PolarSSL v1.1.4
des.c
Go to the documentation of this file.
00001 /*
00002  *  FIPS-46-3 compliant Triple-DES implementation
00003  *
00004  *  Copyright (C) 2006-2010, Brainspark B.V.
00005  *
00006  *  This file is part of PolarSSL (http://www.polarssl.org)
00007  *  Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
00008  *
00009  *  All rights reserved.
00010  *
00011  *  This program is free software; you can redistribute it and/or modify
00012  *  it under the terms of the GNU General Public License as published by
00013  *  the Free Software Foundation; either version 2 of the License, or
00014  *  (at your option) any later version.
00015  *
00016  *  This program is distributed in the hope that it will be useful,
00017  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
00018  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
00019  *  GNU General Public License for more details.
00020  *
00021  *  You should have received a copy of the GNU General Public License along
00022  *  with this program; if not, write to the Free Software Foundation, Inc.,
00023  *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
00024  */
00025 /*
00026  *  DES, on which TDES is based, was originally designed by Horst Feistel
00027  *  at IBM in 1974, and was adopted as a standard by NIST (formerly NBS).
00028  *
00029  *  http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf
00030  */
00031 
00032 #include "polarssl/config.h"
00033 
00034 #if defined(POLARSSL_DES_C)
00035 
00036 #include "polarssl/des.h"
00037 
00038 /*
00039  * 32-bit integer manipulation macros (big endian)
00040  */
00041 #ifndef GET_ULONG_BE
00042 #define GET_ULONG_BE(n,b,i)                             \
00043 {                                                       \
00044     (n) = ( (unsigned long) (b)[(i)    ] << 24 )        \
00045         | ( (unsigned long) (b)[(i) + 1] << 16 )        \
00046         | ( (unsigned long) (b)[(i) + 2] <<  8 )        \
00047         | ( (unsigned long) (b)[(i) + 3]       );       \
00048 }
00049 #endif
00050 
00051 #ifndef PUT_ULONG_BE
00052 #define PUT_ULONG_BE(n,b,i)                             \
00053 {                                                       \
00054     (b)[(i)    ] = (unsigned char) ( (n) >> 24 );       \
00055     (b)[(i) + 1] = (unsigned char) ( (n) >> 16 );       \
00056     (b)[(i) + 2] = (unsigned char) ( (n) >>  8 );       \
00057     (b)[(i) + 3] = (unsigned char) ( (n)       );       \
00058 }
00059 #endif
00060 
00061 /*
00062  * Expanded DES S-boxes
00063  */
00064 static const unsigned long SB1[64] =
00065 {
00066     0x01010400, 0x00000000, 0x00010000, 0x01010404,
00067     0x01010004, 0x00010404, 0x00000004, 0x00010000,
00068     0x00000400, 0x01010400, 0x01010404, 0x00000400,
00069     0x01000404, 0x01010004, 0x01000000, 0x00000004,
00070     0x00000404, 0x01000400, 0x01000400, 0x00010400,
00071     0x00010400, 0x01010000, 0x01010000, 0x01000404,
00072     0x00010004, 0x01000004, 0x01000004, 0x00010004,
00073     0x00000000, 0x00000404, 0x00010404, 0x01000000,
00074     0x00010000, 0x01010404, 0x00000004, 0x01010000,
00075     0x01010400, 0x01000000, 0x01000000, 0x00000400,
00076     0x01010004, 0x00010000, 0x00010400, 0x01000004,
00077     0x00000400, 0x00000004, 0x01000404, 0x00010404,
00078     0x01010404, 0x00010004, 0x01010000, 0x01000404,
00079     0x01000004, 0x00000404, 0x00010404, 0x01010400,
00080     0x00000404, 0x01000400, 0x01000400, 0x00000000,
00081     0x00010004, 0x00010400, 0x00000000, 0x01010004
00082 };
00083 
00084 static const unsigned long SB2[64] =
00085 {
00086     0x80108020, 0x80008000, 0x00008000, 0x00108020,
00087     0x00100000, 0x00000020, 0x80100020, 0x80008020,
00088     0x80000020, 0x80108020, 0x80108000, 0x80000000,
00089     0x80008000, 0x00100000, 0x00000020, 0x80100020,
00090     0x00108000, 0x00100020, 0x80008020, 0x00000000,
00091     0x80000000, 0x00008000, 0x00108020, 0x80100000,
00092     0x00100020, 0x80000020, 0x00000000, 0x00108000,
00093     0x00008020, 0x80108000, 0x80100000, 0x00008020,
00094     0x00000000, 0x00108020, 0x80100020, 0x00100000,
00095     0x80008020, 0x80100000, 0x80108000, 0x00008000,
00096     0x80100000, 0x80008000, 0x00000020, 0x80108020,
00097     0x00108020, 0x00000020, 0x00008000, 0x80000000,
00098     0x00008020, 0x80108000, 0x00100000, 0x80000020,
00099     0x00100020, 0x80008020, 0x80000020, 0x00100020,
00100     0x00108000, 0x00000000, 0x80008000, 0x00008020,
00101     0x80000000, 0x80100020, 0x80108020, 0x00108000
00102 };
00103 
00104 static const unsigned long SB3[64] =
00105 {
00106     0x00000208, 0x08020200, 0x00000000, 0x08020008,
00107     0x08000200, 0x00000000, 0x00020208, 0x08000200,
00108     0x00020008, 0x08000008, 0x08000008, 0x00020000,
00109     0x08020208, 0x00020008, 0x08020000, 0x00000208,
00110     0x08000000, 0x00000008, 0x08020200, 0x00000200,
00111     0x00020200, 0x08020000, 0x08020008, 0x00020208,
00112     0x08000208, 0x00020200, 0x00020000, 0x08000208,
00113     0x00000008, 0x08020208, 0x00000200, 0x08000000,
00114     0x08020200, 0x08000000, 0x00020008, 0x00000208,
00115     0x00020000, 0x08020200, 0x08000200, 0x00000000,
00116     0x00000200, 0x00020008, 0x08020208, 0x08000200,
00117     0x08000008, 0x00000200, 0x00000000, 0x08020008,
00118     0x08000208, 0x00020000, 0x08000000, 0x08020208,
00119     0x00000008, 0x00020208, 0x00020200, 0x08000008,
00120     0x08020000, 0x08000208, 0x00000208, 0x08020000,
00121     0x00020208, 0x00000008, 0x08020008, 0x00020200
00122 };
00123 
00124 static const unsigned long SB4[64] =
00125 {
00126     0x00802001, 0x00002081, 0x00002081, 0x00000080,
00127     0x00802080, 0x00800081, 0x00800001, 0x00002001,
00128     0x00000000, 0x00802000, 0x00802000, 0x00802081,
00129     0x00000081, 0x00000000, 0x00800080, 0x00800001,
00130     0x00000001, 0x00002000, 0x00800000, 0x00802001,
00131     0x00000080, 0x00800000, 0x00002001, 0x00002080,
00132     0x00800081, 0x00000001, 0x00002080, 0x00800080,
00133     0x00002000, 0x00802080, 0x00802081, 0x00000081,
00134     0x00800080, 0x00800001, 0x00802000, 0x00802081,
00135     0x00000081, 0x00000000, 0x00000000, 0x00802000,
00136     0x00002080, 0x00800080, 0x00800081, 0x00000001,
00137     0x00802001, 0x00002081, 0x00002081, 0x00000080,
00138     0x00802081, 0x00000081, 0x00000001, 0x00002000,
00139     0x00800001, 0x00002001, 0x00802080, 0x00800081,
00140     0x00002001, 0x00002080, 0x00800000, 0x00802001,
00141     0x00000080, 0x00800000, 0x00002000, 0x00802080
00142 };
00143 
00144 static const unsigned long SB5[64] =
00145 {
00146     0x00000100, 0x02080100, 0x02080000, 0x42000100,
00147     0x00080000, 0x00000100, 0x40000000, 0x02080000,
00148     0x40080100, 0x00080000, 0x02000100, 0x40080100,
00149     0x42000100, 0x42080000, 0x00080100, 0x40000000,
00150     0x02000000, 0x40080000, 0x40080000, 0x00000000,
00151     0x40000100, 0x42080100, 0x42080100, 0x02000100,
00152     0x42080000, 0x40000100, 0x00000000, 0x42000000,
00153     0x02080100, 0x02000000, 0x42000000, 0x00080100,
00154     0x00080000, 0x42000100, 0x00000100, 0x02000000,
00155     0x40000000, 0x02080000, 0x42000100, 0x40080100,
00156     0x02000100, 0x40000000, 0x42080000, 0x02080100,
00157     0x40080100, 0x00000100, 0x02000000, 0x42080000,
00158     0x42080100, 0x00080100, 0x42000000, 0x42080100,
00159     0x02080000, 0x00000000, 0x40080000, 0x42000000,
00160     0x00080100, 0x02000100, 0x40000100, 0x00080000,
00161     0x00000000, 0x40080000, 0x02080100, 0x40000100
00162 };
00163 
00164 static const unsigned long SB6[64] =
00165 {
00166     0x20000010, 0x20400000, 0x00004000, 0x20404010,
00167     0x20400000, 0x00000010, 0x20404010, 0x00400000,
00168     0x20004000, 0x00404010, 0x00400000, 0x20000010,
00169     0x00400010, 0x20004000, 0x20000000, 0x00004010,
00170     0x00000000, 0x00400010, 0x20004010, 0x00004000,
00171     0x00404000, 0x20004010, 0x00000010, 0x20400010,
00172     0x20400010, 0x00000000, 0x00404010, 0x20404000,
00173     0x00004010, 0x00404000, 0x20404000, 0x20000000,
00174     0x20004000, 0x00000010, 0x20400010, 0x00404000,
00175     0x20404010, 0x00400000, 0x00004010, 0x20000010,
00176     0x00400000, 0x20004000, 0x20000000, 0x00004010,
00177     0x20000010, 0x20404010, 0x00404000, 0x20400000,
00178     0x00404010, 0x20404000, 0x00000000, 0x20400010,
00179     0x00000010, 0x00004000, 0x20400000, 0x00404010,
00180     0x00004000, 0x00400010, 0x20004010, 0x00000000,
00181     0x20404000, 0x20000000, 0x00400010, 0x20004010
00182 };
00183 
00184 static const unsigned long SB7[64] =
00185 {
00186     0x00200000, 0x04200002, 0x04000802, 0x00000000,
00187     0x00000800, 0x04000802, 0x00200802, 0x04200800,
00188     0x04200802, 0x00200000, 0x00000000, 0x04000002,
00189     0x00000002, 0x04000000, 0x04200002, 0x00000802,
00190     0x04000800, 0x00200802, 0x00200002, 0x04000800,
00191     0x04000002, 0x04200000, 0x04200800, 0x00200002,
00192     0x04200000, 0x00000800, 0x00000802, 0x04200802,
00193     0x00200800, 0x00000002, 0x04000000, 0x00200800,
00194     0x04000000, 0x00200800, 0x00200000, 0x04000802,
00195     0x04000802, 0x04200002, 0x04200002, 0x00000002,
00196     0x00200002, 0x04000000, 0x04000800, 0x00200000,
00197     0x04200800, 0x00000802, 0x00200802, 0x04200800,
00198     0x00000802, 0x04000002, 0x04200802, 0x04200000,
00199     0x00200800, 0x00000000, 0x00000002, 0x04200802,
00200     0x00000000, 0x00200802, 0x04200000, 0x00000800,
00201     0x04000002, 0x04000800, 0x00000800, 0x00200002
00202 };
00203 
00204 static const unsigned long SB8[64] =
00205 {
00206     0x10001040, 0x00001000, 0x00040000, 0x10041040,
00207     0x10000000, 0x10001040, 0x00000040, 0x10000000,
00208     0x00040040, 0x10040000, 0x10041040, 0x00041000,
00209     0x10041000, 0x00041040, 0x00001000, 0x00000040,
00210     0x10040000, 0x10000040, 0x10001000, 0x00001040,
00211     0x00041000, 0x00040040, 0x10040040, 0x10041000,
00212     0x00001040, 0x00000000, 0x00000000, 0x10040040,
00213     0x10000040, 0x10001000, 0x00041040, 0x00040000,
00214     0x00041040, 0x00040000, 0x10041000, 0x00001000,
00215     0x00000040, 0x10040040, 0x00001000, 0x00041040,
00216     0x10001000, 0x00000040, 0x10000040, 0x10040000,
00217     0x10040040, 0x10000000, 0x00040000, 0x10001040,
00218     0x00000000, 0x10041040, 0x00040040, 0x10000040,
00219     0x10040000, 0x10001000, 0x10001040, 0x00000000,
00220     0x10041040, 0x00041000, 0x00041000, 0x00001040,
00221     0x00001040, 0x00040040, 0x10000000, 0x10041000
00222 };
00223 
00224 /*
00225  * PC1: left and right halves bit-swap
00226  */
00227 static const unsigned long LHs[16] =
00228 {
00229     0x00000000, 0x00000001, 0x00000100, 0x00000101,
00230     0x00010000, 0x00010001, 0x00010100, 0x00010101,
00231     0x01000000, 0x01000001, 0x01000100, 0x01000101,
00232     0x01010000, 0x01010001, 0x01010100, 0x01010101
00233 };
00234 
00235 static const unsigned long RHs[16] =
00236 {
00237     0x00000000, 0x01000000, 0x00010000, 0x01010000,
00238     0x00000100, 0x01000100, 0x00010100, 0x01010100,
00239     0x00000001, 0x01000001, 0x00010001, 0x01010001,
00240     0x00000101, 0x01000101, 0x00010101, 0x01010101,
00241 };
00242 
00243 /*
00244  * Initial Permutation macro
00245  */
00246 #define DES_IP(X,Y)                                             \
00247 {                                                               \
00248     T = ((X >>  4) ^ Y) & 0x0F0F0F0F; Y ^= T; X ^= (T <<  4);   \
00249     T = ((X >> 16) ^ Y) & 0x0000FFFF; Y ^= T; X ^= (T << 16);   \
00250     T = ((Y >>  2) ^ X) & 0x33333333; X ^= T; Y ^= (T <<  2);   \
00251     T = ((Y >>  8) ^ X) & 0x00FF00FF; X ^= T; Y ^= (T <<  8);   \
00252     Y = ((Y << 1) | (Y >> 31)) & 0xFFFFFFFF;                    \
00253     T = (X ^ Y) & 0xAAAAAAAA; Y ^= T; X ^= T;                   \
00254     X = ((X << 1) | (X >> 31)) & 0xFFFFFFFF;                    \
00255 }
00256 
00257 /*
00258  * Final Permutation macro
00259  */
00260 #define DES_FP(X,Y)                                             \
00261 {                                                               \
00262     X = ((X << 31) | (X >> 1)) & 0xFFFFFFFF;                    \
00263     T = (X ^ Y) & 0xAAAAAAAA; X ^= T; Y ^= T;                   \
00264     Y = ((Y << 31) | (Y >> 1)) & 0xFFFFFFFF;                    \
00265     T = ((Y >>  8) ^ X) & 0x00FF00FF; X ^= T; Y ^= (T <<  8);   \
00266     T = ((Y >>  2) ^ X) & 0x33333333; X ^= T; Y ^= (T <<  2);   \
00267     T = ((X >> 16) ^ Y) & 0x0000FFFF; Y ^= T; X ^= (T << 16);   \
00268     T = ((X >>  4) ^ Y) & 0x0F0F0F0F; Y ^= T; X ^= (T <<  4);   \
00269 }
00270 
00271 /*
00272  * DES round macro
00273  */
00274 #define DES_ROUND(X,Y)                          \
00275 {                                               \
00276     T = *SK++ ^ X;                              \
00277     Y ^= SB8[ (T      ) & 0x3F ] ^              \
00278          SB6[ (T >>  8) & 0x3F ] ^              \
00279          SB4[ (T >> 16) & 0x3F ] ^              \
00280          SB2[ (T >> 24) & 0x3F ];               \
00281                                                 \
00282     T = *SK++ ^ ((X << 28) | (X >> 4));         \
00283     Y ^= SB7[ (T      ) & 0x3F ] ^              \
00284          SB5[ (T >>  8) & 0x3F ] ^              \
00285          SB3[ (T >> 16) & 0x3F ] ^              \
00286          SB1[ (T >> 24) & 0x3F ];               \
00287 }
00288 
00289 #define SWAP(a,b) { unsigned long t = a; a = b; b = t; t = 0; }
00290 
00291 static const unsigned char odd_parity_table[128] = { 1,  2,  4,  7,  8,
00292         11, 13, 14, 16, 19, 21, 22, 25, 26, 28, 31, 32, 35, 37, 38, 41, 42, 44,
00293         47, 49, 50, 52, 55, 56, 59, 61, 62, 64, 67, 69, 70, 73, 74, 76, 79, 81,
00294         82, 84, 87, 88, 91, 93, 94, 97, 98, 100, 103, 104, 107, 109, 110, 112,
00295         115, 117, 118, 121, 122, 124, 127, 128, 131, 133, 134, 137, 138, 140,
00296         143, 145, 146, 148, 151, 152, 155, 157, 158, 161, 162, 164, 167, 168,
00297         171, 173, 174, 176, 179, 181, 182, 185, 186, 188, 191, 193, 194, 196,
00298         199, 200, 203, 205, 206, 208, 211, 213, 214, 217, 218, 220, 223, 224,
00299         227, 229, 230, 233, 234, 236, 239, 241, 242, 244, 247, 248, 251, 253,
00300         254 };
00301 
00302 void des_key_set_parity( unsigned char key[DES_KEY_SIZE] )
00303 {
00304     int i;
00305 
00306     for( i = 0; i < DES_KEY_SIZE; i++ )
00307         key[i] = odd_parity_table[key[i] / 2];
00308 }
00309 
00310 /*
00311  * Check the given key's parity, returns 1 on failure, 0 on SUCCESS
00312  */
00313 int des_key_check_key_parity( const unsigned char key[DES_KEY_SIZE] )
00314 {
00315     int i;
00316 
00317     for( i = 0; i < DES_KEY_SIZE; i++ )
00318         if ( key[i] != odd_parity_table[key[i] / 2] )
00319             return( 1 );
00320 
00321     return( 0 );
00322 }
00323 
00324 /*
00325  * Table of weak and semi-weak keys
00326  *
00327  * Source: http://en.wikipedia.org/wiki/Weak_key
00328  *
00329  * Weak:
00330  * Alternating ones + zeros (0x0101010101010101)
00331  * Alternating 'F' + 'E' (0xFEFEFEFEFEFEFEFE)
00332  * '0xE0E0E0E0F1F1F1F1'
00333  * '0x1F1F1F1F0E0E0E0E'
00334  *
00335  * Semi-weak:
00336  * 0x011F011F010E010E and 0x1F011F010E010E01
00337  * 0x01E001E001F101F1 and 0xE001E001F101F101
00338  * 0x01FE01FE01FE01FE and 0xFE01FE01FE01FE01
00339  * 0x1FE01FE00EF10EF1 and 0xE01FE01FF10EF10E
00340  * 0x1FFE1FFE0EFE0EFE and 0xFE1FFE1FFE0EFE0E
00341  * 0xE0FEE0FEF1FEF1FE and 0xFEE0FEE0FEF1FEF1
00342  *
00343  */
00344 
00345 #define WEAK_KEY_COUNT 16
00346 
00347 static const unsigned char weak_key_table[WEAK_KEY_COUNT][DES_KEY_SIZE] =
00348 {
00349     { 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 },
00350     { 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE },
00351     { 0x1F, 0x1F, 0x1F, 0x1F, 0x0E, 0x0E, 0x0E, 0x0E },
00352     { 0xE0, 0xE0, 0xE0, 0xE0, 0xF1, 0xF1, 0xF1, 0xF1 },
00353 
00354     { 0x01, 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E },
00355     { 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E, 0x01 },
00356     { 0x01, 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1 },
00357     { 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1, 0x01 },
00358     { 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE },
00359     { 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01 },
00360     { 0x1F, 0xE0, 0x1F, 0xE0, 0x0E, 0xF1, 0x0E, 0xF1 },
00361     { 0xE0, 0x1F, 0xE0, 0x1F, 0xF1, 0x0E, 0xF1, 0x0E },
00362     { 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E, 0xFE },
00363     { 0xFE, 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E },
00364     { 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1, 0xFE },
00365     { 0xFE, 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1 }
00366 };
00367 
00368 int des_key_check_weak( const unsigned char key[DES_KEY_SIZE] )
00369 {
00370     int i;
00371 
00372     for( i = 0; i < WEAK_KEY_COUNT; i++ )
00373         if( memcmp( weak_key_table[i], key, DES_KEY_SIZE) == 0)
00374             return( 1 );
00375 
00376     return( 0 );
00377 }
00378 
00379 static void des_setkey( unsigned long SK[32], const unsigned char key[DES_KEY_SIZE] )
00380 {
00381     int i;
00382     unsigned long X, Y, T;
00383 
00384     GET_ULONG_BE( X, key, 0 );
00385     GET_ULONG_BE( Y, key, 4 );
00386 
00387     /*
00388      * Permuted Choice 1
00389      */
00390     T =  ((Y >>  4) ^ X) & 0x0F0F0F0F;  X ^= T; Y ^= (T <<  4);
00391     T =  ((Y      ) ^ X) & 0x10101010;  X ^= T; Y ^= (T      );
00392 
00393     X =   (LHs[ (X      ) & 0xF] << 3) | (LHs[ (X >>  8) & 0xF ] << 2)
00394         | (LHs[ (X >> 16) & 0xF] << 1) | (LHs[ (X >> 24) & 0xF ]     )
00395         | (LHs[ (X >>  5) & 0xF] << 7) | (LHs[ (X >> 13) & 0xF ] << 6)
00396         | (LHs[ (X >> 21) & 0xF] << 5) | (LHs[ (X >> 29) & 0xF ] << 4);
00397 
00398     Y =   (RHs[ (Y >>  1) & 0xF] << 3) | (RHs[ (Y >>  9) & 0xF ] << 2)
00399         | (RHs[ (Y >> 17) & 0xF] << 1) | (RHs[ (Y >> 25) & 0xF ]     )
00400         | (RHs[ (Y >>  4) & 0xF] << 7) | (RHs[ (Y >> 12) & 0xF ] << 6)
00401         | (RHs[ (Y >> 20) & 0xF] << 5) | (RHs[ (Y >> 28) & 0xF ] << 4);
00402 
00403     X &= 0x0FFFFFFF;
00404     Y &= 0x0FFFFFFF;
00405 
00406     /*
00407      * calculate subkeys
00408      */
00409     for( i = 0; i < 16; i++ )
00410     {
00411         if( i < 2 || i == 8 || i == 15 )
00412         {
00413             X = ((X <<  1) | (X >> 27)) & 0x0FFFFFFF;
00414             Y = ((Y <<  1) | (Y >> 27)) & 0x0FFFFFFF;
00415         }
00416         else
00417         {
00418             X = ((X <<  2) | (X >> 26)) & 0x0FFFFFFF;
00419             Y = ((Y <<  2) | (Y >> 26)) & 0x0FFFFFFF;
00420         }
00421 
00422         *SK++ =   ((X <<  4) & 0x24000000) | ((X << 28) & 0x10000000)
00423                 | ((X << 14) & 0x08000000) | ((X << 18) & 0x02080000)
00424                 | ((X <<  6) & 0x01000000) | ((X <<  9) & 0x00200000)
00425                 | ((X >>  1) & 0x00100000) | ((X << 10) & 0x00040000)
00426                 | ((X <<  2) & 0x00020000) | ((X >> 10) & 0x00010000)
00427                 | ((Y >> 13) & 0x00002000) | ((Y >>  4) & 0x00001000)
00428                 | ((Y <<  6) & 0x00000800) | ((Y >>  1) & 0x00000400)
00429                 | ((Y >> 14) & 0x00000200) | ((Y      ) & 0x00000100)
00430                 | ((Y >>  5) & 0x00000020) | ((Y >> 10) & 0x00000010)
00431                 | ((Y >>  3) & 0x00000008) | ((Y >> 18) & 0x00000004)
00432                 | ((Y >> 26) & 0x00000002) | ((Y >> 24) & 0x00000001);
00433 
00434         *SK++ =   ((X << 15) & 0x20000000) | ((X << 17) & 0x10000000)
00435                 | ((X << 10) & 0x08000000) | ((X << 22) & 0x04000000)
00436                 | ((X >>  2) & 0x02000000) | ((X <<  1) & 0x01000000)
00437                 | ((X << 16) & 0x00200000) | ((X << 11) & 0x00100000)
00438                 | ((X <<  3) & 0x00080000) | ((X >>  6) & 0x00040000)
00439                 | ((X << 15) & 0x00020000) | ((X >>  4) & 0x00010000)
00440                 | ((Y >>  2) & 0x00002000) | ((Y <<  8) & 0x00001000)
00441                 | ((Y >> 14) & 0x00000808) | ((Y >>  9) & 0x00000400)
00442                 | ((Y      ) & 0x00000200) | ((Y <<  7) & 0x00000100)
00443                 | ((Y >>  7) & 0x00000020) | ((Y >>  3) & 0x00000011)
00444                 | ((Y <<  2) & 0x00000004) | ((Y >> 21) & 0x00000002);
00445     }
00446 }
00447 
00448 /*
00449  * DES key schedule (56-bit, encryption)
00450  */
00451 int des_setkey_enc( des_context *ctx, const unsigned char key[DES_KEY_SIZE] )
00452 {
00453     des_setkey( ctx->sk, key );
00454 
00455     return( 0 );
00456 }
00457 
00458 /*
00459  * DES key schedule (56-bit, decryption)
00460  */
00461 int des_setkey_dec( des_context *ctx, const unsigned char key[DES_KEY_SIZE] )
00462 {
00463     int i;
00464 
00465     des_setkey( ctx->sk, key );
00466 
00467     for( i = 0; i < 16; i += 2 )
00468     {
00469         SWAP( ctx->sk[i    ], ctx->sk[30 - i] );
00470         SWAP( ctx->sk[i + 1], ctx->sk[31 - i] );
00471     }
00472 
00473     return( 0 );
00474 }
00475 
00476 static void des3_set2key( unsigned long esk[96],
00477                           unsigned long dsk[96],
00478                           const unsigned char key[DES_KEY_SIZE*2] )
00479 {
00480     int i;
00481 
00482     des_setkey( esk, key );
00483     des_setkey( dsk + 32, key + 8 );
00484 
00485     for( i = 0; i < 32; i += 2 )
00486     {
00487         dsk[i     ] = esk[30 - i];
00488         dsk[i +  1] = esk[31 - i];
00489 
00490         esk[i + 32] = dsk[62 - i];
00491         esk[i + 33] = dsk[63 - i];
00492 
00493         esk[i + 64] = esk[i    ];
00494         esk[i + 65] = esk[i + 1];
00495 
00496         dsk[i + 64] = dsk[i    ];
00497         dsk[i + 65] = dsk[i + 1];
00498     }
00499 }
00500 
00501 /*
00502  * Triple-DES key schedule (112-bit, encryption)
00503  */
00504 int des3_set2key_enc( des3_context *ctx, const unsigned char key[DES_KEY_SIZE * 2] )
00505 {
00506     unsigned long sk[96];
00507 
00508     des3_set2key( ctx->sk, sk, key );
00509     memset( sk,  0, sizeof( sk ) );
00510 
00511     return( 0 );
00512 }
00513 
00514 /*
00515  * Triple-DES key schedule (112-bit, decryption)
00516  */
00517 int des3_set2key_dec( des3_context *ctx, const unsigned char key[DES_KEY_SIZE * 2] )
00518 {
00519     unsigned long sk[96];
00520 
00521     des3_set2key( sk, ctx->sk, key );
00522     memset( sk,  0, sizeof( sk ) );
00523 
00524     return( 0 );
00525 }
00526 
00527 static void des3_set3key( unsigned long esk[96],
00528                           unsigned long dsk[96],
00529                           const unsigned char key[24] )
00530 {
00531     int i;
00532 
00533     des_setkey( esk, key );
00534     des_setkey( dsk + 32, key +  8 );
00535     des_setkey( esk + 64, key + 16 );
00536 
00537     for( i = 0; i < 32; i += 2 )
00538     {
00539         dsk[i     ] = esk[94 - i];
00540         dsk[i +  1] = esk[95 - i];
00541 
00542         esk[i + 32] = dsk[62 - i];
00543         esk[i + 33] = dsk[63 - i];
00544 
00545         dsk[i + 64] = esk[30 - i];
00546         dsk[i + 65] = esk[31 - i];
00547     }
00548 }
00549 
00550 /*
00551  * Triple-DES key schedule (168-bit, encryption)
00552  */
00553 int des3_set3key_enc( des3_context *ctx, const unsigned char key[DES_KEY_SIZE * 3] )
00554 {
00555     unsigned long sk[96];
00556 
00557     des3_set3key( ctx->sk, sk, key );
00558     memset( sk, 0, sizeof( sk ) );
00559 
00560     return( 0 );
00561 }
00562 
00563 /*
00564  * Triple-DES key schedule (168-bit, decryption)
00565  */
00566 int des3_set3key_dec( des3_context *ctx, const unsigned char key[DES_KEY_SIZE * 3] )
00567 {
00568     unsigned long sk[96];
00569 
00570     des3_set3key( sk, ctx->sk, key );
00571     memset( sk, 0, sizeof( sk ) );
00572 
00573     return( 0 );
00574 }
00575 
00576 /*
00577  * DES-ECB block encryption/decryption
00578  */
00579 int des_crypt_ecb( des_context *ctx,
00580                     const unsigned char input[8],
00581                     unsigned char output[8] )
00582 {
00583     int i;
00584     unsigned long X, Y, T, *SK;
00585 
00586     SK = ctx->sk;
00587 
00588     GET_ULONG_BE( X, input, 0 );
00589     GET_ULONG_BE( Y, input, 4 );
00590 
00591     DES_IP( X, Y );
00592 
00593     for( i = 0; i < 8; i++ )
00594     {
00595         DES_ROUND( Y, X );
00596         DES_ROUND( X, Y );
00597     }
00598 
00599     DES_FP( Y, X );
00600 
00601     PUT_ULONG_BE( Y, output, 0 );
00602     PUT_ULONG_BE( X, output, 4 );
00603 
00604     return( 0 );
00605 }
00606 
00607 /*
00608  * DES-CBC buffer encryption/decryption
00609  */
00610 int des_crypt_cbc( des_context *ctx,
00611                     int mode,
00612                     size_t length,
00613                     unsigned char iv[8],
00614                     const unsigned char *input,
00615                     unsigned char *output )
00616 {
00617     int i;
00618     unsigned char temp[8];
00619 
00620     if( length % 8 )
00621         return( POLARSSL_ERR_DES_INVALID_INPUT_LENGTH );
00622 
00623     if( mode == DES_ENCRYPT )
00624     {
00625         while( length > 0 )
00626         {
00627             for( i = 0; i < 8; i++ )
00628                 output[i] = (unsigned char)( input[i] ^ iv[i] );
00629 
00630             des_crypt_ecb( ctx, output, output );
00631             memcpy( iv, output, 8 );
00632 
00633             input  += 8;
00634             output += 8;
00635             length -= 8;
00636         }
00637     }
00638     else /* DES_DECRYPT */
00639     {
00640         while( length > 0 )
00641         {
00642             memcpy( temp, input, 8 );
00643             des_crypt_ecb( ctx, input, output );
00644 
00645             for( i = 0; i < 8; i++ )
00646                 output[i] = (unsigned char)( output[i] ^ iv[i] );
00647 
00648             memcpy( iv, temp, 8 );
00649 
00650             input  += 8;
00651             output += 8;
00652             length -= 8;
00653         }
00654     }
00655 
00656     return( 0 );
00657 }
00658 
00659 /*
00660  * 3DES-ECB block encryption/decryption
00661  */
00662 int des3_crypt_ecb( des3_context *ctx,
00663                      const unsigned char input[8],
00664                      unsigned char output[8] )
00665 {
00666     int i;
00667     unsigned long X, Y, T, *SK;
00668 
00669     SK = ctx->sk;
00670 
00671     GET_ULONG_BE( X, input, 0 );
00672     GET_ULONG_BE( Y, input, 4 );
00673 
00674     DES_IP( X, Y );
00675 
00676     for( i = 0; i < 8; i++ )
00677     {
00678         DES_ROUND( Y, X );
00679         DES_ROUND( X, Y );
00680     }
00681 
00682     for( i = 0; i < 8; i++ )
00683     {
00684         DES_ROUND( X, Y );
00685         DES_ROUND( Y, X );
00686     }
00687 
00688     for( i = 0; i < 8; i++ )
00689     {
00690         DES_ROUND( Y, X );
00691         DES_ROUND( X, Y );
00692     }
00693 
00694     DES_FP( Y, X );
00695 
00696     PUT_ULONG_BE( Y, output, 0 );
00697     PUT_ULONG_BE( X, output, 4 );
00698 
00699     return( 0 );
00700 }
00701 
00702 /*
00703  * 3DES-CBC buffer encryption/decryption
00704  */
00705 int des3_crypt_cbc( des3_context *ctx,
00706                      int mode,
00707                      size_t length,
00708                      unsigned char iv[8],
00709                      const unsigned char *input,
00710                      unsigned char *output )
00711 {
00712     int i;
00713     unsigned char temp[8];
00714 
00715     if( length % 8 )
00716         return( POLARSSL_ERR_DES_INVALID_INPUT_LENGTH );
00717 
00718     if( mode == DES_ENCRYPT )
00719     {
00720         while( length > 0 )
00721         {
00722             for( i = 0; i < 8; i++ )
00723                 output[i] = (unsigned char)( input[i] ^ iv[i] );
00724 
00725             des3_crypt_ecb( ctx, output, output );
00726             memcpy( iv, output, 8 );
00727 
00728             input  += 8;
00729             output += 8;
00730             length -= 8;
00731         }
00732     }
00733     else /* DES_DECRYPT */
00734     {
00735         while( length > 0 )
00736         {
00737             memcpy( temp, input, 8 );
00738             des3_crypt_ecb( ctx, input, output );
00739 
00740             for( i = 0; i < 8; i++ )
00741                 output[i] = (unsigned char)( output[i] ^ iv[i] );
00742 
00743             memcpy( iv, temp, 8 );
00744 
00745             input  += 8;
00746             output += 8;
00747             length -= 8;
00748         }
00749     }
00750 
00751     return( 0 );
00752 }
00753 
00754 #if defined(POLARSSL_SELF_TEST)
00755 
00756 #include <stdio.h>
00757 
00758 /*
00759  * DES and 3DES test vectors from:
00760  *
00761  * http://csrc.nist.gov/groups/STM/cavp/documents/des/tripledes-vectors.zip
00762  */
00763 static const unsigned char des3_test_keys[24] =
00764 {
00765     0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF,
00766     0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01,
00767     0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01, 0x23
00768 };
00769 
00770 static const unsigned char des3_test_iv[8] =
00771 {
00772     0x12, 0x34, 0x56, 0x78, 0x90, 0xAB, 0xCD, 0xEF,
00773 };
00774 
00775 static const unsigned char des3_test_buf[8] =
00776 {
00777     0x4E, 0x6F, 0x77, 0x20, 0x69, 0x73, 0x20, 0x74
00778 };
00779 
00780 static const unsigned char des3_test_ecb_dec[3][8] =
00781 {
00782     { 0xCD, 0xD6, 0x4F, 0x2F, 0x94, 0x27, 0xC1, 0x5D },
00783     { 0x69, 0x96, 0xC8, 0xFA, 0x47, 0xA2, 0xAB, 0xEB },
00784     { 0x83, 0x25, 0x39, 0x76, 0x44, 0x09, 0x1A, 0x0A }
00785 };
00786 
00787 static const unsigned char des3_test_ecb_enc[3][8] =
00788 {
00789     { 0x6A, 0x2A, 0x19, 0xF4, 0x1E, 0xCA, 0x85, 0x4B },
00790     { 0x03, 0xE6, 0x9F, 0x5B, 0xFA, 0x58, 0xEB, 0x42 },
00791     { 0xDD, 0x17, 0xE8, 0xB8, 0xB4, 0x37, 0xD2, 0x32 }
00792 };
00793 
00794 static const unsigned char des3_test_cbc_dec[3][8] =
00795 {
00796     { 0x12, 0x9F, 0x40, 0xB9, 0xD2, 0x00, 0x56, 0xB3 },
00797     { 0x47, 0x0E, 0xFC, 0x9A, 0x6B, 0x8E, 0xE3, 0x93 },
00798     { 0xC5, 0xCE, 0xCF, 0x63, 0xEC, 0xEC, 0x51, 0x4C }
00799 };
00800 
00801 static const unsigned char des3_test_cbc_enc[3][8] =
00802 {
00803     { 0x54, 0xF1, 0x5A, 0xF6, 0xEB, 0xE3, 0xA4, 0xB4 },
00804     { 0x35, 0x76, 0x11, 0x56, 0x5F, 0xA1, 0x8E, 0x4D },
00805     { 0xCB, 0x19, 0x1F, 0x85, 0xD1, 0xED, 0x84, 0x39 }
00806 };
00807 
00808 /*
00809  * Checkup routine
00810  */
00811 int des_self_test( int verbose )
00812 {
00813     int i, j, u, v;
00814     des_context ctx;
00815     des3_context ctx3;
00816     unsigned char key[24];
00817     unsigned char buf[8];
00818     unsigned char prv[8];
00819     unsigned char iv[8];
00820 
00821     memset( key, 0, 24 );
00822 
00823     /*
00824      * ECB mode
00825      */
00826     for( i = 0; i < 6; i++ )
00827     {
00828         u = i >> 1;
00829         v = i  & 1;
00830 
00831         if( verbose != 0 )
00832             printf( "  DES%c-ECB-%3d (%s): ",
00833                     ( u == 0 ) ? ' ' : '3', 56 + u * 56,
00834                     ( v == DES_DECRYPT ) ? "dec" : "enc" );
00835 
00836         memcpy( buf, des3_test_buf, 8 );
00837 
00838         switch( i )
00839         {
00840         case 0:
00841             des_setkey_dec( &ctx, (unsigned char *) des3_test_keys );
00842             break;
00843 
00844         case 1:
00845             des_setkey_enc( &ctx, (unsigned char *) des3_test_keys );
00846             break;
00847 
00848         case 2:
00849             des3_set2key_dec( &ctx3, (unsigned char *) des3_test_keys );
00850             break;
00851 
00852         case 3:
00853             des3_set2key_enc( &ctx3, (unsigned char *) des3_test_keys );
00854             break;
00855 
00856         case 4:
00857             des3_set3key_dec( &ctx3, (unsigned char *) des3_test_keys );
00858             break;
00859 
00860         case 5:
00861             des3_set3key_enc( &ctx3, (unsigned char *) des3_test_keys );
00862             break;
00863 
00864         default:
00865             return( 1 );
00866         }
00867 
00868         for( j = 0; j < 10000; j++ )
00869         {
00870             if( u == 0 )
00871                 des_crypt_ecb( &ctx, buf, buf );
00872             else
00873                 des3_crypt_ecb( &ctx3, buf, buf );
00874         }
00875 
00876         if( ( v == DES_DECRYPT &&
00877                 memcmp( buf, des3_test_ecb_dec[u], 8 ) != 0 ) ||
00878             ( v != DES_DECRYPT &&
00879                 memcmp( buf, des3_test_ecb_enc[u], 8 ) != 0 ) )
00880         {
00881             if( verbose != 0 )
00882                 printf( "failed\n" );
00883 
00884             return( 1 );
00885         }
00886 
00887         if( verbose != 0 )
00888             printf( "passed\n" );
00889     }
00890 
00891     if( verbose != 0 )
00892         printf( "\n" );
00893 
00894     /*
00895      * CBC mode
00896      */
00897     for( i = 0; i < 6; i++ )
00898     {
00899         u = i >> 1;
00900         v = i  & 1;
00901 
00902         if( verbose != 0 )
00903             printf( "  DES%c-CBC-%3d (%s): ",
00904                     ( u == 0 ) ? ' ' : '3', 56 + u * 56,
00905                     ( v == DES_DECRYPT ) ? "dec" : "enc" );
00906 
00907         memcpy( iv,  des3_test_iv,  8 );
00908         memcpy( prv, des3_test_iv,  8 );
00909         memcpy( buf, des3_test_buf, 8 );
00910 
00911         switch( i )
00912         {
00913         case 0:
00914             des_setkey_dec( &ctx, (unsigned char *) des3_test_keys );
00915             break;
00916 
00917         case 1:
00918             des_setkey_enc( &ctx, (unsigned char *) des3_test_keys );
00919             break;
00920 
00921         case 2:
00922             des3_set2key_dec( &ctx3, (unsigned char *) des3_test_keys );
00923             break;
00924 
00925         case 3:
00926             des3_set2key_enc( &ctx3, (unsigned char *) des3_test_keys );
00927             break;
00928 
00929         case 4:
00930             des3_set3key_dec( &ctx3, (unsigned char *) des3_test_keys );
00931             break;
00932 
00933         case 5:
00934             des3_set3key_enc( &ctx3, (unsigned char *) des3_test_keys );
00935             break;
00936 
00937         default:
00938             return( 1 );
00939         }
00940 
00941         if( v == DES_DECRYPT )
00942         {
00943             for( j = 0; j < 10000; j++ )
00944             {
00945                 if( u == 0 )
00946                     des_crypt_cbc( &ctx, v, 8, iv, buf, buf );
00947                 else
00948                     des3_crypt_cbc( &ctx3, v, 8, iv, buf, buf );
00949             }
00950         }
00951         else
00952         {
00953             for( j = 0; j < 10000; j++ )
00954             {
00955                 unsigned char tmp[8];
00956 
00957                 if( u == 0 )
00958                     des_crypt_cbc( &ctx, v, 8, iv, buf, buf );
00959                 else
00960                     des3_crypt_cbc( &ctx3, v, 8, iv, buf, buf );
00961 
00962                 memcpy( tmp, prv, 8 );
00963                 memcpy( prv, buf, 8 );
00964                 memcpy( buf, tmp, 8 );
00965             }
00966 
00967             memcpy( buf, prv, 8 );
00968         }
00969 
00970         if( ( v == DES_DECRYPT &&
00971                 memcmp( buf, des3_test_cbc_dec[u], 8 ) != 0 ) ||
00972             ( v != DES_DECRYPT &&
00973                 memcmp( buf, des3_test_cbc_enc[u], 8 ) != 0 ) )
00974         {
00975             if( verbose != 0 )
00976                 printf( "failed\n" );
00977 
00978             return( 1 );
00979         }
00980 
00981         if( verbose != 0 )
00982             printf( "passed\n" );
00983     }
00984 
00985     if( verbose != 0 )
00986         printf( "\n" );
00987 
00988     return( 0 );
00989 }
00990 
00991 #endif
00992 
00993 #endif