PolarSSL v1.3.9
des.c
Go to the documentation of this file.
1 /*
2  * FIPS-46-3 compliant Triple-DES implementation
3  *
4  * Copyright (C) 2006-2014, Brainspark B.V.
5  *
6  * This file is part of PolarSSL (http://www.polarssl.org)
7  * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8  *
9  * All rights reserved.
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License as published by
13  * the Free Software Foundation; either version 2 of the License, or
14  * (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License along
22  * with this program; if not, write to the Free Software Foundation, Inc.,
23  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24  */
25 /*
26  * DES, on which TDES is based, was originally designed by Horst Feistel
27  * at IBM in 1974, and was adopted as a standard by NIST (formerly NBS).
28  *
29  * http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf
30  */
31 
32 #if !defined(POLARSSL_CONFIG_FILE)
33 #include "polarssl/config.h"
34 #else
35 #include POLARSSL_CONFIG_FILE
36 #endif
37 
38 #if defined(POLARSSL_DES_C)
39 
40 #include "polarssl/des.h"
41 
42 #if defined(POLARSSL_PLATFORM_C)
43 #include "polarssl/platform.h"
44 #else
45 #define polarssl_printf printf
46 #endif
47 
48 #if !defined(POLARSSL_DES_ALT)
49 
50 /* Implementation that should never be optimized out by the compiler */
51 static void polarssl_zeroize( void *v, size_t n ) {
52  volatile unsigned char *p = v; while( n-- ) *p++ = 0;
53 }
54 
55 /*
56  * 32-bit integer manipulation macros (big endian)
57  */
58 #ifndef GET_UINT32_BE
59 #define GET_UINT32_BE(n,b,i) \
60 { \
61  (n) = ( (uint32_t) (b)[(i) ] << 24 ) \
62  | ( (uint32_t) (b)[(i) + 1] << 16 ) \
63  | ( (uint32_t) (b)[(i) + 2] << 8 ) \
64  | ( (uint32_t) (b)[(i) + 3] ); \
65 }
66 #endif
67 
68 #ifndef PUT_UINT32_BE
69 #define PUT_UINT32_BE(n,b,i) \
70 { \
71  (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
72  (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
73  (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
74  (b)[(i) + 3] = (unsigned char) ( (n) ); \
75 }
76 #endif
77 
78 /*
79  * Expanded DES S-boxes
80  */
81 static const uint32_t SB1[64] =
82 {
83  0x01010400, 0x00000000, 0x00010000, 0x01010404,
84  0x01010004, 0x00010404, 0x00000004, 0x00010000,
85  0x00000400, 0x01010400, 0x01010404, 0x00000400,
86  0x01000404, 0x01010004, 0x01000000, 0x00000004,
87  0x00000404, 0x01000400, 0x01000400, 0x00010400,
88  0x00010400, 0x01010000, 0x01010000, 0x01000404,
89  0x00010004, 0x01000004, 0x01000004, 0x00010004,
90  0x00000000, 0x00000404, 0x00010404, 0x01000000,
91  0x00010000, 0x01010404, 0x00000004, 0x01010000,
92  0x01010400, 0x01000000, 0x01000000, 0x00000400,
93  0x01010004, 0x00010000, 0x00010400, 0x01000004,
94  0x00000400, 0x00000004, 0x01000404, 0x00010404,
95  0x01010404, 0x00010004, 0x01010000, 0x01000404,
96  0x01000004, 0x00000404, 0x00010404, 0x01010400,
97  0x00000404, 0x01000400, 0x01000400, 0x00000000,
98  0x00010004, 0x00010400, 0x00000000, 0x01010004
99 };
100 
101 static const uint32_t SB2[64] =
102 {
103  0x80108020, 0x80008000, 0x00008000, 0x00108020,
104  0x00100000, 0x00000020, 0x80100020, 0x80008020,
105  0x80000020, 0x80108020, 0x80108000, 0x80000000,
106  0x80008000, 0x00100000, 0x00000020, 0x80100020,
107  0x00108000, 0x00100020, 0x80008020, 0x00000000,
108  0x80000000, 0x00008000, 0x00108020, 0x80100000,
109  0x00100020, 0x80000020, 0x00000000, 0x00108000,
110  0x00008020, 0x80108000, 0x80100000, 0x00008020,
111  0x00000000, 0x00108020, 0x80100020, 0x00100000,
112  0x80008020, 0x80100000, 0x80108000, 0x00008000,
113  0x80100000, 0x80008000, 0x00000020, 0x80108020,
114  0x00108020, 0x00000020, 0x00008000, 0x80000000,
115  0x00008020, 0x80108000, 0x00100000, 0x80000020,
116  0x00100020, 0x80008020, 0x80000020, 0x00100020,
117  0x00108000, 0x00000000, 0x80008000, 0x00008020,
118  0x80000000, 0x80100020, 0x80108020, 0x00108000
119 };
120 
121 static const uint32_t SB3[64] =
122 {
123  0x00000208, 0x08020200, 0x00000000, 0x08020008,
124  0x08000200, 0x00000000, 0x00020208, 0x08000200,
125  0x00020008, 0x08000008, 0x08000008, 0x00020000,
126  0x08020208, 0x00020008, 0x08020000, 0x00000208,
127  0x08000000, 0x00000008, 0x08020200, 0x00000200,
128  0x00020200, 0x08020000, 0x08020008, 0x00020208,
129  0x08000208, 0x00020200, 0x00020000, 0x08000208,
130  0x00000008, 0x08020208, 0x00000200, 0x08000000,
131  0x08020200, 0x08000000, 0x00020008, 0x00000208,
132  0x00020000, 0x08020200, 0x08000200, 0x00000000,
133  0x00000200, 0x00020008, 0x08020208, 0x08000200,
134  0x08000008, 0x00000200, 0x00000000, 0x08020008,
135  0x08000208, 0x00020000, 0x08000000, 0x08020208,
136  0x00000008, 0x00020208, 0x00020200, 0x08000008,
137  0x08020000, 0x08000208, 0x00000208, 0x08020000,
138  0x00020208, 0x00000008, 0x08020008, 0x00020200
139 };
140 
141 static const uint32_t SB4[64] =
142 {
143  0x00802001, 0x00002081, 0x00002081, 0x00000080,
144  0x00802080, 0x00800081, 0x00800001, 0x00002001,
145  0x00000000, 0x00802000, 0x00802000, 0x00802081,
146  0x00000081, 0x00000000, 0x00800080, 0x00800001,
147  0x00000001, 0x00002000, 0x00800000, 0x00802001,
148  0x00000080, 0x00800000, 0x00002001, 0x00002080,
149  0x00800081, 0x00000001, 0x00002080, 0x00800080,
150  0x00002000, 0x00802080, 0x00802081, 0x00000081,
151  0x00800080, 0x00800001, 0x00802000, 0x00802081,
152  0x00000081, 0x00000000, 0x00000000, 0x00802000,
153  0x00002080, 0x00800080, 0x00800081, 0x00000001,
154  0x00802001, 0x00002081, 0x00002081, 0x00000080,
155  0x00802081, 0x00000081, 0x00000001, 0x00002000,
156  0x00800001, 0x00002001, 0x00802080, 0x00800081,
157  0x00002001, 0x00002080, 0x00800000, 0x00802001,
158  0x00000080, 0x00800000, 0x00002000, 0x00802080
159 };
160 
161 static const uint32_t SB5[64] =
162 {
163  0x00000100, 0x02080100, 0x02080000, 0x42000100,
164  0x00080000, 0x00000100, 0x40000000, 0x02080000,
165  0x40080100, 0x00080000, 0x02000100, 0x40080100,
166  0x42000100, 0x42080000, 0x00080100, 0x40000000,
167  0x02000000, 0x40080000, 0x40080000, 0x00000000,
168  0x40000100, 0x42080100, 0x42080100, 0x02000100,
169  0x42080000, 0x40000100, 0x00000000, 0x42000000,
170  0x02080100, 0x02000000, 0x42000000, 0x00080100,
171  0x00080000, 0x42000100, 0x00000100, 0x02000000,
172  0x40000000, 0x02080000, 0x42000100, 0x40080100,
173  0x02000100, 0x40000000, 0x42080000, 0x02080100,
174  0x40080100, 0x00000100, 0x02000000, 0x42080000,
175  0x42080100, 0x00080100, 0x42000000, 0x42080100,
176  0x02080000, 0x00000000, 0x40080000, 0x42000000,
177  0x00080100, 0x02000100, 0x40000100, 0x00080000,
178  0x00000000, 0x40080000, 0x02080100, 0x40000100
179 };
180 
181 static const uint32_t SB6[64] =
182 {
183  0x20000010, 0x20400000, 0x00004000, 0x20404010,
184  0x20400000, 0x00000010, 0x20404010, 0x00400000,
185  0x20004000, 0x00404010, 0x00400000, 0x20000010,
186  0x00400010, 0x20004000, 0x20000000, 0x00004010,
187  0x00000000, 0x00400010, 0x20004010, 0x00004000,
188  0x00404000, 0x20004010, 0x00000010, 0x20400010,
189  0x20400010, 0x00000000, 0x00404010, 0x20404000,
190  0x00004010, 0x00404000, 0x20404000, 0x20000000,
191  0x20004000, 0x00000010, 0x20400010, 0x00404000,
192  0x20404010, 0x00400000, 0x00004010, 0x20000010,
193  0x00400000, 0x20004000, 0x20000000, 0x00004010,
194  0x20000010, 0x20404010, 0x00404000, 0x20400000,
195  0x00404010, 0x20404000, 0x00000000, 0x20400010,
196  0x00000010, 0x00004000, 0x20400000, 0x00404010,
197  0x00004000, 0x00400010, 0x20004010, 0x00000000,
198  0x20404000, 0x20000000, 0x00400010, 0x20004010
199 };
200 
201 static const uint32_t SB7[64] =
202 {
203  0x00200000, 0x04200002, 0x04000802, 0x00000000,
204  0x00000800, 0x04000802, 0x00200802, 0x04200800,
205  0x04200802, 0x00200000, 0x00000000, 0x04000002,
206  0x00000002, 0x04000000, 0x04200002, 0x00000802,
207  0x04000800, 0x00200802, 0x00200002, 0x04000800,
208  0x04000002, 0x04200000, 0x04200800, 0x00200002,
209  0x04200000, 0x00000800, 0x00000802, 0x04200802,
210  0x00200800, 0x00000002, 0x04000000, 0x00200800,
211  0x04000000, 0x00200800, 0x00200000, 0x04000802,
212  0x04000802, 0x04200002, 0x04200002, 0x00000002,
213  0x00200002, 0x04000000, 0x04000800, 0x00200000,
214  0x04200800, 0x00000802, 0x00200802, 0x04200800,
215  0x00000802, 0x04000002, 0x04200802, 0x04200000,
216  0x00200800, 0x00000000, 0x00000002, 0x04200802,
217  0x00000000, 0x00200802, 0x04200000, 0x00000800,
218  0x04000002, 0x04000800, 0x00000800, 0x00200002
219 };
220 
221 static const uint32_t SB8[64] =
222 {
223  0x10001040, 0x00001000, 0x00040000, 0x10041040,
224  0x10000000, 0x10001040, 0x00000040, 0x10000000,
225  0x00040040, 0x10040000, 0x10041040, 0x00041000,
226  0x10041000, 0x00041040, 0x00001000, 0x00000040,
227  0x10040000, 0x10000040, 0x10001000, 0x00001040,
228  0x00041000, 0x00040040, 0x10040040, 0x10041000,
229  0x00001040, 0x00000000, 0x00000000, 0x10040040,
230  0x10000040, 0x10001000, 0x00041040, 0x00040000,
231  0x00041040, 0x00040000, 0x10041000, 0x00001000,
232  0x00000040, 0x10040040, 0x00001000, 0x00041040,
233  0x10001000, 0x00000040, 0x10000040, 0x10040000,
234  0x10040040, 0x10000000, 0x00040000, 0x10001040,
235  0x00000000, 0x10041040, 0x00040040, 0x10000040,
236  0x10040000, 0x10001000, 0x10001040, 0x00000000,
237  0x10041040, 0x00041000, 0x00041000, 0x00001040,
238  0x00001040, 0x00040040, 0x10000000, 0x10041000
239 };
240 
241 /*
242  * PC1: left and right halves bit-swap
243  */
244 static const uint32_t LHs[16] =
245 {
246  0x00000000, 0x00000001, 0x00000100, 0x00000101,
247  0x00010000, 0x00010001, 0x00010100, 0x00010101,
248  0x01000000, 0x01000001, 0x01000100, 0x01000101,
249  0x01010000, 0x01010001, 0x01010100, 0x01010101
250 };
251 
252 static const uint32_t RHs[16] =
253 {
254  0x00000000, 0x01000000, 0x00010000, 0x01010000,
255  0x00000100, 0x01000100, 0x00010100, 0x01010100,
256  0x00000001, 0x01000001, 0x00010001, 0x01010001,
257  0x00000101, 0x01000101, 0x00010101, 0x01010101,
258 };
259 
260 /*
261  * Initial Permutation macro
262  */
263 #define DES_IP(X,Y) \
264 { \
265  T = ((X >> 4) ^ Y) & 0x0F0F0F0F; Y ^= T; X ^= (T << 4); \
266  T = ((X >> 16) ^ Y) & 0x0000FFFF; Y ^= T; X ^= (T << 16); \
267  T = ((Y >> 2) ^ X) & 0x33333333; X ^= T; Y ^= (T << 2); \
268  T = ((Y >> 8) ^ X) & 0x00FF00FF; X ^= T; Y ^= (T << 8); \
269  Y = ((Y << 1) | (Y >> 31)) & 0xFFFFFFFF; \
270  T = (X ^ Y) & 0xAAAAAAAA; Y ^= T; X ^= T; \
271  X = ((X << 1) | (X >> 31)) & 0xFFFFFFFF; \
272 }
273 
274 /*
275  * Final Permutation macro
276  */
277 #define DES_FP(X,Y) \
278 { \
279  X = ((X << 31) | (X >> 1)) & 0xFFFFFFFF; \
280  T = (X ^ Y) & 0xAAAAAAAA; X ^= T; Y ^= T; \
281  Y = ((Y << 31) | (Y >> 1)) & 0xFFFFFFFF; \
282  T = ((Y >> 8) ^ X) & 0x00FF00FF; X ^= T; Y ^= (T << 8); \
283  T = ((Y >> 2) ^ X) & 0x33333333; X ^= T; Y ^= (T << 2); \
284  T = ((X >> 16) ^ Y) & 0x0000FFFF; Y ^= T; X ^= (T << 16); \
285  T = ((X >> 4) ^ Y) & 0x0F0F0F0F; Y ^= T; X ^= (T << 4); \
286 }
287 
288 /*
289  * DES round macro
290  */
291 #define DES_ROUND(X,Y) \
292 { \
293  T = *SK++ ^ X; \
294  Y ^= SB8[ (T ) & 0x3F ] ^ \
295  SB6[ (T >> 8) & 0x3F ] ^ \
296  SB4[ (T >> 16) & 0x3F ] ^ \
297  SB2[ (T >> 24) & 0x3F ]; \
298  \
299  T = *SK++ ^ ((X << 28) | (X >> 4)); \
300  Y ^= SB7[ (T ) & 0x3F ] ^ \
301  SB5[ (T >> 8) & 0x3F ] ^ \
302  SB3[ (T >> 16) & 0x3F ] ^ \
303  SB1[ (T >> 24) & 0x3F ]; \
304 }
305 
306 #define SWAP(a,b) { uint32_t t = a; a = b; b = t; t = 0; }
307 
308 void des_init( des_context *ctx )
309 {
310  memset( ctx, 0, sizeof( des_context ) );
311 }
312 
313 void des_free( des_context *ctx )
314 {
315  if( ctx == NULL )
316  return;
317 
318  polarssl_zeroize( ctx, sizeof( des_context ) );
319 }
320 
321 void des3_init( des3_context *ctx )
322 {
323  memset( ctx, 0, sizeof( des3_context ) );
324 }
325 
326 void des3_free( des3_context *ctx )
327 {
328  if( ctx == NULL )
329  return;
330 
331  polarssl_zeroize( ctx, sizeof( des3_context ) );
332 }
333 
334 static const unsigned char odd_parity_table[128] = { 1, 2, 4, 7, 8,
335  11, 13, 14, 16, 19, 21, 22, 25, 26, 28, 31, 32, 35, 37, 38, 41, 42, 44,
336  47, 49, 50, 52, 55, 56, 59, 61, 62, 64, 67, 69, 70, 73, 74, 76, 79, 81,
337  82, 84, 87, 88, 91, 93, 94, 97, 98, 100, 103, 104, 107, 109, 110, 112,
338  115, 117, 118, 121, 122, 124, 127, 128, 131, 133, 134, 137, 138, 140,
339  143, 145, 146, 148, 151, 152, 155, 157, 158, 161, 162, 164, 167, 168,
340  171, 173, 174, 176, 179, 181, 182, 185, 186, 188, 191, 193, 194, 196,
341  199, 200, 203, 205, 206, 208, 211, 213, 214, 217, 218, 220, 223, 224,
342  227, 229, 230, 233, 234, 236, 239, 241, 242, 244, 247, 248, 251, 253,
343  254 };
344 
345 void des_key_set_parity( unsigned char key[DES_KEY_SIZE] )
346 {
347  int i;
348 
349  for( i = 0; i < DES_KEY_SIZE; i++ )
350  key[i] = odd_parity_table[key[i] / 2];
351 }
352 
353 /*
354  * Check the given key's parity, returns 1 on failure, 0 on SUCCESS
355  */
356 int des_key_check_key_parity( const unsigned char key[DES_KEY_SIZE] )
357 {
358  int i;
359 
360  for( i = 0; i < DES_KEY_SIZE; i++ )
361  if( key[i] != odd_parity_table[key[i] / 2] )
362  return( 1 );
363 
364  return( 0 );
365 }
366 
367 /*
368  * Table of weak and semi-weak keys
369  *
370  * Source: http://en.wikipedia.org/wiki/Weak_key
371  *
372  * Weak:
373  * Alternating ones + zeros (0x0101010101010101)
374  * Alternating 'F' + 'E' (0xFEFEFEFEFEFEFEFE)
375  * '0xE0E0E0E0F1F1F1F1'
376  * '0x1F1F1F1F0E0E0E0E'
377  *
378  * Semi-weak:
379  * 0x011F011F010E010E and 0x1F011F010E010E01
380  * 0x01E001E001F101F1 and 0xE001E001F101F101
381  * 0x01FE01FE01FE01FE and 0xFE01FE01FE01FE01
382  * 0x1FE01FE00EF10EF1 and 0xE01FE01FF10EF10E
383  * 0x1FFE1FFE0EFE0EFE and 0xFE1FFE1FFE0EFE0E
384  * 0xE0FEE0FEF1FEF1FE and 0xFEE0FEE0FEF1FEF1
385  *
386  */
387 
388 #define WEAK_KEY_COUNT 16
389 
390 static const unsigned char weak_key_table[WEAK_KEY_COUNT][DES_KEY_SIZE] =
391 {
392  { 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 },
393  { 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE },
394  { 0x1F, 0x1F, 0x1F, 0x1F, 0x0E, 0x0E, 0x0E, 0x0E },
395  { 0xE0, 0xE0, 0xE0, 0xE0, 0xF1, 0xF1, 0xF1, 0xF1 },
396 
397  { 0x01, 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E },
398  { 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E, 0x01 },
399  { 0x01, 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1 },
400  { 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1, 0x01 },
401  { 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE },
402  { 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01 },
403  { 0x1F, 0xE0, 0x1F, 0xE0, 0x0E, 0xF1, 0x0E, 0xF1 },
404  { 0xE0, 0x1F, 0xE0, 0x1F, 0xF1, 0x0E, 0xF1, 0x0E },
405  { 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E, 0xFE },
406  { 0xFE, 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E },
407  { 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1, 0xFE },
408  { 0xFE, 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1 }
409 };
410 
411 int des_key_check_weak( const unsigned char key[DES_KEY_SIZE] )
412 {
413  int i;
414 
415  for( i = 0; i < WEAK_KEY_COUNT; i++ )
416  if( memcmp( weak_key_table[i], key, DES_KEY_SIZE) == 0 )
417  return( 1 );
418 
419  return( 0 );
420 }
421 
422 static void des_setkey( uint32_t SK[32], const unsigned char key[DES_KEY_SIZE] )
423 {
424  int i;
425  uint32_t X, Y, T;
426 
427  GET_UINT32_BE( X, key, 0 );
428  GET_UINT32_BE( Y, key, 4 );
429 
430  /*
431  * Permuted Choice 1
432  */
433  T = ((Y >> 4) ^ X) & 0x0F0F0F0F; X ^= T; Y ^= (T << 4);
434  T = ((Y ) ^ X) & 0x10101010; X ^= T; Y ^= (T );
435 
436  X = (LHs[ (X ) & 0xF] << 3) | (LHs[ (X >> 8) & 0xF ] << 2)
437  | (LHs[ (X >> 16) & 0xF] << 1) | (LHs[ (X >> 24) & 0xF ] )
438  | (LHs[ (X >> 5) & 0xF] << 7) | (LHs[ (X >> 13) & 0xF ] << 6)
439  | (LHs[ (X >> 21) & 0xF] << 5) | (LHs[ (X >> 29) & 0xF ] << 4);
440 
441  Y = (RHs[ (Y >> 1) & 0xF] << 3) | (RHs[ (Y >> 9) & 0xF ] << 2)
442  | (RHs[ (Y >> 17) & 0xF] << 1) | (RHs[ (Y >> 25) & 0xF ] )
443  | (RHs[ (Y >> 4) & 0xF] << 7) | (RHs[ (Y >> 12) & 0xF ] << 6)
444  | (RHs[ (Y >> 20) & 0xF] << 5) | (RHs[ (Y >> 28) & 0xF ] << 4);
445 
446  X &= 0x0FFFFFFF;
447  Y &= 0x0FFFFFFF;
448 
449  /*
450  * calculate subkeys
451  */
452  for( i = 0; i < 16; i++ )
453  {
454  if( i < 2 || i == 8 || i == 15 )
455  {
456  X = ((X << 1) | (X >> 27)) & 0x0FFFFFFF;
457  Y = ((Y << 1) | (Y >> 27)) & 0x0FFFFFFF;
458  }
459  else
460  {
461  X = ((X << 2) | (X >> 26)) & 0x0FFFFFFF;
462  Y = ((Y << 2) | (Y >> 26)) & 0x0FFFFFFF;
463  }
464 
465  *SK++ = ((X << 4) & 0x24000000) | ((X << 28) & 0x10000000)
466  | ((X << 14) & 0x08000000) | ((X << 18) & 0x02080000)
467  | ((X << 6) & 0x01000000) | ((X << 9) & 0x00200000)
468  | ((X >> 1) & 0x00100000) | ((X << 10) & 0x00040000)
469  | ((X << 2) & 0x00020000) | ((X >> 10) & 0x00010000)
470  | ((Y >> 13) & 0x00002000) | ((Y >> 4) & 0x00001000)
471  | ((Y << 6) & 0x00000800) | ((Y >> 1) & 0x00000400)
472  | ((Y >> 14) & 0x00000200) | ((Y ) & 0x00000100)
473  | ((Y >> 5) & 0x00000020) | ((Y >> 10) & 0x00000010)
474  | ((Y >> 3) & 0x00000008) | ((Y >> 18) & 0x00000004)
475  | ((Y >> 26) & 0x00000002) | ((Y >> 24) & 0x00000001);
476 
477  *SK++ = ((X << 15) & 0x20000000) | ((X << 17) & 0x10000000)
478  | ((X << 10) & 0x08000000) | ((X << 22) & 0x04000000)
479  | ((X >> 2) & 0x02000000) | ((X << 1) & 0x01000000)
480  | ((X << 16) & 0x00200000) | ((X << 11) & 0x00100000)
481  | ((X << 3) & 0x00080000) | ((X >> 6) & 0x00040000)
482  | ((X << 15) & 0x00020000) | ((X >> 4) & 0x00010000)
483  | ((Y >> 2) & 0x00002000) | ((Y << 8) & 0x00001000)
484  | ((Y >> 14) & 0x00000808) | ((Y >> 9) & 0x00000400)
485  | ((Y ) & 0x00000200) | ((Y << 7) & 0x00000100)
486  | ((Y >> 7) & 0x00000020) | ((Y >> 3) & 0x00000011)
487  | ((Y << 2) & 0x00000004) | ((Y >> 21) & 0x00000002);
488  }
489 }
490 
491 /*
492  * DES key schedule (56-bit, encryption)
493  */
494 int des_setkey_enc( des_context *ctx, const unsigned char key[DES_KEY_SIZE] )
495 {
496  des_setkey( ctx->sk, key );
497 
498  return( 0 );
499 }
500 
501 /*
502  * DES key schedule (56-bit, decryption)
503  */
504 int des_setkey_dec( des_context *ctx, const unsigned char key[DES_KEY_SIZE] )
505 {
506  int i;
507 
508  des_setkey( ctx->sk, key );
509 
510  for( i = 0; i < 16; i += 2 )
511  {
512  SWAP( ctx->sk[i ], ctx->sk[30 - i] );
513  SWAP( ctx->sk[i + 1], ctx->sk[31 - i] );
514  }
515 
516  return( 0 );
517 }
518 
519 static void des3_set2key( uint32_t esk[96],
520  uint32_t dsk[96],
521  const unsigned char key[DES_KEY_SIZE*2] )
522 {
523  int i;
524 
525  des_setkey( esk, key );
526  des_setkey( dsk + 32, key + 8 );
527 
528  for( i = 0; i < 32; i += 2 )
529  {
530  dsk[i ] = esk[30 - i];
531  dsk[i + 1] = esk[31 - i];
532 
533  esk[i + 32] = dsk[62 - i];
534  esk[i + 33] = dsk[63 - i];
535 
536  esk[i + 64] = esk[i ];
537  esk[i + 65] = esk[i + 1];
538 
539  dsk[i + 64] = dsk[i ];
540  dsk[i + 65] = dsk[i + 1];
541  }
542 }
543 
544 /*
545  * Triple-DES key schedule (112-bit, encryption)
546  */
548  const unsigned char key[DES_KEY_SIZE * 2] )
549 {
550  uint32_t sk[96];
551 
552  des3_set2key( ctx->sk, sk, key );
553  polarssl_zeroize( sk, sizeof( sk ) );
554 
555  return( 0 );
556 }
557 
558 /*
559  * Triple-DES key schedule (112-bit, decryption)
560  */
562  const unsigned char key[DES_KEY_SIZE * 2] )
563 {
564  uint32_t sk[96];
565 
566  des3_set2key( sk, ctx->sk, key );
567  polarssl_zeroize( sk, sizeof( sk ) );
568 
569  return( 0 );
570 }
571 
572 static void des3_set3key( uint32_t esk[96],
573  uint32_t dsk[96],
574  const unsigned char key[24] )
575 {
576  int i;
577 
578  des_setkey( esk, key );
579  des_setkey( dsk + 32, key + 8 );
580  des_setkey( esk + 64, key + 16 );
581 
582  for( i = 0; i < 32; i += 2 )
583  {
584  dsk[i ] = esk[94 - i];
585  dsk[i + 1] = esk[95 - i];
586 
587  esk[i + 32] = dsk[62 - i];
588  esk[i + 33] = dsk[63 - i];
589 
590  dsk[i + 64] = esk[30 - i];
591  dsk[i + 65] = esk[31 - i];
592  }
593 }
594 
595 /*
596  * Triple-DES key schedule (168-bit, encryption)
597  */
599  const unsigned char key[DES_KEY_SIZE * 3] )
600 {
601  uint32_t sk[96];
602 
603  des3_set3key( ctx->sk, sk, key );
604  polarssl_zeroize( sk, sizeof( sk ) );
605 
606  return( 0 );
607 }
608 
609 /*
610  * Triple-DES key schedule (168-bit, decryption)
611  */
613  const unsigned char key[DES_KEY_SIZE * 3] )
614 {
615  uint32_t sk[96];
616 
617  des3_set3key( sk, ctx->sk, key );
618  polarssl_zeroize( sk, sizeof( sk ) );
619 
620  return( 0 );
621 }
622 
623 /*
624  * DES-ECB block encryption/decryption
625  */
626 int des_crypt_ecb( des_context *ctx,
627  const unsigned char input[8],
628  unsigned char output[8] )
629 {
630  int i;
631  uint32_t X, Y, T, *SK;
632 
633  SK = ctx->sk;
634 
635  GET_UINT32_BE( X, input, 0 );
636  GET_UINT32_BE( Y, input, 4 );
637 
638  DES_IP( X, Y );
639 
640  for( i = 0; i < 8; i++ )
641  {
642  DES_ROUND( Y, X );
643  DES_ROUND( X, Y );
644  }
645 
646  DES_FP( Y, X );
647 
648  PUT_UINT32_BE( Y, output, 0 );
649  PUT_UINT32_BE( X, output, 4 );
650 
651  return( 0 );
652 }
653 
654 #if defined(POLARSSL_CIPHER_MODE_CBC)
655 /*
656  * DES-CBC buffer encryption/decryption
657  */
658 int des_crypt_cbc( des_context *ctx,
659  int mode,
660  size_t length,
661  unsigned char iv[8],
662  const unsigned char *input,
663  unsigned char *output )
664 {
665  int i;
666  unsigned char temp[8];
667 
668  if( length % 8 )
670 
671  if( mode == DES_ENCRYPT )
672  {
673  while( length > 0 )
674  {
675  for( i = 0; i < 8; i++ )
676  output[i] = (unsigned char)( input[i] ^ iv[i] );
677 
678  des_crypt_ecb( ctx, output, output );
679  memcpy( iv, output, 8 );
680 
681  input += 8;
682  output += 8;
683  length -= 8;
684  }
685  }
686  else /* DES_DECRYPT */
687  {
688  while( length > 0 )
689  {
690  memcpy( temp, input, 8 );
691  des_crypt_ecb( ctx, input, output );
692 
693  for( i = 0; i < 8; i++ )
694  output[i] = (unsigned char)( output[i] ^ iv[i] );
695 
696  memcpy( iv, temp, 8 );
697 
698  input += 8;
699  output += 8;
700  length -= 8;
701  }
702  }
703 
704  return( 0 );
705 }
706 #endif /* POLARSSL_CIPHER_MODE_CBC */
707 
708 /*
709  * 3DES-ECB block encryption/decryption
710  */
711 int des3_crypt_ecb( des3_context *ctx,
712  const unsigned char input[8],
713  unsigned char output[8] )
714 {
715  int i;
716  uint32_t X, Y, T, *SK;
717 
718  SK = ctx->sk;
719 
720  GET_UINT32_BE( X, input, 0 );
721  GET_UINT32_BE( Y, input, 4 );
722 
723  DES_IP( X, Y );
724 
725  for( i = 0; i < 8; i++ )
726  {
727  DES_ROUND( Y, X );
728  DES_ROUND( X, Y );
729  }
730 
731  for( i = 0; i < 8; i++ )
732  {
733  DES_ROUND( X, Y );
734  DES_ROUND( Y, X );
735  }
736 
737  for( i = 0; i < 8; i++ )
738  {
739  DES_ROUND( Y, X );
740  DES_ROUND( X, Y );
741  }
742 
743  DES_FP( Y, X );
744 
745  PUT_UINT32_BE( Y, output, 0 );
746  PUT_UINT32_BE( X, output, 4 );
747 
748  return( 0 );
749 }
750 
751 #if defined(POLARSSL_CIPHER_MODE_CBC)
752 /*
753  * 3DES-CBC buffer encryption/decryption
754  */
755 int des3_crypt_cbc( des3_context *ctx,
756  int mode,
757  size_t length,
758  unsigned char iv[8],
759  const unsigned char *input,
760  unsigned char *output )
761 {
762  int i;
763  unsigned char temp[8];
764 
765  if( length % 8 )
767 
768  if( mode == DES_ENCRYPT )
769  {
770  while( length > 0 )
771  {
772  for( i = 0; i < 8; i++ )
773  output[i] = (unsigned char)( input[i] ^ iv[i] );
774 
775  des3_crypt_ecb( ctx, output, output );
776  memcpy( iv, output, 8 );
777 
778  input += 8;
779  output += 8;
780  length -= 8;
781  }
782  }
783  else /* DES_DECRYPT */
784  {
785  while( length > 0 )
786  {
787  memcpy( temp, input, 8 );
788  des3_crypt_ecb( ctx, input, output );
789 
790  for( i = 0; i < 8; i++ )
791  output[i] = (unsigned char)( output[i] ^ iv[i] );
792 
793  memcpy( iv, temp, 8 );
794 
795  input += 8;
796  output += 8;
797  length -= 8;
798  }
799  }
800 
801  return( 0 );
802 }
803 #endif /* POLARSSL_CIPHER_MODE_CBC */
804 
805 #endif /* !POLARSSL_DES_ALT */
806 
807 #if defined(POLARSSL_SELF_TEST)
808 
809 #include <stdio.h>
810 
811 /*
812  * DES and 3DES test vectors from:
813  *
814  * http://csrc.nist.gov/groups/STM/cavp/documents/des/tripledes-vectors.zip
815  */
816 static const unsigned char des3_test_keys[24] =
817 {
818  0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF,
819  0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01,
820  0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01, 0x23
821 };
822 
823 static const unsigned char des3_test_buf[8] =
824 {
825  0x4E, 0x6F, 0x77, 0x20, 0x69, 0x73, 0x20, 0x74
826 };
827 
828 static const unsigned char des3_test_ecb_dec[3][8] =
829 {
830  { 0xCD, 0xD6, 0x4F, 0x2F, 0x94, 0x27, 0xC1, 0x5D },
831  { 0x69, 0x96, 0xC8, 0xFA, 0x47, 0xA2, 0xAB, 0xEB },
832  { 0x83, 0x25, 0x39, 0x76, 0x44, 0x09, 0x1A, 0x0A }
833 };
834 
835 static const unsigned char des3_test_ecb_enc[3][8] =
836 {
837  { 0x6A, 0x2A, 0x19, 0xF4, 0x1E, 0xCA, 0x85, 0x4B },
838  { 0x03, 0xE6, 0x9F, 0x5B, 0xFA, 0x58, 0xEB, 0x42 },
839  { 0xDD, 0x17, 0xE8, 0xB8, 0xB4, 0x37, 0xD2, 0x32 }
840 };
841 
842 #if defined(POLARSSL_CIPHER_MODE_CBC)
843 static const unsigned char des3_test_iv[8] =
844 {
845  0x12, 0x34, 0x56, 0x78, 0x90, 0xAB, 0xCD, 0xEF,
846 };
847 
848 static const unsigned char des3_test_cbc_dec[3][8] =
849 {
850  { 0x12, 0x9F, 0x40, 0xB9, 0xD2, 0x00, 0x56, 0xB3 },
851  { 0x47, 0x0E, 0xFC, 0x9A, 0x6B, 0x8E, 0xE3, 0x93 },
852  { 0xC5, 0xCE, 0xCF, 0x63, 0xEC, 0xEC, 0x51, 0x4C }
853 };
854 
855 static const unsigned char des3_test_cbc_enc[3][8] =
856 {
857  { 0x54, 0xF1, 0x5A, 0xF6, 0xEB, 0xE3, 0xA4, 0xB4 },
858  { 0x35, 0x76, 0x11, 0x56, 0x5F, 0xA1, 0x8E, 0x4D },
859  { 0xCB, 0x19, 0x1F, 0x85, 0xD1, 0xED, 0x84, 0x39 }
860 };
861 #endif /* POLARSSL_CIPHER_MODE_CBC */
862 
863 /*
864  * Checkup routine
865  */
866 int des_self_test( int verbose )
867 {
868  int i, j, u, v, ret = 0;
869  des_context ctx;
870  des3_context ctx3;
871  unsigned char buf[8];
872 #if defined(POLARSSL_CIPHER_MODE_CBC)
873  unsigned char prv[8];
874  unsigned char iv[8];
875 #endif
876 
877  des_init( &ctx );
878  des3_init( &ctx3 );
879  /*
880  * ECB mode
881  */
882  for( i = 0; i < 6; i++ )
883  {
884  u = i >> 1;
885  v = i & 1;
886 
887  if( verbose != 0 )
888  polarssl_printf( " DES%c-ECB-%3d (%s): ",
889  ( u == 0 ) ? ' ' : '3', 56 + u * 56,
890  ( v == DES_DECRYPT ) ? "dec" : "enc" );
891 
892  memcpy( buf, des3_test_buf, 8 );
893 
894  switch( i )
895  {
896  case 0:
897  des_setkey_dec( &ctx, des3_test_keys );
898  break;
899 
900  case 1:
901  des_setkey_enc( &ctx, des3_test_keys );
902  break;
903 
904  case 2:
905  des3_set2key_dec( &ctx3, des3_test_keys );
906  break;
907 
908  case 3:
909  des3_set2key_enc( &ctx3, des3_test_keys );
910  break;
911 
912  case 4:
913  des3_set3key_dec( &ctx3, des3_test_keys );
914  break;
915 
916  case 5:
917  des3_set3key_enc( &ctx3, des3_test_keys );
918  break;
919 
920  default:
921  return( 1 );
922  }
923 
924  for( j = 0; j < 10000; j++ )
925  {
926  if( u == 0 )
927  des_crypt_ecb( &ctx, buf, buf );
928  else
929  des3_crypt_ecb( &ctx3, buf, buf );
930  }
931 
932  if( ( v == DES_DECRYPT &&
933  memcmp( buf, des3_test_ecb_dec[u], 8 ) != 0 ) ||
934  ( v != DES_DECRYPT &&
935  memcmp( buf, des3_test_ecb_enc[u], 8 ) != 0 ) )
936  {
937  if( verbose != 0 )
938  polarssl_printf( "failed\n" );
939 
940  ret = 1;
941  goto exit;
942  }
943 
944  if( verbose != 0 )
945  polarssl_printf( "passed\n" );
946  }
947 
948  if( verbose != 0 )
949  polarssl_printf( "\n" );
950 
951 #if defined(POLARSSL_CIPHER_MODE_CBC)
952  /*
953  * CBC mode
954  */
955  for( i = 0; i < 6; i++ )
956  {
957  u = i >> 1;
958  v = i & 1;
959 
960  if( verbose != 0 )
961  polarssl_printf( " DES%c-CBC-%3d (%s): ",
962  ( u == 0 ) ? ' ' : '3', 56 + u * 56,
963  ( v == DES_DECRYPT ) ? "dec" : "enc" );
964 
965  memcpy( iv, des3_test_iv, 8 );
966  memcpy( prv, des3_test_iv, 8 );
967  memcpy( buf, des3_test_buf, 8 );
968 
969  switch( i )
970  {
971  case 0:
972  des_setkey_dec( &ctx, des3_test_keys );
973  break;
974 
975  case 1:
976  des_setkey_enc( &ctx, des3_test_keys );
977  break;
978 
979  case 2:
980  des3_set2key_dec( &ctx3, des3_test_keys );
981  break;
982 
983  case 3:
984  des3_set2key_enc( &ctx3, des3_test_keys );
985  break;
986 
987  case 4:
988  des3_set3key_dec( &ctx3, des3_test_keys );
989  break;
990 
991  case 5:
992  des3_set3key_enc( &ctx3, des3_test_keys );
993  break;
994 
995  default:
996  return( 1 );
997  }
998 
999  if( v == DES_DECRYPT )
1000  {
1001  for( j = 0; j < 10000; j++ )
1002  {
1003  if( u == 0 )
1004  des_crypt_cbc( &ctx, v, 8, iv, buf, buf );
1005  else
1006  des3_crypt_cbc( &ctx3, v, 8, iv, buf, buf );
1007  }
1008  }
1009  else
1010  {
1011  for( j = 0; j < 10000; j++ )
1012  {
1013  unsigned char tmp[8];
1014 
1015  if( u == 0 )
1016  des_crypt_cbc( &ctx, v, 8, iv, buf, buf );
1017  else
1018  des3_crypt_cbc( &ctx3, v, 8, iv, buf, buf );
1019 
1020  memcpy( tmp, prv, 8 );
1021  memcpy( prv, buf, 8 );
1022  memcpy( buf, tmp, 8 );
1023  }
1024 
1025  memcpy( buf, prv, 8 );
1026  }
1027 
1028  if( ( v == DES_DECRYPT &&
1029  memcmp( buf, des3_test_cbc_dec[u], 8 ) != 0 ) ||
1030  ( v != DES_DECRYPT &&
1031  memcmp( buf, des3_test_cbc_enc[u], 8 ) != 0 ) )
1032  {
1033  if( verbose != 0 )
1034  polarssl_printf( "failed\n" );
1035 
1036  ret = 1;
1037  goto exit;
1038  }
1039 
1040  if( verbose != 0 )
1041  polarssl_printf( "passed\n" );
1042  }
1043 #endif /* POLARSSL_CIPHER_MODE_CBC */
1044 
1045  if( verbose != 0 )
1046  polarssl_printf( "\n" );
1047 
1048 exit:
1049  des_free( &ctx );
1050  des3_free( &ctx3 );
1051 
1052  return( ret );
1053 }
1054 
1055 #endif /* POLARSSL_SELF_TEST */
1056 
1057 #endif /* POLARSSL_DES_C */