1 // SPDX-License-Identifier: Apache-2.0 2 /* 3 * FIPS-46-3 compliant Triple-DES implementation 4 * 5 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved 6 * 7 * Licensed under the Apache License, Version 2.0 (the "License"); you may 8 * not use this file except in compliance with the License. 9 * You may obtain a copy of the License at 10 * 11 * http://www.apache.org/licenses/LICENSE-2.0 12 * 13 * Unless required by applicable law or agreed to in writing, software 14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 * See the License for the specific language governing permissions and 17 * limitations under the License. 18 * 19 * This file is part of mbed TLS (https://tls.mbed.org) 20 */ 21 /* 22 * DES, on which TDES is based, was originally designed by Horst Feistel 23 * at IBM in 1974, and was adopted as a standard by NIST (formerly NBS). 24 * 25 * http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf 26 */ 27 28 #if !defined(MBEDTLS_CONFIG_FILE) 29 #include "mbedtls/config.h" 30 #else 31 #include MBEDTLS_CONFIG_FILE 32 #endif 33 34 #if defined(MBEDTLS_DES_C) 35 36 #include "mbedtls/des.h" 37 #include "mbedtls/platform_util.h" 38 39 #include <string.h> 40 41 #if defined(MBEDTLS_SELF_TEST) 42 #if defined(MBEDTLS_PLATFORM_C) 43 #include "mbedtls/platform.h" 44 #else 45 #include <stdio.h> 46 #define mbedtls_printf printf 47 #endif /* MBEDTLS_PLATFORM_C */ 48 #endif /* MBEDTLS_SELF_TEST */ 49 50 #if !defined(MBEDTLS_DES_ALT) 51 52 /* 53 * 32-bit integer manipulation macros (big endian) 54 */ 55 #ifndef GET_UINT32_BE 56 #define GET_UINT32_BE(n,b,i) \ 57 { \ 58 (n) = ( (uint32_t) (b)[(i) ] << 24 ) \ 59 | ( (uint32_t) (b)[(i) + 1] << 16 ) \ 60 | ( (uint32_t) (b)[(i) + 2] << 8 ) \ 61 | ( (uint32_t) (b)[(i) + 3] ); \ 62 } 63 #endif 64 65 #ifndef PUT_UINT32_BE 66 #define PUT_UINT32_BE(n,b,i) \ 67 { \ 68 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \ 69 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \ 70 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \ 71 (b)[(i) + 3] = (unsigned char) ( (n) ); \ 72 } 73 #endif 74 75 /* 76 * Expanded DES S-boxes 77 */ 78 static const uint32_t SB1[64] = 79 { 80 0x01010400, 0x00000000, 0x00010000, 0x01010404, 81 0x01010004, 0x00010404, 0x00000004, 0x00010000, 82 0x00000400, 0x01010400, 0x01010404, 0x00000400, 83 0x01000404, 0x01010004, 0x01000000, 0x00000004, 84 0x00000404, 0x01000400, 0x01000400, 0x00010400, 85 0x00010400, 0x01010000, 0x01010000, 0x01000404, 86 0x00010004, 0x01000004, 0x01000004, 0x00010004, 87 0x00000000, 0x00000404, 0x00010404, 0x01000000, 88 0x00010000, 0x01010404, 0x00000004, 0x01010000, 89 0x01010400, 0x01000000, 0x01000000, 0x00000400, 90 0x01010004, 0x00010000, 0x00010400, 0x01000004, 91 0x00000400, 0x00000004, 0x01000404, 0x00010404, 92 0x01010404, 0x00010004, 0x01010000, 0x01000404, 93 0x01000004, 0x00000404, 0x00010404, 0x01010400, 94 0x00000404, 0x01000400, 0x01000400, 0x00000000, 95 0x00010004, 0x00010400, 0x00000000, 0x01010004 96 }; 97 98 static const uint32_t SB2[64] = 99 { 100 0x80108020, 0x80008000, 0x00008000, 0x00108020, 101 0x00100000, 0x00000020, 0x80100020, 0x80008020, 102 0x80000020, 0x80108020, 0x80108000, 0x80000000, 103 0x80008000, 0x00100000, 0x00000020, 0x80100020, 104 0x00108000, 0x00100020, 0x80008020, 0x00000000, 105 0x80000000, 0x00008000, 0x00108020, 0x80100000, 106 0x00100020, 0x80000020, 0x00000000, 0x00108000, 107 0x00008020, 0x80108000, 0x80100000, 0x00008020, 108 0x00000000, 0x00108020, 0x80100020, 0x00100000, 109 0x80008020, 0x80100000, 0x80108000, 0x00008000, 110 0x80100000, 0x80008000, 0x00000020, 0x80108020, 111 0x00108020, 0x00000020, 0x00008000, 0x80000000, 112 0x00008020, 0x80108000, 0x00100000, 0x80000020, 113 0x00100020, 0x80008020, 0x80000020, 0x00100020, 114 0x00108000, 0x00000000, 0x80008000, 0x00008020, 115 0x80000000, 0x80100020, 0x80108020, 0x00108000 116 }; 117 118 static const uint32_t SB3[64] = 119 { 120 0x00000208, 0x08020200, 0x00000000, 0x08020008, 121 0x08000200, 0x00000000, 0x00020208, 0x08000200, 122 0x00020008, 0x08000008, 0x08000008, 0x00020000, 123 0x08020208, 0x00020008, 0x08020000, 0x00000208, 124 0x08000000, 0x00000008, 0x08020200, 0x00000200, 125 0x00020200, 0x08020000, 0x08020008, 0x00020208, 126 0x08000208, 0x00020200, 0x00020000, 0x08000208, 127 0x00000008, 0x08020208, 0x00000200, 0x08000000, 128 0x08020200, 0x08000000, 0x00020008, 0x00000208, 129 0x00020000, 0x08020200, 0x08000200, 0x00000000, 130 0x00000200, 0x00020008, 0x08020208, 0x08000200, 131 0x08000008, 0x00000200, 0x00000000, 0x08020008, 132 0x08000208, 0x00020000, 0x08000000, 0x08020208, 133 0x00000008, 0x00020208, 0x00020200, 0x08000008, 134 0x08020000, 0x08000208, 0x00000208, 0x08020000, 135 0x00020208, 0x00000008, 0x08020008, 0x00020200 136 }; 137 138 static const uint32_t SB4[64] = 139 { 140 0x00802001, 0x00002081, 0x00002081, 0x00000080, 141 0x00802080, 0x00800081, 0x00800001, 0x00002001, 142 0x00000000, 0x00802000, 0x00802000, 0x00802081, 143 0x00000081, 0x00000000, 0x00800080, 0x00800001, 144 0x00000001, 0x00002000, 0x00800000, 0x00802001, 145 0x00000080, 0x00800000, 0x00002001, 0x00002080, 146 0x00800081, 0x00000001, 0x00002080, 0x00800080, 147 0x00002000, 0x00802080, 0x00802081, 0x00000081, 148 0x00800080, 0x00800001, 0x00802000, 0x00802081, 149 0x00000081, 0x00000000, 0x00000000, 0x00802000, 150 0x00002080, 0x00800080, 0x00800081, 0x00000001, 151 0x00802001, 0x00002081, 0x00002081, 0x00000080, 152 0x00802081, 0x00000081, 0x00000001, 0x00002000, 153 0x00800001, 0x00002001, 0x00802080, 0x00800081, 154 0x00002001, 0x00002080, 0x00800000, 0x00802001, 155 0x00000080, 0x00800000, 0x00002000, 0x00802080 156 }; 157 158 static const uint32_t SB5[64] = 159 { 160 0x00000100, 0x02080100, 0x02080000, 0x42000100, 161 0x00080000, 0x00000100, 0x40000000, 0x02080000, 162 0x40080100, 0x00080000, 0x02000100, 0x40080100, 163 0x42000100, 0x42080000, 0x00080100, 0x40000000, 164 0x02000000, 0x40080000, 0x40080000, 0x00000000, 165 0x40000100, 0x42080100, 0x42080100, 0x02000100, 166 0x42080000, 0x40000100, 0x00000000, 0x42000000, 167 0x02080100, 0x02000000, 0x42000000, 0x00080100, 168 0x00080000, 0x42000100, 0x00000100, 0x02000000, 169 0x40000000, 0x02080000, 0x42000100, 0x40080100, 170 0x02000100, 0x40000000, 0x42080000, 0x02080100, 171 0x40080100, 0x00000100, 0x02000000, 0x42080000, 172 0x42080100, 0x00080100, 0x42000000, 0x42080100, 173 0x02080000, 0x00000000, 0x40080000, 0x42000000, 174 0x00080100, 0x02000100, 0x40000100, 0x00080000, 175 0x00000000, 0x40080000, 0x02080100, 0x40000100 176 }; 177 178 static const uint32_t SB6[64] = 179 { 180 0x20000010, 0x20400000, 0x00004000, 0x20404010, 181 0x20400000, 0x00000010, 0x20404010, 0x00400000, 182 0x20004000, 0x00404010, 0x00400000, 0x20000010, 183 0x00400010, 0x20004000, 0x20000000, 0x00004010, 184 0x00000000, 0x00400010, 0x20004010, 0x00004000, 185 0x00404000, 0x20004010, 0x00000010, 0x20400010, 186 0x20400010, 0x00000000, 0x00404010, 0x20404000, 187 0x00004010, 0x00404000, 0x20404000, 0x20000000, 188 0x20004000, 0x00000010, 0x20400010, 0x00404000, 189 0x20404010, 0x00400000, 0x00004010, 0x20000010, 190 0x00400000, 0x20004000, 0x20000000, 0x00004010, 191 0x20000010, 0x20404010, 0x00404000, 0x20400000, 192 0x00404010, 0x20404000, 0x00000000, 0x20400010, 193 0x00000010, 0x00004000, 0x20400000, 0x00404010, 194 0x00004000, 0x00400010, 0x20004010, 0x00000000, 195 0x20404000, 0x20000000, 0x00400010, 0x20004010 196 }; 197 198 static const uint32_t SB7[64] = 199 { 200 0x00200000, 0x04200002, 0x04000802, 0x00000000, 201 0x00000800, 0x04000802, 0x00200802, 0x04200800, 202 0x04200802, 0x00200000, 0x00000000, 0x04000002, 203 0x00000002, 0x04000000, 0x04200002, 0x00000802, 204 0x04000800, 0x00200802, 0x00200002, 0x04000800, 205 0x04000002, 0x04200000, 0x04200800, 0x00200002, 206 0x04200000, 0x00000800, 0x00000802, 0x04200802, 207 0x00200800, 0x00000002, 0x04000000, 0x00200800, 208 0x04000000, 0x00200800, 0x00200000, 0x04000802, 209 0x04000802, 0x04200002, 0x04200002, 0x00000002, 210 0x00200002, 0x04000000, 0x04000800, 0x00200000, 211 0x04200800, 0x00000802, 0x00200802, 0x04200800, 212 0x00000802, 0x04000002, 0x04200802, 0x04200000, 213 0x00200800, 0x00000000, 0x00000002, 0x04200802, 214 0x00000000, 0x00200802, 0x04200000, 0x00000800, 215 0x04000002, 0x04000800, 0x00000800, 0x00200002 216 }; 217 218 static const uint32_t SB8[64] = 219 { 220 0x10001040, 0x00001000, 0x00040000, 0x10041040, 221 0x10000000, 0x10001040, 0x00000040, 0x10000000, 222 0x00040040, 0x10040000, 0x10041040, 0x00041000, 223 0x10041000, 0x00041040, 0x00001000, 0x00000040, 224 0x10040000, 0x10000040, 0x10001000, 0x00001040, 225 0x00041000, 0x00040040, 0x10040040, 0x10041000, 226 0x00001040, 0x00000000, 0x00000000, 0x10040040, 227 0x10000040, 0x10001000, 0x00041040, 0x00040000, 228 0x00041040, 0x00040000, 0x10041000, 0x00001000, 229 0x00000040, 0x10040040, 0x00001000, 0x00041040, 230 0x10001000, 0x00000040, 0x10000040, 0x10040000, 231 0x10040040, 0x10000000, 0x00040000, 0x10001040, 232 0x00000000, 0x10041040, 0x00040040, 0x10000040, 233 0x10040000, 0x10001000, 0x10001040, 0x00000000, 234 0x10041040, 0x00041000, 0x00041000, 0x00001040, 235 0x00001040, 0x00040040, 0x10000000, 0x10041000 236 }; 237 238 /* 239 * PC1: left and right halves bit-swap 240 */ 241 static const uint32_t LHs[16] = 242 { 243 0x00000000, 0x00000001, 0x00000100, 0x00000101, 244 0x00010000, 0x00010001, 0x00010100, 0x00010101, 245 0x01000000, 0x01000001, 0x01000100, 0x01000101, 246 0x01010000, 0x01010001, 0x01010100, 0x01010101 247 }; 248 249 static const uint32_t RHs[16] = 250 { 251 0x00000000, 0x01000000, 0x00010000, 0x01010000, 252 0x00000100, 0x01000100, 0x00010100, 0x01010100, 253 0x00000001, 0x01000001, 0x00010001, 0x01010001, 254 0x00000101, 0x01000101, 0x00010101, 0x01010101, 255 }; 256 257 /* 258 * Initial Permutation macro 259 */ 260 #define DES_IP(X,Y) \ 261 do \ 262 { \ 263 T = (((X) >> 4) ^ (Y)) & 0x0F0F0F0F; (Y) ^= T; (X) ^= (T << 4); \ 264 T = (((X) >> 16) ^ (Y)) & 0x0000FFFF; (Y) ^= T; (X) ^= (T << 16); \ 265 T = (((Y) >> 2) ^ (X)) & 0x33333333; (X) ^= T; (Y) ^= (T << 2); \ 266 T = (((Y) >> 8) ^ (X)) & 0x00FF00FF; (X) ^= T; (Y) ^= (T << 8); \ 267 (Y) = (((Y) << 1) | ((Y) >> 31)) & 0xFFFFFFFF; \ 268 T = ((X) ^ (Y)) & 0xAAAAAAAA; (Y) ^= T; (X) ^= T; \ 269 (X) = (((X) << 1) | ((X) >> 31)) & 0xFFFFFFFF; \ 270 } while( 0 ) 271 272 /* 273 * Final Permutation macro 274 */ 275 #define DES_FP(X,Y) \ 276 do \ 277 { \ 278 (X) = (((X) << 31) | ((X) >> 1)) & 0xFFFFFFFF; \ 279 T = ((X) ^ (Y)) & 0xAAAAAAAA; (X) ^= T; (Y) ^= T; \ 280 (Y) = (((Y) << 31) | ((Y) >> 1)) & 0xFFFFFFFF; \ 281 T = (((Y) >> 8) ^ (X)) & 0x00FF00FF; (X) ^= T; (Y) ^= (T << 8); \ 282 T = (((Y) >> 2) ^ (X)) & 0x33333333; (X) ^= T; (Y) ^= (T << 2); \ 283 T = (((X) >> 16) ^ (Y)) & 0x0000FFFF; (Y) ^= T; (X) ^= (T << 16); \ 284 T = (((X) >> 4) ^ (Y)) & 0x0F0F0F0F; (Y) ^= T; (X) ^= (T << 4); \ 285 } while( 0 ) 286 287 /* 288 * DES round macro 289 */ 290 #define DES_ROUND(X,Y) \ 291 do \ 292 { \ 293 T = *SK++ ^ (X); \ 294 (Y) ^= SB8[ (T ) & 0x3F ] ^ \ 295 SB6[ (T >> 8) & 0x3F ] ^ \ 296 SB4[ (T >> 16) & 0x3F ] ^ \ 297 SB2[ (T >> 24) & 0x3F ]; \ 298 \ 299 T = *SK++ ^ (((X) << 28) | ((X) >> 4)); \ 300 (Y) ^= SB7[ (T ) & 0x3F ] ^ \ 301 SB5[ (T >> 8) & 0x3F ] ^ \ 302 SB3[ (T >> 16) & 0x3F ] ^ \ 303 SB1[ (T >> 24) & 0x3F ]; \ 304 } while( 0 ) 305 306 #define SWAP(a,b) \ 307 do \ 308 { \ 309 uint32_t t = (a); (a) = (b); (b) = t; t = 0; \ 310 } while( 0 ) 311 312 void mbedtls_des_init( mbedtls_des_context *ctx ) 313 { 314 memset( ctx, 0, sizeof( mbedtls_des_context ) ); 315 } 316 317 void mbedtls_des_free( mbedtls_des_context *ctx ) 318 { 319 if( ctx == NULL ) 320 return; 321 322 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_des_context ) ); 323 } 324 325 void mbedtls_des3_init( mbedtls_des3_context *ctx ) 326 { 327 memset( ctx, 0, sizeof( mbedtls_des3_context ) ); 328 } 329 330 void mbedtls_des3_free( mbedtls_des3_context *ctx ) 331 { 332 if( ctx == NULL ) 333 return; 334 335 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_des3_context ) ); 336 } 337 338 static const unsigned char odd_parity_table[128] = { 1, 2, 4, 7, 8, 339 11, 13, 14, 16, 19, 21, 22, 25, 26, 28, 31, 32, 35, 37, 38, 41, 42, 44, 340 47, 49, 50, 52, 55, 56, 59, 61, 62, 64, 67, 69, 70, 73, 74, 76, 79, 81, 341 82, 84, 87, 88, 91, 93, 94, 97, 98, 100, 103, 104, 107, 109, 110, 112, 342 115, 117, 118, 121, 122, 124, 127, 128, 131, 133, 134, 137, 138, 140, 343 143, 145, 146, 148, 151, 152, 155, 157, 158, 161, 162, 164, 167, 168, 344 171, 173, 174, 176, 179, 181, 182, 185, 186, 188, 191, 193, 194, 196, 345 199, 200, 203, 205, 206, 208, 211, 213, 214, 217, 218, 220, 223, 224, 346 227, 229, 230, 233, 234, 236, 239, 241, 242, 244, 247, 248, 251, 253, 347 254 }; 348 349 void mbedtls_des_key_set_parity( unsigned char key[MBEDTLS_DES_KEY_SIZE] ) 350 { 351 int i; 352 353 for( i = 0; i < MBEDTLS_DES_KEY_SIZE; i++ ) 354 key[i] = odd_parity_table[key[i] / 2]; 355 } 356 357 /* 358 * Check the given key's parity, returns 1 on failure, 0 on SUCCESS 359 */ 360 int mbedtls_des_key_check_key_parity( const unsigned char key[MBEDTLS_DES_KEY_SIZE] ) 361 { 362 int i; 363 364 for( i = 0; i < MBEDTLS_DES_KEY_SIZE; i++ ) 365 if( key[i] != odd_parity_table[key[i] / 2] ) 366 return( 1 ); 367 368 return( 0 ); 369 } 370 371 /* 372 * Table of weak and semi-weak keys 373 * 374 * Source: http://en.wikipedia.org/wiki/Weak_key 375 * 376 * Weak: 377 * Alternating ones + zeros (0x0101010101010101) 378 * Alternating 'F' + 'E' (0xFEFEFEFEFEFEFEFE) 379 * '0xE0E0E0E0F1F1F1F1' 380 * '0x1F1F1F1F0E0E0E0E' 381 * 382 * Semi-weak: 383 * 0x011F011F010E010E and 0x1F011F010E010E01 384 * 0x01E001E001F101F1 and 0xE001E001F101F101 385 * 0x01FE01FE01FE01FE and 0xFE01FE01FE01FE01 386 * 0x1FE01FE00EF10EF1 and 0xE01FE01FF10EF10E 387 * 0x1FFE1FFE0EFE0EFE and 0xFE1FFE1FFE0EFE0E 388 * 0xE0FEE0FEF1FEF1FE and 0xFEE0FEE0FEF1FEF1 389 * 390 */ 391 392 #define WEAK_KEY_COUNT 16 393 394 static const unsigned char weak_key_table[WEAK_KEY_COUNT][MBEDTLS_DES_KEY_SIZE] = 395 { 396 { 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 }, 397 { 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE }, 398 { 0x1F, 0x1F, 0x1F, 0x1F, 0x0E, 0x0E, 0x0E, 0x0E }, 399 { 0xE0, 0xE0, 0xE0, 0xE0, 0xF1, 0xF1, 0xF1, 0xF1 }, 400 401 { 0x01, 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E }, 402 { 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E, 0x01 }, 403 { 0x01, 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1 }, 404 { 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1, 0x01 }, 405 { 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE }, 406 { 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01 }, 407 { 0x1F, 0xE0, 0x1F, 0xE0, 0x0E, 0xF1, 0x0E, 0xF1 }, 408 { 0xE0, 0x1F, 0xE0, 0x1F, 0xF1, 0x0E, 0xF1, 0x0E }, 409 { 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E, 0xFE }, 410 { 0xFE, 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E }, 411 { 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1, 0xFE }, 412 { 0xFE, 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1 } 413 }; 414 415 int mbedtls_des_key_check_weak( const unsigned char key[MBEDTLS_DES_KEY_SIZE] ) 416 { 417 int i; 418 419 for( i = 0; i < WEAK_KEY_COUNT; i++ ) 420 if( memcmp( weak_key_table[i], key, MBEDTLS_DES_KEY_SIZE) == 0 ) 421 return( 1 ); 422 423 return( 0 ); 424 } 425 426 #if !defined(MBEDTLS_DES_SETKEY_ALT) 427 void mbedtls_des_setkey( uint32_t SK[32], const unsigned char key[MBEDTLS_DES_KEY_SIZE] ) 428 { 429 int i; 430 uint32_t X, Y, T; 431 432 GET_UINT32_BE( X, key, 0 ); 433 GET_UINT32_BE( Y, key, 4 ); 434 435 /* 436 * Permuted Choice 1 437 */ 438 T = ((Y >> 4) ^ X) & 0x0F0F0F0F; X ^= T; Y ^= (T << 4); 439 T = ((Y ) ^ X) & 0x10101010; X ^= T; Y ^= (T ); 440 441 X = (LHs[ (X ) & 0xF] << 3) | (LHs[ (X >> 8) & 0xF ] << 2) 442 | (LHs[ (X >> 16) & 0xF] << 1) | (LHs[ (X >> 24) & 0xF ] ) 443 | (LHs[ (X >> 5) & 0xF] << 7) | (LHs[ (X >> 13) & 0xF ] << 6) 444 | (LHs[ (X >> 21) & 0xF] << 5) | (LHs[ (X >> 29) & 0xF ] << 4); 445 446 Y = (RHs[ (Y >> 1) & 0xF] << 3) | (RHs[ (Y >> 9) & 0xF ] << 2) 447 | (RHs[ (Y >> 17) & 0xF] << 1) | (RHs[ (Y >> 25) & 0xF ] ) 448 | (RHs[ (Y >> 4) & 0xF] << 7) | (RHs[ (Y >> 12) & 0xF ] << 6) 449 | (RHs[ (Y >> 20) & 0xF] << 5) | (RHs[ (Y >> 28) & 0xF ] << 4); 450 451 X &= 0x0FFFFFFF; 452 Y &= 0x0FFFFFFF; 453 454 /* 455 * calculate subkeys 456 */ 457 for( i = 0; i < 16; i++ ) 458 { 459 if( i < 2 || i == 8 || i == 15 ) 460 { 461 X = ((X << 1) | (X >> 27)) & 0x0FFFFFFF; 462 Y = ((Y << 1) | (Y >> 27)) & 0x0FFFFFFF; 463 } 464 else 465 { 466 X = ((X << 2) | (X >> 26)) & 0x0FFFFFFF; 467 Y = ((Y << 2) | (Y >> 26)) & 0x0FFFFFFF; 468 } 469 470 *SK++ = ((X << 4) & 0x24000000) | ((X << 28) & 0x10000000) 471 | ((X << 14) & 0x08000000) | ((X << 18) & 0x02080000) 472 | ((X << 6) & 0x01000000) | ((X << 9) & 0x00200000) 473 | ((X >> 1) & 0x00100000) | ((X << 10) & 0x00040000) 474 | ((X << 2) & 0x00020000) | ((X >> 10) & 0x00010000) 475 | ((Y >> 13) & 0x00002000) | ((Y >> 4) & 0x00001000) 476 | ((Y << 6) & 0x00000800) | ((Y >> 1) & 0x00000400) 477 | ((Y >> 14) & 0x00000200) | ((Y ) & 0x00000100) 478 | ((Y >> 5) & 0x00000020) | ((Y >> 10) & 0x00000010) 479 | ((Y >> 3) & 0x00000008) | ((Y >> 18) & 0x00000004) 480 | ((Y >> 26) & 0x00000002) | ((Y >> 24) & 0x00000001); 481 482 *SK++ = ((X << 15) & 0x20000000) | ((X << 17) & 0x10000000) 483 | ((X << 10) & 0x08000000) | ((X << 22) & 0x04000000) 484 | ((X >> 2) & 0x02000000) | ((X << 1) & 0x01000000) 485 | ((X << 16) & 0x00200000) | ((X << 11) & 0x00100000) 486 | ((X << 3) & 0x00080000) | ((X >> 6) & 0x00040000) 487 | ((X << 15) & 0x00020000) | ((X >> 4) & 0x00010000) 488 | ((Y >> 2) & 0x00002000) | ((Y << 8) & 0x00001000) 489 | ((Y >> 14) & 0x00000808) | ((Y >> 9) & 0x00000400) 490 | ((Y ) & 0x00000200) | ((Y << 7) & 0x00000100) 491 | ((Y >> 7) & 0x00000020) | ((Y >> 3) & 0x00000011) 492 | ((Y << 2) & 0x00000004) | ((Y >> 21) & 0x00000002); 493 } 494 } 495 #endif /* !MBEDTLS_DES_SETKEY_ALT */ 496 497 /* 498 * DES key schedule (56-bit, encryption) 499 */ 500 int mbedtls_des_setkey_enc( mbedtls_des_context *ctx, const unsigned char key[MBEDTLS_DES_KEY_SIZE] ) 501 { 502 mbedtls_des_setkey( ctx->sk, key ); 503 504 return( 0 ); 505 } 506 507 /* 508 * DES key schedule (56-bit, decryption) 509 */ 510 int mbedtls_des_setkey_dec( mbedtls_des_context *ctx, const unsigned char key[MBEDTLS_DES_KEY_SIZE] ) 511 { 512 int i; 513 514 mbedtls_des_setkey( ctx->sk, key ); 515 516 for( i = 0; i < 16; i += 2 ) 517 { 518 SWAP( ctx->sk[i ], ctx->sk[30 - i] ); 519 SWAP( ctx->sk[i + 1], ctx->sk[31 - i] ); 520 } 521 522 return( 0 ); 523 } 524 525 static void des3_set2key( uint32_t esk[96], 526 uint32_t dsk[96], 527 const unsigned char key[MBEDTLS_DES_KEY_SIZE*2] ) 528 { 529 int i; 530 531 mbedtls_des_setkey( esk, key ); 532 mbedtls_des_setkey( dsk + 32, key + 8 ); 533 534 for( i = 0; i < 32; i += 2 ) 535 { 536 dsk[i ] = esk[30 - i]; 537 dsk[i + 1] = esk[31 - i]; 538 539 esk[i + 32] = dsk[62 - i]; 540 esk[i + 33] = dsk[63 - i]; 541 542 esk[i + 64] = esk[i ]; 543 esk[i + 65] = esk[i + 1]; 544 545 dsk[i + 64] = dsk[i ]; 546 dsk[i + 65] = dsk[i + 1]; 547 } 548 } 549 550 /* 551 * Triple-DES key schedule (112-bit, encryption) 552 */ 553 int mbedtls_des3_set2key_enc( mbedtls_des3_context *ctx, 554 const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2] ) 555 { 556 uint32_t sk[96]; 557 558 des3_set2key( ctx->sk, sk, key ); 559 mbedtls_platform_zeroize( sk, sizeof( sk ) ); 560 561 return( 0 ); 562 } 563 564 /* 565 * Triple-DES key schedule (112-bit, decryption) 566 */ 567 int mbedtls_des3_set2key_dec( mbedtls_des3_context *ctx, 568 const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2] ) 569 { 570 uint32_t sk[96]; 571 572 des3_set2key( sk, ctx->sk, key ); 573 mbedtls_platform_zeroize( sk, sizeof( sk ) ); 574 575 return( 0 ); 576 } 577 578 static void des3_set3key( uint32_t esk[96], 579 uint32_t dsk[96], 580 const unsigned char key[24] ) 581 { 582 int i; 583 584 mbedtls_des_setkey( esk, key ); 585 mbedtls_des_setkey( dsk + 32, key + 8 ); 586 mbedtls_des_setkey( esk + 64, key + 16 ); 587 588 for( i = 0; i < 32; i += 2 ) 589 { 590 dsk[i ] = esk[94 - i]; 591 dsk[i + 1] = esk[95 - i]; 592 593 esk[i + 32] = dsk[62 - i]; 594 esk[i + 33] = dsk[63 - i]; 595 596 dsk[i + 64] = esk[30 - i]; 597 dsk[i + 65] = esk[31 - i]; 598 } 599 } 600 601 /* 602 * Triple-DES key schedule (168-bit, encryption) 603 */ 604 int mbedtls_des3_set3key_enc( mbedtls_des3_context *ctx, 605 const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3] ) 606 { 607 uint32_t sk[96]; 608 609 des3_set3key( ctx->sk, sk, key ); 610 mbedtls_platform_zeroize( sk, sizeof( sk ) ); 611 612 return( 0 ); 613 } 614 615 /* 616 * Triple-DES key schedule (168-bit, decryption) 617 */ 618 int mbedtls_des3_set3key_dec( mbedtls_des3_context *ctx, 619 const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3] ) 620 { 621 uint32_t sk[96]; 622 623 des3_set3key( sk, ctx->sk, key ); 624 mbedtls_platform_zeroize( sk, sizeof( sk ) ); 625 626 return( 0 ); 627 } 628 629 /* 630 * DES-ECB block encryption/decryption 631 */ 632 #if !defined(MBEDTLS_DES_CRYPT_ECB_ALT) 633 int mbedtls_des_crypt_ecb( mbedtls_des_context *ctx, 634 const unsigned char input[8], 635 unsigned char output[8] ) 636 { 637 int i; 638 uint32_t X, Y, T, *SK; 639 640 SK = ctx->sk; 641 642 GET_UINT32_BE( X, input, 0 ); 643 GET_UINT32_BE( Y, input, 4 ); 644 645 DES_IP( X, Y ); 646 647 for( i = 0; i < 8; i++ ) 648 { 649 DES_ROUND( Y, X ); 650 DES_ROUND( X, Y ); 651 } 652 653 DES_FP( Y, X ); 654 655 PUT_UINT32_BE( Y, output, 0 ); 656 PUT_UINT32_BE( X, output, 4 ); 657 658 return( 0 ); 659 } 660 #endif /* !MBEDTLS_DES_CRYPT_ECB_ALT */ 661 662 #if defined(MBEDTLS_CIPHER_MODE_CBC) 663 /* 664 * DES-CBC buffer encryption/decryption 665 */ 666 int mbedtls_des_crypt_cbc( mbedtls_des_context *ctx, 667 int mode, 668 size_t length, 669 unsigned char iv[8], 670 const unsigned char *input, 671 unsigned char *output ) 672 { 673 int i; 674 unsigned char temp[8]; 675 676 if( length % 8 ) 677 return( MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH ); 678 679 if( mode == MBEDTLS_DES_ENCRYPT ) 680 { 681 while( length > 0 ) 682 { 683 for( i = 0; i < 8; i++ ) 684 output[i] = (unsigned char)( input[i] ^ iv[i] ); 685 686 mbedtls_des_crypt_ecb( ctx, output, output ); 687 memcpy( iv, output, 8 ); 688 689 input += 8; 690 output += 8; 691 length -= 8; 692 } 693 } 694 else /* MBEDTLS_DES_DECRYPT */ 695 { 696 while( length > 0 ) 697 { 698 memcpy( temp, input, 8 ); 699 mbedtls_des_crypt_ecb( ctx, input, output ); 700 701 for( i = 0; i < 8; i++ ) 702 output[i] = (unsigned char)( output[i] ^ iv[i] ); 703 704 memcpy( iv, temp, 8 ); 705 706 input += 8; 707 output += 8; 708 length -= 8; 709 } 710 } 711 712 return( 0 ); 713 } 714 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 715 716 /* 717 * 3DES-ECB block encryption/decryption 718 */ 719 #if !defined(MBEDTLS_DES3_CRYPT_ECB_ALT) 720 int mbedtls_des3_crypt_ecb( mbedtls_des3_context *ctx, 721 const unsigned char input[8], 722 unsigned char output[8] ) 723 { 724 int i; 725 uint32_t X, Y, T, *SK; 726 727 SK = ctx->sk; 728 729 GET_UINT32_BE( X, input, 0 ); 730 GET_UINT32_BE( Y, input, 4 ); 731 732 DES_IP( X, Y ); 733 734 for( i = 0; i < 8; i++ ) 735 { 736 DES_ROUND( Y, X ); 737 DES_ROUND( X, Y ); 738 } 739 740 for( i = 0; i < 8; i++ ) 741 { 742 DES_ROUND( X, Y ); 743 DES_ROUND( Y, X ); 744 } 745 746 for( i = 0; i < 8; i++ ) 747 { 748 DES_ROUND( Y, X ); 749 DES_ROUND( X, Y ); 750 } 751 752 DES_FP( Y, X ); 753 754 PUT_UINT32_BE( Y, output, 0 ); 755 PUT_UINT32_BE( X, output, 4 ); 756 757 return( 0 ); 758 } 759 #endif /* !MBEDTLS_DES3_CRYPT_ECB_ALT */ 760 761 #if defined(MBEDTLS_CIPHER_MODE_CBC) 762 /* 763 * 3DES-CBC buffer encryption/decryption 764 */ 765 int mbedtls_des3_crypt_cbc( mbedtls_des3_context *ctx, 766 int mode, 767 size_t length, 768 unsigned char iv[8], 769 const unsigned char *input, 770 unsigned char *output ) 771 { 772 int i; 773 unsigned char temp[8]; 774 775 if( length % 8 ) 776 return( MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH ); 777 778 if( mode == MBEDTLS_DES_ENCRYPT ) 779 { 780 while( length > 0 ) 781 { 782 for( i = 0; i < 8; i++ ) 783 output[i] = (unsigned char)( input[i] ^ iv[i] ); 784 785 mbedtls_des3_crypt_ecb( ctx, output, output ); 786 memcpy( iv, output, 8 ); 787 788 input += 8; 789 output += 8; 790 length -= 8; 791 } 792 } 793 else /* MBEDTLS_DES_DECRYPT */ 794 { 795 while( length > 0 ) 796 { 797 memcpy( temp, input, 8 ); 798 mbedtls_des3_crypt_ecb( ctx, input, output ); 799 800 for( i = 0; i < 8; i++ ) 801 output[i] = (unsigned char)( output[i] ^ iv[i] ); 802 803 memcpy( iv, temp, 8 ); 804 805 input += 8; 806 output += 8; 807 length -= 8; 808 } 809 } 810 811 return( 0 ); 812 } 813 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 814 815 #endif /* !MBEDTLS_DES_ALT */ 816 817 #if defined(MBEDTLS_SELF_TEST) 818 /* 819 * DES and 3DES test vectors from: 820 * 821 * http://csrc.nist.gov/groups/STM/cavp/documents/des/tripledes-vectors.zip 822 */ 823 static const unsigned char des3_test_keys[24] = 824 { 825 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 826 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01, 827 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01, 0x23 828 }; 829 830 static const unsigned char des3_test_buf[8] = 831 { 832 0x4E, 0x6F, 0x77, 0x20, 0x69, 0x73, 0x20, 0x74 833 }; 834 835 static const unsigned char des3_test_ecb_dec[3][8] = 836 { 837 { 0xCD, 0xD6, 0x4F, 0x2F, 0x94, 0x27, 0xC1, 0x5D }, 838 { 0x69, 0x96, 0xC8, 0xFA, 0x47, 0xA2, 0xAB, 0xEB }, 839 { 0x83, 0x25, 0x39, 0x76, 0x44, 0x09, 0x1A, 0x0A } 840 }; 841 842 static const unsigned char des3_test_ecb_enc[3][8] = 843 { 844 { 0x6A, 0x2A, 0x19, 0xF4, 0x1E, 0xCA, 0x85, 0x4B }, 845 { 0x03, 0xE6, 0x9F, 0x5B, 0xFA, 0x58, 0xEB, 0x42 }, 846 { 0xDD, 0x17, 0xE8, 0xB8, 0xB4, 0x37, 0xD2, 0x32 } 847 }; 848 849 #if defined(MBEDTLS_CIPHER_MODE_CBC) 850 static const unsigned char des3_test_iv[8] = 851 { 852 0x12, 0x34, 0x56, 0x78, 0x90, 0xAB, 0xCD, 0xEF, 853 }; 854 855 static const unsigned char des3_test_cbc_dec[3][8] = 856 { 857 { 0x12, 0x9F, 0x40, 0xB9, 0xD2, 0x00, 0x56, 0xB3 }, 858 { 0x47, 0x0E, 0xFC, 0x9A, 0x6B, 0x8E, 0xE3, 0x93 }, 859 { 0xC5, 0xCE, 0xCF, 0x63, 0xEC, 0xEC, 0x51, 0x4C } 860 }; 861 862 static const unsigned char des3_test_cbc_enc[3][8] = 863 { 864 { 0x54, 0xF1, 0x5A, 0xF6, 0xEB, 0xE3, 0xA4, 0xB4 }, 865 { 0x35, 0x76, 0x11, 0x56, 0x5F, 0xA1, 0x8E, 0x4D }, 866 { 0xCB, 0x19, 0x1F, 0x85, 0xD1, 0xED, 0x84, 0x39 } 867 }; 868 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 869 870 /* 871 * Checkup routine 872 */ 873 int mbedtls_des_self_test( int verbose ) 874 { 875 int i, j, u, v, ret = 0; 876 mbedtls_des_context ctx; 877 mbedtls_des3_context ctx3; 878 unsigned char buf[8]; 879 #if defined(MBEDTLS_CIPHER_MODE_CBC) 880 unsigned char prv[8]; 881 unsigned char iv[8]; 882 #endif 883 884 mbedtls_des_init( &ctx ); 885 mbedtls_des3_init( &ctx3 ); 886 /* 887 * ECB mode 888 */ 889 for( i = 0; i < 6; i++ ) 890 { 891 u = i >> 1; 892 v = i & 1; 893 894 if( verbose != 0 ) 895 mbedtls_printf( " DES%c-ECB-%3d (%s): ", 896 ( u == 0 ) ? ' ' : '3', 56 + u * 56, 897 ( v == MBEDTLS_DES_DECRYPT ) ? "dec" : "enc" ); 898 899 memcpy( buf, des3_test_buf, 8 ); 900 901 switch( i ) 902 { 903 case 0: 904 mbedtls_des_setkey_dec( &ctx, des3_test_keys ); 905 break; 906 907 case 1: 908 mbedtls_des_setkey_enc( &ctx, des3_test_keys ); 909 break; 910 911 case 2: 912 mbedtls_des3_set2key_dec( &ctx3, des3_test_keys ); 913 break; 914 915 case 3: 916 mbedtls_des3_set2key_enc( &ctx3, des3_test_keys ); 917 break; 918 919 case 4: 920 mbedtls_des3_set3key_dec( &ctx3, des3_test_keys ); 921 break; 922 923 case 5: 924 mbedtls_des3_set3key_enc( &ctx3, des3_test_keys ); 925 break; 926 927 default: 928 return( 1 ); 929 } 930 931 for( j = 0; j < 10000; j++ ) 932 { 933 if( u == 0 ) 934 mbedtls_des_crypt_ecb( &ctx, buf, buf ); 935 else 936 mbedtls_des3_crypt_ecb( &ctx3, buf, buf ); 937 } 938 939 if( ( v == MBEDTLS_DES_DECRYPT && 940 memcmp( buf, des3_test_ecb_dec[u], 8 ) != 0 ) || 941 ( v != MBEDTLS_DES_DECRYPT && 942 memcmp( buf, des3_test_ecb_enc[u], 8 ) != 0 ) ) 943 { 944 if( verbose != 0 ) 945 mbedtls_printf( "failed\n" ); 946 947 ret = 1; 948 goto exit; 949 } 950 951 if( verbose != 0 ) 952 mbedtls_printf( "passed\n" ); 953 } 954 955 if( verbose != 0 ) 956 mbedtls_printf( "\n" ); 957 958 #if defined(MBEDTLS_CIPHER_MODE_CBC) 959 /* 960 * CBC mode 961 */ 962 for( i = 0; i < 6; i++ ) 963 { 964 u = i >> 1; 965 v = i & 1; 966 967 if( verbose != 0 ) 968 mbedtls_printf( " DES%c-CBC-%3d (%s): ", 969 ( u == 0 ) ? ' ' : '3', 56 + u * 56, 970 ( v == MBEDTLS_DES_DECRYPT ) ? "dec" : "enc" ); 971 972 memcpy( iv, des3_test_iv, 8 ); 973 memcpy( prv, des3_test_iv, 8 ); 974 memcpy( buf, des3_test_buf, 8 ); 975 976 switch( i ) 977 { 978 case 0: 979 mbedtls_des_setkey_dec( &ctx, des3_test_keys ); 980 break; 981 982 case 1: 983 mbedtls_des_setkey_enc( &ctx, des3_test_keys ); 984 break; 985 986 case 2: 987 mbedtls_des3_set2key_dec( &ctx3, des3_test_keys ); 988 break; 989 990 case 3: 991 mbedtls_des3_set2key_enc( &ctx3, des3_test_keys ); 992 break; 993 994 case 4: 995 mbedtls_des3_set3key_dec( &ctx3, des3_test_keys ); 996 break; 997 998 case 5: 999 mbedtls_des3_set3key_enc( &ctx3, des3_test_keys ); 1000 break; 1001 1002 default: 1003 return( 1 ); 1004 } 1005 1006 if( v == MBEDTLS_DES_DECRYPT ) 1007 { 1008 for( j = 0; j < 10000; j++ ) 1009 { 1010 if( u == 0 ) 1011 mbedtls_des_crypt_cbc( &ctx, v, 8, iv, buf, buf ); 1012 else 1013 mbedtls_des3_crypt_cbc( &ctx3, v, 8, iv, buf, buf ); 1014 } 1015 } 1016 else 1017 { 1018 for( j = 0; j < 10000; j++ ) 1019 { 1020 unsigned char tmp[8]; 1021 1022 if( u == 0 ) 1023 mbedtls_des_crypt_cbc( &ctx, v, 8, iv, buf, buf ); 1024 else 1025 mbedtls_des3_crypt_cbc( &ctx3, v, 8, iv, buf, buf ); 1026 1027 memcpy( tmp, prv, 8 ); 1028 memcpy( prv, buf, 8 ); 1029 memcpy( buf, tmp, 8 ); 1030 } 1031 1032 memcpy( buf, prv, 8 ); 1033 } 1034 1035 if( ( v == MBEDTLS_DES_DECRYPT && 1036 memcmp( buf, des3_test_cbc_dec[u], 8 ) != 0 ) || 1037 ( v != MBEDTLS_DES_DECRYPT && 1038 memcmp( buf, des3_test_cbc_enc[u], 8 ) != 0 ) ) 1039 { 1040 if( verbose != 0 ) 1041 mbedtls_printf( "failed\n" ); 1042 1043 ret = 1; 1044 goto exit; 1045 } 1046 1047 if( verbose != 0 ) 1048 mbedtls_printf( "passed\n" ); 1049 } 1050 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 1051 1052 if( verbose != 0 ) 1053 mbedtls_printf( "\n" ); 1054 1055 exit: 1056 mbedtls_des_free( &ctx ); 1057 mbedtls_des3_free( &ctx3 ); 1058 1059 return( ret ); 1060 } 1061 1062 #endif /* MBEDTLS_SELF_TEST */ 1063 1064 #endif /* MBEDTLS_DES_C */ 1065