/src/libgcrypt/cipher/des.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* des.c - DES and Triple-DES encryption/decryption Algorithm |
2 | | * Copyright (C) 1998, 1999, 2001, 2002, 2003, |
3 | | * 2008 Free Software Foundation, Inc. |
4 | | * |
5 | | * This file is part of Libgcrypt. |
6 | | * |
7 | | * Libgcrypt is free software; you can redistribute it and/or modify |
8 | | * it under the terms of the GNU Lesser general Public License as |
9 | | * published by the Free Software Foundation; either version 2.1 of |
10 | | * the License, or (at your option) any later version. |
11 | | * |
12 | | * Libgcrypt is distributed in the hope that it will be useful, |
13 | | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
14 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
15 | | * GNU Lesser General Public License for more details. |
16 | | * |
17 | | * You should have received a copy of the GNU Lesser General Public |
18 | | * License along with this program; if not, write to the Free Software |
19 | | * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA |
20 | | * |
21 | | * For a description of triple encryption, see: |
22 | | * Bruce Schneier: Applied Cryptography. Second Edition. |
23 | | * John Wiley & Sons, 1996. ISBN 0-471-12845-7. Pages 358 ff. |
24 | | * This implementation is according to the definition of DES in FIPS |
25 | | * PUB 46-2 from December 1993. |
26 | | */ |
27 | | |
28 | | |
29 | | /* |
30 | | * Written by Michael Roth <mroth@nessie.de>, September 1998 |
31 | | */ |
32 | | |
33 | | |
34 | | /* |
35 | | * U S A G E |
36 | | * =========== |
37 | | * |
38 | | * For DES or Triple-DES encryption/decryption you must initialize a proper |
39 | | * encryption context with a key. |
40 | | * |
41 | | * A DES key is 64bit wide but only 56bits of the key are used. The remaining |
42 | | * bits are parity bits and they will _not_ checked in this implementation, but |
43 | | * simply ignored. |
44 | | * |
45 | | * For Triple-DES you could use either two 64bit keys or three 64bit keys. |
46 | | * The parity bits will _not_ checked, too. |
47 | | * |
48 | | * After initializing a context with a key you could use this context to |
49 | | * encrypt or decrypt data in 64bit blocks in Electronic Codebook Mode. |
50 | | * |
51 | | * (In the examples below the slashes at the beginning and ending of comments |
52 | | * are omitted.) |
53 | | * |
54 | | * DES Example |
55 | | * ----------- |
56 | | * unsigned char key[8]; |
57 | | * unsigned char plaintext[8]; |
58 | | * unsigned char ciphertext[8]; |
59 | | * unsigned char recoverd[8]; |
60 | | * des_ctx context; |
61 | | * |
62 | | * * Fill 'key' and 'plaintext' with some data * |
63 | | * .... |
64 | | * |
65 | | * * Set up the DES encryption context * |
66 | | * des_setkey(context, key); |
67 | | * |
68 | | * * Encrypt the plaintext * |
69 | | * des_ecb_encrypt(context, plaintext, ciphertext); |
70 | | * |
71 | | * * To recover the original plaintext from ciphertext use: * |
72 | | * des_ecb_decrypt(context, ciphertext, recoverd); |
73 | | * |
74 | | * |
75 | | * Triple-DES Example |
76 | | * ------------------ |
77 | | * unsigned char key1[8]; |
78 | | * unsigned char key2[8]; |
79 | | * unsigned char key3[8]; |
80 | | * unsigned char plaintext[8]; |
81 | | * unsigned char ciphertext[8]; |
82 | | * unsigned char recoverd[8]; |
83 | | * tripledes_ctx context; |
84 | | * |
85 | | * * If you would like to use two 64bit keys, fill 'key1' and'key2' |
86 | | * then setup the encryption context: * |
87 | | * tripledes_set2keys(context, key1, key2); |
88 | | * |
89 | | * * To use three 64bit keys with Triple-DES use: * |
90 | | * tripledes_set3keys(context, key1, key2, key3); |
91 | | * |
92 | | * * Encrypting plaintext with Triple-DES * |
93 | | * tripledes_ecb_encrypt(context, plaintext, ciphertext); |
94 | | * |
95 | | * * Decrypting ciphertext to recover the plaintext with Triple-DES * |
96 | | * tripledes_ecb_decrypt(context, ciphertext, recoverd); |
97 | | * |
98 | | * |
99 | | * Selftest |
100 | | * -------- |
101 | | * char *error_msg; |
102 | | * |
103 | | * * To perform a selftest of this DES/Triple-DES implementation use the |
104 | | * function selftest(). It will return an error string if there are |
105 | | * some problems with this library. * |
106 | | * |
107 | | * if ( (error_msg = selftest()) ) |
108 | | * { |
109 | | * fprintf(stderr, "An error in the DES/Triple-DES implementation occurred: %s\n", error_msg); |
110 | | * abort(); |
111 | | * } |
112 | | */ |
113 | | |
114 | | |
115 | | #include <config.h> |
116 | | #include <stdio.h> |
117 | | #include <string.h> /* memcpy, memcmp */ |
118 | | #include "types.h" /* for byte and u32 typedefs */ |
119 | | #include "g10lib.h" |
120 | | #include "cipher.h" |
121 | | #include "bufhelp.h" |
122 | | #include "cipher-internal.h" |
123 | | |
124 | | |
125 | 0 | #define DES_BLOCKSIZE 8 |
126 | | |
127 | | |
128 | | /* USE_AMD64_ASM indicates whether to use AMD64 assembly code. */ |
129 | | #undef USE_AMD64_ASM |
130 | | #if defined(__x86_64__) && (defined(HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS) || \ |
131 | | defined(HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS)) |
132 | | # define USE_AMD64_ASM 1 |
133 | | #endif |
134 | | |
135 | | /* Helper macro to force alignment to 16 bytes. */ |
136 | | #ifdef HAVE_GCC_ATTRIBUTE_ALIGNED |
137 | | # define ATTR_ALIGNED_16 __attribute__ ((aligned (16))) |
138 | | #else |
139 | | # define ATTR_ALIGNED_16 |
140 | | #endif |
141 | | |
142 | | #if defined(__GNUC__) && defined(__GNU_LIBRARY__) |
143 | 0 | # define working_memcmp memcmp |
144 | | #else |
145 | | /* |
146 | | * According to the SunOS man page, memcmp returns indeterminate sign |
147 | | * depending on whether characters are signed or not. |
148 | | */ |
149 | | static int |
150 | | working_memcmp( const void *_a, const void *_b, size_t n ) |
151 | | { |
152 | | const char *a = _a; |
153 | | const char *b = _b; |
154 | | for( ; n; n--, a++, b++ ) |
155 | | if( *a != *b ) |
156 | | return (int)(*(byte*)a) - (int)(*(byte*)b); |
157 | | return 0; |
158 | | } |
159 | | #endif |
160 | | |
161 | | /* |
162 | | * Encryption/Decryption context of DES |
163 | | */ |
164 | | typedef struct _des_ctx |
165 | | { |
166 | | u32 encrypt_subkeys[32]; |
167 | | u32 decrypt_subkeys[32]; |
168 | | } |
169 | | des_ctx[1]; |
170 | | |
171 | | /* |
172 | | * Encryption/Decryption context of Triple-DES |
173 | | */ |
174 | | typedef struct _tripledes_ctx |
175 | | { |
176 | | u32 encrypt_subkeys[96]; |
177 | | u32 decrypt_subkeys[96]; |
178 | | struct { |
179 | | int no_weak_key; |
180 | | } flags; |
181 | | } |
182 | | tripledes_ctx[1]; |
183 | | |
184 | | static void des_key_schedule (const byte *, u32 *); |
185 | | static int des_setkey (struct _des_ctx *, const byte *); |
186 | | static int des_ecb_crypt (struct _des_ctx *, const byte *, byte *, int); |
187 | | static int tripledes_set2keys (struct _tripledes_ctx *, |
188 | | const byte *, const byte *); |
189 | | static int tripledes_set3keys (struct _tripledes_ctx *, |
190 | | const byte *, const byte *, const byte *); |
191 | | static int tripledes_ecb_crypt (struct _tripledes_ctx *, |
192 | | const byte *, byte *, int); |
193 | | static int is_weak_key ( const byte *key ); |
194 | | static const char *selftest (void); |
195 | | static unsigned int do_tripledes_encrypt(void *context, byte *outbuf, |
196 | | const byte *inbuf ); |
197 | | static unsigned int do_tripledes_decrypt(void *context, byte *outbuf, |
198 | | const byte *inbuf ); |
199 | | static gcry_err_code_t do_tripledes_setkey(void *context, const byte *key, |
200 | | unsigned keylen, |
201 | | cipher_bulk_ops_t *bulk_ops); |
202 | | |
203 | | static int initialized; |
204 | | |
205 | | |
206 | | |
207 | | |
208 | | /* |
209 | | * The s-box values are permuted according to the 'primitive function P' |
210 | | * and are rotated one bit to the left. |
211 | | */ |
212 | | static u32 sbox1[64] = |
213 | | { |
214 | | 0x01010400, 0x00000000, 0x00010000, 0x01010404, 0x01010004, 0x00010404, 0x00000004, 0x00010000, |
215 | | 0x00000400, 0x01010400, 0x01010404, 0x00000400, 0x01000404, 0x01010004, 0x01000000, 0x00000004, |
216 | | 0x00000404, 0x01000400, 0x01000400, 0x00010400, 0x00010400, 0x01010000, 0x01010000, 0x01000404, |
217 | | 0x00010004, 0x01000004, 0x01000004, 0x00010004, 0x00000000, 0x00000404, 0x00010404, 0x01000000, |
218 | | 0x00010000, 0x01010404, 0x00000004, 0x01010000, 0x01010400, 0x01000000, 0x01000000, 0x00000400, |
219 | | 0x01010004, 0x00010000, 0x00010400, 0x01000004, 0x00000400, 0x00000004, 0x01000404, 0x00010404, |
220 | | 0x01010404, 0x00010004, 0x01010000, 0x01000404, 0x01000004, 0x00000404, 0x00010404, 0x01010400, |
221 | | 0x00000404, 0x01000400, 0x01000400, 0x00000000, 0x00010004, 0x00010400, 0x00000000, 0x01010004 |
222 | | }; |
223 | | |
224 | | static u32 sbox2[64] = |
225 | | { |
226 | | 0x80108020, 0x80008000, 0x00008000, 0x00108020, 0x00100000, 0x00000020, 0x80100020, 0x80008020, |
227 | | 0x80000020, 0x80108020, 0x80108000, 0x80000000, 0x80008000, 0x00100000, 0x00000020, 0x80100020, |
228 | | 0x00108000, 0x00100020, 0x80008020, 0x00000000, 0x80000000, 0x00008000, 0x00108020, 0x80100000, |
229 | | 0x00100020, 0x80000020, 0x00000000, 0x00108000, 0x00008020, 0x80108000, 0x80100000, 0x00008020, |
230 | | 0x00000000, 0x00108020, 0x80100020, 0x00100000, 0x80008020, 0x80100000, 0x80108000, 0x00008000, |
231 | | 0x80100000, 0x80008000, 0x00000020, 0x80108020, 0x00108020, 0x00000020, 0x00008000, 0x80000000, |
232 | | 0x00008020, 0x80108000, 0x00100000, 0x80000020, 0x00100020, 0x80008020, 0x80000020, 0x00100020, |
233 | | 0x00108000, 0x00000000, 0x80008000, 0x00008020, 0x80000000, 0x80100020, 0x80108020, 0x00108000 |
234 | | }; |
235 | | |
236 | | static u32 sbox3[64] = |
237 | | { |
238 | | 0x00000208, 0x08020200, 0x00000000, 0x08020008, 0x08000200, 0x00000000, 0x00020208, 0x08000200, |
239 | | 0x00020008, 0x08000008, 0x08000008, 0x00020000, 0x08020208, 0x00020008, 0x08020000, 0x00000208, |
240 | | 0x08000000, 0x00000008, 0x08020200, 0x00000200, 0x00020200, 0x08020000, 0x08020008, 0x00020208, |
241 | | 0x08000208, 0x00020200, 0x00020000, 0x08000208, 0x00000008, 0x08020208, 0x00000200, 0x08000000, |
242 | | 0x08020200, 0x08000000, 0x00020008, 0x00000208, 0x00020000, 0x08020200, 0x08000200, 0x00000000, |
243 | | 0x00000200, 0x00020008, 0x08020208, 0x08000200, 0x08000008, 0x00000200, 0x00000000, 0x08020008, |
244 | | 0x08000208, 0x00020000, 0x08000000, 0x08020208, 0x00000008, 0x00020208, 0x00020200, 0x08000008, |
245 | | 0x08020000, 0x08000208, 0x00000208, 0x08020000, 0x00020208, 0x00000008, 0x08020008, 0x00020200 |
246 | | }; |
247 | | |
248 | | static u32 sbox4[64] = |
249 | | { |
250 | | 0x00802001, 0x00002081, 0x00002081, 0x00000080, 0x00802080, 0x00800081, 0x00800001, 0x00002001, |
251 | | 0x00000000, 0x00802000, 0x00802000, 0x00802081, 0x00000081, 0x00000000, 0x00800080, 0x00800001, |
252 | | 0x00000001, 0x00002000, 0x00800000, 0x00802001, 0x00000080, 0x00800000, 0x00002001, 0x00002080, |
253 | | 0x00800081, 0x00000001, 0x00002080, 0x00800080, 0x00002000, 0x00802080, 0x00802081, 0x00000081, |
254 | | 0x00800080, 0x00800001, 0x00802000, 0x00802081, 0x00000081, 0x00000000, 0x00000000, 0x00802000, |
255 | | 0x00002080, 0x00800080, 0x00800081, 0x00000001, 0x00802001, 0x00002081, 0x00002081, 0x00000080, |
256 | | 0x00802081, 0x00000081, 0x00000001, 0x00002000, 0x00800001, 0x00002001, 0x00802080, 0x00800081, |
257 | | 0x00002001, 0x00002080, 0x00800000, 0x00802001, 0x00000080, 0x00800000, 0x00002000, 0x00802080 |
258 | | }; |
259 | | |
260 | | static u32 sbox5[64] = |
261 | | { |
262 | | 0x00000100, 0x02080100, 0x02080000, 0x42000100, 0x00080000, 0x00000100, 0x40000000, 0x02080000, |
263 | | 0x40080100, 0x00080000, 0x02000100, 0x40080100, 0x42000100, 0x42080000, 0x00080100, 0x40000000, |
264 | | 0x02000000, 0x40080000, 0x40080000, 0x00000000, 0x40000100, 0x42080100, 0x42080100, 0x02000100, |
265 | | 0x42080000, 0x40000100, 0x00000000, 0x42000000, 0x02080100, 0x02000000, 0x42000000, 0x00080100, |
266 | | 0x00080000, 0x42000100, 0x00000100, 0x02000000, 0x40000000, 0x02080000, 0x42000100, 0x40080100, |
267 | | 0x02000100, 0x40000000, 0x42080000, 0x02080100, 0x40080100, 0x00000100, 0x02000000, 0x42080000, |
268 | | 0x42080100, 0x00080100, 0x42000000, 0x42080100, 0x02080000, 0x00000000, 0x40080000, 0x42000000, |
269 | | 0x00080100, 0x02000100, 0x40000100, 0x00080000, 0x00000000, 0x40080000, 0x02080100, 0x40000100 |
270 | | }; |
271 | | |
272 | | static u32 sbox6[64] = |
273 | | { |
274 | | 0x20000010, 0x20400000, 0x00004000, 0x20404010, 0x20400000, 0x00000010, 0x20404010, 0x00400000, |
275 | | 0x20004000, 0x00404010, 0x00400000, 0x20000010, 0x00400010, 0x20004000, 0x20000000, 0x00004010, |
276 | | 0x00000000, 0x00400010, 0x20004010, 0x00004000, 0x00404000, 0x20004010, 0x00000010, 0x20400010, |
277 | | 0x20400010, 0x00000000, 0x00404010, 0x20404000, 0x00004010, 0x00404000, 0x20404000, 0x20000000, |
278 | | 0x20004000, 0x00000010, 0x20400010, 0x00404000, 0x20404010, 0x00400000, 0x00004010, 0x20000010, |
279 | | 0x00400000, 0x20004000, 0x20000000, 0x00004010, 0x20000010, 0x20404010, 0x00404000, 0x20400000, |
280 | | 0x00404010, 0x20404000, 0x00000000, 0x20400010, 0x00000010, 0x00004000, 0x20400000, 0x00404010, |
281 | | 0x00004000, 0x00400010, 0x20004010, 0x00000000, 0x20404000, 0x20000000, 0x00400010, 0x20004010 |
282 | | }; |
283 | | |
284 | | static u32 sbox7[64] = |
285 | | { |
286 | | 0x00200000, 0x04200002, 0x04000802, 0x00000000, 0x00000800, 0x04000802, 0x00200802, 0x04200800, |
287 | | 0x04200802, 0x00200000, 0x00000000, 0x04000002, 0x00000002, 0x04000000, 0x04200002, 0x00000802, |
288 | | 0x04000800, 0x00200802, 0x00200002, 0x04000800, 0x04000002, 0x04200000, 0x04200800, 0x00200002, |
289 | | 0x04200000, 0x00000800, 0x00000802, 0x04200802, 0x00200800, 0x00000002, 0x04000000, 0x00200800, |
290 | | 0x04000000, 0x00200800, 0x00200000, 0x04000802, 0x04000802, 0x04200002, 0x04200002, 0x00000002, |
291 | | 0x00200002, 0x04000000, 0x04000800, 0x00200000, 0x04200800, 0x00000802, 0x00200802, 0x04200800, |
292 | | 0x00000802, 0x04000002, 0x04200802, 0x04200000, 0x00200800, 0x00000000, 0x00000002, 0x04200802, |
293 | | 0x00000000, 0x00200802, 0x04200000, 0x00000800, 0x04000002, 0x04000800, 0x00000800, 0x00200002 |
294 | | }; |
295 | | |
296 | | static u32 sbox8[64] = |
297 | | { |
298 | | 0x10001040, 0x00001000, 0x00040000, 0x10041040, 0x10000000, 0x10001040, 0x00000040, 0x10000000, |
299 | | 0x00040040, 0x10040000, 0x10041040, 0x00041000, 0x10041000, 0x00041040, 0x00001000, 0x00000040, |
300 | | 0x10040000, 0x10000040, 0x10001000, 0x00001040, 0x00041000, 0x00040040, 0x10040040, 0x10041000, |
301 | | 0x00001040, 0x00000000, 0x00000000, 0x10040040, 0x10000040, 0x10001000, 0x00041040, 0x00040000, |
302 | | 0x00041040, 0x00040000, 0x10041000, 0x00001000, 0x00000040, 0x10040040, 0x00001000, 0x00041040, |
303 | | 0x10001000, 0x00000040, 0x10000040, 0x10040000, 0x10040040, 0x10000000, 0x00040000, 0x10001040, |
304 | | 0x00000000, 0x10041040, 0x00040040, 0x10000040, 0x10040000, 0x10001000, 0x10001040, 0x00000000, |
305 | | 0x10041040, 0x00041000, 0x00041000, 0x00001040, 0x00001040, 0x00040040, 0x10000000, 0x10041000 |
306 | | }; |
307 | | |
308 | | |
309 | | /* |
310 | | * These two tables are part of the 'permuted choice 1' function. |
311 | | * In this implementation several speed improvements are done. |
312 | | */ |
313 | | static u32 leftkey_swap[16] = |
314 | | { |
315 | | 0x00000000, 0x00000001, 0x00000100, 0x00000101, |
316 | | 0x00010000, 0x00010001, 0x00010100, 0x00010101, |
317 | | 0x01000000, 0x01000001, 0x01000100, 0x01000101, |
318 | | 0x01010000, 0x01010001, 0x01010100, 0x01010101 |
319 | | }; |
320 | | |
321 | | static u32 rightkey_swap[16] = |
322 | | { |
323 | | 0x00000000, 0x01000000, 0x00010000, 0x01010000, |
324 | | 0x00000100, 0x01000100, 0x00010100, 0x01010100, |
325 | | 0x00000001, 0x01000001, 0x00010001, 0x01010001, |
326 | | 0x00000101, 0x01000101, 0x00010101, 0x01010101, |
327 | | }; |
328 | | |
329 | | |
330 | | |
331 | | /* |
332 | | * Numbers of left shifts per round for encryption subkeys. |
333 | | * To calculate the decryption subkeys we just reverse the |
334 | | * ordering of the calculated encryption subkeys. So their |
335 | | * is no need for a decryption rotate tab. |
336 | | */ |
337 | | static byte encrypt_rotate_tab[16] = |
338 | | { |
339 | | 1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1 |
340 | | }; |
341 | | |
342 | | |
343 | | |
344 | | /* |
345 | | * Table with weak DES keys sorted in ascending order. |
346 | | * In DES their are 64 known keys which are weak. They are weak |
347 | | * because they produce only one, two or four different |
348 | | * subkeys in the subkey scheduling process. |
349 | | * The keys in this table have all their parity bits cleared. |
350 | | */ |
351 | | static byte weak_keys[64][8] = |
352 | | { |
353 | | { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, /*w*/ |
354 | | { 0x00, 0x00, 0x1e, 0x1e, 0x00, 0x00, 0x0e, 0x0e }, |
355 | | { 0x00, 0x00, 0xe0, 0xe0, 0x00, 0x00, 0xf0, 0xf0 }, |
356 | | { 0x00, 0x00, 0xfe, 0xfe, 0x00, 0x00, 0xfe, 0xfe }, |
357 | | { 0x00, 0x1e, 0x00, 0x1e, 0x00, 0x0e, 0x00, 0x0e }, /*sw*/ |
358 | | { 0x00, 0x1e, 0x1e, 0x00, 0x00, 0x0e, 0x0e, 0x00 }, |
359 | | { 0x00, 0x1e, 0xe0, 0xfe, 0x00, 0x0e, 0xf0, 0xfe }, |
360 | | { 0x00, 0x1e, 0xfe, 0xe0, 0x00, 0x0e, 0xfe, 0xf0 }, |
361 | | { 0x00, 0xe0, 0x00, 0xe0, 0x00, 0xf0, 0x00, 0xf0 }, /*sw*/ |
362 | | { 0x00, 0xe0, 0x1e, 0xfe, 0x00, 0xf0, 0x0e, 0xfe }, |
363 | | { 0x00, 0xe0, 0xe0, 0x00, 0x00, 0xf0, 0xf0, 0x00 }, |
364 | | { 0x00, 0xe0, 0xfe, 0x1e, 0x00, 0xf0, 0xfe, 0x0e }, |
365 | | { 0x00, 0xfe, 0x00, 0xfe, 0x00, 0xfe, 0x00, 0xfe }, /*sw*/ |
366 | | { 0x00, 0xfe, 0x1e, 0xe0, 0x00, 0xfe, 0x0e, 0xf0 }, |
367 | | { 0x00, 0xfe, 0xe0, 0x1e, 0x00, 0xfe, 0xf0, 0x0e }, |
368 | | { 0x00, 0xfe, 0xfe, 0x00, 0x00, 0xfe, 0xfe, 0x00 }, |
369 | | { 0x1e, 0x00, 0x00, 0x1e, 0x0e, 0x00, 0x00, 0x0e }, |
370 | | { 0x1e, 0x00, 0x1e, 0x00, 0x0e, 0x00, 0x0e, 0x00 }, /*sw*/ |
371 | | { 0x1e, 0x00, 0xe0, 0xfe, 0x0e, 0x00, 0xf0, 0xfe }, |
372 | | { 0x1e, 0x00, 0xfe, 0xe0, 0x0e, 0x00, 0xfe, 0xf0 }, |
373 | | { 0x1e, 0x1e, 0x00, 0x00, 0x0e, 0x0e, 0x00, 0x00 }, |
374 | | { 0x1e, 0x1e, 0x1e, 0x1e, 0x0e, 0x0e, 0x0e, 0x0e }, /*w*/ |
375 | | { 0x1e, 0x1e, 0xe0, 0xe0, 0x0e, 0x0e, 0xf0, 0xf0 }, |
376 | | { 0x1e, 0x1e, 0xfe, 0xfe, 0x0e, 0x0e, 0xfe, 0xfe }, |
377 | | { 0x1e, 0xe0, 0x00, 0xfe, 0x0e, 0xf0, 0x00, 0xfe }, |
378 | | { 0x1e, 0xe0, 0x1e, 0xe0, 0x0e, 0xf0, 0x0e, 0xf0 }, /*sw*/ |
379 | | { 0x1e, 0xe0, 0xe0, 0x1e, 0x0e, 0xf0, 0xf0, 0x0e }, |
380 | | { 0x1e, 0xe0, 0xfe, 0x00, 0x0e, 0xf0, 0xfe, 0x00 }, |
381 | | { 0x1e, 0xfe, 0x00, 0xe0, 0x0e, 0xfe, 0x00, 0xf0 }, |
382 | | { 0x1e, 0xfe, 0x1e, 0xfe, 0x0e, 0xfe, 0x0e, 0xfe }, /*sw*/ |
383 | | { 0x1e, 0xfe, 0xe0, 0x00, 0x0e, 0xfe, 0xf0, 0x00 }, |
384 | | { 0x1e, 0xfe, 0xfe, 0x1e, 0x0e, 0xfe, 0xfe, 0x0e }, |
385 | | { 0xe0, 0x00, 0x00, 0xe0, 0xf0, 0x00, 0x00, 0xf0 }, |
386 | | { 0xe0, 0x00, 0x1e, 0xfe, 0xf0, 0x00, 0x0e, 0xfe }, |
387 | | { 0xe0, 0x00, 0xe0, 0x00, 0xf0, 0x00, 0xf0, 0x00 }, /*sw*/ |
388 | | { 0xe0, 0x00, 0xfe, 0x1e, 0xf0, 0x00, 0xfe, 0x0e }, |
389 | | { 0xe0, 0x1e, 0x00, 0xfe, 0xf0, 0x0e, 0x00, 0xfe }, |
390 | | { 0xe0, 0x1e, 0x1e, 0xe0, 0xf0, 0x0e, 0x0e, 0xf0 }, |
391 | | { 0xe0, 0x1e, 0xe0, 0x1e, 0xf0, 0x0e, 0xf0, 0x0e }, /*sw*/ |
392 | | { 0xe0, 0x1e, 0xfe, 0x00, 0xf0, 0x0e, 0xfe, 0x00 }, |
393 | | { 0xe0, 0xe0, 0x00, 0x00, 0xf0, 0xf0, 0x00, 0x00 }, |
394 | | { 0xe0, 0xe0, 0x1e, 0x1e, 0xf0, 0xf0, 0x0e, 0x0e }, |
395 | | { 0xe0, 0xe0, 0xe0, 0xe0, 0xf0, 0xf0, 0xf0, 0xf0 }, /*w*/ |
396 | | { 0xe0, 0xe0, 0xfe, 0xfe, 0xf0, 0xf0, 0xfe, 0xfe }, |
397 | | { 0xe0, 0xfe, 0x00, 0x1e, 0xf0, 0xfe, 0x00, 0x0e }, |
398 | | { 0xe0, 0xfe, 0x1e, 0x00, 0xf0, 0xfe, 0x0e, 0x00 }, |
399 | | { 0xe0, 0xfe, 0xe0, 0xfe, 0xf0, 0xfe, 0xf0, 0xfe }, /*sw*/ |
400 | | { 0xe0, 0xfe, 0xfe, 0xe0, 0xf0, 0xfe, 0xfe, 0xf0 }, |
401 | | { 0xfe, 0x00, 0x00, 0xfe, 0xfe, 0x00, 0x00, 0xfe }, |
402 | | { 0xfe, 0x00, 0x1e, 0xe0, 0xfe, 0x00, 0x0e, 0xf0 }, |
403 | | { 0xfe, 0x00, 0xe0, 0x1e, 0xfe, 0x00, 0xf0, 0x0e }, |
404 | | { 0xfe, 0x00, 0xfe, 0x00, 0xfe, 0x00, 0xfe, 0x00 }, /*sw*/ |
405 | | { 0xfe, 0x1e, 0x00, 0xe0, 0xfe, 0x0e, 0x00, 0xf0 }, |
406 | | { 0xfe, 0x1e, 0x1e, 0xfe, 0xfe, 0x0e, 0x0e, 0xfe }, |
407 | | { 0xfe, 0x1e, 0xe0, 0x00, 0xfe, 0x0e, 0xf0, 0x00 }, |
408 | | { 0xfe, 0x1e, 0xfe, 0x1e, 0xfe, 0x0e, 0xfe, 0x0e }, /*sw*/ |
409 | | { 0xfe, 0xe0, 0x00, 0x1e, 0xfe, 0xf0, 0x00, 0x0e }, |
410 | | { 0xfe, 0xe0, 0x1e, 0x00, 0xfe, 0xf0, 0x0e, 0x00 }, |
411 | | { 0xfe, 0xe0, 0xe0, 0xfe, 0xfe, 0xf0, 0xf0, 0xfe }, |
412 | | { 0xfe, 0xe0, 0xfe, 0xe0, 0xfe, 0xf0, 0xfe, 0xf0 }, /*sw*/ |
413 | | { 0xfe, 0xfe, 0x00, 0x00, 0xfe, 0xfe, 0x00, 0x00 }, |
414 | | { 0xfe, 0xfe, 0x1e, 0x1e, 0xfe, 0xfe, 0x0e, 0x0e }, |
415 | | { 0xfe, 0xfe, 0xe0, 0xe0, 0xfe, 0xfe, 0xf0, 0xf0 }, |
416 | | { 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe } /*w*/ |
417 | | }; |
418 | | static unsigned char weak_keys_chksum[20] = { |
419 | | 0xD0, 0xCF, 0x07, 0x38, 0x93, 0x70, 0x8A, 0x83, 0x7D, 0xD7, |
420 | | 0x8A, 0x36, 0x65, 0x29, 0x6C, 0x1F, 0x7C, 0x3F, 0xD3, 0x41 |
421 | | }; |
422 | | |
423 | | |
424 | | |
425 | | /* |
426 | | * Macro to swap bits across two words. |
427 | | */ |
428 | | #define DO_PERMUTATION(a, temp, b, offset, mask) \ |
429 | 0 | temp = ((a>>offset) ^ b) & mask; \ |
430 | 0 | b ^= temp; \ |
431 | 0 | a ^= temp<<offset; |
432 | | |
433 | | |
434 | | /* |
435 | | * This performs the 'initial permutation' of the data to be encrypted |
436 | | * or decrypted. Additionally the resulting two words are rotated one bit |
437 | | * to the left. |
438 | | */ |
439 | | #define INITIAL_PERMUTATION(left, temp, right) \ |
440 | 0 | DO_PERMUTATION(left, temp, right, 4, 0x0f0f0f0f) \ |
441 | 0 | DO_PERMUTATION(left, temp, right, 16, 0x0000ffff) \ |
442 | 0 | DO_PERMUTATION(right, temp, left, 2, 0x33333333) \ |
443 | 0 | DO_PERMUTATION(right, temp, left, 8, 0x00ff00ff) \ |
444 | 0 | right = (right << 1) | (right >> 31); \ |
445 | 0 | temp = (left ^ right) & 0xaaaaaaaa; \ |
446 | 0 | right ^= temp; \ |
447 | 0 | left ^= temp; \ |
448 | 0 | left = (left << 1) | (left >> 31); |
449 | | |
450 | | /* |
451 | | * The 'inverse initial permutation'. |
452 | | */ |
453 | | #define FINAL_PERMUTATION(left, temp, right) \ |
454 | 0 | left = (left << 31) | (left >> 1); \ |
455 | 0 | temp = (left ^ right) & 0xaaaaaaaa; \ |
456 | 0 | left ^= temp; \ |
457 | 0 | right ^= temp; \ |
458 | 0 | right = (right << 31) | (right >> 1); \ |
459 | 0 | DO_PERMUTATION(right, temp, left, 8, 0x00ff00ff) \ |
460 | 0 | DO_PERMUTATION(right, temp, left, 2, 0x33333333) \ |
461 | 0 | DO_PERMUTATION(left, temp, right, 16, 0x0000ffff) \ |
462 | 0 | DO_PERMUTATION(left, temp, right, 4, 0x0f0f0f0f) |
463 | | |
464 | | |
465 | | /* |
466 | | * A full DES round including 'expansion function', 'sbox substitution' |
467 | | * and 'primitive function P' but without swapping the left and right word. |
468 | | * Please note: The data in 'from' and 'to' is already rotated one bit to |
469 | | * the left, done in the initial permutation. |
470 | | */ |
471 | | #define DES_ROUND(from, to, work, subkey) \ |
472 | 0 | work = from ^ *subkey++; \ |
473 | 0 | to ^= sbox8[ work & 0x3f ]; \ |
474 | 0 | to ^= sbox6[ (work>>8) & 0x3f ]; \ |
475 | 0 | to ^= sbox4[ (work>>16) & 0x3f ]; \ |
476 | 0 | to ^= sbox2[ (work>>24) & 0x3f ]; \ |
477 | 0 | work = ((from << 28) | (from >> 4)) ^ *subkey++; \ |
478 | 0 | to ^= sbox7[ work & 0x3f ]; \ |
479 | 0 | to ^= sbox5[ (work>>8) & 0x3f ]; \ |
480 | 0 | to ^= sbox3[ (work>>16) & 0x3f ]; \ |
481 | 0 | to ^= sbox1[ (work>>24) & 0x3f ]; |
482 | | |
483 | | /* |
484 | | * Macros to convert 8 bytes from/to 32bit words. |
485 | | */ |
486 | | #define READ_64BIT_DATA(data, left, right) \ |
487 | 0 | left = buf_get_be32(data + 0); \ |
488 | 0 | right = buf_get_be32(data + 4); |
489 | | |
490 | | #define WRITE_64BIT_DATA(data, left, right) \ |
491 | 0 | buf_put_be32(data + 0, left); \ |
492 | 0 | buf_put_be32(data + 4, right); |
493 | | |
494 | | /* |
495 | | * Handy macros for encryption and decryption of data |
496 | | */ |
497 | 0 | #define des_ecb_encrypt(ctx, from, to) des_ecb_crypt(ctx, from, to, 0) |
498 | 0 | #define des_ecb_decrypt(ctx, from, to) des_ecb_crypt(ctx, from, to, 1) |
499 | 0 | #define tripledes_ecb_encrypt(ctx, from, to) tripledes_ecb_crypt(ctx,from,to,0) |
500 | 0 | #define tripledes_ecb_decrypt(ctx, from, to) tripledes_ecb_crypt(ctx,from,to,1) |
501 | | |
502 | | |
503 | | |
504 | | |
505 | | |
506 | | |
507 | | /* |
508 | | * des_key_schedule(): Calculate 16 subkeys pairs (even/odd) for |
509 | | * 16 encryption rounds. |
510 | | * To calculate subkeys for decryption the caller |
511 | | * have to reorder the generated subkeys. |
512 | | * |
513 | | * rawkey: 8 Bytes of key data |
514 | | * subkey: Array of at least 32 u32s. Will be filled |
515 | | * with calculated subkeys. |
516 | | * |
517 | | */ |
518 | | static void |
519 | | des_key_schedule (const byte * rawkey, u32 * subkey) |
520 | 0 | { |
521 | 0 | u32 left, right, work; |
522 | 0 | int round; |
523 | |
|
524 | 0 | READ_64BIT_DATA (rawkey, left, right) |
525 | |
|
526 | 0 | DO_PERMUTATION (right, work, left, 4, 0x0f0f0f0f) |
527 | 0 | DO_PERMUTATION (right, work, left, 0, 0x10101010) |
528 | |
|
529 | 0 | left = ((leftkey_swap[(left >> 0) & 0xf] << 3) |
530 | 0 | | (leftkey_swap[(left >> 8) & 0xf] << 2) |
531 | 0 | | (leftkey_swap[(left >> 16) & 0xf] << 1) |
532 | 0 | | (leftkey_swap[(left >> 24) & 0xf]) |
533 | 0 | | (leftkey_swap[(left >> 5) & 0xf] << 7) |
534 | 0 | | (leftkey_swap[(left >> 13) & 0xf] << 6) |
535 | 0 | | (leftkey_swap[(left >> 21) & 0xf] << 5) |
536 | 0 | | (leftkey_swap[(left >> 29) & 0xf] << 4)); |
537 | |
|
538 | 0 | left &= 0x0fffffff; |
539 | |
|
540 | 0 | right = ((rightkey_swap[(right >> 1) & 0xf] << 3) |
541 | 0 | | (rightkey_swap[(right >> 9) & 0xf] << 2) |
542 | 0 | | (rightkey_swap[(right >> 17) & 0xf] << 1) |
543 | 0 | | (rightkey_swap[(right >> 25) & 0xf]) |
544 | 0 | | (rightkey_swap[(right >> 4) & 0xf] << 7) |
545 | 0 | | (rightkey_swap[(right >> 12) & 0xf] << 6) |
546 | 0 | | (rightkey_swap[(right >> 20) & 0xf] << 5) |
547 | 0 | | (rightkey_swap[(right >> 28) & 0xf] << 4)); |
548 | |
|
549 | 0 | right &= 0x0fffffff; |
550 | |
|
551 | 0 | for (round = 0; round < 16; ++round) |
552 | 0 | { |
553 | 0 | left = ((left << encrypt_rotate_tab[round]) |
554 | 0 | | (left >> (28 - encrypt_rotate_tab[round]))) & 0x0fffffff; |
555 | 0 | right = ((right << encrypt_rotate_tab[round]) |
556 | 0 | | (right >> (28 - encrypt_rotate_tab[round]))) & 0x0fffffff; |
557 | |
|
558 | 0 | *subkey++ = (((left << 4) & 0x24000000) |
559 | 0 | | ((left << 28) & 0x10000000) |
560 | 0 | | ((left << 14) & 0x08000000) |
561 | 0 | | ((left << 18) & 0x02080000) |
562 | 0 | | ((left << 6) & 0x01000000) |
563 | 0 | | ((left << 9) & 0x00200000) |
564 | 0 | | ((left >> 1) & 0x00100000) |
565 | 0 | | ((left << 10) & 0x00040000) |
566 | 0 | | ((left << 2) & 0x00020000) |
567 | 0 | | ((left >> 10) & 0x00010000) |
568 | 0 | | ((right >> 13) & 0x00002000) |
569 | 0 | | ((right >> 4) & 0x00001000) |
570 | 0 | | ((right << 6) & 0x00000800) |
571 | 0 | | ((right >> 1) & 0x00000400) |
572 | 0 | | ((right >> 14) & 0x00000200) |
573 | 0 | | (right & 0x00000100) |
574 | 0 | | ((right >> 5) & 0x00000020) |
575 | 0 | | ((right >> 10) & 0x00000010) |
576 | 0 | | ((right >> 3) & 0x00000008) |
577 | 0 | | ((right >> 18) & 0x00000004) |
578 | 0 | | ((right >> 26) & 0x00000002) |
579 | 0 | | ((right >> 24) & 0x00000001)); |
580 | |
|
581 | 0 | *subkey++ = (((left << 15) & 0x20000000) |
582 | 0 | | ((left << 17) & 0x10000000) |
583 | 0 | | ((left << 10) & 0x08000000) |
584 | 0 | | ((left << 22) & 0x04000000) |
585 | 0 | | ((left >> 2) & 0x02000000) |
586 | 0 | | ((left << 1) & 0x01000000) |
587 | 0 | | ((left << 16) & 0x00200000) |
588 | 0 | | ((left << 11) & 0x00100000) |
589 | 0 | | ((left << 3) & 0x00080000) |
590 | 0 | | ((left >> 6) & 0x00040000) |
591 | 0 | | ((left << 15) & 0x00020000) |
592 | 0 | | ((left >> 4) & 0x00010000) |
593 | 0 | | ((right >> 2) & 0x00002000) |
594 | 0 | | ((right << 8) & 0x00001000) |
595 | 0 | | ((right >> 14) & 0x00000808) |
596 | 0 | | ((right >> 9) & 0x00000400) |
597 | 0 | | ((right) & 0x00000200) |
598 | 0 | | ((right << 7) & 0x00000100) |
599 | 0 | | ((right >> 7) & 0x00000020) |
600 | 0 | | ((right >> 3) & 0x00000011) |
601 | 0 | | ((right << 2) & 0x00000004) |
602 | 0 | | ((right >> 21) & 0x00000002)); |
603 | 0 | } |
604 | 0 | } |
605 | | |
606 | | |
607 | | /* |
608 | | * Fill a DES context with subkeys calculated from a 64bit key. |
609 | | * Does not check parity bits, but simply ignore them. |
610 | | * Does not check for weak keys. |
611 | | */ |
612 | | static int |
613 | | des_setkey (struct _des_ctx *ctx, const byte * key) |
614 | 0 | { |
615 | 0 | static const char *selftest_failed; |
616 | 0 | int i; |
617 | |
|
618 | 0 | if (!fips_mode () && !initialized) |
619 | 0 | { |
620 | 0 | initialized = 1; |
621 | 0 | selftest_failed = selftest (); |
622 | |
|
623 | 0 | if (selftest_failed) |
624 | 0 | log_error ("%s\n", selftest_failed); |
625 | 0 | } |
626 | 0 | if (selftest_failed) |
627 | 0 | return GPG_ERR_SELFTEST_FAILED; |
628 | | |
629 | 0 | des_key_schedule (key, ctx->encrypt_subkeys); |
630 | 0 | _gcry_burn_stack (32); |
631 | |
|
632 | 0 | for(i=0; i<32; i+=2) |
633 | 0 | { |
634 | 0 | ctx->decrypt_subkeys[i] = ctx->encrypt_subkeys[30-i]; |
635 | 0 | ctx->decrypt_subkeys[i+1] = ctx->encrypt_subkeys[31-i]; |
636 | 0 | } |
637 | |
|
638 | 0 | return 0; |
639 | 0 | } |
640 | | |
641 | | |
642 | | |
643 | | /* |
644 | | * Electronic Codebook Mode DES encryption/decryption of data according |
645 | | * to 'mode'. |
646 | | */ |
647 | | static int |
648 | | des_ecb_crypt (struct _des_ctx *ctx, const byte * from, byte * to, int mode) |
649 | 0 | { |
650 | 0 | u32 left, right, work; |
651 | 0 | u32 *keys; |
652 | |
|
653 | 0 | keys = mode ? ctx->decrypt_subkeys : ctx->encrypt_subkeys; |
654 | |
|
655 | 0 | READ_64BIT_DATA (from, left, right) |
656 | 0 | INITIAL_PERMUTATION (left, work, right) |
657 | |
|
658 | 0 | DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) |
659 | 0 | DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) |
660 | 0 | DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) |
661 | 0 | DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) |
662 | 0 | DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) |
663 | 0 | DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) |
664 | 0 | DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) |
665 | 0 | DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) |
666 | |
|
667 | 0 | FINAL_PERMUTATION (right, work, left) |
668 | 0 | WRITE_64BIT_DATA (to, right, left) |
669 | |
|
670 | 0 | return 0; |
671 | 0 | } |
672 | | |
673 | | |
674 | | |
675 | | /* |
676 | | * Fill a Triple-DES context with subkeys calculated from two 64bit keys. |
677 | | * Does not check the parity bits of the keys, but simply ignore them. |
678 | | * Does not check for weak keys. |
679 | | */ |
680 | | static int |
681 | | tripledes_set2keys (struct _tripledes_ctx *ctx, |
682 | | const byte * key1, |
683 | | const byte * key2) |
684 | 0 | { |
685 | 0 | int i; |
686 | |
|
687 | 0 | des_key_schedule (key1, ctx->encrypt_subkeys); |
688 | 0 | des_key_schedule (key2, &(ctx->decrypt_subkeys[32])); |
689 | 0 | _gcry_burn_stack (32); |
690 | |
|
691 | 0 | for(i=0; i<32; i+=2) |
692 | 0 | { |
693 | 0 | ctx->decrypt_subkeys[i] = ctx->encrypt_subkeys[30-i]; |
694 | 0 | ctx->decrypt_subkeys[i+1] = ctx->encrypt_subkeys[31-i]; |
695 | |
|
696 | 0 | ctx->encrypt_subkeys[i+32] = ctx->decrypt_subkeys[62-i]; |
697 | 0 | ctx->encrypt_subkeys[i+33] = ctx->decrypt_subkeys[63-i]; |
698 | |
|
699 | 0 | ctx->encrypt_subkeys[i+64] = ctx->encrypt_subkeys[i]; |
700 | 0 | ctx->encrypt_subkeys[i+65] = ctx->encrypt_subkeys[i+1]; |
701 | |
|
702 | 0 | ctx->decrypt_subkeys[i+64] = ctx->decrypt_subkeys[i]; |
703 | 0 | ctx->decrypt_subkeys[i+65] = ctx->decrypt_subkeys[i+1]; |
704 | 0 | } |
705 | |
|
706 | 0 | return 0; |
707 | 0 | } |
708 | | |
709 | | |
710 | | |
711 | | /* |
712 | | * Fill a Triple-DES context with subkeys calculated from three 64bit keys. |
713 | | * Does not check the parity bits of the keys, but simply ignore them. |
714 | | * Does not check for weak keys. |
715 | | */ |
716 | | static int |
717 | | tripledes_set3keys (struct _tripledes_ctx *ctx, |
718 | | const byte * key1, |
719 | | const byte * key2, |
720 | | const byte * key3) |
721 | 0 | { |
722 | 0 | static const char *selftest_failed; |
723 | 0 | int i; |
724 | |
|
725 | 0 | if (!fips_mode () && !initialized) |
726 | 0 | { |
727 | 0 | initialized = 1; |
728 | 0 | selftest_failed = selftest (); |
729 | |
|
730 | 0 | if (selftest_failed) |
731 | 0 | log_error ("%s\n", selftest_failed); |
732 | 0 | } |
733 | 0 | if (selftest_failed) |
734 | 0 | return GPG_ERR_SELFTEST_FAILED; |
735 | | |
736 | 0 | des_key_schedule (key1, ctx->encrypt_subkeys); |
737 | 0 | des_key_schedule (key2, &(ctx->decrypt_subkeys[32])); |
738 | 0 | des_key_schedule (key3, &(ctx->encrypt_subkeys[64])); |
739 | 0 | _gcry_burn_stack (32); |
740 | |
|
741 | 0 | for(i=0; i<32; i+=2) |
742 | 0 | { |
743 | 0 | ctx->decrypt_subkeys[i] = ctx->encrypt_subkeys[94-i]; |
744 | 0 | ctx->decrypt_subkeys[i+1] = ctx->encrypt_subkeys[95-i]; |
745 | |
|
746 | 0 | ctx->encrypt_subkeys[i+32] = ctx->decrypt_subkeys[62-i]; |
747 | 0 | ctx->encrypt_subkeys[i+33] = ctx->decrypt_subkeys[63-i]; |
748 | |
|
749 | 0 | ctx->decrypt_subkeys[i+64] = ctx->encrypt_subkeys[30-i]; |
750 | 0 | ctx->decrypt_subkeys[i+65] = ctx->encrypt_subkeys[31-i]; |
751 | 0 | } |
752 | |
|
753 | 0 | return 0; |
754 | 0 | } |
755 | | |
756 | | |
757 | | |
758 | | #ifdef USE_AMD64_ASM |
759 | | |
760 | | /* Assembly implementation of triple-DES. */ |
761 | | extern void _gcry_3des_amd64_crypt_block(const void *keys, byte *out, |
762 | | const byte *in); |
763 | | |
764 | | /* These assembly implementations process three blocks in parallel. */ |
765 | | extern void _gcry_3des_amd64_ctr_enc(const void *keys, byte *out, |
766 | | const byte *in, byte *ctr); |
767 | | |
768 | | extern void _gcry_3des_amd64_cbc_dec(const void *keys, byte *out, |
769 | | const byte *in, byte *iv); |
770 | | |
771 | | extern void _gcry_3des_amd64_cfb_dec(const void *keys, byte *out, |
772 | | const byte *in, byte *iv); |
773 | | |
774 | 0 | #define TRIPLEDES_ECB_BURN_STACK (8 * sizeof(void *)) |
775 | | |
776 | | |
777 | | /* |
778 | | * Electronic Codebook Mode Triple-DES encryption/decryption of data |
779 | | * according to 'mode'. Sometimes this mode is named 'EDE' mode |
780 | | * (Encryption-Decryption-Encryption). |
781 | | */ |
782 | | static inline int |
783 | | tripledes_ecb_crypt (struct _tripledes_ctx *ctx, const byte * from, |
784 | | byte * to, int mode) |
785 | 0 | { |
786 | 0 | u32 *keys; |
787 | |
|
788 | 0 | keys = mode ? ctx->decrypt_subkeys : ctx->encrypt_subkeys; |
789 | |
|
790 | 0 | _gcry_3des_amd64_crypt_block(keys, to, from); |
791 | |
|
792 | 0 | return 0; |
793 | 0 | } |
794 | | |
795 | | static inline void |
796 | | tripledes_amd64_ctr_enc(const void *keys, byte *out, const byte *in, byte *ctr) |
797 | 0 | { |
798 | 0 | _gcry_3des_amd64_ctr_enc(keys, out, in, ctr); |
799 | 0 | } |
800 | | |
801 | | static inline void |
802 | | tripledes_amd64_cbc_dec(const void *keys, byte *out, const byte *in, byte *iv) |
803 | 0 | { |
804 | 0 | _gcry_3des_amd64_cbc_dec(keys, out, in, iv); |
805 | 0 | } |
806 | | |
807 | | static inline void |
808 | | tripledes_amd64_cfb_dec(const void *keys, byte *out, const byte *in, byte *iv) |
809 | 0 | { |
810 | 0 | _gcry_3des_amd64_cfb_dec(keys, out, in, iv); |
811 | 0 | } |
812 | | |
813 | | #else /*USE_AMD64_ASM*/ |
814 | | |
815 | | #define TRIPLEDES_ECB_BURN_STACK 32 |
816 | | |
817 | | /* |
818 | | * Electronic Codebook Mode Triple-DES encryption/decryption of data |
819 | | * according to 'mode'. Sometimes this mode is named 'EDE' mode |
820 | | * (Encryption-Decryption-Encryption). |
821 | | */ |
822 | | static int |
823 | | tripledes_ecb_crypt (struct _tripledes_ctx *ctx, const byte * from, |
824 | | byte * to, int mode) |
825 | | { |
826 | | u32 left, right, work; |
827 | | u32 *keys; |
828 | | |
829 | | keys = mode ? ctx->decrypt_subkeys : ctx->encrypt_subkeys; |
830 | | |
831 | | READ_64BIT_DATA (from, left, right) |
832 | | INITIAL_PERMUTATION (left, work, right) |
833 | | |
834 | | DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) |
835 | | DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) |
836 | | DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) |
837 | | DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) |
838 | | DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) |
839 | | DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) |
840 | | DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) |
841 | | DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) |
842 | | |
843 | | DES_ROUND (left, right, work, keys) DES_ROUND (right, left, work, keys) |
844 | | DES_ROUND (left, right, work, keys) DES_ROUND (right, left, work, keys) |
845 | | DES_ROUND (left, right, work, keys) DES_ROUND (right, left, work, keys) |
846 | | DES_ROUND (left, right, work, keys) DES_ROUND (right, left, work, keys) |
847 | | DES_ROUND (left, right, work, keys) DES_ROUND (right, left, work, keys) |
848 | | DES_ROUND (left, right, work, keys) DES_ROUND (right, left, work, keys) |
849 | | DES_ROUND (left, right, work, keys) DES_ROUND (right, left, work, keys) |
850 | | DES_ROUND (left, right, work, keys) DES_ROUND (right, left, work, keys) |
851 | | |
852 | | DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) |
853 | | DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) |
854 | | DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) |
855 | | DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) |
856 | | DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) |
857 | | DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) |
858 | | DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) |
859 | | DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) |
860 | | |
861 | | FINAL_PERMUTATION (right, work, left) |
862 | | WRITE_64BIT_DATA (to, right, left) |
863 | | |
864 | | return 0; |
865 | | } |
866 | | |
867 | | #endif /*!USE_AMD64_ASM*/ |
868 | | |
869 | | |
870 | | |
871 | | /* Bulk encryption of complete blocks in CTR mode. This function is only |
872 | | intended for the bulk encryption feature of cipher.c. CTR is expected to be |
873 | | of size DES_BLOCKSIZE. */ |
874 | | static void |
875 | | _gcry_3des_ctr_enc(void *context, unsigned char *ctr, void *outbuf_arg, |
876 | | const void *inbuf_arg, size_t nblocks) |
877 | 0 | { |
878 | 0 | struct _tripledes_ctx *ctx = context; |
879 | 0 | unsigned char *outbuf = outbuf_arg; |
880 | 0 | const unsigned char *inbuf = inbuf_arg; |
881 | 0 | unsigned char tmpbuf[DES_BLOCKSIZE]; |
882 | 0 | int burn_stack_depth = TRIPLEDES_ECB_BURN_STACK; |
883 | |
|
884 | 0 | #ifdef USE_AMD64_ASM |
885 | 0 | { |
886 | 0 | int asm_burn_depth = 9 * sizeof(void *); |
887 | |
|
888 | 0 | if (nblocks >= 3 && burn_stack_depth < asm_burn_depth) |
889 | 0 | burn_stack_depth = asm_burn_depth; |
890 | | |
891 | | /* Process data in 3 block chunks. */ |
892 | 0 | while (nblocks >= 3) |
893 | 0 | { |
894 | 0 | tripledes_amd64_ctr_enc(ctx->encrypt_subkeys, outbuf, inbuf, ctr); |
895 | |
|
896 | 0 | nblocks -= 3; |
897 | 0 | outbuf += 3 * DES_BLOCKSIZE; |
898 | 0 | inbuf += 3 * DES_BLOCKSIZE; |
899 | 0 | } |
900 | | |
901 | | /* Use generic code to handle smaller chunks... */ |
902 | 0 | } |
903 | 0 | #endif |
904 | |
|
905 | 0 | for ( ;nblocks; nblocks-- ) |
906 | 0 | { |
907 | | /* Encrypt the counter. */ |
908 | 0 | tripledes_ecb_encrypt (ctx, ctr, tmpbuf); |
909 | | /* XOR the input with the encrypted counter and store in output. */ |
910 | 0 | cipher_block_xor(outbuf, tmpbuf, inbuf, DES_BLOCKSIZE); |
911 | 0 | outbuf += DES_BLOCKSIZE; |
912 | 0 | inbuf += DES_BLOCKSIZE; |
913 | | /* Increment the counter. */ |
914 | 0 | cipher_block_add(ctr, 1, DES_BLOCKSIZE); |
915 | 0 | } |
916 | |
|
917 | 0 | wipememory(tmpbuf, sizeof(tmpbuf)); |
918 | 0 | _gcry_burn_stack(burn_stack_depth); |
919 | 0 | } |
920 | | |
921 | | |
922 | | /* Bulk decryption of complete blocks in CBC mode. This function is only |
923 | | intended for the bulk encryption feature of cipher.c. */ |
924 | | static void |
925 | | _gcry_3des_cbc_dec(void *context, unsigned char *iv, void *outbuf_arg, |
926 | | const void *inbuf_arg, size_t nblocks) |
927 | 0 | { |
928 | 0 | struct _tripledes_ctx *ctx = context; |
929 | 0 | unsigned char *outbuf = outbuf_arg; |
930 | 0 | const unsigned char *inbuf = inbuf_arg; |
931 | 0 | unsigned char savebuf[DES_BLOCKSIZE]; |
932 | 0 | int burn_stack_depth = TRIPLEDES_ECB_BURN_STACK; |
933 | |
|
934 | 0 | #ifdef USE_AMD64_ASM |
935 | 0 | { |
936 | 0 | int asm_burn_depth = 10 * sizeof(void *); |
937 | |
|
938 | 0 | if (nblocks >= 3 && burn_stack_depth < asm_burn_depth) |
939 | 0 | burn_stack_depth = asm_burn_depth; |
940 | | |
941 | | /* Process data in 3 block chunks. */ |
942 | 0 | while (nblocks >= 3) |
943 | 0 | { |
944 | 0 | tripledes_amd64_cbc_dec(ctx->decrypt_subkeys, outbuf, inbuf, iv); |
945 | |
|
946 | 0 | nblocks -= 3; |
947 | 0 | outbuf += 3 * DES_BLOCKSIZE; |
948 | 0 | inbuf += 3 * DES_BLOCKSIZE; |
949 | 0 | } |
950 | | |
951 | | /* Use generic code to handle smaller chunks... */ |
952 | 0 | } |
953 | 0 | #endif |
954 | |
|
955 | 0 | for ( ;nblocks; nblocks-- ) |
956 | 0 | { |
957 | | /* INBUF is needed later and it may be identical to OUTBUF, so store |
958 | | the intermediate result to SAVEBUF. */ |
959 | 0 | tripledes_ecb_decrypt (ctx, inbuf, savebuf); |
960 | |
|
961 | 0 | cipher_block_xor_n_copy_2(outbuf, savebuf, iv, inbuf, DES_BLOCKSIZE); |
962 | 0 | inbuf += DES_BLOCKSIZE; |
963 | 0 | outbuf += DES_BLOCKSIZE; |
964 | 0 | } |
965 | |
|
966 | 0 | wipememory(savebuf, sizeof(savebuf)); |
967 | 0 | _gcry_burn_stack(burn_stack_depth); |
968 | 0 | } |
969 | | |
970 | | |
971 | | /* Bulk decryption of complete blocks in CFB mode. This function is only |
972 | | intended for the bulk encryption feature of cipher.c. */ |
973 | | static void |
974 | | _gcry_3des_cfb_dec(void *context, unsigned char *iv, void *outbuf_arg, |
975 | | const void *inbuf_arg, size_t nblocks) |
976 | 0 | { |
977 | 0 | struct _tripledes_ctx *ctx = context; |
978 | 0 | unsigned char *outbuf = outbuf_arg; |
979 | 0 | const unsigned char *inbuf = inbuf_arg; |
980 | 0 | int burn_stack_depth = TRIPLEDES_ECB_BURN_STACK; |
981 | |
|
982 | 0 | #ifdef USE_AMD64_ASM |
983 | 0 | { |
984 | 0 | int asm_burn_depth = 9 * sizeof(void *); |
985 | |
|
986 | 0 | if (nblocks >= 3 && burn_stack_depth < asm_burn_depth) |
987 | 0 | burn_stack_depth = asm_burn_depth; |
988 | | |
989 | | /* Process data in 3 block chunks. */ |
990 | 0 | while (nblocks >= 3) |
991 | 0 | { |
992 | 0 | tripledes_amd64_cfb_dec(ctx->encrypt_subkeys, outbuf, inbuf, iv); |
993 | |
|
994 | 0 | nblocks -= 3; |
995 | 0 | outbuf += 3 * DES_BLOCKSIZE; |
996 | 0 | inbuf += 3 * DES_BLOCKSIZE; |
997 | 0 | } |
998 | | |
999 | | /* Use generic code to handle smaller chunks... */ |
1000 | 0 | } |
1001 | 0 | #endif |
1002 | |
|
1003 | 0 | for ( ;nblocks; nblocks-- ) |
1004 | 0 | { |
1005 | 0 | tripledes_ecb_encrypt (ctx, iv, iv); |
1006 | 0 | cipher_block_xor_n_copy(outbuf, iv, inbuf, DES_BLOCKSIZE); |
1007 | 0 | outbuf += DES_BLOCKSIZE; |
1008 | 0 | inbuf += DES_BLOCKSIZE; |
1009 | 0 | } |
1010 | |
|
1011 | 0 | _gcry_burn_stack(burn_stack_depth); |
1012 | 0 | } |
1013 | | |
1014 | | |
1015 | | /* |
1016 | | * Check whether the 8 byte key is weak. |
1017 | | * Does not check the parity bits of the key but simple ignore them. |
1018 | | */ |
1019 | | static int |
1020 | | is_weak_key ( const byte *key ) |
1021 | 0 | { |
1022 | 0 | byte work[8]; |
1023 | 0 | int i, left, right, middle, cmp_result; |
1024 | | |
1025 | | /* clear parity bits */ |
1026 | 0 | for(i=0; i<8; ++i) |
1027 | 0 | work[i] = key[i] & 0xfe; |
1028 | | |
1029 | | /* binary search in the weak key table */ |
1030 | 0 | left = 0; |
1031 | 0 | right = 63; |
1032 | 0 | while(left <= right) |
1033 | 0 | { |
1034 | 0 | middle = (left + right) / 2; |
1035 | |
|
1036 | 0 | if ( !(cmp_result=working_memcmp(work, weak_keys[middle], 8)) ) |
1037 | 0 | return -1; |
1038 | | |
1039 | 0 | if ( cmp_result > 0 ) |
1040 | 0 | left = middle + 1; |
1041 | 0 | else |
1042 | 0 | right = middle - 1; |
1043 | 0 | } |
1044 | | |
1045 | 0 | return 0; |
1046 | 0 | } |
1047 | | |
1048 | | |
1049 | | /* |
1050 | | * Performs a selftest of this DES/Triple-DES implementation. |
1051 | | * Returns an string with the error text on failure. |
1052 | | * Returns NULL if all is ok. |
1053 | | */ |
1054 | | static const char * |
1055 | | selftest (void) |
1056 | 0 | { |
1057 | | /* |
1058 | | * Check if 'u32' is really 32 bits wide. This DES / 3DES implementation |
1059 | | * need this. |
1060 | | */ |
1061 | 0 | if (sizeof (u32) != 4) |
1062 | 0 | return "Wrong word size for DES configured."; |
1063 | | |
1064 | | /* |
1065 | | * DES Maintenance Test |
1066 | | */ |
1067 | 0 | { |
1068 | 0 | int i; |
1069 | 0 | byte key[8] = |
1070 | 0 | {0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55}; |
1071 | 0 | byte input[8] = |
1072 | 0 | {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}; |
1073 | 0 | byte result[8] = |
1074 | 0 | {0x24, 0x6e, 0x9d, 0xb9, 0xc5, 0x50, 0x38, 0x1a}; |
1075 | 0 | byte temp1[8], temp2[8], temp3[8]; |
1076 | 0 | des_ctx des; |
1077 | |
|
1078 | 0 | for (i = 0; i < 64; ++i) |
1079 | 0 | { |
1080 | 0 | des_setkey (des, key); |
1081 | 0 | des_ecb_encrypt (des, input, temp1); |
1082 | 0 | des_ecb_encrypt (des, temp1, temp2); |
1083 | 0 | des_setkey (des, temp2); |
1084 | 0 | des_ecb_decrypt (des, temp1, temp3); |
1085 | 0 | memcpy (key, temp3, 8); |
1086 | 0 | memcpy (input, temp1, 8); |
1087 | 0 | } |
1088 | 0 | if (memcmp (temp3, result, 8)) |
1089 | 0 | return "DES maintenance test failed."; |
1090 | 0 | } |
1091 | | |
1092 | | |
1093 | | /* |
1094 | | * Self made Triple-DES test (Does somebody know an official test?) |
1095 | | */ |
1096 | 0 | { |
1097 | 0 | int i; |
1098 | 0 | byte input[8] = |
1099 | 0 | {0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10}; |
1100 | 0 | byte key1[8] = |
1101 | 0 | {0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0}; |
1102 | 0 | byte key2[8] = |
1103 | 0 | {0x11, 0x22, 0x33, 0x44, 0xff, 0xaa, 0xcc, 0xdd}; |
1104 | 0 | byte result[8] = |
1105 | 0 | {0x7b, 0x38, 0x3b, 0x23, 0xa2, 0x7d, 0x26, 0xd3}; |
1106 | |
|
1107 | 0 | tripledes_ctx des3; |
1108 | |
|
1109 | 0 | for (i = 0; i < 16; ++i) |
1110 | 0 | { |
1111 | 0 | tripledes_set2keys (des3, key1, key2); |
1112 | 0 | tripledes_ecb_encrypt (des3, input, key1); |
1113 | 0 | tripledes_ecb_decrypt (des3, input, key2); |
1114 | 0 | tripledes_set3keys (des3, key1, input, key2); |
1115 | 0 | tripledes_ecb_encrypt (des3, input, input); |
1116 | 0 | } |
1117 | 0 | if (memcmp (input, result, 8)) |
1118 | 0 | return "Triple-DES test failed."; |
1119 | 0 | } |
1120 | | |
1121 | | /* |
1122 | | * More Triple-DES test. These are testvectors as used by SSLeay, |
1123 | | * thanks to Jeroen C. van Gelderen. |
1124 | | */ |
1125 | 0 | { |
1126 | 0 | static const struct { byte key[24]; byte plain[8]; byte cipher[8]; } |
1127 | 0 | testdata[] = { |
1128 | 0 | { { 0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01, |
1129 | 0 | 0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01, |
1130 | 0 | 0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01 }, |
1131 | 0 | { 0x95,0xF8,0xA5,0xE5,0xDD,0x31,0xD9,0x00 }, |
1132 | 0 | { 0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00 } |
1133 | 0 | }, |
1134 | |
|
1135 | 0 | { { 0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01, |
1136 | 0 | 0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01, |
1137 | 0 | 0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01 }, |
1138 | 0 | { 0x9D,0x64,0x55,0x5A,0x9A,0x10,0xB8,0x52, }, |
1139 | 0 | { 0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x00 } |
1140 | 0 | }, |
1141 | 0 | { { 0x38,0x49,0x67,0x4C,0x26,0x02,0x31,0x9E, |
1142 | 0 | 0x38,0x49,0x67,0x4C,0x26,0x02,0x31,0x9E, |
1143 | 0 | 0x38,0x49,0x67,0x4C,0x26,0x02,0x31,0x9E }, |
1144 | 0 | { 0x51,0x45,0x4B,0x58,0x2D,0xDF,0x44,0x0A }, |
1145 | 0 | { 0x71,0x78,0x87,0x6E,0x01,0xF1,0x9B,0x2A } |
1146 | 0 | }, |
1147 | 0 | { { 0x04,0xB9,0x15,0xBA,0x43,0xFE,0xB5,0xB6, |
1148 | 0 | 0x04,0xB9,0x15,0xBA,0x43,0xFE,0xB5,0xB6, |
1149 | 0 | 0x04,0xB9,0x15,0xBA,0x43,0xFE,0xB5,0xB6 }, |
1150 | 0 | { 0x42,0xFD,0x44,0x30,0x59,0x57,0x7F,0xA2 }, |
1151 | 0 | { 0xAF,0x37,0xFB,0x42,0x1F,0x8C,0x40,0x95 } |
1152 | 0 | }, |
1153 | 0 | { { 0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF, |
1154 | 0 | 0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF, |
1155 | 0 | 0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF }, |
1156 | 0 | { 0x73,0x6F,0x6D,0x65,0x64,0x61,0x74,0x61 }, |
1157 | 0 | { 0x3D,0x12,0x4F,0xE2,0x19,0x8B,0xA3,0x18 } |
1158 | 0 | }, |
1159 | 0 | { { 0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF, |
1160 | 0 | 0x55,0x55,0x55,0x55,0x55,0x55,0x55,0x55, |
1161 | 0 | 0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF }, |
1162 | 0 | { 0x73,0x6F,0x6D,0x65,0x64,0x61,0x74,0x61 }, |
1163 | 0 | { 0xFB,0xAB,0xA1,0xFF,0x9D,0x05,0xE9,0xB1 } |
1164 | 0 | }, |
1165 | 0 | { { 0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF, |
1166 | 0 | 0x55,0x55,0x55,0x55,0x55,0x55,0x55,0x55, |
1167 | 0 | 0xFE,0xDC,0xBA,0x98,0x76,0x54,0x32,0x10 }, |
1168 | 0 | { 0x73,0x6F,0x6D,0x65,0x64,0x61,0x74,0x61 }, |
1169 | 0 | { 0x18,0xd7,0x48,0xe5,0x63,0x62,0x05,0x72 } |
1170 | 0 | }, |
1171 | 0 | { { 0x03,0x52,0x02,0x07,0x67,0x20,0x82,0x17, |
1172 | 0 | 0x86,0x02,0x87,0x66,0x59,0x08,0x21,0x98, |
1173 | 0 | 0x64,0x05,0x6A,0xBD,0xFE,0xA9,0x34,0x57 }, |
1174 | 0 | { 0x73,0x71,0x75,0x69,0x67,0x67,0x6C,0x65 }, |
1175 | 0 | { 0xc0,0x7d,0x2a,0x0f,0xa5,0x66,0xfa,0x30 } |
1176 | 0 | }, |
1177 | 0 | { { 0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01, |
1178 | 0 | 0x80,0x01,0x01,0x01,0x01,0x01,0x01,0x01, |
1179 | 0 | 0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x02 }, |
1180 | 0 | { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 }, |
1181 | 0 | { 0xe6,0xe6,0xdd,0x5b,0x7e,0x72,0x29,0x74 } |
1182 | 0 | }, |
1183 | 0 | { { 0x10,0x46,0x10,0x34,0x89,0x98,0x80,0x20, |
1184 | 0 | 0x91,0x07,0xD0,0x15,0x89,0x19,0x01,0x01, |
1185 | 0 | 0x19,0x07,0x92,0x10,0x98,0x1A,0x01,0x01 }, |
1186 | 0 | { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 }, |
1187 | 0 | { 0xe1,0xef,0x62,0xc3,0x32,0xfe,0x82,0x5b } |
1188 | 0 | } |
1189 | 0 | }; |
1190 | |
|
1191 | 0 | byte result[8]; |
1192 | 0 | int i; |
1193 | 0 | tripledes_ctx des3; |
1194 | |
|
1195 | 0 | for (i=0; i<sizeof(testdata)/sizeof(*testdata); ++i) |
1196 | 0 | { |
1197 | 0 | tripledes_set3keys (des3, testdata[i].key, |
1198 | 0 | testdata[i].key + 8, testdata[i].key + 16); |
1199 | |
|
1200 | 0 | tripledes_ecb_encrypt (des3, testdata[i].plain, result); |
1201 | 0 | if (memcmp (testdata[i].cipher, result, 8)) |
1202 | 0 | return "Triple-DES SSLeay test failed on encryption."; |
1203 | | |
1204 | 0 | tripledes_ecb_decrypt (des3, testdata[i].cipher, result); |
1205 | 0 | if (memcmp (testdata[i].plain, result, 8)) |
1206 | 0 | return "Triple-DES SSLeay test failed on decryption.";; |
1207 | 0 | } |
1208 | 0 | } |
1209 | | |
1210 | | /* |
1211 | | * Check the weak key detection. We simply assume that the table |
1212 | | * with weak keys is ok and check every key in the table if it is |
1213 | | * detected... (This test is a little bit stupid). |
1214 | | */ |
1215 | 0 | { |
1216 | 0 | int i; |
1217 | 0 | unsigned char *p; |
1218 | 0 | gcry_md_hd_t h; |
1219 | |
|
1220 | 0 | if (_gcry_md_open (&h, GCRY_MD_SHA1, 0)) |
1221 | 0 | return "SHA1 not available"; |
1222 | | |
1223 | 0 | for (i = 0; i < 64; ++i) |
1224 | 0 | _gcry_md_write (h, weak_keys[i], 8); |
1225 | 0 | p = _gcry_md_read (h, GCRY_MD_SHA1); |
1226 | 0 | i = memcmp (p, weak_keys_chksum, 20); |
1227 | 0 | _gcry_md_close (h); |
1228 | 0 | if (i) |
1229 | 0 | return "weak key table defect"; |
1230 | | |
1231 | 0 | for (i = 0; i < 64; ++i) |
1232 | 0 | if (!is_weak_key(weak_keys[i])) |
1233 | 0 | return "DES weak key detection failed"; |
1234 | 0 | } |
1235 | | |
1236 | 0 | return 0; |
1237 | 0 | } |
1238 | | |
1239 | | |
1240 | | static gcry_err_code_t |
1241 | | do_tripledes_setkey ( void *context, const byte *key, unsigned keylen, |
1242 | | cipher_bulk_ops_t *bulk_ops ) |
1243 | 0 | { |
1244 | 0 | struct _tripledes_ctx *ctx = (struct _tripledes_ctx *) context; |
1245 | |
|
1246 | 0 | if( keylen != 24 ) |
1247 | 0 | return GPG_ERR_INV_KEYLEN; |
1248 | | |
1249 | | /* Setup bulk encryption routines. */ |
1250 | 0 | memset (bulk_ops, 0, sizeof(*bulk_ops)); |
1251 | 0 | bulk_ops->cbc_dec = _gcry_3des_cbc_dec; |
1252 | 0 | bulk_ops->cfb_dec = _gcry_3des_cfb_dec; |
1253 | 0 | bulk_ops->ctr_enc = _gcry_3des_ctr_enc; |
1254 | |
|
1255 | 0 | tripledes_set3keys ( ctx, key, key+8, key+16); |
1256 | |
|
1257 | 0 | if (ctx->flags.no_weak_key) |
1258 | 0 | ; /* Detection has been disabled. */ |
1259 | 0 | else if (is_weak_key (key) || is_weak_key (key+8) || is_weak_key (key+16)) |
1260 | 0 | { |
1261 | 0 | _gcry_burn_stack (64); |
1262 | 0 | return GPG_ERR_WEAK_KEY; |
1263 | 0 | } |
1264 | 0 | _gcry_burn_stack (64); |
1265 | |
|
1266 | 0 | return GPG_ERR_NO_ERROR; |
1267 | 0 | } |
1268 | | |
1269 | | |
1270 | | static gcry_err_code_t |
1271 | | do_tripledes_set_extra_info (void *context, int what, |
1272 | | const void *buffer, size_t buflen) |
1273 | 0 | { |
1274 | 0 | struct _tripledes_ctx *ctx = (struct _tripledes_ctx *)context; |
1275 | 0 | gpg_err_code_t ec = 0; |
1276 | |
|
1277 | 0 | (void)buffer; |
1278 | 0 | (void)buflen; |
1279 | |
|
1280 | 0 | switch (what) |
1281 | 0 | { |
1282 | 0 | case CIPHER_INFO_NO_WEAK_KEY: |
1283 | 0 | ctx->flags.no_weak_key = 1; |
1284 | 0 | break; |
1285 | | |
1286 | 0 | default: |
1287 | 0 | ec = GPG_ERR_INV_OP; |
1288 | 0 | break; |
1289 | 0 | } |
1290 | 0 | return ec; |
1291 | 0 | } |
1292 | | |
1293 | | |
1294 | | static unsigned int |
1295 | | do_tripledes_encrypt( void *context, byte *outbuf, const byte *inbuf ) |
1296 | 0 | { |
1297 | 0 | struct _tripledes_ctx *ctx = (struct _tripledes_ctx *) context; |
1298 | |
|
1299 | 0 | tripledes_ecb_encrypt ( ctx, inbuf, outbuf ); |
1300 | 0 | return /*burn_stack*/ TRIPLEDES_ECB_BURN_STACK; |
1301 | 0 | } |
1302 | | |
1303 | | static unsigned int |
1304 | | do_tripledes_decrypt( void *context, byte *outbuf, const byte *inbuf ) |
1305 | 0 | { |
1306 | 0 | struct _tripledes_ctx *ctx = (struct _tripledes_ctx *) context; |
1307 | 0 | tripledes_ecb_decrypt ( ctx, inbuf, outbuf ); |
1308 | 0 | return /*burn_stack*/ TRIPLEDES_ECB_BURN_STACK; |
1309 | 0 | } |
1310 | | |
1311 | | static gcry_err_code_t |
1312 | | do_des_setkey (void *context, const byte *key, unsigned keylen, |
1313 | | cipher_bulk_ops_t *bulk_ops) |
1314 | 0 | { |
1315 | 0 | struct _des_ctx *ctx = (struct _des_ctx *) context; |
1316 | |
|
1317 | 0 | (void)bulk_ops; |
1318 | |
|
1319 | 0 | if (keylen != 8) |
1320 | 0 | return GPG_ERR_INV_KEYLEN; |
1321 | | |
1322 | 0 | des_setkey (ctx, key); |
1323 | |
|
1324 | 0 | if (is_weak_key (key)) { |
1325 | 0 | _gcry_burn_stack (64); |
1326 | 0 | return GPG_ERR_WEAK_KEY; |
1327 | 0 | } |
1328 | 0 | _gcry_burn_stack (64); |
1329 | |
|
1330 | 0 | return GPG_ERR_NO_ERROR; |
1331 | 0 | } |
1332 | | |
1333 | | |
1334 | | static unsigned int |
1335 | | do_des_encrypt( void *context, byte *outbuf, const byte *inbuf ) |
1336 | 0 | { |
1337 | 0 | struct _des_ctx *ctx = (struct _des_ctx *) context; |
1338 | |
|
1339 | 0 | des_ecb_encrypt ( ctx, inbuf, outbuf ); |
1340 | 0 | return /*burn_stack*/ (32); |
1341 | 0 | } |
1342 | | |
1343 | | static unsigned int |
1344 | | do_des_decrypt( void *context, byte *outbuf, const byte *inbuf ) |
1345 | 0 | { |
1346 | 0 | struct _des_ctx *ctx = (struct _des_ctx *) context; |
1347 | |
|
1348 | 0 | des_ecb_decrypt ( ctx, inbuf, outbuf ); |
1349 | 0 | return /*burn_stack*/ (32); |
1350 | 0 | } |
1351 | | |
1352 | | |
1353 | | |
1354 | | � |
1355 | | /* |
1356 | | Self-test section. |
1357 | | */ |
1358 | | |
1359 | | |
1360 | | /* Selftest for TripleDES. */ |
1361 | | static gpg_err_code_t |
1362 | | selftest_fips (int extended, selftest_report_func_t report) |
1363 | 0 | { |
1364 | 0 | const char *what; |
1365 | 0 | const char *errtxt; |
1366 | |
|
1367 | 0 | (void)extended; /* No extended tests available. */ |
1368 | |
|
1369 | 0 | what = "low-level"; |
1370 | 0 | errtxt = selftest (); |
1371 | 0 | if (errtxt) |
1372 | 0 | goto failed; |
1373 | | |
1374 | | /* The low-level self-tests are quite extensive and thus we can do |
1375 | | without high level tests. This is also justified because we have |
1376 | | no custom block code implementation for 3des but always use the |
1377 | | standard high level block code. */ |
1378 | | |
1379 | 0 | return 0; /* Succeeded. */ |
1380 | | |
1381 | 0 | failed: |
1382 | 0 | if (report) |
1383 | 0 | report ("cipher", GCRY_CIPHER_3DES, what, errtxt); |
1384 | 0 | return GPG_ERR_SELFTEST_FAILED; |
1385 | 0 | } |
1386 | | |
1387 | | |
1388 | | |
1389 | | /* Run a full self-test for ALGO and return 0 on success. */ |
1390 | | static gpg_err_code_t |
1391 | | run_selftests (int algo, int extended, selftest_report_func_t report) |
1392 | 0 | { |
1393 | 0 | gpg_err_code_t ec; |
1394 | |
|
1395 | 0 | switch (algo) |
1396 | 0 | { |
1397 | 0 | case GCRY_CIPHER_3DES: |
1398 | 0 | ec = selftest_fips (extended, report); |
1399 | 0 | break; |
1400 | 0 | default: |
1401 | 0 | ec = GPG_ERR_CIPHER_ALGO; |
1402 | 0 | break; |
1403 | |
|
1404 | 0 | } |
1405 | 0 | return ec; |
1406 | 0 | } |
1407 | | |
1408 | | |
1409 | | � |
1410 | | gcry_cipher_spec_t _gcry_cipher_spec_des = |
1411 | | { |
1412 | | GCRY_CIPHER_DES, {0, 0}, |
1413 | | "DES", NULL, NULL, 8, 64, sizeof (struct _des_ctx), |
1414 | | do_des_setkey, do_des_encrypt, do_des_decrypt |
1415 | | }; |
1416 | | |
1417 | | static const gcry_cipher_oid_spec_t oids_tripledes[] = |
1418 | | { |
1419 | | { "1.2.840.113549.3.7", GCRY_CIPHER_MODE_CBC }, |
1420 | | /* Teletrust specific OID for 3DES. */ |
1421 | | { "1.3.36.3.1.3.2.1", GCRY_CIPHER_MODE_CBC }, |
1422 | | /* pbeWithSHAAnd3_KeyTripleDES_CBC */ |
1423 | | { "1.2.840.113549.1.12.1.3", GCRY_CIPHER_MODE_CBC }, |
1424 | | { NULL } |
1425 | | }; |
1426 | | |
1427 | | gcry_cipher_spec_t _gcry_cipher_spec_tripledes = |
1428 | | { |
1429 | | GCRY_CIPHER_3DES, {0, 0}, |
1430 | | "3DES", NULL, oids_tripledes, 8, 192, sizeof (struct _tripledes_ctx), |
1431 | | do_tripledes_setkey, do_tripledes_encrypt, do_tripledes_decrypt, |
1432 | | NULL, NULL, |
1433 | | run_selftests, |
1434 | | do_tripledes_set_extra_info |
1435 | | }; |