1
/*
2
 *  FIPS-46-3 compliant Triple-DES implementation
3
 *
4
 *  Copyright The Mbed TLS Contributors
5
 *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6
 */
7
/*
8
 *  DES, on which TDES is based, was originally designed by Horst Feistel
9
 *  at IBM in 1974, and was adopted as a standard by NIST (formerly NBS).
10
 *
11
 *  http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf
12
 */
13

14
#include "common.h"
15

16
#if defined(MBEDTLS_DES_C)
17

18
#include "mbedtls/des.h"
19
#include "mbedtls/error.h"
20
#include "mbedtls/platform_util.h"
21

22
#include <string.h>
23

24
#include "mbedtls/platform.h"
25

26
#if !defined(MBEDTLS_DES_ALT)
27

28
/*
29
 * Expanded DES S-boxes
30
 */
31
static const uint32_t SB1[64] =
32
{
33
    0x01010400, 0x00000000, 0x00010000, 0x01010404,
34
    0x01010004, 0x00010404, 0x00000004, 0x00010000,
35
    0x00000400, 0x01010400, 0x01010404, 0x00000400,
36
    0x01000404, 0x01010004, 0x01000000, 0x00000004,
37
    0x00000404, 0x01000400, 0x01000400, 0x00010400,
38
    0x00010400, 0x01010000, 0x01010000, 0x01000404,
39
    0x00010004, 0x01000004, 0x01000004, 0x00010004,
40
    0x00000000, 0x00000404, 0x00010404, 0x01000000,
41
    0x00010000, 0x01010404, 0x00000004, 0x01010000,
42
    0x01010400, 0x01000000, 0x01000000, 0x00000400,
43
    0x01010004, 0x00010000, 0x00010400, 0x01000004,
44
    0x00000400, 0x00000004, 0x01000404, 0x00010404,
45
    0x01010404, 0x00010004, 0x01010000, 0x01000404,
46
    0x01000004, 0x00000404, 0x00010404, 0x01010400,
47
    0x00000404, 0x01000400, 0x01000400, 0x00000000,
48
    0x00010004, 0x00010400, 0x00000000, 0x01010004
49
};
50

51
static const uint32_t SB2[64] =
52
{
53
    0x80108020, 0x80008000, 0x00008000, 0x00108020,
54
    0x00100000, 0x00000020, 0x80100020, 0x80008020,
55
    0x80000020, 0x80108020, 0x80108000, 0x80000000,
56
    0x80008000, 0x00100000, 0x00000020, 0x80100020,
57
    0x00108000, 0x00100020, 0x80008020, 0x00000000,
58
    0x80000000, 0x00008000, 0x00108020, 0x80100000,
59
    0x00100020, 0x80000020, 0x00000000, 0x00108000,
60
    0x00008020, 0x80108000, 0x80100000, 0x00008020,
61
    0x00000000, 0x00108020, 0x80100020, 0x00100000,
62
    0x80008020, 0x80100000, 0x80108000, 0x00008000,
63
    0x80100000, 0x80008000, 0x00000020, 0x80108020,
64
    0x00108020, 0x00000020, 0x00008000, 0x80000000,
65
    0x00008020, 0x80108000, 0x00100000, 0x80000020,
66
    0x00100020, 0x80008020, 0x80000020, 0x00100020,
67
    0x00108000, 0x00000000, 0x80008000, 0x00008020,
68
    0x80000000, 0x80100020, 0x80108020, 0x00108000
69
};
70

71
static const uint32_t SB3[64] =
72
{
73
    0x00000208, 0x08020200, 0x00000000, 0x08020008,
74
    0x08000200, 0x00000000, 0x00020208, 0x08000200,
75
    0x00020008, 0x08000008, 0x08000008, 0x00020000,
76
    0x08020208, 0x00020008, 0x08020000, 0x00000208,
77
    0x08000000, 0x00000008, 0x08020200, 0x00000200,
78
    0x00020200, 0x08020000, 0x08020008, 0x00020208,
79
    0x08000208, 0x00020200, 0x00020000, 0x08000208,
80
    0x00000008, 0x08020208, 0x00000200, 0x08000000,
81
    0x08020200, 0x08000000, 0x00020008, 0x00000208,
82
    0x00020000, 0x08020200, 0x08000200, 0x00000000,
83
    0x00000200, 0x00020008, 0x08020208, 0x08000200,
84
    0x08000008, 0x00000200, 0x00000000, 0x08020008,
85
    0x08000208, 0x00020000, 0x08000000, 0x08020208,
86
    0x00000008, 0x00020208, 0x00020200, 0x08000008,
87
    0x08020000, 0x08000208, 0x00000208, 0x08020000,
88
    0x00020208, 0x00000008, 0x08020008, 0x00020200
89
};
90

91
static const uint32_t SB4[64] =
92
{
93
    0x00802001, 0x00002081, 0x00002081, 0x00000080,
94
    0x00802080, 0x00800081, 0x00800001, 0x00002001,
95
    0x00000000, 0x00802000, 0x00802000, 0x00802081,
96
    0x00000081, 0x00000000, 0x00800080, 0x00800001,
97
    0x00000001, 0x00002000, 0x00800000, 0x00802001,
98
    0x00000080, 0x00800000, 0x00002001, 0x00002080,
99
    0x00800081, 0x00000001, 0x00002080, 0x00800080,
100
    0x00002000, 0x00802080, 0x00802081, 0x00000081,
101
    0x00800080, 0x00800001, 0x00802000, 0x00802081,
102
    0x00000081, 0x00000000, 0x00000000, 0x00802000,
103
    0x00002080, 0x00800080, 0x00800081, 0x00000001,
104
    0x00802001, 0x00002081, 0x00002081, 0x00000080,
105
    0x00802081, 0x00000081, 0x00000001, 0x00002000,
106
    0x00800001, 0x00002001, 0x00802080, 0x00800081,
107
    0x00002001, 0x00002080, 0x00800000, 0x00802001,
108
    0x00000080, 0x00800000, 0x00002000, 0x00802080
109
};
110

111
static const uint32_t SB5[64] =
112
{
113
    0x00000100, 0x02080100, 0x02080000, 0x42000100,
114
    0x00080000, 0x00000100, 0x40000000, 0x02080000,
115
    0x40080100, 0x00080000, 0x02000100, 0x40080100,
116
    0x42000100, 0x42080000, 0x00080100, 0x40000000,
117
    0x02000000, 0x40080000, 0x40080000, 0x00000000,
118
    0x40000100, 0x42080100, 0x42080100, 0x02000100,
119
    0x42080000, 0x40000100, 0x00000000, 0x42000000,
120
    0x02080100, 0x02000000, 0x42000000, 0x00080100,
121
    0x00080000, 0x42000100, 0x00000100, 0x02000000,
122
    0x40000000, 0x02080000, 0x42000100, 0x40080100,
123
    0x02000100, 0x40000000, 0x42080000, 0x02080100,
124
    0x40080100, 0x00000100, 0x02000000, 0x42080000,
125
    0x42080100, 0x00080100, 0x42000000, 0x42080100,
126
    0x02080000, 0x00000000, 0x40080000, 0x42000000,
127
    0x00080100, 0x02000100, 0x40000100, 0x00080000,
128
    0x00000000, 0x40080000, 0x02080100, 0x40000100
129
};
130

131
static const uint32_t SB6[64] =
132
{
133
    0x20000010, 0x20400000, 0x00004000, 0x20404010,
134
    0x20400000, 0x00000010, 0x20404010, 0x00400000,
135
    0x20004000, 0x00404010, 0x00400000, 0x20000010,
136
    0x00400010, 0x20004000, 0x20000000, 0x00004010,
137
    0x00000000, 0x00400010, 0x20004010, 0x00004000,
138
    0x00404000, 0x20004010, 0x00000010, 0x20400010,
139
    0x20400010, 0x00000000, 0x00404010, 0x20404000,
140
    0x00004010, 0x00404000, 0x20404000, 0x20000000,
141
    0x20004000, 0x00000010, 0x20400010, 0x00404000,
142
    0x20404010, 0x00400000, 0x00004010, 0x20000010,
143
    0x00400000, 0x20004000, 0x20000000, 0x00004010,
144
    0x20000010, 0x20404010, 0x00404000, 0x20400000,
145
    0x00404010, 0x20404000, 0x00000000, 0x20400010,
146
    0x00000010, 0x00004000, 0x20400000, 0x00404010,
147
    0x00004000, 0x00400010, 0x20004010, 0x00000000,
148
    0x20404000, 0x20000000, 0x00400010, 0x20004010
149
};
150

151
static const uint32_t SB7[64] =
152
{
153
    0x00200000, 0x04200002, 0x04000802, 0x00000000,
154
    0x00000800, 0x04000802, 0x00200802, 0x04200800,
155
    0x04200802, 0x00200000, 0x00000000, 0x04000002,
156
    0x00000002, 0x04000000, 0x04200002, 0x00000802,
157
    0x04000800, 0x00200802, 0x00200002, 0x04000800,
158
    0x04000002, 0x04200000, 0x04200800, 0x00200002,
159
    0x04200000, 0x00000800, 0x00000802, 0x04200802,
160
    0x00200800, 0x00000002, 0x04000000, 0x00200800,
161
    0x04000000, 0x00200800, 0x00200000, 0x04000802,
162
    0x04000802, 0x04200002, 0x04200002, 0x00000002,
163
    0x00200002, 0x04000000, 0x04000800, 0x00200000,
164
    0x04200800, 0x00000802, 0x00200802, 0x04200800,
165
    0x00000802, 0x04000002, 0x04200802, 0x04200000,
166
    0x00200800, 0x00000000, 0x00000002, 0x04200802,
167
    0x00000000, 0x00200802, 0x04200000, 0x00000800,
168
    0x04000002, 0x04000800, 0x00000800, 0x00200002
169
};
170

171
static const uint32_t SB8[64] =
172
{
173
    0x10001040, 0x00001000, 0x00040000, 0x10041040,
174
    0x10000000, 0x10001040, 0x00000040, 0x10000000,
175
    0x00040040, 0x10040000, 0x10041040, 0x00041000,
176
    0x10041000, 0x00041040, 0x00001000, 0x00000040,
177
    0x10040000, 0x10000040, 0x10001000, 0x00001040,
178
    0x00041000, 0x00040040, 0x10040040, 0x10041000,
179
    0x00001040, 0x00000000, 0x00000000, 0x10040040,
180
    0x10000040, 0x10001000, 0x00041040, 0x00040000,
181
    0x00041040, 0x00040000, 0x10041000, 0x00001000,
182
    0x00000040, 0x10040040, 0x00001000, 0x00041040,
183
    0x10001000, 0x00000040, 0x10000040, 0x10040000,
184
    0x10040040, 0x10000000, 0x00040000, 0x10001040,
185
    0x00000000, 0x10041040, 0x00040040, 0x10000040,
186
    0x10040000, 0x10001000, 0x10001040, 0x00000000,
187
    0x10041040, 0x00041000, 0x00041000, 0x00001040,
188
    0x00001040, 0x00040040, 0x10000000, 0x10041000
189
};
190

191
/*
192
 * PC1: left and right halves bit-swap
193
 */
194
static const uint32_t LHs[16] =
195
{
196
    0x00000000, 0x00000001, 0x00000100, 0x00000101,
197
    0x00010000, 0x00010001, 0x00010100, 0x00010101,
198
    0x01000000, 0x01000001, 0x01000100, 0x01000101,
199
    0x01010000, 0x01010001, 0x01010100, 0x01010101
200
};
201

202
static const uint32_t RHs[16] =
203
{
204
    0x00000000, 0x01000000, 0x00010000, 0x01010000,
205
    0x00000100, 0x01000100, 0x00010100, 0x01010100,
206
    0x00000001, 0x01000001, 0x00010001, 0x01010001,
207
    0x00000101, 0x01000101, 0x00010101, 0x01010101,
208
};
209

210
/*
211
 * Initial Permutation macro
212
 */
213
#define DES_IP(X, Y)                                                       \
214
    do                                                                    \
215
    {                                                                     \
216
        T = (((X) >>  4) ^ (Y)) & 0x0F0F0F0F; (Y) ^= T; (X) ^= (T <<  4); \
217
        T = (((X) >> 16) ^ (Y)) & 0x0000FFFF; (Y) ^= T; (X) ^= (T << 16); \
218
        T = (((Y) >>  2) ^ (X)) & 0x33333333; (X) ^= T; (Y) ^= (T <<  2); \
219
        T = (((Y) >>  8) ^ (X)) & 0x00FF00FF; (X) ^= T; (Y) ^= (T <<  8); \
220
        (Y) = (((Y) << 1) | ((Y) >> 31)) & 0xFFFFFFFF;                    \
221
        T = ((X) ^ (Y)) & 0xAAAAAAAA; (Y) ^= T; (X) ^= T;                 \
222
        (X) = (((X) << 1) | ((X) >> 31)) & 0xFFFFFFFF;                    \
223
    } while (0)
224

225
/*
226
 * Final Permutation macro
227
 */
228
#define DES_FP(X, Y)                                                       \
229
    do                                                                    \
230
    {                                                                     \
231
        (X) = (((X) << 31) | ((X) >> 1)) & 0xFFFFFFFF;                    \
232
        T = ((X) ^ (Y)) & 0xAAAAAAAA; (X) ^= T; (Y) ^= T;                 \
233
        (Y) = (((Y) << 31) | ((Y) >> 1)) & 0xFFFFFFFF;                    \
234
        T = (((Y) >>  8) ^ (X)) & 0x00FF00FF; (X) ^= T; (Y) ^= (T <<  8); \
235
        T = (((Y) >>  2) ^ (X)) & 0x33333333; (X) ^= T; (Y) ^= (T <<  2); \
236
        T = (((X) >> 16) ^ (Y)) & 0x0000FFFF; (Y) ^= T; (X) ^= (T << 16); \
237
        T = (((X) >>  4) ^ (Y)) & 0x0F0F0F0F; (Y) ^= T; (X) ^= (T <<  4); \
238
    } while (0)
239

240
/*
241
 * DES round macro
242
 */
243
#define DES_ROUND(X, Y)                              \
244
    do                                              \
245
    {                                               \
246
        T = *SK++ ^ (X);                            \
247
        (Y) ^= SB8[(T) & 0x3F] ^            \
248
               SB6[(T >>  8) & 0x3F] ^            \
249
               SB4[(T >> 16) & 0x3F] ^            \
250
               SB2[(T >> 24) & 0x3F];             \
251
                                                    \
252
        T = *SK++ ^ (((X) << 28) | ((X) >> 4));     \
253
        (Y) ^= SB7[(T) & 0x3F] ^            \
254
               SB5[(T >>  8) & 0x3F] ^            \
255
               SB3[(T >> 16) & 0x3F] ^            \
256
               SB1[(T >> 24) & 0x3F];             \
257
    } while (0)
258

259
#define SWAP(a, b)                                       \
260
    do                                                  \
261
    {                                                   \
262
        uint32_t t = (a); (a) = (b); (b) = t; t = 0;    \
263
    } while (0)
264

265
void mbedtls_des_init(mbedtls_des_context *ctx)
266
{
267
    memset(ctx, 0, sizeof(mbedtls_des_context));
268
}
269

270
void mbedtls_des_free(mbedtls_des_context *ctx)
271
{
272
    if (ctx == NULL) {
273
        return;
274
    }
275

276
    mbedtls_platform_zeroize(ctx, sizeof(mbedtls_des_context));
277
}
278

279
void mbedtls_des3_init(mbedtls_des3_context *ctx)
280
{
281
    memset(ctx, 0, sizeof(mbedtls_des3_context));
282
}
283

284
void mbedtls_des3_free(mbedtls_des3_context *ctx)
285
{
286
    if (ctx == NULL) {
287
        return;
288
    }
289

290
    mbedtls_platform_zeroize(ctx, sizeof(mbedtls_des3_context));
291
}
292

293
static const unsigned char odd_parity_table[128] = { 1,  2,  4,  7,  8,
294
                                                     11, 13, 14, 16, 19, 21, 22, 25, 26, 28, 31, 32,
295
                                                     35, 37, 38, 41, 42, 44,
296
                                                     47, 49, 50, 52, 55, 56, 59, 61, 62, 64, 67, 69,
297
                                                     70, 73, 74, 76, 79, 81,
298
                                                     82, 84, 87, 88, 91, 93, 94, 97, 98, 100, 103,
299
                                                     104, 107, 109, 110, 112,
300
                                                     115, 117, 118, 121, 122, 124, 127, 128, 131,
301
                                                     133, 134, 137, 138, 140,
302
                                                     143, 145, 146, 148, 151, 152, 155, 157, 158,
303
                                                     161, 162, 164, 167, 168,
304
                                                     171, 173, 174, 176, 179, 181, 182, 185, 186,
305
                                                     188, 191, 193, 194, 196,
306
                                                     199, 200, 203, 205, 206, 208, 211, 213, 214,
307
                                                     217, 218, 220, 223, 224,
308
                                                     227, 229, 230, 233, 234, 236, 239, 241, 242,
309
                                                     244, 247, 248, 251, 253,
310
                                                     254 };
311

312
void mbedtls_des_key_set_parity(unsigned char key[MBEDTLS_DES_KEY_SIZE])
313
{
314
    int i;
315

316
    for (i = 0; i < MBEDTLS_DES_KEY_SIZE; i++) {
317
        key[i] = odd_parity_table[key[i] / 2];
318
    }
319
}
320

321
/*
322
 * Check the given key's parity, returns 1 on failure, 0 on SUCCESS
323
 */
324
int mbedtls_des_key_check_key_parity(const unsigned char key[MBEDTLS_DES_KEY_SIZE])
325
{
326
    int i;
327

328
    for (i = 0; i < MBEDTLS_DES_KEY_SIZE; i++) {
329
        if (key[i] != odd_parity_table[key[i] / 2]) {
330
            return 1;
331
        }
332
    }
333

334
    return 0;
335
}
336

337
/*
338
 * Table of weak and semi-weak keys
339
 *
340
 * Source: http://en.wikipedia.org/wiki/Weak_key
341
 *
342
 * Weak:
343
 * Alternating ones + zeros (0x0101010101010101)
344
 * Alternating 'F' + 'E' (0xFEFEFEFEFEFEFEFE)
345
 * '0xE0E0E0E0F1F1F1F1'
346
 * '0x1F1F1F1F0E0E0E0E'
347
 *
348
 * Semi-weak:
349
 * 0x011F011F010E010E and 0x1F011F010E010E01
350
 * 0x01E001E001F101F1 and 0xE001E001F101F101
351
 * 0x01FE01FE01FE01FE and 0xFE01FE01FE01FE01
352
 * 0x1FE01FE00EF10EF1 and 0xE01FE01FF10EF10E
353
 * 0x1FFE1FFE0EFE0EFE and 0xFE1FFE1FFE0EFE0E
354
 * 0xE0FEE0FEF1FEF1FE and 0xFEE0FEE0FEF1FEF1
355
 *
356
 */
357

358
#define WEAK_KEY_COUNT 16
359

360
static const unsigned char weak_key_table[WEAK_KEY_COUNT][MBEDTLS_DES_KEY_SIZE] =
361
{
362
    { 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 },
363
    { 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE },
364
    { 0x1F, 0x1F, 0x1F, 0x1F, 0x0E, 0x0E, 0x0E, 0x0E },
365
    { 0xE0, 0xE0, 0xE0, 0xE0, 0xF1, 0xF1, 0xF1, 0xF1 },
366

367
    { 0x01, 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E },
368
    { 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E, 0x01 },
369
    { 0x01, 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1 },
370
    { 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1, 0x01 },
371
    { 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE },
372
    { 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01 },
373
    { 0x1F, 0xE0, 0x1F, 0xE0, 0x0E, 0xF1, 0x0E, 0xF1 },
374
    { 0xE0, 0x1F, 0xE0, 0x1F, 0xF1, 0x0E, 0xF1, 0x0E },
375
    { 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E, 0xFE },
376
    { 0xFE, 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E },
377
    { 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1, 0xFE },
378
    { 0xFE, 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1 }
379
};
380

381
int mbedtls_des_key_check_weak(const unsigned char key[MBEDTLS_DES_KEY_SIZE])
382
{
383
    int i;
384

385
    for (i = 0; i < WEAK_KEY_COUNT; i++) {
386
        if (memcmp(weak_key_table[i], key, MBEDTLS_DES_KEY_SIZE) == 0) {
387
            return 1;
388
        }
389
    }
390

391
    return 0;
392
}
393

394
#if !defined(MBEDTLS_DES_SETKEY_ALT)
395
void mbedtls_des_setkey(uint32_t SK[32], const unsigned char key[MBEDTLS_DES_KEY_SIZE])
396
{
397
    int i;
398
    uint32_t X, Y, T;
399

400
    X = MBEDTLS_GET_UINT32_BE(key, 0);
401
    Y = MBEDTLS_GET_UINT32_BE(key, 4);
402

403
    /*
404
     * Permuted Choice 1
405
     */
406
    T =  ((Y >>  4) ^ X) & 0x0F0F0F0F;  X ^= T; Y ^= (T <<  4);
407
    T =  ((Y) ^ X) & 0x10101010;  X ^= T; Y ^= (T);
408

409
    X =   (LHs[(X) & 0xF] << 3) | (LHs[(X >>  8) & 0xF] << 2)
410
        | (LHs[(X >> 16) & 0xF] << 1) | (LHs[(X >> 24) & 0xF])
411
        | (LHs[(X >>  5) & 0xF] << 7) | (LHs[(X >> 13) & 0xF] << 6)
412
        | (LHs[(X >> 21) & 0xF] << 5) | (LHs[(X >> 29) & 0xF] << 4);
413

414
    Y =   (RHs[(Y >>  1) & 0xF] << 3) | (RHs[(Y >>  9) & 0xF] << 2)
415
        | (RHs[(Y >> 17) & 0xF] << 1) | (RHs[(Y >> 25) & 0xF])
416
        | (RHs[(Y >>  4) & 0xF] << 7) | (RHs[(Y >> 12) & 0xF] << 6)
417
        | (RHs[(Y >> 20) & 0xF] << 5) | (RHs[(Y >> 28) & 0xF] << 4);
418

419
    X &= 0x0FFFFFFF;
420
    Y &= 0x0FFFFFFF;
421

422
    /*
423
     * calculate subkeys
424
     */
425
    for (i = 0; i < 16; i++) {
426
        if (i < 2 || i == 8 || i == 15) {
427
            X = ((X <<  1) | (X >> 27)) & 0x0FFFFFFF;
428
            Y = ((Y <<  1) | (Y >> 27)) & 0x0FFFFFFF;
429
        } else {
430
            X = ((X <<  2) | (X >> 26)) & 0x0FFFFFFF;
431
            Y = ((Y <<  2) | (Y >> 26)) & 0x0FFFFFFF;
432
        }
433

434
        *SK++ =   ((X <<  4) & 0x24000000) | ((X << 28) & 0x10000000)
435
                | ((X << 14) & 0x08000000) | ((X << 18) & 0x02080000)
436
                | ((X <<  6) & 0x01000000) | ((X <<  9) & 0x00200000)
437
                | ((X >>  1) & 0x00100000) | ((X << 10) & 0x00040000)
438
                | ((X <<  2) & 0x00020000) | ((X >> 10) & 0x00010000)
439
                | ((Y >> 13) & 0x00002000) | ((Y >>  4) & 0x00001000)
440
                | ((Y <<  6) & 0x00000800) | ((Y >>  1) & 0x00000400)
441
                | ((Y >> 14) & 0x00000200) | ((Y) & 0x00000100)
442
                | ((Y >>  5) & 0x00000020) | ((Y >> 10) & 0x00000010)
443
                | ((Y >>  3) & 0x00000008) | ((Y >> 18) & 0x00000004)
444
                | ((Y >> 26) & 0x00000002) | ((Y >> 24) & 0x00000001);
445

446
        *SK++ =   ((X << 15) & 0x20000000) | ((X << 17) & 0x10000000)
447
                | ((X << 10) & 0x08000000) | ((X << 22) & 0x04000000)
448
                | ((X >>  2) & 0x02000000) | ((X <<  1) & 0x01000000)
449
                | ((X << 16) & 0x00200000) | ((X << 11) & 0x00100000)
450
                | ((X <<  3) & 0x00080000) | ((X >>  6) & 0x00040000)
451
                | ((X << 15) & 0x00020000) | ((X >>  4) & 0x00010000)
452
                | ((Y >>  2) & 0x00002000) | ((Y <<  8) & 0x00001000)
453
                | ((Y >> 14) & 0x00000808) | ((Y >>  9) & 0x00000400)
454
                | ((Y) & 0x00000200) | ((Y <<  7) & 0x00000100)
455
                | ((Y >>  7) & 0x00000020) | ((Y >>  3) & 0x00000011)
456
                | ((Y <<  2) & 0x00000004) | ((Y >> 21) & 0x00000002);
457
    }
458
}
459
#endif /* !MBEDTLS_DES_SETKEY_ALT */
460

461
/*
462
 * DES key schedule (56-bit, encryption)
463
 */
464
int mbedtls_des_setkey_enc(mbedtls_des_context *ctx, const unsigned char key[MBEDTLS_DES_KEY_SIZE])
465
{
466
    mbedtls_des_setkey(ctx->sk, key);
467

468
    return 0;
469
}
470

471
/*
472
 * DES key schedule (56-bit, decryption)
473
 */
474
int mbedtls_des_setkey_dec(mbedtls_des_context *ctx, const unsigned char key[MBEDTLS_DES_KEY_SIZE])
475
{
476
    int i;
477

478
    mbedtls_des_setkey(ctx->sk, key);
479

480
    for (i = 0; i < 16; i += 2) {
481
        SWAP(ctx->sk[i], ctx->sk[30 - i]);
482
        SWAP(ctx->sk[i + 1], ctx->sk[31 - i]);
483
    }
484

485
    return 0;
486
}
487

488
static void des3_set2key(uint32_t esk[96],
489
                         uint32_t dsk[96],
490
                         const unsigned char key[MBEDTLS_DES_KEY_SIZE*2])
491
{
492
    int i;
493

494
    mbedtls_des_setkey(esk, key);
495
    mbedtls_des_setkey(dsk + 32, key + 8);
496

497
    for (i = 0; i < 32; i += 2) {
498
        dsk[i] = esk[30 - i];
499
        dsk[i +  1] = esk[31 - i];
500

501
        esk[i + 32] = dsk[62 - i];
502
        esk[i + 33] = dsk[63 - i];
503

504
        esk[i + 64] = esk[i];
505
        esk[i + 65] = esk[i + 1];
506

507
        dsk[i + 64] = dsk[i];
508
        dsk[i + 65] = dsk[i + 1];
509
    }
510
}
511

512
/*
513
 * Triple-DES key schedule (112-bit, encryption)
514
 */
515
int mbedtls_des3_set2key_enc(mbedtls_des3_context *ctx,
516
                             const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2])
517
{
518
    uint32_t sk[96];
519

520
    des3_set2key(ctx->sk, sk, key);
521
    mbedtls_platform_zeroize(sk,  sizeof(sk));
522

523
    return 0;
524
}
525

526
/*
527
 * Triple-DES key schedule (112-bit, decryption)
528
 */
529
int mbedtls_des3_set2key_dec(mbedtls_des3_context *ctx,
530
                             const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2])
531
{
532
    uint32_t sk[96];
533

534
    des3_set2key(sk, ctx->sk, key);
535
    mbedtls_platform_zeroize(sk,  sizeof(sk));
536

537
    return 0;
538
}
539

540
static void des3_set3key(uint32_t esk[96],
541
                         uint32_t dsk[96],
542
                         const unsigned char key[24])
543
{
544
    int i;
545

546
    mbedtls_des_setkey(esk, key);
547
    mbedtls_des_setkey(dsk + 32, key +  8);
548
    mbedtls_des_setkey(esk + 64, key + 16);
549

550
    for (i = 0; i < 32; i += 2) {
551
        dsk[i] = esk[94 - i];
552
        dsk[i +  1] = esk[95 - i];
553

554
        esk[i + 32] = dsk[62 - i];
555
        esk[i + 33] = dsk[63 - i];
556

557
        dsk[i + 64] = esk[30 - i];
558
        dsk[i + 65] = esk[31 - i];
559
    }
560
}
561

562
/*
563
 * Triple-DES key schedule (168-bit, encryption)
564
 */
565
int mbedtls_des3_set3key_enc(mbedtls_des3_context *ctx,
566
                             const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3])
567
{
568
    uint32_t sk[96];
569

570
    des3_set3key(ctx->sk, sk, key);
571
    mbedtls_platform_zeroize(sk,  sizeof(sk));
572

573
    return 0;
574
}
575

576
/*
577
 * Triple-DES key schedule (168-bit, decryption)
578
 */
579
int mbedtls_des3_set3key_dec(mbedtls_des3_context *ctx,
580
                             const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3])
581
{
582
    uint32_t sk[96];
583

584
    des3_set3key(sk, ctx->sk, key);
585
    mbedtls_platform_zeroize(sk,  sizeof(sk));
586

587
    return 0;
588
}
589

590
/*
591
 * DES-ECB block encryption/decryption
592
 */
593
#if !defined(MBEDTLS_DES_CRYPT_ECB_ALT)
594
int mbedtls_des_crypt_ecb(mbedtls_des_context *ctx,
595
                          const unsigned char input[8],
596
                          unsigned char output[8])
597
{
598
    int i;
599
    uint32_t X, Y, T, *SK;
600

601
    SK = ctx->sk;
602

603
    X = MBEDTLS_GET_UINT32_BE(input, 0);
604
    Y = MBEDTLS_GET_UINT32_BE(input, 4);
605

606
    DES_IP(X, Y);
607

608
    for (i = 0; i < 8; i++) {
609
        DES_ROUND(Y, X);
610
        DES_ROUND(X, Y);
611
    }
612

613
    DES_FP(Y, X);
614

615
    MBEDTLS_PUT_UINT32_BE(Y, output, 0);
616
    MBEDTLS_PUT_UINT32_BE(X, output, 4);
617

618
    return 0;
619
}
620
#endif /* !MBEDTLS_DES_CRYPT_ECB_ALT */
621

622
#if defined(MBEDTLS_CIPHER_MODE_CBC)
623
/*
624
 * DES-CBC buffer encryption/decryption
625
 */
626
int mbedtls_des_crypt_cbc(mbedtls_des_context *ctx,
627
                          int mode,
628
                          size_t length,
629
                          unsigned char iv[8],
630
                          const unsigned char *input,
631
                          unsigned char *output)
632
{
633
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
634
    unsigned char temp[8];
635

636
    if (length % 8) {
637
        return MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH;
638
    }
639

640
    if (mode == MBEDTLS_DES_ENCRYPT) {
641
        while (length > 0) {
642
            mbedtls_xor(output, input, iv, 8);
643

644
            ret = mbedtls_des_crypt_ecb(ctx, output, output);
645
            if (ret != 0) {
646
                goto exit;
647
            }
648
            memcpy(iv, output, 8);
649

650
            input  += 8;
651
            output += 8;
652
            length -= 8;
653
        }
654
    } else { /* MBEDTLS_DES_DECRYPT */
655
        while (length > 0) {
656
            memcpy(temp, input, 8);
657
            ret = mbedtls_des_crypt_ecb(ctx, input, output);
658
            if (ret != 0) {
659
                goto exit;
660
            }
661

662
            mbedtls_xor(output, output, iv, 8);
663

664
            memcpy(iv, temp, 8);
665

666
            input  += 8;
667
            output += 8;
668
            length -= 8;
669
        }
670
    }
671
    ret = 0;
672

673
exit:
674
    return ret;
675
}
676
#endif /* MBEDTLS_CIPHER_MODE_CBC */
677

678
/*
679
 * 3DES-ECB block encryption/decryption
680
 */
681
#if !defined(MBEDTLS_DES3_CRYPT_ECB_ALT)
682
int mbedtls_des3_crypt_ecb(mbedtls_des3_context *ctx,
683
                           const unsigned char input[8],
684
                           unsigned char output[8])
685
{
686
    int i;
687
    uint32_t X, Y, T, *SK;
688

689
    SK = ctx->sk;
690

691
    X = MBEDTLS_GET_UINT32_BE(input, 0);
692
    Y = MBEDTLS_GET_UINT32_BE(input, 4);
693

694
    DES_IP(X, Y);
695

696
    for (i = 0; i < 8; i++) {
697
        DES_ROUND(Y, X);
698
        DES_ROUND(X, Y);
699
    }
700

701
    for (i = 0; i < 8; i++) {
702
        DES_ROUND(X, Y);
703
        DES_ROUND(Y, X);
704
    }
705

706
    for (i = 0; i < 8; i++) {
707
        DES_ROUND(Y, X);
708
        DES_ROUND(X, Y);
709
    }
710

711
    DES_FP(Y, X);
712

713
    MBEDTLS_PUT_UINT32_BE(Y, output, 0);
714
    MBEDTLS_PUT_UINT32_BE(X, output, 4);
715

716
    return 0;
717
}
718
#endif /* !MBEDTLS_DES3_CRYPT_ECB_ALT */
719

720
#if defined(MBEDTLS_CIPHER_MODE_CBC)
721
/*
722
 * 3DES-CBC buffer encryption/decryption
723
 */
724
int mbedtls_des3_crypt_cbc(mbedtls_des3_context *ctx,
725
                           int mode,
726
                           size_t length,
727
                           unsigned char iv[8],
728
                           const unsigned char *input,
729
                           unsigned char *output)
730
{
731
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
732
    unsigned char temp[8];
733

734
    if (length % 8) {
735
        return MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH;
736
    }
737

738
    if (mode == MBEDTLS_DES_ENCRYPT) {
739
        while (length > 0) {
740
            mbedtls_xor(output, input, iv, 8);
741

742
            ret = mbedtls_des3_crypt_ecb(ctx, output, output);
743
            if (ret != 0) {
744
                goto exit;
745
            }
746
            memcpy(iv, output, 8);
747

748
            input  += 8;
749
            output += 8;
750
            length -= 8;
751
        }
752
    } else { /* MBEDTLS_DES_DECRYPT */
753
        while (length > 0) {
754
            memcpy(temp, input, 8);
755
            ret = mbedtls_des3_crypt_ecb(ctx, input, output);
756
            if (ret != 0) {
757
                goto exit;
758
            }
759

760
            mbedtls_xor(output, output, iv, 8);
761

762
            memcpy(iv, temp, 8);
763

764
            input  += 8;
765
            output += 8;
766
            length -= 8;
767
        }
768
    }
769
    ret = 0;
770

771
exit:
772
    return ret;
773
}
774
#endif /* MBEDTLS_CIPHER_MODE_CBC */
775

776
#endif /* !MBEDTLS_DES_ALT */
777

778
#if defined(MBEDTLS_SELF_TEST)
779
/*
780
 * DES and 3DES test vectors from:
781
 *
782
 * http://csrc.nist.gov/groups/STM/cavp/documents/des/tripledes-vectors.zip
783
 */
784
static const unsigned char des3_test_keys[24] =
785
{
786
    0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF,
787
    0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01,
788
    0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01, 0x23
789
};
790

791
static const unsigned char des3_test_buf[8] =
792
{
793
    0x4E, 0x6F, 0x77, 0x20, 0x69, 0x73, 0x20, 0x74
794
};
795

796
static const unsigned char des3_test_ecb_dec[3][8] =
797
{
798
    { 0x37, 0x2B, 0x98, 0xBF, 0x52, 0x65, 0xB0, 0x59 },
799
    { 0xC2, 0x10, 0x19, 0x9C, 0x38, 0x5A, 0x65, 0xA1 },
800
    { 0xA2, 0x70, 0x56, 0x68, 0x69, 0xE5, 0x15, 0x1D }
801
};
802

803
static const unsigned char des3_test_ecb_enc[3][8] =
804
{
805
    { 0x1C, 0xD5, 0x97, 0xEA, 0x84, 0x26, 0x73, 0xFB },
806
    { 0xB3, 0x92, 0x4D, 0xF3, 0xC5, 0xB5, 0x42, 0x93 },
807
    { 0xDA, 0x37, 0x64, 0x41, 0xBA, 0x6F, 0x62, 0x6F }
808
};
809

810
#if defined(MBEDTLS_CIPHER_MODE_CBC)
811
static const unsigned char des3_test_iv[8] =
812
{
813
    0x12, 0x34, 0x56, 0x78, 0x90, 0xAB, 0xCD, 0xEF,
814
};
815

816
static const unsigned char des3_test_cbc_dec[3][8] =
817
{
818
    { 0x58, 0xD9, 0x48, 0xEF, 0x85, 0x14, 0x65, 0x9A },
819
    { 0x5F, 0xC8, 0x78, 0xD4, 0xD7, 0x92, 0xD9, 0x54 },
820
    { 0x25, 0xF9, 0x75, 0x85, 0xA8, 0x1E, 0x48, 0xBF }
821
};
822

823
static const unsigned char des3_test_cbc_enc[3][8] =
824
{
825
    { 0x91, 0x1C, 0x6D, 0xCF, 0x48, 0xA7, 0xC3, 0x4D },
826
    { 0x60, 0x1A, 0x76, 0x8F, 0xA1, 0xF9, 0x66, 0xF1 },
827
    { 0xA1, 0x50, 0x0F, 0x99, 0xB2, 0xCD, 0x64, 0x76 }
828
};
829
#endif /* MBEDTLS_CIPHER_MODE_CBC */
830

831
/*
832
 * Checkup routine
833
 */
834
int mbedtls_des_self_test(int verbose)
835
{
836
    int i, j, u, v, ret = 0;
837
    mbedtls_des_context ctx;
838
    mbedtls_des3_context ctx3;
839
    unsigned char buf[8];
840
#if defined(MBEDTLS_CIPHER_MODE_CBC)
841
    unsigned char prv[8];
842
    unsigned char iv[8];
843
#endif
844

845
    mbedtls_des_init(&ctx);
846
    mbedtls_des3_init(&ctx3);
847
    /*
848
     * ECB mode
849
     */
850
    for (i = 0; i < 6; i++) {
851
        u = i >> 1;
852
        v = i  & 1;
853

854
        if (verbose != 0) {
855
            mbedtls_printf("  DES%c-ECB-%3d (%s): ",
856
                           (u == 0) ? ' ' : '3', 56 + u * 56,
857
                           (v == MBEDTLS_DES_DECRYPT) ? "dec" : "enc");
858
        }
859

860
        memcpy(buf, des3_test_buf, 8);
861

862
        switch (i) {
863
            case 0:
864
                ret = mbedtls_des_setkey_dec(&ctx, des3_test_keys);
865
                break;
866

867
            case 1:
868
                ret = mbedtls_des_setkey_enc(&ctx, des3_test_keys);
869
                break;
870

871
            case 2:
872
                ret = mbedtls_des3_set2key_dec(&ctx3, des3_test_keys);
873
                break;
874

875
            case 3:
876
                ret = mbedtls_des3_set2key_enc(&ctx3, des3_test_keys);
877
                break;
878

879
            case 4:
880
                ret = mbedtls_des3_set3key_dec(&ctx3, des3_test_keys);
881
                break;
882

883
            case 5:
884
                ret = mbedtls_des3_set3key_enc(&ctx3, des3_test_keys);
885
                break;
886

887
            default:
888
                return 1;
889
        }
890
        if (ret != 0) {
891
            goto exit;
892
        }
893

894
        for (j = 0; j < 100; j++) {
895
            if (u == 0) {
896
                ret = mbedtls_des_crypt_ecb(&ctx, buf, buf);
897
            } else {
898
                ret = mbedtls_des3_crypt_ecb(&ctx3, buf, buf);
899
            }
900
            if (ret != 0) {
901
                goto exit;
902
            }
903
        }
904

905
        if ((v == MBEDTLS_DES_DECRYPT &&
906
             memcmp(buf, des3_test_ecb_dec[u], 8) != 0) ||
907
            (v != MBEDTLS_DES_DECRYPT &&
908
             memcmp(buf, des3_test_ecb_enc[u], 8) != 0)) {
909
            if (verbose != 0) {
910
                mbedtls_printf("failed\n");
911
            }
912

913
            ret = 1;
914
            goto exit;
915
        }
916

917
        if (verbose != 0) {
918
            mbedtls_printf("passed\n");
919
        }
920
    }
921

922
    if (verbose != 0) {
923
        mbedtls_printf("\n");
924
    }
925

926
#if defined(MBEDTLS_CIPHER_MODE_CBC)
927
    /*
928
     * CBC mode
929
     */
930
    for (i = 0; i < 6; i++) {
931
        u = i >> 1;
932
        v = i  & 1;
933

934
        if (verbose != 0) {
935
            mbedtls_printf("  DES%c-CBC-%3d (%s): ",
936
                           (u == 0) ? ' ' : '3', 56 + u * 56,
937
                           (v == MBEDTLS_DES_DECRYPT) ? "dec" : "enc");
938
        }
939

940
        memcpy(iv,  des3_test_iv,  8);
941
        memcpy(prv, des3_test_iv,  8);
942
        memcpy(buf, des3_test_buf, 8);
943

944
        switch (i) {
945
            case 0:
946
                ret = mbedtls_des_setkey_dec(&ctx, des3_test_keys);
947
                break;
948

949
            case 1:
950
                ret = mbedtls_des_setkey_enc(&ctx, des3_test_keys);
951
                break;
952

953
            case 2:
954
                ret = mbedtls_des3_set2key_dec(&ctx3, des3_test_keys);
955
                break;
956

957
            case 3:
958
                ret = mbedtls_des3_set2key_enc(&ctx3, des3_test_keys);
959
                break;
960

961
            case 4:
962
                ret = mbedtls_des3_set3key_dec(&ctx3, des3_test_keys);
963
                break;
964

965
            case 5:
966
                ret = mbedtls_des3_set3key_enc(&ctx3, des3_test_keys);
967
                break;
968

969
            default:
970
                return 1;
971
        }
972
        if (ret != 0) {
973
            goto exit;
974
        }
975

976
        if (v == MBEDTLS_DES_DECRYPT) {
977
            for (j = 0; j < 100; j++) {
978
                if (u == 0) {
979
                    ret = mbedtls_des_crypt_cbc(&ctx, v, 8, iv, buf, buf);
980
                } else {
981
                    ret = mbedtls_des3_crypt_cbc(&ctx3, v, 8, iv, buf, buf);
982
                }
983
                if (ret != 0) {
984
                    goto exit;
985
                }
986
            }
987
        } else {
988
            for (j = 0; j < 100; j++) {
989
                unsigned char tmp[8];
990

991
                if (u == 0) {
992
                    ret = mbedtls_des_crypt_cbc(&ctx, v, 8, iv, buf, buf);
993
                } else {
994
                    ret = mbedtls_des3_crypt_cbc(&ctx3, v, 8, iv, buf, buf);
995
                }
996
                if (ret != 0) {
997
                    goto exit;
998
                }
999

1000
                memcpy(tmp, prv, 8);
1001
                memcpy(prv, buf, 8);
1002
                memcpy(buf, tmp, 8);
1003
            }
1004

1005
            memcpy(buf, prv, 8);
1006
        }
1007

1008
        if ((v == MBEDTLS_DES_DECRYPT &&
1009
             memcmp(buf, des3_test_cbc_dec[u], 8) != 0) ||
1010
            (v != MBEDTLS_DES_DECRYPT &&
1011
             memcmp(buf, des3_test_cbc_enc[u], 8) != 0)) {
1012
            if (verbose != 0) {
1013
                mbedtls_printf("failed\n");
1014
            }
1015

1016
            ret = 1;
1017
            goto exit;
1018
        }
1019

1020
        if (verbose != 0) {
1021
            mbedtls_printf("passed\n");
1022
        }
1023
    }
1024
#endif /* MBEDTLS_CIPHER_MODE_CBC */
1025

1026
    if (verbose != 0) {
1027
        mbedtls_printf("\n");
1028
    }
1029

1030
exit:
1031
    mbedtls_des_free(&ctx);
1032
    mbedtls_des3_free(&ctx3);
1033

1034
    if (ret != 0) {
1035
        ret = 1;
1036
    }
1037
    return ret;
1038
}
1039

1040
#endif /* MBEDTLS_SELF_TEST */
1041

1042
#endif /* MBEDTLS_DES_C */
1043

1044