des3.c

PeerSec Networks MatrixSSL?is an embedded SSL implementation designed for small footprint applicatio

			pt += ctx->des3.blocklen;
		}
	}
#ifdef CLEAN_STACK
	psZeromem(tmp, sizeof(tmp));
	psZeromem(tmp2, sizeof(tmp2));
#endif /* CLEAN_STACK */
	return len;
}

/******************************************************************************/
/*
	3DES implementation below
*/
static void cookey(const ulong32 *raw1, ulong32 *keyout)
{
	ulong32			*cook;
	const ulong32	*raw0;
	ulong32			dough[32];
	int32				i;

	cook = dough;
	for(i=0; i < 16; i++, raw1++) {
		raw0 = raw1++;
		*cook    = (*raw0 & 0x00fc0000L) << 6;
		*cook   |= (*raw0 & 0x00000fc0L) << 10;
		*cook   |= (*raw1 & 0x00fc0000L) >> 10;
		*cook++ |= (*raw1 & 0x00000fc0L) >> 6;
		*cook    = (*raw0 & 0x0003f000L) << 12;
		*cook   |= (*raw0 & 0x0000003fL) << 16;
		*cook   |= (*raw1 & 0x0003f000L) >> 4;
		*cook++ |= (*raw1 & 0x0000003fL);
	}

	psMemcpy(keyout, dough, sizeof dough);
	psBurnStack(sizeof(ulong32 *) * 2 + sizeof(ulong32)*32 + sizeof(int32));
}


static void deskey(const unsigned char *key, short edf, ulong32 *keyout)
{
	ulong32				i, j, l, m, n, kn[32];
	unsigned char		pc1m[56], pcr[56];

	for (j=0; j < 56; j++) {
		l = (ulong32)pc1[j];
		m = l & 7;
		pc1m[j] = (unsigned char)((key[l >> 3U] & bytebit[m]) == 
			bytebit[m] ? 1 : 0);
	}

	for (i=0; i < 16; i++) {
		if (edf == DE1) {
			m = (15 - i) << 1;
		} else {
			m = i << 1;
		}
		n = m + 1;
		kn[m] = kn[n] = 0L;
		for (j=0; j < 28; j++) {
			l = j + (ulong32)totrot[i];
			if (l < 28) {
				pcr[j] = pc1m[l];
			} else {
				pcr[j] = pc1m[l - 28];
			}
		}
		for (/*j = 28*/; j < 56; j++) {
			l = j + (ulong32)totrot[i];
			if (l < 56) {
				pcr[j] = pc1m[l];
			} else {
				pcr[j] = pc1m[l - 28];
			}
		}
		for (j=0; j < 24; j++)  {
			if ((int32)pcr[(int32)pc2[j]] != 0) {
				kn[m] |= bigbyte[j];
			}
			if ((int32)pcr[(int32)pc2[j+24]] != 0) {
				kn[n] |= bigbyte[j];
			}
		}
	}
	cookey(kn, keyout);
	psBurnStack(sizeof(int32)*5 + sizeof(ulong32)*32 + 
		sizeof(unsigned char)*112);
}

static void desfunc(ulong32 *block, const ulong32 *keys)
{
	ulong32 work, right, leftt;
	int32 cur_round;

	leftt = block[0];
	right = block[1];

#ifdef SMALL_CODE
	work = ((leftt >> 4)  ^ right) & 0x0f0f0f0fL;
	right ^= work;
	leftt ^= (work << 4);

	work = ((leftt >> 16) ^ right) & 0x0000ffffL;
	right ^= work;
	leftt ^= (work << 16);

	work = ((right >> 2)  ^ leftt) & 0x33333333L;
	leftt ^= work;
	right ^= (work << 2);

	work = ((right >> 8)  ^ leftt) & 0x00ff00ffL;
	leftt ^= work;
	right ^= (work << 8);

	right = ROLc(right, 1);
	work = (leftt ^ right) & 0xaaaaaaaaL;

	leftt ^= work;
	right ^= work;
	leftt = ROLc(leftt, 1);
#else /* SMALL_CODE */
{
	ulong64 tmp;
	tmp = des_ip[0][byte(leftt, 0)] ^
			des_ip[1][byte(leftt, 1)] ^
			des_ip[2][byte(leftt, 2)] ^
			des_ip[3][byte(leftt, 3)] ^
			des_ip[4][byte(right, 0)] ^
			des_ip[5][byte(right, 1)] ^
			des_ip[6][byte(right, 2)] ^
			des_ip[7][byte(right, 3)];
	leftt = (ulong32)(tmp >> 32);
	right = (ulong32)(tmp & 0xFFFFFFFFUL);
}
#endif /* SMALL CODE */

	for (cur_round = 0; cur_round < 8; cur_round++) {
		work	= RORc(right, 4) ^ *keys++;
		leftt	^= SP7[work        & 0x3fL]
				^ SP5[(work >>  8) & 0x3fL]
				^ SP3[(work >> 16) & 0x3fL]
				^ SP1[(work >> 24) & 0x3fL];
		work	 = right ^ *keys++;
		leftt	^= SP8[ work        & 0x3fL]
				^  SP6[(work >>  8) & 0x3fL]
				^  SP4[(work >> 16) & 0x3fL]
				^  SP2[(work >> 24) & 0x3fL];

		work	= RORc(leftt, 4) ^ *keys++;
		right	^= SP7[ work        & 0x3fL]
				^  SP5[(work >>  8) & 0x3fL]
				^  SP3[(work >> 16) & 0x3fL]
				^  SP1[(work >> 24) & 0x3fL];
		work	 = leftt ^ *keys++;
		right	^= SP8[ work        & 0x3fL]
				^  SP6[(work >>  8) & 0x3fL]
				^  SP4[(work >> 16) & 0x3fL]
				^  SP2[(work >> 24) & 0x3fL];
	}

#ifdef SMALL_CODE
	right = RORc(right, 1);
	work = (leftt ^ right) & 0xaaaaaaaaL;
	leftt ^= work;
	right ^= work;
	leftt = RORc(leftt, 1);
	work = ((leftt >> 8) ^ right) & 0x00ff00ffL;
	right ^= work;
	leftt ^= (work << 8);
	
	work = ((leftt >> 2) ^ right) & 0x33333333L;
	right ^= work;
	leftt ^= (work << 2);
	work = ((right >> 16) ^ leftt) & 0x0000ffffL;
	leftt ^= work;
	right ^= (work << 16);
	work = ((right >> 4) ^ leftt) & 0x0f0f0f0fL;
	leftt ^= work;
	right ^= (work << 4);
#else /* SMALL CODE */
	{
	ulong64 tmp;
	tmp = des_fp[0][byte(leftt, 0)] ^
			des_fp[1][byte(leftt, 1)] ^
			des_fp[2][byte(leftt, 2)] ^
			des_fp[3][byte(leftt, 3)] ^
			des_fp[4][byte(right, 0)] ^
			des_fp[5][byte(right, 1)] ^
			des_fp[6][byte(right, 2)] ^
			des_fp[7][byte(right, 3)];
		leftt = (ulong32)(tmp >> 32);
		right = (ulong32)(tmp & 0xFFFFFFFFUL);
	}
#endif /* SMALL CODE */

	block[0] = right;
	block[1] = leftt;
	psBurnStack(sizeof(ulong32) * 4 + sizeof(int32));
}

/*
	We don't validate DES keys against the following known weak keys.
	Astronomically small chances of randomly getting a weak key
	with 3DES. http://www.rsasecurity.com/rsalabs/faq/3-2-4.html

	http://www.itl.nist.gov/fipspubs/fip74.htm
	1.		E001E00lFl0lFl0l		01E001E00lFl0lFl
	2.		FElFFElFFEOEFEOE		1FFElFFEOEFEOEFE
	3.		E01FE01FF10EF10E		1FE01FEOOEF10EF1
	4.		01FE01FE01FE01FE		FE01FE01FE01FE01
	5.		011F011F0l0E010E		1F011F0l0E0l0E01
	6.		E0FEE0FEFlFEFlFE		FEE0FEE0FEFlFEF1
	7.		0101010101010101
	8.		FEFEFEFEFEFEFEFE
	9.		E0E0E0E0FlFlFlFl
	10.		lFlFlFlF0E0E0E0E
*/
int32 des3_setup(const unsigned char *key, int32 keylen, int32 num_rounds, 
					  des3_CBC *skey)
{
	if (key == NULL || skey == NULL) {
		return -1;
	}

	if( num_rounds != 0 && num_rounds != 16) {
		return CRYPT_INVALID_ROUNDS;
	}

	if (keylen != 24) {
		return CRYPT_INVALID_KEYSIZE;
	}

	deskey(key,		EN0, skey->key.ek[0]);
	deskey(key+8,	DE1, skey->key.ek[1]);
	deskey(key+16,	EN0, skey->key.ek[2]);

	deskey(key,		DE1, skey->key.dk[2]);
	deskey(key+8,	EN0, skey->key.dk[1]);
	deskey(key+16,	DE1, skey->key.dk[0]);

	return CRYPT_OK;
}

void des3_ecb_encrypt(const unsigned char *pt, unsigned char *ct, 
							 des3_CBC *key)
{
	ulong32 work[2];

	LOAD32H(work[0], pt+0);
	LOAD32H(work[1], pt+4);
	desfunc(work, key->key.ek[0]);
	desfunc(work, key->key.ek[1]);
	desfunc(work, key->key.ek[2]);
	STORE32H(work[0],ct+0);
	STORE32H(work[1],ct+4);
}

void des3_ecb_decrypt(const unsigned char *ct, unsigned char *pt, 
							 des3_CBC *key)
{
	ulong32 work[2];

	LOAD32H(work[0], ct+0);
	LOAD32H(work[1], ct+4);
	desfunc(work, key->key.dk[0]);
	desfunc(work, key->key.dk[1]);
	desfunc(work, key->key.dk[2]);
	STORE32H(work[0],pt+0);
	STORE32H(work[1],pt+4);
}

int32 des3_keysize(int32 *desired_keysize)
{
    if(*desired_keysize < 24) {
        return CRYPT_INVALID_KEYSIZE;
    }
    *desired_keysize = 24;
    return CRYPT_OK;
}

/******************************************************************************/
/*
	Generate a 3DES key given a password and salt value.
	We use PKCS#5 2.0 PBKDF1 key derivation format with MD5 and count == 1 per:
	http://www.rsasecurity.com/rsalabs/pkcs/pkcs-5/index.html

	This key is compatible with the algorithm used by OpenSSL to encrypt keys
	generated with 'openssl genrsa'.  If other encryption formats are used
	(for example PBKDF2), or an iteration count > 0 is used, they are not 
	compatible with this simple implementation.  OpenSSL provides many options
	for converting key formats to the one used here.

	A 3DES key is 24 bytes long, to generate it with this algorithm,
	we md5 hash the password and salt for the first 16 bytes.  We then 
	hash these first 16 bytes with the password and salt again, generating 
	another 16 bytes.  We take the first 16 bytes and 8 of the second 16 to 
	form the 24 byte key.

	salt is assumed to point to 8 bytes of data
	key is assumed to point to 24 bytes of data
*/
void generate3DESKey(unsigned char *pass, int32 passlen, unsigned char *salt, 
					unsigned char *key)
{
	sslMd5Context_t		state;
	unsigned char		md5[SSL_MD5_HASH_SIZE];

	matrixMd5Init(&state);
	matrixMd5Update(&state, pass, passlen);
	matrixMd5Update(&state, salt, SSL_DES3_IV_LEN);
	matrixMd5Final(&state, md5);
	memcpy(key, md5, SSL_MD5_HASH_SIZE);

	matrixMd5Init(&state);
	matrixMd5Update(&state, md5, SSL_MD5_HASH_SIZE);
	matrixMd5Update(&state, pass, passlen);
	matrixMd5Update(&state, salt, SSL_DES3_IV_LEN);
	matrixMd5Final(&state, md5);
	memcpy(key + SSL_MD5_HASH_SIZE, md5, SSL_DES3_KEY_LEN - SSL_MD5_HASH_SIZE);
}



#ifdef PEERSEC_TEST

int32 matrixDes3Test()
{
	unsigned char key[24], pt[8], ct[8], tmp[8];
	des3_CBC skey;
	int32 x, err;

	for (x = 0; x < 8; x++) {
		pt[x] = x;
	}

	for (x = 0; x < 24; x++) {
		key[x] = x;
	}

	if ((err = des3_setup(key, 24, 0, &skey)) != CRYPT_OK) {
		return err;
	}

	des3_ecb_encrypt(pt, ct, &skey);
	des3_ecb_decrypt(ct, tmp, &skey);

	if (memcmp(pt, tmp, 8) != 0) {
		return CRYPT_FAIL_TESTVECTOR;
	}

	return CRYPT_OK;
}
#endif /* PEERSEC_TEST */

#endif /* USE_3DES */

/******************************************************************************/