[catacomb] / symm / des.c

/* -*-c-*-
 *
 * The Data Encryption Standard
 *
 * (c) 1999 Straylight/Edgeware
 */

/*----- Licensing notice --------------------------------------------------*
 *
 * This file is part of Catacomb.
 *
 * Catacomb is free software; you can redistribute it and/or modify
 * it under the terms of the GNU Library General Public License as
 * published by the Free Software Foundation; either version 2 of the
 * License, or (at your option) any later version.
 *
 * Catacomb is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Library General Public License for more details.
 *
 * You should have received a copy of the GNU Library General Public
 * License along with Catacomb; if not, write to the Free
 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
 * MA 02111-1307, USA.
 */

/*----- Header files ------------------------------------------------------*/

#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include <mLib/bits.h>

#include "blkc.h"
#include "des-base.h"
#include "des.h"
#include "gcipher.h"

/*----- Global variables --------------------------------------------------*/

const octet des_keysz[] = { KSZ_SET, 7, 8, 0 };

/*----- Main code ---------------------------------------------------------*/

/* --- @permute@ --- *
 *
 * Arguments:	@const char *p@ = pointer to permutation table
 *		@uint32 a, b@ = source value to permute
 *		@uint32 *d@ = destination for value
 *
 * Returns:	---
 *
 * Use:		Performs a 64-bit permutation.  The table is given in the
 *		normal (but bizarre) DES bit numbering system.  That's not to
 *		say that the tables in this source file are like the normal
 *		DES tables, because they're not.
 */

static void permute(const char *p, uint32 a, uint32 b, uint32 *d)
{
  uint32 x = 0, y = 0;
  int i;

  for (i = 0; i < 32; i++) {
    int q = p[i];
    uint32 t;
    if (!q)
      continue;
    else if (q <= 32)
      t = a;
    else {
      t = b;
      q -= 32;
    }
    if (t & (1 << (32 - q)))
      x |= (1 << (31 - i));
  }

  p += 32;

  for (i = 0; i < 32; i++) {
    int q = p[i];
    uint32 t;
    if (!q)
      continue;
    else if (q <= 32)
      t = a;
    else {
      t = b;
      q -= 32;
    }
    if (t & (1 << (32 - q)))
      y |= (1 << (31 - i));
  }

  d[0] = x;
  d[1] = y;
}

/* --- @des_fixparity@ --- *
 *
 * Arguments:	@octet *z@ = output buffer pointer, or null
 *		@const octet *p@ = input buffer pointer
 *		@size_t sz@ = size of the buffers
 *
 * Returns:	Zero if the input already had correct parity, @-1@ if changes
 *		were necessary (in constant time).
 *
 * Use:		Check the @sz@ bytes at @p@ for odd parity (as used in DES
 *		keys); if @z@ is not null, then copy a parity-fixed version
 *		of @p@ to @z@.  The two buffers at @p@ and @z@ may coincide,
 *		or be disjoint, but not otherwise overlap.
 */

int des_fixparity(octet *z, const octet *p, size_t sz)
{
  int a = 0, t, u;

  while (sz--) {

    /* Collect the byte. */
    t = *p++;

    /* Compute the parity.  Specifically, this will determine the overall
     * parity of the byte: 0 for odd, and 1 for even (since we complement
     * the result).  This is therefore the change which needs to be applied
     * to the incoming byte to ensure that it has odd parity.
     */
    u = t; u ^= u >> 4; u ^= u >> 2; u ^= u >> 1; u ^= 1; u &= 1;

    /* Accumulate the difference.  If any bytes had even parity, then this
     * will equal 1. */
    a |= u;

    /* Maybe write out the fixed value. */
    if (z) *z++ = t ^ u;
  }

  /* Done. */
  return (-a);
}

/* --- @des_expand@ --- *
 *
 * Arguments:	@const octet *k@ = pointer to key material
 *		@size_t n@ = number of octets of key material (7 or 8)
 *		@uint32 *xx, *yy@ = where to put the results
 *
 * Returns:	---
 *
 * Use:		Extracts 64 bits of key material from the given buffer,
 *		possibly expanding it from 56 to 64 bits on the way.
 *		Parity is set correctly if the key is expanded.
 */

void des_expand(const octet *k, size_t n, uint32 *xx, uint32 *yy)
{
  uint32 x, y, z;

  if (n == 8) {
    x = LOAD32(k + 0);
    y = LOAD32(k + 4);
  } else {
    x = LOAD32(k + 0);
    x = (x & 0xfe000000) | ((x & 0x01fffff0) >> 1);
    x = (x & 0xfffe0000) | ((x & 0x0001fff8) >> 1);
    x = (x & 0xfffffe00) | ((x & 0x000001fc) >> 1);
    z = x; z ^= z >> 4; z ^= z >> 2; z ^= z >> 1;
    x |= (z & 0x01010101) ^ 0x01010101;
    y = LOAD32(k + 3) << 1; /* Note: misaligned */
    y = (y & 0x000000fe) | ((y & 0x1fffff00) << 1);
    y = (y & 0x0000fefe) | ((y & 0x3fff0000) << 1);
    y = (y & 0x00fefefe) | ((y & 0x7f000000) << 1);
    z = y; z ^= z >> 4; z ^= z >> 2; z ^= z >> 1;
    y |= (z & 0x01010101) ^ 0x01010101;
  }
  *xx = x; *yy = y;
}

/* --- @des_init@ --- *
 *
 * Arguments:	@des_ctx *k@ = pointer to key block
 *		@const void *buf@ = pointer to key buffer
 *		@size_t sz@ = size of key material
 *
 * Returns:	---
 *
 * Use:		Initializes a DES key buffer.  The key buffer may be either 7
 *		or 8 bytes long.  If it's 8 bytes, the key is assumed to be
 *		padded with parity bits in the low order bit of each octet.
 *		These are stripped out without checking prior to the actual
 *		key scheduling.
 */

void des_init(des_ctx *k, const void *buf, size_t sz)
{
  uint32 x, y;
  uint32 *kp = k->k;
  uint32 ka[2];
  int i;

  /* --- @pc1@ --- *
   *
   * This cryptographically useless permutation is used to mangle the key
   * before it's subjected to the key schedule proper.  I've not actually
   * messed it about much except for inserting padding at the beginning of
   * the two halves of the key.
   */

  static const char pc1[] = {
     0,	 0,  0,	 0,
    57, 49, 41, 33, 25, 17,  9,
     1, 58, 50, 42, 34, 26, 18,
    10,	 2, 59, 51, 43, 35, 27,
    19, 11,  3, 60, 52, 44, 36,
     0,	 0,  0,	 0,
    63, 55, 47, 39, 31, 23, 15,
     7, 62, 54, 46, 38, 30, 22,
    14,	 6, 61, 53, 45, 37, 29,
    21, 13,  5, 28, 20, 12,  4
  };

  /* --- @pc2@ --- *
   *
   * This irritating but necessary permutation mangles the key between the
   * simple rotation-based schedule and the actual XOR with which it modifies
   * the behaviour of the cipher.
   *
   * This version of the table doesn't look much like the original.  This is
   * because some parts of the world have been permuted in order to make
   * things simpler for the round function.  In particular, everything is
   * rotated left one place to avoid problems with the wraparound of the
   * expansion permutation, and the key is split between odd and even S-boxes
   * rather than high and low ones.  That's without the complication of the
   * padding bits in the representation of the 56-bit proto-key.
   */

  static const char pc2[] = {
     0,	 0,  3 + 4, 28 + 4, 15 + 4,  6 + 4, 21 + 4, 10 + 4, /* S-box 2 */
     0,	 0, 16 + 4,  7 + 4, 27 + 4, 20 + 4, 13 + 4,  2 + 4, /* S-box 4 */
     0,	 0, 30 + 8, 40 + 8, 51 + 8, 45 + 8, 33 + 8, 48 + 8, /* S-box 6 */
     0,	 0, 46 + 8, 42 + 8, 50 + 8, 36 + 8, 29 + 8, 32 + 8, /* S-box 8 */
     0,	 0, 14 + 4, 17 + 4, 11 + 4, 24 + 4,  1 + 4,  5 + 4, /* S-box 1 */
     0,	 0, 23 + 4, 19 + 4, 12 + 4,  4 + 4, 26 + 4,  8 + 4, /* S-box 3 */
     0,	 0, 41 + 8, 52 + 8, 31 + 8, 37 + 8, 47 + 8, 55 + 8, /* S-box 5 */
     0,	 0, 44 + 8, 49 + 8, 39 + 8, 56 + 8, 34 + 8, 53 + 8  /* S-box 7 */
  };

  /* --- @v@ --- *
   *
   * Contains the rotation amounts for the key halves.
   */

  static const char v[] = {
    1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1
  };

  /* --- Extract the key into my registers --- *
   *
   * The 7 byte case is rather horrible.  It expands the key to the 8 byte
   * case before going any further.  It could probably do with its own @pc1@
   * table.
   */

  KSZ_ASSERT(des, sz);
  des_expand(buf, sz, &x, &y);

  /* --- Permute using the pointless PC1 --- */

  permute(pc1, x, y, ka);
  x = ka[0]; y = ka[1];

  /* --- Now for the key schedule proper --- */

  for (i = 0; i < 16; i++) {
    if (v[i] == 1) {
      x = ((x << 1) | (x >> 27)) & 0x0fffffff;
      y = ((y << 1) | (y >> 27)) & 0x0fffffff;
    } else {
      x = ((x << 2) | (x >> 26)) & 0x0fffffff;
      y = ((y << 2) | (y >> 26)) & 0x0fffffff;
    }
    permute(pc2, x, y, kp);
    kp += 2;
  }
}

/* --- @des_eblk@, @des_dblk@ --- *
 *
 * Arguments:	@const des_ctx *k@ = pointer to key block
 *		@const uint32 s[2]@ = pointer to source block
 *		@uint32 d[2]@ = pointer to destination block
 *
 * Returns:	---
 *
 * Use:		Low-level block encryption and decryption.
 */

void des_eblk(const des_ctx *k, const uint32 *s, uint32 *d)
{
  uint32 x = s[0], y = s[1];
  DES_IP(x, y);
  DES_EBLK(k->k, x, y, x, y);
  DES_IPINV(x, y);
  d[0] = x, d[1] = y;
}

void des_dblk(const des_ctx *k, const uint32 *s, uint32 *d)
{
  uint32 x = s[0], y = s[1];
  DES_IP(x, y);
  DES_DBLK(k->k, x, y, x, y);
  DES_IPINV(x, y);
  d[0] = x, d[1] = y;
}

BLKC_TEST(DES, des)

/*----- That's all, folks -------------------------------------------------*/
Commit	Line	Data
d03ab969	1	/* --c--
d03ab969	2	*
d03ab969	3	* The Data Encryption Standard
	4	*
	5	* (c) 1999 Straylight/Edgeware
	6	*/
	7
45c0fd36	8	/----- Licensing notice --------------------------------------------------
d03ab969	9	*
	10	* This file is part of Catacomb.
	11	*
	12	* Catacomb is free software; you can redistribute it and/or modify
	13	* it under the terms of the GNU Library General Public License as
	14	* published by the Free Software Foundation; either version 2 of the
	15	* License, or (at your option) any later version.
45c0fd36	16	*
d03ab969	17	* Catacomb is distributed in the hope that it will be useful,
	18	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	19	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	20	* GNU Library General Public License for more details.
45c0fd36	21	*
d03ab969	22	* You should have received a copy of the GNU Library General Public
	23	* License along with Catacomb; if not, write to the Free
	24	* Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
	25	* MA 02111-1307, USA.
	26	*/
	27
d03ab969	28	/----- Header files ------------------------------------------------------/
	29
	30	#include <assert.h>
	31	#include <stdio.h>
	32	#include <stdlib.h>
	33	#include <string.h>
	34
	35	#include <mLib/bits.h>
	36
	37	#include "blkc.h"
	38	#include "des-base.h"
	39	#include "des.h"
89ae755d	40	#include "gcipher.h"
	41
	42	/----- Global variables --------------------------------------------------/
	43
	44	const octet des_keysz[] = { KSZ_SET, 7, 8, 0 };
d03ab969	45
	46	/----- Main code ---------------------------------------------------------/
	47
	48	/* --- @permute@ --- *
	49	*
	50	* Arguments: @const char *p@ = pointer to permutation table
	51	* @uint32 a, b@ = source value to permute
	52	* @uint32 *d@ = destination for value
	53	*
	54	* Returns: ---
	55	*
	56	* Use: Performs a 64-bit permutation. The table is given in the
	57	* normal (but bizarre) DES bit numbering system. That's not to
	58	* say that the tables in this source file are like the normal
	59	* DES tables, because they're not.
	60	*/
	61
	62	static void permute(const char p, uint32 a, uint32 b, uint32 d)
	63	{
	64	uint32 x = 0, y = 0;
	65	int i;
	66
	67	for (i = 0; i < 32; i++) {
	68	int q = p[i];
	69	uint32 t;
	70	if (!q)
	71	continue;
	72	else if (q <= 32)
	73	t = a;
	74	else {
	75	t = b;
	76	q -= 32;
	77	}
	78	if (t & (1 << (32 - q)))
	79	x \|= (1 << (31 - i));
	80	}
	81
	82	p += 32;
	83
	84	for (i = 0; i < 32; i++) {
	85	int q = p[i];
	86	uint32 t;
	87	if (!q)
	88	continue;
	89	else if (q <= 32)
	90	t = a;
	91	else {
	92	t = b;
	93	q -= 32;
	94	}
	95	if (t & (1 << (32 - q)))
	96	y \|= (1 << (31 - i));
	97	}
	98
	99	d[0] = x;
	100	d[1] = y;
	101	}
	102
3b09bd84 MW	103	/* --- @des_fixparity@ --- *
	104	*
	105	* Arguments: @octet *z@ = output buffer pointer, or null
	106	* @const octet *p@ = input buffer pointer
	107	* @size_t sz@ = size of the buffers
	108	*
	109	* Returns: Zero if the input already had correct parity, @-1@ if changes
	110	* were necessary (in constant time).
	111	*
	112	* Use: Check the @sz@ bytes at @p@ for odd parity (as used in DES
	113	* keys); if @z@ is not null, then copy a parity-fixed version
	114	* of @p@ to @z@. The two buffers at @p@ and @z@ may coincide,
	115	* or be disjoint, but not otherwise overlap.
	116	*/
	117
	118	int des_fixparity(octet z, const octet p, size_t sz)
	119	{
	120	int a = 0, t, u;
	121
	122	while (sz--) {
	123
	124	/* Collect the byte. */
	125	t = *p++;
	126
	127	/* Compute the parity. Specifically, this will determine the overall
	128	* parity of the byte: 0 for odd, and 1 for even (since we complement
	129	* the result). This is therefore the change which needs to be applied
	130	* to the incoming byte to ensure that it has odd parity.
	131	*/
	132	u = t; u ^= u >> 4; u ^= u >> 2; u ^= u >> 1; u ^= 1; u &= 1;
	133
	134	/* Accumulate the difference. If any bytes had even parity, then this
	135	* will equal 1. */
	136	a \|= u;
	137
	138	/* Maybe write out the fixed value. */
	139	if (z) *z++ = t ^ u;
	140	}
	141
	142	/* Done. */
	143	return (-a);
	144	}
	145
986527ae	146	/* --- @des_expand@ --- *
	147	*
	148	* Arguments: @const octet *k@ = pointer to key material
	149	* @size_t n@ = number of octets of key material (7 or 8)
	150	* @uint32 xx, yy@ = where to put the results
	151	*
	152	* Returns: ---
	153	*
	154	* Use: Extracts 64 bits of key material from the given buffer,
	155	* possibly expanding it from 56 to 64 bits on the way.
	156	* Parity is set correctly if the key is expanded.
	157	*/
	158
	159	void des_expand(const octet k, size_t n, uint32 xx, uint32 *yy)
	160	{
	161	uint32 x, y, z;
	162
	163	if (n == 8) {
	164	x = LOAD32(k + 0);
	165	y = LOAD32(k + 4);
	166	} else {
	167	x = LOAD32(k + 0);
	168	x = (x & 0xfe000000) \| ((x & 0x01fffff0) >> 1);
	169	x = (x & 0xfffe0000) \| ((x & 0x0001fff8) >> 1);
	170	x = (x & 0xfffffe00) \| ((x & 0x000001fc) >> 1);
	171	z = x; z ^= z >> 4; z ^= z >> 2; z ^= z >> 1;
	172	x \|= (z & 0x01010101) ^ 0x01010101;
	173	y = LOAD32(k + 3) << 1; /* Note: misaligned */
	174	y = (y & 0x000000fe) \| ((y & 0x1fffff00) << 1);
	175	y = (y & 0x0000fefe) \| ((y & 0x3fff0000) << 1);
	176	y = (y & 0x00fefefe) \| ((y & 0x7f000000) << 1);
	177	z = y; z ^= z >> 4; z ^= z >> 2; z ^= z >> 1;
	178	y \|= (z & 0x01010101) ^ 0x01010101;
	179	}
	180	xx = x; yy = y;
	181	}
	182
d03ab969	183	/* --- @des_init@ --- *
	184	*
	185	* Arguments: @des_ctx *k@ = pointer to key block
	186	* @const void *buf@ = pointer to key buffer
	187	* @size_t sz@ = size of key material
	188	*
	189	* Returns: ---
	190	*
	191	* Use: Initializes a DES key buffer. The key buffer may be either 7
	192	* or 8 bytes long. If it's 8 bytes, the key is assumed to be
	193	* padded with parity bits in the low order bit of each octet.
	194	* These are stripped out without checking prior to the actual
	195	* key scheduling.
	196	*/
	197
	198	void des_init(des_ctx k, const void buf, size_t sz)
	199	{
	200	uint32 x, y;
	201	uint32 *kp = k->k;
986527ae	202	uint32 ka[2];
d03ab969	203	int i;
	204
	205	/* --- @pc1@ --- *
	206	*
	207	* This cryptographically useless permutation is used to mangle the key
	208	* before it's subjected to the key schedule proper. I've not actually
	209	* messed it about much except for inserting padding at the beginning of
	210	* the two halves of the key.
	211	*/
	212
	213	static const char pc1[] = {
45c0fd36	214	0, 0, 0, 0,
d03ab969	215	57, 49, 41, 33, 25, 17, 9,
d03ab969	216	1, 58, 50, 42, 34, 26, 18,
45c0fd36	217	10, 2, 59, 51, 43, 35, 27,
d03ab969	218	19, 11, 3, 60, 52, 44, 36,
45c0fd36	219	0, 0, 0, 0,
d03ab969	220	63, 55, 47, 39, 31, 23, 15,
d03ab969	221	7, 62, 54, 46, 38, 30, 22,
45c0fd36	222	14, 6, 61, 53, 45, 37, 29,
d03ab969	223	21, 13, 5, 28, 20, 12, 4
	224	};
	225
	226	/* --- @pc2@ --- *
	227	*
	228	* This irritating but necessary permutation mangles the key between the
	229	* simple rotation-based schedule and the actual XOR with which it modifies
	230	* the behaviour of the cipher.
	231	*
	232	* This version of the table doesn't look much like the original. This is
	233	* because some parts of the world have been permuted in order to make
	234	* things simpler for the round function. In particular, everything is
	235	* rotated left one place to avoid problems with the wraparound of the
	236	* expansion permutation, and the key is split between odd and even S-boxes
	237	* rather than high and low ones. That's without the complication of the
	238	* padding bits in the representation of the 56-bit proto-key.
	239	*/
	240
	241	static const char pc2[] = {
45c0fd36 MW	242	0, 0, 3 + 4, 28 + 4, 15 + 4, 6 + 4, 21 + 4, 10 + 4, /* S-box 2 */
	243	0, 0, 16 + 4, 7 + 4, 27 + 4, 20 + 4, 13 + 4, 2 + 4, /* S-box 4 */
	244	0, 0, 30 + 8, 40 + 8, 51 + 8, 45 + 8, 33 + 8, 48 + 8, /* S-box 6 */
	245	0, 0, 46 + 8, 42 + 8, 50 + 8, 36 + 8, 29 + 8, 32 + 8, /* S-box 8 */
	246	0, 0, 14 + 4, 17 + 4, 11 + 4, 24 + 4, 1 + 4, 5 + 4, /* S-box 1 */
	247	0, 0, 23 + 4, 19 + 4, 12 + 4, 4 + 4, 26 + 4, 8 + 4, /* S-box 3 */
	248	0, 0, 41 + 8, 52 + 8, 31 + 8, 37 + 8, 47 + 8, 55 + 8, /* S-box 5 */
	249	0, 0, 44 + 8, 49 + 8, 39 + 8, 56 + 8, 34 + 8, 53 + 8 /* S-box 7 */
d03ab969	250	};
	251
	252	/* --- @v@ --- *
	253	*
	254	* Contains the rotation amounts for the key halves.
	255	*/
	256
	257	static const char v[] = {
	258	1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1
	259	};
	260
	261	/* --- Extract the key into my registers --- *
	262	*
	263	* The 7 byte case is rather horrible. It expands the key to the 8 byte
	264	* case before going any further. It could probably do with its own @pc1@
	265	* table.
	266	*/
	267
89ae755d	268	KSZ_ASSERT(des, sz);
986527ae	269	des_expand(buf, sz, &x, &y);
45c0fd36	270
d03ab969	271	/* --- Permute using the pointless PC1 --- */
d03ab969	272
986527ae	273	permute(pc1, x, y, ka);
986527ae	274	x = ka[0]; y = ka[1];
d03ab969	275
	276	/* --- Now for the key schedule proper --- */
	277
	278	for (i = 0; i < 16; i++) {
	279	if (v[i] == 1) {
	280	x = ((x << 1) \| (x >> 27)) & 0x0fffffff;
	281	y = ((y << 1) \| (y >> 27)) & 0x0fffffff;
	282	} else {
	283	x = ((x << 2) \| (x >> 26)) & 0x0fffffff;
	284	y = ((y << 2) \| (y >> 26)) & 0x0fffffff;
	285	}
	286	permute(pc2, x, y, kp);
	287	kp += 2;
	288	}
	289	}
	290
	291	/* --- @des_eblk@, @des_dblk@ --- *
	292	*
	293	* Arguments: @const des_ctx *k@ = pointer to key block
	294	* @const uint32 s[2]@ = pointer to source block
	295	* @uint32 d[2]@ = pointer to destination block
	296	*
	297	* Returns: ---
	298	*
	299	* Use: Low-level block encryption and decryption.
	300	*/
	301
	302	void des_eblk(const des_ctx k, const uint32 s, uint32 *d)
	303	{
	304	uint32 x = s[0], y = s[1];
	305	DES_IP(x, y);
	306	DES_EBLK(k->k, x, y, x, y);
	307	DES_IPINV(x, y);
	308	d[0] = x, d[1] = y;
	309	}
	310
	311	void des_dblk(const des_ctx k, const uint32 s, uint32 *d)
	312	{
	313	uint32 x = s[0], y = s[1];
	314	DES_IP(x, y);
	315	DES_DBLK(k->k, x, y, x, y);
	316	DES_IPINV(x, y);
	317	d[0] = x, d[1] = y;
	318	}
	319
	320	BLKC_TEST(DES, des)
	321
	322	/----- That's all, folks -------------------------------------------------/