• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  *  FIPS-46-3 compliant Triple-DES implementation
3  *
4  *  Copyright The Mbed TLS Contributors
5  *  SPDX-License-Identifier: Apache-2.0
6  *
7  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
8  *  not use this file except in compliance with the License.
9  *  You may obtain a copy of the License at
10  *
11  *  http://www.apache.org/licenses/LICENSE-2.0
12  *
13  *  Unless required by applicable law or agreed to in writing, software
14  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  *  See the License for the specific language governing permissions and
17  *  limitations under the License.
18  */
19 /*
20  *  DES, on which TDES is based, was originally designed by Horst Feistel
21  *  at IBM in 1974, and was adopted as a standard by NIST (formerly NBS).
22  *
23  *  http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf
24  */
25 
26 #include "common.h"
27 
28 #if defined(MBEDTLS_DES_C)
29 
30 #include "mbedtls/des.h"
31 #include "mbedtls/error.h"
32 #include "mbedtls/platform_util.h"
33 
34 #include <string.h>
35 
36 #if defined(MBEDTLS_SELF_TEST)
37 #if defined(MBEDTLS_PLATFORM_C)
38 #include "mbedtls/platform.h"
39 #else
40 #include <stdio.h>
41 #define mbedtls_printf printf
42 #endif /* MBEDTLS_PLATFORM_C */
43 #endif /* MBEDTLS_SELF_TEST */
44 
45 #if !defined(MBEDTLS_DES_ALT)
46 
47 /*
48  * Expanded DES S-boxes
49  */
50 static const uint32_t SB1[64] =
51 {
52     0x01010400, 0x00000000, 0x00010000, 0x01010404,
53     0x01010004, 0x00010404, 0x00000004, 0x00010000,
54     0x00000400, 0x01010400, 0x01010404, 0x00000400,
55     0x01000404, 0x01010004, 0x01000000, 0x00000004,
56     0x00000404, 0x01000400, 0x01000400, 0x00010400,
57     0x00010400, 0x01010000, 0x01010000, 0x01000404,
58     0x00010004, 0x01000004, 0x01000004, 0x00010004,
59     0x00000000, 0x00000404, 0x00010404, 0x01000000,
60     0x00010000, 0x01010404, 0x00000004, 0x01010000,
61     0x01010400, 0x01000000, 0x01000000, 0x00000400,
62     0x01010004, 0x00010000, 0x00010400, 0x01000004,
63     0x00000400, 0x00000004, 0x01000404, 0x00010404,
64     0x01010404, 0x00010004, 0x01010000, 0x01000404,
65     0x01000004, 0x00000404, 0x00010404, 0x01010400,
66     0x00000404, 0x01000400, 0x01000400, 0x00000000,
67     0x00010004, 0x00010400, 0x00000000, 0x01010004
68 };
69 
70 static const uint32_t SB2[64] =
71 {
72     0x80108020, 0x80008000, 0x00008000, 0x00108020,
73     0x00100000, 0x00000020, 0x80100020, 0x80008020,
74     0x80000020, 0x80108020, 0x80108000, 0x80000000,
75     0x80008000, 0x00100000, 0x00000020, 0x80100020,
76     0x00108000, 0x00100020, 0x80008020, 0x00000000,
77     0x80000000, 0x00008000, 0x00108020, 0x80100000,
78     0x00100020, 0x80000020, 0x00000000, 0x00108000,
79     0x00008020, 0x80108000, 0x80100000, 0x00008020,
80     0x00000000, 0x00108020, 0x80100020, 0x00100000,
81     0x80008020, 0x80100000, 0x80108000, 0x00008000,
82     0x80100000, 0x80008000, 0x00000020, 0x80108020,
83     0x00108020, 0x00000020, 0x00008000, 0x80000000,
84     0x00008020, 0x80108000, 0x00100000, 0x80000020,
85     0x00100020, 0x80008020, 0x80000020, 0x00100020,
86     0x00108000, 0x00000000, 0x80008000, 0x00008020,
87     0x80000000, 0x80100020, 0x80108020, 0x00108000
88 };
89 
90 static const uint32_t SB3[64] =
91 {
92     0x00000208, 0x08020200, 0x00000000, 0x08020008,
93     0x08000200, 0x00000000, 0x00020208, 0x08000200,
94     0x00020008, 0x08000008, 0x08000008, 0x00020000,
95     0x08020208, 0x00020008, 0x08020000, 0x00000208,
96     0x08000000, 0x00000008, 0x08020200, 0x00000200,
97     0x00020200, 0x08020000, 0x08020008, 0x00020208,
98     0x08000208, 0x00020200, 0x00020000, 0x08000208,
99     0x00000008, 0x08020208, 0x00000200, 0x08000000,
100     0x08020200, 0x08000000, 0x00020008, 0x00000208,
101     0x00020000, 0x08020200, 0x08000200, 0x00000000,
102     0x00000200, 0x00020008, 0x08020208, 0x08000200,
103     0x08000008, 0x00000200, 0x00000000, 0x08020008,
104     0x08000208, 0x00020000, 0x08000000, 0x08020208,
105     0x00000008, 0x00020208, 0x00020200, 0x08000008,
106     0x08020000, 0x08000208, 0x00000208, 0x08020000,
107     0x00020208, 0x00000008, 0x08020008, 0x00020200
108 };
109 
110 static const uint32_t SB4[64] =
111 {
112     0x00802001, 0x00002081, 0x00002081, 0x00000080,
113     0x00802080, 0x00800081, 0x00800001, 0x00002001,
114     0x00000000, 0x00802000, 0x00802000, 0x00802081,
115     0x00000081, 0x00000000, 0x00800080, 0x00800001,
116     0x00000001, 0x00002000, 0x00800000, 0x00802001,
117     0x00000080, 0x00800000, 0x00002001, 0x00002080,
118     0x00800081, 0x00000001, 0x00002080, 0x00800080,
119     0x00002000, 0x00802080, 0x00802081, 0x00000081,
120     0x00800080, 0x00800001, 0x00802000, 0x00802081,
121     0x00000081, 0x00000000, 0x00000000, 0x00802000,
122     0x00002080, 0x00800080, 0x00800081, 0x00000001,
123     0x00802001, 0x00002081, 0x00002081, 0x00000080,
124     0x00802081, 0x00000081, 0x00000001, 0x00002000,
125     0x00800001, 0x00002001, 0x00802080, 0x00800081,
126     0x00002001, 0x00002080, 0x00800000, 0x00802001,
127     0x00000080, 0x00800000, 0x00002000, 0x00802080
128 };
129 
130 static const uint32_t SB5[64] =
131 {
132     0x00000100, 0x02080100, 0x02080000, 0x42000100,
133     0x00080000, 0x00000100, 0x40000000, 0x02080000,
134     0x40080100, 0x00080000, 0x02000100, 0x40080100,
135     0x42000100, 0x42080000, 0x00080100, 0x40000000,
136     0x02000000, 0x40080000, 0x40080000, 0x00000000,
137     0x40000100, 0x42080100, 0x42080100, 0x02000100,
138     0x42080000, 0x40000100, 0x00000000, 0x42000000,
139     0x02080100, 0x02000000, 0x42000000, 0x00080100,
140     0x00080000, 0x42000100, 0x00000100, 0x02000000,
141     0x40000000, 0x02080000, 0x42000100, 0x40080100,
142     0x02000100, 0x40000000, 0x42080000, 0x02080100,
143     0x40080100, 0x00000100, 0x02000000, 0x42080000,
144     0x42080100, 0x00080100, 0x42000000, 0x42080100,
145     0x02080000, 0x00000000, 0x40080000, 0x42000000,
146     0x00080100, 0x02000100, 0x40000100, 0x00080000,
147     0x00000000, 0x40080000, 0x02080100, 0x40000100
148 };
149 
150 static const uint32_t SB6[64] =
151 {
152     0x20000010, 0x20400000, 0x00004000, 0x20404010,
153     0x20400000, 0x00000010, 0x20404010, 0x00400000,
154     0x20004000, 0x00404010, 0x00400000, 0x20000010,
155     0x00400010, 0x20004000, 0x20000000, 0x00004010,
156     0x00000000, 0x00400010, 0x20004010, 0x00004000,
157     0x00404000, 0x20004010, 0x00000010, 0x20400010,
158     0x20400010, 0x00000000, 0x00404010, 0x20404000,
159     0x00004010, 0x00404000, 0x20404000, 0x20000000,
160     0x20004000, 0x00000010, 0x20400010, 0x00404000,
161     0x20404010, 0x00400000, 0x00004010, 0x20000010,
162     0x00400000, 0x20004000, 0x20000000, 0x00004010,
163     0x20000010, 0x20404010, 0x00404000, 0x20400000,
164     0x00404010, 0x20404000, 0x00000000, 0x20400010,
165     0x00000010, 0x00004000, 0x20400000, 0x00404010,
166     0x00004000, 0x00400010, 0x20004010, 0x00000000,
167     0x20404000, 0x20000000, 0x00400010, 0x20004010
168 };
169 
170 static const uint32_t SB7[64] =
171 {
172     0x00200000, 0x04200002, 0x04000802, 0x00000000,
173     0x00000800, 0x04000802, 0x00200802, 0x04200800,
174     0x04200802, 0x00200000, 0x00000000, 0x04000002,
175     0x00000002, 0x04000000, 0x04200002, 0x00000802,
176     0x04000800, 0x00200802, 0x00200002, 0x04000800,
177     0x04000002, 0x04200000, 0x04200800, 0x00200002,
178     0x04200000, 0x00000800, 0x00000802, 0x04200802,
179     0x00200800, 0x00000002, 0x04000000, 0x00200800,
180     0x04000000, 0x00200800, 0x00200000, 0x04000802,
181     0x04000802, 0x04200002, 0x04200002, 0x00000002,
182     0x00200002, 0x04000000, 0x04000800, 0x00200000,
183     0x04200800, 0x00000802, 0x00200802, 0x04200800,
184     0x00000802, 0x04000002, 0x04200802, 0x04200000,
185     0x00200800, 0x00000000, 0x00000002, 0x04200802,
186     0x00000000, 0x00200802, 0x04200000, 0x00000800,
187     0x04000002, 0x04000800, 0x00000800, 0x00200002
188 };
189 
190 static const uint32_t SB8[64] =
191 {
192     0x10001040, 0x00001000, 0x00040000, 0x10041040,
193     0x10000000, 0x10001040, 0x00000040, 0x10000000,
194     0x00040040, 0x10040000, 0x10041040, 0x00041000,
195     0x10041000, 0x00041040, 0x00001000, 0x00000040,
196     0x10040000, 0x10000040, 0x10001000, 0x00001040,
197     0x00041000, 0x00040040, 0x10040040, 0x10041000,
198     0x00001040, 0x00000000, 0x00000000, 0x10040040,
199     0x10000040, 0x10001000, 0x00041040, 0x00040000,
200     0x00041040, 0x00040000, 0x10041000, 0x00001000,
201     0x00000040, 0x10040040, 0x00001000, 0x00041040,
202     0x10001000, 0x00000040, 0x10000040, 0x10040000,
203     0x10040040, 0x10000000, 0x00040000, 0x10001040,
204     0x00000000, 0x10041040, 0x00040040, 0x10000040,
205     0x10040000, 0x10001000, 0x10001040, 0x00000000,
206     0x10041040, 0x00041000, 0x00041000, 0x00001040,
207     0x00001040, 0x00040040, 0x10000000, 0x10041000
208 };
209 
210 /*
211  * PC1: left and right halves bit-swap
212  */
213 static const uint32_t LHs[16] =
214 {
215     0x00000000, 0x00000001, 0x00000100, 0x00000101,
216     0x00010000, 0x00010001, 0x00010100, 0x00010101,
217     0x01000000, 0x01000001, 0x01000100, 0x01000101,
218     0x01010000, 0x01010001, 0x01010100, 0x01010101
219 };
220 
221 static const uint32_t RHs[16] =
222 {
223     0x00000000, 0x01000000, 0x00010000, 0x01010000,
224     0x00000100, 0x01000100, 0x00010100, 0x01010100,
225     0x00000001, 0x01000001, 0x00010001, 0x01010001,
226     0x00000101, 0x01000101, 0x00010101, 0x01010101,
227 };
228 
229 /*
230  * Initial Permutation macro
231  */
232 #define DES_IP(X,Y)                                                       \
233     do                                                                    \
234     {                                                                     \
235         T = (((X) >>  4) ^ (Y)) & 0x0F0F0F0F; (Y) ^= T; (X) ^= (T <<  4); \
236         T = (((X) >> 16) ^ (Y)) & 0x0000FFFF; (Y) ^= T; (X) ^= (T << 16); \
237         T = (((Y) >>  2) ^ (X)) & 0x33333333; (X) ^= T; (Y) ^= (T <<  2); \
238         T = (((Y) >>  8) ^ (X)) & 0x00FF00FF; (X) ^= T; (Y) ^= (T <<  8); \
239         (Y) = (((Y) << 1) | ((Y) >> 31)) & 0xFFFFFFFF;                    \
240         T = ((X) ^ (Y)) & 0xAAAAAAAA; (Y) ^= T; (X) ^= T;                 \
241         (X) = (((X) << 1) | ((X) >> 31)) & 0xFFFFFFFF;                    \
242     } while( 0 )
243 
244 /*
245  * Final Permutation macro
246  */
247 #define DES_FP(X,Y)                                                       \
248     do                                                                    \
249     {                                                                     \
250         (X) = (((X) << 31) | ((X) >> 1)) & 0xFFFFFFFF;                    \
251         T = ((X) ^ (Y)) & 0xAAAAAAAA; (X) ^= T; (Y) ^= T;                 \
252         (Y) = (((Y) << 31) | ((Y) >> 1)) & 0xFFFFFFFF;                    \
253         T = (((Y) >>  8) ^ (X)) & 0x00FF00FF; (X) ^= T; (Y) ^= (T <<  8); \
254         T = (((Y) >>  2) ^ (X)) & 0x33333333; (X) ^= T; (Y) ^= (T <<  2); \
255         T = (((X) >> 16) ^ (Y)) & 0x0000FFFF; (Y) ^= T; (X) ^= (T << 16); \
256         T = (((X) >>  4) ^ (Y)) & 0x0F0F0F0F; (Y) ^= T; (X) ^= (T <<  4); \
257     } while( 0 )
258 
259 /*
260  * DES round macro
261  */
262 #define DES_ROUND(X,Y)                              \
263     do                                              \
264     {                                               \
265         T = *SK++ ^ (X);                            \
266         (Y) ^= SB8[ (T      ) & 0x3F ] ^            \
267                SB6[ (T >>  8) & 0x3F ] ^            \
268                SB4[ (T >> 16) & 0x3F ] ^            \
269                SB2[ (T >> 24) & 0x3F ];             \
270                                                     \
271         T = *SK++ ^ (((X) << 28) | ((X) >> 4));     \
272         (Y) ^= SB7[ (T      ) & 0x3F ] ^            \
273                SB5[ (T >>  8) & 0x3F ] ^            \
274                SB3[ (T >> 16) & 0x3F ] ^            \
275                SB1[ (T >> 24) & 0x3F ];             \
276     } while( 0 )
277 
278 #define SWAP(a,b)                                       \
279     do                                                  \
280     {                                                   \
281         uint32_t t = (a); (a) = (b); (b) = t; t = 0;    \
282     } while( 0 )
283 
mbedtls_des_init(mbedtls_des_context * ctx)284 void mbedtls_des_init( mbedtls_des_context *ctx )
285 {
286     memset( ctx, 0, sizeof( mbedtls_des_context ) );
287 }
288 
mbedtls_des_free(mbedtls_des_context * ctx)289 void mbedtls_des_free( mbedtls_des_context *ctx )
290 {
291     if( ctx == NULL )
292         return;
293 
294     mbedtls_platform_zeroize( ctx, sizeof( mbedtls_des_context ) );
295 }
296 
mbedtls_des3_init(mbedtls_des3_context * ctx)297 void mbedtls_des3_init( mbedtls_des3_context *ctx )
298 {
299     memset( ctx, 0, sizeof( mbedtls_des3_context ) );
300 }
301 
mbedtls_des3_free(mbedtls_des3_context * ctx)302 void mbedtls_des3_free( mbedtls_des3_context *ctx )
303 {
304     if( ctx == NULL )
305         return;
306 
307     mbedtls_platform_zeroize( ctx, sizeof( mbedtls_des3_context ) );
308 }
309 
310 static const unsigned char odd_parity_table[128] = { 1,  2,  4,  7,  8,
311         11, 13, 14, 16, 19, 21, 22, 25, 26, 28, 31, 32, 35, 37, 38, 41, 42, 44,
312         47, 49, 50, 52, 55, 56, 59, 61, 62, 64, 67, 69, 70, 73, 74, 76, 79, 81,
313         82, 84, 87, 88, 91, 93, 94, 97, 98, 100, 103, 104, 107, 109, 110, 112,
314         115, 117, 118, 121, 122, 124, 127, 128, 131, 133, 134, 137, 138, 140,
315         143, 145, 146, 148, 151, 152, 155, 157, 158, 161, 162, 164, 167, 168,
316         171, 173, 174, 176, 179, 181, 182, 185, 186, 188, 191, 193, 194, 196,
317         199, 200, 203, 205, 206, 208, 211, 213, 214, 217, 218, 220, 223, 224,
318         227, 229, 230, 233, 234, 236, 239, 241, 242, 244, 247, 248, 251, 253,
319         254 };
320 
mbedtls_des_key_set_parity(unsigned char key[MBEDTLS_DES_KEY_SIZE])321 void mbedtls_des_key_set_parity( unsigned char key[MBEDTLS_DES_KEY_SIZE] )
322 {
323     int i;
324 
325     for( i = 0; i < MBEDTLS_DES_KEY_SIZE; i++ )
326         key[i] = odd_parity_table[key[i] / 2];
327 }
328 
329 /*
330  * Check the given key's parity, returns 1 on failure, 0 on SUCCESS
331  */
mbedtls_des_key_check_key_parity(const unsigned char key[MBEDTLS_DES_KEY_SIZE])332 int mbedtls_des_key_check_key_parity( const unsigned char key[MBEDTLS_DES_KEY_SIZE] )
333 {
334     int i;
335 
336     for( i = 0; i < MBEDTLS_DES_KEY_SIZE; i++ )
337         if( key[i] != odd_parity_table[key[i] / 2] )
338             return( 1 );
339 
340     return( 0 );
341 }
342 
343 /*
344  * Table of weak and semi-weak keys
345  *
346  * Source: http://en.wikipedia.org/wiki/Weak_key
347  *
348  * Weak:
349  * Alternating ones + zeros (0x0101010101010101)
350  * Alternating 'F' + 'E' (0xFEFEFEFEFEFEFEFE)
351  * '0xE0E0E0E0F1F1F1F1'
352  * '0x1F1F1F1F0E0E0E0E'
353  *
354  * Semi-weak:
355  * 0x011F011F010E010E and 0x1F011F010E010E01
356  * 0x01E001E001F101F1 and 0xE001E001F101F101
357  * 0x01FE01FE01FE01FE and 0xFE01FE01FE01FE01
358  * 0x1FE01FE00EF10EF1 and 0xE01FE01FF10EF10E
359  * 0x1FFE1FFE0EFE0EFE and 0xFE1FFE1FFE0EFE0E
360  * 0xE0FEE0FEF1FEF1FE and 0xFEE0FEE0FEF1FEF1
361  *
362  */
363 
364 #define WEAK_KEY_COUNT 16
365 
366 static const unsigned char weak_key_table[WEAK_KEY_COUNT][MBEDTLS_DES_KEY_SIZE] =
367 {
368     { 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 },
369     { 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE },
370     { 0x1F, 0x1F, 0x1F, 0x1F, 0x0E, 0x0E, 0x0E, 0x0E },
371     { 0xE0, 0xE0, 0xE0, 0xE0, 0xF1, 0xF1, 0xF1, 0xF1 },
372 
373     { 0x01, 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E },
374     { 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E, 0x01 },
375     { 0x01, 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1 },
376     { 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1, 0x01 },
377     { 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE },
378     { 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01 },
379     { 0x1F, 0xE0, 0x1F, 0xE0, 0x0E, 0xF1, 0x0E, 0xF1 },
380     { 0xE0, 0x1F, 0xE0, 0x1F, 0xF1, 0x0E, 0xF1, 0x0E },
381     { 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E, 0xFE },
382     { 0xFE, 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E },
383     { 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1, 0xFE },
384     { 0xFE, 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1 }
385 };
386 
mbedtls_des_key_check_weak(const unsigned char key[MBEDTLS_DES_KEY_SIZE])387 int mbedtls_des_key_check_weak( const unsigned char key[MBEDTLS_DES_KEY_SIZE] )
388 {
389     int i;
390 
391     for( i = 0; i < WEAK_KEY_COUNT; i++ )
392         if( memcmp( weak_key_table[i], key, MBEDTLS_DES_KEY_SIZE) == 0 )
393             return( 1 );
394 
395     return( 0 );
396 }
397 
398 #if !defined(MBEDTLS_DES_SETKEY_ALT)
mbedtls_des_setkey(uint32_t SK[32],const unsigned char key[MBEDTLS_DES_KEY_SIZE])399 void mbedtls_des_setkey( uint32_t SK[32], const unsigned char key[MBEDTLS_DES_KEY_SIZE] )
400 {
401     int i;
402     uint32_t X, Y, T;
403 
404     X = MBEDTLS_GET_UINT32_BE( key, 0 );
405     Y = MBEDTLS_GET_UINT32_BE( key, 4 );
406 
407     /*
408      * Permuted Choice 1
409      */
410     T =  ((Y >>  4) ^ X) & 0x0F0F0F0F;  X ^= T; Y ^= (T <<  4);
411     T =  ((Y      ) ^ X) & 0x10101010;  X ^= T; Y ^= (T      );
412 
413     X =   (LHs[ (X      ) & 0xF] << 3) | (LHs[ (X >>  8) & 0xF ] << 2)
414         | (LHs[ (X >> 16) & 0xF] << 1) | (LHs[ (X >> 24) & 0xF ]     )
415         | (LHs[ (X >>  5) & 0xF] << 7) | (LHs[ (X >> 13) & 0xF ] << 6)
416         | (LHs[ (X >> 21) & 0xF] << 5) | (LHs[ (X >> 29) & 0xF ] << 4);
417 
418     Y =   (RHs[ (Y >>  1) & 0xF] << 3) | (RHs[ (Y >>  9) & 0xF ] << 2)
419         | (RHs[ (Y >> 17) & 0xF] << 1) | (RHs[ (Y >> 25) & 0xF ]     )
420         | (RHs[ (Y >>  4) & 0xF] << 7) | (RHs[ (Y >> 12) & 0xF ] << 6)
421         | (RHs[ (Y >> 20) & 0xF] << 5) | (RHs[ (Y >> 28) & 0xF ] << 4);
422 
423     X &= 0x0FFFFFFF;
424     Y &= 0x0FFFFFFF;
425 
426     /*
427      * calculate subkeys
428      */
429     for( i = 0; i < 16; i++ )
430     {
431         if( i < 2 || i == 8 || i == 15 )
432         {
433             X = ((X <<  1) | (X >> 27)) & 0x0FFFFFFF;
434             Y = ((Y <<  1) | (Y >> 27)) & 0x0FFFFFFF;
435         }
436         else
437         {
438             X = ((X <<  2) | (X >> 26)) & 0x0FFFFFFF;
439             Y = ((Y <<  2) | (Y >> 26)) & 0x0FFFFFFF;
440         }
441 
442         *SK++ =   ((X <<  4) & 0x24000000) | ((X << 28) & 0x10000000)
443                 | ((X << 14) & 0x08000000) | ((X << 18) & 0x02080000)
444                 | ((X <<  6) & 0x01000000) | ((X <<  9) & 0x00200000)
445                 | ((X >>  1) & 0x00100000) | ((X << 10) & 0x00040000)
446                 | ((X <<  2) & 0x00020000) | ((X >> 10) & 0x00010000)
447                 | ((Y >> 13) & 0x00002000) | ((Y >>  4) & 0x00001000)
448                 | ((Y <<  6) & 0x00000800) | ((Y >>  1) & 0x00000400)
449                 | ((Y >> 14) & 0x00000200) | ((Y      ) & 0x00000100)
450                 | ((Y >>  5) & 0x00000020) | ((Y >> 10) & 0x00000010)
451                 | ((Y >>  3) & 0x00000008) | ((Y >> 18) & 0x00000004)
452                 | ((Y >> 26) & 0x00000002) | ((Y >> 24) & 0x00000001);
453 
454         *SK++ =   ((X << 15) & 0x20000000) | ((X << 17) & 0x10000000)
455                 | ((X << 10) & 0x08000000) | ((X << 22) & 0x04000000)
456                 | ((X >>  2) & 0x02000000) | ((X <<  1) & 0x01000000)
457                 | ((X << 16) & 0x00200000) | ((X << 11) & 0x00100000)
458                 | ((X <<  3) & 0x00080000) | ((X >>  6) & 0x00040000)
459                 | ((X << 15) & 0x00020000) | ((X >>  4) & 0x00010000)
460                 | ((Y >>  2) & 0x00002000) | ((Y <<  8) & 0x00001000)
461                 | ((Y >> 14) & 0x00000808) | ((Y >>  9) & 0x00000400)
462                 | ((Y      ) & 0x00000200) | ((Y <<  7) & 0x00000100)
463                 | ((Y >>  7) & 0x00000020) | ((Y >>  3) & 0x00000011)
464                 | ((Y <<  2) & 0x00000004) | ((Y >> 21) & 0x00000002);
465     }
466 }
467 #endif /* !MBEDTLS_DES_SETKEY_ALT */
468 
469 /*
470  * DES key schedule (56-bit, encryption)
471  */
mbedtls_des_setkey_enc(mbedtls_des_context * ctx,const unsigned char key[MBEDTLS_DES_KEY_SIZE])472 int mbedtls_des_setkey_enc( mbedtls_des_context *ctx, const unsigned char key[MBEDTLS_DES_KEY_SIZE] )
473 {
474     mbedtls_des_setkey( ctx->sk, key );
475 
476     return( 0 );
477 }
478 
479 /*
480  * DES key schedule (56-bit, decryption)
481  */
mbedtls_des_setkey_dec(mbedtls_des_context * ctx,const unsigned char key[MBEDTLS_DES_KEY_SIZE])482 int mbedtls_des_setkey_dec( mbedtls_des_context *ctx, const unsigned char key[MBEDTLS_DES_KEY_SIZE] )
483 {
484     int i;
485 
486     mbedtls_des_setkey( ctx->sk, key );
487 
488     for( i = 0; i < 16; i += 2 )
489     {
490         SWAP( ctx->sk[i    ], ctx->sk[30 - i] );
491         SWAP( ctx->sk[i + 1], ctx->sk[31 - i] );
492     }
493 
494     return( 0 );
495 }
496 
des3_set2key(uint32_t esk[96],uint32_t dsk[96],const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2])497 static void des3_set2key( uint32_t esk[96],
498                           uint32_t dsk[96],
499                           const unsigned char key[MBEDTLS_DES_KEY_SIZE*2] )
500 {
501     int i;
502 
503     mbedtls_des_setkey( esk, key );
504     mbedtls_des_setkey( dsk + 32, key + 8 );
505 
506     for( i = 0; i < 32; i += 2 )
507     {
508         dsk[i     ] = esk[30 - i];
509         dsk[i +  1] = esk[31 - i];
510 
511         esk[i + 32] = dsk[62 - i];
512         esk[i + 33] = dsk[63 - i];
513 
514         esk[i + 64] = esk[i    ];
515         esk[i + 65] = esk[i + 1];
516 
517         dsk[i + 64] = dsk[i    ];
518         dsk[i + 65] = dsk[i + 1];
519     }
520 }
521 
522 /*
523  * Triple-DES key schedule (112-bit, encryption)
524  */
mbedtls_des3_set2key_enc(mbedtls_des3_context * ctx,const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2])525 int mbedtls_des3_set2key_enc( mbedtls_des3_context *ctx,
526                       const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2] )
527 {
528     uint32_t sk[96];
529 
530     des3_set2key( ctx->sk, sk, key );
531     mbedtls_platform_zeroize( sk,  sizeof( sk ) );
532 
533     return( 0 );
534 }
535 
536 /*
537  * Triple-DES key schedule (112-bit, decryption)
538  */
mbedtls_des3_set2key_dec(mbedtls_des3_context * ctx,const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2])539 int mbedtls_des3_set2key_dec( mbedtls_des3_context *ctx,
540                       const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2] )
541 {
542     uint32_t sk[96];
543 
544     des3_set2key( sk, ctx->sk, key );
545     mbedtls_platform_zeroize( sk,  sizeof( sk ) );
546 
547     return( 0 );
548 }
549 
des3_set3key(uint32_t esk[96],uint32_t dsk[96],const unsigned char key[24])550 static void des3_set3key( uint32_t esk[96],
551                           uint32_t dsk[96],
552                           const unsigned char key[24] )
553 {
554     int i;
555 
556     mbedtls_des_setkey( esk, key );
557     mbedtls_des_setkey( dsk + 32, key +  8 );
558     mbedtls_des_setkey( esk + 64, key + 16 );
559 
560     for( i = 0; i < 32; i += 2 )
561     {
562         dsk[i     ] = esk[94 - i];
563         dsk[i +  1] = esk[95 - i];
564 
565         esk[i + 32] = dsk[62 - i];
566         esk[i + 33] = dsk[63 - i];
567 
568         dsk[i + 64] = esk[30 - i];
569         dsk[i + 65] = esk[31 - i];
570     }
571 }
572 
573 /*
574  * Triple-DES key schedule (168-bit, encryption)
575  */
mbedtls_des3_set3key_enc(mbedtls_des3_context * ctx,const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3])576 int mbedtls_des3_set3key_enc( mbedtls_des3_context *ctx,
577                       const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3] )
578 {
579     uint32_t sk[96];
580 
581     des3_set3key( ctx->sk, sk, key );
582     mbedtls_platform_zeroize( sk,  sizeof( sk ) );
583 
584     return( 0 );
585 }
586 
587 /*
588  * Triple-DES key schedule (168-bit, decryption)
589  */
mbedtls_des3_set3key_dec(mbedtls_des3_context * ctx,const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3])590 int mbedtls_des3_set3key_dec( mbedtls_des3_context *ctx,
591                       const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3] )
592 {
593     uint32_t sk[96];
594 
595     des3_set3key( sk, ctx->sk, key );
596     mbedtls_platform_zeroize( sk,  sizeof( sk ) );
597 
598     return( 0 );
599 }
600 
601 /*
602  * DES-ECB block encryption/decryption
603  */
604 #if !defined(MBEDTLS_DES_CRYPT_ECB_ALT)
mbedtls_des_crypt_ecb(mbedtls_des_context * ctx,const unsigned char input[8],unsigned char output[8])605 int mbedtls_des_crypt_ecb( mbedtls_des_context *ctx,
606                     const unsigned char input[8],
607                     unsigned char output[8] )
608 {
609     int i;
610     uint32_t X, Y, T, *SK;
611 
612     SK = ctx->sk;
613 
614     X = MBEDTLS_GET_UINT32_BE( input, 0 );
615     Y = MBEDTLS_GET_UINT32_BE( input, 4 );
616 
617     DES_IP( X, Y );
618 
619     for( i = 0; i < 8; i++ )
620     {
621         DES_ROUND( Y, X );
622         DES_ROUND( X, Y );
623     }
624 
625     DES_FP( Y, X );
626 
627     MBEDTLS_PUT_UINT32_BE( Y, output, 0 );
628     MBEDTLS_PUT_UINT32_BE( X, output, 4 );
629 
630     return( 0 );
631 }
632 #endif /* !MBEDTLS_DES_CRYPT_ECB_ALT */
633 
634 #if defined(MBEDTLS_CIPHER_MODE_CBC)
635 /*
636  * DES-CBC buffer encryption/decryption
637  */
mbedtls_des_crypt_cbc(mbedtls_des_context * ctx,int mode,size_t length,unsigned char iv[8],const unsigned char * input,unsigned char * output)638 int mbedtls_des_crypt_cbc( mbedtls_des_context *ctx,
639                     int mode,
640                     size_t length,
641                     unsigned char iv[8],
642                     const unsigned char *input,
643                     unsigned char *output )
644 {
645     int i;
646     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
647     unsigned char temp[8];
648 
649     if( length % 8 )
650         return( MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH );
651 
652     if( mode == MBEDTLS_DES_ENCRYPT )
653     {
654         while( length > 0 )
655         {
656             for( i = 0; i < 8; i++ )
657                 output[i] = (unsigned char)( input[i] ^ iv[i] );
658 
659             ret = mbedtls_des_crypt_ecb( ctx, output, output );
660             if( ret != 0 )
661                 goto exit;
662             memcpy( iv, output, 8 );
663 
664             input  += 8;
665             output += 8;
666             length -= 8;
667         }
668     }
669     else /* MBEDTLS_DES_DECRYPT */
670     {
671         while( length > 0 )
672         {
673             memcpy( temp, input, 8 );
674             ret = mbedtls_des_crypt_ecb( ctx, input, output );
675             if( ret != 0 )
676                 goto exit;
677 
678             for( i = 0; i < 8; i++ )
679                 output[i] = (unsigned char)( output[i] ^ iv[i] );
680 
681             memcpy( iv, temp, 8 );
682 
683             input  += 8;
684             output += 8;
685             length -= 8;
686         }
687     }
688     ret = 0;
689 
690 exit:
691     return( ret );
692 }
693 #endif /* MBEDTLS_CIPHER_MODE_CBC */
694 
695 /*
696  * 3DES-ECB block encryption/decryption
697  */
698 #if !defined(MBEDTLS_DES3_CRYPT_ECB_ALT)
mbedtls_des3_crypt_ecb(mbedtls_des3_context * ctx,const unsigned char input[8],unsigned char output[8])699 int mbedtls_des3_crypt_ecb( mbedtls_des3_context *ctx,
700                      const unsigned char input[8],
701                      unsigned char output[8] )
702 {
703     int i;
704     uint32_t X, Y, T, *SK;
705 
706     SK = ctx->sk;
707 
708     X = MBEDTLS_GET_UINT32_BE( input, 0 );
709     Y = MBEDTLS_GET_UINT32_BE( input, 4 );
710 
711     DES_IP( X, Y );
712 
713     for( i = 0; i < 8; i++ )
714     {
715         DES_ROUND( Y, X );
716         DES_ROUND( X, Y );
717     }
718 
719     for( i = 0; i < 8; i++ )
720     {
721         DES_ROUND( X, Y );
722         DES_ROUND( Y, X );
723     }
724 
725     for( i = 0; i < 8; i++ )
726     {
727         DES_ROUND( Y, X );
728         DES_ROUND( X, Y );
729     }
730 
731     DES_FP( Y, X );
732 
733     MBEDTLS_PUT_UINT32_BE( Y, output, 0 );
734     MBEDTLS_PUT_UINT32_BE( X, output, 4 );
735 
736     return( 0 );
737 }
738 #endif /* !MBEDTLS_DES3_CRYPT_ECB_ALT */
739 
740 #if defined(MBEDTLS_CIPHER_MODE_CBC)
741 /*
742  * 3DES-CBC buffer encryption/decryption
743  */
mbedtls_des3_crypt_cbc(mbedtls_des3_context * ctx,int mode,size_t length,unsigned char iv[8],const unsigned char * input,unsigned char * output)744 int mbedtls_des3_crypt_cbc( mbedtls_des3_context *ctx,
745                      int mode,
746                      size_t length,
747                      unsigned char iv[8],
748                      const unsigned char *input,
749                      unsigned char *output )
750 {
751     int i;
752     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
753     unsigned char temp[8];
754 
755     if( length % 8 )
756         return( MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH );
757 
758     if( mode == MBEDTLS_DES_ENCRYPT )
759     {
760         while( length > 0 )
761         {
762             for( i = 0; i < 8; i++ )
763                 output[i] = (unsigned char)( input[i] ^ iv[i] );
764 
765             ret = mbedtls_des3_crypt_ecb( ctx, output, output );
766             if( ret != 0 )
767                 goto exit;
768             memcpy( iv, output, 8 );
769 
770             input  += 8;
771             output += 8;
772             length -= 8;
773         }
774     }
775     else /* MBEDTLS_DES_DECRYPT */
776     {
777         while( length > 0 )
778         {
779             memcpy( temp, input, 8 );
780             ret = mbedtls_des3_crypt_ecb( ctx, input, output );
781             if( ret != 0 )
782                 goto exit;
783 
784             for( i = 0; i < 8; i++ )
785                 output[i] = (unsigned char)( output[i] ^ iv[i] );
786 
787             memcpy( iv, temp, 8 );
788 
789             input  += 8;
790             output += 8;
791             length -= 8;
792         }
793     }
794     ret = 0;
795 
796 exit:
797     return( ret );
798 }
799 #endif /* MBEDTLS_CIPHER_MODE_CBC */
800 
801 #endif /* !MBEDTLS_DES_ALT */
802 
803 #if defined(MBEDTLS_SELF_TEST)
804 /*
805  * DES and 3DES test vectors from:
806  *
807  * http://csrc.nist.gov/groups/STM/cavp/documents/des/tripledes-vectors.zip
808  */
809 static const unsigned char des3_test_keys[24] =
810 {
811     0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF,
812     0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01,
813     0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01, 0x23
814 };
815 
816 static const unsigned char des3_test_buf[8] =
817 {
818     0x4E, 0x6F, 0x77, 0x20, 0x69, 0x73, 0x20, 0x74
819 };
820 
821 static const unsigned char des3_test_ecb_dec[3][8] =
822 {
823     { 0x37, 0x2B, 0x98, 0xBF, 0x52, 0x65, 0xB0, 0x59 },
824     { 0xC2, 0x10, 0x19, 0x9C, 0x38, 0x5A, 0x65, 0xA1 },
825     { 0xA2, 0x70, 0x56, 0x68, 0x69, 0xE5, 0x15, 0x1D }
826 };
827 
828 static const unsigned char des3_test_ecb_enc[3][8] =
829 {
830     { 0x1C, 0xD5, 0x97, 0xEA, 0x84, 0x26, 0x73, 0xFB },
831     { 0xB3, 0x92, 0x4D, 0xF3, 0xC5, 0xB5, 0x42, 0x93 },
832     { 0xDA, 0x37, 0x64, 0x41, 0xBA, 0x6F, 0x62, 0x6F }
833 };
834 
835 #if defined(MBEDTLS_CIPHER_MODE_CBC)
836 static const unsigned char des3_test_iv[8] =
837 {
838     0x12, 0x34, 0x56, 0x78, 0x90, 0xAB, 0xCD, 0xEF,
839 };
840 
841 static const unsigned char des3_test_cbc_dec[3][8] =
842 {
843     { 0x58, 0xD9, 0x48, 0xEF, 0x85, 0x14, 0x65, 0x9A },
844     { 0x5F, 0xC8, 0x78, 0xD4, 0xD7, 0x92, 0xD9, 0x54 },
845     { 0x25, 0xF9, 0x75, 0x85, 0xA8, 0x1E, 0x48, 0xBF }
846 };
847 
848 static const unsigned char des3_test_cbc_enc[3][8] =
849 {
850     { 0x91, 0x1C, 0x6D, 0xCF, 0x48, 0xA7, 0xC3, 0x4D },
851     { 0x60, 0x1A, 0x76, 0x8F, 0xA1, 0xF9, 0x66, 0xF1 },
852     { 0xA1, 0x50, 0x0F, 0x99, 0xB2, 0xCD, 0x64, 0x76 }
853 };
854 #endif /* MBEDTLS_CIPHER_MODE_CBC */
855 
856 /*
857  * Checkup routine
858  */
mbedtls_des_self_test(int verbose)859 int mbedtls_des_self_test( int verbose )
860 {
861     int i, j, u, v, ret = 0;
862     mbedtls_des_context ctx;
863     mbedtls_des3_context ctx3;
864     unsigned char buf[8];
865 #if defined(MBEDTLS_CIPHER_MODE_CBC)
866     unsigned char prv[8];
867     unsigned char iv[8];
868 #endif
869 
870     mbedtls_des_init( &ctx );
871     mbedtls_des3_init( &ctx3 );
872     /*
873      * ECB mode
874      */
875     for( i = 0; i < 6; i++ )
876     {
877         u = i >> 1;
878         v = i  & 1;
879 
880         if( verbose != 0 )
881             mbedtls_printf( "  DES%c-ECB-%3d (%s): ",
882                              ( u == 0 ) ? ' ' : '3', 56 + u * 56,
883                              ( v == MBEDTLS_DES_DECRYPT ) ? "dec" : "enc" );
884 
885         memcpy( buf, des3_test_buf, 8 );
886 
887         switch( i )
888         {
889         case 0:
890             ret = mbedtls_des_setkey_dec( &ctx, des3_test_keys );
891             break;
892 
893         case 1:
894             ret = mbedtls_des_setkey_enc( &ctx, des3_test_keys );
895             break;
896 
897         case 2:
898             ret = mbedtls_des3_set2key_dec( &ctx3, des3_test_keys );
899             break;
900 
901         case 3:
902             ret = mbedtls_des3_set2key_enc( &ctx3, des3_test_keys );
903             break;
904 
905         case 4:
906             ret = mbedtls_des3_set3key_dec( &ctx3, des3_test_keys );
907             break;
908 
909         case 5:
910             ret = mbedtls_des3_set3key_enc( &ctx3, des3_test_keys );
911             break;
912 
913         default:
914             return( 1 );
915         }
916         if( ret != 0 )
917             goto exit;
918 
919         for( j = 0; j < 100; j++ )
920         {
921             if( u == 0 )
922                 ret = mbedtls_des_crypt_ecb( &ctx, buf, buf );
923             else
924                 ret = mbedtls_des3_crypt_ecb( &ctx3, buf, buf );
925             if( ret != 0 )
926                 goto exit;
927         }
928 
929         if( ( v == MBEDTLS_DES_DECRYPT &&
930                 memcmp( buf, des3_test_ecb_dec[u], 8 ) != 0 ) ||
931             ( v != MBEDTLS_DES_DECRYPT &&
932                 memcmp( buf, des3_test_ecb_enc[u], 8 ) != 0 ) )
933         {
934             if( verbose != 0 )
935                 mbedtls_printf( "failed\n" );
936 
937             ret = 1;
938             goto exit;
939         }
940 
941         if( verbose != 0 )
942             mbedtls_printf( "passed\n" );
943     }
944 
945     if( verbose != 0 )
946         mbedtls_printf( "\n" );
947 
948 #if defined(MBEDTLS_CIPHER_MODE_CBC)
949     /*
950      * CBC mode
951      */
952     for( i = 0; i < 6; i++ )
953     {
954         u = i >> 1;
955         v = i  & 1;
956 
957         if( verbose != 0 )
958             mbedtls_printf( "  DES%c-CBC-%3d (%s): ",
959                              ( u == 0 ) ? ' ' : '3', 56 + u * 56,
960                              ( v == MBEDTLS_DES_DECRYPT ) ? "dec" : "enc" );
961 
962         memcpy( iv,  des3_test_iv,  8 );
963         memcpy( prv, des3_test_iv,  8 );
964         memcpy( buf, des3_test_buf, 8 );
965 
966         switch( i )
967         {
968         case 0:
969             ret = mbedtls_des_setkey_dec( &ctx, des3_test_keys );
970             break;
971 
972         case 1:
973             ret = mbedtls_des_setkey_enc( &ctx, des3_test_keys );
974             break;
975 
976         case 2:
977             ret = mbedtls_des3_set2key_dec( &ctx3, des3_test_keys );
978             break;
979 
980         case 3:
981             ret = mbedtls_des3_set2key_enc( &ctx3, des3_test_keys );
982             break;
983 
984         case 4:
985             ret = mbedtls_des3_set3key_dec( &ctx3, des3_test_keys );
986             break;
987 
988         case 5:
989             ret = mbedtls_des3_set3key_enc( &ctx3, des3_test_keys );
990             break;
991 
992         default:
993             return( 1 );
994         }
995         if( ret != 0 )
996             goto exit;
997 
998         if( v == MBEDTLS_DES_DECRYPT )
999         {
1000             for( j = 0; j < 100; j++ )
1001             {
1002                 if( u == 0 )
1003                     ret = mbedtls_des_crypt_cbc( &ctx, v, 8, iv, buf, buf );
1004                 else
1005                     ret = mbedtls_des3_crypt_cbc( &ctx3, v, 8, iv, buf, buf );
1006                 if( ret != 0 )
1007                     goto exit;
1008             }
1009         }
1010         else
1011         {
1012             for( j = 0; j < 100; j++ )
1013             {
1014                 unsigned char tmp[8];
1015 
1016                 if( u == 0 )
1017                     ret = mbedtls_des_crypt_cbc( &ctx, v, 8, iv, buf, buf );
1018                 else
1019                     ret = mbedtls_des3_crypt_cbc( &ctx3, v, 8, iv, buf, buf );
1020                 if( ret != 0 )
1021                     goto exit;
1022 
1023                 memcpy( tmp, prv, 8 );
1024                 memcpy( prv, buf, 8 );
1025                 memcpy( buf, tmp, 8 );
1026             }
1027 
1028             memcpy( buf, prv, 8 );
1029         }
1030 
1031         if( ( v == MBEDTLS_DES_DECRYPT &&
1032                 memcmp( buf, des3_test_cbc_dec[u], 8 ) != 0 ) ||
1033             ( v != MBEDTLS_DES_DECRYPT &&
1034                 memcmp( buf, des3_test_cbc_enc[u], 8 ) != 0 ) )
1035         {
1036             if( verbose != 0 )
1037                 mbedtls_printf( "failed\n" );
1038 
1039             ret = 1;
1040             goto exit;
1041         }
1042 
1043         if( verbose != 0 )
1044             mbedtls_printf( "passed\n" );
1045     }
1046 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1047 
1048     if( verbose != 0 )
1049         mbedtls_printf( "\n" );
1050 
1051 exit:
1052     mbedtls_des_free( &ctx );
1053     mbedtls_des3_free( &ctx3 );
1054 
1055     if( ret != 0 )
1056         ret = 1;
1057     return( ret );
1058 }
1059 
1060 #endif /* MBEDTLS_SELF_TEST */
1061 
1062 #endif /* MBEDTLS_DES_C */
1063