Coverage Report

Created: 2025-07-01 06:54

/work/mbedtls-2.28.8/library/des.c
Line
Count
Source (jump to first uncovered line)
1
/*
2
 *  FIPS-46-3 compliant Triple-DES implementation
3
 *
4
 *  Copyright The Mbed TLS Contributors
5
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6
 */
7
/*
8
 *  DES, on which TDES is based, was originally designed by Horst Feistel
9
 *  at IBM in 1974, and was adopted as a standard by NIST (formerly NBS).
10
 *
11
 *  http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf
12
 */
13
14
#include "common.h"
15
16
#if defined(MBEDTLS_DES_C)
17
18
#include "mbedtls/des.h"
19
#include "mbedtls/error.h"
20
#include "mbedtls/platform_util.h"
21
22
#include <string.h>
23
24
#include "mbedtls/platform.h"
25
26
#if !defined(MBEDTLS_DES_ALT)
27
28
/*
29
 * Expanded DES S-boxes
30
 */
31
static const uint32_t SB1[64] =
32
{
33
    0x01010400, 0x00000000, 0x00010000, 0x01010404,
34
    0x01010004, 0x00010404, 0x00000004, 0x00010000,
35
    0x00000400, 0x01010400, 0x01010404, 0x00000400,
36
    0x01000404, 0x01010004, 0x01000000, 0x00000004,
37
    0x00000404, 0x01000400, 0x01000400, 0x00010400,
38
    0x00010400, 0x01010000, 0x01010000, 0x01000404,
39
    0x00010004, 0x01000004, 0x01000004, 0x00010004,
40
    0x00000000, 0x00000404, 0x00010404, 0x01000000,
41
    0x00010000, 0x01010404, 0x00000004, 0x01010000,
42
    0x01010400, 0x01000000, 0x01000000, 0x00000400,
43
    0x01010004, 0x00010000, 0x00010400, 0x01000004,
44
    0x00000400, 0x00000004, 0x01000404, 0x00010404,
45
    0x01010404, 0x00010004, 0x01010000, 0x01000404,
46
    0x01000004, 0x00000404, 0x00010404, 0x01010400,
47
    0x00000404, 0x01000400, 0x01000400, 0x00000000,
48
    0x00010004, 0x00010400, 0x00000000, 0x01010004
49
};
50
51
static const uint32_t SB2[64] =
52
{
53
    0x80108020, 0x80008000, 0x00008000, 0x00108020,
54
    0x00100000, 0x00000020, 0x80100020, 0x80008020,
55
    0x80000020, 0x80108020, 0x80108000, 0x80000000,
56
    0x80008000, 0x00100000, 0x00000020, 0x80100020,
57
    0x00108000, 0x00100020, 0x80008020, 0x00000000,
58
    0x80000000, 0x00008000, 0x00108020, 0x80100000,
59
    0x00100020, 0x80000020, 0x00000000, 0x00108000,
60
    0x00008020, 0x80108000, 0x80100000, 0x00008020,
61
    0x00000000, 0x00108020, 0x80100020, 0x00100000,
62
    0x80008020, 0x80100000, 0x80108000, 0x00008000,
63
    0x80100000, 0x80008000, 0x00000020, 0x80108020,
64
    0x00108020, 0x00000020, 0x00008000, 0x80000000,
65
    0x00008020, 0x80108000, 0x00100000, 0x80000020,
66
    0x00100020, 0x80008020, 0x80000020, 0x00100020,
67
    0x00108000, 0x00000000, 0x80008000, 0x00008020,
68
    0x80000000, 0x80100020, 0x80108020, 0x00108000
69
};
70
71
static const uint32_t SB3[64] =
72
{
73
    0x00000208, 0x08020200, 0x00000000, 0x08020008,
74
    0x08000200, 0x00000000, 0x00020208, 0x08000200,
75
    0x00020008, 0x08000008, 0x08000008, 0x00020000,
76
    0x08020208, 0x00020008, 0x08020000, 0x00000208,
77
    0x08000000, 0x00000008, 0x08020200, 0x00000200,
78
    0x00020200, 0x08020000, 0x08020008, 0x00020208,
79
    0x08000208, 0x00020200, 0x00020000, 0x08000208,
80
    0x00000008, 0x08020208, 0x00000200, 0x08000000,
81
    0x08020200, 0x08000000, 0x00020008, 0x00000208,
82
    0x00020000, 0x08020200, 0x08000200, 0x00000000,
83
    0x00000200, 0x00020008, 0x08020208, 0x08000200,
84
    0x08000008, 0x00000200, 0x00000000, 0x08020008,
85
    0x08000208, 0x00020000, 0x08000000, 0x08020208,
86
    0x00000008, 0x00020208, 0x00020200, 0x08000008,
87
    0x08020000, 0x08000208, 0x00000208, 0x08020000,
88
    0x00020208, 0x00000008, 0x08020008, 0x00020200
89
};
90
91
static const uint32_t SB4[64] =
92
{
93
    0x00802001, 0x00002081, 0x00002081, 0x00000080,
94
    0x00802080, 0x00800081, 0x00800001, 0x00002001,
95
    0x00000000, 0x00802000, 0x00802000, 0x00802081,
96
    0x00000081, 0x00000000, 0x00800080, 0x00800001,
97
    0x00000001, 0x00002000, 0x00800000, 0x00802001,
98
    0x00000080, 0x00800000, 0x00002001, 0x00002080,
99
    0x00800081, 0x00000001, 0x00002080, 0x00800080,
100
    0x00002000, 0x00802080, 0x00802081, 0x00000081,
101
    0x00800080, 0x00800001, 0x00802000, 0x00802081,
102
    0x00000081, 0x00000000, 0x00000000, 0x00802000,
103
    0x00002080, 0x00800080, 0x00800081, 0x00000001,
104
    0x00802001, 0x00002081, 0x00002081, 0x00000080,
105
    0x00802081, 0x00000081, 0x00000001, 0x00002000,
106
    0x00800001, 0x00002001, 0x00802080, 0x00800081,
107
    0x00002001, 0x00002080, 0x00800000, 0x00802001,
108
    0x00000080, 0x00800000, 0x00002000, 0x00802080
109
};
110
111
static const uint32_t SB5[64] =
112
{
113
    0x00000100, 0x02080100, 0x02080000, 0x42000100,
114
    0x00080000, 0x00000100, 0x40000000, 0x02080000,
115
    0x40080100, 0x00080000, 0x02000100, 0x40080100,
116
    0x42000100, 0x42080000, 0x00080100, 0x40000000,
117
    0x02000000, 0x40080000, 0x40080000, 0x00000000,
118
    0x40000100, 0x42080100, 0x42080100, 0x02000100,
119
    0x42080000, 0x40000100, 0x00000000, 0x42000000,
120
    0x02080100, 0x02000000, 0x42000000, 0x00080100,
121
    0x00080000, 0x42000100, 0x00000100, 0x02000000,
122
    0x40000000, 0x02080000, 0x42000100, 0x40080100,
123
    0x02000100, 0x40000000, 0x42080000, 0x02080100,
124
    0x40080100, 0x00000100, 0x02000000, 0x42080000,
125
    0x42080100, 0x00080100, 0x42000000, 0x42080100,
126
    0x02080000, 0x00000000, 0x40080000, 0x42000000,
127
    0x00080100, 0x02000100, 0x40000100, 0x00080000,
128
    0x00000000, 0x40080000, 0x02080100, 0x40000100
129
};
130
131
static const uint32_t SB6[64] =
132
{
133
    0x20000010, 0x20400000, 0x00004000, 0x20404010,
134
    0x20400000, 0x00000010, 0x20404010, 0x00400000,
135
    0x20004000, 0x00404010, 0x00400000, 0x20000010,
136
    0x00400010, 0x20004000, 0x20000000, 0x00004010,
137
    0x00000000, 0x00400010, 0x20004010, 0x00004000,
138
    0x00404000, 0x20004010, 0x00000010, 0x20400010,
139
    0x20400010, 0x00000000, 0x00404010, 0x20404000,
140
    0x00004010, 0x00404000, 0x20404000, 0x20000000,
141
    0x20004000, 0x00000010, 0x20400010, 0x00404000,
142
    0x20404010, 0x00400000, 0x00004010, 0x20000010,
143
    0x00400000, 0x20004000, 0x20000000, 0x00004010,
144
    0x20000010, 0x20404010, 0x00404000, 0x20400000,
145
    0x00404010, 0x20404000, 0x00000000, 0x20400010,
146
    0x00000010, 0x00004000, 0x20400000, 0x00404010,
147
    0x00004000, 0x00400010, 0x20004010, 0x00000000,
148
    0x20404000, 0x20000000, 0x00400010, 0x20004010
149
};
150
151
static const uint32_t SB7[64] =
152
{
153
    0x00200000, 0x04200002, 0x04000802, 0x00000000,
154
    0x00000800, 0x04000802, 0x00200802, 0x04200800,
155
    0x04200802, 0x00200000, 0x00000000, 0x04000002,
156
    0x00000002, 0x04000000, 0x04200002, 0x00000802,
157
    0x04000800, 0x00200802, 0x00200002, 0x04000800,
158
    0x04000002, 0x04200000, 0x04200800, 0x00200002,
159
    0x04200000, 0x00000800, 0x00000802, 0x04200802,
160
    0x00200800, 0x00000002, 0x04000000, 0x00200800,
161
    0x04000000, 0x00200800, 0x00200000, 0x04000802,
162
    0x04000802, 0x04200002, 0x04200002, 0x00000002,
163
    0x00200002, 0x04000000, 0x04000800, 0x00200000,
164
    0x04200800, 0x00000802, 0x00200802, 0x04200800,
165
    0x00000802, 0x04000002, 0x04200802, 0x04200000,
166
    0x00200800, 0x00000000, 0x00000002, 0x04200802,
167
    0x00000000, 0x00200802, 0x04200000, 0x00000800,
168
    0x04000002, 0x04000800, 0x00000800, 0x00200002
169
};
170
171
static const uint32_t SB8[64] =
172
{
173
    0x10001040, 0x00001000, 0x00040000, 0x10041040,
174
    0x10000000, 0x10001040, 0x00000040, 0x10000000,
175
    0x00040040, 0x10040000, 0x10041040, 0x00041000,
176
    0x10041000, 0x00041040, 0x00001000, 0x00000040,
177
    0x10040000, 0x10000040, 0x10001000, 0x00001040,
178
    0x00041000, 0x00040040, 0x10040040, 0x10041000,
179
    0x00001040, 0x00000000, 0x00000000, 0x10040040,
180
    0x10000040, 0x10001000, 0x00041040, 0x00040000,
181
    0x00041040, 0x00040000, 0x10041000, 0x00001000,
182
    0x00000040, 0x10040040, 0x00001000, 0x00041040,
183
    0x10001000, 0x00000040, 0x10000040, 0x10040000,
184
    0x10040040, 0x10000000, 0x00040000, 0x10001040,
185
    0x00000000, 0x10041040, 0x00040040, 0x10000040,
186
    0x10040000, 0x10001000, 0x10001040, 0x00000000,
187
    0x10041040, 0x00041000, 0x00041000, 0x00001040,
188
    0x00001040, 0x00040040, 0x10000000, 0x10041000
189
};
190
191
/*
192
 * PC1: left and right halves bit-swap
193
 */
194
static const uint32_t LHs[16] =
195
{
196
    0x00000000, 0x00000001, 0x00000100, 0x00000101,
197
    0x00010000, 0x00010001, 0x00010100, 0x00010101,
198
    0x01000000, 0x01000001, 0x01000100, 0x01000101,
199
    0x01010000, 0x01010001, 0x01010100, 0x01010101
200
};
201
202
static const uint32_t RHs[16] =
203
{
204
    0x00000000, 0x01000000, 0x00010000, 0x01010000,
205
    0x00000100, 0x01000100, 0x00010100, 0x01010100,
206
    0x00000001, 0x01000001, 0x00010001, 0x01010001,
207
    0x00000101, 0x01000101, 0x00010101, 0x01010101,
208
};
209
210
/*
211
 * Initial Permutation macro
212
 */
213
#define DES_IP(X, Y)                                                       \
214
0
    do                                                                    \
215
0
    {                                                                     \
216
0
        T = (((X) >>  4) ^ (Y)) & 0x0F0F0F0F; (Y) ^= T; (X) ^= (T <<  4); \
217
0
        T = (((X) >> 16) ^ (Y)) & 0x0000FFFF; (Y) ^= T; (X) ^= (T << 16); \
218
0
        T = (((Y) >>  2) ^ (X)) & 0x33333333; (X) ^= T; (Y) ^= (T <<  2); \
219
0
        T = (((Y) >>  8) ^ (X)) & 0x00FF00FF; (X) ^= T; (Y) ^= (T <<  8); \
220
0
        (Y) = (((Y) << 1) | ((Y) >> 31)) & 0xFFFFFFFF;                    \
221
0
        T = ((X) ^ (Y)) & 0xAAAAAAAA; (Y) ^= T; (X) ^= T;                 \
222
0
        (X) = (((X) << 1) | ((X) >> 31)) & 0xFFFFFFFF;                    \
223
0
    } while (0)
224
225
/*
226
 * Final Permutation macro
227
 */
228
#define DES_FP(X, Y)                                                       \
229
0
    do                                                                    \
230
0
    {                                                                     \
231
0
        (X) = (((X) << 31) | ((X) >> 1)) & 0xFFFFFFFF;                    \
232
0
        T = ((X) ^ (Y)) & 0xAAAAAAAA; (X) ^= T; (Y) ^= T;                 \
233
0
        (Y) = (((Y) << 31) | ((Y) >> 1)) & 0xFFFFFFFF;                    \
234
0
        T = (((Y) >>  8) ^ (X)) & 0x00FF00FF; (X) ^= T; (Y) ^= (T <<  8); \
235
0
        T = (((Y) >>  2) ^ (X)) & 0x33333333; (X) ^= T; (Y) ^= (T <<  2); \
236
0
        T = (((X) >> 16) ^ (Y)) & 0x0000FFFF; (Y) ^= T; (X) ^= (T << 16); \
237
0
        T = (((X) >>  4) ^ (Y)) & 0x0F0F0F0F; (Y) ^= T; (X) ^= (T <<  4); \
238
0
    } while (0)
239
240
/*
241
 * DES round macro
242
 */
243
#define DES_ROUND(X, Y)                              \
244
0
    do                                              \
245
0
    {                                               \
246
0
        T = *SK++ ^ (X);                            \
247
0
        (Y) ^= SB8[(T) & 0x3F] ^            \
248
0
               SB6[(T >>  8) & 0x3F] ^            \
249
0
               SB4[(T >> 16) & 0x3F] ^            \
250
0
               SB2[(T >> 24) & 0x3F];             \
251
0
                                                    \
252
0
        T = *SK++ ^ (((X) << 28) | ((X) >> 4));     \
253
0
        (Y) ^= SB7[(T) & 0x3F] ^            \
254
0
               SB5[(T >>  8) & 0x3F] ^            \
255
0
               SB3[(T >> 16) & 0x3F] ^            \
256
0
               SB1[(T >> 24) & 0x3F];             \
257
0
    } while (0)
258
259
#define SWAP(a, b)                                       \
260
0
    do                                                  \
261
0
    {                                                   \
262
0
        uint32_t t = (a); (a) = (b); (b) = t; t = 0;    \
263
0
    } while (0)
264
265
void mbedtls_des_init(mbedtls_des_context *ctx)
266
0
{
267
0
    memset(ctx, 0, sizeof(mbedtls_des_context));
268
0
}
269
270
void mbedtls_des_free(mbedtls_des_context *ctx)
271
0
{
272
0
    if (ctx == NULL) {
273
0
        return;
274
0
    }
275
276
0
    mbedtls_platform_zeroize(ctx, sizeof(mbedtls_des_context));
277
0
}
278
279
void mbedtls_des3_init(mbedtls_des3_context *ctx)
280
0
{
281
0
    memset(ctx, 0, sizeof(mbedtls_des3_context));
282
0
}
283
284
void mbedtls_des3_free(mbedtls_des3_context *ctx)
285
0
{
286
0
    if (ctx == NULL) {
287
0
        return;
288
0
    }
289
290
0
    mbedtls_platform_zeroize(ctx, sizeof(mbedtls_des3_context));
291
0
}
292
293
static const unsigned char odd_parity_table[128] = { 1,  2,  4,  7,  8,
294
                                                     11, 13, 14, 16, 19, 21, 22, 25, 26, 28, 31, 32,
295
                                                     35, 37, 38, 41, 42, 44,
296
                                                     47, 49, 50, 52, 55, 56, 59, 61, 62, 64, 67, 69,
297
                                                     70, 73, 74, 76, 79, 81,
298
                                                     82, 84, 87, 88, 91, 93, 94, 97, 98, 100, 103,
299
                                                     104, 107, 109, 110, 112,
300
                                                     115, 117, 118, 121, 122, 124, 127, 128, 131,
301
                                                     133, 134, 137, 138, 140,
302
                                                     143, 145, 146, 148, 151, 152, 155, 157, 158,
303
                                                     161, 162, 164, 167, 168,
304
                                                     171, 173, 174, 176, 179, 181, 182, 185, 186,
305
                                                     188, 191, 193, 194, 196,
306
                                                     199, 200, 203, 205, 206, 208, 211, 213, 214,
307
                                                     217, 218, 220, 223, 224,
308
                                                     227, 229, 230, 233, 234, 236, 239, 241, 242,
309
                                                     244, 247, 248, 251, 253,
310
                                                     254 };
311
312
void mbedtls_des_key_set_parity(unsigned char key[MBEDTLS_DES_KEY_SIZE])
313
0
{
314
0
    int i;
315
316
0
    for (i = 0; i < MBEDTLS_DES_KEY_SIZE; i++) {
317
0
        key[i] = odd_parity_table[key[i] / 2];
318
0
    }
319
0
}
320
321
/*
322
 * Check the given key's parity, returns 1 on failure, 0 on SUCCESS
323
 */
324
int mbedtls_des_key_check_key_parity(const unsigned char key[MBEDTLS_DES_KEY_SIZE])
325
0
{
326
0
    int i;
327
328
0
    for (i = 0; i < MBEDTLS_DES_KEY_SIZE; i++) {
329
0
        if (key[i] != odd_parity_table[key[i] / 2]) {
330
0
            return 1;
331
0
        }
332
0
    }
333
334
0
    return 0;
335
0
}
336
337
/*
338
 * Table of weak and semi-weak keys
339
 *
340
 * Source: http://en.wikipedia.org/wiki/Weak_key
341
 *
342
 * Weak:
343
 * Alternating ones + zeros (0x0101010101010101)
344
 * Alternating 'F' + 'E' (0xFEFEFEFEFEFEFEFE)
345
 * '0xE0E0E0E0F1F1F1F1'
346
 * '0x1F1F1F1F0E0E0E0E'
347
 *
348
 * Semi-weak:
349
 * 0x011F011F010E010E and 0x1F011F010E010E01
350
 * 0x01E001E001F101F1 and 0xE001E001F101F101
351
 * 0x01FE01FE01FE01FE and 0xFE01FE01FE01FE01
352
 * 0x1FE01FE00EF10EF1 and 0xE01FE01FF10EF10E
353
 * 0x1FFE1FFE0EFE0EFE and 0xFE1FFE1FFE0EFE0E
354
 * 0xE0FEE0FEF1FEF1FE and 0xFEE0FEE0FEF1FEF1
355
 *
356
 */
357
358
0
#define WEAK_KEY_COUNT 16
359
360
static const unsigned char weak_key_table[WEAK_KEY_COUNT][MBEDTLS_DES_KEY_SIZE] =
361
{
362
    { 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 },
363
    { 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE },
364
    { 0x1F, 0x1F, 0x1F, 0x1F, 0x0E, 0x0E, 0x0E, 0x0E },
365
    { 0xE0, 0xE0, 0xE0, 0xE0, 0xF1, 0xF1, 0xF1, 0xF1 },
366
367
    { 0x01, 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E },
368
    { 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E, 0x01 },
369
    { 0x01, 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1 },
370
    { 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1, 0x01 },
371
    { 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE },
372
    { 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01 },
373
    { 0x1F, 0xE0, 0x1F, 0xE0, 0x0E, 0xF1, 0x0E, 0xF1 },
374
    { 0xE0, 0x1F, 0xE0, 0x1F, 0xF1, 0x0E, 0xF1, 0x0E },
375
    { 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E, 0xFE },
376
    { 0xFE, 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E },
377
    { 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1, 0xFE },
378
    { 0xFE, 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1 }
379
};
380
381
int mbedtls_des_key_check_weak(const unsigned char key[MBEDTLS_DES_KEY_SIZE])
382
0
{
383
0
    int i;
384
385
0
    for (i = 0; i < WEAK_KEY_COUNT; i++) {
386
0
        if (memcmp(weak_key_table[i], key, MBEDTLS_DES_KEY_SIZE) == 0) {
387
0
            return 1;
388
0
        }
389
0
    }
390
391
0
    return 0;
392
0
}
393
394
#if !defined(MBEDTLS_DES_SETKEY_ALT)
395
void mbedtls_des_setkey(uint32_t SK[32], const unsigned char key[MBEDTLS_DES_KEY_SIZE])
396
0
{
397
0
    int i;
398
0
    uint32_t X, Y, T;
399
400
0
    X = MBEDTLS_GET_UINT32_BE(key, 0);
401
0
    Y = MBEDTLS_GET_UINT32_BE(key, 4);
402
403
    /*
404
     * Permuted Choice 1
405
     */
406
0
    T =  ((Y >>  4) ^ X) & 0x0F0F0F0F;  X ^= T; Y ^= (T <<  4);
407
0
    T =  ((Y) ^ X) & 0x10101010;  X ^= T; Y ^= (T);
408
409
0
    X =   (LHs[(X) & 0xF] << 3) | (LHs[(X >>  8) & 0xF] << 2)
410
0
        | (LHs[(X >> 16) & 0xF] << 1) | (LHs[(X >> 24) & 0xF])
411
0
        | (LHs[(X >>  5) & 0xF] << 7) | (LHs[(X >> 13) & 0xF] << 6)
412
0
        | (LHs[(X >> 21) & 0xF] << 5) | (LHs[(X >> 29) & 0xF] << 4);
413
414
0
    Y =   (RHs[(Y >>  1) & 0xF] << 3) | (RHs[(Y >>  9) & 0xF] << 2)
415
0
        | (RHs[(Y >> 17) & 0xF] << 1) | (RHs[(Y >> 25) & 0xF])
416
0
        | (RHs[(Y >>  4) & 0xF] << 7) | (RHs[(Y >> 12) & 0xF] << 6)
417
0
        | (RHs[(Y >> 20) & 0xF] << 5) | (RHs[(Y >> 28) & 0xF] << 4);
418
419
0
    X &= 0x0FFFFFFF;
420
0
    Y &= 0x0FFFFFFF;
421
422
    /*
423
     * calculate subkeys
424
     */
425
0
    for (i = 0; i < 16; i++) {
426
0
        if (i < 2 || i == 8 || i == 15) {
427
0
            X = ((X <<  1) | (X >> 27)) & 0x0FFFFFFF;
428
0
            Y = ((Y <<  1) | (Y >> 27)) & 0x0FFFFFFF;
429
0
        } else {
430
0
            X = ((X <<  2) | (X >> 26)) & 0x0FFFFFFF;
431
0
            Y = ((Y <<  2) | (Y >> 26)) & 0x0FFFFFFF;
432
0
        }
433
434
0
        *SK++ =   ((X <<  4) & 0x24000000) | ((X << 28) & 0x10000000)
435
0
                | ((X << 14) & 0x08000000) | ((X << 18) & 0x02080000)
436
0
                | ((X <<  6) & 0x01000000) | ((X <<  9) & 0x00200000)
437
0
                | ((X >>  1) & 0x00100000) | ((X << 10) & 0x00040000)
438
0
                | ((X <<  2) & 0x00020000) | ((X >> 10) & 0x00010000)
439
0
                | ((Y >> 13) & 0x00002000) | ((Y >>  4) & 0x00001000)
440
0
                | ((Y <<  6) & 0x00000800) | ((Y >>  1) & 0x00000400)
441
0
                | ((Y >> 14) & 0x00000200) | ((Y) & 0x00000100)
442
0
                | ((Y >>  5) & 0x00000020) | ((Y >> 10) & 0x00000010)
443
0
                | ((Y >>  3) & 0x00000008) | ((Y >> 18) & 0x00000004)
444
0
                | ((Y >> 26) & 0x00000002) | ((Y >> 24) & 0x00000001);
445
446
0
        *SK++ =   ((X << 15) & 0x20000000) | ((X << 17) & 0x10000000)
447
0
                | ((X << 10) & 0x08000000) | ((X << 22) & 0x04000000)
448
0
                | ((X >>  2) & 0x02000000) | ((X <<  1) & 0x01000000)
449
0
                | ((X << 16) & 0x00200000) | ((X << 11) & 0x00100000)
450
0
                | ((X <<  3) & 0x00080000) | ((X >>  6) & 0x00040000)
451
0
                | ((X << 15) & 0x00020000) | ((X >>  4) & 0x00010000)
452
0
                | ((Y >>  2) & 0x00002000) | ((Y <<  8) & 0x00001000)
453
0
                | ((Y >> 14) & 0x00000808) | ((Y >>  9) & 0x00000400)
454
0
                | ((Y) & 0x00000200) | ((Y <<  7) & 0x00000100)
455
0
                | ((Y >>  7) & 0x00000020) | ((Y >>  3) & 0x00000011)
456
0
                | ((Y <<  2) & 0x00000004) | ((Y >> 21) & 0x00000002);
457
0
    }
458
0
}
459
#endif /* !MBEDTLS_DES_SETKEY_ALT */
460
461
/*
462
 * DES key schedule (56-bit, encryption)
463
 */
464
int mbedtls_des_setkey_enc(mbedtls_des_context *ctx, const unsigned char key[MBEDTLS_DES_KEY_SIZE])
465
0
{
466
0
    mbedtls_des_setkey(ctx->sk, key);
467
468
0
    return 0;
469
0
}
470
471
/*
472
 * DES key schedule (56-bit, decryption)
473
 */
474
int mbedtls_des_setkey_dec(mbedtls_des_context *ctx, const unsigned char key[MBEDTLS_DES_KEY_SIZE])
475
0
{
476
0
    int i;
477
478
0
    mbedtls_des_setkey(ctx->sk, key);
479
480
0
    for (i = 0; i < 16; i += 2) {
481
0
        SWAP(ctx->sk[i], ctx->sk[30 - i]);
482
0
        SWAP(ctx->sk[i + 1], ctx->sk[31 - i]);
483
0
    }
484
485
0
    return 0;
486
0
}
487
488
static void des3_set2key(uint32_t esk[96],
489
                         uint32_t dsk[96],
490
                         const unsigned char key[MBEDTLS_DES_KEY_SIZE*2])
491
0
{
492
0
    int i;
493
494
0
    mbedtls_des_setkey(esk, key);
495
0
    mbedtls_des_setkey(dsk + 32, key + 8);
496
497
0
    for (i = 0; i < 32; i += 2) {
498
0
        dsk[i] = esk[30 - i];
499
0
        dsk[i +  1] = esk[31 - i];
500
501
0
        esk[i + 32] = dsk[62 - i];
502
0
        esk[i + 33] = dsk[63 - i];
503
504
0
        esk[i + 64] = esk[i];
505
0
        esk[i + 65] = esk[i + 1];
506
507
0
        dsk[i + 64] = dsk[i];
508
0
        dsk[i + 65] = dsk[i + 1];
509
0
    }
510
0
}
511
512
/*
513
 * Triple-DES key schedule (112-bit, encryption)
514
 */
515
int mbedtls_des3_set2key_enc(mbedtls_des3_context *ctx,
516
                             const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2])
517
0
{
518
0
    uint32_t sk[96];
519
520
0
    des3_set2key(ctx->sk, sk, key);
521
0
    mbedtls_platform_zeroize(sk,  sizeof(sk));
522
523
0
    return 0;
524
0
}
525
526
/*
527
 * Triple-DES key schedule (112-bit, decryption)
528
 */
529
int mbedtls_des3_set2key_dec(mbedtls_des3_context *ctx,
530
                             const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2])
531
0
{
532
0
    uint32_t sk[96];
533
534
0
    des3_set2key(sk, ctx->sk, key);
535
0
    mbedtls_platform_zeroize(sk,  sizeof(sk));
536
537
0
    return 0;
538
0
}
539
540
static void des3_set3key(uint32_t esk[96],
541
                         uint32_t dsk[96],
542
                         const unsigned char key[24])
543
0
{
544
0
    int i;
545
546
0
    mbedtls_des_setkey(esk, key);
547
0
    mbedtls_des_setkey(dsk + 32, key +  8);
548
0
    mbedtls_des_setkey(esk + 64, key + 16);
549
550
0
    for (i = 0; i < 32; i += 2) {
551
0
        dsk[i] = esk[94 - i];
552
0
        dsk[i +  1] = esk[95 - i];
553
554
0
        esk[i + 32] = dsk[62 - i];
555
0
        esk[i + 33] = dsk[63 - i];
556
557
0
        dsk[i + 64] = esk[30 - i];
558
0
        dsk[i + 65] = esk[31 - i];
559
0
    }
560
0
}
561
562
/*
563
 * Triple-DES key schedule (168-bit, encryption)
564
 */
565
int mbedtls_des3_set3key_enc(mbedtls_des3_context *ctx,
566
                             const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3])
567
0
{
568
0
    uint32_t sk[96];
569
570
0
    des3_set3key(ctx->sk, sk, key);
571
0
    mbedtls_platform_zeroize(sk,  sizeof(sk));
572
573
0
    return 0;
574
0
}
575
576
/*
577
 * Triple-DES key schedule (168-bit, decryption)
578
 */
579
int mbedtls_des3_set3key_dec(mbedtls_des3_context *ctx,
580
                             const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3])
581
0
{
582
0
    uint32_t sk[96];
583
584
0
    des3_set3key(sk, ctx->sk, key);
585
0
    mbedtls_platform_zeroize(sk,  sizeof(sk));
586
587
0
    return 0;
588
0
}
589
590
/*
591
 * DES-ECB block encryption/decryption
592
 */
593
#if !defined(MBEDTLS_DES_CRYPT_ECB_ALT)
594
int mbedtls_des_crypt_ecb(mbedtls_des_context *ctx,
595
                          const unsigned char input[8],
596
                          unsigned char output[8])
597
0
{
598
0
    int i;
599
0
    uint32_t X, Y, T, *SK;
600
601
0
    SK = ctx->sk;
602
603
0
    X = MBEDTLS_GET_UINT32_BE(input, 0);
604
0
    Y = MBEDTLS_GET_UINT32_BE(input, 4);
605
606
0
    DES_IP(X, Y);
607
608
0
    for (i = 0; i < 8; i++) {
609
0
        DES_ROUND(Y, X);
610
0
        DES_ROUND(X, Y);
611
0
    }
612
613
0
    DES_FP(Y, X);
614
615
0
    MBEDTLS_PUT_UINT32_BE(Y, output, 0);
616
0
    MBEDTLS_PUT_UINT32_BE(X, output, 4);
617
618
0
    return 0;
619
0
}
620
#endif /* !MBEDTLS_DES_CRYPT_ECB_ALT */
621
622
#if defined(MBEDTLS_CIPHER_MODE_CBC)
623
/*
624
 * DES-CBC buffer encryption/decryption
625
 */
626
int mbedtls_des_crypt_cbc(mbedtls_des_context *ctx,
627
                          int mode,
628
                          size_t length,
629
                          unsigned char iv[8],
630
                          const unsigned char *input,
631
                          unsigned char *output)
632
0
{
633
0
    int i;
634
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
635
0
    unsigned char temp[8];
636
637
0
    if (length % 8) {
638
0
        return MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH;
639
0
    }
640
641
0
    if (mode == MBEDTLS_DES_ENCRYPT) {
642
0
        while (length > 0) {
643
0
            for (i = 0; i < 8; i++) {
644
0
                output[i] = (unsigned char) (input[i] ^ iv[i]);
645
0
            }
646
647
0
            ret = mbedtls_des_crypt_ecb(ctx, output, output);
648
0
            if (ret != 0) {
649
0
                goto exit;
650
0
            }
651
0
            memcpy(iv, output, 8);
652
653
0
            input  += 8;
654
0
            output += 8;
655
0
            length -= 8;
656
0
        }
657
0
    } else { /* MBEDTLS_DES_DECRYPT */
658
0
        while (length > 0) {
659
0
            memcpy(temp, input, 8);
660
0
            ret = mbedtls_des_crypt_ecb(ctx, input, output);
661
0
            if (ret != 0) {
662
0
                goto exit;
663
0
            }
664
665
0
            for (i = 0; i < 8; i++) {
666
0
                output[i] = (unsigned char) (output[i] ^ iv[i]);
667
0
            }
668
669
0
            memcpy(iv, temp, 8);
670
671
0
            input  += 8;
672
0
            output += 8;
673
0
            length -= 8;
674
0
        }
675
0
    }
676
0
    ret = 0;
677
678
0
exit:
679
0
    return ret;
680
0
}
681
#endif /* MBEDTLS_CIPHER_MODE_CBC */
682
683
/*
684
 * 3DES-ECB block encryption/decryption
685
 */
686
#if !defined(MBEDTLS_DES3_CRYPT_ECB_ALT)
687
int mbedtls_des3_crypt_ecb(mbedtls_des3_context *ctx,
688
                           const unsigned char input[8],
689
                           unsigned char output[8])
690
0
{
691
0
    int i;
692
0
    uint32_t X, Y, T, *SK;
693
694
0
    SK = ctx->sk;
695
696
0
    X = MBEDTLS_GET_UINT32_BE(input, 0);
697
0
    Y = MBEDTLS_GET_UINT32_BE(input, 4);
698
699
0
    DES_IP(X, Y);
700
701
0
    for (i = 0; i < 8; i++) {
702
0
        DES_ROUND(Y, X);
703
0
        DES_ROUND(X, Y);
704
0
    }
705
706
0
    for (i = 0; i < 8; i++) {
707
0
        DES_ROUND(X, Y);
708
0
        DES_ROUND(Y, X);
709
0
    }
710
711
0
    for (i = 0; i < 8; i++) {
712
0
        DES_ROUND(Y, X);
713
0
        DES_ROUND(X, Y);
714
0
    }
715
716
0
    DES_FP(Y, X);
717
718
0
    MBEDTLS_PUT_UINT32_BE(Y, output, 0);
719
0
    MBEDTLS_PUT_UINT32_BE(X, output, 4);
720
721
0
    return 0;
722
0
}
723
#endif /* !MBEDTLS_DES3_CRYPT_ECB_ALT */
724
725
#if defined(MBEDTLS_CIPHER_MODE_CBC)
726
/*
727
 * 3DES-CBC buffer encryption/decryption
728
 */
729
int mbedtls_des3_crypt_cbc(mbedtls_des3_context *ctx,
730
                           int mode,
731
                           size_t length,
732
                           unsigned char iv[8],
733
                           const unsigned char *input,
734
                           unsigned char *output)
735
0
{
736
0
    int i;
737
0
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
738
0
    unsigned char temp[8];
739
740
0
    if (length % 8) {
741
0
        return MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH;
742
0
    }
743
744
0
    if (mode == MBEDTLS_DES_ENCRYPT) {
745
0
        while (length > 0) {
746
0
            for (i = 0; i < 8; i++) {
747
0
                output[i] = (unsigned char) (input[i] ^ iv[i]);
748
0
            }
749
750
0
            ret = mbedtls_des3_crypt_ecb(ctx, output, output);
751
0
            if (ret != 0) {
752
0
                goto exit;
753
0
            }
754
0
            memcpy(iv, output, 8);
755
756
0
            input  += 8;
757
0
            output += 8;
758
0
            length -= 8;
759
0
        }
760
0
    } else { /* MBEDTLS_DES_DECRYPT */
761
0
        while (length > 0) {
762
0
            memcpy(temp, input, 8);
763
0
            ret = mbedtls_des3_crypt_ecb(ctx, input, output);
764
0
            if (ret != 0) {
765
0
                goto exit;
766
0
            }
767
768
0
            for (i = 0; i < 8; i++) {
769
0
                output[i] = (unsigned char) (output[i] ^ iv[i]);
770
0
            }
771
772
0
            memcpy(iv, temp, 8);
773
774
0
            input  += 8;
775
0
            output += 8;
776
0
            length -= 8;
777
0
        }
778
0
    }
779
0
    ret = 0;
780
781
0
exit:
782
0
    return ret;
783
0
}
784
#endif /* MBEDTLS_CIPHER_MODE_CBC */
785
786
#endif /* !MBEDTLS_DES_ALT */
787
788
#if defined(MBEDTLS_SELF_TEST)
789
/*
790
 * DES and 3DES test vectors from:
791
 *
792
 * http://csrc.nist.gov/groups/STM/cavp/documents/des/tripledes-vectors.zip
793
 */
794
static const unsigned char des3_test_keys[24] =
795
{
796
    0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF,
797
    0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01,
798
    0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01, 0x23
799
};
800
801
static const unsigned char des3_test_buf[8] =
802
{
803
    0x4E, 0x6F, 0x77, 0x20, 0x69, 0x73, 0x20, 0x74
804
};
805
806
static const unsigned char des3_test_ecb_dec[3][8] =
807
{
808
    { 0x37, 0x2B, 0x98, 0xBF, 0x52, 0x65, 0xB0, 0x59 },
809
    { 0xC2, 0x10, 0x19, 0x9C, 0x38, 0x5A, 0x65, 0xA1 },
810
    { 0xA2, 0x70, 0x56, 0x68, 0x69, 0xE5, 0x15, 0x1D }
811
};
812
813
static const unsigned char des3_test_ecb_enc[3][8] =
814
{
815
    { 0x1C, 0xD5, 0x97, 0xEA, 0x84, 0x26, 0x73, 0xFB },
816
    { 0xB3, 0x92, 0x4D, 0xF3, 0xC5, 0xB5, 0x42, 0x93 },
817
    { 0xDA, 0x37, 0x64, 0x41, 0xBA, 0x6F, 0x62, 0x6F }
818
};
819
820
#if defined(MBEDTLS_CIPHER_MODE_CBC)
821
static const unsigned char des3_test_iv[8] =
822
{
823
    0x12, 0x34, 0x56, 0x78, 0x90, 0xAB, 0xCD, 0xEF,
824
};
825
826
static const unsigned char des3_test_cbc_dec[3][8] =
827
{
828
    { 0x58, 0xD9, 0x48, 0xEF, 0x85, 0x14, 0x65, 0x9A },
829
    { 0x5F, 0xC8, 0x78, 0xD4, 0xD7, 0x92, 0xD9, 0x54 },
830
    { 0x25, 0xF9, 0x75, 0x85, 0xA8, 0x1E, 0x48, 0xBF }
831
};
832
833
static const unsigned char des3_test_cbc_enc[3][8] =
834
{
835
    { 0x91, 0x1C, 0x6D, 0xCF, 0x48, 0xA7, 0xC3, 0x4D },
836
    { 0x60, 0x1A, 0x76, 0x8F, 0xA1, 0xF9, 0x66, 0xF1 },
837
    { 0xA1, 0x50, 0x0F, 0x99, 0xB2, 0xCD, 0x64, 0x76 }
838
};
839
#endif /* MBEDTLS_CIPHER_MODE_CBC */
840
841
/*
842
 * Checkup routine
843
 */
844
int mbedtls_des_self_test(int verbose)
845
0
{
846
0
    int i, j, u, v, ret = 0;
847
0
    mbedtls_des_context ctx;
848
0
    mbedtls_des3_context ctx3;
849
0
    unsigned char buf[8];
850
0
#if defined(MBEDTLS_CIPHER_MODE_CBC)
851
0
    unsigned char prv[8];
852
0
    unsigned char iv[8];
853
0
#endif
854
855
0
    mbedtls_des_init(&ctx);
856
0
    mbedtls_des3_init(&ctx3);
857
    /*
858
     * ECB mode
859
     */
860
0
    for (i = 0; i < 6; i++) {
861
0
        u = i >> 1;
862
0
        v = i  & 1;
863
864
0
        if (verbose != 0) {
865
0
            mbedtls_printf("  DES%c-ECB-%3d (%s): ",
866
0
                           (u == 0) ? ' ' : '3', 56 + u * 56,
867
0
                           (v == MBEDTLS_DES_DECRYPT) ? "dec" : "enc");
868
0
        }
869
870
0
        memcpy(buf, des3_test_buf, 8);
871
872
0
        switch (i) {
873
0
            case 0:
874
0
                ret = mbedtls_des_setkey_dec(&ctx, des3_test_keys);
875
0
                break;
876
877
0
            case 1:
878
0
                ret = mbedtls_des_setkey_enc(&ctx, des3_test_keys);
879
0
                break;
880
881
0
            case 2:
882
0
                ret = mbedtls_des3_set2key_dec(&ctx3, des3_test_keys);
883
0
                break;
884
885
0
            case 3:
886
0
                ret = mbedtls_des3_set2key_enc(&ctx3, des3_test_keys);
887
0
                break;
888
889
0
            case 4:
890
0
                ret = mbedtls_des3_set3key_dec(&ctx3, des3_test_keys);
891
0
                break;
892
893
0
            case 5:
894
0
                ret = mbedtls_des3_set3key_enc(&ctx3, des3_test_keys);
895
0
                break;
896
897
0
            default:
898
0
                return 1;
899
0
        }
900
0
        if (ret != 0) {
901
0
            goto exit;
902
0
        }
903
904
0
        for (j = 0; j < 100; j++) {
905
0
            if (u == 0) {
906
0
                ret = mbedtls_des_crypt_ecb(&ctx, buf, buf);
907
0
            } else {
908
0
                ret = mbedtls_des3_crypt_ecb(&ctx3, buf, buf);
909
0
            }
910
0
            if (ret != 0) {
911
0
                goto exit;
912
0
            }
913
0
        }
914
915
0
        if ((v == MBEDTLS_DES_DECRYPT &&
916
0
             memcmp(buf, des3_test_ecb_dec[u], 8) != 0) ||
917
0
            (v != MBEDTLS_DES_DECRYPT &&
918
0
             memcmp(buf, des3_test_ecb_enc[u], 8) != 0)) {
919
0
            if (verbose != 0) {
920
0
                mbedtls_printf("failed\n");
921
0
            }
922
923
0
            ret = 1;
924
0
            goto exit;
925
0
        }
926
927
0
        if (verbose != 0) {
928
0
            mbedtls_printf("passed\n");
929
0
        }
930
0
    }
931
932
0
    if (verbose != 0) {
933
0
        mbedtls_printf("\n");
934
0
    }
935
936
0
#if defined(MBEDTLS_CIPHER_MODE_CBC)
937
    /*
938
     * CBC mode
939
     */
940
0
    for (i = 0; i < 6; i++) {
941
0
        u = i >> 1;
942
0
        v = i  & 1;
943
944
0
        if (verbose != 0) {
945
0
            mbedtls_printf("  DES%c-CBC-%3d (%s): ",
946
0
                           (u == 0) ? ' ' : '3', 56 + u * 56,
947
0
                           (v == MBEDTLS_DES_DECRYPT) ? "dec" : "enc");
948
0
        }
949
950
0
        memcpy(iv,  des3_test_iv,  8);
951
0
        memcpy(prv, des3_test_iv,  8);
952
0
        memcpy(buf, des3_test_buf, 8);
953
954
0
        switch (i) {
955
0
            case 0:
956
0
                ret = mbedtls_des_setkey_dec(&ctx, des3_test_keys);
957
0
                break;
958
959
0
            case 1:
960
0
                ret = mbedtls_des_setkey_enc(&ctx, des3_test_keys);
961
0
                break;
962
963
0
            case 2:
964
0
                ret = mbedtls_des3_set2key_dec(&ctx3, des3_test_keys);
965
0
                break;
966
967
0
            case 3:
968
0
                ret = mbedtls_des3_set2key_enc(&ctx3, des3_test_keys);
969
0
                break;
970
971
0
            case 4:
972
0
                ret = mbedtls_des3_set3key_dec(&ctx3, des3_test_keys);
973
0
                break;
974
975
0
            case 5:
976
0
                ret = mbedtls_des3_set3key_enc(&ctx3, des3_test_keys);
977
0
                break;
978
979
0
            default:
980
0
                return 1;
981
0
        }
982
0
        if (ret != 0) {
983
0
            goto exit;
984
0
        }
985
986
0
        if (v == MBEDTLS_DES_DECRYPT) {
987
0
            for (j = 0; j < 100; j++) {
988
0
                if (u == 0) {
989
0
                    ret = mbedtls_des_crypt_cbc(&ctx, v, 8, iv, buf, buf);
990
0
                } else {
991
0
                    ret = mbedtls_des3_crypt_cbc(&ctx3, v, 8, iv, buf, buf);
992
0
                }
993
0
                if (ret != 0) {
994
0
                    goto exit;
995
0
                }
996
0
            }
997
0
        } else {
998
0
            for (j = 0; j < 100; j++) {
999
0
                unsigned char tmp[8];
1000
1001
0
                if (u == 0) {
1002
0
                    ret = mbedtls_des_crypt_cbc(&ctx, v, 8, iv, buf, buf);
1003
0
                } else {
1004
0
                    ret = mbedtls_des3_crypt_cbc(&ctx3, v, 8, iv, buf, buf);
1005
0
                }
1006
0
                if (ret != 0) {
1007
0
                    goto exit;
1008
0
                }
1009
1010
0
                memcpy(tmp, prv, 8);
1011
0
                memcpy(prv, buf, 8);
1012
0
                memcpy(buf, tmp, 8);
1013
0
            }
1014
1015
0
            memcpy(buf, prv, 8);
1016
0
        }
1017
1018
0
        if ((v == MBEDTLS_DES_DECRYPT &&
1019
0
             memcmp(buf, des3_test_cbc_dec[u], 8) != 0) ||
1020
0
            (v != MBEDTLS_DES_DECRYPT &&
1021
0
             memcmp(buf, des3_test_cbc_enc[u], 8) != 0)) {
1022
0
            if (verbose != 0) {
1023
0
                mbedtls_printf("failed\n");
1024
0
            }
1025
1026
0
            ret = 1;
1027
0
            goto exit;
1028
0
        }
1029
1030
0
        if (verbose != 0) {
1031
0
            mbedtls_printf("passed\n");
1032
0
        }
1033
0
    }
1034
0
#endif /* MBEDTLS_CIPHER_MODE_CBC */
1035
1036
0
    if (verbose != 0) {
1037
0
        mbedtls_printf("\n");
1038
0
    }
1039
1040
0
exit:
1041
0
    mbedtls_des_free(&ctx);
1042
0
    mbedtls_des3_free(&ctx3);
1043
1044
0
    if (ret != 0) {
1045
0
        ret = 1;
1046
0
    }
1047
0
    return ret;
1048
0
}
1049
1050
#endif /* MBEDTLS_SELF_TEST */
1051
1052
#endif /* MBEDTLS_DES_C */