1
/* des.c - DES and Triple-DES encryption/decryption Algorithm
2
* Copyright (C) 1998, 1999, 2000, 2001 Free Software Foundation, Inc.
4
* This file is part of GnuPG.
6
* GnuPG is free software; you can redistribute it and/or modify
7
* it under the terms of the GNU General Public License as published by
8
* the Free Software Foundation; either version 2 of the License, or
9
* (at your option) any later version.
11
* GnuPG is distributed in the hope that it will be useful,
12
* but WITHOUT ANY WARRANTY; without even the implied warranty of
13
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14
* GNU General Public License for more details.
16
* You should have received a copy of the GNU General Public License
17
* along with this program; if not, write to the Free Software
18
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
21
* According to the definition of DES in FIPS PUB 46-2 from December 1993.
22
* For a description of triple encryption, see:
23
* Bruce Schneier: Applied Cryptography. Second Edition.
24
* John Wiley & Sons, 1996. ISBN 0-471-12845-7. Pages 358 ff.
29
* Written by Michael Roth <mroth@nessie.de>, September 1998
37
* For DES or Triple-DES encryption/decryption you must initialize a proper
38
* encryption context with a key.
40
* A DES key is 64bit wide but only 56bits of the key are used. The remaining
41
* bits are parity bits and they will _not_ checked in this implementation, but
44
* For Triple-DES you could use either two 64bit keys or three 64bit keys.
45
* The parity bits will _not_ checked, too.
47
* After initializing a context with a key you could use this context to
48
* encrypt or decrypt data in 64bit blocks in Electronic Codebook Mode.
50
* (In the examples below the slashes at the beginning and ending of comments
55
* unsigned char key[8];
56
* unsigned char plaintext[8];
57
* unsigned char ciphertext[8];
58
* unsigned char recoverd[8];
61
* * Fill 'key' and 'plaintext' with some data *
64
* * Set up the DES encryption context *
65
* des_setkey(context, key);
67
* * Encrypt the plaintext *
68
* des_ecb_encrypt(context, plaintext, ciphertext);
70
* * To recover the orginal plaintext from ciphertext use: *
71
* des_ecb_decrypt(context, ciphertext, recoverd);
76
* unsigned char key1[8];
77
* unsigned char key2[8];
78
* unsigned char key3[8];
79
* unsigned char plaintext[8];
80
* unsigned char ciphertext[8];
81
* unsigned char recoverd[8];
82
* tripledes_ctx context;
84
* * If you would like to use two 64bit keys, fill 'key1' and'key2'
85
* then setup the encryption context: *
86
* tripledes_set2keys(context, key1, key2);
88
* * To use three 64bit keys with Triple-DES use: *
89
* tripledes_set3keys(context, key1, key2, key3);
91
* * Encrypting plaintext with Triple-DES *
92
* tripledes_ecb_encrypt(context, plaintext, ciphertext);
94
* * Decrypting ciphertext to recover the plaintext with Triple-DES *
95
* tripledes_ecb_decrypt(context, ciphertext, recoverd);
102
* * To perform a selftest of this DES/Triple-DES implementation use the
103
* function selftest(). It will return an error string if their are
104
* some problems with this library. *
106
* if ( (error_msg = selftest()) )
108
* fprintf(stderr, "An error in the DES/Tripple-DES implementation occured: %s\n", error_msg);
116
#include <string.h> /* memcpy, memcmp */
117
#include "types.h" /* for byte and u32 typedefs */
120
#include "algorithms.h"
122
#if defined(__GNUC__) && defined(__GNU_LIBRARY__)
123
#define working_memcmp memcmp
126
* According to the SunOS man page, memcmp returns indeterminate sign
127
* depending on whether characters are signed or not.
130
working_memcmp( const char *a, const char *b, size_t n )
132
for( ; n; n--, a++, b++ )
134
return (int)(*(byte*)a) - (int)(*(byte*)b);
141
/* Some defines/checks to support standalone modules */
143
#ifndef CIPHER_ALGO_3DES
144
#define CIPHER_ALGO_3DES 2
145
#elif CIPHER_ALGO_3DES != 2
146
#error CIPHER_ALGO_3DES is defined to a wrong value.
153
* Encryption/Decryption context of DES
155
typedef struct _des_ctx
157
u32 encrypt_subkeys[32];
158
u32 decrypt_subkeys[32];
163
* Encryption/Decryption context of Triple-DES
165
typedef struct _tripledes_ctx
167
u32 encrypt_subkeys[96];
168
u32 decrypt_subkeys[96];
172
static const char *selftest_failed;
174
static void des_key_schedule (const byte *, u32 *);
175
static int des_setkey (struct _des_ctx *, const byte *);
176
static int des_ecb_crypt (struct _des_ctx *, const byte *, byte *, int);
177
static int tripledes_set2keys (struct _tripledes_ctx *, const byte *, const byte *);
178
static int tripledes_set3keys (struct _tripledes_ctx *, const byte *, const byte *, const byte *);
179
static int tripledes_ecb_crypt (struct _tripledes_ctx *, const byte *, byte *, int);
180
static int is_weak_key ( const byte *key );
181
static const char *selftest (void);
189
* The s-box values are permuted according to the 'primitive function P'
190
* and are rotated one bit to the left.
192
static u32 sbox1[64] =
194
0x01010400, 0x00000000, 0x00010000, 0x01010404, 0x01010004, 0x00010404, 0x00000004, 0x00010000,
195
0x00000400, 0x01010400, 0x01010404, 0x00000400, 0x01000404, 0x01010004, 0x01000000, 0x00000004,
196
0x00000404, 0x01000400, 0x01000400, 0x00010400, 0x00010400, 0x01010000, 0x01010000, 0x01000404,
197
0x00010004, 0x01000004, 0x01000004, 0x00010004, 0x00000000, 0x00000404, 0x00010404, 0x01000000,
198
0x00010000, 0x01010404, 0x00000004, 0x01010000, 0x01010400, 0x01000000, 0x01000000, 0x00000400,
199
0x01010004, 0x00010000, 0x00010400, 0x01000004, 0x00000400, 0x00000004, 0x01000404, 0x00010404,
200
0x01010404, 0x00010004, 0x01010000, 0x01000404, 0x01000004, 0x00000404, 0x00010404, 0x01010400,
201
0x00000404, 0x01000400, 0x01000400, 0x00000000, 0x00010004, 0x00010400, 0x00000000, 0x01010004
204
static u32 sbox2[64] =
206
0x80108020, 0x80008000, 0x00008000, 0x00108020, 0x00100000, 0x00000020, 0x80100020, 0x80008020,
207
0x80000020, 0x80108020, 0x80108000, 0x80000000, 0x80008000, 0x00100000, 0x00000020, 0x80100020,
208
0x00108000, 0x00100020, 0x80008020, 0x00000000, 0x80000000, 0x00008000, 0x00108020, 0x80100000,
209
0x00100020, 0x80000020, 0x00000000, 0x00108000, 0x00008020, 0x80108000, 0x80100000, 0x00008020,
210
0x00000000, 0x00108020, 0x80100020, 0x00100000, 0x80008020, 0x80100000, 0x80108000, 0x00008000,
211
0x80100000, 0x80008000, 0x00000020, 0x80108020, 0x00108020, 0x00000020, 0x00008000, 0x80000000,
212
0x00008020, 0x80108000, 0x00100000, 0x80000020, 0x00100020, 0x80008020, 0x80000020, 0x00100020,
213
0x00108000, 0x00000000, 0x80008000, 0x00008020, 0x80000000, 0x80100020, 0x80108020, 0x00108000
216
static u32 sbox3[64] =
218
0x00000208, 0x08020200, 0x00000000, 0x08020008, 0x08000200, 0x00000000, 0x00020208, 0x08000200,
219
0x00020008, 0x08000008, 0x08000008, 0x00020000, 0x08020208, 0x00020008, 0x08020000, 0x00000208,
220
0x08000000, 0x00000008, 0x08020200, 0x00000200, 0x00020200, 0x08020000, 0x08020008, 0x00020208,
221
0x08000208, 0x00020200, 0x00020000, 0x08000208, 0x00000008, 0x08020208, 0x00000200, 0x08000000,
222
0x08020200, 0x08000000, 0x00020008, 0x00000208, 0x00020000, 0x08020200, 0x08000200, 0x00000000,
223
0x00000200, 0x00020008, 0x08020208, 0x08000200, 0x08000008, 0x00000200, 0x00000000, 0x08020008,
224
0x08000208, 0x00020000, 0x08000000, 0x08020208, 0x00000008, 0x00020208, 0x00020200, 0x08000008,
225
0x08020000, 0x08000208, 0x00000208, 0x08020000, 0x00020208, 0x00000008, 0x08020008, 0x00020200
228
static u32 sbox4[64] =
230
0x00802001, 0x00002081, 0x00002081, 0x00000080, 0x00802080, 0x00800081, 0x00800001, 0x00002001,
231
0x00000000, 0x00802000, 0x00802000, 0x00802081, 0x00000081, 0x00000000, 0x00800080, 0x00800001,
232
0x00000001, 0x00002000, 0x00800000, 0x00802001, 0x00000080, 0x00800000, 0x00002001, 0x00002080,
233
0x00800081, 0x00000001, 0x00002080, 0x00800080, 0x00002000, 0x00802080, 0x00802081, 0x00000081,
234
0x00800080, 0x00800001, 0x00802000, 0x00802081, 0x00000081, 0x00000000, 0x00000000, 0x00802000,
235
0x00002080, 0x00800080, 0x00800081, 0x00000001, 0x00802001, 0x00002081, 0x00002081, 0x00000080,
236
0x00802081, 0x00000081, 0x00000001, 0x00002000, 0x00800001, 0x00002001, 0x00802080, 0x00800081,
237
0x00002001, 0x00002080, 0x00800000, 0x00802001, 0x00000080, 0x00800000, 0x00002000, 0x00802080
240
static u32 sbox5[64] =
242
0x00000100, 0x02080100, 0x02080000, 0x42000100, 0x00080000, 0x00000100, 0x40000000, 0x02080000,
243
0x40080100, 0x00080000, 0x02000100, 0x40080100, 0x42000100, 0x42080000, 0x00080100, 0x40000000,
244
0x02000000, 0x40080000, 0x40080000, 0x00000000, 0x40000100, 0x42080100, 0x42080100, 0x02000100,
245
0x42080000, 0x40000100, 0x00000000, 0x42000000, 0x02080100, 0x02000000, 0x42000000, 0x00080100,
246
0x00080000, 0x42000100, 0x00000100, 0x02000000, 0x40000000, 0x02080000, 0x42000100, 0x40080100,
247
0x02000100, 0x40000000, 0x42080000, 0x02080100, 0x40080100, 0x00000100, 0x02000000, 0x42080000,
248
0x42080100, 0x00080100, 0x42000000, 0x42080100, 0x02080000, 0x00000000, 0x40080000, 0x42000000,
249
0x00080100, 0x02000100, 0x40000100, 0x00080000, 0x00000000, 0x40080000, 0x02080100, 0x40000100
252
static u32 sbox6[64] =
254
0x20000010, 0x20400000, 0x00004000, 0x20404010, 0x20400000, 0x00000010, 0x20404010, 0x00400000,
255
0x20004000, 0x00404010, 0x00400000, 0x20000010, 0x00400010, 0x20004000, 0x20000000, 0x00004010,
256
0x00000000, 0x00400010, 0x20004010, 0x00004000, 0x00404000, 0x20004010, 0x00000010, 0x20400010,
257
0x20400010, 0x00000000, 0x00404010, 0x20404000, 0x00004010, 0x00404000, 0x20404000, 0x20000000,
258
0x20004000, 0x00000010, 0x20400010, 0x00404000, 0x20404010, 0x00400000, 0x00004010, 0x20000010,
259
0x00400000, 0x20004000, 0x20000000, 0x00004010, 0x20000010, 0x20404010, 0x00404000, 0x20400000,
260
0x00404010, 0x20404000, 0x00000000, 0x20400010, 0x00000010, 0x00004000, 0x20400000, 0x00404010,
261
0x00004000, 0x00400010, 0x20004010, 0x00000000, 0x20404000, 0x20000000, 0x00400010, 0x20004010
264
static u32 sbox7[64] =
266
0x00200000, 0x04200002, 0x04000802, 0x00000000, 0x00000800, 0x04000802, 0x00200802, 0x04200800,
267
0x04200802, 0x00200000, 0x00000000, 0x04000002, 0x00000002, 0x04000000, 0x04200002, 0x00000802,
268
0x04000800, 0x00200802, 0x00200002, 0x04000800, 0x04000002, 0x04200000, 0x04200800, 0x00200002,
269
0x04200000, 0x00000800, 0x00000802, 0x04200802, 0x00200800, 0x00000002, 0x04000000, 0x00200800,
270
0x04000000, 0x00200800, 0x00200000, 0x04000802, 0x04000802, 0x04200002, 0x04200002, 0x00000002,
271
0x00200002, 0x04000000, 0x04000800, 0x00200000, 0x04200800, 0x00000802, 0x00200802, 0x04200800,
272
0x00000802, 0x04000002, 0x04200802, 0x04200000, 0x00200800, 0x00000000, 0x00000002, 0x04200802,
273
0x00000000, 0x00200802, 0x04200000, 0x00000800, 0x04000002, 0x04000800, 0x00000800, 0x00200002
276
static u32 sbox8[64] =
278
0x10001040, 0x00001000, 0x00040000, 0x10041040, 0x10000000, 0x10001040, 0x00000040, 0x10000000,
279
0x00040040, 0x10040000, 0x10041040, 0x00041000, 0x10041000, 0x00041040, 0x00001000, 0x00000040,
280
0x10040000, 0x10000040, 0x10001000, 0x00001040, 0x00041000, 0x00040040, 0x10040040, 0x10041000,
281
0x00001040, 0x00000000, 0x00000000, 0x10040040, 0x10000040, 0x10001000, 0x00041040, 0x00040000,
282
0x00041040, 0x00040000, 0x10041000, 0x00001000, 0x00000040, 0x10040040, 0x00001000, 0x00041040,
283
0x10001000, 0x00000040, 0x10000040, 0x10040000, 0x10040040, 0x10000000, 0x00040000, 0x10001040,
284
0x00000000, 0x10041040, 0x00040040, 0x10000040, 0x10040000, 0x10001000, 0x10001040, 0x00000000,
285
0x10041040, 0x00041000, 0x00041000, 0x00001040, 0x00001040, 0x00040040, 0x10000000, 0x10041000
290
* These two tables are part of the 'permuted choice 1' function.
291
* In this implementation several speed improvements are done.
293
u32 leftkey_swap[16] =
295
0x00000000, 0x00000001, 0x00000100, 0x00000101,
296
0x00010000, 0x00010001, 0x00010100, 0x00010101,
297
0x01000000, 0x01000001, 0x01000100, 0x01000101,
298
0x01010000, 0x01010001, 0x01010100, 0x01010101
301
u32 rightkey_swap[16] =
303
0x00000000, 0x01000000, 0x00010000, 0x01010000,
304
0x00000100, 0x01000100, 0x00010100, 0x01010100,
305
0x00000001, 0x01000001, 0x00010001, 0x01010001,
306
0x00000101, 0x01000101, 0x00010101, 0x01010101,
312
* Numbers of left shifts per round for encryption subkeys.
313
* To calculate the decryption subkeys we just reverse the
314
* ordering of the calculated encryption subkeys. So their
315
* is no need for a decryption rotate tab.
317
static byte encrypt_rotate_tab[16] =
319
1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1
325
* Table with weak DES keys sorted in ascending order.
326
* In DES their are 64 known keys wich are weak. They are weak
327
* because they produce only one, two or four different
328
* subkeys in the subkey scheduling process.
329
* The keys in this table have all their parity bits cleared.
331
static byte weak_keys[64][8] =
333
{ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, { 0x00, 0x00, 0x1e, 0x1e, 0x00, 0x00, 0x0e, 0x0e },
334
{ 0x00, 0x00, 0xe0, 0xe0, 0x00, 0x00, 0xf0, 0xf0 }, { 0x00, 0x00, 0xfe, 0xfe, 0x00, 0x00, 0xfe, 0xfe },
335
{ 0x00, 0x1e, 0x00, 0x1e, 0x00, 0x0e, 0x00, 0x0e }, { 0x00, 0x1e, 0x1e, 0x00, 0x00, 0x0e, 0x0e, 0x00 },
336
{ 0x00, 0x1e, 0xe0, 0xfe, 0x00, 0x0e, 0xf0, 0xfe }, { 0x00, 0x1e, 0xfe, 0xe0, 0x00, 0x0e, 0xfe, 0xf0 },
337
{ 0x00, 0xe0, 0x00, 0xe0, 0x00, 0xf0, 0x00, 0xf0 }, { 0x00, 0xe0, 0x1e, 0xfe, 0x00, 0xf0, 0x0e, 0xfe },
338
{ 0x00, 0xe0, 0xe0, 0x00, 0x00, 0xf0, 0xf0, 0x00 }, { 0x00, 0xe0, 0xfe, 0x1e, 0x00, 0xf0, 0xfe, 0x0e },
339
{ 0x00, 0xfe, 0x00, 0xfe, 0x00, 0xfe, 0x00, 0xfe }, { 0x00, 0xfe, 0x1e, 0xe0, 0x00, 0xfe, 0x0e, 0xf0 },
340
{ 0x00, 0xfe, 0xe0, 0x1e, 0x00, 0xfe, 0xf0, 0x0e }, { 0x00, 0xfe, 0xfe, 0x00, 0x00, 0xfe, 0xfe, 0x00 },
341
{ 0x0e, 0x0e, 0x0e, 0x0e, 0xf0, 0xf0, 0xf0, 0xf0 }, { 0x1e, 0x00, 0x00, 0x1e, 0x0e, 0x00, 0x00, 0x0e },
342
{ 0x1e, 0x00, 0x1e, 0x00, 0x0e, 0x00, 0x0e, 0x00 }, { 0x1e, 0x00, 0xe0, 0xfe, 0x0e, 0x00, 0xf0, 0xfe },
343
{ 0x1e, 0x00, 0xfe, 0xe0, 0x0e, 0x00, 0xfe, 0xf0 }, { 0x1e, 0x1e, 0x00, 0x00, 0x0e, 0x0e, 0x00, 0x00 },
344
{ 0x1e, 0x1e, 0x1e, 0x1e, 0x0e, 0x0e, 0x0e, 0x0e }, { 0x1e, 0x1e, 0xe0, 0xe0, 0x0e, 0x0e, 0xf0, 0xf0 },
345
{ 0x1e, 0x1e, 0xfe, 0xfe, 0x0e, 0x0e, 0xfe, 0xfe }, { 0x1e, 0xe0, 0x00, 0xfe, 0x0e, 0xf0, 0x00, 0xfe },
346
{ 0x1e, 0xe0, 0x1e, 0xe0, 0x0e, 0xf0, 0x0e, 0xf0 }, { 0x1e, 0xe0, 0xe0, 0x1e, 0x0e, 0xf0, 0xf0, 0x0e },
347
{ 0x1e, 0xe0, 0xfe, 0x00, 0x0e, 0xf0, 0xfe, 0x00 }, { 0x1e, 0xfe, 0x00, 0xe0, 0x0e, 0xfe, 0x00, 0xf0 },
348
{ 0x1e, 0xfe, 0x1e, 0xfe, 0x0e, 0xfe, 0x0e, 0xfe }, { 0x1e, 0xfe, 0xe0, 0x00, 0x0e, 0xfe, 0xf0, 0x00 },
349
{ 0x1e, 0xfe, 0xfe, 0x1e, 0x0e, 0xfe, 0xfe, 0x0e }, { 0xe0, 0x00, 0x00, 0xe0, 0xf0, 0x00, 0x00, 0xf0 },
350
{ 0xe0, 0x00, 0x1e, 0xfe, 0xf0, 0x00, 0x0e, 0xfe }, { 0xe0, 0x00, 0xe0, 0x00, 0xf0, 0x00, 0xf0, 0x00 },
351
{ 0xe0, 0x00, 0xfe, 0x1e, 0xf0, 0x00, 0xfe, 0x0e }, { 0xe0, 0x1e, 0x00, 0xfe, 0xf0, 0x0e, 0x00, 0xfe },
352
{ 0xe0, 0x1e, 0x1e, 0xe0, 0xf0, 0x0e, 0x0e, 0xf0 }, { 0xe0, 0x1e, 0xe0, 0x1e, 0xf0, 0x0e, 0xf0, 0x0e },
353
{ 0xe0, 0x1e, 0xfe, 0x00, 0xf0, 0x0e, 0xfe, 0x00 }, { 0xe0, 0xe0, 0x00, 0x00, 0xf0, 0xf0, 0x00, 0x00 },
354
{ 0xe0, 0xe0, 0x1e, 0x1e, 0xf0, 0xf0, 0x0e, 0x0e }, { 0xe0, 0xe0, 0xfe, 0xfe, 0xf0, 0xf0, 0xfe, 0xfe },
355
{ 0xe0, 0xfe, 0x00, 0x1e, 0xf0, 0xfe, 0x00, 0x0e }, { 0xe0, 0xfe, 0x1e, 0x00, 0xf0, 0xfe, 0x0e, 0x00 },
356
{ 0xe0, 0xfe, 0xe0, 0xfe, 0xf0, 0xfe, 0xf0, 0xfe }, { 0xe0, 0xfe, 0xfe, 0xe0, 0xf0, 0xfe, 0xfe, 0xf0 },
357
{ 0xfe, 0x00, 0x00, 0xfe, 0xfe, 0x00, 0x00, 0xfe }, { 0xfe, 0x00, 0x1e, 0xe0, 0xfe, 0x00, 0x0e, 0xf0 },
358
{ 0xfe, 0x00, 0xe0, 0x1e, 0xfe, 0x00, 0xf0, 0x0e }, { 0xfe, 0x00, 0xfe, 0x00, 0xfe, 0x00, 0xfe, 0x00 },
359
{ 0xfe, 0x1e, 0x00, 0xe0, 0xfe, 0x0e, 0x00, 0xf0 }, { 0xfe, 0x1e, 0x1e, 0xfe, 0xfe, 0x0e, 0x0e, 0xfe },
360
{ 0xfe, 0x1e, 0xe0, 0x00, 0xfe, 0x0e, 0xf0, 0x00 }, { 0xfe, 0x1e, 0xfe, 0x1e, 0xfe, 0x0e, 0xfe, 0x0e },
361
{ 0xfe, 0xe0, 0x00, 0x1e, 0xfe, 0xf0, 0x00, 0x0e }, { 0xfe, 0xe0, 0x1e, 0x00, 0xfe, 0xf0, 0x0e, 0x00 },
362
{ 0xfe, 0xe0, 0xe0, 0xfe, 0xfe, 0xf0, 0xf0, 0xfe }, { 0xfe, 0xe0, 0xfe, 0xe0, 0xfe, 0xf0, 0xfe, 0xf0 },
363
{ 0xfe, 0xfe, 0x00, 0x00, 0xfe, 0xfe, 0x00, 0x00 }, { 0xfe, 0xfe, 0x1e, 0x1e, 0xfe, 0xfe, 0x0e, 0x0e },
364
{ 0xfe, 0xfe, 0xe0, 0xe0, 0xfe, 0xfe, 0xf0, 0xf0 }, { 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe }
373
* Macro to swap bits across two words.
375
#define DO_PERMUTATION(a, temp, b, offset, mask) \
376
temp = ((a>>offset) ^ b) & mask; \
382
* This performs the 'initial permutation' of the data to be encrypted
383
* or decrypted. Additionally the resulting two words are rotated one bit
386
#define INITIAL_PERMUTATION(left, temp, right) \
387
DO_PERMUTATION(left, temp, right, 4, 0x0f0f0f0f) \
388
DO_PERMUTATION(left, temp, right, 16, 0x0000ffff) \
389
DO_PERMUTATION(right, temp, left, 2, 0x33333333) \
390
DO_PERMUTATION(right, temp, left, 8, 0x00ff00ff) \
391
right = (right << 1) | (right >> 31); \
392
temp = (left ^ right) & 0xaaaaaaaa; \
395
left = (left << 1) | (left >> 31);
398
* The 'inverse initial permutation'.
400
#define FINAL_PERMUTATION(left, temp, right) \
401
left = (left << 31) | (left >> 1); \
402
temp = (left ^ right) & 0xaaaaaaaa; \
405
right = (right << 31) | (right >> 1); \
406
DO_PERMUTATION(right, temp, left, 8, 0x00ff00ff) \
407
DO_PERMUTATION(right, temp, left, 2, 0x33333333) \
408
DO_PERMUTATION(left, temp, right, 16, 0x0000ffff) \
409
DO_PERMUTATION(left, temp, right, 4, 0x0f0f0f0f)
413
* A full DES round including 'expansion function', 'sbox substitution'
414
* and 'primitive function P' but without swapping the left and right word.
415
* Please note: The data in 'from' and 'to' is already rotated one bit to
416
* the left, done in the initial permutation.
418
#define DES_ROUND(from, to, work, subkey) \
419
work = from ^ *subkey++; \
420
to ^= sbox8[ work & 0x3f ]; \
421
to ^= sbox6[ (work>>8) & 0x3f ]; \
422
to ^= sbox4[ (work>>16) & 0x3f ]; \
423
to ^= sbox2[ (work>>24) & 0x3f ]; \
424
work = ((from << 28) | (from >> 4)) ^ *subkey++; \
425
to ^= sbox7[ work & 0x3f ]; \
426
to ^= sbox5[ (work>>8) & 0x3f ]; \
427
to ^= sbox3[ (work>>16) & 0x3f ]; \
428
to ^= sbox1[ (work>>24) & 0x3f ];
431
* Macros to convert 8 bytes from/to 32bit words.
433
#define READ_64BIT_DATA(data, left, right) \
434
left = (data[0] << 24) | (data[1] << 16) | (data[2] << 8) | data[3]; \
435
right = (data[4] << 24) | (data[5] << 16) | (data[6] << 8) | data[7];
437
#define WRITE_64BIT_DATA(data, left, right) \
438
data[0] = (left >> 24) &0xff; data[1] = (left >> 16) &0xff; \
439
data[2] = (left >> 8) &0xff; data[3] = left &0xff; \
440
data[4] = (right >> 24) &0xff; data[5] = (right >> 16) &0xff; \
441
data[6] = (right >> 8) &0xff; data[7] = right &0xff;
444
* Handy macros for encryption and decryption of data
446
#define des_ecb_encrypt(ctx, from, to) des_ecb_crypt(ctx, from, to, 0)
447
#define des_ecb_decrypt(ctx, from, to) des_ecb_crypt(ctx, from, to, 1)
448
#define tripledes_ecb_encrypt(ctx, from, to) tripledes_ecb_crypt(ctx, from, to, 0)
449
#define tripledes_ecb_decrypt(ctx, from, to) tripledes_ecb_crypt(ctx, from, to, 1)
453
burn_stack (int bytes)
457
wipememory(buf,sizeof buf);
464
* des_key_schedule(): Calculate 16 subkeys pairs (even/odd) for
465
* 16 encryption rounds.
466
* To calculate subkeys for decryption the caller
467
* have to reorder the generated subkeys.
469
* rawkey: 8 Bytes of key data
470
* subkey: Array of at least 32 u32s. Will be filled
471
* with calculated subkeys.
475
des_key_schedule (const byte * rawkey, u32 * subkey)
477
u32 left, right, work;
480
READ_64BIT_DATA (rawkey, left, right)
482
DO_PERMUTATION (right, work, left, 4, 0x0f0f0f0f)
483
DO_PERMUTATION (right, work, left, 0, 0x10101010)
485
left = (leftkey_swap[(left >> 0) & 0xf] << 3) | (leftkey_swap[(left >> 8) & 0xf] << 2)
486
| (leftkey_swap[(left >> 16) & 0xf] << 1) | (leftkey_swap[(left >> 24) & 0xf])
487
| (leftkey_swap[(left >> 5) & 0xf] << 7) | (leftkey_swap[(left >> 13) & 0xf] << 6)
488
| (leftkey_swap[(left >> 21) & 0xf] << 5) | (leftkey_swap[(left >> 29) & 0xf] << 4);
492
right = (rightkey_swap[(right >> 1) & 0xf] << 3) | (rightkey_swap[(right >> 9) & 0xf] << 2)
493
| (rightkey_swap[(right >> 17) & 0xf] << 1) | (rightkey_swap[(right >> 25) & 0xf])
494
| (rightkey_swap[(right >> 4) & 0xf] << 7) | (rightkey_swap[(right >> 12) & 0xf] << 6)
495
| (rightkey_swap[(right >> 20) & 0xf] << 5) | (rightkey_swap[(right >> 28) & 0xf] << 4);
499
for (round = 0; round < 16; ++round)
501
left = ((left << encrypt_rotate_tab[round]) | (left >> (28 - encrypt_rotate_tab[round]))) & 0x0fffffff;
502
right = ((right << encrypt_rotate_tab[round]) | (right >> (28 - encrypt_rotate_tab[round]))) & 0x0fffffff;
504
*subkey++ = ((left << 4) & 0x24000000)
505
| ((left << 28) & 0x10000000)
506
| ((left << 14) & 0x08000000)
507
| ((left << 18) & 0x02080000)
508
| ((left << 6) & 0x01000000)
509
| ((left << 9) & 0x00200000)
510
| ((left >> 1) & 0x00100000)
511
| ((left << 10) & 0x00040000)
512
| ((left << 2) & 0x00020000)
513
| ((left >> 10) & 0x00010000)
514
| ((right >> 13) & 0x00002000)
515
| ((right >> 4) & 0x00001000)
516
| ((right << 6) & 0x00000800)
517
| ((right >> 1) & 0x00000400)
518
| ((right >> 14) & 0x00000200)
519
| (right & 0x00000100)
520
| ((right >> 5) & 0x00000020)
521
| ((right >> 10) & 0x00000010)
522
| ((right >> 3) & 0x00000008)
523
| ((right >> 18) & 0x00000004)
524
| ((right >> 26) & 0x00000002)
525
| ((right >> 24) & 0x00000001);
527
*subkey++ = ((left << 15) & 0x20000000)
528
| ((left << 17) & 0x10000000)
529
| ((left << 10) & 0x08000000)
530
| ((left << 22) & 0x04000000)
531
| ((left >> 2) & 0x02000000)
532
| ((left << 1) & 0x01000000)
533
| ((left << 16) & 0x00200000)
534
| ((left << 11) & 0x00100000)
535
| ((left << 3) & 0x00080000)
536
| ((left >> 6) & 0x00040000)
537
| ((left << 15) & 0x00020000)
538
| ((left >> 4) & 0x00010000)
539
| ((right >> 2) & 0x00002000)
540
| ((right << 8) & 0x00001000)
541
| ((right >> 14) & 0x00000808)
542
| ((right >> 9) & 0x00000400)
543
| ((right) & 0x00000200)
544
| ((right << 7) & 0x00000100)
545
| ((right >> 7) & 0x00000020)
546
| ((right >> 3) & 0x00000011)
547
| ((right << 2) & 0x00000004)
548
| ((right >> 21) & 0x00000002);
555
* Fill a DES context with subkeys calculated from a 64bit key.
556
* Does not check parity bits, but simply ignore them.
557
* Does not check for weak keys.
560
des_setkey (struct _des_ctx *ctx, const byte * key)
564
if( selftest_failed )
565
return G10ERR_SELFTEST_FAILED;
567
des_key_schedule (key, ctx->encrypt_subkeys);
572
ctx->decrypt_subkeys[i] = ctx->encrypt_subkeys[30-i];
573
ctx->decrypt_subkeys[i+1] = ctx->encrypt_subkeys[31-i];
582
* Electronic Codebook Mode DES encryption/decryption of data according
586
des_ecb_crypt (struct _des_ctx *ctx, const byte * from, byte * to, int mode)
588
u32 left, right, work;
591
keys = mode ? ctx->decrypt_subkeys : ctx->encrypt_subkeys;
593
READ_64BIT_DATA (from, left, right)
594
INITIAL_PERMUTATION (left, work, right)
596
DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
597
DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
598
DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
599
DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
600
DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
601
DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
602
DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
603
DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
605
FINAL_PERMUTATION (right, work, left)
606
WRITE_64BIT_DATA (to, right, left)
614
* Fill a Triple-DES context with subkeys calculated from two 64bit keys.
615
* Does not check the parity bits of the keys, but simply ignore them.
616
* Does not check for weak keys.
619
tripledes_set2keys (struct _tripledes_ctx *ctx,
625
des_key_schedule (key1, ctx->encrypt_subkeys);
626
des_key_schedule (key2, &(ctx->decrypt_subkeys[32]));
631
ctx->decrypt_subkeys[i] = ctx->encrypt_subkeys[30-i];
632
ctx->decrypt_subkeys[i+1] = ctx->encrypt_subkeys[31-i];
634
ctx->encrypt_subkeys[i+32] = ctx->decrypt_subkeys[62-i];
635
ctx->encrypt_subkeys[i+33] = ctx->decrypt_subkeys[63-i];
637
ctx->encrypt_subkeys[i+64] = ctx->encrypt_subkeys[i];
638
ctx->encrypt_subkeys[i+65] = ctx->encrypt_subkeys[i+1];
640
ctx->decrypt_subkeys[i+64] = ctx->decrypt_subkeys[i];
641
ctx->decrypt_subkeys[i+65] = ctx->decrypt_subkeys[i+1];
650
* Fill a Triple-DES context with subkeys calculated from three 64bit keys.
651
* Does not check the parity bits of the keys, but simply ignore them.
652
* Does not check for weak keys.
655
tripledes_set3keys (struct _tripledes_ctx *ctx,
662
des_key_schedule (key1, ctx->encrypt_subkeys);
663
des_key_schedule (key2, &(ctx->decrypt_subkeys[32]));
664
des_key_schedule (key3, &(ctx->encrypt_subkeys[64]));
669
ctx->decrypt_subkeys[i] = ctx->encrypt_subkeys[94-i];
670
ctx->decrypt_subkeys[i+1] = ctx->encrypt_subkeys[95-i];
672
ctx->encrypt_subkeys[i+32] = ctx->decrypt_subkeys[62-i];
673
ctx->encrypt_subkeys[i+33] = ctx->decrypt_subkeys[63-i];
675
ctx->decrypt_subkeys[i+64] = ctx->encrypt_subkeys[30-i];
676
ctx->decrypt_subkeys[i+65] = ctx->encrypt_subkeys[31-i];
685
* Electronic Codebook Mode Triple-DES encryption/decryption of data according to 'mode'.
686
* Sometimes this mode is named 'EDE' mode (Encryption-Decryption-Encryption).
689
tripledes_ecb_crypt (struct _tripledes_ctx *ctx, const byte * from, byte * to, int mode)
691
u32 left, right, work;
694
keys = mode ? ctx->decrypt_subkeys : ctx->encrypt_subkeys;
696
READ_64BIT_DATA (from, left, right)
697
INITIAL_PERMUTATION (left, work, right)
699
DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
700
DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
701
DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
702
DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
703
DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
704
DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
705
DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
706
DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
708
DES_ROUND (left, right, work, keys) DES_ROUND (right, left, work, keys)
709
DES_ROUND (left, right, work, keys) DES_ROUND (right, left, work, keys)
710
DES_ROUND (left, right, work, keys) DES_ROUND (right, left, work, keys)
711
DES_ROUND (left, right, work, keys) DES_ROUND (right, left, work, keys)
712
DES_ROUND (left, right, work, keys) DES_ROUND (right, left, work, keys)
713
DES_ROUND (left, right, work, keys) DES_ROUND (right, left, work, keys)
714
DES_ROUND (left, right, work, keys) DES_ROUND (right, left, work, keys)
715
DES_ROUND (left, right, work, keys) DES_ROUND (right, left, work, keys)
717
DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
718
DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
719
DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
720
DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
721
DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
722
DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
723
DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
724
DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys)
726
FINAL_PERMUTATION (right, work, left)
727
WRITE_64BIT_DATA (to, right, left)
737
* Check whether the 8 byte key is weak.
738
* Dose not check the parity bits of the key but simple ignore them.
741
is_weak_key ( const byte *key )
744
int i, left, right, middle, cmp_result;
746
/* clear parity bits */
748
work[i] = key[i] & 0xfe;
750
/* binary search in the weak key table */
755
middle = (left + right) / 2;
757
if ( !(cmp_result=working_memcmp(work, weak_keys[middle], 8)) )
760
if ( cmp_result > 0 )
772
* Performs a selftest of this DES/Triple-DES implementation.
773
* Returns an string with the error text on failure.
774
* Returns NULL if all is ok.
780
* Check if 'u32' is really 32 bits wide. This DES / 3DES implementation
783
if (sizeof (u32) != 4)
784
return "Wrong word size for DES configured.";
787
* DES Maintenance Test
792
{0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55};
794
{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
796
{0x24, 0x6e, 0x9d, 0xb9, 0xc5, 0x50, 0x38, 0x1a};
797
byte temp1[8], temp2[8], temp3[8];
800
for (i = 0; i < 64; ++i)
802
des_setkey (des, key);
803
des_ecb_encrypt (des, input, temp1);
804
des_ecb_encrypt (des, temp1, temp2);
805
des_setkey (des, temp2);
806
des_ecb_decrypt (des, temp1, temp3);
807
memcpy (key, temp3, 8);
808
memcpy (input, temp1, 8);
810
if (memcmp (temp3, result, 8))
811
return "DES maintenance test failed.";
816
* Self made Triple-DES test (Does somebody known an official test?)
821
{0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10};
823
{0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0};
825
{0x11, 0x22, 0x33, 0x44, 0xff, 0xaa, 0xcc, 0xdd};
827
{0x7b, 0x38, 0x3b, 0x23, 0xa2, 0x7d, 0x26, 0xd3};
831
for (i = 0; i < 16; ++i)
833
tripledes_set2keys (des3, key1, key2);
834
tripledes_ecb_encrypt (des3, input, key1);
835
tripledes_ecb_decrypt (des3, input, key2);
836
tripledes_set3keys (des3, key1, input, key2);
837
tripledes_ecb_encrypt (des3, input, input);
839
if (memcmp (input, result, 8))
840
return "Triple-DES test failed.";
844
* More Triple-DES test. These are testvectors as used by SSLeay,
845
* thanks to Jeroen C. van Gelderen.
847
{ struct { byte key[24]; byte plain[8]; byte cipher[8]; } testdata[] = {
848
{ { 0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,
849
0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,
850
0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01 },
851
{ 0x95,0xF8,0xA5,0xE5,0xDD,0x31,0xD9,0x00 },
852
{ 0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00 }
855
{ { 0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,
856
0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,
857
0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01 },
858
{ 0x9D,0x64,0x55,0x5A,0x9A,0x10,0xB8,0x52, },
859
{ 0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x00 }
861
{ { 0x38,0x49,0x67,0x4C,0x26,0x02,0x31,0x9E,
862
0x38,0x49,0x67,0x4C,0x26,0x02,0x31,0x9E,
863
0x38,0x49,0x67,0x4C,0x26,0x02,0x31,0x9E },
864
{ 0x51,0x45,0x4B,0x58,0x2D,0xDF,0x44,0x0A },
865
{ 0x71,0x78,0x87,0x6E,0x01,0xF1,0x9B,0x2A }
867
{ { 0x04,0xB9,0x15,0xBA,0x43,0xFE,0xB5,0xB6,
868
0x04,0xB9,0x15,0xBA,0x43,0xFE,0xB5,0xB6,
869
0x04,0xB9,0x15,0xBA,0x43,0xFE,0xB5,0xB6 },
870
{ 0x42,0xFD,0x44,0x30,0x59,0x57,0x7F,0xA2 },
871
{ 0xAF,0x37,0xFB,0x42,0x1F,0x8C,0x40,0x95 }
873
{ { 0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF,
874
0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF,
875
0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF },
876
{ 0x73,0x6F,0x6D,0x65,0x64,0x61,0x74,0x61 },
877
{ 0x3D,0x12,0x4F,0xE2,0x19,0x8B,0xA3,0x18 }
879
{ { 0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF,
880
0x55,0x55,0x55,0x55,0x55,0x55,0x55,0x55,
881
0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF },
882
{ 0x73,0x6F,0x6D,0x65,0x64,0x61,0x74,0x61 },
883
{ 0xFB,0xAB,0xA1,0xFF,0x9D,0x05,0xE9,0xB1 }
885
{ { 0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF,
886
0x55,0x55,0x55,0x55,0x55,0x55,0x55,0x55,
887
0xFE,0xDC,0xBA,0x98,0x76,0x54,0x32,0x10 },
888
{ 0x73,0x6F,0x6D,0x65,0x64,0x61,0x74,0x61 },
889
{ 0x18,0xd7,0x48,0xe5,0x63,0x62,0x05,0x72 }
891
{ { 0x03,0x52,0x02,0x07,0x67,0x20,0x82,0x17,
892
0x86,0x02,0x87,0x66,0x59,0x08,0x21,0x98,
893
0x64,0x05,0x6A,0xBD,0xFE,0xA9,0x34,0x57 },
894
{ 0x73,0x71,0x75,0x69,0x67,0x67,0x6C,0x65 },
895
{ 0xc0,0x7d,0x2a,0x0f,0xa5,0x66,0xfa,0x30 }
897
{ { 0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01,
898
0x80,0x01,0x01,0x01,0x01,0x01,0x01,0x01,
899
0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x02 },
900
{ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 },
901
{ 0xe6,0xe6,0xdd,0x5b,0x7e,0x72,0x29,0x74 }
903
{ { 0x10,0x46,0x10,0x34,0x89,0x98,0x80,0x20,
904
0x91,0x07,0xD0,0x15,0x89,0x19,0x01,0x01,
905
0x19,0x07,0x92,0x10,0x98,0x1A,0x01,0x01 },
906
{ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 },
907
{ 0xe1,0xef,0x62,0xc3,0x32,0xfe,0x82,0x5b }
913
static char error[80];
916
for (i=0; i<sizeof(testdata)/sizeof(*testdata); ++i) {
917
tripledes_set3keys (des3, testdata[i].key, testdata[i].key + 8, testdata[i].key + 16);
919
tripledes_ecb_encrypt (des3, testdata[i].plain, result);
920
if (memcmp (testdata[i].cipher, result, 8)) {
921
sprintf (error, "Triple-DES SSLeay test pattern no. %d failend on encryption.", i+1);
925
tripledes_ecb_decrypt (des3, testdata[i].cipher, result);
926
if (memcmp (testdata[i].plain, result, 8)) {
927
sprintf (error, "Triple-DES SSLeay test pattern no. %d failend on decryption.", i+1);
934
* Check the weak key detection. We simply assume that the table
935
* with weak keys is ok and check every key in the table if it is
936
* detected... (This test is a little bit stupid)
941
for (i = 0; i < 64; ++i)
942
if (!is_weak_key(weak_keys[i]))
943
return "DES weak key detection failed";
951
do_tripledes_setkey ( void *ctx, const byte *key, unsigned keylen )
953
if( selftest_failed )
954
return G10ERR_SELFTEST_FAILED;
956
return G10ERR_WRONG_KEYLEN;
958
tripledes_set3keys ( ctx, key, key+8, key+16);
960
if( is_weak_key( key ) || is_weak_key( key+8 ) || is_weak_key( key+16 ) ) {
962
return G10ERR_WEAK_KEY;
971
do_tripledes_encrypt( void *ctx, byte *outbuf, const byte *inbuf )
973
tripledes_ecb_encrypt ( ctx, inbuf, outbuf );
978
do_tripledes_decrypt( void *ctx, byte *outbuf, const byte *inbuf )
980
tripledes_ecb_decrypt ( ctx, inbuf, outbuf );
986
* Return some information about the algorithm. We need algo here to
987
* distinguish different flavors of the algorithm.
988
* Returns: A pointer to string describing the algorithm or NULL if
989
* the ALGO is invalid.
992
des_get_info( int algo, size_t *keylen,
993
size_t *blocksize, size_t *contextsize,
994
int (**r_setkey)( void *c, const byte *key, unsigned keylen ),
995
void (**r_encrypt)( void *c, byte *outbuf, const byte *inbuf ),
996
void (**r_decrypt)( void *c, byte *outbuf, const byte *inbuf )
999
static int did_selftest = 0;
1001
if( !did_selftest ) {
1002
const char *s = selftest();
1005
fprintf(stderr,"%s\n", s );
1006
selftest_failed = s;
1011
if( algo == CIPHER_ALGO_3DES ) {
1014
*contextsize = sizeof(struct _tripledes_ctx);
1015
*r_setkey = do_tripledes_setkey;
1016
*r_encrypt = do_tripledes_encrypt;
1017
*r_decrypt = do_tripledes_decrypt;