author | zautrix <zautrix> | 2004-10-19 20:16:14 (UTC) |
---|---|---|
committer | zautrix <zautrix> | 2004-10-19 20:16:14 (UTC) |
commit | eca49bb06a71980ef61d078904573f25890fc7f2 (patch) (unidiff) | |
tree | c5338e3b12430248979a9ac2c1c7e6646ea9ecdf /pwmanager/libcrypt/cipher/des.c | |
parent | 53cc32b6e7b1f672bf91b2baf2df6c1e8baf3e0a (diff) | |
download | kdepimpi-eca49bb06a71980ef61d078904573f25890fc7f2.zip kdepimpi-eca49bb06a71980ef61d078904573f25890fc7f2.tar.gz kdepimpi-eca49bb06a71980ef61d078904573f25890fc7f2.tar.bz2 |
Initial revision
Diffstat (limited to 'pwmanager/libcrypt/cipher/des.c') (more/less context) (ignore whitespace changes)
-rw-r--r-- | pwmanager/libcrypt/cipher/des.c | 1111 |
1 files changed, 1111 insertions, 0 deletions
diff --git a/pwmanager/libcrypt/cipher/des.c b/pwmanager/libcrypt/cipher/des.c new file mode 100644 index 0000000..81b5337 --- a/dev/null +++ b/pwmanager/libcrypt/cipher/des.c | |||
@@ -0,0 +1,1111 @@ | |||
1 | /* des.c - DES and Triple-DES encryption/decryption Algorithm | ||
2 | * Copyright (C) 1998, 1999, 2001, 2002, 2003 Free Software Foundation, Inc. | ||
3 | * | ||
4 | * This file is part of Libgcrypt. | ||
5 | * | ||
6 | * Libgcrypt is free software; you can redistribute it and/or modify | ||
7 | * it under the terms of the GNU Lesser general Public License as | ||
8 | * published by the Free Software Foundation; either version 2.1 of | ||
9 | * the License, or (at your option) any later version. | ||
10 | * | ||
11 | * Libgcrypt is distributed in the hope that it will be useful, | ||
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
14 | * GNU Lesser General Public License for more details. | ||
15 | * | ||
16 | * You should have received a copy of the GNU Lesser General Public | ||
17 | * License along with this program; if not, write to the Free Software | ||
18 | * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA | ||
19 | * | ||
20 | * For a description of triple encryption, see: | ||
21 | * Bruce Schneier: Applied Cryptography. Second Edition. | ||
22 | * John Wiley & Sons, 1996. ISBN 0-471-12845-7. Pages 358 ff. | ||
23 | * This implementation is according to the definition of DES in FIPS | ||
24 | * PUB 46-2 from December 1993. | ||
25 | */ | ||
26 | |||
27 | |||
28 | /* | ||
29 | * Written by Michael Roth <mroth@nessie.de>, September 1998 | ||
30 | */ | ||
31 | |||
32 | |||
33 | /* | ||
34 | * U S A G E | ||
35 | * =========== | ||
36 | * | ||
37 | * For DES or Triple-DES encryption/decryption you must initialize a proper | ||
38 | * encryption context with a key. | ||
39 | * | ||
40 | * A DES key is 64bit wide but only 56bits of the key are used. The remaining | ||
41 | * bits are parity bits and they will _not_ checked in this implementation, but | ||
42 | * simply ignored. | ||
43 | * | ||
44 | * For Triple-DES you could use either two 64bit keys or three 64bit keys. | ||
45 | * The parity bits will _not_ checked, too. | ||
46 | * | ||
47 | * After initializing a context with a key you could use this context to | ||
48 | * encrypt or decrypt data in 64bit blocks in Electronic Codebook Mode. | ||
49 | * | ||
50 | * (In the examples below the slashes at the beginning and ending of comments | ||
51 | * are omited.) | ||
52 | * | ||
53 | * DES Example | ||
54 | * ----------- | ||
55 | * unsigned char key[8]; | ||
56 | * unsigned char plaintext[8]; | ||
57 | * unsigned char ciphertext[8]; | ||
58 | * unsigned char recoverd[8]; | ||
59 | * des_ctx context; | ||
60 | * | ||
61 | * * Fill 'key' and 'plaintext' with some data * | ||
62 | * .... | ||
63 | * | ||
64 | * * Set up the DES encryption context * | ||
65 | * des_setkey(context, key); | ||
66 | * | ||
67 | * * Encrypt the plaintext * | ||
68 | * des_ecb_encrypt(context, plaintext, ciphertext); | ||
69 | * | ||
70 | * * To recover the orginal plaintext from ciphertext use: * | ||
71 | * des_ecb_decrypt(context, ciphertext, recoverd); | ||
72 | * | ||
73 | * | ||
74 | * Triple-DES Example | ||
75 | * ------------------ | ||
76 | * unsigned char key1[8]; | ||
77 | * unsigned char key2[8]; | ||
78 | * unsigned char key3[8]; | ||
79 | * unsigned char plaintext[8]; | ||
80 | * unsigned char ciphertext[8]; | ||
81 | * unsigned char recoverd[8]; | ||
82 | * tripledes_ctx context; | ||
83 | * | ||
84 | * * If you would like to use two 64bit keys, fill 'key1' and'key2' | ||
85 | * then setup the encryption context: * | ||
86 | * tripledes_set2keys(context, key1, key2); | ||
87 | * | ||
88 | * * To use three 64bit keys with Triple-DES use: * | ||
89 | * tripledes_set3keys(context, key1, key2, key3); | ||
90 | * | ||
91 | * * Encrypting plaintext with Triple-DES * | ||
92 | * tripledes_ecb_encrypt(context, plaintext, ciphertext); | ||
93 | * | ||
94 | * * Decrypting ciphertext to recover the plaintext with Triple-DES * | ||
95 | * tripledes_ecb_decrypt(context, ciphertext, recoverd); | ||
96 | * | ||
97 | * | ||
98 | * Selftest | ||
99 | * -------- | ||
100 | * char *error_msg; | ||
101 | * | ||
102 | * * To perform a selftest of this DES/Triple-DES implementation use the | ||
103 | * function selftest(). It will return an error string if their are | ||
104 | * some problems with this library. * | ||
105 | * | ||
106 | * if ( (error_msg = selftest()) ) | ||
107 | * { | ||
108 | * fprintf(stderr, "An error in the DES/Tripple-DES implementation occured: %s\n", error_msg); | ||
109 | * abort(); | ||
110 | * } | ||
111 | */ | ||
112 | |||
113 | |||
114 | #include <config.h> | ||
115 | #include <stdio.h> | ||
116 | #include <string.h> /* memcpy, memcmp */ | ||
117 | #include "types.h" /* for byte and u32 typedefs */ | ||
118 | #include "g10lib.h" | ||
119 | #include "cipher.h" | ||
120 | |||
121 | #if defined(__GNUC__) && defined(__GNU_LIBRARY__) | ||
122 | #define working_memcmp memcmp | ||
123 | #else | ||
124 | /* | ||
125 | * According to the SunOS man page, memcmp returns indeterminate sign | ||
126 | * depending on whether characters are signed or not. | ||
127 | */ | ||
128 | static int | ||
129 | working_memcmp( const char *a, const char *b, size_t n ) | ||
130 | { | ||
131 | for( ; n; n--, a++, b++ ) | ||
132 | if( *a != *b ) | ||
133 | return (int)(*(byte*)a) - (int)(*(byte*)b); | ||
134 | return 0; | ||
135 | } | ||
136 | #endif | ||
137 | |||
138 | /* | ||
139 | * Encryption/Decryption context of DES | ||
140 | */ | ||
141 | typedef struct _des_ctx | ||
142 | { | ||
143 | u32 encrypt_subkeys[32]; | ||
144 | u32 decrypt_subkeys[32]; | ||
145 | } | ||
146 | des_ctx[1]; | ||
147 | |||
148 | /* | ||
149 | * Encryption/Decryption context of Triple-DES | ||
150 | */ | ||
151 | typedef struct _tripledes_ctx | ||
152 | { | ||
153 | u32 encrypt_subkeys[96]; | ||
154 | u32 decrypt_subkeys[96]; | ||
155 | } | ||
156 | tripledes_ctx[1]; | ||
157 | |||
158 | static void des_key_schedule (const byte *, u32 *); | ||
159 | static int des_setkey (struct _des_ctx *, const byte *); | ||
160 | static int des_ecb_crypt (struct _des_ctx *, const byte *, byte *, int); | ||
161 | static int tripledes_set2keys (struct _tripledes_ctx *, | ||
162 | const byte *, const byte *); | ||
163 | static int tripledes_set3keys (struct _tripledes_ctx *, | ||
164 | const byte *, const byte *, const byte *); | ||
165 | static int tripledes_ecb_crypt (struct _tripledes_ctx *, | ||
166 | const byte *, byte *, int); | ||
167 | static int is_weak_key ( const byte *key ); | ||
168 | static const char *selftest (void); | ||
169 | |||
170 | static int initialized; | ||
171 | |||
172 | |||
173 | |||
174 | |||
175 | /* | ||
176 | * The s-box values are permuted according to the 'primitive function P' | ||
177 | * and are rotated one bit to the left. | ||
178 | */ | ||
179 | static u32 sbox1[64] = | ||
180 | { | ||
181 | 0x01010400, 0x00000000, 0x00010000, 0x01010404, 0x01010004, 0x00010404, 0x00000004, 0x00010000, | ||
182 | 0x00000400, 0x01010400, 0x01010404, 0x00000400, 0x01000404, 0x01010004, 0x01000000, 0x00000004, | ||
183 | 0x00000404, 0x01000400, 0x01000400, 0x00010400, 0x00010400, 0x01010000, 0x01010000, 0x01000404, | ||
184 | 0x00010004, 0x01000004, 0x01000004, 0x00010004, 0x00000000, 0x00000404, 0x00010404, 0x01000000, | ||
185 | 0x00010000, 0x01010404, 0x00000004, 0x01010000, 0x01010400, 0x01000000, 0x01000000, 0x00000400, | ||
186 | 0x01010004, 0x00010000, 0x00010400, 0x01000004, 0x00000400, 0x00000004, 0x01000404, 0x00010404, | ||
187 | 0x01010404, 0x00010004, 0x01010000, 0x01000404, 0x01000004, 0x00000404, 0x00010404, 0x01010400, | ||
188 | 0x00000404, 0x01000400, 0x01000400, 0x00000000, 0x00010004, 0x00010400, 0x00000000, 0x01010004 | ||
189 | }; | ||
190 | |||
191 | static u32 sbox2[64] = | ||
192 | { | ||
193 | 0x80108020, 0x80008000, 0x00008000, 0x00108020, 0x00100000, 0x00000020, 0x80100020, 0x80008020, | ||
194 | 0x80000020, 0x80108020, 0x80108000, 0x80000000, 0x80008000, 0x00100000, 0x00000020, 0x80100020, | ||
195 | 0x00108000, 0x00100020, 0x80008020, 0x00000000, 0x80000000, 0x00008000, 0x00108020, 0x80100000, | ||
196 | 0x00100020, 0x80000020, 0x00000000, 0x00108000, 0x00008020, 0x80108000, 0x80100000, 0x00008020, | ||
197 | 0x00000000, 0x00108020, 0x80100020, 0x00100000, 0x80008020, 0x80100000, 0x80108000, 0x00008000, | ||
198 | 0x80100000, 0x80008000, 0x00000020, 0x80108020, 0x00108020, 0x00000020, 0x00008000, 0x80000000, | ||
199 | 0x00008020, 0x80108000, 0x00100000, 0x80000020, 0x00100020, 0x80008020, 0x80000020, 0x00100020, | ||
200 | 0x00108000, 0x00000000, 0x80008000, 0x00008020, 0x80000000, 0x80100020, 0x80108020, 0x00108000 | ||
201 | }; | ||
202 | |||
203 | static u32 sbox3[64] = | ||
204 | { | ||
205 | 0x00000208, 0x08020200, 0x00000000, 0x08020008, 0x08000200, 0x00000000, 0x00020208, 0x08000200, | ||
206 | 0x00020008, 0x08000008, 0x08000008, 0x00020000, 0x08020208, 0x00020008, 0x08020000, 0x00000208, | ||
207 | 0x08000000, 0x00000008, 0x08020200, 0x00000200, 0x00020200, 0x08020000, 0x08020008, 0x00020208, | ||
208 | 0x08000208, 0x00020200, 0x00020000, 0x08000208, 0x00000008, 0x08020208, 0x00000200, 0x08000000, | ||
209 | 0x08020200, 0x08000000, 0x00020008, 0x00000208, 0x00020000, 0x08020200, 0x08000200, 0x00000000, | ||
210 | 0x00000200, 0x00020008, 0x08020208, 0x08000200, 0x08000008, 0x00000200, 0x00000000, 0x08020008, | ||
211 | 0x08000208, 0x00020000, 0x08000000, 0x08020208, 0x00000008, 0x00020208, 0x00020200, 0x08000008, | ||
212 | 0x08020000, 0x08000208, 0x00000208, 0x08020000, 0x00020208, 0x00000008, 0x08020008, 0x00020200 | ||
213 | }; | ||
214 | |||
215 | static u32 sbox4[64] = | ||
216 | { | ||
217 | 0x00802001, 0x00002081, 0x00002081, 0x00000080, 0x00802080, 0x00800081, 0x00800001, 0x00002001, | ||
218 | 0x00000000, 0x00802000, 0x00802000, 0x00802081, 0x00000081, 0x00000000, 0x00800080, 0x00800001, | ||
219 | 0x00000001, 0x00002000, 0x00800000, 0x00802001, 0x00000080, 0x00800000, 0x00002001, 0x00002080, | ||
220 | 0x00800081, 0x00000001, 0x00002080, 0x00800080, 0x00002000, 0x00802080, 0x00802081, 0x00000081, | ||
221 | 0x00800080, 0x00800001, 0x00802000, 0x00802081, 0x00000081, 0x00000000, 0x00000000, 0x00802000, | ||
222 | 0x00002080, 0x00800080, 0x00800081, 0x00000001, 0x00802001, 0x00002081, 0x00002081, 0x00000080, | ||
223 | 0x00802081, 0x00000081, 0x00000001, 0x00002000, 0x00800001, 0x00002001, 0x00802080, 0x00800081, | ||
224 | 0x00002001, 0x00002080, 0x00800000, 0x00802001, 0x00000080, 0x00800000, 0x00002000, 0x00802080 | ||
225 | }; | ||
226 | |||
227 | static u32 sbox5[64] = | ||
228 | { | ||
229 | 0x00000100, 0x02080100, 0x02080000, 0x42000100, 0x00080000, 0x00000100, 0x40000000, 0x02080000, | ||
230 | 0x40080100, 0x00080000, 0x02000100, 0x40080100, 0x42000100, 0x42080000, 0x00080100, 0x40000000, | ||
231 | 0x02000000, 0x40080000, 0x40080000, 0x00000000, 0x40000100, 0x42080100, 0x42080100, 0x02000100, | ||
232 | 0x42080000, 0x40000100, 0x00000000, 0x42000000, 0x02080100, 0x02000000, 0x42000000, 0x00080100, | ||
233 | 0x00080000, 0x42000100, 0x00000100, 0x02000000, 0x40000000, 0x02080000, 0x42000100, 0x40080100, | ||
234 | 0x02000100, 0x40000000, 0x42080000, 0x02080100, 0x40080100, 0x00000100, 0x02000000, 0x42080000, | ||
235 | 0x42080100, 0x00080100, 0x42000000, 0x42080100, 0x02080000, 0x00000000, 0x40080000, 0x42000000, | ||
236 | 0x00080100, 0x02000100, 0x40000100, 0x00080000, 0x00000000, 0x40080000, 0x02080100, 0x40000100 | ||
237 | }; | ||
238 | |||
239 | static u32 sbox6[64] = | ||
240 | { | ||
241 | 0x20000010, 0x20400000, 0x00004000, 0x20404010, 0x20400000, 0x00000010, 0x20404010, 0x00400000, | ||
242 | 0x20004000, 0x00404010, 0x00400000, 0x20000010, 0x00400010, 0x20004000, 0x20000000, 0x00004010, | ||
243 | 0x00000000, 0x00400010, 0x20004010, 0x00004000, 0x00404000, 0x20004010, 0x00000010, 0x20400010, | ||
244 | 0x20400010, 0x00000000, 0x00404010, 0x20404000, 0x00004010, 0x00404000, 0x20404000, 0x20000000, | ||
245 | 0x20004000, 0x00000010, 0x20400010, 0x00404000, 0x20404010, 0x00400000, 0x00004010, 0x20000010, | ||
246 | 0x00400000, 0x20004000, 0x20000000, 0x00004010, 0x20000010, 0x20404010, 0x00404000, 0x20400000, | ||
247 | 0x00404010, 0x20404000, 0x00000000, 0x20400010, 0x00000010, 0x00004000, 0x20400000, 0x00404010, | ||
248 | 0x00004000, 0x00400010, 0x20004010, 0x00000000, 0x20404000, 0x20000000, 0x00400010, 0x20004010 | ||
249 | }; | ||
250 | |||
251 | static u32 sbox7[64] = | ||
252 | { | ||
253 | 0x00200000, 0x04200002, 0x04000802, 0x00000000, 0x00000800, 0x04000802, 0x00200802, 0x04200800, | ||
254 | 0x04200802, 0x00200000, 0x00000000, 0x04000002, 0x00000002, 0x04000000, 0x04200002, 0x00000802, | ||
255 | 0x04000800, 0x00200802, 0x00200002, 0x04000800, 0x04000002, 0x04200000, 0x04200800, 0x00200002, | ||
256 | 0x04200000, 0x00000800, 0x00000802, 0x04200802, 0x00200800, 0x00000002, 0x04000000, 0x00200800, | ||
257 | 0x04000000, 0x00200800, 0x00200000, 0x04000802, 0x04000802, 0x04200002, 0x04200002, 0x00000002, | ||
258 | 0x00200002, 0x04000000, 0x04000800, 0x00200000, 0x04200800, 0x00000802, 0x00200802, 0x04200800, | ||
259 | 0x00000802, 0x04000002, 0x04200802, 0x04200000, 0x00200800, 0x00000000, 0x00000002, 0x04200802, | ||
260 | 0x00000000, 0x00200802, 0x04200000, 0x00000800, 0x04000002, 0x04000800, 0x00000800, 0x00200002 | ||
261 | }; | ||
262 | |||
263 | static u32 sbox8[64] = | ||
264 | { | ||
265 | 0x10001040, 0x00001000, 0x00040000, 0x10041040, 0x10000000, 0x10001040, 0x00000040, 0x10000000, | ||
266 | 0x00040040, 0x10040000, 0x10041040, 0x00041000, 0x10041000, 0x00041040, 0x00001000, 0x00000040, | ||
267 | 0x10040000, 0x10000040, 0x10001000, 0x00001040, 0x00041000, 0x00040040, 0x10040040, 0x10041000, | ||
268 | 0x00001040, 0x00000000, 0x00000000, 0x10040040, 0x10000040, 0x10001000, 0x00041040, 0x00040000, | ||
269 | 0x00041040, 0x00040000, 0x10041000, 0x00001000, 0x00000040, 0x10040040, 0x00001000, 0x00041040, | ||
270 | 0x10001000, 0x00000040, 0x10000040, 0x10040000, 0x10040040, 0x10000000, 0x00040000, 0x10001040, | ||
271 | 0x00000000, 0x10041040, 0x00040040, 0x10000040, 0x10040000, 0x10001000, 0x10001040, 0x00000000, | ||
272 | 0x10041040, 0x00041000, 0x00041000, 0x00001040, 0x00001040, 0x00040040, 0x10000000, 0x10041000 | ||
273 | }; | ||
274 | |||
275 | |||
276 | /* | ||
277 | * These two tables are part of the 'permuted choice 1' function. | ||
278 | * In this implementation several speed improvements are done. | ||
279 | */ | ||
280 | static u32 leftkey_swap[16] = | ||
281 | { | ||
282 | 0x00000000, 0x00000001, 0x00000100, 0x00000101, | ||
283 | 0x00010000, 0x00010001, 0x00010100, 0x00010101, | ||
284 | 0x01000000, 0x01000001, 0x01000100, 0x01000101, | ||
285 | 0x01010000, 0x01010001, 0x01010100, 0x01010101 | ||
286 | }; | ||
287 | |||
288 | static u32 rightkey_swap[16] = | ||
289 | { | ||
290 | 0x00000000, 0x01000000, 0x00010000, 0x01010000, | ||
291 | 0x00000100, 0x01000100, 0x00010100, 0x01010100, | ||
292 | 0x00000001, 0x01000001, 0x00010001, 0x01010001, | ||
293 | 0x00000101, 0x01000101, 0x00010101, 0x01010101, | ||
294 | }; | ||
295 | |||
296 | |||
297 | |||
298 | /* | ||
299 | * Numbers of left shifts per round for encryption subkeys. | ||
300 | * To calculate the decryption subkeys we just reverse the | ||
301 | * ordering of the calculated encryption subkeys. So their | ||
302 | * is no need for a decryption rotate tab. | ||
303 | */ | ||
304 | static byte encrypt_rotate_tab[16] = | ||
305 | { | ||
306 | 1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1 | ||
307 | }; | ||
308 | |||
309 | |||
310 | |||
311 | /* | ||
312 | * Table with weak DES keys sorted in ascending order. | ||
313 | * In DES their are 64 known keys wich are weak. They are weak | ||
314 | * because they produce only one, two or four different | ||
315 | * subkeys in the subkey scheduling process. | ||
316 | * The keys in this table have all their parity bits cleared. | ||
317 | */ | ||
318 | static byte weak_keys[64][8] = | ||
319 | { | ||
320 | { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, /*w*/ | ||
321 | { 0x00, 0x00, 0x1e, 0x1e, 0x00, 0x00, 0x0e, 0x0e }, | ||
322 | { 0x00, 0x00, 0xe0, 0xe0, 0x00, 0x00, 0xf0, 0xf0 }, | ||
323 | { 0x00, 0x00, 0xfe, 0xfe, 0x00, 0x00, 0xfe, 0xfe }, | ||
324 | { 0x00, 0x1e, 0x00, 0x1e, 0x00, 0x0e, 0x00, 0x0e }, /*sw*/ | ||
325 | { 0x00, 0x1e, 0x1e, 0x00, 0x00, 0x0e, 0x0e, 0x00 }, | ||
326 | { 0x00, 0x1e, 0xe0, 0xfe, 0x00, 0x0e, 0xf0, 0xfe }, | ||
327 | { 0x00, 0x1e, 0xfe, 0xe0, 0x00, 0x0e, 0xfe, 0xf0 }, | ||
328 | { 0x00, 0xe0, 0x00, 0xe0, 0x00, 0xf0, 0x00, 0xf0 }, /*sw*/ | ||
329 | { 0x00, 0xe0, 0x1e, 0xfe, 0x00, 0xf0, 0x0e, 0xfe }, | ||
330 | { 0x00, 0xe0, 0xe0, 0x00, 0x00, 0xf0, 0xf0, 0x00 }, | ||
331 | { 0x00, 0xe0, 0xfe, 0x1e, 0x00, 0xf0, 0xfe, 0x0e }, | ||
332 | { 0x00, 0xfe, 0x00, 0xfe, 0x00, 0xfe, 0x00, 0xfe }, /*sw*/ | ||
333 | { 0x00, 0xfe, 0x1e, 0xe0, 0x00, 0xfe, 0x0e, 0xf0 }, | ||
334 | { 0x00, 0xfe, 0xe0, 0x1e, 0x00, 0xfe, 0xf0, 0x0e }, | ||
335 | { 0x00, 0xfe, 0xfe, 0x00, 0x00, 0xfe, 0xfe, 0x00 }, | ||
336 | { 0x1e, 0x00, 0x00, 0x1e, 0x0e, 0x00, 0x00, 0x0e }, | ||
337 | { 0x1e, 0x00, 0x1e, 0x00, 0x0e, 0x00, 0x0e, 0x00 }, /*sw*/ | ||
338 | { 0x1e, 0x00, 0xe0, 0xfe, 0x0e, 0x00, 0xf0, 0xfe }, | ||
339 | { 0x1e, 0x00, 0xfe, 0xe0, 0x0e, 0x00, 0xfe, 0xf0 }, | ||
340 | { 0x1e, 0x1e, 0x00, 0x00, 0x0e, 0x0e, 0x00, 0x00 }, | ||
341 | { 0x1e, 0x1e, 0x1e, 0x1e, 0x0e, 0x0e, 0x0e, 0x0e }, /*w*/ | ||
342 | { 0x1e, 0x1e, 0xe0, 0xe0, 0x0e, 0x0e, 0xf0, 0xf0 }, | ||
343 | { 0x1e, 0x1e, 0xfe, 0xfe, 0x0e, 0x0e, 0xfe, 0xfe }, | ||
344 | { 0x1e, 0xe0, 0x00, 0xfe, 0x0e, 0xf0, 0x00, 0xfe }, | ||
345 | { 0x1e, 0xe0, 0x1e, 0xe0, 0x0e, 0xf0, 0x0e, 0xf0 }, /*sw*/ | ||
346 | { 0x1e, 0xe0, 0xe0, 0x1e, 0x0e, 0xf0, 0xf0, 0x0e }, | ||
347 | { 0x1e, 0xe0, 0xfe, 0x00, 0x0e, 0xf0, 0xfe, 0x00 }, | ||
348 | { 0x1e, 0xfe, 0x00, 0xe0, 0x0e, 0xfe, 0x00, 0xf0 }, | ||
349 | { 0x1e, 0xfe, 0x1e, 0xfe, 0x0e, 0xfe, 0x0e, 0xfe }, /*sw*/ | ||
350 | { 0x1e, 0xfe, 0xe0, 0x00, 0x0e, 0xfe, 0xf0, 0x00 }, | ||
351 | { 0x1e, 0xfe, 0xfe, 0x1e, 0x0e, 0xfe, 0xfe, 0x0e }, | ||
352 | { 0xe0, 0x00, 0x00, 0xe0, 0xf0, 0x00, 0x00, 0xf0 }, | ||
353 | { 0xe0, 0x00, 0x1e, 0xfe, 0xf0, 0x00, 0x0e, 0xfe }, | ||
354 | { 0xe0, 0x00, 0xe0, 0x00, 0xf0, 0x00, 0xf0, 0x00 }, /*sw*/ | ||
355 | { 0xe0, 0x00, 0xfe, 0x1e, 0xf0, 0x00, 0xfe, 0x0e }, | ||
356 | { 0xe0, 0x1e, 0x00, 0xfe, 0xf0, 0x0e, 0x00, 0xfe }, | ||
357 | { 0xe0, 0x1e, 0x1e, 0xe0, 0xf0, 0x0e, 0x0e, 0xf0 }, | ||
358 | { 0xe0, 0x1e, 0xe0, 0x1e, 0xf0, 0x0e, 0xf0, 0x0e }, /*sw*/ | ||
359 | { 0xe0, 0x1e, 0xfe, 0x00, 0xf0, 0x0e, 0xfe, 0x00 }, | ||
360 | { 0xe0, 0xe0, 0x00, 0x00, 0xf0, 0xf0, 0x00, 0x00 }, | ||
361 | { 0xe0, 0xe0, 0x1e, 0x1e, 0xf0, 0xf0, 0x0e, 0x0e }, | ||
362 | { 0xe0, 0xe0, 0xe0, 0xe0, 0xf0, 0xf0, 0xf0, 0xf0 }, /*w*/ | ||
363 | { 0xe0, 0xe0, 0xfe, 0xfe, 0xf0, 0xf0, 0xfe, 0xfe }, | ||
364 | { 0xe0, 0xfe, 0x00, 0x1e, 0xf0, 0xfe, 0x00, 0x0e }, | ||
365 | { 0xe0, 0xfe, 0x1e, 0x00, 0xf0, 0xfe, 0x0e, 0x00 }, | ||
366 | { 0xe0, 0xfe, 0xe0, 0xfe, 0xf0, 0xfe, 0xf0, 0xfe }, /*sw*/ | ||
367 | { 0xe0, 0xfe, 0xfe, 0xe0, 0xf0, 0xfe, 0xfe, 0xf0 }, | ||
368 | { 0xfe, 0x00, 0x00, 0xfe, 0xfe, 0x00, 0x00, 0xfe }, | ||
369 | { 0xfe, 0x00, 0x1e, 0xe0, 0xfe, 0x00, 0x0e, 0xf0 }, | ||
370 | { 0xfe, 0x00, 0xe0, 0x1e, 0xfe, 0x00, 0xf0, 0x0e }, | ||
371 | { 0xfe, 0x00, 0xfe, 0x00, 0xfe, 0x00, 0xfe, 0x00 }, /*sw*/ | ||
372 | { 0xfe, 0x1e, 0x00, 0xe0, 0xfe, 0x0e, 0x00, 0xf0 }, | ||
373 | { 0xfe, 0x1e, 0x1e, 0xfe, 0xfe, 0x0e, 0x0e, 0xfe }, | ||
374 | { 0xfe, 0x1e, 0xe0, 0x00, 0xfe, 0x0e, 0xf0, 0x00 }, | ||
375 | { 0xfe, 0x1e, 0xfe, 0x1e, 0xfe, 0x0e, 0xfe, 0x0e }, /*sw*/ | ||
376 | { 0xfe, 0xe0, 0x00, 0x1e, 0xfe, 0xf0, 0x00, 0x0e }, | ||
377 | { 0xfe, 0xe0, 0x1e, 0x00, 0xfe, 0xf0, 0x0e, 0x00 }, | ||
378 | { 0xfe, 0xe0, 0xe0, 0xfe, 0xfe, 0xf0, 0xf0, 0xfe }, | ||
379 | { 0xfe, 0xe0, 0xfe, 0xe0, 0xfe, 0xf0, 0xfe, 0xf0 }, /*sw*/ | ||
380 | { 0xfe, 0xfe, 0x00, 0x00, 0xfe, 0xfe, 0x00, 0x00 }, | ||
381 | { 0xfe, 0xfe, 0x1e, 0x1e, 0xfe, 0xfe, 0x0e, 0x0e }, | ||
382 | { 0xfe, 0xfe, 0xe0, 0xe0, 0xfe, 0xfe, 0xf0, 0xf0 }, | ||
383 | { 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe, 0xfe } /*w*/ | ||
384 | }; | ||
385 | static unsigned char weak_keys_chksum[20] = { | ||
386 | 0xD0, 0xCF, 0x07, 0x38, 0x93, 0x70, 0x8A, 0x83, 0x7D, 0xD7, | ||
387 | 0x8A, 0x36, 0x65, 0x29, 0x6C, 0x1F, 0x7C, 0x3F, 0xD3, 0x41 | ||
388 | }; | ||
389 | |||
390 | |||
391 | |||
392 | /* | ||
393 | * Macro to swap bits across two words. | ||
394 | */ | ||
395 | #define DO_PERMUTATION(a, temp, b, offset, mask)\ | ||
396 | temp = ((a>>offset) ^ b) & mask; \ | ||
397 | b ^= temp; \ | ||
398 | a ^= temp<<offset; | ||
399 | |||
400 | |||
401 | /* | ||
402 | * This performs the 'initial permutation' of the data to be encrypted | ||
403 | * or decrypted. Additionally the resulting two words are rotated one bit | ||
404 | * to the left. | ||
405 | */ | ||
406 | #define INITIAL_PERMUTATION(left, temp, right) \ | ||
407 | DO_PERMUTATION(left, temp, right, 4, 0x0f0f0f0f)\ | ||
408 | DO_PERMUTATION(left, temp, right, 16, 0x0000ffff)\ | ||
409 | DO_PERMUTATION(right, temp, left, 2, 0x33333333)\ | ||
410 | DO_PERMUTATION(right, temp, left, 8, 0x00ff00ff)\ | ||
411 | right = (right << 1) | (right >> 31); \ | ||
412 | temp = (left ^ right) & 0xaaaaaaaa; \ | ||
413 | right ^= temp; \ | ||
414 | left ^= temp; \ | ||
415 | left = (left << 1) | (left >> 31); | ||
416 | |||
417 | /* | ||
418 | * The 'inverse initial permutation'. | ||
419 | */ | ||
420 | #define FINAL_PERMUTATION(left, temp, right) \ | ||
421 | left = (left << 31) | (left >> 1); \ | ||
422 | temp = (left ^ right) & 0xaaaaaaaa; \ | ||
423 | left ^= temp; \ | ||
424 | right ^= temp; \ | ||
425 | right = (right << 31) | (right >> 1); \ | ||
426 | DO_PERMUTATION(right, temp, left, 8, 0x00ff00ff)\ | ||
427 | DO_PERMUTATION(right, temp, left, 2, 0x33333333)\ | ||
428 | DO_PERMUTATION(left, temp, right, 16, 0x0000ffff)\ | ||
429 | DO_PERMUTATION(left, temp, right, 4, 0x0f0f0f0f) | ||
430 | |||
431 | |||
432 | /* | ||
433 | * A full DES round including 'expansion function', 'sbox substitution' | ||
434 | * and 'primitive function P' but without swapping the left and right word. | ||
435 | * Please note: The data in 'from' and 'to' is already rotated one bit to | ||
436 | * the left, done in the initial permutation. | ||
437 | */ | ||
438 | #define DES_ROUND(from, to, work, subkey) \ | ||
439 | work = from ^ *subkey++; \ | ||
440 | to ^= sbox8[ work & 0x3f ]; \ | ||
441 | to ^= sbox6[ (work>>8) & 0x3f ]; \ | ||
442 | to ^= sbox4[ (work>>16) & 0x3f ]; \ | ||
443 | to ^= sbox2[ (work>>24) & 0x3f ]; \ | ||
444 | work = ((from << 28) | (from >> 4)) ^ *subkey++;\ | ||
445 | to ^= sbox7[ work & 0x3f ]; \ | ||
446 | to ^= sbox5[ (work>>8) & 0x3f ]; \ | ||
447 | to ^= sbox3[ (work>>16) & 0x3f ]; \ | ||
448 | to ^= sbox1[ (work>>24) & 0x3f ]; | ||
449 | |||
450 | /* | ||
451 | * Macros to convert 8 bytes from/to 32bit words. | ||
452 | */ | ||
453 | #define READ_64BIT_DATA(data, left, right) \ | ||
454 | left = (data[0] << 24) | (data[1] << 16) | (data[2] << 8) | data[3]; \ | ||
455 | right = (data[4] << 24) | (data[5] << 16) | (data[6] << 8) | data[7]; | ||
456 | |||
457 | #define WRITE_64BIT_DATA(data, left, right) \ | ||
458 | data[0] = (left >> 24) &0xff; data[1] = (left >> 16) &0xff; \ | ||
459 | data[2] = (left >> 8) &0xff; data[3] = left &0xff; \ | ||
460 | data[4] = (right >> 24) &0xff; data[5] = (right >> 16) &0xff; \ | ||
461 | data[6] = (right >> 8) &0xff; data[7] = right &0xff; | ||
462 | |||
463 | /* | ||
464 | * Handy macros for encryption and decryption of data | ||
465 | */ | ||
466 | #define des_ecb_encrypt(ctx, from, to) des_ecb_crypt(ctx, from, to, 0) | ||
467 | #define des_ecb_decrypt(ctx, from, to) des_ecb_crypt(ctx, from, to, 1) | ||
468 | #define tripledes_ecb_encrypt(ctx, from, to) tripledes_ecb_crypt(ctx,from,to,0) | ||
469 | #define tripledes_ecb_decrypt(ctx, from, to) tripledes_ecb_crypt(ctx,from,to,1) | ||
470 | |||
471 | |||
472 | |||
473 | |||
474 | |||
475 | |||
476 | /* | ||
477 | * des_key_schedule(): Calculate 16 subkeys pairs (even/odd) for | ||
478 | * 16 encryption rounds. | ||
479 | * To calculate subkeys for decryption the caller | ||
480 | * have to reorder the generated subkeys. | ||
481 | * | ||
482 | * rawkey: 8 Bytes of key data | ||
483 | * subkey: Array of at least 32 u32s. Will be filled | ||
484 | * with calculated subkeys. | ||
485 | * | ||
486 | */ | ||
487 | static void | ||
488 | des_key_schedule (const byte * rawkey, u32 * subkey) | ||
489 | { | ||
490 | u32 left, right, work; | ||
491 | int round; | ||
492 | |||
493 | READ_64BIT_DATA (rawkey, left, right) | ||
494 | |||
495 | DO_PERMUTATION (right, work, left, 4, 0x0f0f0f0f) | ||
496 | DO_PERMUTATION (right, work, left, 0, 0x10101010) | ||
497 | |||
498 | left = ((leftkey_swap[(left >> 0) & 0xf] << 3) | ||
499 | | (leftkey_swap[(left >> 8) & 0xf] << 2) | ||
500 | | (leftkey_swap[(left >> 16) & 0xf] << 1) | ||
501 | | (leftkey_swap[(left >> 24) & 0xf]) | ||
502 | | (leftkey_swap[(left >> 5) & 0xf] << 7) | ||
503 | | (leftkey_swap[(left >> 13) & 0xf] << 6) | ||
504 | | (leftkey_swap[(left >> 21) & 0xf] << 5) | ||
505 | | (leftkey_swap[(left >> 29) & 0xf] << 4)); | ||
506 | |||
507 | left &= 0x0fffffff; | ||
508 | |||
509 | right = ((rightkey_swap[(right >> 1) & 0xf] << 3) | ||
510 | | (rightkey_swap[(right >> 9) & 0xf] << 2) | ||
511 | | (rightkey_swap[(right >> 17) & 0xf] << 1) | ||
512 | | (rightkey_swap[(right >> 25) & 0xf]) | ||
513 | | (rightkey_swap[(right >> 4) & 0xf] << 7) | ||
514 | | (rightkey_swap[(right >> 12) & 0xf] << 6) | ||
515 | | (rightkey_swap[(right >> 20) & 0xf] << 5) | ||
516 | | (rightkey_swap[(right >> 28) & 0xf] << 4)); | ||
517 | |||
518 | right &= 0x0fffffff; | ||
519 | |||
520 | for (round = 0; round < 16; ++round) | ||
521 | { | ||
522 | left = ((left << encrypt_rotate_tab[round]) | ||
523 | | (left >> (28 - encrypt_rotate_tab[round]))) & 0x0fffffff; | ||
524 | right = ((right << encrypt_rotate_tab[round]) | ||
525 | | (right >> (28 - encrypt_rotate_tab[round]))) & 0x0fffffff; | ||
526 | |||
527 | *subkey++ = (((left << 4) & 0x24000000) | ||
528 | | ((left << 28) & 0x10000000) | ||
529 | | ((left << 14) & 0x08000000) | ||
530 | | ((left << 18) & 0x02080000) | ||
531 | | ((left << 6) & 0x01000000) | ||
532 | | ((left << 9) & 0x00200000) | ||
533 | | ((left >> 1) & 0x00100000) | ||
534 | | ((left << 10) & 0x00040000) | ||
535 | | ((left << 2) & 0x00020000) | ||
536 | | ((left >> 10) & 0x00010000) | ||
537 | | ((right >> 13) & 0x00002000) | ||
538 | | ((right >> 4) & 0x00001000) | ||
539 | | ((right << 6) & 0x00000800) | ||
540 | | ((right >> 1) & 0x00000400) | ||
541 | | ((right >> 14) & 0x00000200) | ||
542 | | (right & 0x00000100) | ||
543 | | ((right >> 5) & 0x00000020) | ||
544 | | ((right >> 10) & 0x00000010) | ||
545 | | ((right >> 3) & 0x00000008) | ||
546 | | ((right >> 18) & 0x00000004) | ||
547 | | ((right >> 26) & 0x00000002) | ||
548 | | ((right >> 24) & 0x00000001)); | ||
549 | |||
550 | *subkey++ = (((left << 15) & 0x20000000) | ||
551 | | ((left << 17) & 0x10000000) | ||
552 | | ((left << 10) & 0x08000000) | ||
553 | | ((left << 22) & 0x04000000) | ||
554 | | ((left >> 2) & 0x02000000) | ||
555 | | ((left << 1) & 0x01000000) | ||
556 | | ((left << 16) & 0x00200000) | ||
557 | | ((left << 11) & 0x00100000) | ||
558 | | ((left << 3) & 0x00080000) | ||
559 | | ((left >> 6) & 0x00040000) | ||
560 | | ((left << 15) & 0x00020000) | ||
561 | | ((left >> 4) & 0x00010000) | ||
562 | | ((right >> 2) & 0x00002000) | ||
563 | | ((right << 8) & 0x00001000) | ||
564 | | ((right >> 14) & 0x00000808) | ||
565 | | ((right >> 9) & 0x00000400) | ||
566 | | ((right) & 0x00000200) | ||
567 | | ((right << 7) & 0x00000100) | ||
568 | | ((right >> 7) & 0x00000020) | ||
569 | | ((right >> 3) & 0x00000011) | ||
570 | | ((right << 2) & 0x00000004) | ||
571 | | ((right >> 21) & 0x00000002)); | ||
572 | } | ||
573 | } | ||
574 | |||
575 | |||
576 | /* | ||
577 | * Fill a DES context with subkeys calculated from a 64bit key. | ||
578 | * Does not check parity bits, but simply ignore them. | ||
579 | * Does not check for weak keys. | ||
580 | */ | ||
581 | static int | ||
582 | des_setkey (struct _des_ctx *ctx, const byte * key) | ||
583 | { | ||
584 | static const char *selftest_failed; | ||
585 | int i; | ||
586 | |||
587 | if (! initialized) | ||
588 | { | ||
589 | initialized = 1; | ||
590 | selftest_failed = selftest (); | ||
591 | |||
592 | if (selftest_failed) | ||
593 | log_error ("%s\n", selftest_failed); | ||
594 | } | ||
595 | if (selftest_failed) | ||
596 | return GPG_ERR_SELFTEST_FAILED; | ||
597 | |||
598 | des_key_schedule (key, ctx->encrypt_subkeys); | ||
599 | _gcry_burn_stack (32); | ||
600 | |||
601 | for(i=0; i<32; i+=2) | ||
602 | { | ||
603 | ctx->decrypt_subkeys[i]= ctx->encrypt_subkeys[30-i]; | ||
604 | ctx->decrypt_subkeys[i+1] = ctx->encrypt_subkeys[31-i]; | ||
605 | } | ||
606 | |||
607 | return 0; | ||
608 | } | ||
609 | |||
610 | |||
611 | |||
612 | /* | ||
613 | * Electronic Codebook Mode DES encryption/decryption of data according | ||
614 | * to 'mode'. | ||
615 | */ | ||
616 | static int | ||
617 | des_ecb_crypt (struct _des_ctx *ctx, const byte * from, byte * to, int mode) | ||
618 | { | ||
619 | u32 left, right, work; | ||
620 | u32 *keys; | ||
621 | |||
622 | keys = mode ? ctx->decrypt_subkeys : ctx->encrypt_subkeys; | ||
623 | |||
624 | READ_64BIT_DATA (from, left, right) | ||
625 | INITIAL_PERMUTATION (left, work, right) | ||
626 | |||
627 | DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) | ||
628 | DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) | ||
629 | DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) | ||
630 | DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) | ||
631 | DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) | ||
632 | DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) | ||
633 | DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) | ||
634 | DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) | ||
635 | |||
636 | FINAL_PERMUTATION (right, work, left) | ||
637 | WRITE_64BIT_DATA (to, right, left) | ||
638 | |||
639 | return 0; | ||
640 | } | ||
641 | |||
642 | |||
643 | |||
644 | /* | ||
645 | * Fill a Triple-DES context with subkeys calculated from two 64bit keys. | ||
646 | * Does not check the parity bits of the keys, but simply ignore them. | ||
647 | * Does not check for weak keys. | ||
648 | */ | ||
649 | static int | ||
650 | tripledes_set2keys (struct _tripledes_ctx *ctx, | ||
651 | const byte * key1, | ||
652 | const byte * key2) | ||
653 | { | ||
654 | int i; | ||
655 | |||
656 | des_key_schedule (key1, ctx->encrypt_subkeys); | ||
657 | des_key_schedule (key2, &(ctx->decrypt_subkeys[32])); | ||
658 | _gcry_burn_stack (32); | ||
659 | |||
660 | for(i=0; i<32; i+=2) | ||
661 | { | ||
662 | ctx->decrypt_subkeys[i] = ctx->encrypt_subkeys[30-i]; | ||
663 | ctx->decrypt_subkeys[i+1] = ctx->encrypt_subkeys[31-i]; | ||
664 | |||
665 | ctx->encrypt_subkeys[i+32] = ctx->decrypt_subkeys[62-i]; | ||
666 | ctx->encrypt_subkeys[i+33] = ctx->decrypt_subkeys[63-i]; | ||
667 | |||
668 | ctx->encrypt_subkeys[i+64] = ctx->encrypt_subkeys[i]; | ||
669 | ctx->encrypt_subkeys[i+65] = ctx->encrypt_subkeys[i+1]; | ||
670 | |||
671 | ctx->decrypt_subkeys[i+64] = ctx->decrypt_subkeys[i]; | ||
672 | ctx->decrypt_subkeys[i+65] = ctx->decrypt_subkeys[i+1]; | ||
673 | } | ||
674 | |||
675 | return 0; | ||
676 | } | ||
677 | |||
678 | |||
679 | |||
680 | /* | ||
681 | * Fill a Triple-DES context with subkeys calculated from three 64bit keys. | ||
682 | * Does not check the parity bits of the keys, but simply ignore them. | ||
683 | * Does not check for weak keys. | ||
684 | */ | ||
685 | static int | ||
686 | tripledes_set3keys (struct _tripledes_ctx *ctx, | ||
687 | const byte * key1, | ||
688 | const byte * key2, | ||
689 | const byte * key3) | ||
690 | { | ||
691 | static const char *selftest_failed; | ||
692 | int i; | ||
693 | |||
694 | if (! initialized) | ||
695 | { | ||
696 | initialized = 1; | ||
697 | selftest_failed = selftest (); | ||
698 | |||
699 | if (selftest_failed) | ||
700 | log_error ("%s\n", selftest_failed); | ||
701 | } | ||
702 | if (selftest_failed) | ||
703 | return GPG_ERR_SELFTEST_FAILED; | ||
704 | |||
705 | des_key_schedule (key1, ctx->encrypt_subkeys); | ||
706 | des_key_schedule (key2, &(ctx->decrypt_subkeys[32])); | ||
707 | des_key_schedule (key3, &(ctx->encrypt_subkeys[64])); | ||
708 | _gcry_burn_stack (32); | ||
709 | |||
710 | for(i=0; i<32; i+=2) | ||
711 | { | ||
712 | ctx->decrypt_subkeys[i] = ctx->encrypt_subkeys[94-i]; | ||
713 | ctx->decrypt_subkeys[i+1] = ctx->encrypt_subkeys[95-i]; | ||
714 | |||
715 | ctx->encrypt_subkeys[i+32] = ctx->decrypt_subkeys[62-i]; | ||
716 | ctx->encrypt_subkeys[i+33] = ctx->decrypt_subkeys[63-i]; | ||
717 | |||
718 | ctx->decrypt_subkeys[i+64] = ctx->encrypt_subkeys[30-i]; | ||
719 | ctx->decrypt_subkeys[i+65] = ctx->encrypt_subkeys[31-i]; | ||
720 | } | ||
721 | |||
722 | return 0; | ||
723 | } | ||
724 | |||
725 | |||
726 | |||
727 | /* | ||
728 | * Electronic Codebook Mode Triple-DES encryption/decryption of data | ||
729 | * according to 'mode'. Sometimes this mode is named 'EDE' mode | ||
730 | * (Encryption-Decryption-Encryption). | ||
731 | */ | ||
732 | static int | ||
733 | tripledes_ecb_crypt (struct _tripledes_ctx *ctx, const byte * from, | ||
734 | byte * to, int mode) | ||
735 | { | ||
736 | u32 left, right, work; | ||
737 | u32 *keys; | ||
738 | |||
739 | keys = mode ? ctx->decrypt_subkeys : ctx->encrypt_subkeys; | ||
740 | |||
741 | READ_64BIT_DATA (from, left, right) | ||
742 | INITIAL_PERMUTATION (left, work, right) | ||
743 | |||
744 | DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) | ||
745 | DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) | ||
746 | DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) | ||
747 | DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) | ||
748 | DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) | ||
749 | DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) | ||
750 | DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) | ||
751 | DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) | ||
752 | |||
753 | DES_ROUND (left, right, work, keys) DES_ROUND (right, left, work, keys) | ||
754 | DES_ROUND (left, right, work, keys) DES_ROUND (right, left, work, keys) | ||
755 | DES_ROUND (left, right, work, keys) DES_ROUND (right, left, work, keys) | ||
756 | DES_ROUND (left, right, work, keys) DES_ROUND (right, left, work, keys) | ||
757 | DES_ROUND (left, right, work, keys) DES_ROUND (right, left, work, keys) | ||
758 | DES_ROUND (left, right, work, keys) DES_ROUND (right, left, work, keys) | ||
759 | DES_ROUND (left, right, work, keys) DES_ROUND (right, left, work, keys) | ||
760 | DES_ROUND (left, right, work, keys) DES_ROUND (right, left, work, keys) | ||
761 | |||
762 | DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) | ||
763 | DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) | ||
764 | DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) | ||
765 | DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) | ||
766 | DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) | ||
767 | DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) | ||
768 | DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) | ||
769 | DES_ROUND (right, left, work, keys) DES_ROUND (left, right, work, keys) | ||
770 | |||
771 | FINAL_PERMUTATION (right, work, left) | ||
772 | WRITE_64BIT_DATA (to, right, left) | ||
773 | |||
774 | return 0; | ||
775 | } | ||
776 | |||
777 | |||
778 | |||
779 | |||
780 | |||
781 | /* | ||
782 | * Check whether the 8 byte key is weak. | ||
783 | * Does not check the parity bits of the key but simple ignore them. | ||
784 | */ | ||
785 | static int | ||
786 | is_weak_key ( const byte *key ) | ||
787 | { | ||
788 | byte work[8]; | ||
789 | int i, left, right, middle, cmp_result; | ||
790 | |||
791 | /* clear parity bits */ | ||
792 | for(i=0; i<8; ++i) | ||
793 | work[i] = key[i] & 0xfe; | ||
794 | |||
795 | /* binary search in the weak key table */ | ||
796 | left = 0; | ||
797 | right = 63; | ||
798 | while(left <= right) | ||
799 | { | ||
800 | middle = (left + right) / 2; | ||
801 | |||
802 | if ( !(cmp_result=working_memcmp(work, weak_keys[middle], 8)) ) | ||
803 | return -1; | ||
804 | |||
805 | if ( cmp_result > 0 ) | ||
806 | left = middle + 1; | ||
807 | else | ||
808 | right = middle - 1; | ||
809 | } | ||
810 | |||
811 | return 0; | ||
812 | } | ||
813 | |||
814 | |||
815 | |||
816 | /* | ||
817 | * Performs a selftest of this DES/Triple-DES implementation. | ||
818 | * Returns an string with the error text on failure. | ||
819 | * Returns NULL if all is ok. | ||
820 | */ | ||
821 | static const char * | ||
822 | selftest (void) | ||
823 | { | ||
824 | /* | ||
825 | * Check if 'u32' is really 32 bits wide. This DES / 3DES implementation | ||
826 | * need this. | ||
827 | */ | ||
828 | if (sizeof (u32) != 4) | ||
829 | return "Wrong word size for DES configured."; | ||
830 | |||
831 | /* | ||
832 | * DES Maintenance Test | ||
833 | */ | ||
834 | { | ||
835 | int i; | ||
836 | byte key[8] = | ||
837 | {0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55}; | ||
838 | byte input[8] = | ||
839 | {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}; | ||
840 | byte result[8] = | ||
841 | {0x24, 0x6e, 0x9d, 0xb9, 0xc5, 0x50, 0x38, 0x1a}; | ||
842 | byte temp1[8], temp2[8], temp3[8]; | ||
843 | des_ctx des; | ||
844 | |||
845 | for (i = 0; i < 64; ++i) | ||
846 | { | ||
847 | des_setkey (des, key); | ||
848 | des_ecb_encrypt (des, input, temp1); | ||
849 | des_ecb_encrypt (des, temp1, temp2); | ||
850 | des_setkey (des, temp2); | ||
851 | des_ecb_decrypt (des, temp1, temp3); | ||
852 | memcpy (key, temp3, 8); | ||
853 | memcpy (input, temp1, 8); | ||
854 | } | ||
855 | if (memcmp (temp3, result, 8)) | ||
856 | return "DES maintenance test failed."; | ||
857 | } | ||
858 | |||
859 | |||
860 | /* | ||
861 | * Self made Triple-DES test(Does somebody know an official test?) | ||
862 | */ | ||
863 | { | ||
864 | int i; | ||
865 | byte input[8] = | ||
866 | {0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10}; | ||
867 | byte key1[8] = | ||
868 | {0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0}; | ||
869 | byte key2[8] = | ||
870 | {0x11, 0x22, 0x33, 0x44, 0xff, 0xaa, 0xcc, 0xdd}; | ||
871 | byte result[8] = | ||
872 | {0x7b, 0x38, 0x3b, 0x23, 0xa2, 0x7d, 0x26, 0xd3}; | ||
873 | |||
874 | tripledes_ctx des3; | ||
875 | |||
876 | for (i = 0; i < 16; ++i) | ||
877 | { | ||
878 | tripledes_set2keys (des3, key1, key2); | ||
879 | tripledes_ecb_encrypt (des3, input, key1); | ||
880 | tripledes_ecb_decrypt (des3, input, key2); | ||
881 | tripledes_set3keys (des3, key1, input, key2); | ||
882 | tripledes_ecb_encrypt (des3, input, input); | ||
883 | } | ||
884 | if (memcmp (input, result, 8)) | ||
885 | return "Triple-DES test failed."; | ||
886 | } | ||
887 | |||
888 | /* | ||
889 | * More Triple-DES test. These are testvectors as used by SSLeay, | ||
890 | * thanks to Jeroen C. van Gelderen. | ||
891 | */ | ||
892 | { | ||
893 | struct { byte key[24]; byte plain[8]; byte cipher[8]; } testdata[] = { | ||
894 | { { 0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01, | ||
895 | 0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01, | ||
896 | 0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01 }, | ||
897 | { 0x95,0xF8,0xA5,0xE5,0xDD,0x31,0xD9,0x00 }, | ||
898 | { 0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00 } | ||
899 | }, | ||
900 | |||
901 | { { 0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01, | ||
902 | 0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01, | ||
903 | 0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01 }, | ||
904 | { 0x9D,0x64,0x55,0x5A,0x9A,0x10,0xB8,0x52, }, | ||
905 | { 0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x00 } | ||
906 | }, | ||
907 | { { 0x38,0x49,0x67,0x4C,0x26,0x02,0x31,0x9E, | ||
908 | 0x38,0x49,0x67,0x4C,0x26,0x02,0x31,0x9E, | ||
909 | 0x38,0x49,0x67,0x4C,0x26,0x02,0x31,0x9E }, | ||
910 | { 0x51,0x45,0x4B,0x58,0x2D,0xDF,0x44,0x0A }, | ||
911 | { 0x71,0x78,0x87,0x6E,0x01,0xF1,0x9B,0x2A } | ||
912 | }, | ||
913 | { { 0x04,0xB9,0x15,0xBA,0x43,0xFE,0xB5,0xB6, | ||
914 | 0x04,0xB9,0x15,0xBA,0x43,0xFE,0xB5,0xB6, | ||
915 | 0x04,0xB9,0x15,0xBA,0x43,0xFE,0xB5,0xB6 }, | ||
916 | { 0x42,0xFD,0x44,0x30,0x59,0x57,0x7F,0xA2 }, | ||
917 | { 0xAF,0x37,0xFB,0x42,0x1F,0x8C,0x40,0x95 } | ||
918 | }, | ||
919 | { { 0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF, | ||
920 | 0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF, | ||
921 | 0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF }, | ||
922 | { 0x73,0x6F,0x6D,0x65,0x64,0x61,0x74,0x61 }, | ||
923 | { 0x3D,0x12,0x4F,0xE2,0x19,0x8B,0xA3,0x18 } | ||
924 | }, | ||
925 | { { 0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF, | ||
926 | 0x55,0x55,0x55,0x55,0x55,0x55,0x55,0x55, | ||
927 | 0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF }, | ||
928 | { 0x73,0x6F,0x6D,0x65,0x64,0x61,0x74,0x61 }, | ||
929 | { 0xFB,0xAB,0xA1,0xFF,0x9D,0x05,0xE9,0xB1 } | ||
930 | }, | ||
931 | { { 0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF, | ||
932 | 0x55,0x55,0x55,0x55,0x55,0x55,0x55,0x55, | ||
933 | 0xFE,0xDC,0xBA,0x98,0x76,0x54,0x32,0x10 }, | ||
934 | { 0x73,0x6F,0x6D,0x65,0x64,0x61,0x74,0x61 }, | ||
935 | { 0x18,0xd7,0x48,0xe5,0x63,0x62,0x05,0x72 } | ||
936 | }, | ||
937 | { { 0x03,0x52,0x02,0x07,0x67,0x20,0x82,0x17, | ||
938 | 0x86,0x02,0x87,0x66,0x59,0x08,0x21,0x98, | ||
939 | 0x64,0x05,0x6A,0xBD,0xFE,0xA9,0x34,0x57 }, | ||
940 | { 0x73,0x71,0x75,0x69,0x67,0x67,0x6C,0x65 }, | ||
941 | { 0xc0,0x7d,0x2a,0x0f,0xa5,0x66,0xfa,0x30 } | ||
942 | }, | ||
943 | { { 0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01, | ||
944 | 0x80,0x01,0x01,0x01,0x01,0x01,0x01,0x01, | ||
945 | 0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x02 }, | ||
946 | { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 }, | ||
947 | { 0xe6,0xe6,0xdd,0x5b,0x7e,0x72,0x29,0x74 } | ||
948 | }, | ||
949 | { { 0x10,0x46,0x10,0x34,0x89,0x98,0x80,0x20, | ||
950 | 0x91,0x07,0xD0,0x15,0x89,0x19,0x01,0x01, | ||
951 | 0x19,0x07,0x92,0x10,0x98,0x1A,0x01,0x01 }, | ||
952 | { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 }, | ||
953 | { 0xe1,0xef,0x62,0xc3,0x32,0xfe,0x82,0x5b } | ||
954 | } | ||
955 | }; | ||
956 | |||
957 | byte result[8]; | ||
958 | int i; | ||
959 | static charerror[80]; | ||
960 | tripledes_ctxdes3; | ||
961 | |||
962 | for (i=0; i<sizeof(testdata)/sizeof(*testdata); ++i) | ||
963 | { | ||
964 | tripledes_set3keys (des3, testdata[i].key, | ||
965 | testdata[i].key + 8, testdata[i].key + 16); | ||
966 | |||
967 | tripledes_ecb_encrypt (des3, testdata[i].plain, result); | ||
968 | if (memcmp (testdata[i].cipher, result, 8)) | ||
969 | { | ||
970 | sprintf (error, "Triple-DES SSLeay test pattern no. %d " | ||
971 | "failed on encryption.", i+1); | ||
972 | return error; | ||
973 | } | ||
974 | |||
975 | tripledes_ecb_decrypt (des3, testdata[i].cipher, result); | ||
976 | if (memcmp (testdata[i].plain, result, 8)) | ||
977 | { | ||
978 | sprintf (error, "Triple-DES SSLeay test pattern no. %d " | ||
979 | "failed on decryption.", i+1); | ||
980 | return error; | ||
981 | } | ||
982 | } | ||
983 | } | ||
984 | |||
985 | /* | ||
986 | * Check the weak key detection. We simply assume that the table | ||
987 | * with weak keys is ok and check every key in the table if it is | ||
988 | * detected... (This test is a little bit stupid). | ||
989 | */ | ||
990 | { | ||
991 | int i; | ||
992 | unsigned char *p; | ||
993 | gcry_md_hd_t h; | ||
994 | |||
995 | if (gcry_md_open (&h, GCRY_MD_SHA1, 0)) | ||
996 | return "SHA1 not available"; | ||
997 | |||
998 | for (i = 0; i < 64; ++i) | ||
999 | gcry_md_write (h, weak_keys[i], 8); | ||
1000 | p = gcry_md_read (h, GCRY_MD_SHA1); | ||
1001 | i = memcmp (p, weak_keys_chksum, 20); | ||
1002 | gcry_md_close (h); | ||
1003 | if (i) | ||
1004 | return "weak key table defect"; | ||
1005 | |||
1006 | for (i = 0; i < 64; ++i) | ||
1007 | if (!is_weak_key(weak_keys[i])) | ||
1008 | return "DES weak key detection failed"; | ||
1009 | } | ||
1010 | |||
1011 | return 0; | ||
1012 | } | ||
1013 | |||
1014 | |||
1015 | static gcry_err_code_t | ||
1016 | do_tripledes_setkey ( void *context, const byte *key, unsigned keylen ) | ||
1017 | { | ||
1018 | struct _tripledes_ctx *ctx = (struct _tripledes_ctx *) context; | ||
1019 | |||
1020 | if( keylen != 24 ) | ||
1021 | return GPG_ERR_INV_KEYLEN; | ||
1022 | |||
1023 | tripledes_set3keys ( ctx, key, key+8, key+16); | ||
1024 | |||
1025 | if( is_weak_key( key ) || is_weak_key( key+8 ) || is_weak_key( key+16 ) ) | ||
1026 | { | ||
1027 | _gcry_burn_stack (64); | ||
1028 | return GPG_ERR_WEAK_KEY; | ||
1029 | } | ||
1030 | _gcry_burn_stack (64); | ||
1031 | |||
1032 | return GPG_ERR_NO_ERROR; | ||
1033 | } | ||
1034 | |||
1035 | |||
1036 | static void | ||
1037 | do_tripledes_encrypt( void *context, byte *outbuf, const byte *inbuf ) | ||
1038 | { | ||
1039 | struct _tripledes_ctx *ctx = (struct _tripledes_ctx *) context; | ||
1040 | |||
1041 | tripledes_ecb_encrypt ( ctx, inbuf, outbuf ); | ||
1042 | _gcry_burn_stack (32); | ||
1043 | } | ||
1044 | |||
1045 | static void | ||
1046 | do_tripledes_decrypt( void *context, byte *outbuf, const byte *inbuf ) | ||
1047 | { | ||
1048 | struct _tripledes_ctx *ctx = (struct _tripledes_ctx *) context; | ||
1049 | tripledes_ecb_decrypt ( ctx, inbuf, outbuf ); | ||
1050 | _gcry_burn_stack (32); | ||
1051 | } | ||
1052 | |||
1053 | static gcry_err_code_t | ||
1054 | do_des_setkey (void *context, const byte *key, unsigned keylen) | ||
1055 | { | ||
1056 | struct _des_ctx *ctx = (struct _des_ctx *) context; | ||
1057 | |||
1058 | if (keylen != 8) | ||
1059 | return GPG_ERR_INV_KEYLEN; | ||
1060 | |||
1061 | des_setkey (ctx, key); | ||
1062 | |||
1063 | if (is_weak_key (key)) { | ||
1064 | _gcry_burn_stack (64); | ||
1065 | return GPG_ERR_WEAK_KEY; | ||
1066 | } | ||
1067 | _gcry_burn_stack (64); | ||
1068 | |||
1069 | return GPG_ERR_NO_ERROR; | ||
1070 | } | ||
1071 | |||
1072 | |||
1073 | static void | ||
1074 | do_des_encrypt( void *context, byte *outbuf, const byte *inbuf ) | ||
1075 | { | ||
1076 | struct _des_ctx *ctx = (struct _des_ctx *) context; | ||
1077 | |||
1078 | des_ecb_encrypt ( ctx, inbuf, outbuf ); | ||
1079 | _gcry_burn_stack (32); | ||
1080 | } | ||
1081 | |||
1082 | static void | ||
1083 | do_des_decrypt( void *context, byte *outbuf, const byte *inbuf ) | ||
1084 | { | ||
1085 | struct _des_ctx *ctx = (struct _des_ctx *) context; | ||
1086 | |||
1087 | des_ecb_decrypt ( ctx, inbuf, outbuf ); | ||
1088 | _gcry_burn_stack (32); | ||
1089 | } | ||
1090 | |||
1091 | gcry_cipher_spec_t _gcry_cipher_spec_des = | ||
1092 | { | ||
1093 | "DES", NULL, NULL, 8, 64, sizeof (struct _des_ctx), | ||
1094 | do_des_setkey, do_des_encrypt, do_des_decrypt | ||
1095 | }; | ||
1096 | |||
1097 | static gcry_cipher_oid_spec_t oids_tripledes[] = | ||
1098 | { | ||
1099 | { "1.2.840.113549.3.7", GCRY_CIPHER_MODE_CBC }, | ||
1100 | /* Teletrust specific OID for 3DES. */ | ||
1101 | { "1.3.36.3.1.3.2.1", GCRY_CIPHER_MODE_CBC }, | ||
1102 | /* pbeWithSHAAnd3_KeyTripleDES_CBC */ | ||
1103 | { "1.2.840.113549.1.12.1.3", GCRY_CIPHER_MODE_CBC }, | ||
1104 | { NULL } | ||
1105 | }; | ||
1106 | |||
1107 | gcry_cipher_spec_t _gcry_cipher_spec_tripledes = | ||
1108 | { | ||
1109 | "3DES", NULL, oids_tripledes, 8, 192, sizeof (struct _tripledes_ctx), | ||
1110 | do_tripledes_setkey, do_tripledes_encrypt, do_tripledes_decrypt | ||
1111 | }; | ||