2 * This program implements the
3 * Proposed Federal Information Processing
4 * Data Encryption Standard.
5 * See Federal Register, March 17, 1975 (40FR12134)
12 58,50,42,34,26,18,10, 2,
13 60,52,44,36,28,20,12, 4,
14 62,54,46,38,30,22,14, 6,
15 64,56,48,40,32,24,16, 8,
16 57,49,41,33,25,17, 9, 1,
17 59,51,43,35,27,19,11, 3,
18 61,53,45,37,29,21,13, 5,
19 63,55,47,39,31,23,15, 7,
23 * Final permutation, FP = IP^(-1)
26 40, 8,48,16,56,24,64,32,
27 39, 7,47,15,55,23,63,31,
28 38, 6,46,14,54,22,62,30,
29 37, 5,45,13,53,21,61,29,
30 36, 4,44,12,52,20,60,28,
31 35, 3,43,11,51,19,59,27,
32 34, 2,42,10,50,18,58,26,
33 33, 1,41, 9,49,17,57,25,
37 * Permuted-choice 1 from the key bits
39 * Note that bits 8,16... are left out:
40 * They are intended for a parity check.
42 static char PC1_C[] = {
49 static char PC1_D[] = {
57 * Sequence of shifts used for the key schedule.
59 static char shifts[] = {
60 1,1,2,2,2,2,2,2,1,2,2,2,2,2,2,1,
64 * Permuted-choice 2, to pick out the bits from
65 * the CD array that generate the key schedule.
67 static char PC2_C[] = {
74 static char PC2_D[] = {
82 * The C and D arrays used to calculate the key schedule.
90 * Generated from the key.
92 static char KS[16][48];
95 * The E bit-selection table.
110 * Set up the key schedule from the key.
122 * First, generate C and D by permuting
123 * the key. The low order bit of each
124 * 8-bit char is not used, so C and D are only 28
127 for (i=0; i<28; i++) {
128 C[i] = key[PC1_C[i]-1];
129 D[i] = key[PC1_D[i]-1];
132 * To generate Ki, rotate C and D according
133 * to schedule and pick up a permutation
136 for (i=0; i<16; i++) {
140 for (k=0; k<shifts[i]; k++) {
143 for (j=0; j<28-1; j++)
151 for (j=0; j<28-1; j++)
159 * get Ki. Note C and D are concatenated.
162 for (j=0; j<24; j++) {
163 ptr[j] = C[PC2_C[j]-1];
164 ptr[j+24] = D[PC2_D[j]-28-1];
173 * The 8 selection functions.
174 * For some reason, they give a 0-origin
175 * index, unlike everything else.
177 static char S[8][64] = {
178 14, 4,13, 1, 2,15,11, 8, 3,10, 6,12, 5, 9, 0, 7,
179 0,15, 7, 4,14, 2,13, 1,10, 6,12,11, 9, 5, 3, 8,
180 4, 1,14, 8,13, 6, 2,11,15,12, 9, 7, 3,10, 5, 0,
181 15,12, 8, 2, 4, 9, 1, 7, 5,11, 3,14,10, 0, 6,13,
183 15, 1, 8,14, 6,11, 3, 4, 9, 7, 2,13,12, 0, 5,10,
184 3,13, 4, 7,15, 2, 8,14,12, 0, 1,10, 6, 9,11, 5,
185 0,14, 7,11,10, 4,13, 1, 5, 8,12, 6, 9, 3, 2,15,
186 13, 8,10, 1, 3,15, 4, 2,11, 6, 7,12, 0, 5,14, 9,
188 10, 0, 9,14, 6, 3,15, 5, 1,13,12, 7,11, 4, 2, 8,
189 13, 7, 0, 9, 3, 4, 6,10, 2, 8, 5,14,12,11,15, 1,
190 13, 6, 4, 9, 8,15, 3, 0,11, 1, 2,12, 5,10,14, 7,
191 1,10,13, 0, 6, 9, 8, 7, 4,15,14, 3,11, 5, 2,12,
193 7,13,14, 3, 0, 6, 9,10, 1, 2, 8, 5,11,12, 4,15,
194 13, 8,11, 5, 6,15, 0, 3, 4, 7, 2,12, 1,10,14, 9,
195 10, 6, 9, 0,12,11, 7,13,15, 1, 3,14, 5, 2, 8, 4,
196 3,15, 0, 6,10, 1,13, 8, 9, 4, 5,11,12, 7, 2,14,
198 2,12, 4, 1, 7,10,11, 6, 8, 5, 3,15,13, 0,14, 9,
199 14,11, 2,12, 4, 7,13, 1, 5, 0,15,10, 3, 9, 8, 6,
200 4, 2, 1,11,10,13, 7, 8,15, 9,12, 5, 6, 3, 0,14,
201 11, 8,12, 7, 1,14, 2,13, 6,15, 0, 9,10, 4, 5, 3,
203 12, 1,10,15, 9, 2, 6, 8, 0,13, 3, 4,14, 7, 5,11,
204 10,15, 4, 2, 7,12, 9, 5, 6, 1,13,14, 0,11, 3, 8,
205 9,14,15, 5, 2, 8,12, 3, 7, 0, 4,10, 1,13,11, 6,
206 4, 3, 2,12, 9, 5,15,10,11,14, 1, 7, 6, 0, 8,13,
208 4,11, 2,14,15, 0, 8,13, 3,12, 9, 7, 5,10, 6, 1,
209 13, 0,11, 7, 4, 9, 1,10,14, 3, 5,12, 2,15, 8, 6,
210 1, 4,11,13,12, 3, 7,14,10,15, 6, 8, 0, 5, 9, 2,
211 6,11,13, 8, 1, 4,10, 7, 9, 5, 0,15,14, 2, 3,12,
213 13, 2, 8, 4, 6,15,11, 1,10, 9, 3,14, 5, 0,12, 7,
214 1,15,13, 8,10, 3, 7, 4,12, 5, 6,11, 0,14, 9, 2,
215 7,11, 4, 1, 9,12,14, 2, 0, 6,10,13,15, 3, 5, 8,
216 2, 1,14, 7, 4,10, 8,13,15,12, 9, 0, 3, 5, 6,11,
220 * P is a permutation on the selected combination
221 * of the current L and key.
235 * The current block, divided into 2 halves.
240 static char tempL[32];
244 * The combination of the key and the input, before selection.
246 static char preS[48];
249 * The payoff: encrypt a block.
253 encrypt (block, edflag)
260 * First, permute the bits in the input
263 L[j] = block[IP[j]-1];
265 * Perform an encryption operation 16 times.
267 for (ii=0; ii<16; ii++) {
268 /* print_bits ("L R", L); */
278 * which will be the new L.
283 * Expand R to 48 bits using the E selector;
284 * exclusive-or with the current key bits.
287 preS[j] = R[E[j]-1] ^ KS[i][j];
289 * The pre-select bits are now considered
290 * in 8 groups of 6 bits each.
291 * The 8 selection functions map these
292 * 6-bit quantities into 4-bit quantities
293 * and the results permuted
294 * to make an f(R, K).
295 * The indexing into the selection functions
296 * is peculiar; it could be simplified by
297 * rewriting the tables.
299 for (j=0; j<8; j++) {
301 k = S[j][(preS[t+0]<<5)+
314 * The new R is L ^ f(R, K).
315 * The f here has to be permuted first, though.
318 R[j] = L[j] ^ f[P[j]-1];
320 * Finally, the new L (the original R)
327 * The output L and R are reversed.
329 for (j=0; j<32; j++) {
336 * gets the inverse permutation of the very original.
339 block[j] = L[FP[j]-1];
343 bytes_to_bits (bytes, bits)
344 unsigned char *bytes;
347 int bit, byte, value;
349 for (byte = 0; byte < 8; byte++)
352 for (bit = 0; bit < 8; bit++)
353 *bits++ = (value >> (7-bit)) & 1;
358 bits_to_bytes (bits, bytes)
360 unsigned char *bytes;
362 int bit, byte, value;
364 for (byte = 0; byte < 8; byte++)
367 for (bit = 0; bit < 8; bit++)
368 value |= *bits++ << (7-bit);
374 * Interface compatible with Kerberos DES implementation
380 _XdmcpAuthSetup (key, schedule)
382 auth_wrapper_schedule schedule;
386 bytes_to_bits ((unsigned char *) key, expand_key);
391 _XdmcpAuthDoIt (input, output, schedule, edflag)
392 auth_cblock input, output;
393 auth_wrapper_schedule schedule;
396 char expand_input[64];
398 bytes_to_bits ((unsigned char *) input, expand_input);
399 encrypt (expand_input, !edflag);
400 bits_to_bytes (expand_input, (unsigned char *) output);