Line | Count | Source (jump to first uncovered line) |
1 | | // |
2 | | // 3des.c Routines for DES and 3DES |
3 | | // |
4 | | // Copyright (c) Microsoft Corporation. Licensed under the MIT license. |
5 | | // |
6 | | // This is an updated implementation that is carefully reviewed to be fully copyrighted by |
7 | | // Microsoft. Our previous implementation was partially based on a very old public domain |
8 | | // implementation. |
9 | | // According to Andrew Tucker (atucker) there was a claim many years ago about the copyright of |
10 | | // our DES code. Working with LCA (legal) it was determined that the DES implementation in RSA32.lib |
11 | | // was a Microsoft derivitive of a public-domain implementation, and therefore is clear of |
12 | | // any IP issues. To avoid any further claims we have now scrubbed this implementation from all |
13 | | // copyrightable elements derived from outside sources. |
14 | | // |
15 | | // We take non-copyrightable items from the old implementations such as |
16 | | // - lookup tables |
17 | | // - algorithm for various bit permutations |
18 | | // - Any variable & function names that are already MS-generated. |
19 | | // - Other MS-generated code elements (e.g. SymCrypt integration) |
20 | | // Some of the considerations we made are: |
21 | | // Most of the functionality of DES is required by the FIPS standard and there is not much |
22 | | // choice on how to code it; elements required by the standard are not copyright protected. |
23 | | // The lookup tables themselves are not copyrightable as they have no artistic expression. |
24 | | // The format of the lookup tables is almost completely determined by the standard and the algorithm |
25 | | // used to access them. Any further layout and structure are all standard C conventions. |
26 | | // Algorithm tricks such as Hoey's IP implementation are not copyrightable but are patentable. |
27 | | // Fortunately all the techniques we use have been around long enough that any patents have expired. |
28 | | // |
29 | | |
30 | | // |
31 | | // Feb 2018, Niels Ferguson |
32 | | // |
33 | | |
34 | | #include "precomp.h" |
35 | | |
36 | | // |
37 | | // Tables to describe the DES and 3DES block ciphers so that the generic |
38 | | // chaining mode functions can use them. |
39 | | // We have no optimized mode-specific code as the DES block is so slow that there is |
40 | | // very little to be gained. |
41 | | // |
42 | | |
43 | | const SYMCRYPT_BLOCKCIPHER SymCrypt3DesBlockCipher_default = { |
44 | | SymCrypt3DesExpandKey, // PSYMCRYPT_BLOCKCIPHER_EXPAND_KEY expandKeyFunc; |
45 | | SymCrypt3DesEncrypt, // PSYMCRYPT_BLOCKCIPHER_CRYPT encryptFunc; |
46 | | SymCrypt3DesDecrypt, // PSYMCRYPT_BLOCKCIPHER_CRYPT decryptFunc; |
47 | | NULL, // PSYMCRYPT_BLOCKCIPHER_CRYPT_ECB ecbEncryptFunc; |
48 | | NULL, // PSYMCRYPT_BLOCKCIPHER_CRYPT_ECB ecbDecryptFunc; |
49 | | NULL, // PSYMCRYPT_BLOCKCIPHER_CRYPT_MODE cbcEncryptFunc; |
50 | | NULL, // PSYMCRYPT_BLOCKCIPHER_CRYPT_MODE cbcDecryptFunc; |
51 | | NULL, // PSYMCRYPT_BLOCKCIPHER_MAC_MODE cbcMacFunc; |
52 | | NULL, // PSYMCRYPT_BLOCKCIPHER_CRYPT_MODE ctrMsbFunc; |
53 | | NULL, // PSYMCRYPT_BLOCKCIPHER_AEADPART_MODE gcmEncryptPartFunc; |
54 | | NULL, // PSYMCRYPT_BLOCKCIPHER_AEADPART_MODE gcmDecryptPartFunc; |
55 | | 8, // SIZE_T blockSize; |
56 | | sizeof( SYMCRYPT_3DES_EXPANDED_KEY ), // SIZE_T expandedKeySize; // = sizeof( SYMCRYPT_XXX_EXPANDED_KEY ) |
57 | | }; |
58 | | |
59 | | const SYMCRYPT_BLOCKCIPHER SymCryptDesBlockCipher_default = { |
60 | | SymCryptDesExpandKey, // PSYMCRYPT_BLOCKCIPHER_EXPAND_KEY expandKeyFunc; |
61 | | SymCryptDesEncrypt, // PSYMCRYPT_BLOCKCIPHER_CRYPT encryptFunc; |
62 | | SymCryptDesDecrypt, // PSYMCRYPT_BLOCKCIPHER_CRYPT decryptFunc; |
63 | | NULL, // PSYMCRYPT_BLOCKCIPHER_CRYPT_ECB ecbEncryptFunc; |
64 | | NULL, // PSYMCRYPT_BLOCKCIPHER_CRYPT_ECB ecbDecryptFunc; |
65 | | NULL, // PSYMCRYPT_BLOCKCIPHER_CRYPT_MODE cbcEncryptFunc; |
66 | | NULL, // PSYMCRYPT_BLOCKCIPHER_CRYPT_MODE cbcDecryptFunc; |
67 | | NULL, // PSYMCRYPT_BLOCKCIPHER_MAC_MODE cbcMacFunc; |
68 | | NULL, // PSYMCRYPT_BLOCKCIPHER_CRYPT_MODE ctrMsbFunc; |
69 | | NULL, // PSYMCRYPT_BLOCKCIPHER_AEADPART_MODE gcmEncryptPartFunc; |
70 | | NULL, // PSYMCRYPT_BLOCKCIPHER_AEADPART_MODE gcmDecryptPartFunc; |
71 | | 8, // SIZE_T blockSize; |
72 | | sizeof( SYMCRYPT_DES_EXPANDED_KEY ), // SIZE_T expandedKeySize; // = sizeof( SYMCRYPT_XXX_EXPANDED_KEY ) |
73 | | }; |
74 | | |
75 | | const PCSYMCRYPT_BLOCKCIPHER SymCrypt3DesBlockCipher = &SymCrypt3DesBlockCipher_default; |
76 | | const PCSYMCRYPT_BLOCKCIPHER SymCryptDesBlockCipher = &SymCryptDesBlockCipher_default; |
77 | | |
78 | | extern SYMCRYPT_ALIGN_AT(256) const UINT32 SymCryptDesSpbox[8][64]; // Combined S and P tables |
79 | | extern SYMCRYPT_ALIGN_AT(256) const UINT32 SymCryptDesKeySelect[8][64]; |
80 | | |
81 | | |
82 | | // |
83 | | // The SWAP_BITS_WITHIN_UINT32 macro swaps bits within a UINT32 value |
84 | | // SWAP_BITS_WITHIN_UINT32( _value, _shift, _mask ) |
85 | | // swaps each bit in _value selected by _mask with the bit _shift positions to the left |
86 | | // Thus it swaps (_value & _mask) with (_value & (_mask << _shift)) |
87 | | // |
88 | | |
89 | 0 | #define SWAP_BITS_WITHIN_UINT32( _value, _shift, _mask ) \ |
90 | 0 | { \ |
91 | 0 | UINT32 _tmp; \ |
92 | 0 | _tmp = ((_value) ^ ((_value) >> (_shift))) & (_mask ); \ |
93 | 0 | _value = (_value) ^ _tmp ^ (_tmp << (_shift)); \ |
94 | 0 | } |
95 | | |
96 | | // |
97 | | // The SWAP_BITS_BETWEEN_UINT32 macro swaps bits between two UINT32 values |
98 | | // SWAP_BITS_BETWEEN_UINT32( _v1, _v2, _shift, _mask ) |
99 | | // swaps bits in _v1 selected by _mask with bits in _v2 selected by _mask << _shift |
100 | | // |
101 | | |
102 | 0 | #define SWAP_BITS_BETWEEN_UINT32( _v1, _v2, _shift, _mask ) \ |
103 | 0 | { \ |
104 | 0 | UINT32 _tmp; \ |
105 | 0 | _tmp = ((_v1) ^ ((_v2) >> (_shift))) & (_mask); \ |
106 | 0 | _v1 ^= _tmp; \ |
107 | 0 | _v2 ^= (_tmp << (_shift )); \ |
108 | 0 | } |
109 | | |
110 | | // |
111 | | // For each round, a bit that states whether the key schedule shift registers are clocked twice |
112 | | // The data is straight from the standard. |
113 | | // |
114 | | static const BYTE SymCryptDesDoubleShift[16]={0,0,1,1,1,1,1,1,0,1,1,1,1,1,1,0}; |
115 | | |
116 | | ////////////////////////// |
117 | | // DES |
118 | | // We just implement DES as 3DES. |
119 | | // People using DES have bigger problems than bad performance. |
120 | | // |
121 | | |
122 | | SYMCRYPT_ERROR |
123 | | SYMCRYPT_CALL |
124 | | SymCryptDesExpandKey( |
125 | | _Out_ PSYMCRYPT_DES_EXPANDED_KEY pExpandedKey, |
126 | | _In_reads_( cbKey ) PCBYTE pbKey, |
127 | | SIZE_T cbKey ) |
128 | 0 | { |
129 | 0 | if( cbKey != 8 ) |
130 | 0 | { |
131 | | // |
132 | | // cbKey should be a compile-time constant in most cases, |
133 | | // so this should be optimized away |
134 | | // |
135 | 0 | return SYMCRYPT_WRONG_KEY_SIZE; |
136 | 0 | } |
137 | 0 | return SymCrypt3DesExpandKey( &pExpandedKey->threeDes, pbKey, cbKey ); |
138 | 0 | } |
139 | | |
140 | | VOID |
141 | | SYMCRYPT_CALL |
142 | | SymCryptDesEncrypt( |
143 | | _In_ PCSYMCRYPT_DES_EXPANDED_KEY pExpandedKey, |
144 | | _In_reads_( SYMCRYPT_DES_BLOCK_SIZE ) PCBYTE pbSrc, |
145 | | _Out_writes_( SYMCRYPT_DES_BLOCK_SIZE ) PBYTE pbDst ) |
146 | 0 | { |
147 | 0 | SymCrypt3DesEncrypt( &pExpandedKey->threeDes, pbSrc, pbDst ); |
148 | 0 | } |
149 | | |
150 | | VOID |
151 | | SYMCRYPT_CALL |
152 | | SymCryptDesDecrypt( |
153 | | _In_ PCSYMCRYPT_DES_EXPANDED_KEY pExpandedKey, |
154 | | _In_reads_( SYMCRYPT_DES_BLOCK_SIZE ) PCBYTE pbSrc, |
155 | | _Out_writes_( SYMCRYPT_DES_BLOCK_SIZE ) PBYTE pbDst ) |
156 | 0 | { |
157 | 0 | SymCrypt3DesDecrypt( &pExpandedKey->threeDes, pbSrc, pbDst ); |
158 | 0 | } |
159 | | |
160 | | // |
161 | | // The 3DesCbcEncrypt/Decrypt functions are used to make converting code from |
162 | | // older libraries to SymCrypt easier. |
163 | | // |
164 | | |
165 | | VOID |
166 | | SYMCRYPT_CALL |
167 | | SymCrypt3DesCbcEncrypt( |
168 | | _In_ PCSYMCRYPT_3DES_EXPANDED_KEY pExpandedKey, |
169 | | _Inout_updates_( SYMCRYPT_3DES_BLOCK_SIZE ) PBYTE pbChainingValue, |
170 | | _In_reads_( cbData ) PCBYTE pbSrc, |
171 | | _Out_writes_( cbData ) PBYTE pbDst, |
172 | | SIZE_T cbData ) |
173 | 0 | { |
174 | 0 | SYMCRYPT_ASSERT( SymCrypt3DesBlockCipher->blockSize == SYMCRYPT_3DES_BLOCK_SIZE ); |
175 | 0 | SymCryptCbcEncrypt( SymCrypt3DesBlockCipher, pExpandedKey, pbChainingValue, pbSrc, pbDst, cbData ); |
176 | 0 | } |
177 | | |
178 | | VOID |
179 | | SYMCRYPT_CALL |
180 | | SymCrypt3DesCbcDecrypt( |
181 | | _In_ PCSYMCRYPT_3DES_EXPANDED_KEY pExpandedKey, |
182 | | _Inout_updates_( SYMCRYPT_3DES_BLOCK_SIZE ) PBYTE pbChainingValue, |
183 | | _In_reads_( cbData ) PCBYTE pbSrc, |
184 | | _Out_writes_( cbData ) PBYTE pbDst, |
185 | | SIZE_T cbData ) |
186 | 0 | { |
187 | 0 | SYMCRYPT_ASSERT( SymCrypt3DesBlockCipher->blockSize == SYMCRYPT_3DES_BLOCK_SIZE ); |
188 | 0 | SymCryptCbcDecrypt( SymCrypt3DesBlockCipher, pExpandedKey, pbChainingValue, pbSrc, pbDst, cbData ); |
189 | 0 | } |
190 | | |
191 | | |
192 | | |
193 | | VOID |
194 | | SYMCRYPT_CALL |
195 | | SymCryptDesExpandSingleKey( |
196 | | _Out_writes_bytes_(128) UINT32 expandedKeyTable[16][2], |
197 | | _In_reads_(8) PCBYTE pKey ) |
198 | 0 | { |
199 | 0 | UINT32 Cr, Dr; // The C_r D_r values of FIPS 43 for round value r |
200 | 0 | UINT32 r; // round |
201 | 0 | UINT32 K1, K2; // round keys after the permuted choice 2 |
202 | 0 | UINT32 tmp; |
203 | | |
204 | | // |
205 | | // We follow the FIPS 43 flow quite closely and have not optimized the key expansion much. |
206 | | // Key expansion is not performance-critical. |
207 | | // |
208 | | |
209 | | // Load the key |
210 | 0 | Cr = SYMCRYPT_LOAD_LSBFIRST32( pKey ); |
211 | 0 | Dr = SYMCRYPT_LOAD_LSBFIRST32( pKey + 4 ); |
212 | | |
213 | | // |
214 | | // The Permuted Choice 1 can be done mostly with a sequence of bit swaps. |
215 | | // The algorithm we use is derived from our earlier implementation and might potentially |
216 | | // derive from an external source. |
217 | | // But the algorithm cannot be copyrighted, only patented, and if there were any patents |
218 | | // they have expired by now. |
219 | | // The expression of the algorithm in code is purely MS generated, and so not encumbered |
220 | | // by external copyrights. |
221 | | // This algorithm is really just a transposition of the bits when viewed as an 8x8 matrix |
222 | | // with an additional permutation on the output side. |
223 | | // |
224 | 0 | SWAP_BITS_BETWEEN_UINT32( Cr, Dr, 4, 0x0f0f0f0f ); |
225 | 0 | SWAP_BITS_WITHIN_UINT32( Dr, 18, 0x00003333 ); |
226 | 0 | SWAP_BITS_WITHIN_UINT32( Cr, 18, 0x00003333 ); |
227 | 0 | SWAP_BITS_BETWEEN_UINT32( Cr, Dr, 1, 0x55555555 ); |
228 | 0 | SWAP_BITS_BETWEEN_UINT32( Dr, Cr, 8, 0x00ff00ff ); |
229 | 0 | SWAP_BITS_BETWEEN_UINT32( Cr, Dr, 1, 0x55555555 ); |
230 | 0 | SWAP_BITS_WITHIN_UINT32( Dr, 16, 0xff ); |
231 | | |
232 | | // Have to re-arrange C and D a tiny bit so that each contains 28 bits and we throw away 8 bits |
233 | 0 | Dr = (Dr & 0x00ffffff) | ((Cr & 0xf0000000 ) >> 4 ); |
234 | 0 | Cr = (Cr & 0x0fffffff); |
235 | |
|
236 | 0 | for( r = 0; r < 16; r++) |
237 | 0 | { |
238 | | // |
239 | | // Cr and Dr are the two key shift registers, they are rotated once or twice for each round. |
240 | | // |
241 | |
|
242 | 0 | if( SymCryptDesDoubleShift[ r ] ) { |
243 | 0 | Cr = ((Cr >> 2) | (Cr << 26)); |
244 | 0 | Dr = ((Dr >> 2) | (Dr << 26)); |
245 | 0 | } else { |
246 | 0 | Cr = ((Cr >> 1) | (Cr << 27)); |
247 | 0 | Dr = ((Dr >> 1) | (Dr << 27)); |
248 | 0 | } |
249 | |
|
250 | 0 | Cr &= 0x0fffffff; |
251 | 0 | Dr &= 0x0fffffff; |
252 | | |
253 | | // |
254 | | // The Permuted Choice 2 is done using table lookups |
255 | | // Not all bits of C and D are used, so we cut those out using shifts and masks, |
256 | | // and then index 6 bits at a time into lookup tables that implement the bit relocation. |
257 | | // |
258 | |
|
259 | 0 | K1 = SymCryptDesKeySelect[0][ (Cr )&0x3f ] | |
260 | 0 | SymCryptDesKeySelect[1][((Cr >> 6)&0x03) | ((Cr >> 7)&0x3c)] | |
261 | 0 | SymCryptDesKeySelect[2][((Cr >> 13)&0x0f) | ((Cr >> 14)&0x30)] | |
262 | 0 | SymCryptDesKeySelect[3][((Cr >> 20)&0x01) | ((Cr >> 21)&0x06) | ((Cr >> 22)&0x38)]; |
263 | |
|
264 | 0 | K2 = SymCryptDesKeySelect[4][ (Dr )&0x3f ] | |
265 | 0 | SymCryptDesKeySelect[5][((Dr >> 7)&0x03) | ((Dr >> 8)&0x3c)] | |
266 | 0 | SymCryptDesKeySelect[6][ (Dr >> 15)&0x3f ] | |
267 | 0 | SymCryptDesKeySelect[7][((Dr >> 21)&0x0f) | ((Dr >> 22)&0x30)]; |
268 | | |
269 | | // |
270 | | // After this we still have to swap the halves of K1 and K2, that is done below |
271 | | // as part of the formatting of the round key |
272 | | // |
273 | | |
274 | | // |
275 | | // So far we have recreated the round keys per the standard. |
276 | | // The round keys are stored rotated by 2 as the encrypt/decrypt code finds that easier. |
277 | | // We could update the tables to do this, but key expansion is not used that frequently, |
278 | | // and it is not worth the effort to update the tables. |
279 | | // |
280 | | // We don't worry about extraneous bits in unused positions as the F function masks out unused bits. |
281 | | // |
282 | |
|
283 | 0 | tmp = ((K2 << 16) | (K1 & 0x0000ffff)) ; |
284 | 0 | expandedKeyTable[r][0] = ROL32(tmp, 2); |
285 | |
|
286 | 0 | tmp = ((K1 >> 16) | (K2 & 0xffff0000)); |
287 | 0 | expandedKeyTable[r][1] = ROL32(tmp, 6); |
288 | 0 | } |
289 | 0 | } |
290 | | |
291 | | |
292 | | SYMCRYPT_NOINLINE |
293 | | SYMCRYPT_ERROR |
294 | | SYMCRYPT_CALL |
295 | | SymCrypt3DesExpandKey( |
296 | | _Out_ PSYMCRYPT_3DES_EXPANDED_KEY pExpandedKey, |
297 | | _In_reads_(cbKey) PCBYTE pbKey, |
298 | | SIZE_T cbKey ) |
299 | 0 | { |
300 | 0 | SIZE_T keyIndex = 0; |
301 | 0 | int i; |
302 | |
|
303 | 0 | if( cbKey != 8 && cbKey != 16 && cbKey != 24 ) |
304 | 0 | { |
305 | 0 | return SYMCRYPT_WRONG_KEY_SIZE; |
306 | 0 | } |
307 | | |
308 | | // |
309 | | // A loop that goes over the provided key as a circular buffer provides |
310 | | // the right result with the least complexity. |
311 | | // This is inefficient for the cases cbKey=8 and cbKey=16, but those should |
312 | | // not be used anyway. |
313 | | // |
314 | 0 | for( i=0; i<3; i++ ) |
315 | 0 | { |
316 | 0 | SYMCRYPT_ASSERT( keyIndex <= cbKey - 8 ); // help PreFast |
317 | 0 | SymCryptDesExpandSingleKey( pExpandedKey->roundKey[i], pbKey + keyIndex ); |
318 | 0 | keyIndex = (keyIndex + 8) % cbKey; |
319 | 0 | } |
320 | |
|
321 | 0 | SYMCRYPT_SET_MAGIC( pExpandedKey ); |
322 | |
|
323 | 0 | return SYMCRYPT_NO_ERROR; |
324 | 0 | } |
325 | | |
326 | | |
327 | | // |
328 | | // The DES round function |
329 | | // This is straight from the standard. |
330 | | // Ta and Tb each contain 4 sets of 6 bits that are S-box inputs |
331 | | // We interleave the use of Ta and Tb to provide better CPU scheduling on weak compilers. |
332 | | // We ensure that the input bits appear in bits 2-7 of the index to avoid a scaled index |
333 | | // which can be slower on some CPUs. |
334 | | // |
335 | 0 | #define F(L, R, keyptr) { \ |
336 | 0 | Ta = keyptr[0] ^ R; \ |
337 | 0 | Tb = keyptr[1] ^ R; \ |
338 | 0 | Tb = ROR32(Tb, 4); \ |
339 | 0 | L ^= *(UINT32 *)((PBYTE)SymCryptDesSpbox[0] + ( Ta & 0xfc)); \ |
340 | 0 | L ^= *(UINT32 *)((PBYTE)SymCryptDesSpbox[1] + ( Tb & 0xfc)); \ |
341 | 0 | L ^= *(UINT32 *)((PBYTE)SymCryptDesSpbox[2] + ((Ta>> 8)& 0xfc)); \ |
342 | 0 | L ^= *(UINT32 *)((PBYTE)SymCryptDesSpbox[3] + ((Tb>> 8)& 0xfc)); \ |
343 | 0 | L ^= *(UINT32 *)((PBYTE)SymCryptDesSpbox[4] + ((Ta>>16)& 0xfc)); \ |
344 | 0 | L ^= *(UINT32 *)((PBYTE)SymCryptDesSpbox[5] + ((Tb>>16)& 0xfc)); \ |
345 | 0 | L ^= *(UINT32 *)((PBYTE)SymCryptDesSpbox[6] + ((Ta>>24)& 0xfc)); \ |
346 | 0 | L ^= *(UINT32 *)((PBYTE)SymCryptDesSpbox[7] + ((Tb>>24)& 0xfc)); } |
347 | | |
348 | | |
349 | | |
350 | | // |
351 | | // Block encryption. |
352 | | // The noinline stops the compiler from inlining the code and creating additional |
353 | | // implementations which would require separate FIPS selftests. |
354 | | // |
355 | | SYMCRYPT_NOINLINE |
356 | | VOID |
357 | | SYMCRYPT_CALL |
358 | | SymCrypt3DesEncrypt( |
359 | | _In_ PCSYMCRYPT_3DES_EXPANDED_KEY pExpandedKey, |
360 | | _In_reads_( SYMCRYPT_3DES_BLOCK_SIZE ) PCBYTE pbSrc, |
361 | | _Out_writes_( SYMCRYPT_3DES_BLOCK_SIZE ) PBYTE pbDst ) |
362 | 0 | { |
363 | 0 | UINT32 L, R, Ta, Tb; |
364 | 0 | int r; |
365 | |
|
366 | 0 | SYMCRYPT_CHECK_MAGIC( pExpandedKey ); |
367 | |
|
368 | 0 | R = SYMCRYPT_LOAD_LSBFIRST32( pbSrc ); |
369 | 0 | L = SYMCRYPT_LOAD_LSBFIRST32( pbSrc + 4 ); |
370 | | |
371 | | // |
372 | | // Hoey's wonderful initial permutation algorithm, from Outerbridge |
373 | | // (see Schneier p 478) |
374 | | // |
375 | | // The algorithm we use is derived (through several intermediate forms) from the mentioned source. |
376 | | // But the algorithm cannot be copyrighted, only patented, and if there were any patents |
377 | | // they have expired by now. |
378 | | // The expression of the algorithm in code is purely MS generated, |
379 | | // within the confines of implementing the algorithm in the best way such that even a simple |
380 | | // compiler will create good code. |
381 | | // |
382 | |
|
383 | 0 | R = ROL32(R, 4); |
384 | 0 | Ta = (L ^ R) & 0xf0f0f0f0; |
385 | 0 | L ^= Ta; |
386 | 0 | R ^= Ta; |
387 | |
|
388 | 0 | L = ROL32(L, 20); |
389 | 0 | Ta = (L ^ R) & 0xfff0000f; |
390 | 0 | R ^= Ta; |
391 | 0 | L ^= Ta; |
392 | |
|
393 | 0 | L = ROL32(L,14); |
394 | 0 | Ta = (L ^ R) & 0x33333333; |
395 | 0 | R ^= Ta; |
396 | 0 | L ^= Ta; |
397 | |
|
398 | 0 | R = ROL32(R, 22); |
399 | 0 | Ta = (L ^ R) & 0x03fc03fc; |
400 | 0 | R ^= Ta; |
401 | 0 | L ^= Ta; |
402 | |
|
403 | 0 | R = ROL32(R, 9); |
404 | 0 | Ta = (L ^ R) & 0xaaaaaaaa; |
405 | 0 | R ^= Ta; |
406 | 0 | L ^= Ta; |
407 | |
|
408 | 0 | L = ROL32(L, 1); |
409 | | |
410 | | // |
411 | | // First: encryption |
412 | | // |
413 | 0 | for( r=0; r<16; r += 2 ) |
414 | 0 | { |
415 | 0 | F( L, R, pExpandedKey->roundKey[0][r ] ); |
416 | 0 | F( R, L, pExpandedKey->roundKey[0][r+1] ); |
417 | 0 | } |
418 | | |
419 | | // |
420 | | // Second: decryption |
421 | | // Note that L and R are swapped here, and the round counter counts down. |
422 | | // |
423 | 0 | for( r=14; r>=0; r -= 2 ) |
424 | 0 | { |
425 | 0 | F( R, L, pExpandedKey->roundKey[1][r+1] ); |
426 | 0 | F( L, R, pExpandedKey->roundKey[1][r ] ); |
427 | 0 | } |
428 | | |
429 | | // |
430 | | // Third: encryption |
431 | | // |
432 | 0 | for( r=0; r<16; r += 2 ) |
433 | 0 | { |
434 | 0 | F( L, R, pExpandedKey->roundKey[2][r ] ); |
435 | 0 | F( R, L, pExpandedKey->roundKey[2][r+1] ); |
436 | 0 | } |
437 | |
|
438 | 0 | R = ROR32(R, 1); |
439 | 0 | Ta = (L ^ R) & 0xaaaaaaaa; |
440 | 0 | R ^= Ta; |
441 | 0 | L ^= Ta; |
442 | |
|
443 | 0 | L = ROR32(L, 9); |
444 | 0 | Ta = (L ^ R) & 0x03fc03fc; |
445 | 0 | R ^= Ta; |
446 | 0 | L ^= Ta; |
447 | |
|
448 | 0 | L = ROR32(L, 22); |
449 | 0 | Ta = (L ^ R) & 0x33333333; |
450 | 0 | R ^= Ta; |
451 | 0 | L ^= Ta; |
452 | |
|
453 | 0 | R = ROR32(R, 14); |
454 | 0 | Ta = (L ^ R) & 0xfff0000f; |
455 | 0 | R ^= Ta; |
456 | 0 | L ^= Ta; |
457 | |
|
458 | 0 | R = ROR32(R, 20); |
459 | 0 | Ta = (L ^ R) & 0xf0f0f0f0; |
460 | 0 | R ^= Ta; |
461 | 0 | L ^= Ta; |
462 | |
|
463 | 0 | L = ROR32(L, 4); |
464 | |
|
465 | 0 | SYMCRYPT_STORE_LSBFIRST32( pbDst, L ); |
466 | 0 | SYMCRYPT_STORE_LSBFIRST32( pbDst + 4, R ); |
467 | 0 | } |
468 | | |
469 | | |
470 | | // |
471 | | // Block decrypt |
472 | | // The noinline stops the compiler from inlining the code and creating additional |
473 | | // implementations which would require separate FIPS selftests. |
474 | | // |
475 | | SYMCRYPT_NOINLINE |
476 | | VOID |
477 | | SYMCRYPT_CALL |
478 | | SymCrypt3DesDecrypt( |
479 | | _In_ PCSYMCRYPT_3DES_EXPANDED_KEY pExpandedKey, |
480 | | _In_reads_( SYMCRYPT_3DES_BLOCK_SIZE ) PCBYTE pbSrc, |
481 | | _Out_writes_( SYMCRYPT_3DES_BLOCK_SIZE ) PBYTE pbDst ) |
482 | 0 | { |
483 | 0 | UINT32 L, R, Ta, Tb; |
484 | 0 | int r; |
485 | |
|
486 | 0 | SYMCRYPT_CHECK_MAGIC( pExpandedKey ); |
487 | |
|
488 | 0 | R = SYMCRYPT_LOAD_LSBFIRST32( pbSrc ); |
489 | 0 | L = SYMCRYPT_LOAD_LSBFIRST32( pbSrc + 4 ); |
490 | |
|
491 | 0 | R = ROL32(R, 4); |
492 | 0 | Ta = (L ^ R) & 0xf0f0f0f0; |
493 | 0 | L ^= Ta; |
494 | 0 | R ^= Ta; |
495 | |
|
496 | 0 | L = ROL32(L, 20); |
497 | 0 | Ta = (L ^ R) & 0xfff0000f; |
498 | 0 | L ^= Ta; |
499 | 0 | R ^= Ta; |
500 | |
|
501 | 0 | L = ROL32(L, 14); |
502 | 0 | Ta = (L ^ R) & 0x33333333; |
503 | 0 | L ^= Ta; |
504 | 0 | R ^= Ta; |
505 | |
|
506 | 0 | R = ROL32(R, 22); |
507 | 0 | Ta = (L ^ R) & 0x03fc03fc; |
508 | 0 | L ^= Ta; |
509 | 0 | R ^= Ta; |
510 | |
|
511 | 0 | R = ROL32(R, 9); |
512 | 0 | Ta = (L ^ R) & 0xaaaaaaaa; |
513 | 0 | L ^= Ta; |
514 | 0 | R ^= Ta; |
515 | |
|
516 | 0 | L = ROL32(L, 1); |
517 | | |
518 | | |
519 | | // Decrypt with key 2 |
520 | 0 | for( r=14; r>=0; r -= 2 ) |
521 | 0 | { |
522 | 0 | F( L, R, pExpandedKey->roundKey[2][r+1] ); |
523 | 0 | F( R, L, pExpandedKey->roundKey[2][r ] ); |
524 | 0 | } |
525 | | |
526 | | // Encrypt with key 1 |
527 | 0 | for( r=0; r<16; r += 2 ) |
528 | 0 | { |
529 | 0 | F( R, L, pExpandedKey->roundKey[1][r ] ); |
530 | 0 | F( L, R, pExpandedKey->roundKey[1][r+1] ); |
531 | 0 | } |
532 | | |
533 | | // Decrypt with key 0 |
534 | 0 | for( r=14; r>=0; r -= 2 ) |
535 | 0 | { |
536 | 0 | F( L, R, pExpandedKey->roundKey[0][r+1] ); |
537 | 0 | F( R, L, pExpandedKey->roundKey[0][r ] ); |
538 | 0 | } |
539 | | |
540 | | /* Inverse permutation, also from Hoey via Outerbridge and Schneier */ |
541 | |
|
542 | 0 | R = ROR32(R, 1); |
543 | 0 | Ta = (L ^ R) & 0xaaaaaaaa; |
544 | 0 | L ^= Ta; |
545 | 0 | R ^= Ta; |
546 | |
|
547 | 0 | L = ROR32(L, 9); |
548 | 0 | Ta = (L ^ R) & 0x03fc03fc; |
549 | 0 | L ^= Ta; |
550 | 0 | R ^= Ta; |
551 | |
|
552 | 0 | L = ROR32(L, 22); |
553 | 0 | Ta = (L ^ R) & 0x33333333; |
554 | 0 | L ^= Ta; |
555 | 0 | R ^= Ta; |
556 | |
|
557 | 0 | R = ROR32(R, 14); |
558 | 0 | Ta = (L ^ R) & 0xfff0000f; |
559 | 0 | L ^= Ta; |
560 | 0 | R ^= Ta; |
561 | |
|
562 | 0 | R = ROR32(R, 20); |
563 | 0 | Ta = (L ^ R) & 0xf0f0f0f0; |
564 | 0 | L ^= Ta; |
565 | 0 | R ^= Ta; |
566 | |
|
567 | 0 | L = ROR32(L, 4); |
568 | |
|
569 | 0 | SYMCRYPT_STORE_LSBFIRST32( pbDst, L ); |
570 | 0 | SYMCRYPT_STORE_LSBFIRST32( pbDst + 4, R ); |
571 | 0 | } |
572 | | |
573 | | |
574 | | |
575 | | VOID |
576 | | SYMCRYPT_CALL |
577 | | SymCryptDesSetOddParity( |
578 | | _Inout_updates_( cbData ) PBYTE pbData, |
579 | | _In_ SIZE_T cbData ) |
580 | | // |
581 | | // For each byte, set bit 0 such that the byte parity is odd. |
582 | | // This function is side-channel safe |
583 | | // |
584 | 0 | { |
585 | 0 | SIZE_T i; |
586 | 0 | BYTE b, t; |
587 | 0 | for( i=0; i<cbData; i++ ) |
588 | 0 | { |
589 | | // We obey the read-once write-once rule |
590 | 0 | b = *pbData; |
591 | |
|
592 | 0 | t = b ^ (b>>4); // parity(b) = parity( t & 0xf ) |
593 | 0 | t ^= t>>2; // = parity( t & 0x3 ) |
594 | 0 | t ^= t>>1; // = parity( t & 0x1 ) |
595 | 0 | *pbData++ = b ^ (t&1) ^ 1; |
596 | 0 | } |
597 | 0 | } |
598 | | |
599 | | |
600 | | // |
601 | | // Test vectors for self test |
602 | | // |
603 | | static const BYTE SP800_67Key[24] = { |
604 | | 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, |
605 | | 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01, |
606 | | 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01, 0x23, |
607 | | }; |
608 | | |
609 | | static const BYTE des3KnownPlaintext[8] = { |
610 | | 0x4E, 0x6F, 0x77, 0x20, 0x69, 0x73, 0x20, 0x74, |
611 | | }; |
612 | | |
613 | | static const BYTE des3KnownCiphertext[8] = { |
614 | | 0x31, 0x4F, 0x83, 0x27, 0xFA, 0x7A, 0x09, 0xA8, |
615 | | }; |
616 | | |
617 | | static const BYTE desKnownCiphertext[8] = { |
618 | | 0x3F, 0xA4, 0x0E, 0x8A, 0x98, 0x4D, 0x48, 0x15, |
619 | | }; |
620 | | |
621 | | |
622 | | VOID |
623 | | SYMCRYPT_CALL |
624 | | SymCryptDesSelftest(void) |
625 | 0 | { |
626 | 0 | BYTE buf[SYMCRYPT_DES_BLOCK_SIZE]; |
627 | 0 | SYMCRYPT_DES_EXPANDED_KEY key; |
628 | |
|
629 | 0 | if( SymCryptDesExpandKey( &key, SP800_67Key, 8 ) != SYMCRYPT_NO_ERROR ) |
630 | 0 | { |
631 | 0 | SymCryptFatal( 'desa' ); |
632 | 0 | } |
633 | |
|
634 | 0 | SymCryptDesEncrypt( &key, des3KnownPlaintext, buf ); |
635 | |
|
636 | 0 | SymCryptInjectError( buf, SYMCRYPT_DES_BLOCK_SIZE ); |
637 | |
|
638 | 0 | if( memcmp( buf, desKnownCiphertext, SYMCRYPT_DES_BLOCK_SIZE ) != 0 ) |
639 | 0 | { |
640 | 0 | SymCryptFatal( 'desb' ); |
641 | 0 | } |
642 | |
|
643 | 0 | SymCryptDesDecrypt( &key, desKnownCiphertext, buf ); |
644 | |
|
645 | 0 | SymCryptInjectError( buf, SYMCRYPT_DES_BLOCK_SIZE ); |
646 | |
|
647 | 0 | if( memcmp( buf, des3KnownPlaintext, SYMCRYPT_DES_BLOCK_SIZE ) != 0 ) |
648 | 0 | { |
649 | 0 | SymCryptFatal( 'desc' ); |
650 | 0 | } |
651 | 0 | } |
652 | | |
653 | | |
654 | | VOID |
655 | | SYMCRYPT_CALL |
656 | | SymCrypt3DesSelftest(void) |
657 | 0 | { |
658 | 0 | BYTE buf[SYMCRYPT_3DES_BLOCK_SIZE]; |
659 | 0 | SYMCRYPT_3DES_EXPANDED_KEY key; |
660 | |
|
661 | 0 | if( SymCrypt3DesExpandKey( &key, SP800_67Key, 24 ) != SYMCRYPT_NO_ERROR ) |
662 | 0 | { |
663 | 0 | SymCryptFatal( 'des3' ); |
664 | 0 | } |
665 | |
|
666 | 0 | SymCrypt3DesEncrypt( &key, des3KnownPlaintext, buf ); |
667 | |
|
668 | 0 | SymCryptInjectError( buf, SYMCRYPT_3DES_BLOCK_SIZE ); |
669 | |
|
670 | 0 | if( memcmp( buf, des3KnownCiphertext, SYMCRYPT_3DES_BLOCK_SIZE ) != 0 ) |
671 | 0 | { |
672 | 0 | SymCryptFatal( 'des4' ); |
673 | 0 | } |
674 | |
|
675 | 0 | SymCrypt3DesDecrypt( &key, des3KnownCiphertext, buf ); |
676 | |
|
677 | 0 | SymCryptInjectError( buf, SYMCRYPT_3DES_BLOCK_SIZE ); |
678 | |
|
679 | 0 | if( memcmp( buf, des3KnownPlaintext, SYMCRYPT_3DES_BLOCK_SIZE ) != 0 ) |
680 | 0 | { |
681 | 0 | SymCryptFatal( 'des5' ); |
682 | 0 | } |
683 | 0 | } |
684 | | |
685 | | |
686 | | |
687 | | |
688 | | |
689 | | #if 0 |
690 | | //////////////////////////////////////////// |
691 | | // Useful tables, kept for future reference. |
692 | | // |
693 | | |
694 | | // Tables defined in the Data Encryption Standard documents |
695 | | // Three of these tables, the initial permutation, the final |
696 | | // permutation and the expansion operator, are regular enough that |
697 | | // for speed, we hard-code them. They're here for reference only. |
698 | | // Also, the S and P boxes are used by a separate program, gensp.c, |
699 | | // to build the combined SP box, Spbox[]. They're also here just |
700 | | // for reference. |
701 | | // |
702 | | // initial permutation IP |
703 | | static unsigned BYTE ip[] = { |
704 | | 58, 50, 42, 34, 26, 18, 10, 2, |
705 | | 60, 52, 44, 36, 28, 20, 12, 4, |
706 | | 62, 54, 46, 38, 30, 22, 14, 6, |
707 | | 64, 56, 48, 40, 32, 24, 16, 8, |
708 | | 57, 49, 41, 33, 25, 17, 9, 1, |
709 | | 59, 51, 43, 35, 27, 19, 11, 3, |
710 | | 61, 53, 45, 37, 29, 21, 13, 5, |
711 | | 63, 55, 47, 39, 31, 23, 15, 7 |
712 | | }; |
713 | | |
714 | | // final permutation IP^-1 |
715 | | static unsigned BYTE fp[] = { |
716 | | 40, 8, 48, 16, 56, 24, 64, 32, |
717 | | 39, 7, 47, 15, 55, 23, 63, 31, |
718 | | 38, 6, 46, 14, 54, 22, 62, 30, |
719 | | 37, 5, 45, 13, 53, 21, 61, 29, |
720 | | 36, 4, 44, 12, 52, 20, 60, 28, |
721 | | 35, 3, 43, 11, 51, 19, 59, 27, |
722 | | 34, 2, 42, 10, 50, 18, 58, 26, |
723 | | 33, 1, 41, 9, 49, 17, 57, 25 |
724 | | }; |
725 | | |
726 | | // expansion operation matrix |
727 | | static unsigned BYTE ei[] = { |
728 | | 32, 1, 2, 3, 4, 5, |
729 | | 4, 5, 6, 7, 8, 9, |
730 | | 8, 9, 10, 11, 12, 13, |
731 | | 12, 13, 14, 15, 16, 17, |
732 | | 16, 17, 18, 19, 20, 21, |
733 | | 20, 21, 22, 23, 24, 25, |
734 | | 24, 25, 26, 27, 28, 29, |
735 | | 28, 29, 30, 31, 32, 1 |
736 | | }; |
737 | | |
738 | | // The (in)famous S-boxes |
739 | | static unsigned BYTE sbox[8][64] = { |
740 | | // S1 |
741 | | 14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7, |
742 | | 0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8, |
743 | | 4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0, |
744 | | 15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13, |
745 | | |
746 | | // S2 |
747 | | 15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10, |
748 | | 3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5, |
749 | | 0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15, |
750 | | 13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9, |
751 | | |
752 | | // S3 |
753 | | 10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8, |
754 | | 13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1, |
755 | | 13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7, |
756 | | 1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12, |
757 | | |
758 | | // S4 |
759 | | 7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15, |
760 | | 13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9, |
761 | | 10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4, |
762 | | 3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14, |
763 | | |
764 | | // S5 |
765 | | 2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9, |
766 | | 14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6, |
767 | | 4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14, |
768 | | 11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3, |
769 | | |
770 | | // S6 |
771 | | 12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11, |
772 | | 10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8, |
773 | | 9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6, |
774 | | 4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13, |
775 | | |
776 | | // S7 |
777 | | 4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1, |
778 | | 13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6, |
779 | | 1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2, |
780 | | 6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12, |
781 | | |
782 | | // S8 |
783 | | 13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7, |
784 | | 1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2, |
785 | | 7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8, |
786 | | 2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11 |
787 | | }; |
788 | | |
789 | | // 32-bit permutation function P used on the output of the S-boxes |
790 | | static unsigned BYTE p32i[] = { |
791 | | 16, 7, 20, 21, |
792 | | 29, 12, 28, 17, |
793 | | 1, 15, 23, 26, |
794 | | 5, 18, 31, 10, |
795 | | 2, 8, 24, 14, |
796 | | 32, 27, 3, 9, |
797 | | 19, 13, 30, 6, |
798 | | 22, 11, 4, 25 |
799 | | }; |
800 | | |
801 | | // permuted choice table (key) |
802 | | static unsigned BYTE pc1[] = { |
803 | | 57, 49, 41, 33, 25, 17, 9, |
804 | | 1, 58, 50, 42, 34, 26, 18, |
805 | | 10, 2, 59, 51, 43, 35, 27, |
806 | | 19, 11, 3, 60, 52, 44, 36, |
807 | | |
808 | | 63, 55, 47, 39, 31, 23, 15, |
809 | | 7, 62, 54, 46, 38, 30, 22, |
810 | | 14, 6, 61, 53, 45, 37, 29, |
811 | | 21, 13, 5, 28, 20, 12, 4 |
812 | | }; |
813 | | |
814 | | // number left rotations of pc1 |
815 | | static unsigned BYTE totrot[] = { |
816 | | 1,2,4,6,8,10,12,14,15,17,19,21,23,25,27,28 |
817 | | }; |
818 | | |
819 | | // permuted choice key (table) |
820 | | static unsigned BYTE pc2[] = { |
821 | | 14, 17, 11, 24, 1, 5, |
822 | | 3, 28, 15, 6, 21, 10, |
823 | | 23, 19, 12, 4, 26, 8, |
824 | | 16, 7, 27, 20, 13, 2, |
825 | | 41, 52, 31, 37, 47, 55, |
826 | | 30, 40, 51, 45, 33, 48, |
827 | | 44, 49, 39, 56, 34, 53, |
828 | | 46, 42, 50, 36, 29, 32 |
829 | | }; |
830 | | |
831 | | #endif |
832 | | |