1 | /* |
2 | * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. |
3 | * |
4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
5 | * this file except in compliance with the License. You can obtain a copy |
6 | * in the file LICENSE in the source distribution or at |
7 | * https://www.openssl.org/source/license.html |
8 | */ |
9 | |
10 | /*- |
11 | * set_key.c v 1.4 eay 24/9/91 |
12 | * 1.4 Speed up by 400% :-) |
13 | * 1.3 added register declarations. |
14 | * 1.2 unrolled make_key_sched a bit more |
15 | * 1.1 added norm_expand_bits |
16 | * 1.0 First working version |
17 | */ |
18 | #include <openssl/crypto.h> |
19 | #include "des_local.h" |
20 | |
21 | static const unsigned char odd_parity[256] = { |
22 | 1, 1, 2, 2, 4, 4, 7, 7, 8, 8, 11, 11, 13, 13, 14, 14, |
23 | 16, 16, 19, 19, 21, 21, 22, 22, 25, 25, 26, 26, 28, 28, 31, 31, |
24 | 32, 32, 35, 35, 37, 37, 38, 38, 41, 41, 42, 42, 44, 44, 47, 47, |
25 | 49, 49, 50, 50, 52, 52, 55, 55, 56, 56, 59, 59, 61, 61, 62, 62, |
26 | 64, 64, 67, 67, 69, 69, 70, 70, 73, 73, 74, 74, 76, 76, 79, 79, |
27 | 81, 81, 82, 82, 84, 84, 87, 87, 88, 88, 91, 91, 93, 93, 94, 94, |
28 | 97, 97, 98, 98, 100, 100, 103, 103, 104, 104, 107, 107, 109, 109, 110, |
29 | 110, |
30 | 112, 112, 115, 115, 117, 117, 118, 118, 121, 121, 122, 122, 124, 124, 127, |
31 | 127, |
32 | 128, 128, 131, 131, 133, 133, 134, 134, 137, 137, 138, 138, 140, 140, 143, |
33 | 143, |
34 | 145, 145, 146, 146, 148, 148, 151, 151, 152, 152, 155, 155, 157, 157, 158, |
35 | 158, |
36 | 161, 161, 162, 162, 164, 164, 167, 167, 168, 168, 171, 171, 173, 173, 174, |
37 | 174, |
38 | 176, 176, 179, 179, 181, 181, 182, 182, 185, 185, 186, 186, 188, 188, 191, |
39 | 191, |
40 | 193, 193, 194, 194, 196, 196, 199, 199, 200, 200, 203, 203, 205, 205, 206, |
41 | 206, |
42 | 208, 208, 211, 211, 213, 213, 214, 214, 217, 217, 218, 218, 220, 220, 223, |
43 | 223, |
44 | 224, 224, 227, 227, 229, 229, 230, 230, 233, 233, 234, 234, 236, 236, 239, |
45 | 239, |
46 | 241, 241, 242, 242, 244, 244, 247, 247, 248, 248, 251, 251, 253, 253, 254, |
47 | 254 |
48 | }; |
49 | |
50 | void DES_set_odd_parity(DES_cblock *key) |
51 | { |
52 | unsigned int i; |
53 | |
54 | for (i = 0; i < DES_KEY_SZ; i++) |
55 | (*key)[i] = odd_parity[(*key)[i]]; |
56 | } |
57 | |
58 | int DES_check_key_parity(const_DES_cblock *key) |
59 | { |
60 | unsigned int i; |
61 | |
62 | for (i = 0; i < DES_KEY_SZ; i++) { |
63 | if ((*key)[i] != odd_parity[(*key)[i]]) |
64 | return 0; |
65 | } |
66 | return 1; |
67 | } |
68 | |
69 | /*- |
70 | * Weak and semi weak keys as taken from |
71 | * %A D.W. Davies |
72 | * %A W.L. Price |
73 | * %T Security for Computer Networks |
74 | * %I John Wiley & Sons |
75 | * %D 1984 |
76 | */ |
77 | #define NUM_WEAK_KEY 16 |
78 | static const DES_cblock weak_keys[NUM_WEAK_KEY] = { |
79 | /* weak keys */ |
80 | {0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01}, |
81 | {0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE}, |
82 | {0x1F, 0x1F, 0x1F, 0x1F, 0x0E, 0x0E, 0x0E, 0x0E}, |
83 | {0xE0, 0xE0, 0xE0, 0xE0, 0xF1, 0xF1, 0xF1, 0xF1}, |
84 | /* semi-weak keys */ |
85 | {0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE}, |
86 | {0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01}, |
87 | {0x1F, 0xE0, 0x1F, 0xE0, 0x0E, 0xF1, 0x0E, 0xF1}, |
88 | {0xE0, 0x1F, 0xE0, 0x1F, 0xF1, 0x0E, 0xF1, 0x0E}, |
89 | {0x01, 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1}, |
90 | {0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1, 0x01}, |
91 | {0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E, 0xFE}, |
92 | {0xFE, 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E}, |
93 | {0x01, 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E}, |
94 | {0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E, 0x01}, |
95 | {0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1, 0xFE}, |
96 | {0xFE, 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1} |
97 | }; |
98 | |
99 | int DES_is_weak_key(const_DES_cblock *key) |
100 | { |
101 | int i; |
102 | |
103 | for (i = 0; i < NUM_WEAK_KEY; i++) |
104 | if (memcmp(weak_keys[i], key, sizeof(DES_cblock)) == 0) |
105 | return 1; |
106 | return 0; |
107 | } |
108 | |
109 | /*- |
110 | * NOW DEFINED IN des_local.h |
111 | * See ecb_encrypt.c for a pseudo description of these macros. |
112 | * #define PERM_OP(a,b,t,n,m) ((t)=((((a)>>(n))^(b))&(m)),\ |
113 | * (b)^=(t),\ |
114 | * (a)=((a)^((t)<<(n)))) |
115 | */ |
116 | |
117 | #define HPERM_OP(a,t,n,m) ((t)=((((a)<<(16-(n)))^(a))&(m)),\ |
118 | (a)=(a)^(t)^(t>>(16-(n)))) |
119 | |
120 | static const DES_LONG des_skb[8][64] = { |
121 | { |
122 | /* for C bits (numbered as per FIPS 46) 1 2 3 4 5 6 */ |
123 | 0x00000000L, 0x00000010L, 0x20000000L, 0x20000010L, |
124 | 0x00010000L, 0x00010010L, 0x20010000L, 0x20010010L, |
125 | 0x00000800L, 0x00000810L, 0x20000800L, 0x20000810L, |
126 | 0x00010800L, 0x00010810L, 0x20010800L, 0x20010810L, |
127 | 0x00000020L, 0x00000030L, 0x20000020L, 0x20000030L, |
128 | 0x00010020L, 0x00010030L, 0x20010020L, 0x20010030L, |
129 | 0x00000820L, 0x00000830L, 0x20000820L, 0x20000830L, |
130 | 0x00010820L, 0x00010830L, 0x20010820L, 0x20010830L, |
131 | 0x00080000L, 0x00080010L, 0x20080000L, 0x20080010L, |
132 | 0x00090000L, 0x00090010L, 0x20090000L, 0x20090010L, |
133 | 0x00080800L, 0x00080810L, 0x20080800L, 0x20080810L, |
134 | 0x00090800L, 0x00090810L, 0x20090800L, 0x20090810L, |
135 | 0x00080020L, 0x00080030L, 0x20080020L, 0x20080030L, |
136 | 0x00090020L, 0x00090030L, 0x20090020L, 0x20090030L, |
137 | 0x00080820L, 0x00080830L, 0x20080820L, 0x20080830L, |
138 | 0x00090820L, 0x00090830L, 0x20090820L, 0x20090830L, |
139 | }, |
140 | { |
141 | /* for C bits (numbered as per FIPS 46) 7 8 10 11 12 13 */ |
142 | 0x00000000L, 0x02000000L, 0x00002000L, 0x02002000L, |
143 | 0x00200000L, 0x02200000L, 0x00202000L, 0x02202000L, |
144 | 0x00000004L, 0x02000004L, 0x00002004L, 0x02002004L, |
145 | 0x00200004L, 0x02200004L, 0x00202004L, 0x02202004L, |
146 | 0x00000400L, 0x02000400L, 0x00002400L, 0x02002400L, |
147 | 0x00200400L, 0x02200400L, 0x00202400L, 0x02202400L, |
148 | 0x00000404L, 0x02000404L, 0x00002404L, 0x02002404L, |
149 | 0x00200404L, 0x02200404L, 0x00202404L, 0x02202404L, |
150 | 0x10000000L, 0x12000000L, 0x10002000L, 0x12002000L, |
151 | 0x10200000L, 0x12200000L, 0x10202000L, 0x12202000L, |
152 | 0x10000004L, 0x12000004L, 0x10002004L, 0x12002004L, |
153 | 0x10200004L, 0x12200004L, 0x10202004L, 0x12202004L, |
154 | 0x10000400L, 0x12000400L, 0x10002400L, 0x12002400L, |
155 | 0x10200400L, 0x12200400L, 0x10202400L, 0x12202400L, |
156 | 0x10000404L, 0x12000404L, 0x10002404L, 0x12002404L, |
157 | 0x10200404L, 0x12200404L, 0x10202404L, 0x12202404L, |
158 | }, |
159 | { |
160 | /* for C bits (numbered as per FIPS 46) 14 15 16 17 19 20 */ |
161 | 0x00000000L, 0x00000001L, 0x00040000L, 0x00040001L, |
162 | 0x01000000L, 0x01000001L, 0x01040000L, 0x01040001L, |
163 | 0x00000002L, 0x00000003L, 0x00040002L, 0x00040003L, |
164 | 0x01000002L, 0x01000003L, 0x01040002L, 0x01040003L, |
165 | 0x00000200L, 0x00000201L, 0x00040200L, 0x00040201L, |
166 | 0x01000200L, 0x01000201L, 0x01040200L, 0x01040201L, |
167 | 0x00000202L, 0x00000203L, 0x00040202L, 0x00040203L, |
168 | 0x01000202L, 0x01000203L, 0x01040202L, 0x01040203L, |
169 | 0x08000000L, 0x08000001L, 0x08040000L, 0x08040001L, |
170 | 0x09000000L, 0x09000001L, 0x09040000L, 0x09040001L, |
171 | 0x08000002L, 0x08000003L, 0x08040002L, 0x08040003L, |
172 | 0x09000002L, 0x09000003L, 0x09040002L, 0x09040003L, |
173 | 0x08000200L, 0x08000201L, 0x08040200L, 0x08040201L, |
174 | 0x09000200L, 0x09000201L, 0x09040200L, 0x09040201L, |
175 | 0x08000202L, 0x08000203L, 0x08040202L, 0x08040203L, |
176 | 0x09000202L, 0x09000203L, 0x09040202L, 0x09040203L, |
177 | }, |
178 | { |
179 | /* for C bits (numbered as per FIPS 46) 21 23 24 26 27 28 */ |
180 | 0x00000000L, 0x00100000L, 0x00000100L, 0x00100100L, |
181 | 0x00000008L, 0x00100008L, 0x00000108L, 0x00100108L, |
182 | 0x00001000L, 0x00101000L, 0x00001100L, 0x00101100L, |
183 | 0x00001008L, 0x00101008L, 0x00001108L, 0x00101108L, |
184 | 0x04000000L, 0x04100000L, 0x04000100L, 0x04100100L, |
185 | 0x04000008L, 0x04100008L, 0x04000108L, 0x04100108L, |
186 | 0x04001000L, 0x04101000L, 0x04001100L, 0x04101100L, |
187 | 0x04001008L, 0x04101008L, 0x04001108L, 0x04101108L, |
188 | 0x00020000L, 0x00120000L, 0x00020100L, 0x00120100L, |
189 | 0x00020008L, 0x00120008L, 0x00020108L, 0x00120108L, |
190 | 0x00021000L, 0x00121000L, 0x00021100L, 0x00121100L, |
191 | 0x00021008L, 0x00121008L, 0x00021108L, 0x00121108L, |
192 | 0x04020000L, 0x04120000L, 0x04020100L, 0x04120100L, |
193 | 0x04020008L, 0x04120008L, 0x04020108L, 0x04120108L, |
194 | 0x04021000L, 0x04121000L, 0x04021100L, 0x04121100L, |
195 | 0x04021008L, 0x04121008L, 0x04021108L, 0x04121108L, |
196 | }, |
197 | { |
198 | /* for D bits (numbered as per FIPS 46) 1 2 3 4 5 6 */ |
199 | 0x00000000L, 0x10000000L, 0x00010000L, 0x10010000L, |
200 | 0x00000004L, 0x10000004L, 0x00010004L, 0x10010004L, |
201 | 0x20000000L, 0x30000000L, 0x20010000L, 0x30010000L, |
202 | 0x20000004L, 0x30000004L, 0x20010004L, 0x30010004L, |
203 | 0x00100000L, 0x10100000L, 0x00110000L, 0x10110000L, |
204 | 0x00100004L, 0x10100004L, 0x00110004L, 0x10110004L, |
205 | 0x20100000L, 0x30100000L, 0x20110000L, 0x30110000L, |
206 | 0x20100004L, 0x30100004L, 0x20110004L, 0x30110004L, |
207 | 0x00001000L, 0x10001000L, 0x00011000L, 0x10011000L, |
208 | 0x00001004L, 0x10001004L, 0x00011004L, 0x10011004L, |
209 | 0x20001000L, 0x30001000L, 0x20011000L, 0x30011000L, |
210 | 0x20001004L, 0x30001004L, 0x20011004L, 0x30011004L, |
211 | 0x00101000L, 0x10101000L, 0x00111000L, 0x10111000L, |
212 | 0x00101004L, 0x10101004L, 0x00111004L, 0x10111004L, |
213 | 0x20101000L, 0x30101000L, 0x20111000L, 0x30111000L, |
214 | 0x20101004L, 0x30101004L, 0x20111004L, 0x30111004L, |
215 | }, |
216 | { |
217 | /* for D bits (numbered as per FIPS 46) 8 9 11 12 13 14 */ |
218 | 0x00000000L, 0x08000000L, 0x00000008L, 0x08000008L, |
219 | 0x00000400L, 0x08000400L, 0x00000408L, 0x08000408L, |
220 | 0x00020000L, 0x08020000L, 0x00020008L, 0x08020008L, |
221 | 0x00020400L, 0x08020400L, 0x00020408L, 0x08020408L, |
222 | 0x00000001L, 0x08000001L, 0x00000009L, 0x08000009L, |
223 | 0x00000401L, 0x08000401L, 0x00000409L, 0x08000409L, |
224 | 0x00020001L, 0x08020001L, 0x00020009L, 0x08020009L, |
225 | 0x00020401L, 0x08020401L, 0x00020409L, 0x08020409L, |
226 | 0x02000000L, 0x0A000000L, 0x02000008L, 0x0A000008L, |
227 | 0x02000400L, 0x0A000400L, 0x02000408L, 0x0A000408L, |
228 | 0x02020000L, 0x0A020000L, 0x02020008L, 0x0A020008L, |
229 | 0x02020400L, 0x0A020400L, 0x02020408L, 0x0A020408L, |
230 | 0x02000001L, 0x0A000001L, 0x02000009L, 0x0A000009L, |
231 | 0x02000401L, 0x0A000401L, 0x02000409L, 0x0A000409L, |
232 | 0x02020001L, 0x0A020001L, 0x02020009L, 0x0A020009L, |
233 | 0x02020401L, 0x0A020401L, 0x02020409L, 0x0A020409L, |
234 | }, |
235 | { |
236 | /* for D bits (numbered as per FIPS 46) 16 17 18 19 20 21 */ |
237 | 0x00000000L, 0x00000100L, 0x00080000L, 0x00080100L, |
238 | 0x01000000L, 0x01000100L, 0x01080000L, 0x01080100L, |
239 | 0x00000010L, 0x00000110L, 0x00080010L, 0x00080110L, |
240 | 0x01000010L, 0x01000110L, 0x01080010L, 0x01080110L, |
241 | 0x00200000L, 0x00200100L, 0x00280000L, 0x00280100L, |
242 | 0x01200000L, 0x01200100L, 0x01280000L, 0x01280100L, |
243 | 0x00200010L, 0x00200110L, 0x00280010L, 0x00280110L, |
244 | 0x01200010L, 0x01200110L, 0x01280010L, 0x01280110L, |
245 | 0x00000200L, 0x00000300L, 0x00080200L, 0x00080300L, |
246 | 0x01000200L, 0x01000300L, 0x01080200L, 0x01080300L, |
247 | 0x00000210L, 0x00000310L, 0x00080210L, 0x00080310L, |
248 | 0x01000210L, 0x01000310L, 0x01080210L, 0x01080310L, |
249 | 0x00200200L, 0x00200300L, 0x00280200L, 0x00280300L, |
250 | 0x01200200L, 0x01200300L, 0x01280200L, 0x01280300L, |
251 | 0x00200210L, 0x00200310L, 0x00280210L, 0x00280310L, |
252 | 0x01200210L, 0x01200310L, 0x01280210L, 0x01280310L, |
253 | }, |
254 | { |
255 | /* for D bits (numbered as per FIPS 46) 22 23 24 25 27 28 */ |
256 | 0x00000000L, 0x04000000L, 0x00040000L, 0x04040000L, |
257 | 0x00000002L, 0x04000002L, 0x00040002L, 0x04040002L, |
258 | 0x00002000L, 0x04002000L, 0x00042000L, 0x04042000L, |
259 | 0x00002002L, 0x04002002L, 0x00042002L, 0x04042002L, |
260 | 0x00000020L, 0x04000020L, 0x00040020L, 0x04040020L, |
261 | 0x00000022L, 0x04000022L, 0x00040022L, 0x04040022L, |
262 | 0x00002020L, 0x04002020L, 0x00042020L, 0x04042020L, |
263 | 0x00002022L, 0x04002022L, 0x00042022L, 0x04042022L, |
264 | 0x00000800L, 0x04000800L, 0x00040800L, 0x04040800L, |
265 | 0x00000802L, 0x04000802L, 0x00040802L, 0x04040802L, |
266 | 0x00002800L, 0x04002800L, 0x00042800L, 0x04042800L, |
267 | 0x00002802L, 0x04002802L, 0x00042802L, 0x04042802L, |
268 | 0x00000820L, 0x04000820L, 0x00040820L, 0x04040820L, |
269 | 0x00000822L, 0x04000822L, 0x00040822L, 0x04040822L, |
270 | 0x00002820L, 0x04002820L, 0x00042820L, 0x04042820L, |
271 | 0x00002822L, 0x04002822L, 0x00042822L, 0x04042822L, |
272 | } |
273 | }; |
274 | |
275 | int DES_set_key(const_DES_cblock *key, DES_key_schedule *schedule) |
276 | { |
277 | return DES_set_key_checked(key, schedule); |
278 | } |
279 | |
280 | /*- |
281 | * return 0 if key parity is odd (correct), |
282 | * return -1 if key parity error, |
283 | * return -2 if illegal weak key. |
284 | */ |
285 | int DES_set_key_checked(const_DES_cblock *key, DES_key_schedule *schedule) |
286 | { |
287 | if (!DES_check_key_parity(key)) |
288 | return -1; |
289 | if (DES_is_weak_key(key)) |
290 | return -2; |
291 | DES_set_key_unchecked(key, schedule); |
292 | return 0; |
293 | } |
294 | |
295 | void DES_set_key_unchecked(const_DES_cblock *key, DES_key_schedule *schedule) |
296 | { |
297 | static const int shifts2[16] = |
298 | { 0, 0, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 0 }; |
299 | register DES_LONG c, d, t, s, t2; |
300 | register const unsigned char *in; |
301 | register DES_LONG *k; |
302 | register int i; |
303 | |
304 | #ifdef OPENBSD_DEV_CRYPTO |
305 | memcpy(schedule->key, key, sizeof(schedule->key)); |
306 | schedule->session = NULL; |
307 | #endif |
308 | k = &schedule->ks->deslong[0]; |
309 | in = &(*key)[0]; |
310 | |
311 | c2l(in, c); |
312 | c2l(in, d); |
313 | |
314 | /* |
315 | * do PC1 in 47 simple operations. Thanks to John Fletcher |
316 | * for the inspiration. |
317 | */ |
318 | PERM_OP(d, c, t, 4, 0x0f0f0f0fL); |
319 | HPERM_OP(c, t, -2, 0xcccc0000L); |
320 | HPERM_OP(d, t, -2, 0xcccc0000L); |
321 | PERM_OP(d, c, t, 1, 0x55555555L); |
322 | PERM_OP(c, d, t, 8, 0x00ff00ffL); |
323 | PERM_OP(d, c, t, 1, 0x55555555L); |
324 | d = (((d & 0x000000ffL) << 16L) | (d & 0x0000ff00L) | |
325 | ((d & 0x00ff0000L) >> 16L) | ((c & 0xf0000000L) >> 4L)); |
326 | c &= 0x0fffffffL; |
327 | |
328 | for (i = 0; i < ITERATIONS; i++) { |
329 | if (shifts2[i]) { |
330 | c = ((c >> 2L) | (c << 26L)); |
331 | d = ((d >> 2L) | (d << 26L)); |
332 | } else { |
333 | c = ((c >> 1L) | (c << 27L)); |
334 | d = ((d >> 1L) | (d << 27L)); |
335 | } |
336 | c &= 0x0fffffffL; |
337 | d &= 0x0fffffffL; |
338 | /* |
339 | * could be a few less shifts but I am to lazy at this point in time |
340 | * to investigate |
341 | */ |
342 | s = des_skb[0][(c) & 0x3f] | |
343 | des_skb[1][((c >> 6L) & 0x03) | ((c >> 7L) & 0x3c)] | |
344 | des_skb[2][((c >> 13L) & 0x0f) | ((c >> 14L) & 0x30)] | |
345 | des_skb[3][((c >> 20L) & 0x01) | ((c >> 21L) & 0x06) | |
346 | ((c >> 22L) & 0x38)]; |
347 | t = des_skb[4][(d) & 0x3f] | |
348 | des_skb[5][((d >> 7L) & 0x03) | ((d >> 8L) & 0x3c)] | |
349 | des_skb[6][(d >> 15L) & 0x3f] | |
350 | des_skb[7][((d >> 21L) & 0x0f) | ((d >> 22L) & 0x30)]; |
351 | |
352 | /* table contained 0213 4657 */ |
353 | t2 = ((t << 16L) | (s & 0x0000ffffL)) & 0xffffffffL; |
354 | *(k++) = ROTATE(t2, 30) & 0xffffffffL; |
355 | |
356 | t2 = ((s >> 16L) | (t & 0xffff0000L)); |
357 | *(k++) = ROTATE(t2, 26) & 0xffffffffL; |
358 | } |
359 | } |
360 | |
361 | int DES_key_sched(const_DES_cblock *key, DES_key_schedule *schedule) |
362 | { |
363 | return DES_set_key(key, schedule); |
364 | } |
365 | |