1 /* 2 * FIPS-46-3 compliant Triple-DES implementation 3 * 4 * Copyright The Mbed TLS Contributors 5 * SPDX-License-Identifier: Apache-2.0 6 * 7 * Licensed under the Apache License, Version 2.0 (the "License"); you may 8 * not use this file except in compliance with the License. 9 * You may obtain a copy of the License at 10 * 11 * http://www.apache.org/licenses/LICENSE-2.0 12 * 13 * Unless required by applicable law or agreed to in writing, software 14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 * See the License for the specific language governing permissions and 17 * limitations under the License. 18 */ 19 /* 20 * DES, on which TDES is based, was originally designed by Horst Feistel 21 * at IBM in 1974, and was adopted as a standard by NIST (formerly NBS). 22 * 23 * http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf 24 */ 25 26 #include "common.h" 27 28 #if defined(MBEDTLS_DES_C) 29 30 #include "mbedtls/des.h" 31 #include "mbedtls/error.h" 32 #include "mbedtls/platform_util.h" 33 34 #include <string.h> 35 36 #if defined(MBEDTLS_SELF_TEST) 37 #if defined(MBEDTLS_PLATFORM_C) 38 #include "mbedtls/platform.h" 39 #else 40 #include <stdio.h> 41 #define mbedtls_printf printf 42 #endif /* MBEDTLS_PLATFORM_C */ 43 #endif /* MBEDTLS_SELF_TEST */ 44 45 #if !defined(MBEDTLS_DES_ALT) 46 47 /* 48 * Expanded DES S-boxes 49 */ 50 static const uint32_t SB1[64] = 51 { 52 0x01010400, 0x00000000, 0x00010000, 0x01010404, 53 0x01010004, 0x00010404, 0x00000004, 0x00010000, 54 0x00000400, 0x01010400, 0x01010404, 0x00000400, 55 0x01000404, 0x01010004, 0x01000000, 0x00000004, 56 0x00000404, 0x01000400, 0x01000400, 0x00010400, 57 0x00010400, 0x01010000, 0x01010000, 0x01000404, 58 0x00010004, 0x01000004, 0x01000004, 0x00010004, 59 0x00000000, 0x00000404, 0x00010404, 0x01000000, 60 0x00010000, 0x01010404, 0x00000004, 0x01010000, 61 0x01010400, 0x01000000, 0x01000000, 0x00000400, 62 0x01010004, 0x00010000, 0x00010400, 0x01000004, 63 0x00000400, 0x00000004, 0x01000404, 0x00010404, 64 0x01010404, 0x00010004, 0x01010000, 0x01000404, 65 0x01000004, 0x00000404, 0x00010404, 0x01010400, 66 0x00000404, 0x01000400, 0x01000400, 0x00000000, 67 0x00010004, 0x00010400, 0x00000000, 0x01010004 68 }; 69 70 static const uint32_t SB2[64] = 71 { 72 0x80108020, 0x80008000, 0x00008000, 0x00108020, 73 0x00100000, 0x00000020, 0x80100020, 0x80008020, 74 0x80000020, 0x80108020, 0x80108000, 0x80000000, 75 0x80008000, 0x00100000, 0x00000020, 0x80100020, 76 0x00108000, 0x00100020, 0x80008020, 0x00000000, 77 0x80000000, 0x00008000, 0x00108020, 0x80100000, 78 0x00100020, 0x80000020, 0x00000000, 0x00108000, 79 0x00008020, 0x80108000, 0x80100000, 0x00008020, 80 0x00000000, 0x00108020, 0x80100020, 0x00100000, 81 0x80008020, 0x80100000, 0x80108000, 0x00008000, 82 0x80100000, 0x80008000, 0x00000020, 0x80108020, 83 0x00108020, 0x00000020, 0x00008000, 0x80000000, 84 0x00008020, 0x80108000, 0x00100000, 0x80000020, 85 0x00100020, 0x80008020, 0x80000020, 0x00100020, 86 0x00108000, 0x00000000, 0x80008000, 0x00008020, 87 0x80000000, 0x80100020, 0x80108020, 0x00108000 88 }; 89 90 static const uint32_t SB3[64] = 91 { 92 0x00000208, 0x08020200, 0x00000000, 0x08020008, 93 0x08000200, 0x00000000, 0x00020208, 0x08000200, 94 0x00020008, 0x08000008, 0x08000008, 0x00020000, 95 0x08020208, 0x00020008, 0x08020000, 0x00000208, 96 0x08000000, 0x00000008, 0x08020200, 0x00000200, 97 0x00020200, 0x08020000, 0x08020008, 0x00020208, 98 0x08000208, 0x00020200, 0x00020000, 0x08000208, 99 0x00000008, 0x08020208, 0x00000200, 0x08000000, 100 0x08020200, 0x08000000, 0x00020008, 0x00000208, 101 0x00020000, 0x08020200, 0x08000200, 0x00000000, 102 0x00000200, 0x00020008, 0x08020208, 0x08000200, 103 0x08000008, 0x00000200, 0x00000000, 0x08020008, 104 0x08000208, 0x00020000, 0x08000000, 0x08020208, 105 0x00000008, 0x00020208, 0x00020200, 0x08000008, 106 0x08020000, 0x08000208, 0x00000208, 0x08020000, 107 0x00020208, 0x00000008, 0x08020008, 0x00020200 108 }; 109 110 static const uint32_t SB4[64] = 111 { 112 0x00802001, 0x00002081, 0x00002081, 0x00000080, 113 0x00802080, 0x00800081, 0x00800001, 0x00002001, 114 0x00000000, 0x00802000, 0x00802000, 0x00802081, 115 0x00000081, 0x00000000, 0x00800080, 0x00800001, 116 0x00000001, 0x00002000, 0x00800000, 0x00802001, 117 0x00000080, 0x00800000, 0x00002001, 0x00002080, 118 0x00800081, 0x00000001, 0x00002080, 0x00800080, 119 0x00002000, 0x00802080, 0x00802081, 0x00000081, 120 0x00800080, 0x00800001, 0x00802000, 0x00802081, 121 0x00000081, 0x00000000, 0x00000000, 0x00802000, 122 0x00002080, 0x00800080, 0x00800081, 0x00000001, 123 0x00802001, 0x00002081, 0x00002081, 0x00000080, 124 0x00802081, 0x00000081, 0x00000001, 0x00002000, 125 0x00800001, 0x00002001, 0x00802080, 0x00800081, 126 0x00002001, 0x00002080, 0x00800000, 0x00802001, 127 0x00000080, 0x00800000, 0x00002000, 0x00802080 128 }; 129 130 static const uint32_t SB5[64] = 131 { 132 0x00000100, 0x02080100, 0x02080000, 0x42000100, 133 0x00080000, 0x00000100, 0x40000000, 0x02080000, 134 0x40080100, 0x00080000, 0x02000100, 0x40080100, 135 0x42000100, 0x42080000, 0x00080100, 0x40000000, 136 0x02000000, 0x40080000, 0x40080000, 0x00000000, 137 0x40000100, 0x42080100, 0x42080100, 0x02000100, 138 0x42080000, 0x40000100, 0x00000000, 0x42000000, 139 0x02080100, 0x02000000, 0x42000000, 0x00080100, 140 0x00080000, 0x42000100, 0x00000100, 0x02000000, 141 0x40000000, 0x02080000, 0x42000100, 0x40080100, 142 0x02000100, 0x40000000, 0x42080000, 0x02080100, 143 0x40080100, 0x00000100, 0x02000000, 0x42080000, 144 0x42080100, 0x00080100, 0x42000000, 0x42080100, 145 0x02080000, 0x00000000, 0x40080000, 0x42000000, 146 0x00080100, 0x02000100, 0x40000100, 0x00080000, 147 0x00000000, 0x40080000, 0x02080100, 0x40000100 148 }; 149 150 static const uint32_t SB6[64] = 151 { 152 0x20000010, 0x20400000, 0x00004000, 0x20404010, 153 0x20400000, 0x00000010, 0x20404010, 0x00400000, 154 0x20004000, 0x00404010, 0x00400000, 0x20000010, 155 0x00400010, 0x20004000, 0x20000000, 0x00004010, 156 0x00000000, 0x00400010, 0x20004010, 0x00004000, 157 0x00404000, 0x20004010, 0x00000010, 0x20400010, 158 0x20400010, 0x00000000, 0x00404010, 0x20404000, 159 0x00004010, 0x00404000, 0x20404000, 0x20000000, 160 0x20004000, 0x00000010, 0x20400010, 0x00404000, 161 0x20404010, 0x00400000, 0x00004010, 0x20000010, 162 0x00400000, 0x20004000, 0x20000000, 0x00004010, 163 0x20000010, 0x20404010, 0x00404000, 0x20400000, 164 0x00404010, 0x20404000, 0x00000000, 0x20400010, 165 0x00000010, 0x00004000, 0x20400000, 0x00404010, 166 0x00004000, 0x00400010, 0x20004010, 0x00000000, 167 0x20404000, 0x20000000, 0x00400010, 0x20004010 168 }; 169 170 static const uint32_t SB7[64] = 171 { 172 0x00200000, 0x04200002, 0x04000802, 0x00000000, 173 0x00000800, 0x04000802, 0x00200802, 0x04200800, 174 0x04200802, 0x00200000, 0x00000000, 0x04000002, 175 0x00000002, 0x04000000, 0x04200002, 0x00000802, 176 0x04000800, 0x00200802, 0x00200002, 0x04000800, 177 0x04000002, 0x04200000, 0x04200800, 0x00200002, 178 0x04200000, 0x00000800, 0x00000802, 0x04200802, 179 0x00200800, 0x00000002, 0x04000000, 0x00200800, 180 0x04000000, 0x00200800, 0x00200000, 0x04000802, 181 0x04000802, 0x04200002, 0x04200002, 0x00000002, 182 0x00200002, 0x04000000, 0x04000800, 0x00200000, 183 0x04200800, 0x00000802, 0x00200802, 0x04200800, 184 0x00000802, 0x04000002, 0x04200802, 0x04200000, 185 0x00200800, 0x00000000, 0x00000002, 0x04200802, 186 0x00000000, 0x00200802, 0x04200000, 0x00000800, 187 0x04000002, 0x04000800, 0x00000800, 0x00200002 188 }; 189 190 static const uint32_t SB8[64] = 191 { 192 0x10001040, 0x00001000, 0x00040000, 0x10041040, 193 0x10000000, 0x10001040, 0x00000040, 0x10000000, 194 0x00040040, 0x10040000, 0x10041040, 0x00041000, 195 0x10041000, 0x00041040, 0x00001000, 0x00000040, 196 0x10040000, 0x10000040, 0x10001000, 0x00001040, 197 0x00041000, 0x00040040, 0x10040040, 0x10041000, 198 0x00001040, 0x00000000, 0x00000000, 0x10040040, 199 0x10000040, 0x10001000, 0x00041040, 0x00040000, 200 0x00041040, 0x00040000, 0x10041000, 0x00001000, 201 0x00000040, 0x10040040, 0x00001000, 0x00041040, 202 0x10001000, 0x00000040, 0x10000040, 0x10040000, 203 0x10040040, 0x10000000, 0x00040000, 0x10001040, 204 0x00000000, 0x10041040, 0x00040040, 0x10000040, 205 0x10040000, 0x10001000, 0x10001040, 0x00000000, 206 0x10041040, 0x00041000, 0x00041000, 0x00001040, 207 0x00001040, 0x00040040, 0x10000000, 0x10041000 208 }; 209 210 /* 211 * PC1: left and right halves bit-swap 212 */ 213 static const uint32_t LHs[16] = 214 { 215 0x00000000, 0x00000001, 0x00000100, 0x00000101, 216 0x00010000, 0x00010001, 0x00010100, 0x00010101, 217 0x01000000, 0x01000001, 0x01000100, 0x01000101, 218 0x01010000, 0x01010001, 0x01010100, 0x01010101 219 }; 220 221 static const uint32_t RHs[16] = 222 { 223 0x00000000, 0x01000000, 0x00010000, 0x01010000, 224 0x00000100, 0x01000100, 0x00010100, 0x01010100, 225 0x00000001, 0x01000001, 0x00010001, 0x01010001, 226 0x00000101, 0x01000101, 0x00010101, 0x01010101, 227 }; 228 229 /* 230 * Initial Permutation macro 231 */ 232 #define DES_IP(X,Y) \ 233 do \ 234 { \ 235 T = (((X) >> 4) ^ (Y)) & 0x0F0F0F0F; (Y) ^= T; (X) ^= (T << 4); \ 236 T = (((X) >> 16) ^ (Y)) & 0x0000FFFF; (Y) ^= T; (X) ^= (T << 16); \ 237 T = (((Y) >> 2) ^ (X)) & 0x33333333; (X) ^= T; (Y) ^= (T << 2); \ 238 T = (((Y) >> 8) ^ (X)) & 0x00FF00FF; (X) ^= T; (Y) ^= (T << 8); \ 239 (Y) = (((Y) << 1) | ((Y) >> 31)) & 0xFFFFFFFF; \ 240 T = ((X) ^ (Y)) & 0xAAAAAAAA; (Y) ^= T; (X) ^= T; \ 241 (X) = (((X) << 1) | ((X) >> 31)) & 0xFFFFFFFF; \ 242 } while( 0 ) 243 244 /* 245 * Final Permutation macro 246 */ 247 #define DES_FP(X,Y) \ 248 do \ 249 { \ 250 (X) = (((X) << 31) | ((X) >> 1)) & 0xFFFFFFFF; \ 251 T = ((X) ^ (Y)) & 0xAAAAAAAA; (X) ^= T; (Y) ^= T; \ 252 (Y) = (((Y) << 31) | ((Y) >> 1)) & 0xFFFFFFFF; \ 253 T = (((Y) >> 8) ^ (X)) & 0x00FF00FF; (X) ^= T; (Y) ^= (T << 8); \ 254 T = (((Y) >> 2) ^ (X)) & 0x33333333; (X) ^= T; (Y) ^= (T << 2); \ 255 T = (((X) >> 16) ^ (Y)) & 0x0000FFFF; (Y) ^= T; (X) ^= (T << 16); \ 256 T = (((X) >> 4) ^ (Y)) & 0x0F0F0F0F; (Y) ^= T; (X) ^= (T << 4); \ 257 } while( 0 ) 258 259 /* 260 * DES round macro 261 */ 262 #define DES_ROUND(X,Y) \ 263 do \ 264 { \ 265 T = *SK++ ^ (X); \ 266 (Y) ^= SB8[ (T ) & 0x3F ] ^ \ 267 SB6[ (T >> 8) & 0x3F ] ^ \ 268 SB4[ (T >> 16) & 0x3F ] ^ \ 269 SB2[ (T >> 24) & 0x3F ]; \ 270 \ 271 T = *SK++ ^ (((X) << 28) | ((X) >> 4)); \ 272 (Y) ^= SB7[ (T ) & 0x3F ] ^ \ 273 SB5[ (T >> 8) & 0x3F ] ^ \ 274 SB3[ (T >> 16) & 0x3F ] ^ \ 275 SB1[ (T >> 24) & 0x3F ]; \ 276 } while( 0 ) 277 278 #define SWAP(a,b) \ 279 do \ 280 { \ 281 uint32_t t = (a); (a) = (b); (b) = t; t = 0; \ 282 } while( 0 ) 283 284 void mbedtls_des_init( mbedtls_des_context *ctx ) 285 { 286 memset( ctx, 0, sizeof( mbedtls_des_context ) ); 287 } 288 289 void mbedtls_des_free( mbedtls_des_context *ctx ) 290 { 291 if( ctx == NULL ) 292 return; 293 294 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_des_context ) ); 295 } 296 297 void mbedtls_des3_init( mbedtls_des3_context *ctx ) 298 { 299 memset( ctx, 0, sizeof( mbedtls_des3_context ) ); 300 } 301 302 void mbedtls_des3_free( mbedtls_des3_context *ctx ) 303 { 304 if( ctx == NULL ) 305 return; 306 307 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_des3_context ) ); 308 } 309 310 static const unsigned char odd_parity_table[128] = { 1, 2, 4, 7, 8, 311 11, 13, 14, 16, 19, 21, 22, 25, 26, 28, 31, 32, 35, 37, 38, 41, 42, 44, 312 47, 49, 50, 52, 55, 56, 59, 61, 62, 64, 67, 69, 70, 73, 74, 76, 79, 81, 313 82, 84, 87, 88, 91, 93, 94, 97, 98, 100, 103, 104, 107, 109, 110, 112, 314 115, 117, 118, 121, 122, 124, 127, 128, 131, 133, 134, 137, 138, 140, 315 143, 145, 146, 148, 151, 152, 155, 157, 158, 161, 162, 164, 167, 168, 316 171, 173, 174, 176, 179, 181, 182, 185, 186, 188, 191, 193, 194, 196, 317 199, 200, 203, 205, 206, 208, 211, 213, 214, 217, 218, 220, 223, 224, 318 227, 229, 230, 233, 234, 236, 239, 241, 242, 244, 247, 248, 251, 253, 319 254 }; 320 321 void mbedtls_des_key_set_parity( unsigned char key[MBEDTLS_DES_KEY_SIZE] ) 322 { 323 int i; 324 325 for( i = 0; i < MBEDTLS_DES_KEY_SIZE; i++ ) 326 key[i] = odd_parity_table[key[i] / 2]; 327 } 328 329 /* 330 * Check the given key's parity, returns 1 on failure, 0 on SUCCESS 331 */ 332 int mbedtls_des_key_check_key_parity( const unsigned char key[MBEDTLS_DES_KEY_SIZE] ) 333 { 334 int i; 335 336 for( i = 0; i < MBEDTLS_DES_KEY_SIZE; i++ ) 337 if( key[i] != odd_parity_table[key[i] / 2] ) 338 return( 1 ); 339 340 return( 0 ); 341 } 342 343 /* 344 * Table of weak and semi-weak keys 345 * 346 * Source: http://en.wikipedia.org/wiki/Weak_key 347 * 348 * Weak: 349 * Alternating ones + zeros (0x0101010101010101) 350 * Alternating 'F' + 'E' (0xFEFEFEFEFEFEFEFE) 351 * '0xE0E0E0E0F1F1F1F1' 352 * '0x1F1F1F1F0E0E0E0E' 353 * 354 * Semi-weak: 355 * 0x011F011F010E010E and 0x1F011F010E010E01 356 * 0x01E001E001F101F1 and 0xE001E001F101F101 357 * 0x01FE01FE01FE01FE and 0xFE01FE01FE01FE01 358 * 0x1FE01FE00EF10EF1 and 0xE01FE01FF10EF10E 359 * 0x1FFE1FFE0EFE0EFE and 0xFE1FFE1FFE0EFE0E 360 * 0xE0FEE0FEF1FEF1FE and 0xFEE0FEE0FEF1FEF1 361 * 362 */ 363 364 #define WEAK_KEY_COUNT 16 365 366 static const unsigned char weak_key_table[WEAK_KEY_COUNT][MBEDTLS_DES_KEY_SIZE] = 367 { 368 { 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 }, 369 { 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE }, 370 { 0x1F, 0x1F, 0x1F, 0x1F, 0x0E, 0x0E, 0x0E, 0x0E }, 371 { 0xE0, 0xE0, 0xE0, 0xE0, 0xF1, 0xF1, 0xF1, 0xF1 }, 372 373 { 0x01, 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E }, 374 { 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E, 0x01 }, 375 { 0x01, 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1 }, 376 { 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1, 0x01 }, 377 { 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE }, 378 { 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01 }, 379 { 0x1F, 0xE0, 0x1F, 0xE0, 0x0E, 0xF1, 0x0E, 0xF1 }, 380 { 0xE0, 0x1F, 0xE0, 0x1F, 0xF1, 0x0E, 0xF1, 0x0E }, 381 { 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E, 0xFE }, 382 { 0xFE, 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E }, 383 { 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1, 0xFE }, 384 { 0xFE, 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1 } 385 }; 386 387 int mbedtls_des_key_check_weak( const unsigned char key[MBEDTLS_DES_KEY_SIZE] ) 388 { 389 int i; 390 391 for( i = 0; i < WEAK_KEY_COUNT; i++ ) 392 if( memcmp( weak_key_table[i], key, MBEDTLS_DES_KEY_SIZE) == 0 ) 393 return( 1 ); 394 395 return( 0 ); 396 } 397 398 #if !defined(MBEDTLS_DES_SETKEY_ALT) 399 void mbedtls_des_setkey( uint32_t SK[32], const unsigned char key[MBEDTLS_DES_KEY_SIZE] ) 400 { 401 int i; 402 uint32_t X, Y, T; 403 404 X = MBEDTLS_GET_UINT32_BE( key, 0 ); 405 Y = MBEDTLS_GET_UINT32_BE( key, 4 ); 406 407 /* 408 * Permuted Choice 1 409 */ 410 T = ((Y >> 4) ^ X) & 0x0F0F0F0F; X ^= T; Y ^= (T << 4); 411 T = ((Y ) ^ X) & 0x10101010; X ^= T; Y ^= (T ); 412 413 X = (LHs[ (X ) & 0xF] << 3) | (LHs[ (X >> 8) & 0xF ] << 2) 414 | (LHs[ (X >> 16) & 0xF] << 1) | (LHs[ (X >> 24) & 0xF ] ) 415 | (LHs[ (X >> 5) & 0xF] << 7) | (LHs[ (X >> 13) & 0xF ] << 6) 416 | (LHs[ (X >> 21) & 0xF] << 5) | (LHs[ (X >> 29) & 0xF ] << 4); 417 418 Y = (RHs[ (Y >> 1) & 0xF] << 3) | (RHs[ (Y >> 9) & 0xF ] << 2) 419 | (RHs[ (Y >> 17) & 0xF] << 1) | (RHs[ (Y >> 25) & 0xF ] ) 420 | (RHs[ (Y >> 4) & 0xF] << 7) | (RHs[ (Y >> 12) & 0xF ] << 6) 421 | (RHs[ (Y >> 20) & 0xF] << 5) | (RHs[ (Y >> 28) & 0xF ] << 4); 422 423 X &= 0x0FFFFFFF; 424 Y &= 0x0FFFFFFF; 425 426 /* 427 * calculate subkeys 428 */ 429 for( i = 0; i < 16; i++ ) 430 { 431 if( i < 2 || i == 8 || i == 15 ) 432 { 433 X = ((X << 1) | (X >> 27)) & 0x0FFFFFFF; 434 Y = ((Y << 1) | (Y >> 27)) & 0x0FFFFFFF; 435 } 436 else 437 { 438 X = ((X << 2) | (X >> 26)) & 0x0FFFFFFF; 439 Y = ((Y << 2) | (Y >> 26)) & 0x0FFFFFFF; 440 } 441 442 *SK++ = ((X << 4) & 0x24000000) | ((X << 28) & 0x10000000) 443 | ((X << 14) & 0x08000000) | ((X << 18) & 0x02080000) 444 | ((X << 6) & 0x01000000) | ((X << 9) & 0x00200000) 445 | ((X >> 1) & 0x00100000) | ((X << 10) & 0x00040000) 446 | ((X << 2) & 0x00020000) | ((X >> 10) & 0x00010000) 447 | ((Y >> 13) & 0x00002000) | ((Y >> 4) & 0x00001000) 448 | ((Y << 6) & 0x00000800) | ((Y >> 1) & 0x00000400) 449 | ((Y >> 14) & 0x00000200) | ((Y ) & 0x00000100) 450 | ((Y >> 5) & 0x00000020) | ((Y >> 10) & 0x00000010) 451 | ((Y >> 3) & 0x00000008) | ((Y >> 18) & 0x00000004) 452 | ((Y >> 26) & 0x00000002) | ((Y >> 24) & 0x00000001); 453 454 *SK++ = ((X << 15) & 0x20000000) | ((X << 17) & 0x10000000) 455 | ((X << 10) & 0x08000000) | ((X << 22) & 0x04000000) 456 | ((X >> 2) & 0x02000000) | ((X << 1) & 0x01000000) 457 | ((X << 16) & 0x00200000) | ((X << 11) & 0x00100000) 458 | ((X << 3) & 0x00080000) | ((X >> 6) & 0x00040000) 459 | ((X << 15) & 0x00020000) | ((X >> 4) & 0x00010000) 460 | ((Y >> 2) & 0x00002000) | ((Y << 8) & 0x00001000) 461 | ((Y >> 14) & 0x00000808) | ((Y >> 9) & 0x00000400) 462 | ((Y ) & 0x00000200) | ((Y << 7) & 0x00000100) 463 | ((Y >> 7) & 0x00000020) | ((Y >> 3) & 0x00000011) 464 | ((Y << 2) & 0x00000004) | ((Y >> 21) & 0x00000002); 465 } 466 } 467 #endif /* !MBEDTLS_DES_SETKEY_ALT */ 468 469 /* 470 * DES key schedule (56-bit, encryption) 471 */ 472 int mbedtls_des_setkey_enc( mbedtls_des_context *ctx, const unsigned char key[MBEDTLS_DES_KEY_SIZE] ) 473 { 474 mbedtls_des_setkey( ctx->sk, key ); 475 476 return( 0 ); 477 } 478 479 /* 480 * DES key schedule (56-bit, decryption) 481 */ 482 int mbedtls_des_setkey_dec( mbedtls_des_context *ctx, const unsigned char key[MBEDTLS_DES_KEY_SIZE] ) 483 { 484 int i; 485 486 mbedtls_des_setkey( ctx->sk, key ); 487 488 for( i = 0; i < 16; i += 2 ) 489 { 490 SWAP( ctx->sk[i ], ctx->sk[30 - i] ); 491 SWAP( ctx->sk[i + 1], ctx->sk[31 - i] ); 492 } 493 494 return( 0 ); 495 } 496 497 static void des3_set2key( uint32_t esk[96], 498 uint32_t dsk[96], 499 const unsigned char key[MBEDTLS_DES_KEY_SIZE*2] ) 500 { 501 int i; 502 503 mbedtls_des_setkey( esk, key ); 504 mbedtls_des_setkey( dsk + 32, key + 8 ); 505 506 for( i = 0; i < 32; i += 2 ) 507 { 508 dsk[i ] = esk[30 - i]; 509 dsk[i + 1] = esk[31 - i]; 510 511 esk[i + 32] = dsk[62 - i]; 512 esk[i + 33] = dsk[63 - i]; 513 514 esk[i + 64] = esk[i ]; 515 esk[i + 65] = esk[i + 1]; 516 517 dsk[i + 64] = dsk[i ]; 518 dsk[i + 65] = dsk[i + 1]; 519 } 520 } 521 522 /* 523 * Triple-DES key schedule (112-bit, encryption) 524 */ 525 int mbedtls_des3_set2key_enc( mbedtls_des3_context *ctx, 526 const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2] ) 527 { 528 uint32_t sk[96]; 529 530 des3_set2key( ctx->sk, sk, key ); 531 mbedtls_platform_zeroize( sk, sizeof( sk ) ); 532 533 return( 0 ); 534 } 535 536 /* 537 * Triple-DES key schedule (112-bit, decryption) 538 */ 539 int mbedtls_des3_set2key_dec( mbedtls_des3_context *ctx, 540 const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2] ) 541 { 542 uint32_t sk[96]; 543 544 des3_set2key( sk, ctx->sk, key ); 545 mbedtls_platform_zeroize( sk, sizeof( sk ) ); 546 547 return( 0 ); 548 } 549 550 static void des3_set3key( uint32_t esk[96], 551 uint32_t dsk[96], 552 const unsigned char key[24] ) 553 { 554 int i; 555 556 mbedtls_des_setkey( esk, key ); 557 mbedtls_des_setkey( dsk + 32, key + 8 ); 558 mbedtls_des_setkey( esk + 64, key + 16 ); 559 560 for( i = 0; i < 32; i += 2 ) 561 { 562 dsk[i ] = esk[94 - i]; 563 dsk[i + 1] = esk[95 - i]; 564 565 esk[i + 32] = dsk[62 - i]; 566 esk[i + 33] = dsk[63 - i]; 567 568 dsk[i + 64] = esk[30 - i]; 569 dsk[i + 65] = esk[31 - i]; 570 } 571 } 572 573 /* 574 * Triple-DES key schedule (168-bit, encryption) 575 */ 576 int mbedtls_des3_set3key_enc( mbedtls_des3_context *ctx, 577 const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3] ) 578 { 579 uint32_t sk[96]; 580 581 des3_set3key( ctx->sk, sk, key ); 582 mbedtls_platform_zeroize( sk, sizeof( sk ) ); 583 584 return( 0 ); 585 } 586 587 /* 588 * Triple-DES key schedule (168-bit, decryption) 589 */ 590 int mbedtls_des3_set3key_dec( mbedtls_des3_context *ctx, 591 const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3] ) 592 { 593 uint32_t sk[96]; 594 595 des3_set3key( sk, ctx->sk, key ); 596 mbedtls_platform_zeroize( sk, sizeof( sk ) ); 597 598 return( 0 ); 599 } 600 601 /* 602 * DES-ECB block encryption/decryption 603 */ 604 #if !defined(MBEDTLS_DES_CRYPT_ECB_ALT) 605 int mbedtls_des_crypt_ecb( mbedtls_des_context *ctx, 606 const unsigned char input[8], 607 unsigned char output[8] ) 608 { 609 int i; 610 uint32_t X, Y, T, *SK; 611 612 SK = ctx->sk; 613 614 X = MBEDTLS_GET_UINT32_BE( input, 0 ); 615 Y = MBEDTLS_GET_UINT32_BE( input, 4 ); 616 617 DES_IP( X, Y ); 618 619 for( i = 0; i < 8; i++ ) 620 { 621 DES_ROUND( Y, X ); 622 DES_ROUND( X, Y ); 623 } 624 625 DES_FP( Y, X ); 626 627 MBEDTLS_PUT_UINT32_BE( Y, output, 0 ); 628 MBEDTLS_PUT_UINT32_BE( X, output, 4 ); 629 630 return( 0 ); 631 } 632 #endif /* !MBEDTLS_DES_CRYPT_ECB_ALT */ 633 634 #if defined(MBEDTLS_CIPHER_MODE_CBC) 635 /* 636 * DES-CBC buffer encryption/decryption 637 */ 638 int mbedtls_des_crypt_cbc( mbedtls_des_context *ctx, 639 int mode, 640 size_t length, 641 unsigned char iv[8], 642 const unsigned char *input, 643 unsigned char *output ) 644 { 645 int i; 646 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 647 unsigned char temp[8]; 648 649 if( length % 8 ) 650 return( MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH ); 651 652 if( mode == MBEDTLS_DES_ENCRYPT ) 653 { 654 while( length > 0 ) 655 { 656 for( i = 0; i < 8; i++ ) 657 output[i] = (unsigned char)( input[i] ^ iv[i] ); 658 659 ret = mbedtls_des_crypt_ecb( ctx, output, output ); 660 if( ret != 0 ) 661 goto exit; 662 memcpy( iv, output, 8 ); 663 664 input += 8; 665 output += 8; 666 length -= 8; 667 } 668 } 669 else /* MBEDTLS_DES_DECRYPT */ 670 { 671 while( length > 0 ) 672 { 673 memcpy( temp, input, 8 ); 674 ret = mbedtls_des_crypt_ecb( ctx, input, output ); 675 if( ret != 0 ) 676 goto exit; 677 678 for( i = 0; i < 8; i++ ) 679 output[i] = (unsigned char)( output[i] ^ iv[i] ); 680 681 memcpy( iv, temp, 8 ); 682 683 input += 8; 684 output += 8; 685 length -= 8; 686 } 687 } 688 ret = 0; 689 690 exit: 691 return( ret ); 692 } 693 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 694 695 /* 696 * 3DES-ECB block encryption/decryption 697 */ 698 #if !defined(MBEDTLS_DES3_CRYPT_ECB_ALT) 699 int mbedtls_des3_crypt_ecb( mbedtls_des3_context *ctx, 700 const unsigned char input[8], 701 unsigned char output[8] ) 702 { 703 int i; 704 uint32_t X, Y, T, *SK; 705 706 SK = ctx->sk; 707 708 X = MBEDTLS_GET_UINT32_BE( input, 0 ); 709 Y = MBEDTLS_GET_UINT32_BE( input, 4 ); 710 711 DES_IP( X, Y ); 712 713 for( i = 0; i < 8; i++ ) 714 { 715 DES_ROUND( Y, X ); 716 DES_ROUND( X, Y ); 717 } 718 719 for( i = 0; i < 8; i++ ) 720 { 721 DES_ROUND( X, Y ); 722 DES_ROUND( Y, X ); 723 } 724 725 for( i = 0; i < 8; i++ ) 726 { 727 DES_ROUND( Y, X ); 728 DES_ROUND( X, Y ); 729 } 730 731 DES_FP( Y, X ); 732 733 MBEDTLS_PUT_UINT32_BE( Y, output, 0 ); 734 MBEDTLS_PUT_UINT32_BE( X, output, 4 ); 735 736 return( 0 ); 737 } 738 #endif /* !MBEDTLS_DES3_CRYPT_ECB_ALT */ 739 740 #if defined(MBEDTLS_CIPHER_MODE_CBC) 741 /* 742 * 3DES-CBC buffer encryption/decryption 743 */ 744 int mbedtls_des3_crypt_cbc( mbedtls_des3_context *ctx, 745 int mode, 746 size_t length, 747 unsigned char iv[8], 748 const unsigned char *input, 749 unsigned char *output ) 750 { 751 int i; 752 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 753 unsigned char temp[8]; 754 755 if( length % 8 ) 756 return( MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH ); 757 758 if( mode == MBEDTLS_DES_ENCRYPT ) 759 { 760 while( length > 0 ) 761 { 762 for( i = 0; i < 8; i++ ) 763 output[i] = (unsigned char)( input[i] ^ iv[i] ); 764 765 ret = mbedtls_des3_crypt_ecb( ctx, output, output ); 766 if( ret != 0 ) 767 goto exit; 768 memcpy( iv, output, 8 ); 769 770 input += 8; 771 output += 8; 772 length -= 8; 773 } 774 } 775 else /* MBEDTLS_DES_DECRYPT */ 776 { 777 while( length > 0 ) 778 { 779 memcpy( temp, input, 8 ); 780 ret = mbedtls_des3_crypt_ecb( ctx, input, output ); 781 if( ret != 0 ) 782 goto exit; 783 784 for( i = 0; i < 8; i++ ) 785 output[i] = (unsigned char)( output[i] ^ iv[i] ); 786 787 memcpy( iv, temp, 8 ); 788 789 input += 8; 790 output += 8; 791 length -= 8; 792 } 793 } 794 ret = 0; 795 796 exit: 797 return( ret ); 798 } 799 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 800 801 #endif /* !MBEDTLS_DES_ALT */ 802 803 #if defined(MBEDTLS_SELF_TEST) 804 /* 805 * DES and 3DES test vectors from: 806 * 807 * http://csrc.nist.gov/groups/STM/cavp/documents/des/tripledes-vectors.zip 808 */ 809 static const unsigned char des3_test_keys[24] = 810 { 811 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 812 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01, 813 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01, 0x23 814 }; 815 816 static const unsigned char des3_test_buf[8] = 817 { 818 0x4E, 0x6F, 0x77, 0x20, 0x69, 0x73, 0x20, 0x74 819 }; 820 821 static const unsigned char des3_test_ecb_dec[3][8] = 822 { 823 { 0x37, 0x2B, 0x98, 0xBF, 0x52, 0x65, 0xB0, 0x59 }, 824 { 0xC2, 0x10, 0x19, 0x9C, 0x38, 0x5A, 0x65, 0xA1 }, 825 { 0xA2, 0x70, 0x56, 0x68, 0x69, 0xE5, 0x15, 0x1D } 826 }; 827 828 static const unsigned char des3_test_ecb_enc[3][8] = 829 { 830 { 0x1C, 0xD5, 0x97, 0xEA, 0x84, 0x26, 0x73, 0xFB }, 831 { 0xB3, 0x92, 0x4D, 0xF3, 0xC5, 0xB5, 0x42, 0x93 }, 832 { 0xDA, 0x37, 0x64, 0x41, 0xBA, 0x6F, 0x62, 0x6F } 833 }; 834 835 #if defined(MBEDTLS_CIPHER_MODE_CBC) 836 static const unsigned char des3_test_iv[8] = 837 { 838 0x12, 0x34, 0x56, 0x78, 0x90, 0xAB, 0xCD, 0xEF, 839 }; 840 841 static const unsigned char des3_test_cbc_dec[3][8] = 842 { 843 { 0x58, 0xD9, 0x48, 0xEF, 0x85, 0x14, 0x65, 0x9A }, 844 { 0x5F, 0xC8, 0x78, 0xD4, 0xD7, 0x92, 0xD9, 0x54 }, 845 { 0x25, 0xF9, 0x75, 0x85, 0xA8, 0x1E, 0x48, 0xBF } 846 }; 847 848 static const unsigned char des3_test_cbc_enc[3][8] = 849 { 850 { 0x91, 0x1C, 0x6D, 0xCF, 0x48, 0xA7, 0xC3, 0x4D }, 851 { 0x60, 0x1A, 0x76, 0x8F, 0xA1, 0xF9, 0x66, 0xF1 }, 852 { 0xA1, 0x50, 0x0F, 0x99, 0xB2, 0xCD, 0x64, 0x76 } 853 }; 854 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 855 856 /* 857 * Checkup routine 858 */ 859 int mbedtls_des_self_test( int verbose ) 860 { 861 int i, j, u, v, ret = 0; 862 mbedtls_des_context ctx; 863 mbedtls_des3_context ctx3; 864 unsigned char buf[8]; 865 #if defined(MBEDTLS_CIPHER_MODE_CBC) 866 unsigned char prv[8]; 867 unsigned char iv[8]; 868 #endif 869 870 mbedtls_des_init( &ctx ); 871 mbedtls_des3_init( &ctx3 ); 872 /* 873 * ECB mode 874 */ 875 for( i = 0; i < 6; i++ ) 876 { 877 u = i >> 1; 878 v = i & 1; 879 880 if( verbose != 0 ) 881 mbedtls_printf( " DES%c-ECB-%3d (%s): ", 882 ( u == 0 ) ? ' ' : '3', 56 + u * 56, 883 ( v == MBEDTLS_DES_DECRYPT ) ? "dec" : "enc" ); 884 885 memcpy( buf, des3_test_buf, 8 ); 886 887 switch( i ) 888 { 889 case 0: 890 ret = mbedtls_des_setkey_dec( &ctx, des3_test_keys ); 891 break; 892 893 case 1: 894 ret = mbedtls_des_setkey_enc( &ctx, des3_test_keys ); 895 break; 896 897 case 2: 898 ret = mbedtls_des3_set2key_dec( &ctx3, des3_test_keys ); 899 break; 900 901 case 3: 902 ret = mbedtls_des3_set2key_enc( &ctx3, des3_test_keys ); 903 break; 904 905 case 4: 906 ret = mbedtls_des3_set3key_dec( &ctx3, des3_test_keys ); 907 break; 908 909 case 5: 910 ret = mbedtls_des3_set3key_enc( &ctx3, des3_test_keys ); 911 break; 912 913 default: 914 return( 1 ); 915 } 916 if( ret != 0 ) 917 goto exit; 918 919 for( j = 0; j < 100; j++ ) 920 { 921 if( u == 0 ) 922 ret = mbedtls_des_crypt_ecb( &ctx, buf, buf ); 923 else 924 ret = mbedtls_des3_crypt_ecb( &ctx3, buf, buf ); 925 if( ret != 0 ) 926 goto exit; 927 } 928 929 if( ( v == MBEDTLS_DES_DECRYPT && 930 memcmp( buf, des3_test_ecb_dec[u], 8 ) != 0 ) || 931 ( v != MBEDTLS_DES_DECRYPT && 932 memcmp( buf, des3_test_ecb_enc[u], 8 ) != 0 ) ) 933 { 934 if( verbose != 0 ) 935 mbedtls_printf( "failed\n" ); 936 937 ret = 1; 938 goto exit; 939 } 940 941 if( verbose != 0 ) 942 mbedtls_printf( "passed\n" ); 943 } 944 945 if( verbose != 0 ) 946 mbedtls_printf( "\n" ); 947 948 #if defined(MBEDTLS_CIPHER_MODE_CBC) 949 /* 950 * CBC mode 951 */ 952 for( i = 0; i < 6; i++ ) 953 { 954 u = i >> 1; 955 v = i & 1; 956 957 if( verbose != 0 ) 958 mbedtls_printf( " DES%c-CBC-%3d (%s): ", 959 ( u == 0 ) ? ' ' : '3', 56 + u * 56, 960 ( v == MBEDTLS_DES_DECRYPT ) ? "dec" : "enc" ); 961 962 memcpy( iv, des3_test_iv, 8 ); 963 memcpy( prv, des3_test_iv, 8 ); 964 memcpy( buf, des3_test_buf, 8 ); 965 966 switch( i ) 967 { 968 case 0: 969 ret = mbedtls_des_setkey_dec( &ctx, des3_test_keys ); 970 break; 971 972 case 1: 973 ret = mbedtls_des_setkey_enc( &ctx, des3_test_keys ); 974 break; 975 976 case 2: 977 ret = mbedtls_des3_set2key_dec( &ctx3, des3_test_keys ); 978 break; 979 980 case 3: 981 ret = mbedtls_des3_set2key_enc( &ctx3, des3_test_keys ); 982 break; 983 984 case 4: 985 ret = mbedtls_des3_set3key_dec( &ctx3, des3_test_keys ); 986 break; 987 988 case 5: 989 ret = mbedtls_des3_set3key_enc( &ctx3, des3_test_keys ); 990 break; 991 992 default: 993 return( 1 ); 994 } 995 if( ret != 0 ) 996 goto exit; 997 998 if( v == MBEDTLS_DES_DECRYPT ) 999 { 1000 for( j = 0; j < 100; j++ ) 1001 { 1002 if( u == 0 ) 1003 ret = mbedtls_des_crypt_cbc( &ctx, v, 8, iv, buf, buf ); 1004 else 1005 ret = mbedtls_des3_crypt_cbc( &ctx3, v, 8, iv, buf, buf ); 1006 if( ret != 0 ) 1007 goto exit; 1008 } 1009 } 1010 else 1011 { 1012 for( j = 0; j < 100; j++ ) 1013 { 1014 unsigned char tmp[8]; 1015 1016 if( u == 0 ) 1017 ret = mbedtls_des_crypt_cbc( &ctx, v, 8, iv, buf, buf ); 1018 else 1019 ret = mbedtls_des3_crypt_cbc( &ctx3, v, 8, iv, buf, buf ); 1020 if( ret != 0 ) 1021 goto exit; 1022 1023 memcpy( tmp, prv, 8 ); 1024 memcpy( prv, buf, 8 ); 1025 memcpy( buf, tmp, 8 ); 1026 } 1027 1028 memcpy( buf, prv, 8 ); 1029 } 1030 1031 if( ( v == MBEDTLS_DES_DECRYPT && 1032 memcmp( buf, des3_test_cbc_dec[u], 8 ) != 0 ) || 1033 ( v != MBEDTLS_DES_DECRYPT && 1034 memcmp( buf, des3_test_cbc_enc[u], 8 ) != 0 ) ) 1035 { 1036 if( verbose != 0 ) 1037 mbedtls_printf( "failed\n" ); 1038 1039 ret = 1; 1040 goto exit; 1041 } 1042 1043 if( verbose != 0 ) 1044 mbedtls_printf( "passed\n" ); 1045 } 1046 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 1047 1048 if( verbose != 0 ) 1049 mbedtls_printf( "\n" ); 1050 1051 exit: 1052 mbedtls_des_free( &ctx ); 1053 mbedtls_des3_free( &ctx3 ); 1054 1055 if( ret != 0 ) 1056 ret = 1; 1057 return( ret ); 1058 } 1059 1060 #endif /* MBEDTLS_SELF_TEST */ 1061 1062 #endif /* MBEDTLS_DES_C */ 1063