1 /*
2 * FIPS-46-3 compliant Triple-DES implementation
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 */
7 /*
8 * DES, on which TDES is based, was originally designed by Horst Feistel
9 * at IBM in 1974, and was adopted as a standard by NIST (formerly NBS).
10 *
11 * http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf
12 */
13
14 #include "common.h"
15
16 #if defined(MBEDTLS_DES_C)
17
18 #include "mbedtls/des.h"
19 #include "mbedtls/error.h"
20 #include "mbedtls/platform_util.h"
21
22 #include <string.h>
23
24 #include "mbedtls/platform.h"
25
26 #if !defined(MBEDTLS_DES_ALT)
27
28 /*
29 * Expanded DES S-boxes
30 */
31 static const uint32_t SB1[64] =
32 {
33 0x01010400, 0x00000000, 0x00010000, 0x01010404,
34 0x01010004, 0x00010404, 0x00000004, 0x00010000,
35 0x00000400, 0x01010400, 0x01010404, 0x00000400,
36 0x01000404, 0x01010004, 0x01000000, 0x00000004,
37 0x00000404, 0x01000400, 0x01000400, 0x00010400,
38 0x00010400, 0x01010000, 0x01010000, 0x01000404,
39 0x00010004, 0x01000004, 0x01000004, 0x00010004,
40 0x00000000, 0x00000404, 0x00010404, 0x01000000,
41 0x00010000, 0x01010404, 0x00000004, 0x01010000,
42 0x01010400, 0x01000000, 0x01000000, 0x00000400,
43 0x01010004, 0x00010000, 0x00010400, 0x01000004,
44 0x00000400, 0x00000004, 0x01000404, 0x00010404,
45 0x01010404, 0x00010004, 0x01010000, 0x01000404,
46 0x01000004, 0x00000404, 0x00010404, 0x01010400,
47 0x00000404, 0x01000400, 0x01000400, 0x00000000,
48 0x00010004, 0x00010400, 0x00000000, 0x01010004
49 };
50
51 static const uint32_t SB2[64] =
52 {
53 0x80108020, 0x80008000, 0x00008000, 0x00108020,
54 0x00100000, 0x00000020, 0x80100020, 0x80008020,
55 0x80000020, 0x80108020, 0x80108000, 0x80000000,
56 0x80008000, 0x00100000, 0x00000020, 0x80100020,
57 0x00108000, 0x00100020, 0x80008020, 0x00000000,
58 0x80000000, 0x00008000, 0x00108020, 0x80100000,
59 0x00100020, 0x80000020, 0x00000000, 0x00108000,
60 0x00008020, 0x80108000, 0x80100000, 0x00008020,
61 0x00000000, 0x00108020, 0x80100020, 0x00100000,
62 0x80008020, 0x80100000, 0x80108000, 0x00008000,
63 0x80100000, 0x80008000, 0x00000020, 0x80108020,
64 0x00108020, 0x00000020, 0x00008000, 0x80000000,
65 0x00008020, 0x80108000, 0x00100000, 0x80000020,
66 0x00100020, 0x80008020, 0x80000020, 0x00100020,
67 0x00108000, 0x00000000, 0x80008000, 0x00008020,
68 0x80000000, 0x80100020, 0x80108020, 0x00108000
69 };
70
71 static const uint32_t SB3[64] =
72 {
73 0x00000208, 0x08020200, 0x00000000, 0x08020008,
74 0x08000200, 0x00000000, 0x00020208, 0x08000200,
75 0x00020008, 0x08000008, 0x08000008, 0x00020000,
76 0x08020208, 0x00020008, 0x08020000, 0x00000208,
77 0x08000000, 0x00000008, 0x08020200, 0x00000200,
78 0x00020200, 0x08020000, 0x08020008, 0x00020208,
79 0x08000208, 0x00020200, 0x00020000, 0x08000208,
80 0x00000008, 0x08020208, 0x00000200, 0x08000000,
81 0x08020200, 0x08000000, 0x00020008, 0x00000208,
82 0x00020000, 0x08020200, 0x08000200, 0x00000000,
83 0x00000200, 0x00020008, 0x08020208, 0x08000200,
84 0x08000008, 0x00000200, 0x00000000, 0x08020008,
85 0x08000208, 0x00020000, 0x08000000, 0x08020208,
86 0x00000008, 0x00020208, 0x00020200, 0x08000008,
87 0x08020000, 0x08000208, 0x00000208, 0x08020000,
88 0x00020208, 0x00000008, 0x08020008, 0x00020200
89 };
90
91 static const uint32_t SB4[64] =
92 {
93 0x00802001, 0x00002081, 0x00002081, 0x00000080,
94 0x00802080, 0x00800081, 0x00800001, 0x00002001,
95 0x00000000, 0x00802000, 0x00802000, 0x00802081,
96 0x00000081, 0x00000000, 0x00800080, 0x00800001,
97 0x00000001, 0x00002000, 0x00800000, 0x00802001,
98 0x00000080, 0x00800000, 0x00002001, 0x00002080,
99 0x00800081, 0x00000001, 0x00002080, 0x00800080,
100 0x00002000, 0x00802080, 0x00802081, 0x00000081,
101 0x00800080, 0x00800001, 0x00802000, 0x00802081,
102 0x00000081, 0x00000000, 0x00000000, 0x00802000,
103 0x00002080, 0x00800080, 0x00800081, 0x00000001,
104 0x00802001, 0x00002081, 0x00002081, 0x00000080,
105 0x00802081, 0x00000081, 0x00000001, 0x00002000,
106 0x00800001, 0x00002001, 0x00802080, 0x00800081,
107 0x00002001, 0x00002080, 0x00800000, 0x00802001,
108 0x00000080, 0x00800000, 0x00002000, 0x00802080
109 };
110
111 static const uint32_t SB5[64] =
112 {
113 0x00000100, 0x02080100, 0x02080000, 0x42000100,
114 0x00080000, 0x00000100, 0x40000000, 0x02080000,
115 0x40080100, 0x00080000, 0x02000100, 0x40080100,
116 0x42000100, 0x42080000, 0x00080100, 0x40000000,
117 0x02000000, 0x40080000, 0x40080000, 0x00000000,
118 0x40000100, 0x42080100, 0x42080100, 0x02000100,
119 0x42080000, 0x40000100, 0x00000000, 0x42000000,
120 0x02080100, 0x02000000, 0x42000000, 0x00080100,
121 0x00080000, 0x42000100, 0x00000100, 0x02000000,
122 0x40000000, 0x02080000, 0x42000100, 0x40080100,
123 0x02000100, 0x40000000, 0x42080000, 0x02080100,
124 0x40080100, 0x00000100, 0x02000000, 0x42080000,
125 0x42080100, 0x00080100, 0x42000000, 0x42080100,
126 0x02080000, 0x00000000, 0x40080000, 0x42000000,
127 0x00080100, 0x02000100, 0x40000100, 0x00080000,
128 0x00000000, 0x40080000, 0x02080100, 0x40000100
129 };
130
131 static const uint32_t SB6[64] =
132 {
133 0x20000010, 0x20400000, 0x00004000, 0x20404010,
134 0x20400000, 0x00000010, 0x20404010, 0x00400000,
135 0x20004000, 0x00404010, 0x00400000, 0x20000010,
136 0x00400010, 0x20004000, 0x20000000, 0x00004010,
137 0x00000000, 0x00400010, 0x20004010, 0x00004000,
138 0x00404000, 0x20004010, 0x00000010, 0x20400010,
139 0x20400010, 0x00000000, 0x00404010, 0x20404000,
140 0x00004010, 0x00404000, 0x20404000, 0x20000000,
141 0x20004000, 0x00000010, 0x20400010, 0x00404000,
142 0x20404010, 0x00400000, 0x00004010, 0x20000010,
143 0x00400000, 0x20004000, 0x20000000, 0x00004010,
144 0x20000010, 0x20404010, 0x00404000, 0x20400000,
145 0x00404010, 0x20404000, 0x00000000, 0x20400010,
146 0x00000010, 0x00004000, 0x20400000, 0x00404010,
147 0x00004000, 0x00400010, 0x20004010, 0x00000000,
148 0x20404000, 0x20000000, 0x00400010, 0x20004010
149 };
150
151 static const uint32_t SB7[64] =
152 {
153 0x00200000, 0x04200002, 0x04000802, 0x00000000,
154 0x00000800, 0x04000802, 0x00200802, 0x04200800,
155 0x04200802, 0x00200000, 0x00000000, 0x04000002,
156 0x00000002, 0x04000000, 0x04200002, 0x00000802,
157 0x04000800, 0x00200802, 0x00200002, 0x04000800,
158 0x04000002, 0x04200000, 0x04200800, 0x00200002,
159 0x04200000, 0x00000800, 0x00000802, 0x04200802,
160 0x00200800, 0x00000002, 0x04000000, 0x00200800,
161 0x04000000, 0x00200800, 0x00200000, 0x04000802,
162 0x04000802, 0x04200002, 0x04200002, 0x00000002,
163 0x00200002, 0x04000000, 0x04000800, 0x00200000,
164 0x04200800, 0x00000802, 0x00200802, 0x04200800,
165 0x00000802, 0x04000002, 0x04200802, 0x04200000,
166 0x00200800, 0x00000000, 0x00000002, 0x04200802,
167 0x00000000, 0x00200802, 0x04200000, 0x00000800,
168 0x04000002, 0x04000800, 0x00000800, 0x00200002
169 };
170
171 static const uint32_t SB8[64] =
172 {
173 0x10001040, 0x00001000, 0x00040000, 0x10041040,
174 0x10000000, 0x10001040, 0x00000040, 0x10000000,
175 0x00040040, 0x10040000, 0x10041040, 0x00041000,
176 0x10041000, 0x00041040, 0x00001000, 0x00000040,
177 0x10040000, 0x10000040, 0x10001000, 0x00001040,
178 0x00041000, 0x00040040, 0x10040040, 0x10041000,
179 0x00001040, 0x00000000, 0x00000000, 0x10040040,
180 0x10000040, 0x10001000, 0x00041040, 0x00040000,
181 0x00041040, 0x00040000, 0x10041000, 0x00001000,
182 0x00000040, 0x10040040, 0x00001000, 0x00041040,
183 0x10001000, 0x00000040, 0x10000040, 0x10040000,
184 0x10040040, 0x10000000, 0x00040000, 0x10001040,
185 0x00000000, 0x10041040, 0x00040040, 0x10000040,
186 0x10040000, 0x10001000, 0x10001040, 0x00000000,
187 0x10041040, 0x00041000, 0x00041000, 0x00001040,
188 0x00001040, 0x00040040, 0x10000000, 0x10041000
189 };
190
191 /*
192 * PC1: left and right halves bit-swap
193 */
194 static const uint32_t LHs[16] =
195 {
196 0x00000000, 0x00000001, 0x00000100, 0x00000101,
197 0x00010000, 0x00010001, 0x00010100, 0x00010101,
198 0x01000000, 0x01000001, 0x01000100, 0x01000101,
199 0x01010000, 0x01010001, 0x01010100, 0x01010101
200 };
201
202 static const uint32_t RHs[16] =
203 {
204 0x00000000, 0x01000000, 0x00010000, 0x01010000,
205 0x00000100, 0x01000100, 0x00010100, 0x01010100,
206 0x00000001, 0x01000001, 0x00010001, 0x01010001,
207 0x00000101, 0x01000101, 0x00010101, 0x01010101,
208 };
209
210 /*
211 * Initial Permutation macro
212 */
213 #define DES_IP(X, Y) \
214 do \
215 { \
216 T = (((X) >> 4) ^ (Y)) & 0x0F0F0F0F; (Y) ^= T; (X) ^= (T << 4); \
217 T = (((X) >> 16) ^ (Y)) & 0x0000FFFF; (Y) ^= T; (X) ^= (T << 16); \
218 T = (((Y) >> 2) ^ (X)) & 0x33333333; (X) ^= T; (Y) ^= (T << 2); \
219 T = (((Y) >> 8) ^ (X)) & 0x00FF00FF; (X) ^= T; (Y) ^= (T << 8); \
220 (Y) = (((Y) << 1) | ((Y) >> 31)) & 0xFFFFFFFF; \
221 T = ((X) ^ (Y)) & 0xAAAAAAAA; (Y) ^= T; (X) ^= T; \
222 (X) = (((X) << 1) | ((X) >> 31)) & 0xFFFFFFFF; \
223 } while (0)
224
225 /*
226 * Final Permutation macro
227 */
228 #define DES_FP(X, Y) \
229 do \
230 { \
231 (X) = (((X) << 31) | ((X) >> 1)) & 0xFFFFFFFF; \
232 T = ((X) ^ (Y)) & 0xAAAAAAAA; (X) ^= T; (Y) ^= T; \
233 (Y) = (((Y) << 31) | ((Y) >> 1)) & 0xFFFFFFFF; \
234 T = (((Y) >> 8) ^ (X)) & 0x00FF00FF; (X) ^= T; (Y) ^= (T << 8); \
235 T = (((Y) >> 2) ^ (X)) & 0x33333333; (X) ^= T; (Y) ^= (T << 2); \
236 T = (((X) >> 16) ^ (Y)) & 0x0000FFFF; (Y) ^= T; (X) ^= (T << 16); \
237 T = (((X) >> 4) ^ (Y)) & 0x0F0F0F0F; (Y) ^= T; (X) ^= (T << 4); \
238 } while (0)
239
240 /*
241 * DES round macro
242 */
243 #define DES_ROUND(X, Y) \
244 do \
245 { \
246 T = *SK++ ^ (X); \
247 (Y) ^= SB8[(T) & 0x3F] ^ \
248 SB6[(T >> 8) & 0x3F] ^ \
249 SB4[(T >> 16) & 0x3F] ^ \
250 SB2[(T >> 24) & 0x3F]; \
251 \
252 T = *SK++ ^ (((X) << 28) | ((X) >> 4)); \
253 (Y) ^= SB7[(T) & 0x3F] ^ \
254 SB5[(T >> 8) & 0x3F] ^ \
255 SB3[(T >> 16) & 0x3F] ^ \
256 SB1[(T >> 24) & 0x3F]; \
257 } while (0)
258
259 #define SWAP(a, b) \
260 do \
261 { \
262 uint32_t t = (a); (a) = (b); (b) = t; t = 0; \
263 } while (0)
264
mbedtls_des_init(mbedtls_des_context * ctx)265 void mbedtls_des_init(mbedtls_des_context *ctx)
266 {
267 memset(ctx, 0, sizeof(mbedtls_des_context));
268 }
269
mbedtls_des_free(mbedtls_des_context * ctx)270 void mbedtls_des_free(mbedtls_des_context *ctx)
271 {
272 if (ctx == NULL) {
273 return;
274 }
275
276 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_des_context));
277 }
278
mbedtls_des3_init(mbedtls_des3_context * ctx)279 void mbedtls_des3_init(mbedtls_des3_context *ctx)
280 {
281 memset(ctx, 0, sizeof(mbedtls_des3_context));
282 }
283
mbedtls_des3_free(mbedtls_des3_context * ctx)284 void mbedtls_des3_free(mbedtls_des3_context *ctx)
285 {
286 if (ctx == NULL) {
287 return;
288 }
289
290 mbedtls_platform_zeroize(ctx, sizeof(mbedtls_des3_context));
291 }
292
293 static const unsigned char odd_parity_table[128] = { 1, 2, 4, 7, 8,
294 11, 13, 14, 16, 19, 21, 22, 25, 26, 28, 31, 32,
295 35, 37, 38, 41, 42, 44,
296 47, 49, 50, 52, 55, 56, 59, 61, 62, 64, 67, 69,
297 70, 73, 74, 76, 79, 81,
298 82, 84, 87, 88, 91, 93, 94, 97, 98, 100, 103,
299 104, 107, 109, 110, 112,
300 115, 117, 118, 121, 122, 124, 127, 128, 131,
301 133, 134, 137, 138, 140,
302 143, 145, 146, 148, 151, 152, 155, 157, 158,
303 161, 162, 164, 167, 168,
304 171, 173, 174, 176, 179, 181, 182, 185, 186,
305 188, 191, 193, 194, 196,
306 199, 200, 203, 205, 206, 208, 211, 213, 214,
307 217, 218, 220, 223, 224,
308 227, 229, 230, 233, 234, 236, 239, 241, 242,
309 244, 247, 248, 251, 253,
310 254 };
311
mbedtls_des_key_set_parity(unsigned char key[MBEDTLS_DES_KEY_SIZE])312 void mbedtls_des_key_set_parity(unsigned char key[MBEDTLS_DES_KEY_SIZE])
313 {
314 int i;
315
316 for (i = 0; i < MBEDTLS_DES_KEY_SIZE; i++) {
317 key[i] = odd_parity_table[key[i] / 2];
318 }
319 }
320
321 /*
322 * Check the given key's parity, returns 1 on failure, 0 on SUCCESS
323 */
mbedtls_des_key_check_key_parity(const unsigned char key[MBEDTLS_DES_KEY_SIZE])324 int mbedtls_des_key_check_key_parity(const unsigned char key[MBEDTLS_DES_KEY_SIZE])
325 {
326 int i;
327
328 for (i = 0; i < MBEDTLS_DES_KEY_SIZE; i++) {
329 if (key[i] != odd_parity_table[key[i] / 2]) {
330 return 1;
331 }
332 }
333
334 return 0;
335 }
336
337 /*
338 * Table of weak and semi-weak keys
339 *
340 * Source: http://en.wikipedia.org/wiki/Weak_key
341 *
342 * Weak:
343 * Alternating ones + zeros (0x0101010101010101)
344 * Alternating 'F' + 'E' (0xFEFEFEFEFEFEFEFE)
345 * '0xE0E0E0E0F1F1F1F1'
346 * '0x1F1F1F1F0E0E0E0E'
347 *
348 * Semi-weak:
349 * 0x011F011F010E010E and 0x1F011F010E010E01
350 * 0x01E001E001F101F1 and 0xE001E001F101F101
351 * 0x01FE01FE01FE01FE and 0xFE01FE01FE01FE01
352 * 0x1FE01FE00EF10EF1 and 0xE01FE01FF10EF10E
353 * 0x1FFE1FFE0EFE0EFE and 0xFE1FFE1FFE0EFE0E
354 * 0xE0FEE0FEF1FEF1FE and 0xFEE0FEE0FEF1FEF1
355 *
356 */
357
358 #define WEAK_KEY_COUNT 16
359
360 static const unsigned char weak_key_table[WEAK_KEY_COUNT][MBEDTLS_DES_KEY_SIZE] =
361 {
362 { 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 },
363 { 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE },
364 { 0x1F, 0x1F, 0x1F, 0x1F, 0x0E, 0x0E, 0x0E, 0x0E },
365 { 0xE0, 0xE0, 0xE0, 0xE0, 0xF1, 0xF1, 0xF1, 0xF1 },
366
367 { 0x01, 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E },
368 { 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E, 0x01 },
369 { 0x01, 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1 },
370 { 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1, 0x01 },
371 { 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE },
372 { 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01 },
373 { 0x1F, 0xE0, 0x1F, 0xE0, 0x0E, 0xF1, 0x0E, 0xF1 },
374 { 0xE0, 0x1F, 0xE0, 0x1F, 0xF1, 0x0E, 0xF1, 0x0E },
375 { 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E, 0xFE },
376 { 0xFE, 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E },
377 { 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1, 0xFE },
378 { 0xFE, 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1 }
379 };
380
mbedtls_des_key_check_weak(const unsigned char key[MBEDTLS_DES_KEY_SIZE])381 int mbedtls_des_key_check_weak(const unsigned char key[MBEDTLS_DES_KEY_SIZE])
382 {
383 int i;
384
385 for (i = 0; i < WEAK_KEY_COUNT; i++) {
386 if (memcmp(weak_key_table[i], key, MBEDTLS_DES_KEY_SIZE) == 0) {
387 return 1;
388 }
389 }
390
391 return 0;
392 }
393
394 #if !defined(MBEDTLS_DES_SETKEY_ALT)
mbedtls_des_setkey(uint32_t SK[32],const unsigned char key[MBEDTLS_DES_KEY_SIZE])395 void mbedtls_des_setkey(uint32_t SK[32], const unsigned char key[MBEDTLS_DES_KEY_SIZE])
396 {
397 int i;
398 uint32_t X, Y, T;
399
400 X = MBEDTLS_GET_UINT32_BE(key, 0);
401 Y = MBEDTLS_GET_UINT32_BE(key, 4);
402
403 /*
404 * Permuted Choice 1
405 */
406 T = ((Y >> 4) ^ X) & 0x0F0F0F0F; X ^= T; Y ^= (T << 4);
407 T = ((Y) ^ X) & 0x10101010; X ^= T; Y ^= (T);
408
409 X = (LHs[(X) & 0xF] << 3) | (LHs[(X >> 8) & 0xF] << 2)
410 | (LHs[(X >> 16) & 0xF] << 1) | (LHs[(X >> 24) & 0xF])
411 | (LHs[(X >> 5) & 0xF] << 7) | (LHs[(X >> 13) & 0xF] << 6)
412 | (LHs[(X >> 21) & 0xF] << 5) | (LHs[(X >> 29) & 0xF] << 4);
413
414 Y = (RHs[(Y >> 1) & 0xF] << 3) | (RHs[(Y >> 9) & 0xF] << 2)
415 | (RHs[(Y >> 17) & 0xF] << 1) | (RHs[(Y >> 25) & 0xF])
416 | (RHs[(Y >> 4) & 0xF] << 7) | (RHs[(Y >> 12) & 0xF] << 6)
417 | (RHs[(Y >> 20) & 0xF] << 5) | (RHs[(Y >> 28) & 0xF] << 4);
418
419 X &= 0x0FFFFFFF;
420 Y &= 0x0FFFFFFF;
421
422 /*
423 * calculate subkeys
424 */
425 for (i = 0; i < 16; i++) {
426 if (i < 2 || i == 8 || i == 15) {
427 X = ((X << 1) | (X >> 27)) & 0x0FFFFFFF;
428 Y = ((Y << 1) | (Y >> 27)) & 0x0FFFFFFF;
429 } else {
430 X = ((X << 2) | (X >> 26)) & 0x0FFFFFFF;
431 Y = ((Y << 2) | (Y >> 26)) & 0x0FFFFFFF;
432 }
433
434 *SK++ = ((X << 4) & 0x24000000) | ((X << 28) & 0x10000000)
435 | ((X << 14) & 0x08000000) | ((X << 18) & 0x02080000)
436 | ((X << 6) & 0x01000000) | ((X << 9) & 0x00200000)
437 | ((X >> 1) & 0x00100000) | ((X << 10) & 0x00040000)
438 | ((X << 2) & 0x00020000) | ((X >> 10) & 0x00010000)
439 | ((Y >> 13) & 0x00002000) | ((Y >> 4) & 0x00001000)
440 | ((Y << 6) & 0x00000800) | ((Y >> 1) & 0x00000400)
441 | ((Y >> 14) & 0x00000200) | ((Y) & 0x00000100)
442 | ((Y >> 5) & 0x00000020) | ((Y >> 10) & 0x00000010)
443 | ((Y >> 3) & 0x00000008) | ((Y >> 18) & 0x00000004)
444 | ((Y >> 26) & 0x00000002) | ((Y >> 24) & 0x00000001);
445
446 *SK++ = ((X << 15) & 0x20000000) | ((X << 17) & 0x10000000)
447 | ((X << 10) & 0x08000000) | ((X << 22) & 0x04000000)
448 | ((X >> 2) & 0x02000000) | ((X << 1) & 0x01000000)
449 | ((X << 16) & 0x00200000) | ((X << 11) & 0x00100000)
450 | ((X << 3) & 0x00080000) | ((X >> 6) & 0x00040000)
451 | ((X << 15) & 0x00020000) | ((X >> 4) & 0x00010000)
452 | ((Y >> 2) & 0x00002000) | ((Y << 8) & 0x00001000)
453 | ((Y >> 14) & 0x00000808) | ((Y >> 9) & 0x00000400)
454 | ((Y) & 0x00000200) | ((Y << 7) & 0x00000100)
455 | ((Y >> 7) & 0x00000020) | ((Y >> 3) & 0x00000011)
456 | ((Y << 2) & 0x00000004) | ((Y >> 21) & 0x00000002);
457 }
458 }
459 #endif /* !MBEDTLS_DES_SETKEY_ALT */
460
461 /*
462 * DES key schedule (56-bit, encryption)
463 */
mbedtls_des_setkey_enc(mbedtls_des_context * ctx,const unsigned char key[MBEDTLS_DES_KEY_SIZE])464 int mbedtls_des_setkey_enc(mbedtls_des_context *ctx, const unsigned char key[MBEDTLS_DES_KEY_SIZE])
465 {
466 mbedtls_des_setkey(ctx->sk, key);
467
468 return 0;
469 }
470
471 /*
472 * DES key schedule (56-bit, decryption)
473 */
mbedtls_des_setkey_dec(mbedtls_des_context * ctx,const unsigned char key[MBEDTLS_DES_KEY_SIZE])474 int mbedtls_des_setkey_dec(mbedtls_des_context *ctx, const unsigned char key[MBEDTLS_DES_KEY_SIZE])
475 {
476 int i;
477
478 mbedtls_des_setkey(ctx->sk, key);
479
480 for (i = 0; i < 16; i += 2) {
481 SWAP(ctx->sk[i], ctx->sk[30 - i]);
482 SWAP(ctx->sk[i + 1], ctx->sk[31 - i]);
483 }
484
485 return 0;
486 }
487
des3_set2key(uint32_t esk[96],uint32_t dsk[96],const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2])488 static void des3_set2key(uint32_t esk[96],
489 uint32_t dsk[96],
490 const unsigned char key[MBEDTLS_DES_KEY_SIZE*2])
491 {
492 int i;
493
494 mbedtls_des_setkey(esk, key);
495 mbedtls_des_setkey(dsk + 32, key + 8);
496
497 for (i = 0; i < 32; i += 2) {
498 dsk[i] = esk[30 - i];
499 dsk[i + 1] = esk[31 - i];
500
501 esk[i + 32] = dsk[62 - i];
502 esk[i + 33] = dsk[63 - i];
503
504 esk[i + 64] = esk[i];
505 esk[i + 65] = esk[i + 1];
506
507 dsk[i + 64] = dsk[i];
508 dsk[i + 65] = dsk[i + 1];
509 }
510 }
511
512 /*
513 * Triple-DES key schedule (112-bit, encryption)
514 */
mbedtls_des3_set2key_enc(mbedtls_des3_context * ctx,const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2])515 int mbedtls_des3_set2key_enc(mbedtls_des3_context *ctx,
516 const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2])
517 {
518 uint32_t sk[96];
519
520 des3_set2key(ctx->sk, sk, key);
521 mbedtls_platform_zeroize(sk, sizeof(sk));
522
523 return 0;
524 }
525
526 /*
527 * Triple-DES key schedule (112-bit, decryption)
528 */
mbedtls_des3_set2key_dec(mbedtls_des3_context * ctx,const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2])529 int mbedtls_des3_set2key_dec(mbedtls_des3_context *ctx,
530 const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2])
531 {
532 uint32_t sk[96];
533
534 des3_set2key(sk, ctx->sk, key);
535 mbedtls_platform_zeroize(sk, sizeof(sk));
536
537 return 0;
538 }
539
des3_set3key(uint32_t esk[96],uint32_t dsk[96],const unsigned char key[24])540 static void des3_set3key(uint32_t esk[96],
541 uint32_t dsk[96],
542 const unsigned char key[24])
543 {
544 int i;
545
546 mbedtls_des_setkey(esk, key);
547 mbedtls_des_setkey(dsk + 32, key + 8);
548 mbedtls_des_setkey(esk + 64, key + 16);
549
550 for (i = 0; i < 32; i += 2) {
551 dsk[i] = esk[94 - i];
552 dsk[i + 1] = esk[95 - i];
553
554 esk[i + 32] = dsk[62 - i];
555 esk[i + 33] = dsk[63 - i];
556
557 dsk[i + 64] = esk[30 - i];
558 dsk[i + 65] = esk[31 - i];
559 }
560 }
561
562 /*
563 * Triple-DES key schedule (168-bit, encryption)
564 */
mbedtls_des3_set3key_enc(mbedtls_des3_context * ctx,const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3])565 int mbedtls_des3_set3key_enc(mbedtls_des3_context *ctx,
566 const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3])
567 {
568 uint32_t sk[96];
569
570 des3_set3key(ctx->sk, sk, key);
571 mbedtls_platform_zeroize(sk, sizeof(sk));
572
573 return 0;
574 }
575
576 /*
577 * Triple-DES key schedule (168-bit, decryption)
578 */
mbedtls_des3_set3key_dec(mbedtls_des3_context * ctx,const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3])579 int mbedtls_des3_set3key_dec(mbedtls_des3_context *ctx,
580 const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3])
581 {
582 uint32_t sk[96];
583
584 des3_set3key(sk, ctx->sk, key);
585 mbedtls_platform_zeroize(sk, sizeof(sk));
586
587 return 0;
588 }
589
590 /*
591 * DES-ECB block encryption/decryption
592 */
593 #if !defined(MBEDTLS_DES_CRYPT_ECB_ALT)
mbedtls_des_crypt_ecb(mbedtls_des_context * ctx,const unsigned char input[8],unsigned char output[8])594 int mbedtls_des_crypt_ecb(mbedtls_des_context *ctx,
595 const unsigned char input[8],
596 unsigned char output[8])
597 {
598 int i;
599 uint32_t X, Y, T, *SK;
600
601 SK = ctx->sk;
602
603 X = MBEDTLS_GET_UINT32_BE(input, 0);
604 Y = MBEDTLS_GET_UINT32_BE(input, 4);
605
606 DES_IP(X, Y);
607
608 for (i = 0; i < 8; i++) {
609 DES_ROUND(Y, X);
610 DES_ROUND(X, Y);
611 }
612
613 DES_FP(Y, X);
614
615 MBEDTLS_PUT_UINT32_BE(Y, output, 0);
616 MBEDTLS_PUT_UINT32_BE(X, output, 4);
617
618 return 0;
619 }
620 #endif /* !MBEDTLS_DES_CRYPT_ECB_ALT */
621
622 #if defined(MBEDTLS_CIPHER_MODE_CBC)
623 /*
624 * DES-CBC buffer encryption/decryption
625 */
mbedtls_des_crypt_cbc(mbedtls_des_context * ctx,int mode,size_t length,unsigned char iv[8],const unsigned char * input,unsigned char * output)626 int mbedtls_des_crypt_cbc(mbedtls_des_context *ctx,
627 int mode,
628 size_t length,
629 unsigned char iv[8],
630 const unsigned char *input,
631 unsigned char *output)
632 {
633 int i;
634 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
635 unsigned char temp[8];
636
637 if (length % 8) {
638 return MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH;
639 }
640
641 if (mode == MBEDTLS_DES_ENCRYPT) {
642 while (length > 0) {
643 for (i = 0; i < 8; i++) {
644 output[i] = (unsigned char) (input[i] ^ iv[i]);
645 }
646
647 ret = mbedtls_des_crypt_ecb(ctx, output, output);
648 if (ret != 0) {
649 goto exit;
650 }
651 memcpy(iv, output, 8);
652
653 input += 8;
654 output += 8;
655 length -= 8;
656 }
657 } else { /* MBEDTLS_DES_DECRYPT */
658 while (length > 0) {
659 memcpy(temp, input, 8);
660 ret = mbedtls_des_crypt_ecb(ctx, input, output);
661 if (ret != 0) {
662 goto exit;
663 }
664
665 for (i = 0; i < 8; i++) {
666 output[i] = (unsigned char) (output[i] ^ iv[i]);
667 }
668
669 memcpy(iv, temp, 8);
670
671 input += 8;
672 output += 8;
673 length -= 8;
674 }
675 }
676 ret = 0;
677
678 exit:
679 return ret;
680 }
681 #endif /* MBEDTLS_CIPHER_MODE_CBC */
682
683 /*
684 * 3DES-ECB block encryption/decryption
685 */
686 #if !defined(MBEDTLS_DES3_CRYPT_ECB_ALT)
mbedtls_des3_crypt_ecb(mbedtls_des3_context * ctx,const unsigned char input[8],unsigned char output[8])687 int mbedtls_des3_crypt_ecb(mbedtls_des3_context *ctx,
688 const unsigned char input[8],
689 unsigned char output[8])
690 {
691 int i;
692 uint32_t X, Y, T, *SK;
693
694 SK = ctx->sk;
695
696 X = MBEDTLS_GET_UINT32_BE(input, 0);
697 Y = MBEDTLS_GET_UINT32_BE(input, 4);
698
699 DES_IP(X, Y);
700
701 for (i = 0; i < 8; i++) {
702 DES_ROUND(Y, X);
703 DES_ROUND(X, Y);
704 }
705
706 for (i = 0; i < 8; i++) {
707 DES_ROUND(X, Y);
708 DES_ROUND(Y, X);
709 }
710
711 for (i = 0; i < 8; i++) {
712 DES_ROUND(Y, X);
713 DES_ROUND(X, Y);
714 }
715
716 DES_FP(Y, X);
717
718 MBEDTLS_PUT_UINT32_BE(Y, output, 0);
719 MBEDTLS_PUT_UINT32_BE(X, output, 4);
720
721 return 0;
722 }
723 #endif /* !MBEDTLS_DES3_CRYPT_ECB_ALT */
724
725 #if defined(MBEDTLS_CIPHER_MODE_CBC)
726 /*
727 * 3DES-CBC buffer encryption/decryption
728 */
mbedtls_des3_crypt_cbc(mbedtls_des3_context * ctx,int mode,size_t length,unsigned char iv[8],const unsigned char * input,unsigned char * output)729 int mbedtls_des3_crypt_cbc(mbedtls_des3_context *ctx,
730 int mode,
731 size_t length,
732 unsigned char iv[8],
733 const unsigned char *input,
734 unsigned char *output)
735 {
736 int i;
737 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
738 unsigned char temp[8];
739
740 if (length % 8) {
741 return MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH;
742 }
743
744 if (mode == MBEDTLS_DES_ENCRYPT) {
745 while (length > 0) {
746 for (i = 0; i < 8; i++) {
747 output[i] = (unsigned char) (input[i] ^ iv[i]);
748 }
749
750 ret = mbedtls_des3_crypt_ecb(ctx, output, output);
751 if (ret != 0) {
752 goto exit;
753 }
754 memcpy(iv, output, 8);
755
756 input += 8;
757 output += 8;
758 length -= 8;
759 }
760 } else { /* MBEDTLS_DES_DECRYPT */
761 while (length > 0) {
762 memcpy(temp, input, 8);
763 ret = mbedtls_des3_crypt_ecb(ctx, input, output);
764 if (ret != 0) {
765 goto exit;
766 }
767
768 for (i = 0; i < 8; i++) {
769 output[i] = (unsigned char) (output[i] ^ iv[i]);
770 }
771
772 memcpy(iv, temp, 8);
773
774 input += 8;
775 output += 8;
776 length -= 8;
777 }
778 }
779 ret = 0;
780
781 exit:
782 return ret;
783 }
784 #endif /* MBEDTLS_CIPHER_MODE_CBC */
785
786 #endif /* !MBEDTLS_DES_ALT */
787
788 #if defined(MBEDTLS_SELF_TEST)
789 /*
790 * DES and 3DES test vectors from:
791 *
792 * http://csrc.nist.gov/groups/STM/cavp/documents/des/tripledes-vectors.zip
793 */
794 static const unsigned char des3_test_keys[24] =
795 {
796 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF,
797 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01,
798 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01, 0x23
799 };
800
801 static const unsigned char des3_test_buf[8] =
802 {
803 0x4E, 0x6F, 0x77, 0x20, 0x69, 0x73, 0x20, 0x74
804 };
805
806 static const unsigned char des3_test_ecb_dec[3][8] =
807 {
808 { 0x37, 0x2B, 0x98, 0xBF, 0x52, 0x65, 0xB0, 0x59 },
809 { 0xC2, 0x10, 0x19, 0x9C, 0x38, 0x5A, 0x65, 0xA1 },
810 { 0xA2, 0x70, 0x56, 0x68, 0x69, 0xE5, 0x15, 0x1D }
811 };
812
813 static const unsigned char des3_test_ecb_enc[3][8] =
814 {
815 { 0x1C, 0xD5, 0x97, 0xEA, 0x84, 0x26, 0x73, 0xFB },
816 { 0xB3, 0x92, 0x4D, 0xF3, 0xC5, 0xB5, 0x42, 0x93 },
817 { 0xDA, 0x37, 0x64, 0x41, 0xBA, 0x6F, 0x62, 0x6F }
818 };
819
820 #if defined(MBEDTLS_CIPHER_MODE_CBC)
821 static const unsigned char des3_test_iv[8] =
822 {
823 0x12, 0x34, 0x56, 0x78, 0x90, 0xAB, 0xCD, 0xEF,
824 };
825
826 static const unsigned char des3_test_cbc_dec[3][8] =
827 {
828 { 0x58, 0xD9, 0x48, 0xEF, 0x85, 0x14, 0x65, 0x9A },
829 { 0x5F, 0xC8, 0x78, 0xD4, 0xD7, 0x92, 0xD9, 0x54 },
830 { 0x25, 0xF9, 0x75, 0x85, 0xA8, 0x1E, 0x48, 0xBF }
831 };
832
833 static const unsigned char des3_test_cbc_enc[3][8] =
834 {
835 { 0x91, 0x1C, 0x6D, 0xCF, 0x48, 0xA7, 0xC3, 0x4D },
836 { 0x60, 0x1A, 0x76, 0x8F, 0xA1, 0xF9, 0x66, 0xF1 },
837 { 0xA1, 0x50, 0x0F, 0x99, 0xB2, 0xCD, 0x64, 0x76 }
838 };
839 #endif /* MBEDTLS_CIPHER_MODE_CBC */
840
841 /*
842 * Checkup routine
843 */
mbedtls_des_self_test(int verbose)844 int mbedtls_des_self_test(int verbose)
845 {
846 int i, j, u, v, ret = 0;
847 mbedtls_des_context ctx;
848 mbedtls_des3_context ctx3;
849 unsigned char buf[8];
850 #if defined(MBEDTLS_CIPHER_MODE_CBC)
851 unsigned char prv[8];
852 unsigned char iv[8];
853 #endif
854
855 mbedtls_des_init(&ctx);
856 mbedtls_des3_init(&ctx3);
857 /*
858 * ECB mode
859 */
860 for (i = 0; i < 6; i++) {
861 u = i >> 1;
862 v = i & 1;
863
864 if (verbose != 0) {
865 mbedtls_printf(" DES%c-ECB-%3d (%s): ",
866 (u == 0) ? ' ' : '3', 56 + u * 56,
867 (v == MBEDTLS_DES_DECRYPT) ? "dec" : "enc");
868 }
869
870 memcpy(buf, des3_test_buf, 8);
871
872 switch (i) {
873 case 0:
874 ret = mbedtls_des_setkey_dec(&ctx, des3_test_keys);
875 break;
876
877 case 1:
878 ret = mbedtls_des_setkey_enc(&ctx, des3_test_keys);
879 break;
880
881 case 2:
882 ret = mbedtls_des3_set2key_dec(&ctx3, des3_test_keys);
883 break;
884
885 case 3:
886 ret = mbedtls_des3_set2key_enc(&ctx3, des3_test_keys);
887 break;
888
889 case 4:
890 ret = mbedtls_des3_set3key_dec(&ctx3, des3_test_keys);
891 break;
892
893 case 5:
894 ret = mbedtls_des3_set3key_enc(&ctx3, des3_test_keys);
895 break;
896
897 default:
898 return 1;
899 }
900 if (ret != 0) {
901 goto exit;
902 }
903
904 for (j = 0; j < 100; j++) {
905 if (u == 0) {
906 ret = mbedtls_des_crypt_ecb(&ctx, buf, buf);
907 } else {
908 ret = mbedtls_des3_crypt_ecb(&ctx3, buf, buf);
909 }
910 if (ret != 0) {
911 goto exit;
912 }
913 }
914
915 if ((v == MBEDTLS_DES_DECRYPT &&
916 memcmp(buf, des3_test_ecb_dec[u], 8) != 0) ||
917 (v != MBEDTLS_DES_DECRYPT &&
918 memcmp(buf, des3_test_ecb_enc[u], 8) != 0)) {
919 if (verbose != 0) {
920 mbedtls_printf("failed\n");
921 }
922
923 ret = 1;
924 goto exit;
925 }
926
927 if (verbose != 0) {
928 mbedtls_printf("passed\n");
929 }
930 }
931
932 if (verbose != 0) {
933 mbedtls_printf("\n");
934 }
935
936 #if defined(MBEDTLS_CIPHER_MODE_CBC)
937 /*
938 * CBC mode
939 */
940 for (i = 0; i < 6; i++) {
941 u = i >> 1;
942 v = i & 1;
943
944 if (verbose != 0) {
945 mbedtls_printf(" DES%c-CBC-%3d (%s): ",
946 (u == 0) ? ' ' : '3', 56 + u * 56,
947 (v == MBEDTLS_DES_DECRYPT) ? "dec" : "enc");
948 }
949
950 memcpy(iv, des3_test_iv, 8);
951 memcpy(prv, des3_test_iv, 8);
952 memcpy(buf, des3_test_buf, 8);
953
954 switch (i) {
955 case 0:
956 ret = mbedtls_des_setkey_dec(&ctx, des3_test_keys);
957 break;
958
959 case 1:
960 ret = mbedtls_des_setkey_enc(&ctx, des3_test_keys);
961 break;
962
963 case 2:
964 ret = mbedtls_des3_set2key_dec(&ctx3, des3_test_keys);
965 break;
966
967 case 3:
968 ret = mbedtls_des3_set2key_enc(&ctx3, des3_test_keys);
969 break;
970
971 case 4:
972 ret = mbedtls_des3_set3key_dec(&ctx3, des3_test_keys);
973 break;
974
975 case 5:
976 ret = mbedtls_des3_set3key_enc(&ctx3, des3_test_keys);
977 break;
978
979 default:
980 return 1;
981 }
982 if (ret != 0) {
983 goto exit;
984 }
985
986 if (v == MBEDTLS_DES_DECRYPT) {
987 for (j = 0; j < 100; j++) {
988 if (u == 0) {
989 ret = mbedtls_des_crypt_cbc(&ctx, v, 8, iv, buf, buf);
990 } else {
991 ret = mbedtls_des3_crypt_cbc(&ctx3, v, 8, iv, buf, buf);
992 }
993 if (ret != 0) {
994 goto exit;
995 }
996 }
997 } else {
998 for (j = 0; j < 100; j++) {
999 unsigned char tmp[8];
1000
1001 if (u == 0) {
1002 ret = mbedtls_des_crypt_cbc(&ctx, v, 8, iv, buf, buf);
1003 } else {
1004 ret = mbedtls_des3_crypt_cbc(&ctx3, v, 8, iv, buf, buf);
1005 }
1006 if (ret != 0) {
1007 goto exit;
1008 }
1009
1010 memcpy(tmp, prv, 8);
1011 memcpy(prv, buf, 8);
1012 memcpy(buf, tmp, 8);
1013 }
1014
1015 memcpy(buf, prv, 8);
1016 }
1017
1018 if ((v == MBEDTLS_DES_DECRYPT &&
1019 memcmp(buf, des3_test_cbc_dec[u], 8) != 0) ||
1020 (v != MBEDTLS_DES_DECRYPT &&
1021 memcmp(buf, des3_test_cbc_enc[u], 8) != 0)) {
1022 if (verbose != 0) {
1023 mbedtls_printf("failed\n");
1024 }
1025
1026 ret = 1;
1027 goto exit;
1028 }
1029
1030 if (verbose != 0) {
1031 mbedtls_printf("passed\n");
1032 }
1033 }
1034 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1035
1036 if (verbose != 0) {
1037 mbedtls_printf("\n");
1038 }
1039
1040 exit:
1041 mbedtls_des_free(&ctx);
1042 mbedtls_des3_free(&ctx3);
1043
1044 if (ret != 0) {
1045 ret = 1;
1046 }
1047 return ret;
1048 }
1049
1050 #endif /* MBEDTLS_SELF_TEST */
1051
1052 #endif /* MBEDTLS_DES_C */
1053