1 /* $OpenBSD: des.c,v 1.9 2024/08/31 15:56:09 jsing Exp $ */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59 #include <endian.h>
60
61 #include <openssl/opensslconf.h>
62
63 #include "des_local.h"
64
65 void
DES_cbc_encrypt(const unsigned char * in,unsigned char * out,long length,DES_key_schedule * _schedule,DES_cblock * ivec,int enc)66 DES_cbc_encrypt(const unsigned char *in, unsigned char *out, long length,
67 DES_key_schedule *_schedule, DES_cblock *ivec, int enc)
68 {
69 DES_LONG tin0, tin1;
70 DES_LONG tout0, tout1, xor0, xor1;
71 long l = length;
72 DES_LONG tin[2];
73 unsigned char *iv;
74
75 iv = &(*ivec)[0];
76
77 if (enc) {
78 c2l(iv, tout0);
79 c2l(iv, tout1);
80 for (l -= 8; l >= 0; l -= 8) {
81 c2l(in, tin0);
82 c2l(in, tin1);
83 tin0 ^= tout0;
84 tin[0] = tin0;
85 tin1 ^= tout1;
86 tin[1] = tin1;
87 DES_encrypt1((DES_LONG *)tin, _schedule, DES_ENCRYPT);
88 tout0 = tin[0];
89 l2c(tout0, out);
90 tout1 = tin[1];
91 l2c(tout1, out);
92 }
93 if (l != -8) {
94 c2ln(in, tin0, tin1, l + 8);
95 tin0 ^= tout0;
96 tin[0] = tin0;
97 tin1 ^= tout1;
98 tin[1] = tin1;
99 DES_encrypt1((DES_LONG *)tin, _schedule, DES_ENCRYPT);
100 tout0 = tin[0];
101 l2c(tout0, out);
102 tout1 = tin[1];
103 l2c(tout1, out);
104 }
105 } else {
106 c2l(iv, xor0);
107 c2l(iv, xor1);
108 for (l -= 8; l >= 0; l -= 8) {
109 c2l(in, tin0);
110 tin[0] = tin0;
111 c2l(in, tin1);
112 tin[1] = tin1;
113 DES_encrypt1((DES_LONG *)tin, _schedule, DES_DECRYPT);
114 tout0 = tin[0] ^ xor0;
115 tout1 = tin[1] ^ xor1;
116 l2c(tout0, out);
117 l2c(tout1, out);
118 xor0 = tin0;
119 xor1 = tin1;
120 }
121 if (l != -8) {
122 c2l(in, tin0);
123 tin[0] = tin0;
124 c2l(in, tin1);
125 tin[1] = tin1;
126 DES_encrypt1((DES_LONG *)tin, _schedule, DES_DECRYPT);
127 tout0 = tin[0] ^ xor0;
128 tout1 = tin[1] ^ xor1;
129 l2cn(tout0, tout1, out, l + 8);
130 }
131 }
132 tin0 = tin1 = tout0 = tout1 = xor0 = xor1 = 0;
133 tin[0] = tin[1] = 0;
134 }
135 LCRYPTO_ALIAS(DES_cbc_encrypt);
136
137 /* The input and output encrypted as though 64bit cfb mode is being
138 * used. The extra state information to record how much of the
139 * 64bit block we have used is contained in *num;
140 */
141
142 void
DES_ede3_cfb64_encrypt(const unsigned char * in,unsigned char * out,long length,DES_key_schedule * ks1,DES_key_schedule * ks2,DES_key_schedule * ks3,DES_cblock * ivec,int * num,int enc)143 DES_ede3_cfb64_encrypt(const unsigned char *in, unsigned char *out,
144 long length, DES_key_schedule *ks1,
145 DES_key_schedule *ks2, DES_key_schedule *ks3,
146 DES_cblock *ivec, int *num, int enc)
147 {
148 DES_LONG v0, v1;
149 long l = length;
150 int n = *num;
151 DES_LONG ti[2];
152 unsigned char *iv, c, cc;
153
154 iv = &(*ivec)[0];
155 if (enc) {
156 while (l--) {
157 if (n == 0) {
158 c2l(iv, v0);
159 c2l(iv, v1);
160
161 ti[0] = v0;
162 ti[1] = v1;
163 DES_encrypt3(ti, ks1, ks2, ks3);
164 v0 = ti[0];
165 v1 = ti[1];
166
167 iv = &(*ivec)[0];
168 l2c(v0, iv);
169 l2c(v1, iv);
170 iv = &(*ivec)[0];
171 }
172 c = *(in++) ^ iv[n];
173 *(out++) = c;
174 iv[n] = c;
175 n = (n + 1) & 0x07;
176 }
177 } else {
178 while (l--) {
179 if (n == 0) {
180 c2l(iv, v0);
181 c2l(iv, v1);
182
183 ti[0] = v0;
184 ti[1] = v1;
185 DES_encrypt3(ti, ks1, ks2, ks3);
186 v0 = ti[0];
187 v1 = ti[1];
188
189 iv = &(*ivec)[0];
190 l2c(v0, iv);
191 l2c(v1, iv);
192 iv = &(*ivec)[0];
193 }
194 cc = *(in++);
195 c = iv[n];
196 iv[n] = cc;
197 *(out++) = c ^ cc;
198 n = (n + 1) & 0x07;
199 }
200 }
201 v0 = v1 = ti[0] = ti[1] = c = cc = 0;
202 *num = n;
203 }
204 LCRYPTO_ALIAS(DES_ede3_cfb64_encrypt);
205
206 /* This is compatible with the single key CFB-r for DES, even thought that's
207 * not what EVP needs.
208 */
209
210 void
DES_ede3_cfb_encrypt(const unsigned char * in,unsigned char * out,int numbits,long length,DES_key_schedule * ks1,DES_key_schedule * ks2,DES_key_schedule * ks3,DES_cblock * ivec,int enc)211 DES_ede3_cfb_encrypt(const unsigned char *in, unsigned char *out,
212 int numbits, long length, DES_key_schedule *ks1,
213 DES_key_schedule *ks2, DES_key_schedule *ks3,
214 DES_cblock *ivec, int enc)
215 {
216 DES_LONG d0, d1, v0, v1;
217 unsigned long l = length, n = ((unsigned int)numbits + 7)/8;
218 int num = numbits, i;
219 DES_LONG ti[2];
220 unsigned char *iv;
221 unsigned char ovec[16];
222
223 if (num > 64)
224 return;
225 iv = &(*ivec)[0];
226 c2l(iv, v0);
227 c2l(iv, v1);
228 if (enc) {
229 while (l >= n) {
230 l -= n;
231 ti[0] = v0;
232 ti[1] = v1;
233 DES_encrypt3(ti, ks1, ks2, ks3);
234 c2ln(in, d0, d1, n);
235 in += n;
236 d0 ^= ti[0];
237 d1 ^= ti[1];
238 l2cn(d0, d1, out, n);
239 out += n;
240 /* 30-08-94 - eay - changed because l>>32 and
241 * l<<32 are bad under gcc :-( */
242 if (num == 32) {
243 v0 = v1;
244 v1 = d0;
245 } else if (num == 64) {
246 v0 = d0;
247 v1 = d1;
248 } else {
249 iv = &ovec[0];
250 l2c(v0, iv);
251 l2c(v1, iv);
252 l2c(d0, iv);
253 l2c(d1, iv);
254 /* shift ovec left most of the bits... */
255 memmove(ovec, ovec + num/8,
256 8 + (num % 8 ? 1 : 0));
257 /* now the remaining bits */
258 if (num % 8 != 0) {
259 for (i = 0; i < 8; ++i) {
260 ovec[i] <<= num % 8;
261 ovec[i] |= ovec[i + 1] >>
262 (8 - num % 8);
263 }
264 }
265 iv = &ovec[0];
266 c2l(iv, v0);
267 c2l(iv, v1);
268 }
269 }
270 } else {
271 while (l >= n) {
272 l -= n;
273 ti[0] = v0;
274 ti[1] = v1;
275 DES_encrypt3(ti, ks1, ks2, ks3);
276 c2ln(in, d0, d1, n);
277 in += n;
278 /* 30-08-94 - eay - changed because l>>32 and
279 * l<<32 are bad under gcc :-( */
280 if (num == 32) {
281 v0 = v1;
282 v1 = d0;
283 } else if (num == 64) {
284 v0 = d0;
285 v1 = d1;
286 } else {
287 iv = &ovec[0];
288 l2c(v0, iv);
289 l2c(v1, iv);
290 l2c(d0, iv);
291 l2c(d1, iv);
292 /* shift ovec left most of the bits... */
293 memmove(ovec, ovec + num/8,
294 8 + (num % 8 ? 1 : 0));
295 /* now the remaining bits */
296 if (num % 8 != 0) {
297 for (i = 0; i < 8; ++i) {
298 ovec[i] <<= num % 8;
299 ovec[i] |= ovec[i + 1] >>
300 (8 - num % 8);
301 }
302 }
303 iv = &ovec[0];
304 c2l(iv, v0);
305 c2l(iv, v1);
306 }
307 d0 ^= ti[0];
308 d1 ^= ti[1];
309 l2cn(d0, d1, out, n);
310 out += n;
311 }
312 }
313 iv = &(*ivec)[0];
314 l2c(v0, iv);
315 l2c(v1, iv);
316 v0 = v1 = d0 = d1 = ti[0] = ti[1] = 0;
317 }
318 LCRYPTO_ALIAS(DES_ede3_cfb_encrypt);
319
320 /* The input and output encrypted as though 64bit cfb mode is being
321 * used. The extra state information to record how much of the
322 * 64bit block we have used is contained in *num;
323 */
324
325 void
DES_cfb64_encrypt(const unsigned char * in,unsigned char * out,long length,DES_key_schedule * schedule,DES_cblock * ivec,int * num,int enc)326 DES_cfb64_encrypt(const unsigned char *in, unsigned char *out,
327 long length, DES_key_schedule *schedule,
328 DES_cblock *ivec, int *num, int enc)
329 {
330 DES_LONG v0, v1;
331 long l = length;
332 int n = *num;
333 DES_LONG ti[2];
334 unsigned char *iv, c, cc;
335
336 iv = &(*ivec)[0];
337 if (enc) {
338 while (l--) {
339 if (n == 0) {
340 c2l(iv, v0);
341 ti[0] = v0;
342 c2l(iv, v1);
343 ti[1] = v1;
344 DES_encrypt1(ti, schedule, DES_ENCRYPT);
345 iv = &(*ivec)[0];
346 v0 = ti[0];
347 l2c(v0, iv);
348 v0 = ti[1];
349 l2c(v0, iv);
350 iv = &(*ivec)[0];
351 }
352 c = *(in++) ^ iv[n];
353 *(out++) = c;
354 iv[n] = c;
355 n = (n + 1) & 0x07;
356 }
357 } else {
358 while (l--) {
359 if (n == 0) {
360 c2l(iv, v0);
361 ti[0] = v0;
362 c2l(iv, v1);
363 ti[1] = v1;
364 DES_encrypt1(ti, schedule, DES_ENCRYPT);
365 iv = &(*ivec)[0];
366 v0 = ti[0];
367 l2c(v0, iv);
368 v0 = ti[1];
369 l2c(v0, iv);
370 iv = &(*ivec)[0];
371 }
372 cc = *(in++);
373 c = iv[n];
374 iv[n] = cc;
375 *(out++) = c ^ cc;
376 n = (n + 1) & 0x07;
377 }
378 }
379 v0 = v1 = ti[0] = ti[1] = c = cc = 0;
380 *num = n;
381 }
382 LCRYPTO_ALIAS(DES_cfb64_encrypt);
383
384 /* The input and output are loaded in multiples of 8 bits.
385 * What this means is that if you hame numbits=12 and length=2
386 * the first 12 bits will be retrieved from the first byte and half
387 * the second. The second 12 bits will come from the 3rd and half the 4th
388 * byte.
389 */
390 /* Until Aug 1 2003 this function did not correctly implement CFB-r, so it
391 * will not be compatible with any encryption prior to that date. Ben. */
392 void
DES_cfb_encrypt(const unsigned char * in,unsigned char * out,int numbits,long length,DES_key_schedule * schedule,DES_cblock * ivec,int enc)393 DES_cfb_encrypt(const unsigned char *in, unsigned char *out, int numbits,
394 long length, DES_key_schedule *schedule, DES_cblock *ivec,
395 int enc)
396 {
397 DES_LONG d0, d1, v0, v1;
398 unsigned long l = length;
399 int num = numbits/8, n = (numbits + 7)/8, i, rem = numbits % 8;
400 DES_LONG ti[2];
401 unsigned char *iv;
402 #if BYTE_ORDER != LITTLE_ENDIAN
403 unsigned char ovec[16];
404 #else
405 unsigned int sh[4];
406 unsigned char *ovec = (unsigned char *)sh;
407 #endif
408
409 if (numbits <= 0 || numbits > 64)
410 return;
411 iv = &(*ivec)[0];
412 c2l(iv, v0);
413 c2l(iv, v1);
414 if (enc) {
415 while (l >= (unsigned long)n) {
416 l -= n;
417 ti[0] = v0;
418 ti[1] = v1;
419 DES_encrypt1((DES_LONG *)ti, schedule, DES_ENCRYPT);
420 c2ln(in, d0, d1, n);
421 in += n;
422 d0 ^= ti[0];
423 d1 ^= ti[1];
424 l2cn(d0, d1, out, n);
425 out += n;
426 /* 30-08-94 - eay - changed because l>>32 and
427 * l<<32 are bad under gcc :-( */
428 if (numbits == 32) {
429 v0 = v1;
430 v1 = d0;
431 } else if (numbits == 64) {
432 v0 = d0;
433 v1 = d1;
434 } else {
435 #if BYTE_ORDER != LITTLE_ENDIAN
436 iv = &ovec[0];
437 l2c(v0, iv);
438 l2c(v1, iv);
439 l2c(d0, iv);
440 l2c(d1, iv);
441 #else
442 sh[0] = v0, sh[1] = v1, sh[2] = d0, sh[3] = d1;
443 #endif
444 if (rem == 0)
445 memmove(ovec, ovec + num, 8);
446 else
447 for (i = 0; i < 8; ++i)
448 ovec[i] = ovec[i + num] << rem |
449 ovec[i + num + 1] >> (8 -
450 rem);
451 #if BYTE_ORDER == LITTLE_ENDIAN
452 v0 = sh[0], v1 = sh[1];
453 #else
454 iv = &ovec[0];
455 c2l(iv, v0);
456 c2l(iv, v1);
457 #endif
458 }
459 }
460 } else {
461 while (l >= (unsigned long)n) {
462 l -= n;
463 ti[0] = v0;
464 ti[1] = v1;
465 DES_encrypt1((DES_LONG *)ti, schedule, DES_ENCRYPT);
466 c2ln(in, d0, d1, n);
467 in += n;
468 /* 30-08-94 - eay - changed because l>>32 and
469 * l<<32 are bad under gcc :-( */
470 if (numbits == 32) {
471 v0 = v1;
472 v1 = d0;
473 } else if (numbits == 64) {
474 v0 = d0;
475 v1 = d1;
476 } else {
477 #if BYTE_ORDER != LITTLE_ENDIAN
478 iv = &ovec[0];
479 l2c(v0, iv);
480 l2c(v1, iv);
481 l2c(d0, iv);
482 l2c(d1, iv);
483 #else
484 sh[0] = v0, sh[1] = v1, sh[2] = d0, sh[3] = d1;
485 #endif
486 if (rem == 0)
487 memmove(ovec, ovec + num, 8);
488 else
489 for (i = 0; i < 8; ++i)
490 ovec[i] = ovec[i + num] << rem |
491 ovec[i + num + 1] >> (8 -
492 rem);
493 #if BYTE_ORDER == LITTLE_ENDIAN
494 v0 = sh[0], v1 = sh[1];
495 #else
496 iv = &ovec[0];
497 c2l(iv, v0);
498 c2l(iv, v1);
499 #endif
500 }
501 d0 ^= ti[0];
502 d1 ^= ti[1];
503 l2cn(d0, d1, out, n);
504 out += n;
505 }
506 }
507 iv = &(*ivec)[0];
508 l2c(v0, iv);
509 l2c(v1, iv);
510 v0 = v1 = d0 = d1 = ti[0] = ti[1] = 0;
511 }
512 LCRYPTO_ALIAS(DES_cfb_encrypt);
513
514 void
DES_ecb3_encrypt(const_DES_cblock * input,DES_cblock * output,DES_key_schedule * ks1,DES_key_schedule * ks2,DES_key_schedule * ks3,int enc)515 DES_ecb3_encrypt(const_DES_cblock *input, DES_cblock *output,
516 DES_key_schedule *ks1, DES_key_schedule *ks2,
517 DES_key_schedule *ks3,
518 int enc)
519 {
520 DES_LONG l0, l1;
521 DES_LONG ll[2];
522 const unsigned char *in = &(*input)[0];
523 unsigned char *out = &(*output)[0];
524
525 c2l(in, l0);
526 c2l(in, l1);
527 ll[0] = l0;
528 ll[1] = l1;
529 if (enc)
530 DES_encrypt3(ll, ks1, ks2, ks3);
531 else
532 DES_decrypt3(ll, ks1, ks2, ks3);
533 l0 = ll[0];
534 l1 = ll[1];
535 l2c(l0, out);
536 l2c(l1, out);
537 }
538 LCRYPTO_ALIAS(DES_ecb3_encrypt);
539
540 void
DES_ecb_encrypt(const_DES_cblock * input,DES_cblock * output,DES_key_schedule * ks,int enc)541 DES_ecb_encrypt(const_DES_cblock *input, DES_cblock *output,
542 DES_key_schedule *ks, int enc)
543 {
544 DES_LONG l;
545 DES_LONG ll[2];
546 const unsigned char *in = &(*input)[0];
547 unsigned char *out = &(*output)[0];
548
549 c2l(in, l);
550 ll[0] = l;
551 c2l(in, l);
552 ll[1] = l;
553 DES_encrypt1(ll, ks, enc);
554 l = ll[0];
555 l2c(l, out);
556 l = ll[1];
557 l2c(l, out);
558 l = ll[0] = ll[1] = 0;
559 }
560 LCRYPTO_ALIAS(DES_ecb_encrypt);
561
562 /*
563
564 This is an implementation of Triple DES Cipher Block Chaining with Output
565 Feedback Masking, by Coppersmith, Johnson and Matyas, (IBM and Certicom).
566
567 Note that there is a known attack on this by Biham and Knudsen but it takes
568 a lot of work:
569
570 http://www.cs.technion.ac.il/users/wwwb/cgi-bin/tr-get.cgi/1998/CS/CS0928.ps.gz
571
572 */
573
574 #ifndef OPENSSL_NO_DESCBCM
575 void
DES_ede3_cbcm_encrypt(const unsigned char * in,unsigned char * out,long length,DES_key_schedule * ks1,DES_key_schedule * ks2,DES_key_schedule * ks3,DES_cblock * ivec1,DES_cblock * ivec2,int enc)576 DES_ede3_cbcm_encrypt(const unsigned char *in, unsigned char *out,
577 long length, DES_key_schedule *ks1, DES_key_schedule *ks2,
578 DES_key_schedule *ks3, DES_cblock *ivec1, DES_cblock *ivec2,
579 int enc)
580 {
581 DES_LONG tin0, tin1;
582 DES_LONG tout0, tout1, xor0, xor1, m0, m1;
583 long l = length;
584 DES_LONG tin[2];
585 unsigned char *iv1, *iv2;
586
587 iv1 = &(*ivec1)[0];
588 iv2 = &(*ivec2)[0];
589
590 if (enc) {
591 c2l(iv1, m0);
592 c2l(iv1, m1);
593 c2l(iv2, tout0);
594 c2l(iv2, tout1);
595 for (l -= 8; l >= -7; l -= 8) {
596 tin[0] = m0;
597 tin[1] = m1;
598 DES_encrypt1(tin, ks3, 1);
599 m0 = tin[0];
600 m1 = tin[1];
601
602 if (l < 0) {
603 c2ln(in, tin0, tin1, l + 8);
604 } else {
605 c2l(in, tin0);
606 c2l(in, tin1);
607 }
608 tin0 ^= tout0;
609 tin1 ^= tout1;
610
611 tin[0] = tin0;
612 tin[1] = tin1;
613 DES_encrypt1(tin, ks1, 1);
614 tin[0] ^= m0;
615 tin[1] ^= m1;
616 DES_encrypt1(tin, ks2, 0);
617 tin[0] ^= m0;
618 tin[1] ^= m1;
619 DES_encrypt1(tin, ks1, 1);
620 tout0 = tin[0];
621 tout1 = tin[1];
622
623 l2c(tout0, out);
624 l2c(tout1, out);
625 }
626 iv1 = &(*ivec1)[0];
627 l2c(m0, iv1);
628 l2c(m1, iv1);
629
630 iv2 = &(*ivec2)[0];
631 l2c(tout0, iv2);
632 l2c(tout1, iv2);
633 } else {
634 DES_LONG t0, t1;
635
636 c2l(iv1, m0);
637 c2l(iv1, m1);
638 c2l(iv2, xor0);
639 c2l(iv2, xor1);
640 for (l -= 8; l >= -7; l -= 8) {
641 tin[0] = m0;
642 tin[1] = m1;
643 DES_encrypt1(tin, ks3, 1);
644 m0 = tin[0];
645 m1 = tin[1];
646
647 c2l(in, tin0);
648 c2l(in, tin1);
649
650 t0 = tin0;
651 t1 = tin1;
652
653 tin[0] = tin0;
654 tin[1] = tin1;
655 DES_encrypt1(tin, ks1, 0);
656 tin[0] ^= m0;
657 tin[1] ^= m1;
658 DES_encrypt1(tin, ks2, 1);
659 tin[0] ^= m0;
660 tin[1] ^= m1;
661 DES_encrypt1(tin, ks1, 0);
662 tout0 = tin[0];
663 tout1 = tin[1];
664
665 tout0 ^= xor0;
666 tout1 ^= xor1;
667 if (l < 0) {
668 l2cn(tout0, tout1, out, l + 8);
669 } else {
670 l2c(tout0, out);
671 l2c(tout1, out);
672 }
673 xor0 = t0;
674 xor1 = t1;
675 }
676
677 iv1 = &(*ivec1)[0];
678 l2c(m0, iv1);
679 l2c(m1, iv1);
680
681 iv2 = &(*ivec2)[0];
682 l2c(xor0, iv2);
683 l2c(xor1, iv2);
684 }
685 tin0 = tin1 = tout0 = tout1 = xor0 = xor1 = 0;
686 tin[0] = tin[1] = 0;
687 }
688 LCRYPTO_ALIAS(DES_ede3_cbcm_encrypt);
689 #endif
690
691 /* The input and output encrypted as though 64bit ofb mode is being
692 * used. The extra state information to record how much of the
693 * 64bit block we have used is contained in *num;
694 */
695 void
DES_ede3_ofb64_encrypt(const unsigned char * in,unsigned char * out,long length,DES_key_schedule * k1,DES_key_schedule * k2,DES_key_schedule * k3,DES_cblock * ivec,int * num)696 DES_ede3_ofb64_encrypt(const unsigned char *in,
697 unsigned char *out, long length,
698 DES_key_schedule *k1, DES_key_schedule *k2,
699 DES_key_schedule *k3, DES_cblock *ivec,
700 int *num)
701 {
702 DES_LONG v0, v1;
703 int n = *num;
704 long l = length;
705 DES_cblock d;
706 char *dp;
707 DES_LONG ti[2];
708 unsigned char *iv;
709 int save = 0;
710
711 iv = &(*ivec)[0];
712 c2l(iv, v0);
713 c2l(iv, v1);
714 ti[0] = v0;
715 ti[1] = v1;
716 dp = (char *)d;
717 l2c(v0, dp);
718 l2c(v1, dp);
719 while (l--) {
720 if (n == 0) {
721 /* ti[0]=v0; */
722 /* ti[1]=v1; */
723 DES_encrypt3(ti, k1, k2, k3);
724 v0 = ti[0];
725 v1 = ti[1];
726
727 dp = (char *)d;
728 l2c(v0, dp);
729 l2c(v1, dp);
730 save++;
731 }
732 *(out++) = *(in++) ^ d[n];
733 n = (n + 1) & 0x07;
734 }
735 if (save) {
736 iv = &(*ivec)[0];
737 l2c(v0, iv);
738 l2c(v1, iv);
739 }
740 v0 = v1 = ti[0] = ti[1] = 0;
741 *num = n;
742 }
743 LCRYPTO_ALIAS(DES_ede3_ofb64_encrypt);
744
745 /* The input and output encrypted as though 64bit ofb mode is being
746 * used. The extra state information to record how much of the
747 * 64bit block we have used is contained in *num;
748 */
749 void
DES_ofb64_encrypt(const unsigned char * in,unsigned char * out,long length,DES_key_schedule * schedule,DES_cblock * ivec,int * num)750 DES_ofb64_encrypt(const unsigned char *in,
751 unsigned char *out, long length,
752 DES_key_schedule *schedule, DES_cblock *ivec, int *num)
753 {
754 DES_LONG v0, v1, t;
755 int n = *num;
756 long l = length;
757 DES_cblock d;
758 unsigned char *dp;
759 DES_LONG ti[2];
760 unsigned char *iv;
761 int save = 0;
762
763 iv = &(*ivec)[0];
764 c2l(iv, v0);
765 c2l(iv, v1);
766 ti[0] = v0;
767 ti[1] = v1;
768 dp = d;
769 l2c(v0, dp);
770 l2c(v1, dp);
771 while (l--) {
772 if (n == 0) {
773 DES_encrypt1(ti, schedule, DES_ENCRYPT);
774 dp = d;
775 t = ti[0];
776 l2c(t, dp);
777 t = ti[1];
778 l2c(t, dp);
779 save++;
780 }
781 *(out++) = *(in++) ^ d[n];
782 n = (n + 1) & 0x07;
783 }
784 if (save) {
785 v0 = ti[0];
786 v1 = ti[1];
787 iv = &(*ivec)[0];
788 l2c(v0, iv);
789 l2c(v1, iv);
790 }
791 t = v0 = v1 = ti[0] = ti[1] = 0;
792 *num = n;
793 }
794 LCRYPTO_ALIAS(DES_ofb64_encrypt);
795
796 /* The input and output are loaded in multiples of 8 bits.
797 * What this means is that if you hame numbits=12 and length=2
798 * the first 12 bits will be retrieved from the first byte and half
799 * the second. The second 12 bits will come from the 3rd and half the 4th
800 * byte.
801 */
802 void
DES_ofb_encrypt(const unsigned char * in,unsigned char * out,int numbits,long length,DES_key_schedule * schedule,DES_cblock * ivec)803 DES_ofb_encrypt(const unsigned char *in, unsigned char *out, int numbits,
804 long length, DES_key_schedule *schedule,
805 DES_cblock *ivec)
806 {
807 DES_LONG d0, d1, vv0, vv1, v0, v1, n = (numbits + 7)/8;
808 DES_LONG mask0, mask1;
809 long l = length;
810 int num = numbits;
811 DES_LONG ti[2];
812 unsigned char *iv;
813
814 if (num > 64)
815 return;
816 if (num > 32) {
817 mask0 = 0xffffffffL;
818 if (num >= 64)
819 mask1 = mask0;
820 else
821 mask1 = (1L << (num - 32)) - 1;
822 } else {
823 if (num == 32)
824 mask0 = 0xffffffffL;
825 else
826 mask0 = (1L << num) - 1;
827 mask1 = 0x00000000L;
828 }
829
830 iv = &(*ivec)[0];
831 c2l(iv, v0);
832 c2l(iv, v1);
833 ti[0] = v0;
834 ti[1] = v1;
835 while (l-- > 0) {
836 ti[0] = v0;
837 ti[1] = v1;
838 DES_encrypt1((DES_LONG *)ti, schedule, DES_ENCRYPT);
839 vv0 = ti[0];
840 vv1 = ti[1];
841 c2ln(in, d0, d1, n);
842 in += n;
843 d0 = (d0 ^ vv0) & mask0;
844 d1 = (d1 ^ vv1) & mask1;
845 l2cn(d0, d1, out, n);
846 out += n;
847
848 if (num == 32) {
849 v0 = v1;
850 v1 = vv0;
851 } else if (num == 64) {
852 v0 = vv0;
853 v1 = vv1;
854 } else if (num > 32) { /* && num != 64 */
855 v0 = ((v1 >> (num - 32))|(vv0 << (64 - num))) &
856 0xffffffffL;
857 v1 = ((vv0 >> (num - 32))|(vv1 << (64 - num))) &
858 0xffffffffL;
859 } else /* num < 32 */ {
860 v0 = ((v0 >> num)|(v1 << (32 - num))) & 0xffffffffL;
861 v1 = ((v1 >> num)|(vv0 << (32 - num))) & 0xffffffffL;
862 }
863 }
864 iv = &(*ivec)[0];
865 l2c(v0, iv);
866 l2c(v1, iv);
867 v0 = v1 = d0 = d1 = ti[0] = ti[1] = vv0 = vv1 = 0;
868 }
869 LCRYPTO_ALIAS(DES_ofb_encrypt);
870
871 void
DES_pcbc_encrypt(const unsigned char * input,unsigned char * output,long length,DES_key_schedule * schedule,DES_cblock * ivec,int enc)872 DES_pcbc_encrypt(const unsigned char *input, unsigned char *output,
873 long length, DES_key_schedule *schedule,
874 DES_cblock *ivec, int enc)
875 {
876 DES_LONG sin0, sin1, xor0, xor1, tout0, tout1;
877 DES_LONG tin[2];
878 const unsigned char *in;
879 unsigned char *out, *iv;
880
881 in = input;
882 out = output;
883 iv = &(*ivec)[0];
884
885 if (enc) {
886 c2l(iv, xor0);
887 c2l(iv, xor1);
888 for (; length > 0; length -= 8) {
889 if (length >= 8) {
890 c2l(in, sin0);
891 c2l(in, sin1);
892 } else
893 c2ln(in, sin0, sin1, length);
894 tin[0] = sin0 ^ xor0;
895 tin[1] = sin1 ^ xor1;
896 DES_encrypt1((DES_LONG *)tin, schedule, DES_ENCRYPT);
897 tout0 = tin[0];
898 tout1 = tin[1];
899 xor0 = sin0 ^ tout0;
900 xor1 = sin1 ^ tout1;
901 l2c(tout0, out);
902 l2c(tout1, out);
903 }
904 } else {
905 c2l(iv, xor0);
906 c2l(iv, xor1);
907 for (; length > 0; length -= 8) {
908 c2l(in, sin0);
909 c2l(in, sin1);
910 tin[0] = sin0;
911 tin[1] = sin1;
912 DES_encrypt1((DES_LONG *)tin, schedule, DES_DECRYPT);
913 tout0 = tin[0] ^ xor0;
914 tout1 = tin[1] ^ xor1;
915 if (length >= 8) {
916 l2c(tout0, out);
917 l2c(tout1, out);
918 } else
919 l2cn(tout0, tout1, out, length);
920 xor0 = tout0 ^ sin0;
921 xor1 = tout1 ^ sin1;
922 }
923 }
924 tin[0] = tin[1] = 0;
925 sin0 = sin1 = xor0 = xor1 = tout0 = tout1 = 0;
926 }
927 LCRYPTO_ALIAS(DES_pcbc_encrypt);
928
929 /* RSA's DESX */
930
931 void
DES_xcbc_encrypt(const unsigned char * in,unsigned char * out,long length,DES_key_schedule * schedule,DES_cblock * ivec,const_DES_cblock * inw,const_DES_cblock * outw,int enc)932 DES_xcbc_encrypt(const unsigned char *in, unsigned char *out,
933 long length, DES_key_schedule *schedule,
934 DES_cblock *ivec, const_DES_cblock *inw,
935 const_DES_cblock *outw, int enc)
936 {
937 DES_LONG tin0, tin1;
938 DES_LONG tout0, tout1, xor0, xor1;
939 DES_LONG inW0, inW1, outW0, outW1;
940 const unsigned char *in2;
941 long l = length;
942 DES_LONG tin[2];
943 unsigned char *iv;
944
945 in2 = &(*inw)[0];
946 c2l(in2, inW0);
947 c2l(in2, inW1);
948 in2 = &(*outw)[0];
949 c2l(in2, outW0);
950 c2l(in2, outW1);
951
952 iv = &(*ivec)[0];
953
954 if (enc) {
955 c2l(iv, tout0);
956 c2l(iv, tout1);
957 for (l -= 8; l >= 0; l -= 8) {
958 c2l(in, tin0);
959 c2l(in, tin1);
960 tin0 ^= tout0 ^ inW0;
961 tin[0] = tin0;
962 tin1 ^= tout1 ^ inW1;
963 tin[1] = tin1;
964 DES_encrypt1(tin, schedule, DES_ENCRYPT);
965 tout0 = tin[0] ^ outW0;
966 l2c(tout0, out);
967 tout1 = tin[1] ^ outW1;
968 l2c(tout1, out);
969 }
970 if (l != -8) {
971 c2ln(in, tin0, tin1, l + 8);
972 tin0 ^= tout0 ^ inW0;
973 tin[0] = tin0;
974 tin1 ^= tout1 ^ inW1;
975 tin[1] = tin1;
976 DES_encrypt1(tin, schedule, DES_ENCRYPT);
977 tout0 = tin[0] ^ outW0;
978 l2c(tout0, out);
979 tout1 = tin[1] ^ outW1;
980 l2c(tout1, out);
981 }
982 iv = &(*ivec)[0];
983 l2c(tout0, iv);
984 l2c(tout1, iv);
985 } else {
986 c2l(iv, xor0);
987 c2l(iv, xor1);
988 for (l -= 8; l > 0; l -= 8) {
989 c2l(in, tin0);
990 tin[0] = tin0 ^ outW0;
991 c2l(in, tin1);
992 tin[1] = tin1 ^ outW1;
993 DES_encrypt1(tin, schedule, DES_DECRYPT);
994 tout0 = tin[0] ^ xor0 ^ inW0;
995 tout1 = tin[1] ^ xor1 ^ inW1;
996 l2c(tout0, out);
997 l2c(tout1, out);
998 xor0 = tin0;
999 xor1 = tin1;
1000 }
1001 if (l != -8) {
1002 c2l(in, tin0);
1003 tin[0] = tin0 ^ outW0;
1004 c2l(in, tin1);
1005 tin[1] = tin1 ^ outW1;
1006 DES_encrypt1(tin, schedule, DES_DECRYPT);
1007 tout0 = tin[0] ^ xor0 ^ inW0;
1008 tout1 = tin[1] ^ xor1 ^ inW1;
1009 l2cn(tout0, tout1, out, l + 8);
1010 xor0 = tin0;
1011 xor1 = tin1;
1012 }
1013
1014 iv = &(*ivec)[0];
1015 l2c(xor0, iv);
1016 l2c(xor1, iv);
1017 }
1018 tin0 = tin1 = tout0 = tout1 = xor0 = xor1 = 0;
1019 inW0 = inW1 = outW0 = outW1 = 0;
1020 tin[0] = tin[1] = 0;
1021 }
1022 LCRYPTO_ALIAS(DES_xcbc_encrypt);
1023