1 /* 2 * FIPS-46-3 compliant Triple-DES implementation 3 * 4 * Copyright The Mbed TLS Contributors 5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 6 */ 7 /* 8 * DES, on which TDES is based, was originally designed by Horst Feistel 9 * at IBM in 1974, and was adopted as a standard by NIST (formerly NBS). 10 * 11 * http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf 12 */ 13 14 #include "common.h" 15 16 #if defined(MBEDTLS_DES_C) 17 18 #include "mbedtls/des.h" 19 #include "mbedtls/error.h" 20 #include "mbedtls/platform_util.h" 21 22 #include <string.h> 23 24 #include "mbedtls/platform.h" 25 26 #if !defined(MBEDTLS_DES_ALT) 27 28 /* 29 * Expanded DES S-boxes 30 */ 31 static const uint32_t SB1[64] = 32 { 33 0x01010400, 0x00000000, 0x00010000, 0x01010404, 34 0x01010004, 0x00010404, 0x00000004, 0x00010000, 35 0x00000400, 0x01010400, 0x01010404, 0x00000400, 36 0x01000404, 0x01010004, 0x01000000, 0x00000004, 37 0x00000404, 0x01000400, 0x01000400, 0x00010400, 38 0x00010400, 0x01010000, 0x01010000, 0x01000404, 39 0x00010004, 0x01000004, 0x01000004, 0x00010004, 40 0x00000000, 0x00000404, 0x00010404, 0x01000000, 41 0x00010000, 0x01010404, 0x00000004, 0x01010000, 42 0x01010400, 0x01000000, 0x01000000, 0x00000400, 43 0x01010004, 0x00010000, 0x00010400, 0x01000004, 44 0x00000400, 0x00000004, 0x01000404, 0x00010404, 45 0x01010404, 0x00010004, 0x01010000, 0x01000404, 46 0x01000004, 0x00000404, 0x00010404, 0x01010400, 47 0x00000404, 0x01000400, 0x01000400, 0x00000000, 48 0x00010004, 0x00010400, 0x00000000, 0x01010004 49 }; 50 51 static const uint32_t SB2[64] = 52 { 53 0x80108020, 0x80008000, 0x00008000, 0x00108020, 54 0x00100000, 0x00000020, 0x80100020, 0x80008020, 55 0x80000020, 0x80108020, 0x80108000, 0x80000000, 56 0x80008000, 0x00100000, 0x00000020, 0x80100020, 57 0x00108000, 0x00100020, 0x80008020, 0x00000000, 58 0x80000000, 0x00008000, 0x00108020, 0x80100000, 59 0x00100020, 0x80000020, 0x00000000, 0x00108000, 60 0x00008020, 0x80108000, 0x80100000, 0x00008020, 61 0x00000000, 0x00108020, 0x80100020, 0x00100000, 62 0x80008020, 0x80100000, 0x80108000, 0x00008000, 63 0x80100000, 0x80008000, 0x00000020, 0x80108020, 64 0x00108020, 0x00000020, 0x00008000, 0x80000000, 65 0x00008020, 0x80108000, 0x00100000, 0x80000020, 66 0x00100020, 0x80008020, 0x80000020, 0x00100020, 67 0x00108000, 0x00000000, 0x80008000, 0x00008020, 68 0x80000000, 0x80100020, 0x80108020, 0x00108000 69 }; 70 71 static const uint32_t SB3[64] = 72 { 73 0x00000208, 0x08020200, 0x00000000, 0x08020008, 74 0x08000200, 0x00000000, 0x00020208, 0x08000200, 75 0x00020008, 0x08000008, 0x08000008, 0x00020000, 76 0x08020208, 0x00020008, 0x08020000, 0x00000208, 77 0x08000000, 0x00000008, 0x08020200, 0x00000200, 78 0x00020200, 0x08020000, 0x08020008, 0x00020208, 79 0x08000208, 0x00020200, 0x00020000, 0x08000208, 80 0x00000008, 0x08020208, 0x00000200, 0x08000000, 81 0x08020200, 0x08000000, 0x00020008, 0x00000208, 82 0x00020000, 0x08020200, 0x08000200, 0x00000000, 83 0x00000200, 0x00020008, 0x08020208, 0x08000200, 84 0x08000008, 0x00000200, 0x00000000, 0x08020008, 85 0x08000208, 0x00020000, 0x08000000, 0x08020208, 86 0x00000008, 0x00020208, 0x00020200, 0x08000008, 87 0x08020000, 0x08000208, 0x00000208, 0x08020000, 88 0x00020208, 0x00000008, 0x08020008, 0x00020200 89 }; 90 91 static const uint32_t SB4[64] = 92 { 93 0x00802001, 0x00002081, 0x00002081, 0x00000080, 94 0x00802080, 0x00800081, 0x00800001, 0x00002001, 95 0x00000000, 0x00802000, 0x00802000, 0x00802081, 96 0x00000081, 0x00000000, 0x00800080, 0x00800001, 97 0x00000001, 0x00002000, 0x00800000, 0x00802001, 98 0x00000080, 0x00800000, 0x00002001, 0x00002080, 99 0x00800081, 0x00000001, 0x00002080, 0x00800080, 100 0x00002000, 0x00802080, 0x00802081, 0x00000081, 101 0x00800080, 0x00800001, 0x00802000, 0x00802081, 102 0x00000081, 0x00000000, 0x00000000, 0x00802000, 103 0x00002080, 0x00800080, 0x00800081, 0x00000001, 104 0x00802001, 0x00002081, 0x00002081, 0x00000080, 105 0x00802081, 0x00000081, 0x00000001, 0x00002000, 106 0x00800001, 0x00002001, 0x00802080, 0x00800081, 107 0x00002001, 0x00002080, 0x00800000, 0x00802001, 108 0x00000080, 0x00800000, 0x00002000, 0x00802080 109 }; 110 111 static const uint32_t SB5[64] = 112 { 113 0x00000100, 0x02080100, 0x02080000, 0x42000100, 114 0x00080000, 0x00000100, 0x40000000, 0x02080000, 115 0x40080100, 0x00080000, 0x02000100, 0x40080100, 116 0x42000100, 0x42080000, 0x00080100, 0x40000000, 117 0x02000000, 0x40080000, 0x40080000, 0x00000000, 118 0x40000100, 0x42080100, 0x42080100, 0x02000100, 119 0x42080000, 0x40000100, 0x00000000, 0x42000000, 120 0x02080100, 0x02000000, 0x42000000, 0x00080100, 121 0x00080000, 0x42000100, 0x00000100, 0x02000000, 122 0x40000000, 0x02080000, 0x42000100, 0x40080100, 123 0x02000100, 0x40000000, 0x42080000, 0x02080100, 124 0x40080100, 0x00000100, 0x02000000, 0x42080000, 125 0x42080100, 0x00080100, 0x42000000, 0x42080100, 126 0x02080000, 0x00000000, 0x40080000, 0x42000000, 127 0x00080100, 0x02000100, 0x40000100, 0x00080000, 128 0x00000000, 0x40080000, 0x02080100, 0x40000100 129 }; 130 131 static const uint32_t SB6[64] = 132 { 133 0x20000010, 0x20400000, 0x00004000, 0x20404010, 134 0x20400000, 0x00000010, 0x20404010, 0x00400000, 135 0x20004000, 0x00404010, 0x00400000, 0x20000010, 136 0x00400010, 0x20004000, 0x20000000, 0x00004010, 137 0x00000000, 0x00400010, 0x20004010, 0x00004000, 138 0x00404000, 0x20004010, 0x00000010, 0x20400010, 139 0x20400010, 0x00000000, 0x00404010, 0x20404000, 140 0x00004010, 0x00404000, 0x20404000, 0x20000000, 141 0x20004000, 0x00000010, 0x20400010, 0x00404000, 142 0x20404010, 0x00400000, 0x00004010, 0x20000010, 143 0x00400000, 0x20004000, 0x20000000, 0x00004010, 144 0x20000010, 0x20404010, 0x00404000, 0x20400000, 145 0x00404010, 0x20404000, 0x00000000, 0x20400010, 146 0x00000010, 0x00004000, 0x20400000, 0x00404010, 147 0x00004000, 0x00400010, 0x20004010, 0x00000000, 148 0x20404000, 0x20000000, 0x00400010, 0x20004010 149 }; 150 151 static const uint32_t SB7[64] = 152 { 153 0x00200000, 0x04200002, 0x04000802, 0x00000000, 154 0x00000800, 0x04000802, 0x00200802, 0x04200800, 155 0x04200802, 0x00200000, 0x00000000, 0x04000002, 156 0x00000002, 0x04000000, 0x04200002, 0x00000802, 157 0x04000800, 0x00200802, 0x00200002, 0x04000800, 158 0x04000002, 0x04200000, 0x04200800, 0x00200002, 159 0x04200000, 0x00000800, 0x00000802, 0x04200802, 160 0x00200800, 0x00000002, 0x04000000, 0x00200800, 161 0x04000000, 0x00200800, 0x00200000, 0x04000802, 162 0x04000802, 0x04200002, 0x04200002, 0x00000002, 163 0x00200002, 0x04000000, 0x04000800, 0x00200000, 164 0x04200800, 0x00000802, 0x00200802, 0x04200800, 165 0x00000802, 0x04000002, 0x04200802, 0x04200000, 166 0x00200800, 0x00000000, 0x00000002, 0x04200802, 167 0x00000000, 0x00200802, 0x04200000, 0x00000800, 168 0x04000002, 0x04000800, 0x00000800, 0x00200002 169 }; 170 171 static const uint32_t SB8[64] = 172 { 173 0x10001040, 0x00001000, 0x00040000, 0x10041040, 174 0x10000000, 0x10001040, 0x00000040, 0x10000000, 175 0x00040040, 0x10040000, 0x10041040, 0x00041000, 176 0x10041000, 0x00041040, 0x00001000, 0x00000040, 177 0x10040000, 0x10000040, 0x10001000, 0x00001040, 178 0x00041000, 0x00040040, 0x10040040, 0x10041000, 179 0x00001040, 0x00000000, 0x00000000, 0x10040040, 180 0x10000040, 0x10001000, 0x00041040, 0x00040000, 181 0x00041040, 0x00040000, 0x10041000, 0x00001000, 182 0x00000040, 0x10040040, 0x00001000, 0x00041040, 183 0x10001000, 0x00000040, 0x10000040, 0x10040000, 184 0x10040040, 0x10000000, 0x00040000, 0x10001040, 185 0x00000000, 0x10041040, 0x00040040, 0x10000040, 186 0x10040000, 0x10001000, 0x10001040, 0x00000000, 187 0x10041040, 0x00041000, 0x00041000, 0x00001040, 188 0x00001040, 0x00040040, 0x10000000, 0x10041000 189 }; 190 191 /* 192 * PC1: left and right halves bit-swap 193 */ 194 static const uint32_t LHs[16] = 195 { 196 0x00000000, 0x00000001, 0x00000100, 0x00000101, 197 0x00010000, 0x00010001, 0x00010100, 0x00010101, 198 0x01000000, 0x01000001, 0x01000100, 0x01000101, 199 0x01010000, 0x01010001, 0x01010100, 0x01010101 200 }; 201 202 static const uint32_t RHs[16] = 203 { 204 0x00000000, 0x01000000, 0x00010000, 0x01010000, 205 0x00000100, 0x01000100, 0x00010100, 0x01010100, 206 0x00000001, 0x01000001, 0x00010001, 0x01010001, 207 0x00000101, 0x01000101, 0x00010101, 0x01010101, 208 }; 209 210 /* 211 * Initial Permutation macro 212 */ 213 #define DES_IP(X, Y) \ 214 do \ 215 { \ 216 T = (((X) >> 4) ^ (Y)) & 0x0F0F0F0F; (Y) ^= T; (X) ^= (T << 4); \ 217 T = (((X) >> 16) ^ (Y)) & 0x0000FFFF; (Y) ^= T; (X) ^= (T << 16); \ 218 T = (((Y) >> 2) ^ (X)) & 0x33333333; (X) ^= T; (Y) ^= (T << 2); \ 219 T = (((Y) >> 8) ^ (X)) & 0x00FF00FF; (X) ^= T; (Y) ^= (T << 8); \ 220 (Y) = (((Y) << 1) | ((Y) >> 31)) & 0xFFFFFFFF; \ 221 T = ((X) ^ (Y)) & 0xAAAAAAAA; (Y) ^= T; (X) ^= T; \ 222 (X) = (((X) << 1) | ((X) >> 31)) & 0xFFFFFFFF; \ 223 } while (0) 224 225 /* 226 * Final Permutation macro 227 */ 228 #define DES_FP(X, Y) \ 229 do \ 230 { \ 231 (X) = (((X) << 31) | ((X) >> 1)) & 0xFFFFFFFF; \ 232 T = ((X) ^ (Y)) & 0xAAAAAAAA; (X) ^= T; (Y) ^= T; \ 233 (Y) = (((Y) << 31) | ((Y) >> 1)) & 0xFFFFFFFF; \ 234 T = (((Y) >> 8) ^ (X)) & 0x00FF00FF; (X) ^= T; (Y) ^= (T << 8); \ 235 T = (((Y) >> 2) ^ (X)) & 0x33333333; (X) ^= T; (Y) ^= (T << 2); \ 236 T = (((X) >> 16) ^ (Y)) & 0x0000FFFF; (Y) ^= T; (X) ^= (T << 16); \ 237 T = (((X) >> 4) ^ (Y)) & 0x0F0F0F0F; (Y) ^= T; (X) ^= (T << 4); \ 238 } while (0) 239 240 /* 241 * DES round macro 242 */ 243 #define DES_ROUND(X, Y) \ 244 do \ 245 { \ 246 T = *SK++ ^ (X); \ 247 (Y) ^= SB8[(T) & 0x3F] ^ \ 248 SB6[(T >> 8) & 0x3F] ^ \ 249 SB4[(T >> 16) & 0x3F] ^ \ 250 SB2[(T >> 24) & 0x3F]; \ 251 \ 252 T = *SK++ ^ (((X) << 28) | ((X) >> 4)); \ 253 (Y) ^= SB7[(T) & 0x3F] ^ \ 254 SB5[(T >> 8) & 0x3F] ^ \ 255 SB3[(T >> 16) & 0x3F] ^ \ 256 SB1[(T >> 24) & 0x3F]; \ 257 } while (0) 258 259 #define SWAP(a, b) \ 260 do \ 261 { \ 262 uint32_t t = (a); (a) = (b); (b) = t; t = 0; \ 263 } while (0) 264 265 void mbedtls_des_init(mbedtls_des_context *ctx) 266 { 267 memset(ctx, 0, sizeof(mbedtls_des_context)); 268 } 269 270 void mbedtls_des_free(mbedtls_des_context *ctx) 271 { 272 if (ctx == NULL) { 273 return; 274 } 275 276 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_des_context)); 277 } 278 279 void mbedtls_des3_init(mbedtls_des3_context *ctx) 280 { 281 memset(ctx, 0, sizeof(mbedtls_des3_context)); 282 } 283 284 void mbedtls_des3_free(mbedtls_des3_context *ctx) 285 { 286 if (ctx == NULL) { 287 return; 288 } 289 290 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_des3_context)); 291 } 292 293 static const unsigned char odd_parity_table[128] = { 1, 2, 4, 7, 8, 294 11, 13, 14, 16, 19, 21, 22, 25, 26, 28, 31, 32, 295 35, 37, 38, 41, 42, 44, 296 47, 49, 50, 52, 55, 56, 59, 61, 62, 64, 67, 69, 297 70, 73, 74, 76, 79, 81, 298 82, 84, 87, 88, 91, 93, 94, 97, 98, 100, 103, 299 104, 107, 109, 110, 112, 300 115, 117, 118, 121, 122, 124, 127, 128, 131, 301 133, 134, 137, 138, 140, 302 143, 145, 146, 148, 151, 152, 155, 157, 158, 303 161, 162, 164, 167, 168, 304 171, 173, 174, 176, 179, 181, 182, 185, 186, 305 188, 191, 193, 194, 196, 306 199, 200, 203, 205, 206, 208, 211, 213, 214, 307 217, 218, 220, 223, 224, 308 227, 229, 230, 233, 234, 236, 239, 241, 242, 309 244, 247, 248, 251, 253, 310 254 }; 311 312 void mbedtls_des_key_set_parity(unsigned char key[MBEDTLS_DES_KEY_SIZE]) 313 { 314 int i; 315 316 for (i = 0; i < MBEDTLS_DES_KEY_SIZE; i++) { 317 key[i] = odd_parity_table[key[i] / 2]; 318 } 319 } 320 321 /* 322 * Check the given key's parity, returns 1 on failure, 0 on SUCCESS 323 */ 324 int mbedtls_des_key_check_key_parity(const unsigned char key[MBEDTLS_DES_KEY_SIZE]) 325 { 326 int i; 327 328 for (i = 0; i < MBEDTLS_DES_KEY_SIZE; i++) { 329 if (key[i] != odd_parity_table[key[i] / 2]) { 330 return 1; 331 } 332 } 333 334 return 0; 335 } 336 337 /* 338 * Table of weak and semi-weak keys 339 * 340 * Source: http://en.wikipedia.org/wiki/Weak_key 341 * 342 * Weak: 343 * Alternating ones + zeros (0x0101010101010101) 344 * Alternating 'F' + 'E' (0xFEFEFEFEFEFEFEFE) 345 * '0xE0E0E0E0F1F1F1F1' 346 * '0x1F1F1F1F0E0E0E0E' 347 * 348 * Semi-weak: 349 * 0x011F011F010E010E and 0x1F011F010E010E01 350 * 0x01E001E001F101F1 and 0xE001E001F101F101 351 * 0x01FE01FE01FE01FE and 0xFE01FE01FE01FE01 352 * 0x1FE01FE00EF10EF1 and 0xE01FE01FF10EF10E 353 * 0x1FFE1FFE0EFE0EFE and 0xFE1FFE1FFE0EFE0E 354 * 0xE0FEE0FEF1FEF1FE and 0xFEE0FEE0FEF1FEF1 355 * 356 */ 357 358 #define WEAK_KEY_COUNT 16 359 360 static const unsigned char weak_key_table[WEAK_KEY_COUNT][MBEDTLS_DES_KEY_SIZE] = 361 { 362 { 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 }, 363 { 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE }, 364 { 0x1F, 0x1F, 0x1F, 0x1F, 0x0E, 0x0E, 0x0E, 0x0E }, 365 { 0xE0, 0xE0, 0xE0, 0xE0, 0xF1, 0xF1, 0xF1, 0xF1 }, 366 367 { 0x01, 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E }, 368 { 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E, 0x01 }, 369 { 0x01, 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1 }, 370 { 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1, 0x01 }, 371 { 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE }, 372 { 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01 }, 373 { 0x1F, 0xE0, 0x1F, 0xE0, 0x0E, 0xF1, 0x0E, 0xF1 }, 374 { 0xE0, 0x1F, 0xE0, 0x1F, 0xF1, 0x0E, 0xF1, 0x0E }, 375 { 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E, 0xFE }, 376 { 0xFE, 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E }, 377 { 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1, 0xFE }, 378 { 0xFE, 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1 } 379 }; 380 381 int mbedtls_des_key_check_weak(const unsigned char key[MBEDTLS_DES_KEY_SIZE]) 382 { 383 int i; 384 385 for (i = 0; i < WEAK_KEY_COUNT; i++) { 386 if (memcmp(weak_key_table[i], key, MBEDTLS_DES_KEY_SIZE) == 0) { 387 return 1; 388 } 389 } 390 391 return 0; 392 } 393 394 #if !defined(MBEDTLS_DES_SETKEY_ALT) 395 void mbedtls_des_setkey(uint32_t SK[32], const unsigned char key[MBEDTLS_DES_KEY_SIZE]) 396 { 397 int i; 398 uint32_t X, Y, T; 399 400 X = MBEDTLS_GET_UINT32_BE(key, 0); 401 Y = MBEDTLS_GET_UINT32_BE(key, 4); 402 403 /* 404 * Permuted Choice 1 405 */ 406 T = ((Y >> 4) ^ X) & 0x0F0F0F0F; X ^= T; Y ^= (T << 4); 407 T = ((Y) ^ X) & 0x10101010; X ^= T; Y ^= (T); 408 409 X = (LHs[(X) & 0xF] << 3) | (LHs[(X >> 8) & 0xF] << 2) 410 | (LHs[(X >> 16) & 0xF] << 1) | (LHs[(X >> 24) & 0xF]) 411 | (LHs[(X >> 5) & 0xF] << 7) | (LHs[(X >> 13) & 0xF] << 6) 412 | (LHs[(X >> 21) & 0xF] << 5) | (LHs[(X >> 29) & 0xF] << 4); 413 414 Y = (RHs[(Y >> 1) & 0xF] << 3) | (RHs[(Y >> 9) & 0xF] << 2) 415 | (RHs[(Y >> 17) & 0xF] << 1) | (RHs[(Y >> 25) & 0xF]) 416 | (RHs[(Y >> 4) & 0xF] << 7) | (RHs[(Y >> 12) & 0xF] << 6) 417 | (RHs[(Y >> 20) & 0xF] << 5) | (RHs[(Y >> 28) & 0xF] << 4); 418 419 X &= 0x0FFFFFFF; 420 Y &= 0x0FFFFFFF; 421 422 /* 423 * calculate subkeys 424 */ 425 for (i = 0; i < 16; i++) { 426 if (i < 2 || i == 8 || i == 15) { 427 X = ((X << 1) | (X >> 27)) & 0x0FFFFFFF; 428 Y = ((Y << 1) | (Y >> 27)) & 0x0FFFFFFF; 429 } else { 430 X = ((X << 2) | (X >> 26)) & 0x0FFFFFFF; 431 Y = ((Y << 2) | (Y >> 26)) & 0x0FFFFFFF; 432 } 433 434 *SK++ = ((X << 4) & 0x24000000) | ((X << 28) & 0x10000000) 435 | ((X << 14) & 0x08000000) | ((X << 18) & 0x02080000) 436 | ((X << 6) & 0x01000000) | ((X << 9) & 0x00200000) 437 | ((X >> 1) & 0x00100000) | ((X << 10) & 0x00040000) 438 | ((X << 2) & 0x00020000) | ((X >> 10) & 0x00010000) 439 | ((Y >> 13) & 0x00002000) | ((Y >> 4) & 0x00001000) 440 | ((Y << 6) & 0x00000800) | ((Y >> 1) & 0x00000400) 441 | ((Y >> 14) & 0x00000200) | ((Y) & 0x00000100) 442 | ((Y >> 5) & 0x00000020) | ((Y >> 10) & 0x00000010) 443 | ((Y >> 3) & 0x00000008) | ((Y >> 18) & 0x00000004) 444 | ((Y >> 26) & 0x00000002) | ((Y >> 24) & 0x00000001); 445 446 *SK++ = ((X << 15) & 0x20000000) | ((X << 17) & 0x10000000) 447 | ((X << 10) & 0x08000000) | ((X << 22) & 0x04000000) 448 | ((X >> 2) & 0x02000000) | ((X << 1) & 0x01000000) 449 | ((X << 16) & 0x00200000) | ((X << 11) & 0x00100000) 450 | ((X << 3) & 0x00080000) | ((X >> 6) & 0x00040000) 451 | ((X << 15) & 0x00020000) | ((X >> 4) & 0x00010000) 452 | ((Y >> 2) & 0x00002000) | ((Y << 8) & 0x00001000) 453 | ((Y >> 14) & 0x00000808) | ((Y >> 9) & 0x00000400) 454 | ((Y) & 0x00000200) | ((Y << 7) & 0x00000100) 455 | ((Y >> 7) & 0x00000020) | ((Y >> 3) & 0x00000011) 456 | ((Y << 2) & 0x00000004) | ((Y >> 21) & 0x00000002); 457 } 458 } 459 #endif /* !MBEDTLS_DES_SETKEY_ALT */ 460 461 /* 462 * DES key schedule (56-bit, encryption) 463 */ 464 int mbedtls_des_setkey_enc(mbedtls_des_context *ctx, const unsigned char key[MBEDTLS_DES_KEY_SIZE]) 465 { 466 mbedtls_des_setkey(ctx->sk, key); 467 468 return 0; 469 } 470 471 /* 472 * DES key schedule (56-bit, decryption) 473 */ 474 int mbedtls_des_setkey_dec(mbedtls_des_context *ctx, const unsigned char key[MBEDTLS_DES_KEY_SIZE]) 475 { 476 int i; 477 478 mbedtls_des_setkey(ctx->sk, key); 479 480 for (i = 0; i < 16; i += 2) { 481 SWAP(ctx->sk[i], ctx->sk[30 - i]); 482 SWAP(ctx->sk[i + 1], ctx->sk[31 - i]); 483 } 484 485 return 0; 486 } 487 488 static void des3_set2key(uint32_t esk[96], 489 uint32_t dsk[96], 490 const unsigned char key[MBEDTLS_DES_KEY_SIZE*2]) 491 { 492 int i; 493 494 mbedtls_des_setkey(esk, key); 495 mbedtls_des_setkey(dsk + 32, key + 8); 496 497 for (i = 0; i < 32; i += 2) { 498 dsk[i] = esk[30 - i]; 499 dsk[i + 1] = esk[31 - i]; 500 501 esk[i + 32] = dsk[62 - i]; 502 esk[i + 33] = dsk[63 - i]; 503 504 esk[i + 64] = esk[i]; 505 esk[i + 65] = esk[i + 1]; 506 507 dsk[i + 64] = dsk[i]; 508 dsk[i + 65] = dsk[i + 1]; 509 } 510 } 511 512 /* 513 * Triple-DES key schedule (112-bit, encryption) 514 */ 515 int mbedtls_des3_set2key_enc(mbedtls_des3_context *ctx, 516 const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2]) 517 { 518 uint32_t sk[96]; 519 520 des3_set2key(ctx->sk, sk, key); 521 mbedtls_platform_zeroize(sk, sizeof(sk)); 522 523 return 0; 524 } 525 526 /* 527 * Triple-DES key schedule (112-bit, decryption) 528 */ 529 int mbedtls_des3_set2key_dec(mbedtls_des3_context *ctx, 530 const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2]) 531 { 532 uint32_t sk[96]; 533 534 des3_set2key(sk, ctx->sk, key); 535 mbedtls_platform_zeroize(sk, sizeof(sk)); 536 537 return 0; 538 } 539 540 static void des3_set3key(uint32_t esk[96], 541 uint32_t dsk[96], 542 const unsigned char key[24]) 543 { 544 int i; 545 546 mbedtls_des_setkey(esk, key); 547 mbedtls_des_setkey(dsk + 32, key + 8); 548 mbedtls_des_setkey(esk + 64, key + 16); 549 550 for (i = 0; i < 32; i += 2) { 551 dsk[i] = esk[94 - i]; 552 dsk[i + 1] = esk[95 - i]; 553 554 esk[i + 32] = dsk[62 - i]; 555 esk[i + 33] = dsk[63 - i]; 556 557 dsk[i + 64] = esk[30 - i]; 558 dsk[i + 65] = esk[31 - i]; 559 } 560 } 561 562 /* 563 * Triple-DES key schedule (168-bit, encryption) 564 */ 565 int mbedtls_des3_set3key_enc(mbedtls_des3_context *ctx, 566 const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3]) 567 { 568 uint32_t sk[96]; 569 570 des3_set3key(ctx->sk, sk, key); 571 mbedtls_platform_zeroize(sk, sizeof(sk)); 572 573 return 0; 574 } 575 576 /* 577 * Triple-DES key schedule (168-bit, decryption) 578 */ 579 int mbedtls_des3_set3key_dec(mbedtls_des3_context *ctx, 580 const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3]) 581 { 582 uint32_t sk[96]; 583 584 des3_set3key(sk, ctx->sk, key); 585 mbedtls_platform_zeroize(sk, sizeof(sk)); 586 587 return 0; 588 } 589 590 /* 591 * DES-ECB block encryption/decryption 592 */ 593 #if !defined(MBEDTLS_DES_CRYPT_ECB_ALT) 594 int mbedtls_des_crypt_ecb(mbedtls_des_context *ctx, 595 const unsigned char input[8], 596 unsigned char output[8]) 597 { 598 int i; 599 uint32_t X, Y, T, *SK; 600 601 SK = ctx->sk; 602 603 X = MBEDTLS_GET_UINT32_BE(input, 0); 604 Y = MBEDTLS_GET_UINT32_BE(input, 4); 605 606 DES_IP(X, Y); 607 608 for (i = 0; i < 8; i++) { 609 DES_ROUND(Y, X); 610 DES_ROUND(X, Y); 611 } 612 613 DES_FP(Y, X); 614 615 MBEDTLS_PUT_UINT32_BE(Y, output, 0); 616 MBEDTLS_PUT_UINT32_BE(X, output, 4); 617 618 return 0; 619 } 620 #endif /* !MBEDTLS_DES_CRYPT_ECB_ALT */ 621 622 #if defined(MBEDTLS_CIPHER_MODE_CBC) 623 /* 624 * DES-CBC buffer encryption/decryption 625 */ 626 int mbedtls_des_crypt_cbc(mbedtls_des_context *ctx, 627 int mode, 628 size_t length, 629 unsigned char iv[8], 630 const unsigned char *input, 631 unsigned char *output) 632 { 633 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 634 unsigned char temp[8]; 635 636 if (length % 8) { 637 return MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH; 638 } 639 640 if (mode == MBEDTLS_DES_ENCRYPT) { 641 while (length > 0) { 642 mbedtls_xor(output, input, iv, 8); 643 644 ret = mbedtls_des_crypt_ecb(ctx, output, output); 645 if (ret != 0) { 646 goto exit; 647 } 648 memcpy(iv, output, 8); 649 650 input += 8; 651 output += 8; 652 length -= 8; 653 } 654 } else { /* MBEDTLS_DES_DECRYPT */ 655 while (length > 0) { 656 memcpy(temp, input, 8); 657 ret = mbedtls_des_crypt_ecb(ctx, input, output); 658 if (ret != 0) { 659 goto exit; 660 } 661 662 mbedtls_xor(output, output, iv, 8); 663 664 memcpy(iv, temp, 8); 665 666 input += 8; 667 output += 8; 668 length -= 8; 669 } 670 } 671 ret = 0; 672 673 exit: 674 return ret; 675 } 676 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 677 678 /* 679 * 3DES-ECB block encryption/decryption 680 */ 681 #if !defined(MBEDTLS_DES3_CRYPT_ECB_ALT) 682 int mbedtls_des3_crypt_ecb(mbedtls_des3_context *ctx, 683 const unsigned char input[8], 684 unsigned char output[8]) 685 { 686 int i; 687 uint32_t X, Y, T, *SK; 688 689 SK = ctx->sk; 690 691 X = MBEDTLS_GET_UINT32_BE(input, 0); 692 Y = MBEDTLS_GET_UINT32_BE(input, 4); 693 694 DES_IP(X, Y); 695 696 for (i = 0; i < 8; i++) { 697 DES_ROUND(Y, X); 698 DES_ROUND(X, Y); 699 } 700 701 for (i = 0; i < 8; i++) { 702 DES_ROUND(X, Y); 703 DES_ROUND(Y, X); 704 } 705 706 for (i = 0; i < 8; i++) { 707 DES_ROUND(Y, X); 708 DES_ROUND(X, Y); 709 } 710 711 DES_FP(Y, X); 712 713 MBEDTLS_PUT_UINT32_BE(Y, output, 0); 714 MBEDTLS_PUT_UINT32_BE(X, output, 4); 715 716 return 0; 717 } 718 #endif /* !MBEDTLS_DES3_CRYPT_ECB_ALT */ 719 720 #if defined(MBEDTLS_CIPHER_MODE_CBC) 721 /* 722 * 3DES-CBC buffer encryption/decryption 723 */ 724 int mbedtls_des3_crypt_cbc(mbedtls_des3_context *ctx, 725 int mode, 726 size_t length, 727 unsigned char iv[8], 728 const unsigned char *input, 729 unsigned char *output) 730 { 731 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 732 unsigned char temp[8]; 733 734 if (length % 8) { 735 return MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH; 736 } 737 738 if (mode == MBEDTLS_DES_ENCRYPT) { 739 while (length > 0) { 740 mbedtls_xor(output, input, iv, 8); 741 742 ret = mbedtls_des3_crypt_ecb(ctx, output, output); 743 if (ret != 0) { 744 goto exit; 745 } 746 memcpy(iv, output, 8); 747 748 input += 8; 749 output += 8; 750 length -= 8; 751 } 752 } else { /* MBEDTLS_DES_DECRYPT */ 753 while (length > 0) { 754 memcpy(temp, input, 8); 755 ret = mbedtls_des3_crypt_ecb(ctx, input, output); 756 if (ret != 0) { 757 goto exit; 758 } 759 760 mbedtls_xor(output, output, iv, 8); 761 762 memcpy(iv, temp, 8); 763 764 input += 8; 765 output += 8; 766 length -= 8; 767 } 768 } 769 ret = 0; 770 771 exit: 772 return ret; 773 } 774 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 775 776 #endif /* !MBEDTLS_DES_ALT */ 777 778 #if defined(MBEDTLS_SELF_TEST) 779 /* 780 * DES and 3DES test vectors from: 781 * 782 * http://csrc.nist.gov/groups/STM/cavp/documents/des/tripledes-vectors.zip 783 */ 784 static const unsigned char des3_test_keys[24] = 785 { 786 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 787 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01, 788 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01, 0x23 789 }; 790 791 static const unsigned char des3_test_buf[8] = 792 { 793 0x4E, 0x6F, 0x77, 0x20, 0x69, 0x73, 0x20, 0x74 794 }; 795 796 static const unsigned char des3_test_ecb_dec[3][8] = 797 { 798 { 0x37, 0x2B, 0x98, 0xBF, 0x52, 0x65, 0xB0, 0x59 }, 799 { 0xC2, 0x10, 0x19, 0x9C, 0x38, 0x5A, 0x65, 0xA1 }, 800 { 0xA2, 0x70, 0x56, 0x68, 0x69, 0xE5, 0x15, 0x1D } 801 }; 802 803 static const unsigned char des3_test_ecb_enc[3][8] = 804 { 805 { 0x1C, 0xD5, 0x97, 0xEA, 0x84, 0x26, 0x73, 0xFB }, 806 { 0xB3, 0x92, 0x4D, 0xF3, 0xC5, 0xB5, 0x42, 0x93 }, 807 { 0xDA, 0x37, 0x64, 0x41, 0xBA, 0x6F, 0x62, 0x6F } 808 }; 809 810 #if defined(MBEDTLS_CIPHER_MODE_CBC) 811 static const unsigned char des3_test_iv[8] = 812 { 813 0x12, 0x34, 0x56, 0x78, 0x90, 0xAB, 0xCD, 0xEF, 814 }; 815 816 static const unsigned char des3_test_cbc_dec[3][8] = 817 { 818 { 0x58, 0xD9, 0x48, 0xEF, 0x85, 0x14, 0x65, 0x9A }, 819 { 0x5F, 0xC8, 0x78, 0xD4, 0xD7, 0x92, 0xD9, 0x54 }, 820 { 0x25, 0xF9, 0x75, 0x85, 0xA8, 0x1E, 0x48, 0xBF } 821 }; 822 823 static const unsigned char des3_test_cbc_enc[3][8] = 824 { 825 { 0x91, 0x1C, 0x6D, 0xCF, 0x48, 0xA7, 0xC3, 0x4D }, 826 { 0x60, 0x1A, 0x76, 0x8F, 0xA1, 0xF9, 0x66, 0xF1 }, 827 { 0xA1, 0x50, 0x0F, 0x99, 0xB2, 0xCD, 0x64, 0x76 } 828 }; 829 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 830 831 /* 832 * Checkup routine 833 */ 834 int mbedtls_des_self_test(int verbose) 835 { 836 int i, j, u, v, ret = 0; 837 mbedtls_des_context ctx; 838 mbedtls_des3_context ctx3; 839 unsigned char buf[8]; 840 #if defined(MBEDTLS_CIPHER_MODE_CBC) 841 unsigned char prv[8]; 842 unsigned char iv[8]; 843 #endif 844 845 mbedtls_des_init(&ctx); 846 mbedtls_des3_init(&ctx3); 847 /* 848 * ECB mode 849 */ 850 for (i = 0; i < 6; i++) { 851 u = i >> 1; 852 v = i & 1; 853 854 if (verbose != 0) { 855 mbedtls_printf(" DES%c-ECB-%3d (%s): ", 856 (u == 0) ? ' ' : '3', 56 + u * 56, 857 (v == MBEDTLS_DES_DECRYPT) ? "dec" : "enc"); 858 } 859 860 memcpy(buf, des3_test_buf, 8); 861 862 switch (i) { 863 case 0: 864 ret = mbedtls_des_setkey_dec(&ctx, des3_test_keys); 865 break; 866 867 case 1: 868 ret = mbedtls_des_setkey_enc(&ctx, des3_test_keys); 869 break; 870 871 case 2: 872 ret = mbedtls_des3_set2key_dec(&ctx3, des3_test_keys); 873 break; 874 875 case 3: 876 ret = mbedtls_des3_set2key_enc(&ctx3, des3_test_keys); 877 break; 878 879 case 4: 880 ret = mbedtls_des3_set3key_dec(&ctx3, des3_test_keys); 881 break; 882 883 case 5: 884 ret = mbedtls_des3_set3key_enc(&ctx3, des3_test_keys); 885 break; 886 887 default: 888 return 1; 889 } 890 if (ret != 0) { 891 goto exit; 892 } 893 894 for (j = 0; j < 100; j++) { 895 if (u == 0) { 896 ret = mbedtls_des_crypt_ecb(&ctx, buf, buf); 897 } else { 898 ret = mbedtls_des3_crypt_ecb(&ctx3, buf, buf); 899 } 900 if (ret != 0) { 901 goto exit; 902 } 903 } 904 905 if ((v == MBEDTLS_DES_DECRYPT && 906 memcmp(buf, des3_test_ecb_dec[u], 8) != 0) || 907 (v != MBEDTLS_DES_DECRYPT && 908 memcmp(buf, des3_test_ecb_enc[u], 8) != 0)) { 909 if (verbose != 0) { 910 mbedtls_printf("failed\n"); 911 } 912 913 ret = 1; 914 goto exit; 915 } 916 917 if (verbose != 0) { 918 mbedtls_printf("passed\n"); 919 } 920 } 921 922 if (verbose != 0) { 923 mbedtls_printf("\n"); 924 } 925 926 #if defined(MBEDTLS_CIPHER_MODE_CBC) 927 /* 928 * CBC mode 929 */ 930 for (i = 0; i < 6; i++) { 931 u = i >> 1; 932 v = i & 1; 933 934 if (verbose != 0) { 935 mbedtls_printf(" DES%c-CBC-%3d (%s): ", 936 (u == 0) ? ' ' : '3', 56 + u * 56, 937 (v == MBEDTLS_DES_DECRYPT) ? "dec" : "enc"); 938 } 939 940 memcpy(iv, des3_test_iv, 8); 941 memcpy(prv, des3_test_iv, 8); 942 memcpy(buf, des3_test_buf, 8); 943 944 switch (i) { 945 case 0: 946 ret = mbedtls_des_setkey_dec(&ctx, des3_test_keys); 947 break; 948 949 case 1: 950 ret = mbedtls_des_setkey_enc(&ctx, des3_test_keys); 951 break; 952 953 case 2: 954 ret = mbedtls_des3_set2key_dec(&ctx3, des3_test_keys); 955 break; 956 957 case 3: 958 ret = mbedtls_des3_set2key_enc(&ctx3, des3_test_keys); 959 break; 960 961 case 4: 962 ret = mbedtls_des3_set3key_dec(&ctx3, des3_test_keys); 963 break; 964 965 case 5: 966 ret = mbedtls_des3_set3key_enc(&ctx3, des3_test_keys); 967 break; 968 969 default: 970 return 1; 971 } 972 if (ret != 0) { 973 goto exit; 974 } 975 976 if (v == MBEDTLS_DES_DECRYPT) { 977 for (j = 0; j < 100; j++) { 978 if (u == 0) { 979 ret = mbedtls_des_crypt_cbc(&ctx, v, 8, iv, buf, buf); 980 } else { 981 ret = mbedtls_des3_crypt_cbc(&ctx3, v, 8, iv, buf, buf); 982 } 983 if (ret != 0) { 984 goto exit; 985 } 986 } 987 } else { 988 for (j = 0; j < 100; j++) { 989 unsigned char tmp[8]; 990 991 if (u == 0) { 992 ret = mbedtls_des_crypt_cbc(&ctx, v, 8, iv, buf, buf); 993 } else { 994 ret = mbedtls_des3_crypt_cbc(&ctx3, v, 8, iv, buf, buf); 995 } 996 if (ret != 0) { 997 goto exit; 998 } 999 1000 memcpy(tmp, prv, 8); 1001 memcpy(prv, buf, 8); 1002 memcpy(buf, tmp, 8); 1003 } 1004 1005 memcpy(buf, prv, 8); 1006 } 1007 1008 if ((v == MBEDTLS_DES_DECRYPT && 1009 memcmp(buf, des3_test_cbc_dec[u], 8) != 0) || 1010 (v != MBEDTLS_DES_DECRYPT && 1011 memcmp(buf, des3_test_cbc_enc[u], 8) != 0)) { 1012 if (verbose != 0) { 1013 mbedtls_printf("failed\n"); 1014 } 1015 1016 ret = 1; 1017 goto exit; 1018 } 1019 1020 if (verbose != 0) { 1021 mbedtls_printf("passed\n"); 1022 } 1023 } 1024 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 1025 1026 if (verbose != 0) { 1027 mbedtls_printf("\n"); 1028 } 1029 1030 exit: 1031 mbedtls_des_free(&ctx); 1032 mbedtls_des3_free(&ctx3); 1033 1034 if (ret != 0) { 1035 ret = 1; 1036 } 1037 return ret; 1038 } 1039 1040 #endif /* MBEDTLS_SELF_TEST */ 1041 1042 #endif /* MBEDTLS_DES_C */ 1043