Coverage Report

Created: 2020-02-14 15:38

/src/botan/src/lib/block/des/des.cpp
/*
2
* DES
3
* (C) 1999-2008,2018 Jack Lloyd
4
*
5
* Based on a public domain implementation by Phil Karn (who in turn
6
* credited Richard Outerbridge and Jim Gillogly)
7
*
8
* Botan is released under the Simplified BSD License (see license.txt)
9
*/
10
11
#include <botan/des.h>
12
#include <botan/loadstor.h>
13
#include <botan/rotate.h>
14
15
namespace Botan {
16
17
namespace {
18
19
/*
20
* DES Key Schedule
21
*/
22
/*
* Expand an 8-byte DES key into 32 round-key words (two per round, 16 rounds).
*
* round_key: output, exactly 32 words are written (indices 0..31).
* key:       input, bytes 0..7 are read. Only the bits under masks 0x80..0x02
*            are selected; bit 0x01 of every byte is never read, so 56 of the
*            64 key bits influence the schedule.
*
* Coverage (report created 2020-02-14): entered 978 times, round loop body
* executed 15.6k times.
*/
void des_key_schedule(uint32_t round_key[32], const uint8_t key[8])
   {
   // Left-rotation amount applied to both 28-bit halves in each round.
   static const uint8_t ROT[16] = { 1, 1, 2, 2, 2, 2, 2, 2,
                                 1, 2, 2, 2, 2, 2, 2, 1 };

   // First 28-bit half: bits 0x80, 0x40, 0x20 of all eight bytes plus bit
   // 0x10 of key[4..7].
   uint32_t C = ((key[7] & 0x80) << 20) | ((key[6] & 0x80) << 19) |
                ((key[5] & 0x80) << 18) | ((key[4] & 0x80) << 17) |
                ((key[3] & 0x80) << 16) | ((key[2] & 0x80) << 15) |
                ((key[1] & 0x80) << 14) | ((key[0] & 0x80) << 13) |
                ((key[7] & 0x40) << 13) | ((key[6] & 0x40) << 12) |
                ((key[5] & 0x40) << 11) | ((key[4] & 0x40) << 10) |
                ((key[3] & 0x40) <<  9) | ((key[2] & 0x40) <<  8) |
                ((key[1] & 0x40) <<  7) | ((key[0] & 0x40) <<  6) |
                ((key[7] & 0x20) <<  6) | ((key[6] & 0x20) <<  5) |
                ((key[5] & 0x20) <<  4) | ((key[4] & 0x20) <<  3) |
                ((key[3] & 0x20) <<  2) | ((key[2] & 0x20) <<  1) |
                ((key[1] & 0x20)      ) | ((key[0] & 0x20) >>  1) |
                ((key[7] & 0x10) >>  1) | ((key[6] & 0x10) >>  2) |
                ((key[5] & 0x10) >>  3) | ((key[4] & 0x10) >>  4);
   // Second 28-bit half: bits 0x02, 0x04, 0x08 of all eight bytes plus bit
   // 0x10 of key[0..3].
   uint32_t D = ((key[7] & 0x02) << 26) | ((key[6] & 0x02) << 25) |
                ((key[5] & 0x02) << 24) | ((key[4] & 0x02) << 23) |
                ((key[3] & 0x02) << 22) | ((key[2] & 0x02) << 21) |
                ((key[1] & 0x02) << 20) | ((key[0] & 0x02) << 19) |
                ((key[7] & 0x04) << 17) | ((key[6] & 0x04) << 16) |
                ((key[5] & 0x04) << 15) | ((key[4] & 0x04) << 14) |
                ((key[3] & 0x04) << 13) | ((key[2] & 0x04) << 12) |
                ((key[1] & 0x04) << 11) | ((key[0] & 0x04) << 10) |
                ((key[7] & 0x08) <<  8) | ((key[6] & 0x08) <<  7) |
                ((key[5] & 0x08) <<  6) | ((key[4] & 0x08) <<  5) |
                ((key[3] & 0x08) <<  4) | ((key[2] & 0x08) <<  3) |
                ((key[1] & 0x08) <<  2) | ((key[0] & 0x08) <<  1) |
                ((key[3] & 0x10) >>  1) | ((key[2] & 0x10) >>  2) |
                ((key[1] & 0x10) >>  3) | ((key[0] & 0x10) >>  4);

   for(size_t i = 0; i != 16; ++i)
      {
      // Rotate each half left by ROT[i] within 28 bits; the mask drops the
      // bits shifted above bit 27.
      C = ((C << ROT[i]) | (C >> (28-ROT[i]))) & 0x0FFFFFFF;
      D = ((D << ROT[i]) | (D >> (28-ROT[i]))) & 0x0FFFFFFF;
      // Select and reposition bits of C and D into the two words of round i.
      // The bit layout matches what the round functions in this file feed to
      // spbox(); the exact positions are fixed by the masks and shifts below.
      round_key[2*i  ] = ((C & 0x00000010) << 22) | ((C & 0x00000800) << 17) |
                         ((C & 0x00000020) << 16) | ((C & 0x00004004) << 15) |
                         ((C & 0x00000200) << 11) | ((C & 0x00020000) << 10) |
                         ((C & 0x01000000) >>  6) | ((C & 0x00100000) >>  4) |
                         ((C & 0x00010000) <<  3) | ((C & 0x08000000) >>  2) |
                         ((C & 0x00800000) <<  1) | ((D & 0x00000010) <<  8) |
                         ((D & 0x00000002) <<  7) | ((D & 0x00000001) <<  2) |
                         ((D & 0x00000200)      ) | ((D & 0x00008000) >>  2) |
                         ((D & 0x00000088) >>  3) | ((D & 0x00001000) >>  7) |
                         ((D & 0x00080000) >>  9) | ((D & 0x02020000) >> 14) |
                         ((D & 0x00400000) >> 21);
      round_key[2*i+1] = ((C & 0x00000001) << 28) | ((C & 0x00000082) << 18) |
                         ((C & 0x00002000) << 14) | ((C & 0x00000100) << 10) |
                         ((C & 0x00001000) <<  9) | ((C & 0x00040000) <<  6) |
                         ((C & 0x02400000) <<  4) | ((C & 0x00008000) <<  2) |
                         ((C & 0x00200000) >>  1) | ((C & 0x04000000) >> 10) |
                         ((D & 0x00000020) <<  6) | ((D & 0x00000100)      ) |
                         ((D & 0x00000800) >>  1) | ((D & 0x00000040) >>  3) |
                         ((D & 0x00010000) >>  4) | ((D & 0x00000400) >>  5) |
                         ((D & 0x00004000) >> 10) | ((D & 0x04000000) >> 13) |
                         ((D & 0x00800000) >> 14) | ((D & 0x00100000) >> 18) |
                         ((D & 0x01000000) >> 24) | ((D & 0x08000000) >> 26);
      }
   }
84
85
/*
* XOR together eight DES_SPBOXn entries, one per byte of the two inputs:
* the odd-numbered boxes are indexed by the bytes of T0, the even-numbered
* boxes by the bytes of T1.
*
* NOTE(review): the callers in this file pass values built from cipher state
* XOR round-key words, so every index here depends on secret data. Lookups
* of this shape are a known cache-timing concern; confirm whether that is in
* scope for the deployment's threat model.
*
* Coverage (report created 2020-02-14): executed 857k times.
*/
inline uint32_t spbox(uint32_t T0, uint32_t T1)
   {
   uint32_t mixed = DES_SPBOX1[get_byte(0, T0)];
   mixed ^= DES_SPBOX2[get_byte(0, T1)];
   mixed ^= DES_SPBOX3[get_byte(1, T0)];
   mixed ^= DES_SPBOX4[get_byte(1, T1)];
   mixed ^= DES_SPBOX5[get_byte(2, T0)];
   mixed ^= DES_SPBOX6[get_byte(2, T1)];
   mixed ^= DES_SPBOX7[get_byte(3, T0)];
   mixed ^= DES_SPBOX8[get_byte(3, T1)];
   return mixed;
   }
92
93
/*
94
* DES Encryption
95
*/
96
/*
* Apply the 16 DES rounds to one block, in place, consuming round_key from
* index 0 upwards.
*
* Lr, Rr:    the two 32-bit halves; read on entry and overwritten on exit.
* round_key: 32 words, all of which are read.
*
* Coverage (report created 2020-02-14): entered 2.12k times.
*/
inline void des_encrypt(uint32_t& Lr, uint32_t& Rr,
                        const uint32_t round_key[32])
   {
   uint32_t left = Lr;
   uint32_t right = Rr;

   // Each pass covers two rounds and uses four subkey words: 8 * 4 = 32.
   for(size_t k = 0; k != 32; k += 4)
      {
      left  ^= spbox(rotr<4>(right) ^ round_key[k  ], right ^ round_key[k+1]);
      right ^= spbox(rotr<4>(left)  ^ round_key[k+2], left  ^ round_key[k+3]);
      }

   Lr = left;
   Rr = right;
   }
110
111
/*
* Apply the 16 DES rounds to two independent blocks at once, in place, with
* the same round keys, consuming round_key from index 0 upwards.
*
* L0r/R0r:   halves of the first block; overwritten on exit.
* L1r/R1r:   halves of the second block; overwritten on exit.
* round_key: 32 words, all of which are read.
*
* Coverage (report created 2020-02-14): entered 8.37k times.
*/
inline void des_encrypt_x2(uint32_t& L0r, uint32_t& R0r,
                           uint32_t& L1r, uint32_t& R1r,
                           const uint32_t round_key[32])
   {
   uint32_t a_left = L0r;
   uint32_t a_right = R0r;
   uint32_t b_left = L1r;
   uint32_t b_right = R1r;

   // Each pass covers two rounds and uses four subkey words: 8 * 4 = 32.
   for(size_t k = 0; k != 32; k += 4)
      {
      const uint32_t rk0 = round_key[k  ];
      const uint32_t rk1 = round_key[k+1];
      a_left ^= spbox(rotr<4>(a_right) ^ rk0, a_right ^ rk1);
      b_left ^= spbox(rotr<4>(b_right) ^ rk0, b_right ^ rk1);

      const uint32_t rk2 = round_key[k+2];
      const uint32_t rk3 = round_key[k+3];
      a_right ^= spbox(rotr<4>(a_left) ^ rk2, a_left ^ rk3);
      b_right ^= spbox(rotr<4>(b_left) ^ rk2, b_left ^ rk3);
      }

   L0r = a_left;
   R0r = a_right;
   L1r = b_left;
   R1r = b_right;
   }
134
135
/*
136
* DES Decryption
137
*/
138
/*
* Apply the 16 DES rounds to one block, in place, consuming round_key from
* index 31 downwards (the reverse of des_encrypt).
*
* Lr, Rr:    the two 32-bit halves; read on entry and overwritten on exit.
* round_key: 32 words, all of which are read.
*
* Coverage (report created 2020-02-14): entered 1.18k times.
*/
inline void des_decrypt(uint32_t& Lr, uint32_t& Rr,
                        const uint32_t round_key[32])
   {
   uint32_t left = Lr;
   uint32_t right = Rr;

   // k is one past the subkey words used by this pass; four words per pass.
   for(size_t k = 32; k != 0; k -= 4)
      {
      left  ^= spbox(rotr<4>(right) ^ round_key[k - 2], right ^ round_key[k - 1]);
      right ^= spbox(rotr<4>(left)  ^ round_key[k - 4], left  ^ round_key[k - 3]);
      }

   Lr = left;
   Rr = right;
   }
151
152
/*
* Apply the 16 DES rounds to two independent blocks at once, in place, with
* the same round keys, consuming round_key from index 31 downwards.
*
* L0r/R0r:   halves of the first block; overwritten on exit.
* L1r/R1r:   halves of the second block; overwritten on exit.
* round_key: 32 words, all of which are read.
*
* Coverage (report created 2020-02-14): entered 16.7k times.
*/
inline void des_decrypt_x2(uint32_t& L0r, uint32_t& R0r,
                           uint32_t& L1r, uint32_t& R1r,
                           const uint32_t round_key[32])
   {
   uint32_t a_left = L0r;
   uint32_t a_right = R0r;
   uint32_t b_left = L1r;
   uint32_t b_right = R1r;

   // k is one past the subkey words used by this pass; four words per pass.
   for(size_t k = 32; k != 0; k -= 4)
      {
      const uint32_t rk_hi0 = round_key[k - 2];
      const uint32_t rk_hi1 = round_key[k - 1];
      a_left ^= spbox(rotr<4>(a_right) ^ rk_hi0, a_right ^ rk_hi1);
      b_left ^= spbox(rotr<4>(b_right) ^ rk_hi0, b_right ^ rk_hi1);

      const uint32_t rk_lo0 = round_key[k - 4];
      const uint32_t rk_lo1 = round_key[k - 3];
      a_right ^= spbox(rotr<4>(a_left) ^ rk_lo0, a_left ^ rk_lo1);
      b_right ^= spbox(rotr<4>(b_left) ^ rk_lo0, b_left ^ rk_lo1);
      }

   L0r = a_left;
   R0r = a_right;
   L1r = b_left;
   R1r = b_right;
   }
175
176
/*
* Load one input block into the halves L and R and apply the initial bit
* permutation.
*
* L, R:  outputs; their previous values are not read.
* block: input; read as two big-endian 32-bit words (word indices 0 and 1).
*        No length is passed, so the caller must supply at least that much.
*
* Coverage (report created 2020-02-14): executed 17.8k times.
*/
inline void des_IP(uint32_t& L, uint32_t& R, const uint8_t block[])
   {
   // IP sequence by Wei Dai, taken from public domain Crypto++
   L = load_be<uint32_t>(block, 0);
   R = load_be<uint32_t>(block, 1);

   // Each step below rotates one half, computes T = the masked bit positions
   // where L and R differ, then XORs T into both halves, which exchanges
   // exactly those bits between them. The statement order is significant.
   uint32_t T;
   R = rotl<4>(R);
   T = (L ^ R) & 0xF0F0F0F0;
   L ^= T;
   R = rotr<20>(R ^ T);
   T = (L ^ R) & 0xFFFF0000;
   L ^= T;
   R = rotr<18>(R ^ T);
   T = (L ^ R) & 0x33333333;
   L ^= T;
   R = rotr<6>(R ^ T);
   T = (L ^ R) & 0x00FF00FF;
   L ^= T;
   R = rotl<9>(R ^ T);
   T = (L ^ R) & 0xAAAAAAAA;
   L = rotl<1>(L ^ T);
   R ^= T;
   }
200
201
/*
* Apply the final bit permutation to the halves L and R and store the result
* to out.
*
* L, R: inputs, taken by value; the caller's variables are not modified.
* out:  output; written through store_be with R first and L second. No
*       length is passed, so the caller must supply room for both words.
*
* The masks and rotations are those of des_IP in reverse order with the
* rotation directions flipped.
*
* Coverage (report created 2020-02-14): executed 17.8k times.
*/
inline void des_FP(uint32_t L, uint32_t R, uint8_t out[])
   {
   // FP sequence by Wei Dai, taken from public domain Crypto++
   uint32_t T;

   // As in des_IP, each T holds the masked positions where L and R differ
   // and XORing it into both halves exchanges those bits.
   R = rotr<1>(R);
   T = (L ^ R) & 0xAAAAAAAA;
   R ^= T;
   L = rotr<9>(L ^ T);
   T = (L ^ R) & 0x00FF00FF;
   R ^= T;
   L = rotl<6>(L ^ T);
   T = (L ^ R) & 0x33333333;
   R ^= T;
   L = rotl<18>(L ^ T);
   T = (L ^ R) & 0xFFFF0000;
   R ^= T;
   L = rotl<20>(L ^ T);
   T = (L ^ R) & 0xF0F0F0F0;
   R ^= T;
   L = rotr<4>(L ^ T);

   // Halves are written swapped: R occupies the first word of the output.
   store_be(out, R, L);
   }
225
226
}
227
228
/*
229
* DES Encryption
230
*/
231
/*
* Encrypt `blocks` consecutive blocks from in to out with single DES.
*
* Blocks are processed two at a time while at least two remain, then a final
* single block if the count was odd. verify_key_set() is called first with
* whether m_round_key is non-empty.
*
* NOTE(review): in and out are indexed up to blocks * BLOCK_SIZE bytes with
* no bound visible here; the caller is presumably responsible for the sizes.
*
* Coverage (report created 2020-02-14): count 0, this function was never
* executed in the reported run, so neither path below has been exercised.
*/
void DES::encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const
   {
   verify_key_set(!m_round_key.empty());

   const uint32_t* const subkeys = m_round_key.data();

   // Paired path: two blocks share one pass through the round loop.
   for(; blocks >= 2; blocks -= 2)
      {
      uint32_t L0, R0;
      uint32_t L1, R1;

      des_IP(L0, R0, in);
      des_IP(L1, R1, in + BLOCK_SIZE);

      des_encrypt_x2(L0, R0, L1, R1, subkeys);

      des_FP(L0, R0, out);
      des_FP(L1, R1, out + BLOCK_SIZE);

      in += 2*BLOCK_SIZE;
      out += 2*BLOCK_SIZE;
      }

   // At most one block is left once the paired path has finished.
   if(blocks != 0)
      {
      uint32_t L, R;
      des_IP(L, R, in);
      des_encrypt(L, R, subkeys);
      des_FP(L, R, out);
      }
   }
261
262
/*
263
* DES Decryption
264
*/
265
/*
* Decrypt `blocks` consecutive blocks from in to out with single DES.
*
* Blocks are processed two at a time while at least two remain, then a final
* single block if the count was odd. verify_key_set() is called first with
* whether m_round_key is non-empty.
*
* NOTE(review): in and out are indexed up to blocks * BLOCK_SIZE bytes with
* no bound visible here; the caller is presumably responsible for the sizes.
*
* Coverage (report created 2020-02-14): count 0, this function was never
* executed in the reported run, so neither path below has been exercised.
*/
void DES::decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const
   {
   verify_key_set(!m_round_key.empty());

   const uint32_t* const subkeys = m_round_key.data();

   // Paired path: two blocks share one pass through the round loop.
   for(; blocks >= 2; blocks -= 2)
      {
      uint32_t L0, R0;
      uint32_t L1, R1;

      des_IP(L0, R0, in);
      des_IP(L1, R1, in + BLOCK_SIZE);

      des_decrypt_x2(L0, R0, L1, R1, subkeys);

      des_FP(L0, R0, out);
      des_FP(L1, R1, out + BLOCK_SIZE);

      in += 2*BLOCK_SIZE;
      out += 2*BLOCK_SIZE;
      }

   // At most one block is left once the paired path has finished.
   if(blocks != 0)
      {
      uint32_t L, R;
      des_IP(L, R, in);
      des_decrypt(L, R, subkeys);
      des_FP(L, R, out);
      }
   }
295
296
/*
297
* DES Key Schedule
298
*/
299
/*
* Build the 32-word single-DES round-key table from key[0..7].
*
* The length argument is unnamed and ignored; eight bytes are always read.
* NOTE(review): key-length validation is presumably done by the caller
* before this is reached; nothing here checks it.
*
* des_key_schedule() reads 7 bits of each key byte, so the effective key is
* 56 bits, which is within reach of exhaustive search. Prefer TripleDES or a
* modern cipher wherever interoperability does not force single DES.
*
* Coverage (report created 2020-02-14): count 0, never executed in the
* reported run.
*/
void DES::key_schedule(const uint8_t key[], size_t)
   {
   const size_t round_key_words = 32;

   m_round_key.resize(round_key_words);
   des_key_schedule(&m_round_key[0], key);
   }
304
305
/*
* Discard the DES round keys by passing m_round_key to zap().
*
* NOTE(review): zap() is defined outside this file; it presumably wipes the
* key material and leaves the vector empty, which is the state encrypt_n and
* decrypt_n report to verify_key_set(). Confirm against its definition.
*
* Coverage (report created 2020-02-14): count 0, never executed in the
* reported run.
*/
void DES::clear()
   {
   zap(m_round_key);
   }
309
310
/*
311
* TripleDES Encryption
312
*/
313
/*
* Encrypt `blocks` consecutive blocks from in to out with TripleDES:
* encrypt under the subkeys at m_round_key[0], decrypt under those at [32],
* encrypt under those at [64].
*
* The middle stage is called with the halves swapped (R before L), exactly
* as the stages are chained below; do not "tidy" the argument order.
*
* NOTE(review): in and out are indexed up to blocks * BLOCK_SIZE bytes with
* no bound visible here; the caller is presumably responsible for the sizes.
*
* Coverage (report created 2020-02-14): entered 1.02k times, always with a
* single block. The two-block path has count 0 and was never exercised.
*/
void TripleDES::encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const
   {
   verify_key_set(!m_round_key.empty());

   const uint32_t* const k1 = &m_round_key[0];
   const uint32_t* const k2 = &m_round_key[32];
   const uint32_t* const k3 = &m_round_key[64];

   // Paired path: two blocks share each pass through the round loop.
   for(; blocks >= 2; blocks -= 2)
      {
      uint32_t L0, R0;
      uint32_t L1, R1;

      des_IP(L0, R0, in);
      des_IP(L1, R1, in + BLOCK_SIZE);

      des_encrypt_x2(L0, R0, L1, R1, k1);
      des_decrypt_x2(R0, L0, R1, L1, k2);
      des_encrypt_x2(L0, R0, L1, R1, k3);

      des_FP(L0, R0, out);
      des_FP(L1, R1, out + BLOCK_SIZE);

      in += 2*BLOCK_SIZE;
      out += 2*BLOCK_SIZE;
      }

   // At most one block is left once the paired path has finished.
   if(blocks != 0)
      {
      uint32_t L, R;
      des_IP(L, R, in);

      des_encrypt(L, R, k1);
      des_decrypt(R, L, k2);
      des_encrypt(L, R, k3);

      des_FP(L, R, out);
      }
   }
349
350
/*
351
* TripleDES Decryption
352
*/
353
/*
* Decrypt `blocks` consecutive blocks from in to out with TripleDES:
* decrypt under the subkeys at m_round_key[64], encrypt under those at [32],
* decrypt under those at [0], the reverse of TripleDES::encrypt_n.
*
* The middle stage is called with the halves swapped (R before L), exactly
* as the stages are chained below; do not "tidy" the argument order.
*
* NOTE(review): in and out are indexed up to blocks * BLOCK_SIZE bytes with
* no bound visible here; the caller is presumably responsible for the sizes.
*
* Coverage (report created 2020-02-14): entered 4.26k times; two-block path
* body 8.37k times, single-block tail 79 times.
*/
void TripleDES::decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const
   {
   verify_key_set(!m_round_key.empty());

   const uint32_t* const k1 = &m_round_key[0];
   const uint32_t* const k2 = &m_round_key[32];
   const uint32_t* const k3 = &m_round_key[64];

   // Paired path: two blocks share each pass through the round loop.
   for(; blocks >= 2; blocks -= 2)
      {
      uint32_t L0, R0;
      uint32_t L1, R1;

      des_IP(L0, R0, in);
      des_IP(L1, R1, in + BLOCK_SIZE);

      des_decrypt_x2(L0, R0, L1, R1, k3);
      des_encrypt_x2(R0, L0, R1, L1, k2);
      des_decrypt_x2(L0, R0, L1, R1, k1);

      des_FP(L0, R0, out);
      des_FP(L1, R1, out + BLOCK_SIZE);

      in += 2*BLOCK_SIZE;
      out += 2*BLOCK_SIZE;
      }

   // At most one block is left once the paired path has finished.
   if(blocks != 0)
      {
      uint32_t L, R;
      des_IP(L, R, in);

      des_decrypt(L, R, k3);
      des_encrypt(R, L, k2);
      des_decrypt(L, R, k1);

      des_FP(L, R, out);
      }
   }
389
390
/*
391
* TripleDES Key Schedule
392
*/
393
/*
* Build the three 32-word DES round-key tables used by TripleDES.
*
* key:    key[0..7] and key[8..15] are always read; key[16..23] is read only
*         when length is 24.
* length: 24 selects three independent subkeys. Any other value makes the
*         third table a copy of the first (two-key TripleDES).
*
* NOTE(review): nothing here rejects a length below 16, so key-length
* validation is presumably done by the caller; confirm before reusing this
* function elsewhere.
*
* Coverage (report created 2020-02-14): entered 326 times, always with
* length == 24. The two-key copy branch has count 0 and was never exercised.
*/
void TripleDES::key_schedule(const uint8_t key[], size_t length)
   {
   m_round_key.resize(3*32);

   uint32_t* const k1 = &m_round_key[0];
   uint32_t* const k2 = &m_round_key[32];
   uint32_t* const k3 = &m_round_key[64];

   des_key_schedule(k1, key);
   des_key_schedule(k2, key + 8);

   if(length != 24)
      copy_mem(k3, k1, 32);
   else
      des_key_schedule(k3, key + 16);
   }
404
405
/*
* Discard all three TripleDES round-key tables by passing m_round_key to
* zap().
*
* NOTE(review): zap() is defined outside this file; it presumably wipes the
* key material and leaves the vector empty, which is the state encrypt_n and
* decrypt_n report to verify_key_set(). Confirm against its definition.
*
* Coverage (report created 2020-02-14): count 0, never executed in the
* reported run.
*/
void TripleDES::clear()
   {
   zap(m_round_key);
   }
409
410
}