1/* 2 * FIPS-46-3 compliant Triple-DES implementation 3 * 4 * Copyright The Mbed TLS Contributors 5 * SPDX-License-Identifier: Apache-2.0 6 * 7 * Licensed under the Apache License, Version 2.0 (the "License"); you may 8 * not use this file except in compliance with the License. 9 * You may obtain a copy of the License at 10 * 11 * http://www.apache.org/licenses/LICENSE-2.0 12 * 13 * Unless required by applicable law or agreed to in writing, software 14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 * See the License for the specific language governing permissions and 17 * limitations under the License. 18 */ 19/* 20 * DES, on which TDES is based, was originally designed by Horst Feistel 21 * at IBM in 1974, and was adopted as a standard by NIST (formerly NBS). 22 * 23 * http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf 24 */ 25 26#include "common.h" 27 28#if defined(MBEDTLS_DES_C) 29 30#include "mbedtls/des.h" 31#include "mbedtls/error.h" 32#include "mbedtls/platform_util.h" 33 34#include <string.h> 35 36#include "mbedtls/platform.h" 37 38#if !defined(MBEDTLS_DES_ALT) 39 40/* 41 * Expanded DES S-boxes 42 */ 43static const uint32_t SB1[64] = 44{ 45 0x01010400, 0x00000000, 0x00010000, 0x01010404, 46 0x01010004, 0x00010404, 0x00000004, 0x00010000, 47 0x00000400, 0x01010400, 0x01010404, 0x00000400, 48 0x01000404, 0x01010004, 0x01000000, 0x00000004, 49 0x00000404, 0x01000400, 0x01000400, 0x00010400, 50 0x00010400, 0x01010000, 0x01010000, 0x01000404, 51 0x00010004, 0x01000004, 0x01000004, 0x00010004, 52 0x00000000, 0x00000404, 0x00010404, 0x01000000, 53 0x00010000, 0x01010404, 0x00000004, 0x01010000, 54 0x01010400, 0x01000000, 0x01000000, 0x00000400, 55 0x01010004, 0x00010000, 0x00010400, 0x01000004, 56 0x00000400, 0x00000004, 0x01000404, 0x00010404, 57 0x01010404, 0x00010004, 0x01010000, 0x01000404, 58 0x01000004, 0x00000404, 0x00010404, 0x01010400, 59 0x00000404, 0x01000400, 0x01000400, 0x00000000, 60 0x00010004, 0x00010400, 0x00000000, 0x01010004 61}; 62 63static const uint32_t SB2[64] = 64{ 65 0x80108020, 0x80008000, 0x00008000, 0x00108020, 66 0x00100000, 0x00000020, 0x80100020, 0x80008020, 67 0x80000020, 0x80108020, 0x80108000, 0x80000000, 68 0x80008000, 0x00100000, 0x00000020, 0x80100020, 69 0x00108000, 0x00100020, 0x80008020, 0x00000000, 70 0x80000000, 0x00008000, 0x00108020, 0x80100000, 71 0x00100020, 0x80000020, 0x00000000, 0x00108000, 72 0x00008020, 0x80108000, 0x80100000, 0x00008020, 73 0x00000000, 0x00108020, 0x80100020, 0x00100000, 74 0x80008020, 0x80100000, 0x80108000, 0x00008000, 75 0x80100000, 0x80008000, 0x00000020, 0x80108020, 76 0x00108020, 0x00000020, 0x00008000, 0x80000000, 77 0x00008020, 0x80108000, 0x00100000, 0x80000020, 78 0x00100020, 0x80008020, 0x80000020, 0x00100020, 79 0x00108000, 0x00000000, 0x80008000, 0x00008020, 80 0x80000000, 0x80100020, 0x80108020, 0x00108000 81}; 82 83static const uint32_t SB3[64] = 84{ 85 0x00000208, 0x08020200, 0x00000000, 0x08020008, 86 0x08000200, 0x00000000, 0x00020208, 0x08000200, 87 0x00020008, 0x08000008, 0x08000008, 0x00020000, 88 0x08020208, 0x00020008, 0x08020000, 0x00000208, 89 0x08000000, 0x00000008, 0x08020200, 0x00000200, 90 0x00020200, 0x08020000, 0x08020008, 0x00020208, 91 0x08000208, 0x00020200, 0x00020000, 0x08000208, 92 0x00000008, 0x08020208, 0x00000200, 0x08000000, 93 0x08020200, 0x08000000, 0x00020008, 0x00000208, 94 0x00020000, 0x08020200, 0x08000200, 0x00000000, 95 0x00000200, 0x00020008, 0x08020208, 0x08000200, 96 0x08000008, 0x00000200, 0x00000000, 0x08020008, 97 0x08000208, 0x00020000, 0x08000000, 0x08020208, 98 0x00000008, 0x00020208, 0x00020200, 0x08000008, 99 0x08020000, 0x08000208, 0x00000208, 0x08020000, 100 0x00020208, 0x00000008, 0x08020008, 0x00020200 101}; 102 103static const uint32_t SB4[64] = 104{ 105 0x00802001, 0x00002081, 0x00002081, 0x00000080, 106 0x00802080, 0x00800081, 0x00800001, 0x00002001, 107 0x00000000, 0x00802000, 0x00802000, 0x00802081, 108 0x00000081, 0x00000000, 0x00800080, 0x00800001, 109 0x00000001, 0x00002000, 0x00800000, 0x00802001, 110 0x00000080, 0x00800000, 0x00002001, 0x00002080, 111 0x00800081, 0x00000001, 0x00002080, 0x00800080, 112 0x00002000, 0x00802080, 0x00802081, 0x00000081, 113 0x00800080, 0x00800001, 0x00802000, 0x00802081, 114 0x00000081, 0x00000000, 0x00000000, 0x00802000, 115 0x00002080, 0x00800080, 0x00800081, 0x00000001, 116 0x00802001, 0x00002081, 0x00002081, 0x00000080, 117 0x00802081, 0x00000081, 0x00000001, 0x00002000, 118 0x00800001, 0x00002001, 0x00802080, 0x00800081, 119 0x00002001, 0x00002080, 0x00800000, 0x00802001, 120 0x00000080, 0x00800000, 0x00002000, 0x00802080 121}; 122 123static const uint32_t SB5[64] = 124{ 125 0x00000100, 0x02080100, 0x02080000, 0x42000100, 126 0x00080000, 0x00000100, 0x40000000, 0x02080000, 127 0x40080100, 0x00080000, 0x02000100, 0x40080100, 128 0x42000100, 0x42080000, 0x00080100, 0x40000000, 129 0x02000000, 0x40080000, 0x40080000, 0x00000000, 130 0x40000100, 0x42080100, 0x42080100, 0x02000100, 131 0x42080000, 0x40000100, 0x00000000, 0x42000000, 132 0x02080100, 0x02000000, 0x42000000, 0x00080100, 133 0x00080000, 0x42000100, 0x00000100, 0x02000000, 134 0x40000000, 0x02080000, 0x42000100, 0x40080100, 135 0x02000100, 0x40000000, 0x42080000, 0x02080100, 136 0x40080100, 0x00000100, 0x02000000, 0x42080000, 137 0x42080100, 0x00080100, 0x42000000, 0x42080100, 138 0x02080000, 0x00000000, 0x40080000, 0x42000000, 139 0x00080100, 0x02000100, 0x40000100, 0x00080000, 140 0x00000000, 0x40080000, 0x02080100, 0x40000100 141}; 142 143static const uint32_t SB6[64] = 144{ 145 0x20000010, 0x20400000, 0x00004000, 0x20404010, 146 0x20400000, 0x00000010, 0x20404010, 0x00400000, 147 0x20004000, 0x00404010, 0x00400000, 0x20000010, 148 0x00400010, 0x20004000, 0x20000000, 0x00004010, 149 0x00000000, 0x00400010, 0x20004010, 0x00004000, 150 0x00404000, 0x20004010, 0x00000010, 0x20400010, 151 0x20400010, 0x00000000, 0x00404010, 0x20404000, 152 0x00004010, 0x00404000, 0x20404000, 0x20000000, 153 0x20004000, 0x00000010, 0x20400010, 0x00404000, 154 0x20404010, 0x00400000, 0x00004010, 0x20000010, 155 0x00400000, 0x20004000, 0x20000000, 0x00004010, 156 0x20000010, 0x20404010, 0x00404000, 0x20400000, 157 0x00404010, 0x20404000, 0x00000000, 0x20400010, 158 0x00000010, 0x00004000, 0x20400000, 0x00404010, 159 0x00004000, 0x00400010, 0x20004010, 0x00000000, 160 0x20404000, 0x20000000, 0x00400010, 0x20004010 161}; 162 163static const uint32_t SB7[64] = 164{ 165 0x00200000, 0x04200002, 0x04000802, 0x00000000, 166 0x00000800, 0x04000802, 0x00200802, 0x04200800, 167 0x04200802, 0x00200000, 0x00000000, 0x04000002, 168 0x00000002, 0x04000000, 0x04200002, 0x00000802, 169 0x04000800, 0x00200802, 0x00200002, 0x04000800, 170 0x04000002, 0x04200000, 0x04200800, 0x00200002, 171 0x04200000, 0x00000800, 0x00000802, 0x04200802, 172 0x00200800, 0x00000002, 0x04000000, 0x00200800, 173 0x04000000, 0x00200800, 0x00200000, 0x04000802, 174 0x04000802, 0x04200002, 0x04200002, 0x00000002, 175 0x00200002, 0x04000000, 0x04000800, 0x00200000, 176 0x04200800, 0x00000802, 0x00200802, 0x04200800, 177 0x00000802, 0x04000002, 0x04200802, 0x04200000, 178 0x00200800, 0x00000000, 0x00000002, 0x04200802, 179 0x00000000, 0x00200802, 0x04200000, 0x00000800, 180 0x04000002, 0x04000800, 0x00000800, 0x00200002 181}; 182 183static const uint32_t SB8[64] = 184{ 185 0x10001040, 0x00001000, 0x00040000, 0x10041040, 186 0x10000000, 0x10001040, 0x00000040, 0x10000000, 187 0x00040040, 0x10040000, 0x10041040, 0x00041000, 188 0x10041000, 0x00041040, 0x00001000, 0x00000040, 189 0x10040000, 0x10000040, 0x10001000, 0x00001040, 190 0x00041000, 0x00040040, 0x10040040, 0x10041000, 191 0x00001040, 0x00000000, 0x00000000, 0x10040040, 192 0x10000040, 0x10001000, 0x00041040, 0x00040000, 193 0x00041040, 0x00040000, 0x10041000, 0x00001000, 194 0x00000040, 0x10040040, 0x00001000, 0x00041040, 195 0x10001000, 0x00000040, 0x10000040, 0x10040000, 196 0x10040040, 0x10000000, 0x00040000, 0x10001040, 197 0x00000000, 0x10041040, 0x00040040, 0x10000040, 198 0x10040000, 0x10001000, 0x10001040, 0x00000000, 199 0x10041040, 0x00041000, 0x00041000, 0x00001040, 200 0x00001040, 0x00040040, 0x10000000, 0x10041000 201}; 202 203/* 204 * PC1: left and right halves bit-swap 205 */ 206static const uint32_t LHs[16] = 207{ 208 0x00000000, 0x00000001, 0x00000100, 0x00000101, 209 0x00010000, 0x00010001, 0x00010100, 0x00010101, 210 0x01000000, 0x01000001, 0x01000100, 0x01000101, 211 0x01010000, 0x01010001, 0x01010100, 0x01010101 212}; 213 214static const uint32_t RHs[16] = 215{ 216 0x00000000, 0x01000000, 0x00010000, 0x01010000, 217 0x00000100, 0x01000100, 0x00010100, 0x01010100, 218 0x00000001, 0x01000001, 0x00010001, 0x01010001, 219 0x00000101, 0x01000101, 0x00010101, 0x01010101, 220}; 221 222/* 223 * Initial Permutation macro 224 */ 225#define DES_IP(X, Y) \ 226 do \ 227 { \ 228 T = (((X) >> 4) ^ (Y)) & 0x0F0F0F0F; (Y) ^= T; (X) ^= (T << 4); \ 229 T = (((X) >> 16) ^ (Y)) & 0x0000FFFF; (Y) ^= T; (X) ^= (T << 16); \ 230 T = (((Y) >> 2) ^ (X)) & 0x33333333; (X) ^= T; (Y) ^= (T << 2); \ 231 T = (((Y) >> 8) ^ (X)) & 0x00FF00FF; (X) ^= T; (Y) ^= (T << 8); \ 232 (Y) = (((Y) << 1) | ((Y) >> 31)) & 0xFFFFFFFF; \ 233 T = ((X) ^ (Y)) & 0xAAAAAAAA; (Y) ^= T; (X) ^= T; \ 234 (X) = (((X) << 1) | ((X) >> 31)) & 0xFFFFFFFF; \ 235 } while (0) 236 237/* 238 * Final Permutation macro 239 */ 240#define DES_FP(X, Y) \ 241 do \ 242 { \ 243 (X) = (((X) << 31) | ((X) >> 1)) & 0xFFFFFFFF; \ 244 T = ((X) ^ (Y)) & 0xAAAAAAAA; (X) ^= T; (Y) ^= T; \ 245 (Y) = (((Y) << 31) | ((Y) >> 1)) & 0xFFFFFFFF; \ 246 T = (((Y) >> 8) ^ (X)) & 0x00FF00FF; (X) ^= T; (Y) ^= (T << 8); \ 247 T = (((Y) >> 2) ^ (X)) & 0x33333333; (X) ^= T; (Y) ^= (T << 2); \ 248 T = (((X) >> 16) ^ (Y)) & 0x0000FFFF; (Y) ^= T; (X) ^= (T << 16); \ 249 T = (((X) >> 4) ^ (Y)) & 0x0F0F0F0F; (Y) ^= T; (X) ^= (T << 4); \ 250 } while (0) 251 252/* 253 * DES round macro 254 */ 255#define DES_ROUND(X, Y) \ 256 do \ 257 { \ 258 T = *SK++ ^ (X); \ 259 (Y) ^= SB8[(T) & 0x3F] ^ \ 260 SB6[(T >> 8) & 0x3F] ^ \ 261 SB4[(T >> 16) & 0x3F] ^ \ 262 SB2[(T >> 24) & 0x3F]; \ 263 \ 264 T = *SK++ ^ (((X) << 28) | ((X) >> 4)); \ 265 (Y) ^= SB7[(T) & 0x3F] ^ \ 266 SB5[(T >> 8) & 0x3F] ^ \ 267 SB3[(T >> 16) & 0x3F] ^ \ 268 SB1[(T >> 24) & 0x3F]; \ 269 } while (0) 270 271#define SWAP(a, b) \ 272 do \ 273 { \ 274 uint32_t t = (a); (a) = (b); (b) = t; t = 0; \ 275 } while (0) 276 277void mbedtls_des_init(mbedtls_des_context *ctx) 278{ 279 memset(ctx, 0, sizeof(mbedtls_des_context)); 280} 281 282void mbedtls_des_free(mbedtls_des_context *ctx) 283{ 284 if (ctx == NULL) { 285 return; 286 } 287 288 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_des_context)); 289} 290 291void mbedtls_des3_init(mbedtls_des3_context *ctx) 292{ 293 memset(ctx, 0, sizeof(mbedtls_des3_context)); 294} 295 296void mbedtls_des3_free(mbedtls_des3_context *ctx) 297{ 298 if (ctx == NULL) { 299 return; 300 } 301 302 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_des3_context)); 303} 304 305static const unsigned char odd_parity_table[128] = { 1, 2, 4, 7, 8, 306 11, 13, 14, 16, 19, 21, 22, 25, 26, 28, 31, 32, 307 35, 37, 38, 41, 42, 44, 308 47, 49, 50, 52, 55, 56, 59, 61, 62, 64, 67, 69, 309 70, 73, 74, 76, 79, 81, 310 82, 84, 87, 88, 91, 93, 94, 97, 98, 100, 103, 311 104, 107, 109, 110, 112, 312 115, 117, 118, 121, 122, 124, 127, 128, 131, 313 133, 134, 137, 138, 140, 314 143, 145, 146, 148, 151, 152, 155, 157, 158, 315 161, 162, 164, 167, 168, 316 171, 173, 174, 176, 179, 181, 182, 185, 186, 317 188, 191, 193, 194, 196, 318 199, 200, 203, 205, 206, 208, 211, 213, 214, 319 217, 218, 220, 223, 224, 320 227, 229, 230, 233, 234, 236, 239, 241, 242, 321 244, 247, 248, 251, 253, 322 254 }; 323 324void mbedtls_des_key_set_parity(unsigned char key[MBEDTLS_DES_KEY_SIZE]) 325{ 326 int i; 327 328 for (i = 0; i < MBEDTLS_DES_KEY_SIZE; i++) { 329 key[i] = odd_parity_table[key[i] / 2]; 330 } 331} 332 333/* 334 * Check the given key's parity, returns 1 on failure, 0 on SUCCESS 335 */ 336int mbedtls_des_key_check_key_parity(const unsigned char key[MBEDTLS_DES_KEY_SIZE]) 337{ 338 int i; 339 340 for (i = 0; i < MBEDTLS_DES_KEY_SIZE; i++) { 341 if (key[i] != odd_parity_table[key[i] / 2]) { 342 return 1; 343 } 344 } 345 346 return 0; 347} 348 349/* 350 * Table of weak and semi-weak keys 351 * 352 * Source: http://en.wikipedia.org/wiki/Weak_key 353 * 354 * Weak: 355 * Alternating ones + zeros (0x0101010101010101) 356 * Alternating 'F' + 'E' (0xFEFEFEFEFEFEFEFE) 357 * '0xE0E0E0E0F1F1F1F1' 358 * '0x1F1F1F1F0E0E0E0E' 359 * 360 * Semi-weak: 361 * 0x011F011F010E010E and 0x1F011F010E010E01 362 * 0x01E001E001F101F1 and 0xE001E001F101F101 363 * 0x01FE01FE01FE01FE and 0xFE01FE01FE01FE01 364 * 0x1FE01FE00EF10EF1 and 0xE01FE01FF10EF10E 365 * 0x1FFE1FFE0EFE0EFE and 0xFE1FFE1FFE0EFE0E 366 * 0xE0FEE0FEF1FEF1FE and 0xFEE0FEE0FEF1FEF1 367 * 368 */ 369 370#define WEAK_KEY_COUNT 16 371 372static const unsigned char weak_key_table[WEAK_KEY_COUNT][MBEDTLS_DES_KEY_SIZE] = 373{ 374 { 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 }, 375 { 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE }, 376 { 0x1F, 0x1F, 0x1F, 0x1F, 0x0E, 0x0E, 0x0E, 0x0E }, 377 { 0xE0, 0xE0, 0xE0, 0xE0, 0xF1, 0xF1, 0xF1, 0xF1 }, 378 379 { 0x01, 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E }, 380 { 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E, 0x01 }, 381 { 0x01, 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1 }, 382 { 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1, 0x01 }, 383 { 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE }, 384 { 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01 }, 385 { 0x1F, 0xE0, 0x1F, 0xE0, 0x0E, 0xF1, 0x0E, 0xF1 }, 386 { 0xE0, 0x1F, 0xE0, 0x1F, 0xF1, 0x0E, 0xF1, 0x0E }, 387 { 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E, 0xFE }, 388 { 0xFE, 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E }, 389 { 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1, 0xFE }, 390 { 0xFE, 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1 } 391}; 392 393int mbedtls_des_key_check_weak(const unsigned char key[MBEDTLS_DES_KEY_SIZE]) 394{ 395 int i; 396 397 for (i = 0; i < WEAK_KEY_COUNT; i++) { 398 if (memcmp(weak_key_table[i], key, MBEDTLS_DES_KEY_SIZE) == 0) { 399 return 1; 400 } 401 } 402 403 return 0; 404} 405 406#if !defined(MBEDTLS_DES_SETKEY_ALT) 407void mbedtls_des_setkey(uint32_t SK[32], const unsigned char key[MBEDTLS_DES_KEY_SIZE]) 408{ 409 int i; 410 uint32_t X, Y, T; 411 412 X = MBEDTLS_GET_UINT32_BE(key, 0); 413 Y = MBEDTLS_GET_UINT32_BE(key, 4); 414 415 /* 416 * Permuted Choice 1 417 */ 418 T = ((Y >> 4) ^ X) & 0x0F0F0F0F; X ^= T; Y ^= (T << 4); 419 T = ((Y) ^ X) & 0x10101010; X ^= T; Y ^= (T); 420 421 X = (LHs[(X) & 0xF] << 3) | (LHs[(X >> 8) & 0xF] << 2) 422 | (LHs[(X >> 16) & 0xF] << 1) | (LHs[(X >> 24) & 0xF]) 423 | (LHs[(X >> 5) & 0xF] << 7) | (LHs[(X >> 13) & 0xF] << 6) 424 | (LHs[(X >> 21) & 0xF] << 5) | (LHs[(X >> 29) & 0xF] << 4); 425 426 Y = (RHs[(Y >> 1) & 0xF] << 3) | (RHs[(Y >> 9) & 0xF] << 2) 427 | (RHs[(Y >> 17) & 0xF] << 1) | (RHs[(Y >> 25) & 0xF]) 428 | (RHs[(Y >> 4) & 0xF] << 7) | (RHs[(Y >> 12) & 0xF] << 6) 429 | (RHs[(Y >> 20) & 0xF] << 5) | (RHs[(Y >> 28) & 0xF] << 4); 430 431 X &= 0x0FFFFFFF; 432 Y &= 0x0FFFFFFF; 433 434 /* 435 * calculate subkeys 436 */ 437 for (i = 0; i < 16; i++) { 438 if (i < 2 || i == 8 || i == 15) { 439 X = ((X << 1) | (X >> 27)) & 0x0FFFFFFF; 440 Y = ((Y << 1) | (Y >> 27)) & 0x0FFFFFFF; 441 } else { 442 X = ((X << 2) | (X >> 26)) & 0x0FFFFFFF; 443 Y = ((Y << 2) | (Y >> 26)) & 0x0FFFFFFF; 444 } 445 446 *SK++ = ((X << 4) & 0x24000000) | ((X << 28) & 0x10000000) 447 | ((X << 14) & 0x08000000) | ((X << 18) & 0x02080000) 448 | ((X << 6) & 0x01000000) | ((X << 9) & 0x00200000) 449 | ((X >> 1) & 0x00100000) | ((X << 10) & 0x00040000) 450 | ((X << 2) & 0x00020000) | ((X >> 10) & 0x00010000) 451 | ((Y >> 13) & 0x00002000) | ((Y >> 4) & 0x00001000) 452 | ((Y << 6) & 0x00000800) | ((Y >> 1) & 0x00000400) 453 | ((Y >> 14) & 0x00000200) | ((Y) & 0x00000100) 454 | ((Y >> 5) & 0x00000020) | ((Y >> 10) & 0x00000010) 455 | ((Y >> 3) & 0x00000008) | ((Y >> 18) & 0x00000004) 456 | ((Y >> 26) & 0x00000002) | ((Y >> 24) & 0x00000001); 457 458 *SK++ = ((X << 15) & 0x20000000) | ((X << 17) & 0x10000000) 459 | ((X << 10) & 0x08000000) | ((X << 22) & 0x04000000) 460 | ((X >> 2) & 0x02000000) | ((X << 1) & 0x01000000) 461 | ((X << 16) & 0x00200000) | ((X << 11) & 0x00100000) 462 | ((X << 3) & 0x00080000) | ((X >> 6) & 0x00040000) 463 | ((X << 15) & 0x00020000) | ((X >> 4) & 0x00010000) 464 | ((Y >> 2) & 0x00002000) | ((Y << 8) & 0x00001000) 465 | ((Y >> 14) & 0x00000808) | ((Y >> 9) & 0x00000400) 466 | ((Y) & 0x00000200) | ((Y << 7) & 0x00000100) 467 | ((Y >> 7) & 0x00000020) | ((Y >> 3) & 0x00000011) 468 | ((Y << 2) & 0x00000004) | ((Y >> 21) & 0x00000002); 469 } 470} 471#endif /* !MBEDTLS_DES_SETKEY_ALT */ 472 473/* 474 * DES key schedule (56-bit, encryption) 475 */ 476int mbedtls_des_setkey_enc(mbedtls_des_context *ctx, const unsigned char key[MBEDTLS_DES_KEY_SIZE]) 477{ 478 mbedtls_des_setkey(ctx->sk, key); 479 480 return 0; 481} 482 483/* 484 * DES key schedule (56-bit, decryption) 485 */ 486int mbedtls_des_setkey_dec(mbedtls_des_context *ctx, const unsigned char key[MBEDTLS_DES_KEY_SIZE]) 487{ 488 int i; 489 490 mbedtls_des_setkey(ctx->sk, key); 491 492 for (i = 0; i < 16; i += 2) { 493 SWAP(ctx->sk[i], ctx->sk[30 - i]); 494 SWAP(ctx->sk[i + 1], ctx->sk[31 - i]); 495 } 496 497 return 0; 498} 499 500static void des3_set2key(uint32_t esk[96], 501 uint32_t dsk[96], 502 const unsigned char key[MBEDTLS_DES_KEY_SIZE*2]) 503{ 504 int i; 505 506 mbedtls_des_setkey(esk, key); 507 mbedtls_des_setkey(dsk + 32, key + 8); 508 509 for (i = 0; i < 32; i += 2) { 510 dsk[i] = esk[30 - i]; 511 dsk[i + 1] = esk[31 - i]; 512 513 esk[i + 32] = dsk[62 - i]; 514 esk[i + 33] = dsk[63 - i]; 515 516 esk[i + 64] = esk[i]; 517 esk[i + 65] = esk[i + 1]; 518 519 dsk[i + 64] = dsk[i]; 520 dsk[i + 65] = dsk[i + 1]; 521 } 522} 523 524/* 525 * Triple-DES key schedule (112-bit, encryption) 526 */ 527int mbedtls_des3_set2key_enc(mbedtls_des3_context *ctx, 528 const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2]) 529{ 530 uint32_t sk[96]; 531 532 des3_set2key(ctx->sk, sk, key); 533 mbedtls_platform_zeroize(sk, sizeof(sk)); 534 535 return 0; 536} 537 538/* 539 * Triple-DES key schedule (112-bit, decryption) 540 */ 541int mbedtls_des3_set2key_dec(mbedtls_des3_context *ctx, 542 const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2]) 543{ 544 uint32_t sk[96]; 545 546 des3_set2key(sk, ctx->sk, key); 547 mbedtls_platform_zeroize(sk, sizeof(sk)); 548 549 return 0; 550} 551 552static void des3_set3key(uint32_t esk[96], 553 uint32_t dsk[96], 554 const unsigned char key[24]) 555{ 556 int i; 557 558 mbedtls_des_setkey(esk, key); 559 mbedtls_des_setkey(dsk + 32, key + 8); 560 mbedtls_des_setkey(esk + 64, key + 16); 561 562 for (i = 0; i < 32; i += 2) { 563 dsk[i] = esk[94 - i]; 564 dsk[i + 1] = esk[95 - i]; 565 566 esk[i + 32] = dsk[62 - i]; 567 esk[i + 33] = dsk[63 - i]; 568 569 dsk[i + 64] = esk[30 - i]; 570 dsk[i + 65] = esk[31 - i]; 571 } 572} 573 574/* 575 * Triple-DES key schedule (168-bit, encryption) 576 */ 577int mbedtls_des3_set3key_enc(mbedtls_des3_context *ctx, 578 const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3]) 579{ 580 uint32_t sk[96]; 581 582 des3_set3key(ctx->sk, sk, key); 583 mbedtls_platform_zeroize(sk, sizeof(sk)); 584 585 return 0; 586} 587 588/* 589 * Triple-DES key schedule (168-bit, decryption) 590 */ 591int mbedtls_des3_set3key_dec(mbedtls_des3_context *ctx, 592 const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3]) 593{ 594 uint32_t sk[96]; 595 596 des3_set3key(sk, ctx->sk, key); 597 mbedtls_platform_zeroize(sk, sizeof(sk)); 598 599 return 0; 600} 601 602/* 603 * DES-ECB block encryption/decryption 604 */ 605#if !defined(MBEDTLS_DES_CRYPT_ECB_ALT) 606int mbedtls_des_crypt_ecb(mbedtls_des_context *ctx, 607 const unsigned char input[8], 608 unsigned char output[8]) 609{ 610 int i; 611 uint32_t X, Y, T, *SK; 612 613 SK = ctx->sk; 614 615 X = MBEDTLS_GET_UINT32_BE(input, 0); 616 Y = MBEDTLS_GET_UINT32_BE(input, 4); 617 618 DES_IP(X, Y); 619 620 for (i = 0; i < 8; i++) { 621 DES_ROUND(Y, X); 622 DES_ROUND(X, Y); 623 } 624 625 DES_FP(Y, X); 626 627 MBEDTLS_PUT_UINT32_BE(Y, output, 0); 628 MBEDTLS_PUT_UINT32_BE(X, output, 4); 629 630 return 0; 631} 632#endif /* !MBEDTLS_DES_CRYPT_ECB_ALT */ 633 634#if defined(MBEDTLS_CIPHER_MODE_CBC) 635/* 636 * DES-CBC buffer encryption/decryption 637 */ 638int mbedtls_des_crypt_cbc(mbedtls_des_context *ctx, 639 int mode, 640 size_t length, 641 unsigned char iv[8], 642 const unsigned char *input, 643 unsigned char *output) 644{ 645 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 646 unsigned char temp[8]; 647 648 if (length % 8) { 649 return MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH; 650 } 651 652 if (mode == MBEDTLS_DES_ENCRYPT) { 653 while (length > 0) { 654 mbedtls_xor(output, input, iv, 8); 655 656 ret = mbedtls_des_crypt_ecb(ctx, output, output); 657 if (ret != 0) { 658 goto exit; 659 } 660 memcpy(iv, output, 8); 661 662 input += 8; 663 output += 8; 664 length -= 8; 665 } 666 } else { /* MBEDTLS_DES_DECRYPT */ 667 while (length > 0) { 668 memcpy(temp, input, 8); 669 ret = mbedtls_des_crypt_ecb(ctx, input, output); 670 if (ret != 0) { 671 goto exit; 672 } 673 674 mbedtls_xor(output, output, iv, 8); 675 676 memcpy(iv, temp, 8); 677 678 input += 8; 679 output += 8; 680 length -= 8; 681 } 682 } 683 ret = 0; 684 685exit: 686 return ret; 687} 688#endif /* MBEDTLS_CIPHER_MODE_CBC */ 689 690/* 691 * 3DES-ECB block encryption/decryption 692 */ 693#if !defined(MBEDTLS_DES3_CRYPT_ECB_ALT) 694int mbedtls_des3_crypt_ecb(mbedtls_des3_context *ctx, 695 const unsigned char input[8], 696 unsigned char output[8]) 697{ 698 int i; 699 uint32_t X, Y, T, *SK; 700 701 SK = ctx->sk; 702 703 X = MBEDTLS_GET_UINT32_BE(input, 0); 704 Y = MBEDTLS_GET_UINT32_BE(input, 4); 705 706 DES_IP(X, Y); 707 708 for (i = 0; i < 8; i++) { 709 DES_ROUND(Y, X); 710 DES_ROUND(X, Y); 711 } 712 713 for (i = 0; i < 8; i++) { 714 DES_ROUND(X, Y); 715 DES_ROUND(Y, X); 716 } 717 718 for (i = 0; i < 8; i++) { 719 DES_ROUND(Y, X); 720 DES_ROUND(X, Y); 721 } 722 723 DES_FP(Y, X); 724 725 MBEDTLS_PUT_UINT32_BE(Y, output, 0); 726 MBEDTLS_PUT_UINT32_BE(X, output, 4); 727 728 return 0; 729} 730#endif /* !MBEDTLS_DES3_CRYPT_ECB_ALT */ 731 732#if defined(MBEDTLS_CIPHER_MODE_CBC) 733/* 734 * 3DES-CBC buffer encryption/decryption 735 */ 736int mbedtls_des3_crypt_cbc(mbedtls_des3_context *ctx, 737 int mode, 738 size_t length, 739 unsigned char iv[8], 740 const unsigned char *input, 741 unsigned char *output) 742{ 743 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 744 unsigned char temp[8]; 745 746 if (length % 8) { 747 return MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH; 748 } 749 750 if (mode == MBEDTLS_DES_ENCRYPT) { 751 while (length > 0) { 752 mbedtls_xor(output, input, iv, 8); 753 754 ret = mbedtls_des3_crypt_ecb(ctx, output, output); 755 if (ret != 0) { 756 goto exit; 757 } 758 memcpy(iv, output, 8); 759 760 input += 8; 761 output += 8; 762 length -= 8; 763 } 764 } else { /* MBEDTLS_DES_DECRYPT */ 765 while (length > 0) { 766 memcpy(temp, input, 8); 767 ret = mbedtls_des3_crypt_ecb(ctx, input, output); 768 if (ret != 0) { 769 goto exit; 770 } 771 772 mbedtls_xor(output, output, iv, 8); 773 774 memcpy(iv, temp, 8); 775 776 input += 8; 777 output += 8; 778 length -= 8; 779 } 780 } 781 ret = 0; 782 783exit: 784 return ret; 785} 786#endif /* MBEDTLS_CIPHER_MODE_CBC */ 787 788#endif /* !MBEDTLS_DES_ALT */ 789 790#if defined(MBEDTLS_SELF_TEST) 791/* 792 * DES and 3DES test vectors from: 793 * 794 * http://csrc.nist.gov/groups/STM/cavp/documents/des/tripledes-vectors.zip 795 */ 796static const unsigned char des3_test_keys[24] = 797{ 798 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 799 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01, 800 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01, 0x23 801}; 802 803static const unsigned char des3_test_buf[8] = 804{ 805 0x4E, 0x6F, 0x77, 0x20, 0x69, 0x73, 0x20, 0x74 806}; 807 808static const unsigned char des3_test_ecb_dec[3][8] = 809{ 810 { 0x37, 0x2B, 0x98, 0xBF, 0x52, 0x65, 0xB0, 0x59 }, 811 { 0xC2, 0x10, 0x19, 0x9C, 0x38, 0x5A, 0x65, 0xA1 }, 812 { 0xA2, 0x70, 0x56, 0x68, 0x69, 0xE5, 0x15, 0x1D } 813}; 814 815static const unsigned char des3_test_ecb_enc[3][8] = 816{ 817 { 0x1C, 0xD5, 0x97, 0xEA, 0x84, 0x26, 0x73, 0xFB }, 818 { 0xB3, 0x92, 0x4D, 0xF3, 0xC5, 0xB5, 0x42, 0x93 }, 819 { 0xDA, 0x37, 0x64, 0x41, 0xBA, 0x6F, 0x62, 0x6F } 820}; 821 822#if defined(MBEDTLS_CIPHER_MODE_CBC) 823static const unsigned char des3_test_iv[8] = 824{ 825 0x12, 0x34, 0x56, 0x78, 0x90, 0xAB, 0xCD, 0xEF, 826}; 827 828static const unsigned char des3_test_cbc_dec[3][8] = 829{ 830 { 0x58, 0xD9, 0x48, 0xEF, 0x85, 0x14, 0x65, 0x9A }, 831 { 0x5F, 0xC8, 0x78, 0xD4, 0xD7, 0x92, 0xD9, 0x54 }, 832 { 0x25, 0xF9, 0x75, 0x85, 0xA8, 0x1E, 0x48, 0xBF } 833}; 834 835static const unsigned char des3_test_cbc_enc[3][8] = 836{ 837 { 0x91, 0x1C, 0x6D, 0xCF, 0x48, 0xA7, 0xC3, 0x4D }, 838 { 0x60, 0x1A, 0x76, 0x8F, 0xA1, 0xF9, 0x66, 0xF1 }, 839 { 0xA1, 0x50, 0x0F, 0x99, 0xB2, 0xCD, 0x64, 0x76 } 840}; 841#endif /* MBEDTLS_CIPHER_MODE_CBC */ 842 843/* 844 * Checkup routine 845 */ 846int mbedtls_des_self_test(int verbose) 847{ 848 int i, j, u, v, ret = 0; 849 mbedtls_des_context ctx; 850 mbedtls_des3_context ctx3; 851 unsigned char buf[8]; 852#if defined(MBEDTLS_CIPHER_MODE_CBC) 853 unsigned char prv[8]; 854 unsigned char iv[8]; 855#endif 856 857 mbedtls_des_init(&ctx); 858 mbedtls_des3_init(&ctx3); 859 /* 860 * ECB mode 861 */ 862 for (i = 0; i < 6; i++) { 863 u = i >> 1; 864 v = i & 1; 865 866 if (verbose != 0) { 867 mbedtls_printf(" DES%c-ECB-%3d (%s): ", 868 (u == 0) ? ' ' : '3', 56 + u * 56, 869 (v == MBEDTLS_DES_DECRYPT) ? "dec" : "enc"); 870 } 871 872 memcpy(buf, des3_test_buf, 8); 873 874 switch (i) { 875 case 0: 876 ret = mbedtls_des_setkey_dec(&ctx, des3_test_keys); 877 break; 878 879 case 1: 880 ret = mbedtls_des_setkey_enc(&ctx, des3_test_keys); 881 break; 882 883 case 2: 884 ret = mbedtls_des3_set2key_dec(&ctx3, des3_test_keys); 885 break; 886 887 case 3: 888 ret = mbedtls_des3_set2key_enc(&ctx3, des3_test_keys); 889 break; 890 891 case 4: 892 ret = mbedtls_des3_set3key_dec(&ctx3, des3_test_keys); 893 break; 894 895 case 5: 896 ret = mbedtls_des3_set3key_enc(&ctx3, des3_test_keys); 897 break; 898 899 default: 900 return 1; 901 } 902 if (ret != 0) { 903 goto exit; 904 } 905 906 for (j = 0; j < 100; j++) { 907 if (u == 0) { 908 ret = mbedtls_des_crypt_ecb(&ctx, buf, buf); 909 } else { 910 ret = mbedtls_des3_crypt_ecb(&ctx3, buf, buf); 911 } 912 if (ret != 0) { 913 goto exit; 914 } 915 } 916 917 if ((v == MBEDTLS_DES_DECRYPT && 918 memcmp(buf, des3_test_ecb_dec[u], 8) != 0) || 919 (v != MBEDTLS_DES_DECRYPT && 920 memcmp(buf, des3_test_ecb_enc[u], 8) != 0)) { 921 if (verbose != 0) { 922 mbedtls_printf("failed\n"); 923 } 924 925 ret = 1; 926 goto exit; 927 } 928 929 if (verbose != 0) { 930 mbedtls_printf("passed\n"); 931 } 932 } 933 934 if (verbose != 0) { 935 mbedtls_printf("\n"); 936 } 937 938#if defined(MBEDTLS_CIPHER_MODE_CBC) 939 /* 940 * CBC mode 941 */ 942 for (i = 0; i < 6; i++) { 943 u = i >> 1; 944 v = i & 1; 945 946 if (verbose != 0) { 947 mbedtls_printf(" DES%c-CBC-%3d (%s): ", 948 (u == 0) ? ' ' : '3', 56 + u * 56, 949 (v == MBEDTLS_DES_DECRYPT) ? "dec" : "enc"); 950 } 951 952 memcpy(iv, des3_test_iv, 8); 953 memcpy(prv, des3_test_iv, 8); 954 memcpy(buf, des3_test_buf, 8); 955 956 switch (i) { 957 case 0: 958 ret = mbedtls_des_setkey_dec(&ctx, des3_test_keys); 959 break; 960 961 case 1: 962 ret = mbedtls_des_setkey_enc(&ctx, des3_test_keys); 963 break; 964 965 case 2: 966 ret = mbedtls_des3_set2key_dec(&ctx3, des3_test_keys); 967 break; 968 969 case 3: 970 ret = mbedtls_des3_set2key_enc(&ctx3, des3_test_keys); 971 break; 972 973 case 4: 974 ret = mbedtls_des3_set3key_dec(&ctx3, des3_test_keys); 975 break; 976 977 case 5: 978 ret = mbedtls_des3_set3key_enc(&ctx3, des3_test_keys); 979 break; 980 981 default: 982 return 1; 983 } 984 if (ret != 0) { 985 goto exit; 986 } 987 988 if (v == MBEDTLS_DES_DECRYPT) { 989 for (j = 0; j < 100; j++) { 990 if (u == 0) { 991 ret = mbedtls_des_crypt_cbc(&ctx, v, 8, iv, buf, buf); 992 } else { 993 ret = mbedtls_des3_crypt_cbc(&ctx3, v, 8, iv, buf, buf); 994 } 995 if (ret != 0) { 996 goto exit; 997 } 998 } 999 } else { 1000 for (j = 0; j < 100; j++) { 1001 unsigned char tmp[8]; 1002 1003 if (u == 0) { 1004 ret = mbedtls_des_crypt_cbc(&ctx, v, 8, iv, buf, buf); 1005 } else { 1006 ret = mbedtls_des3_crypt_cbc(&ctx3, v, 8, iv, buf, buf); 1007 } 1008 if (ret != 0) { 1009 goto exit; 1010 } 1011 1012 memcpy(tmp, prv, 8); 1013 memcpy(prv, buf, 8); 1014 memcpy(buf, tmp, 8); 1015 } 1016 1017 memcpy(buf, prv, 8); 1018 } 1019 1020 if ((v == MBEDTLS_DES_DECRYPT && 1021 memcmp(buf, des3_test_cbc_dec[u], 8) != 0) || 1022 (v != MBEDTLS_DES_DECRYPT && 1023 memcmp(buf, des3_test_cbc_enc[u], 8) != 0)) { 1024 if (verbose != 0) { 1025 mbedtls_printf("failed\n"); 1026 } 1027 1028 ret = 1; 1029 goto exit; 1030 } 1031 1032 if (verbose != 0) { 1033 mbedtls_printf("passed\n"); 1034 } 1035 } 1036#endif /* MBEDTLS_CIPHER_MODE_CBC */ 1037 1038 if (verbose != 0) { 1039 mbedtls_printf("\n"); 1040 } 1041 1042exit: 1043 mbedtls_des_free(&ctx); 1044 mbedtls_des3_free(&ctx3); 1045 1046 if (ret != 0) { 1047 ret = 1; 1048 } 1049 return ret; 1050} 1051 1052#endif /* MBEDTLS_SELF_TEST */ 1053 1054#endif /* MBEDTLS_DES_C */ 1055