Coverage Report

Created: 2024-11-21 07:03

/src/SymCrypt/lib/3des.c
Line
Count
Source (jump to first uncovered line)
1
//
2
// 3des.c Routines for DES and 3DES
3
//
4
// Copyright (c) Microsoft Corporation. Licensed under the MIT license.
5
//
6
// This is an updated implementation that is carefully reviewed to be fully copyrighted by
7
// Microsoft. Our previous implementation was partially based on a very old public domain
8
// implementation.
9
// According to Andrew Tucker (atucker) there was a claim many years ago about the copyright of
10
// our DES code. Working with LCA (legal) it was determined that the DES implementation in RSA32.lib
11
// was a Microsoft derivitive of a public-domain implementation, and therefore is clear of
12
// any IP issues. To avoid any further claims we have now scrubbed this implementation from all
13
// copyrightable elements derived from outside sources.
14
//
15
// We take non-copyrightable items from the old implementations such as
16
// - lookup tables
17
// - algorithm for various bit permutations
18
// - Any variable & function names that are already MS-generated.
19
// - Other MS-generated code elements (e.g. SymCrypt integration)
20
// Some of the considerations we made are:
21
// Most of the functionality of DES is required by the FIPS standard and there is not much
22
// choice on how to code it; elements required by the standard are not copyright protected.
23
// The lookup tables themselves are not copyrightable as they have no artistic expression.
24
// The format of the lookup tables is almost completely determined by the standard and the algorithm
25
// used to access them. Any further layout and structure are all standard C conventions.
26
// Algorithm tricks such as Hoey's IP implementation are not copyrightable but are patentable.
27
// Fortunately all the techniques we use have been around long enough that any patents have expired.
28
//
29
30
//
31
// Feb 2018, Niels Ferguson
32
//
33
34
#include "precomp.h"
35
36
//
37
// Tables to describe the DES and 3DES block ciphers so that the generic
38
// chaining mode functions can use them.
39
// We have no optimized mode-specific code as the DES block is so slow that there is
40
// very little to be gained.
41
//
42
43
const SYMCRYPT_BLOCKCIPHER SymCrypt3DesBlockCipher_default = {
44
    SymCrypt3DesExpandKey,  // PSYMCRYPT_BLOCKCIPHER_EXPAND_KEY    expandKeyFunc;
45
    SymCrypt3DesEncrypt,    // PSYMCRYPT_BLOCKCIPHER_CRYPT         encryptFunc;
46
    SymCrypt3DesDecrypt,    // PSYMCRYPT_BLOCKCIPHER_CRYPT         decryptFunc;
47
    NULL,                   // PSYMCRYPT_BLOCKCIPHER_CRYPT_ECB     ecbEncryptFunc;
48
    NULL,                   // PSYMCRYPT_BLOCKCIPHER_CRYPT_ECB     ecbDecryptFunc;
49
    NULL,                   // PSYMCRYPT_BLOCKCIPHER_CRYPT_MODE    cbcEncryptFunc;
50
    NULL,                   // PSYMCRYPT_BLOCKCIPHER_CRYPT_MODE    cbcDecryptFunc;
51
    NULL,                   // PSYMCRYPT_BLOCKCIPHER_MAC_MODE      cbcMacFunc;
52
    NULL,                   // PSYMCRYPT_BLOCKCIPHER_CRYPT_MODE    ctrMsbFunc;
53
    NULL,                   // PSYMCRYPT_BLOCKCIPHER_AEADPART_MODE gcmEncryptPartFunc;
54
    NULL,                   // PSYMCRYPT_BLOCKCIPHER_AEADPART_MODE gcmDecryptPartFunc;
55
    8,                      // SIZE_T                              blockSize;
56
    sizeof( SYMCRYPT_3DES_EXPANDED_KEY ), // SIZE_T  expandedKeySize;    // = sizeof( SYMCRYPT_XXX_EXPANDED_KEY )
57
};
58
59
const SYMCRYPT_BLOCKCIPHER SymCryptDesBlockCipher_default = {
60
    SymCryptDesExpandKey,   // PSYMCRYPT_BLOCKCIPHER_EXPAND_KEY    expandKeyFunc;
61
    SymCryptDesEncrypt,     // PSYMCRYPT_BLOCKCIPHER_CRYPT         encryptFunc;
62
    SymCryptDesDecrypt,     // PSYMCRYPT_BLOCKCIPHER_CRYPT         decryptFunc;
63
    NULL,                   // PSYMCRYPT_BLOCKCIPHER_CRYPT_ECB     ecbEncryptFunc;
64
    NULL,                   // PSYMCRYPT_BLOCKCIPHER_CRYPT_ECB     ecbDecryptFunc;
65
    NULL,                   // PSYMCRYPT_BLOCKCIPHER_CRYPT_MODE    cbcEncryptFunc;
66
    NULL,                   // PSYMCRYPT_BLOCKCIPHER_CRYPT_MODE    cbcDecryptFunc;
67
    NULL,                   // PSYMCRYPT_BLOCKCIPHER_MAC_MODE      cbcMacFunc;
68
    NULL,                   // PSYMCRYPT_BLOCKCIPHER_CRYPT_MODE    ctrMsbFunc;
69
    NULL,                   // PSYMCRYPT_BLOCKCIPHER_AEADPART_MODE gcmEncryptPartFunc;
70
    NULL,                   // PSYMCRYPT_BLOCKCIPHER_AEADPART_MODE gcmDecryptPartFunc;
71
    8,                      // SIZE_T                              blockSize;
72
    sizeof( SYMCRYPT_DES_EXPANDED_KEY ), // SIZE_T  expandedKeySize;    // = sizeof( SYMCRYPT_XXX_EXPANDED_KEY )
73
};
74
75
const PCSYMCRYPT_BLOCKCIPHER SymCrypt3DesBlockCipher = &SymCrypt3DesBlockCipher_default;
76
const PCSYMCRYPT_BLOCKCIPHER SymCryptDesBlockCipher = &SymCryptDesBlockCipher_default;
77
78
extern SYMCRYPT_ALIGN_AT(256) const UINT32 SymCryptDesSpbox[8][64];      // Combined S and P tables
79
extern SYMCRYPT_ALIGN_AT(256) const UINT32 SymCryptDesKeySelect[8][64];
80
81
82
//
83
// The SWAP_BITS_WITHIN_UINT32 macro swaps bits within a UINT32 value
84
// SWAP_BITS_WITHIN_UINT32( _value, _shift, _mask )
85
// swaps each bit in _value selected by _mask with the bit _shift positions to the left
86
// Thus it swaps (_value & _mask) with (_value & (_mask << _shift))
87
//
88
89
0
#define SWAP_BITS_WITHIN_UINT32( _value, _shift, _mask ) \
90
0
{ \
91
0
    UINT32  _tmp; \
92
0
    _tmp = ((_value) ^ ((_value) >> (_shift))) & (_mask ); \
93
0
    _value = (_value) ^ _tmp ^ (_tmp << (_shift)); \
94
0
}
95
96
//
97
// The SWAP_BITS_BETWEEN_UINT32 macro swaps bits between two UINT32 values
98
// SWAP_BITS_BETWEEN_UINT32( _v1, _v2, _shift, _mask )
99
// swaps bits in _v1 selected by _mask with bits in _v2 selected by _mask << _shift
100
//
101
102
0
#define SWAP_BITS_BETWEEN_UINT32( _v1, _v2, _shift, _mask ) \
103
0
{ \
104
0
    UINT32  _tmp; \
105
0
    _tmp = ((_v1) ^ ((_v2) >> (_shift))) & (_mask); \
106
0
    _v1 ^= _tmp; \
107
0
    _v2 ^= (_tmp << (_shift )); \
108
0
}
109
110
//
111
// For each round, a bit that states whether the key schedule shift registers are clocked twice
112
// The data is straight from the standard.
113
//
114
static const BYTE SymCryptDesDoubleShift[16]={0,0,1,1,1,1,1,1,0,1,1,1,1,1,1,0};
115
116
//////////////////////////
117
//  DES
118
// We just implement DES as 3DES.
119
// People using DES have bigger problems than bad performance.
120
//
121
122
SYMCRYPT_ERROR
123
SYMCRYPT_CALL
124
SymCryptDesExpandKey(
125
    _Out_               PSYMCRYPT_DES_EXPANDED_KEY  pExpandedKey,
126
    _In_reads_( cbKey ) PCBYTE                      pbKey,
127
                        SIZE_T                      cbKey )
128
0
{
129
0
    if( cbKey != 8 )
130
0
    {
131
        //
132
        // cbKey should be a compile-time constant in most cases,
133
        // so this should be optimized away
134
        //
135
0
        return SYMCRYPT_WRONG_KEY_SIZE;
136
0
    }
137
0
    return SymCrypt3DesExpandKey( &pExpandedKey->threeDes, pbKey, cbKey );
138
0
}
139
140
VOID
141
SYMCRYPT_CALL
142
SymCryptDesEncrypt(
143
    _In_                                    PCSYMCRYPT_DES_EXPANDED_KEY pExpandedKey,
144
    _In_reads_( SYMCRYPT_DES_BLOCK_SIZE )   PCBYTE                      pbSrc,
145
    _Out_writes_( SYMCRYPT_DES_BLOCK_SIZE ) PBYTE                       pbDst )
146
0
{
147
0
    SymCrypt3DesEncrypt( &pExpandedKey->threeDes, pbSrc, pbDst );
148
0
}
149
150
VOID
151
SYMCRYPT_CALL
152
SymCryptDesDecrypt(
153
    _In_                                    PCSYMCRYPT_DES_EXPANDED_KEY pExpandedKey,
154
    _In_reads_( SYMCRYPT_DES_BLOCK_SIZE )   PCBYTE                      pbSrc,
155
    _Out_writes_( SYMCRYPT_DES_BLOCK_SIZE ) PBYTE                       pbDst )
156
0
{
157
0
    SymCrypt3DesDecrypt( &pExpandedKey->threeDes, pbSrc, pbDst );
158
0
}
159
160
//
161
// The 3DesCbcEncrypt/Decrypt functions are used to make converting code from
162
// older libraries to SymCrypt easier.
163
//
164
165
VOID
166
SYMCRYPT_CALL
167
SymCrypt3DesCbcEncrypt(
168
    _In_                                        PCSYMCRYPT_3DES_EXPANDED_KEY    pExpandedKey,
169
    _Inout_updates_( SYMCRYPT_3DES_BLOCK_SIZE ) PBYTE                           pbChainingValue,
170
    _In_reads_( cbData )                        PCBYTE                          pbSrc,
171
    _Out_writes_( cbData )                      PBYTE                           pbDst,
172
                                                SIZE_T                          cbData )
173
0
{
174
0
    SYMCRYPT_ASSERT( SymCrypt3DesBlockCipher->blockSize == SYMCRYPT_3DES_BLOCK_SIZE );
175
0
    SymCryptCbcEncrypt( SymCrypt3DesBlockCipher, pExpandedKey, pbChainingValue, pbSrc, pbDst, cbData );
176
0
}
177
178
VOID
179
SYMCRYPT_CALL
180
SymCrypt3DesCbcDecrypt(
181
    _In_                                        PCSYMCRYPT_3DES_EXPANDED_KEY    pExpandedKey,
182
    _Inout_updates_( SYMCRYPT_3DES_BLOCK_SIZE ) PBYTE                           pbChainingValue,
183
    _In_reads_( cbData )                        PCBYTE                          pbSrc,
184
    _Out_writes_( cbData )                      PBYTE                           pbDst,
185
                                                SIZE_T                          cbData )
186
0
{
187
0
    SYMCRYPT_ASSERT( SymCrypt3DesBlockCipher->blockSize == SYMCRYPT_3DES_BLOCK_SIZE );
188
0
    SymCryptCbcDecrypt( SymCrypt3DesBlockCipher, pExpandedKey, pbChainingValue, pbSrc, pbDst, cbData );
189
0
}
190
191
192
193
VOID
194
SYMCRYPT_CALL
195
SymCryptDesExpandSingleKey(
196
        _Out_writes_bytes_(128) UINT32  expandedKeyTable[16][2],
197
        _In_reads_(8)           PCBYTE  pKey )
198
0
{
199
0
    UINT32 Cr, Dr;      // The C_r D_r values of FIPS 43 for round value r
200
0
    UINT32 r;           // round
201
0
    UINT32 K1, K2;      // round keys after the permuted choice 2
202
0
    UINT32 tmp;
203
204
    //
205
    // We follow the FIPS 43 flow quite closely and have not optimized the key expansion much.
206
    // Key expansion is not performance-critical.
207
    //
208
209
    // Load the key
210
0
    Cr = SYMCRYPT_LOAD_LSBFIRST32( pKey );
211
0
    Dr = SYMCRYPT_LOAD_LSBFIRST32( pKey + 4 );
212
213
    //
214
    // The Permuted Choice 1 can be done mostly with a sequence of bit swaps.
215
    // The algorithm we use is derived from our earlier implementation and might potentially
216
    // derive from an external source.
217
    // But the algorithm cannot be copyrighted, only patented, and if there were any patents
218
    // they have expired by now.
219
    // The expression of the algorithm in code is purely MS generated, and so not encumbered
220
    // by external copyrights.
221
    // This algorithm is really just a transposition of the bits when viewed as an 8x8 matrix
222
    // with an additional permutation on the output side.
223
    //
224
0
    SWAP_BITS_BETWEEN_UINT32( Cr, Dr, 4, 0x0f0f0f0f );
225
0
    SWAP_BITS_WITHIN_UINT32( Dr, 18, 0x00003333 );
226
0
    SWAP_BITS_WITHIN_UINT32( Cr, 18, 0x00003333 );
227
0
    SWAP_BITS_BETWEEN_UINT32( Cr, Dr, 1, 0x55555555 );
228
0
    SWAP_BITS_BETWEEN_UINT32( Dr, Cr, 8, 0x00ff00ff );
229
0
    SWAP_BITS_BETWEEN_UINT32( Cr, Dr, 1, 0x55555555 );
230
0
    SWAP_BITS_WITHIN_UINT32( Dr, 16, 0xff );
231
232
    // Have to re-arrange C and D a tiny bit so that each contains 28 bits and we throw away 8 bits
233
0
    Dr = (Dr & 0x00ffffff) | ((Cr & 0xf0000000 ) >> 4 );
234
0
    Cr = (Cr & 0x0fffffff);
235
236
0
    for( r = 0; r < 16; r++)
237
0
    {
238
        //
239
        // Cr and Dr are the two key shift registers, they are rotated once or twice for each round.
240
        //
241
242
0
        if( SymCryptDesDoubleShift[ r ] ) {
243
0
            Cr = ((Cr >> 2) | (Cr << 26));
244
0
            Dr = ((Dr >> 2) | (Dr << 26));
245
0
        } else {
246
0
            Cr = ((Cr >> 1) | (Cr << 27));
247
0
            Dr = ((Dr >> 1) | (Dr << 27));
248
0
        }
249
250
0
        Cr &= 0x0fffffff;
251
0
        Dr &= 0x0fffffff;
252
253
        //
254
        // The Permuted Choice 2 is done using table lookups
255
        // Not all bits of C and D are used, so we cut those out using shifts and masks,
256
        // and then index 6 bits at a time into lookup tables that implement the bit relocation.
257
        //
258
259
0
        K1 = SymCryptDesKeySelect[0][ (Cr      )&0x3f                     ] |
260
0
             SymCryptDesKeySelect[1][((Cr >>  6)&0x03) | ((Cr >>  7)&0x3c)] |
261
0
             SymCryptDesKeySelect[2][((Cr >> 13)&0x0f) | ((Cr >> 14)&0x30)] |
262
0
             SymCryptDesKeySelect[3][((Cr >> 20)&0x01) | ((Cr >> 21)&0x06) | ((Cr >> 22)&0x38)];
263
264
0
        K2 = SymCryptDesKeySelect[4][ (Dr      )&0x3f                     ] |
265
0
             SymCryptDesKeySelect[5][((Dr >>  7)&0x03) | ((Dr >>  8)&0x3c)] |
266
0
             SymCryptDesKeySelect[6][ (Dr >> 15)&0x3f                     ] |
267
0
             SymCryptDesKeySelect[7][((Dr >> 21)&0x0f) | ((Dr >> 22)&0x30)];
268
269
        //
270
        // After this we still have to swap the halves of K1 and K2, that is done below
271
        // as part of the formatting of the round key
272
        //
273
274
        //
275
        // So far we have recreated the round keys per the standard.
276
        // The round keys are stored rotated by 2 as the encrypt/decrypt code finds that easier.
277
        // We could update the tables to do this, but key expansion is not used that frequently,
278
        // and it is not worth the effort to update the tables.
279
        //
280
        // We don't worry about extraneous bits in unused positions as the F function masks out unused bits.
281
        //
282
283
0
        tmp = ((K2 << 16) | (K1 & 0x0000ffff)) ;
284
0
        expandedKeyTable[r][0] = ROL32(tmp, 2);
285
286
0
        tmp = ((K1 >> 16) | (K2 & 0xffff0000));
287
0
        expandedKeyTable[r][1] = ROL32(tmp, 6);
288
0
    }
289
0
}
290
291
292
SYMCRYPT_NOINLINE
293
SYMCRYPT_ERROR
294
SYMCRYPT_CALL
295
SymCrypt3DesExpandKey(
296
    _Out_               PSYMCRYPT_3DES_EXPANDED_KEY pExpandedKey,
297
    _In_reads_(cbKey)   PCBYTE                      pbKey,
298
                        SIZE_T                      cbKey )
299
0
{
300
0
    SIZE_T keyIndex = 0;
301
0
    int i;
302
303
0
    if( cbKey != 8 && cbKey != 16 && cbKey != 24 )
304
0
    {
305
0
        return SYMCRYPT_WRONG_KEY_SIZE;
306
0
    }
307
308
    //
309
    // A loop that goes over the provided key as a circular buffer provides
310
    // the right result with the least complexity.
311
    // This is inefficient for the cases cbKey=8 and cbKey=16, but those should
312
    // not be used anyway.
313
    //
314
0
    for( i=0; i<3; i++ )
315
0
    {
316
0
        SYMCRYPT_ASSERT( keyIndex <= cbKey - 8 );       // help PreFast
317
0
        SymCryptDesExpandSingleKey( pExpandedKey->roundKey[i], pbKey + keyIndex );
318
0
        keyIndex = (keyIndex + 8) % cbKey;
319
0
    }
320
321
0
    SYMCRYPT_SET_MAGIC( pExpandedKey );
322
323
0
    return SYMCRYPT_NO_ERROR;
324
0
}
325
326
327
//
328
// The DES round function
329
// This is straight from the standard.
330
// Ta and Tb each contain 4 sets of 6 bits that are S-box inputs
331
// We interleave the use of Ta and Tb to provide better CPU scheduling on weak compilers.
332
// We ensure that the input bits appear in bits 2-7 of the index to avoid a scaled index
333
// which can be slower on some CPUs.
334
//
335
0
#define F(L, R, keyptr) { \
336
0
    Ta = keyptr[0] ^ R; \
337
0
    Tb = keyptr[1] ^ R; \
338
0
    Tb = ROR32(Tb, 4); \
339
0
    L ^= *(UINT32 *)((PBYTE)SymCryptDesSpbox[0] + ( Ta     & 0xfc)); \
340
0
    L ^= *(UINT32 *)((PBYTE)SymCryptDesSpbox[1] + ( Tb     & 0xfc)); \
341
0
    L ^= *(UINT32 *)((PBYTE)SymCryptDesSpbox[2] + ((Ta>> 8)& 0xfc)); \
342
0
    L ^= *(UINT32 *)((PBYTE)SymCryptDesSpbox[3] + ((Tb>> 8)& 0xfc)); \
343
0
    L ^= *(UINT32 *)((PBYTE)SymCryptDesSpbox[4] + ((Ta>>16)& 0xfc)); \
344
0
    L ^= *(UINT32 *)((PBYTE)SymCryptDesSpbox[5] + ((Tb>>16)& 0xfc)); \
345
0
    L ^= *(UINT32 *)((PBYTE)SymCryptDesSpbox[6] + ((Ta>>24)& 0xfc)); \
346
0
    L ^= *(UINT32 *)((PBYTE)SymCryptDesSpbox[7] + ((Tb>>24)& 0xfc)); }
347
348
349
350
//
351
// Block encryption.
352
// The noinline stops the compiler from inlining the code and creating additional
353
// implementations which would require separate FIPS selftests.
354
//
355
SYMCRYPT_NOINLINE
356
VOID
357
SYMCRYPT_CALL
358
SymCrypt3DesEncrypt(
359
    _In_                                        PCSYMCRYPT_3DES_EXPANDED_KEY    pExpandedKey,
360
    _In_reads_( SYMCRYPT_3DES_BLOCK_SIZE )      PCBYTE                          pbSrc,
361
    _Out_writes_( SYMCRYPT_3DES_BLOCK_SIZE )    PBYTE                           pbDst )
362
0
{
363
0
    UINT32   L, R, Ta, Tb;
364
0
    int r;
365
366
0
    SYMCRYPT_CHECK_MAGIC( pExpandedKey );
367
368
0
    R = SYMCRYPT_LOAD_LSBFIRST32( pbSrc );
369
0
    L = SYMCRYPT_LOAD_LSBFIRST32( pbSrc + 4 );
370
371
    //
372
    // Hoey's wonderful initial permutation algorithm, from Outerbridge
373
    // (see Schneier p 478)
374
    //
375
    // The algorithm we use is derived (through several intermediate forms) from the mentioned source.
376
    // But the algorithm cannot be copyrighted, only patented, and if there were any patents
377
    // they have expired by now.
378
    // The expression of the algorithm in code is purely MS generated,
379
    // within the confines of implementing the algorithm in the best way such that even a simple
380
    // compiler will create good code.
381
    //
382
383
0
    R = ROL32(R, 4);
384
0
    Ta = (L ^ R) & 0xf0f0f0f0;
385
0
    L ^= Ta;
386
0
    R ^= Ta;
387
388
0
    L = ROL32(L, 20);
389
0
    Ta = (L ^ R) & 0xfff0000f;
390
0
    R ^= Ta;
391
0
    L ^= Ta;
392
393
0
    L = ROL32(L,14);
394
0
    Ta = (L ^ R) & 0x33333333;
395
0
    R ^= Ta;
396
0
    L ^= Ta;
397
398
0
    R = ROL32(R, 22);
399
0
    Ta = (L ^ R) & 0x03fc03fc;
400
0
    R ^= Ta;
401
0
    L ^= Ta;
402
403
0
    R = ROL32(R, 9);
404
0
    Ta = (L ^ R) & 0xaaaaaaaa;
405
0
    R ^= Ta;
406
0
    L ^= Ta;
407
408
0
    L = ROL32(L, 1);
409
410
    //
411
    // First: encryption
412
    //
413
0
    for( r=0; r<16; r += 2 )
414
0
    {
415
0
        F( L, R, pExpandedKey->roundKey[0][r  ] );
416
0
        F( R, L, pExpandedKey->roundKey[0][r+1] );
417
0
    }
418
419
    //
420
    // Second: decryption
421
    // Note that L and R are swapped here, and the round counter counts down.
422
    //
423
0
    for( r=14; r>=0; r -= 2 )
424
0
    {
425
0
        F( R, L, pExpandedKey->roundKey[1][r+1] );
426
0
        F( L, R, pExpandedKey->roundKey[1][r  ] );
427
0
    }
428
429
    //
430
    // Third: encryption
431
    //
432
0
    for( r=0; r<16; r += 2 )
433
0
    {
434
0
        F( L, R, pExpandedKey->roundKey[2][r  ] );
435
0
        F( R, L, pExpandedKey->roundKey[2][r+1] );
436
0
    }
437
438
0
    R = ROR32(R, 1);
439
0
    Ta = (L ^ R) & 0xaaaaaaaa;
440
0
    R ^= Ta;
441
0
    L ^= Ta;
442
443
0
    L = ROR32(L, 9);
444
0
    Ta = (L ^ R) & 0x03fc03fc;
445
0
    R ^= Ta;
446
0
    L ^= Ta;
447
448
0
    L = ROR32(L, 22);
449
0
    Ta = (L ^ R) & 0x33333333;
450
0
    R ^= Ta;
451
0
    L ^= Ta;
452
453
0
    R = ROR32(R, 14);
454
0
    Ta = (L ^ R) & 0xfff0000f;
455
0
    R ^= Ta;
456
0
    L ^= Ta;
457
458
0
    R = ROR32(R, 20);
459
0
    Ta = (L ^ R) & 0xf0f0f0f0;
460
0
    R ^= Ta;
461
0
    L ^= Ta;
462
463
0
    L = ROR32(L, 4);
464
465
0
    SYMCRYPT_STORE_LSBFIRST32( pbDst, L );
466
0
    SYMCRYPT_STORE_LSBFIRST32( pbDst + 4, R );
467
0
}
468
469
470
//
471
// Block decrypt
472
// The noinline stops the compiler from inlining the code and creating additional
473
// implementations which would require separate FIPS selftests.
474
//
475
SYMCRYPT_NOINLINE
476
VOID
477
SYMCRYPT_CALL
478
SymCrypt3DesDecrypt(
479
    _In_                                        PCSYMCRYPT_3DES_EXPANDED_KEY    pExpandedKey,
480
    _In_reads_( SYMCRYPT_3DES_BLOCK_SIZE )      PCBYTE                          pbSrc,
481
    _Out_writes_( SYMCRYPT_3DES_BLOCK_SIZE )    PBYTE                           pbDst )
482
0
{
483
0
    UINT32   L, R, Ta, Tb;
484
0
    int r;
485
486
0
    SYMCRYPT_CHECK_MAGIC( pExpandedKey );
487
488
0
    R = SYMCRYPT_LOAD_LSBFIRST32( pbSrc );
489
0
    L = SYMCRYPT_LOAD_LSBFIRST32( pbSrc + 4 );
490
491
0
    R = ROL32(R, 4);
492
0
    Ta = (L ^ R) & 0xf0f0f0f0;
493
0
    L ^= Ta;
494
0
    R ^= Ta;
495
496
0
    L = ROL32(L, 20);
497
0
    Ta = (L ^ R) & 0xfff0000f;
498
0
    L ^= Ta;
499
0
    R ^= Ta;
500
501
0
    L = ROL32(L, 14);
502
0
    Ta = (L ^ R) & 0x33333333;
503
0
    L ^= Ta;
504
0
    R ^= Ta;
505
506
0
    R = ROL32(R, 22);
507
0
    Ta = (L ^ R) & 0x03fc03fc;
508
0
    L ^= Ta;
509
0
    R ^= Ta;
510
511
0
    R = ROL32(R, 9);
512
0
    Ta = (L ^ R) & 0xaaaaaaaa;
513
0
    L ^= Ta;
514
0
    R ^= Ta;
515
516
0
    L = ROL32(L, 1);
517
518
519
    // Decrypt with key 2
520
0
    for( r=14; r>=0; r -= 2 )
521
0
    {
522
0
        F( L, R, pExpandedKey->roundKey[2][r+1] );
523
0
        F( R, L, pExpandedKey->roundKey[2][r  ] );
524
0
    }
525
526
    // Encrypt with key 1
527
0
    for( r=0; r<16; r += 2 )
528
0
    {
529
0
        F( R, L, pExpandedKey->roundKey[1][r  ] );
530
0
        F( L, R, pExpandedKey->roundKey[1][r+1] );
531
0
    }
532
533
    // Decrypt with key 0
534
0
    for( r=14; r>=0; r -= 2 )
535
0
    {
536
0
        F( L, R, pExpandedKey->roundKey[0][r+1] );
537
0
        F( R, L, pExpandedKey->roundKey[0][r  ] );
538
0
    }
539
540
    /* Inverse permutation, also from Hoey via Outerbridge and Schneier */
541
542
0
    R = ROR32(R, 1);
543
0
    Ta = (L ^ R) & 0xaaaaaaaa;
544
0
    L ^= Ta;
545
0
    R ^= Ta;
546
547
0
    L = ROR32(L, 9);
548
0
    Ta = (L ^ R) & 0x03fc03fc;
549
0
    L ^= Ta;
550
0
    R ^= Ta;
551
552
0
    L = ROR32(L, 22);
553
0
    Ta = (L ^ R) & 0x33333333;
554
0
    L ^= Ta;
555
0
    R ^= Ta;
556
557
0
    R = ROR32(R, 14);
558
0
    Ta = (L ^ R) & 0xfff0000f;
559
0
    L ^= Ta;
560
0
    R ^= Ta;
561
562
0
    R = ROR32(R, 20);
563
0
    Ta = (L ^ R) & 0xf0f0f0f0;
564
0
    L ^= Ta;
565
0
    R ^= Ta;
566
567
0
    L = ROR32(L, 4);
568
569
0
    SYMCRYPT_STORE_LSBFIRST32( pbDst, L );
570
0
    SYMCRYPT_STORE_LSBFIRST32( pbDst + 4, R );
571
0
}
572
573
574
575
VOID
576
SYMCRYPT_CALL
577
SymCryptDesSetOddParity(
578
    _Inout_updates_( cbData )   PBYTE   pbData,
579
    _In_                        SIZE_T  cbData )
580
//
581
// For each byte, set bit 0 such that the byte parity is odd.
582
// This function is side-channel safe
583
//
584
0
{
585
0
    SIZE_T i;
586
0
    BYTE b, t;
587
0
    for( i=0; i<cbData; i++ )
588
0
    {
589
        // We obey the read-once write-once rule
590
0
        b = *pbData;
591
592
0
        t = b ^ (b>>4);     // parity(b) = parity( t & 0xf )
593
0
        t ^= t>>2;          //           = parity( t & 0x3 )
594
0
        t ^= t>>1;          //           = parity( t & 0x1 )
595
0
        *pbData++ = b ^ (t&1) ^ 1;
596
0
    }
597
0
}
598
599
600
//
601
// Test vectors for self test
602
//
603
static const BYTE SP800_67Key[24] = {
604
    0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF,
605
    0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01,
606
    0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01, 0x23,
607
};
608
609
static const BYTE des3KnownPlaintext[8] = {
610
    0x4E, 0x6F, 0x77, 0x20, 0x69, 0x73, 0x20, 0x74,
611
};
612
613
static const BYTE des3KnownCiphertext[8] = {
614
    0x31, 0x4F, 0x83, 0x27, 0xFA, 0x7A, 0x09, 0xA8,
615
};
616
617
static const BYTE desKnownCiphertext[8] = {
618
    0x3F, 0xA4, 0x0E, 0x8A, 0x98, 0x4D, 0x48, 0x15,
619
};
620
621
622
VOID
623
SYMCRYPT_CALL
624
SymCryptDesSelftest(void)
625
0
{
626
0
    BYTE                        buf[SYMCRYPT_DES_BLOCK_SIZE];
627
0
    SYMCRYPT_DES_EXPANDED_KEY   key;
628
629
0
    if( SymCryptDesExpandKey( &key, SP800_67Key, 8 ) != SYMCRYPT_NO_ERROR )
630
0
    {
631
0
        SymCryptFatal( 'desa' );
632
0
    }
633
634
0
    SymCryptDesEncrypt( &key, des3KnownPlaintext, buf );
635
636
0
    SymCryptInjectError( buf, SYMCRYPT_DES_BLOCK_SIZE );
637
638
0
    if( memcmp( buf, desKnownCiphertext, SYMCRYPT_DES_BLOCK_SIZE ) != 0 )
639
0
    {
640
0
        SymCryptFatal( 'desb' );
641
0
    }
642
643
0
    SymCryptDesDecrypt( &key, desKnownCiphertext, buf );
644
645
0
    SymCryptInjectError( buf, SYMCRYPT_DES_BLOCK_SIZE );
646
647
0
    if( memcmp( buf, des3KnownPlaintext, SYMCRYPT_DES_BLOCK_SIZE ) != 0 )
648
0
    {
649
0
        SymCryptFatal( 'desc' );
650
0
    }
651
0
}
652
653
654
VOID
655
SYMCRYPT_CALL
656
SymCrypt3DesSelftest(void)
657
0
{
658
0
    BYTE                        buf[SYMCRYPT_3DES_BLOCK_SIZE];
659
0
    SYMCRYPT_3DES_EXPANDED_KEY  key;
660
661
0
    if( SymCrypt3DesExpandKey( &key, SP800_67Key, 24 ) != SYMCRYPT_NO_ERROR )
662
0
    {
663
0
        SymCryptFatal( 'des3' );
664
0
    }
665
666
0
    SymCrypt3DesEncrypt( &key, des3KnownPlaintext, buf );
667
668
0
    SymCryptInjectError( buf, SYMCRYPT_3DES_BLOCK_SIZE );
669
670
0
    if( memcmp( buf, des3KnownCiphertext, SYMCRYPT_3DES_BLOCK_SIZE ) != 0 )
671
0
    {
672
0
        SymCryptFatal( 'des4' );
673
0
    }
674
675
0
    SymCrypt3DesDecrypt( &key, des3KnownCiphertext, buf );
676
677
0
    SymCryptInjectError( buf, SYMCRYPT_3DES_BLOCK_SIZE );
678
679
0
    if( memcmp( buf, des3KnownPlaintext, SYMCRYPT_3DES_BLOCK_SIZE ) != 0 )
680
0
    {
681
0
        SymCryptFatal( 'des5' );
682
0
    }
683
0
}
684
685
686
687
688
689
#if 0
690
////////////////////////////////////////////
691
// Useful tables, kept for future reference.
692
//
693
694
// Tables defined in the Data Encryption Standard documents
695
// Three of these tables, the initial permutation, the final
696
// permutation and the expansion operator, are regular enough that
697
// for speed, we hard-code them. They're here for reference only.
698
// Also, the S and P boxes are used by a separate program, gensp.c,
699
// to build the combined SP box, Spbox[]. They're also here just
700
// for reference.
701
//
702
// initial permutation IP
703
static unsigned BYTE ip[] = {
704
    58, 50, 42, 34, 26, 18, 10,  2,
705
    60, 52, 44, 36, 28, 20, 12,  4,
706
    62, 54, 46, 38, 30, 22, 14,  6,
707
    64, 56, 48, 40, 32, 24, 16,  8,
708
    57, 49, 41, 33, 25, 17,  9,  1,
709
    59, 51, 43, 35, 27, 19, 11,  3,
710
    61, 53, 45, 37, 29, 21, 13,  5,
711
    63, 55, 47, 39, 31, 23, 15,  7
712
};
713
714
// final permutation IP^-1
715
static unsigned BYTE fp[] = {
716
    40,  8, 48, 16, 56, 24, 64, 32,
717
    39,  7, 47, 15, 55, 23, 63, 31,
718
    38,  6, 46, 14, 54, 22, 62, 30,
719
    37,  5, 45, 13, 53, 21, 61, 29,
720
    36,  4, 44, 12, 52, 20, 60, 28,
721
    35,  3, 43, 11, 51, 19, 59, 27,
722
    34,  2, 42, 10, 50, 18, 58, 26,
723
    33,  1, 41,  9, 49, 17, 57, 25
724
};
725
726
// expansion operation matrix
727
static unsigned BYTE ei[] = {
728
    32,  1,  2,  3,  4,  5,
729
     4,  5,  6,  7,  8,  9,
730
     8,  9, 10, 11, 12, 13,
731
    12, 13, 14, 15, 16, 17,
732
    16, 17, 18, 19, 20, 21,
733
    20, 21, 22, 23, 24, 25,
734
    24, 25, 26, 27, 28, 29,
735
    28, 29, 30, 31, 32,  1
736
};
737
738
// The (in)famous S-boxes
739
static unsigned BYTE sbox[8][64] = {
740
    // S1
741
    14,  4, 13,  1,  2, 15, 11,  8,  3, 10,  6, 12,  5,  9,  0,  7,
742
     0, 15,  7,  4, 14,  2, 13,  1, 10,  6, 12, 11,  9,  5,  3,  8,
743
     4,  1, 14,  8, 13,  6,  2, 11, 15, 12,  9,  7,  3, 10,  5,  0,
744
    15, 12,  8,  2,  4,  9,  1,  7,  5, 11,  3, 14, 10,  0,  6, 13,
745
746
    // S2
747
    15,  1,  8, 14,  6, 11,  3,  4,  9,  7,  2, 13, 12,  0,  5, 10,
748
     3, 13,  4,  7, 15,  2,  8, 14, 12,  0,  1, 10,  6,  9, 11,  5,
749
     0, 14,  7, 11, 10,  4, 13,  1,  5,  8, 12,  6,  9,  3,  2, 15,
750
    13,  8, 10,  1,  3, 15,  4,  2, 11,  6,  7, 12,  0,  5, 14,  9,
751
752
    // S3
753
    10,  0,  9, 14,  6,  3, 15,  5,  1, 13, 12,  7, 11,  4,  2,  8,
754
    13,  7,  0,  9,  3,  4,  6, 10,  2,  8,  5, 14, 12, 11, 15,  1,
755
    13,  6,  4,  9,  8, 15,  3,  0, 11,  1,  2, 12,  5, 10, 14,  7,
756
     1, 10, 13,  0,  6,  9,  8,  7,  4, 15, 14,  3, 11,  5,  2, 12,
757
758
    // S4
759
     7, 13, 14,  3,  0,  6,  9, 10,  1,  2,  8,  5, 11, 12,  4, 15,
760
    13,  8, 11,  5,  6, 15,  0,  3,  4,  7,  2, 12,  1, 10, 14,  9,
761
    10,  6,  9,  0, 12, 11,  7, 13, 15,  1,  3, 14,  5,  2,  8,  4,
762
     3, 15,  0,  6, 10,  1, 13,  8,  9,  4,  5, 11, 12,  7,  2, 14,
763
764
    // S5
765
     2, 12,  4,  1,  7, 10, 11,  6,  8,  5,  3, 15, 13,  0, 14,  9,
766
    14, 11,  2, 12,  4,  7, 13,  1,  5,  0, 15, 10,  3,  9,  8,  6,
767
     4,  2,  1, 11, 10, 13,  7,  8, 15,  9, 12,  5,  6,  3,  0, 14,
768
    11,  8, 12,  7,  1, 14,  2, 13,  6, 15,  0,  9, 10,  4,  5,  3,
769
770
    // S6
771
    12,  1, 10, 15,  9,  2,  6,  8,  0, 13,  3,  4, 14,  7,  5, 11,
772
    10, 15,  4,  2,  7, 12,  9,  5,  6,  1, 13, 14,  0, 11,  3,  8,
773
     9, 14, 15,  5,  2,  8, 12,  3,  7,  0,  4, 10,  1, 13, 11,  6,
774
     4,  3,  2, 12,  9,  5, 15, 10, 11, 14,  1,  7,  6,  0,  8, 13,
775
776
    // S7
777
     4, 11,  2, 14, 15,  0,  8, 13,  3, 12,  9,  7,  5, 10,  6,  1,
778
    13,  0, 11,  7,  4,  9,  1, 10, 14,  3,  5, 12,  2, 15,  8,  6,
779
     1,  4, 11, 13, 12,  3,  7, 14, 10, 15,  6,  8,  0,  5,  9,  2,
780
     6, 11, 13,  8,  1,  4, 10,  7,  9,  5,  0, 15, 14,  2,  3, 12,
781
782
    // S8
783
    13,  2,  8,  4,  6, 15, 11,  1, 10,  9,  3, 14,  5,  0, 12,  7,
784
     1, 15, 13,  8, 10,  3,  7,  4, 12,  5,  6, 11,  0, 14,  9,  2,
785
     7, 11,  4,  1,  9, 12, 14,  2,  0,  6, 10, 13, 15,  3,  5,  8,
786
     2,  1, 14,  7,  4, 10,  8, 13, 15, 12,  9,  0,  3,  5,  6, 11
787
};
788
789
// 32-bit permutation function P used on the output of the S-boxes
790
static unsigned BYTE p32i[] = {
791
    16,  7, 20, 21,
792
    29, 12, 28, 17,
793
     1, 15, 23, 26,
794
     5, 18, 31, 10,
795
     2,  8, 24, 14,
796
    32, 27,  3,  9,
797
    19, 13, 30,  6,
798
    22, 11,  4, 25
799
};
800
801
// permuted choice table (key)
802
static unsigned BYTE pc1[] = {
803
    57, 49, 41, 33, 25, 17,  9,
804
     1, 58, 50, 42, 34, 26, 18,
805
    10,  2, 59, 51, 43, 35, 27,
806
    19, 11,  3, 60, 52, 44, 36,
807
808
    63, 55, 47, 39, 31, 23, 15,
809
     7, 62, 54, 46, 38, 30, 22,
810
    14,  6, 61, 53, 45, 37, 29,
811
    21, 13,  5, 28, 20, 12,  4
812
};
813
814
// number left rotations of pc1
815
static unsigned BYTE totrot[] = {
816
    1,2,4,6,8,10,12,14,15,17,19,21,23,25,27,28
817
};
818
819
// permuted choice key (table)
820
static unsigned BYTE pc2[] = {
821
    14, 17, 11, 24,  1,  5,
822
     3, 28, 15,  6, 21, 10,
823
    23, 19, 12,  4, 26,  8,
824
    16,  7, 27, 20, 13,  2,
825
    41, 52, 31, 37, 47, 55,
826
    30, 40, 51, 45, 33, 48,
827
    44, 49, 39, 56, 34, 53,
828
    46, 42, 50, 36, 29, 32
829
};
830
831
#endif
832