1/* crypto/des/set_key.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to.  The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 *    notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 *    notice, this list of conditions and the following disclaimer in the
30 *    documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 *    must display the following acknowledgement:
33 *    "This product includes cryptographic software written by
34 *     Eric Young (eay@cryptsoft.com)"
35 *    The word 'cryptographic' can be left out if the rouines from the library
36 *    being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 *    the apps directory (application code) you must include an acknowledgement:
39 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed.  i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59/* set_key.c v 1.4 eay 24/9/91
60 * 1.4 Speed up by 400% :-)
61 * 1.3 added register declarations.
62 * 1.2 unrolled make_key_sched a bit more
63 * 1.1 added norm_expand_bits
64 * 1.0 First working version
65 */
66#include <openssl/crypto.h>
67#include "des_locl.h"
68
69OPENSSL_IMPLEMENT_GLOBAL(int,DES_check_key,0)	/* defaults to false */
70
71static const unsigned char odd_parity[256]={
72  1,  1,  2,  2,  4,  4,  7,  7,  8,  8, 11, 11, 13, 13, 14, 14,
73 16, 16, 19, 19, 21, 21, 22, 22, 25, 25, 26, 26, 28, 28, 31, 31,
74 32, 32, 35, 35, 37, 37, 38, 38, 41, 41, 42, 42, 44, 44, 47, 47,
75 49, 49, 50, 50, 52, 52, 55, 55, 56, 56, 59, 59, 61, 61, 62, 62,
76 64, 64, 67, 67, 69, 69, 70, 70, 73, 73, 74, 74, 76, 76, 79, 79,
77 81, 81, 82, 82, 84, 84, 87, 87, 88, 88, 91, 91, 93, 93, 94, 94,
78 97, 97, 98, 98,100,100,103,103,104,104,107,107,109,109,110,110,
79112,112,115,115,117,117,118,118,121,121,122,122,124,124,127,127,
80128,128,131,131,133,133,134,134,137,137,138,138,140,140,143,143,
81145,145,146,146,148,148,151,151,152,152,155,155,157,157,158,158,
82161,161,162,162,164,164,167,167,168,168,171,171,173,173,174,174,
83176,176,179,179,181,181,182,182,185,185,186,186,188,188,191,191,
84193,193,194,194,196,196,199,199,200,200,203,203,205,205,206,206,
85208,208,211,211,213,213,214,214,217,217,218,218,220,220,223,223,
86224,224,227,227,229,229,230,230,233,233,234,234,236,236,239,239,
87241,241,242,242,244,244,247,247,248,248,251,251,253,253,254,254};
88
89void DES_set_odd_parity(DES_cblock *key)
90	{
91	unsigned int i;
92
93	for (i=0; i<DES_KEY_SZ; i++)
94		(*key)[i]=odd_parity[(*key)[i]];
95	}
96
97int DES_check_key_parity(const_DES_cblock *key)
98	{
99	unsigned int i;
100
101	for (i=0; i<DES_KEY_SZ; i++)
102		{
103		if ((*key)[i] != odd_parity[(*key)[i]])
104			return(0);
105		}
106	return(1);
107	}
108
109/* Weak and semi week keys as take from
110 * %A D.W. Davies
111 * %A W.L. Price
112 * %T Security for Computer Networks
113 * %I John Wiley & Sons
114 * %D 1984
115 * Many thanks to smb@ulysses.att.com (Steven Bellovin) for the reference
116 * (and actual cblock values).
117 */
118#define NUM_WEAK_KEY	16
119static const DES_cblock weak_keys[NUM_WEAK_KEY]={
120	/* weak keys */
121	{0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01},
122	{0xFE,0xFE,0xFE,0xFE,0xFE,0xFE,0xFE,0xFE},
123	{0x1F,0x1F,0x1F,0x1F,0x0E,0x0E,0x0E,0x0E},
124	{0xE0,0xE0,0xE0,0xE0,0xF1,0xF1,0xF1,0xF1},
125	/* semi-weak keys */
126	{0x01,0xFE,0x01,0xFE,0x01,0xFE,0x01,0xFE},
127	{0xFE,0x01,0xFE,0x01,0xFE,0x01,0xFE,0x01},
128	{0x1F,0xE0,0x1F,0xE0,0x0E,0xF1,0x0E,0xF1},
129	{0xE0,0x1F,0xE0,0x1F,0xF1,0x0E,0xF1,0x0E},
130	{0x01,0xE0,0x01,0xE0,0x01,0xF1,0x01,0xF1},
131	{0xE0,0x01,0xE0,0x01,0xF1,0x01,0xF1,0x01},
132	{0x1F,0xFE,0x1F,0xFE,0x0E,0xFE,0x0E,0xFE},
133	{0xFE,0x1F,0xFE,0x1F,0xFE,0x0E,0xFE,0x0E},
134	{0x01,0x1F,0x01,0x1F,0x01,0x0E,0x01,0x0E},
135	{0x1F,0x01,0x1F,0x01,0x0E,0x01,0x0E,0x01},
136	{0xE0,0xFE,0xE0,0xFE,0xF1,0xFE,0xF1,0xFE},
137	{0xFE,0xE0,0xFE,0xE0,0xFE,0xF1,0xFE,0xF1}};
138
139int DES_is_weak_key(const_DES_cblock *key)
140	{
141	int i;
142
143	for (i=0; i<NUM_WEAK_KEY; i++)
144		/* Added == 0 to comparison, I obviously don't run
145		 * this section very often :-(, thanks to
146		 * engineering@MorningStar.Com for the fix
147		 * eay 93/06/29
148		 * Another problem, I was comparing only the first 4
149		 * bytes, 97/03/18 */
150		if (memcmp(weak_keys[i],key,sizeof(DES_cblock)) == 0) return(1);
151	return(0);
152	}
153
154/* NOW DEFINED IN des_local.h
155 * See ecb_encrypt.c for a pseudo description of these macros.
156 * #define PERM_OP(a,b,t,n,m) ((t)=((((a)>>(n))^(b))&(m)),\
157 * 	(b)^=(t),\
158 * 	(a)=((a)^((t)<<(n))))
159 */
160
161#define HPERM_OP(a,t,n,m) ((t)=((((a)<<(16-(n)))^(a))&(m)),\
162	(a)=(a)^(t)^(t>>(16-(n))))
163
164static const DES_LONG des_skb[8][64]={
165	{
166	/* for C bits (numbered as per FIPS 46) 1 2 3 4 5 6 */
167	0x00000000L,0x00000010L,0x20000000L,0x20000010L,
168	0x00010000L,0x00010010L,0x20010000L,0x20010010L,
169	0x00000800L,0x00000810L,0x20000800L,0x20000810L,
170	0x00010800L,0x00010810L,0x20010800L,0x20010810L,
171	0x00000020L,0x00000030L,0x20000020L,0x20000030L,
172	0x00010020L,0x00010030L,0x20010020L,0x20010030L,
173	0x00000820L,0x00000830L,0x20000820L,0x20000830L,
174	0x00010820L,0x00010830L,0x20010820L,0x20010830L,
175	0x00080000L,0x00080010L,0x20080000L,0x20080010L,
176	0x00090000L,0x00090010L,0x20090000L,0x20090010L,
177	0x00080800L,0x00080810L,0x20080800L,0x20080810L,
178	0x00090800L,0x00090810L,0x20090800L,0x20090810L,
179	0x00080020L,0x00080030L,0x20080020L,0x20080030L,
180	0x00090020L,0x00090030L,0x20090020L,0x20090030L,
181	0x00080820L,0x00080830L,0x20080820L,0x20080830L,
182	0x00090820L,0x00090830L,0x20090820L,0x20090830L,
183	},{
184	/* for C bits (numbered as per FIPS 46) 7 8 10 11 12 13 */
185	0x00000000L,0x02000000L,0x00002000L,0x02002000L,
186	0x00200000L,0x02200000L,0x00202000L,0x02202000L,
187	0x00000004L,0x02000004L,0x00002004L,0x02002004L,
188	0x00200004L,0x02200004L,0x00202004L,0x02202004L,
189	0x00000400L,0x02000400L,0x00002400L,0x02002400L,
190	0x00200400L,0x02200400L,0x00202400L,0x02202400L,
191	0x00000404L,0x02000404L,0x00002404L,0x02002404L,
192	0x00200404L,0x02200404L,0x00202404L,0x02202404L,
193	0x10000000L,0x12000000L,0x10002000L,0x12002000L,
194	0x10200000L,0x12200000L,0x10202000L,0x12202000L,
195	0x10000004L,0x12000004L,0x10002004L,0x12002004L,
196	0x10200004L,0x12200004L,0x10202004L,0x12202004L,
197	0x10000400L,0x12000400L,0x10002400L,0x12002400L,
198	0x10200400L,0x12200400L,0x10202400L,0x12202400L,
199	0x10000404L,0x12000404L,0x10002404L,0x12002404L,
200	0x10200404L,0x12200404L,0x10202404L,0x12202404L,
201	},{
202	/* for C bits (numbered as per FIPS 46) 14 15 16 17 19 20 */
203	0x00000000L,0x00000001L,0x00040000L,0x00040001L,
204	0x01000000L,0x01000001L,0x01040000L,0x01040001L,
205	0x00000002L,0x00000003L,0x00040002L,0x00040003L,
206	0x01000002L,0x01000003L,0x01040002L,0x01040003L,
207	0x00000200L,0x00000201L,0x00040200L,0x00040201L,
208	0x01000200L,0x01000201L,0x01040200L,0x01040201L,
209	0x00000202L,0x00000203L,0x00040202L,0x00040203L,
210	0x01000202L,0x01000203L,0x01040202L,0x01040203L,
211	0x08000000L,0x08000001L,0x08040000L,0x08040001L,
212	0x09000000L,0x09000001L,0x09040000L,0x09040001L,
213	0x08000002L,0x08000003L,0x08040002L,0x08040003L,
214	0x09000002L,0x09000003L,0x09040002L,0x09040003L,
215	0x08000200L,0x08000201L,0x08040200L,0x08040201L,
216	0x09000200L,0x09000201L,0x09040200L,0x09040201L,
217	0x08000202L,0x08000203L,0x08040202L,0x08040203L,
218	0x09000202L,0x09000203L,0x09040202L,0x09040203L,
219	},{
220	/* for C bits (numbered as per FIPS 46) 21 23 24 26 27 28 */
221	0x00000000L,0x00100000L,0x00000100L,0x00100100L,
222	0x00000008L,0x00100008L,0x00000108L,0x00100108L,
223	0x00001000L,0x00101000L,0x00001100L,0x00101100L,
224	0x00001008L,0x00101008L,0x00001108L,0x00101108L,
225	0x04000000L,0x04100000L,0x04000100L,0x04100100L,
226	0x04000008L,0x04100008L,0x04000108L,0x04100108L,
227	0x04001000L,0x04101000L,0x04001100L,0x04101100L,
228	0x04001008L,0x04101008L,0x04001108L,0x04101108L,
229	0x00020000L,0x00120000L,0x00020100L,0x00120100L,
230	0x00020008L,0x00120008L,0x00020108L,0x00120108L,
231	0x00021000L,0x00121000L,0x00021100L,0x00121100L,
232	0x00021008L,0x00121008L,0x00021108L,0x00121108L,
233	0x04020000L,0x04120000L,0x04020100L,0x04120100L,
234	0x04020008L,0x04120008L,0x04020108L,0x04120108L,
235	0x04021000L,0x04121000L,0x04021100L,0x04121100L,
236	0x04021008L,0x04121008L,0x04021108L,0x04121108L,
237	},{
238	/* for D bits (numbered as per FIPS 46) 1 2 3 4 5 6 */
239	0x00000000L,0x10000000L,0x00010000L,0x10010000L,
240	0x00000004L,0x10000004L,0x00010004L,0x10010004L,
241	0x20000000L,0x30000000L,0x20010000L,0x30010000L,
242	0x20000004L,0x30000004L,0x20010004L,0x30010004L,
243	0x00100000L,0x10100000L,0x00110000L,0x10110000L,
244	0x00100004L,0x10100004L,0x00110004L,0x10110004L,
245	0x20100000L,0x30100000L,0x20110000L,0x30110000L,
246	0x20100004L,0x30100004L,0x20110004L,0x30110004L,
247	0x00001000L,0x10001000L,0x00011000L,0x10011000L,
248	0x00001004L,0x10001004L,0x00011004L,0x10011004L,
249	0x20001000L,0x30001000L,0x20011000L,0x30011000L,
250	0x20001004L,0x30001004L,0x20011004L,0x30011004L,
251	0x00101000L,0x10101000L,0x00111000L,0x10111000L,
252	0x00101004L,0x10101004L,0x00111004L,0x10111004L,
253	0x20101000L,0x30101000L,0x20111000L,0x30111000L,
254	0x20101004L,0x30101004L,0x20111004L,0x30111004L,
255	},{
256	/* for D bits (numbered as per FIPS 46) 8 9 11 12 13 14 */
257	0x00000000L,0x08000000L,0x00000008L,0x08000008L,
258	0x00000400L,0x08000400L,0x00000408L,0x08000408L,
259	0x00020000L,0x08020000L,0x00020008L,0x08020008L,
260	0x00020400L,0x08020400L,0x00020408L,0x08020408L,
261	0x00000001L,0x08000001L,0x00000009L,0x08000009L,
262	0x00000401L,0x08000401L,0x00000409L,0x08000409L,
263	0x00020001L,0x08020001L,0x00020009L,0x08020009L,
264	0x00020401L,0x08020401L,0x00020409L,0x08020409L,
265	0x02000000L,0x0A000000L,0x02000008L,0x0A000008L,
266	0x02000400L,0x0A000400L,0x02000408L,0x0A000408L,
267	0x02020000L,0x0A020000L,0x02020008L,0x0A020008L,
268	0x02020400L,0x0A020400L,0x02020408L,0x0A020408L,
269	0x02000001L,0x0A000001L,0x02000009L,0x0A000009L,
270	0x02000401L,0x0A000401L,0x02000409L,0x0A000409L,
271	0x02020001L,0x0A020001L,0x02020009L,0x0A020009L,
272	0x02020401L,0x0A020401L,0x02020409L,0x0A020409L,
273	},{
274	/* for D bits (numbered as per FIPS 46) 16 17 18 19 20 21 */
275	0x00000000L,0x00000100L,0x00080000L,0x00080100L,
276	0x01000000L,0x01000100L,0x01080000L,0x01080100L,
277	0x00000010L,0x00000110L,0x00080010L,0x00080110L,
278	0x01000010L,0x01000110L,0x01080010L,0x01080110L,
279	0x00200000L,0x00200100L,0x00280000L,0x00280100L,
280	0x01200000L,0x01200100L,0x01280000L,0x01280100L,
281	0x00200010L,0x00200110L,0x00280010L,0x00280110L,
282	0x01200010L,0x01200110L,0x01280010L,0x01280110L,
283	0x00000200L,0x00000300L,0x00080200L,0x00080300L,
284	0x01000200L,0x01000300L,0x01080200L,0x01080300L,
285	0x00000210L,0x00000310L,0x00080210L,0x00080310L,
286	0x01000210L,0x01000310L,0x01080210L,0x01080310L,
287	0x00200200L,0x00200300L,0x00280200L,0x00280300L,
288	0x01200200L,0x01200300L,0x01280200L,0x01280300L,
289	0x00200210L,0x00200310L,0x00280210L,0x00280310L,
290	0x01200210L,0x01200310L,0x01280210L,0x01280310L,
291	},{
292	/* for D bits (numbered as per FIPS 46) 22 23 24 25 27 28 */
293	0x00000000L,0x04000000L,0x00040000L,0x04040000L,
294	0x00000002L,0x04000002L,0x00040002L,0x04040002L,
295	0x00002000L,0x04002000L,0x00042000L,0x04042000L,
296	0x00002002L,0x04002002L,0x00042002L,0x04042002L,
297	0x00000020L,0x04000020L,0x00040020L,0x04040020L,
298	0x00000022L,0x04000022L,0x00040022L,0x04040022L,
299	0x00002020L,0x04002020L,0x00042020L,0x04042020L,
300	0x00002022L,0x04002022L,0x00042022L,0x04042022L,
301	0x00000800L,0x04000800L,0x00040800L,0x04040800L,
302	0x00000802L,0x04000802L,0x00040802L,0x04040802L,
303	0x00002800L,0x04002800L,0x00042800L,0x04042800L,
304	0x00002802L,0x04002802L,0x00042802L,0x04042802L,
305	0x00000820L,0x04000820L,0x00040820L,0x04040820L,
306	0x00000822L,0x04000822L,0x00040822L,0x04040822L,
307	0x00002820L,0x04002820L,0x00042820L,0x04042820L,
308	0x00002822L,0x04002822L,0x00042822L,0x04042822L,
309	}};
310
311int DES_set_key(const_DES_cblock *key, DES_key_schedule *schedule)
312	{
313	if (DES_check_key)
314		{
315		return DES_set_key_checked(key, schedule);
316		}
317	else
318		{
319		DES_set_key_unchecked(key, schedule);
320		return 0;
321		}
322	}
323
324/* return 0 if key parity is odd (correct),
325 * return -1 if key parity error,
326 * return -2 if illegal weak key.
327 */
328int DES_set_key_checked(const_DES_cblock *key, DES_key_schedule *schedule)
329	{
330	if (!DES_check_key_parity(key))
331		return(-1);
332	if (DES_is_weak_key(key))
333		return(-2);
334	DES_set_key_unchecked(key, schedule);
335	return 0;
336	}
337
338void DES_set_key_unchecked(const_DES_cblock *key, DES_key_schedule *schedule)
339#ifdef OPENSSL_FIPS
340	{
341	fips_cipher_abort(DES);
342	private_DES_set_key_unchecked(key, schedule);
343	}
344void private_DES_set_key_unchecked(const_DES_cblock *key, DES_key_schedule *schedule)
345#endif
346	{
347	static const int shifts2[16]={0,0,1,1,1,1,1,1,0,1,1,1,1,1,1,0};
348	register DES_LONG c,d,t,s,t2;
349	register const unsigned char *in;
350	register DES_LONG *k;
351	register int i;
352
353#ifdef OPENBSD_DEV_CRYPTO
354	memcpy(schedule->key,key,sizeof schedule->key);
355	schedule->session=NULL;
356#endif
357	k = &schedule->ks->deslong[0];
358	in = &(*key)[0];
359
360	c2l(in,c);
361	c2l(in,d);
362
363	/* do PC1 in 47 simple operations :-)
364	 * Thanks to John Fletcher (john_fletcher@lccmail.ocf.llnl.gov)
365	 * for the inspiration. :-) */
366	PERM_OP (d,c,t,4,0x0f0f0f0fL);
367	HPERM_OP(c,t,-2,0xcccc0000L);
368	HPERM_OP(d,t,-2,0xcccc0000L);
369	PERM_OP (d,c,t,1,0x55555555L);
370	PERM_OP (c,d,t,8,0x00ff00ffL);
371	PERM_OP (d,c,t,1,0x55555555L);
372	d=	(((d&0x000000ffL)<<16L)| (d&0x0000ff00L)     |
373		 ((d&0x00ff0000L)>>16L)|((c&0xf0000000L)>>4L));
374	c&=0x0fffffffL;
375
376	for (i=0; i<ITERATIONS; i++)
377		{
378		if (shifts2[i])
379			{ c=((c>>2L)|(c<<26L)); d=((d>>2L)|(d<<26L)); }
380		else
381			{ c=((c>>1L)|(c<<27L)); d=((d>>1L)|(d<<27L)); }
382		c&=0x0fffffffL;
383		d&=0x0fffffffL;
384		/* could be a few less shifts but I am to lazy at this
385		 * point in time to investigate */
386		s=	des_skb[0][ (c    )&0x3f                ]|
387			des_skb[1][((c>> 6L)&0x03)|((c>> 7L)&0x3c)]|
388			des_skb[2][((c>>13L)&0x0f)|((c>>14L)&0x30)]|
389			des_skb[3][((c>>20L)&0x01)|((c>>21L)&0x06) |
390						  ((c>>22L)&0x38)];
391		t=	des_skb[4][ (d    )&0x3f                ]|
392			des_skb[5][((d>> 7L)&0x03)|((d>> 8L)&0x3c)]|
393			des_skb[6][ (d>>15L)&0x3f                ]|
394			des_skb[7][((d>>21L)&0x0f)|((d>>22L)&0x30)];
395
396		/* table contained 0213 4657 */
397		t2=((t<<16L)|(s&0x0000ffffL))&0xffffffffL;
398		*(k++)=ROTATE(t2,30)&0xffffffffL;
399
400		t2=((s>>16L)|(t&0xffff0000L));
401		*(k++)=ROTATE(t2,26)&0xffffffffL;
402		}
403	}
404
405int DES_key_sched(const_DES_cblock *key, DES_key_schedule *schedule)
406	{
407	return(DES_set_key(key,schedule));
408	}
409/*
410#undef des_fixup_key_parity
411void des_fixup_key_parity(des_cblock *key)
412	{
413	des_set_odd_parity(key);
414	}
415*/
416