1
/* This file was automatically imported with
2
import_gcry.py. Please don't modify it */
3
/* des.c - DES and Triple-DES encryption/decryption Algorithm
4
* Copyright (C) 1998, 1999, 2001, 2002, 2003,
5
* 2008 Free Software Foundation, Inc.
7
* This file is part of Libgcrypt.
9
* Libgcrypt is free software; you can redistribute it and/or modify
10
* it under the terms of the GNU Lesser general Public License as
11
* published by the Free Software Foundation; either version 2.1 of
12
* the License, or (at your option) any later version.
14
* Libgcrypt is distributed in the hope that it will be useful,
15
* but WITHOUT ANY WARRANTY; without even the implied warranty of
16
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17
* GNU Lesser General Public License for more details.
19
* You should have received a copy of the GNU Lesser General Public
20
* License along with this program; if not, write to the Free Software
21
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
23
* For a description of triple encryption, see:
24
* Bruce Schneier: Applied Cryptography. Second Edition.
25
* John Wiley & Sons, 1996. ISBN 0-471-12845-7. Pages 358 ff.
26
* This implementation is according to the definition of DES in FIPS
27
* PUB 46-2 from December 1993.
32
* Written by Michael Roth <mroth@nessie.de>, September 1998
40
* For DES or Triple-DES encryption/decryption you must initialize a proper
41
* encryption context with a key.
43
* A DES key is 64bit wide but only 56bits of the key are used. The remaining
44
* bits are parity bits and they will _not_ checked in this implementation, but
47
* For Triple-DES you could use either two 64bit keys or three 64bit keys.
48
* The parity bits will _not_ checked, too.
50
* After initializing a context with a key you could use this context to
51
* encrypt or decrypt data in 64bit blocks in Electronic Codebook Mode.
53
* (In the examples below the slashes at the beginning and ending of comments
58
* unsigned char key[8];
59
* unsigned char plaintext[8];
60
* unsigned char ciphertext[8];
61
* unsigned char recoverd[8];
64
* * Fill 'key' and 'plaintext' with some data *
67
* * Set up the DES encryption context *
68
* des_setkey(context, key);
70
* * Encrypt the plaintext *
71
* des_ecb_encrypt(context, plaintext, ciphertext);
73
* * To recover the orginal plaintext from ciphertext use: *
74
* des_ecb_decrypt(context, ciphertext, recoverd);
79
* unsigned char key1[8];
80
* unsigned char key2[8];
81
* unsigned char key3[8];
82
* unsigned char plaintext[8];
83
* unsigned char ciphertext[8];
84
* unsigned char recoverd[8];
85
* tripledes_ctx context;
87
* * If you would like to use two 64bit keys, fill 'key1' and'key2'
88
* then setup the encryption context: *
89
* tripledes_set2keys(context, key1, key2);
91
* * To use three 64bit keys with Triple-DES use: *
92
* tripledes_set3keys(context, key1, key2, key3);
94
* * Encrypting plaintext with Triple-DES *
95
* tripledes_ecb_encrypt(context, plaintext, ciphertext);
97
* * Decrypting ciphertext to recover the plaintext with Triple-DES *
98
* tripledes_ecb_decrypt(context, ciphertext, recoverd);
105
* * To perform a selftest of this DES/Triple-DES implementation use the
106
* function selftest(). It will return an error string if there are
107
* some problems with this library. *
109
* if ( (error_msg = selftest()) )
111
* fprintf(stderr, "An error in the DES/Tripple-DES implementation occured: %s\n", error_msg);
117
#include "types.h" /* for byte and u32 typedefs */
121
#if defined(__GNUC__) && defined(__GNU_LIBRARY__)
122
#define working_memcmp memcmp
125
* According to the SunOS man page, memcmp returns indeterminate sign
126
* depending on whether characters are signed or not.
129
working_memcmp( const char *a, const char *b, size_t n )
131
for( ; n; n--, a++, b++ )
133
return (int)(*(byte*)a) - (int)(*(byte*)b);
139
* Encryption/Decryption context of DES
141
typedef struct _des_ctx
143
u32 encrypt_subkeys[32];
144
u32 decrypt_subkeys[32];
149
* Encryption/Decryption context of Triple-DES
151
typedef struct _tripledes_ctx
153
u32 encrypt_subkeys[96];
154
u32 decrypt_subkeys[96];
161
static void des_key_schedule (const byte *, u32 *);
162
static int des_setkey (struct _des_ctx *, const byte *);
163
static int des_ecb_crypt (struct _des_ctx *, const byte *, byte *, int);
164
static int tripledes_set3keys (struct _tripledes_ctx *,
165
const byte *, const byte *, const byte *);
166
static int tripledes_ecb_crypt (struct _tripledes_ctx *,
167
const byte *, byte *, int);
168
static int is_weak_key ( const byte *key );
170
static int initialized;
176
* The s-box values are permuted according to the 'primitive function P'
177
* and are rotated one bit to the left.
179
static u32 sbox1[64] =
181
0x01010400, 0x00000000, 0x00010000, 0x01010404, 0x01010004, 0x00010404, 0x00000004, 0x00010000,
182
0x00000400, 0x01010400, 0x01010404, 0x00000400, 0x01000404, 0x01010004, 0x01000000, 0x00000004,
183
0x00000404, 0x01000400, 0x01000400, 0x00010400, 0x00010400, 0x01010000, 0x01010000, 0x01000404,
184
0x00010004, 0x01000004, 0x01000004, 0x00010004, 0x00000000, 0x00000404, 0x00010404, 0x01000000,
185
0x00010000, 0x01010404, 0x00000004, 0x01010000, 0x01010400, 0x01000000, 0x01000000, 0x00000400,
186
0x01010004, 0x00010000, 0x00010400, 0x01000004, 0x00000400, 0x00000004, 0x01000404, 0x00010404,
187
0x01010404, 0x00010004, 0x01010000, 0x01000404, 0x01000004, 0x00000404, 0x00010404, 0x01010400,
188
0x00000404, 0x01000400, 0x01000400, 0x00000000, 0x00010004, 0x00010400, 0x00000000, 0x01010004
191
static u32 sbox2[64] =
193
0x80108020, 0x80008000, 0x00008000, 0x00108020, 0x00100000, 0x00000020, 0x80100020, 0x80008020,
194
0x80000020, 0x80108020, 0x80108000, 0x80000000, 0x80008000, 0x00100000, 0x00000020, 0x80100020,
195
0x00108000, 0x00100020, 0x80008020, 0x00000000, 0x80000000, 0x00008000, 0x00108020, 0x80100000,
196
0x00100020, 0x80000020, 0x00000000, 0x00108000, 0x00008020, 0x80108000, 0x80100000, 0x00008020,
197
0x00000000, 0x00108020, 0x80100020, 0x00100000, 0x80008020, 0x80100000, 0x80108000, 0x00008000,
198
0x80100000, 0x80008000, 0x00000020, 0x80108020, 0x00108020, 0x00000020, 0x00008000, 0x80000000,
199
0x00008020, 0x80108000, 0x00100000, 0x80000020, 0x00100020, 0x80008020, 0x80000020, 0x00100020,
200
0x00108000, 0x00000000, 0x80008000, 0x00008020, 0x80000000, 0x80100020, 0x80108020, 0x00108000
203
static u32 sbox3[64] =
205
0x00000208, 0x08020200, 0x00000000, 0x08020008, 0x08000200, 0x00000000, 0x00020208, 0x08000200,
206
0x00020008, 0x08000008, 0x08000008, 0x00020000, 0x08020208, 0x00020008, 0x08020000, 0x00000208,
207
0x08000000, 0x00000008, 0x08020200, 0x00000200, 0x00020200, 0x08020000, 0x08020008, 0x00020208,
208
0x08000208, 0x00020200, 0x00020000, 0x08000208, 0x00000008, 0x08020208, 0x00000200, 0x08000000,
209
0x08020200, 0x08000000, 0x00020008, 0x00000208, 0x00020000, 0x08020200, 0x08000200, 0x00000000,
210
0x00000200, 0x00020008, 0x08020208, 0x08000200, 0x08000008, 0x00000200, 0x00000000, 0x08020008,
211
0x08000208, 0x00020000, 0x08000000, 0x08020208, 0x00000008, 0x00020208, 0x00020200, 0x08000008,
212
0x08020000, 0x08000208, 0x00000208, 0x08020000, 0x00020208, 0x00000008, 0x08020008, 0x00020200
215
static u32 sbox4[64] =
217
0x00802001, 0x00002081, 0x00002081, 0x00000080, 0x00802080, 0x00800081, 0x00800001, 0x00002001,
218
0x00000000, 0x00802000, 0x00802000, 0x00802081, 0x00000081, 0x00000000, 0x00800080, 0x00800001,
219
0x00000001, 0x00002000, 0x00800000, 0x00802001, 0x00000080, 0x00800000, 0x00002001, 0x00002080,
220
0x00800081, 0x00000001, 0x00002080, 0x00800080, 0x00002000, 0x00802080, 0x00802081, 0x00000081,
221
0x00800080, 0x00800001, 0x00802000, 0x00802081, 0x00000081, 0x00000000, 0x00000000, 0x00802000,
222
0x00002080, 0x00800080, 0x00800081, 0x00000001, 0x00802001, 0x00002081, 0x00002081, 0x00000080,
223
0x00802081, 0x00000081, 0x00000001, 0x00002000, 0x00800001, 0x00002001, 0x00802080, 0x00800081,
224
0x00002001, 0x00002080, 0x00800000, 0x00802001, 0x00000080, 0x00800000, 0x00002000, 0x00802080
227
static u32 sbox5[64] =
229
0x00000100, 0x02080100, 0x02080000, 0x42000100, 0x00080000, 0x00000100, 0x40000000, 0x02080000,
230
0x40080100, 0x00080000, 0x02000100, 0x40080100, 0x42000100, 0x42080000, 0x00080100, 0x40000000,
231
0x02000000, 0x40080000, 0x40080000, 0x00000000, 0x40000100, 0x42080100, 0x42080100, 0x02000100,
232
0x42080000, 0x40000100, 0x00000000, 0x42000000, 0x02080100, 0x02000000, 0x42000000, 0x00080100,
233
0x00080000, 0x42000100, 0x00000100, 0x02000000, 0x40000000, 0x02080000, 0x42000100, 0x40080100,
234
0x02000100, 0x40000000, 0x42080000, 0x02080100, 0x40080100, 0x00000100, 0x02000000, 0x42080000,
235
0x42080100, 0x00080100, 0x42000000, 0x42080100, 0x02080000, 0x00000000, 0x40080000, 0x42000000,
236
0x00080100, 0x02000100, 0x40000100, 0x00080000, 0x00000000, 0x40080000, 0x02080100, 0x40000100
239
static u32 sbox6[64] =
241
0x20000010, 0x20400000, 0x00004000, 0x20404010, 0x20400000, 0x00000010, 0x20404010, 0x00400000,
242
0x20004000, 0x00404010, 0x00400000, 0x20000010, 0x00400010, 0x20004000, 0x20000000, 0x00004010,
243
0x00000000, 0x00400010, 0x20004010, 0x00004000, 0x00404000, 0x20004010, 0x00000010, 0x20400010,
244
0x20400010, 0x00000000, 0x00404010, 0x20404000, 0x00004010, 0x00404000, 0x20404000, 0x20000000,
245
0x20004000, 0x00000010, 0x20400010, 0x00404000, 0x20404010, 0x00400000, 0x00004010, 0x20000010,
246
0x00400000, 0x20004000, 0x20000000, 0x00004010, 0x20000010, 0x20404010, 0x00404000, 0x20400000,
247
0x00404010, 0x20404000, 0x00000000, 0x20400010, 0x00000010, 0x00004000, 0x20400000, 0x00404010,
248
0x00004000, 0x00400010, 0x20004010, 0x00000000, 0x20404000, 0x20000000, 0x00400010, 0x20004010
251
static u32 sbox7[64] =
253
0x00200000, 0x04200002, 0x04000802, 0x00000000, 0x00000800, 0x04000802, 0x00200802, 0x04200800,
254
0x04200802, 0x00200000, 0x00000000, 0x04000002, 0x00000002, 0x04000000, 0x04200002, 0x00000802,
255
0x04000800, 0x00200802, 0x00200002, 0x04000800, 0x04000002, 0x04200000, 0x04200800, 0x00200002,
256
0x04200000, 0x00000800, 0x00000802, 0x04200802, 0x00200800, 0x00000002, 0x04000000, 0x00200800,
257
0x04000000, 0x00200800, 0x00200000, 0x04000802, 0x04000802, 0x04200002, 0x04200002, 0x00000002,
258
0x00200002, 0x04000000, 0x04000800, 0x00200000, 0x04200800, 0x00000802, 0x00200802, 0x04200800,
259
0x00000802, 0x04000002, 0x04200802, 0x04200000, 0x00200800, 0x00000000, 0x00000002, 0x04200802,
260
0x00000000, 0x00200802, 0x04200000, 0x00000800, 0x04000002, 0x04000800, 0x00000800, 0x00200002
263
static u32 sbox8[64] =
265
0x10001040, 0x00001000, 0x00040000, 0x10041040, 0x10000000, 0x10001040, 0x00000040, 0x10000000,
266
0x00040040, 0x10040000, 0x10041040, 0x00041000, 0x10041000, 0x00041040, 0x00001000, 0x00000040,
267
0x10040000, 0x10000040, 0x10001000, 0x00001040, 0x00041000, 0x00040040, 0x10040040, 0x10041000,
268
0x00001040, 0x00000000, 0x00000000, 0x10040040, 0x10000040, 0x10001000, 0x00041040, 0x00040000,
269
0x00041040, 0x00040000, 0x10041000, 0x00001000, 0x00000040, 0x10040040, 0x00001000, 0x00041040,
270
0x10001000, 0x00000040, 0x10000040, 0x10040000, 0x10040040, 0x10000000, 0x00040000, 0x10001040,
271
0x00000000, 0x10041040, 0x00040040, 0x10000040, 0x10040000, 0x10001000, 0x10001040, 0x00000000,
272
0x10041040, 0x00041000, 0x00041000, 0x00001040, 0x00001040, 0x00040040, 0x10000000, 0x10041000
277
* These two tables are part of the 'permuted choice 1' function.
278
* In this implementation several speed improvements are done.
280
static u32 leftkey_swap[16] =
282
0x00000000, 0x00000001, 0x00000100, 0x00000101,
283
0x00010000, 0x00010001, 0x00010100, 0x00010101,
284
0x01000000, 0x01000001, 0x01000100, 0x01000101,
285
0x01010000, 0x01010001, 0x01010100, 0x01010101
288
static u32 rightkey_swap[16] =
290
0x00000000, 0x01000000, 0x00010000, 0x01010000,
291
0x00000100, 0x01000100, 0x00010100, 0x01010100,
292
0x00000001, 0x01000001, 0x00010001, 0x01010001,
293
0x00000101, 0x01000101, 0x00010101, 0x01010101,
299
* Numbers of left shifts per round for encryption subkeys.
300
* To calculate the decryption subkeys we just reverse the
301
* ordering of the calculated encryption subkeys. So their
302
* is no need for a decryption rotate tab.
304
static byte encrypt_rotate_tab[16] =
306
1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1
312
* Table with weak DES keys sorted in ascending order.
313
* In DES their are 64 known keys which are weak. They are weak
314
* because they produce only one, two or four different
315
* subkeys in the subkey scheduling process.
316
* The keys in this table have all their parity bits cleared.
318
static byte weak_keys[64][8] =
320
{ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, /*w*/
321
{ 0x00, 0x00, 0x1e, 0x1e, 0x00, 0x00, 0x0e, 0x0e },
322
{ 0x00, 0x00, 0xe0, 0xe0, 0x00, 0x00, 0xf0, 0xf0 },
323
{ 0x00, 0x00, 0xfe, 0xfe, 0x00, 0x00, 0xfe, 0xfe },
324
{ 0x00, 0x1e, 0x00, 0x1e, 0x00, 0x0e, 0x00, 0x0e }, /*sw*/
325
{ 0x00, 0x1e, 0x1e, 0x00, 0x00, 0x0e, 0x0e, 0x00 },
326
{ 0x00, 0x1e, 0xe0, 0xfe, 0x00, 0x0e, 0xf0, 0xfe },
327
{ 0x00, 0x1e, 0xfe, 0xe0, 0x00, 0x0e, 0xfe, 0xf0 },
328
{ 0x00, 0xe0, 0x00, 0xe0, 0x00, 0xf0, 0x00, 0xf0 }, /*sw*/
329
{ 0x00, 0xe0, 0x1e, 0xfe, 0x00, 0xf0, 0x0e, 0xfe },
330
{ 0x00, 0xe0, 0xe0, 0x00, 0x00, 0xf0, 0xf0, 0x00 },
331
{ 0x00, 0xe0, 0xfe, 0x1e, 0x00, 0xf0, 0xfe, 0x0e },
332
{ 0x00, 0xfe, 0x00, 0xfe, 0x00, 0xfe, 0x00, 0xfe }, /*sw*/
333
{ 0x00, 0xfe, 0x1e, 0xe0, 0x00, 0xfe, 0x0e, 0xf0 },
334
{ 0x00, 0xfe, 0xe0, 0x1e, 0x00, 0xfe, 0xf0, 0x0e },
335
{ 0x00, 0xfe, 0xfe, 0x00, 0x00, 0xfe, 0xfe, 0x00 },
336
{ 0x1e, 0x00, 0x00, 0x1e, 0x0e, 0x00, 0x00, 0x0e },
337
{ 0x1e, 0x00, 0x1e, 0x00, 0x0e, 0x00, 0x0e, 0x00 }, /*sw*/
338
{ 0x1e, 0x00, 0xe0, 0xfe, 0x0e, 0x00, 0xf0, 0xfe },
339
{ 0x1e, 0x00, 0xfe, 0xe0, 0x0e, 0x00, 0xfe, 0xf0 },
340
{ 0x1e, 0x1e, 0x00, 0x00, 0x0e, 0x0e, 0x00, 0x00 },
341
{ 0x1e, 0x1e, 0x1e, 0x1e, 0x0e, 0x0e, 0x0e, 0x0e }, /*w*/
342
{ 0x1e, 0x1e, 0xe0, 0xe0, 0x0e, 0x0e, 0xf0, 0xf0 },
343
{ 0x1e, 0x1e, 0xfe, 0xfe, 0x0e, 0x0e, 0xfe, 0xfe },
344
{ 0x1e, 0xe0, 0x00, 0xfe, 0x0e, 0xf0, 0x00, 0xfe },
345
{ 0x1e, 0xe0, 0x1e, 0xe0, 0x0e, 0xf0, 0x0e, 0xf0 }, /*sw*/
346
{ 0x1e, 0xe0, 0xe0, 0x1e, 0x0e, 0xf0, 0xf0, 0x0e },
347
{ 0x1e, 0xe0, 0xfe, 0x00, 0x0e, 0xf0, 0xfe, 0x00 },
348
{ 0x1e, 0xfe, 0x00, 0xe0, 0x0e, 0xfe, 0x00, 0xf0 },
349
{ 0x1e, 0xfe, 0x1e, 0xfe, 0x0e, 0xfe, 0x0e, 0xfe }, /*sw*/
350
{ 0x1e, 0xfe, 0xe0, 0x00, 0x0e, 0xfe, 0xf0, 0x00 },
351
{ 0x1e, 0xfe, 0xfe, 0x1e, 0x0e, 0xfe, 0xfe, 0x0e },
352
{ 0xe0, 0x00, 0x00, 0xe0, 0xf0, 0x00, 0x00, 0xf0 },
353
{ 0xe0, 0x00, 0x1e, 0xfe, 0xf0, 0x00, 0x0e, 0xfe },
354
{ 0xe0, 0x00, 0xe0, 0x00, 0xf0, 0x00, 0xf0, 0x00 }, /*sw*/
355
{ 0xe0, 0x00, 0xfe, 0x1e, 0xf0, 0x00, 0xfe, 0x0e },
356
{ 0xe0, 0x1e, 0x00, 0xfe, 0xf0, 0x0e, 0x00, 0xfe },
357
{ 0xe0, 0x1e, 0x1e, 0xe0, 0xf0, 0x0e, 0x0e, 0xf0 },
358
{ 0xe0, 0x1e, 0xe0, 0x1e, 0xf0, 0x0e, 0xf0, 0x0e }, /*sw*/
359
{ 0xe0, 0x1e, 0xfe, 0x00, 0xf0, 0x0e, 0xfe, 0x00 },
360
{ 0xe0, 0xe0, 0x00, 0x00, 0xf0, 0xf0, 0x00, 0x00 },
361
{ 0xe0, 0xe0, 0x1e, 0x1e, 0xf0, 0xf0, 0x0e, 0x0e },
362
{ 0xe0, 0xe0, 0xe0, 0xe0, 0xf0, 0xf0, 0xf0, 0xf0 }, /*w*/
363
{ 0xe0, 0xe0, 0xfe, 0xfe, 0xf0, 0xf0, 0xfe, 0xfe },
364
{ 0xe0, 0xfe, 0x00, 0x1e, 0xf0, 0xfe, 0x00, 0x0e },
365
{ 0xe0, 0xfe, 0x1e, 0x00, 0xf0, 0xfe, 0x0e, 0x00 },
366
{ 0xe0, 0xfe, 0xe0, 0xfe, 0xf0, 0xfe, 0xf0, 0xfe }, /*sw*/
367
{ 0xe0, 0xfe, 0xfe, 0xe0, 0xf0, 0xfe, 0xfe, 0xf0 },
368
{ 0xfe, 0x00, 0x00, 0xfe, 0xfe, 0x00, 0x00, 0xfe },
369
{ 0xfe, 0x00, 0x1e, 0xe0, 0xfe, 0x00, 0x0e, 0xf0 },
370
{ 0xfe, 0x00, 0xe0, 0x1e, 0xfe, 0x00, 0xf0, 0x0e },
371
{ 0xfe, 0x00, 0xfe, 0x00, 0xfe, 0x00, 0xfe, 0x00 }, /*sw*/
372
{ 0xfe, 0x1e, 0x00, 0xe0, 0xfe, 0x0e, 0x00, 0xf0 },
373
{ 0xfe, 0x1e, 0x1e, 0xfe, 0xfe, 0x0e, 0x0e, 0xfe },
374
{ 0xfe, 0x1e, 0xe0, 0x00, 0xfe, 0x0e, 0xf0, 0x00 },
375
{ 0xfe, 0x1e, 0xfe, 0x1e, 0xfe, 0x0e, 0xfe, 0x0e }, /*sw*/
376
{ 0xfe, 0xe0, 0x00, 0x1e, 0xfe, 0xf0, 0x00, 0x0e },
377
{ 0xfe, 0xe0, 0x1e, 0x00, 0xfe, 0xf0, 0x0e, 0x00 },
378
{ 0xfe, 0xe0, 0xe0, 0xfe, 0xfe, 0xf0, 0xf0, 0xfe },
379
{ 0xfe, 0xe0, 0xfe, 0xe0, 0xfe, 0xf0, 0xfe, 0xf0 }, /*sw*/
380
{ 0xfe, 0xfe, 0x00, 0x00, 0xfe, 0xfe, 0x00, 0x00 },
381
{ 0xfe, 0xfe, 0x1e, 0x1e, 0xfe, 0xfe, 0x0e, 0x0e },
382
{ 0xfe, 0xfe, 0xe0, 0xe0, 0xfe, 0xfe, 0xf0, 0xf0 },
383
{ 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe } /*w*/
389
* Macro to swap bits across two words.
391
#define DO_PERMUTATION(a, temp, b, offset, mask) \
392
temp = ((a>>offset) ^ b) & mask; \
398
* This performs the 'initial permutation' of the data to be encrypted
399
* or decrypted. Additionally the resulting two words are rotated one bit
402
#define INITIAL_PERMUTATION(left, temp, right) \
403
DO_PERMUTATION(left, temp, right, 4, 0x0f0f0f0f) \
404
DO_PERMUTATION(left, temp, right, 16, 0x0000ffff) \
405
DO_PERMUTATION(right, temp, left, 2, 0x33333333) \
406
DO_PERMUTATION(right, temp, left, 8, 0x00ff00ff) \
407
right = (right << 1) | (right >> 31); \
408
temp = (left ^ right) & 0xaaaaaaaa; \
411
left = (left << 1) | (left >> 31);
414
* The 'inverse initial permutation'.
416
#define FINAL_PERMUTATION(left, temp, right) \
417
left = (left << 31) | (left >> 1); \
418
temp = (left ^ right) & 0xaaaaaaaa; \
421
right = (right << 31) | (right >> 1); \
422
DO_PERMUTATION(right, temp, left, 8, 0x00ff00ff) \
423
DO_PERMUTATION(right, temp, left, 2, 0x33333333) \
424
DO_PERMUTATION(left, temp, right, 16, 0x0000ffff) \
425
DO_PERMUTATION(left, temp, right, 4, 0x0f0f0f0f)
429
* A full DES round including 'expansion function', 'sbox substitution'
430
* and 'primitive function P' but without swapping the left and right word.
431
* Please note: The data in 'from' and 'to' is already rotated one bit to
432
* the left, done in the initial permutation.
434
#define DES_ROUND(from, to, work, subkey) \
435
work = from ^ *subkey++; \
436
to ^= sbox8[ work & 0x3f ]; \
437
to ^= sbox6[ (work>>8) & 0x3f ]; \
438
to ^= sbox4[ (work>>16) & 0x3f ]; \
439
to ^= sbox2[ (work>>24) & 0x3f ]; \
440
work = ((from << 28) | (from >> 4)) ^ *subkey++; \
441
to ^= sbox7[ work & 0x3f ]; \
442
to ^= sbox5[ (work>>8) & 0x3f ]; \
443
to ^= sbox3[ (work>>16) & 0x3f ]; \
444
to ^= sbox1[ (work>>24) & 0x3f ];
447
* Macros to convert 8 bytes from/to 32bit words.
449
#define READ_64BIT_DATA(data, left, right) \
450
left = (data[0] << 24) | (data[1] << 16) | (data[2] << 8) | data[3]; \
451
right = (data[4] << 24) | (data[5] << 16) | (data[6] << 8) | data[7];
453
#define WRITE_64BIT_DATA(data, left, right) \
454
data[0] = (left >> 24) &0xff; data[1] = (left >> 16) &0xff; \
455
data[2] = (left >> 8) &0xff; data[3] = left &0xff; \
456
data[4] = (right >> 24) &0xff; data[5] = (right >> 16) &0xff; \
457
data[6] = (right >> 8) &0xff; data[7] = right &0xff;
460
* Handy macros for encryption and decryption of data
462
#define des_ecb_encrypt(ctx, from, to) des_ecb_crypt(ctx, from, to, 0)
463
#define des_ecb_decrypt(ctx, from, to) des_ecb_crypt(ctx, from, to, 1)
464
#define tripledes_ecb_encrypt(ctx, from, to) tripledes_ecb_crypt(ctx,from,to,0)
465
#define tripledes_ecb_decrypt(ctx, from, to) tripledes_ecb_crypt(ctx,from,to,1)
473
* des_key_schedule(): Calculate 16 subkeys pairs (even/odd) for
474
* 16 encryption rounds.
475
* To calculate subkeys for decryption the caller
476
* have to reorder the generated subkeys.
478
* rawkey: 8 Bytes of key data
479
* subkey: Array of at least 32 u32s. Will be filled
480
* with calculated subkeys.
484
des_key_schedule (const byte * rawkey, u32 * subkey)
486
u32 left, right, work;
489
READ_64BIT_DATA (rawkey, left, right)
491
DO_PERMUTATION (right, work, left, 4, 0x0f0f0f0f)
492
DO_PERMUTATION (right, work, left, 0, 0x10101010)
494
left = ((leftkey_swap[(left >> 0) & 0xf] << 3)
495
| (leftkey_swap[(left >> 8) & 0xf] << 2)
496
| (leftkey_swap[(left >> 16) & 0xf] << 1)
497
| (leftkey_swap[(left >> 24) & 0xf])
498
| (leftkey_swap[(left >> 5) & 0xf] << 7)
499
| (leftkey_swap[(left >> 13) & 0xf] << 6)
500
| (leftkey_swap[(left >> 21) & 0xf] << 5)
501
| (leftkey_swap[(left >> 29) & 0xf] << 4));
505
right = ((rightkey_swap[(right >> 1) & 0xf] << 3)
506
| (rightkey_swap[(right >> 9) & 0xf] << 2)
507
| (rightkey_swap[(right >> 17) & 0xf] << 1)
508
| (rightkey_swap[(right >> 25) & 0xf])
509
| (rightkey_swap[(right >> 4) & 0xf] << 7)
510
| (rightkey_swap[(right >> 12) & 0xf] << 6)
511
| (rightkey_swap[(right >> 20) & 0xf] << 5)
512
| (rightkey_swap[(right >> 28) & 0xf] << 4));
516
for (round = 0; round < 16; ++round)
518
left = ((left << encrypt_rotate_tab[round])
519
| (left >> (28 - encrypt_rotate_tab[round]))) & 0x0fffffff;
520
right = ((right << encrypt_rotate_tab[round])
521
| (right >> (28 - encrypt_rotate_tab[round]))) & 0x0fffffff;
523
*subkey++ = (((left << 4) & 0x24000000)
524
| ((left << 28) & 0x10000000)
525
| ((left << 14) & 0x08000000)
526
| ((left << 18) & 0x02080000)
527
| ((left << 6) & 0x01000000)
528
| ((left << 9) & 0x00200000)
529
| ((left >> 1) & 0x00100000)
530
| ((left << 10) & 0x00040000)
531
| ((left << 2) & 0x00020000)
532
| ((left >> 10) & 0x00010000)
533
| ((right >> 13) & 0x00002000)
534
| ((right >> 4) & 0x00001000)
535
| ((right << 6) & 0x00000800)
536
| ((right >> 1) & 0x00000400)
537
| ((right >> 14) & 0x00000200)
538
| (right & 0x00000100)
539
| ((right >> 5) & 0x00000020)
540
| ((right >> 10) & 0x00000010)
541
| ((right >> 3) & 0x00000008)
542
| ((right >> 18) & 0x00000004)
543
| ((right >> 26) & 0x00000002)
544
| ((right >> 24) & 0x00000001));
546
*subkey++ = (((left << 15) & 0x20000000)
547
| ((left << 17) & 0x10000000)
548
| ((left << 10) & 0x08000000)
549
| ((left << 22) & 0x04000000)
550
| ((left >> 2) & 0x02000000)
551
| ((left << 1) & 0x01000000)
552
| ((left << 16) & 0x00200000)
553
| ((left << 11) & 0x00100000)
554
| ((left << 3) & 0x00080000)
555
| ((left >> 6) & 0x00040000)
556
| ((left << 15) & 0x00020000)
557
| ((left >> 4) & 0x00010000)
558
| ((right >> 2) & 0x00002000)
559
| ((right << 8) & 0x00001000)
560
| ((right >> 14) & 0x00000808)
561
| ((right >> 9) & 0x00000400)
562
| ((right) & 0x00000200)
563
| ((right << 7) & 0x00000100)
564
| ((right >> 7) & 0x00000020)
565
| ((right >> 3) & 0x00000011)
566
| ((right << 2) & 0x00000004)
567
| ((right >> 21) & 0x00000002));
573
* Fill a DES context with subkeys calculated from a 64bit key.
574
* Does not check parity bits, but simply ignore them.
575
* Does not check for weak keys.
578
des_setkey (struct _des_ctx *ctx, const byte * key)
580
static const char *selftest_failed;
583
if (!fips_mode () && !initialized)
586
selftest_failed = selftest ();
589
log_error ("%s\n", selftest_failed);
592
return GPG_ERR_SELFTEST_FAILED;
594
des_key_schedule (key, ctx->encrypt_subkeys);
595
_gcry_burn_stack (32);
599
ctx->decrypt_subkeys[i] = ctx->encrypt_subkeys[30-i];
600
ctx->decrypt_subkeys[i+1] = ctx->encrypt_subkeys[31-i];
609
* Electronic Codebook Mode DES encryption/decryption of data according
613
des_ecb_crypt (struct _des_ctx *ctx, const byte * from, byte * to, int mode)
615
u32 left, right, work;
618
keys = mode ? ctx->decrypt_subkeys : ctx->encrypt_subkeys;
620
READ_64BIT_DATA (from, left, right)
621
INITIAL_PERMUTATION (left, work, right)
623
DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
624
DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
625
DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
626
DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
627
DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
628
DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
629
DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
630
DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
632
FINAL_PERMUTATION (right, work, left)
633
WRITE_64BIT_DATA (to, right, left)
641
* Fill a Triple-DES context with subkeys calculated from two 64bit keys.
642
* Does not check the parity bits of the keys, but simply ignore them.
643
* Does not check for weak keys.
649
* Fill a Triple-DES context with subkeys calculated from three 64bit keys.
650
* Does not check the parity bits of the keys, but simply ignore them.
651
* Does not check for weak keys.
654
tripledes_set3keys (struct _tripledes_ctx *ctx,
659
static const char *selftest_failed;
662
if (!fips_mode () && !initialized)
665
selftest_failed = selftest ();
668
log_error ("%s\n", selftest_failed);
671
return GPG_ERR_SELFTEST_FAILED;
673
des_key_schedule (key1, ctx->encrypt_subkeys);
674
des_key_schedule (key2, &(ctx->decrypt_subkeys[32]));
675
des_key_schedule (key3, &(ctx->encrypt_subkeys[64]));
676
_gcry_burn_stack (32);
680
ctx->decrypt_subkeys[i] = ctx->encrypt_subkeys[94-i];
681
ctx->decrypt_subkeys[i+1] = ctx->encrypt_subkeys[95-i];
683
ctx->encrypt_subkeys[i+32] = ctx->decrypt_subkeys[62-i];
684
ctx->encrypt_subkeys[i+33] = ctx->decrypt_subkeys[63-i];
686
ctx->decrypt_subkeys[i+64] = ctx->encrypt_subkeys[30-i];
687
ctx->decrypt_subkeys[i+65] = ctx->encrypt_subkeys[31-i];
696
* Electronic Codebook Mode Triple-DES encryption/decryption of data
697
* according to 'mode'. Sometimes this mode is named 'EDE' mode
698
* (Encryption-Decryption-Encryption).
701
tripledes_ecb_crypt (struct _tripledes_ctx *ctx, const byte * from,
704
u32 left, right, work;
707
keys = mode ? ctx->decrypt_subkeys : ctx->encrypt_subkeys;
709
READ_64BIT_DATA (from, left, right)
710
INITIAL_PERMUTATION (left, work, right)
712
DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
713
DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
714
DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
715
DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
716
DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
717
DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
718
DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
719
DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
721
DES_ROUND (left, right, work, keys) DES_ROUND (right, left, work, keys)
722
DES_ROUND (left, right, work, keys) DES_ROUND (right, left, work, keys)
723
DES_ROUND (left, right, work, keys) DES_ROUND (right, left, work, keys)
724
DES_ROUND (left, right, work, keys) DES_ROUND (right, left, work, keys)
725
DES_ROUND (left, right, work, keys) DES_ROUND (right, left, work, keys)
726
DES_ROUND (left, right, work, keys) DES_ROUND (right, left, work, keys)
727
DES_ROUND (left, right, work, keys) DES_ROUND (right, left, work, keys)
728
DES_ROUND (left, right, work, keys) DES_ROUND (right, left, work, keys)
730
DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
731
DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
732
DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
733
DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
734
DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
735
DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
736
DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
737
DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
739
FINAL_PERMUTATION (right, work, left)
740
WRITE_64BIT_DATA (to, right, left)
750
* Check whether the 8 byte key is weak.
751
* Does not check the parity bits of the key but simple ignore them.
754
is_weak_key ( const byte *key )
757
int i, left, right, middle, cmp_result;
759
/* clear parity bits */
761
work[i] = key[i] & 0xfe;
763
/* binary search in the weak key table */
768
middle = (left + right) / 2;
770
if ( !(cmp_result=working_memcmp(work, weak_keys[middle], 8)) )
773
if ( cmp_result > 0 )
785
* Performs a selftest of this DES/Triple-DES implementation.
786
* Returns an string with the error text on failure.
787
* Returns NULL if all is ok.
791
static gcry_err_code_t
792
do_tripledes_setkey ( void *context, const byte *key, unsigned keylen )
794
struct _tripledes_ctx *ctx = (struct _tripledes_ctx *) context;
797
return GPG_ERR_INV_KEYLEN;
799
tripledes_set3keys ( ctx, key, key+8, key+16);
801
if (ctx->flags.no_weak_key)
802
; /* Detection has been disabled. */
803
else if (is_weak_key (key) || is_weak_key (key+8) || is_weak_key (key+16))
805
_gcry_burn_stack (64);
806
return GPG_ERR_WEAK_KEY;
808
_gcry_burn_stack (64);
810
return GPG_ERR_NO_ERROR;
817
do_tripledes_encrypt( void *context, byte *outbuf, const byte *inbuf )
819
struct _tripledes_ctx *ctx = (struct _tripledes_ctx *) context;
821
tripledes_ecb_encrypt ( ctx, inbuf, outbuf );
822
_gcry_burn_stack (32);
826
do_tripledes_decrypt( void *context, byte *outbuf, const byte *inbuf )
828
struct _tripledes_ctx *ctx = (struct _tripledes_ctx *) context;
829
tripledes_ecb_decrypt ( ctx, inbuf, outbuf );
830
_gcry_burn_stack (32);
833
static gcry_err_code_t
834
do_des_setkey (void *context, const byte *key, unsigned keylen)
836
struct _des_ctx *ctx = (struct _des_ctx *) context;
839
return GPG_ERR_INV_KEYLEN;
841
des_setkey (ctx, key);
843
if (is_weak_key (key)) {
844
_gcry_burn_stack (64);
845
return GPG_ERR_WEAK_KEY;
847
_gcry_burn_stack (64);
849
return GPG_ERR_NO_ERROR;
854
do_des_encrypt( void *context, byte *outbuf, const byte *inbuf )
856
struct _des_ctx *ctx = (struct _des_ctx *) context;
858
des_ecb_encrypt ( ctx, inbuf, outbuf );
859
_gcry_burn_stack (32);
863
do_des_decrypt( void *context, byte *outbuf, const byte *inbuf )
865
struct _des_ctx *ctx = (struct _des_ctx *) context;
867
des_ecb_decrypt ( ctx, inbuf, outbuf );
868
_gcry_burn_stack (32);
879
/* Selftest for TripleDES. */
883
/* Run a full self-test for ALGO and return 0 on success. */
887
gcry_cipher_spec_t _gcry_cipher_spec_des =
889
"DES", NULL, NULL, 8, 64, sizeof (struct _des_ctx),
890
do_des_setkey, do_des_encrypt, do_des_decrypt
893
static gcry_cipher_oid_spec_t oids_tripledes[] =
895
{ "1.2.840.113549.3.7", GCRY_CIPHER_MODE_CBC },
896
/* Teletrust specific OID for 3DES. */
897
{ "1.3.36.3.1.3.2.1", GCRY_CIPHER_MODE_CBC },
898
/* pbeWithSHAAnd3_KeyTripleDES_CBC */
899
{ "1.2.840.113549.1.12.1.3", GCRY_CIPHER_MODE_CBC },
903
gcry_cipher_spec_t _gcry_cipher_spec_tripledes =
905
"3DES", NULL, oids_tripledes, 8, 192, sizeof (struct _tripledes_ctx),
906
do_tripledes_setkey, do_tripledes_encrypt, do_tripledes_decrypt
911
GRUB_MOD_INIT(gcry_des)
913
grub_cipher_register (&_gcry_cipher_spec_des);
914
grub_cipher_register (&_gcry_cipher_spec_tripledes);
917
GRUB_MOD_FINI(gcry_des)
919
grub_cipher_unregister (&_gcry_cipher_spec_des);
920
grub_cipher_unregister (&_gcry_cipher_spec_tripledes);