Google Git
Sign in
pigweed / third_party / github / ARMmbed / mbedtls / 1ef83d66dd5a94a1b1985fd3e1706367e587e892 / . / library / des.c
blob: b40baf8fbea296f0c8f14caebe24d84b221bd9f6 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * FIPS-46-3 compliant Triple-DES implementation
3 *
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]4 * Copyright (C) 2006-2010, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]5 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +0000[diff] [blame]7 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]8 *
Paul Bakker77b385e2009-07-28 17:23:11 +0000[diff] [blame]9 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +0000[diff] [blame]10 *
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25/*
26 * DES, on which TDES is based, was originally designed by Horst Feistel
27 * at IBM in 1974, and was adopted as a standard by NIST (formerly NBS).
28 *
29 * http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf
30 */
31
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]32#include "polarssl/config.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]33
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]34#if defined(POLARSSL_DES_C)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]35
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]36#include "polarssl/des.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]37
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]38/*
39 * 32-bit integer manipulation macros (big endian)
40 */
41#ifndef GET_ULONG_BE
42#define GET_ULONG_BE(n,b,i) \
43{ \
44 (n) = ( (unsigned long) (b)[(i) ] << 24 ) \
45 | ( (unsigned long) (b)[(i) + 1] << 16 ) \
46 | ( (unsigned long) (b)[(i) + 2] << 8 ) \
47 | ( (unsigned long) (b)[(i) + 3] ); \
48}
49#endif
50
51#ifndef PUT_ULONG_BE
52#define PUT_ULONG_BE(n,b,i) \
53{ \
54 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
55 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
56 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
57 (b)[(i) + 3] = (unsigned char) ( (n) ); \
58}
59#endif
60
61/*
62 * Expanded DES S-boxes
63 */
64static const unsigned long SB1[64] =
65{
66 0x01010400, 0x00000000, 0x00010000, 0x01010404,
67 0x01010004, 0x00010404, 0x00000004, 0x00010000,
68 0x00000400, 0x01010400, 0x01010404, 0x00000400,
69 0x01000404, 0x01010004, 0x01000000, 0x00000004,
70 0x00000404, 0x01000400, 0x01000400, 0x00010400,
71 0x00010400, 0x01010000, 0x01010000, 0x01000404,
72 0x00010004, 0x01000004, 0x01000004, 0x00010004,
73 0x00000000, 0x00000404, 0x00010404, 0x01000000,
74 0x00010000, 0x01010404, 0x00000004, 0x01010000,
75 0x01010400, 0x01000000, 0x01000000, 0x00000400,
76 0x01010004, 0x00010000, 0x00010400, 0x01000004,
77 0x00000400, 0x00000004, 0x01000404, 0x00010404,
78 0x01010404, 0x00010004, 0x01010000, 0x01000404,
79 0x01000004, 0x00000404, 0x00010404, 0x01010400,
80 0x00000404, 0x01000400, 0x01000400, 0x00000000,
81 0x00010004, 0x00010400, 0x00000000, 0x01010004
82};
83
84static const unsigned long SB2[64] =
85{
86 0x80108020, 0x80008000, 0x00008000, 0x00108020,
87 0x00100000, 0x00000020, 0x80100020, 0x80008020,
88 0x80000020, 0x80108020, 0x80108000, 0x80000000,
89 0x80008000, 0x00100000, 0x00000020, 0x80100020,
90 0x00108000, 0x00100020, 0x80008020, 0x00000000,
91 0x80000000, 0x00008000, 0x00108020, 0x80100000,
92 0x00100020, 0x80000020, 0x00000000, 0x00108000,
93 0x00008020, 0x80108000, 0x80100000, 0x00008020,
94 0x00000000, 0x00108020, 0x80100020, 0x00100000,
95 0x80008020, 0x80100000, 0x80108000, 0x00008000,
96 0x80100000, 0x80008000, 0x00000020, 0x80108020,
97 0x00108020, 0x00000020, 0x00008000, 0x80000000,
98 0x00008020, 0x80108000, 0x00100000, 0x80000020,
99 0x00100020, 0x80008020, 0x80000020, 0x00100020,
100 0x00108000, 0x00000000, 0x80008000, 0x00008020,
101 0x80000000, 0x80100020, 0x80108020, 0x00108000
102};
103
104static const unsigned long SB3[64] =
105{
106 0x00000208, 0x08020200, 0x00000000, 0x08020008,
107 0x08000200, 0x00000000, 0x00020208, 0x08000200,
108 0x00020008, 0x08000008, 0x08000008, 0x00020000,
109 0x08020208, 0x00020008, 0x08020000, 0x00000208,
110 0x08000000, 0x00000008, 0x08020200, 0x00000200,
111 0x00020200, 0x08020000, 0x08020008, 0x00020208,
112 0x08000208, 0x00020200, 0x00020000, 0x08000208,
113 0x00000008, 0x08020208, 0x00000200, 0x08000000,
114 0x08020200, 0x08000000, 0x00020008, 0x00000208,
115 0x00020000, 0x08020200, 0x08000200, 0x00000000,
116 0x00000200, 0x00020008, 0x08020208, 0x08000200,
117 0x08000008, 0x00000200, 0x00000000, 0x08020008,
118 0x08000208, 0x00020000, 0x08000000, 0x08020208,
119 0x00000008, 0x00020208, 0x00020200, 0x08000008,
120 0x08020000, 0x08000208, 0x00000208, 0x08020000,
121 0x00020208, 0x00000008, 0x08020008, 0x00020200
122};
123
124static const unsigned long SB4[64] =
125{
126 0x00802001, 0x00002081, 0x00002081, 0x00000080,
127 0x00802080, 0x00800081, 0x00800001, 0x00002001,
128 0x00000000, 0x00802000, 0x00802000, 0x00802081,
129 0x00000081, 0x00000000, 0x00800080, 0x00800001,
130 0x00000001, 0x00002000, 0x00800000, 0x00802001,
131 0x00000080, 0x00800000, 0x00002001, 0x00002080,
132 0x00800081, 0x00000001, 0x00002080, 0x00800080,
133 0x00002000, 0x00802080, 0x00802081, 0x00000081,
134 0x00800080, 0x00800001, 0x00802000, 0x00802081,
135 0x00000081, 0x00000000, 0x00000000, 0x00802000,
136 0x00002080, 0x00800080, 0x00800081, 0x00000001,
137 0x00802001, 0x00002081, 0x00002081, 0x00000080,
138 0x00802081, 0x00000081, 0x00000001, 0x00002000,
139 0x00800001, 0x00002001, 0x00802080, 0x00800081,
140 0x00002001, 0x00002080, 0x00800000, 0x00802001,
141 0x00000080, 0x00800000, 0x00002000, 0x00802080
142};
143
144static const unsigned long SB5[64] =
145{
146 0x00000100, 0x02080100, 0x02080000, 0x42000100,
147 0x00080000, 0x00000100, 0x40000000, 0x02080000,
148 0x40080100, 0x00080000, 0x02000100, 0x40080100,
149 0x42000100, 0x42080000, 0x00080100, 0x40000000,
150 0x02000000, 0x40080000, 0x40080000, 0x00000000,
151 0x40000100, 0x42080100, 0x42080100, 0x02000100,
152 0x42080000, 0x40000100, 0x00000000, 0x42000000,
153 0x02080100, 0x02000000, 0x42000000, 0x00080100,
154 0x00080000, 0x42000100, 0x00000100, 0x02000000,
155 0x40000000, 0x02080000, 0x42000100, 0x40080100,
156 0x02000100, 0x40000000, 0x42080000, 0x02080100,
157 0x40080100, 0x00000100, 0x02000000, 0x42080000,
158 0x42080100, 0x00080100, 0x42000000, 0x42080100,
159 0x02080000, 0x00000000, 0x40080000, 0x42000000,
160 0x00080100, 0x02000100, 0x40000100, 0x00080000,
161 0x00000000, 0x40080000, 0x02080100, 0x40000100
162};
163
164static const unsigned long SB6[64] =
165{
166 0x20000010, 0x20400000, 0x00004000, 0x20404010,
167 0x20400000, 0x00000010, 0x20404010, 0x00400000,
168 0x20004000, 0x00404010, 0x00400000, 0x20000010,
169 0x00400010, 0x20004000, 0x20000000, 0x00004010,
170 0x00000000, 0x00400010, 0x20004010, 0x00004000,
171 0x00404000, 0x20004010, 0x00000010, 0x20400010,
172 0x20400010, 0x00000000, 0x00404010, 0x20404000,
173 0x00004010, 0x00404000, 0x20404000, 0x20000000,
174 0x20004000, 0x00000010, 0x20400010, 0x00404000,
175 0x20404010, 0x00400000, 0x00004010, 0x20000010,
176 0x00400000, 0x20004000, 0x20000000, 0x00004010,
177 0x20000010, 0x20404010, 0x00404000, 0x20400000,
178 0x00404010, 0x20404000, 0x00000000, 0x20400010,
179 0x00000010, 0x00004000, 0x20400000, 0x00404010,
180 0x00004000, 0x00400010, 0x20004010, 0x00000000,
181 0x20404000, 0x20000000, 0x00400010, 0x20004010
182};
183
184static const unsigned long SB7[64] =
185{
186 0x00200000, 0x04200002, 0x04000802, 0x00000000,
187 0x00000800, 0x04000802, 0x00200802, 0x04200800,
188 0x04200802, 0x00200000, 0x00000000, 0x04000002,
189 0x00000002, 0x04000000, 0x04200002, 0x00000802,
190 0x04000800, 0x00200802, 0x00200002, 0x04000800,
191 0x04000002, 0x04200000, 0x04200800, 0x00200002,
192 0x04200000, 0x00000800, 0x00000802, 0x04200802,
193 0x00200800, 0x00000002, 0x04000000, 0x00200800,
194 0x04000000, 0x00200800, 0x00200000, 0x04000802,
195 0x04000802, 0x04200002, 0x04200002, 0x00000002,
196 0x00200002, 0x04000000, 0x04000800, 0x00200000,
197 0x04200800, 0x00000802, 0x00200802, 0x04200800,
198 0x00000802, 0x04000002, 0x04200802, 0x04200000,
199 0x00200800, 0x00000000, 0x00000002, 0x04200802,
200 0x00000000, 0x00200802, 0x04200000, 0x00000800,
201 0x04000002, 0x04000800, 0x00000800, 0x00200002
202};
203
204static const unsigned long SB8[64] =
205{
206 0x10001040, 0x00001000, 0x00040000, 0x10041040,
207 0x10000000, 0x10001040, 0x00000040, 0x10000000,
208 0x00040040, 0x10040000, 0x10041040, 0x00041000,
209 0x10041000, 0x00041040, 0x00001000, 0x00000040,
210 0x10040000, 0x10000040, 0x10001000, 0x00001040,
211 0x00041000, 0x00040040, 0x10040040, 0x10041000,
212 0x00001040, 0x00000000, 0x00000000, 0x10040040,
213 0x10000040, 0x10001000, 0x00041040, 0x00040000,
214 0x00041040, 0x00040000, 0x10041000, 0x00001000,
215 0x00000040, 0x10040040, 0x00001000, 0x00041040,
216 0x10001000, 0x00000040, 0x10000040, 0x10040000,
217 0x10040040, 0x10000000, 0x00040000, 0x10001040,
218 0x00000000, 0x10041040, 0x00040040, 0x10000040,
219 0x10040000, 0x10001000, 0x10001040, 0x00000000,
220 0x10041040, 0x00041000, 0x00041000, 0x00001040,
221 0x00001040, 0x00040040, 0x10000000, 0x10041000
222};
223
224/*
225 * PC1: left and right halves bit-swap
226 */
227static const unsigned long LHs[16] =
228{
229 0x00000000, 0x00000001, 0x00000100, 0x00000101,
230 0x00010000, 0x00010001, 0x00010100, 0x00010101,
231 0x01000000, 0x01000001, 0x01000100, 0x01000101,
232 0x01010000, 0x01010001, 0x01010100, 0x01010101
233};
234
235static const unsigned long RHs[16] =
236{
237 0x00000000, 0x01000000, 0x00010000, 0x01010000,
238 0x00000100, 0x01000100, 0x00010100, 0x01010100,
239 0x00000001, 0x01000001, 0x00010001, 0x01010001,
240 0x00000101, 0x01000101, 0x00010101, 0x01010101,
241};
242
243/*
244 * Initial Permutation macro
245 */
246#define DES_IP(X,Y) \
247{ \
248 T = ((X >> 4) ^ Y) & 0x0F0F0F0F; Y ^= T; X ^= (T << 4); \
249 T = ((X >> 16) ^ Y) & 0x0000FFFF; Y ^= T; X ^= (T << 16); \
250 T = ((Y >> 2) ^ X) & 0x33333333; X ^= T; Y ^= (T << 2); \
251 T = ((Y >> 8) ^ X) & 0x00FF00FF; X ^= T; Y ^= (T << 8); \
252 Y = ((Y << 1) | (Y >> 31)) & 0xFFFFFFFF; \
253 T = (X ^ Y) & 0xAAAAAAAA; Y ^= T; X ^= T; \
254 X = ((X << 1) | (X >> 31)) & 0xFFFFFFFF; \
255}
256
257/*
258 * Final Permutation macro
259 */
260#define DES_FP(X,Y) \
261{ \
262 X = ((X << 31) | (X >> 1)) & 0xFFFFFFFF; \
263 T = (X ^ Y) & 0xAAAAAAAA; X ^= T; Y ^= T; \
264 Y = ((Y << 31) | (Y >> 1)) & 0xFFFFFFFF; \
265 T = ((Y >> 8) ^ X) & 0x00FF00FF; X ^= T; Y ^= (T << 8); \
266 T = ((Y >> 2) ^ X) & 0x33333333; X ^= T; Y ^= (T << 2); \
267 T = ((X >> 16) ^ Y) & 0x0000FFFF; Y ^= T; X ^= (T << 16); \
268 T = ((X >> 4) ^ Y) & 0x0F0F0F0F; Y ^= T; X ^= (T << 4); \
269}
270
271/*
272 * DES round macro
273 */
274#define DES_ROUND(X,Y) \
275{ \
276 T = *SK++ ^ X; \
277 Y ^= SB8[ (T ) & 0x3F ] ^ \
278 SB6[ (T >> 8) & 0x3F ] ^ \
279 SB4[ (T >> 16) & 0x3F ] ^ \
280 SB2[ (T >> 24) & 0x3F ]; \
281 \
282 T = *SK++ ^ ((X << 28) | (X >> 4)); \
283 Y ^= SB7[ (T ) & 0x3F ] ^ \
284 SB5[ (T >> 8) & 0x3F ] ^ \
285 SB3[ (T >> 16) & 0x3F ] ^ \
286 SB1[ (T >> 24) & 0x3F ]; \
287}
288
289#define SWAP(a,b) { unsigned long t = a; a = b; b = t; t = 0; }
290
Paul Bakker1f87fb62011-01-15 17:32:24 +0000[diff] [blame]291static const unsigned char odd_parity_table[128] = { 1, 2, 4, 7, 8,
292 11, 13, 14, 16, 19, 21, 22, 25, 26, 28, 31, 32, 35, 37, 38, 41, 42, 44,
293 47, 49, 50, 52, 55, 56, 59, 61, 62, 64, 67, 69, 70, 73, 74, 76, 79, 81,
294 82, 84, 87, 88, 91, 93, 94, 97, 98, 100, 103, 104, 107, 109, 110, 112,
295 115, 117, 118, 121, 122, 124, 127, 128, 131, 133, 134, 137, 138, 140,
296 143, 145, 146, 148, 151, 152, 155, 157, 158, 161, 162, 164, 167, 168,
297 171, 173, 174, 176, 179, 181, 182, 185, 186, 188, 191, 193, 194, 196,
298 199, 200, 203, 205, 206, 208, 211, 213, 214, 217, 218, 220, 223, 224,
299 227, 229, 230, 233, 234, 236, 239, 241, 242, 244, 247, 248, 251, 253,
300 254 };
301
302void des_key_set_parity( unsigned char key[DES_KEY_SIZE] )
303{
304 int i;
305
306 for( i = 0; i < DES_KEY_SIZE; i++ )
307 key[i] = odd_parity_table[key[i] / 2];
308}
309
310/*
311 * Check the given key's parity, returns 1 on failure, 0 on SUCCESS
312 */
313int des_key_check_key_parity( const unsigned char key[DES_KEY_SIZE] )
314{
315 int i;
316
317 for( i = 0; i < DES_KEY_SIZE; i++ )
318 if ( key[i] != odd_parity_table[key[i] / 2] )
319 return( 1 );
320
321 return( 0 );
322}
323
324/*
325 * Table of weak and semi-weak keys
326 *
327 * Source: http://en.wikipedia.org/wiki/Weak_key
328 *
329 * Weak:
330 * Alternating ones + zeros (0x0101010101010101)
331 * Alternating 'F' + 'E' (0xFEFEFEFEFEFEFEFE)
332 * '0xE0E0E0E0F1F1F1F1'
333 * '0x1F1F1F1F0E0E0E0E'
334 *
335 * Semi-weak:
336 * 0x011F011F010E010E and 0x1F011F010E010E01
337 * 0x01E001E001F101F1 and 0xE001E001F101F101
338 * 0x01FE01FE01FE01FE and 0xFE01FE01FE01FE01
339 * 0x1FE01FE00EF10EF1 and 0xE01FE01FF10EF10E
340 * 0x1FFE1FFE0EFE0EFE and 0xFE1FFE1FFE0EFE0E
341 * 0xE0FEE0FEF1FEF1FE and 0xFEE0FEE0FEF1FEF1
342 *
343 */
344
345#define WEAK_KEY_COUNT 16
346
347static const unsigned char weak_key_table[WEAK_KEY_COUNT][DES_KEY_SIZE] =
348{
349 { 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 },
350 { 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE },
351 { 0x1F, 0x1F, 0x1F, 0x1F, 0x0E, 0x0E, 0x0E, 0x0E },
352 { 0xE0, 0xE0, 0xE0, 0xE0, 0xF1, 0xF1, 0xF1, 0xF1 },
353
354 { 0x01, 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E },
355 { 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E, 0x01 },
356 { 0x01, 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1 },
357 { 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1, 0x01 },
358 { 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE },
359 { 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01 },
360 { 0x1F, 0xE0, 0x1F, 0xE0, 0x0E, 0xF1, 0x0E, 0xF1 },
361 { 0xE0, 0x1F, 0xE0, 0x1F, 0xF1, 0x0E, 0xF1, 0x0E },
362 { 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E, 0xFE },
363 { 0xFE, 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E },
364 { 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1, 0xFE },
365 { 0xFE, 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1 }
366};
367
368int des_key_check_weak( const unsigned char key[DES_KEY_SIZE] )
369{
370 int i;
371
372 for( i = 0; i < WEAK_KEY_COUNT; i++ )
373 if( memcmp( weak_key_table[i], key, DES_KEY_SIZE) == 0)
Paul Bakker73206952011-07-06 14:37:33 +0000[diff] [blame]374 return( 1 );
Paul Bakker1f87fb62011-01-15 17:32:24 +0000[diff] [blame]375
Paul Bakker73206952011-07-06 14:37:33 +0000[diff] [blame]376 return( 0 );
Paul Bakker1f87fb62011-01-15 17:32:24 +0000[diff] [blame]377}
378
379static void des_setkey( unsigned long SK[32], const unsigned char key[DES_KEY_SIZE] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]380{
381 int i;
382 unsigned long X, Y, T;
383
384 GET_ULONG_BE( X, key, 0 );
385 GET_ULONG_BE( Y, key, 4 );
386
387 /*
388 * Permuted Choice 1
389 */
390 T = ((Y >> 4) ^ X) & 0x0F0F0F0F; X ^= T; Y ^= (T << 4);
391 T = ((Y ) ^ X) & 0x10101010; X ^= T; Y ^= (T );
392
393 X = (LHs[ (X ) & 0xF] << 3) | (LHs[ (X >> 8) & 0xF ] << 2)
394 | (LHs[ (X >> 16) & 0xF] << 1) | (LHs[ (X >> 24) & 0xF ] )
395 | (LHs[ (X >> 5) & 0xF] << 7) | (LHs[ (X >> 13) & 0xF ] << 6)
396 | (LHs[ (X >> 21) & 0xF] << 5) | (LHs[ (X >> 29) & 0xF ] << 4);
397
398 Y = (RHs[ (Y >> 1) & 0xF] << 3) | (RHs[ (Y >> 9) & 0xF ] << 2)
399 | (RHs[ (Y >> 17) & 0xF] << 1) | (RHs[ (Y >> 25) & 0xF ] )
400 | (RHs[ (Y >> 4) & 0xF] << 7) | (RHs[ (Y >> 12) & 0xF ] << 6)
401 | (RHs[ (Y >> 20) & 0xF] << 5) | (RHs[ (Y >> 28) & 0xF ] << 4);
402
403 X &= 0x0FFFFFFF;
404 Y &= 0x0FFFFFFF;
405
406 /*
407 * calculate subkeys
408 */
409 for( i = 0; i < 16; i++ )
410 {
411 if( i < 2 || i == 8 || i == 15 )
412 {
413 X = ((X << 1) | (X >> 27)) & 0x0FFFFFFF;
414 Y = ((Y << 1) | (Y >> 27)) & 0x0FFFFFFF;
415 }
416 else
417 {
418 X = ((X << 2) | (X >> 26)) & 0x0FFFFFFF;
419 Y = ((Y << 2) | (Y >> 26)) & 0x0FFFFFFF;
420 }
421
422 *SK++ = ((X << 4) & 0x24000000) | ((X << 28) & 0x10000000)
423 | ((X << 14) & 0x08000000) | ((X << 18) & 0x02080000)
424 | ((X << 6) & 0x01000000) | ((X << 9) & 0x00200000)
425 | ((X >> 1) & 0x00100000) | ((X << 10) & 0x00040000)
426 | ((X << 2) & 0x00020000) | ((X >> 10) & 0x00010000)
427 | ((Y >> 13) & 0x00002000) | ((Y >> 4) & 0x00001000)
428 | ((Y << 6) & 0x00000800) | ((Y >> 1) & 0x00000400)
429 | ((Y >> 14) & 0x00000200) | ((Y ) & 0x00000100)
430 | ((Y >> 5) & 0x00000020) | ((Y >> 10) & 0x00000010)
431 | ((Y >> 3) & 0x00000008) | ((Y >> 18) & 0x00000004)
432 | ((Y >> 26) & 0x00000002) | ((Y >> 24) & 0x00000001);
433
434 *SK++ = ((X << 15) & 0x20000000) | ((X << 17) & 0x10000000)
435 | ((X << 10) & 0x08000000) | ((X << 22) & 0x04000000)
436 | ((X >> 2) & 0x02000000) | ((X << 1) & 0x01000000)
437 | ((X << 16) & 0x00200000) | ((X << 11) & 0x00100000)
438 | ((X << 3) & 0x00080000) | ((X >> 6) & 0x00040000)
439 | ((X << 15) & 0x00020000) | ((X >> 4) & 0x00010000)
440 | ((Y >> 2) & 0x00002000) | ((Y << 8) & 0x00001000)
441 | ((Y >> 14) & 0x00000808) | ((Y >> 9) & 0x00000400)
442 | ((Y ) & 0x00000200) | ((Y << 7) & 0x00000100)
443 | ((Y >> 7) & 0x00000020) | ((Y >> 3) & 0x00000011)
444 | ((Y << 2) & 0x00000004) | ((Y >> 21) & 0x00000002);
445 }
446}
447
448/*
449 * DES key schedule (56-bit, encryption)
450 */
Paul Bakker1f87fb62011-01-15 17:32:24 +0000[diff] [blame]451int des_setkey_enc( des_context *ctx, const unsigned char key[DES_KEY_SIZE] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]452{
453 des_setkey( ctx->sk, key );
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]454
455 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]456}
457
458/*
459 * DES key schedule (56-bit, decryption)
460 */
Paul Bakker1f87fb62011-01-15 17:32:24 +0000[diff] [blame]461int des_setkey_dec( des_context *ctx, const unsigned char key[DES_KEY_SIZE] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]462{
463 int i;
464
465 des_setkey( ctx->sk, key );
466
467 for( i = 0; i < 16; i += 2 )
468 {
469 SWAP( ctx->sk[i ], ctx->sk[30 - i] );
470 SWAP( ctx->sk[i + 1], ctx->sk[31 - i] );
471 }
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]472
473 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]474}
475
476static void des3_set2key( unsigned long esk[96],
477 unsigned long dsk[96],
Paul Bakker1f87fb62011-01-15 17:32:24 +0000[diff] [blame]478 const unsigned char key[DES_KEY_SIZE*2] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]479{
480 int i;
481
482 des_setkey( esk, key );
483 des_setkey( dsk + 32, key + 8 );
484
485 for( i = 0; i < 32; i += 2 )
486 {
487 dsk[i ] = esk[30 - i];
488 dsk[i + 1] = esk[31 - i];
489
490 esk[i + 32] = dsk[62 - i];
491 esk[i + 33] = dsk[63 - i];
492
493 esk[i + 64] = esk[i ];
494 esk[i + 65] = esk[i + 1];
495
496 dsk[i + 64] = dsk[i ];
497 dsk[i + 65] = dsk[i + 1];
498 }
499}
500
501/*
502 * Triple-DES key schedule (112-bit, encryption)
503 */
Paul Bakker1f87fb62011-01-15 17:32:24 +0000[diff] [blame]504int des3_set2key_enc( des3_context *ctx, const unsigned char key[DES_KEY_SIZE * 2] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]505{
506 unsigned long sk[96];
507
508 des3_set2key( ctx->sk, sk, key );
509 memset( sk, 0, sizeof( sk ) );
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]510
511 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]512}
513
514/*
515 * Triple-DES key schedule (112-bit, decryption)
516 */
Paul Bakker1f87fb62011-01-15 17:32:24 +0000[diff] [blame]517int des3_set2key_dec( des3_context *ctx, const unsigned char key[DES_KEY_SIZE * 2] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]518{
519 unsigned long sk[96];
520
521 des3_set2key( sk, ctx->sk, key );
522 memset( sk, 0, sizeof( sk ) );
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]523
524 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]525}
526
527static void des3_set3key( unsigned long esk[96],
528 unsigned long dsk[96],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]529 const unsigned char key[24] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]530{
531 int i;
532
533 des_setkey( esk, key );
534 des_setkey( dsk + 32, key + 8 );
535 des_setkey( esk + 64, key + 16 );
536
537 for( i = 0; i < 32; i += 2 )
538 {
539 dsk[i ] = esk[94 - i];
540 dsk[i + 1] = esk[95 - i];
541
542 esk[i + 32] = dsk[62 - i];
543 esk[i + 33] = dsk[63 - i];
544
545 dsk[i + 64] = esk[30 - i];
546 dsk[i + 65] = esk[31 - i];
547 }
548}
549
550/*
551 * Triple-DES key schedule (168-bit, encryption)
552 */
Paul Bakker1f87fb62011-01-15 17:32:24 +0000[diff] [blame]553int des3_set3key_enc( des3_context *ctx, const unsigned char key[DES_KEY_SIZE * 3] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]554{
555 unsigned long sk[96];
556
557 des3_set3key( ctx->sk, sk, key );
558 memset( sk, 0, sizeof( sk ) );
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]559
560 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]561}
562
563/*
564 * Triple-DES key schedule (168-bit, decryption)
565 */
Paul Bakker1f87fb62011-01-15 17:32:24 +0000[diff] [blame]566int des3_set3key_dec( des3_context *ctx, const unsigned char key[DES_KEY_SIZE * 3] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]567{
568 unsigned long sk[96];
569
570 des3_set3key( sk, ctx->sk, key );
571 memset( sk, 0, sizeof( sk ) );
Paul Bakker8123e9d2011-01-06 15:37:30 +0000[diff] [blame]572
573 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]574}
575
576/*
577 * DES-ECB block encryption/decryption
578 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]579int des_crypt_ecb( des_context *ctx,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]580 const unsigned char input[8],
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]581 unsigned char output[8] )
582{
583 int i;
584 unsigned long X, Y, T, *SK;
585
586 SK = ctx->sk;
587
588 GET_ULONG_BE( X, input, 0 );
589 GET_ULONG_BE( Y, input, 4 );
590
591 DES_IP( X, Y );
592
593 for( i = 0; i < 8; i++ )
594 {
595 DES_ROUND( Y, X );
596 DES_ROUND( X, Y );
597 }
598
599 DES_FP( Y, X );
600
601 PUT_ULONG_BE( Y, output, 0 );
602 PUT_ULONG_BE( X, output, 4 );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]603
604 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]605}
606
607/*
608 * DES-CBC buffer encryption/decryption
609 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]610int des_crypt_cbc( des_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]611 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]612 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]613 unsigned char iv[8],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]614 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]615 unsigned char *output )
616{
617 int i;
618 unsigned char temp[8];
619
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]620 if( length % 8 )
621 return( POLARSSL_ERR_DES_INVALID_INPUT_LENGTH );
622
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]623 if( mode == DES_ENCRYPT )
624 {
625 while( length > 0 )
626 {
627 for( i = 0; i < 8; i++ )
628 output[i] = (unsigned char)( input[i] ^ iv[i] );
629
630 des_crypt_ecb( ctx, output, output );
631 memcpy( iv, output, 8 );
632
633 input += 8;
634 output += 8;
635 length -= 8;
636 }
637 }
638 else /* DES_DECRYPT */
639 {
640 while( length > 0 )
641 {
642 memcpy( temp, input, 8 );
643 des_crypt_ecb( ctx, input, output );
644
645 for( i = 0; i < 8; i++ )
646 output[i] = (unsigned char)( output[i] ^ iv[i] );
647
648 memcpy( iv, temp, 8 );
649
650 input += 8;
651 output += 8;
652 length -= 8;
653 }
654 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]655
656 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]657}
658
659/*
660 * 3DES-ECB block encryption/decryption
661 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]662int des3_crypt_ecb( des3_context *ctx,
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]663 const unsigned char input[8],
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]664 unsigned char output[8] )
665{
666 int i;
667 unsigned long X, Y, T, *SK;
668
669 SK = ctx->sk;
670
671 GET_ULONG_BE( X, input, 0 );
672 GET_ULONG_BE( Y, input, 4 );
673
674 DES_IP( X, Y );
675
676 for( i = 0; i < 8; i++ )
677 {
678 DES_ROUND( Y, X );
679 DES_ROUND( X, Y );
680 }
681
682 for( i = 0; i < 8; i++ )
683 {
684 DES_ROUND( X, Y );
685 DES_ROUND( Y, X );
686 }
687
688 for( i = 0; i < 8; i++ )
689 {
690 DES_ROUND( Y, X );
691 DES_ROUND( X, Y );
692 }
693
694 DES_FP( Y, X );
695
696 PUT_ULONG_BE( Y, output, 0 );
697 PUT_ULONG_BE( X, output, 4 );
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]698
699 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]700}
701
702/*
703 * 3DES-CBC buffer encryption/decryption
704 */
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]705int des3_crypt_cbc( des3_context *ctx,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]706 int mode,
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]707 size_t length,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]708 unsigned char iv[8],
Paul Bakkerff60ee62010-03-16 21:09:09 +0000[diff] [blame]709 const unsigned char *input,
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]710 unsigned char *output )
711{
712 int i;
713 unsigned char temp[8];
714
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]715 if( length % 8 )
716 return( POLARSSL_ERR_DES_INVALID_INPUT_LENGTH );
717
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]718 if( mode == DES_ENCRYPT )
719 {
720 while( length > 0 )
721 {
722 for( i = 0; i < 8; i++ )
723 output[i] = (unsigned char)( input[i] ^ iv[i] );
724
725 des3_crypt_ecb( ctx, output, output );
726 memcpy( iv, output, 8 );
727
728 input += 8;
729 output += 8;
730 length -= 8;
731 }
732 }
733 else /* DES_DECRYPT */
734 {
735 while( length > 0 )
736 {
737 memcpy( temp, input, 8 );
738 des3_crypt_ecb( ctx, input, output );
739
740 for( i = 0; i < 8; i++ )
741 output[i] = (unsigned char)( output[i] ^ iv[i] );
742
743 memcpy( iv, temp, 8 );
744
745 input += 8;
746 output += 8;
747 length -= 8;
748 }
749 }
Paul Bakkerf3ccc682010-03-18 21:21:02 +0000[diff] [blame]750
751 return( 0 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]752}
753
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]754#if defined(POLARSSL_SELF_TEST)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]755
756#include <stdio.h>
757
758/*
759 * DES and 3DES test vectors from:
760 *
761 * http://csrc.nist.gov/groups/STM/cavp/documents/des/tripledes-vectors.zip
762 */
763static const unsigned char des3_test_keys[24] =
764{
765 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF,
766 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01,
767 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01, 0x23
768};
769
770static const unsigned char des3_test_iv[8] =
771{
772 0x12, 0x34, 0x56, 0x78, 0x90, 0xAB, 0xCD, 0xEF,
773};
774
775static const unsigned char des3_test_buf[8] =
776{
777 0x4E, 0x6F, 0x77, 0x20, 0x69, 0x73, 0x20, 0x74
778};
779
780static const unsigned char des3_test_ecb_dec[3][8] =
781{
782 { 0xCD, 0xD6, 0x4F, 0x2F, 0x94, 0x27, 0xC1, 0x5D },
783 { 0x69, 0x96, 0xC8, 0xFA, 0x47, 0xA2, 0xAB, 0xEB },
784 { 0x83, 0x25, 0x39, 0x76, 0x44, 0x09, 0x1A, 0x0A }
785};
786
787static const unsigned char des3_test_ecb_enc[3][8] =
788{
789 { 0x6A, 0x2A, 0x19, 0xF4, 0x1E, 0xCA, 0x85, 0x4B },
790 { 0x03, 0xE6, 0x9F, 0x5B, 0xFA, 0x58, 0xEB, 0x42 },
791 { 0xDD, 0x17, 0xE8, 0xB8, 0xB4, 0x37, 0xD2, 0x32 }
792};
793
794static const unsigned char des3_test_cbc_dec[3][8] =
795{
796 { 0x12, 0x9F, 0x40, 0xB9, 0xD2, 0x00, 0x56, 0xB3 },
797 { 0x47, 0x0E, 0xFC, 0x9A, 0x6B, 0x8E, 0xE3, 0x93 },
798 { 0xC5, 0xCE, 0xCF, 0x63, 0xEC, 0xEC, 0x51, 0x4C }
799};
800
801static const unsigned char des3_test_cbc_enc[3][8] =
802{
803 { 0x54, 0xF1, 0x5A, 0xF6, 0xEB, 0xE3, 0xA4, 0xB4 },
804 { 0x35, 0x76, 0x11, 0x56, 0x5F, 0xA1, 0x8E, 0x4D },
805 { 0xCB, 0x19, 0x1F, 0x85, 0xD1, 0xED, 0x84, 0x39 }
806};
807
808/*
809 * Checkup routine
810 */
811int des_self_test( int verbose )
812{
813 int i, j, u, v;
814 des_context ctx;
815 des3_context ctx3;
816 unsigned char key[24];
817 unsigned char buf[8];
818 unsigned char prv[8];
819 unsigned char iv[8];
820
821 memset( key, 0, 24 );
822
823 /*
824 * ECB mode
825 */
826 for( i = 0; i < 6; i++ )
827 {
828 u = i >> 1;
829 v = i & 1;
830
831 if( verbose != 0 )
832 printf( " DES%c-ECB-%3d (%s): ",
833 ( u == 0 ) ? ' ' : '3', 56 + u * 56,
834 ( v == DES_DECRYPT ) ? "dec" : "enc" );
835
836 memcpy( buf, des3_test_buf, 8 );
837
838 switch( i )
839 {
840 case 0:
841 des_setkey_dec( &ctx, (unsigned char *) des3_test_keys );
842 break;
843
844 case 1:
845 des_setkey_enc( &ctx, (unsigned char *) des3_test_keys );
846 break;
847
848 case 2:
849 des3_set2key_dec( &ctx3, (unsigned char *) des3_test_keys );
850 break;
851
852 case 3:
853 des3_set2key_enc( &ctx3, (unsigned char *) des3_test_keys );
854 break;
855
856 case 4:
857 des3_set3key_dec( &ctx3, (unsigned char *) des3_test_keys );
858 break;
859
860 case 5:
861 des3_set3key_enc( &ctx3, (unsigned char *) des3_test_keys );
862 break;
863
864 default:
865 return( 1 );
866 }
867
868 for( j = 0; j < 10000; j++ )
869 {
870 if( u == 0 )
871 des_crypt_ecb( &ctx, buf, buf );
872 else
873 des3_crypt_ecb( &ctx3, buf, buf );
874 }
875
876 if( ( v == DES_DECRYPT &&
877 memcmp( buf, des3_test_ecb_dec[u], 8 ) != 0 ) ||
878 ( v != DES_DECRYPT &&
879 memcmp( buf, des3_test_ecb_enc[u], 8 ) != 0 ) )
880 {
881 if( verbose != 0 )
882 printf( "failed\n" );
883
884 return( 1 );
885 }
886
887 if( verbose != 0 )
888 printf( "passed\n" );
889 }
890
891 if( verbose != 0 )
892 printf( "\n" );
893
894 /*
895 * CBC mode
896 */
897 for( i = 0; i < 6; i++ )
898 {
899 u = i >> 1;
900 v = i & 1;
901
902 if( verbose != 0 )
903 printf( " DES%c-CBC-%3d (%s): ",
904 ( u == 0 ) ? ' ' : '3', 56 + u * 56,
905 ( v == DES_DECRYPT ) ? "dec" : "enc" );
906
907 memcpy( iv, des3_test_iv, 8 );
908 memcpy( prv, des3_test_iv, 8 );
909 memcpy( buf, des3_test_buf, 8 );
910
911 switch( i )
912 {
913 case 0:
914 des_setkey_dec( &ctx, (unsigned char *) des3_test_keys );
915 break;
916
917 case 1:
918 des_setkey_enc( &ctx, (unsigned char *) des3_test_keys );
919 break;
920
921 case 2:
922 des3_set2key_dec( &ctx3, (unsigned char *) des3_test_keys );
923 break;
924
925 case 3:
926 des3_set2key_enc( &ctx3, (unsigned char *) des3_test_keys );
927 break;
928
929 case 4:
930 des3_set3key_dec( &ctx3, (unsigned char *) des3_test_keys );
931 break;
932
933 case 5:
934 des3_set3key_enc( &ctx3, (unsigned char *) des3_test_keys );
935 break;
936
937 default:
938 return( 1 );
939 }
940
941 if( v == DES_DECRYPT )
942 {
943 for( j = 0; j < 10000; j++ )
944 {
945 if( u == 0 )
946 des_crypt_cbc( &ctx, v, 8, iv, buf, buf );
947 else
948 des3_crypt_cbc( &ctx3, v, 8, iv, buf, buf );
949 }
950 }
951 else
952 {
953 for( j = 0; j < 10000; j++ )
954 {
955 unsigned char tmp[8];
956
957 if( u == 0 )
958 des_crypt_cbc( &ctx, v, 8, iv, buf, buf );
959 else
960 des3_crypt_cbc( &ctx3, v, 8, iv, buf, buf );
961
962 memcpy( tmp, prv, 8 );
963 memcpy( prv, buf, 8 );
964 memcpy( buf, tmp, 8 );
965 }
966
967 memcpy( buf, prv, 8 );
968 }
969
970 if( ( v == DES_DECRYPT &&
971 memcmp( buf, des3_test_cbc_dec[u], 8 ) != 0 ) ||
972 ( v != DES_DECRYPT &&
973 memcmp( buf, des3_test_cbc_enc[u], 8 ) != 0 ) )
974 {
975 if( verbose != 0 )
976 printf( "failed\n" );
977
978 return( 1 );
979 }
980
981 if( verbose != 0 )
982 printf( "passed\n" );
983 }
984
985 if( verbose != 0 )
986 printf( "\n" );
987
988 return( 0 );
989}
990
991#endif
992
993#endif