1/* des.c - DES and Triple-DES encryption/decryption Algorithm 2 * Copyright (C) 1998, 1999, 2001, 2002, 2003, 3 * 2008 Free Software Foundation, Inc. 4 * 5 * This file is part of Libgcrypt. 6 * 7 * Libgcrypt is free software; you can redistribute it and/or modify 8 * it under the terms of the GNU Lesser general Public License as 9 * published by the Free Software Foundation; either version 2.1 of 10 * the License, or (at your option) any later version. 11 * 12 * Libgcrypt is distributed in the hope that it will be useful, 13 * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 * GNU Lesser General Public License for more details. 16 * 17 * You should have received a copy of the GNU Lesser General Public 18 * License along with this program; if not, write to the Free Software 19 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA 20 * 21 * For a description of triple encryption, see: 22 * Bruce Schneier: Applied Cryptography. Second Edition. 23 * John Wiley & Sons, 1996. ISBN 0-471-12845-7. Pages 358 ff. 24 * This implementation is according to the definition of DES in FIPS 25 * PUB 46-2 from December 1993. 26 */ 27 28 29/* 30 * Written by Michael Roth <mroth@nessie.de>, September 1998 31 */ 32 33 34/* 35 * U S A G E 36 * =========== 37 * 38 * For DES or Triple-DES encryption/decryption you must initialize a proper 39 * encryption context with a key. 40 * 41 * A DES key is 64bit wide but only 56bits of the key are used. The remaining 42 * bits are parity bits and they will _not_ checked in this implementation, but 43 * simply ignored. 44 * 45 * For Triple-DES you could use either two 64bit keys or three 64bit keys. 46 * The parity bits will _not_ checked, too. 47 * 48 * After initializing a context with a key you could use this context to 49 * encrypt or decrypt data in 64bit blocks in Electronic Codebook Mode. 50 * 51 * (In the examples below the slashes at the beginning and ending of comments 52 * are omited.) 53 * 54 * DES Example 55 * ----------- 56 * unsigned char key[8]; 57 * unsigned char plaintext[8]; 58 * unsigned char ciphertext[8]; 59 * unsigned char recoverd[8]; 60 * des_ctx context; 61 * 62 * * Fill 'key' and 'plaintext' with some data * 63 * .... 64 * 65 * * Set up the DES encryption context * 66 * des_setkey(context, key); 67 * 68 * * Encrypt the plaintext * 69 * des_ecb_encrypt(context, plaintext, ciphertext); 70 * 71 * * To recover the orginal plaintext from ciphertext use: * 72 * des_ecb_decrypt(context, ciphertext, recoverd); 73 * 74 * 75 * Triple-DES Example 76 * ------------------ 77 * unsigned char key1[8]; 78 * unsigned char key2[8]; 79 * unsigned char key3[8]; 80 * unsigned char plaintext[8]; 81 * unsigned char ciphertext[8]; 82 * unsigned char recoverd[8]; 83 * tripledes_ctx context; 84 * 85 * * If you would like to use two 64bit keys, fill 'key1' and'key2' 86 * then setup the encryption context: * 87 * tripledes_set2keys(context, key1, key2); 88 * 89 * * To use three 64bit keys with Triple-DES use: * 90 * tripledes_set3keys(context, key1, key2, key3); 91 * 92 * * Encrypting plaintext with Triple-DES * 93 * tripledes_ecb_encrypt(context, plaintext, ciphertext); 94 * 95 * * Decrypting ciphertext to recover the plaintext with Triple-DES * 96 * tripledes_ecb_decrypt(context, ciphertext, recoverd); 97 * 98 * 99 * Selftest 100 * -------- 101 * char *error_msg; 102 * 103 * * To perform a selftest of this DES/Triple-DES implementation use the 104 * function selftest(). It will return an error string if there are 105 * some problems with this library. * 106 * 107 * if ( (error_msg = selftest()) ) 108 * { 109 * fprintf(stderr, "An error in the DES/Triple-DES implementation occurred: %s\n", error_msg); 110 * abort(); 111 * } 112 */ 113 114 115#include <config.h> 116#include <stdio.h> 117#include <string.h> /* memcpy, memcmp */ 118#include "types.h" /* for byte and u32 typedefs */ 119#include "g10lib.h" 120#include "cipher.h" 121 122#if defined(__GNUC__) && defined(__GNU_LIBRARY__) 123#define working_memcmp memcmp 124#else 125/* 126 * According to the SunOS man page, memcmp returns indeterminate sign 127 * depending on whether characters are signed or not. 128 */ 129static int 130working_memcmp( const char *a, const char *b, size_t n ) 131{ 132 for( ; n; n--, a++, b++ ) 133 if( *a != *b ) 134 return (int)(*(byte*)a) - (int)(*(byte*)b); 135 return 0; 136} 137#endif 138 139/* 140 * Encryption/Decryption context of DES 141 */ 142typedef struct _des_ctx 143 { 144 u32 encrypt_subkeys[32]; 145 u32 decrypt_subkeys[32]; 146 } 147des_ctx[1]; 148 149/* 150 * Encryption/Decryption context of Triple-DES 151 */ 152typedef struct _tripledes_ctx 153 { 154 u32 encrypt_subkeys[96]; 155 u32 decrypt_subkeys[96]; 156 struct { 157 int no_weak_key; 158 } flags; 159 } 160tripledes_ctx[1]; 161 162static void des_key_schedule (const byte *, u32 *); 163static int des_setkey (struct _des_ctx *, const byte *); 164static int des_ecb_crypt (struct _des_ctx *, const byte *, byte *, int); 165static int tripledes_set2keys (struct _tripledes_ctx *, 166 const byte *, const byte *); 167static int tripledes_set3keys (struct _tripledes_ctx *, 168 const byte *, const byte *, const byte *); 169static int tripledes_ecb_crypt (struct _tripledes_ctx *, 170 const byte *, byte *, int); 171static int is_weak_key ( const byte *key ); 172static const char *selftest (void); 173 174static int initialized; 175 176 177 178 179/* 180 * The s-box values are permuted according to the 'primitive function P' 181 * and are rotated one bit to the left. 182 */ 183static u32 sbox1[64] = 184{ 185 0x01010400, 0x00000000, 0x00010000, 0x01010404, 0x01010004, 0x00010404, 0x00000004, 0x00010000, 186 0x00000400, 0x01010400, 0x01010404, 0x00000400, 0x01000404, 0x01010004, 0x01000000, 0x00000004, 187 0x00000404, 0x01000400, 0x01000400, 0x00010400, 0x00010400, 0x01010000, 0x01010000, 0x01000404, 188 0x00010004, 0x01000004, 0x01000004, 0x00010004, 0x00000000, 0x00000404, 0x00010404, 0x01000000, 189 0x00010000, 0x01010404, 0x00000004, 0x01010000, 0x01010400, 0x01000000, 0x01000000, 0x00000400, 190 0x01010004, 0x00010000, 0x00010400, 0x01000004, 0x00000400, 0x00000004, 0x01000404, 0x00010404, 191 0x01010404, 0x00010004, 0x01010000, 0x01000404, 0x01000004, 0x00000404, 0x00010404, 0x01010400, 192 0x00000404, 0x01000400, 0x01000400, 0x00000000, 0x00010004, 0x00010400, 0x00000000, 0x01010004 193}; 194 195static u32 sbox2[64] = 196{ 197 0x80108020, 0x80008000, 0x00008000, 0x00108020, 0x00100000, 0x00000020, 0x80100020, 0x80008020, 198 0x80000020, 0x80108020, 0x80108000, 0x80000000, 0x80008000, 0x00100000, 0x00000020, 0x80100020, 199 0x00108000, 0x00100020, 0x80008020, 0x00000000, 0x80000000, 0x00008000, 0x00108020, 0x80100000, 200 0x00100020, 0x80000020, 0x00000000, 0x00108000, 0x00008020, 0x80108000, 0x80100000, 0x00008020, 201 0x00000000, 0x00108020, 0x80100020, 0x00100000, 0x80008020, 0x80100000, 0x80108000, 0x00008000, 202 0x80100000, 0x80008000, 0x00000020, 0x80108020, 0x00108020, 0x00000020, 0x00008000, 0x80000000, 203 0x00008020, 0x80108000, 0x00100000, 0x80000020, 0x00100020, 0x80008020, 0x80000020, 0x00100020, 204 0x00108000, 0x00000000, 0x80008000, 0x00008020, 0x80000000, 0x80100020, 0x80108020, 0x00108000 205}; 206 207static u32 sbox3[64] = 208{ 209 0x00000208, 0x08020200, 0x00000000, 0x08020008, 0x08000200, 0x00000000, 0x00020208, 0x08000200, 210 0x00020008, 0x08000008, 0x08000008, 0x00020000, 0x08020208, 0x00020008, 0x08020000, 0x00000208, 211 0x08000000, 0x00000008, 0x08020200, 0x00000200, 0x00020200, 0x08020000, 0x08020008, 0x00020208, 212 0x08000208, 0x00020200, 0x00020000, 0x08000208, 0x00000008, 0x08020208, 0x00000200, 0x08000000, 213 0x08020200, 0x08000000, 0x00020008, 0x00000208, 0x00020000, 0x08020200, 0x08000200, 0x00000000, 214 0x00000200, 0x00020008, 0x08020208, 0x08000200, 0x08000008, 0x00000200, 0x00000000, 0x08020008, 215 0x08000208, 0x00020000, 0x08000000, 0x08020208, 0x00000008, 0x00020208, 0x00020200, 0x08000008, 216 0x08020000, 0x08000208, 0x00000208, 0x08020000, 0x00020208, 0x00000008, 0x08020008, 0x00020200 217}; 218 219static u32 sbox4[64] = 220{ 221 0x00802001, 0x00002081, 0x00002081, 0x00000080, 0x00802080, 0x00800081, 0x00800001, 0x00002001, 222 0x00000000, 0x00802000, 0x00802000, 0x00802081, 0x00000081, 0x00000000, 0x00800080, 0x00800001, 223 0x00000001, 0x00002000, 0x00800000, 0x00802001, 0x00000080, 0x00800000, 0x00002001, 0x00002080, 224 0x00800081, 0x00000001, 0x00002080, 0x00800080, 0x00002000, 0x00802080, 0x00802081, 0x00000081, 225 0x00800080, 0x00800001, 0x00802000, 0x00802081, 0x00000081, 0x00000000, 0x00000000, 0x00802000, 226 0x00002080, 0x00800080, 0x00800081, 0x00000001, 0x00802001, 0x00002081, 0x00002081, 0x00000080, 227 0x00802081, 0x00000081, 0x00000001, 0x00002000, 0x00800001, 0x00002001, 0x00802080, 0x00800081, 228 0x00002001, 0x00002080, 0x00800000, 0x00802001, 0x00000080, 0x00800000, 0x00002000, 0x00802080 229}; 230 231static u32 sbox5[64] = 232{ 233 0x00000100, 0x02080100, 0x02080000, 0x42000100, 0x00080000, 0x00000100, 0x40000000, 0x02080000, 234 0x40080100, 0x00080000, 0x02000100, 0x40080100, 0x42000100, 0x42080000, 0x00080100, 0x40000000, 235 0x02000000, 0x40080000, 0x40080000, 0x00000000, 0x40000100, 0x42080100, 0x42080100, 0x02000100, 236 0x42080000, 0x40000100, 0x00000000, 0x42000000, 0x02080100, 0x02000000, 0x42000000, 0x00080100, 237 0x00080000, 0x42000100, 0x00000100, 0x02000000, 0x40000000, 0x02080000, 0x42000100, 0x40080100, 238 0x02000100, 0x40000000, 0x42080000, 0x02080100, 0x40080100, 0x00000100, 0x02000000, 0x42080000, 239 0x42080100, 0x00080100, 0x42000000, 0x42080100, 0x02080000, 0x00000000, 0x40080000, 0x42000000, 240 0x00080100, 0x02000100, 0x40000100, 0x00080000, 0x00000000, 0x40080000, 0x02080100, 0x40000100 241}; 242 243static u32 sbox6[64] = 244{ 245 0x20000010, 0x20400000, 0x00004000, 0x20404010, 0x20400000, 0x00000010, 0x20404010, 0x00400000, 246 0x20004000, 0x00404010, 0x00400000, 0x20000010, 0x00400010, 0x20004000, 0x20000000, 0x00004010, 247 0x00000000, 0x00400010, 0x20004010, 0x00004000, 0x00404000, 0x20004010, 0x00000010, 0x20400010, 248 0x20400010, 0x00000000, 0x00404010, 0x20404000, 0x00004010, 0x00404000, 0x20404000, 0x20000000, 249 0x20004000, 0x00000010, 0x20400010, 0x00404000, 0x20404010, 0x00400000, 0x00004010, 0x20000010, 250 0x00400000, 0x20004000, 0x20000000, 0x00004010, 0x20000010, 0x20404010, 0x00404000, 0x20400000, 251 0x00404010, 0x20404000, 0x00000000, 0x20400010, 0x00000010, 0x00004000, 0x20400000, 0x00404010, 252 0x00004000, 0x00400010, 0x20004010, 0x00000000, 0x20404000, 0x20000000, 0x00400010, 0x20004010 253}; 254 255static u32 sbox7[64] = 256{ 257 0x00200000, 0x04200002, 0x04000802, 0x00000000, 0x00000800, 0x04000802, 0x00200802, 0x04200800, 258 0x04200802, 0x00200000, 0x00000000, 0x04000002, 0x00000002, 0x04000000, 0x04200002, 0x00000802, 259 0x04000800, 0x00200802, 0x00200002, 0x04000800, 0x04000002, 0x04200000, 0x04200800, 0x00200002, 260 0x04200000, 0x00000800, 0x00000802, 0x04200802, 0x00200800, 0x00000002, 0x04000000, 0x00200800, 261 0x04000000, 0x00200800, 0x00200000, 0x04000802, 0x04000802, 0x04200002, 0x04200002, 0x00000002, 262 0x00200002, 0x04000000, 0x04000800, 0x00200000, 0x04200800, 0x00000802, 0x00200802, 0x04200800, 263 0x00000802, 0x04000002, 0x04200802, 0x04200000, 0x00200800, 0x00000000, 0x00000002, 0x04200802, 264 0x00000000, 0x00200802, 0x04200000, 0x00000800, 0x04000002, 0x04000800, 0x00000800, 0x00200002 265}; 266 267static u32 sbox8[64] = 268{ 269 0x10001040, 0x00001000, 0x00040000, 0x10041040, 0x10000000, 0x10001040, 0x00000040, 0x10000000, 270 0x00040040, 0x10040000, 0x10041040, 0x00041000, 0x10041000, 0x00041040, 0x00001000, 0x00000040, 271 0x10040000, 0x10000040, 0x10001000, 0x00001040, 0x00041000, 0x00040040, 0x10040040, 0x10041000, 272 0x00001040, 0x00000000, 0x00000000, 0x10040040, 0x10000040, 0x10001000, 0x00041040, 0x00040000, 273 0x00041040, 0x00040000, 0x10041000, 0x00001000, 0x00000040, 0x10040040, 0x00001000, 0x00041040, 274 0x10001000, 0x00000040, 0x10000040, 0x10040000, 0x10040040, 0x10000000, 0x00040000, 0x10001040, 275 0x00000000, 0x10041040, 0x00040040, 0x10000040, 0x10040000, 0x10001000, 0x10001040, 0x00000000, 276 0x10041040, 0x00041000, 0x00041000, 0x00001040, 0x00001040, 0x00040040, 0x10000000, 0x10041000 277}; 278 279 280/* 281 * These two tables are part of the 'permuted choice 1' function. 282 * In this implementation several speed improvements are done. 283 */ 284static u32 leftkey_swap[16] = 285{ 286 0x00000000, 0x00000001, 0x00000100, 0x00000101, 287 0x00010000, 0x00010001, 0x00010100, 0x00010101, 288 0x01000000, 0x01000001, 0x01000100, 0x01000101, 289 0x01010000, 0x01010001, 0x01010100, 0x01010101 290}; 291 292static u32 rightkey_swap[16] = 293{ 294 0x00000000, 0x01000000, 0x00010000, 0x01010000, 295 0x00000100, 0x01000100, 0x00010100, 0x01010100, 296 0x00000001, 0x01000001, 0x00010001, 0x01010001, 297 0x00000101, 0x01000101, 0x00010101, 0x01010101, 298}; 299 300 301 302/* 303 * Numbers of left shifts per round for encryption subkeys. 304 * To calculate the decryption subkeys we just reverse the 305 * ordering of the calculated encryption subkeys. So their 306 * is no need for a decryption rotate tab. 307 */ 308static byte encrypt_rotate_tab[16] = 309{ 310 1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1 311}; 312 313 314 315/* 316 * Table with weak DES keys sorted in ascending order. 317 * In DES their are 64 known keys which are weak. They are weak 318 * because they produce only one, two or four different 319 * subkeys in the subkey scheduling process. 320 * The keys in this table have all their parity bits cleared. 321 */ 322static byte weak_keys[64][8] = 323{ 324 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, /*w*/ 325 { 0x00, 0x00, 0x1e, 0x1e, 0x00, 0x00, 0x0e, 0x0e }, 326 { 0x00, 0x00, 0xe0, 0xe0, 0x00, 0x00, 0xf0, 0xf0 }, 327 { 0x00, 0x00, 0xfe, 0xfe, 0x00, 0x00, 0xfe, 0xfe }, 328 { 0x00, 0x1e, 0x00, 0x1e, 0x00, 0x0e, 0x00, 0x0e }, /*sw*/ 329 { 0x00, 0x1e, 0x1e, 0x00, 0x00, 0x0e, 0x0e, 0x00 }, 330 { 0x00, 0x1e, 0xe0, 0xfe, 0x00, 0x0e, 0xf0, 0xfe }, 331 { 0x00, 0x1e, 0xfe, 0xe0, 0x00, 0x0e, 0xfe, 0xf0 }, 332 { 0x00, 0xe0, 0x00, 0xe0, 0x00, 0xf0, 0x00, 0xf0 }, /*sw*/ 333 { 0x00, 0xe0, 0x1e, 0xfe, 0x00, 0xf0, 0x0e, 0xfe }, 334 { 0x00, 0xe0, 0xe0, 0x00, 0x00, 0xf0, 0xf0, 0x00 }, 335 { 0x00, 0xe0, 0xfe, 0x1e, 0x00, 0xf0, 0xfe, 0x0e }, 336 { 0x00, 0xfe, 0x00, 0xfe, 0x00, 0xfe, 0x00, 0xfe }, /*sw*/ 337 { 0x00, 0xfe, 0x1e, 0xe0, 0x00, 0xfe, 0x0e, 0xf0 }, 338 { 0x00, 0xfe, 0xe0, 0x1e, 0x00, 0xfe, 0xf0, 0x0e }, 339 { 0x00, 0xfe, 0xfe, 0x00, 0x00, 0xfe, 0xfe, 0x00 }, 340 { 0x1e, 0x00, 0x00, 0x1e, 0x0e, 0x00, 0x00, 0x0e }, 341 { 0x1e, 0x00, 0x1e, 0x00, 0x0e, 0x00, 0x0e, 0x00 }, /*sw*/ 342 { 0x1e, 0x00, 0xe0, 0xfe, 0x0e, 0x00, 0xf0, 0xfe }, 343 { 0x1e, 0x00, 0xfe, 0xe0, 0x0e, 0x00, 0xfe, 0xf0 }, 344 { 0x1e, 0x1e, 0x00, 0x00, 0x0e, 0x0e, 0x00, 0x00 }, 345 { 0x1e, 0x1e, 0x1e, 0x1e, 0x0e, 0x0e, 0x0e, 0x0e }, /*w*/ 346 { 0x1e, 0x1e, 0xe0, 0xe0, 0x0e, 0x0e, 0xf0, 0xf0 }, 347 { 0x1e, 0x1e, 0xfe, 0xfe, 0x0e, 0x0e, 0xfe, 0xfe }, 348 { 0x1e, 0xe0, 0x00, 0xfe, 0x0e, 0xf0, 0x00, 0xfe }, 349 { 0x1e, 0xe0, 0x1e, 0xe0, 0x0e, 0xf0, 0x0e, 0xf0 }, /*sw*/ 350 { 0x1e, 0xe0, 0xe0, 0x1e, 0x0e, 0xf0, 0xf0, 0x0e }, 351 { 0x1e, 0xe0, 0xfe, 0x00, 0x0e, 0xf0, 0xfe, 0x00 }, 352 { 0x1e, 0xfe, 0x00, 0xe0, 0x0e, 0xfe, 0x00, 0xf0 }, 353 { 0x1e, 0xfe, 0x1e, 0xfe, 0x0e, 0xfe, 0x0e, 0xfe }, /*sw*/ 354 { 0x1e, 0xfe, 0xe0, 0x00, 0x0e, 0xfe, 0xf0, 0x00 }, 355 { 0x1e, 0xfe, 0xfe, 0x1e, 0x0e, 0xfe, 0xfe, 0x0e }, 356 { 0xe0, 0x00, 0x00, 0xe0, 0xf0, 0x00, 0x00, 0xf0 }, 357 { 0xe0, 0x00, 0x1e, 0xfe, 0xf0, 0x00, 0x0e, 0xfe }, 358 { 0xe0, 0x00, 0xe0, 0x00, 0xf0, 0x00, 0xf0, 0x00 }, /*sw*/ 359 { 0xe0, 0x00, 0xfe, 0x1e, 0xf0, 0x00, 0xfe, 0x0e }, 360 { 0xe0, 0x1e, 0x00, 0xfe, 0xf0, 0x0e, 0x00, 0xfe }, 361 { 0xe0, 0x1e, 0x1e, 0xe0, 0xf0, 0x0e, 0x0e, 0xf0 }, 362 { 0xe0, 0x1e, 0xe0, 0x1e, 0xf0, 0x0e, 0xf0, 0x0e }, /*sw*/ 363 { 0xe0, 0x1e, 0xfe, 0x00, 0xf0, 0x0e, 0xfe, 0x00 }, 364 { 0xe0, 0xe0, 0x00, 0x00, 0xf0, 0xf0, 0x00, 0x00 }, 365 { 0xe0, 0xe0, 0x1e, 0x1e, 0xf0, 0xf0, 0x0e, 0x0e }, 366 { 0xe0, 0xe0, 0xe0, 0xe0, 0xf0, 0xf0, 0xf0, 0xf0 }, /*w*/ 367 { 0xe0, 0xe0, 0xfe, 0xfe, 0xf0, 0xf0, 0xfe, 0xfe }, 368 { 0xe0, 0xfe, 0x00, 0x1e, 0xf0, 0xfe, 0x00, 0x0e }, 369 { 0xe0, 0xfe, 0x1e, 0x00, 0xf0, 0xfe, 0x0e, 0x00 }, 370 { 0xe0, 0xfe, 0xe0, 0xfe, 0xf0, 0xfe, 0xf0, 0xfe }, /*sw*/ 371 { 0xe0, 0xfe, 0xfe, 0xe0, 0xf0, 0xfe, 0xfe, 0xf0 }, 372 { 0xfe, 0x00, 0x00, 0xfe, 0xfe, 0x00, 0x00, 0xfe }, 373 { 0xfe, 0x00, 0x1e, 0xe0, 0xfe, 0x00, 0x0e, 0xf0 }, 374 { 0xfe, 0x00, 0xe0, 0x1e, 0xfe, 0x00, 0xf0, 0x0e }, 375 { 0xfe, 0x00, 0xfe, 0x00, 0xfe, 0x00, 0xfe, 0x00 }, /*sw*/ 376 { 0xfe, 0x1e, 0x00, 0xe0, 0xfe, 0x0e, 0x00, 0xf0 }, 377 { 0xfe, 0x1e, 0x1e, 0xfe, 0xfe, 0x0e, 0x0e, 0xfe }, 378 { 0xfe, 0x1e, 0xe0, 0x00, 0xfe, 0x0e, 0xf0, 0x00 }, 379 { 0xfe, 0x1e, 0xfe, 0x1e, 0xfe, 0x0e, 0xfe, 0x0e }, /*sw*/ 380 { 0xfe, 0xe0, 0x00, 0x1e, 0xfe, 0xf0, 0x00, 0x0e }, 381 { 0xfe, 0xe0, 0x1e, 0x00, 0xfe, 0xf0, 0x0e, 0x00 }, 382 { 0xfe, 0xe0, 0xe0, 0xfe, 0xfe, 0xf0, 0xf0, 0xfe }, 383 { 0xfe, 0xe0, 0xfe, 0xe0, 0xfe, 0xf0, 0xfe, 0xf0 }, /*sw*/ 384 { 0xfe, 0xfe, 0x00, 0x00, 0xfe, 0xfe, 0x00, 0x00 }, 385 { 0xfe, 0xfe, 0x1e, 0x1e, 0xfe, 0xfe, 0x0e, 0x0e }, 386 { 0xfe, 0xfe, 0xe0, 0xe0, 0xfe, 0xfe, 0xf0, 0xf0 }, 387 { 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe } /*w*/ 388}; 389static unsigned char weak_keys_chksum[20] = { 390 0xD0, 0xCF, 0x07, 0x38, 0x93, 0x70, 0x8A, 0x83, 0x7D, 0xD7, 391 0x8A, 0x36, 0x65, 0x29, 0x6C, 0x1F, 0x7C, 0x3F, 0xD3, 0x41 392}; 393 394 395 396/* 397 * Macro to swap bits across two words. 398 */ 399#define DO_PERMUTATION(a, temp, b, offset, mask) \ 400 temp = ((a>>offset) ^ b) & mask; \ 401 b ^= temp; \ 402 a ^= temp<<offset; 403 404 405/* 406 * This performs the 'initial permutation' of the data to be encrypted 407 * or decrypted. Additionally the resulting two words are rotated one bit 408 * to the left. 409 */ 410#define INITIAL_PERMUTATION(left, temp, right) \ 411 DO_PERMUTATION(left, temp, right, 4, 0x0f0f0f0f) \ 412 DO_PERMUTATION(left, temp, right, 16, 0x0000ffff) \ 413 DO_PERMUTATION(right, temp, left, 2, 0x33333333) \ 414 DO_PERMUTATION(right, temp, left, 8, 0x00ff00ff) \ 415 right = (right << 1) | (right >> 31); \ 416 temp = (left ^ right) & 0xaaaaaaaa; \ 417 right ^= temp; \ 418 left ^= temp; \ 419 left = (left << 1) | (left >> 31); 420 421/* 422 * The 'inverse initial permutation'. 423 */ 424#define FINAL_PERMUTATION(left, temp, right) \ 425 left = (left << 31) | (left >> 1); \ 426 temp = (left ^ right) & 0xaaaaaaaa; \ 427 left ^= temp; \ 428 right ^= temp; \ 429 right = (right << 31) | (right >> 1); \ 430 DO_PERMUTATION(right, temp, left, 8, 0x00ff00ff) \ 431 DO_PERMUTATION(right, temp, left, 2, 0x33333333) \ 432 DO_PERMUTATION(left, temp, right, 16, 0x0000ffff) \ 433 DO_PERMUTATION(left, temp, right, 4, 0x0f0f0f0f) 434 435 436/* 437 * A full DES round including 'expansion function', 'sbox substitution' 438 * and 'primitive function P' but without swapping the left and right word. 439 * Please note: The data in 'from' and 'to' is already rotated one bit to 440 * the left, done in the initial permutation. 441 */ 442#define DES_ROUND(from, to, work, subkey) \ 443 work = from ^ *subkey++; \ 444 to ^= sbox8[ work & 0x3f ]; \ 445 to ^= sbox6[ (work>>8) & 0x3f ]; \ 446 to ^= sbox4[ (work>>16) & 0x3f ]; \ 447 to ^= sbox2[ (work>>24) & 0x3f ]; \ 448 work = ((from << 28) | (from >> 4)) ^ *subkey++; \ 449 to ^= sbox7[ work & 0x3f ]; \ 450 to ^= sbox5[ (work>>8) & 0x3f ]; \ 451 to ^= sbox3[ (work>>16) & 0x3f ]; \ 452 to ^= sbox1[ (work>>24) & 0x3f ]; 453 454/* 455 * Macros to convert 8 bytes from/to 32bit words. 456 */ 457#define READ_64BIT_DATA(data, left, right) \ 458 left = (data[0] << 24) | (data[1] << 16) | (data[2] << 8) | data[3]; \ 459 right = (data[4] << 24) | (data[5] << 16) | (data[6] << 8) | data[7]; 460 461#define WRITE_64BIT_DATA(data, left, right) \ 462 data[0] = (left >> 24) &0xff; data[1] = (left >> 16) &0xff; \ 463 data[2] = (left >> 8) &0xff; data[3] = left &0xff; \ 464 data[4] = (right >> 24) &0xff; data[5] = (right >> 16) &0xff; \ 465 data[6] = (right >> 8) &0xff; data[7] = right &0xff; 466 467/* 468 * Handy macros for encryption and decryption of data 469 */ 470#define des_ecb_encrypt(ctx, from, to) des_ecb_crypt(ctx, from, to, 0) 471#define des_ecb_decrypt(ctx, from, to) des_ecb_crypt(ctx, from, to, 1) 472#define tripledes_ecb_encrypt(ctx, from, to) tripledes_ecb_crypt(ctx,from,to,0) 473#define tripledes_ecb_decrypt(ctx, from, to) tripledes_ecb_crypt(ctx,from,to,1) 474 475 476 477 478 479 480/* 481 * des_key_schedule(): Calculate 16 subkeys pairs (even/odd) for 482 * 16 encryption rounds. 483 * To calculate subkeys for decryption the caller 484 * have to reorder the generated subkeys. 485 * 486 * rawkey: 8 Bytes of key data 487 * subkey: Array of at least 32 u32s. Will be filled 488 * with calculated subkeys. 489 * 490 */ 491static void 492des_key_schedule (const byte * rawkey, u32 * subkey) 493{ 494 u32 left, right, work; 495 int round; 496 497 READ_64BIT_DATA (rawkey, left, right) 498 499 DO_PERMUTATION (right, work, left, 4, 0x0f0f0f0f) 500 DO_PERMUTATION (right, work, left, 0, 0x10101010) 501 502 left = ((leftkey_swap[(left >> 0) & 0xf] << 3) 503 | (leftkey_swap[(left >> 8) & 0xf] << 2) 504 | (leftkey_swap[(left >> 16) & 0xf] << 1) 505 | (leftkey_swap[(left >> 24) & 0xf]) 506 | (leftkey_swap[(left >> 5) & 0xf] << 7) 507 | (leftkey_swap[(left >> 13) & 0xf] << 6) 508 | (leftkey_swap[(left >> 21) & 0xf] << 5) 509 | (leftkey_swap[(left >> 29) & 0xf] << 4)); 510 511 left &= 0x0fffffff; 512 513 right = ((rightkey_swap[(right >> 1) & 0xf] << 3) 514 | (rightkey_swap[(right >> 9) & 0xf] << 2) 515 | (rightkey_swap[(right >> 17) & 0xf] << 1) 516 | (rightkey_swap[(right >> 25) & 0xf]) 517 | (rightkey_swap[(right >> 4) & 0xf] << 7) 518 | (rightkey_swap[(right >> 12) & 0xf] << 6) 519 | (rightkey_swap[(right >> 20) & 0xf] << 5) 520 | (rightkey_swap[(right >> 28) & 0xf] << 4)); 521 522 right &= 0x0fffffff; 523 524 for (round = 0; round < 16; ++round) 525 { 526 left = ((left << encrypt_rotate_tab[round]) 527 | (left >> (28 - encrypt_rotate_tab[round]))) & 0x0fffffff; 528 right = ((right << encrypt_rotate_tab[round]) 529 | (right >> (28 - encrypt_rotate_tab[round]))) & 0x0fffffff; 530 531 *subkey++ = (((left << 4) & 0x24000000) 532 | ((left << 28) & 0x10000000) 533 | ((left << 14) & 0x08000000) 534 | ((left << 18) & 0x02080000) 535 | ((left << 6) & 0x01000000) 536 | ((left << 9) & 0x00200000) 537 | ((left >> 1) & 0x00100000) 538 | ((left << 10) & 0x00040000) 539 | ((left << 2) & 0x00020000) 540 | ((left >> 10) & 0x00010000) 541 | ((right >> 13) & 0x00002000) 542 | ((right >> 4) & 0x00001000) 543 | ((right << 6) & 0x00000800) 544 | ((right >> 1) & 0x00000400) 545 | ((right >> 14) & 0x00000200) 546 | (right & 0x00000100) 547 | ((right >> 5) & 0x00000020) 548 | ((right >> 10) & 0x00000010) 549 | ((right >> 3) & 0x00000008) 550 | ((right >> 18) & 0x00000004) 551 | ((right >> 26) & 0x00000002) 552 | ((right >> 24) & 0x00000001)); 553 554 *subkey++ = (((left << 15) & 0x20000000) 555 | ((left << 17) & 0x10000000) 556 | ((left << 10) & 0x08000000) 557 | ((left << 22) & 0x04000000) 558 | ((left >> 2) & 0x02000000) 559 | ((left << 1) & 0x01000000) 560 | ((left << 16) & 0x00200000) 561 | ((left << 11) & 0x00100000) 562 | ((left << 3) & 0x00080000) 563 | ((left >> 6) & 0x00040000) 564 | ((left << 15) & 0x00020000) 565 | ((left >> 4) & 0x00010000) 566 | ((right >> 2) & 0x00002000) 567 | ((right << 8) & 0x00001000) 568 | ((right >> 14) & 0x00000808) 569 | ((right >> 9) & 0x00000400) 570 | ((right) & 0x00000200) 571 | ((right << 7) & 0x00000100) 572 | ((right >> 7) & 0x00000020) 573 | ((right >> 3) & 0x00000011) 574 | ((right << 2) & 0x00000004) 575 | ((right >> 21) & 0x00000002)); 576 } 577} 578 579 580/* 581 * Fill a DES context with subkeys calculated from a 64bit key. 582 * Does not check parity bits, but simply ignore them. 583 * Does not check for weak keys. 584 */ 585static int 586des_setkey (struct _des_ctx *ctx, const byte * key) 587{ 588 static const char *selftest_failed; 589 int i; 590 591 if (!fips_mode () && !initialized) 592 { 593 initialized = 1; 594 selftest_failed = selftest (); 595 596 if (selftest_failed) 597 log_error ("%s\n", selftest_failed); 598 } 599 if (selftest_failed) 600 return GPG_ERR_SELFTEST_FAILED; 601 602 des_key_schedule (key, ctx->encrypt_subkeys); 603 _gcry_burn_stack (32); 604 605 for(i=0; i<32; i+=2) 606 { 607 ctx->decrypt_subkeys[i] = ctx->encrypt_subkeys[30-i]; 608 ctx->decrypt_subkeys[i+1] = ctx->encrypt_subkeys[31-i]; 609 } 610 611 return 0; 612} 613 614 615 616/* 617 * Electronic Codebook Mode DES encryption/decryption of data according 618 * to 'mode'. 619 */ 620static int 621des_ecb_crypt (struct _des_ctx *ctx, const byte * from, byte * to, int mode) 622{ 623 u32 left, right, work; 624 u32 *keys; 625 626 keys = mode ? ctx->decrypt_subkeys : ctx->encrypt_subkeys; 627 628 READ_64BIT_DATA (from, left, right) 629 INITIAL_PERMUTATION (left, work, right) 630 631 DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) 632 DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) 633 DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) 634 DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) 635 DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) 636 DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) 637 DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) 638 DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) 639 640 FINAL_PERMUTATION (right, work, left) 641 WRITE_64BIT_DATA (to, right, left) 642 643 return 0; 644} 645 646 647 648/* 649 * Fill a Triple-DES context with subkeys calculated from two 64bit keys. 650 * Does not check the parity bits of the keys, but simply ignore them. 651 * Does not check for weak keys. 652 */ 653static int 654tripledes_set2keys (struct _tripledes_ctx *ctx, 655 const byte * key1, 656 const byte * key2) 657{ 658 int i; 659 660 des_key_schedule (key1, ctx->encrypt_subkeys); 661 des_key_schedule (key2, &(ctx->decrypt_subkeys[32])); 662 _gcry_burn_stack (32); 663 664 for(i=0; i<32; i+=2) 665 { 666 ctx->decrypt_subkeys[i] = ctx->encrypt_subkeys[30-i]; 667 ctx->decrypt_subkeys[i+1] = ctx->encrypt_subkeys[31-i]; 668 669 ctx->encrypt_subkeys[i+32] = ctx->decrypt_subkeys[62-i]; 670 ctx->encrypt_subkeys[i+33] = ctx->decrypt_subkeys[63-i]; 671 672 ctx->encrypt_subkeys[i+64] = ctx->encrypt_subkeys[i]; 673 ctx->encrypt_subkeys[i+65] = ctx->encrypt_subkeys[i+1]; 674 675 ctx->decrypt_subkeys[i+64] = ctx->decrypt_subkeys[i]; 676 ctx->decrypt_subkeys[i+65] = ctx->decrypt_subkeys[i+1]; 677 } 678 679 return 0; 680} 681 682 683 684/* 685 * Fill a Triple-DES context with subkeys calculated from three 64bit keys. 686 * Does not check the parity bits of the keys, but simply ignore them. 687 * Does not check for weak keys. 688 */ 689static int 690tripledes_set3keys (struct _tripledes_ctx *ctx, 691 const byte * key1, 692 const byte * key2, 693 const byte * key3) 694{ 695 static const char *selftest_failed; 696 int i; 697 698 if (!fips_mode () && !initialized) 699 { 700 initialized = 1; 701 selftest_failed = selftest (); 702 703 if (selftest_failed) 704 log_error ("%s\n", selftest_failed); 705 } 706 if (selftest_failed) 707 return GPG_ERR_SELFTEST_FAILED; 708 709 des_key_schedule (key1, ctx->encrypt_subkeys); 710 des_key_schedule (key2, &(ctx->decrypt_subkeys[32])); 711 des_key_schedule (key3, &(ctx->encrypt_subkeys[64])); 712 _gcry_burn_stack (32); 713 714 for(i=0; i<32; i+=2) 715 { 716 ctx->decrypt_subkeys[i] = ctx->encrypt_subkeys[94-i]; 717 ctx->decrypt_subkeys[i+1] = ctx->encrypt_subkeys[95-i]; 718 719 ctx->encrypt_subkeys[i+32] = ctx->decrypt_subkeys[62-i]; 720 ctx->encrypt_subkeys[i+33] = ctx->decrypt_subkeys[63-i]; 721 722 ctx->decrypt_subkeys[i+64] = ctx->encrypt_subkeys[30-i]; 723 ctx->decrypt_subkeys[i+65] = ctx->encrypt_subkeys[31-i]; 724 } 725 726 return 0; 727} 728 729 730 731/* 732 * Electronic Codebook Mode Triple-DES encryption/decryption of data 733 * according to 'mode'. Sometimes this mode is named 'EDE' mode 734 * (Encryption-Decryption-Encryption). 735 */ 736static int 737tripledes_ecb_crypt (struct _tripledes_ctx *ctx, const byte * from, 738 byte * to, int mode) 739{ 740 u32 left, right, work; 741 u32 *keys; 742 743 keys = mode ? ctx->decrypt_subkeys : ctx->encrypt_subkeys; 744 745 READ_64BIT_DATA (from, left, right) 746 INITIAL_PERMUTATION (left, work, right) 747 748 DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) 749 DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) 750 DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) 751 DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) 752 DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) 753 DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) 754 DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) 755 DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) 756 757 DES_ROUND (left, right, work, keys) DES_ROUND (right, left, work, keys) 758 DES_ROUND (left, right, work, keys) DES_ROUND (right, left, work, keys) 759 DES_ROUND (left, right, work, keys) DES_ROUND (right, left, work, keys) 760 DES_ROUND (left, right, work, keys) DES_ROUND (right, left, work, keys) 761 DES_ROUND (left, right, work, keys) DES_ROUND (right, left, work, keys) 762 DES_ROUND (left, right, work, keys) DES_ROUND (right, left, work, keys) 763 DES_ROUND (left, right, work, keys) DES_ROUND (right, left, work, keys) 764 DES_ROUND (left, right, work, keys) DES_ROUND (right, left, work, keys) 765 766 DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) 767 DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) 768 DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) 769 DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) 770 DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) 771 DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) 772 DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) 773 DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) 774 775 FINAL_PERMUTATION (right, work, left) 776 WRITE_64BIT_DATA (to, right, left) 777 778 return 0; 779} 780 781 782 783 784 785/* 786 * Check whether the 8 byte key is weak. 787 * Does not check the parity bits of the key but simple ignore them. 788 */ 789static int 790is_weak_key ( const byte *key ) 791{ 792 byte work[8]; 793 int i, left, right, middle, cmp_result; 794 795 /* clear parity bits */ 796 for(i=0; i<8; ++i) 797 work[i] = key[i] & 0xfe; 798 799 /* binary search in the weak key table */ 800 left = 0; 801 right = 63; 802 while(left <= right) 803 { 804 middle = (left + right) / 2; 805 806 if ( !(cmp_result=working_memcmp(work, weak_keys[middle], 8)) ) 807 return -1; 808 809 if ( cmp_result > 0 ) 810 left = middle + 1; 811 else 812 right = middle - 1; 813 } 814 815 return 0; 816} 817 818 819 820/* 821 * Performs a selftest of this DES/Triple-DES implementation. 822 * Returns an string with the error text on failure. 823 * Returns NULL if all is ok. 824 */ 825static const char * 826selftest (void) 827{ 828 /* 829 * Check if 'u32' is really 32 bits wide. This DES / 3DES implementation 830 * need this. 831 */ 832 if (sizeof (u32) != 4) 833 return "Wrong word size for DES configured."; 834 835 /* 836 * DES Maintenance Test 837 */ 838 { 839 int i; 840 byte key[8] = 841 {0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55}; 842 byte input[8] = 843 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}; 844 byte result[8] = 845 {0x24, 0x6e, 0x9d, 0xb9, 0xc5, 0x50, 0x38, 0x1a}; 846 byte temp1[8], temp2[8], temp3[8]; 847 des_ctx des; 848 849 for (i = 0; i < 64; ++i) 850 { 851 des_setkey (des, key); 852 des_ecb_encrypt (des, input, temp1); 853 des_ecb_encrypt (des, temp1, temp2); 854 des_setkey (des, temp2); 855 des_ecb_decrypt (des, temp1, temp3); 856 memcpy (key, temp3, 8); 857 memcpy (input, temp1, 8); 858 } 859 if (memcmp (temp3, result, 8)) 860 return "DES maintenance test failed."; 861 } 862 863 864 /* 865 * Self made Triple-DES test (Does somebody know an official test?) 866 */ 867 { 868 int i; 869 byte input[8] = 870 {0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10}; 871 byte key1[8] = 872 {0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0}; 873 byte key2[8] = 874 {0x11, 0x22, 0x33, 0x44, 0xff, 0xaa, 0xcc, 0xdd}; 875 byte result[8] = 876 {0x7b, 0x38, 0x3b, 0x23, 0xa2, 0x7d, 0x26, 0xd3}; 877 878 tripledes_ctx des3; 879 880 for (i = 0; i < 16; ++i) 881 { 882 tripledes_set2keys (des3, key1, key2); 883 tripledes_ecb_encrypt (des3, input, key1); 884 tripledes_ecb_decrypt (des3, input, key2); 885 tripledes_set3keys (des3, key1, input, key2); 886 tripledes_ecb_encrypt (des3, input, input); 887 } 888 if (memcmp (input, result, 8)) 889 return "Triple-DES test failed."; 890 } 891 892 /* 893 * More Triple-DES test. These are testvectors as used by SSLeay, 894 * thanks to Jeroen C. van Gelderen. 895 */ 896 { 897 struct { byte key[24]; byte plain[8]; byte cipher[8]; } testdata[] = { 898 { { 0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01, 899 0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01, 900 0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01 }, 901 { 0x95,0xF8,0xA5,0xE5,0xDD,0x31,0xD9,0x00 }, 902 { 0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00 } 903 }, 904 905 { { 0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01, 906 0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01, 907 0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01 }, 908 { 0x9D,0x64,0x55,0x5A,0x9A,0x10,0xB8,0x52, }, 909 { 0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x00 } 910 }, 911 { { 0x38,0x49,0x67,0x4C,0x26,0x02,0x31,0x9E, 912 0x38,0x49,0x67,0x4C,0x26,0x02,0x31,0x9E, 913 0x38,0x49,0x67,0x4C,0x26,0x02,0x31,0x9E }, 914 { 0x51,0x45,0x4B,0x58,0x2D,0xDF,0x44,0x0A }, 915 { 0x71,0x78,0x87,0x6E,0x01,0xF1,0x9B,0x2A } 916 }, 917 { { 0x04,0xB9,0x15,0xBA,0x43,0xFE,0xB5,0xB6, 918 0x04,0xB9,0x15,0xBA,0x43,0xFE,0xB5,0xB6, 919 0x04,0xB9,0x15,0xBA,0x43,0xFE,0xB5,0xB6 }, 920 { 0x42,0xFD,0x44,0x30,0x59,0x57,0x7F,0xA2 }, 921 { 0xAF,0x37,0xFB,0x42,0x1F,0x8C,0x40,0x95 } 922 }, 923 { { 0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF, 924 0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF, 925 0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF }, 926 { 0x73,0x6F,0x6D,0x65,0x64,0x61,0x74,0x61 }, 927 { 0x3D,0x12,0x4F,0xE2,0x19,0x8B,0xA3,0x18 } 928 }, 929 { { 0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF, 930 0x55,0x55,0x55,0x55,0x55,0x55,0x55,0x55, 931 0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF }, 932 { 0x73,0x6F,0x6D,0x65,0x64,0x61,0x74,0x61 }, 933 { 0xFB,0xAB,0xA1,0xFF,0x9D,0x05,0xE9,0xB1 } 934 }, 935 { { 0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF, 936 0x55,0x55,0x55,0x55,0x55,0x55,0x55,0x55, 937 0xFE,0xDC,0xBA,0x98,0x76,0x54,0x32,0x10 }, 938 { 0x73,0x6F,0x6D,0x65,0x64,0x61,0x74,0x61 }, 939 { 0x18,0xd7,0x48,0xe5,0x63,0x62,0x05,0x72 } 940 }, 941 { { 0x03,0x52,0x02,0x07,0x67,0x20,0x82,0x17, 942 0x86,0x02,0x87,0x66,0x59,0x08,0x21,0x98, 943 0x64,0x05,0x6A,0xBD,0xFE,0xA9,0x34,0x57 }, 944 { 0x73,0x71,0x75,0x69,0x67,0x67,0x6C,0x65 }, 945 { 0xc0,0x7d,0x2a,0x0f,0xa5,0x66,0xfa,0x30 } 946 }, 947 { { 0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01, 948 0x80,0x01,0x01,0x01,0x01,0x01,0x01,0x01, 949 0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x02 }, 950 { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 }, 951 { 0xe6,0xe6,0xdd,0x5b,0x7e,0x72,0x29,0x74 } 952 }, 953 { { 0x10,0x46,0x10,0x34,0x89,0x98,0x80,0x20, 954 0x91,0x07,0xD0,0x15,0x89,0x19,0x01,0x01, 955 0x19,0x07,0x92,0x10,0x98,0x1A,0x01,0x01 }, 956 { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 }, 957 { 0xe1,0xef,0x62,0xc3,0x32,0xfe,0x82,0x5b } 958 } 959 }; 960 961 byte result[8]; 962 int i; 963 tripledes_ctx des3; 964 965 for (i=0; i<sizeof(testdata)/sizeof(*testdata); ++i) 966 { 967 tripledes_set3keys (des3, testdata[i].key, 968 testdata[i].key + 8, testdata[i].key + 16); 969 970 tripledes_ecb_encrypt (des3, testdata[i].plain, result); 971 if (memcmp (testdata[i].cipher, result, 8)) 972 return "Triple-DES SSLeay test failed on encryption."; 973 974 tripledes_ecb_decrypt (des3, testdata[i].cipher, result); 975 if (memcmp (testdata[i].plain, result, 8)) 976 return "Triple-DES SSLeay test failed on decryption.";; 977 } 978 } 979 980 /* 981 * Check the weak key detection. We simply assume that the table 982 * with weak keys is ok and check every key in the table if it is 983 * detected... (This test is a little bit stupid). 984 */ 985 { 986 int i; 987 unsigned char *p; 988 gcry_md_hd_t h; 989 990 if (_gcry_md_open (&h, GCRY_MD_SHA1, 0)) 991 return "SHA1 not available"; 992 993 for (i = 0; i < 64; ++i) 994 _gcry_md_write (h, weak_keys[i], 8); 995 p = _gcry_md_read (h, GCRY_MD_SHA1); 996 i = memcmp (p, weak_keys_chksum, 20); 997 _gcry_md_close (h); 998 if (i) 999 return "weak key table defect"; 1000 1001 for (i = 0; i < 64; ++i) 1002 if (!is_weak_key(weak_keys[i])) 1003 return "DES weak key detection failed"; 1004 } 1005 1006 return 0; 1007} 1008 1009 1010static gcry_err_code_t 1011do_tripledes_setkey ( void *context, const byte *key, unsigned keylen ) 1012{ 1013 struct _tripledes_ctx *ctx = (struct _tripledes_ctx *) context; 1014 1015 if( keylen != 24 ) 1016 return GPG_ERR_INV_KEYLEN; 1017 1018 tripledes_set3keys ( ctx, key, key+8, key+16); 1019 1020 if (ctx->flags.no_weak_key) 1021 ; /* Detection has been disabled. */ 1022 else if (is_weak_key (key) || is_weak_key (key+8) || is_weak_key (key+16)) 1023 { 1024 _gcry_burn_stack (64); 1025 return GPG_ERR_WEAK_KEY; 1026 } 1027 _gcry_burn_stack (64); 1028 1029 return GPG_ERR_NO_ERROR; 1030} 1031 1032 1033static gcry_err_code_t 1034do_tripledes_set_extra_info (void *context, int what, 1035 const void *buffer, size_t buflen) 1036{ 1037 struct _tripledes_ctx *ctx = (struct _tripledes_ctx *)context; 1038 gpg_err_code_t ec = 0; 1039 1040 (void)buffer; 1041 (void)buflen; 1042 1043 switch (what) 1044 { 1045 case CIPHER_INFO_NO_WEAK_KEY: 1046 ctx->flags.no_weak_key = 1; 1047 break; 1048 1049 default: 1050 ec = GPG_ERR_INV_OP; 1051 break; 1052 } 1053 return ec; 1054} 1055 1056 1057static void 1058do_tripledes_encrypt( void *context, byte *outbuf, const byte *inbuf ) 1059{ 1060 struct _tripledes_ctx *ctx = (struct _tripledes_ctx *) context; 1061 1062 tripledes_ecb_encrypt ( ctx, inbuf, outbuf ); 1063 _gcry_burn_stack (32); 1064} 1065 1066static void 1067do_tripledes_decrypt( void *context, byte *outbuf, const byte *inbuf ) 1068{ 1069 struct _tripledes_ctx *ctx = (struct _tripledes_ctx *) context; 1070 tripledes_ecb_decrypt ( ctx, inbuf, outbuf ); 1071 _gcry_burn_stack (32); 1072} 1073 1074static gcry_err_code_t 1075do_des_setkey (void *context, const byte *key, unsigned keylen) 1076{ 1077 struct _des_ctx *ctx = (struct _des_ctx *) context; 1078 1079 if (keylen != 8) 1080 return GPG_ERR_INV_KEYLEN; 1081 1082 des_setkey (ctx, key); 1083 1084 if (is_weak_key (key)) { 1085 _gcry_burn_stack (64); 1086 return GPG_ERR_WEAK_KEY; 1087 } 1088 _gcry_burn_stack (64); 1089 1090 return GPG_ERR_NO_ERROR; 1091} 1092 1093 1094static void 1095do_des_encrypt( void *context, byte *outbuf, const byte *inbuf ) 1096{ 1097 struct _des_ctx *ctx = (struct _des_ctx *) context; 1098 1099 des_ecb_encrypt ( ctx, inbuf, outbuf ); 1100 _gcry_burn_stack (32); 1101} 1102 1103static void 1104do_des_decrypt( void *context, byte *outbuf, const byte *inbuf ) 1105{ 1106 struct _des_ctx *ctx = (struct _des_ctx *) context; 1107 1108 des_ecb_decrypt ( ctx, inbuf, outbuf ); 1109 _gcry_burn_stack (32); 1110} 1111 1112 1113 1114 1115/* 1116 Self-test section. 1117 */ 1118 1119 1120/* Selftest for TripleDES. */ 1121static gpg_err_code_t 1122selftest_fips (int extended, selftest_report_func_t report) 1123{ 1124 const char *what; 1125 const char *errtxt; 1126 1127 (void)extended; /* No extended tests available. */ 1128 1129 what = "low-level"; 1130 errtxt = selftest (); 1131 if (errtxt) 1132 goto failed; 1133 1134 /* The low-level self-tests are quite extensive and thus we can do 1135 without high level tests. This is also justified because we have 1136 no custom block code implementation for 3des but always use the 1137 standard high level block code. */ 1138 1139 return 0; /* Succeeded. */ 1140 1141 failed: 1142 if (report) 1143 report ("cipher", GCRY_CIPHER_3DES, what, errtxt); 1144 return GPG_ERR_SELFTEST_FAILED; 1145} 1146 1147 1148 1149/* Run a full self-test for ALGO and return 0 on success. */ 1150static gpg_err_code_t 1151run_selftests (int algo, int extended, selftest_report_func_t report) 1152{ 1153 gpg_err_code_t ec; 1154 1155 switch (algo) 1156 { 1157 case GCRY_CIPHER_3DES: 1158 ec = selftest_fips (extended, report); 1159 break; 1160 default: 1161 ec = GPG_ERR_CIPHER_ALGO; 1162 break; 1163 1164 } 1165 return ec; 1166} 1167 1168 1169 1170gcry_cipher_spec_t _gcry_cipher_spec_des = 1171 { 1172 "DES", NULL, NULL, 8, 64, sizeof (struct _des_ctx), 1173 do_des_setkey, do_des_encrypt, do_des_decrypt 1174 }; 1175 1176static gcry_cipher_oid_spec_t oids_tripledes[] = 1177 { 1178 { "1.2.840.113549.3.7", GCRY_CIPHER_MODE_CBC }, 1179 /* Teletrust specific OID for 3DES. */ 1180 { "1.3.36.3.1.3.2.1", GCRY_CIPHER_MODE_CBC }, 1181 /* pbeWithSHAAnd3_KeyTripleDES_CBC */ 1182 { "1.2.840.113549.1.12.1.3", GCRY_CIPHER_MODE_CBC }, 1183 { NULL } 1184 }; 1185 1186gcry_cipher_spec_t _gcry_cipher_spec_tripledes = 1187 { 1188 "3DES", NULL, oids_tripledes, 8, 192, sizeof (struct _tripledes_ctx), 1189 do_tripledes_setkey, do_tripledes_encrypt, do_tripledes_decrypt 1190 }; 1191 1192cipher_extra_spec_t _gcry_cipher_extraspec_tripledes = 1193 { 1194 run_selftests, 1195 do_tripledes_set_extra_info 1196 }; 1197