1 /*
2 * FIPS-46-3 compliant Triple-DES implementation
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19 /*
20 * DES, on which TDES is based, was originally designed by Horst Feistel
21 * at IBM in 1974, and was adopted as a standard by NIST (formerly NBS).
22 *
23 * http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf
24 */
25
26 #include "common.h"
27
28 #if defined(MBEDTLS_DES_C)
29
30 #include "mbedtls/des.h"
31 #include "mbedtls/platform_util.h"
32
33 #include <string.h>
34
35 #if defined(MBEDTLS_SELF_TEST)
36 #if defined(MBEDTLS_PLATFORM_C)
37 #include "mbedtls/platform.h"
38 #else
39 #include <stdio.h>
40 #define mbedtls_printf printf
41 #endif /* MBEDTLS_PLATFORM_C */
42 #endif /* MBEDTLS_SELF_TEST */
43
44 #if !defined(MBEDTLS_DES_ALT)
45
46 /*
47 * 32-bit integer manipulation macros (big endian)
48 */
49 #ifndef GET_UINT32_BE
50 #define GET_UINT32_BE(n,b,i) \
51 { \
52 (n) = ( (uint32_t) (b)[(i) ] << 24 ) \
53 | ( (uint32_t) (b)[(i) + 1] << 16 ) \
54 | ( (uint32_t) (b)[(i) + 2] << 8 ) \
55 | ( (uint32_t) (b)[(i) + 3] ); \
56 }
57 #endif
58
59 #ifndef PUT_UINT32_BE
60 #define PUT_UINT32_BE(n,b,i) \
61 { \
62 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
63 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
64 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
65 (b)[(i) + 3] = (unsigned char) ( (n) ); \
66 }
67 #endif
68
69 /*
70 * Expanded DES S-boxes
71 */
72 static const uint32_t SB1[64] =
73 {
74 0x01010400, 0x00000000, 0x00010000, 0x01010404,
75 0x01010004, 0x00010404, 0x00000004, 0x00010000,
76 0x00000400, 0x01010400, 0x01010404, 0x00000400,
77 0x01000404, 0x01010004, 0x01000000, 0x00000004,
78 0x00000404, 0x01000400, 0x01000400, 0x00010400,
79 0x00010400, 0x01010000, 0x01010000, 0x01000404,
80 0x00010004, 0x01000004, 0x01000004, 0x00010004,
81 0x00000000, 0x00000404, 0x00010404, 0x01000000,
82 0x00010000, 0x01010404, 0x00000004, 0x01010000,
83 0x01010400, 0x01000000, 0x01000000, 0x00000400,
84 0x01010004, 0x00010000, 0x00010400, 0x01000004,
85 0x00000400, 0x00000004, 0x01000404, 0x00010404,
86 0x01010404, 0x00010004, 0x01010000, 0x01000404,
87 0x01000004, 0x00000404, 0x00010404, 0x01010400,
88 0x00000404, 0x01000400, 0x01000400, 0x00000000,
89 0x00010004, 0x00010400, 0x00000000, 0x01010004
90 };
91
92 static const uint32_t SB2[64] =
93 {
94 0x80108020, 0x80008000, 0x00008000, 0x00108020,
95 0x00100000, 0x00000020, 0x80100020, 0x80008020,
96 0x80000020, 0x80108020, 0x80108000, 0x80000000,
97 0x80008000, 0x00100000, 0x00000020, 0x80100020,
98 0x00108000, 0x00100020, 0x80008020, 0x00000000,
99 0x80000000, 0x00008000, 0x00108020, 0x80100000,
100 0x00100020, 0x80000020, 0x00000000, 0x00108000,
101 0x00008020, 0x80108000, 0x80100000, 0x00008020,
102 0x00000000, 0x00108020, 0x80100020, 0x00100000,
103 0x80008020, 0x80100000, 0x80108000, 0x00008000,
104 0x80100000, 0x80008000, 0x00000020, 0x80108020,
105 0x00108020, 0x00000020, 0x00008000, 0x80000000,
106 0x00008020, 0x80108000, 0x00100000, 0x80000020,
107 0x00100020, 0x80008020, 0x80000020, 0x00100020,
108 0x00108000, 0x00000000, 0x80008000, 0x00008020,
109 0x80000000, 0x80100020, 0x80108020, 0x00108000
110 };
111
112 static const uint32_t SB3[64] =
113 {
114 0x00000208, 0x08020200, 0x00000000, 0x08020008,
115 0x08000200, 0x00000000, 0x00020208, 0x08000200,
116 0x00020008, 0x08000008, 0x08000008, 0x00020000,
117 0x08020208, 0x00020008, 0x08020000, 0x00000208,
118 0x08000000, 0x00000008, 0x08020200, 0x00000200,
119 0x00020200, 0x08020000, 0x08020008, 0x00020208,
120 0x08000208, 0x00020200, 0x00020000, 0x08000208,
121 0x00000008, 0x08020208, 0x00000200, 0x08000000,
122 0x08020200, 0x08000000, 0x00020008, 0x00000208,
123 0x00020000, 0x08020200, 0x08000200, 0x00000000,
124 0x00000200, 0x00020008, 0x08020208, 0x08000200,
125 0x08000008, 0x00000200, 0x00000000, 0x08020008,
126 0x08000208, 0x00020000, 0x08000000, 0x08020208,
127 0x00000008, 0x00020208, 0x00020200, 0x08000008,
128 0x08020000, 0x08000208, 0x00000208, 0x08020000,
129 0x00020208, 0x00000008, 0x08020008, 0x00020200
130 };
131
132 static const uint32_t SB4[64] =
133 {
134 0x00802001, 0x00002081, 0x00002081, 0x00000080,
135 0x00802080, 0x00800081, 0x00800001, 0x00002001,
136 0x00000000, 0x00802000, 0x00802000, 0x00802081,
137 0x00000081, 0x00000000, 0x00800080, 0x00800001,
138 0x00000001, 0x00002000, 0x00800000, 0x00802001,
139 0x00000080, 0x00800000, 0x00002001, 0x00002080,
140 0x00800081, 0x00000001, 0x00002080, 0x00800080,
141 0x00002000, 0x00802080, 0x00802081, 0x00000081,
142 0x00800080, 0x00800001, 0x00802000, 0x00802081,
143 0x00000081, 0x00000000, 0x00000000, 0x00802000,
144 0x00002080, 0x00800080, 0x00800081, 0x00000001,
145 0x00802001, 0x00002081, 0x00002081, 0x00000080,
146 0x00802081, 0x00000081, 0x00000001, 0x00002000,
147 0x00800001, 0x00002001, 0x00802080, 0x00800081,
148 0x00002001, 0x00002080, 0x00800000, 0x00802001,
149 0x00000080, 0x00800000, 0x00002000, 0x00802080
150 };
151
152 static const uint32_t SB5[64] =
153 {
154 0x00000100, 0x02080100, 0x02080000, 0x42000100,
155 0x00080000, 0x00000100, 0x40000000, 0x02080000,
156 0x40080100, 0x00080000, 0x02000100, 0x40080100,
157 0x42000100, 0x42080000, 0x00080100, 0x40000000,
158 0x02000000, 0x40080000, 0x40080000, 0x00000000,
159 0x40000100, 0x42080100, 0x42080100, 0x02000100,
160 0x42080000, 0x40000100, 0x00000000, 0x42000000,
161 0x02080100, 0x02000000, 0x42000000, 0x00080100,
162 0x00080000, 0x42000100, 0x00000100, 0x02000000,
163 0x40000000, 0x02080000, 0x42000100, 0x40080100,
164 0x02000100, 0x40000000, 0x42080000, 0x02080100,
165 0x40080100, 0x00000100, 0x02000000, 0x42080000,
166 0x42080100, 0x00080100, 0x42000000, 0x42080100,
167 0x02080000, 0x00000000, 0x40080000, 0x42000000,
168 0x00080100, 0x02000100, 0x40000100, 0x00080000,
169 0x00000000, 0x40080000, 0x02080100, 0x40000100
170 };
171
172 static const uint32_t SB6[64] =
173 {
174 0x20000010, 0x20400000, 0x00004000, 0x20404010,
175 0x20400000, 0x00000010, 0x20404010, 0x00400000,
176 0x20004000, 0x00404010, 0x00400000, 0x20000010,
177 0x00400010, 0x20004000, 0x20000000, 0x00004010,
178 0x00000000, 0x00400010, 0x20004010, 0x00004000,
179 0x00404000, 0x20004010, 0x00000010, 0x20400010,
180 0x20400010, 0x00000000, 0x00404010, 0x20404000,
181 0x00004010, 0x00404000, 0x20404000, 0x20000000,
182 0x20004000, 0x00000010, 0x20400010, 0x00404000,
183 0x20404010, 0x00400000, 0x00004010, 0x20000010,
184 0x00400000, 0x20004000, 0x20000000, 0x00004010,
185 0x20000010, 0x20404010, 0x00404000, 0x20400000,
186 0x00404010, 0x20404000, 0x00000000, 0x20400010,
187 0x00000010, 0x00004000, 0x20400000, 0x00404010,
188 0x00004000, 0x00400010, 0x20004010, 0x00000000,
189 0x20404000, 0x20000000, 0x00400010, 0x20004010
190 };
191
192 static const uint32_t SB7[64] =
193 {
194 0x00200000, 0x04200002, 0x04000802, 0x00000000,
195 0x00000800, 0x04000802, 0x00200802, 0x04200800,
196 0x04200802, 0x00200000, 0x00000000, 0x04000002,
197 0x00000002, 0x04000000, 0x04200002, 0x00000802,
198 0x04000800, 0x00200802, 0x00200002, 0x04000800,
199 0x04000002, 0x04200000, 0x04200800, 0x00200002,
200 0x04200000, 0x00000800, 0x00000802, 0x04200802,
201 0x00200800, 0x00000002, 0x04000000, 0x00200800,
202 0x04000000, 0x00200800, 0x00200000, 0x04000802,
203 0x04000802, 0x04200002, 0x04200002, 0x00000002,
204 0x00200002, 0x04000000, 0x04000800, 0x00200000,
205 0x04200800, 0x00000802, 0x00200802, 0x04200800,
206 0x00000802, 0x04000002, 0x04200802, 0x04200000,
207 0x00200800, 0x00000000, 0x00000002, 0x04200802,
208 0x00000000, 0x00200802, 0x04200000, 0x00000800,
209 0x04000002, 0x04000800, 0x00000800, 0x00200002
210 };
211
212 static const uint32_t SB8[64] =
213 {
214 0x10001040, 0x00001000, 0x00040000, 0x10041040,
215 0x10000000, 0x10001040, 0x00000040, 0x10000000,
216 0x00040040, 0x10040000, 0x10041040, 0x00041000,
217 0x10041000, 0x00041040, 0x00001000, 0x00000040,
218 0x10040000, 0x10000040, 0x10001000, 0x00001040,
219 0x00041000, 0x00040040, 0x10040040, 0x10041000,
220 0x00001040, 0x00000000, 0x00000000, 0x10040040,
221 0x10000040, 0x10001000, 0x00041040, 0x00040000,
222 0x00041040, 0x00040000, 0x10041000, 0x00001000,
223 0x00000040, 0x10040040, 0x00001000, 0x00041040,
224 0x10001000, 0x00000040, 0x10000040, 0x10040000,
225 0x10040040, 0x10000000, 0x00040000, 0x10001040,
226 0x00000000, 0x10041040, 0x00040040, 0x10000040,
227 0x10040000, 0x10001000, 0x10001040, 0x00000000,
228 0x10041040, 0x00041000, 0x00041000, 0x00001040,
229 0x00001040, 0x00040040, 0x10000000, 0x10041000
230 };
231
232 /*
233 * PC1: left and right halves bit-swap
234 */
235 static const uint32_t LHs[16] =
236 {
237 0x00000000, 0x00000001, 0x00000100, 0x00000101,
238 0x00010000, 0x00010001, 0x00010100, 0x00010101,
239 0x01000000, 0x01000001, 0x01000100, 0x01000101,
240 0x01010000, 0x01010001, 0x01010100, 0x01010101
241 };
242
243 static const uint32_t RHs[16] =
244 {
245 0x00000000, 0x01000000, 0x00010000, 0x01010000,
246 0x00000100, 0x01000100, 0x00010100, 0x01010100,
247 0x00000001, 0x01000001, 0x00010001, 0x01010001,
248 0x00000101, 0x01000101, 0x00010101, 0x01010101,
249 };
250
251 /*
252 * Initial Permutation macro
253 */
254 #define DES_IP(X,Y) \
255 do \
256 { \
257 T = (((X) >> 4) ^ (Y)) & 0x0F0F0F0F; (Y) ^= T; (X) ^= (T << 4); \
258 T = (((X) >> 16) ^ (Y)) & 0x0000FFFF; (Y) ^= T; (X) ^= (T << 16); \
259 T = (((Y) >> 2) ^ (X)) & 0x33333333; (X) ^= T; (Y) ^= (T << 2); \
260 T = (((Y) >> 8) ^ (X)) & 0x00FF00FF; (X) ^= T; (Y) ^= (T << 8); \
261 (Y) = (((Y) << 1) | ((Y) >> 31)) & 0xFFFFFFFF; \
262 T = ((X) ^ (Y)) & 0xAAAAAAAA; (Y) ^= T; (X) ^= T; \
263 (X) = (((X) << 1) | ((X) >> 31)) & 0xFFFFFFFF; \
264 } while( 0 )
265
266 /*
267 * Final Permutation macro
268 */
269 #define DES_FP(X,Y) \
270 do \
271 { \
272 (X) = (((X) << 31) | ((X) >> 1)) & 0xFFFFFFFF; \
273 T = ((X) ^ (Y)) & 0xAAAAAAAA; (X) ^= T; (Y) ^= T; \
274 (Y) = (((Y) << 31) | ((Y) >> 1)) & 0xFFFFFFFF; \
275 T = (((Y) >> 8) ^ (X)) & 0x00FF00FF; (X) ^= T; (Y) ^= (T << 8); \
276 T = (((Y) >> 2) ^ (X)) & 0x33333333; (X) ^= T; (Y) ^= (T << 2); \
277 T = (((X) >> 16) ^ (Y)) & 0x0000FFFF; (Y) ^= T; (X) ^= (T << 16); \
278 T = (((X) >> 4) ^ (Y)) & 0x0F0F0F0F; (Y) ^= T; (X) ^= (T << 4); \
279 } while( 0 )
280
281 /*
282 * DES round macro
283 */
284 #define DES_ROUND(X,Y) \
285 do \
286 { \
287 T = *SK++ ^ (X); \
288 (Y) ^= SB8[ (T ) & 0x3F ] ^ \
289 SB6[ (T >> 8) & 0x3F ] ^ \
290 SB4[ (T >> 16) & 0x3F ] ^ \
291 SB2[ (T >> 24) & 0x3F ]; \
292 \
293 T = *SK++ ^ (((X) << 28) | ((X) >> 4)); \
294 (Y) ^= SB7[ (T ) & 0x3F ] ^ \
295 SB5[ (T >> 8) & 0x3F ] ^ \
296 SB3[ (T >> 16) & 0x3F ] ^ \
297 SB1[ (T >> 24) & 0x3F ]; \
298 } while( 0 )
299
300 #define SWAP(a,b) \
301 do \
302 { \
303 uint32_t t = (a); (a) = (b); (b) = t; t = 0; \
304 } while( 0 )
305
mbedtls_des_init(mbedtls_des_context * ctx)306 void mbedtls_des_init( mbedtls_des_context *ctx )
307 {
308 memset( ctx, 0, sizeof( mbedtls_des_context ) );
309 }
310
mbedtls_des_free(mbedtls_des_context * ctx)311 void mbedtls_des_free( mbedtls_des_context *ctx )
312 {
313 if( ctx == NULL )
314 return;
315
316 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_des_context ) );
317 }
318
mbedtls_des3_init(mbedtls_des3_context * ctx)319 void mbedtls_des3_init( mbedtls_des3_context *ctx )
320 {
321 memset( ctx, 0, sizeof( mbedtls_des3_context ) );
322 }
323
mbedtls_des3_free(mbedtls_des3_context * ctx)324 void mbedtls_des3_free( mbedtls_des3_context *ctx )
325 {
326 if( ctx == NULL )
327 return;
328
329 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_des3_context ) );
330 }
331
332 static const unsigned char odd_parity_table[128] = { 1, 2, 4, 7, 8,
333 11, 13, 14, 16, 19, 21, 22, 25, 26, 28, 31, 32, 35, 37, 38, 41, 42, 44,
334 47, 49, 50, 52, 55, 56, 59, 61, 62, 64, 67, 69, 70, 73, 74, 76, 79, 81,
335 82, 84, 87, 88, 91, 93, 94, 97, 98, 100, 103, 104, 107, 109, 110, 112,
336 115, 117, 118, 121, 122, 124, 127, 128, 131, 133, 134, 137, 138, 140,
337 143, 145, 146, 148, 151, 152, 155, 157, 158, 161, 162, 164, 167, 168,
338 171, 173, 174, 176, 179, 181, 182, 185, 186, 188, 191, 193, 194, 196,
339 199, 200, 203, 205, 206, 208, 211, 213, 214, 217, 218, 220, 223, 224,
340 227, 229, 230, 233, 234, 236, 239, 241, 242, 244, 247, 248, 251, 253,
341 254 };
342
mbedtls_des_key_set_parity(unsigned char key[MBEDTLS_DES_KEY_SIZE])343 void mbedtls_des_key_set_parity( unsigned char key[MBEDTLS_DES_KEY_SIZE] )
344 {
345 int i;
346
347 for( i = 0; i < MBEDTLS_DES_KEY_SIZE; i++ )
348 key[i] = odd_parity_table[key[i] / 2];
349 }
350
351 /*
352 * Check the given key's parity, returns 1 on failure, 0 on SUCCESS
353 */
mbedtls_des_key_check_key_parity(const unsigned char key[MBEDTLS_DES_KEY_SIZE])354 int mbedtls_des_key_check_key_parity( const unsigned char key[MBEDTLS_DES_KEY_SIZE] )
355 {
356 int i;
357
358 for( i = 0; i < MBEDTLS_DES_KEY_SIZE; i++ )
359 if( key[i] != odd_parity_table[key[i] / 2] )
360 return( 1 );
361
362 return( 0 );
363 }
364
365 /*
366 * Table of weak and semi-weak keys
367 *
368 * Source: http://en.wikipedia.org/wiki/Weak_key
369 *
370 * Weak:
371 * Alternating ones + zeros (0x0101010101010101)
372 * Alternating 'F' + 'E' (0xFEFEFEFEFEFEFEFE)
373 * '0xE0E0E0E0F1F1F1F1'
374 * '0x1F1F1F1F0E0E0E0E'
375 *
376 * Semi-weak:
377 * 0x011F011F010E010E and 0x1F011F010E010E01
378 * 0x01E001E001F101F1 and 0xE001E001F101F101
379 * 0x01FE01FE01FE01FE and 0xFE01FE01FE01FE01
380 * 0x1FE01FE00EF10EF1 and 0xE01FE01FF10EF10E
381 * 0x1FFE1FFE0EFE0EFE and 0xFE1FFE1FFE0EFE0E
382 * 0xE0FEE0FEF1FEF1FE and 0xFEE0FEE0FEF1FEF1
383 *
384 */
385
386 #define WEAK_KEY_COUNT 16
387
388 static const unsigned char weak_key_table[WEAK_KEY_COUNT][MBEDTLS_DES_KEY_SIZE] =
389 {
390 { 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 },
391 { 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE },
392 { 0x1F, 0x1F, 0x1F, 0x1F, 0x0E, 0x0E, 0x0E, 0x0E },
393 { 0xE0, 0xE0, 0xE0, 0xE0, 0xF1, 0xF1, 0xF1, 0xF1 },
394
395 { 0x01, 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E },
396 { 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E, 0x01 },
397 { 0x01, 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1 },
398 { 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1, 0x01 },
399 { 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE },
400 { 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01 },
401 { 0x1F, 0xE0, 0x1F, 0xE0, 0x0E, 0xF1, 0x0E, 0xF1 },
402 { 0xE0, 0x1F, 0xE0, 0x1F, 0xF1, 0x0E, 0xF1, 0x0E },
403 { 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E, 0xFE },
404 { 0xFE, 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E },
405 { 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1, 0xFE },
406 { 0xFE, 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1 }
407 };
408
mbedtls_des_key_check_weak(const unsigned char key[MBEDTLS_DES_KEY_SIZE])409 int mbedtls_des_key_check_weak( const unsigned char key[MBEDTLS_DES_KEY_SIZE] )
410 {
411 int i;
412
413 for( i = 0; i < WEAK_KEY_COUNT; i++ )
414 if( memcmp( weak_key_table[i], key, MBEDTLS_DES_KEY_SIZE) == 0 )
415 return( 1 );
416
417 return( 0 );
418 }
419
420 #if !defined(MBEDTLS_DES_SETKEY_ALT)
mbedtls_des_setkey(uint32_t SK[32],const unsigned char key[MBEDTLS_DES_KEY_SIZE])421 void mbedtls_des_setkey( uint32_t SK[32], const unsigned char key[MBEDTLS_DES_KEY_SIZE] )
422 {
423 int i;
424 uint32_t X, Y, T;
425
426 GET_UINT32_BE( X, key, 0 );
427 GET_UINT32_BE( Y, key, 4 );
428
429 /*
430 * Permuted Choice 1
431 */
432 T = ((Y >> 4) ^ X) & 0x0F0F0F0F; X ^= T; Y ^= (T << 4);
433 T = ((Y ) ^ X) & 0x10101010; X ^= T; Y ^= (T );
434
435 X = (LHs[ (X ) & 0xF] << 3) | (LHs[ (X >> 8) & 0xF ] << 2)
436 | (LHs[ (X >> 16) & 0xF] << 1) | (LHs[ (X >> 24) & 0xF ] )
437 | (LHs[ (X >> 5) & 0xF] << 7) | (LHs[ (X >> 13) & 0xF ] << 6)
438 | (LHs[ (X >> 21) & 0xF] << 5) | (LHs[ (X >> 29) & 0xF ] << 4);
439
440 Y = (RHs[ (Y >> 1) & 0xF] << 3) | (RHs[ (Y >> 9) & 0xF ] << 2)
441 | (RHs[ (Y >> 17) & 0xF] << 1) | (RHs[ (Y >> 25) & 0xF ] )
442 | (RHs[ (Y >> 4) & 0xF] << 7) | (RHs[ (Y >> 12) & 0xF ] << 6)
443 | (RHs[ (Y >> 20) & 0xF] << 5) | (RHs[ (Y >> 28) & 0xF ] << 4);
444
445 X &= 0x0FFFFFFF;
446 Y &= 0x0FFFFFFF;
447
448 /*
449 * calculate subkeys
450 */
451 for( i = 0; i < 16; i++ )
452 {
453 if( i < 2 || i == 8 || i == 15 )
454 {
455 X = ((X << 1) | (X >> 27)) & 0x0FFFFFFF;
456 Y = ((Y << 1) | (Y >> 27)) & 0x0FFFFFFF;
457 }
458 else
459 {
460 X = ((X << 2) | (X >> 26)) & 0x0FFFFFFF;
461 Y = ((Y << 2) | (Y >> 26)) & 0x0FFFFFFF;
462 }
463
464 *SK++ = ((X << 4) & 0x24000000) | ((X << 28) & 0x10000000)
465 | ((X << 14) & 0x08000000) | ((X << 18) & 0x02080000)
466 | ((X << 6) & 0x01000000) | ((X << 9) & 0x00200000)
467 | ((X >> 1) & 0x00100000) | ((X << 10) & 0x00040000)
468 | ((X << 2) & 0x00020000) | ((X >> 10) & 0x00010000)
469 | ((Y >> 13) & 0x00002000) | ((Y >> 4) & 0x00001000)
470 | ((Y << 6) & 0x00000800) | ((Y >> 1) & 0x00000400)
471 | ((Y >> 14) & 0x00000200) | ((Y ) & 0x00000100)
472 | ((Y >> 5) & 0x00000020) | ((Y >> 10) & 0x00000010)
473 | ((Y >> 3) & 0x00000008) | ((Y >> 18) & 0x00000004)
474 | ((Y >> 26) & 0x00000002) | ((Y >> 24) & 0x00000001);
475
476 *SK++ = ((X << 15) & 0x20000000) | ((X << 17) & 0x10000000)
477 | ((X << 10) & 0x08000000) | ((X << 22) & 0x04000000)
478 | ((X >> 2) & 0x02000000) | ((X << 1) & 0x01000000)
479 | ((X << 16) & 0x00200000) | ((X << 11) & 0x00100000)
480 | ((X << 3) & 0x00080000) | ((X >> 6) & 0x00040000)
481 | ((X << 15) & 0x00020000) | ((X >> 4) & 0x00010000)
482 | ((Y >> 2) & 0x00002000) | ((Y << 8) & 0x00001000)
483 | ((Y >> 14) & 0x00000808) | ((Y >> 9) & 0x00000400)
484 | ((Y ) & 0x00000200) | ((Y << 7) & 0x00000100)
485 | ((Y >> 7) & 0x00000020) | ((Y >> 3) & 0x00000011)
486 | ((Y << 2) & 0x00000004) | ((Y >> 21) & 0x00000002);
487 }
488 }
489 #endif /* !MBEDTLS_DES_SETKEY_ALT */
490
491 /*
492 * DES key schedule (56-bit, encryption)
493 */
mbedtls_des_setkey_enc(mbedtls_des_context * ctx,const unsigned char key[MBEDTLS_DES_KEY_SIZE])494 int mbedtls_des_setkey_enc( mbedtls_des_context *ctx, const unsigned char key[MBEDTLS_DES_KEY_SIZE] )
495 {
496 mbedtls_des_setkey( ctx->sk, key );
497
498 return( 0 );
499 }
500
501 /*
502 * DES key schedule (56-bit, decryption)
503 */
mbedtls_des_setkey_dec(mbedtls_des_context * ctx,const unsigned char key[MBEDTLS_DES_KEY_SIZE])504 int mbedtls_des_setkey_dec( mbedtls_des_context *ctx, const unsigned char key[MBEDTLS_DES_KEY_SIZE] )
505 {
506 int i;
507
508 mbedtls_des_setkey( ctx->sk, key );
509
510 for( i = 0; i < 16; i += 2 )
511 {
512 SWAP( ctx->sk[i ], ctx->sk[30 - i] );
513 SWAP( ctx->sk[i + 1], ctx->sk[31 - i] );
514 }
515
516 return( 0 );
517 }
518
des3_set2key(uint32_t esk[96],uint32_t dsk[96],const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2])519 static void des3_set2key( uint32_t esk[96],
520 uint32_t dsk[96],
521 const unsigned char key[MBEDTLS_DES_KEY_SIZE*2] )
522 {
523 int i;
524
525 mbedtls_des_setkey( esk, key );
526 mbedtls_des_setkey( dsk + 32, key + 8 );
527
528 for( i = 0; i < 32; i += 2 )
529 {
530 dsk[i ] = esk[30 - i];
531 dsk[i + 1] = esk[31 - i];
532
533 esk[i + 32] = dsk[62 - i];
534 esk[i + 33] = dsk[63 - i];
535
536 esk[i + 64] = esk[i ];
537 esk[i + 65] = esk[i + 1];
538
539 dsk[i + 64] = dsk[i ];
540 dsk[i + 65] = dsk[i + 1];
541 }
542 }
543
544 /*
545 * Triple-DES key schedule (112-bit, encryption)
546 */
mbedtls_des3_set2key_enc(mbedtls_des3_context * ctx,const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2])547 int mbedtls_des3_set2key_enc( mbedtls_des3_context *ctx,
548 const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2] )
549 {
550 uint32_t sk[96];
551
552 des3_set2key( ctx->sk, sk, key );
553 mbedtls_platform_zeroize( sk, sizeof( sk ) );
554
555 return( 0 );
556 }
557
558 /*
559 * Triple-DES key schedule (112-bit, decryption)
560 */
mbedtls_des3_set2key_dec(mbedtls_des3_context * ctx,const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2])561 int mbedtls_des3_set2key_dec( mbedtls_des3_context *ctx,
562 const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2] )
563 {
564 uint32_t sk[96];
565
566 des3_set2key( sk, ctx->sk, key );
567 mbedtls_platform_zeroize( sk, sizeof( sk ) );
568
569 return( 0 );
570 }
571
des3_set3key(uint32_t esk[96],uint32_t dsk[96],const unsigned char key[24])572 static void des3_set3key( uint32_t esk[96],
573 uint32_t dsk[96],
574 const unsigned char key[24] )
575 {
576 int i;
577
578 mbedtls_des_setkey( esk, key );
579 mbedtls_des_setkey( dsk + 32, key + 8 );
580 mbedtls_des_setkey( esk + 64, key + 16 );
581
582 for( i = 0; i < 32; i += 2 )
583 {
584 dsk[i ] = esk[94 - i];
585 dsk[i + 1] = esk[95 - i];
586
587 esk[i + 32] = dsk[62 - i];
588 esk[i + 33] = dsk[63 - i];
589
590 dsk[i + 64] = esk[30 - i];
591 dsk[i + 65] = esk[31 - i];
592 }
593 }
594
595 /*
596 * Triple-DES key schedule (168-bit, encryption)
597 */
mbedtls_des3_set3key_enc(mbedtls_des3_context * ctx,const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3])598 int mbedtls_des3_set3key_enc( mbedtls_des3_context *ctx,
599 const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3] )
600 {
601 uint32_t sk[96];
602
603 des3_set3key( ctx->sk, sk, key );
604 mbedtls_platform_zeroize( sk, sizeof( sk ) );
605
606 return( 0 );
607 }
608
609 /*
610 * Triple-DES key schedule (168-bit, decryption)
611 */
mbedtls_des3_set3key_dec(mbedtls_des3_context * ctx,const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3])612 int mbedtls_des3_set3key_dec( mbedtls_des3_context *ctx,
613 const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3] )
614 {
615 uint32_t sk[96];
616
617 des3_set3key( sk, ctx->sk, key );
618 mbedtls_platform_zeroize( sk, sizeof( sk ) );
619
620 return( 0 );
621 }
622
623 /*
624 * DES-ECB block encryption/decryption
625 */
626 #if !defined(MBEDTLS_DES_CRYPT_ECB_ALT)
mbedtls_des_crypt_ecb(mbedtls_des_context * ctx,const unsigned char input[8],unsigned char output[8])627 int mbedtls_des_crypt_ecb( mbedtls_des_context *ctx,
628 const unsigned char input[8],
629 unsigned char output[8] )
630 {
631 int i;
632 uint32_t X, Y, T, *SK;
633
634 SK = ctx->sk;
635
636 GET_UINT32_BE( X, input, 0 );
637 GET_UINT32_BE( Y, input, 4 );
638
639 DES_IP( X, Y );
640
641 for( i = 0; i < 8; i++ )
642 {
643 DES_ROUND( Y, X );
644 DES_ROUND( X, Y );
645 }
646
647 DES_FP( Y, X );
648
649 PUT_UINT32_BE( Y, output, 0 );
650 PUT_UINT32_BE( X, output, 4 );
651
652 return( 0 );
653 }
654 #endif /* !MBEDTLS_DES_CRYPT_ECB_ALT */
655
656 #if defined(MBEDTLS_CIPHER_MODE_CBC)
657 /*
658 * DES-CBC buffer encryption/decryption
659 */
mbedtls_des_crypt_cbc(mbedtls_des_context * ctx,int mode,size_t length,unsigned char iv[8],const unsigned char * input,unsigned char * output)660 int mbedtls_des_crypt_cbc( mbedtls_des_context *ctx,
661 int mode,
662 size_t length,
663 unsigned char iv[8],
664 const unsigned char *input,
665 unsigned char *output )
666 {
667 int i;
668 unsigned char temp[8];
669
670 if( length % 8 )
671 return( MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH );
672
673 if( mode == MBEDTLS_DES_ENCRYPT )
674 {
675 while( length > 0 )
676 {
677 for( i = 0; i < 8; i++ )
678 output[i] = (unsigned char)( input[i] ^ iv[i] );
679
680 mbedtls_des_crypt_ecb( ctx, output, output );
681 memcpy( iv, output, 8 );
682
683 input += 8;
684 output += 8;
685 length -= 8;
686 }
687 }
688 else /* MBEDTLS_DES_DECRYPT */
689 {
690 while( length > 0 )
691 {
692 memcpy( temp, input, 8 );
693 mbedtls_des_crypt_ecb( ctx, input, output );
694
695 for( i = 0; i < 8; i++ )
696 output[i] = (unsigned char)( output[i] ^ iv[i] );
697
698 memcpy( iv, temp, 8 );
699
700 input += 8;
701 output += 8;
702 length -= 8;
703 }
704 }
705
706 return( 0 );
707 }
708 #endif /* MBEDTLS_CIPHER_MODE_CBC */
709
710 /*
711 * 3DES-ECB block encryption/decryption
712 */
713 #if !defined(MBEDTLS_DES3_CRYPT_ECB_ALT)
mbedtls_des3_crypt_ecb(mbedtls_des3_context * ctx,const unsigned char input[8],unsigned char output[8])714 int mbedtls_des3_crypt_ecb( mbedtls_des3_context *ctx,
715 const unsigned char input[8],
716 unsigned char output[8] )
717 {
718 int i;
719 uint32_t X, Y, T, *SK;
720
721 SK = ctx->sk;
722
723 GET_UINT32_BE( X, input, 0 );
724 GET_UINT32_BE( Y, input, 4 );
725
726 DES_IP( X, Y );
727
728 for( i = 0; i < 8; i++ )
729 {
730 DES_ROUND( Y, X );
731 DES_ROUND( X, Y );
732 }
733
734 for( i = 0; i < 8; i++ )
735 {
736 DES_ROUND( X, Y );
737 DES_ROUND( Y, X );
738 }
739
740 for( i = 0; i < 8; i++ )
741 {
742 DES_ROUND( Y, X );
743 DES_ROUND( X, Y );
744 }
745
746 DES_FP( Y, X );
747
748 PUT_UINT32_BE( Y, output, 0 );
749 PUT_UINT32_BE( X, output, 4 );
750
751 return( 0 );
752 }
753 #endif /* !MBEDTLS_DES3_CRYPT_ECB_ALT */
754
755 #if defined(MBEDTLS_CIPHER_MODE_CBC)
756 /*
757 * 3DES-CBC buffer encryption/decryption
758 */
mbedtls_des3_crypt_cbc(mbedtls_des3_context * ctx,int mode,size_t length,unsigned char iv[8],const unsigned char * input,unsigned char * output)759 int mbedtls_des3_crypt_cbc( mbedtls_des3_context *ctx,
760 int mode,
761 size_t length,
762 unsigned char iv[8],
763 const unsigned char *input,
764 unsigned char *output )
765 {
766 int i;
767 unsigned char temp[8];
768
769 if( length % 8 )
770 return( MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH );
771
772 if( mode == MBEDTLS_DES_ENCRYPT )
773 {
774 while( length > 0 )
775 {
776 for( i = 0; i < 8; i++ )
777 output[i] = (unsigned char)( input[i] ^ iv[i] );
778
779 mbedtls_des3_crypt_ecb( ctx, output, output );
780 memcpy( iv, output, 8 );
781
782 input += 8;
783 output += 8;
784 length -= 8;
785 }
786 }
787 else /* MBEDTLS_DES_DECRYPT */
788 {
789 while( length > 0 )
790 {
791 memcpy( temp, input, 8 );
792 mbedtls_des3_crypt_ecb( ctx, input, output );
793
794 for( i = 0; i < 8; i++ )
795 output[i] = (unsigned char)( output[i] ^ iv[i] );
796
797 memcpy( iv, temp, 8 );
798
799 input += 8;
800 output += 8;
801 length -= 8;
802 }
803 }
804
805 return( 0 );
806 }
807 #endif /* MBEDTLS_CIPHER_MODE_CBC */
808
809 #endif /* !MBEDTLS_DES_ALT */
810
811 #if defined(MBEDTLS_SELF_TEST)
812 /*
813 * DES and 3DES test vectors from:
814 *
815 * http://csrc.nist.gov/groups/STM/cavp/documents/des/tripledes-vectors.zip
816 */
817 static const unsigned char des3_test_keys[24] =
818 {
819 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF,
820 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01,
821 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01, 0x23
822 };
823
824 static const unsigned char des3_test_buf[8] =
825 {
826 0x4E, 0x6F, 0x77, 0x20, 0x69, 0x73, 0x20, 0x74
827 };
828
829 static const unsigned char des3_test_ecb_dec[3][8] =
830 {
831 { 0x37, 0x2B, 0x98, 0xBF, 0x52, 0x65, 0xB0, 0x59 },
832 { 0xC2, 0x10, 0x19, 0x9C, 0x38, 0x5A, 0x65, 0xA1 },
833 { 0xA2, 0x70, 0x56, 0x68, 0x69, 0xE5, 0x15, 0x1D }
834 };
835
836 static const unsigned char des3_test_ecb_enc[3][8] =
837 {
838 { 0x1C, 0xD5, 0x97, 0xEA, 0x84, 0x26, 0x73, 0xFB },
839 { 0xB3, 0x92, 0x4D, 0xF3, 0xC5, 0xB5, 0x42, 0x93 },
840 { 0xDA, 0x37, 0x64, 0x41, 0xBA, 0x6F, 0x62, 0x6F }
841 };
842
843 #if defined(MBEDTLS_CIPHER_MODE_CBC)
844 static const unsigned char des3_test_iv[8] =
845 {
846 0x12, 0x34, 0x56, 0x78, 0x90, 0xAB, 0xCD, 0xEF,
847 };
848
849 static const unsigned char des3_test_cbc_dec[3][8] =
850 {
851 { 0x58, 0xD9, 0x48, 0xEF, 0x85, 0x14, 0x65, 0x9A },
852 { 0x5F, 0xC8, 0x78, 0xD4, 0xD7, 0x92, 0xD9, 0x54 },
853 { 0x25, 0xF9, 0x75, 0x85, 0xA8, 0x1E, 0x48, 0xBF }
854 };
855
856 static const unsigned char des3_test_cbc_enc[3][8] =
857 {
858 { 0x91, 0x1C, 0x6D, 0xCF, 0x48, 0xA7, 0xC3, 0x4D },
859 { 0x60, 0x1A, 0x76, 0x8F, 0xA1, 0xF9, 0x66, 0xF1 },
860 { 0xA1, 0x50, 0x0F, 0x99, 0xB2, 0xCD, 0x64, 0x76 }
861 };
862 #endif /* MBEDTLS_CIPHER_MODE_CBC */
863
864 /*
865 * Checkup routine
866 */
mbedtls_des_self_test(int verbose)867 int mbedtls_des_self_test( int verbose )
868 {
869 int i, j, u, v, ret = 0;
870 mbedtls_des_context ctx;
871 mbedtls_des3_context ctx3;
872 unsigned char buf[8];
873 #if defined(MBEDTLS_CIPHER_MODE_CBC)
874 unsigned char prv[8];
875 unsigned char iv[8];
876 #endif
877
878 mbedtls_des_init( &ctx );
879 mbedtls_des3_init( &ctx3 );
880 /*
881 * ECB mode
882 */
883 for( i = 0; i < 6; i++ )
884 {
885 u = i >> 1;
886 v = i & 1;
887
888 if( verbose != 0 )
889 mbedtls_printf( " DES%c-ECB-%3d (%s): ",
890 ( u == 0 ) ? ' ' : '3', 56 + u * 56,
891 ( v == MBEDTLS_DES_DECRYPT ) ? "dec" : "enc" );
892
893 memcpy( buf, des3_test_buf, 8 );
894
895 switch( i )
896 {
897 case 0:
898 mbedtls_des_setkey_dec( &ctx, des3_test_keys );
899 break;
900
901 case 1:
902 mbedtls_des_setkey_enc( &ctx, des3_test_keys );
903 break;
904
905 case 2:
906 mbedtls_des3_set2key_dec( &ctx3, des3_test_keys );
907 break;
908
909 case 3:
910 mbedtls_des3_set2key_enc( &ctx3, des3_test_keys );
911 break;
912
913 case 4:
914 mbedtls_des3_set3key_dec( &ctx3, des3_test_keys );
915 break;
916
917 case 5:
918 mbedtls_des3_set3key_enc( &ctx3, des3_test_keys );
919 break;
920
921 default:
922 return( 1 );
923 }
924
925 for( j = 0; j < 100; j++ )
926 {
927 if( u == 0 )
928 mbedtls_des_crypt_ecb( &ctx, buf, buf );
929 else
930 mbedtls_des3_crypt_ecb( &ctx3, buf, buf );
931 }
932
933 if( ( v == MBEDTLS_DES_DECRYPT &&
934 memcmp( buf, des3_test_ecb_dec[u], 8 ) != 0 ) ||
935 ( v != MBEDTLS_DES_DECRYPT &&
936 memcmp( buf, des3_test_ecb_enc[u], 8 ) != 0 ) )
937 {
938 if( verbose != 0 )
939 mbedtls_printf( "failed\n" );
940
941 ret = 1;
942 goto exit;
943 }
944
945 if( verbose != 0 )
946 mbedtls_printf( "passed\n" );
947 }
948
949 if( verbose != 0 )
950 mbedtls_printf( "\n" );
951
952 #if defined(MBEDTLS_CIPHER_MODE_CBC)
953 /*
954 * CBC mode
955 */
956 for( i = 0; i < 6; i++ )
957 {
958 u = i >> 1;
959 v = i & 1;
960
961 if( verbose != 0 )
962 mbedtls_printf( " DES%c-CBC-%3d (%s): ",
963 ( u == 0 ) ? ' ' : '3', 56 + u * 56,
964 ( v == MBEDTLS_DES_DECRYPT ) ? "dec" : "enc" );
965
966 memcpy( iv, des3_test_iv, 8 );
967 memcpy( prv, des3_test_iv, 8 );
968 memcpy( buf, des3_test_buf, 8 );
969
970 switch( i )
971 {
972 case 0:
973 mbedtls_des_setkey_dec( &ctx, des3_test_keys );
974 break;
975
976 case 1:
977 mbedtls_des_setkey_enc( &ctx, des3_test_keys );
978 break;
979
980 case 2:
981 mbedtls_des3_set2key_dec( &ctx3, des3_test_keys );
982 break;
983
984 case 3:
985 mbedtls_des3_set2key_enc( &ctx3, des3_test_keys );
986 break;
987
988 case 4:
989 mbedtls_des3_set3key_dec( &ctx3, des3_test_keys );
990 break;
991
992 case 5:
993 mbedtls_des3_set3key_enc( &ctx3, des3_test_keys );
994 break;
995
996 default:
997 return( 1 );
998 }
999
1000 if( v == MBEDTLS_DES_DECRYPT )
1001 {
1002 for( j = 0; j < 100; j++ )
1003 {
1004 if( u == 0 )
1005 mbedtls_des_crypt_cbc( &ctx, v, 8, iv, buf, buf );
1006 else
1007 mbedtls_des3_crypt_cbc( &ctx3, v, 8, iv, buf, buf );
1008 }
1009 }
1010 else
1011 {
1012 for( j = 0; j < 100; j++ )
1013 {
1014 unsigned char tmp[8];
1015
1016 if( u == 0 )
1017 mbedtls_des_crypt_cbc( &ctx, v, 8, iv, buf, buf );
1018 else
1019 mbedtls_des3_crypt_cbc( &ctx3, v, 8, iv, buf, buf );
1020
1021 memcpy( tmp, prv, 8 );
1022 memcpy( prv, buf, 8 );
1023 memcpy( buf, tmp, 8 );
1024 }
1025
1026 memcpy( buf, prv, 8 );
1027 }
1028
1029 if( ( v == MBEDTLS_DES_DECRYPT &&
1030 memcmp( buf, des3_test_cbc_dec[u], 8 ) != 0 ) ||
1031 ( v != MBEDTLS_DES_DECRYPT &&
1032 memcmp( buf, des3_test_cbc_enc[u], 8 ) != 0 ) )
1033 {
1034 if( verbose != 0 )
1035 mbedtls_printf( "failed\n" );
1036
1037 ret = 1;
1038 goto exit;
1039 }
1040
1041 if( verbose != 0 )
1042 mbedtls_printf( "passed\n" );
1043 }
1044 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1045
1046 if( verbose != 0 )
1047 mbedtls_printf( "\n" );
1048
1049 exit:
1050 mbedtls_des_free( &ctx );
1051 mbedtls_des3_free( &ctx3 );
1052
1053 return( ret );
1054 }
1055
1056 #endif /* MBEDTLS_SELF_TEST */
1057
1058 #endif /* MBEDTLS_DES_C */
1059