5 Copyright (C) 2001, 2010 Niels Möller
6 Copyright (C) 1992 Dana L. How
8 This file is part of GNU Nettle.
10 GNU Nettle is free software: you can redistribute it and/or
11 modify it under the terms of either:
13 * the GNU Lesser General Public License as published by the Free
14 Software Foundation; either version 3 of the License, or (at your
15 option) any later version.
19 * the GNU General Public License as published by the Free
20 Software Foundation; either version 2 of the License, or (at your
21 option) any later version.
23 or both in parallel, as here.
25 GNU Nettle is distributed in the hope that it will be useful,
26 but WITHOUT ANY WARRANTY; without even the implied warranty of
27 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
28 General Public License for more details.
30 You should have received copies of the GNU General Public License and
31 the GNU Lesser General Public License along with this program. If
32 not, see http://www.gnu.org/licenses/.
35 /* des - fast & portable DES encryption & decryption.
36 * Copyright (C) 1992 Dana L. How
37 * Please see the file `descore.README' for the complete copyright notice.
62 static ENCRYPT(DesSmallFipsEncrypt,TEMPSMALL, LOADFIPS,KEYMAPSMALL,SAVEFIPS)
63 static DECRYPT(DesSmallFipsDecrypt,TEMPSMALL, LOADFIPS,KEYMAPSMALL,SAVEFIPS)
65 /* If parity bits are used, keys should have odd parity. We use a
66 small table, to not waste any memory on this fairly obscure DES
71 { 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0 };
73 #define PARITY(x) (parity_16[(x)&0xf] ^ parity_16[((x)>>4) & 0xf])
76 des_check_parity(size_t length, const uint8_t *key)
79 for (i = 0; i<length; i++)
87 des_fix_parity(size_t length, uint8_t *dst,
91 for (i = 0; i<length; i++)
92 dst[i] = src[i] ^ PARITY(src[i]) ^ 1;
95 /* Weak and semiweak keys, excluding parity:
97 * 00 00 00 00 00 00 00 00
98 * 7f 7f 7f 7f 7f 7f 7f 7f
99 * 0f 0f 0f 0f 07 07 07 07
100 * 70 70 70 70 78 78 78 78
102 * 00 7f 00 7f 00 7f 00 7f
103 * 7f 00 7f 00 7f 00 7f 00
105 * 0f 70 0f 70 07 78 07 78
106 * 70 0f 70 0f 78 07 78 07
108 * 00 70 00 70 00 78 00 78
109 * 70 00 70 00 78 00 78 00
111 * 0f 7f 0f 7f 07 7f 07 7f
112 * 7f 0f 7f 0f 7f 07 7f 07
114 * 00 0f 00 0f 00 07 00 07
115 * 0f 00 0f 00 07 00 07 00
117 * 70 7f 70 7f 78 7f 78 7f
118 * 7f 70 7f 70 7f 78 7f 78
122 des_weak_p(const uint8_t *key)
124 /* Hash function generated using gperf. */
125 static const unsigned char asso_values[0x81] =
127 16, 9, 26, 26, 26, 26, 26, 26, 26, 26,
128 26, 26, 26, 26, 26, 6, 2, 26, 26, 26,
129 26, 26, 26, 26, 26, 26, 26, 26, 26, 26,
130 26, 26, 26, 26, 26, 26, 26, 26, 26, 26,
131 26, 26, 26, 26, 26, 26, 26, 26, 26, 26,
132 26, 26, 26, 26, 26, 26, 26, 26, 26, 26,
133 26, 26, 26, 26, 26, 26, 26, 26, 26, 26,
134 26, 26, 26, 26, 26, 26, 26, 26, 26, 26,
135 26, 26, 26, 26, 26, 26, 26, 26, 26, 26,
136 26, 26, 26, 26, 26, 26, 26, 26, 26, 26,
137 26, 26, 26, 26, 26, 26, 26, 26, 26, 26,
138 26, 26, 3, 1, 26, 26, 26, 26, 26, 26,
139 26, 26, 26, 26, 26, 26, 26, 0, 0
142 static const int8_t weak_key_hash[26][4] =
144 /* 0 */ {0x7f,0x7f, 0x7f,0x7f},
145 /* 1 */ {0x7f,0x70, 0x7f,0x78},
146 /* 2 */ {0x7f,0x0f, 0x7f,0x07},
147 /* 3 */ {0x70,0x7f, 0x78,0x7f},
148 /* 4 */ {0x70,0x70, 0x78,0x78},
149 /* 5 */ {0x70,0x0f, 0x78,0x07},
150 /* 6 */ {0x0f,0x7f, 0x07,0x7f},
151 /* 7 */ {0x0f,0x70, 0x07,0x78},
152 /* 8 */ {0x0f,0x0f, 0x07,0x07},
153 /* 9 */ {0x7f,0x00, 0x7f,0x00},
154 /* 10 */ {-1,-1,-1,-1},
155 /* 11 */ {-1,-1,-1,-1},
156 /* 12 */ {0x70,0x00, 0x78,0x00},
157 /* 13 */ {-1,-1,-1,-1},
158 /* 14 */ {-1,-1,-1,-1},
159 /* 15 */ {0x0f,0x00, 0x07,0x00},
160 /* 16 */ {0x00,0x7f, 0x00,0x7f},
161 /* 17 */ {0x00,0x70, 0x00,0x78},
162 /* 18 */ {0x00,0x0f, 0x00,0x07},
163 /* 19 */ {-1,-1,-1,-1},
164 /* 20 */ {-1,-1,-1,-1},
165 /* 21 */ {-1,-1,-1,-1},
166 /* 22 */ {-1,-1,-1,-1},
167 /* 23 */ {-1,-1,-1,-1},
168 /* 24 */ {-1,-1,-1,-1},
169 /* 25 */ {0x00,0x00, 0x00,0x00}
172 int8_t k0 = key[0] >> 1;
173 int8_t k1 = key[1] >> 1;
175 unsigned hash = asso_values[k1 + 1] + asso_values[k0];
176 const int8_t *candidate;
181 candidate = weak_key_hash[hash];
183 if (k0 != candidate[0]
184 || k1 != candidate[1])
187 if ( (key[2] >> 1) != k0
188 || (key[3] >> 1) != k1)
193 if (k0 != candidate[2]
194 || k1 != candidate[3])
196 if ( (key[6] >> 1) != k0
197 || (key[7] >> 1) != k1)
204 des_set_key(struct des_ctx *ctx, const uint8_t *key)
206 register uint32_t n, w;
207 register char * b0, * b1;
208 char bits0[56], bits1[56];
212 /* explode the bits */
218 w = (256 | *k++) << 2;
227 /* put the bits in the correct places */
233 w = (b1[k[ 0 ]] | b0[k[ 1 ]]) << 4;
234 w |= (b1[k[ 2 ]] | b0[k[ 3 ]]) << 2;
235 w |= b1[k[ 4 ]] | b0[k[ 5 ]];
237 w |= (b1[k[ 6 ]] | b0[k[ 7 ]]) << 4;
238 w |= (b1[k[ 8 ]] | b0[k[ 9 ]]) << 2;
239 w |= b1[k[10 ]] | b0[k[11 ]];
241 w |= (b1[k[12 ]] | b0[k[13 ]]) << 4;
242 w |= (b1[k[14 ]] | b0[k[15 ]]) << 2;
243 w |= b1[k[16 ]] | b0[k[17 ]];
245 w |= (b1[k[18 ]] | b0[k[19 ]]) << 4;
246 w |= (b1[k[20 ]] | b0[k[21 ]]) << 2;
247 w |= b1[k[22 ]] | b0[k[23 ]];
251 w = (b1[k[ 0+24]] | b0[k[ 1+24]]) << 4;
252 w |= (b1[k[ 2+24]] | b0[k[ 3+24]]) << 2;
253 w |= b1[k[ 4+24]] | b0[k[ 5+24]];
255 w |= (b1[k[ 6+24]] | b0[k[ 7+24]]) << 4;
256 w |= (b1[k[ 8+24]] | b0[k[ 9+24]]) << 2;
257 w |= b1[k[10+24]] | b0[k[11+24]];
259 w |= (b1[k[12+24]] | b0[k[13+24]]) << 4;
260 w |= (b1[k[14+24]] | b0[k[15+24]]) << 2;
261 w |= b1[k[16+24]] | b0[k[17+24]];
263 w |= (b1[k[18+24]] | b0[k[19+24]]) << 4;
264 w |= (b1[k[20+24]] | b0[k[21+24]]) << 2;
265 w |= b1[k[22+24]] | b0[k[23+24]];
267 ROR(w, 4, 28); /* could be eliminated */
274 return !des_weak_p (key);
278 des_encrypt(const struct des_ctx *ctx,
279 size_t length, uint8_t *dst,
282 assert(!(length % DES_BLOCK_SIZE));
286 DesSmallFipsEncrypt(dst, ctx->key, src);
287 length -= DES_BLOCK_SIZE;
288 src += DES_BLOCK_SIZE;
289 dst += DES_BLOCK_SIZE;
294 des_decrypt(const struct des_ctx *ctx,
295 size_t length, uint8_t *dst,
298 assert(!(length % DES_BLOCK_SIZE));
302 DesSmallFipsDecrypt(dst, ctx->key, src);
303 length -= DES_BLOCK_SIZE;
304 src += DES_BLOCK_SIZE;
305 dst += DES_BLOCK_SIZE;