<  6) & 0x00000800) | ((Y >>  1) & 0x00000400)
471                 | ((Y >> 14) & 0x00000200) | ((Y      ) & 0x00000100)
472                 | ((Y >>  5) & 0x00000020) | ((Y >> 10) & 0x00000010)
473                 | ((Y >>  3) & 0x00000008) | ((Y >> 18) & 0x00000004)
474                 | ((Y >> 26) & 0x00000002) | ((Y >> 24) & 0x00000001);
475 
476         *SK++ =   ((X << 15) & 0x20000000) | ((X << 17) & 0x10000000)
477                 | ((X << 10) & 0x08000000) | ((X << 22) & 0x04000000)
478                 | ((X >>  2) & 0x02000000) | ((X <<  1) & 0x01000000)
479                 | ((X << 16) & 0x00200000) | ((X << 11) & 0x00100000)
480                 | ((X <<  3) & 0x00080000) | ((X >>  6) & 0x00040000)
481                 | ((X << 15) & 0x00020000) | ((X >>  4) & 0x00010000)
482                 | ((Y >>  2) & 0x00002000) | ((Y <<  8) & 0x00001000)
483                 | ((Y >> 14) & 0x00000808) | ((Y >>  9) & 0x00000400)
484                 | ((Y      ) & 0x00000200) | ((Y <<  7) & 0x00000100)
485                 | ((Y >>  7) & 0x00000020) | ((Y >>  3) & 0x00000011)
486                 | ((Y <<  2) & 0x00000004) | ((Y >> 21) & 0x00000002);
487     }
488 }
489 #endif /* !MBEDTLS_DES_SETKEY_ALT */
490 
491 /*
492  * DES key schedule (56-bit, encryption)
493  */
mbedtls_des_setkey_enc(mbedtls_des_context * ctx,const unsigned char key[MBEDTLS_DES_KEY_SIZE])494 int mbedtls_des_setkey_enc( mbedtls_des_context *ctx, const unsigned char key[MBEDTLS_DES_KEY_SIZE] )
495 {
496     mbedtls_des_setkey( ctx->sk, key );
497 
498     return( 0 );
499 }
500 
501 /*
502  * DES key schedule (56-bit, decryption)
503  */
mbedtls_des_setkey_dec(mbedtls_des_context * ctx,const unsigned char key[MBEDTLS_DES_KEY_SIZE])504 int mbedtls_des_setkey_dec( mbedtls_des_context *ctx, const unsigned char key[MBEDTLS_DES_KEY_SIZE] )
505 {
506     int i;
507 
508     mbedtls_des_setkey( ctx->sk, key );
509 
510     for( i = 0; i < 16; i += 2 )
511     {
512         SWAP( ctx->sk[i    ], ctx->sk[30 - i] );
513         SWAP( ctx->sk[i + 1], ctx->sk[31 - i] );
514     }
515 
516     return( 0 );
517 }
518 
des3_set2key(uint32_t esk[96],uint32_t dsk[96],const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2])519 static void des3_set2key( uint32_t esk[96],
520                           uint32_t dsk[96],
521                           const unsigned char key[MBEDTLS_DES_KEY_SIZE*2] )
522 {
523     int i;
524 
525     mbedtls_des_setkey( esk, key );
526     mbedtls_des_setkey( dsk + 32, key + 8 );
527 
528     for( i = 0; i < 32; i += 2 )
529     {
530         dsk[i     ] = esk[30 - i];
531         dsk[i +  1] = esk[31 - i];
532 
533         esk[i + 32] = dsk[62 - i];
534         esk[i + 33] = dsk[63 - i];
535 
536         esk[i + 64] = esk[i    ];
537         esk[i + 65] = esk[i + 1];
538 
539         dsk[i + 64] = dsk[i    ];
540         dsk[i + 65] = dsk[i + 1];
541     }
542 }
543 
544 /*
545  * Triple-DES key schedule (112-bit, encryption)
546  */
mbedtls_des3_set2key_enc(mbedtls_des3_context * ctx,const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2])547 int mbedtls_des3_set2key_enc( mbedtls_des3_context *ctx,
548                       const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2] )
549 {
550     uint32_t sk[96];
551 
552     des3_set2key( ctx->sk, sk, key );
553     mbedtls_platform_zeroize( sk,  sizeof( sk ) );
554 
555     return( 0 );
556 }
557 
558 /*
559  * Triple-DES key schedule (112-bit, decryption)
560  */
mbedtls_des3_set2key_dec(mbedtls_des3_context * ctx,const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2])561 int mbedtls_des3_set2key_dec( mbedtls_des3_context *ctx,
562                       const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2] )
563 {
564     uint32_t sk[96];
565 
566     des3_set2key( sk, ctx->sk, key );
567     mbedtls_platform_zeroize( sk,  sizeof( sk ) );
568 
569     return( 0 );
570 }
571 
des3_set3key(uint32_t esk[96],uint32_t dsk[96],const unsigned char key[24])572 static void des3_set3key( uint32_t esk[96],
573                           uint32_t dsk[96],
574                           const unsigned char key[24] )
575 {
576     int i;
577 
578     mbedtls_des_setkey( esk, key );
579     mbedtls_des_setkey( dsk + 32, key +  8 );
580     mbedtls_des_setkey( esk + 64, key + 16 );
581 
582     for( i = 0; i < 32; i += 2 )
583     {
584         dsk[i     ] = esk[94 - i];
585         dsk[i +  1] = esk[95 - i];
586 
587         esk[i + 32] = dsk[62 - i];
588         esk[i + 33] = dsk[63 - i];
589 
590         dsk[i + 64] = esk[30 - i];
591         dsk[i + 65] = esk[31 - i];
592     }
593 }
594 
595 /*
596  * Triple-DES key schedule (168-bit, encryption)
597  */
mbedtls_des3_set3key_enc(mbedtls_des3_context * ctx,const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3])598 int mbedtls_des3_set3key_enc( mbedtls_des3_context *ctx,
599                       const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3] )
600 {
601     uint32_t sk[96];
602 
603     des3_set3key( ctx->sk, sk, key );
604     mbedtls_platform_zeroize( sk,  sizeof( sk ) );
605 
606     return( 0 );
607 }
608 
609 /*
610  * Triple-DES key schedule (168-bit, decryption)
611  */
mbedtls_des3_set3key_dec(mbedtls_des3_context * ctx,const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3])612 int mbedtls_des3_set3key_dec( mbedtls_des3_context *ctx,
613                       const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3] )
614 {
615     uint32_t sk[96];
616 
617     des3_set3key( sk, ctx->sk, key );
618     mbedtls_platform_zeroize( sk,  sizeof( sk ) );
619 
620     return( 0 );
621 }
622 
623 /*
624  * DES-ECB block encryption/decryption
625  */
626 #if !defined(MBEDTLS_DES_CRYPT_ECB_ALT)
mbedtls_des_crypt_ecb(mbedtls_des_context * ctx,const unsigned char input[8],unsigned char output[8])627 int mbedtls_des_crypt_ecb( mbedtls_des_context *ctx,
628                     const unsigned char input[8],
629                     unsigned char output[8] )
630 {
631     int i;
632     uint32_t X, Y, T, *SK;
633 
634     SK = ctx->sk;
635 
636     GET_UINT32_BE( X, input, 0 );
637     GET_UINT32_BE( Y, input, 4 );
638 
639     DES_IP( X, Y );
640 
641     for( i = 0; i < 8; i++ )
642     {
643         DES_ROUND( Y, X );
644         DES_ROUND( X, Y );
645     }
646 
647     DES_FP( Y, X );
648 
649     PUT_UINT32_BE( Y, output, 0 );
650     PUT_UINT32_BE( X, output, 4 );
651 
652     return( 0 );
653 }
654 #endif /* !MBEDTLS_DES_CRYPT_ECB_ALT */
655 
656 #if defined(MBEDTLS_CIPHER_MODE_CBC)
657 /*
658  * DES-CBC buffer encryption/decryption
659  */
mbedtls_des_crypt_cbc(mbedtls_des_context * ctx,int mode,size_t length,unsigned char iv[8],const unsigned char * input,unsigned char * output)660 int mbedtls_des_crypt_cbc( mbedtls_des_context *ctx,
661                     int mode,
662                     size_t length,
663                     unsigned char iv[8],
664                     const unsigned char *input,
665                     unsigned char *output )
666 {
667     int i;
668     unsigned char temp[8];
669 
670     if( length % 8 )
671         return( MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH );
672 
673     if( mode == MBEDTLS_DES_ENCRYPT )
674     {
675         while( length > 0 )
676         {
677             for( i = 0; i < 8; i++ )
678                 output[i] = (unsigned char)( input[i] ^ iv[i] );
679 
680             mbedtls_des_crypt_ecb( ctx, output, output );
681             memcpy( iv, output, 8 );
682 
683             input  += 8;
684             output += 8;
685             length -= 8;
686         }
687     }
688     else /* MBEDTLS_DES_DECRYPT */
689     {
690         while( length > 0 )
691         {
692             memcpy( temp, input, 8 );
693             mbedtls_des_crypt_ecb( ctx, input, output );
694 
695             for( i = 0; i < 8; i++ )
696                 output[i] = (unsigned char)( output[i] ^ iv[i] );
697 
698             memcpy( iv, temp, 8 );
699 
700             input  += 8;
701             output += 8;
702             length -= 8;
703         }
704     }
705 
706     return( 0 );
707 }
708 #endif /* MBEDTLS_CIPHER_MODE_CBC */
709 
710 /*
711  * 3DES-ECB block encryption/decryption
712  */
713 #if !defined(MBEDTLS_DES3_CRYPT_ECB_ALT)
mbedtls_des3_crypt_ecb(mbedtls_des3_context * ctx,const unsigned char input[8],unsigned char output[8])714 int mbedtls_des3_crypt_ecb( mbedtls_des3_context *ctx,
715                      const unsigned char input[8],
716                      unsigned char output[8] )
717 {
718     int i;
719     uint32_t X, Y, T, *SK;
720 
721     SK = ctx->sk;
722 
723     GET_UINT32_BE( X, input, 0 );
724     GET_UINT32_BE( Y, input, 4 );
725 
726     DES_IP( X, Y );
727 
728     for( i = 0; i < 8; i++ )
729     {
730         DES_ROUND( Y, X );
731         DES_ROUND( X, Y );
732     }
733 
734     for( i = 0; i < 8; i++ )
735     {
736         DES_ROUND( X, Y );
737         DES_ROUND( Y, X );
738     }
739 
740     for( i = 0; i < 8; i++ )
741     {
742         DES_ROUND( Y, X );
743         DES_ROUND( X, Y );
744     }
745 
746     DES_FP( Y, X );
747 
748     PUT_UINT32_BE( Y, output, 0 );
749     PUT_UINT32_BE( X, output, 4 );
750 
751     return( 0 );
752 }
753 #endif /* !MBEDTLS_DES3_CRYPT_ECB_ALT */
754 
755 #if defined(MBEDTLS_CIPHER_MODE_CBC)
756 /*
757  * 3DES-CBC buffer encryption/decryption
758  */
mbedtls_des3_crypt_cbc(mbedtls_des3_context * ctx,int mode,size_t length,unsigned char iv[8],const unsigned char * input,unsigned char * output)759 int mbedtls_des3_crypt_cbc( mbedtls_des3_context *ctx,
760                      int mode,
761                      size_t length,
762                      unsigned char iv[8],
763                      const unsigned char *input,
764                      unsigned char *output )
765 {
766     int i;
767     unsigned char temp[8];
768 
769     if( length % 8 )
770         return( MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH );
771 
772     if( mode == MBEDTLS_DES_ENCRYPT )
773     {
774         while( length > 0 )
775         {
776             for( i = 0; i < 8; i++ )
777                 output[i] = (unsigned char)( input[i] ^ iv[i] );
778 
779             mbedtls_des3_crypt_ecb( ctx, output, output );
780             memcpy( iv, output, 8 );
781 
782             input  += 8;
783             output += 8;
784             length -= 8;
785         }
786     }
787     else /* MBEDTLS_DES_DECRYPT */
788     {
789         while( length > 0 )
790         {
791             memcpy( temp, input, 8 );
792             mbedtls_des3_crypt_ecb( ctx, input, output );
793 
794             for( i = 0; i < 8; i++ )
795                 output[i] = (unsigned char)( output[i] ^ iv[i] );
796 
797             memcpy( iv, temp, 8 );
798 
799             input  += 8;
800             output += 8;
801             length -= 8;
802         }
803     }
804 
805     return( 0 );
806 }
807 #endif /* MBEDTLS_CIPHER_MODE_CBC */
808 
809 #endif /* !MBEDTLS_DES_ALT */
810 
811 #if defined(MBEDTLS_SELF_TEST)
812 /*
813  * DES and 3DES test vectors from:
814  *
815  * http://csrc.nist.gov/groups/STM/cavp/documents/des/tripledes-vectors.zip
816  */
817 static const unsigned char des3_test_keys[24] =
818 {
819     0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF,
820     0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01,
821     0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01, 0x23
822 };
823 
824 static const unsigned char des3_test_buf[8] =
825 {
826     0x4E, 0x6F, 0x77, 0x20, 0x69, 0x73, 0x20, 0x74
827 };
828 
829 static const unsigned char des3_test_ecb_dec[3][8] =
830 {
831     { 0x37, 0x2B, 0x98, 0xBF, 0x52, 0x65, 0xB0, 0x59 },
832     { 0xC2, 0x10, 0x19, 0x9C, 0x38, 0x5A, 0x65, 0xA1 },
833     { 0xA2, 0x70, 0x56, 0x68, 0x69, 0xE5, 0x15, 0x1D }
834 };
835 
836 static const unsigned char des3_test_ecb_enc[3][8] =
837 {
838     { 0x1C, 0xD5, 0x97, 0xEA, 0x84, 0x26, 0x73, 0xFB },
839     { 0xB3, 0x92, 0x4D, 0xF3, 0xC5, 0xB5, 0x42, 0x93 },
840     { 0xDA, 0x37, 0x64, 0x41, 0xBA, 0x6F, 0x62, 0x6F }
841 };
842 
843 #if defined(MBEDTLS_CIPHER_MODE_CBC)
844 static const unsigned char des3_test_iv[8] =
845 {
846     0x12, 0x34, 0x56, 0x78, 0x90, 0xAB, 0xCD, 0xEF,
847 };
848 
849 static const unsigned char des3_test_cbc_dec[3][8] =
850 {
851     { 0x58, 0xD9, 0x48, 0xEF, 0x85, 0x14, 0x65, 0x9A },
852     { 0x5F, 0xC8, 0x78, 0xD4, 0xD7, 0x92, 0xD9, 0x54 },
853     { 0x25, 0xF9, 0x75, 0x85, 0xA8, 0x1E, 0x48, 0xBF }
854 };
855 
856 static const unsigned char des3_test_cbc_enc[3][8] =
857 {
858     { 0x91, 0x1C, 0x6D, 0xCF, 0x48, 0xA7, 0xC3, 0x4D },
859     { 0x60, 0x1A, 0x76, 0x8F, 0xA1, 0xF9, 0x66, 0xF1 },
860     { 0xA1, 0x50, 0x0F, 0x99, 0xB2, 0xCD, 0x64, 0x76 }
861 };
862 #endif /* MBEDTLS_CIPHER_MODE_CBC */
863 
864 /*
865  * Checkup routine
866  */
mbedtls_des_self_test(int verbose)867 int mbedtls_des_self_test( int verbose )
868 {
869     int i, j, u, v, ret = 0;
870     mbedtls_des_context ctx;
871     mbedtls_des3_context ctx3;
872     unsigned char buf[8];
873 #if defined(MBEDTLS_CIPHER_MODE_CBC)
874     unsigned char prv[8];
875     unsigned char iv[8];
876 #endif
877 
878     mbedtls_des_init( &ctx );
879     mbedtls_des3_init( &ctx3 );
880     /*
881      * ECB mode
882      */
883     for( i = 0; i < 6; i++ )
884     {
885         u = i >> 1;
886         v = i  & 1;
887 
888         if( verbose != 0 )
889             mbedtls_printf( "  DES%c-ECB-%3d (%s): ",
890                              ( u == 0 ) ? ' ' : '3', 56 + u * 56,
891                              ( v == MBEDTLS_DES_DECRYPT ) ? "dec" : "enc" );
892 
893         memcpy( buf, des3_test_buf, 8 );
894 
895         switch( i )
896         {
897         case 0:
898             mbedtls_des_setkey_dec( &ctx, des3_test_keys );
899             break;
900 
901         case 1:
902             mbedtls_des_setkey_enc( &ctx, des3_test_keys );
903             break;
904 
905         case 2:
906             mbedtls_des3_set2key_dec( &ctx3, des3_test_keys );
907             break;
908 
909         case 3:
910             mbedtls_des3_set2key_enc( &ctx3, des3_test_keys );
911             break;
912 
913         case 4:
914             mbedtls_des3_set3key_dec( &ctx3, des3_test_keys );
915             break;
916 
917         case 5:
918             mbedtls_des3_set3key_enc( &ctx3, des3_test_keys );
919             break;
920 
921         default:
922             return( 1 );
923         }
924 
925         for( j = 0; j < 100; j++ )
926         {
927             if( u == 0 )
928                 mbedtls_des_crypt_ecb( &ctx, buf, buf );
929             else
930                 mbedtls_des3_crypt_ecb( &ctx3, buf, buf );
931         }
932 
933         if( ( v == MBEDTLS_DES_DECRYPT &&
934                 memcmp( buf, des3_test_ecb_dec[u], 8 ) != 0 ) ||
935             ( v != MBEDTLS_DES_DECRYPT &&
936                 memcmp( buf, des3_test_ecb_enc[u], 8 ) != 0 ) )
937         {
938             if( verbose != 0 )
939                 mbedtls_printf( "failed\n" );
940 
941             ret = 1;
942             goto exit;
943         }
944 
945         if( verbose != 0 )
946             mbedtls_printf( "passed\n" );
947     }
948 
949     if( verbose != 0 )
950         mbedtls_printf( "\n" );
951 
952 #if defined(MBEDTLS_CIPHER_MODE_CBC)
953     /*
954      * CBC mode
955      */
956     for( i = 0; i < 6; i++ )
957     {
958         u = i >> 1;
959         v = i  & 1;
960 
961         if( verbose != 0 )
962             mbedtls_printf( "  DES%c-CBC-%3d (%s): ",
963                              ( u == 0 ) ? ' ' : '3', 56 + u * 56,
964                              ( v == MBEDTLS_DES_DECRYPT ) ? "dec" : "enc" );
965 
966         memcpy( iv,  des3_test_iv,  8 );
967         memcpy( prv, des3_test_iv,  8 );
968         memcpy( buf, des3_test_buf, 8 );
969 
970         switch( i )
971         {
972         case 0:
973             mbedtls_des_setkey_dec( &ctx, des3_test_keys );
974             break;
975 
976         case 1:
977             mbedtls_des_setkey_enc( &ctx, des3_test_keys );
978             break;
979 
980         case 2:
981             mbedtls_des3_set2key_dec( &ctx3, des3_test_keys );
982             break;
983 
984         case 3:
985             mbedtls_des3_set2key_enc( &ctx3, des3_test_keys );
986             break;
987 
988         case 4:
989             mbedtls_des3_set3key_dec( &ctx3, des3_test_keys );
990             break;
991 
992         case 5:
993             mbedtls_des3_set3key_enc( &ctx3, des3_test_keys );
994             break;
995 
996         default:
997             return( 1 );
998         }
999 
1000         if( v == MBEDTLS_DES_DECRYPT )
1001         {
1002             for( j = 0; j < 100; j++ )
1003             {
1004                 if( u == 0 )
1005                     mbedtls_des_crypt_cbc( &ctx, v, 8, iv, buf, buf );
1006                 else
1007                     mbedtls_des3_crypt_cbc( &ctx3, v, 8, iv, buf, buf );
1008             }
1009         }
1010         else
1011         {
1012             for( j = 0; j < 100; j++ )
1013             {
1014                 unsigned char tmp[8];
1015 
1016                 if( u == 0 )
1017                     mbedtls_des_crypt_cbc( &ctx, v, 8, iv, buf, buf );
1018                 else
1019                     mbedtls_des3_crypt_cbc( &ctx3, v, 8, iv, buf, buf );
1020 
1021                 memcpy( tmp, prv, 8 );
1022                 memcpy( prv, buf, 8 );
1023                 memcpy( buf, tmp, 8 );
1024             }
1025 
1026             memcpy( buf, prv, 8 );
1027         }
1028 
1029         if( ( v == MBEDTLS_DES_DECRYPT &&
1030                 memcmp( buf, des3_test_cbc_dec[u], 8 ) != 0 ) ||
1031             ( v != MBEDTLS_DES_DECRYPT &&
1032                 memcmp( buf, des3_test_cbc_enc[u], 8 ) != 0 ) )
1033         {
1034             if( verbose != 0 )
1035                 mbedtls_printf( "failed\n" );
1036 
1037             ret = 1;
1038             goto exit;
1039         }
1040 
1041         if( verbose != 0 )
1042             mbedtls_printf( "passed\n" );
1043     }
1044 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1045 
1046     if( verbose != 0 )
1047         mbedtls_printf( "\n" );
1048 
1049 exit:
1050     mbedtls_des_free( &ctx );
1051     mbedtls_des3_free( &ctx3 );
1052 
1053     return( ret );
1054 }
1055 
1056 #endif /* MBEDTLS_SELF_TEST */
1057 
1058 #endif /* MBEDTLS_DES_C */
1059