[thirdparty/nettle.git] / des.c

/* des.c

   The des block cipher.

   Copyright (C) 2001, 2010 Niels Möller
   Copyright (C) 1992  Dana L. How

   This file is part of GNU Nettle.

   GNU Nettle is free software: you can redistribute it and/or
   modify it under the terms of either:

     * the GNU Lesser General Public License as published by the Free
       Software Foundation; either version 3 of the License, or (at your
       option) any later version.

   or

     * the GNU General Public License as published by the Free
       Software Foundation; either version 2 of the License, or (at your
       option) any later version.

   or both in parallel, as here.

   GNU Nettle is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
   General Public License for more details.

   You should have received copies of the GNU General Public License and
   the GNU Lesser General Public License along with this program.  If
   not, see http://www.gnu.org/licenses/.
*/

/*	des - fast & portable DES encryption & decryption.
 *	Copyright (C) 1992  Dana L. How
 *	Please see the file `descore.README' for the complete copyright notice.
 */

#if HAVE_CONFIG_H
# include "config.h"
#endif

#include <assert.h>

#include "des.h"

#include "desCode.h"

/* various tables */

static const uint32_t
des_keymap[] = {
#include	"keymap.h"
};

static const uint8_t
rotors[] = {
#include	"rotors.h"
};

static ENCRYPT(DesSmallFipsEncrypt,TEMPSMALL, LOADFIPS,KEYMAPSMALL,SAVEFIPS)
static DECRYPT(DesSmallFipsDecrypt,TEMPSMALL, LOADFIPS,KEYMAPSMALL,SAVEFIPS)

/* If parity bits are used, keys should have odd parity. We use a
   small table, to not waste any memory on this fairly obscure DES
   feature. */

static const unsigned
parity_16[16] =
{ 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0 };

#define PARITY(x) (parity_16[(x)&0xf] ^ parity_16[((x)>>4) & 0xf])

int
des_check_parity(size_t length, const uint8_t *key)
{
  size_t i;
  for (i = 0; i<length; i++)
    if (!PARITY(key[i]))
      return 0;

  return 1;
}

void
des_fix_parity(size_t length, uint8_t *dst,
	       const uint8_t *src)
{
  size_t i;
  for (i = 0; i<length; i++)
    dst[i] = src[i] ^ PARITY(src[i]) ^ 1;
}

/* Weak and semiweak keys, excluding parity:
 *
 * 00 00 00 00  00 00 00 00
 * 7f 7f 7f 7f  7f 7f 7f 7f 
 * 0f 0f 0f 0f  07 07 07 07
 * 70 70 70 70  78 78 78 78
 *
 * 00 7f 00 7f  00 7f 00 7f
 * 7f 00 7f 00  7f 00 7f 00
 *
 * 0f 70 0f 70  07 78 07 78
 * 70 0f 70 0f  78 07 78 07
 *
 * 00 70 00 70  00 78 00 78
 * 70 00 70 00  78 00 78 00
 *
 * 0f 7f 0f 7f  07 7f 07 7f
 * 7f 0f 7f 0f  7f 07 7f 07
 *
 * 00 0f 00 0f  00 07 00 07
 * 0f 00 0f 00  07 00 07 00
 *
 * 70 7f 70 7f  78 7f 78 7f
 * 7f 70 7f 70  7f 78 7f 78
 */

static int
des_weak_p(const uint8_t *key)
{
  /* Hash function generated using gperf. */
  static const unsigned char asso_values[0x81] =
    {
      16,  9, 26, 26, 26, 26, 26, 26, 26, 26,
      26, 26, 26, 26, 26,  6,  2, 26, 26, 26,
      26, 26, 26, 26, 26, 26, 26, 26, 26, 26,
      26, 26, 26, 26, 26, 26, 26, 26, 26, 26,
      26, 26, 26, 26, 26, 26, 26, 26, 26, 26,
      26, 26, 26, 26, 26, 26, 26, 26, 26, 26,
      26, 26, 26, 26, 26, 26, 26, 26, 26, 26,
      26, 26, 26, 26, 26, 26, 26, 26, 26, 26,
      26, 26, 26, 26, 26, 26, 26, 26, 26, 26,
      26, 26, 26, 26, 26, 26, 26, 26, 26, 26,
      26, 26, 26, 26, 26, 26, 26, 26, 26, 26,
      26, 26,  3,  1, 26, 26, 26, 26, 26, 26,
      26, 26, 26, 26, 26, 26, 26,  0,  0
    };

  static const int8_t weak_key_hash[26][4] =
    {
      /*  0 */ {0x7f,0x7f, 0x7f,0x7f},
      /*  1 */ {0x7f,0x70, 0x7f,0x78},
      /*  2 */ {0x7f,0x0f, 0x7f,0x07},
      /*  3 */ {0x70,0x7f, 0x78,0x7f},
      /*  4 */ {0x70,0x70, 0x78,0x78},
      /*  5 */ {0x70,0x0f, 0x78,0x07},
      /*  6 */ {0x0f,0x7f, 0x07,0x7f},
      /*  7 */ {0x0f,0x70, 0x07,0x78},
      /*  8 */ {0x0f,0x0f, 0x07,0x07},
      /*  9 */ {0x7f,0x00, 0x7f,0x00},
      /* 10 */ {-1,-1,-1,-1},
      /* 11 */ {-1,-1,-1,-1},
      /* 12 */ {0x70,0x00, 0x78,0x00},
      /* 13 */ {-1,-1,-1,-1},
      /* 14 */ {-1,-1,-1,-1},
      /* 15 */ {0x0f,0x00, 0x07,0x00},
      /* 16 */ {0x00,0x7f, 0x00,0x7f},
      /* 17 */ {0x00,0x70, 0x00,0x78},
      /* 18 */ {0x00,0x0f, 0x00,0x07},
      /* 19 */ {-1,-1,-1,-1},
      /* 20 */ {-1,-1,-1,-1},
      /* 21 */ {-1,-1,-1,-1},
      /* 22 */ {-1,-1,-1,-1},
      /* 23 */ {-1,-1,-1,-1},
      /* 24 */ {-1,-1,-1,-1},
      /* 25 */ {0x00,0x00, 0x00,0x00}
    };

  int8_t k0 = key[0] >> 1;
  int8_t k1 = key[1] >> 1;

  unsigned hash = asso_values[k1 + 1] + asso_values[k0];
  const int8_t *candidate;

  if (hash > 25)
    return 0;

  candidate = weak_key_hash[hash];

  if (k0 != candidate[0]
      || k1 != candidate[1])
    return 0;
  
  if ( (key[2] >> 1) != k0
       || (key[3] >> 1) != k1)
    return 0;

  k0 = key[4] >> 1;
  k1 = key[5] >> 1;
  if (k0 != candidate[2]
      || k1 != candidate[3])
    return 0;
  if ( (key[6] >> 1) != k0
       || (key[7] >> 1) != k1)
    return 0;

  return 1;
}

int
des_set_key(struct des_ctx *ctx, const uint8_t *key)
{
  register uint32_t n, w;
  register char * b0, * b1;
  char bits0[56], bits1[56];
  uint32_t *method;
  const uint8_t *k;

  /* explode the bits */
  n = 56;
  b0 = bits0;
  b1 = bits1;
  k = key;
  do {
    w = (256 | *k++) << 2;
    do {
      --n;
      b1[n] = 8 & w;
      w >>= 1;
      b0[n] = 4 & w;
    } while ( w >= 16 );
  } while ( n );

  /* put the bits in the correct places */
  n = 16;
  k = rotors;
  method = ctx->key;
  
  do {
    w   = (b1[k[ 0   ]] | b0[k[ 1   ]]) << 4;
    w  |= (b1[k[ 2   ]] | b0[k[ 3   ]]) << 2;
    w  |=  b1[k[ 4   ]] | b0[k[ 5   ]];
    w <<= 8;
    w  |= (b1[k[ 6   ]] | b0[k[ 7   ]]) << 4;
    w  |= (b1[k[ 8   ]] | b0[k[ 9   ]]) << 2;
    w  |=  b1[k[10   ]] | b0[k[11   ]];
    w <<= 8;
    w  |= (b1[k[12   ]] | b0[k[13   ]]) << 4;
    w  |= (b1[k[14   ]] | b0[k[15   ]]) << 2;
    w  |=  b1[k[16   ]] | b0[k[17   ]];
    w <<= 8;
    w  |= (b1[k[18   ]] | b0[k[19   ]]) << 4;
    w  |= (b1[k[20   ]] | b0[k[21   ]]) << 2;
    w  |=  b1[k[22   ]] | b0[k[23   ]];

    method[0] = w;

    w   = (b1[k[ 0+24]] | b0[k[ 1+24]]) << 4;
    w  |= (b1[k[ 2+24]] | b0[k[ 3+24]]) << 2;
    w  |=  b1[k[ 4+24]] | b0[k[ 5+24]];
    w <<= 8;
    w  |= (b1[k[ 6+24]] | b0[k[ 7+24]]) << 4;
    w  |= (b1[k[ 8+24]] | b0[k[ 9+24]]) << 2;
    w  |=  b1[k[10+24]] | b0[k[11+24]];
    w <<= 8;
    w  |= (b1[k[12+24]] | b0[k[13+24]]) << 4;
    w  |= (b1[k[14+24]] | b0[k[15+24]]) << 2;
    w  |=  b1[k[16+24]] | b0[k[17+24]];
    w <<= 8;
    w  |= (b1[k[18+24]] | b0[k[19+24]]) << 4;
    w  |= (b1[k[20+24]] | b0[k[21+24]]) << 2;
    w  |=  b1[k[22+24]] | b0[k[23+24]];

    ROR(w, 4, 28);		/* could be eliminated */
    method[1] = w;

    k	+= 48;
    method	+= 2;
  } while ( --n );

  return !des_weak_p (key);
}

void
des_encrypt(const struct des_ctx *ctx,
	    size_t length, uint8_t *dst,
	    const uint8_t *src)
{
  assert(!(length % DES_BLOCK_SIZE));
  
  while (length)
    {
      DesSmallFipsEncrypt(dst, ctx->key, src);
      length -= DES_BLOCK_SIZE;
      src += DES_BLOCK_SIZE;
      dst += DES_BLOCK_SIZE;
    }
}

void
des_decrypt(const struct des_ctx *ctx,
	    size_t length, uint8_t *dst,
	    const uint8_t *src)
{
  assert(!(length % DES_BLOCK_SIZE));

  while (length)
    {
      DesSmallFipsDecrypt(dst, ctx->key, src);
      length -= DES_BLOCK_SIZE;
      src += DES_BLOCK_SIZE;
      dst += DES_BLOCK_SIZE;
    }
}
Commit	Line	Data
e62872fa	1	/* des.c
e62872fa	2
90112edb NM	3	The des block cipher.
	4
	5	Copyright (C) 2001, 2010 Niels Möller
	6	Copyright (C) 1992 Dana L. How
	7
	8	This file is part of GNU Nettle.
	9
	10	GNU Nettle is free software: you can redistribute it and/or
	11	modify it under the terms of either:
	12
	13	* the GNU Lesser General Public License as published by the Free
	14	Software Foundation; either version 3 of the License, or (at your
	15	option) any later version.
	16
	17	or
	18
	19	* the GNU General Public License as published by the Free
	20	Software Foundation; either version 2 of the License, or (at your
	21	option) any later version.
	22
	23	or both in parallel, as here.
	24
	25	GNU Nettle is distributed in the hope that it will be useful,
	26	but WITHOUT ANY WARRANTY; without even the implied warranty of
	27	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	28	General Public License for more details.
	29
	30	You should have received copies of the GNU General Public License and
	31	the GNU Lesser General Public License along with this program. If
	32	not, see http://www.gnu.org/licenses/.
	33	*/
e62872fa NM	34
	35	/* des - fast & portable DES encryption & decryption.
	36	* Copyright (C) 1992 Dana L. How
	37	* Please see the file `descore.README' for the complete copyright notice.
	38	*/
	39
c5c15385 NM	40	#if HAVE_CONFIG_H
	41	# include "config.h"
	42	#endif
	43
	44	#include <assert.h>
	45
e62872fa NM	46	#include "des.h"
	47
	48	#include "desCode.h"
	49
e62872fa NM	50	/* various tables */
e62872fa NM	51
b9d18b83 NM	52	static const uint32_t
b9d18b83 NM	53	des_keymap[] = {
e62872fa NM	54	#include "keymap.h"
	55	};
	56
b9d18b83 NM	57	static const uint8_t
b9d18b83 NM	58	rotors[] = {
e62872fa NM	59	#include "rotors.h"
e62872fa NM	60	};
b9d18b83	61
572c75fe NM	62	static ENCRYPT(DesSmallFipsEncrypt,TEMPSMALL, LOADFIPS,KEYMAPSMALL,SAVEFIPS)
	63	static DECRYPT(DesSmallFipsDecrypt,TEMPSMALL, LOADFIPS,KEYMAPSMALL,SAVEFIPS)
	64
26cf3cef NM	65	/* If parity bits are used, keys should have odd parity. We use a
	66	small table, to not waste any memory on this fairly obscure DES
	67	feature. */
	68
	69	static const unsigned
	70	parity_16[16] =
	71	{ 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0 };
	72
	73	#define PARITY(x) (parity_16[(x)&0xf] ^ parity_16[((x)>>4) & 0xf])
	74
	75	int
3eb603d0	76	des_check_parity(size_t length, const uint8_t *key)
26cf3cef	77	{
3eb603d0	78	size_t i;
26cf3cef NM	79	for (i = 0; i<length; i++)
	80	if (!PARITY(key[i]))
	81	return 0;
	82
	83	return 1;
	84	}
	85
7e12e96e	86	void
3eb603d0	87	des_fix_parity(size_t length, uint8_t *dst,
7e12e96e NM	88	const uint8_t *src)
7e12e96e NM	89	{
3eb603d0	90	size_t i;
7e12e96e	91	for (i = 0; i<length; i++)
26cf3cef NM	92	dst[i] = src[i] ^ PARITY(src[i]) ^ 1;
	93	}
	94
	95	/* Weak and semiweak keys, excluding parity:
	96	*
	97	* 00 00 00 00 00 00 00 00
	98	* 7f 7f 7f 7f 7f 7f 7f 7f
	99	* 0f 0f 0f 0f 07 07 07 07
	100	* 70 70 70 70 78 78 78 78
	101	*
	102	* 00 7f 00 7f 00 7f 00 7f
	103	* 7f 00 7f 00 7f 00 7f 00
	104	*
	105	* 0f 70 0f 70 07 78 07 78
	106	* 70 0f 70 0f 78 07 78 07
	107	*
	108	* 00 70 00 70 00 78 00 78
	109	* 70 00 70 00 78 00 78 00
	110	*
	111	* 0f 7f 0f 7f 07 7f 07 7f
	112	* 7f 0f 7f 0f 7f 07 7f 07
	113	*
	114	* 00 0f 00 0f 00 07 00 07
	115	* 0f 00 0f 00 07 00 07 00
	116	*
	117	* 70 7f 70 7f 78 7f 78 7f
	118	* 7f 70 7f 70 7f 78 7f 78
	119	*/
	120
	121	static int
	122	des_weak_p(const uint8_t *key)
	123	{
	124	/* Hash function generated using gperf. */
	125	static const unsigned char asso_values[0x81] =
	126	{
	127	16, 9, 26, 26, 26, 26, 26, 26, 26, 26,
	128	26, 26, 26, 26, 26, 6, 2, 26, 26, 26,
	129	26, 26, 26, 26, 26, 26, 26, 26, 26, 26,
	130	26, 26, 26, 26, 26, 26, 26, 26, 26, 26,
	131	26, 26, 26, 26, 26, 26, 26, 26, 26, 26,
	132	26, 26, 26, 26, 26, 26, 26, 26, 26, 26,
	133	26, 26, 26, 26, 26, 26, 26, 26, 26, 26,
	134	26, 26, 26, 26, 26, 26, 26, 26, 26, 26,
	135	26, 26, 26, 26, 26, 26, 26, 26, 26, 26,
	136	26, 26, 26, 26, 26, 26, 26, 26, 26, 26,
	137	26, 26, 26, 26, 26, 26, 26, 26, 26, 26,
	138	26, 26, 3, 1, 26, 26, 26, 26, 26, 26,
	139	26, 26, 26, 26, 26, 26, 26, 0, 0
	140	};
	141
	142	static const int8_t weak_key_hash[26][4] =
	143	{
	144	/* 0 */ {0x7f,0x7f, 0x7f,0x7f},
	145	/* 1 */ {0x7f,0x70, 0x7f,0x78},
	146	/* 2 */ {0x7f,0x0f, 0x7f,0x07},
	147	/* 3 */ {0x70,0x7f, 0x78,0x7f},
	148	/* 4 */ {0x70,0x70, 0x78,0x78},
	149	/* 5 */ {0x70,0x0f, 0x78,0x07},
	150	/* 6 */ {0x0f,0x7f, 0x07,0x7f},
	151	/* 7 */ {0x0f,0x70, 0x07,0x78},
	152	/* 8 */ {0x0f,0x0f, 0x07,0x07},
	153	/* 9 */ {0x7f,0x00, 0x7f,0x00},
	154	/* 10 */ {-1,-1,-1,-1},
	155	/* 11 */ {-1,-1,-1,-1},
156	/* 12 */ {0x70,0x00, 0x78,0x00},
157	/* 13 */ {-1,-1,-1,-1},
158	/* 14 */ {-1,-1,-1,-1},
159	/* 15 */ {0x0f,0x00, 0x07,0x00},
160	/* 16 */ {0x00,0x7f, 0x00,0x7f},
161	/* 17 */ {0x00,0x70, 0x00,0x78},
162	/* 18 */ {0x00,0x0f, 0x00,0x07},
163	/* 19 */ {-1,-1,-1,-1},
164	/* 20 */ {-1,-1,-1,-1},
165	/* 21 */ {-1,-1,-1,-1},
166	/* 22 */ {-1,-1,-1,-1},
167	/* 23 */ {-1,-1,-1,-1},
168	/* 24 */ {-1,-1,-1,-1},
169	/* 25 */ {0x00,0x00, 0x00,0x00}
170	};
171
172	int8_t k0 = key[0] >> 1;
173	int8_t k1 = key[1] >> 1;
174
175	unsigned hash = asso_values[k1 + 1] + asso_values[k0];
45a19a4b	176	const int8_t *candidate;
26cf3cef NM	177
	178	if (hash > 25)
	179	return 0;
45a19a4b NM	180
	181	candidate = weak_key_hash[hash];
	182
26cf3cef NM	183	if (k0 != candidate[0]
	184	\|\| k1 != candidate[1])
	185	return 0;
	186
	187	if ( (key[2] >> 1) != k0
	188	\|\| (key[3] >> 1) != k1)
	189	return 0;
	190
	191	k0 = key[4] >> 1;
	192	k1 = key[5] >> 1;
	193	if (k0 != candidate[2]
	194	\|\| k1 != candidate[3])
	195	return 0;
	196	if ( (key[6] >> 1) != k0
	197	\|\| (key[7] >> 1) != k1)
	198	return 0;
	199
	200	return 1;
7e12e96e NM	201	}
7e12e96e NM	202
e62872fa NM	203	int
	204	des_set_key(struct des_ctx ctx, const uint8_t key)
	205	{
	206	register uint32_t n, w;
	207	register char * b0, * b1;
	208	char bits0[56], bits1[56];
	209	uint32_t *method;
b9d18b83	210	const uint8_t *k;
ba675b01	211
e62872fa NM	212	/* explode the bits */
	213	n = 56;
	214	b0 = bits0;
	215	b1 = bits1;
e907011a	216	k = key;
e62872fa	217	do {
e907011a	218	w = (256 \| *k++) << 2;
e62872fa NM	219	do {
	220	--n;
	221	b1[n] = 8 & w;
	222	w >>= 1;
	223	b0[n] = 4 & w;
	224	} while ( w >= 16 );
	225	} while ( n );
	226
	227	/* put the bits in the correct places */
	228	n = 16;
	229	k = rotors;
	230	method = ctx->key;
	231
	232	do {
	233	w = (b1[k[ 0 ]] \| b0[k[ 1 ]]) << 4;
	234	w \|= (b1[k[ 2 ]] \| b0[k[ 3 ]]) << 2;
	235	w \|= b1[k[ 4 ]] \| b0[k[ 5 ]];
	236	w <<= 8;
	237	w \|= (b1[k[ 6 ]] \| b0[k[ 7 ]]) << 4;
	238	w \|= (b1[k[ 8 ]] \| b0[k[ 9 ]]) << 2;
	239	w \|= b1[k[10 ]] \| b0[k[11 ]];
	240	w <<= 8;
	241	w \|= (b1[k[12 ]] \| b0[k[13 ]]) << 4;
	242	w \|= (b1[k[14 ]] \| b0[k[15 ]]) << 2;
	243	w \|= b1[k[16 ]] \| b0[k[17 ]];
	244	w <<= 8;
	245	w \|= (b1[k[18 ]] \| b0[k[19 ]]) << 4;
	246	w \|= (b1[k[20 ]] \| b0[k[21 ]]) << 2;
	247	w \|= b1[k[22 ]] \| b0[k[23 ]];
	248
	249	method[0] = w;
	250
	251	w = (b1[k[ 0+24]] \| b0[k[ 1+24]]) << 4;
	252	w \|= (b1[k[ 2+24]] \| b0[k[ 3+24]]) << 2;
	253	w \|= b1[k[ 4+24]] \| b0[k[ 5+24]];
	254	w <<= 8;
	255	w \|= (b1[k[ 6+24]] \| b0[k[ 7+24]]) << 4;
	256	w \|= (b1[k[ 8+24]] \| b0[k[ 9+24]]) << 2;
	257	w \|= b1[k[10+24]] \| b0[k[11+24]];
	258	w <<= 8;
	259	w \|= (b1[k[12+24]] \| b0[k[13+24]]) << 4;
	260	w \|= (b1[k[14+24]] \| b0[k[15+24]]) << 2;
	261	w \|= b1[k[16+24]] \| b0[k[17+24]];
	262	w <<= 8;
	263	w \|= (b1[k[18+24]] \| b0[k[19+24]]) << 4;
	264	w \|= (b1[k[20+24]] \| b0[k[21+24]]) << 2;
	265	w \|= b1[k[22+24]] \| b0[k[23+24]];
	266
	267	ROR(w, 4, 28); /* could be eliminated */
	268	method[1] = w;
	269
	270	k += 48;
	271	method += 2;
	272	} while ( --n );
	273
e907011a	274	return !des_weak_p (key);
e62872fa NM	275	}
	276
	277	void
a4fa0f78	278	des_encrypt(const struct des_ctx *ctx,
3eb603d0	279	size_t length, uint8_t *dst,
e62872fa NM	280	const uint8_t *src)
	281	{
	282	assert(!(length % DES_BLOCK_SIZE));
072dd6ef	283
e62872fa NM	284	while (length)
	285	{
	286	DesSmallFipsEncrypt(dst, ctx->key, src);
	287	length -= DES_BLOCK_SIZE;
	288	src += DES_BLOCK_SIZE;
	289	dst += DES_BLOCK_SIZE;
	290	}
	291	}
	292
	293	void
a4fa0f78	294	des_decrypt(const struct des_ctx *ctx,
3eb603d0	295	size_t length, uint8_t *dst,
e62872fa NM	296	const uint8_t *src)
	297	{
	298	assert(!(length % DES_BLOCK_SIZE));
	299
	300	while (length)
	301	{
	302	DesSmallFipsDecrypt(dst, ctx->key, src);
	303	length -= DES_BLOCK_SIZE;
	304	src += DES_BLOCK_SIZE;
	305	dst += DES_BLOCK_SIZE;
	306	}
	307	}