1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21
22 /*
23 * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
24 * Use is subject to license terms.
25 */
26
27 /* Copyright (c) 1983, 1984, 1985, 1986, 1987, 1988, 1989 AT&T */
28 /* All Rights Reserved */
29
30 /*
31 * Portions of this source code were derived from Berkeley 4.3 BSD
32 * under license from the Regents of the University of California.
33 */
34
35 #pragma ident "%Z%%M% %I% %E% SMI"
36
37 /*
38 * Warning! Things are arranged very carefully in this file to
39 * allow read-only data to be moved to the text segment. The
40 * various DES tables must appear before any function definitions
41 * (this is arranged by including them immediately below) and partab
42 * must also appear before and function definitions
43 * This arrangement allows all data up through the first text to
44 * be moved to text.
45 */
46
47 #ifndef _KERNEL
48 #define CRYPT /* cannot configure out of user-level code */
49 #endif
50
51 #ifdef CRYPT
52 #include <sys/types.h>
53 #include <des/softdes.h>
54 #include <des/desdata.h>
55
56 #ifdef sun
57 #include <sys/ioctl.h>
58 #include <sys/des.h>
59 #else
60 #include <des/des.h>
61 #endif
62
63 #include "des_soft.h"
64
65 /*
66 * Fast (?) software implementation of DES
67 * Has been seen going at 2000 bytes/sec on a Sun-2
68 * Works on a VAX too.
69 * Won't work without 8 bit chars and 32 bit longs
70 */
71
72 #define btst(k, b) (k[b >> 3] & (0x80 >> (b & 07)))
73 #define BIT28 (1<<28)
74
75
76 #endif /* def CRYPT */
77
78 static void des_setkey(uchar_t [8], struct deskeydata *, unsigned);
79 static void des_encrypt(uchar_t *, struct deskeydata *);
80
81 #ifndef _KERNEL
82 /*
83 * Table giving odd parity in the low bit for ASCII characters
84 */
85 static char partab[128] = {
86 0x01, 0x01, 0x02, 0x02, 0x04, 0x04, 0x07, 0x07,
87 0x08, 0x08, 0x0b, 0x0b, 0x0d, 0x0d, 0x0e, 0x0e,
88 0x10, 0x10, 0x13, 0x13, 0x15, 0x15, 0x16, 0x16,
89 0x19, 0x19, 0x1a, 0x1a, 0x1c, 0x1c, 0x1f, 0x1f,
90 0x20, 0x20, 0x23, 0x23, 0x25, 0x25, 0x26, 0x26,
91 0x29, 0x29, 0x2a, 0x2a, 0x2c, 0x2c, 0x2f, 0x2f,
92 0x31, 0x31, 0x32, 0x32, 0x34, 0x34, 0x37, 0x37,
93 0x38, 0x38, 0x3b, 0x3b, 0x3d, 0x3d, 0x3e, 0x3e,
94 0x40, 0x40, 0x43, 0x43, 0x45, 0x45, 0x46, 0x46,
95 0x49, 0x49, 0x4a, 0x4a, 0x4c, 0x4c, 0x4f, 0x4f,
96 0x51, 0x51, 0x52, 0x52, 0x54, 0x54, 0x57, 0x57,
97 0x58, 0x58, 0x5b, 0x5b, 0x5d, 0x5d, 0x5e, 0x5e,
98 0x61, 0x61, 0x62, 0x62, 0x64, 0x64, 0x67, 0x67,
99 0x68, 0x68, 0x6b, 0x6b, 0x6d, 0x6d, 0x6e, 0x6e,
100 0x70, 0x70, 0x73, 0x73, 0x75, 0x75, 0x76, 0x76,
101 0x79, 0x79, 0x7a, 0x7a, 0x7c, 0x7c, 0x7f, 0x7f,
102 };
103
104
105
106 /*
107 * Add odd parity to low bit of 8 byte key
108 */
109 void
des_setparity(char * p)110 des_setparity(char *p)
111 {
112 int i;
113
114 for (i = 0; i < 8; i++) {
115 *p = partab[*p & 0x7f];
116 p++;
117 }
118 }
119 #endif /* def _KERNEL */
120
121 #ifdef CRYPT
122 /*
123 * Software encrypt or decrypt a block of data (multiple of 8 bytes)
124 * Do the CBC ourselves if needed.
125 */
126 int
__des_crypt(char * buf,unsigned int len,struct desparams * desp)127 __des_crypt(char *buf, unsigned int len, struct desparams *desp)
128 {
129 /* EXPORT DELETE START */
130 short i;
131 unsigned mode;
132 unsigned dir;
133 char nextiv[8];
134 struct deskeydata softkey;
135
136 mode = (unsigned)desp->des_mode;
137 dir = (unsigned)desp->des_dir;
138 des_setkey(desp->des_key, &softkey, dir);
139 while (len != 0) {
140 switch (mode) {
141 case CBC:
142 switch (dir) {
143 case ENCRYPT:
144 for (i = 0; i < 8; i++)
145 buf[i] ^= desp->des_ivec[i];
146 des_encrypt((uchar_t *)buf, &softkey);
147 for (i = 0; i < 8; i++)
148 desp->des_ivec[i] = buf[i];
149 break;
150 case DECRYPT:
151 for (i = 0; i < 8; i++)
152 nextiv[i] = buf[i];
153 des_encrypt((uchar_t *)buf, &softkey);
154 for (i = 0; i < 8; i++) {
155 buf[i] ^= desp->des_ivec[i];
156 desp->des_ivec[i] = nextiv[i];
157 }
158 break;
159 }
160 break;
161 case ECB:
162 des_encrypt((uchar_t *)buf, &softkey);
163 break;
164 }
165 buf += 8;
166 len -= 8;
167 }
168 /* EXPORT DELETE END */
169 return (1);
170 }
171
172
173 /*
174 * Set the key and direction for an encryption operation
175 * We build the 16 key entries here
176 */
177 static void
des_setkey(uchar_t userkey[8],struct deskeydata * kd,unsigned int dir)178 des_setkey(uchar_t userkey[8], struct deskeydata *kd, unsigned int dir)
179 {
180 /* EXPORT DELETE START */
181 long C, D;
182 short i;
183
184 /*
185 * First, generate C and D by permuting
186 * the key. The low order bit of each
187 * 8-bit char is not used, so C and D are only 28
188 * bits apiece.
189 */
190 {
191 short bit;
192 const short *pcc = PC1_C, *pcd = PC1_D;
193
194 C = D = 0;
195 for (i = 0; i < 28; i++) {
196 C <<= 1;
197 D <<= 1;
198 bit = *pcc++;
199 if (btst(userkey, bit))
200 C |= 1;
201 bit = *pcd++;
202 if (btst(userkey, bit))
203 D |= 1;
204 }
205 }
206 /*
207 * To generate Ki, rotate C and D according
208 * to schedule and pick up a permutation
209 * using PC2.
210 */
211 for (i = 0; i < 16; i++) {
212 chunk_t *c;
213 short j, k, bit;
214 long bbit;
215
216 /*
217 * Do the "left shift" (rotate)
218 * We know we always rotate by either 1 or 2 bits
219 * the shifts table tells us if its 2
220 */
221 C <<= 1;
222 if (C & BIT28)
223 C |= 1;
224 D <<= 1;
225 if (D & BIT28)
226 D |= 1;
227 if (shifts[i]) {
228 C <<= 1;
229 if (C & BIT28)
230 C |= 1;
231 D <<= 1;
232 if (D & BIT28)
233 D |= 1;
234 }
235 /*
236 * get Ki. Note C and D are concatenated.
237 */
238 bit = 0;
239 switch (dir) {
240 case ENCRYPT:
241 c = &kd->keyval[i]; break;
242 case DECRYPT:
243 c = &kd->keyval[15 - i]; break;
244 }
245 c->long0 = 0;
246 c->long1 = 0;
247 bbit = (1 << 5) << 24;
248 for (j = 0; j < 4; j++) {
249 for (k = 0; k < 6; k++) {
250 if (C & (BIT28 >> PC2_C[bit]))
251 c->long0 |= bbit >> k;
252 if (D & (BIT28 >> PC2_D[bit]))
253 c->long1 |= bbit >> k;
254 bit++;
255 }
256 bbit >>= 8;
257 }
258
259 }
260 /* EXPORT DELETE END */
261 }
262
263
264
265 /*
266 * Do an encryption operation
267 * Much pain is taken (with preprocessor) to avoid loops so the compiler
268 * can do address arithmetic instead of doing it at runtime.
269 * Note that the byte-to-chunk conversion is necessary to guarantee
270 * processor byte-order independence.
271 */
272 static void
des_encrypt(uchar_t * data,struct deskeydata * kd)273 des_encrypt(uchar_t *data, struct deskeydata *kd)
274 {
275 /* EXPORT DELETE START */
276 chunk_t work1, work2;
277
278 /*
279 * Initial permutation
280 * and byte to chunk conversion
281 */
282 {
283 const uint32_t *lp;
284 uint32_t l0, l1, w;
285 short i, pbit;
286
287 work1.byte0 = data[0];
288 work1.byte1 = data[1];
289 work1.byte2 = data[2];
290 work1.byte3 = data[3];
291 work1.byte4 = data[4];
292 work1.byte5 = data[5];
293 work1.byte6 = data[6];
294 work1.byte7 = data[7];
295 l0 = l1 = 0;
296 w = work1.long0;
297 for (lp = &longtab[0], i = 0; i < 32; i++) {
298 if (w & *lp++) {
299 pbit = IPtab[i];
300 if (pbit < 32)
301 l0 |= longtab[pbit];
302 else
303 l1 |= longtab[pbit-32];
304 }
305 }
306 w = work1.long1;
307 for (lp = &longtab[0], i = 32; i < 64; i++) {
308 if (w & *lp++) {
309 pbit = IPtab[i];
310 if (pbit < 32)
311 l0 |= longtab[pbit];
312 else
313 l1 |= longtab[pbit-32];
314 }
315 }
316 work2.long0 = l0;
317 work2.long1 = l1;
318 }
319
320 /*
321 * Expand 8 bits of 32 bit R to 48 bit R
322 */
323 #define do_R_to_ER(op, b) { \
324 const struct R_to_ER *p = &R_to_ER_tab[b][R.byte##b]; \
325 e0 op p->l0; \
326 e1 op p->l1; \
327 }
328
329 /*
330 * Inner part of the algorithm:
331 * Expand R from 32 to 48 bits; xor key value;
332 * apply S boxes; permute 32 bits of output
333 */
334 #define do_F(iter, inR, outR) { \
335 chunk_t R, ER; \
336 uint32_t e0, e1; \
337 R.long0 = inR; \
338 /* CSTYLED */ \
339 do_R_to_ER(=, 0); \
340 /* CSTYLED */ \
341 do_R_to_ER(|=, 1); \
342 /* CSTYLED */ \
343 do_R_to_ER(|=, 2); \
344 /* CSTYLED */ \
345 do_R_to_ER(|=, 3); \
346 ER.long0 = e0 ^ kd->keyval[iter].long0; \
347 ER.long1 = e1 ^ kd->keyval[iter].long1; \
348 R.long0 = \
349 S_tab[0][ER.byte0] + \
350 S_tab[1][ER.byte1] + \
351 S_tab[2][ER.byte2] + \
352 S_tab[3][ER.byte3] + \
353 S_tab[4][ER.byte4] + \
354 S_tab[5][ER.byte5] + \
355 S_tab[6][ER.byte6] + \
356 S_tab[7][ER.byte7]; \
357 outR = \
358 P_tab[0][R.byte0] + \
359 P_tab[1][R.byte1] + \
360 P_tab[2][R.byte2] + \
361 P_tab[3][R.byte3]; \
362 }
363
364 /*
365 * Do a cipher step
366 * Apply inner part; do xor and exchange of 32 bit parts
367 */
368 #define cipher(iter, inR, inL, outR, outL) { \
369 do_F(iter, inR, outR); \
370 outR ^= inL; \
371 outL = inR; \
372 }
373
374 /*
375 * Apply the 16 ciphering steps
376 */
377 {
378 uint32_t r0, l0, r1, l1;
379
380 l0 = work2.long0;
381 r0 = work2.long1;
382 cipher(0, r0, l0, r1, l1);
383 cipher(1, r1, l1, r0, l0);
384 cipher(2, r0, l0, r1, l1);
385 cipher(3, r1, l1, r0, l0);
386 cipher(4, r0, l0, r1, l1);
387 cipher(5, r1, l1, r0, l0);
388 cipher(6, r0, l0, r1, l1);
389 cipher(7, r1, l1, r0, l0);
390 cipher(8, r0, l0, r1, l1);
391 cipher(9, r1, l1, r0, l0);
392 cipher(10, r0, l0, r1, l1);
393 cipher(11, r1, l1, r0, l0);
394 cipher(12, r0, l0, r1, l1);
395 cipher(13, r1, l1, r0, l0);
396 cipher(14, r0, l0, r1, l1);
397 cipher(15, r1, l1, r0, l0);
398 work1.long0 = r0;
399 work1.long1 = l0;
400 }
401
402 /*
403 * Final permutation
404 * and chunk to byte conversion
405 */
406 {
407 const uint32_t *lp;
408 uint32_t l0, l1, w;
409 short i, pbit;
410
411 l0 = l1 = 0;
412 w = work1.long0;
413 for (lp = &longtab[0], i = 0; i < 32; i++) {
414 if (w & *lp++) {
415 pbit = FPtab[i];
416 if (pbit < 32)
417 l0 |= longtab[pbit];
418 else
419 l1 |= longtab[pbit-32];
420 }
421 }
422 w = work1.long1;
423 for (lp = &longtab[0], i = 32; i < 64; i++) {
424 if (w & *lp++) {
425 pbit = FPtab[i];
426 if (pbit < 32)
427 l0 |= longtab[pbit];
428 else
429 l1 |= longtab[pbit-32];
430 }
431 }
432 work2.long0 = l0;
433 work2.long1 = l1;
434 }
435 data[0] = work2.byte0;
436 data[1] = work2.byte1;
437 data[2] = work2.byte2;
438 data[3] = work2.byte3;
439 data[4] = work2.byte4;
440 data[5] = work2.byte5;
441 data[6] = work2.byte6;
442 data[7] = work2.byte7;
443
444 /* EXPORT DELETE END */
445 }
446 #endif /* def CRYPT */
447