1 /*
2 * FIPS-46-3 compliant Triple-DES implementation
3 *
4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 *
19 * This file is part of mbed TLS (https://tls.mbed.org)
20 */
21 /*
22 * DES, on which TDES is based, was originally designed by Horst Feistel
23 * at IBM in 1974, and was adopted as a standard by NIST (formerly NBS).
24 *
25 * http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf
26 */
27
28 #if !defined(MBEDTLS_CONFIG_FILE)
29 #include "mbedtls/config.h"
30 #else
31 #include MBEDTLS_CONFIG_FILE
32 #endif
33
34 #if defined(MBEDTLS_DES_C)
35
36 #include "mbedtls/des.h"
37 #include "mbedtls/platform_util.h"
38
39 #include <string.h>
40
41 #if defined(MBEDTLS_SELF_TEST)
42 #if defined(MBEDTLS_PLATFORM_C)
43 #include "mbedtls/platform.h"
44 #else
45 #include <stdio.h>
46 #define mbedtls_printf printf
47 #endif /* MBEDTLS_PLATFORM_C */
48 #endif /* MBEDTLS_SELF_TEST */
49
50 #if !defined(MBEDTLS_DES_ALT)
51
52 /*
53 * 32-bit integer manipulation macros (big endian)
54 */
55 #ifndef GET_UINT32_BE
56 #define GET_UINT32_BE(n,b,i) \
57 { \
58 (n) = ( (uint32_t) (b)[(i) ] << 24 ) \
59 | ( (uint32_t) (b)[(i) + 1] << 16 ) \
60 | ( (uint32_t) (b)[(i) + 2] << 8 ) \
61 | ( (uint32_t) (b)[(i) + 3] ); \
62 }
63 #endif
64
65 #ifndef PUT_UINT32_BE
66 #define PUT_UINT32_BE(n,b,i) \
67 { \
68 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
69 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
70 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
71 (b)[(i) + 3] = (unsigned char) ( (n) ); \
72 }
73 #endif
74
75 /*
76 * Expanded DES S-boxes
77 */
78 static const uint32_t SB1[64] =
79 {
80 0x01010400, 0x00000000, 0x00010000, 0x01010404,
81 0x01010004, 0x00010404, 0x00000004, 0x00010000,
82 0x00000400, 0x01010400, 0x01010404, 0x00000400,
83 0x01000404, 0x01010004, 0x01000000, 0x00000004,
84 0x00000404, 0x01000400, 0x01000400, 0x00010400,
85 0x00010400, 0x01010000, 0x01010000, 0x01000404,
86 0x00010004, 0x01000004, 0x01000004, 0x00010004,
87 0x00000000, 0x00000404, 0x00010404, 0x01000000,
88 0x00010000, 0x01010404, 0x00000004, 0x01010000,
89 0x01010400, 0x01000000, 0x01000000, 0x00000400,
90 0x01010004, 0x00010000, 0x00010400, 0x01000004,
91 0x00000400, 0x00000004, 0x01000404, 0x00010404,
92 0x01010404, 0x00010004, 0x01010000, 0x01000404,
93 0x01000004, 0x00000404, 0x00010404, 0x01010400,
94 0x00000404, 0x01000400, 0x01000400, 0x00000000,
95 0x00010004, 0x00010400, 0x00000000, 0x01010004
96 };
97
98 static const uint32_t SB2[64] =
99 {
100 0x80108020, 0x80008000, 0x00008000, 0x00108020,
101 0x00100000, 0x00000020, 0x80100020, 0x80008020,
102 0x80000020, 0x80108020, 0x80108000, 0x80000000,
103 0x80008000, 0x00100000, 0x00000020, 0x80100020,
104 0x00108000, 0x00100020, 0x80008020, 0x00000000,
105 0x80000000, 0x00008000, 0x00108020, 0x80100000,
106 0x00100020, 0x80000020, 0x00000000, 0x00108000,
107 0x00008020, 0x80108000, 0x80100000, 0x00008020,
108 0x00000000, 0x00108020, 0x80100020, 0x00100000,
109 0x80008020, 0x80100000, 0x80108000, 0x00008000,
110 0x80100000, 0x80008000, 0x00000020, 0x80108020,
111 0x00108020, 0x00000020, 0x00008000, 0x80000000,
112 0x00008020, 0x80108000, 0x00100000, 0x80000020,
113 0x00100020, 0x80008020, 0x80000020, 0x00100020,
114 0x00108000, 0x00000000, 0x80008000, 0x00008020,
115 0x80000000, 0x80100020, 0x80108020, 0x00108000
116 };
117
118 static const uint32_t SB3[64] =
119 {
120 0x00000208, 0x08020200, 0x00000000, 0x08020008,
121 0x08000200, 0x00000000, 0x00020208, 0x08000200,
122 0x00020008, 0x08000008, 0x08000008, 0x00020000,
123 0x08020208, 0x00020008, 0x08020000, 0x00000208,
124 0x08000000, 0x00000008, 0x08020200, 0x00000200,
125 0x00020200, 0x08020000, 0x08020008, 0x00020208,
126 0x08000208, 0x00020200, 0x00020000, 0x08000208,
127 0x00000008, 0x08020208, 0x00000200, 0x08000000,
128 0x08020200, 0x08000000, 0x00020008, 0x00000208,
129 0x00020000, 0x08020200, 0x08000200, 0x00000000,
130 0x00000200, 0x00020008, 0x08020208, 0x08000200,
131 0x08000008, 0x00000200, 0x00000000, 0x08020008,
132 0x08000208, 0x00020000, 0x08000000, 0x08020208,
133 0x00000008, 0x00020208, 0x00020200, 0x08000008,
134 0x08020000, 0x08000208, 0x00000208, 0x08020000,
135 0x00020208, 0x00000008, 0x08020008, 0x00020200
136 };
137
138 static const uint32_t SB4[64] =
139 {
140 0x00802001, 0x00002081, 0x00002081, 0x00000080,
141 0x00802080, 0x00800081, 0x00800001, 0x00002001,
142 0x00000000, 0x00802000, 0x00802000, 0x00802081,
143 0x00000081, 0x00000000, 0x00800080, 0x00800001,
144 0x00000001, 0x00002000, 0x00800000, 0x00802001,
145 0x00000080, 0x00800000, 0x00002001, 0x00002080,
146 0x00800081, 0x00000001, 0x00002080, 0x00800080,
147 0x00002000, 0x00802080, 0x00802081, 0x00000081,
148 0x00800080, 0x00800001, 0x00802000, 0x00802081,
149 0x00000081, 0x00000000, 0x00000000, 0x00802000,
150 0x00002080, 0x00800080, 0x00800081, 0x00000001,
151 0x00802001, 0x00002081, 0x00002081, 0x00000080,
152 0x00802081, 0x00000081, 0x00000001, 0x00002000,
153 0x00800001, 0x00002001, 0x00802080, 0x00800081,
154 0x00002001, 0x00002080, 0x00800000, 0x00802001,
155 0x00000080, 0x00800000, 0x00002000, 0x00802080
156 };
157
158 static const uint32_t SB5[64] =
159 {
160 0x00000100, 0x02080100, 0x02080000, 0x42000100,
161 0x00080000, 0x00000100, 0x40000000, 0x02080000,
162 0x40080100, 0x00080000, 0x02000100, 0x40080100,
163 0x42000100, 0x42080000, 0x00080100, 0x40000000,
164 0x02000000, 0x40080000, 0x40080000, 0x00000000,
165 0x40000100, 0x42080100, 0x42080100, 0x02000100,
166 0x42080000, 0x40000100, 0x00000000, 0x42000000,
167 0x02080100, 0x02000000, 0x42000000, 0x00080100,
168 0x00080000, 0x42000100, 0x00000100, 0x02000000,
169 0x40000000, 0x02080000, 0x42000100, 0x40080100,
170 0x02000100, 0x40000000, 0x42080000, 0x02080100,
171 0x40080100, 0x00000100, 0x02000000, 0x42080000,
172 0x42080100, 0x00080100, 0x42000000, 0x42080100,
173 0x02080000, 0x00000000, 0x40080000, 0x42000000,
174 0x00080100, 0x02000100, 0x40000100, 0x00080000,
175 0x00000000, 0x40080000, 0x02080100, 0x40000100
176 };
177
178 static const uint32_t SB6[64] =
179 {
180 0x20000010, 0x20400000, 0x00004000, 0x20404010,
181 0x20400000, 0x00000010, 0x20404010, 0x00400000,
182 0x20004000, 0x00404010, 0x00400000, 0x20000010,
183 0x00400010, 0x20004000, 0x20000000, 0x00004010,
184 0x00000000, 0x00400010, 0x20004010, 0x00004000,
185 0x00404000, 0x20004010, 0x00000010, 0x20400010,
186 0x20400010, 0x00000000, 0x00404010, 0x20404000,
187 0x00004010, 0x00404000, 0x20404000, 0x20000000,
188 0x20004000, 0x00000010, 0x20400010, 0x00404000,
189 0x20404010, 0x00400000, 0x00004010, 0x20000010,
190 0x00400000, 0x20004000, 0x20000000, 0x00004010,
191 0x20000010, 0x20404010, 0x00404000, 0x20400000,
192 0x00404010, 0x20404000, 0x00000000, 0x20400010,
193 0x00000010, 0x00004000, 0x20400000, 0x00404010,
194 0x00004000, 0x00400010, 0x20004010, 0x00000000,
195 0x20404000, 0x20000000, 0x00400010, 0x20004010
196 };
197
198 static const uint32_t SB7[64] =
199 {
200 0x00200000, 0x04200002, 0x04000802, 0x00000000,
201 0x00000800, 0x04000802, 0x00200802, 0x04200800,
202 0x04200802, 0x00200000, 0x00000000, 0x04000002,
203 0x00000002, 0x04000000, 0x04200002, 0x00000802,
204 0x04000800, 0x00200802, 0x00200002, 0x04000800,
205 0x04000002, 0x04200000, 0x04200800, 0x00200002,
206 0x04200000, 0x00000800, 0x00000802, 0x04200802,
207 0x00200800, 0x00000002, 0x04000000, 0x00200800,
208 0x04000000, 0x00200800, 0x00200000, 0x04000802,
209 0x04000802, 0x04200002, 0x04200002, 0x00000002,
210 0x00200002, 0x04000000, 0x04000800, 0x00200000,
211 0x04200800, 0x00000802, 0x00200802, 0x04200800,
212 0x00000802, 0x04000002, 0x04200802, 0x04200000,
213 0x00200800, 0x00000000, 0x00000002, 0x04200802,
214 0x00000000, 0x00200802, 0x04200000, 0x00000800,
215 0x04000002, 0x04000800, 0x00000800, 0x00200002
216 };
217
218 static const uint32_t SB8[64] =
219 {
220 0x10001040, 0x00001000, 0x00040000, 0x10041040,
221 0x10000000, 0x10001040, 0x00000040, 0x10000000,
222 0x00040040, 0x10040000, 0x10041040, 0x00041000,
223 0x10041000, 0x00041040, 0x00001000, 0x00000040,
224 0x10040000, 0x10000040, 0x10001000, 0x00001040,
225 0x00041000, 0x00040040, 0x10040040, 0x10041000,
226 0x00001040, 0x00000000, 0x00000000, 0x10040040,
227 0x10000040, 0x10001000, 0x00041040, 0x00040000,
228 0x00041040, 0x00040000, 0x10041000, 0x00001000,
229 0x00000040, 0x10040040, 0x00001000, 0x00041040,
230 0x10001000, 0x00000040, 0x10000040, 0x10040000,
231 0x10040040, 0x10000000, 0x00040000, 0x10001040,
232 0x00000000, 0x10041040, 0x00040040, 0x10000040,
233 0x10040000, 0x10001000, 0x10001040, 0x00000000,
234 0x10041040, 0x00041000, 0x00041000, 0x00001040,
235 0x00001040, 0x00040040, 0x10000000, 0x10041000
236 };
237
238 /*
239 * PC1: left and right halves bit-swap
240 */
241 static const uint32_t LHs[16] =
242 {
243 0x00000000, 0x00000001, 0x00000100, 0x00000101,
244 0x00010000, 0x00010001, 0x00010100, 0x00010101,
245 0x01000000, 0x01000001, 0x01000100, 0x01000101,
246 0x01010000, 0x01010001, 0x01010100, 0x01010101
247 };
248
249 static const uint32_t RHs[16] =
250 {
251 0x00000000, 0x01000000, 0x00010000, 0x01010000,
252 0x00000100, 0x01000100, 0x00010100, 0x01010100,
253 0x00000001, 0x01000001, 0x00010001, 0x01010001,
254 0x00000101, 0x01000101, 0x00010101, 0x01010101,
255 };
256
257 /*
258 * Initial Permutation macro
259 */
260 #define DES_IP(X,Y) \
261 { \
262 T = ((X >> 4) ^ Y) & 0x0F0F0F0F; Y ^= T; X ^= (T << 4); \
263 T = ((X >> 16) ^ Y) & 0x0000FFFF; Y ^= T; X ^= (T << 16); \
264 T = ((Y >> 2) ^ X) & 0x33333333; X ^= T; Y ^= (T << 2); \
265 T = ((Y >> 8) ^ X) & 0x00FF00FF; X ^= T; Y ^= (T << 8); \
266 Y = ((Y << 1) | (Y >> 31)) & 0xFFFFFFFF; \
267 T = (X ^ Y) & 0xAAAAAAAA; Y ^= T; X ^= T; \
268 X = ((X << 1) | (X >> 31)) & 0xFFFFFFFF; \
269 }
270
271 /*
272 * Final Permutation macro
273 */
274 #define DES_FP(X,Y) \
275 { \
276 X = ((X << 31) | (X >> 1)) & 0xFFFFFFFF; \
277 T = (X ^ Y) & 0xAAAAAAAA; X ^= T; Y ^= T; \
278 Y = ((Y << 31) | (Y >> 1)) & 0xFFFFFFFF; \
279 T = ((Y >> 8) ^ X) & 0x00FF00FF; X ^= T; Y ^= (T << 8); \
280 T = ((Y >> 2) ^ X) & 0x33333333; X ^= T; Y ^= (T << 2); \
281 T = ((X >> 16) ^ Y) & 0x0000FFFF; Y ^= T; X ^= (T << 16); \
282 T = ((X >> 4) ^ Y) & 0x0F0F0F0F; Y ^= T; X ^= (T << 4); \
283 }
284
285 /*
286 * DES round macro
287 */
288 #define DES_ROUND(X,Y) \
289 { \
290 T = *SK++ ^ X; \
291 Y ^= SB8[ (T ) & 0x3F ] ^ \
292 SB6[ (T >> 8) & 0x3F ] ^ \
293 SB4[ (T >> 16) & 0x3F ] ^ \
294 SB2[ (T >> 24) & 0x3F ]; \
295 \
296 T = *SK++ ^ ((X << 28) | (X >> 4)); \
297 Y ^= SB7[ (T ) & 0x3F ] ^ \
298 SB5[ (T >> 8) & 0x3F ] ^ \
299 SB3[ (T >> 16) & 0x3F ] ^ \
300 SB1[ (T >> 24) & 0x3F ]; \
301 }
302
303 #define SWAP(a,b) { uint32_t t = a; a = b; b = t; t = 0; }
304
mbedtls_des_init(mbedtls_des_context * ctx)305 void mbedtls_des_init( mbedtls_des_context *ctx )
306 {
307 memset( ctx, 0, sizeof( mbedtls_des_context ) );
308 }
309
mbedtls_des_free(mbedtls_des_context * ctx)310 void mbedtls_des_free( mbedtls_des_context *ctx )
311 {
312 if( ctx == NULL )
313 return;
314
315 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_des_context ) );
316 }
317
mbedtls_des3_init(mbedtls_des3_context * ctx)318 void mbedtls_des3_init( mbedtls_des3_context *ctx )
319 {
320 memset( ctx, 0, sizeof( mbedtls_des3_context ) );
321 }
322
mbedtls_des3_free(mbedtls_des3_context * ctx)323 void mbedtls_des3_free( mbedtls_des3_context *ctx )
324 {
325 if( ctx == NULL )
326 return;
327
328 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_des3_context ) );
329 }
330
331 static const unsigned char odd_parity_table[128] = { 1, 2, 4, 7, 8,
332 11, 13, 14, 16, 19, 21, 22, 25, 26, 28, 31, 32, 35, 37, 38, 41, 42, 44,
333 47, 49, 50, 52, 55, 56, 59, 61, 62, 64, 67, 69, 70, 73, 74, 76, 79, 81,
334 82, 84, 87, 88, 91, 93, 94, 97, 98, 100, 103, 104, 107, 109, 110, 112,
335 115, 117, 118, 121, 122, 124, 127, 128, 131, 133, 134, 137, 138, 140,
336 143, 145, 146, 148, 151, 152, 155, 157, 158, 161, 162, 164, 167, 168,
337 171, 173, 174, 176, 179, 181, 182, 185, 186, 188, 191, 193, 194, 196,
338 199, 200, 203, 205, 206, 208, 211, 213, 214, 217, 218, 220, 223, 224,
339 227, 229, 230, 233, 234, 236, 239, 241, 242, 244, 247, 248, 251, 253,
340 254 };
341
mbedtls_des_key_set_parity(unsigned char key[MBEDTLS_DES_KEY_SIZE])342 void mbedtls_des_key_set_parity( unsigned char key[MBEDTLS_DES_KEY_SIZE] )
343 {
344 int i;
345
346 for( i = 0; i < MBEDTLS_DES_KEY_SIZE; i++ )
347 key[i] = odd_parity_table[key[i] / 2];
348 }
349
350 /*
351 * Check the given key's parity, returns 1 on failure, 0 on SUCCESS
352 */
mbedtls_des_key_check_key_parity(const unsigned char key[MBEDTLS_DES_KEY_SIZE])353 int mbedtls_des_key_check_key_parity( const unsigned char key[MBEDTLS_DES_KEY_SIZE] )
354 {
355 int i;
356
357 for( i = 0; i < MBEDTLS_DES_KEY_SIZE; i++ )
358 if( key[i] != odd_parity_table[key[i] / 2] )
359 return( 1 );
360
361 return( 0 );
362 }
363
364 /*
365 * Table of weak and semi-weak keys
366 *
367 * Source: http://en.wikipedia.org/wiki/Weak_key
368 *
369 * Weak:
370 * Alternating ones + zeros (0x0101010101010101)
371 * Alternating 'F' + 'E' (0xFEFEFEFEFEFEFEFE)
372 * '0xE0E0E0E0F1F1F1F1'
373 * '0x1F1F1F1F0E0E0E0E'
374 *
375 * Semi-weak:
376 * 0x011F011F010E010E and 0x1F011F010E010E01
377 * 0x01E001E001F101F1 and 0xE001E001F101F101
378 * 0x01FE01FE01FE01FE and 0xFE01FE01FE01FE01
379 * 0x1FE01FE00EF10EF1 and 0xE01FE01FF10EF10E
380 * 0x1FFE1FFE0EFE0EFE and 0xFE1FFE1FFE0EFE0E
381 * 0xE0FEE0FEF1FEF1FE and 0xFEE0FEE0FEF1FEF1
382 *
383 */
384
385 #define WEAK_KEY_COUNT 16
386
387 static const unsigned char weak_key_table[WEAK_KEY_COUNT][MBEDTLS_DES_KEY_SIZE] =
388 {
389 { 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 },
390 { 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE },
391 { 0x1F, 0x1F, 0x1F, 0x1F, 0x0E, 0x0E, 0x0E, 0x0E },
392 { 0xE0, 0xE0, 0xE0, 0xE0, 0xF1, 0xF1, 0xF1, 0xF1 },
393
394 { 0x01, 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E },
395 { 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E, 0x01 },
396 { 0x01, 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1 },
397 { 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1, 0x01 },
398 { 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE },
399 { 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01 },
400 { 0x1F, 0xE0, 0x1F, 0xE0, 0x0E, 0xF1, 0x0E, 0xF1 },
401 { 0xE0, 0x1F, 0xE0, 0x1F, 0xF1, 0x0E, 0xF1, 0x0E },
402 { 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E, 0xFE },
403 { 0xFE, 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E },
404 { 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1, 0xFE },
405 { 0xFE, 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1 }
406 };
407
mbedtls_des_key_check_weak(const unsigned char key[MBEDTLS_DES_KEY_SIZE])408 int mbedtls_des_key_check_weak( const unsigned char key[MBEDTLS_DES_KEY_SIZE] )
409 {
410 int i;
411
412 for( i = 0; i < WEAK_KEY_COUNT; i++ )
413 if( memcmp( weak_key_table[i], key, MBEDTLS_DES_KEY_SIZE) == 0 )
414 return( 1 );
415
416 return( 0 );
417 }
418
419 #if !defined(MBEDTLS_DES_SETKEY_ALT)
mbedtls_des_setkey(uint32_t SK[32],const unsigned char key[MBEDTLS_DES_KEY_SIZE])420 void mbedtls_des_setkey( uint32_t SK[32], const unsigned char key[MBEDTLS_DES_KEY_SIZE] )
421 {
422 int i;
423 uint32_t X, Y, T;
424
425 GET_UINT32_BE( X, key, 0 );
426 GET_UINT32_BE( Y, key, 4 );
427
428 /*
429 * Permuted Choice 1
430 */
431 T = ((Y >> 4) ^ X) & 0x0F0F0F0F; X ^= T; Y ^= (T << 4);
432 T = ((Y ) ^ X) & 0x10101010; X ^= T; Y ^= (T );
433
434 X = (LHs[ (X ) & 0xF] << 3) | (LHs[ (X >> 8) & 0xF ] << 2)
435 | (LHs[ (X >> 16) & 0xF] << 1) | (LHs[ (X >> 24) & 0xF ] )
436 | (LHs[ (X >> 5) & 0xF] << 7) | (LHs[ (X >> 13) & 0xF ] << 6)
437 | (LHs[ (X >> 21) & 0xF] << 5) | (LHs[ (X >> 29) & 0xF ] << 4);
438
439 Y = (RHs[ (Y >> 1) & 0xF] << 3) | (RHs[ (Y >> 9) & 0xF ] << 2)
440 | (RHs[ (Y >> 17) & 0xF] << 1) | (RHs[ (Y >> 25) & 0xF ] )
441 | (RHs[ (Y >> 4) & 0xF] << 7) | (RHs[ (Y >> 12) & 0xF ] << 6)
442 | (RHs[ (Y >> 20) & 0xF] << 5) | (RHs[ (Y >> 28) & 0xF ] << 4);
443
444 X &= 0x0FFFFFFF;
445 Y &= 0x0FFFFFFF;
446
447 /*
448 * calculate subkeys
449 */
450 for( i = 0; i < 16; i++ )
451 {
452 if( i < 2 || i == 8 || i == 15 )
453 {
454 X = ((X << 1) | (X >> 27)) & 0x0FFFFFFF;
455 Y = ((Y << 1) | (Y >> 27)) & 0x0FFFFFFF;
456 }
457 else
458 {
459 X = ((X << 2) | (X >> 26)) & 0x0FFFFFFF;
460 Y = ((Y << 2) | (Y >> 26)) & 0x0FFFFFFF;
461 }
462
463 *SK++ = ((X << 4) & 0x24000000) | ((X << 28) & 0x10000000)
464 | ((X << 14) & 0x08000000) | ((X << 18) & 0x02080000)
465 | ((X << 6) & 0x01000000) | ((X << 9) & 0x00200000)
466 | ((X >> 1) & 0x00100000) | ((X << 10) & 0x00040000)
467 | ((X << 2) & 0x00020000) | ((X >> 10) & 0x00010000)
468 | ((Y >> 13) & 0x00002000) | ((Y >> 4) & 0x00001000)
469 | ((Y << 6) & 0x00000800) | ((Y >> 1) & 0x00000400)
470 | ((Y >> 14) & 0x00000200) | ((Y ) & 0x00000100)
471 | ((Y >> 5) & 0x00000020) | ((Y >> 10) & 0x00000010)
472 | ((Y >> 3) & 0x00000008) | ((Y >> 18) & 0x00000004)
473 | ((Y >> 26) & 0x00000002) | ((Y >> 24) & 0x00000001);
474
475 *SK++ = ((X << 15) & 0x20000000) | ((X << 17) & 0x10000000)
476 | ((X << 10) & 0x08000000) | ((X << 22) & 0x04000000)
477 | ((X >> 2) & 0x02000000) | ((X << 1) & 0x01000000)
478 | ((X << 16) & 0x00200000) | ((X << 11) & 0x00100000)
479 | ((X << 3) & 0x00080000) | ((X >> 6) & 0x00040000)
480 | ((X << 15) & 0x00020000) | ((X >> 4) & 0x00010000)
481 | ((Y >> 2) & 0x00002000) | ((Y << 8) & 0x00001000)
482 | ((Y >> 14) & 0x00000808) | ((Y >> 9) & 0x00000400)
483 | ((Y ) & 0x00000200) | ((Y << 7) & 0x00000100)
484 | ((Y >> 7) & 0x00000020) | ((Y >> 3) & 0x00000011)
485 | ((Y << 2) & 0x00000004) | ((Y >> 21) & 0x00000002);
486 }
487 }
488 #endif /* !MBEDTLS_DES_SETKEY_ALT */
489
490 /*
491 * DES key schedule (56-bit, encryption)
492 */
mbedtls_des_setkey_enc(mbedtls_des_context * ctx,const unsigned char key[MBEDTLS_DES_KEY_SIZE])493 int mbedtls_des_setkey_enc( mbedtls_des_context *ctx, const unsigned char key[MBEDTLS_DES_KEY_SIZE] )
494 {
495 mbedtls_des_setkey( ctx->sk, key );
496
497 return( 0 );
498 }
499
500 /*
501 * DES key schedule (56-bit, decryption)
502 */
mbedtls_des_setkey_dec(mbedtls_des_context * ctx,const unsigned char key[MBEDTLS_DES_KEY_SIZE])503 int mbedtls_des_setkey_dec( mbedtls_des_context *ctx, const unsigned char key[MBEDTLS_DES_KEY_SIZE] )
504 {
505 int i;
506
507 mbedtls_des_setkey( ctx->sk, key );
508
509 for( i = 0; i < 16; i += 2 )
510 {
511 SWAP( ctx->sk[i ], ctx->sk[30 - i] );
512 SWAP( ctx->sk[i + 1], ctx->sk[31 - i] );
513 }
514
515 return( 0 );
516 }
517
des3_set2key(uint32_t esk[96],uint32_t dsk[96],const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2])518 static void des3_set2key( uint32_t esk[96],
519 uint32_t dsk[96],
520 const unsigned char key[MBEDTLS_DES_KEY_SIZE*2] )
521 {
522 int i;
523
524 mbedtls_des_setkey( esk, key );
525 mbedtls_des_setkey( dsk + 32, key + 8 );
526
527 for( i = 0; i < 32; i += 2 )
528 {
529 dsk[i ] = esk[30 - i];
530 dsk[i + 1] = esk[31 - i];
531
532 esk[i + 32] = dsk[62 - i];
533 esk[i + 33] = dsk[63 - i];
534
535 esk[i + 64] = esk[i ];
536 esk[i + 65] = esk[i + 1];
537
538 dsk[i + 64] = dsk[i ];
539 dsk[i + 65] = dsk[i + 1];
540 }
541 }
542
543 /*
544 * Triple-DES key schedule (112-bit, encryption)
545 */
mbedtls_des3_set2key_enc(mbedtls_des3_context * ctx,const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2])546 int mbedtls_des3_set2key_enc( mbedtls_des3_context *ctx,
547 const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2] )
548 {
549 uint32_t sk[96];
550
551 des3_set2key( ctx->sk, sk, key );
552 mbedtls_platform_zeroize( sk, sizeof( sk ) );
553
554 return( 0 );
555 }
556
557 /*
558 * Triple-DES key schedule (112-bit, decryption)
559 */
mbedtls_des3_set2key_dec(mbedtls_des3_context * ctx,const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2])560 int mbedtls_des3_set2key_dec( mbedtls_des3_context *ctx,
561 const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2] )
562 {
563 uint32_t sk[96];
564
565 des3_set2key( sk, ctx->sk, key );
566 mbedtls_platform_zeroize( sk, sizeof( sk ) );
567
568 return( 0 );
569 }
570
des3_set3key(uint32_t esk[96],uint32_t dsk[96],const unsigned char key[24])571 static void des3_set3key( uint32_t esk[96],
572 uint32_t dsk[96],
573 const unsigned char key[24] )
574 {
575 int i;
576
577 mbedtls_des_setkey( esk, key );
578 mbedtls_des_setkey( dsk + 32, key + 8 );
579 mbedtls_des_setkey( esk + 64, key + 16 );
580
581 for( i = 0; i < 32; i += 2 )
582 {
583 dsk[i ] = esk[94 - i];
584 dsk[i + 1] = esk[95 - i];
585
586 esk[i + 32] = dsk[62 - i];
587 esk[i + 33] = dsk[63 - i];
588
589 dsk[i + 64] = esk[30 - i];
590 dsk[i + 65] = esk[31 - i];
591 }
592 }
593
594 /*
595 * Triple-DES key schedule (168-bit, encryption)
596 */
mbedtls_des3_set3key_enc(mbedtls_des3_context * ctx,const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3])597 int mbedtls_des3_set3key_enc( mbedtls_des3_context *ctx,
598 const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3] )
599 {
600 uint32_t sk[96];
601
602 des3_set3key( ctx->sk, sk, key );
603 mbedtls_platform_zeroize( sk, sizeof( sk ) );
604
605 return( 0 );
606 }
607
608 /*
609 * Triple-DES key schedule (168-bit, decryption)
610 */
mbedtls_des3_set3key_dec(mbedtls_des3_context * ctx,const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3])611 int mbedtls_des3_set3key_dec( mbedtls_des3_context *ctx,
612 const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3] )
613 {
614 uint32_t sk[96];
615
616 des3_set3key( sk, ctx->sk, key );
617 mbedtls_platform_zeroize( sk, sizeof( sk ) );
618
619 return( 0 );
620 }
621
622 /*
623 * DES-ECB block encryption/decryption
624 */
625 #if !defined(MBEDTLS_DES_CRYPT_ECB_ALT)
mbedtls_des_crypt_ecb(mbedtls_des_context * ctx,const unsigned char input[8],unsigned char output[8])626 int mbedtls_des_crypt_ecb( mbedtls_des_context *ctx,
627 const unsigned char input[8],
628 unsigned char output[8] )
629 {
630 int i;
631 uint32_t X, Y, T, *SK;
632
633 SK = ctx->sk;
634
635 GET_UINT32_BE( X, input, 0 );
636 GET_UINT32_BE( Y, input, 4 );
637
638 DES_IP( X, Y );
639
640 for( i = 0; i < 8; i++ )
641 {
642 DES_ROUND( Y, X );
643 DES_ROUND( X, Y );
644 }
645
646 DES_FP( Y, X );
647
648 PUT_UINT32_BE( Y, output, 0 );
649 PUT_UINT32_BE( X, output, 4 );
650
651 return( 0 );
652 }
653 #endif /* !MBEDTLS_DES_CRYPT_ECB_ALT */
654
655 #if defined(MBEDTLS_CIPHER_MODE_CBC)
656 /*
657 * DES-CBC buffer encryption/decryption
658 */
mbedtls_des_crypt_cbc(mbedtls_des_context * ctx,int mode,size_t length,unsigned char iv[8],const unsigned char * input,unsigned char * output)659 int mbedtls_des_crypt_cbc( mbedtls_des_context *ctx,
660 int mode,
661 size_t length,
662 unsigned char iv[8],
663 const unsigned char *input,
664 unsigned char *output )
665 {
666 int i;
667 unsigned char temp[8];
668
669 if( length % 8 )
670 return( MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH );
671
672 if( mode == MBEDTLS_DES_ENCRYPT )
673 {
674 while( length > 0 )
675 {
676 for( i = 0; i < 8; i++ )
677 output[i] = (unsigned char)( input[i] ^ iv[i] );
678
679 mbedtls_des_crypt_ecb( ctx, output, output );
680 memcpy( iv, output, 8 );
681
682 input += 8;
683 output += 8;
684 length -= 8;
685 }
686 }
687 else /* MBEDTLS_DES_DECRYPT */
688 {
689 while( length > 0 )
690 {
691 memcpy( temp, input, 8 );
692 mbedtls_des_crypt_ecb( ctx, input, output );
693
694 for( i = 0; i < 8; i++ )
695 output[i] = (unsigned char)( output[i] ^ iv[i] );
696
697 memcpy( iv, temp, 8 );
698
699 input += 8;
700 output += 8;
701 length -= 8;
702 }
703 }
704
705 return( 0 );
706 }
707 #endif /* MBEDTLS_CIPHER_MODE_CBC */
708
709 /*
710 * 3DES-ECB block encryption/decryption
711 */
712 #if !defined(MBEDTLS_DES3_CRYPT_ECB_ALT)
mbedtls_des3_crypt_ecb(mbedtls_des3_context * ctx,const unsigned char input[8],unsigned char output[8])713 int mbedtls_des3_crypt_ecb( mbedtls_des3_context *ctx,
714 const unsigned char input[8],
715 unsigned char output[8] )
716 {
717 int i;
718 uint32_t X, Y, T, *SK;
719
720 SK = ctx->sk;
721
722 GET_UINT32_BE( X, input, 0 );
723 GET_UINT32_BE( Y, input, 4 );
724
725 DES_IP( X, Y );
726
727 for( i = 0; i < 8; i++ )
728 {
729 DES_ROUND( Y, X );
730 DES_ROUND( X, Y );
731 }
732
733 for( i = 0; i < 8; i++ )
734 {
735 DES_ROUND( X, Y );
736 DES_ROUND( Y, X );
737 }
738
739 for( i = 0; i < 8; i++ )
740 {
741 DES_ROUND( Y, X );
742 DES_ROUND( X, Y );
743 }
744
745 DES_FP( Y, X );
746
747 PUT_UINT32_BE( Y, output, 0 );
748 PUT_UINT32_BE( X, output, 4 );
749
750 return( 0 );
751 }
752 #endif /* !MBEDTLS_DES3_CRYPT_ECB_ALT */
753
754 #if defined(MBEDTLS_CIPHER_MODE_CBC)
755 /*
756 * 3DES-CBC buffer encryption/decryption
757 */
mbedtls_des3_crypt_cbc(mbedtls_des3_context * ctx,int mode,size_t length,unsigned char iv[8],const unsigned char * input,unsigned char * output)758 int mbedtls_des3_crypt_cbc( mbedtls_des3_context *ctx,
759 int mode,
760 size_t length,
761 unsigned char iv[8],
762 const unsigned char *input,
763 unsigned char *output )
764 {
765 int i;
766 unsigned char temp[8];
767
768 if( length % 8 )
769 return( MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH );
770
771 if( mode == MBEDTLS_DES_ENCRYPT )
772 {
773 while( length > 0 )
774 {
775 for( i = 0; i < 8; i++ )
776 output[i] = (unsigned char)( input[i] ^ iv[i] );
777
778 mbedtls_des3_crypt_ecb( ctx, output, output );
779 memcpy( iv, output, 8 );
780
781 input += 8;
782 output += 8;
783 length -= 8;
784 }
785 }
786 else /* MBEDTLS_DES_DECRYPT */
787 {
788 while( length > 0 )
789 {
790 memcpy( temp, input, 8 );
791 mbedtls_des3_crypt_ecb( ctx, input, output );
792
793 for( i = 0; i < 8; i++ )
794 output[i] = (unsigned char)( output[i] ^ iv[i] );
795
796 memcpy( iv, temp, 8 );
797
798 input += 8;
799 output += 8;
800 length -= 8;
801 }
802 }
803
804 return( 0 );
805 }
806 #endif /* MBEDTLS_CIPHER_MODE_CBC */
807
808 #endif /* !MBEDTLS_DES_ALT */
809
810 #if defined(MBEDTLS_SELF_TEST)
811 /*
812 * DES and 3DES test vectors from:
813 *
814 * http://csrc.nist.gov/groups/STM/cavp/documents/des/tripledes-vectors.zip
815 */
816 static const unsigned char des3_test_keys[24] =
817 {
818 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF,
819 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01,
820 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01, 0x23
821 };
822
823 static const unsigned char des3_test_buf[8] =
824 {
825 0x4E, 0x6F, 0x77, 0x20, 0x69, 0x73, 0x20, 0x74
826 };
827
828 static const unsigned char des3_test_ecb_dec[3][8] =
829 {
830 { 0xCD, 0xD6, 0x4F, 0x2F, 0x94, 0x27, 0xC1, 0x5D },
831 { 0x69, 0x96, 0xC8, 0xFA, 0x47, 0xA2, 0xAB, 0xEB },
832 { 0x83, 0x25, 0x39, 0x76, 0x44, 0x09, 0x1A, 0x0A }
833 };
834
835 static const unsigned char des3_test_ecb_enc[3][8] =
836 {
837 { 0x6A, 0x2A, 0x19, 0xF4, 0x1E, 0xCA, 0x85, 0x4B },
838 { 0x03, 0xE6, 0x9F, 0x5B, 0xFA, 0x58, 0xEB, 0x42 },
839 { 0xDD, 0x17, 0xE8, 0xB8, 0xB4, 0x37, 0xD2, 0x32 }
840 };
841
842 #if defined(MBEDTLS_CIPHER_MODE_CBC)
843 static const unsigned char des3_test_iv[8] =
844 {
845 0x12, 0x34, 0x56, 0x78, 0x90, 0xAB, 0xCD, 0xEF,
846 };
847
848 static const unsigned char des3_test_cbc_dec[3][8] =
849 {
850 { 0x12, 0x9F, 0x40, 0xB9, 0xD2, 0x00, 0x56, 0xB3 },
851 { 0x47, 0x0E, 0xFC, 0x9A, 0x6B, 0x8E, 0xE3, 0x93 },
852 { 0xC5, 0xCE, 0xCF, 0x63, 0xEC, 0xEC, 0x51, 0x4C }
853 };
854
855 static const unsigned char des3_test_cbc_enc[3][8] =
856 {
857 { 0x54, 0xF1, 0x5A, 0xF6, 0xEB, 0xE3, 0xA4, 0xB4 },
858 { 0x35, 0x76, 0x11, 0x56, 0x5F, 0xA1, 0x8E, 0x4D },
859 { 0xCB, 0x19, 0x1F, 0x85, 0xD1, 0xED, 0x84, 0x39 }
860 };
861 #endif /* MBEDTLS_CIPHER_MODE_CBC */
862
863 /*
864 * Checkup routine
865 */
mbedtls_des_self_test(int verbose)866 int mbedtls_des_self_test( int verbose )
867 {
868 int i, j, u, v, ret = 0;
869 mbedtls_des_context ctx;
870 mbedtls_des3_context ctx3;
871 unsigned char buf[8];
872 #if defined(MBEDTLS_CIPHER_MODE_CBC)
873 unsigned char prv[8];
874 unsigned char iv[8];
875 #endif
876
877 mbedtls_des_init( &ctx );
878 mbedtls_des3_init( &ctx3 );
879 /*
880 * ECB mode
881 */
882 for( i = 0; i < 6; i++ )
883 {
884 u = i >> 1;
885 v = i & 1;
886
887 if( verbose != 0 )
888 mbedtls_printf( " DES%c-ECB-%3d (%s): ",
889 ( u == 0 ) ? ' ' : '3', 56 + u * 56,
890 ( v == MBEDTLS_DES_DECRYPT ) ? "dec" : "enc" );
891
892 memcpy( buf, des3_test_buf, 8 );
893
894 switch( i )
895 {
896 case 0:
897 mbedtls_des_setkey_dec( &ctx, des3_test_keys );
898 break;
899
900 case 1:
901 mbedtls_des_setkey_enc( &ctx, des3_test_keys );
902 break;
903
904 case 2:
905 mbedtls_des3_set2key_dec( &ctx3, des3_test_keys );
906 break;
907
908 case 3:
909 mbedtls_des3_set2key_enc( &ctx3, des3_test_keys );
910 break;
911
912 case 4:
913 mbedtls_des3_set3key_dec( &ctx3, des3_test_keys );
914 break;
915
916 case 5:
917 mbedtls_des3_set3key_enc( &ctx3, des3_test_keys );
918 break;
919
920 default:
921 return( 1 );
922 }
923
924 for( j = 0; j < 10000; j++ )
925 {
926 if( u == 0 )
927 mbedtls_des_crypt_ecb( &ctx, buf, buf );
928 else
929 mbedtls_des3_crypt_ecb( &ctx3, buf, buf );
930 }
931
932 if( ( v == MBEDTLS_DES_DECRYPT &&
933 memcmp( buf, des3_test_ecb_dec[u], 8 ) != 0 ) ||
934 ( v != MBEDTLS_DES_DECRYPT &&
935 memcmp( buf, des3_test_ecb_enc[u], 8 ) != 0 ) )
936 {
937 if( verbose != 0 )
938 mbedtls_printf( "failed\n" );
939
940 ret = 1;
941 goto exit;
942 }
943
944 if( verbose != 0 )
945 mbedtls_printf( "passed\n" );
946 }
947
948 if( verbose != 0 )
949 mbedtls_printf( "\n" );
950
951 #if defined(MBEDTLS_CIPHER_MODE_CBC)
952 /*
953 * CBC mode
954 */
955 for( i = 0; i < 6; i++ )
956 {
957 u = i >> 1;
958 v = i & 1;
959
960 if( verbose != 0 )
961 mbedtls_printf( " DES%c-CBC-%3d (%s): ",
962 ( u == 0 ) ? ' ' : '3', 56 + u * 56,
963 ( v == MBEDTLS_DES_DECRYPT ) ? "dec" : "enc" );
964
965 memcpy( iv, des3_test_iv, 8 );
966 memcpy( prv, des3_test_iv, 8 );
967 memcpy( buf, des3_test_buf, 8 );
968
969 switch( i )
970 {
971 case 0:
972 mbedtls_des_setkey_dec( &ctx, des3_test_keys );
973 break;
974
975 case 1:
976 mbedtls_des_setkey_enc( &ctx, des3_test_keys );
977 break;
978
979 case 2:
980 mbedtls_des3_set2key_dec( &ctx3, des3_test_keys );
981 break;
982
983 case 3:
984 mbedtls_des3_set2key_enc( &ctx3, des3_test_keys );
985 break;
986
987 case 4:
988 mbedtls_des3_set3key_dec( &ctx3, des3_test_keys );
989 break;
990
991 case 5:
992 mbedtls_des3_set3key_enc( &ctx3, des3_test_keys );
993 break;
994
995 default:
996 return( 1 );
997 }
998
999 if( v == MBEDTLS_DES_DECRYPT )
1000 {
1001 for( j = 0; j < 10000; j++ )
1002 {
1003 if( u == 0 )
1004 mbedtls_des_crypt_cbc( &ctx, v, 8, iv, buf, buf );
1005 else
1006 mbedtls_des3_crypt_cbc( &ctx3, v, 8, iv, buf, buf );
1007 }
1008 }
1009 else
1010 {
1011 for( j = 0; j < 10000; j++ )
1012 {
1013 unsigned char tmp[8];
1014
1015 if( u == 0 )
1016 mbedtls_des_crypt_cbc( &ctx, v, 8, iv, buf, buf );
1017 else
1018 mbedtls_des3_crypt_cbc( &ctx3, v, 8, iv, buf, buf );
1019
1020 memcpy( tmp, prv, 8 );
1021 memcpy( prv, buf, 8 );
1022 memcpy( buf, tmp, 8 );
1023 }
1024
1025 memcpy( buf, prv, 8 );
1026 }
1027
1028 if( ( v == MBEDTLS_DES_DECRYPT &&
1029 memcmp( buf, des3_test_cbc_dec[u], 8 ) != 0 ) ||
1030 ( v != MBEDTLS_DES_DECRYPT &&
1031 memcmp( buf, des3_test_cbc_enc[u], 8 ) != 0 ) )
1032 {
1033 if( verbose != 0 )
1034 mbedtls_printf( "failed\n" );
1035
1036 ret = 1;
1037 goto exit;
1038 }
1039
1040 if( verbose != 0 )
1041 mbedtls_printf( "passed\n" );
1042 }
1043 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1044
1045 if( verbose != 0 )
1046 mbedtls_printf( "\n" );
1047
1048 exit:
1049 mbedtls_des_free( &ctx );
1050 mbedtls_des3_free( &ctx3 );
1051
1052 return( ret );
1053 }
1054
1055 #endif /* MBEDTLS_SELF_TEST */
1056
1057 #endif /* MBEDTLS_DES_C */
1058