2 * FIPS-46-3 compliant Triple-DES implementation
4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: Apache-2.0
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
11 * http://www.apache.org/licenses/LICENSE-2.0
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
19 * This file is part of mbed TLS (https://tls.mbed.org)
22 * DES, on which TDES is based, was originally designed by Horst Feistel
23 * at IBM in 1974, and was adopted as a standard by NIST (formerly NBS).
25 * http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf
28 #if !defined(MBEDTLS_CONFIG_FILE)
29 #include "mbedtls/config.h"
31 #include MBEDTLS_CONFIG_FILE
34 #if defined(MBEDTLS_DES_C)
36 #include "mbedtls/des.h"
37 #include "mbedtls/platform_util.h"
41 #if defined(MBEDTLS_SELF_TEST)
42 #if defined(MBEDTLS_PLATFORM_C)
43 #include "mbedtls/platform.h"
46 #define mbedtls_printf printf
47 #endif /* MBEDTLS_PLATFORM_C */
48 #endif /* MBEDTLS_SELF_TEST */
50 #if !defined(MBEDTLS_DES_ALT)
53 * 32-bit integer manipulation macros (big endian)
56 #define GET_UINT32_BE(n,b,i) \
58 (n) = ( (uint32_t) (b)[(i) ] << 24 ) \
59 | ( (uint32_t) (b)[(i) + 1] << 16 ) \
60 | ( (uint32_t) (b)[(i) + 2] << 8 ) \
61 | ( (uint32_t) (b)[(i) + 3] ); \
66 #define PUT_UINT32_BE(n,b,i) \
68 (b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
69 (b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
70 (b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
71 (b)[(i) + 3] = (unsigned char) ( (n) ); \
76 * Expanded DES S-boxes
78 static const uint32_t SB1[64] =
80 0x01010400, 0x00000000, 0x00010000, 0x01010404,
81 0x01010004, 0x00010404, 0x00000004, 0x00010000,
82 0x00000400, 0x01010400, 0x01010404, 0x00000400,
83 0x01000404, 0x01010004, 0x01000000, 0x00000004,
84 0x00000404, 0x01000400, 0x01000400, 0x00010400,
85 0x00010400, 0x01010000, 0x01010000, 0x01000404,
86 0x00010004, 0x01000004, 0x01000004, 0x00010004,
87 0x00000000, 0x00000404, 0x00010404, 0x01000000,
88 0x00010000, 0x01010404, 0x00000004, 0x01010000,
89 0x01010400, 0x01000000, 0x01000000, 0x00000400,
90 0x01010004, 0x00010000, 0x00010400, 0x01000004,
91 0x00000400, 0x00000004, 0x01000404, 0x00010404,
92 0x01010404, 0x00010004, 0x01010000, 0x01000404,
93 0x01000004, 0x00000404, 0x00010404, 0x01010400,
94 0x00000404, 0x01000400, 0x01000400, 0x00000000,
95 0x00010004, 0x00010400, 0x00000000, 0x01010004
98 static const uint32_t SB2[64] =
100 0x80108020, 0x80008000, 0x00008000, 0x00108020,
101 0x00100000, 0x00000020, 0x80100020, 0x80008020,
102 0x80000020, 0x80108020, 0x80108000, 0x80000000,
103 0x80008000, 0x00100000, 0x00000020, 0x80100020,
104 0x00108000, 0x00100020, 0x80008020, 0x00000000,
105 0x80000000, 0x00008000, 0x00108020, 0x80100000,
106 0x00100020, 0x80000020, 0x00000000, 0x00108000,
107 0x00008020, 0x80108000, 0x80100000, 0x00008020,
108 0x00000000, 0x00108020, 0x80100020, 0x00100000,
109 0x80008020, 0x80100000, 0x80108000, 0x00008000,
110 0x80100000, 0x80008000, 0x00000020, 0x80108020,
111 0x00108020, 0x00000020, 0x00008000, 0x80000000,
112 0x00008020, 0x80108000, 0x00100000, 0x80000020,
113 0x00100020, 0x80008020, 0x80000020, 0x00100020,
114 0x00108000, 0x00000000, 0x80008000, 0x00008020,
115 0x80000000, 0x80100020, 0x80108020, 0x00108000
118 static const uint32_t SB3[64] =
120 0x00000208, 0x08020200, 0x00000000, 0x08020008,
121 0x08000200, 0x00000000, 0x00020208, 0x08000200,
122 0x00020008, 0x08000008, 0x08000008, 0x00020000,
123 0x08020208, 0x00020008, 0x08020000, 0x00000208,
124 0x08000000, 0x00000008, 0x08020200, 0x00000200,
125 0x00020200, 0x08020000, 0x08020008, 0x00020208,
126 0x08000208, 0x00020200, 0x00020000, 0x08000208,
127 0x00000008, 0x08020208, 0x00000200, 0x08000000,
128 0x08020200, 0x08000000, 0x00020008, 0x00000208,
129 0x00020000, 0x08020200, 0x08000200, 0x00000000,
130 0x00000200, 0x00020008, 0x08020208, 0x08000200,
131 0x08000008, 0x00000200, 0x00000000, 0x08020008,
132 0x08000208, 0x00020000, 0x08000000, 0x08020208,
133 0x00000008, 0x00020208, 0x00020200, 0x08000008,
134 0x08020000, 0x08000208, 0x00000208, 0x08020000,
135 0x00020208, 0x00000008, 0x08020008, 0x00020200
138 static const uint32_t SB4[64] =
140 0x00802001, 0x00002081, 0x00002081, 0x00000080,
141 0x00802080, 0x00800081, 0x00800001, 0x00002001,
142 0x00000000, 0x00802000, 0x00802000, 0x00802081,
143 0x00000081, 0x00000000, 0x00800080, 0x00800001,
144 0x00000001, 0x00002000, 0x00800000, 0x00802001,
145 0x00000080, 0x00800000, 0x00002001, 0x00002080,
146 0x00800081, 0x00000001, 0x00002080, 0x00800080,
147 0x00002000, 0x00802080, 0x00802081, 0x00000081,
148 0x00800080, 0x00800001, 0x00802000, 0x00802081,
149 0x00000081, 0x00000000, 0x00000000, 0x00802000,
150 0x00002080, 0x00800080, 0x00800081, 0x00000001,
151 0x00802001, 0x00002081, 0x00002081, 0x00000080,
152 0x00802081, 0x00000081, 0x00000001, 0x00002000,
153 0x00800001, 0x00002001, 0x00802080, 0x00800081,
154 0x00002001, 0x00002080, 0x00800000, 0x00802001,
155 0x00000080, 0x00800000, 0x00002000, 0x00802080
158 static const uint32_t SB5[64] =
160 0x00000100, 0x02080100, 0x02080000, 0x42000100,
161 0x00080000, 0x00000100, 0x40000000, 0x02080000,
162 0x40080100, 0x00080000, 0x02000100, 0x40080100,
163 0x42000100, 0x42080000, 0x00080100, 0x40000000,
164 0x02000000, 0x40080000, 0x40080000, 0x00000000,
165 0x40000100, 0x42080100, 0x42080100, 0x02000100,
166 0x42080000, 0x40000100, 0x00000000, 0x42000000,
167 0x02080100, 0x02000000, 0x42000000, 0x00080100,
168 0x00080000, 0x42000100, 0x00000100, 0x02000000,
169 0x40000000, 0x02080000, 0x42000100, 0x40080100,
170 0x02000100, 0x40000000, 0x42080000, 0x02080100,
171 0x40080100, 0x00000100, 0x02000000, 0x42080000,
172 0x42080100, 0x00080100, 0x42000000, 0x42080100,
173 0x02080000, 0x00000000, 0x40080000, 0x42000000,
174 0x00080100, 0x02000100, 0x40000100, 0x00080000,
175 0x00000000, 0x40080000, 0x02080100, 0x40000100
178 static const uint32_t SB6[64] =
180 0x20000010, 0x20400000, 0x00004000, 0x20404010,
181 0x20400000, 0x00000010, 0x20404010, 0x00400000,
182 0x20004000, 0x00404010, 0x00400000, 0x20000010,
183 0x00400010, 0x20004000, 0x20000000, 0x00004010,
184 0x00000000, 0x00400010, 0x20004010, 0x00004000,
185 0x00404000, 0x20004010, 0x00000010, 0x20400010,
186 0x20400010, 0x00000000, 0x00404010, 0x20404000,
187 0x00004010, 0x00404000, 0x20404000, 0x20000000,
188 0x20004000, 0x00000010, 0x20400010, 0x00404000,
189 0x20404010, 0x00400000, 0x00004010, 0x20000010,
190 0x00400000, 0x20004000, 0x20000000, 0x00004010,
191 0x20000010, 0x20404010, 0x00404000, 0x20400000,
192 0x00404010, 0x20404000, 0x00000000, 0x20400010,
193 0x00000010, 0x00004000, 0x20400000, 0x00404010,
194 0x00004000, 0x00400010, 0x20004010, 0x00000000,
195 0x20404000, 0x20000000, 0x00400010, 0x20004010
198 static const uint32_t SB7[64] =
200 0x00200000, 0x04200002, 0x04000802, 0x00000000,
201 0x00000800, 0x04000802, 0x00200802, 0x04200800,
202 0x04200802, 0x00200000, 0x00000000, 0x04000002,
203 0x00000002, 0x04000000, 0x04200002, 0x00000802,
204 0x04000800, 0x00200802, 0x00200002, 0x04000800,
205 0x04000002, 0x04200000, 0x04200800, 0x00200002,
206 0x04200000, 0x00000800, 0x00000802, 0x04200802,
207 0x00200800, 0x00000002, 0x04000000, 0x00200800,
208 0x04000000, 0x00200800, 0x00200000, 0x04000802,
209 0x04000802, 0x04200002, 0x04200002, 0x00000002,
210 0x00200002, 0x04000000, 0x04000800, 0x00200000,
211 0x04200800, 0x00000802, 0x00200802, 0x04200800,
212 0x00000802, 0x04000002, 0x04200802, 0x04200000,
213 0x00200800, 0x00000000, 0x00000002, 0x04200802,
214 0x00000000, 0x00200802, 0x04200000, 0x00000800,
215 0x04000002, 0x04000800, 0x00000800, 0x00200002
218 static const uint32_t SB8[64] =
220 0x10001040, 0x00001000, 0x00040000, 0x10041040,
221 0x10000000, 0x10001040, 0x00000040, 0x10000000,
222 0x00040040, 0x10040000, 0x10041040, 0x00041000,
223 0x10041000, 0x00041040, 0x00001000, 0x00000040,
224 0x10040000, 0x10000040, 0x10001000, 0x00001040,
225 0x00041000, 0x00040040, 0x10040040, 0x10041000,
226 0x00001040, 0x00000000, 0x00000000, 0x10040040,
227 0x10000040, 0x10001000, 0x00041040, 0x00040000,
228 0x00041040, 0x00040000, 0x10041000, 0x00001000,
229 0x00000040, 0x10040040, 0x00001000, 0x00041040,
230 0x10001000, 0x00000040, 0x10000040, 0x10040000,
231 0x10040040, 0x10000000, 0x00040000, 0x10001040,
232 0x00000000, 0x10041040, 0x00040040, 0x10000040,
233 0x10040000, 0x10001000, 0x10001040, 0x00000000,
234 0x10041040, 0x00041000, 0x00041000, 0x00001040,
235 0x00001040, 0x00040040, 0x10000000, 0x10041000
239 * PC1: left and right halves bit-swap
241 static const uint32_t LHs[16] =
243 0x00000000, 0x00000001, 0x00000100, 0x00000101,
244 0x00010000, 0x00010001, 0x00010100, 0x00010101,
245 0x01000000, 0x01000001, 0x01000100, 0x01000101,
246 0x01010000, 0x01010001, 0x01010100, 0x01010101
249 static const uint32_t RHs[16] =
251 0x00000000, 0x01000000, 0x00010000, 0x01010000,
252 0x00000100, 0x01000100, 0x00010100, 0x01010100,
253 0x00000001, 0x01000001, 0x00010001, 0x01010001,
254 0x00000101, 0x01000101, 0x00010101, 0x01010101,
258 * Initial Permutation macro
260 #define DES_IP(X,Y) \
263 T = (((X) >> 4) ^ (Y)) & 0x0F0F0F0F; (Y) ^= T; (X) ^= (T << 4); \
264 T = (((X) >> 16) ^ (Y)) & 0x0000FFFF; (Y) ^= T; (X) ^= (T << 16); \
265 T = (((Y) >> 2) ^ (X)) & 0x33333333; (X) ^= T; (Y) ^= (T << 2); \
266 T = (((Y) >> 8) ^ (X)) & 0x00FF00FF; (X) ^= T; (Y) ^= (T << 8); \
267 (Y) = (((Y) << 1) | ((Y) >> 31)) & 0xFFFFFFFF; \
268 T = ((X) ^ (Y)) & 0xAAAAAAAA; (Y) ^= T; (X) ^= T; \
269 (X) = (((X) << 1) | ((X) >> 31)) & 0xFFFFFFFF; \
273 * Final Permutation macro
275 #define DES_FP(X,Y) \
278 (X) = (((X) << 31) | ((X) >> 1)) & 0xFFFFFFFF; \
279 T = ((X) ^ (Y)) & 0xAAAAAAAA; (X) ^= T; (Y) ^= T; \
280 (Y) = (((Y) << 31) | ((Y) >> 1)) & 0xFFFFFFFF; \
281 T = (((Y) >> 8) ^ (X)) & 0x00FF00FF; (X) ^= T; (Y) ^= (T << 8); \
282 T = (((Y) >> 2) ^ (X)) & 0x33333333; (X) ^= T; (Y) ^= (T << 2); \
283 T = (((X) >> 16) ^ (Y)) & 0x0000FFFF; (Y) ^= T; (X) ^= (T << 16); \
284 T = (((X) >> 4) ^ (Y)) & 0x0F0F0F0F; (Y) ^= T; (X) ^= (T << 4); \
290 #define DES_ROUND(X,Y) \
294 (Y) ^= SB8[ (T ) & 0x3F ] ^ \
295 SB6[ (T >> 8) & 0x3F ] ^ \
296 SB4[ (T >> 16) & 0x3F ] ^ \
297 SB2[ (T >> 24) & 0x3F ]; \
299 T = *SK++ ^ (((X) << 28) | ((X) >> 4)); \
300 (Y) ^= SB7[ (T ) & 0x3F ] ^ \
301 SB5[ (T >> 8) & 0x3F ] ^ \
302 SB3[ (T >> 16) & 0x3F ] ^ \
303 SB1[ (T >> 24) & 0x3F ]; \
309 uint32_t t = (a); (a) = (b); (b) = t; t = 0; \
312 void mbedtls_des_init( mbedtls_des_context *ctx )
314 memset( ctx, 0, sizeof( mbedtls_des_context ) );
317 void mbedtls_des_free( mbedtls_des_context *ctx )
322 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_des_context ) );
325 void mbedtls_des3_init( mbedtls_des3_context *ctx )
327 memset( ctx, 0, sizeof( mbedtls_des3_context ) );
330 void mbedtls_des3_free( mbedtls_des3_context *ctx )
335 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_des3_context ) );
338 static const unsigned char odd_parity_table[128] = { 1, 2, 4, 7, 8,
339 11, 13, 14, 16, 19, 21, 22, 25, 26, 28, 31, 32, 35, 37, 38, 41, 42, 44,
340 47, 49, 50, 52, 55, 56, 59, 61, 62, 64, 67, 69, 70, 73, 74, 76, 79, 81,
341 82, 84, 87, 88, 91, 93, 94, 97, 98, 100, 103, 104, 107, 109, 110, 112,
342 115, 117, 118, 121, 122, 124, 127, 128, 131, 133, 134, 137, 138, 140,
343 143, 145, 146, 148, 151, 152, 155, 157, 158, 161, 162, 164, 167, 168,
344 171, 173, 174, 176, 179, 181, 182, 185, 186, 188, 191, 193, 194, 196,
345 199, 200, 203, 205, 206, 208, 211, 213, 214, 217, 218, 220, 223, 224,
346 227, 229, 230, 233, 234, 236, 239, 241, 242, 244, 247, 248, 251, 253,
349 void mbedtls_des_key_set_parity( unsigned char key[MBEDTLS_DES_KEY_SIZE] )
353 for( i = 0; i < MBEDTLS_DES_KEY_SIZE; i++ )
354 key[i] = odd_parity_table[key[i] / 2];
358 * Check the given key's parity, returns 1 on failure, 0 on SUCCESS
360 int mbedtls_des_key_check_key_parity( const unsigned char key[MBEDTLS_DES_KEY_SIZE] )
364 for( i = 0; i < MBEDTLS_DES_KEY_SIZE; i++ )
365 if( key[i] != odd_parity_table[key[i] / 2] )
372 * Table of weak and semi-weak keys
374 * Source: http://en.wikipedia.org/wiki/Weak_key
377 * Alternating ones + zeros (0x0101010101010101)
378 * Alternating 'F' + 'E' (0xFEFEFEFEFEFEFEFE)
379 * '0xE0E0E0E0F1F1F1F1'
380 * '0x1F1F1F1F0E0E0E0E'
383 * 0x011F011F010E010E and 0x1F011F010E010E01
384 * 0x01E001E001F101F1 and 0xE001E001F101F101
385 * 0x01FE01FE01FE01FE and 0xFE01FE01FE01FE01
386 * 0x1FE01FE00EF10EF1 and 0xE01FE01FF10EF10E
387 * 0x1FFE1FFE0EFE0EFE and 0xFE1FFE1FFE0EFE0E
388 * 0xE0FEE0FEF1FEF1FE and 0xFEE0FEE0FEF1FEF1
392 #define WEAK_KEY_COUNT 16
394 static const unsigned char weak_key_table[WEAK_KEY_COUNT][MBEDTLS_DES_KEY_SIZE] =
396 { 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 },
397 { 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE },
398 { 0x1F, 0x1F, 0x1F, 0x1F, 0x0E, 0x0E, 0x0E, 0x0E },
399 { 0xE0, 0xE0, 0xE0, 0xE0, 0xF1, 0xF1, 0xF1, 0xF1 },
401 { 0x01, 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E },
402 { 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E, 0x01 },
403 { 0x01, 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1 },
404 { 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1, 0x01 },
405 { 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE },
406 { 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01 },
407 { 0x1F, 0xE0, 0x1F, 0xE0, 0x0E, 0xF1, 0x0E, 0xF1 },
408 { 0xE0, 0x1F, 0xE0, 0x1F, 0xF1, 0x0E, 0xF1, 0x0E },
409 { 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E, 0xFE },
410 { 0xFE, 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E },
411 { 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1, 0xFE },
412 { 0xFE, 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1 }
415 int mbedtls_des_key_check_weak( const unsigned char key[MBEDTLS_DES_KEY_SIZE] )
419 for( i = 0; i < WEAK_KEY_COUNT; i++ )
420 if( memcmp( weak_key_table[i], key, MBEDTLS_DES_KEY_SIZE) == 0 )
426 #if !defined(MBEDTLS_DES_SETKEY_ALT)
427 void mbedtls_des_setkey( uint32_t SK[32], const unsigned char key[MBEDTLS_DES_KEY_SIZE] )
432 GET_UINT32_BE( X, key, 0 );
433 GET_UINT32_BE( Y, key, 4 );
438 T = ((Y >> 4) ^ X) & 0x0F0F0F0F; X ^= T; Y ^= (T << 4);
439 T = ((Y ) ^ X) & 0x10101010; X ^= T; Y ^= (T );
441 X = (LHs[ (X ) & 0xF] << 3) | (LHs[ (X >> 8) & 0xF ] << 2)
442 | (LHs[ (X >> 16) & 0xF] << 1) | (LHs[ (X >> 24) & 0xF ] )
443 | (LHs[ (X >> 5) & 0xF] << 7) | (LHs[ (X >> 13) & 0xF ] << 6)
444 | (LHs[ (X >> 21) & 0xF] << 5) | (LHs[ (X >> 29) & 0xF ] << 4);
446 Y = (RHs[ (Y >> 1) & 0xF] << 3) | (RHs[ (Y >> 9) & 0xF ] << 2)
447 | (RHs[ (Y >> 17) & 0xF] << 1) | (RHs[ (Y >> 25) & 0xF ] )
448 | (RHs[ (Y >> 4) & 0xF] << 7) | (RHs[ (Y >> 12) & 0xF ] << 6)
449 | (RHs[ (Y >> 20) & 0xF] << 5) | (RHs[ (Y >> 28) & 0xF ] << 4);
457 for( i = 0; i < 16; i++ )
459 if( i < 2 || i == 8 || i == 15 )
461 X = ((X << 1) | (X >> 27)) & 0x0FFFFFFF;
462 Y = ((Y << 1) | (Y >> 27)) & 0x0FFFFFFF;
466 X = ((X << 2) | (X >> 26)) & 0x0FFFFFFF;
467 Y = ((Y << 2) | (Y >> 26)) & 0x0FFFFFFF;
470 *SK++ = ((X << 4) & 0x24000000) | ((X << 28) & 0x10000000)
471 | ((X << 14) & 0x08000000) | ((X << 18) & 0x02080000)
472 | ((X << 6) & 0x01000000) | ((X << 9) & 0x00200000)
473 | ((X >> 1) & 0x00100000) | ((X << 10) & 0x00040000)
474 | ((X << 2) & 0x00020000) | ((X >> 10) & 0x00010000)
475 | ((Y >> 13) & 0x00002000) | ((Y >> 4) & 0x00001000)
476 | ((Y << 6) & 0x00000800) | ((Y >> 1) & 0x00000400)
477 | ((Y >> 14) & 0x00000200) | ((Y ) & 0x00000100)
478 | ((Y >> 5) & 0x00000020) | ((Y >> 10) & 0x00000010)
479 | ((Y >> 3) & 0x00000008) | ((Y >> 18) & 0x00000004)
480 | ((Y >> 26) & 0x00000002) | ((Y >> 24) & 0x00000001);
482 *SK++ = ((X << 15) & 0x20000000) | ((X << 17) & 0x10000000)
483 | ((X << 10) & 0x08000000) | ((X << 22) & 0x04000000)
484 | ((X >> 2) & 0x02000000) | ((X << 1) & 0x01000000)
485 | ((X << 16) & 0x00200000) | ((X << 11) & 0x00100000)
486 | ((X << 3) & 0x00080000) | ((X >> 6) & 0x00040000)
487 | ((X << 15) & 0x00020000) | ((X >> 4) & 0x00010000)
488 | ((Y >> 2) & 0x00002000) | ((Y << 8) & 0x00001000)
489 | ((Y >> 14) & 0x00000808) | ((Y >> 9) & 0x00000400)
490 | ((Y ) & 0x00000200) | ((Y << 7) & 0x00000100)
491 | ((Y >> 7) & 0x00000020) | ((Y >> 3) & 0x00000011)
492 | ((Y << 2) & 0x00000004) | ((Y >> 21) & 0x00000002);
495 #endif /* !MBEDTLS_DES_SETKEY_ALT */
498 * DES key schedule (56-bit, encryption)
500 int mbedtls_des_setkey_enc( mbedtls_des_context *ctx, const unsigned char key[MBEDTLS_DES_KEY_SIZE] )
502 mbedtls_des_setkey( ctx->sk, key );
508 * DES key schedule (56-bit, decryption)
510 int mbedtls_des_setkey_dec( mbedtls_des_context *ctx, const unsigned char key[MBEDTLS_DES_KEY_SIZE] )
514 mbedtls_des_setkey( ctx->sk, key );
516 for( i = 0; i < 16; i += 2 )
518 SWAP( ctx->sk[i ], ctx->sk[30 - i] );
519 SWAP( ctx->sk[i + 1], ctx->sk[31 - i] );
525 static void des3_set2key( uint32_t esk[96],
527 const unsigned char key[MBEDTLS_DES_KEY_SIZE*2] )
531 mbedtls_des_setkey( esk, key );
532 mbedtls_des_setkey( dsk + 32, key + 8 );
534 for( i = 0; i < 32; i += 2 )
536 dsk[i ] = esk[30 - i];
537 dsk[i + 1] = esk[31 - i];
539 esk[i + 32] = dsk[62 - i];
540 esk[i + 33] = dsk[63 - i];
542 esk[i + 64] = esk[i ];
543 esk[i + 65] = esk[i + 1];
545 dsk[i + 64] = dsk[i ];
546 dsk[i + 65] = dsk[i + 1];
551 * Triple-DES key schedule (112-bit, encryption)
553 int mbedtls_des3_set2key_enc( mbedtls_des3_context *ctx,
554 const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2] )
558 des3_set2key( ctx->sk, sk, key );
559 mbedtls_platform_zeroize( sk, sizeof( sk ) );
565 * Triple-DES key schedule (112-bit, decryption)
567 int mbedtls_des3_set2key_dec( mbedtls_des3_context *ctx,
568 const unsigned char key[MBEDTLS_DES_KEY_SIZE * 2] )
572 des3_set2key( sk, ctx->sk, key );
573 mbedtls_platform_zeroize( sk, sizeof( sk ) );
578 static void des3_set3key( uint32_t esk[96],
580 const unsigned char key[24] )
584 mbedtls_des_setkey( esk, key );
585 mbedtls_des_setkey( dsk + 32, key + 8 );
586 mbedtls_des_setkey( esk + 64, key + 16 );
588 for( i = 0; i < 32; i += 2 )
590 dsk[i ] = esk[94 - i];
591 dsk[i + 1] = esk[95 - i];
593 esk[i + 32] = dsk[62 - i];
594 esk[i + 33] = dsk[63 - i];
596 dsk[i + 64] = esk[30 - i];
597 dsk[i + 65] = esk[31 - i];
602 * Triple-DES key schedule (168-bit, encryption)
604 int mbedtls_des3_set3key_enc( mbedtls_des3_context *ctx,
605 const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3] )
609 des3_set3key( ctx->sk, sk, key );
610 mbedtls_platform_zeroize( sk, sizeof( sk ) );
616 * Triple-DES key schedule (168-bit, decryption)
618 int mbedtls_des3_set3key_dec( mbedtls_des3_context *ctx,
619 const unsigned char key[MBEDTLS_DES_KEY_SIZE * 3] )
623 des3_set3key( sk, ctx->sk, key );
624 mbedtls_platform_zeroize( sk, sizeof( sk ) );
630 * DES-ECB block encryption/decryption
632 #if !defined(MBEDTLS_DES_CRYPT_ECB_ALT)
633 int mbedtls_des_crypt_ecb( mbedtls_des_context *ctx,
634 const unsigned char input[8],
635 unsigned char output[8] )
638 uint32_t X, Y, T, *SK;
642 GET_UINT32_BE( X, input, 0 );
643 GET_UINT32_BE( Y, input, 4 );
647 for( i = 0; i < 8; i++ )
655 PUT_UINT32_BE( Y, output, 0 );
656 PUT_UINT32_BE( X, output, 4 );
660 #endif /* !MBEDTLS_DES_CRYPT_ECB_ALT */
662 #if defined(MBEDTLS_CIPHER_MODE_CBC)
664 * DES-CBC buffer encryption/decryption
666 int mbedtls_des_crypt_cbc( mbedtls_des_context *ctx,
670 const unsigned char *input,
671 unsigned char *output )
674 unsigned char temp[8];
677 return( MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH );
679 if( mode == MBEDTLS_DES_ENCRYPT )
683 for( i = 0; i < 8; i++ )
684 output[i] = (unsigned char)( input[i] ^ iv[i] );
686 mbedtls_des_crypt_ecb( ctx, output, output );
687 memcpy( iv, output, 8 );
694 else /* MBEDTLS_DES_DECRYPT */
698 memcpy( temp, input, 8 );
699 mbedtls_des_crypt_ecb( ctx, input, output );
701 for( i = 0; i < 8; i++ )
702 output[i] = (unsigned char)( output[i] ^ iv[i] );
704 memcpy( iv, temp, 8 );
714 #endif /* MBEDTLS_CIPHER_MODE_CBC */
717 * 3DES-ECB block encryption/decryption
719 #if !defined(MBEDTLS_DES3_CRYPT_ECB_ALT)
720 int mbedtls_des3_crypt_ecb( mbedtls_des3_context *ctx,
721 const unsigned char input[8],
722 unsigned char output[8] )
725 uint32_t X, Y, T, *SK;
729 GET_UINT32_BE( X, input, 0 );
730 GET_UINT32_BE( Y, input, 4 );
734 for( i = 0; i < 8; i++ )
740 for( i = 0; i < 8; i++ )
746 for( i = 0; i < 8; i++ )
754 PUT_UINT32_BE( Y, output, 0 );
755 PUT_UINT32_BE( X, output, 4 );
759 #endif /* !MBEDTLS_DES3_CRYPT_ECB_ALT */
761 #if defined(MBEDTLS_CIPHER_MODE_CBC)
763 * 3DES-CBC buffer encryption/decryption
765 int mbedtls_des3_crypt_cbc( mbedtls_des3_context *ctx,
769 const unsigned char *input,
770 unsigned char *output )
773 unsigned char temp[8];
776 return( MBEDTLS_ERR_DES_INVALID_INPUT_LENGTH );
778 if( mode == MBEDTLS_DES_ENCRYPT )
782 for( i = 0; i < 8; i++ )
783 output[i] = (unsigned char)( input[i] ^ iv[i] );
785 mbedtls_des3_crypt_ecb( ctx, output, output );
786 memcpy( iv, output, 8 );
793 else /* MBEDTLS_DES_DECRYPT */
797 memcpy( temp, input, 8 );
798 mbedtls_des3_crypt_ecb( ctx, input, output );
800 for( i = 0; i < 8; i++ )
801 output[i] = (unsigned char)( output[i] ^ iv[i] );
803 memcpy( iv, temp, 8 );
813 #endif /* MBEDTLS_CIPHER_MODE_CBC */
815 #endif /* !MBEDTLS_DES_ALT */
817 #if defined(MBEDTLS_SELF_TEST)
819 * DES and 3DES test vectors from:
821 * http://csrc.nist.gov/groups/STM/cavp/documents/des/tripledes-vectors.zip
823 static const unsigned char des3_test_keys[24] =
825 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF,
826 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01,
827 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01, 0x23
830 static const unsigned char des3_test_buf[8] =
832 0x4E, 0x6F, 0x77, 0x20, 0x69, 0x73, 0x20, 0x74
835 static const unsigned char des3_test_ecb_dec[3][8] =
837 { 0xCD, 0xD6, 0x4F, 0x2F, 0x94, 0x27, 0xC1, 0x5D },
838 { 0x69, 0x96, 0xC8, 0xFA, 0x47, 0xA2, 0xAB, 0xEB },
839 { 0x83, 0x25, 0x39, 0x76, 0x44, 0x09, 0x1A, 0x0A }
842 static const unsigned char des3_test_ecb_enc[3][8] =
844 { 0x6A, 0x2A, 0x19, 0xF4, 0x1E, 0xCA, 0x85, 0x4B },
845 { 0x03, 0xE6, 0x9F, 0x5B, 0xFA, 0x58, 0xEB, 0x42 },
846 { 0xDD, 0x17, 0xE8, 0xB8, 0xB4, 0x37, 0xD2, 0x32 }
849 #if defined(MBEDTLS_CIPHER_MODE_CBC)
850 static const unsigned char des3_test_iv[8] =
852 0x12, 0x34, 0x56, 0x78, 0x90, 0xAB, 0xCD, 0xEF,
855 static const unsigned char des3_test_cbc_dec[3][8] =
857 { 0x12, 0x9F, 0x40, 0xB9, 0xD2, 0x00, 0x56, 0xB3 },
858 { 0x47, 0x0E, 0xFC, 0x9A, 0x6B, 0x8E, 0xE3, 0x93 },
859 { 0xC5, 0xCE, 0xCF, 0x63, 0xEC, 0xEC, 0x51, 0x4C }
862 static const unsigned char des3_test_cbc_enc[3][8] =
864 { 0x54, 0xF1, 0x5A, 0xF6, 0xEB, 0xE3, 0xA4, 0xB4 },
865 { 0x35, 0x76, 0x11, 0x56, 0x5F, 0xA1, 0x8E, 0x4D },
866 { 0xCB, 0x19, 0x1F, 0x85, 0xD1, 0xED, 0x84, 0x39 }
868 #endif /* MBEDTLS_CIPHER_MODE_CBC */
873 int mbedtls_des_self_test( int verbose )
875 int i, j, u, v, ret = 0;
876 mbedtls_des_context ctx;
877 mbedtls_des3_context ctx3;
878 unsigned char buf[8];
879 #if defined(MBEDTLS_CIPHER_MODE_CBC)
880 unsigned char prv[8];
884 mbedtls_des_init( &ctx );
885 mbedtls_des3_init( &ctx3 );
889 for( i = 0; i < 6; i++ )
895 mbedtls_printf( " DES%c-ECB-%3d (%s): ",
896 ( u == 0 ) ? ' ' : '3', 56 + u * 56,
897 ( v == MBEDTLS_DES_DECRYPT ) ? "dec" : "enc" );
899 memcpy( buf, des3_test_buf, 8 );
904 mbedtls_des_setkey_dec( &ctx, des3_test_keys );
908 mbedtls_des_setkey_enc( &ctx, des3_test_keys );
912 mbedtls_des3_set2key_dec( &ctx3, des3_test_keys );
916 mbedtls_des3_set2key_enc( &ctx3, des3_test_keys );
920 mbedtls_des3_set3key_dec( &ctx3, des3_test_keys );
924 mbedtls_des3_set3key_enc( &ctx3, des3_test_keys );
931 for( j = 0; j < 10000; j++ )
934 mbedtls_des_crypt_ecb( &ctx, buf, buf );
936 mbedtls_des3_crypt_ecb( &ctx3, buf, buf );
939 if( ( v == MBEDTLS_DES_DECRYPT &&
940 memcmp( buf, des3_test_ecb_dec[u], 8 ) != 0 ) ||
941 ( v != MBEDTLS_DES_DECRYPT &&
942 memcmp( buf, des3_test_ecb_enc[u], 8 ) != 0 ) )
945 mbedtls_printf( "failed\n" );
952 mbedtls_printf( "passed\n" );
956 mbedtls_printf( "\n" );
958 #if defined(MBEDTLS_CIPHER_MODE_CBC)
962 for( i = 0; i < 6; i++ )
968 mbedtls_printf( " DES%c-CBC-%3d (%s): ",
969 ( u == 0 ) ? ' ' : '3', 56 + u * 56,
970 ( v == MBEDTLS_DES_DECRYPT ) ? "dec" : "enc" );
972 memcpy( iv, des3_test_iv, 8 );
973 memcpy( prv, des3_test_iv, 8 );
974 memcpy( buf, des3_test_buf, 8 );
979 mbedtls_des_setkey_dec( &ctx, des3_test_keys );
983 mbedtls_des_setkey_enc( &ctx, des3_test_keys );
987 mbedtls_des3_set2key_dec( &ctx3, des3_test_keys );
991 mbedtls_des3_set2key_enc( &ctx3, des3_test_keys );
995 mbedtls_des3_set3key_dec( &ctx3, des3_test_keys );
999 mbedtls_des3_set3key_enc( &ctx3, des3_test_keys );
1006 if( v == MBEDTLS_DES_DECRYPT )
1008 for( j = 0; j < 10000; j++ )
1011 mbedtls_des_crypt_cbc( &ctx, v, 8, iv, buf, buf );
1013 mbedtls_des3_crypt_cbc( &ctx3, v, 8, iv, buf, buf );
1018 for( j = 0; j < 10000; j++ )
1020 unsigned char tmp[8];
1023 mbedtls_des_crypt_cbc( &ctx, v, 8, iv, buf, buf );
1025 mbedtls_des3_crypt_cbc( &ctx3, v, 8, iv, buf, buf );
1027 memcpy( tmp, prv, 8 );
1028 memcpy( prv, buf, 8 );
1029 memcpy( buf, tmp, 8 );
1032 memcpy( buf, prv, 8 );
1035 if( ( v == MBEDTLS_DES_DECRYPT &&
1036 memcmp( buf, des3_test_cbc_dec[u], 8 ) != 0 ) ||
1037 ( v != MBEDTLS_DES_DECRYPT &&
1038 memcmp( buf, des3_test_cbc_enc[u], 8 ) != 0 ) )
1041 mbedtls_printf( "failed\n" );
1048 mbedtls_printf( "passed\n" );
1050 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1053 mbedtls_printf( "\n" );
1056 mbedtls_des_free( &ctx );
1057 mbedtls_des3_free( &ctx3 );
1062 #endif /* MBEDTLS_SELF_TEST */
1064 #endif /* MBEDTLS_DES_C */