/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* lib/crypto/builtin/des/f_sched.c */ /* * Copyright (C) 1990 by the Massachusetts Institute of Technology. * All rights reserved. * * Export of this software from the United States of America may * require a specific license from the United States Government. * It is the responsibility of any person or organization contemplating * export to obtain such a license before exporting. * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and * without fee is hereby granted, provided that the above copyright * notice appear in all copies and that both that copyright notice and * this permission notice appear in supporting documentation, and that * the name of M.I.T. not be used in advertising or publicity pertaining * to distribution of the software without specific, written prior * permission. Furthermore if you modify this software you must label * your software as modified software and not distribute it in such a * fashion that it might be confused with the original M.I.T. software. * M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. */ /* DES implementation donated by Dennis Ferguson */ /* * des_make_sched.c - permute a DES key, returning the resulting key schedule */ #include "k5-int.h" #include "des_int.h" /* * Permuted choice 1 tables. These are used to extract bits * from the left and right parts of the key to form Ci and Di. * The code that uses these tables knows which bits from which * part of each key are used to form Ci and Di. */ static const unsigned DES_INT32 PC1_CL[8] = { 0x00000000, 0x00000010, 0x00001000, 0x00001010, 0x00100000, 0x00100010, 0x00101000, 0x00101010 }; static const unsigned DES_INT32 PC1_DL[16] = { 0x00000000, 0x00100000, 0x00001000, 0x00101000, 0x00000010, 0x00100010, 0x00001010, 0x00101010, 0x00000001, 0x00100001, 0x00001001, 0x00101001, 0x00000011, 0x00100011, 0x00001011, 0x00101011 }; static const unsigned DES_INT32 PC1_CR[16] = { 0x00000000, 0x00000001, 0x00000100, 0x00000101, 0x00010000, 0x00010001, 0x00010100, 0x00010101, 0x01000000, 0x01000001, 0x01000100, 0x01000101, 0x01010000, 0x01010001, 0x01010100, 0x01010101 }; static const unsigned DES_INT32 PC1_DR[8] = { 0x00000000, 0x01000000, 0x00010000, 0x01010000, 0x00000100, 0x01000100, 0x00010100, 0x01010100 }; /* * At the start of some iterations of the key schedule we do * a circular left shift by one place, while for others we do a shift by * two places. This has bits set for the iterations where we do 2 bit * shifts, starting at the low order bit. */ #define TWO_BIT_SHIFTS 0x7efc /* * Permuted choice 2 tables. The first actually produces the low order * 24 bits of the subkey Ki from the 28 bit value of Ci. The second produces * the high order 24 bits from Di. The tables are indexed by six bit * segments of Ci and Di respectively. The code is handcrafted to compute * the appropriate 6 bit chunks. * * Note that for ease of computation, the 24 bit values are produced with * six bits going into each byte. Note also that the table has been byte * rearranged to produce keys which match the order we will apply them * in in the des code. */ static const unsigned DES_INT32 PC2_C[4][64] = { { 0x00000000, 0x00000004, 0x00010000, 0x00010004, 0x00000400, 0x00000404, 0x00010400, 0x00010404, 0x00000020, 0x00000024, 0x00010020, 0x00010024, 0x00000420, 0x00000424, 0x00010420, 0x00010424, 0x01000000, 0x01000004, 0x01010000, 0x01010004, 0x01000400, 0x01000404, 0x01010400, 0x01010404, 0x01000020, 0x01000024, 0x01010020, 0x01010024, 0x01000420, 0x01000424, 0x01010420, 0x01010424, 0x00020000, 0x00020004, 0x00030000, 0x00030004, 0x00020400, 0x00020404, 0x00030400, 0x00030404, 0x00020020, 0x00020024, 0x00030020, 0x00030024, 0x00020420, 0x00020424, 0x00030420, 0x00030424, 0x01020000, 0x01020004, 0x01030000, 0x01030004, 0x01020400, 0x01020404, 0x01030400, 0x01030404, 0x01020020, 0x01020024, 0x01030020, 0x01030024, 0x01020420, 0x01020424, 0x01030420, 0x01030424, }, { 0x00000000, 0x02000000, 0x00000800, 0x02000800, 0x00080000, 0x02080000, 0x00080800, 0x02080800, 0x00000001, 0x02000001, 0x00000801, 0x02000801, 0x00080001, 0x02080001, 0x00080801, 0x02080801, 0x00000100, 0x02000100, 0x00000900, 0x02000900, 0x00080100, 0x02080100, 0x00080900, 0x02080900, 0x00000101, 0x02000101, 0x00000901, 0x02000901, 0x00080101, 0x02080101, 0x00080901, 0x02080901, 0x10000000, 0x12000000, 0x10000800, 0x12000800, 0x10080000, 0x12080000, 0x10080800, 0x12080800, 0x10000001, 0x12000001, 0x10000801, 0x12000801, 0x10080001, 0x12080001, 0x10080801, 0x12080801, 0x10000100, 0x12000100, 0x10000900, 0x12000900, 0x10080100, 0x12080100, 0x10080900, 0x12080900, 0x10000101, 0x12000101, 0x10000901, 0x12000901, 0x10080101, 0x12080101, 0x10080901, 0x12080901, }, { 0x00000000, 0x00040000, 0x00002000, 0x00042000, 0x00100000, 0x00140000, 0x00102000, 0x00142000, 0x20000000, 0x20040000, 0x20002000, 0x20042000, 0x20100000, 0x20140000, 0x20102000, 0x20142000, 0x00000008, 0x00040008, 0x00002008, 0x00042008, 0x00100008, 0x00140008, 0x00102008, 0x00142008, 0x20000008, 0x20040008, 0x20002008, 0x20042008, 0x20100008, 0x20140008, 0x20102008, 0x20142008, 0x00200000, 0x00240000, 0x00202000, 0x00242000, 0x00300000, 0x00340000, 0x00302000, 0x00342000, 0x20200000, 0x20240000, 0x20202000, 0x20242000, 0x20300000, 0x20340000, 0x20302000, 0x20342000, 0x00200008, 0x00240008, 0x00202008, 0x00242008, 0x00300008, 0x00340008, 0x00302008, 0x00342008, 0x20200008, 0x20240008, 0x20202008, 0x20242008, 0x20300008, 0x20340008, 0x20302008, 0x20342008, }, { 0x00000000, 0x00000010, 0x08000000, 0x08000010, 0x00000200, 0x00000210, 0x08000200, 0x08000210, 0x00000002, 0x00000012, 0x08000002, 0x08000012, 0x00000202, 0x00000212, 0x08000202, 0x08000212, 0x04000000, 0x04000010, 0x0c000000, 0x0c000010, 0x04000200, 0x04000210, 0x0c000200, 0x0c000210, 0x04000002, 0x04000012, 0x0c000002, 0x0c000012, 0x04000202, 0x04000212, 0x0c000202, 0x0c000212, 0x00001000, 0x00001010, 0x08001000, 0x08001010, 0x00001200, 0x00001210, 0x08001200, 0x08001210, 0x00001002, 0x00001012, 0x08001002, 0x08001012, 0x00001202, 0x00001212, 0x08001202, 0x08001212, 0x04001000, 0x04001010, 0x0c001000, 0x0c001010, 0x04001200, 0x04001210, 0x0c001200, 0x0c001210, 0x04001002, 0x04001012, 0x0c001002, 0x0c001012, 0x04001202, 0x04001212, 0x0c001202, 0x0c001212 }, }; static const unsigned DES_INT32 PC2_D[4][64] = { { 0x00000000, 0x02000000, 0x00020000, 0x02020000, 0x00000100, 0x02000100, 0x00020100, 0x02020100, 0x00000008, 0x02000008, 0x00020008, 0x02020008, 0x00000108, 0x02000108, 0x00020108, 0x02020108, 0x00200000, 0x02200000, 0x00220000, 0x02220000, 0x00200100, 0x02200100, 0x00220100, 0x02220100, 0x00200008, 0x02200008, 0x00220008, 0x02220008, 0x00200108, 0x02200108, 0x00220108, 0x02220108, 0x00000200, 0x02000200, 0x00020200, 0x02020200, 0x00000300, 0x02000300, 0x00020300, 0x02020300, 0x00000208, 0x02000208, 0x00020208, 0x02020208, 0x00000308, 0x02000308, 0x00020308, 0x02020308, 0x00200200, 0x02200200, 0x00220200, 0x02220200, 0x00200300, 0x02200300, 0x00220300, 0x02220300, 0x00200208, 0x02200208, 0x00220208, 0x02220208, 0x00200308, 0x02200308, 0x00220308, 0x02220308, }, { 0x00000000, 0x00001000, 0x00000020, 0x00001020, 0x00100000, 0x00101000, 0x00100020, 0x00101020, 0x08000000, 0x08001000, 0x08000020, 0x08001020, 0x08100000, 0x08101000, 0x08100020, 0x08101020, 0x00000004, 0x00001004, 0x00000024, 0x00001024, 0x00100004, 0x00101004, 0x00100024, 0x00101024, 0x08000004, 0x08001004, 0x08000024, 0x08001024, 0x08100004, 0x08101004, 0x08100024, 0x08101024, 0x00000400, 0x00001400, 0x00000420, 0x00001420, 0x00100400, 0x00101400, 0x00100420, 0x00101420, 0x08000400, 0x08001400, 0x08000420, 0x08001420, 0x08100400, 0x08101400, 0x08100420, 0x08101420, 0x00000404, 0x00001404, 0x00000424, 0x00001424, 0x00100404, 0x00101404, 0x00100424, 0x00101424, 0x08000404, 0x08001404, 0x08000424, 0x08001424, 0x08100404, 0x08101404, 0x08100424, 0x08101424, }, { 0x00000000, 0x10000000, 0x00010000, 0x10010000, 0x00000002, 0x10000002, 0x00010002, 0x10010002, 0x00002000, 0x10002000, 0x00012000, 0x10012000, 0x00002002, 0x10002002, 0x00012002, 0x10012002, 0x00040000, 0x10040000, 0x00050000, 0x10050000, 0x00040002, 0x10040002, 0x00050002, 0x10050002, 0x00042000, 0x10042000, 0x00052000, 0x10052000, 0x00042002, 0x10042002, 0x00052002, 0x10052002, 0x20000000, 0x30000000, 0x20010000, 0x30010000, 0x20000002, 0x30000002, 0x20010002, 0x30010002, 0x20002000, 0x30002000, 0x20012000, 0x30012000, 0x20002002, 0x30002002, 0x20012002, 0x30012002, 0x20040000, 0x30040000, 0x20050000, 0x30050000, 0x20040002, 0x30040002, 0x20050002, 0x30050002, 0x20042000, 0x30042000, 0x20052000, 0x30052000, 0x20042002, 0x30042002, 0x20052002, 0x30052002, }, { 0x00000000, 0x04000000, 0x00000001, 0x04000001, 0x01000000, 0x05000000, 0x01000001, 0x05000001, 0x00000010, 0x04000010, 0x00000011, 0x04000011, 0x01000010, 0x05000010, 0x01000011, 0x05000011, 0x00080000, 0x04080000, 0x00080001, 0x04080001, 0x01080000, 0x05080000, 0x01080001, 0x05080001, 0x00080010, 0x04080010, 0x00080011, 0x04080011, 0x01080010, 0x05080010, 0x01080011, 0x05080011, 0x00000800, 0x04000800, 0x00000801, 0x04000801, 0x01000800, 0x05000800, 0x01000801, 0x05000801, 0x00000810, 0x04000810, 0x00000811, 0x04000811, 0x01000810, 0x05000810, 0x01000811, 0x05000811, 0x00080800, 0x04080800, 0x00080801, 0x04080801, 0x01080800, 0x05080800, 0x01080801, 0x05080801, 0x00080810, 0x04080810, 0x00080811, 0x04080811, 0x01080810, 0x05080810, 0x01080811, 0x05080811 }, }; /* * Permute the key to give us our key schedule. */ int mit_des_make_key_sched(mit_des_cblock key, mit_des_key_schedule schedule) { unsigned DES_INT32 c, d; { /* * Need a pointer for the keys and a temporary DES_INT32 */ const unsigned char *k; unsigned DES_INT32 tmp; /* * Fetch the key into something we can work with */ k = key; /* * The first permutted choice gives us the 28 bits for C0 and * 28 for D0. C0 gets 12 bits from the left key and 16 from * the right, while D0 gets 16 from the left and 12 from the * right. The code knows which bits go where. */ tmp = load_32_be(k), k += 4; c = PC1_CL[(tmp >> 29) & 0x7] | (PC1_CL[(tmp >> 21) & 0x7] << 1) | (PC1_CL[(tmp >> 13) & 0x7] << 2) | (PC1_CL[(tmp >> 5) & 0x7] << 3); d = PC1_DL[(tmp >> 25) & 0xf] | (PC1_DL[(tmp >> 17) & 0xf] << 1) | (PC1_DL[(tmp >> 9) & 0xf] << 2) | (PC1_DL[(tmp >> 1) & 0xf] << 3); tmp = load_32_be(k), k += 4; c |= PC1_CR[(tmp >> 28) & 0xf] | (PC1_CR[(tmp >> 20) & 0xf] << 1) | (PC1_CR[(tmp >> 12) & 0xf] << 2) | (PC1_CR[(tmp >> 4) & 0xf] << 3); d |= PC1_DR[(tmp >> 25) & 0x7] | (PC1_DR[(tmp >> 17) & 0x7] << 1) | (PC1_DR[(tmp >> 9) & 0x7] << 2) | (PC1_DR[(tmp >> 1) & 0x7] << 3); } { /* * Need several temporaries in here */ unsigned DES_INT32 ltmp, rtmp; unsigned DES_INT32 *k; int two_bit_shifts; int i; /* * Now iterate to compute the key schedule. Note that we * record the entire set of subkeys in 6 bit chunks since * they are used that way. At 6 bits/char, we need * 48/6 char's/subkey * 16 subkeys/encryption == 128 bytes. * The schedule must be this big. */ k = (unsigned DES_INT32 *)schedule; two_bit_shifts = TWO_BIT_SHIFTS; for (i = 16; i > 0; i--) { /* * Do the rotation. One bit and two bit rotations * are done separately. Note C and D are 28 bits. */ if (two_bit_shifts & 0x1) { c = ((c << 2) & 0xffffffc) | (c >> 26); d = ((d << 2) & 0xffffffc) | (d >> 26); } else { c = ((c << 1) & 0xffffffe) | (c >> 27); d = ((d << 1) & 0xffffffe) | (d >> 27); } two_bit_shifts >>= 1; /* * Apply permutted choice 2 to C to get the first * 24 bits worth of keys. Note that bits 9, 18, 22 * and 25 (using DES numbering) in C are unused. The * shift-mask stuff is done to delete these bits from * the indices, since this cuts the table size in half. * * The table is torqued, by the way. If the standard * byte order for this (high to low order) is 1234, * the table actually gives us 4132. */ ltmp = PC2_C[0][((c >> 22) & 0x3f)] | PC2_C[1][((c >> 15) & 0xf) | ((c >> 16) & 0x30)] | PC2_C[2][((c >> 4) & 0x3) | ((c >> 9) & 0x3c)] | PC2_C[3][((c ) & 0x7) | ((c >> 4) & 0x38)]; /* * Apply permutted choice 2 to D to get the other half. * Here, bits 7, 10, 15 and 26 go unused. The sqeezing * actually turns out to be cheaper here. * * This table is similarly torqued. If the standard * byte order is 5678, the table has the bytes permuted * to give us 7685. */ rtmp = PC2_D[0][((d >> 22) & 0x3f)] | PC2_D[1][((d >> 14) & 0xf) | ((d >> 15) & 0x30)] | PC2_D[2][((d >> 7) & 0x3f)] | PC2_D[3][((d ) & 0x3) | ((d >> 1) & 0x3c)]; /* * Make up two words of the key schedule, with a * byte order which is convenient for the DES * inner loop. The high order (first) word will * hold bytes 7135 (high to low order) while the * second holds bytes 4682. */ *k++ = (ltmp & 0x00ffff00) | (rtmp & 0xff0000ff); *k++ = (ltmp & 0xff0000ff) | (rtmp & 0x00ffff00); } } return (0); }