Commit | Line | Data |
---|---|---|
805e021f CE |
1 | /* |
2 | * Copyright (c) 2005 Kungliga Tekniska Högskolan | |
3 | * (Royal Institute of Technology, Stockholm, Sweden). | |
4 | * All rights reserved. | |
5 | * | |
6 | * Redistribution and use in source and binary forms, with or without | |
7 | * modification, are permitted provided that the following conditions | |
8 | * are met: | |
9 | * | |
10 | * 1. Redistributions of source code must retain the above copyright | |
11 | * notice, this list of conditions and the following disclaimer. | |
12 | * | |
13 | * 2. Redistributions in binary form must reproduce the above copyright | |
14 | * notice, this list of conditions and the following disclaimer in the | |
15 | * documentation and/or other materials provided with the distribution. | |
16 | * | |
17 | * 3. Neither the name of the Institute nor the names of its contributors | |
18 | * may be used to endorse or promote products derived from this software | |
19 | * without specific prior written permission. | |
20 | * | |
21 | * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND | |
22 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
23 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |
24 | * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE | |
25 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
26 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | |
27 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
28 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | |
29 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | |
30 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | |
31 | * SUCH DAMAGE. | |
32 | */ | |
33 | ||
34 | /** | |
35 | * @page page_des DES - Data Encryption Standard crypto interface | |
36 | * | |
37 | * See the library functions here: @ref hcrypto_des | |
38 | * | |
39 | * DES was created by IBM, modififed by NSA and then adopted by NBS | |
40 | * (now NIST) and published ad FIPS PUB 46 (updated by FIPS 46-1). | |
41 | * | |
42 | * Since the 19th May 2005 DES was withdrawn by NIST and should no | |
43 | * longer be used. See @ref page_evp for replacement encryption | |
44 | * algorithms and interfaces. | |
45 | * | |
46 | * Read more the iteresting history of DES on Wikipedia | |
47 | * http://www.wikipedia.org/wiki/Data_Encryption_Standard . | |
48 | * | |
49 | * @section des_keygen DES key generation | |
50 | * | |
51 | * To generate a DES key safely you have to use the code-snippet | |
52 | * below. This is because the DES_random_key() can fail with an | |
53 | * abort() in case of and failure to start the random generator. | |
54 | * | |
55 | * There is a replacement function DES_new_random_key(), however that | |
56 | * function does not exists in OpenSSL. | |
57 | * | |
58 | * @code | |
59 | * DES_cblock key; | |
60 | * do { | |
61 | * if (RAND_rand(&key, sizeof(key)) != 1) | |
62 | * goto failure; | |
63 | * DES_set_odd_parity(key); | |
64 | * } while (DES_is_weak_key(&key)); | |
65 | * @endcode | |
66 | * | |
67 | * @section des_impl DES implementation history | |
68 | * | |
69 | * There was no complete BSD licensed, fast, GPL compatible | |
70 | * implementation of DES, so Love wrote the part that was missing, | |
71 | * fast key schedule setup and adapted the interface to the orignal | |
72 | * libdes. | |
73 | * | |
74 | * The document that got me started for real was "Efficient | |
75 | * Implementation of the Data Encryption Standard" by Dag Arne Osvik. | |
76 | * I never got to the PC1 transformation was working, instead I used | |
77 | * table-lookup was used for all key schedule setup. The document was | |
78 | * very useful since it de-mystified other implementations for me. | |
79 | * | |
80 | * The core DES function (SBOX + P transformation) is from Richard | |
81 | * Outerbridge public domain DES implementation. My sanity is saved | |
82 | * thanks to his work. Thank you Richard. | |
83 | */ | |
84 | ||
85 | #include <config.h> | |
86 | ||
87 | #define HC_DEPRECATED | |
88 | ||
89 | #include <stdio.h> | |
90 | #include <stdlib.h> | |
91 | #include <string.h> | |
92 | #include <krb5-types.h> | |
93 | #include <assert.h> | |
94 | ||
95 | #include <roken.h> | |
96 | ||
97 | #include "des.h" | |
98 | #include "ui.h" | |
99 | ||
100 | static void desx(uint32_t [2], DES_key_schedule *, int); | |
101 | static void IP(uint32_t [2]); | |
102 | static void FP(uint32_t [2]); | |
103 | ||
104 | #include "des-tables.h" | |
105 | ||
106 | #define ROTATE_LEFT28(x,one) \ | |
107 | if (one) { \ | |
108 | x = ( ((x)<<(1)) & 0xffffffe) | ((x) >> 27); \ | |
109 | } else { \ | |
110 | x = ( ((x)<<(2)) & 0xffffffc) | ((x) >> 26); \ | |
111 | } | |
112 | ||
113 | /** | |
114 | * Set the parity of the key block, used to generate a des key from a | |
115 | * random key. See @ref des_keygen. | |
116 | * | |
117 | * @param key key to fixup the parity for. | |
118 | * @ingroup hcrypto_des | |
119 | */ | |
120 | ||
121 | void | |
122 | DES_set_odd_parity(DES_cblock *key) | |
123 | { | |
124 | unsigned int i; | |
125 | for (i = 0; i < DES_CBLOCK_LEN; i++) | |
126 | (*key)[i] = odd_parity[(*key)[i]]; | |
127 | } | |
128 | ||
129 | /** | |
130 | * Check if the key have correct parity. | |
131 | * | |
132 | * @param key key to check the parity. | |
133 | * @return 1 on success, 0 on failure. | |
134 | * @ingroup hcrypto_des | |
135 | */ | |
136 | ||
137 | int HC_DEPRECATED | |
138 | DES_check_key_parity(DES_cblock *key) | |
139 | { | |
140 | unsigned int i; | |
141 | ||
142 | for (i = 0; i < DES_CBLOCK_LEN; i++) | |
143 | if ((*key)[i] != odd_parity[(*key)[i]]) | |
144 | return 0; | |
145 | return 1; | |
146 | } | |
147 | ||
148 | /* | |
149 | * | |
150 | */ | |
151 | ||
152 | /* FIPS 74 */ | |
153 | static DES_cblock weak_keys[] = { | |
154 | {0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01}, /* weak keys */ | |
155 | {0xFE,0xFE,0xFE,0xFE,0xFE,0xFE,0xFE,0xFE}, | |
156 | {0x1F,0x1F,0x1F,0x1F,0x0E,0x0E,0x0E,0x0E}, | |
157 | {0xE0,0xE0,0xE0,0xE0,0xF1,0xF1,0xF1,0xF1}, | |
158 | {0x01,0xFE,0x01,0xFE,0x01,0xFE,0x01,0xFE}, /* semi-weak keys */ | |
159 | {0xFE,0x01,0xFE,0x01,0xFE,0x01,0xFE,0x01}, | |
160 | {0x1F,0xE0,0x1F,0xE0,0x0E,0xF1,0x0E,0xF1}, | |
161 | {0xE0,0x1F,0xE0,0x1F,0xF1,0x0E,0xF1,0x0E}, | |
162 | {0x01,0xE0,0x01,0xE0,0x01,0xF1,0x01,0xF1}, | |
163 | {0xE0,0x01,0xE0,0x01,0xF1,0x01,0xF1,0x01}, | |
164 | {0x1F,0xFE,0x1F,0xFE,0x0E,0xFE,0x0E,0xFE}, | |
165 | {0xFE,0x1F,0xFE,0x1F,0xFE,0x0E,0xFE,0x0E}, | |
166 | {0x01,0x1F,0x01,0x1F,0x01,0x0E,0x01,0x0E}, | |
167 | {0x1F,0x01,0x1F,0x01,0x0E,0x01,0x0E,0x01}, | |
168 | {0xE0,0xFE,0xE0,0xFE,0xF1,0xFE,0xF1,0xFE}, | |
169 | {0xFE,0xE0,0xFE,0xE0,0xFE,0xF1,0xFE,0xF1} | |
170 | }; | |
171 | ||
172 | /** | |
173 | * Checks if the key is any of the weaks keys that makes DES attacks | |
174 | * trival. | |
175 | * | |
176 | * @param key key to check. | |
177 | * | |
178 | * @return 1 if the key is weak, 0 otherwise. | |
179 | * @ingroup hcrypto_des | |
180 | */ | |
181 | ||
182 | int | |
183 | DES_is_weak_key(DES_cblock *key) | |
184 | { | |
185 | int weak = 0; | |
186 | int i; | |
187 | ||
188 | for (i = 0; i < sizeof(weak_keys)/sizeof(weak_keys[0]); i++) | |
189 | weak ^= (ct_memcmp(weak_keys[i], key, DES_CBLOCK_LEN) == 0); | |
190 | ||
191 | return !!weak; | |
192 | } | |
193 | ||
194 | /** | |
195 | * Setup a des key schedule from a key. Deprecated function, use | |
196 | * DES_set_key_unchecked() or DES_set_key_checked() instead. | |
197 | * | |
198 | * @param key a key to initialize the key schedule with. | |
199 | * @param ks a key schedule to initialize. | |
200 | * | |
201 | * @return 0 on success | |
202 | * @ingroup hcrypto_des | |
203 | */ | |
204 | ||
205 | int HC_DEPRECATED | |
206 | DES_set_key(DES_cblock *key, DES_key_schedule *ks) | |
207 | { | |
208 | return DES_set_key_checked(key, ks); | |
209 | } | |
210 | ||
211 | /** | |
212 | * Setup a des key schedule from a key. The key is no longer needed | |
213 | * after this transaction and can cleared. | |
214 | * | |
215 | * Does NOT check that the key is weak for or have wrong parity. | |
216 | * | |
217 | * @param key a key to initialize the key schedule with. | |
218 | * @param ks a key schedule to initialize. | |
219 | * | |
220 | * @return 0 on success | |
221 | * @ingroup hcrypto_des | |
222 | */ | |
223 | ||
224 | int | |
225 | DES_set_key_unchecked(DES_cblock *key, DES_key_schedule *ks) | |
226 | { | |
227 | uint32_t t1, t2; | |
228 | uint32_t c, d; | |
229 | int shifts[16] = { 1, 1, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 1 }; | |
230 | uint32_t *k = &ks->ks[0]; | |
231 | int i; | |
232 | ||
233 | t1 = (*key)[0] << 24 | (*key)[1] << 16 | (*key)[2] << 8 | (*key)[3]; | |
234 | t2 = (*key)[4] << 24 | (*key)[5] << 16 | (*key)[6] << 8 | (*key)[7]; | |
235 | ||
236 | c = (pc1_c_3[(t1 >> (5 )) & 0x7] << 3) | |
237 | | (pc1_c_3[(t1 >> (5 + 8 )) & 0x7] << 2) | |
238 | | (pc1_c_3[(t1 >> (5 + 8 + 8 )) & 0x7] << 1) | |
239 | | (pc1_c_3[(t1 >> (5 + 8 + 8 + 8)) & 0x7] << 0) | |
240 | | (pc1_c_4[(t2 >> (4 )) & 0xf] << 3) | |
241 | | (pc1_c_4[(t2 >> (4 + 8 )) & 0xf] << 2) | |
242 | | (pc1_c_4[(t2 >> (4 + 8 + 8 )) & 0xf] << 1) | |
243 | | (pc1_c_4[(t2 >> (4 + 8 + 8 + 8)) & 0xf] << 0); | |
244 | ||
245 | ||
246 | d = (pc1_d_3[(t2 >> (1 )) & 0x7] << 3) | |
247 | | (pc1_d_3[(t2 >> (1 + 8 )) & 0x7] << 2) | |
248 | | (pc1_d_3[(t2 >> (1 + 8 + 8 )) & 0x7] << 1) | |
249 | | (pc1_d_3[(t2 >> (1 + 8 + 8 + 8)) & 0x7] << 0) | |
250 | | (pc1_d_4[(t1 >> (1 )) & 0xf] << 3) | |
251 | | (pc1_d_4[(t1 >> (1 + 8 )) & 0xf] << 2) | |
252 | | (pc1_d_4[(t1 >> (1 + 8 + 8 )) & 0xf] << 1) | |
253 | | (pc1_d_4[(t1 >> (1 + 8 + 8 + 8)) & 0xf] << 0); | |
254 | ||
255 | for (i = 0; i < 16; i++) { | |
256 | uint32_t kc, kd; | |
257 | ||
258 | ROTATE_LEFT28(c, shifts[i]); | |
259 | ROTATE_LEFT28(d, shifts[i]); | |
260 | ||
261 | kc = pc2_c_1[(c >> 22) & 0x3f] | | |
262 | pc2_c_2[((c >> 16) & 0x30) | ((c >> 15) & 0xf)] | | |
263 | pc2_c_3[((c >> 9 ) & 0x3c) | ((c >> 8 ) & 0x3)] | | |
264 | pc2_c_4[((c >> 2 ) & 0x20) | ((c >> 1) & 0x18) | (c & 0x7)]; | |
265 | kd = pc2_d_1[(d >> 22) & 0x3f] | | |
266 | pc2_d_2[((d >> 15) & 0x30) | ((d >> 14) & 0xf)] | | |
267 | pc2_d_3[ (d >> 7 ) & 0x3f] | | |
268 | pc2_d_4[((d >> 1 ) & 0x3c) | ((d ) & 0x3)]; | |
269 | ||
270 | /* Change to byte order used by the S boxes */ | |
271 | *k = (kc & 0x00fc0000L) << 6; | |
272 | *k |= (kc & 0x00000fc0L) << 10; | |
273 | *k |= (kd & 0x00fc0000L) >> 10; | |
274 | *k++ |= (kd & 0x00000fc0L) >> 6; | |
275 | *k = (kc & 0x0003f000L) << 12; | |
276 | *k |= (kc & 0x0000003fL) << 16; | |
277 | *k |= (kd & 0x0003f000L) >> 4; | |
278 | *k++ |= (kd & 0x0000003fL); | |
279 | } | |
280 | ||
281 | return 0; | |
282 | } | |
283 | ||
284 | /** | |
285 | * Just like DES_set_key_unchecked() except checking that the key is | |
286 | * not weak for or have correct parity. | |
287 | * | |
288 | * @param key a key to initialize the key schedule with. | |
289 | * @param ks a key schedule to initialize. | |
290 | * | |
291 | * @return 0 on success, -1 on invalid parity, -2 on weak key. | |
292 | * @ingroup hcrypto_des | |
293 | */ | |
294 | ||
295 | int | |
296 | DES_set_key_checked(DES_cblock *key, DES_key_schedule *ks) | |
297 | { | |
298 | if (!DES_check_key_parity(key)) { | |
299 | memset(ks, 0, sizeof(*ks)); | |
300 | return -1; | |
301 | } | |
302 | if (DES_is_weak_key(key)) { | |
303 | memset(ks, 0, sizeof(*ks)); | |
304 | return -2; | |
305 | } | |
306 | return DES_set_key_unchecked(key, ks); | |
307 | } | |
308 | ||
309 | /** | |
310 | * Compatibility function for eay libdes, works just like | |
311 | * DES_set_key_checked(). | |
312 | * | |
313 | * @param key a key to initialize the key schedule with. | |
314 | * @param ks a key schedule to initialize. | |
315 | * | |
316 | * @return 0 on success, -1 on invalid parity, -2 on weak key. | |
317 | * @ingroup hcrypto_des | |
318 | */ | |
319 | ||
320 | int | |
321 | DES_key_sched(DES_cblock *key, DES_key_schedule *ks) | |
322 | { | |
323 | return DES_set_key_checked(key, ks); | |
324 | } | |
325 | ||
326 | /* | |
327 | * | |
328 | */ | |
329 | ||
330 | static void | |
331 | load(const unsigned char *b, uint32_t v[2]) | |
332 | { | |
333 | v[0] = b[0] << 24; | |
334 | v[0] |= b[1] << 16; | |
335 | v[0] |= b[2] << 8; | |
336 | v[0] |= b[3] << 0; | |
337 | v[1] = b[4] << 24; | |
338 | v[1] |= b[5] << 16; | |
339 | v[1] |= b[6] << 8; | |
340 | v[1] |= b[7] << 0; | |
341 | } | |
342 | ||
343 | static void | |
344 | store(const uint32_t v[2], unsigned char *b) | |
345 | { | |
346 | b[0] = (v[0] >> 24) & 0xff; | |
347 | b[1] = (v[0] >> 16) & 0xff; | |
348 | b[2] = (v[0] >> 8) & 0xff; | |
349 | b[3] = (v[0] >> 0) & 0xff; | |
350 | b[4] = (v[1] >> 24) & 0xff; | |
351 | b[5] = (v[1] >> 16) & 0xff; | |
352 | b[6] = (v[1] >> 8) & 0xff; | |
353 | b[7] = (v[1] >> 0) & 0xff; | |
354 | } | |
355 | ||
356 | /** | |
357 | * Encrypt/decrypt a block using DES. Also called ECB mode | |
358 | * | |
359 | * @param u data to encrypt | |
360 | * @param ks key schedule to use | |
361 | * @param encp if non zero, encrypt. if zero, decrypt. | |
362 | * | |
363 | * @ingroup hcrypto_des | |
364 | */ | |
365 | ||
366 | void | |
367 | DES_encrypt(uint32_t u[2], DES_key_schedule *ks, int encp) | |
368 | { | |
369 | IP(u); | |
370 | desx(u, ks, encp); | |
371 | FP(u); | |
372 | } | |
373 | ||
374 | /** | |
375 | * Encrypt/decrypt a block using DES. | |
376 | * | |
377 | * @param input data to encrypt | |
378 | * @param output data to encrypt | |
379 | * @param ks key schedule to use | |
380 | * @param encp if non zero, encrypt. if zero, decrypt. | |
381 | * | |
382 | * @ingroup hcrypto_des | |
383 | */ | |
384 | ||
385 | void | |
386 | DES_ecb_encrypt(DES_cblock *input, DES_cblock *output, | |
387 | DES_key_schedule *ks, int encp) | |
388 | { | |
389 | uint32_t u[2]; | |
390 | load(*input, u); | |
391 | DES_encrypt(u, ks, encp); | |
392 | store(u, *output); | |
393 | } | |
394 | ||
395 | /** | |
396 | * Encrypt/decrypt a block using DES in Chain Block Cipher mode (cbc). | |
397 | * | |
398 | * The IV must always be diffrent for diffrent input data blocks. | |
399 | * | |
400 | * @param in data to encrypt | |
401 | * @param out data to encrypt | |
402 | * @param length length of data | |
403 | * @param ks key schedule to use | |
404 | * @param iv initial vector to use | |
405 | * @param encp if non zero, encrypt. if zero, decrypt. | |
406 | * | |
407 | * @ingroup hcrypto_des | |
408 | */ | |
409 | ||
410 | void | |
411 | DES_cbc_encrypt(const void *in, void *out, long length, | |
412 | DES_key_schedule *ks, DES_cblock *iv, int encp) | |
413 | { | |
414 | const unsigned char *input = in; | |
415 | unsigned char *output = out; | |
416 | uint32_t u[2]; | |
417 | uint32_t uiv[2]; | |
418 | ||
419 | load(*iv, uiv); | |
420 | ||
421 | if (encp) { | |
422 | while (length >= DES_CBLOCK_LEN) { | |
423 | load(input, u); | |
424 | u[0] ^= uiv[0]; u[1] ^= uiv[1]; | |
425 | DES_encrypt(u, ks, 1); | |
426 | uiv[0] = u[0]; uiv[1] = u[1]; | |
427 | store(u, output); | |
428 | ||
429 | length -= DES_CBLOCK_LEN; | |
430 | input += DES_CBLOCK_LEN; | |
431 | output += DES_CBLOCK_LEN; | |
432 | } | |
433 | if (length) { | |
434 | unsigned char tmp[DES_CBLOCK_LEN]; | |
435 | memcpy(tmp, input, length); | |
436 | memset(tmp + length, 0, DES_CBLOCK_LEN - length); | |
437 | load(tmp, u); | |
438 | u[0] ^= uiv[0]; u[1] ^= uiv[1]; | |
439 | DES_encrypt(u, ks, 1); | |
440 | store(u, output); | |
441 | } | |
442 | } else { | |
443 | uint32_t t[2]; | |
444 | while (length >= DES_CBLOCK_LEN) { | |
445 | load(input, u); | |
446 | t[0] = u[0]; t[1] = u[1]; | |
447 | DES_encrypt(u, ks, 0); | |
448 | u[0] ^= uiv[0]; u[1] ^= uiv[1]; | |
449 | store(u, output); | |
450 | uiv[0] = t[0]; uiv[1] = t[1]; | |
451 | ||
452 | length -= DES_CBLOCK_LEN; | |
453 | input += DES_CBLOCK_LEN; | |
454 | output += DES_CBLOCK_LEN; | |
455 | } | |
456 | if (length) { | |
457 | unsigned char tmp[DES_CBLOCK_LEN]; | |
458 | memcpy(tmp, input, length); | |
459 | memset(tmp + length, 0, DES_CBLOCK_LEN - length); | |
460 | load(tmp, u); | |
461 | DES_encrypt(u, ks, 0); | |
462 | u[0] ^= uiv[0]; u[1] ^= uiv[1]; | |
463 | store(u, output); | |
464 | } | |
465 | } | |
466 | uiv[0] = 0; u[0] = 0; uiv[1] = 0; u[1] = 0; | |
467 | } | |
468 | ||
469 | /** | |
470 | * Encrypt/decrypt a block using DES in Propagating Cipher Block | |
471 | * Chaining mode. This mode is only used for Kerberos 4, and it should | |
472 | * stay that way. | |
473 | * | |
474 | * The IV must always be diffrent for diffrent input data blocks. | |
475 | * | |
476 | * @param in data to encrypt | |
477 | * @param out data to encrypt | |
478 | * @param length length of data | |
479 | * @param ks key schedule to use | |
480 | * @param iv initial vector to use | |
481 | * @param encp if non zero, encrypt. if zero, decrypt. | |
482 | * | |
483 | * @ingroup hcrypto_des | |
484 | */ | |
485 | ||
486 | void | |
487 | DES_pcbc_encrypt(const void *in, void *out, long length, | |
488 | DES_key_schedule *ks, DES_cblock *iv, int encp) | |
489 | { | |
490 | const unsigned char *input = in; | |
491 | unsigned char *output = out; | |
492 | uint32_t u[2]; | |
493 | uint32_t uiv[2]; | |
494 | ||
495 | load(*iv, uiv); | |
496 | ||
497 | if (encp) { | |
498 | uint32_t t[2]; | |
499 | while (length >= DES_CBLOCK_LEN) { | |
500 | load(input, u); | |
501 | t[0] = u[0]; t[1] = u[1]; | |
502 | u[0] ^= uiv[0]; u[1] ^= uiv[1]; | |
503 | DES_encrypt(u, ks, 1); | |
504 | uiv[0] = u[0] ^ t[0]; uiv[1] = u[1] ^ t[1]; | |
505 | store(u, output); | |
506 | ||
507 | length -= DES_CBLOCK_LEN; | |
508 | input += DES_CBLOCK_LEN; | |
509 | output += DES_CBLOCK_LEN; | |
510 | } | |
511 | if (length) { | |
512 | unsigned char tmp[DES_CBLOCK_LEN]; | |
513 | memcpy(tmp, input, length); | |
514 | memset(tmp + length, 0, DES_CBLOCK_LEN - length); | |
515 | load(tmp, u); | |
516 | u[0] ^= uiv[0]; u[1] ^= uiv[1]; | |
517 | DES_encrypt(u, ks, 1); | |
518 | store(u, output); | |
519 | } | |
520 | } else { | |
521 | uint32_t t[2]; | |
522 | while (length >= DES_CBLOCK_LEN) { | |
523 | load(input, u); | |
524 | t[0] = u[0]; t[1] = u[1]; | |
525 | DES_encrypt(u, ks, 0); | |
526 | u[0] ^= uiv[0]; u[1] ^= uiv[1]; | |
527 | store(u, output); | |
528 | uiv[0] = t[0] ^ u[0]; uiv[1] = t[1] ^ u[1]; | |
529 | ||
530 | length -= DES_CBLOCK_LEN; | |
531 | input += DES_CBLOCK_LEN; | |
532 | output += DES_CBLOCK_LEN; | |
533 | } | |
534 | if (length) { | |
535 | unsigned char tmp[DES_CBLOCK_LEN]; | |
536 | memcpy(tmp, input, length); | |
537 | memset(tmp + length, 0, DES_CBLOCK_LEN - length); | |
538 | load(tmp, u); | |
539 | DES_encrypt(u, ks, 0); | |
540 | u[0] ^= uiv[0]; u[1] ^= uiv[1]; | |
541 | } | |
542 | } | |
543 | uiv[0] = 0; u[0] = 0; uiv[1] = 0; u[1] = 0; | |
544 | } | |
545 | ||
546 | /* | |
547 | * | |
548 | */ | |
549 | ||
550 | static void | |
551 | _des3_encrypt(uint32_t u[2], DES_key_schedule *ks1, DES_key_schedule *ks2, | |
552 | DES_key_schedule *ks3, int encp) | |
553 | { | |
554 | IP(u); | |
555 | if (encp) { | |
556 | desx(u, ks1, 1); /* IP + FP cancel out each other */ | |
557 | desx(u, ks2, 0); | |
558 | desx(u, ks3, 1); | |
559 | } else { | |
560 | desx(u, ks3, 0); | |
561 | desx(u, ks2, 1); | |
562 | desx(u, ks1, 0); | |
563 | } | |
564 | FP(u); | |
565 | } | |
566 | ||
567 | /** | |
568 | * Encrypt/decrypt a block using triple DES using EDE mode, | |
569 | * encrypt/decrypt/encrypt. | |
570 | * | |
571 | * @param input data to encrypt | |
572 | * @param output data to encrypt | |
573 | * @param ks1 key schedule to use | |
574 | * @param ks2 key schedule to use | |
575 | * @param ks3 key schedule to use | |
576 | * @param encp if non zero, encrypt. if zero, decrypt. | |
577 | * | |
578 | * @ingroup hcrypto_des | |
579 | */ | |
580 | ||
581 | void | |
582 | DES_ecb3_encrypt(DES_cblock *input, | |
583 | DES_cblock *output, | |
584 | DES_key_schedule *ks1, | |
585 | DES_key_schedule *ks2, | |
586 | DES_key_schedule *ks3, | |
587 | int encp) | |
588 | { | |
589 | uint32_t u[2]; | |
590 | load(*input, u); | |
591 | _des3_encrypt(u, ks1, ks2, ks3, encp); | |
592 | store(u, *output); | |
593 | return; | |
594 | } | |
595 | ||
596 | /** | |
597 | * Encrypt/decrypt using Triple DES in Chain Block Cipher mode (cbc). | |
598 | * | |
599 | * The IV must always be diffrent for diffrent input data blocks. | |
600 | * | |
601 | * @param in data to encrypt | |
602 | * @param out data to encrypt | |
603 | * @param length length of data | |
604 | * @param ks1 key schedule to use | |
605 | * @param ks2 key schedule to use | |
606 | * @param ks3 key schedule to use | |
607 | * @param iv initial vector to use | |
608 | * @param encp if non zero, encrypt. if zero, decrypt. | |
609 | * | |
610 | * @ingroup hcrypto_des | |
611 | */ | |
612 | ||
613 | void | |
614 | DES_ede3_cbc_encrypt(const void *in, void *out, | |
615 | long length, DES_key_schedule *ks1, | |
616 | DES_key_schedule *ks2, DES_key_schedule *ks3, | |
617 | DES_cblock *iv, int encp) | |
618 | { | |
619 | const unsigned char *input = in; | |
620 | unsigned char *output = out; | |
621 | uint32_t u[2]; | |
622 | uint32_t uiv[2]; | |
623 | ||
624 | load(*iv, uiv); | |
625 | ||
626 | if (encp) { | |
627 | while (length >= DES_CBLOCK_LEN) { | |
628 | load(input, u); | |
629 | u[0] ^= uiv[0]; u[1] ^= uiv[1]; | |
630 | _des3_encrypt(u, ks1, ks2, ks3, 1); | |
631 | uiv[0] = u[0]; uiv[1] = u[1]; | |
632 | store(u, output); | |
633 | ||
634 | length -= DES_CBLOCK_LEN; | |
635 | input += DES_CBLOCK_LEN; | |
636 | output += DES_CBLOCK_LEN; | |
637 | } | |
638 | if (length) { | |
639 | unsigned char tmp[DES_CBLOCK_LEN]; | |
640 | memcpy(tmp, input, length); | |
641 | memset(tmp + length, 0, DES_CBLOCK_LEN - length); | |
642 | load(tmp, u); | |
643 | u[0] ^= uiv[0]; u[1] ^= uiv[1]; | |
644 | _des3_encrypt(u, ks1, ks2, ks3, 1); | |
645 | store(u, output); | |
646 | } | |
647 | } else { | |
648 | uint32_t t[2]; | |
649 | while (length >= DES_CBLOCK_LEN) { | |
650 | load(input, u); | |
651 | t[0] = u[0]; t[1] = u[1]; | |
652 | _des3_encrypt(u, ks1, ks2, ks3, 0); | |
653 | u[0] ^= uiv[0]; u[1] ^= uiv[1]; | |
654 | store(u, output); | |
655 | uiv[0] = t[0]; uiv[1] = t[1]; | |
656 | ||
657 | length -= DES_CBLOCK_LEN; | |
658 | input += DES_CBLOCK_LEN; | |
659 | output += DES_CBLOCK_LEN; | |
660 | } | |
661 | if (length) { | |
662 | unsigned char tmp[DES_CBLOCK_LEN]; | |
663 | memcpy(tmp, input, length); | |
664 | memset(tmp + length, 0, DES_CBLOCK_LEN - length); | |
665 | load(tmp, u); | |
666 | _des3_encrypt(u, ks1, ks2, ks3, 0); | |
667 | u[0] ^= uiv[0]; u[1] ^= uiv[1]; | |
668 | store(u, output); | |
669 | } | |
670 | } | |
671 | store(uiv, *iv); | |
672 | uiv[0] = 0; u[0] = 0; uiv[1] = 0; u[1] = 0; | |
673 | } | |
674 | ||
675 | /** | |
676 | * Encrypt/decrypt using DES in cipher feedback mode with 64 bit | |
677 | * feedback. | |
678 | * | |
679 | * The IV must always be diffrent for diffrent input data blocks. | |
680 | * | |
681 | * @param in data to encrypt | |
682 | * @param out data to encrypt | |
683 | * @param length length of data | |
684 | * @param ks key schedule to use | |
685 | * @param iv initial vector to use | |
686 | * @param num offset into in cipher block encryption/decryption stop last time. | |
687 | * @param encp if non zero, encrypt. if zero, decrypt. | |
688 | * | |
689 | * @ingroup hcrypto_des | |
690 | */ | |
691 | ||
692 | void | |
693 | DES_cfb64_encrypt(const void *in, void *out, | |
694 | long length, DES_key_schedule *ks, DES_cblock *iv, | |
695 | int *num, int encp) | |
696 | { | |
697 | const unsigned char *input = in; | |
698 | unsigned char *output = out; | |
699 | unsigned char tmp[DES_CBLOCK_LEN]; | |
700 | uint32_t uiv[2]; | |
701 | ||
702 | load(*iv, uiv); | |
703 | ||
704 | assert(*num >= 0 && *num < DES_CBLOCK_LEN); | |
705 | ||
706 | if (encp) { | |
707 | int i = *num; | |
708 | ||
709 | while (length > 0) { | |
710 | if (i == 0) | |
711 | DES_encrypt(uiv, ks, 1); | |
712 | store(uiv, tmp); | |
713 | for (; i < DES_CBLOCK_LEN && i < length; i++) { | |
714 | output[i] = tmp[i] ^ input[i]; | |
715 | } | |
716 | if (i == DES_CBLOCK_LEN) | |
717 | load(output, uiv); | |
718 | output += i; | |
719 | input += i; | |
720 | length -= i; | |
721 | if (i == DES_CBLOCK_LEN) | |
722 | i = 0; | |
723 | } | |
724 | store(uiv, *iv); | |
725 | *num = i; | |
726 | } else { | |
727 | int i = *num; | |
728 | unsigned char c; | |
729 | ||
730 | while (length > 0) { | |
731 | if (i == 0) { | |
732 | DES_encrypt(uiv, ks, 1); | |
733 | store(uiv, tmp); | |
734 | } | |
735 | for (; i < DES_CBLOCK_LEN && i < length; i++) { | |
736 | c = input[i]; | |
737 | output[i] = tmp[i] ^ input[i]; | |
738 | (*iv)[i] = c; | |
739 | } | |
740 | output += i; | |
741 | input += i; | |
742 | length -= i; | |
743 | if (i == DES_CBLOCK_LEN) { | |
744 | i = 0; | |
745 | load(*iv, uiv); | |
746 | } | |
747 | } | |
748 | store(uiv, *iv); | |
749 | *num = i; | |
750 | } | |
751 | } | |
752 | ||
753 | /** | |
754 | * Crete a checksum using DES in CBC encryption mode. This mode is | |
755 | * only used for Kerberos 4, and it should stay that way. | |
756 | * | |
757 | * The IV must always be diffrent for diffrent input data blocks. | |
758 | * | |
759 | * @param in data to checksum | |
760 | * @param output the checksum | |
761 | * @param length length of data | |
762 | * @param ks key schedule to use | |
763 | * @param iv initial vector to use | |
764 | * | |
765 | * @ingroup hcrypto_des | |
766 | */ | |
767 | ||
768 | uint32_t | |
769 | DES_cbc_cksum(const void *in, DES_cblock *output, | |
770 | long length, DES_key_schedule *ks, DES_cblock *iv) | |
771 | { | |
772 | const unsigned char *input = in; | |
773 | uint32_t uiv[2]; | |
774 | uint32_t u[2] = { 0, 0 }; | |
775 | ||
776 | load(*iv, uiv); | |
777 | ||
778 | while (length >= DES_CBLOCK_LEN) { | |
779 | load(input, u); | |
780 | u[0] ^= uiv[0]; u[1] ^= uiv[1]; | |
781 | DES_encrypt(u, ks, 1); | |
782 | uiv[0] = u[0]; uiv[1] = u[1]; | |
783 | ||
784 | length -= DES_CBLOCK_LEN; | |
785 | input += DES_CBLOCK_LEN; | |
786 | } | |
787 | if (length) { | |
788 | unsigned char tmp[DES_CBLOCK_LEN]; | |
789 | memcpy(tmp, input, length); | |
790 | memset(tmp + length, 0, DES_CBLOCK_LEN - length); | |
791 | load(tmp, u); | |
792 | u[0] ^= uiv[0]; u[1] ^= uiv[1]; | |
793 | DES_encrypt(u, ks, 1); | |
794 | } | |
795 | if (output) | |
796 | store(u, *output); | |
797 | ||
798 | uiv[0] = 0; u[0] = 0; uiv[1] = 0; | |
799 | return u[1]; | |
800 | } | |
801 | ||
802 | /* | |
803 | * | |
804 | */ | |
805 | ||
806 | static unsigned char | |
807 | bitswap8(unsigned char b) | |
808 | { | |
809 | unsigned char r = 0; | |
810 | int i; | |
811 | for (i = 0; i < 8; i++) { | |
812 | r = r << 1 | (b & 1); | |
813 | b = b >> 1; | |
814 | } | |
815 | return r; | |
816 | } | |
817 | ||
818 | /** | |
819 | * Convert a string to a DES key. Use something like | |
820 | * PKCS5_PBKDF2_HMAC_SHA1() to create key from passwords. | |
821 | * | |
822 | * @param str The string to convert to a key | |
823 | * @param key the resulting key | |
824 | * | |
825 | * @ingroup hcrypto_des | |
826 | */ | |
827 | ||
828 | void | |
829 | DES_string_to_key(const char *str, DES_cblock *key) | |
830 | { | |
831 | const unsigned char *s; | |
832 | unsigned char *k; | |
833 | DES_key_schedule ks; | |
834 | size_t i, len; | |
835 | ||
836 | memset(key, 0, sizeof(*key)); | |
837 | k = *key; | |
838 | s = (const unsigned char *)str; | |
839 | ||
840 | len = strlen(str); | |
841 | for (i = 0; i < len; i++) { | |
842 | if ((i % 16) < 8) | |
843 | k[i % 8] ^= s[i] << 1; | |
844 | else | |
845 | k[7 - (i % 8)] ^= bitswap8(s[i]); | |
846 | } | |
847 | DES_set_odd_parity(key); | |
848 | if (DES_is_weak_key(key)) | |
849 | k[7] ^= 0xF0; | |
850 | DES_set_key(key, &ks); | |
851 | DES_cbc_cksum(s, key, len, &ks, key); | |
852 | memset(&ks, 0, sizeof(ks)); | |
853 | DES_set_odd_parity(key); | |
854 | if (DES_is_weak_key(key)) | |
855 | k[7] ^= 0xF0; | |
856 | } | |
857 | ||
858 | /** | |
859 | * Read password from prompt and create a DES key. Internal uses | |
860 | * DES_string_to_key(). Really, go use a really string2key function | |
861 | * like PKCS5_PBKDF2_HMAC_SHA1(). | |
862 | * | |
863 | * @param key key to convert to | |
864 | * @param prompt prompt to display user | |
865 | * @param verify prompt twice. | |
866 | * | |
867 | * @return 1 on success, non 1 on failure. | |
868 | */ | |
869 | ||
870 | int | |
871 | DES_read_password(DES_cblock *key, char *prompt, int verify) | |
872 | { | |
873 | char buf[512]; | |
874 | int ret; | |
875 | ||
876 | ret = UI_UTIL_read_pw_string(buf, sizeof(buf) - 1, prompt, verify); | |
877 | if (ret == 1) | |
878 | DES_string_to_key(buf, key); | |
879 | return ret; | |
880 | } | |
881 | ||
882 | /* | |
883 | * | |
884 | */ | |
885 | ||
886 | ||
887 | void | |
888 | _DES_ipfp_test(void) | |
889 | { | |
890 | DES_cblock k = "\x01\x02\x04\x08\x10\x20\x40\x80", k2; | |
891 | uint32_t u[2] = { 1, 0 }; | |
892 | IP(u); | |
893 | FP(u); | |
894 | IP(u); | |
895 | FP(u); | |
896 | if (u[0] != 1 || u[1] != 0) | |
897 | abort(); | |
898 | ||
899 | load(k, u); | |
900 | store(u, k2); | |
901 | if (memcmp(k, k2, 8) != 0) | |
902 | abort(); | |
903 | } | |
904 | ||
905 | /* D3DES (V5.09) - | |
906 | * | |
907 | * A portable, public domain, version of the Data Encryption Standard. | |
908 | * | |
909 | * Written with Symantec's THINK (Lightspeed) C by Richard Outerbridge. | |
910 | * Thanks to: Dan Hoey for his excellent Initial and Inverse permutation | |
911 | * code; Jim Gillogly & Phil Karn for the DES key schedule code; Dennis | |
912 | * Ferguson, Eric Young and Dana How for comparing notes; and Ray Lau, | |
913 | * for humouring me on. | |
914 | * | |
915 | * Copyright (c) 1988,1989,1990,1991,1992 by Richard Outerbridge. | |
916 | * (GEnie : OUTER; CIS : [71755,204]) Graven Imagery, 1992. | |
917 | */ | |
918 | ||
919 | static uint32_t SP1[64] = { | |
920 | 0x01010400L, 0x00000000L, 0x00010000L, 0x01010404L, | |
921 | 0x01010004L, 0x00010404L, 0x00000004L, 0x00010000L, | |
922 | 0x00000400L, 0x01010400L, 0x01010404L, 0x00000400L, | |
923 | 0x01000404L, 0x01010004L, 0x01000000L, 0x00000004L, | |
924 | 0x00000404L, 0x01000400L, 0x01000400L, 0x00010400L, | |
925 | 0x00010400L, 0x01010000L, 0x01010000L, 0x01000404L, | |
926 | 0x00010004L, 0x01000004L, 0x01000004L, 0x00010004L, | |
927 | 0x00000000L, 0x00000404L, 0x00010404L, 0x01000000L, | |
928 | 0x00010000L, 0x01010404L, 0x00000004L, 0x01010000L, | |
929 | 0x01010400L, 0x01000000L, 0x01000000L, 0x00000400L, | |
930 | 0x01010004L, 0x00010000L, 0x00010400L, 0x01000004L, | |
931 | 0x00000400L, 0x00000004L, 0x01000404L, 0x00010404L, | |
932 | 0x01010404L, 0x00010004L, 0x01010000L, 0x01000404L, | |
933 | 0x01000004L, 0x00000404L, 0x00010404L, 0x01010400L, | |
934 | 0x00000404L, 0x01000400L, 0x01000400L, 0x00000000L, | |
935 | 0x00010004L, 0x00010400L, 0x00000000L, 0x01010004L }; | |
936 | ||
937 | static uint32_t SP2[64] = { | |
938 | 0x80108020L, 0x80008000L, 0x00008000L, 0x00108020L, | |
939 | 0x00100000L, 0x00000020L, 0x80100020L, 0x80008020L, | |
940 | 0x80000020L, 0x80108020L, 0x80108000L, 0x80000000L, | |
941 | 0x80008000L, 0x00100000L, 0x00000020L, 0x80100020L, | |
942 | 0x00108000L, 0x00100020L, 0x80008020L, 0x00000000L, | |
943 | 0x80000000L, 0x00008000L, 0x00108020L, 0x80100000L, | |
944 | 0x00100020L, 0x80000020L, 0x00000000L, 0x00108000L, | |
945 | 0x00008020L, 0x80108000L, 0x80100000L, 0x00008020L, | |
946 | 0x00000000L, 0x00108020L, 0x80100020L, 0x00100000L, | |
947 | 0x80008020L, 0x80100000L, 0x80108000L, 0x00008000L, | |
948 | 0x80100000L, 0x80008000L, 0x00000020L, 0x80108020L, | |
949 | 0x00108020L, 0x00000020L, 0x00008000L, 0x80000000L, | |
950 | 0x00008020L, 0x80108000L, 0x00100000L, 0x80000020L, | |
951 | 0x00100020L, 0x80008020L, 0x80000020L, 0x00100020L, | |
952 | 0x00108000L, 0x00000000L, 0x80008000L, 0x00008020L, | |
953 | 0x80000000L, 0x80100020L, 0x80108020L, 0x00108000L }; | |
954 | ||
955 | static uint32_t SP3[64] = { | |
956 | 0x00000208L, 0x08020200L, 0x00000000L, 0x08020008L, | |
957 | 0x08000200L, 0x00000000L, 0x00020208L, 0x08000200L, | |
958 | 0x00020008L, 0x08000008L, 0x08000008L, 0x00020000L, | |
959 | 0x08020208L, 0x00020008L, 0x08020000L, 0x00000208L, | |
960 | 0x08000000L, 0x00000008L, 0x08020200L, 0x00000200L, | |
961 | 0x00020200L, 0x08020000L, 0x08020008L, 0x00020208L, | |
962 | 0x08000208L, 0x00020200L, 0x00020000L, 0x08000208L, | |
963 | 0x00000008L, 0x08020208L, 0x00000200L, 0x08000000L, | |
964 | 0x08020200L, 0x08000000L, 0x00020008L, 0x00000208L, | |
965 | 0x00020000L, 0x08020200L, 0x08000200L, 0x00000000L, | |
966 | 0x00000200L, 0x00020008L, 0x08020208L, 0x08000200L, | |
967 | 0x08000008L, 0x00000200L, 0x00000000L, 0x08020008L, | |
968 | 0x08000208L, 0x00020000L, 0x08000000L, 0x08020208L, | |
969 | 0x00000008L, 0x00020208L, 0x00020200L, 0x08000008L, | |
970 | 0x08020000L, 0x08000208L, 0x00000208L, 0x08020000L, | |
971 | 0x00020208L, 0x00000008L, 0x08020008L, 0x00020200L }; | |
972 | ||
973 | static uint32_t SP4[64] = { | |
974 | 0x00802001L, 0x00002081L, 0x00002081L, 0x00000080L, | |
975 | 0x00802080L, 0x00800081L, 0x00800001L, 0x00002001L, | |
976 | 0x00000000L, 0x00802000L, 0x00802000L, 0x00802081L, | |
977 | 0x00000081L, 0x00000000L, 0x00800080L, 0x00800001L, | |
978 | 0x00000001L, 0x00002000L, 0x00800000L, 0x00802001L, | |
979 | 0x00000080L, 0x00800000L, 0x00002001L, 0x00002080L, | |
980 | 0x00800081L, 0x00000001L, 0x00002080L, 0x00800080L, | |
981 | 0x00002000L, 0x00802080L, 0x00802081L, 0x00000081L, | |
982 | 0x00800080L, 0x00800001L, 0x00802000L, 0x00802081L, | |
983 | 0x00000081L, 0x00000000L, 0x00000000L, 0x00802000L, | |
984 | 0x00002080L, 0x00800080L, 0x00800081L, 0x00000001L, | |
985 | 0x00802001L, 0x00002081L, 0x00002081L, 0x00000080L, | |
986 | 0x00802081L, 0x00000081L, 0x00000001L, 0x00002000L, | |
987 | 0x00800001L, 0x00002001L, 0x00802080L, 0x00800081L, | |
988 | 0x00002001L, 0x00002080L, 0x00800000L, 0x00802001L, | |
989 | 0x00000080L, 0x00800000L, 0x00002000L, 0x00802080L }; | |
990 | ||
991 | static uint32_t SP5[64] = { | |
992 | 0x00000100L, 0x02080100L, 0x02080000L, 0x42000100L, | |
993 | 0x00080000L, 0x00000100L, 0x40000000L, 0x02080000L, | |
994 | 0x40080100L, 0x00080000L, 0x02000100L, 0x40080100L, | |
995 | 0x42000100L, 0x42080000L, 0x00080100L, 0x40000000L, | |
996 | 0x02000000L, 0x40080000L, 0x40080000L, 0x00000000L, | |
997 | 0x40000100L, 0x42080100L, 0x42080100L, 0x02000100L, | |
998 | 0x42080000L, 0x40000100L, 0x00000000L, 0x42000000L, | |
999 | 0x02080100L, 0x02000000L, 0x42000000L, 0x00080100L, | |
1000 | 0x00080000L, 0x42000100L, 0x00000100L, 0x02000000L, | |
1001 | 0x40000000L, 0x02080000L, 0x42000100L, 0x40080100L, | |
1002 | 0x02000100L, 0x40000000L, 0x42080000L, 0x02080100L, | |
1003 | 0x40080100L, 0x00000100L, 0x02000000L, 0x42080000L, | |
1004 | 0x42080100L, 0x00080100L, 0x42000000L, 0x42080100L, | |
1005 | 0x02080000L, 0x00000000L, 0x40080000L, 0x42000000L, | |
1006 | 0x00080100L, 0x02000100L, 0x40000100L, 0x00080000L, | |
1007 | 0x00000000L, 0x40080000L, 0x02080100L, 0x40000100L }; | |
1008 | ||
1009 | static uint32_t SP6[64] = { | |
1010 | 0x20000010L, 0x20400000L, 0x00004000L, 0x20404010L, | |
1011 | 0x20400000L, 0x00000010L, 0x20404010L, 0x00400000L, | |
1012 | 0x20004000L, 0x00404010L, 0x00400000L, 0x20000010L, | |
1013 | 0x00400010L, 0x20004000L, 0x20000000L, 0x00004010L, | |
1014 | 0x00000000L, 0x00400010L, 0x20004010L, 0x00004000L, | |
1015 | 0x00404000L, 0x20004010L, 0x00000010L, 0x20400010L, | |
1016 | 0x20400010L, 0x00000000L, 0x00404010L, 0x20404000L, | |
1017 | 0x00004010L, 0x00404000L, 0x20404000L, 0x20000000L, | |
1018 | 0x20004000L, 0x00000010L, 0x20400010L, 0x00404000L, | |
1019 | 0x20404010L, 0x00400000L, 0x00004010L, 0x20000010L, | |
1020 | 0x00400000L, 0x20004000L, 0x20000000L, 0x00004010L, | |
1021 | 0x20000010L, 0x20404010L, 0x00404000L, 0x20400000L, | |
1022 | 0x00404010L, 0x20404000L, 0x00000000L, 0x20400010L, | |
1023 | 0x00000010L, 0x00004000L, 0x20400000L, 0x00404010L, | |
1024 | 0x00004000L, 0x00400010L, 0x20004010L, 0x00000000L, | |
1025 | 0x20404000L, 0x20000000L, 0x00400010L, 0x20004010L }; | |
1026 | ||
1027 | static uint32_t SP7[64] = { | |
1028 | 0x00200000L, 0x04200002L, 0x04000802L, 0x00000000L, | |
1029 | 0x00000800L, 0x04000802L, 0x00200802L, 0x04200800L, | |
1030 | 0x04200802L, 0x00200000L, 0x00000000L, 0x04000002L, | |
1031 | 0x00000002L, 0x04000000L, 0x04200002L, 0x00000802L, | |
1032 | 0x04000800L, 0x00200802L, 0x00200002L, 0x04000800L, | |
1033 | 0x04000002L, 0x04200000L, 0x04200800L, 0x00200002L, | |
1034 | 0x04200000L, 0x00000800L, 0x00000802L, 0x04200802L, | |
1035 | 0x00200800L, 0x00000002L, 0x04000000L, 0x00200800L, | |
1036 | 0x04000000L, 0x00200800L, 0x00200000L, 0x04000802L, | |
1037 | 0x04000802L, 0x04200002L, 0x04200002L, 0x00000002L, | |
1038 | 0x00200002L, 0x04000000L, 0x04000800L, 0x00200000L, | |
1039 | 0x04200800L, 0x00000802L, 0x00200802L, 0x04200800L, | |
1040 | 0x00000802L, 0x04000002L, 0x04200802L, 0x04200000L, | |
1041 | 0x00200800L, 0x00000000L, 0x00000002L, 0x04200802L, | |
1042 | 0x00000000L, 0x00200802L, 0x04200000L, 0x00000800L, | |
1043 | 0x04000002L, 0x04000800L, 0x00000800L, 0x00200002L }; | |
1044 | ||
1045 | static uint32_t SP8[64] = { | |
1046 | 0x10001040L, 0x00001000L, 0x00040000L, 0x10041040L, | |
1047 | 0x10000000L, 0x10001040L, 0x00000040L, 0x10000000L, | |
1048 | 0x00040040L, 0x10040000L, 0x10041040L, 0x00041000L, | |
1049 | 0x10041000L, 0x00041040L, 0x00001000L, 0x00000040L, | |
1050 | 0x10040000L, 0x10000040L, 0x10001000L, 0x00001040L, | |
1051 | 0x00041000L, 0x00040040L, 0x10040040L, 0x10041000L, | |
1052 | 0x00001040L, 0x00000000L, 0x00000000L, 0x10040040L, | |
1053 | 0x10000040L, 0x10001000L, 0x00041040L, 0x00040000L, | |
1054 | 0x00041040L, 0x00040000L, 0x10041000L, 0x00001000L, | |
1055 | 0x00000040L, 0x10040040L, 0x00001000L, 0x00041040L, | |
1056 | 0x10001000L, 0x00000040L, 0x10000040L, 0x10040000L, | |
1057 | 0x10040040L, 0x10000000L, 0x00040000L, 0x10001040L, | |
1058 | 0x00000000L, 0x10041040L, 0x00040040L, 0x10000040L, | |
1059 | 0x10040000L, 0x10001000L, 0x10001040L, 0x00000000L, | |
1060 | 0x10041040L, 0x00041000L, 0x00041000L, 0x00001040L, | |
1061 | 0x00001040L, 0x00040040L, 0x10000000L, 0x10041000L }; | |
1062 | ||
1063 | static void | |
1064 | IP(uint32_t v[2]) | |
1065 | { | |
1066 | uint32_t work; | |
1067 | ||
1068 | work = ((v[0] >> 4) ^ v[1]) & 0x0f0f0f0fL; | |
1069 | v[1] ^= work; | |
1070 | v[0] ^= (work << 4); | |
1071 | work = ((v[0] >> 16) ^ v[1]) & 0x0000ffffL; | |
1072 | v[1] ^= work; | |
1073 | v[0] ^= (work << 16); | |
1074 | work = ((v[1] >> 2) ^ v[0]) & 0x33333333L; | |
1075 | v[0] ^= work; | |
1076 | v[1] ^= (work << 2); | |
1077 | work = ((v[1] >> 8) ^ v[0]) & 0x00ff00ffL; | |
1078 | v[0] ^= work; | |
1079 | v[1] ^= (work << 8); | |
1080 | v[1] = ((v[1] << 1) | ((v[1] >> 31) & 1L)) & 0xffffffffL; | |
1081 | work = (v[0] ^ v[1]) & 0xaaaaaaaaL; | |
1082 | v[0] ^= work; | |
1083 | v[1] ^= work; | |
1084 | v[0] = ((v[0] << 1) | ((v[0] >> 31) & 1L)) & 0xffffffffL; | |
1085 | } | |
1086 | ||
1087 | static void | |
1088 | FP(uint32_t v[2]) | |
1089 | { | |
1090 | uint32_t work; | |
1091 | ||
1092 | v[0] = (v[0] << 31) | (v[0] >> 1); | |
1093 | work = (v[1] ^ v[0]) & 0xaaaaaaaaL; | |
1094 | v[1] ^= work; | |
1095 | v[0] ^= work; | |
1096 | v[1] = (v[1] << 31) | (v[1] >> 1); | |
1097 | work = ((v[1] >> 8) ^ v[0]) & 0x00ff00ffL; | |
1098 | v[0] ^= work; | |
1099 | v[1] ^= (work << 8); | |
1100 | work = ((v[1] >> 2) ^ v[0]) & 0x33333333L; | |
1101 | v[0] ^= work; | |
1102 | v[1] ^= (work << 2); | |
1103 | work = ((v[0] >> 16) ^ v[1]) & 0x0000ffffL; | |
1104 | v[1] ^= work; | |
1105 | v[0] ^= (work << 16); | |
1106 | work = ((v[0] >> 4) ^ v[1]) & 0x0f0f0f0fL; | |
1107 | v[1] ^= work; | |
1108 | v[0] ^= (work << 4); | |
1109 | } | |
1110 | ||
1111 | static void | |
1112 | desx(uint32_t block[2], DES_key_schedule *ks, int encp) | |
1113 | { | |
1114 | uint32_t *keys; | |
1115 | uint32_t fval, work, right, left; | |
1116 | int round; | |
1117 | ||
1118 | left = block[0]; | |
1119 | right = block[1]; | |
1120 | ||
1121 | if (encp) { | |
1122 | keys = &ks->ks[0]; | |
1123 | ||
1124 | for( round = 0; round < 8; round++ ) { | |
1125 | work = (right << 28) | (right >> 4); | |
1126 | work ^= *keys++; | |
1127 | fval = SP7[ work & 0x3fL]; | |
1128 | fval |= SP5[(work >> 8) & 0x3fL]; | |
1129 | fval |= SP3[(work >> 16) & 0x3fL]; | |
1130 | fval |= SP1[(work >> 24) & 0x3fL]; | |
1131 | work = right ^ *keys++; | |
1132 | fval |= SP8[ work & 0x3fL]; | |
1133 | fval |= SP6[(work >> 8) & 0x3fL]; | |
1134 | fval |= SP4[(work >> 16) & 0x3fL]; | |
1135 | fval |= SP2[(work >> 24) & 0x3fL]; | |
1136 | left ^= fval; | |
1137 | work = (left << 28) | (left >> 4); | |
1138 | work ^= *keys++; | |
1139 | fval = SP7[ work & 0x3fL]; | |
1140 | fval |= SP5[(work >> 8) & 0x3fL]; | |
1141 | fval |= SP3[(work >> 16) & 0x3fL]; | |
1142 | fval |= SP1[(work >> 24) & 0x3fL]; | |
1143 | work = left ^ *keys++; | |
1144 | fval |= SP8[ work & 0x3fL]; | |
1145 | fval |= SP6[(work >> 8) & 0x3fL]; | |
1146 | fval |= SP4[(work >> 16) & 0x3fL]; | |
1147 | fval |= SP2[(work >> 24) & 0x3fL]; | |
1148 | right ^= fval; | |
1149 | } | |
1150 | } else { | |
1151 | keys = &ks->ks[30]; | |
1152 | ||
1153 | for( round = 0; round < 8; round++ ) { | |
1154 | work = (right << 28) | (right >> 4); | |
1155 | work ^= *keys++; | |
1156 | fval = SP7[ work & 0x3fL]; | |
1157 | fval |= SP5[(work >> 8) & 0x3fL]; | |
1158 | fval |= SP3[(work >> 16) & 0x3fL]; | |
1159 | fval |= SP1[(work >> 24) & 0x3fL]; | |
1160 | work = right ^ *keys++; | |
1161 | fval |= SP8[ work & 0x3fL]; | |
1162 | fval |= SP6[(work >> 8) & 0x3fL]; | |
1163 | fval |= SP4[(work >> 16) & 0x3fL]; | |
1164 | fval |= SP2[(work >> 24) & 0x3fL]; | |
1165 | left ^= fval; | |
1166 | work = (left << 28) | (left >> 4); | |
1167 | keys -= 4; | |
1168 | work ^= *keys++; | |
1169 | fval = SP7[ work & 0x3fL]; | |
1170 | fval |= SP5[(work >> 8) & 0x3fL]; | |
1171 | fval |= SP3[(work >> 16) & 0x3fL]; | |
1172 | fval |= SP1[(work >> 24) & 0x3fL]; | |
1173 | work = left ^ *keys++; | |
1174 | fval |= SP8[ work & 0x3fL]; | |
1175 | fval |= SP6[(work >> 8) & 0x3fL]; | |
1176 | fval |= SP4[(work >> 16) & 0x3fL]; | |
1177 | fval |= SP2[(work >> 24) & 0x3fL]; | |
1178 | right ^= fval; | |
1179 | keys -= 4; | |
1180 | } | |
1181 | } | |
1182 | block[0] = right; | |
1183 | block[1] = left; | |
1184 | } |