CoCalc -- 3des.c

GitHub Repository: wine-mirror/wine
Path: blob/master/libs/symcrypt/lib/3des.c
¹⁵⁰¹⁰ views
1
//
2
// 3des.c Routines for DES and 3DES
3
//
4
// Copyright (c) Microsoft Corporation. Licensed under the MIT license.
5
//
6
// This is an updated implementation that is carefully reviewed to be fully copyrighted by
7
// Microsoft. Our previous implementation was partially based on a very old public domain
8
// implementation.
9
// According to Andrew Tucker (atucker) there was a claim many years ago about the copyright of
10
// our DES code. Working with LCA (legal) it was determined that the DES implementation in RSA32.lib
11
// was a Microsoft derivative of a public-domain implementation, and therefore is clear of
12
// any IP issues. To avoid any further claims we have now scrubbed this implementation from all
13
// copyrightable elements derived from outside sources.
14
//
15
// We take non-copyrightable items from the old implementations such as
16
// - lookup tables
17
// - algorithm for various bit permutations
18
// - Any variable & function names that are already MS-generated.
19
// - Other MS-generated code elements (e.g. SymCrypt integration)
20
// Some of the considerations we made are:
21
// Most of the functionality of DES is required by the FIPS standard and there is not much
22
// choice on how to code it; elements required by the standard are not copyright protected.
23
// The lookup tables themselves are not copyrightable as they have no artistic expression.
24
// The format of the lookup tables is almost completely determined by the standard and the algorithm
25
// used to access them. Any further layout and structure are all standard C conventions.
26
// Algorithm tricks such as Hoey's IP implementation are not copyrightable but are patentable.
27
// Fortunately all the techniques we use have been around long enough that any patents have expired.
28
//
29

30
//
31
// Feb 2018, Niels Ferguson
32
//
33

34
#include "precomp.h"
35

36
//
37
// Tables to describe the DES and 3DES block ciphers so that the generic
38
// chaining mode functions can use them.
39
// We have no optimized mode-specific code as the DES block is so slow that there is
40
// very little to be gained.
41
//
42

43
const SYMCRYPT_BLOCKCIPHER SymCrypt3DesBlockCipher_default = {
44
    SymCrypt3DesExpandKey,  // PSYMCRYPT_BLOCKCIPHER_EXPAND_KEY    expandKeyFunc;
45
    SymCrypt3DesEncrypt,    // PSYMCRYPT_BLOCKCIPHER_CRYPT         encryptFunc;
46
    SymCrypt3DesDecrypt,    // PSYMCRYPT_BLOCKCIPHER_CRYPT         decryptFunc;
47
    NULL,                   // PSYMCRYPT_BLOCKCIPHER_CRYPT_ECB     ecbEncryptFunc;
48
    NULL,                   // PSYMCRYPT_BLOCKCIPHER_CRYPT_ECB     ecbDecryptFunc;
49
    NULL,                   // PSYMCRYPT_BLOCKCIPHER_CRYPT_MODE    cbcEncryptFunc;
50
    NULL,                   // PSYMCRYPT_BLOCKCIPHER_CRYPT_MODE    cbcDecryptFunc;
51
    NULL,                   // PSYMCRYPT_BLOCKCIPHER_MAC_MODE      cbcMacFunc;
52
    NULL,                   // PSYMCRYPT_BLOCKCIPHER_CRYPT_MODE    ctrMsbFunc;
53
    NULL,                   // PSYMCRYPT_BLOCKCIPHER_AEADPART_MODE gcmEncryptPartFunc;
54
    NULL,                   // PSYMCRYPT_BLOCKCIPHER_AEADPART_MODE gcmDecryptPartFunc;
55
    8,                      // SIZE_T                              blockSize;
56
    sizeof( SYMCRYPT_3DES_EXPANDED_KEY ), // SIZE_T  expandedKeySize;    // = sizeof( SYMCRYPT_XXX_EXPANDED_KEY )
57
};
58

59
const SYMCRYPT_BLOCKCIPHER SymCryptDesBlockCipher_default = {
60
    SymCryptDesExpandKey,   // PSYMCRYPT_BLOCKCIPHER_EXPAND_KEY    expandKeyFunc;
61
    SymCryptDesEncrypt,     // PSYMCRYPT_BLOCKCIPHER_CRYPT         encryptFunc;
62
    SymCryptDesDecrypt,     // PSYMCRYPT_BLOCKCIPHER_CRYPT         decryptFunc;
63
    NULL,                   // PSYMCRYPT_BLOCKCIPHER_CRYPT_ECB     ecbEncryptFunc;
64
    NULL,                   // PSYMCRYPT_BLOCKCIPHER_CRYPT_ECB     ecbDecryptFunc;
65
    NULL,                   // PSYMCRYPT_BLOCKCIPHER_CRYPT_MODE    cbcEncryptFunc;
66
    NULL,                   // PSYMCRYPT_BLOCKCIPHER_CRYPT_MODE    cbcDecryptFunc;
67
    NULL,                   // PSYMCRYPT_BLOCKCIPHER_MAC_MODE      cbcMacFunc;
68
    NULL,                   // PSYMCRYPT_BLOCKCIPHER_CRYPT_MODE    ctrMsbFunc;
69
    NULL,                   // PSYMCRYPT_BLOCKCIPHER_AEADPART_MODE gcmEncryptPartFunc;
70
    NULL,                   // PSYMCRYPT_BLOCKCIPHER_AEADPART_MODE gcmDecryptPartFunc;
71
    8,                      // SIZE_T                              blockSize;
72
    sizeof( SYMCRYPT_DES_EXPANDED_KEY ), // SIZE_T  expandedKeySize;    // = sizeof( SYMCRYPT_XXX_EXPANDED_KEY )
73
};
74

75
const PCSYMCRYPT_BLOCKCIPHER SymCrypt3DesBlockCipher = &SymCrypt3DesBlockCipher_default;
76
const PCSYMCRYPT_BLOCKCIPHER SymCryptDesBlockCipher = &SymCryptDesBlockCipher_default;
77

78
extern SYMCRYPT_ALIGN_AT(256) const UINT32 SymCryptDesSpbox[8][64];      // Combined S and P tables
79
extern SYMCRYPT_ALIGN_AT(256) const UINT32 SymCryptDesKeySelect[8][64];
80

81

82
//
83
// The SWAP_BITS_WITHIN_UINT32 macro swaps bits within a UINT32 value
84
// SWAP_BITS_WITHIN_UINT32( _value, _shift, _mask )
85
// swaps each bit in _value selected by _mask with the bit _shift positions to the left
86
// Thus it swaps (_value & _mask) with (_value & (_mask << _shift))
87
//
88

89
#define SWAP_BITS_WITHIN_UINT32( _value, _shift, _mask ) \
90
{ \
91
    UINT32  _tmp; \
92
    _tmp = ((_value) ^ ((_value) >> (_shift))) & (_mask ); \
93
    _value = (_value) ^ _tmp ^ (_tmp << (_shift)); \
94
}
95

96
//
97
// The SWAP_BITS_BETWEEN_UINT32 macro swaps bits between two UINT32 values
98
// SWAP_BITS_BETWEEN_UINT32( _v1, _v2, _shift, _mask )
99
// swaps bits in _v1 selected by _mask with bits in _v2 selected by _mask << _shift
100
//
101

102
#define SWAP_BITS_BETWEEN_UINT32( _v1, _v2, _shift, _mask ) \
103
{ \
104
    UINT32  _tmp; \
105
    _tmp = ((_v1) ^ ((_v2) >> (_shift))) & (_mask); \
106
    _v1 ^= _tmp; \
107
    _v2 ^= (_tmp << (_shift )); \
108
}
109

110
//
111
// For each round, a bit that states whether the key schedule shift registers are clocked twice
112
// The data is straight from the standard.
113
//
114
static const BYTE SymCryptDesDoubleShift[16]={0,0,1,1,1,1,1,1,0,1,1,1,1,1,1,0};
115

116
//////////////////////////
117
//  DES
118
// We just implement DES as 3DES.
119
// People using DES have bigger problems than bad performance.
120
//
121

122
SYMCRYPT_ERROR
123
SYMCRYPT_CALL
124
SymCryptDesExpandKey(
125
    _Out_               PSYMCRYPT_DES_EXPANDED_KEY  pExpandedKey,
126
    _In_reads_( cbKey ) PCBYTE                      pbKey,
127
                        SIZE_T                      cbKey )
128
{
129
    if( cbKey != 8 )
130
    {
131
        //
132
        // cbKey should be a compile-time constant in most cases,
133
        // so this should be optimized away
134
        //
135
        return SYMCRYPT_WRONG_KEY_SIZE;
136
    }
137
    return SymCrypt3DesExpandKey( &pExpandedKey->threeDes, pbKey, cbKey );
138
}
139

140
VOID
141
SYMCRYPT_CALL
142
SymCryptDesEncrypt(
143
    _In_                                    PCSYMCRYPT_DES_EXPANDED_KEY pExpandedKey,
144
    _In_reads_( SYMCRYPT_DES_BLOCK_SIZE )   PCBYTE                      pbSrc,
145
    _Out_writes_( SYMCRYPT_DES_BLOCK_SIZE ) PBYTE                       pbDst )
146
{
147
    SymCrypt3DesEncrypt( &pExpandedKey->threeDes, pbSrc, pbDst );
148
}
149

150
VOID
151
SYMCRYPT_CALL
152
SymCryptDesDecrypt(
153
    _In_                                    PCSYMCRYPT_DES_EXPANDED_KEY pExpandedKey,
154
    _In_reads_( SYMCRYPT_DES_BLOCK_SIZE )   PCBYTE                      pbSrc,
155
    _Out_writes_( SYMCRYPT_DES_BLOCK_SIZE ) PBYTE                       pbDst )
156
{
157
    SymCrypt3DesDecrypt( &pExpandedKey->threeDes, pbSrc, pbDst );
158
}
159

160
//
161
// The 3DesCbcEncrypt/Decrypt functions are used to make converting code from
162
// older libraries to SymCrypt easier.
163
//
164

165
VOID
166
SYMCRYPT_CALL
167
SymCrypt3DesCbcEncrypt(
168
    _In_                                        PCSYMCRYPT_3DES_EXPANDED_KEY    pExpandedKey,
169
    _Inout_updates_( SYMCRYPT_3DES_BLOCK_SIZE ) PBYTE                           pbChainingValue,
170
    _In_reads_( cbData )                        PCBYTE                          pbSrc,
171
    _Out_writes_( cbData )                      PBYTE                           pbDst,
172
                                                SIZE_T                          cbData )
173
{
174
    SYMCRYPT_ASSERT( SymCrypt3DesBlockCipher->blockSize == SYMCRYPT_3DES_BLOCK_SIZE );
175
    SymCryptCbcEncrypt( SymCrypt3DesBlockCipher, pExpandedKey, pbChainingValue, pbSrc, pbDst, cbData );
176
}
177

178
VOID
179
SYMCRYPT_CALL
180
SymCrypt3DesCbcDecrypt(
181
    _In_                                        PCSYMCRYPT_3DES_EXPANDED_KEY    pExpandedKey,
182
    _Inout_updates_( SYMCRYPT_3DES_BLOCK_SIZE ) PBYTE                           pbChainingValue,
183
    _In_reads_( cbData )                        PCBYTE                          pbSrc,
184
    _Out_writes_( cbData )                      PBYTE                           pbDst,
185
                                                SIZE_T                          cbData )
186
{
187
    SYMCRYPT_ASSERT( SymCrypt3DesBlockCipher->blockSize == SYMCRYPT_3DES_BLOCK_SIZE );
188
    SymCryptCbcDecrypt( SymCrypt3DesBlockCipher, pExpandedKey, pbChainingValue, pbSrc, pbDst, cbData );
189
}
190

191

192

193
VOID
194
SYMCRYPT_CALL
195
SymCryptDesExpandSingleKey(
196
        _Out_writes_bytes_(128) UINT32  expandedKeyTable[16][2],
197
        _In_reads_(8)           PCBYTE  pKey )
198
{
199
    UINT32 Cr, Dr;      // The C_r D_r values of FIPS 43 for round value r
200
    UINT32 r;           // round
201
    UINT32 K1, K2;      // round keys after the permuted choice 2
202
    UINT32 tmp;
203

204
    //
205
    // We follow the FIPS 43 flow quite closely and have not optimized the key expansion much.
206
    // Key expansion is not performance-critical.
207
    //
208

209
    // Load the key
210
    Cr = SYMCRYPT_LOAD_LSBFIRST32( pKey );
211
    Dr = SYMCRYPT_LOAD_LSBFIRST32( pKey + 4 );
212

213
    //
214
    // The Permuted Choice 1 can be done mostly with a sequence of bit swaps.
215
    // The algorithm we use is derived from our earlier implementation and might potentially
216
    // derive from an external source.
217
    // But the algorithm cannot be copyrighted, only patented, and if there were any patents
218
    // they have expired by now.
219
    // The expression of the algorithm in code is purely MS generated, and so not encumbered
220
    // by external copyrights.
221
    // This algorithm is really just a transposition of the bits when viewed as an 8x8 matrix
222
    // with an additional permutation on the output side.
223
    //
224
    SWAP_BITS_BETWEEN_UINT32( Cr, Dr, 4, 0x0f0f0f0f );
225
    SWAP_BITS_WITHIN_UINT32( Dr, 18, 0x00003333 );
226
    SWAP_BITS_WITHIN_UINT32( Cr, 18, 0x00003333 );
227
    SWAP_BITS_BETWEEN_UINT32( Cr, Dr, 1, 0x55555555 );
228
    SWAP_BITS_BETWEEN_UINT32( Dr, Cr, 8, 0x00ff00ff );
229
    SWAP_BITS_BETWEEN_UINT32( Cr, Dr, 1, 0x55555555 );
230
    SWAP_BITS_WITHIN_UINT32( Dr, 16, 0xff );
231

232
    // Have to re-arrange C and D a tiny bit so that each contains 28 bits and we throw away 8 bits
233
    Dr = (Dr & 0x00ffffff) | ((Cr & 0xf0000000 ) >> 4 );
234
    Cr = (Cr & 0x0fffffff);
235

236
    for( r = 0; r < 16; r++)
237
    {
238
        //
239
        // Cr and Dr are the two key shift registers, they are rotated once or twice for each round.
240
        //
241

242
        if( SymCryptDesDoubleShift[ r ] ) {
243
            Cr = ((Cr >> 2) | (Cr << 26));
244
            Dr = ((Dr >> 2) | (Dr << 26));
245
        } else {
246
            Cr = ((Cr >> 1) | (Cr << 27));
247
            Dr = ((Dr >> 1) | (Dr << 27));
248
        }
249

250
        Cr &= 0x0fffffff;
251
        Dr &= 0x0fffffff;
252

253
        //
254
        // The Permuted Choice 2 is done using table lookups
255
        // Not all bits of C and D are used, so we cut those out using shifts and masks,
256
        // and then index 6 bits at a time into lookup tables that implement the bit relocation.
257
        //
258

259
        K1 = SymCryptDesKeySelect[0][ (Cr      )&0x3f                     ] |
260
             SymCryptDesKeySelect[1][((Cr >>  6)&0x03) | ((Cr >>  7)&0x3c)] |
261
             SymCryptDesKeySelect[2][((Cr >> 13)&0x0f) | ((Cr >> 14)&0x30)] |
262
             SymCryptDesKeySelect[3][((Cr >> 20)&0x01) | ((Cr >> 21)&0x06) | ((Cr >> 22)&0x38)];
263

264
        K2 = SymCryptDesKeySelect[4][ (Dr      )&0x3f                     ] |
265
             SymCryptDesKeySelect[5][((Dr >>  7)&0x03) | ((Dr >>  8)&0x3c)] |
266
             SymCryptDesKeySelect[6][ (Dr >> 15)&0x3f                     ] |
267
             SymCryptDesKeySelect[7][((Dr >> 21)&0x0f) | ((Dr >> 22)&0x30)];
268

269
        //
270
        // After this we still have to swap the halves of K1 and K2, that is done below
271
        // as part of the formatting of the round key
272
        //
273

274
        //
275
        // So far we have recreated the round keys per the standard.
276
        // The round keys are stored rotated by 2 as the encrypt/decrypt code finds that easier.
277
        // We could update the tables to do this, but key expansion is not used that frequently,
278
        // and it is not worth the effort to update the tables.
279
        //
280
        // We don't worry about extraneous bits in unused positions as the F function masks out unused bits.
281
        //
282

283
        tmp = ((K2 << 16) | (K1 & 0x0000ffff)) ;
284
        expandedKeyTable[r][0] = ROL32(tmp, 2);
285

286
        tmp = ((K1 >> 16) | (K2 & 0xffff0000));
287
        expandedKeyTable[r][1] = ROL32(tmp, 6);
288
    }
289
}
290

291

292
SYMCRYPT_NOINLINE
293
SYMCRYPT_ERROR
294
SYMCRYPT_CALL
295
SymCrypt3DesExpandKey(
296
    _Out_               PSYMCRYPT_3DES_EXPANDED_KEY pExpandedKey,
297
    _In_reads_(cbKey)   PCBYTE                      pbKey,
298
                        SIZE_T                      cbKey )
299
{
300
    SIZE_T keyIndex = 0;
301
    int i;
302

303
    if( cbKey != 8 && cbKey != 16 && cbKey != 24 )
304
    {
305
        return SYMCRYPT_WRONG_KEY_SIZE;
306
    }
307

308
    //
309
    // A loop that goes over the provided key as a circular buffer provides
310
    // the right result with the least complexity.
311
    // This is inefficient for the cases cbKey=8 and cbKey=16, but those should
312
    // not be used anyway.
313
    //
314
    for( i=0; i<3; i++ )
315
    {
316
        SYMCRYPT_ASSERT( keyIndex <= cbKey - 8 );       // help PreFast
317
        SymCryptDesExpandSingleKey( pExpandedKey->roundKey[i], pbKey + keyIndex );
318
        keyIndex = (keyIndex + 8) % cbKey;
319
    }
320

321
    SYMCRYPT_SET_MAGIC( pExpandedKey );
322

323
    return SYMCRYPT_NO_ERROR;
324
}
325

326

327
//
328
// The DES round function
329
// This is straight from the standard.
330
// Ta and Tb each contain 4 sets of 6 bits that are S-box inputs
331
// We interleave the use of Ta and Tb to provide better CPU scheduling on weak compilers.
332
// We ensure that the input bits appear in bits 2-7 of the index to avoid a scaled index
333
// which can be slower on some CPUs.
334
//
335
#define F(L, R, keyptr) { \
336
    Ta = keyptr[0] ^ R; \
337
    Tb = keyptr[1] ^ R; \
338
    Tb = ROR32(Tb, 4); \
339
    L ^= *(UINT32 *)((PBYTE)SymCryptDesSpbox[0] + ( Ta     & 0xfc)); \
340
    L ^= *(UINT32 *)((PBYTE)SymCryptDesSpbox[1] + ( Tb     & 0xfc)); \
341
    L ^= *(UINT32 *)((PBYTE)SymCryptDesSpbox[2] + ((Ta>> 8)& 0xfc)); \
342
    L ^= *(UINT32 *)((PBYTE)SymCryptDesSpbox[3] + ((Tb>> 8)& 0xfc)); \
343
    L ^= *(UINT32 *)((PBYTE)SymCryptDesSpbox[4] + ((Ta>>16)& 0xfc)); \
344
    L ^= *(UINT32 *)((PBYTE)SymCryptDesSpbox[5] + ((Tb>>16)& 0xfc)); \
345
    L ^= *(UINT32 *)((PBYTE)SymCryptDesSpbox[6] + ((Ta>>24)& 0xfc)); \
346
    L ^= *(UINT32 *)((PBYTE)SymCryptDesSpbox[7] + ((Tb>>24)& 0xfc)); }
347

348

349

350
//
351
// Block encryption.
352
// The noinline stops the compiler from inlining the code and creating additional
353
// implementations which would require separate FIPS selftests.
354
//
355
SYMCRYPT_NOINLINE
356
VOID
357
SYMCRYPT_CALL
358
SymCrypt3DesEncrypt(
359
    _In_                                        PCSYMCRYPT_3DES_EXPANDED_KEY    pExpandedKey,
360
    _In_reads_( SYMCRYPT_3DES_BLOCK_SIZE )      PCBYTE                          pbSrc,
361
    _Out_writes_( SYMCRYPT_3DES_BLOCK_SIZE )    PBYTE                           pbDst )
362
{
363
    UINT32   L, R, Ta, Tb;
364
    int r;
365

366
    SYMCRYPT_CHECK_MAGIC( pExpandedKey );
367

368
    R = SYMCRYPT_LOAD_LSBFIRST32( pbSrc );
369
    L = SYMCRYPT_LOAD_LSBFIRST32( pbSrc + 4 );
370

371
    //
372
    // Hoey's wonderful initial permutation algorithm, from Outerbridge
373
    // (see Schneier p 478)
374
    //
375
    // The algorithm we use is derived (through several intermediate forms) from the mentioned source.
376
    // But the algorithm cannot be copyrighted, only patented, and if there were any patents
377
    // they have expired by now.
378
    // The expression of the algorithm in code is purely MS generated,
379
    // within the confines of implementing the algorithm in the best way such that even a simple
380
    // compiler will create good code.
381
    //
382

383
    R = ROL32(R, 4);
384
    Ta = (L ^ R) & 0xf0f0f0f0;
385
    L ^= Ta;
386
    R ^= Ta;
387

388
    L = ROL32(L, 20);
389
    Ta = (L ^ R) & 0xfff0000f;
390
    R ^= Ta;
391
    L ^= Ta;
392

393
    L = ROL32(L,14);
394
    Ta = (L ^ R) & 0x33333333;
395
    R ^= Ta;
396
    L ^= Ta;
397

398
    R = ROL32(R, 22);
399
    Ta = (L ^ R) & 0x03fc03fc;
400
    R ^= Ta;
401
    L ^= Ta;
402

403
    R = ROL32(R, 9);
404
    Ta = (L ^ R) & 0xaaaaaaaa;
405
    R ^= Ta;
406
    L ^= Ta;
407

408
    L = ROL32(L, 1);
409

410
    //
411
    // First: encryption
412
    //
413
    for( r=0; r<16; r += 2 )
414
    {
415
        F( L, R, pExpandedKey->roundKey[0][r  ] );
416
        F( R, L, pExpandedKey->roundKey[0][r+1] );
417
    }
418

419
    //
420
    // Second: decryption
421
    // Note that L and R are swapped here, and the round counter counts down.
422
    //
423
    for( r=14; r>=0; r -= 2 )
424
    {
425
        F( R, L, pExpandedKey->roundKey[1][r+1] );
426
        F( L, R, pExpandedKey->roundKey[1][r  ] );
427
    }
428

429
    //
430
    // Third: encryption
431
    //
432
    for( r=0; r<16; r += 2 )
433
    {
434
        F( L, R, pExpandedKey->roundKey[2][r  ] );
435
        F( R, L, pExpandedKey->roundKey[2][r+1] );
436
    }
437

438
    R = ROR32(R, 1);
439
    Ta = (L ^ R) & 0xaaaaaaaa;
440
    R ^= Ta;
441
    L ^= Ta;
442

443
    L = ROR32(L, 9);
444
    Ta = (L ^ R) & 0x03fc03fc;
445
    R ^= Ta;
446
    L ^= Ta;
447

448
    L = ROR32(L, 22);
449
    Ta = (L ^ R) & 0x33333333;
450
    R ^= Ta;
451
    L ^= Ta;
452

453
    R = ROR32(R, 14);
454
    Ta = (L ^ R) & 0xfff0000f;
455
    R ^= Ta;
456
    L ^= Ta;
457

458
    R = ROR32(R, 20);
459
    Ta = (L ^ R) & 0xf0f0f0f0;
460
    R ^= Ta;
461
    L ^= Ta;
462

463
    L = ROR32(L, 4);
464

465
    SYMCRYPT_STORE_LSBFIRST32( pbDst, L );
466
    SYMCRYPT_STORE_LSBFIRST32( pbDst + 4, R );
467
}
468

469

470
//
471
// Block decrypt
472
// The noinline stops the compiler from inlining the code and creating additional
473
// implementations which would require separate FIPS selftests.
474
//
475
SYMCRYPT_NOINLINE
476
VOID
477
SYMCRYPT_CALL
478
SymCrypt3DesDecrypt(
479
    _In_                                        PCSYMCRYPT_3DES_EXPANDED_KEY    pExpandedKey,
480
    _In_reads_( SYMCRYPT_3DES_BLOCK_SIZE )      PCBYTE                          pbSrc,
481
    _Out_writes_( SYMCRYPT_3DES_BLOCK_SIZE )    PBYTE                           pbDst )
482
{
483
    UINT32   L, R, Ta, Tb;
484
    int r;
485

486
    SYMCRYPT_CHECK_MAGIC( pExpandedKey );
487

488
    R = SYMCRYPT_LOAD_LSBFIRST32( pbSrc );
489
    L = SYMCRYPT_LOAD_LSBFIRST32( pbSrc + 4 );
490

491
    R = ROL32(R, 4);
492
    Ta = (L ^ R) & 0xf0f0f0f0;
493
    L ^= Ta;
494
    R ^= Ta;
495

496
    L = ROL32(L, 20);
497
    Ta = (L ^ R) & 0xfff0000f;
498
    L ^= Ta;
499
    R ^= Ta;
500

501
    L = ROL32(L, 14);
502
    Ta = (L ^ R) & 0x33333333;
503
    L ^= Ta;
504
    R ^= Ta;
505

506
    R = ROL32(R, 22);
507
    Ta = (L ^ R) & 0x03fc03fc;
508
    L ^= Ta;
509
    R ^= Ta;
510

511
    R = ROL32(R, 9);
512
    Ta = (L ^ R) & 0xaaaaaaaa;
513
    L ^= Ta;
514
    R ^= Ta;
515

516
    L = ROL32(L, 1);
517

518

519
    // Decrypt with key 2
520
    for( r=14; r>=0; r -= 2 )
521
    {
522
        F( L, R, pExpandedKey->roundKey[2][r+1] );
523
        F( R, L, pExpandedKey->roundKey[2][r  ] );
524
    }
525

526
    // Encrypt with key 1
527
    for( r=0; r<16; r += 2 )
528
    {
529
        F( R, L, pExpandedKey->roundKey[1][r  ] );
530
        F( L, R, pExpandedKey->roundKey[1][r+1] );
531
    }
532

533
    // Decrypt with key 0
534
    for( r=14; r>=0; r -= 2 )
535
    {
536
        F( L, R, pExpandedKey->roundKey[0][r+1] );
537
        F( R, L, pExpandedKey->roundKey[0][r  ] );
538
    }
539

540
    /* Inverse permutation, also from Hoey via Outerbridge and Schneier */
541

542
    R = ROR32(R, 1);
543
    Ta = (L ^ R) & 0xaaaaaaaa;
544
    L ^= Ta;
545
    R ^= Ta;
546

547
    L = ROR32(L, 9);
548
    Ta = (L ^ R) & 0x03fc03fc;
549
    L ^= Ta;
550
    R ^= Ta;
551

552
    L = ROR32(L, 22);
553
    Ta = (L ^ R) & 0x33333333;
554
    L ^= Ta;
555
    R ^= Ta;
556

557
    R = ROR32(R, 14);
558
    Ta = (L ^ R) & 0xfff0000f;
559
    L ^= Ta;
560
    R ^= Ta;
561

562
    R = ROR32(R, 20);
563
    Ta = (L ^ R) & 0xf0f0f0f0;
564
    L ^= Ta;
565
    R ^= Ta;
566

567
    L = ROR32(L, 4);
568

569
    SYMCRYPT_STORE_LSBFIRST32( pbDst, L );
570
    SYMCRYPT_STORE_LSBFIRST32( pbDst + 4, R );
571
}
572

573

574

575
VOID
576
SYMCRYPT_CALL
577
SymCryptDesSetOddParity(
578
    _Inout_updates_( cbData )   PBYTE   pbData,
579
    _In_                        SIZE_T  cbData )
580
//
581
// For each byte, set bit 0 such that the byte parity is odd.
582
// This function is side-channel safe
583
//
584
{
585
    SIZE_T i;
586
    BYTE b, t;
587
    for( i=0; i<cbData; i++ )
588
    {
589
        // We obey the read-once write-once rule
590
        b = *pbData;
591

592
        t = b ^ (b>>4);     // parity(b) = parity( t & 0xf )
593
        t ^= t>>2;          //           = parity( t & 0x3 )
594
        t ^= t>>1;          //           = parity( t & 0x1 )
595
        *pbData++ = b ^ (t&1) ^ 1;
596
    }
597
}
598

599

600
//
601
// Test vectors for self test
602
//
603
static const BYTE SP800_67Key[24] = {
604
    0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF,
605
    0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01,
606
    0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01, 0x23,
607
};
608

609
static const BYTE des3KnownPlaintext[8] = {
610
    0x4E, 0x6F, 0x77, 0x20, 0x69, 0x73, 0x20, 0x74,
611
};
612

613
static const BYTE des3KnownCiphertext[8] = {
614
    0x31, 0x4F, 0x83, 0x27, 0xFA, 0x7A, 0x09, 0xA8,
615
};
616

617
static const BYTE desKnownCiphertext[8] = {
618
    0x3F, 0xA4, 0x0E, 0x8A, 0x98, 0x4D, 0x48, 0x15,
619
};
620

621

622
VOID
623
SYMCRYPT_CALL
624
SymCryptDesSelftest(void)
625
{
626
    BYTE                        buf[SYMCRYPT_DES_BLOCK_SIZE];
627
    SYMCRYPT_DES_EXPANDED_KEY   key;
628

629
    if( SymCryptDesExpandKey( &key, SP800_67Key, 8 ) != SYMCRYPT_NO_ERROR )
630
    {
631
        SymCryptFatal( 'desa' );
632
    }
633

634
    SymCryptDesEncrypt( &key, des3KnownPlaintext, buf );
635

636
    SymCryptInjectError( buf, SYMCRYPT_DES_BLOCK_SIZE );
637

638
    if( memcmp( buf, desKnownCiphertext, SYMCRYPT_DES_BLOCK_SIZE ) != 0 )
639
    {
640
        SymCryptFatal( 'desb' );
641
    }
642

643
    SymCryptDesDecrypt( &key, desKnownCiphertext, buf );
644

645
    SymCryptInjectError( buf, SYMCRYPT_DES_BLOCK_SIZE );
646

647
    if( memcmp( buf, des3KnownPlaintext, SYMCRYPT_DES_BLOCK_SIZE ) != 0 )
648
    {
649
        SymCryptFatal( 'desc' );
650
    }
651
}
652

653

654
VOID
655
SYMCRYPT_CALL
656
SymCrypt3DesSelftest(void)
657
{
658
    BYTE                        buf[SYMCRYPT_3DES_BLOCK_SIZE];
659
    SYMCRYPT_3DES_EXPANDED_KEY  key;
660

661
    if( SymCrypt3DesExpandKey( &key, SP800_67Key, 24 ) != SYMCRYPT_NO_ERROR )
662
    {
663
        SymCryptFatal( 'des3' );
664
    }
665

666
    SymCrypt3DesEncrypt( &key, des3KnownPlaintext, buf );
667

668
    SymCryptInjectError( buf, SYMCRYPT_3DES_BLOCK_SIZE );
669

670
    if( memcmp( buf, des3KnownCiphertext, SYMCRYPT_3DES_BLOCK_SIZE ) != 0 )
671
    {
672
        SymCryptFatal( 'des4' );
673
    }
674

675
    SymCrypt3DesDecrypt( &key, des3KnownCiphertext, buf );
676

677
    SymCryptInjectError( buf, SYMCRYPT_3DES_BLOCK_SIZE );
678

679
    if( memcmp( buf, des3KnownPlaintext, SYMCRYPT_3DES_BLOCK_SIZE ) != 0 )
680
    {
681
        SymCryptFatal( 'des5' );
682
    }
683
}
684

685

686

687

688

689
#if 0
690
////////////////////////////////////////////
691
// Useful tables, kept for future reference.
692
//
693

694
// Tables defined in the Data Encryption Standard documents
695
// Three of these tables, the initial permutation, the final
696
// permutation and the expansion operator, are regular enough that
697
// for speed, we hard-code them. They're here for reference only.
698
// Also, the S and P boxes are used by a separate program, gensp.c,
699
// to build the combined SP box, Spbox[]. They're also here just
700
// for reference.
701
//
702
// initial permutation IP
703
static unsigned BYTE ip[] = {
704
    58, 50, 42, 34, 26, 18, 10,  2,
705
    60, 52, 44, 36, 28, 20, 12,  4,
706
    62, 54, 46, 38, 30, 22, 14,  6,
707
    64, 56, 48, 40, 32, 24, 16,  8,
708
    57, 49, 41, 33, 25, 17,  9,  1,
709
    59, 51, 43, 35, 27, 19, 11,  3,
710
    61, 53, 45, 37, 29, 21, 13,  5,
711
    63, 55, 47, 39, 31, 23, 15,  7
712
};
713

714
// final permutation IP^-1
715
static unsigned BYTE fp[] = {
716
    40,  8, 48, 16, 56, 24, 64, 32,
717
    39,  7, 47, 15, 55, 23, 63, 31,
718
    38,  6, 46, 14, 54, 22, 62, 30,
719
    37,  5, 45, 13, 53, 21, 61, 29,
720
    36,  4, 44, 12, 52, 20, 60, 28,
721
    35,  3, 43, 11, 51, 19, 59, 27,
722
    34,  2, 42, 10, 50, 18, 58, 26,
723
    33,  1, 41,  9, 49, 17, 57, 25
724
};
725

726
// expansion operation matrix
727
static unsigned BYTE ei[] = {
728
    32,  1,  2,  3,  4,  5,
729
     4,  5,  6,  7,  8,  9,
730
     8,  9, 10, 11, 12, 13,
731
    12, 13, 14, 15, 16, 17,
732
    16, 17, 18, 19, 20, 21,
733
    20, 21, 22, 23, 24, 25,
734
    24, 25, 26, 27, 28, 29,
735
    28, 29, 30, 31, 32,  1
736
};
737

738
// The (in)famous S-boxes
739
static unsigned BYTE sbox[8][64] = {
740
    // S1
741
    14,  4, 13,  1,  2, 15, 11,  8,  3, 10,  6, 12,  5,  9,  0,  7,
742
     0, 15,  7,  4, 14,  2, 13,  1, 10,  6, 12, 11,  9,  5,  3,  8,
743
     4,  1, 14,  8, 13,  6,  2, 11, 15, 12,  9,  7,  3, 10,  5,  0,
744
    15, 12,  8,  2,  4,  9,  1,  7,  5, 11,  3, 14, 10,  0,  6, 13,
745

746
    // S2
747
    15,  1,  8, 14,  6, 11,  3,  4,  9,  7,  2, 13, 12,  0,  5, 10,
748
     3, 13,  4,  7, 15,  2,  8, 14, 12,  0,  1, 10,  6,  9, 11,  5,
749
     0, 14,  7, 11, 10,  4, 13,  1,  5,  8, 12,  6,  9,  3,  2, 15,
750
    13,  8, 10,  1,  3, 15,  4,  2, 11,  6,  7, 12,  0,  5, 14,  9,
751

752
    // S3
753
    10,  0,  9, 14,  6,  3, 15,  5,  1, 13, 12,  7, 11,  4,  2,  8,
754
    13,  7,  0,  9,  3,  4,  6, 10,  2,  8,  5, 14, 12, 11, 15,  1,
755
    13,  6,  4,  9,  8, 15,  3,  0, 11,  1,  2, 12,  5, 10, 14,  7,
756
     1, 10, 13,  0,  6,  9,  8,  7,  4, 15, 14,  3, 11,  5,  2, 12,
757

758
    // S4
759
     7, 13, 14,  3,  0,  6,  9, 10,  1,  2,  8,  5, 11, 12,  4, 15,
760
    13,  8, 11,  5,  6, 15,  0,  3,  4,  7,  2, 12,  1, 10, 14,  9,
761
    10,  6,  9,  0, 12, 11,  7, 13, 15,  1,  3, 14,  5,  2,  8,  4,
762
     3, 15,  0,  6, 10,  1, 13,  8,  9,  4,  5, 11, 12,  7,  2, 14,
763

764
    // S5
765
     2, 12,  4,  1,  7, 10, 11,  6,  8,  5,  3, 15, 13,  0, 14,  9,
766
    14, 11,  2, 12,  4,  7, 13,  1,  5,  0, 15, 10,  3,  9,  8,  6,
767
     4,  2,  1, 11, 10, 13,  7,  8, 15,  9, 12,  5,  6,  3,  0, 14,
768
    11,  8, 12,  7,  1, 14,  2, 13,  6, 15,  0,  9, 10,  4,  5,  3,
769

770
    // S6
771
    12,  1, 10, 15,  9,  2,  6,  8,  0, 13,  3,  4, 14,  7,  5, 11,
772
    10, 15,  4,  2,  7, 12,  9,  5,  6,  1, 13, 14,  0, 11,  3,  8,
773
     9, 14, 15,  5,  2,  8, 12,  3,  7,  0,  4, 10,  1, 13, 11,  6,
774
     4,  3,  2, 12,  9,  5, 15, 10, 11, 14,  1,  7,  6,  0,  8, 13,
775

776
    // S7
777
     4, 11,  2, 14, 15,  0,  8, 13,  3, 12,  9,  7,  5, 10,  6,  1,
778
    13,  0, 11,  7,  4,  9,  1, 10, 14,  3,  5, 12,  2, 15,  8,  6,
779
     1,  4, 11, 13, 12,  3,  7, 14, 10, 15,  6,  8,  0,  5,  9,  2,
780
     6, 11, 13,  8,  1,  4, 10,  7,  9,  5,  0, 15, 14,  2,  3, 12,
781

782
    // S8
783
    13,  2,  8,  4,  6, 15, 11,  1, 10,  9,  3, 14,  5,  0, 12,  7,
784
     1, 15, 13,  8, 10,  3,  7,  4, 12,  5,  6, 11,  0, 14,  9,  2,
785
     7, 11,  4,  1,  9, 12, 14,  2,  0,  6, 10, 13, 15,  3,  5,  8,
786
     2,  1, 14,  7,  4, 10,  8, 13, 15, 12,  9,  0,  3,  5,  6, 11
787
};
788

789
// 32-bit permutation function P used on the output of the S-boxes
790
static unsigned BYTE p32i[] = {
791
    16,  7, 20, 21,
792
    29, 12, 28, 17,
793
     1, 15, 23, 26,
794
     5, 18, 31, 10,
795
     2,  8, 24, 14,
796
    32, 27,  3,  9,
797
    19, 13, 30,  6,
798
    22, 11,  4, 25
799
};
800

801
// permuted choice table (key)
802
static unsigned BYTE pc1[] = {
803
    57, 49, 41, 33, 25, 17,  9,
804
     1, 58, 50, 42, 34, 26, 18,
805
    10,  2, 59, 51, 43, 35, 27,
806
    19, 11,  3, 60, 52, 44, 36,
807

808
    63, 55, 47, 39, 31, 23, 15,
809
     7, 62, 54, 46, 38, 30, 22,
810
    14,  6, 61, 53, 45, 37, 29,
811
    21, 13,  5, 28, 20, 12,  4
812
};
813

814
// number left rotations of pc1
815
static unsigned BYTE totrot[] = {
816
    1,2,4,6,8,10,12,14,15,17,19,21,23,25,27,28
817
};
818

819
// permuted choice key (table)
820
static unsigned BYTE pc2[] = {
821
    14, 17, 11, 24,  1,  5,
822
     3, 28, 15,  6, 21, 10,
823
    23, 19, 12,  4, 26,  8,
824
    16,  7, 27, 20, 13,  2,
825
    41, 52, 31, 37, 47, 55,
826
    30, 40, 51, 45, 33, 48,
827
    44, 49, 39, 56, 34, 53,
828
    46, 42, 50, 36, 29, 32
829
};
830

831
#endif
832

833
Product

Resources

Company
