Coverage Report

Created: 2024-11-21 07:03

/src/libgcrypt/cipher/des.c
Line
Count
Source (jump to first uncovered line)
1
/* des.c - DES and Triple-DES encryption/decryption Algorithm
2
 * Copyright (C) 1998, 1999, 2001, 2002, 2003,
3
 *               2008  Free Software Foundation, Inc.
4
 *
5
 * This file is part of Libgcrypt.
6
 *
7
 * Libgcrypt is free software; you can redistribute it and/or modify
8
 * it under the terms of the GNU Lesser General Public License as
9
 * published by the Free Software Foundation; either version 2.1 of
10
 * the License, or (at your option) any later version.
11
 *
12
 * Libgcrypt is distributed in the hope that it will be useful,
13
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15
 * GNU Lesser General Public License for more details.
16
 *
17
 * You should have received a copy of the GNU Lesser General Public
18
 * License along with this program; if not, see <https://www.gnu.org/licenses/>.
19
 * SPDX-License-Identifier: LGPL-2.1-or-later
20
 *
21
 * For a description of triple encryption, see:
22
 *   Bruce Schneier: Applied Cryptography. Second Edition.
23
 *   John Wiley & Sons, 1996. ISBN 0-471-12845-7. Pages 358 ff.
24
 * This implementation is according to the definition of DES in FIPS
25
 * PUB 46-2 from December 1993.
26
 */
27
28
29
/*
30
 * Written by Michael Roth <mroth@nessie.de>, September 1998
31
 */
32
33
34
/*
35
 *  U S A G E
36
 * ===========
37
 *
38
 * For DES or Triple-DES encryption/decryption you must initialize a proper
39
 * encryption context with a key.
40
 *
41
 * A DES key is 64bit wide but only 56bits of the key are used. The remaining
42
 * bits are parity bits and they will _not_ checked in this implementation, but
43
 * simply ignored.
44
 *
45
 * For Triple-DES you could use either two 64bit keys or three 64bit keys.
46
 * The parity bits will _not_ checked, too.
47
 *
48
 * After initializing a context with a key you could use this context to
49
 * encrypt or decrypt data in 64bit blocks in Electronic Codebook Mode.
50
 *
51
 * (In the examples below the slashes at the beginning and ending of comments
52
 * are omitted.)
53
 *
54
 * DES Example
55
 * -----------
56
 *     unsigned char key[8];
57
 *     unsigned char plaintext[8];
58
 *     unsigned char ciphertext[8];
59
 *     unsigned char recoverd[8];
60
 *     des_ctx context;
61
 *
62
 *     * Fill 'key' and 'plaintext' with some data *
63
 *     ....
64
 *
65
 *     * Set up the DES encryption context *
66
 *     des_setkey(context, key);
67
 *
68
 *     * Encrypt the plaintext *
69
 *     des_ecb_encrypt(context, plaintext, ciphertext);
70
 *
71
 *     * To recover the original plaintext from ciphertext use: *
72
 *     des_ecb_decrypt(context, ciphertext, recoverd);
73
 *
74
 *
75
 * Triple-DES Example
76
 * ------------------
77
 *     unsigned char key1[8];
78
 *     unsigned char key2[8];
79
 *     unsigned char key3[8];
80
 *     unsigned char plaintext[8];
81
 *     unsigned char ciphertext[8];
82
 *     unsigned char recoverd[8];
83
 *     tripledes_ctx context;
84
 *
85
 *     * If you would like to use two 64bit keys, fill 'key1' and'key2'
86
 *   then setup the encryption context: *
87
 *     tripledes_set2keys(context, key1, key2);
88
 *
89
 *     * To use three 64bit keys with Triple-DES use: *
90
 *     tripledes_set3keys(context, key1, key2, key3);
91
 *
92
 *     * Encrypting plaintext with Triple-DES *
93
 *     tripledes_ecb_encrypt(context, plaintext, ciphertext);
94
 *
95
 *     * Decrypting ciphertext to recover the plaintext with Triple-DES *
96
 *     tripledes_ecb_decrypt(context, ciphertext, recoverd);
97
 *
98
 *
99
 * Selftest
100
 * --------
101
 *     char *error_msg;
102
 *
103
 *     * To perform a selftest of this DES/Triple-DES implementation use the
104
 *   function selftest(). It will return an error string if there are
105
 *   some problems with this library. *
106
 *
107
 *     if ( (error_msg = selftest()) )
108
 *     {
109
 *     fprintf(stderr, "An error in the DES/Triple-DES implementation occurred: %s\n", error_msg);
110
 *     abort();
111
 *     }
112
 */
113
114
115
#include <config.h>
116
#include <stdio.h>
117
#include <string.h>        /* memcpy, memcmp */
118
#include "types.h"             /* for byte and u32 typedefs */
119
#include "g10lib.h"
120
#include "cipher.h"
121
#include "bufhelp.h"
122
#include "cipher-internal.h"
123
124
125
0
#define DES_BLOCKSIZE 8
126
127
128
/* USE_AMD64_ASM indicates whether to use AMD64 assembly code. */
129
#undef USE_AMD64_ASM
130
#if defined(__x86_64__) && (defined(HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS) || \
131
    defined(HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS))
132
# define USE_AMD64_ASM 1
133
#endif
134
135
/* Helper macro to force alignment to 16 bytes.  */
136
#ifdef HAVE_GCC_ATTRIBUTE_ALIGNED
137
# define ATTR_ALIGNED_16  __attribute__ ((aligned (16)))
138
#else
139
# define ATTR_ALIGNED_16
140
#endif
141
142
#if defined(__GNUC__) && defined(__GNU_LIBRARY__)
143
334
# define working_memcmp memcmp
144
#else
145
/*
146
 * According to the SunOS man page, memcmp returns indeterminate sign
147
 * depending on whether characters are signed or not.
148
 */
149
static int
150
working_memcmp( const void *_a, const void *_b, size_t n )
151
{
152
    const char *a = _a;
153
    const char *b = _b;
154
    for( ; n; n--, a++, b++ )
155
  if( *a != *b )
156
      return (int)(*(byte*)a) - (int)(*(byte*)b);
157
    return 0;
158
}
159
#endif
160
161
/*
162
 * Encryption/Decryption context of DES
163
 */
164
typedef struct _des_ctx
165
  {
166
    u32 encrypt_subkeys[32];
167
    u32 decrypt_subkeys[32];
168
  }
169
des_ctx[1];
170
171
/*
172
 * Encryption/Decryption context of Triple-DES
173
 */
174
typedef struct _tripledes_ctx
175
  {
176
    u32 encrypt_subkeys[96];
177
    u32 decrypt_subkeys[96];
178
    struct {
179
      int no_weak_key;
180
    } flags;
181
  }
182
tripledes_ctx[1];
183
184
static void des_key_schedule (const byte *, u32 *);
185
static int des_setkey (struct _des_ctx *, const byte *);
186
static int des_ecb_crypt (struct _des_ctx *, const byte *, byte *, int);
187
static int tripledes_set2keys (struct _tripledes_ctx *,
188
                               const byte *, const byte *);
189
static int tripledes_set3keys (struct _tripledes_ctx *,
190
                               const byte *, const byte *, const byte *);
191
static int tripledes_ecb_crypt (struct _tripledes_ctx *,
192
                                const byte *, byte *, int);
193
static int is_weak_key ( const byte *key );
194
static const char *selftest (void);
195
static unsigned int do_tripledes_encrypt(void *context, byte *outbuf,
196
           const byte *inbuf );
197
static unsigned int do_tripledes_decrypt(void *context, byte *outbuf,
198
           const byte *inbuf );
199
static gcry_err_code_t do_tripledes_setkey(void *context, const byte *key,
200
                                           unsigned keylen,
201
                                           cipher_bulk_ops_t *bulk_ops);
202
203
static int initialized;
204
205
206
207
208
/*
209
 * The s-box values are permuted according to the 'primitive function P'
210
 * and are rotated one bit to the left.
211
 */
212
static u32 sbox1[64] =
213
{
214
  0x01010400, 0x00000000, 0x00010000, 0x01010404, 0x01010004, 0x00010404, 0x00000004, 0x00010000,
215
  0x00000400, 0x01010400, 0x01010404, 0x00000400, 0x01000404, 0x01010004, 0x01000000, 0x00000004,
216
  0x00000404, 0x01000400, 0x01000400, 0x00010400, 0x00010400, 0x01010000, 0x01010000, 0x01000404,
217
  0x00010004, 0x01000004, 0x01000004, 0x00010004, 0x00000000, 0x00000404, 0x00010404, 0x01000000,
218
  0x00010000, 0x01010404, 0x00000004, 0x01010000, 0x01010400, 0x01000000, 0x01000000, 0x00000400,
219
  0x01010004, 0x00010000, 0x00010400, 0x01000004, 0x00000400, 0x00000004, 0x01000404, 0x00010404,
220
  0x01010404, 0x00010004, 0x01010000, 0x01000404, 0x01000004, 0x00000404, 0x00010404, 0x01010400,
221
  0x00000404, 0x01000400, 0x01000400, 0x00000000, 0x00010004, 0x00010400, 0x00000000, 0x01010004
222
};
223
224
static u32 sbox2[64] =
225
{
226
  0x80108020, 0x80008000, 0x00008000, 0x00108020, 0x00100000, 0x00000020, 0x80100020, 0x80008020,
227
  0x80000020, 0x80108020, 0x80108000, 0x80000000, 0x80008000, 0x00100000, 0x00000020, 0x80100020,
228
  0x00108000, 0x00100020, 0x80008020, 0x00000000, 0x80000000, 0x00008000, 0x00108020, 0x80100000,
229
  0x00100020, 0x80000020, 0x00000000, 0x00108000, 0x00008020, 0x80108000, 0x80100000, 0x00008020,
230
  0x00000000, 0x00108020, 0x80100020, 0x00100000, 0x80008020, 0x80100000, 0x80108000, 0x00008000,
231
  0x80100000, 0x80008000, 0x00000020, 0x80108020, 0x00108020, 0x00000020, 0x00008000, 0x80000000,
232
  0x00008020, 0x80108000, 0x00100000, 0x80000020, 0x00100020, 0x80008020, 0x80000020, 0x00100020,
233
  0x00108000, 0x00000000, 0x80008000, 0x00008020, 0x80000000, 0x80100020, 0x80108020, 0x00108000
234
};
235
236
static u32 sbox3[64] =
237
{
238
  0x00000208, 0x08020200, 0x00000000, 0x08020008, 0x08000200, 0x00000000, 0x00020208, 0x08000200,
239
  0x00020008, 0x08000008, 0x08000008, 0x00020000, 0x08020208, 0x00020008, 0x08020000, 0x00000208,
240
  0x08000000, 0x00000008, 0x08020200, 0x00000200, 0x00020200, 0x08020000, 0x08020008, 0x00020208,
241
  0x08000208, 0x00020200, 0x00020000, 0x08000208, 0x00000008, 0x08020208, 0x00000200, 0x08000000,
242
  0x08020200, 0x08000000, 0x00020008, 0x00000208, 0x00020000, 0x08020200, 0x08000200, 0x00000000,
243
  0x00000200, 0x00020008, 0x08020208, 0x08000200, 0x08000008, 0x00000200, 0x00000000, 0x08020008,
244
  0x08000208, 0x00020000, 0x08000000, 0x08020208, 0x00000008, 0x00020208, 0x00020200, 0x08000008,
245
  0x08020000, 0x08000208, 0x00000208, 0x08020000, 0x00020208, 0x00000008, 0x08020008, 0x00020200
246
};
247
248
static u32 sbox4[64] =
249
{
250
  0x00802001, 0x00002081, 0x00002081, 0x00000080, 0x00802080, 0x00800081, 0x00800001, 0x00002001,
251
  0x00000000, 0x00802000, 0x00802000, 0x00802081, 0x00000081, 0x00000000, 0x00800080, 0x00800001,
252
  0x00000001, 0x00002000, 0x00800000, 0x00802001, 0x00000080, 0x00800000, 0x00002001, 0x00002080,
253
  0x00800081, 0x00000001, 0x00002080, 0x00800080, 0x00002000, 0x00802080, 0x00802081, 0x00000081,
254
  0x00800080, 0x00800001, 0x00802000, 0x00802081, 0x00000081, 0x00000000, 0x00000000, 0x00802000,
255
  0x00002080, 0x00800080, 0x00800081, 0x00000001, 0x00802001, 0x00002081, 0x00002081, 0x00000080,
256
  0x00802081, 0x00000081, 0x00000001, 0x00002000, 0x00800001, 0x00002001, 0x00802080, 0x00800081,
257
  0x00002001, 0x00002080, 0x00800000, 0x00802001, 0x00000080, 0x00800000, 0x00002000, 0x00802080
258
};
259
260
static u32 sbox5[64] =
261
{
262
  0x00000100, 0x02080100, 0x02080000, 0x42000100, 0x00080000, 0x00000100, 0x40000000, 0x02080000,
263
  0x40080100, 0x00080000, 0x02000100, 0x40080100, 0x42000100, 0x42080000, 0x00080100, 0x40000000,
264
  0x02000000, 0x40080000, 0x40080000, 0x00000000, 0x40000100, 0x42080100, 0x42080100, 0x02000100,
265
  0x42080000, 0x40000100, 0x00000000, 0x42000000, 0x02080100, 0x02000000, 0x42000000, 0x00080100,
266
  0x00080000, 0x42000100, 0x00000100, 0x02000000, 0x40000000, 0x02080000, 0x42000100, 0x40080100,
267
  0x02000100, 0x40000000, 0x42080000, 0x02080100, 0x40080100, 0x00000100, 0x02000000, 0x42080000,
268
  0x42080100, 0x00080100, 0x42000000, 0x42080100, 0x02080000, 0x00000000, 0x40080000, 0x42000000,
269
  0x00080100, 0x02000100, 0x40000100, 0x00080000, 0x00000000, 0x40080000, 0x02080100, 0x40000100
270
};
271
272
static u32 sbox6[64] =
273
{
274
  0x20000010, 0x20400000, 0x00004000, 0x20404010, 0x20400000, 0x00000010, 0x20404010, 0x00400000,
275
  0x20004000, 0x00404010, 0x00400000, 0x20000010, 0x00400010, 0x20004000, 0x20000000, 0x00004010,
276
  0x00000000, 0x00400010, 0x20004010, 0x00004000, 0x00404000, 0x20004010, 0x00000010, 0x20400010,
277
  0x20400010, 0x00000000, 0x00404010, 0x20404000, 0x00004010, 0x00404000, 0x20404000, 0x20000000,
278
  0x20004000, 0x00000010, 0x20400010, 0x00404000, 0x20404010, 0x00400000, 0x00004010, 0x20000010,
279
  0x00400000, 0x20004000, 0x20000000, 0x00004010, 0x20000010, 0x20404010, 0x00404000, 0x20400000,
280
  0x00404010, 0x20404000, 0x00000000, 0x20400010, 0x00000010, 0x00004000, 0x20400000, 0x00404010,
281
  0x00004000, 0x00400010, 0x20004010, 0x00000000, 0x20404000, 0x20000000, 0x00400010, 0x20004010
282
};
283
284
static u32 sbox7[64] =
285
{
286
  0x00200000, 0x04200002, 0x04000802, 0x00000000, 0x00000800, 0x04000802, 0x00200802, 0x04200800,
287
  0x04200802, 0x00200000, 0x00000000, 0x04000002, 0x00000002, 0x04000000, 0x04200002, 0x00000802,
288
  0x04000800, 0x00200802, 0x00200002, 0x04000800, 0x04000002, 0x04200000, 0x04200800, 0x00200002,
289
  0x04200000, 0x00000800, 0x00000802, 0x04200802, 0x00200800, 0x00000002, 0x04000000, 0x00200800,
290
  0x04000000, 0x00200800, 0x00200000, 0x04000802, 0x04000802, 0x04200002, 0x04200002, 0x00000002,
291
  0x00200002, 0x04000000, 0x04000800, 0x00200000, 0x04200800, 0x00000802, 0x00200802, 0x04200800,
292
  0x00000802, 0x04000002, 0x04200802, 0x04200000, 0x00200800, 0x00000000, 0x00000002, 0x04200802,
293
  0x00000000, 0x00200802, 0x04200000, 0x00000800, 0x04000002, 0x04000800, 0x00000800, 0x00200002
294
};
295
296
static u32 sbox8[64] =
297
{
298
  0x10001040, 0x00001000, 0x00040000, 0x10041040, 0x10000000, 0x10001040, 0x00000040, 0x10000000,
299
  0x00040040, 0x10040000, 0x10041040, 0x00041000, 0x10041000, 0x00041040, 0x00001000, 0x00000040,
300
  0x10040000, 0x10000040, 0x10001000, 0x00001040, 0x00041000, 0x00040040, 0x10040040, 0x10041000,
301
  0x00001040, 0x00000000, 0x00000000, 0x10040040, 0x10000040, 0x10001000, 0x00041040, 0x00040000,
302
  0x00041040, 0x00040000, 0x10041000, 0x00001000, 0x00000040, 0x10040040, 0x00001000, 0x00041040,
303
  0x10001000, 0x00000040, 0x10000040, 0x10040000, 0x10040040, 0x10000000, 0x00040000, 0x10001040,
304
  0x00000000, 0x10041040, 0x00040040, 0x10000040, 0x10040000, 0x10001000, 0x10001040, 0x00000000,
305
  0x10041040, 0x00041000, 0x00041000, 0x00001040, 0x00001040, 0x00040040, 0x10000000, 0x10041000
306
};
307
308
309
/*
310
 * These two tables are part of the 'permuted choice 1' function.
311
 * In this implementation several speed improvements are done.
312
 */
313
static u32 leftkey_swap[16] =
314
{
315
  0x00000000, 0x00000001, 0x00000100, 0x00000101,
316
  0x00010000, 0x00010001, 0x00010100, 0x00010101,
317
  0x01000000, 0x01000001, 0x01000100, 0x01000101,
318
  0x01010000, 0x01010001, 0x01010100, 0x01010101
319
};
320
321
static u32 rightkey_swap[16] =
322
{
323
  0x00000000, 0x01000000, 0x00010000, 0x01010000,
324
  0x00000100, 0x01000100, 0x00010100, 0x01010100,
325
  0x00000001, 0x01000001, 0x00010001, 0x01010001,
326
  0x00000101, 0x01000101, 0x00010101, 0x01010101,
327
};
328
329
330
331
/*
332
 * Numbers of left shifts per round for encryption subkeys.
333
 * To calculate the decryption subkeys we just reverse the
334
 * ordering of the calculated encryption subkeys. So their
335
 * is no need for a decryption rotate tab.
336
 */
337
static byte encrypt_rotate_tab[16] =
338
{
339
  1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1
340
};
341
342
343
344
/*
345
 * Table with weak DES keys sorted in ascending order.
346
 * In DES their are 64 known keys which are weak. They are weak
347
 * because they produce only one, two or four different
348
 * subkeys in the subkey scheduling process.
349
 * The keys in this table have all their parity bits cleared.
350
 */
351
static byte weak_keys[64][8] =
352
{
353
  { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, /*w*/
354
  { 0x00, 0x00, 0x1e, 0x1e, 0x00, 0x00, 0x0e, 0x0e },
355
  { 0x00, 0x00, 0xe0, 0xe0, 0x00, 0x00, 0xf0, 0xf0 },
356
  { 0x00, 0x00, 0xfe, 0xfe, 0x00, 0x00, 0xfe, 0xfe },
357
  { 0x00, 0x1e, 0x00, 0x1e, 0x00, 0x0e, 0x00, 0x0e }, /*sw*/
358
  { 0x00, 0x1e, 0x1e, 0x00, 0x00, 0x0e, 0x0e, 0x00 },
359
  { 0x00, 0x1e, 0xe0, 0xfe, 0x00, 0x0e, 0xf0, 0xfe },
360
  { 0x00, 0x1e, 0xfe, 0xe0, 0x00, 0x0e, 0xfe, 0xf0 },
361
  { 0x00, 0xe0, 0x00, 0xe0, 0x00, 0xf0, 0x00, 0xf0 }, /*sw*/
362
  { 0x00, 0xe0, 0x1e, 0xfe, 0x00, 0xf0, 0x0e, 0xfe },
363
  { 0x00, 0xe0, 0xe0, 0x00, 0x00, 0xf0, 0xf0, 0x00 },
364
  { 0x00, 0xe0, 0xfe, 0x1e, 0x00, 0xf0, 0xfe, 0x0e },
365
  { 0x00, 0xfe, 0x00, 0xfe, 0x00, 0xfe, 0x00, 0xfe }, /*sw*/
366
  { 0x00, 0xfe, 0x1e, 0xe0, 0x00, 0xfe, 0x0e, 0xf0 },
367
  { 0x00, 0xfe, 0xe0, 0x1e, 0x00, 0xfe, 0xf0, 0x0e },
368
  { 0x00, 0xfe, 0xfe, 0x00, 0x00, 0xfe, 0xfe, 0x00 },
369
  { 0x1e, 0x00, 0x00, 0x1e, 0x0e, 0x00, 0x00, 0x0e },
370
  { 0x1e, 0x00, 0x1e, 0x00, 0x0e, 0x00, 0x0e, 0x00 }, /*sw*/
371
  { 0x1e, 0x00, 0xe0, 0xfe, 0x0e, 0x00, 0xf0, 0xfe },
372
  { 0x1e, 0x00, 0xfe, 0xe0, 0x0e, 0x00, 0xfe, 0xf0 },
373
  { 0x1e, 0x1e, 0x00, 0x00, 0x0e, 0x0e, 0x00, 0x00 },
374
  { 0x1e, 0x1e, 0x1e, 0x1e, 0x0e, 0x0e, 0x0e, 0x0e }, /*w*/
375
  { 0x1e, 0x1e, 0xe0, 0xe0, 0x0e, 0x0e, 0xf0, 0xf0 },
376
  { 0x1e, 0x1e, 0xfe, 0xfe, 0x0e, 0x0e, 0xfe, 0xfe },
377
  { 0x1e, 0xe0, 0x00, 0xfe, 0x0e, 0xf0, 0x00, 0xfe },
378
  { 0x1e, 0xe0, 0x1e, 0xe0, 0x0e, 0xf0, 0x0e, 0xf0 }, /*sw*/
379
  { 0x1e, 0xe0, 0xe0, 0x1e, 0x0e, 0xf0, 0xf0, 0x0e },
380
  { 0x1e, 0xe0, 0xfe, 0x00, 0x0e, 0xf0, 0xfe, 0x00 },
381
  { 0x1e, 0xfe, 0x00, 0xe0, 0x0e, 0xfe, 0x00, 0xf0 },
382
  { 0x1e, 0xfe, 0x1e, 0xfe, 0x0e, 0xfe, 0x0e, 0xfe }, /*sw*/
383
  { 0x1e, 0xfe, 0xe0, 0x00, 0x0e, 0xfe, 0xf0, 0x00 },
384
  { 0x1e, 0xfe, 0xfe, 0x1e, 0x0e, 0xfe, 0xfe, 0x0e },
385
  { 0xe0, 0x00, 0x00, 0xe0, 0xf0, 0x00, 0x00, 0xf0 },
386
  { 0xe0, 0x00, 0x1e, 0xfe, 0xf0, 0x00, 0x0e, 0xfe },
387
  { 0xe0, 0x00, 0xe0, 0x00, 0xf0, 0x00, 0xf0, 0x00 }, /*sw*/
388
  { 0xe0, 0x00, 0xfe, 0x1e, 0xf0, 0x00, 0xfe, 0x0e },
389
  { 0xe0, 0x1e, 0x00, 0xfe, 0xf0, 0x0e, 0x00, 0xfe },
390
  { 0xe0, 0x1e, 0x1e, 0xe0, 0xf0, 0x0e, 0x0e, 0xf0 },
391
  { 0xe0, 0x1e, 0xe0, 0x1e, 0xf0, 0x0e, 0xf0, 0x0e }, /*sw*/
392
  { 0xe0, 0x1e, 0xfe, 0x00, 0xf0, 0x0e, 0xfe, 0x00 },
393
  { 0xe0, 0xe0, 0x00, 0x00, 0xf0, 0xf0, 0x00, 0x00 },
394
  { 0xe0, 0xe0, 0x1e, 0x1e, 0xf0, 0xf0, 0x0e, 0x0e },
395
  { 0xe0, 0xe0, 0xe0, 0xe0, 0xf0, 0xf0, 0xf0, 0xf0 }, /*w*/
396
  { 0xe0, 0xe0, 0xfe, 0xfe, 0xf0, 0xf0, 0xfe, 0xfe },
397
  { 0xe0, 0xfe, 0x00, 0x1e, 0xf0, 0xfe, 0x00, 0x0e },
398
  { 0xe0, 0xfe, 0x1e, 0x00, 0xf0, 0xfe, 0x0e, 0x00 },
399
  { 0xe0, 0xfe, 0xe0, 0xfe, 0xf0, 0xfe, 0xf0, 0xfe }, /*sw*/
400
  { 0xe0, 0xfe, 0xfe, 0xe0, 0xf0, 0xfe, 0xfe, 0xf0 },
401
  { 0xfe, 0x00, 0x00, 0xfe, 0xfe, 0x00, 0x00, 0xfe },
402
  { 0xfe, 0x00, 0x1e, 0xe0, 0xfe, 0x00, 0x0e, 0xf0 },
403
  { 0xfe, 0x00, 0xe0, 0x1e, 0xfe, 0x00, 0xf0, 0x0e },
404
  { 0xfe, 0x00, 0xfe, 0x00, 0xfe, 0x00, 0xfe, 0x00 }, /*sw*/
405
  { 0xfe, 0x1e, 0x00, 0xe0, 0xfe, 0x0e, 0x00, 0xf0 },
406
  { 0xfe, 0x1e, 0x1e, 0xfe, 0xfe, 0x0e, 0x0e, 0xfe },
407
  { 0xfe, 0x1e, 0xe0, 0x00, 0xfe, 0x0e, 0xf0, 0x00 },
408
  { 0xfe, 0x1e, 0xfe, 0x1e, 0xfe, 0x0e, 0xfe, 0x0e }, /*sw*/
409
  { 0xfe, 0xe0, 0x00, 0x1e, 0xfe, 0xf0, 0x00, 0x0e },
410
  { 0xfe, 0xe0, 0x1e, 0x00, 0xfe, 0xf0, 0x0e, 0x00 },
411
  { 0xfe, 0xe0, 0xe0, 0xfe, 0xfe, 0xf0, 0xf0, 0xfe },
412
  { 0xfe, 0xe0, 0xfe, 0xe0, 0xfe, 0xf0, 0xfe, 0xf0 }, /*sw*/
413
  { 0xfe, 0xfe, 0x00, 0x00, 0xfe, 0xfe, 0x00, 0x00 },
414
  { 0xfe, 0xfe, 0x1e, 0x1e, 0xfe, 0xfe, 0x0e, 0x0e },
415
  { 0xfe, 0xfe, 0xe0, 0xe0, 0xfe, 0xfe, 0xf0, 0xf0 },
416
  { 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe }  /*w*/
417
};
418
static unsigned char weak_keys_chksum[20] = {
419
  0xD0, 0xCF, 0x07, 0x38, 0x93, 0x70, 0x8A, 0x83, 0x7D, 0xD7,
420
  0x8A, 0x36, 0x65, 0x29, 0x6C, 0x1F, 0x7C, 0x3F, 0xD3, 0x41
421
};
422
423
424
425
/*
426
 * Macro to swap bits across two words.
427
 */
428
#define DO_PERMUTATION(a, temp, b, offset, mask)  \
429
2.03k
    temp = ((a>>offset) ^ b) & mask;      \
430
2.03k
    b ^= temp;            \
431
2.03k
    a ^= temp<<offset;
432
433
434
/*
435
 * This performs the 'initial permutation' of the data to be encrypted
436
 * or decrypted. Additionally the resulting two words are rotated one bit
437
 * to the left.
438
 */
439
#define INITIAL_PERMUTATION(left, temp, right)    \
440
194
    DO_PERMUTATION(left, temp, right, 4, 0x0f0f0f0f)  \
441
194
    DO_PERMUTATION(left, temp, right, 16, 0x0000ffff) \
442
194
    DO_PERMUTATION(right, temp, left, 2, 0x33333333)  \
443
194
    DO_PERMUTATION(right, temp, left, 8, 0x00ff00ff)  \
444
194
    right =  (right << 1) | (right >> 31);    \
445
194
    temp  =  (left ^ right) & 0xaaaaaaaa;   \
446
194
    right ^= temp;          \
447
194
    left  ^= temp;          \
448
194
    left  =  (left << 1) | (left >> 31);
449
450
/*
451
 * The 'inverse initial permutation'.
452
 */
453
#define FINAL_PERMUTATION(left, temp, right)    \
454
194
    left  =  (left << 31) | (left >> 1);    \
455
194
    temp  =  (left ^ right) & 0xaaaaaaaa;   \
456
194
    left  ^= temp;          \
457
194
    right ^= temp;          \
458
194
    right  =  (right << 31) | (right >> 1);   \
459
194
    DO_PERMUTATION(right, temp, left, 8, 0x00ff00ff)  \
460
194
    DO_PERMUTATION(right, temp, left, 2, 0x33333333)  \
461
194
    DO_PERMUTATION(left, temp, right, 16, 0x0000ffff) \
462
194
    DO_PERMUTATION(left, temp, right, 4, 0x0f0f0f0f)
463
464
465
/*
466
 * A full DES round including 'expansion function', 'sbox substitution'
467
 * and 'primitive function P' but without swapping the left and right word.
468
 * Please note: The data in 'from' and 'to' is already rotated one bit to
469
 * the left, done in the initial permutation.
470
 */
471
#define DES_ROUND(from, to, work, subkey)   \
472
3.10k
    work = from ^ *subkey++;        \
473
3.10k
    to ^= sbox8[  work      & 0x3f ];     \
474
3.10k
    to ^= sbox6[ (work>>8)  & 0x3f ];     \
475
3.10k
    to ^= sbox4[ (work>>16) & 0x3f ];     \
476
3.10k
    to ^= sbox2[ (work>>24) & 0x3f ];     \
477
3.10k
    work = ((from << 28) | (from >> 4)) ^ *subkey++;  \
478
3.10k
    to ^= sbox7[  work      & 0x3f ];     \
479
3.10k
    to ^= sbox5[ (work>>8)  & 0x3f ];     \
480
3.10k
    to ^= sbox3[ (work>>16) & 0x3f ];     \
481
3.10k
    to ^= sbox1[ (work>>24) & 0x3f ];
482
483
/*
484
 * Macros to convert 8 bytes from/to 32bit words.
485
 */
486
#define READ_64BIT_DATA(data, left, right)           \
487
433
    left = buf_get_be32(data + 0);             \
488
433
    right = buf_get_be32(data + 4);
489
490
#define WRITE_64BIT_DATA(data, left, right)          \
491
194
    buf_put_be32(data + 0, left);            \
492
194
    buf_put_be32(data + 4, right);
493
494
/*
495
 * Handy macros for encryption and decryption of data
496
 */
497
128
#define des_ecb_encrypt(ctx, from, to)        des_ecb_crypt(ctx, from, to, 0)
498
66
#define des_ecb_decrypt(ctx, from, to)        des_ecb_crypt(ctx, from, to, 1)
499
42
#define tripledes_ecb_encrypt(ctx, from, to) tripledes_ecb_crypt(ctx,from,to,0)
500
26
#define tripledes_ecb_decrypt(ctx, from, to) tripledes_ecb_crypt(ctx,from,to,1)
501
502
503
504
505
506
507
/*
508
 * des_key_schedule():    Calculate 16 subkeys pairs (even/odd) for
509
 *        16 encryption rounds.
510
 *        To calculate subkeys for decryption the caller
511
 *        have to reorder the generated subkeys.
512
 *
513
 *    rawkey:     8 Bytes of key data
514
 *    subkey:     Array of at least 32 u32s. Will be filled
515
 *        with calculated subkeys.
516
 *
517
 */
518
static void
519
des_key_schedule (const byte * rawkey, u32 * subkey)
520
239
{
521
239
  u32 left, right, work;
522
239
  int round;
523
524
239
  READ_64BIT_DATA (rawkey, left, right)
525
526
239
  DO_PERMUTATION (right, work, left, 4, 0x0f0f0f0f)
527
239
  DO_PERMUTATION (right, work, left, 0, 0x10101010)
528
529
239
  left = ((leftkey_swap[(left >> 0) & 0xf] << 3)
530
239
          | (leftkey_swap[(left >> 8) & 0xf] << 2)
531
239
          | (leftkey_swap[(left >> 16) & 0xf] << 1)
532
239
          | (leftkey_swap[(left >> 24) & 0xf])
533
239
          | (leftkey_swap[(left >> 5) & 0xf] << 7)
534
239
          | (leftkey_swap[(left >> 13) & 0xf] << 6)
535
239
          | (leftkey_swap[(left >> 21) & 0xf] << 5)
536
239
          | (leftkey_swap[(left >> 29) & 0xf] << 4));
537
538
239
  left &= 0x0fffffff;
539
540
239
  right = ((rightkey_swap[(right >> 1) & 0xf] << 3)
541
239
           | (rightkey_swap[(right >> 9) & 0xf] << 2)
542
239
           | (rightkey_swap[(right >> 17) & 0xf] << 1)
543
239
           | (rightkey_swap[(right >> 25) & 0xf])
544
239
           | (rightkey_swap[(right >> 4) & 0xf] << 7)
545
239
           | (rightkey_swap[(right >> 12) & 0xf] << 6)
546
239
           | (rightkey_swap[(right >> 20) & 0xf] << 5)
547
239
           | (rightkey_swap[(right >> 28) & 0xf] << 4));
548
549
239
  right &= 0x0fffffff;
550
551
4.06k
  for (round = 0; round < 16; ++round)
552
3.82k
    {
553
3.82k
      left = ((left << encrypt_rotate_tab[round])
554
3.82k
              | (left >> (28 - encrypt_rotate_tab[round]))) & 0x0fffffff;
555
3.82k
      right = ((right << encrypt_rotate_tab[round])
556
3.82k
               | (right >> (28 - encrypt_rotate_tab[round]))) & 0x0fffffff;
557
558
3.82k
      *subkey++ = (((left << 4) & 0x24000000)
559
3.82k
                   | ((left << 28) & 0x10000000)
560
3.82k
                   | ((left << 14) & 0x08000000)
561
3.82k
                   | ((left << 18) & 0x02080000)
562
3.82k
                   | ((left << 6) & 0x01000000)
563
3.82k
                   | ((left << 9) & 0x00200000)
564
3.82k
                   | ((left >> 1) & 0x00100000)
565
3.82k
                   | ((left << 10) & 0x00040000)
566
3.82k
                   | ((left << 2) & 0x00020000)
567
3.82k
                   | ((left >> 10) & 0x00010000)
568
3.82k
                   | ((right >> 13) & 0x00002000)
569
3.82k
                   | ((right >> 4) & 0x00001000)
570
3.82k
                   | ((right << 6) & 0x00000800)
571
3.82k
                   | ((right >> 1) & 0x00000400)
572
3.82k
                   | ((right >> 14) & 0x00000200)
573
3.82k
                   | (right & 0x00000100)
574
3.82k
                   | ((right >> 5) & 0x00000020)
575
3.82k
                   | ((right >> 10) & 0x00000010)
576
3.82k
                   | ((right >> 3) & 0x00000008)
577
3.82k
                   | ((right >> 18) & 0x00000004)
578
3.82k
                   | ((right >> 26) & 0x00000002)
579
3.82k
                   | ((right >> 24) & 0x00000001));
580
581
3.82k
      *subkey++ = (((left << 15) & 0x20000000)
582
3.82k
                   | ((left << 17) & 0x10000000)
583
3.82k
                   | ((left << 10) & 0x08000000)
584
3.82k
                   | ((left << 22) & 0x04000000)
585
3.82k
                   | ((left >> 2) & 0x02000000)
586
3.82k
                   | ((left << 1) & 0x01000000)
587
3.82k
                   | ((left << 16) & 0x00200000)
588
3.82k
                   | ((left << 11) & 0x00100000)
589
3.82k
                   | ((left << 3) & 0x00080000)
590
3.82k
                   | ((left >> 6) & 0x00040000)
591
3.82k
                   | ((left << 15) & 0x00020000)
592
3.82k
                   | ((left >> 4) & 0x00010000)
593
3.82k
                   | ((right >> 2) & 0x00002000)
594
3.82k
                   | ((right << 8) & 0x00001000)
595
3.82k
                   | ((right >> 14) & 0x00000808)
596
3.82k
                   | ((right >> 9) & 0x00000400)
597
3.82k
                   | ((right) & 0x00000200)
598
3.82k
                   | ((right << 7) & 0x00000100)
599
3.82k
                   | ((right >> 7) & 0x00000020)
600
3.82k
                   | ((right >> 3) & 0x00000011)
601
3.82k
                   | ((right << 2) & 0x00000004)
602
3.82k
                   | ((right >> 21) & 0x00000002));
603
3.82k
    }
604
239
}
605
606
607
/*
608
 * Fill a DES context with subkeys calculated from a 64bit key.
609
 * Does not check parity bits, but simply ignore them.
610
 * Does not check for weak keys.
611
 */
612
static int
613
des_setkey (struct _des_ctx *ctx, const byte * key)
614
129
{
615
129
  static const char *selftest_failed;
616
129
  int i;
617
618
129
  if (!fips_mode () && !initialized)
619
1
    {
620
1
      initialized = 1;
621
1
      selftest_failed = selftest ();
622
623
1
      if (selftest_failed)
624
0
  log_error ("%s\n", selftest_failed);
625
1
    }
626
129
  if (selftest_failed)
627
0
    return GPG_ERR_SELFTEST_FAILED;
628
629
129
  des_key_schedule (key, ctx->encrypt_subkeys);
630
129
  _gcry_burn_stack (32);
631
632
2.19k
  for(i=0; i<32; i+=2)
633
2.06k
    {
634
2.06k
      ctx->decrypt_subkeys[i] = ctx->encrypt_subkeys[30-i];
635
2.06k
      ctx->decrypt_subkeys[i+1] = ctx->encrypt_subkeys[31-i];
636
2.06k
    }
637
638
129
  return 0;
639
129
}
640
641
642
643
/*
644
 * Electronic Codebook Mode DES encryption/decryption of data according
645
 * to 'mode'.
646
 */
647
static int
648
des_ecb_crypt (struct _des_ctx *ctx, const byte * from, byte * to, int mode)
649
194
{
650
194
  u32 left, right, work;
651
194
  u32 *keys;
652
653
194
  keys = mode ? ctx->decrypt_subkeys : ctx->encrypt_subkeys;
654
655
194
  READ_64BIT_DATA (from, left, right)
656
194
  INITIAL_PERMUTATION (left, work, right)
657
658
194
  DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
659
194
  DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
660
194
  DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
661
194
  DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
662
194
  DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
663
194
  DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
664
194
  DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
665
194
  DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
666
667
194
  FINAL_PERMUTATION (right, work, left)
668
194
  WRITE_64BIT_DATA (to, right, left)
669
670
194
  return 0;
671
194
}
672
673
674
675
/*
676
 * Fill a Triple-DES context with subkeys calculated from two 64bit keys.
677
 * Does not check the parity bits of the keys, but simply ignore them.
678
 * Does not check for weak keys.
679
 */
680
static int
681
tripledes_set2keys (struct _tripledes_ctx *ctx,
682
        const byte * key1,
683
        const byte * key2)
684
16
{
685
16
  int i;
686
687
16
  des_key_schedule (key1, ctx->encrypt_subkeys);
688
16
  des_key_schedule (key2, &(ctx->decrypt_subkeys[32]));
689
16
  _gcry_burn_stack (32);
690
691
272
  for(i=0; i<32; i+=2)
692
256
    {
693
256
      ctx->decrypt_subkeys[i]  = ctx->encrypt_subkeys[30-i];
694
256
      ctx->decrypt_subkeys[i+1]  = ctx->encrypt_subkeys[31-i];
695
696
256
      ctx->encrypt_subkeys[i+32] = ctx->decrypt_subkeys[62-i];
697
256
      ctx->encrypt_subkeys[i+33] = ctx->decrypt_subkeys[63-i];
698
699
256
      ctx->encrypt_subkeys[i+64] = ctx->encrypt_subkeys[i];
700
256
      ctx->encrypt_subkeys[i+65] = ctx->encrypt_subkeys[i+1];
701
702
256
      ctx->decrypt_subkeys[i+64] = ctx->decrypt_subkeys[i];
703
256
      ctx->decrypt_subkeys[i+65] = ctx->decrypt_subkeys[i+1];
704
256
    }
705
706
16
  return 0;
707
16
}
708
709
710
711
/*
712
 * Fill a Triple-DES context with subkeys calculated from three 64bit keys.
713
 * Does not check the parity bits of the keys, but simply ignore them.
714
 * Does not check for weak keys.
715
 */
716
static int
717
tripledes_set3keys (struct _tripledes_ctx *ctx,
718
        const byte * key1,
719
        const byte * key2,
720
        const byte * key3)
721
26
{
722
26
  static const char *selftest_failed;
723
26
  int i;
724
725
26
  if (!fips_mode () && !initialized)
726
0
    {
727
0
      initialized = 1;
728
0
      selftest_failed = selftest ();
729
730
0
      if (selftest_failed)
731
0
  log_error ("%s\n", selftest_failed);
732
0
    }
733
26
  if (selftest_failed)
734
0
    return GPG_ERR_SELFTEST_FAILED;
735
736
26
  des_key_schedule (key1, ctx->encrypt_subkeys);
737
26
  des_key_schedule (key2, &(ctx->decrypt_subkeys[32]));
738
26
  des_key_schedule (key3, &(ctx->encrypt_subkeys[64]));
739
26
  _gcry_burn_stack (32);
740
741
442
  for(i=0; i<32; i+=2)
742
416
    {
743
416
      ctx->decrypt_subkeys[i]  = ctx->encrypt_subkeys[94-i];
744
416
      ctx->decrypt_subkeys[i+1]  = ctx->encrypt_subkeys[95-i];
745
746
416
      ctx->encrypt_subkeys[i+32] = ctx->decrypt_subkeys[62-i];
747
416
      ctx->encrypt_subkeys[i+33] = ctx->decrypt_subkeys[63-i];
748
749
416
      ctx->decrypt_subkeys[i+64] = ctx->encrypt_subkeys[30-i];
750
416
      ctx->decrypt_subkeys[i+65] = ctx->encrypt_subkeys[31-i];
751
416
     }
752
753
26
  return 0;
754
26
}
755
756
757
758
#ifdef USE_AMD64_ASM
759
760
/* Assembly implementation of triple-DES. */
761
extern void _gcry_3des_amd64_crypt_block(const void *keys, byte *out,
762
                                         const byte *in);
763
764
/* These assembly implementations process three blocks in parallel. */
765
extern void _gcry_3des_amd64_ctr_enc(const void *keys, byte *out,
766
                                     const byte *in, byte *ctr);
767
768
extern void _gcry_3des_amd64_cbc_dec(const void *keys, byte *out,
769
                                     const byte *in, byte *iv);
770
771
extern void _gcry_3des_amd64_cfb_dec(const void *keys, byte *out,
772
                                     const byte *in, byte *iv);
773
774
0
#define TRIPLEDES_ECB_BURN_STACK (8 * sizeof(void *))
775
776
777
/*
778
 * Electronic Codebook Mode Triple-DES encryption/decryption of data
779
 * according to 'mode'.  Sometimes this mode is named 'EDE' mode
780
 * (Encryption-Decryption-Encryption).
781
 */
782
static inline int
783
tripledes_ecb_crypt (struct _tripledes_ctx *ctx, const byte * from,
784
                     byte * to, int mode)
785
68
{
786
68
  u32 *keys;
787
788
68
  keys = mode ? ctx->decrypt_subkeys : ctx->encrypt_subkeys;
789
790
68
  _gcry_3des_amd64_crypt_block(keys, to, from);
791
792
68
  return 0;
793
68
}
794
795
static inline void
796
tripledes_amd64_ctr_enc(const void *keys, byte *out, const byte *in, byte *ctr)
797
0
{
798
0
  _gcry_3des_amd64_ctr_enc(keys, out, in, ctr);
799
0
}
800
801
static inline void
802
tripledes_amd64_cbc_dec(const void *keys, byte *out, const byte *in, byte *iv)
803
0
{
804
0
  _gcry_3des_amd64_cbc_dec(keys, out, in, iv);
805
0
}
806
807
static inline void
808
tripledes_amd64_cfb_dec(const void *keys, byte *out, const byte *in, byte *iv)
809
0
{
810
0
  _gcry_3des_amd64_cfb_dec(keys, out, in, iv);
811
0
}
812
813
#else /*USE_AMD64_ASM*/
814
815
#define TRIPLEDES_ECB_BURN_STACK 32
816
817
/*
818
 * Electronic Codebook Mode Triple-DES encryption/decryption of data
819
 * according to 'mode'.  Sometimes this mode is named 'EDE' mode
820
 * (Encryption-Decryption-Encryption).
821
 */
822
static int
823
tripledes_ecb_crypt (struct _tripledes_ctx *ctx, const byte * from,
824
                     byte * to, int mode)
825
{
826
  u32 left, right, work;
827
  u32 *keys;
828
829
  keys = mode ? ctx->decrypt_subkeys : ctx->encrypt_subkeys;
830
831
  READ_64BIT_DATA (from, left, right)
832
  INITIAL_PERMUTATION (left, work, right)
833
834
  DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
835
  DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
836
  DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
837
  DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
838
  DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
839
  DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
840
  DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
841
  DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
842
843
  DES_ROUND (left, right, work, keys) DES_ROUND (right, left, work, keys)
844
  DES_ROUND (left, right, work, keys) DES_ROUND (right, left, work, keys)
845
  DES_ROUND (left, right, work, keys) DES_ROUND (right, left, work, keys)
846
  DES_ROUND (left, right, work, keys) DES_ROUND (right, left, work, keys)
847
  DES_ROUND (left, right, work, keys) DES_ROUND (right, left, work, keys)
848
  DES_ROUND (left, right, work, keys) DES_ROUND (right, left, work, keys)
849
  DES_ROUND (left, right, work, keys) DES_ROUND (right, left, work, keys)
850
  DES_ROUND (left, right, work, keys) DES_ROUND (right, left, work, keys)
851
852
  DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
853
  DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
854
  DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
855
  DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
856
  DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
857
  DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
858
  DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
859
  DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
860
861
  FINAL_PERMUTATION (right, work, left)
862
  WRITE_64BIT_DATA (to, right, left)
863
864
  return 0;
865
}
866
867
#endif /*!USE_AMD64_ASM*/
868
869
870
871
/* Bulk encryption of complete blocks in CTR mode.  This function is only
872
   intended for the bulk encryption feature of cipher.c.  CTR is expected to be
873
   of size DES_BLOCKSIZE. */
874
static void
875
_gcry_3des_ctr_enc(void *context, unsigned char *ctr, void *outbuf_arg,
876
                   const void *inbuf_arg, size_t nblocks)
877
0
{
878
0
  struct _tripledes_ctx *ctx = context;
879
0
  unsigned char *outbuf = outbuf_arg;
880
0
  const unsigned char *inbuf = inbuf_arg;
881
0
  unsigned char tmpbuf[DES_BLOCKSIZE];
882
0
  int burn_stack_depth = TRIPLEDES_ECB_BURN_STACK;
883
884
0
#ifdef USE_AMD64_ASM
885
0
  {
886
0
    int asm_burn_depth = 9 * sizeof(void *);
887
888
0
    if (nblocks >= 3 && burn_stack_depth < asm_burn_depth)
889
0
      burn_stack_depth = asm_burn_depth;
890
891
    /* Process data in 3 block chunks. */
892
0
    while (nblocks >= 3)
893
0
      {
894
0
        tripledes_amd64_ctr_enc(ctx->encrypt_subkeys, outbuf, inbuf, ctr);
895
896
0
        nblocks -= 3;
897
0
        outbuf += 3 * DES_BLOCKSIZE;
898
0
        inbuf  += 3 * DES_BLOCKSIZE;
899
0
      }
900
901
    /* Use generic code to handle smaller chunks... */
902
0
  }
903
0
#endif
904
905
0
  for ( ;nblocks; nblocks-- )
906
0
    {
907
      /* Encrypt the counter. */
908
0
      tripledes_ecb_encrypt (ctx, ctr, tmpbuf);
909
      /* XOR the input with the encrypted counter and store in output.  */
910
0
      cipher_block_xor(outbuf, tmpbuf, inbuf, DES_BLOCKSIZE);
911
0
      outbuf += DES_BLOCKSIZE;
912
0
      inbuf  += DES_BLOCKSIZE;
913
      /* Increment the counter.  */
914
0
      cipher_block_add(ctr, 1, DES_BLOCKSIZE);
915
0
    }
916
917
0
  wipememory(tmpbuf, sizeof(tmpbuf));
918
0
  _gcry_burn_stack(burn_stack_depth);
919
0
}
920
921
922
/* Bulk decryption of complete blocks in CBC mode.  This function is only
923
   intended for the bulk encryption feature of cipher.c. */
924
static void
925
_gcry_3des_cbc_dec(void *context, unsigned char *iv, void *outbuf_arg,
926
                   const void *inbuf_arg, size_t nblocks)
927
0
{
928
0
  struct _tripledes_ctx *ctx = context;
929
0
  unsigned char *outbuf = outbuf_arg;
930
0
  const unsigned char *inbuf = inbuf_arg;
931
0
  unsigned char savebuf[DES_BLOCKSIZE];
932
0
  int burn_stack_depth = TRIPLEDES_ECB_BURN_STACK;
933
934
0
#ifdef USE_AMD64_ASM
935
0
  {
936
0
    int asm_burn_depth = 10 * sizeof(void *);
937
938
0
    if (nblocks >= 3 && burn_stack_depth < asm_burn_depth)
939
0
      burn_stack_depth = asm_burn_depth;
940
941
    /* Process data in 3 block chunks. */
942
0
    while (nblocks >= 3)
943
0
      {
944
0
        tripledes_amd64_cbc_dec(ctx->decrypt_subkeys, outbuf, inbuf, iv);
945
946
0
        nblocks -= 3;
947
0
        outbuf += 3 * DES_BLOCKSIZE;
948
0
        inbuf  += 3 * DES_BLOCKSIZE;
949
0
      }
950
951
    /* Use generic code to handle smaller chunks... */
952
0
  }
953
0
#endif
954
955
0
  for ( ;nblocks; nblocks-- )
956
0
    {
957
      /* INBUF is needed later and it may be identical to OUTBUF, so store
958
         the intermediate result to SAVEBUF.  */
959
0
      tripledes_ecb_decrypt (ctx, inbuf, savebuf);
960
961
0
      cipher_block_xor_n_copy_2(outbuf, savebuf, iv, inbuf, DES_BLOCKSIZE);
962
0
      inbuf += DES_BLOCKSIZE;
963
0
      outbuf += DES_BLOCKSIZE;
964
0
    }
965
966
0
  wipememory(savebuf, sizeof(savebuf));
967
0
  _gcry_burn_stack(burn_stack_depth);
968
0
}
969
970
971
/* Bulk decryption of complete blocks in CFB mode.  This function is only
972
   intended for the bulk encryption feature of cipher.c. */
973
static void
974
_gcry_3des_cfb_dec(void *context, unsigned char *iv, void *outbuf_arg,
975
       const void *inbuf_arg, size_t nblocks)
976
0
{
977
0
  struct _tripledes_ctx *ctx = context;
978
0
  unsigned char *outbuf = outbuf_arg;
979
0
  const unsigned char *inbuf = inbuf_arg;
980
0
  int burn_stack_depth = TRIPLEDES_ECB_BURN_STACK;
981
982
0
#ifdef USE_AMD64_ASM
983
0
  {
984
0
    int asm_burn_depth = 9 * sizeof(void *);
985
986
0
    if (nblocks >= 3 && burn_stack_depth < asm_burn_depth)
987
0
      burn_stack_depth = asm_burn_depth;
988
989
    /* Process data in 3 block chunks. */
990
0
    while (nblocks >= 3)
991
0
      {
992
0
        tripledes_amd64_cfb_dec(ctx->encrypt_subkeys, outbuf, inbuf, iv);
993
994
0
        nblocks -= 3;
995
0
        outbuf += 3 * DES_BLOCKSIZE;
996
0
        inbuf  += 3 * DES_BLOCKSIZE;
997
0
      }
998
999
    /* Use generic code to handle smaller chunks... */
1000
0
  }
1001
0
#endif
1002
1003
0
  for ( ;nblocks; nblocks-- )
1004
0
    {
1005
0
      tripledes_ecb_encrypt (ctx, iv, iv);
1006
0
      cipher_block_xor_n_copy(outbuf, iv, inbuf, DES_BLOCKSIZE);
1007
0
      outbuf += DES_BLOCKSIZE;
1008
0
      inbuf  += DES_BLOCKSIZE;
1009
0
    }
1010
1011
0
  _gcry_burn_stack(burn_stack_depth);
1012
0
}
1013
1014
1015
/*
1016
 * Check whether the 8 byte key is weak.
1017
 * Does not check the parity bits of the key but simple ignore them.
1018
 */
1019
static int
1020
is_weak_key ( const byte *key )
1021
65
{
1022
65
  byte work[8];
1023
65
  int i, left, right, middle, cmp_result;
1024
1025
  /* clear parity bits */
1026
585
  for(i=0; i<8; ++i)
1027
520
     work[i] = key[i] & 0xfe;
1028
1029
  /* binary search in the weak key table */
1030
65
  left = 0;
1031
65
  right = 63;
1032
335
  while(left <= right)
1033
334
    {
1034
334
      middle = (left + right) / 2;
1035
1036
334
      if ( !(cmp_result=working_memcmp(work, weak_keys[middle], 8)) )
1037
64
    return -1;
1038
1039
270
      if ( cmp_result > 0 )
1040
136
    left = middle + 1;
1041
134
      else
1042
134
    right = middle - 1;
1043
270
    }
1044
1045
1
  return 0;
1046
65
}
1047
1048
1049
/*
1050
 * Performs a selftest of this DES/Triple-DES implementation.
1051
 * Returns an string with the error text on failure.
1052
 * Returns NULL if all is ok.
1053
 */
1054
static const char *
1055
selftest (void)
1056
1
{
1057
  /*
1058
   * Check if 'u32' is really 32 bits wide. This DES / 3DES implementation
1059
   * need this.
1060
   */
1061
1
  if (sizeof (u32) != 4)
1062
0
    return "Wrong word size for DES configured.";
1063
1064
  /*
1065
   * DES Maintenance Test
1066
   */
1067
1
  {
1068
1
    int i;
1069
1
    byte key[8] =
1070
1
      {0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55};
1071
1
    byte input[8] =
1072
1
      {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
1073
1
    byte result[8] =
1074
1
      {0x24, 0x6e, 0x9d, 0xb9, 0xc5, 0x50, 0x38, 0x1a};
1075
1
    byte temp1[8], temp2[8], temp3[8];
1076
1
    des_ctx des;
1077
1078
65
    for (i = 0; i < 64; ++i)
1079
64
      {
1080
64
  des_setkey (des, key);
1081
64
  des_ecb_encrypt (des, input, temp1);
1082
64
  des_ecb_encrypt (des, temp1, temp2);
1083
64
  des_setkey (des, temp2);
1084
64
  des_ecb_decrypt (des, temp1, temp3);
1085
64
  memcpy (key, temp3, 8);
1086
64
  memcpy (input, temp1, 8);
1087
64
      }
1088
1
    if (memcmp (temp3, result, 8))
1089
0
      return "DES maintenance test failed.";
1090
1
  }
1091
1092
1093
  /*
1094
   * Self made Triple-DES test  (Does somebody know an official test?)
1095
   */
1096
1
  {
1097
1
    int i;
1098
1
    byte input[8] =
1099
1
      {0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10};
1100
1
    byte key1[8] =
1101
1
      {0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0};
1102
1
    byte key2[8] =
1103
1
      {0x11, 0x22, 0x33, 0x44, 0xff, 0xaa, 0xcc, 0xdd};
1104
1
    byte result[8] =
1105
1
      {0x7b, 0x38, 0x3b, 0x23, 0xa2, 0x7d, 0x26, 0xd3};
1106
1107
1
    tripledes_ctx des3;
1108
1109
17
    for (i = 0; i < 16; ++i)
1110
16
      {
1111
16
  tripledes_set2keys (des3, key1, key2);
1112
16
  tripledes_ecb_encrypt (des3, input, key1);
1113
16
  tripledes_ecb_decrypt (des3, input, key2);
1114
16
  tripledes_set3keys (des3, key1, input, key2);
1115
16
  tripledes_ecb_encrypt (des3, input, input);
1116
16
      }
1117
1
    if (memcmp (input, result, 8))
1118
0
      return "Triple-DES test failed.";
1119
1
  }
1120
1121
  /*
1122
   * More Triple-DES test.  These are testvectors as used by SSLeay,
1123
   * thanks to Jeroen C. van Gelderen.
1124
   */
1125
1
  {
1126
1
    static const struct { byte key[24]; byte plain[8]; byte cipher[8]; }
1127
1
      testdata[] = {
1128
1
      { { 0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,
1129
1
          0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,
1130
1
          0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01  },
1131
1
        { 0x95,0xF8,0xA5,0xE5,0xDD,0x31,0xD9,0x00  },
1132
1
        { 0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00  }
1133
1
      },
1134
1135
1
      { { 0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,
1136
1
          0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,
1137
1
          0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01  },
1138
1
        { 0x9D,0x64,0x55,0x5A,0x9A,0x10,0xB8,0x52, },
1139
1
        { 0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x00  }
1140
1
      },
1141
1
      { { 0x38,0x49,0x67,0x4C,0x26,0x02,0x31,0x9E,
1142
1
          0x38,0x49,0x67,0x4C,0x26,0x02,0x31,0x9E,
1143
1
          0x38,0x49,0x67,0x4C,0x26,0x02,0x31,0x9E  },
1144
1
        { 0x51,0x45,0x4B,0x58,0x2D,0xDF,0x44,0x0A  },
1145
1
        { 0x71,0x78,0x87,0x6E,0x01,0xF1,0x9B,0x2A  }
1146
1
      },
1147
1
      { { 0x04,0xB9,0x15,0xBA,0x43,0xFE,0xB5,0xB6,
1148
1
          0x04,0xB9,0x15,0xBA,0x43,0xFE,0xB5,0xB6,
1149
1
          0x04,0xB9,0x15,0xBA,0x43,0xFE,0xB5,0xB6  },
1150
1
        { 0x42,0xFD,0x44,0x30,0x59,0x57,0x7F,0xA2  },
1151
1
        { 0xAF,0x37,0xFB,0x42,0x1F,0x8C,0x40,0x95  }
1152
1
      },
1153
1
      { { 0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF,
1154
1
          0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF,
1155
1
          0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF  },
1156
1
        { 0x73,0x6F,0x6D,0x65,0x64,0x61,0x74,0x61  },
1157
1
        { 0x3D,0x12,0x4F,0xE2,0x19,0x8B,0xA3,0x18  }
1158
1
      },
1159
1
      { { 0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF,
1160
1
          0x55,0x55,0x55,0x55,0x55,0x55,0x55,0x55,
1161
1
          0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF  },
1162
1
        { 0x73,0x6F,0x6D,0x65,0x64,0x61,0x74,0x61  },
1163
1
        { 0xFB,0xAB,0xA1,0xFF,0x9D,0x05,0xE9,0xB1  }
1164
1
      },
1165
1
      { { 0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF,
1166
1
          0x55,0x55,0x55,0x55,0x55,0x55,0x55,0x55,
1167
1
          0xFE,0xDC,0xBA,0x98,0x76,0x54,0x32,0x10  },
1168
1
        { 0x73,0x6F,0x6D,0x65,0x64,0x61,0x74,0x61  },
1169
1
        { 0x18,0xd7,0x48,0xe5,0x63,0x62,0x05,0x72  }
1170
1
      },
1171
1
      { { 0x03,0x52,0x02,0x07,0x67,0x20,0x82,0x17,
1172
1
          0x86,0x02,0x87,0x66,0x59,0x08,0x21,0x98,
1173
1
          0x64,0x05,0x6A,0xBD,0xFE,0xA9,0x34,0x57  },
1174
1
        { 0x73,0x71,0x75,0x69,0x67,0x67,0x6C,0x65  },
1175
1
        { 0xc0,0x7d,0x2a,0x0f,0xa5,0x66,0xfa,0x30  }
1176
1
      },
1177
1
      { { 0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,
1178
1
          0x80,0x01,0x01,0x01,0x01,0x01,0x01,0x01,
1179
1
          0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x02  },
1180
1
        { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00  },
1181
1
        { 0xe6,0xe6,0xdd,0x5b,0x7e,0x72,0x29,0x74  }
1182
1
      },
1183
1
      { { 0x10,0x46,0x10,0x34,0x89,0x98,0x80,0x20,
1184
1
          0x91,0x07,0xD0,0x15,0x89,0x19,0x01,0x01,
1185
1
          0x19,0x07,0x92,0x10,0x98,0x1A,0x01,0x01  },
1186
1
        { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00  },
1187
1
        { 0xe1,0xef,0x62,0xc3,0x32,0xfe,0x82,0x5b  }
1188
1
      }
1189
1
    };
1190
1191
1
    byte    result[8];
1192
1
    int   i;
1193
1
    tripledes_ctx des3;
1194
1195
11
    for (i=0; i<sizeof(testdata)/sizeof(*testdata); ++i)
1196
10
      {
1197
10
        tripledes_set3keys (des3, testdata[i].key,
1198
10
                            testdata[i].key + 8, testdata[i].key + 16);
1199
1200
10
        tripledes_ecb_encrypt (des3, testdata[i].plain, result);
1201
10
        if (memcmp (testdata[i].cipher, result, 8))
1202
0
          return "Triple-DES SSLeay test failed on encryption.";
1203
1204
10
        tripledes_ecb_decrypt (des3, testdata[i].cipher, result);
1205
10
        if (memcmp (testdata[i].plain, result, 8))
1206
10
          return  "Triple-DES SSLeay test failed on decryption.";;
1207
10
      }
1208
1
  }
1209
1210
  /*
1211
   * Check the weak key detection. We simply assume that the table
1212
   * with weak keys is ok and check every key in the table if it is
1213
   * detected... (This test is a little bit stupid).
1214
   */
1215
1
  {
1216
1
    int i;
1217
1
    unsigned char *p;
1218
1
    gcry_md_hd_t h;
1219
1220
1
    if (_gcry_md_open (&h, GCRY_MD_SHA1, 0))
1221
0
      return "SHA1 not available";
1222
1223
65
    for (i = 0; i < 64; ++i)
1224
64
      _gcry_md_write (h, weak_keys[i], 8);
1225
1
    p = _gcry_md_read (h, GCRY_MD_SHA1);
1226
1
    i = memcmp (p, weak_keys_chksum, 20);
1227
1
    _gcry_md_close (h);
1228
1
    if (i)
1229
0
      return "weak key table defect";
1230
1231
65
    for (i = 0; i < 64; ++i)
1232
64
      if (!is_weak_key(weak_keys[i]))
1233
0
        return "DES weak key detection failed";
1234
1
  }
1235
1236
1
  return 0;
1237
1
}
1238
1239
1240
static gcry_err_code_t
1241
do_tripledes_setkey ( void *context, const byte *key, unsigned keylen,
1242
                      cipher_bulk_ops_t *bulk_ops )
1243
0
{
1244
0
  struct _tripledes_ctx *ctx = (struct _tripledes_ctx *) context;
1245
1246
0
  if( keylen != 24 )
1247
0
    return GPG_ERR_INV_KEYLEN;
1248
1249
  /* Setup bulk encryption routines.  */
1250
0
  memset (bulk_ops, 0, sizeof(*bulk_ops));
1251
0
  bulk_ops->cbc_dec =  _gcry_3des_cbc_dec;
1252
0
  bulk_ops->cfb_dec =  _gcry_3des_cfb_dec;
1253
0
  bulk_ops->ctr_enc =  _gcry_3des_ctr_enc;
1254
1255
0
  tripledes_set3keys ( ctx, key, key+8, key+16);
1256
1257
0
  if (ctx->flags.no_weak_key)
1258
0
    ; /* Detection has been disabled.  */
1259
0
  else if (is_weak_key (key) || is_weak_key (key+8) || is_weak_key (key+16))
1260
0
    {
1261
0
      _gcry_burn_stack (64);
1262
0
      return GPG_ERR_WEAK_KEY;
1263
0
    }
1264
0
  _gcry_burn_stack (64);
1265
1266
0
  return GPG_ERR_NO_ERROR;
1267
0
}
1268
1269
1270
static gcry_err_code_t
1271
do_tripledes_set_extra_info (void *context, int what,
1272
                             const void *buffer, size_t buflen)
1273
0
{
1274
0
  struct _tripledes_ctx *ctx = (struct _tripledes_ctx *)context;
1275
0
  gpg_err_code_t ec = 0;
1276
1277
0
  (void)buffer;
1278
0
  (void)buflen;
1279
1280
0
  switch (what)
1281
0
    {
1282
0
    case CIPHER_INFO_NO_WEAK_KEY:
1283
0
      ctx->flags.no_weak_key = 1;
1284
0
      break;
1285
1286
0
    default:
1287
0
      ec = GPG_ERR_INV_OP;
1288
0
      break;
1289
0
    }
1290
0
  return ec;
1291
0
}
1292
1293
1294
static unsigned int
1295
do_tripledes_encrypt( void *context, byte *outbuf, const byte *inbuf )
1296
0
{
1297
0
  struct _tripledes_ctx *ctx = (struct _tripledes_ctx *) context;
1298
1299
0
  tripledes_ecb_encrypt ( ctx, inbuf, outbuf );
1300
0
  return /*burn_stack*/ TRIPLEDES_ECB_BURN_STACK;
1301
0
}
1302
1303
static unsigned int
1304
do_tripledes_decrypt( void *context, byte *outbuf, const byte *inbuf )
1305
0
{
1306
0
  struct _tripledes_ctx *ctx = (struct _tripledes_ctx *) context;
1307
0
  tripledes_ecb_decrypt ( ctx, inbuf, outbuf );
1308
0
  return /*burn_stack*/ TRIPLEDES_ECB_BURN_STACK;
1309
0
}
1310
1311
static gcry_err_code_t
1312
do_des_setkey (void *context, const byte *key, unsigned keylen,
1313
               cipher_bulk_ops_t *bulk_ops)
1314
1
{
1315
1
  struct _des_ctx *ctx = (struct _des_ctx *) context;
1316
1317
1
  (void)bulk_ops;
1318
1319
1
  if (keylen != 8)
1320
0
    return GPG_ERR_INV_KEYLEN;
1321
1322
1
  des_setkey (ctx, key);
1323
1324
1
  if (is_weak_key (key)) {
1325
0
    _gcry_burn_stack (64);
1326
0
    return GPG_ERR_WEAK_KEY;
1327
0
  }
1328
1
  _gcry_burn_stack (64);
1329
1330
1
  return GPG_ERR_NO_ERROR;
1331
1
}
1332
1333
1334
static unsigned int
1335
do_des_encrypt( void *context, byte *outbuf, const byte *inbuf )
1336
0
{
1337
0
  struct _des_ctx *ctx = (struct _des_ctx *) context;
1338
1339
0
  des_ecb_encrypt ( ctx, inbuf, outbuf );
1340
0
  return /*burn_stack*/ (32);
1341
0
}
1342
1343
static unsigned int
1344
do_des_decrypt( void *context, byte *outbuf, const byte *inbuf )
1345
2
{
1346
2
  struct _des_ctx *ctx = (struct _des_ctx *) context;
1347
1348
2
  des_ecb_decrypt ( ctx, inbuf, outbuf );
1349
2
  return /*burn_stack*/ (32);
1350
2
}
1351
1352
1353
1354

1355
/*
1356
     Self-test section.
1357
 */
1358
1359
1360
/* Selftest for TripleDES.  */
1361
static gpg_err_code_t
1362
selftest_fips (int extended, selftest_report_func_t report)
1363
0
{
1364
0
  const char *what;
1365
0
  const char *errtxt;
1366
1367
0
  (void)extended; /* No extended tests available.  */
1368
1369
0
  what = "low-level";
1370
0
  errtxt = selftest ();
1371
0
  if (errtxt)
1372
0
    goto failed;
1373
1374
  /* The low-level self-tests are quite extensive and thus we can do
1375
     without high level tests.  This is also justified because we have
1376
     no custom block code implementation for 3des but always use the
1377
     standard high level block code.  */
1378
1379
0
  return 0; /* Succeeded. */
1380
1381
0
 failed:
1382
0
  if (report)
1383
0
    report ("cipher", GCRY_CIPHER_3DES, what, errtxt);
1384
0
  return GPG_ERR_SELFTEST_FAILED;
1385
0
}
1386
1387
1388
1389
/* Run a full self-test for ALGO and return 0 on success.  */
1390
static gpg_err_code_t
1391
run_selftests (int algo, int extended, selftest_report_func_t report)
1392
0
{
1393
0
  gpg_err_code_t ec;
1394
1395
0
  switch (algo)
1396
0
    {
1397
0
    case GCRY_CIPHER_3DES:
1398
0
      ec = selftest_fips (extended, report);
1399
0
      break;
1400
0
    default:
1401
0
      ec = GPG_ERR_CIPHER_ALGO;
1402
0
      break;
1403
1404
0
    }
1405
0
  return ec;
1406
0
}
1407
1408
1409

1410
gcry_cipher_spec_t _gcry_cipher_spec_des =
1411
  {
1412
    GCRY_CIPHER_DES, {0, 0},
1413
    "DES", NULL, NULL, 8, 64, sizeof (struct _des_ctx),
1414
    do_des_setkey, do_des_encrypt, do_des_decrypt
1415
  };
1416
1417
static const gcry_cipher_oid_spec_t oids_tripledes[] =
1418
  {
1419
    { "1.2.840.113549.3.7", GCRY_CIPHER_MODE_CBC },
1420
    /* Teletrust specific OID for 3DES. */
1421
    { "1.3.36.3.1.3.2.1",   GCRY_CIPHER_MODE_CBC },
1422
    /* pbeWithSHAAnd3_KeyTripleDES_CBC */
1423
    { "1.2.840.113549.1.12.1.3", GCRY_CIPHER_MODE_CBC },
1424
    { NULL }
1425
  };
1426
1427
gcry_cipher_spec_t _gcry_cipher_spec_tripledes =
1428
  {
1429
    GCRY_CIPHER_3DES, {0, 0},
1430
    "3DES", NULL, oids_tripledes, 8, 192, sizeof (struct _tripledes_ctx),
1431
    do_tripledes_setkey, do_tripledes_encrypt, do_tripledes_decrypt,
1432
    NULL, NULL,
1433
    run_selftests,
1434
    do_tripledes_set_extra_info
1435
  };