| /* des.c - DES and Triple-DES encryption/decryption Algorithm |
| * Copyright (C) 1998, 1999, 2001, 2002, 2003, |
| * 2008 Free Software Foundation, Inc. |
| * |
| * This file is part of Libgcrypt. |
| * |
| * Libgcrypt is free software; you can redistribute it and/or modify |
| * it under the terms of the GNU Lesser general Public License as |
| * published by the Free Software Foundation; either version 2.1 of |
| * the License, or (at your option) any later version. |
| * |
| * Libgcrypt is distributed in the hope that it will be useful, |
| * but WITHOUT ANY WARRANTY; without even the implied warranty of |
| * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| * GNU Lesser General Public License for more details. |
| * |
| * You should have received a copy of the GNU Lesser General Public |
| * License along with this program; if not, write to the Free Software |
| * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA |
| * |
| * For a description of triple encryption, see: |
| * Bruce Schneier: Applied Cryptography. Second Edition. |
| * John Wiley & Sons, 1996. ISBN 0-471-12845-7. Pages 358 ff. |
| * This implementation is according to the definition of DES in FIPS |
| * PUB 46-2 from December 1993. |
| */ |
| |
| |
| /* |
| * Written by Michael Roth <mroth@nessie.de>, September 1998 |
| */ |
| |
| |
| /* |
| * U S A G E |
| * =========== |
| * |
| * For DES or Triple-DES encryption/decryption you must initialize a proper |
| * encryption context with a key. |
| * |
| * A DES key is 64bit wide but only 56bits of the key are used. The remaining |
| * bits are parity bits and they will _not_ checked in this implementation, but |
| * simply ignored. |
| * |
| * For Triple-DES you could use either two 64bit keys or three 64bit keys. |
| * The parity bits will _not_ checked, too. |
| * |
| * After initializing a context with a key you could use this context to |
| * encrypt or decrypt data in 64bit blocks in Electronic Codebook Mode. |
| * |
| * (In the examples below the slashes at the beginning and ending of comments |
| * are omited.) |
| * |
| * DES Example |
| * ----------- |
| * unsigned char key[8]; |
| * unsigned char plaintext[8]; |
| * unsigned char ciphertext[8]; |
| * unsigned char recoverd[8]; |
| * des_ctx context; |
| * |
| * * Fill 'key' and 'plaintext' with some data * |
| * .... |
| * |
| * * Set up the DES encryption context * |
| * des_setkey(context, key); |
| * |
| * * Encrypt the plaintext * |
| * des_ecb_encrypt(context, plaintext, ciphertext); |
| * |
| * * To recover the orginal plaintext from ciphertext use: * |
| * des_ecb_decrypt(context, ciphertext, recoverd); |
| * |
| * |
| * Triple-DES Example |
| * ------------------ |
| * unsigned char key1[8]; |
| * unsigned char key2[8]; |
| * unsigned char key3[8]; |
| * unsigned char plaintext[8]; |
| * unsigned char ciphertext[8]; |
| * unsigned char recoverd[8]; |
| * tripledes_ctx context; |
| * |
| * * If you would like to use two 64bit keys, fill 'key1' and'key2' |
| * then setup the encryption context: * |
| * tripledes_set2keys(context, key1, key2); |
| * |
| * * To use three 64bit keys with Triple-DES use: * |
| * tripledes_set3keys(context, key1, key2, key3); |
| * |
| * * Encrypting plaintext with Triple-DES * |
| * tripledes_ecb_encrypt(context, plaintext, ciphertext); |
| * |
| * * Decrypting ciphertext to recover the plaintext with Triple-DES * |
| * tripledes_ecb_decrypt(context, ciphertext, recoverd); |
| * |
| * |
| * Selftest |
| * -------- |
| * char *error_msg; |
| * |
| * * To perform a selftest of this DES/Triple-DES implementation use the |
| * function selftest(). It will return an error string if there are |
| * some problems with this library. * |
| * |
| * if ( (error_msg = selftest()) ) |
| * { |
| * fprintf(stderr, "An error in the DES/Tripple-DES implementation occured: %s\n", error_msg); |
| * abort(); |
| * } |
| */ |
| |
| |
| #include <config.h> |
| #include <stdio.h> |
| #include <string.h> /* memcpy, memcmp */ |
| #include "types.h" /* for byte and u32 typedefs */ |
| #include "g10lib.h" |
| #include "cipher.h" |
| |
| #if defined(__GNUC__) && defined(__GNU_LIBRARY__) |
| #define working_memcmp memcmp |
| #else |
| /* |
| * According to the SunOS man page, memcmp returns indeterminate sign |
| * depending on whether characters are signed or not. |
| */ |
| static int |
| working_memcmp( const char *a, const char *b, size_t n ) |
| { |
| for( ; n; n--, a++, b++ ) |
| if( *a != *b ) |
| return (int)(*(byte*)a) - (int)(*(byte*)b); |
| return 0; |
| } |
| #endif |
| |
| /* |
| * Encryption/Decryption context of DES |
| */ |
| typedef struct _des_ctx |
| { |
| u32 encrypt_subkeys[32]; |
| u32 decrypt_subkeys[32]; |
| } |
| des_ctx[1]; |
| |
| /* |
| * Encryption/Decryption context of Triple-DES |
| */ |
| typedef struct _tripledes_ctx |
| { |
| u32 encrypt_subkeys[96]; |
| u32 decrypt_subkeys[96]; |
| struct { |
| int no_weak_key; |
| } flags; |
| } |
| tripledes_ctx[1]; |
| |
| static void des_key_schedule (const byte *, u32 *); |
| static int des_setkey (struct _des_ctx *, const byte *); |
| static int des_ecb_crypt (struct _des_ctx *, const byte *, byte *, int); |
| static int tripledes_set2keys (struct _tripledes_ctx *, |
| const byte *, const byte *); |
| static int tripledes_set3keys (struct _tripledes_ctx *, |
| const byte *, const byte *, const byte *); |
| static int tripledes_ecb_crypt (struct _tripledes_ctx *, |
| const byte *, byte *, int); |
| static int is_weak_key ( const byte *key ); |
| static const char *selftest (void); |
| |
| static int initialized; |
| |
| |
| |
| |
| /* |
| * The s-box values are permuted according to the 'primitive function P' |
| * and are rotated one bit to the left. |
| */ |
| static u32 sbox1[64] = |
| { |
| 0x01010400, 0x00000000, 0x00010000, 0x01010404, 0x01010004, 0x00010404, 0x00000004, 0x00010000, |
| 0x00000400, 0x01010400, 0x01010404, 0x00000400, 0x01000404, 0x01010004, 0x01000000, 0x00000004, |
| 0x00000404, 0x01000400, 0x01000400, 0x00010400, 0x00010400, 0x01010000, 0x01010000, 0x01000404, |
| 0x00010004, 0x01000004, 0x01000004, 0x00010004, 0x00000000, 0x00000404, 0x00010404, 0x01000000, |
| 0x00010000, 0x01010404, 0x00000004, 0x01010000, 0x01010400, 0x01000000, 0x01000000, 0x00000400, |
| 0x01010004, 0x00010000, 0x00010400, 0x01000004, 0x00000400, 0x00000004, 0x01000404, 0x00010404, |
| 0x01010404, 0x00010004, 0x01010000, 0x01000404, 0x01000004, 0x00000404, 0x00010404, 0x01010400, |
| 0x00000404, 0x01000400, 0x01000400, 0x00000000, 0x00010004, 0x00010400, 0x00000000, 0x01010004 |
| }; |
| |
| static u32 sbox2[64] = |
| { |
| 0x80108020, 0x80008000, 0x00008000, 0x00108020, 0x00100000, 0x00000020, 0x80100020, 0x80008020, |
| 0x80000020, 0x80108020, 0x80108000, 0x80000000, 0x80008000, 0x00100000, 0x00000020, 0x80100020, |
| 0x00108000, 0x00100020, 0x80008020, 0x00000000, 0x80000000, 0x00008000, 0x00108020, 0x80100000, |
| 0x00100020, 0x80000020, 0x00000000, 0x00108000, 0x00008020, 0x80108000, 0x80100000, 0x00008020, |
| 0x00000000, 0x00108020, 0x80100020, 0x00100000, 0x80008020, 0x80100000, 0x80108000, 0x00008000, |
| 0x80100000, 0x80008000, 0x00000020, 0x80108020, 0x00108020, 0x00000020, 0x00008000, 0x80000000, |
| 0x00008020, 0x80108000, 0x00100000, 0x80000020, 0x00100020, 0x80008020, 0x80000020, 0x00100020, |
| 0x00108000, 0x00000000, 0x80008000, 0x00008020, 0x80000000, 0x80100020, 0x80108020, 0x00108000 |
| }; |
| |
| static u32 sbox3[64] = |
| { |
| 0x00000208, 0x08020200, 0x00000000, 0x08020008, 0x08000200, 0x00000000, 0x00020208, 0x08000200, |
| 0x00020008, 0x08000008, 0x08000008, 0x00020000, 0x08020208, 0x00020008, 0x08020000, 0x00000208, |
| 0x08000000, 0x00000008, 0x08020200, 0x00000200, 0x00020200, 0x08020000, 0x08020008, 0x00020208, |
| 0x08000208, 0x00020200, 0x00020000, 0x08000208, 0x00000008, 0x08020208, 0x00000200, 0x08000000, |
| 0x08020200, 0x08000000, 0x00020008, 0x00000208, 0x00020000, 0x08020200, 0x08000200, 0x00000000, |
| 0x00000200, 0x00020008, 0x08020208, 0x08000200, 0x08000008, 0x00000200, 0x00000000, 0x08020008, |
| 0x08000208, 0x00020000, 0x08000000, 0x08020208, 0x00000008, 0x00020208, 0x00020200, 0x08000008, |
| 0x08020000, 0x08000208, 0x00000208, 0x08020000, 0x00020208, 0x00000008, 0x08020008, 0x00020200 |
| }; |
| |
| static u32 sbox4[64] = |
| { |
| 0x00802001, 0x00002081, 0x00002081, 0x00000080, 0x00802080, 0x00800081, 0x00800001, 0x00002001, |
| 0x00000000, 0x00802000, 0x00802000, 0x00802081, 0x00000081, 0x00000000, 0x00800080, 0x00800001, |
| 0x00000001, 0x00002000, 0x00800000, 0x00802001, 0x00000080, 0x00800000, 0x00002001, 0x00002080, |
| 0x00800081, 0x00000001, 0x00002080, 0x00800080, 0x00002000, 0x00802080, 0x00802081, 0x00000081, |
| 0x00800080, 0x00800001, 0x00802000, 0x00802081, 0x00000081, 0x00000000, 0x00000000, 0x00802000, |
| 0x00002080, 0x00800080, 0x00800081, 0x00000001, 0x00802001, 0x00002081, 0x00002081, 0x00000080, |
| 0x00802081, 0x00000081, 0x00000001, 0x00002000, 0x00800001, 0x00002001, 0x00802080, 0x00800081, |
| 0x00002001, 0x00002080, 0x00800000, 0x00802001, 0x00000080, 0x00800000, 0x00002000, 0x00802080 |
| }; |
| |
| static u32 sbox5[64] = |
| { |
| 0x00000100, 0x02080100, 0x02080000, 0x42000100, 0x00080000, 0x00000100, 0x40000000, 0x02080000, |
| 0x40080100, 0x00080000, 0x02000100, 0x40080100, 0x42000100, 0x42080000, 0x00080100, 0x40000000, |
| 0x02000000, 0x40080000, 0x40080000, 0x00000000, 0x40000100, 0x42080100, 0x42080100, 0x02000100, |
| 0x42080000, 0x40000100, 0x00000000, 0x42000000, 0x02080100, 0x02000000, 0x42000000, 0x00080100, |
| 0x00080000, 0x42000100, 0x00000100, 0x02000000, 0x40000000, 0x02080000, 0x42000100, 0x40080100, |
| 0x02000100, 0x40000000, 0x42080000, 0x02080100, 0x40080100, 0x00000100, 0x02000000, 0x42080000, |
| 0x42080100, 0x00080100, 0x42000000, 0x42080100, 0x02080000, 0x00000000, 0x40080000, 0x42000000, |
| 0x00080100, 0x02000100, 0x40000100, 0x00080000, 0x00000000, 0x40080000, 0x02080100, 0x40000100 |
| }; |
| |
| static u32 sbox6[64] = |
| { |
| 0x20000010, 0x20400000, 0x00004000, 0x20404010, 0x20400000, 0x00000010, 0x20404010, 0x00400000, |
| 0x20004000, 0x00404010, 0x00400000, 0x20000010, 0x00400010, 0x20004000, 0x20000000, 0x00004010, |
| 0x00000000, 0x00400010, 0x20004010, 0x00004000, 0x00404000, 0x20004010, 0x00000010, 0x20400010, |
| 0x20400010, 0x00000000, 0x00404010, 0x20404000, 0x00004010, 0x00404000, 0x20404000, 0x20000000, |
| 0x20004000, 0x00000010, 0x20400010, 0x00404000, 0x20404010, 0x00400000, 0x00004010, 0x20000010, |
| 0x00400000, 0x20004000, 0x20000000, 0x00004010, 0x20000010, 0x20404010, 0x00404000, 0x20400000, |
| 0x00404010, 0x20404000, 0x00000000, 0x20400010, 0x00000010, 0x00004000, 0x20400000, 0x00404010, |
| 0x00004000, 0x00400010, 0x20004010, 0x00000000, 0x20404000, 0x20000000, 0x00400010, 0x20004010 |
| }; |
| |
| static u32 sbox7[64] = |
| { |
| 0x00200000, 0x04200002, 0x04000802, 0x00000000, 0x00000800, 0x04000802, 0x00200802, 0x04200800, |
| 0x04200802, 0x00200000, 0x00000000, 0x04000002, 0x00000002, 0x04000000, 0x04200002, 0x00000802, |
| 0x04000800, 0x00200802, 0x00200002, 0x04000800, 0x04000002, 0x04200000, 0x04200800, 0x00200002, |
| 0x04200000, 0x00000800, 0x00000802, 0x04200802, 0x00200800, 0x00000002, 0x04000000, 0x00200800, |
| 0x04000000, 0x00200800, 0x00200000, 0x04000802, 0x04000802, 0x04200002, 0x04200002, 0x00000002, |
| 0x00200002, 0x04000000, 0x04000800, 0x00200000, 0x04200800, 0x00000802, 0x00200802, 0x04200800, |
| 0x00000802, 0x04000002, 0x04200802, 0x04200000, 0x00200800, 0x00000000, 0x00000002, 0x04200802, |
| 0x00000000, 0x00200802, 0x04200000, 0x00000800, 0x04000002, 0x04000800, 0x00000800, 0x00200002 |
| }; |
| |
| static u32 sbox8[64] = |
| { |
| 0x10001040, 0x00001000, 0x00040000, 0x10041040, 0x10000000, 0x10001040, 0x00000040, 0x10000000, |
| 0x00040040, 0x10040000, 0x10041040, 0x00041000, 0x10041000, 0x00041040, 0x00001000, 0x00000040, |
| 0x10040000, 0x10000040, 0x10001000, 0x00001040, 0x00041000, 0x00040040, 0x10040040, 0x10041000, |
| 0x00001040, 0x00000000, 0x00000000, 0x10040040, 0x10000040, 0x10001000, 0x00041040, 0x00040000, |
| 0x00041040, 0x00040000, 0x10041000, 0x00001000, 0x00000040, 0x10040040, 0x00001000, 0x00041040, |
| 0x10001000, 0x00000040, 0x10000040, 0x10040000, 0x10040040, 0x10000000, 0x00040000, 0x10001040, |
| 0x00000000, 0x10041040, 0x00040040, 0x10000040, 0x10040000, 0x10001000, 0x10001040, 0x00000000, |
| 0x10041040, 0x00041000, 0x00041000, 0x00001040, 0x00001040, 0x00040040, 0x10000000, 0x10041000 |
| }; |
| |
| |
| /* |
| * These two tables are part of the 'permuted choice 1' function. |
| * In this implementation several speed improvements are done. |
| */ |
| static u32 leftkey_swap[16] = |
| { |
| 0x00000000, 0x00000001, 0x00000100, 0x00000101, |
| 0x00010000, 0x00010001, 0x00010100, 0x00010101, |
| 0x01000000, 0x01000001, 0x01000100, 0x01000101, |
| 0x01010000, 0x01010001, 0x01010100, 0x01010101 |
| }; |
| |
| static u32 rightkey_swap[16] = |
| { |
| 0x00000000, 0x01000000, 0x00010000, 0x01010000, |
| 0x00000100, 0x01000100, 0x00010100, 0x01010100, |
| 0x00000001, 0x01000001, 0x00010001, 0x01010001, |
| 0x00000101, 0x01000101, 0x00010101, 0x01010101, |
| }; |
| |
| |
| |
| /* |
| * Numbers of left shifts per round for encryption subkeys. |
| * To calculate the decryption subkeys we just reverse the |
| * ordering of the calculated encryption subkeys. So their |
| * is no need for a decryption rotate tab. |
| */ |
| static byte encrypt_rotate_tab[16] = |
| { |
| 1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1 |
| }; |
| |
| |
| |
| /* |
| * Table with weak DES keys sorted in ascending order. |
| * In DES their are 64 known keys which are weak. They are weak |
| * because they produce only one, two or four different |
| * subkeys in the subkey scheduling process. |
| * The keys in this table have all their parity bits cleared. |
| */ |
| static byte weak_keys[64][8] = |
| { |
| { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, /*w*/ |
| { 0x00, 0x00, 0x1e, 0x1e, 0x00, 0x00, 0x0e, 0x0e }, |
| { 0x00, 0x00, 0xe0, 0xe0, 0x00, 0x00, 0xf0, 0xf0 }, |
| { 0x00, 0x00, 0xfe, 0xfe, 0x00, 0x00, 0xfe, 0xfe }, |
| { 0x00, 0x1e, 0x00, 0x1e, 0x00, 0x0e, 0x00, 0x0e }, /*sw*/ |
| { 0x00, 0x1e, 0x1e, 0x00, 0x00, 0x0e, 0x0e, 0x00 }, |
| { 0x00, 0x1e, 0xe0, 0xfe, 0x00, 0x0e, 0xf0, 0xfe }, |
| { 0x00, 0x1e, 0xfe, 0xe0, 0x00, 0x0e, 0xfe, 0xf0 }, |
| { 0x00, 0xe0, 0x00, 0xe0, 0x00, 0xf0, 0x00, 0xf0 }, /*sw*/ |
| { 0x00, 0xe0, 0x1e, 0xfe, 0x00, 0xf0, 0x0e, 0xfe }, |
| { 0x00, 0xe0, 0xe0, 0x00, 0x00, 0xf0, 0xf0, 0x00 }, |
| { 0x00, 0xe0, 0xfe, 0x1e, 0x00, 0xf0, 0xfe, 0x0e }, |
| { 0x00, 0xfe, 0x00, 0xfe, 0x00, 0xfe, 0x00, 0xfe }, /*sw*/ |
| { 0x00, 0xfe, 0x1e, 0xe0, 0x00, 0xfe, 0x0e, 0xf0 }, |
| { 0x00, 0xfe, 0xe0, 0x1e, 0x00, 0xfe, 0xf0, 0x0e }, |
| { 0x00, 0xfe, 0xfe, 0x00, 0x00, 0xfe, 0xfe, 0x00 }, |
| { 0x1e, 0x00, 0x00, 0x1e, 0x0e, 0x00, 0x00, 0x0e }, |
| { 0x1e, 0x00, 0x1e, 0x00, 0x0e, 0x00, 0x0e, 0x00 }, /*sw*/ |
| { 0x1e, 0x00, 0xe0, 0xfe, 0x0e, 0x00, 0xf0, 0xfe }, |
| { 0x1e, 0x00, 0xfe, 0xe0, 0x0e, 0x00, 0xfe, 0xf0 }, |
| { 0x1e, 0x1e, 0x00, 0x00, 0x0e, 0x0e, 0x00, 0x00 }, |
| { 0x1e, 0x1e, 0x1e, 0x1e, 0x0e, 0x0e, 0x0e, 0x0e }, /*w*/ |
| { 0x1e, 0x1e, 0xe0, 0xe0, 0x0e, 0x0e, 0xf0, 0xf0 }, |
| { 0x1e, 0x1e, 0xfe, 0xfe, 0x0e, 0x0e, 0xfe, 0xfe }, |
| { 0x1e, 0xe0, 0x00, 0xfe, 0x0e, 0xf0, 0x00, 0xfe }, |
| { 0x1e, 0xe0, 0x1e, 0xe0, 0x0e, 0xf0, 0x0e, 0xf0 }, /*sw*/ |
| { 0x1e, 0xe0, 0xe0, 0x1e, 0x0e, 0xf0, 0xf0, 0x0e }, |
| { 0x1e, 0xe0, 0xfe, 0x00, 0x0e, 0xf0, 0xfe, 0x00 }, |
| { 0x1e, 0xfe, 0x00, 0xe0, 0x0e, 0xfe, 0x00, 0xf0 }, |
| { 0x1e, 0xfe, 0x1e, 0xfe, 0x0e, 0xfe, 0x0e, 0xfe }, /*sw*/ |
| { 0x1e, 0xfe, 0xe0, 0x00, 0x0e, 0xfe, 0xf0, 0x00 }, |
| { 0x1e, 0xfe, 0xfe, 0x1e, 0x0e, 0xfe, 0xfe, 0x0e }, |
| { 0xe0, 0x00, 0x00, 0xe0, 0xf0, 0x00, 0x00, 0xf0 }, |
| { 0xe0, 0x00, 0x1e, 0xfe, 0xf0, 0x00, 0x0e, 0xfe }, |
| { 0xe0, 0x00, 0xe0, 0x00, 0xf0, 0x00, 0xf0, 0x00 }, /*sw*/ |
| { 0xe0, 0x00, 0xfe, 0x1e, 0xf0, 0x00, 0xfe, 0x0e }, |
| { 0xe0, 0x1e, 0x00, 0xfe, 0xf0, 0x0e, 0x00, 0xfe }, |
| { 0xe0, 0x1e, 0x1e, 0xe0, 0xf0, 0x0e, 0x0e, 0xf0 }, |
| { 0xe0, 0x1e, 0xe0, 0x1e, 0xf0, 0x0e, 0xf0, 0x0e }, /*sw*/ |
| { 0xe0, 0x1e, 0xfe, 0x00, 0xf0, 0x0e, 0xfe, 0x00 }, |
| { 0xe0, 0xe0, 0x00, 0x00, 0xf0, 0xf0, 0x00, 0x00 }, |
| { 0xe0, 0xe0, 0x1e, 0x1e, 0xf0, 0xf0, 0x0e, 0x0e }, |
| { 0xe0, 0xe0, 0xe0, 0xe0, 0xf0, 0xf0, 0xf0, 0xf0 }, /*w*/ |
| { 0xe0, 0xe0, 0xfe, 0xfe, 0xf0, 0xf0, 0xfe, 0xfe }, |
| { 0xe0, 0xfe, 0x00, 0x1e, 0xf0, 0xfe, 0x00, 0x0e }, |
| { 0xe0, 0xfe, 0x1e, 0x00, 0xf0, 0xfe, 0x0e, 0x00 }, |
| { 0xe0, 0xfe, 0xe0, 0xfe, 0xf0, 0xfe, 0xf0, 0xfe }, /*sw*/ |
| { 0xe0, 0xfe, 0xfe, 0xe0, 0xf0, 0xfe, 0xfe, 0xf0 }, |
| { 0xfe, 0x00, 0x00, 0xfe, 0xfe, 0x00, 0x00, 0xfe }, |
| { 0xfe, 0x00, 0x1e, 0xe0, 0xfe, 0x00, 0x0e, 0xf0 }, |
| { 0xfe, 0x00, 0xe0, 0x1e, 0xfe, 0x00, 0xf0, 0x0e }, |
| { 0xfe, 0x00, 0xfe, 0x00, 0xfe, 0x00, 0xfe, 0x00 }, /*sw*/ |
| { 0xfe, 0x1e, 0x00, 0xe0, 0xfe, 0x0e, 0x00, 0xf0 }, |
| { 0xfe, 0x1e, 0x1e, 0xfe, 0xfe, 0x0e, 0x0e, 0xfe }, |
| { 0xfe, 0x1e, 0xe0, 0x00, 0xfe, 0x0e, 0xf0, 0x00 }, |
| { 0xfe, 0x1e, 0xfe, 0x1e, 0xfe, 0x0e, 0xfe, 0x0e }, /*sw*/ |
| { 0xfe, 0xe0, 0x00, 0x1e, 0xfe, 0xf0, 0x00, 0x0e }, |
| { 0xfe, 0xe0, 0x1e, 0x00, 0xfe, 0xf0, 0x0e, 0x00 }, |
| { 0xfe, 0xe0, 0xe0, 0xfe, 0xfe, 0xf0, 0xf0, 0xfe }, |
| { 0xfe, 0xe0, 0xfe, 0xe0, 0xfe, 0xf0, 0xfe, 0xf0 }, /*sw*/ |
| { 0xfe, 0xfe, 0x00, 0x00, 0xfe, 0xfe, 0x00, 0x00 }, |
| { 0xfe, 0xfe, 0x1e, 0x1e, 0xfe, 0xfe, 0x0e, 0x0e }, |
| { 0xfe, 0xfe, 0xe0, 0xe0, 0xfe, 0xfe, 0xf0, 0xf0 }, |
| { 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe } /*w*/ |
| }; |
| static unsigned char weak_keys_chksum[20] = { |
| 0xD0, 0xCF, 0x07, 0x38, 0x93, 0x70, 0x8A, 0x83, 0x7D, 0xD7, |
| 0x8A, 0x36, 0x65, 0x29, 0x6C, 0x1F, 0x7C, 0x3F, 0xD3, 0x41 |
| }; |
| |
| |
| |
| /* |
| * Macro to swap bits across two words. |
| */ |
| #define DO_PERMUTATION(a, temp, b, offset, mask) \ |
| temp = ((a>>offset) ^ b) & mask; \ |
| b ^= temp; \ |
| a ^= temp<<offset; |
| |
| |
| /* |
| * This performs the 'initial permutation' of the data to be encrypted |
| * or decrypted. Additionally the resulting two words are rotated one bit |
| * to the left. |
| */ |
| #define INITIAL_PERMUTATION(left, temp, right) \ |
| DO_PERMUTATION(left, temp, right, 4, 0x0f0f0f0f) \ |
| DO_PERMUTATION(left, temp, right, 16, 0x0000ffff) \ |
| DO_PERMUTATION(right, temp, left, 2, 0x33333333) \ |
| DO_PERMUTATION(right, temp, left, 8, 0x00ff00ff) \ |
| right = (right << 1) | (right >> 31); \ |
| temp = (left ^ right) & 0xaaaaaaaa; \ |
| right ^= temp; \ |
| left ^= temp; \ |
| left = (left << 1) | (left >> 31); |
| |
| /* |
| * The 'inverse initial permutation'. |
| */ |
| #define FINAL_PERMUTATION(left, temp, right) \ |
| left = (left << 31) | (left >> 1); \ |
| temp = (left ^ right) & 0xaaaaaaaa; \ |
| left ^= temp; \ |
| right ^= temp; \ |
| right = (right << 31) | (right >> 1); \ |
| DO_PERMUTATION(right, temp, left, 8, 0x00ff00ff) \ |
| DO_PERMUTATION(right, temp, left, 2, 0x33333333) \ |
| DO_PERMUTATION(left, temp, right, 16, 0x0000ffff) \ |
| DO_PERMUTATION(left, temp, right, 4, 0x0f0f0f0f) |
| |
| |
| /* |
| * A full DES round including 'expansion function', 'sbox substitution' |
| * and 'primitive function P' but without swapping the left and right word. |
| * Please note: The data in 'from' and 'to' is already rotated one bit to |
| * the left, done in the initial permutation. |
| */ |
| #define DES_ROUND(from, to, work, subkey) \ |
| work = from ^ *subkey++; \ |
| to ^= sbox8[ work & 0x3f ]; \ |
| to ^= sbox6[ (work>>8) & 0x3f ]; \ |
| to ^= sbox4[ (work>>16) & 0x3f ]; \ |
| to ^= sbox2[ (work>>24) & 0x3f ]; \ |
| work = ((from << 28) | (from >> 4)) ^ *subkey++; \ |
| to ^= sbox7[ work & 0x3f ]; \ |
| to ^= sbox5[ (work>>8) & 0x3f ]; \ |
| to ^= sbox3[ (work>>16) & 0x3f ]; \ |
| to ^= sbox1[ (work>>24) & 0x3f ]; |
| |
| /* |
| * Macros to convert 8 bytes from/to 32bit words. |
| */ |
| #define READ_64BIT_DATA(data, left, right) \ |
| left = (data[0] << 24) | (data[1] << 16) | (data[2] << 8) | data[3]; \ |
| right = (data[4] << 24) | (data[5] << 16) | (data[6] << 8) | data[7]; |
| |
| #define WRITE_64BIT_DATA(data, left, right) \ |
| data[0] = (left >> 24) &0xff; data[1] = (left >> 16) &0xff; \ |
| data[2] = (left >> 8) &0xff; data[3] = left &0xff; \ |
| data[4] = (right >> 24) &0xff; data[5] = (right >> 16) &0xff; \ |
| data[6] = (right >> 8) &0xff; data[7] = right &0xff; |
| |
| /* |
| * Handy macros for encryption and decryption of data |
| */ |
| #define des_ecb_encrypt(ctx, from, to) des_ecb_crypt(ctx, from, to, 0) |
| #define des_ecb_decrypt(ctx, from, to) des_ecb_crypt(ctx, from, to, 1) |
| #define tripledes_ecb_encrypt(ctx, from, to) tripledes_ecb_crypt(ctx,from,to,0) |
| #define tripledes_ecb_decrypt(ctx, from, to) tripledes_ecb_crypt(ctx,from,to,1) |
| |
| |
| |
| |
| |
| |
| /* |
| * des_key_schedule(): Calculate 16 subkeys pairs (even/odd) for |
| * 16 encryption rounds. |
| * To calculate subkeys for decryption the caller |
| * have to reorder the generated subkeys. |
| * |
| * rawkey: 8 Bytes of key data |
| * subkey: Array of at least 32 u32s. Will be filled |
| * with calculated subkeys. |
| * |
| */ |
| static void |
| des_key_schedule (const byte * rawkey, u32 * subkey) |
| { |
| u32 left, right, work; |
| int round; |
| |
| READ_64BIT_DATA (rawkey, left, right) |
| |
| DO_PERMUTATION (right, work, left, 4, 0x0f0f0f0f) |
| DO_PERMUTATION (right, work, left, 0, 0x10101010) |
| |
| left = ((leftkey_swap[(left >> 0) & 0xf] << 3) |
| | (leftkey_swap[(left >> 8) & 0xf] << 2) |
| | (leftkey_swap[(left >> 16) & 0xf] << 1) |
| | (leftkey_swap[(left >> 24) & 0xf]) |
| | (leftkey_swap[(left >> 5) & 0xf] << 7) |
| | (leftkey_swap[(left >> 13) & 0xf] << 6) |
| | (leftkey_swap[(left >> 21) & 0xf] << 5) |
| | (leftkey_swap[(left >> 29) & 0xf] << 4)); |
| |
| left &= 0x0fffffff; |
| |
| right = ((rightkey_swap[(right >> 1) & 0xf] << 3) |
| | (rightkey_swap[(right >> 9) & 0xf] << 2) |
| | (rightkey_swap[(right >> 17) & 0xf] << 1) |
| | (rightkey_swap[(right >> 25) & 0xf]) |
| | (rightkey_swap[(right >> 4) & 0xf] << 7) |
| | (rightkey_swap[(right >> 12) & 0xf] << 6) |
| | (rightkey_swap[(right >> 20) & 0xf] << 5) |
| | (rightkey_swap[(right >> 28) & 0xf] << 4)); |
| |
| right &= 0x0fffffff; |
| |
| for (round = 0; round < 16; ++round) |
| { |
| left = ((left << encrypt_rotate_tab[round]) |
| | (left >> (28 - encrypt_rotate_tab[round]))) & 0x0fffffff; |
| right = ((right << encrypt_rotate_tab[round]) |
| | (right >> (28 - encrypt_rotate_tab[round]))) & 0x0fffffff; |
| |
| *subkey++ = (((left << 4) & 0x24000000) |
| | ((left << 28) & 0x10000000) |
| | ((left << 14) & 0x08000000) |
| | ((left << 18) & 0x02080000) |
| | ((left << 6) & 0x01000000) |
| | ((left << 9) & 0x00200000) |
| | ((left >> 1) & 0x00100000) |
| | ((left << 10) & 0x00040000) |
| | ((left << 2) & 0x00020000) |
| | ((left >> 10) & 0x00010000) |
| | ((right >> 13) & 0x00002000) |
| | ((right >> 4) & 0x00001000) |
| | ((right << 6) & 0x00000800) |
| | ((right >> 1) & 0x00000400) |
| | ((right >> 14) & 0x00000200) |
| | (right & 0x00000100) |
| | ((right >> 5) & 0x00000020) |
| | ((right >> 10) & 0x00000010) |
| | ((right >> 3) & 0x00000008) |
| | ((right >> 18) & 0x00000004) |
| | ((right >> 26) & 0x00000002) |
| | ((right >> 24) & 0x00000001)); |
| |
| *subkey++ = (((left << 15) & 0x20000000) |
| | ((left << 17) & 0x10000000) |
| | ((left << 10) & 0x08000000) |
| | ((left << 22) & 0x04000000) |
| | ((left >> 2) & 0x02000000) |
| | ((left << 1) & 0x01000000) |
| | ((left << 16) & 0x00200000) |
| | ((left << 11) & 0x00100000) |
| | ((left << 3) & 0x00080000) |
| | ((left >> 6) & 0x00040000) |
| | ((left << 15) & 0x00020000) |
| | ((left >> 4) & 0x00010000) |
| | ((right >> 2) & 0x00002000) |
| | ((right << 8) & 0x00001000) |
| | ((right >> 14) & 0x00000808) |
| | ((right >> 9) & 0x00000400) |
| | ((right) & 0x00000200) |
| | ((right << 7) & 0x00000100) |
| | ((right >> 7) & 0x00000020) |
| | ((right >> 3) & 0x00000011) |
| | ((right << 2) & 0x00000004) |
| | ((right >> 21) & 0x00000002)); |
| } |
| } |
| |
| |
| /* |
| * Fill a DES context with subkeys calculated from a 64bit key. |
| * Does not check parity bits, but simply ignore them. |
| * Does not check for weak keys. |
| */ |
| static int |
| des_setkey (struct _des_ctx *ctx, const byte * key) |
| { |
| static const char *selftest_failed; |
| int i; |
| |
| if (!fips_mode () && !initialized) |
| { |
| initialized = 1; |
| selftest_failed = selftest (); |
| |
| if (selftest_failed) |
| log_error ("%s\n", selftest_failed); |
| } |
| if (selftest_failed) |
| return GPG_ERR_SELFTEST_FAILED; |
| |
| des_key_schedule (key, ctx->encrypt_subkeys); |
| _gcry_burn_stack (32); |
| |
| for(i=0; i<32; i+=2) |
| { |
| ctx->decrypt_subkeys[i] = ctx->encrypt_subkeys[30-i]; |
| ctx->decrypt_subkeys[i+1] = ctx->encrypt_subkeys[31-i]; |
| } |
| |
| return 0; |
| } |
| |
| |
| |
| /* |
| * Electronic Codebook Mode DES encryption/decryption of data according |
| * to 'mode'. |
| */ |
| static int |
| des_ecb_crypt (struct _des_ctx *ctx, const byte * from, byte * to, int mode) |
| { |
| u32 left, right, work; |
| u32 *keys; |
| |
| keys = mode ? ctx->decrypt_subkeys : ctx->encrypt_subkeys; |
| |
| READ_64BIT_DATA (from, left, right) |
| INITIAL_PERMUTATION (left, work, right) |
| |
| DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) |
| DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) |
| DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) |
| DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) |
| DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) |
| DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) |
| DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) |
| DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) |
| |
| FINAL_PERMUTATION (right, work, left) |
| WRITE_64BIT_DATA (to, right, left) |
| |
| return 0; |
| } |
| |
| |
| |
| /* |
| * Fill a Triple-DES context with subkeys calculated from two 64bit keys. |
| * Does not check the parity bits of the keys, but simply ignore them. |
| * Does not check for weak keys. |
| */ |
| static int |
| tripledes_set2keys (struct _tripledes_ctx *ctx, |
| const byte * key1, |
| const byte * key2) |
| { |
| int i; |
| |
| des_key_schedule (key1, ctx->encrypt_subkeys); |
| des_key_schedule (key2, &(ctx->decrypt_subkeys[32])); |
| _gcry_burn_stack (32); |
| |
| for(i=0; i<32; i+=2) |
| { |
| ctx->decrypt_subkeys[i] = ctx->encrypt_subkeys[30-i]; |
| ctx->decrypt_subkeys[i+1] = ctx->encrypt_subkeys[31-i]; |
| |
| ctx->encrypt_subkeys[i+32] = ctx->decrypt_subkeys[62-i]; |
| ctx->encrypt_subkeys[i+33] = ctx->decrypt_subkeys[63-i]; |
| |
| ctx->encrypt_subkeys[i+64] = ctx->encrypt_subkeys[i]; |
| ctx->encrypt_subkeys[i+65] = ctx->encrypt_subkeys[i+1]; |
| |
| ctx->decrypt_subkeys[i+64] = ctx->decrypt_subkeys[i]; |
| ctx->decrypt_subkeys[i+65] = ctx->decrypt_subkeys[i+1]; |
| } |
| |
| return 0; |
| } |
| |
| |
| |
| /* |
| * Fill a Triple-DES context with subkeys calculated from three 64bit keys. |
| * Does not check the parity bits of the keys, but simply ignore them. |
| * Does not check for weak keys. |
| */ |
| static int |
| tripledes_set3keys (struct _tripledes_ctx *ctx, |
| const byte * key1, |
| const byte * key2, |
| const byte * key3) |
| { |
| static const char *selftest_failed; |
| int i; |
| |
| if (!fips_mode () && !initialized) |
| { |
| initialized = 1; |
| selftest_failed = selftest (); |
| |
| if (selftest_failed) |
| log_error ("%s\n", selftest_failed); |
| } |
| if (selftest_failed) |
| return GPG_ERR_SELFTEST_FAILED; |
| |
| des_key_schedule (key1, ctx->encrypt_subkeys); |
| des_key_schedule (key2, &(ctx->decrypt_subkeys[32])); |
| des_key_schedule (key3, &(ctx->encrypt_subkeys[64])); |
| _gcry_burn_stack (32); |
| |
| for(i=0; i<32; i+=2) |
| { |
| ctx->decrypt_subkeys[i] = ctx->encrypt_subkeys[94-i]; |
| ctx->decrypt_subkeys[i+1] = ctx->encrypt_subkeys[95-i]; |
| |
| ctx->encrypt_subkeys[i+32] = ctx->decrypt_subkeys[62-i]; |
| ctx->encrypt_subkeys[i+33] = ctx->decrypt_subkeys[63-i]; |
| |
| ctx->decrypt_subkeys[i+64] = ctx->encrypt_subkeys[30-i]; |
| ctx->decrypt_subkeys[i+65] = ctx->encrypt_subkeys[31-i]; |
| } |
| |
| return 0; |
| } |
| |
| |
| |
| /* |
| * Electronic Codebook Mode Triple-DES encryption/decryption of data |
| * according to 'mode'. Sometimes this mode is named 'EDE' mode |
| * (Encryption-Decryption-Encryption). |
| */ |
| static int |
| tripledes_ecb_crypt (struct _tripledes_ctx *ctx, const byte * from, |
| byte * to, int mode) |
| { |
| u32 left, right, work; |
| u32 *keys; |
| |
| keys = mode ? ctx->decrypt_subkeys : ctx->encrypt_subkeys; |
| |
| READ_64BIT_DATA (from, left, right) |
| INITIAL_PERMUTATION (left, work, right) |
| |
| DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) |
| DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) |
| DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) |
| DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) |
| DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) |
| DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) |
| DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) |
| DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) |
| |
| DES_ROUND (left, right, work, keys) DES_ROUND (right, left, work, keys) |
| DES_ROUND (left, right, work, keys) DES_ROUND (right, left, work, keys) |
| DES_ROUND (left, right, work, keys) DES_ROUND (right, left, work, keys) |
| DES_ROUND (left, right, work, keys) DES_ROUND (right, left, work, keys) |
| DES_ROUND (left, right, work, keys) DES_ROUND (right, left, work, keys) |
| DES_ROUND (left, right, work, keys) DES_ROUND (right, left, work, keys) |
| DES_ROUND (left, right, work, keys) DES_ROUND (right, left, work, keys) |
| DES_ROUND (left, right, work, keys) DES_ROUND (right, left, work, keys) |
| |
| DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) |
| DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) |
| DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) |
| DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) |
| DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) |
| DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) |
| DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) |
| DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) |
| |
| FINAL_PERMUTATION (right, work, left) |
| WRITE_64BIT_DATA (to, right, left) |
| |
| return 0; |
| } |
| |
| |
| |
| |
| |
| /* |
| * Check whether the 8 byte key is weak. |
| * Does not check the parity bits of the key but simple ignore them. |
| */ |
| static int |
| is_weak_key ( const byte *key ) |
| { |
| byte work[8]; |
| int i, left, right, middle, cmp_result; |
| |
| /* clear parity bits */ |
| for(i=0; i<8; ++i) |
| work[i] = key[i] & 0xfe; |
| |
| /* binary search in the weak key table */ |
| left = 0; |
| right = 63; |
| while(left <= right) |
| { |
| middle = (left + right) / 2; |
| |
| if ( !(cmp_result=working_memcmp(work, weak_keys[middle], 8)) ) |
| return -1; |
| |
| if ( cmp_result > 0 ) |
| left = middle + 1; |
| else |
| right = middle - 1; |
| } |
| |
| return 0; |
| } |
| |
| |
| |
| /* |
| * Performs a selftest of this DES/Triple-DES implementation. |
| * Returns an string with the error text on failure. |
| * Returns NULL if all is ok. |
| */ |
| static const char * |
| selftest (void) |
| { |
| /* |
| * Check if 'u32' is really 32 bits wide. This DES / 3DES implementation |
| * need this. |
| */ |
| if (sizeof (u32) != 4) |
| return "Wrong word size for DES configured."; |
| |
| /* |
| * DES Maintenance Test |
| */ |
| { |
| int i; |
| byte key[8] = |
| {0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55}; |
| byte input[8] = |
| {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}; |
| byte result[8] = |
| {0x24, 0x6e, 0x9d, 0xb9, 0xc5, 0x50, 0x38, 0x1a}; |
| byte temp1[8], temp2[8], temp3[8]; |
| des_ctx des; |
| |
| for (i = 0; i < 64; ++i) |
| { |
| des_setkey (des, key); |
| des_ecb_encrypt (des, input, temp1); |
| des_ecb_encrypt (des, temp1, temp2); |
| des_setkey (des, temp2); |
| des_ecb_decrypt (des, temp1, temp3); |
| memcpy (key, temp3, 8); |
| memcpy (input, temp1, 8); |
| } |
| if (memcmp (temp3, result, 8)) |
| return "DES maintenance test failed."; |
| } |
| |
| |
| /* |
| * Self made Triple-DES test (Does somebody know an official test?) |
| */ |
| { |
| int i; |
| byte input[8] = |
| {0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10}; |
| byte key1[8] = |
| {0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0}; |
| byte key2[8] = |
| {0x11, 0x22, 0x33, 0x44, 0xff, 0xaa, 0xcc, 0xdd}; |
| byte result[8] = |
| {0x7b, 0x38, 0x3b, 0x23, 0xa2, 0x7d, 0x26, 0xd3}; |
| |
| tripledes_ctx des3; |
| |
| for (i = 0; i < 16; ++i) |
| { |
| tripledes_set2keys (des3, key1, key2); |
| tripledes_ecb_encrypt (des3, input, key1); |
| tripledes_ecb_decrypt (des3, input, key2); |
| tripledes_set3keys (des3, key1, input, key2); |
| tripledes_ecb_encrypt (des3, input, input); |
| } |
| if (memcmp (input, result, 8)) |
| return "Triple-DES test failed."; |
| } |
| |
| /* |
| * More Triple-DES test. These are testvectors as used by SSLeay, |
| * thanks to Jeroen C. van Gelderen. |
| */ |
| { |
| struct { byte key[24]; byte plain[8]; byte cipher[8]; } testdata[] = { |
| { { 0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01, |
| 0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01, |
| 0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01 }, |
| { 0x95,0xF8,0xA5,0xE5,0xDD,0x31,0xD9,0x00 }, |
| { 0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00 } |
| }, |
| |
| { { 0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01, |
| 0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01, |
| 0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01 }, |
| { 0x9D,0x64,0x55,0x5A,0x9A,0x10,0xB8,0x52, }, |
| { 0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x00 } |
| }, |
| { { 0x38,0x49,0x67,0x4C,0x26,0x02,0x31,0x9E, |
| 0x38,0x49,0x67,0x4C,0x26,0x02,0x31,0x9E, |
| 0x38,0x49,0x67,0x4C,0x26,0x02,0x31,0x9E }, |
| { 0x51,0x45,0x4B,0x58,0x2D,0xDF,0x44,0x0A }, |
| { 0x71,0x78,0x87,0x6E,0x01,0xF1,0x9B,0x2A } |
| }, |
| { { 0x04,0xB9,0x15,0xBA,0x43,0xFE,0xB5,0xB6, |
| 0x04,0xB9,0x15,0xBA,0x43,0xFE,0xB5,0xB6, |
| 0x04,0xB9,0x15,0xBA,0x43,0xFE,0xB5,0xB6 }, |
| { 0x42,0xFD,0x44,0x30,0x59,0x57,0x7F,0xA2 }, |
| { 0xAF,0x37,0xFB,0x42,0x1F,0x8C,0x40,0x95 } |
| }, |
| { { 0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF, |
| 0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF, |
| 0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF }, |
| { 0x73,0x6F,0x6D,0x65,0x64,0x61,0x74,0x61 }, |
| { 0x3D,0x12,0x4F,0xE2,0x19,0x8B,0xA3,0x18 } |
| }, |
| { { 0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF, |
| 0x55,0x55,0x55,0x55,0x55,0x55,0x55,0x55, |
| 0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF }, |
| { 0x73,0x6F,0x6D,0x65,0x64,0x61,0x74,0x61 }, |
| { 0xFB,0xAB,0xA1,0xFF,0x9D,0x05,0xE9,0xB1 } |
| }, |
| { { 0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF, |
| 0x55,0x55,0x55,0x55,0x55,0x55,0x55,0x55, |
| 0xFE,0xDC,0xBA,0x98,0x76,0x54,0x32,0x10 }, |
| { 0x73,0x6F,0x6D,0x65,0x64,0x61,0x74,0x61 }, |
| { 0x18,0xd7,0x48,0xe5,0x63,0x62,0x05,0x72 } |
| }, |
| { { 0x03,0x52,0x02,0x07,0x67,0x20,0x82,0x17, |
| 0x86,0x02,0x87,0x66,0x59,0x08,0x21,0x98, |
| 0x64,0x05,0x6A,0xBD,0xFE,0xA9,0x34,0x57 }, |
| { 0x73,0x71,0x75,0x69,0x67,0x67,0x6C,0x65 }, |
| { 0xc0,0x7d,0x2a,0x0f,0xa5,0x66,0xfa,0x30 } |
| }, |
| { { 0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01, |
| 0x80,0x01,0x01,0x01,0x01,0x01,0x01,0x01, |
| 0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x02 }, |
| { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 }, |
| { 0xe6,0xe6,0xdd,0x5b,0x7e,0x72,0x29,0x74 } |
| }, |
| { { 0x10,0x46,0x10,0x34,0x89,0x98,0x80,0x20, |
| 0x91,0x07,0xD0,0x15,0x89,0x19,0x01,0x01, |
| 0x19,0x07,0x92,0x10,0x98,0x1A,0x01,0x01 }, |
| { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 }, |
| { 0xe1,0xef,0x62,0xc3,0x32,0xfe,0x82,0x5b } |
| } |
| }; |
| |
| byte result[8]; |
| int i; |
| tripledes_ctx des3; |
| |
| for (i=0; i<sizeof(testdata)/sizeof(*testdata); ++i) |
| { |
| tripledes_set3keys (des3, testdata[i].key, |
| testdata[i].key + 8, testdata[i].key + 16); |
| |
| tripledes_ecb_encrypt (des3, testdata[i].plain, result); |
| if (memcmp (testdata[i].cipher, result, 8)) |
| return "Triple-DES SSLeay test failed on encryption."; |
| |
| tripledes_ecb_decrypt (des3, testdata[i].cipher, result); |
| if (memcmp (testdata[i].plain, result, 8)) |
| return "Triple-DES SSLeay test failed on decryption.";; |
| } |
| } |
| |
| /* |
| * Check the weak key detection. We simply assume that the table |
| * with weak keys is ok and check every key in the table if it is |
| * detected... (This test is a little bit stupid). |
| */ |
| { |
| int i; |
| unsigned char *p; |
| gcry_md_hd_t h; |
| |
| if (_gcry_md_open (&h, GCRY_MD_SHA1, 0)) |
| return "SHA1 not available"; |
| |
| for (i = 0; i < 64; ++i) |
| _gcry_md_write (h, weak_keys[i], 8); |
| p = _gcry_md_read (h, GCRY_MD_SHA1); |
| i = memcmp (p, weak_keys_chksum, 20); |
| _gcry_md_close (h); |
| if (i) |
| return "weak key table defect"; |
| |
| for (i = 0; i < 64; ++i) |
| if (!is_weak_key(weak_keys[i])) |
| return "DES weak key detection failed"; |
| } |
| |
| return 0; |
| } |
| |
| |
| static gcry_err_code_t |
| do_tripledes_setkey ( void *context, const byte *key, unsigned keylen ) |
| { |
| struct _tripledes_ctx *ctx = (struct _tripledes_ctx *) context; |
| |
| if( keylen != 24 ) |
| return GPG_ERR_INV_KEYLEN; |
| |
| tripledes_set3keys ( ctx, key, key+8, key+16); |
| |
| if (ctx->flags.no_weak_key) |
| ; /* Detection has been disabled. */ |
| else if (is_weak_key (key) || is_weak_key (key+8) || is_weak_key (key+16)) |
| { |
| _gcry_burn_stack (64); |
| return GPG_ERR_WEAK_KEY; |
| } |
| _gcry_burn_stack (64); |
| |
| return GPG_ERR_NO_ERROR; |
| } |
| |
| |
| static gcry_err_code_t |
| do_tripledes_set_extra_info (void *context, int what, |
| const void *buffer, size_t buflen) |
| { |
| struct _tripledes_ctx *ctx = (struct _tripledes_ctx *)context; |
| gpg_err_code_t ec = 0; |
| |
| (void)buffer; |
| (void)buflen; |
| |
| switch (what) |
| { |
| case CIPHER_INFO_NO_WEAK_KEY: |
| ctx->flags.no_weak_key = 1; |
| break; |
| |
| default: |
| ec = GPG_ERR_INV_OP; |
| break; |
| } |
| return ec; |
| } |
| |
| |
| static void |
| do_tripledes_encrypt( void *context, byte *outbuf, const byte *inbuf ) |
| { |
| struct _tripledes_ctx *ctx = (struct _tripledes_ctx *) context; |
| |
| tripledes_ecb_encrypt ( ctx, inbuf, outbuf ); |
| _gcry_burn_stack (32); |
| } |
| |
| static void |
| do_tripledes_decrypt( void *context, byte *outbuf, const byte *inbuf ) |
| { |
| struct _tripledes_ctx *ctx = (struct _tripledes_ctx *) context; |
| tripledes_ecb_decrypt ( ctx, inbuf, outbuf ); |
| _gcry_burn_stack (32); |
| } |
| |
| static gcry_err_code_t |
| do_des_setkey (void *context, const byte *key, unsigned keylen) |
| { |
| struct _des_ctx *ctx = (struct _des_ctx *) context; |
| |
| if (keylen != 8) |
| return GPG_ERR_INV_KEYLEN; |
| |
| des_setkey (ctx, key); |
| |
| if (is_weak_key (key)) { |
| _gcry_burn_stack (64); |
| return GPG_ERR_WEAK_KEY; |
| } |
| _gcry_burn_stack (64); |
| |
| return GPG_ERR_NO_ERROR; |
| } |
| |
| |
| static void |
| do_des_encrypt( void *context, byte *outbuf, const byte *inbuf ) |
| { |
| struct _des_ctx *ctx = (struct _des_ctx *) context; |
| |
| des_ecb_encrypt ( ctx, inbuf, outbuf ); |
| _gcry_burn_stack (32); |
| } |
| |
| static void |
| do_des_decrypt( void *context, byte *outbuf, const byte *inbuf ) |
| { |
| struct _des_ctx *ctx = (struct _des_ctx *) context; |
| |
| des_ecb_decrypt ( ctx, inbuf, outbuf ); |
| _gcry_burn_stack (32); |
| } |
| |
| |
| |
| |
| /* |
| Self-test section. |
| */ |
| |
| |
| /* Selftest for TripleDES. */ |
| static gpg_err_code_t |
| selftest_fips (int extended, selftest_report_func_t report) |
| { |
| const char *what; |
| const char *errtxt; |
| |
| (void)extended; /* No extended tests available. */ |
| |
| what = "low-level"; |
| errtxt = selftest (); |
| if (errtxt) |
| goto failed; |
| |
| /* The low-level self-tests are quite extensive and thus we can do |
| without high level tests. This is also justified because we have |
| no custom block code implementation for 3des but always use the |
| standard high level block code. */ |
| |
| return 0; /* Succeeded. */ |
| |
| failed: |
| if (report) |
| report ("cipher", GCRY_CIPHER_3DES, what, errtxt); |
| return GPG_ERR_SELFTEST_FAILED; |
| } |
| |
| |
| |
| /* Run a full self-test for ALGO and return 0 on success. */ |
| static gpg_err_code_t |
| run_selftests (int algo, int extended, selftest_report_func_t report) |
| { |
| gpg_err_code_t ec; |
| |
| switch (algo) |
| { |
| case GCRY_CIPHER_3DES: |
| ec = selftest_fips (extended, report); |
| break; |
| default: |
| ec = GPG_ERR_CIPHER_ALGO; |
| break; |
| |
| } |
| return ec; |
| } |
| |
| |
| |
| gcry_cipher_spec_t _gcry_cipher_spec_des = |
| { |
| "DES", NULL, NULL, 8, 64, sizeof (struct _des_ctx), |
| do_des_setkey, do_des_encrypt, do_des_decrypt |
| }; |
| |
| static gcry_cipher_oid_spec_t oids_tripledes[] = |
| { |
| { "1.2.840.113549.3.7", GCRY_CIPHER_MODE_CBC }, |
| /* Teletrust specific OID for 3DES. */ |
| { "1.3.36.3.1.3.2.1", GCRY_CIPHER_MODE_CBC }, |
| /* pbeWithSHAAnd3_KeyTripleDES_CBC */ |
| { "1.2.840.113549.1.12.1.3", GCRY_CIPHER_MODE_CBC }, |
| { NULL } |
| }; |
| |
| gcry_cipher_spec_t _gcry_cipher_spec_tripledes = |
| { |
| "3DES", NULL, oids_tripledes, 8, 192, sizeof (struct _tripledes_ctx), |
| do_tripledes_setkey, do_tripledes_encrypt, do_tripledes_decrypt |
| }; |
| |
| cipher_extra_spec_t _gcry_cipher_extraspec_tripledes = |
| { |
| run_selftests, |
| do_tripledes_set_extra_info |
| }; |