Commit | Line | Data |
---|---|---|
d03ab969 | 1 | /* -*-c-*- |
2 | * | |
d03ab969 | 3 | * The Data Encryption Standard |
4 | * | |
5 | * (c) 1999 Straylight/Edgeware | |
6 | */ | |
7 | ||
45c0fd36 | 8 | /*----- Licensing notice --------------------------------------------------* |
d03ab969 | 9 | * |
10 | * This file is part of Catacomb. | |
11 | * | |
12 | * Catacomb is free software; you can redistribute it and/or modify | |
13 | * it under the terms of the GNU Library General Public License as | |
14 | * published by the Free Software Foundation; either version 2 of the | |
15 | * License, or (at your option) any later version. | |
45c0fd36 | 16 | * |
d03ab969 | 17 | * Catacomb is distributed in the hope that it will be useful, |
18 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
19 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
20 | * GNU Library General Public License for more details. | |
45c0fd36 | 21 | * |
d03ab969 | 22 | * You should have received a copy of the GNU Library General Public |
23 | * License along with Catacomb; if not, write to the Free | |
24 | * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, | |
25 | * MA 02111-1307, USA. | |
26 | */ | |
27 | ||
d03ab969 | 28 | /*----- Header files ------------------------------------------------------*/ |
29 | ||
30 | #include <assert.h> | |
31 | #include <stdio.h> | |
32 | #include <stdlib.h> | |
33 | #include <string.h> | |
34 | ||
35 | #include <mLib/bits.h> | |
36 | ||
37 | #include "blkc.h" | |
38 | #include "des-base.h" | |
39 | #include "des.h" | |
89ae755d | 40 | #include "gcipher.h" |
41 | ||
42 | /*----- Global variables --------------------------------------------------*/ | |
43 | ||
44 | const octet des_keysz[] = { KSZ_SET, 7, 8, 0 }; | |
d03ab969 | 45 | |
46 | /*----- Main code ---------------------------------------------------------*/ | |
47 | ||
48 | /* --- @permute@ --- * | |
49 | * | |
50 | * Arguments: @const char *p@ = pointer to permutation table | |
51 | * @uint32 a, b@ = source value to permute | |
52 | * @uint32 *d@ = destination for value | |
53 | * | |
54 | * Returns: --- | |
55 | * | |
56 | * Use: Performs a 64-bit permutation. The table is given in the | |
57 | * normal (but bizarre) DES bit numbering system. That's not to | |
58 | * say that the tables in this source file are like the normal | |
59 | * DES tables, because they're not. | |
60 | */ | |
61 | ||
62 | static void permute(const char *p, uint32 a, uint32 b, uint32 *d) | |
63 | { | |
64 | uint32 x = 0, y = 0; | |
65 | int i; | |
66 | ||
67 | for (i = 0; i < 32; i++) { | |
68 | int q = p[i]; | |
69 | uint32 t; | |
70 | if (!q) | |
71 | continue; | |
72 | else if (q <= 32) | |
73 | t = a; | |
74 | else { | |
75 | t = b; | |
76 | q -= 32; | |
77 | } | |
78 | if (t & (1 << (32 - q))) | |
79 | x |= (1 << (31 - i)); | |
80 | } | |
81 | ||
82 | p += 32; | |
83 | ||
84 | for (i = 0; i < 32; i++) { | |
85 | int q = p[i]; | |
86 | uint32 t; | |
87 | if (!q) | |
88 | continue; | |
89 | else if (q <= 32) | |
90 | t = a; | |
91 | else { | |
92 | t = b; | |
93 | q -= 32; | |
94 | } | |
95 | if (t & (1 << (32 - q))) | |
96 | y |= (1 << (31 - i)); | |
97 | } | |
98 | ||
99 | d[0] = x; | |
100 | d[1] = y; | |
101 | } | |
102 | ||
3b09bd84 MW |
103 | /* --- @des_fixparity@ --- * |
104 | * | |
105 | * Arguments: @octet *z@ = output buffer pointer, or null | |
106 | * @const octet *p@ = input buffer pointer | |
107 | * @size_t sz@ = size of the buffers | |
108 | * | |
109 | * Returns: Zero if the input already had correct parity, @-1@ if changes | |
110 | * were necessary (in constant time). | |
111 | * | |
112 | * Use: Check the @sz@ bytes at @p@ for odd parity (as used in DES | |
113 | * keys); if @z@ is not null, then copy a parity-fixed version | |
114 | * of @p@ to @z@. The two buffers at @p@ and @z@ may coincide, | |
115 | * or be disjoint, but not otherwise overlap. | |
116 | */ | |
117 | ||
118 | int des_fixparity(octet *z, const octet *p, size_t sz) | |
119 | { | |
120 | int a = 0, t, u; | |
121 | ||
122 | while (sz--) { | |
123 | ||
124 | /* Collect the byte. */ | |
125 | t = *p++; | |
126 | ||
127 | /* Compute the parity. Specifically, this will determine the overall | |
128 | * parity of the byte: 0 for odd, and 1 for even (since we complement | |
129 | * the result). This is therefore the change which needs to be applied | |
130 | * to the incoming byte to ensure that it has odd parity. | |
131 | */ | |
132 | u = t; u ^= u >> 4; u ^= u >> 2; u ^= u >> 1; u ^= 1; u &= 1; | |
133 | ||
134 | /* Accumulate the difference. If any bytes had even parity, then this | |
135 | * will equal 1. */ | |
136 | a |= u; | |
137 | ||
138 | /* Maybe write out the fixed value. */ | |
139 | if (z) *z++ = t ^ u; | |
140 | } | |
141 | ||
142 | /* Done. */ | |
143 | return (-a); | |
144 | } | |
145 | ||
986527ae | 146 | /* --- @des_expand@ --- * |
147 | * | |
148 | * Arguments: @const octet *k@ = pointer to key material | |
149 | * @size_t n@ = number of octets of key material (7 or 8) | |
150 | * @uint32 *xx, *yy@ = where to put the results | |
151 | * | |
152 | * Returns: --- | |
153 | * | |
154 | * Use: Extracts 64 bits of key material from the given buffer, | |
155 | * possibly expanding it from 56 to 64 bits on the way. | |
156 | * Parity is set correctly if the key is expanded. | |
157 | */ | |
158 | ||
159 | void des_expand(const octet *k, size_t n, uint32 *xx, uint32 *yy) | |
160 | { | |
161 | uint32 x, y, z; | |
162 | ||
163 | if (n == 8) { | |
164 | x = LOAD32(k + 0); | |
165 | y = LOAD32(k + 4); | |
166 | } else { | |
167 | x = LOAD32(k + 0); | |
168 | x = (x & 0xfe000000) | ((x & 0x01fffff0) >> 1); | |
169 | x = (x & 0xfffe0000) | ((x & 0x0001fff8) >> 1); | |
170 | x = (x & 0xfffffe00) | ((x & 0x000001fc) >> 1); | |
171 | z = x; z ^= z >> 4; z ^= z >> 2; z ^= z >> 1; | |
172 | x |= (z & 0x01010101) ^ 0x01010101; | |
173 | y = LOAD32(k + 3) << 1; /* Note: misaligned */ | |
174 | y = (y & 0x000000fe) | ((y & 0x1fffff00) << 1); | |
175 | y = (y & 0x0000fefe) | ((y & 0x3fff0000) << 1); | |
176 | y = (y & 0x00fefefe) | ((y & 0x7f000000) << 1); | |
177 | z = y; z ^= z >> 4; z ^= z >> 2; z ^= z >> 1; | |
178 | y |= (z & 0x01010101) ^ 0x01010101; | |
179 | } | |
180 | *xx = x; *yy = y; | |
181 | } | |
182 | ||
d03ab969 | 183 | /* --- @des_init@ --- * |
184 | * | |
185 | * Arguments: @des_ctx *k@ = pointer to key block | |
186 | * @const void *buf@ = pointer to key buffer | |
187 | * @size_t sz@ = size of key material | |
188 | * | |
189 | * Returns: --- | |
190 | * | |
191 | * Use: Initializes a DES key buffer. The key buffer may be either 7 | |
192 | * or 8 bytes long. If it's 8 bytes, the key is assumed to be | |
193 | * padded with parity bits in the low order bit of each octet. | |
194 | * These are stripped out without checking prior to the actual | |
195 | * key scheduling. | |
196 | */ | |
197 | ||
198 | void des_init(des_ctx *k, const void *buf, size_t sz) | |
199 | { | |
200 | uint32 x, y; | |
201 | uint32 *kp = k->k; | |
986527ae | 202 | uint32 ka[2]; |
d03ab969 | 203 | int i; |
204 | ||
205 | /* --- @pc1@ --- * | |
206 | * | |
207 | * This cryptographically useless permutation is used to mangle the key | |
208 | * before it's subjected to the key schedule proper. I've not actually | |
209 | * messed it about much except for inserting padding at the beginning of | |
210 | * the two halves of the key. | |
211 | */ | |
212 | ||
213 | static const char pc1[] = { | |
45c0fd36 | 214 | 0, 0, 0, 0, |
d03ab969 | 215 | 57, 49, 41, 33, 25, 17, 9, |
216 | 1, 58, 50, 42, 34, 26, 18, | |
45c0fd36 | 217 | 10, 2, 59, 51, 43, 35, 27, |
d03ab969 | 218 | 19, 11, 3, 60, 52, 44, 36, |
45c0fd36 | 219 | 0, 0, 0, 0, |
d03ab969 | 220 | 63, 55, 47, 39, 31, 23, 15, |
221 | 7, 62, 54, 46, 38, 30, 22, | |
45c0fd36 | 222 | 14, 6, 61, 53, 45, 37, 29, |
d03ab969 | 223 | 21, 13, 5, 28, 20, 12, 4 |
224 | }; | |
225 | ||
226 | /* --- @pc2@ --- * | |
227 | * | |
228 | * This irritating but necessary permutation mangles the key between the | |
229 | * simple rotation-based schedule and the actual XOR with which it modifies | |
230 | * the behaviour of the cipher. | |
231 | * | |
232 | * This version of the table doesn't look much like the original. This is | |
233 | * because some parts of the world have been permuted in order to make | |
234 | * things simpler for the round function. In particular, everything is | |
235 | * rotated left one place to avoid problems with the wraparound of the | |
236 | * expansion permutation, and the key is split between odd and even S-boxes | |
237 | * rather than high and low ones. That's without the complication of the | |
238 | * padding bits in the representation of the 56-bit proto-key. | |
239 | */ | |
240 | ||
241 | static const char pc2[] = { | |
45c0fd36 MW |
242 | 0, 0, 3 + 4, 28 + 4, 15 + 4, 6 + 4, 21 + 4, 10 + 4, /* S-box 2 */ |
243 | 0, 0, 16 + 4, 7 + 4, 27 + 4, 20 + 4, 13 + 4, 2 + 4, /* S-box 4 */ | |
244 | 0, 0, 30 + 8, 40 + 8, 51 + 8, 45 + 8, 33 + 8, 48 + 8, /* S-box 6 */ | |
245 | 0, 0, 46 + 8, 42 + 8, 50 + 8, 36 + 8, 29 + 8, 32 + 8, /* S-box 8 */ | |
246 | 0, 0, 14 + 4, 17 + 4, 11 + 4, 24 + 4, 1 + 4, 5 + 4, /* S-box 1 */ | |
247 | 0, 0, 23 + 4, 19 + 4, 12 + 4, 4 + 4, 26 + 4, 8 + 4, /* S-box 3 */ | |
248 | 0, 0, 41 + 8, 52 + 8, 31 + 8, 37 + 8, 47 + 8, 55 + 8, /* S-box 5 */ | |
249 | 0, 0, 44 + 8, 49 + 8, 39 + 8, 56 + 8, 34 + 8, 53 + 8 /* S-box 7 */ | |
d03ab969 | 250 | }; |
251 | ||
252 | /* --- @v@ --- * | |
253 | * | |
254 | * Contains the rotation amounts for the key halves. | |
255 | */ | |
256 | ||
257 | static const char v[] = { | |
258 | 1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1 | |
259 | }; | |
260 | ||
261 | /* --- Extract the key into my registers --- * | |
262 | * | |
263 | * The 7 byte case is rather horrible. It expands the key to the 8 byte | |
264 | * case before going any further. It could probably do with its own @pc1@ | |
265 | * table. | |
266 | */ | |
267 | ||
89ae755d | 268 | KSZ_ASSERT(des, sz); |
986527ae | 269 | des_expand(buf, sz, &x, &y); |
45c0fd36 | 270 | |
d03ab969 | 271 | /* --- Permute using the pointless PC1 --- */ |
272 | ||
986527ae | 273 | permute(pc1, x, y, ka); |
274 | x = ka[0]; y = ka[1]; | |
d03ab969 | 275 | |
276 | /* --- Now for the key schedule proper --- */ | |
277 | ||
278 | for (i = 0; i < 16; i++) { | |
279 | if (v[i] == 1) { | |
280 | x = ((x << 1) | (x >> 27)) & 0x0fffffff; | |
281 | y = ((y << 1) | (y >> 27)) & 0x0fffffff; | |
282 | } else { | |
283 | x = ((x << 2) | (x >> 26)) & 0x0fffffff; | |
284 | y = ((y << 2) | (y >> 26)) & 0x0fffffff; | |
285 | } | |
286 | permute(pc2, x, y, kp); | |
287 | kp += 2; | |
288 | } | |
289 | } | |
290 | ||
291 | /* --- @des_eblk@, @des_dblk@ --- * | |
292 | * | |
293 | * Arguments: @const des_ctx *k@ = pointer to key block | |
294 | * @const uint32 s[2]@ = pointer to source block | |
295 | * @uint32 d[2]@ = pointer to destination block | |
296 | * | |
297 | * Returns: --- | |
298 | * | |
299 | * Use: Low-level block encryption and decryption. | |
300 | */ | |
301 | ||
302 | void des_eblk(const des_ctx *k, const uint32 *s, uint32 *d) | |
303 | { | |
304 | uint32 x = s[0], y = s[1]; | |
305 | DES_IP(x, y); | |
306 | DES_EBLK(k->k, x, y, x, y); | |
307 | DES_IPINV(x, y); | |
308 | d[0] = x, d[1] = y; | |
309 | } | |
310 | ||
311 | void des_dblk(const des_ctx *k, const uint32 *s, uint32 *d) | |
312 | { | |
313 | uint32 x = s[0], y = s[1]; | |
314 | DES_IP(x, y); | |
315 | DES_DBLK(k->k, x, y, x, y); | |
316 | DES_IPINV(x, y); | |
317 | d[0] = x, d[1] = y; | |
318 | } | |
319 | ||
320 | BLKC_TEST(DES, des) | |
321 | ||
322 | /*----- That's all, folks -------------------------------------------------*/ |