iPXE
des.c
Go to the documentation of this file.
1 /*
2  * Copyright (C) 2024 Michael Brown <mbrown@fensystems.co.uk>.
3  *
4  * This program is free software; you can redistribute it and/or
5  * modify it under the terms of the GNU General Public License as
6  * published by the Free Software Foundation; either version 2 of the
7  * License, or any later version.
8  *
9  * This program is distributed in the hope that it will be useful, but
10  * WITHOUT ANY WARRANTY; without even the implied warranty of
11  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12  * General Public License for more details.
13  *
14  * You should have received a copy of the GNU General Public License
15  * along with this program; if not, write to the Free Software
16  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
17  * 02110-1301, USA.
18  *
19  * You can also choose to distribute this program under the terms of
20  * the Unmodified Binary Distribution Licence (as given in the file
21  * COPYING.UBDL), provided that you have satisfied its requirements.
22  */
23 
24 FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
25 
26 /** @file
27  *
28  * DES algorithm
29  *
30  * DES was not designed to be implemented in software, and therefore
31  * contains a large number of bit permutation operations that are
32  * essentially free in hardware (requiring only wires, no gates) but
33  * expensive in software.
34  *
35  * Since DES is no longer used as a practical block cipher for large
36  * volumes of data, we optimise for code size, and do not attempt to
37  * obtain fast throughput.
38  *
39  * The algorithm is specified in NIST SP 800-67, downloadable from
40  * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-67r2.pdf
41  */
42 
43 #include <stdint.h>
44 #include <string.h>
45 #include <errno.h>
46 #include <byteswap.h>
47 #include <ipxe/rotate.h>
48 #include <ipxe/crypto.h>
49 #include <ipxe/ecb.h>
50 #include <ipxe/cbc.h>
51 #include <ipxe/init.h>
52 #include <ipxe/des.h>
53 
54 /**
55  * DES shift schedule
56  *
57  * The DES shift schedule (ordered from round 16 down to round 1) is
58  * {1,2,2,2,2,2,2,1,2,2,2,2,2,2,1,1}. In binary, this may be
59  * represented as {1,10,10,10,10,10,10,1,10,10,10,10,10,10,1,1} and
60  * concatenated (without padding) to produce a single binary integer
61  * 1101010101010110101010101011 (equal to 0x0d556aab in hexadecimal).
62  *
63  * This integer may then be consumed LSB-first, where a 1 bit
64  * indicates a shift and the generation of a round key, and a 0 bit
65  * indicates a shift without the generation of a round key.
66  */
67 #define DES_SCHEDULE 0x0d556aab
68 
69 /**
70  * Define an element pair in a DES S-box
71  *
72  * @v x Upper element of element pair
73  * @v y Lower element of element pair
74  *
75  * DES S-box elements are 4-bit values. We encode two values per
76  * byte, ordering the elements so that the six-bit input value may be
77  * used directly as a lookup index.
78  *
79  * Specifically, if the input value is {r1,c3,c2,c1,c0,r0}, where
80  * {r1,r0} is the table row index and {c3,c2,c1,c0} is the table
81  * column index (as used in the DES specification), then:
82  *
83  * - {r1,c3,c2,c1,c0} is the byte index into the table
84  *
85  * - (4*r0) is the required bit shift to extract the 4-bit value
86  */
87 #define SBYTE( x, y ) ( ( (y) << 4 ) | (x) )
88 
89 /**
90  * Define a row pair in a DES S-box
91  *
92  * @v x0..xf Upper row of row pair
93  * @v y0..yf Lower row of row pair
94  */
95 #define SBOX( x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, xa, xb, xc, xd, xe, xf, \
96  y0, y1, y2, y3, y4, y5, y6, y7, y8, y9, ya, yb, yc, yd, ye, yf ) \
97  SBYTE ( x0, y0 ), SBYTE ( x1, y1 ), SBYTE ( x2, y2 ), SBYTE ( x3, y3 ),\
98  SBYTE ( x4, y4 ), SBYTE ( x5, y5 ), SBYTE ( x6, y6 ), SBYTE ( x7, y7 ),\
99  SBYTE ( x8, y8 ), SBYTE ( x9, y9 ), SBYTE ( xa, ya ), SBYTE ( xb, yb ),\
100  SBYTE ( xc, yc ), SBYTE ( xd, yd ), SBYTE ( xe, ye ), SBYTE ( xf, yf )
101 
102 /** DES S-boxes S1..S8 */
103 static const uint8_t des_s[8][32] = { {
104  /* S1 */
105  SBOX ( 14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7,
106  0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8 ),
107  SBOX ( 4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0,
108  15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13 )
109 }, {
110  /* S2 */
111  SBOX ( 15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10,
112  3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5 ),
113  SBOX ( 0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15,
114  13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9 )
115 }, {
116  /* S3 */
117  SBOX ( 10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8,
118  13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1 ),
119  SBOX ( 13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7,
120  1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12 )
121 }, {
122  /* S4 */
123  SBOX ( 7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15,
124  13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9 ),
125  SBOX ( 10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4,
126  3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14 )
127 }, {
128  /* S5 */
129  SBOX ( 2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9,
130  14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6 ),
131  SBOX ( 4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14,
132  11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3 )
133 }, {
134  /* S6 */
135  SBOX ( 12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11,
136  10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8 ),
137  SBOX ( 9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6,
138  4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13 )
139 }, {
140  /* S7 */
141  SBOX ( 4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1,
142  13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6 ),
143  SBOX ( 1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2,
144  6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12 )
145 }, {
146  /* S8 */
147  SBOX ( 13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7,
148  1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2 ),
149  SBOX ( 7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8,
150  2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11 )
151 } };
152 
153 /**
154  * Define a bit index within permuted choice 2 (PC2)
155  *
156  * @v bit Bit index
157  *
158  * Permuted choice 2 (PC2) is used to select bits from a concatenated
159  * pair of 28-bit registers ("C" and "D") as part of the key schedule.
160  * We store these as 32-bit registers and so must add 4 to indexes
161  * above 28.
162  */
163 #define DES_PC2( x ) ( (x) + ( ( (x) > 28 ) ? 4 : 0 ) )
164 
165 /**
166  * Define six bits of permuted choice 2 (PC2)
167  *
168  * @v r1:r0 Bits corresponding to S-box row index
169  * @v c3:c0 Bits corresponding to S-box column index
170  *
171  * There are 8 steps within a DES round (one step per S-box). Each
172  * step requires six bits of the round key, corresponding to the S-box
173  * input value {r1,c3,c2,c1,c0,r0}, where {r1,r0} is the table row
174  * index and {c3,c2,c1,c0} is the table column index.
175  *
176  * As an optimisation, we store the least significant of the 6 bits in
177  * the sign bit of a signed 8-bit value, and the remaining 5 bits in
178  * the least significant 5 bits of the 8-bit value. See the comments
179  * in des_sbox() for further details.
180  */
181 #define DES_PC2R( r1, c3, c2, c1, c0, r0 ) \
182  DES_PC2 ( r0 ), /* LSB stored in sign bit */ \
183  DES_PC2 ( r0 ), /* Unused bit */ \
184  DES_PC2 ( r0 ), /* Unused bit */ \
185  DES_PC2 ( r1 ), /* Remaining 5 bits */ \
186  DES_PC2 ( c3 ), /* ... */ \
187  DES_PC2 ( c2 ), /* ... */ \
188  DES_PC2 ( c1 ), /* ... */ \
189  DES_PC2 ( c0 ) /* ... */
190 
191 /**
192  * A DES systematic permutation generator
193  *
194  * Many of the permutations used in DES comprise systematic bit
195  * patterns. We generate these permutations at runtime to save on
196  * code size.
197  */
199  /** Permutation */
201  /** Seed value */
203 };
204 
205 /**
206  * Define a DES permutation generator
207  *
208  * @v PERMUTATION Permutation
209  * @v OFFSET Fixed input bit offset (0 or 1)
210  * @v INV<n> Input bit index bit <n> should be inverted
211  * @v BIT<n> Source bit for input bit index bit <n>
212  * @ret generator Permutation generator
213  */
214 #define DES_GENERATOR( PERMUTATION, OFFSET, INV5, BIT5, INV4, BIT4, \
215  INV3, BIT3, INV2, BIT2, INV1, BIT1, INV0, BIT0 ) \
216  { \
217  .permutation = (PERMUTATION), \
218  .seed = ( ( (INV0) << 31 ) | ( (BIT0) << 28 ) | \
219  ( (INV1) << 27 ) | ( (BIT1) << 24 ) | \
220  ( (INV2) << 23 ) | ( (BIT2) << 20 ) | \
221  ( (INV3) << 19 ) | ( (BIT3) << 16 ) | \
222  ( (INV4) << 15 ) | ( (BIT4) << 12 ) | \
223  ( (INV5) << 11 ) | ( (BIT5) << 8 ) | \
224  ( ( uint32_t ) sizeof (PERMUTATION) - 1 ) | \
225  (OFFSET) ), \
226  }
227 
228 /** DES permuted choice 1 (PC1) "C" register */
229 static uint8_t des_pc1c[29];
230 
231 /** DES permuted choice 1 (PC1) "D" register */
232 static uint8_t des_pc1d[33];
233 
234 /** DES permuted choice 2 (PC2) */
235 static const uint8_t des_pc2[65] = {
236  DES_PC2R ( 14, 17, 11, 24, 1, 5 ),
237  DES_PC2R ( 3, 28, 15, 6, 21, 10 ),
238  DES_PC2R ( 23, 19, 12, 4, 26, 8 ),
239  DES_PC2R ( 16, 7, 27, 20, 13, 2 ),
240  DES_PC2R ( 41, 52, 31, 37, 47, 55 ),
241  DES_PC2R ( 30, 40, 51, 45, 33, 48 ),
242  DES_PC2R ( 44, 49, 39, 56, 34, 53 ),
243  DES_PC2R ( 46, 42, 50, 36, 29, 32 ),
244  0 /* terminator */
245 };
246 
247 /** DES initial permutation (IP) */
248 static uint8_t des_ip[65];
249 
250 /** DES data permutation (P) */
251 static const uint8_t des_p[33] = {
252  16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10,
253  2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25,
254  0 /* terminator */
255 };
256 
257 /** DES final / inverse initial permutation (FP / IP^-1) */
258 static uint8_t des_fp[65];
259 
260 /** DES permutation generators */
261 static struct des_generator des_generators[] = {
262 
263  /* The DES initial permutation transforms the bit index
264  * {x5,x4,x3,x2,x1,x0}+1 into {~x2,~x1,~x0,x4,x3,~x5}+1
265  */
266  DES_GENERATOR ( des_ip, 1, 1, 2, 1, 1, 1, 0, 0, 4, 0, 3, 1, 5 ),
267 
268  /* The DES final permutation transforms the bit index
269  * {x5,x4,x3,x2,x1,x0}+1 into {~x0,x2,x1,~x5,~x4,~x3}+1
270  *
271  * There is an asymmetry in the DES block diagram for the last
272  * of the 16 rounds, which is functionally equivalent to
273  * performing 16 identical rounds and then swapping the left
274  * and right halves before applying the final permutation. We
275  * may therefore account for this asymmetry by inverting the
276  * MSB in each bit index, to point to the corresponding bit in
277  * the other half.
278  *
279  * This is equivalent to using a permutation that transforms
280  * {x5,x4,x3,x2,x1,x0}+1 into {x0,x2,x1,~x5,~x4,~x3}+1
281  */
282  DES_GENERATOR ( des_fp, 1, 0, 0, 0, 2, 0, 1, 1, 5, 1, 4, 1, 3 ),
283 
284  /* The "C" half of DES permuted choice 1 (PC1) transforms the
285  * bit index {x5,x4,x3,x2,x1,x0}+1 into {~x2,~x1,~x0,x5,x4,x3}+1
286  */
287  DES_GENERATOR ( des_pc1c, 1, 1, 2, 1, 1, 1, 0, 0, 5, 0, 4, 0, 3 ),
288 
289  /* The "D" half of DES permuted choice 1 (PC1) transforms the
290  * bit index {x5,x4,x3,x2,x1,x0}+1 into {~x2,~x1,~x0,~x5,~x4,~x3}+0
291  *
292  * Due to the idosyncratic design choice of using 28-bit
293  * registers in the DES key expansion schedule, the final four
294  * permutation values appear at indices [28:31] instead of
295  * [24:27]. This is adjusted for in @c des_setkey().
296  */
297  DES_GENERATOR ( des_pc1d, 0, 1, 2, 1, 1, 1, 0, 1, 5, 1, 4, 1, 3 ),
298 };
299 
300 /**
301  * Generate DES permutation
302  *
303  * @v generator Generator
304  */
305 static __attribute__ (( noinline )) void
306 des_generate ( struct des_generator *generator ) {
307  uint8_t *permutation = generator->permutation;
308  uint32_t seed = generator->seed;
309  unsigned int index = 0;
310  uint8_t accum;
311  uint8_t bit;
312 
313  /* Generate permutations
314  *
315  * This loop is optimised for code size on a
316  * register-constrained architecture such as i386.
317  */
318  do {
319  /* Rotate seed to access MSB's bit descriptor */
320  seed = ror32 ( seed, 8 );
321 
322  /* Initialise accumulator with six flag bits */
323  accum = 0xfc;
324 
325  /* Accumulate bits until all six flag bits are cleared */
326  do {
327  /* Extract specified bit from index. Use a
328  * rotation instead of a shift, since this
329  * will allow the mask to be elided.
330  */
331  bit = ror8 ( index, ( seed & 0x07 ) );
332  seed = ror32 ( seed, 3 );
333 
334  /* Toggle bit if applicable */
335  bit ^= seed;
336  seed = ror32 ( seed, 1 );
337 
338  /* Add bit to accumulator and clear one flag bit */
339  accum <<= 1;
340  accum |= ( bit & 0x01 );
341 
342  } while ( accum & 0x80 );
343 
344  /* Add constant offset if applicable */
345  accum += ( seed & 0x01 );
346 
347  /* Store permutation */
348  permutation[index] = accum;
349 
350  /* Loop until reaching length (which is always even) */
351  } while ( ++index < ( seed & 0xfe ) );
352  DBGC2 ( permutation, "DES generated permutation %p:\n", permutation );
354  ( ( seed & 0xfe ) + 1 /* zero terminator */ ) );
355 }
356 
357 /**
358  * Initialise permutations
359  */
360 static void des_init ( void ) {
361  unsigned int i;
362 
363  /* Generate all generated permutations */
364  for ( i = 0 ; i < ( sizeof ( des_generators ) /
365  sizeof ( des_generators[0] ) ) ; i++ ) {
367  }
368 }
369 
370 /** Initialisation function */
371 struct init_fn des_init_fn __init_fn ( INIT_NORMAL ) = {
372  .initialise = des_init,
373 };
374 
375 /**
376  * Perform bit permutation
377  *
378  * @v permutation Bit permutation (zero-terminated)
379  * @v in Input value
380  * @v out Output value
381  */
382 static void des_permute ( const uint8_t *permutation, const uint8_t *in,
383  uint8_t *out ) {
384  uint8_t mask = 0x80;
385  uint8_t accum = 0;
386  unsigned int bit;
387 
388  /* Extract individual input bits to construct output value */
389  while ( ( bit = *(permutation++) ) ) {
390  bit--;
391  if ( in[ bit / 8 ] & ( 0x80 >> ( bit % 8 ) ) )
392  accum |= mask;
393  *out = accum;
394  mask = ror8 ( mask, 1 );
395  if ( mask == 0x80 ) {
396  out++;
397  accum = 0;
398  }
399  }
400 }
401 
402 /**
403  * Perform DES S-box substitution
404  *
405  * @v in 32-bit input value (native endian)
406  * @v rkey 48-bit round key
407  * @ret out 32-bit output value (native endian)
408  */
409 static uint32_t des_sbox ( uint32_t in, const union des_round_key *rkey ) {
410  uint32_t out = 0;
411  uint32_t lookup;
412  int32_t key;
413  uint8_t sub;
414  unsigned int i;
415 
416  /* Perform input expansion, key addition, and S-box substitution */
417  for ( i = 0 ; i < 8 ; i++ ) {
418 
419  /* Rotate input and output */
420  out = rol32 ( out, 4 );
421  in = rol32 ( in, 4 );
422 
423  /* Extract step key from relevant 6 bits of round key
424  *
425  * The least significant of the 6 bits (corresponding
426  * to bit r0 in the S-box lookup index) is stored in
427  * the sign bit of the step key byte. It will
428  * therefore be propagated via sign extension to the
429  * MSB of the 32-bit step key.
430  *
431  * The remaining 5 of the 6 bits (corresponding to
432  * bits {r1,c3,c2,c1,c0} in the S-box lookup index)
433  * are stored in the least significant 5 bits of the
434  * step key byte and will end up in the least
435  * significant 5 bits of the 32-bit step key.
436  */
437  key = rkey->step[i];
438 
439  /* Add step key to input to produce S-box lookup index
440  *
441  * We do not ever perform an explicit expansion of the
442  * input value from 32 to 48 bits. Instead, we rotate
443  * the 32-bit input value by 4 bits on each step, and
444  * extract the relevant 6 bits.
445  *
446  * The least significant of the 6 bits (corresponding
447  * to bit r0 in the S-box lookup index) is currently
448  * in the MSB of the 32-bit (rotated) input value.
449  *
450  * The remaining 5 of the 6 bits (corresponding to
451  * bits {r1,c3,c2,c1,c0} in the S-box lookup index)
452  * are currently in the least significant 5 bits of
453  * the 32-bit (rotated) input value.
454  *
455  * This aligns with the placement of the bits in the
456  * step key (see above), and we can therefore perform
457  * a single XOR to add the 6-bit step key to the
458  * relevant 6 bits of the input value.
459  */
460  lookup = ( in ^ key );
461 
462  /* Look up S[i][in ^ key] from S-box
463  *
464  * We have bits {r1,c3,c2,c1,c0} in the least
465  * significant 5 bits of the lookup index, and so can
466  * use the masked lookup index directly as a byte
467  * index into the relevant S-box to extract the byte
468  * containing both {r1,c3,c2,c1,c0,'0'} and
469  * {r1,c3,c2,c1,c0,'1'}.
470  *
471  * We then use the MSB of the 32-bit lookup index to
472  * extract the relevant nibble for the full lookup
473  * index {r1,c3,c2,c1,c0,r0}.
474  */
475  sub = des_s[i][ lookup & 0x1f ];
476  sub >>= ( ( lookup >> 29 ) & 4 );
477  sub &= 0x0f;
478 
479  /* Substitute S[i][input ^ key] into output */
480  out |= sub;
481  }
482 
483  return out;
484 }
485 
486 /**
487  * Perform a single DES round
488  *
489  * @v block DES block
490  * @v rkey 48-bit round key
491  */
492 static void des_round ( union des_block *block,
493  const union des_round_key *rkey ) {
494  union des_dword sbox;
495  uint32_t left;
496  uint32_t right;
497 
498  /* Extract left and right halves L[n-1] and R[n-1] */
499  left = block->left.dword;
500  right = block->right.dword;
501  DBGC2 ( block, "DES L=%08x R=%08x K=%08x%08x", be32_to_cpu ( left ),
502  be32_to_cpu ( right ), be32_to_cpu ( rkey->dword[0] ),
503  be32_to_cpu ( rkey->dword[1] ) );
504 
505  /* L[n] = R[n-1] */
506  block->left.dword = right;
507 
508  /* Calculate Feistel function f(R[n-1], K[n]) */
509  sbox.dword = cpu_to_be32 ( des_sbox ( be32_to_cpu ( right ), rkey ) );
510  des_permute ( des_p, sbox.byte, block->right.byte );
511 
512  /* R[n] = L[n-1] + f(R[n-1], K[n]) */
513  block->right.dword ^= left;
514  DBGC2 ( block, " => L=%08x R=%08x\n",
515  be32_to_cpu ( block->left.dword ),
516  be32_to_cpu ( block->right.dword ) );
517 }
518 
519 /**
520  * Perform all DES rounds
521  *
522  * @v in Input DES block
523  * @v out Output DES block
524  * @v rkey Starting 48-bit round key
525  * @v offset Byte offset between round keys
526  */
527 static void des_rounds ( const union des_block *in, union des_block *out,
528  const union des_round_key *rkey,
529  ssize_t offset ) {
530  union des_block tmp;
531  unsigned int i;
532 
533  /* Apply initial permutation */
534  des_permute ( des_ip, in->byte, tmp.byte );
535 
536  /* Perform all DES rounds, consuming keys in the specified order */
537  for ( i = 0 ; i < DES_ROUNDS ; i++ ) {
538  des_round ( &tmp, rkey );
539  rkey = ( ( ( void * ) rkey ) + offset );
540  }
541 
542  /* Apply final permutation */
543  DBGC ( &tmp, "DES %scrypted %08x%08x => ",
544  ( ( offset > 0 ) ? "en" : "de" ), be32_to_cpu ( in->dword[0] ),
545  be32_to_cpu ( in->dword[1] ) );
546  des_permute ( des_fp, tmp.byte, out->byte );
547  DBGC ( &tmp, "%08x%08x\n", be32_to_cpu ( out->dword[0] ),
548  be32_to_cpu ( out->dword[1] ) );
549 }
550 
551 /**
552  * Rotate 28-bit word
553  *
554  * @v dword 28-bit dword value
555  * @ret dword Rotated 28-bit dword value
556  */
558  int32_t sdword;
559 
560  /* Convert to native-endian */
561  sdword = be32_to_cpu ( dword );
562 
563  /* Signed shift right by 4 places to copy bit 31 to bits 27:31 */
564  sdword >>= 4;
565 
566  /* Rotate left */
567  sdword = rol32 ( sdword, 1 );
568 
569  /* Shift left by 4 places to restore bit positions */
570  sdword <<= 4;
571 
572  /* Convert back to big-endian */
573  dword = cpu_to_be32 ( sdword );
574 
575  return dword;
576 }
577 
578 /**
579  * Set key
580  *
581  * @v ctx Context
582  * @v key Key
583  * @v keylen Key length
584  * @ret rc Return status code
585  */
586 static int des_setkey ( void *ctx, const void *key, size_t keylen ) {
587  struct des_context *des = ctx;
588  union des_round_key *rkey = des->rkey;
589  union des_block reg;
590  uint32_t schedule;
591 
592  /* Validate key length */
593  if ( keylen != DES_BLOCKSIZE )
594  return -EINVAL;
595  DBGC ( des, "DES %p new key:\n", des );
596  DBGC_HDA ( des, 0, key, keylen );
597 
598  /* Apply permuted choice 1 */
599  des_permute ( des_pc1c, key, reg.c.byte );
600  des_permute ( des_pc1d, key, reg.d.byte );
601  reg.d.byte[3] <<= 4; /* see comment for @c des_pc1d */
602  DBGC2 ( des, "DES %p C[ 0]=%07x D[ 0]=%07x\n",
603  des, ( be32_to_cpu ( reg.c.dword ) >> 4 ),
604  ( be32_to_cpu ( reg.d.dword ) >> 4 ) );
605 
606  /* Generate round keys */
607  for ( schedule = DES_SCHEDULE ; schedule ; schedule >>= 1 ) {
608 
609  /* Shift 28-bit words */
610  reg.c.dword = des_rol28 ( reg.c.dword );
611  reg.d.dword = des_rol28 ( reg.d.dword );
612 
613  /* Skip rounds according to shift schedule */
614  if ( ! ( schedule & 1 ) )
615  continue;
616 
617  /* Apply permuted choice 2 */
618  des_permute ( des_pc2, reg.byte, rkey->byte );
619  DBGC2 ( des, "DES %p C[%2zd]=%07x D[%2zd]=%07x K[%2zd]="
620  "%08x%08x\n", des, ( ( rkey - des->rkey ) + 1 ),
621  ( be32_to_cpu ( reg.c.dword ) >> 4 ),
622  ( ( rkey - des->rkey ) + 1 ),
623  ( be32_to_cpu ( reg.d.dword ) >> 4 ),
624  ( ( rkey - des->rkey ) + 1 ),
625  be32_to_cpu ( rkey->dword[0] ),
626  be32_to_cpu ( rkey->dword[1] ) );
627 
628  /* Move to next key */
629  rkey++;
630  }
631 
632  /* Sanity check */
633  assert ( rkey == &des->rkey[DES_ROUNDS] );
634 
635  return 0;
636 }
637 
638 /**
639  * Encrypt data
640  *
641  * @v ctx Context
642  * @v src Data to encrypt
643  * @v dst Buffer for encrypted data
644  * @v len Length of data
645  */
646 static void des_encrypt ( void *ctx, const void *src, void *dst, size_t len ) {
647  struct des_context *des = ctx;
648 
649  /* Sanity check */
650  assert ( len == DES_BLOCKSIZE );
651 
652  /* Cipher using keys in forward direction */
653  des_rounds ( src, dst, &des->rkey[0], sizeof ( des->rkey[0] ) );
654 }
655 
656 /**
657  * Decrypt data
658  *
659  * @v ctx Context
660  * @v src Data to decrypt
661  * @v dst Buffer for decrypted data
662  * @v len Length of data
663  */
664 static void des_decrypt ( void *ctx, const void *src, void *dst, size_t len ) {
665  struct des_context *des = ctx;
666 
667  /* Sanity check */
668  assert ( len == DES_BLOCKSIZE );
669 
670  /* Cipher using keys in reverse direction */
671  des_rounds ( src, dst, &des->rkey[ DES_ROUNDS - 1 ],
672  -sizeof ( des->rkey[0] ) );
673 }
674 
675 /** Basic DES algorithm */
677  .name = "des",
678  .ctxsize = sizeof ( struct des_context ),
679  .blocksize = DES_BLOCKSIZE,
680  .alignsize = 0,
681  .authsize = 0,
682  .setkey = des_setkey,
683  .setiv = cipher_null_setiv,
684  .encrypt = des_encrypt,
685  .decrypt = des_decrypt,
686  .auth = cipher_null_auth,
687 };
688 
689 /* DES in Electronic Codebook mode */
690 ECB_CIPHER ( des_ecb, des_ecb_algorithm,
692 
693 /* DES in Cipher Block Chaining mode */
694 CBC_CIPHER ( des_cbc, des_cbc_algorithm,
static const uint8_t des_p[33]
DES data permutation (P)
Definition: des.c:251
#define __attribute__(x)
Definition: compiler.h:10
#define EINVAL
Invalid argument.
Definition: errno.h:428
#define DES_PC2R(r1, c3, c2, c1, c0, r0)
Define six bits of permuted choice 2 (PC2)
Definition: des.c:181
uint8_t byte[4]
Raw bytes.
Definition: des.h:21
static const void * src
Definition: string.h:47
static void des_generate(struct des_generator *generator)
Generate DES permutation.
Definition: des.c:306
void(* initialise)(void)
Definition: init.h:15
static unsigned int unsigned int reg
Definition: myson.h:162
static unsigned int unsigned int bit
Definition: bigint.h:314
A DES 64-bit block.
Definition: des.h:27
__be32 in[4]
Definition: CIB_PRM.h:35
static u32 rol32(u32 v, int bits)
Rotate 32-bit value left.
Definition: wpa_tkip.c:173
A DES 32-bit dword value.
Definition: des.h:19
Error codes.
A DES systematic permutation generator.
Definition: des.c:198
void cipher_null_setiv(void *ctx __unused, const void *iv __unused, size_t ivlen __unused)
Definition: crypto_null.c:64
#define DBGC(...)
Definition: compiler.h:505
static void des_encrypt(void *ctx, const void *src, void *dst, size_t len)
Encrypt data.
Definition: des.c:646
struct init_fn des_init_fn __init_fn(INIT_NORMAL)
Initialisation function.
long index
Definition: bigint.h:62
ECB_CIPHER(des_ecb, des_ecb_algorithm, des_algorithm, struct des_context, DES_BLOCKSIZE)
Cryptographic API.
static uint8_t des_pc1d[33]
DES permuted choice 1 (PC1) "D" register.
Definition: des.c:232
static void des_permute(const uint8_t *permutation, const uint8_t *in, uint8_t *out)
Perform bit permutation.
Definition: des.c:382
struct cipher_algorithm des_cbc_algorithm
struct golan_eq_context ctx
Definition: CIB_PRM.h:28
FILE_LICENCE(GPL2_OR_LATER_OR_UBDL)
struct cipher_algorithm des_algorithm
Basic DES algorithm.
Definition: des.c:676
#define DES_SCHEDULE
DES shift schedule.
Definition: des.c:67
static u32 ror32(u32 v, int bits)
Rotate 32-bit value right.
Definition: wpa_tkip.c:161
DES context.
Definition: des.h:79
Electronic codebook (ECB)
unsigned long tmp
Definition: linux_pci.h:63
static uint8_t des_pc1c[29]
DES permuted choice 1 (PC1) "C" register.
Definition: des.c:229
union des_round_key rkey[DES_ROUNDS]
Round keys.
Definition: des.h:81
#define DES_ROUNDS
Number of DES rounds.
Definition: des.h:76
#define INIT_NORMAL
Normal initialisation.
Definition: init.h:30
An initialisation function.
Definition: init.h:14
#define be32_to_cpu(value)
Definition: byteswap.h:116
assert((readw(&hdr->flags) &(GTF_reading|GTF_writing))==0)
static void des_round(union des_block *block, const union des_round_key *rkey)
Perform a single DES round.
Definition: des.c:492
uint32_t seed
Seed value.
Definition: des.c:202
#define DBGC_HDA(...)
Definition: compiler.h:506
static const uint8_t des_s[8][32]
DES S-boxes S1..S8.
Definition: des.c:103
__be32 out[4]
Definition: CIB_PRM.h:36
struct cipher_algorithm des_ecb_algorithm
#define SBOX(x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, xa, xb, xc, xd, xe, xf, y0, y1, y2, y3, y4, y5, y6, y7, y8, y9, ya, yb, yc, yd, ye, yf)
Define a row pair in a DES S-box.
Definition: des.c:95
#define DBGC2_HDA(...)
Definition: compiler.h:523
static struct des_generator des_generators[]
DES permutation generators.
Definition: des.c:261
A DES round key.
Definition: des.h:56
static void des_decrypt(void *ctx, const void *src, void *dst, size_t len)
Decrypt data.
Definition: des.c:664
uint32_t dword[2]
32-bit big-endian dwords
Definition: des.h:60
#define DES_GENERATOR(PERMUTATION, OFFSET, INV5, BIT5, INV4, BIT4, INV3, BIT3, INV2, BIT2, INV1, BIT1, INV0, BIT0)
Define a DES permutation generator.
Definition: des.c:214
unsigned char uint8_t
Definition: stdint.h:10
Cipher-block chaining.
unsigned int uint32_t
Definition: stdint.h:12
DES algorithm.
static uint32_t des_rol28(uint32_t dword)
Rotate 28-bit word.
Definition: des.c:557
uint32_t dword
32-bit big-endian dword
Definition: des.h:23
uint8_t byte[8]
Raw bytes.
Definition: des.h:58
uint8_t * permutation
Permutation.
Definition: des.c:200
#define cpu_to_be32(value)
Definition: byteswap.h:110
int8_t step[8]
6-bit step key byte
Definition: des.h:72
signed int int32_t
Definition: stdint.h:17
#define DBGC2(...)
Definition: compiler.h:522
static const uint8_t des_pc2[65]
DES permuted choice 2 (PC2)
Definition: des.c:235
uint8_t block[3][8]
DES-encrypted blocks.
Definition: mschapv2.h:12
#define DES_BLOCKSIZE
DES blocksize.
Definition: des.h:49
A cipher algorithm.
Definition: crypto.h:50
static void des_init(void)
Initialise permutations.
Definition: des.c:360
uint16_t offset
Offset to command line.
Definition: bzimage.h:8
signed long ssize_t
Definition: stdint.h:7
CBC_CIPHER(des_cbc, des_cbc_algorithm, des_algorithm, struct des_context, DES_BLOCKSIZE)
static void des_rounds(const union des_block *in, union des_block *out, const union des_round_key *rkey, ssize_t offset)
Perform all DES rounds.
Definition: des.c:527
const char * name
Algorithm name.
Definition: crypto.h:52
void cipher_null_auth(void *ctx __unused, void *auth __unused)
Definition: crypto_null.c:79
uint32_t len
Length.
Definition: ena.h:14
static uint8_t des_fp[65]
DES final / inverse initial permutation (FP / IP^-1)
Definition: des.c:258
String functions.
static uint8_t des_ip[65]
DES initial permutation (IP)
Definition: des.c:248
unsigned long int dword
Definition: smc9000.h:40
union @383 key
Sense key.
Definition: scsi.h:18
static uint32_t des_sbox(uint32_t in, const union des_round_key *rkey)
Perform DES S-box substitution.
Definition: des.c:409
Bit operations.
static int des_setkey(void *ctx, const void *key, size_t keylen)
Set key.
Definition: des.c:586