1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License, Version 1.0 only
6 * (the "License"). You may not use this file except in compliance
7 * with the License.
8 *
9 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10 * or http://www.opensolaris.org/os/licensing.
11 * See the License for the specific language governing permissions
12 * and limitations under the License.
13 *
14 * When distributing Covered Code, include this CDDL HEADER in each
15 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16 * If applicable, add the following below this CDDL HEADER, with the
17 * fields enclosed by brackets "[]" replaced with your own identifying
18 * information: Portions Copyright [yyyy] [name of copyright owner]
19 *
20 * CDDL HEADER END
21 *
22 * Copyright 1989 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
24 */
25
26 /* Copyright (c) 1983, 1984, 1985, 1986, 1987, 1988, 1989 AT&T */
27 /* All Rights Reserved */
28
29 /*
30 * Portions of this source code were derived from Berkeley 4.3 BSD
31 * under license from the Regents of the University of California.
32 */
33
34 #ident "%Z%%M% %I% %E% SMI"
35
36 /*
37 * Warning! Things are arranged very carefully in this file to
38 * allow read-only data to be moved to the text segment. The
39 * various DES tables must appear before any function definitions
40 * (this is arranged by including them immediately below) and partab
41 * must also appear before and function definitions
42 * This arrangement allows all data up through the first text to
43 * be moved to text.
44 */
45
46 /*
47 * Fast (?) software implementation of DES
48 * Has been seen going at 2000 bytes/sec on a Sun-2
49 * Works on a VAX too.
50 * Won't work without 8 bit chars and 32 bit longs
51 */
52
53 #include <sys/types.h>
54 #include <des/des.h>
55 #include <des/softdes.h>
56 #include <des/desdata.h>
57 #include <sys/debug.h>
58
59 static void des_setkey(u_char userkey[8], struct deskeydata *kd,
60 unsigned int dir);
61 static void des_encrypt(u_char *data, struct deskeydata *kd);
62
63 /* EXPORT DELETE START */
64 #define btst(k, b) (k[b >> 3] & (0x80 >> (b & 07)))
65 #define BIT28 (1<<28)
66 /* EXPORT DELETE END */
67
68 /*
69 * Software encrypt or decrypt a block of data (multiple of 8 bytes)
70 * Do the CBC ourselves if needed.
71 */
72 /* ARGSUSED */
73 int
_des_crypt(char * buf,size_t len,struct desparams * desp)74 _des_crypt(char *buf, size_t len, struct desparams *desp)
75 {
76 /* EXPORT DELETE START */
77 short i;
78 uint_t mode;
79 uint_t dir;
80 char nextiv[8];
81 struct deskeydata softkey;
82
83 mode = desp->des_mode;
84 dir = desp->des_dir;
85 des_setkey(desp->des_key, &softkey, dir);
86 while (len != 0) {
87 switch (mode) {
88 case CBC:
89 switch (dir) {
90 case ENCRYPT:
91 for (i = 0; i < 8; i++)
92 buf[i] ^= desp->des_ivec[i];
93 des_encrypt((u_char *)buf, &softkey);
94 for (i = 0; i < 8; i++)
95 desp->des_ivec[i] = buf[i];
96 break;
97 case DECRYPT:
98 for (i = 0; i < 8; i++)
99 nextiv[i] = buf[i];
100 des_encrypt((u_char *)buf, &softkey);
101 for (i = 0; i < 8; i++) {
102 buf[i] ^= desp->des_ivec[i];
103 desp->des_ivec[i] = nextiv[i];
104 }
105 break;
106 }
107 break;
108 case ECB:
109 des_encrypt((u_char *)buf, &softkey);
110 break;
111 }
112 buf += 8;
113 len -= 8;
114 }
115 /* EXPORT DELETE END */
116 return (1);
117 }
118
119
120 /*
121 * Set the key and direction for an encryption operation
122 * We build the 16 key entries here
123 */
124 /* ARGSUSED */
125 static void
des_setkey(u_char userkey[8],struct deskeydata * kd,unsigned int dir)126 des_setkey(u_char userkey[8], struct deskeydata *kd, unsigned int dir)
127 {
128 /* EXPORT DELETE START */
129 int32_t C, D;
130 short i;
131
132 /*
133 * First, generate C and D by permuting
134 * the key. The low order bit of each
135 * 8-bit char is not used, so C and D are only 28
136 * bits apiece.
137 */
138 {
139 short bit;
140 short *pcc = (short *)PC1_C, *pcd = (short *)PC1_D;
141
142 C = D = 0;
143 for (i = 0; i < 28; i++) {
144 C <<= 1;
145 D <<= 1;
146 bit = *pcc++;
147 if (btst(userkey, bit))
148 C |= 1;
149 bit = *pcd++;
150 if (btst(userkey, bit))
151 D |= 1;
152 }
153 }
154 /*
155 * To generate Ki, rotate C and D according
156 * to schedule and pick up a permutation
157 * using PC2.
158 */
159 for (i = 0; i < 16; i++) {
160 chunk_t *c;
161 short j, k, bit;
162 int bbit;
163
164 /*
165 * Do the "left shift" (rotate)
166 * We know we always rotate by either 1 or 2 bits
167 * the shifts table tells us if its 2
168 */
169 C <<= 1;
170 if (C & BIT28)
171 C |= 1;
172 D <<= 1;
173 if (D & BIT28)
174 D |= 1;
175 if (shifts[i]) {
176 C <<= 1;
177 if (C & BIT28)
178 C |= 1;
179 D <<= 1;
180 if (D & BIT28)
181 D |= 1;
182 }
183 /*
184 * get Ki. Note C and D are concatenated.
185 */
186 bit = 0;
187 switch (dir) {
188 case ENCRYPT:
189 c = &kd->keyval[i];
190 break;
191 case DECRYPT:
192 c = &kd->keyval[15 - i];
193 break;
194 }
195 c->long0 = 0;
196 c->long1 = 0;
197 bbit = (1 << 5) << 24;
198 for (j = 0; j < 4; j++) {
199 for (k = 0; k < 6; k++) {
200 if (C & (BIT28 >> PC2_C[bit]))
201 c->long0 |= bbit >> k;
202 if (D & (BIT28 >> PC2_D[bit]))
203 c->long1 |= bbit >> k;
204 bit++;
205 }
206 bbit >>= 8;
207 }
208 }
209 /* EXPORT DELETE END */
210 }
211
212
213
214 /*
215 * Do an encryption operation
216 * Much pain is taken (with preprocessor) to avoid loops so the compiler
217 * can do address arithmetic instead of doing it at runtime.
218 * Note that the byte-to-chunk conversion is necessary to guarantee
219 * processor byte-order independence.
220 */
221 /* ARGSUSED */
222 static void
des_encrypt(u_char * data,struct deskeydata * kd)223 des_encrypt(u_char *data, struct deskeydata *kd)
224 {
225 /* EXPORT DELETE START */
226 chunk_t work1, work2;
227
228 /*
229 * Initial permutation
230 * and byte to chunk conversion
231 */
232 {
233 const uint32_t *lp;
234 uint32_t l0, l1, w;
235 short i, pbit;
236
237 work1.byte0 = data[0];
238 work1.byte1 = data[1];
239 work1.byte2 = data[2];
240 work1.byte3 = data[3];
241 work1.byte4 = data[4];
242 work1.byte5 = data[5];
243 work1.byte6 = data[6];
244 work1.byte7 = data[7];
245 l0 = l1 = 0;
246 w = work1.long0;
247 for (lp = &longtab[0], i = 0; i < 32; i++) {
248 if (w & *lp++) {
249 pbit = IPtab[i];
250 if (pbit < 32)
251 l0 |= longtab[pbit];
252 else
253 l1 |= longtab[pbit-32];
254 }
255 }
256 w = work1.long1;
257 for (lp = &longtab[0], i = 32; i < 64; i++) {
258 if (w & *lp++) {
259 pbit = IPtab[i];
260 if (pbit < 32)
261 l0 |= longtab[pbit];
262 else
263 l1 |= longtab[pbit-32];
264 }
265 }
266 work2.long0 = l0;
267 work2.long1 = l1;
268 }
269
270 /*
271 * Expand 8 bits of 32 bit R to 48 bit R
272 */
273 #ifdef __STDC__
274 #define do_R_to_ER(op, b) { \
275 struct R_to_ER *p = \
276 (struct R_to_ER *)&R_to_ER_tab[b][R.byte##b]; \
277 e0 op p->l0; \
278 e1 op p->l1; \
279 }
280 #else
281 #define do_R_to_ER(op, b) { \
282 /*CSTYLED*/ \
283 struct R_to_ER *p = &R_to_ER_tab[b][R.byte/**/b]; \
284 e0 op p->l0; \
285 e1 op p->l1; \
286 }
287 #endif
288
289 /*
290 * Inner part of the algorithm:
291 * Expand R from 32 to 48 bits; xor key value;
292 * apply S boxes; permute 32 bits of output
293 */
294 #define do_F(iter, inR, outR) { \
295 chunk_t R, ER; \
296 u_int e0, e1; \
297 R.long0 = inR; \
298 /*CSTYLED*/ \
299 do_R_to_ER(=,0); \
300 /*CSTYLED*/ \
301 do_R_to_ER(|=,1); \
302 /*CSTYLED*/ \
303 do_R_to_ER(|=,2); \
304 /*CSTYLED*/ \
305 do_R_to_ER(|=,3); \
306 ER.long0 = e0 ^ kd->keyval[iter].long0; \
307 ER.long1 = e1 ^ kd->keyval[iter].long1; \
308 R.long0 = \
309 S_tab[0][ER.byte0] + \
310 S_tab[1][ER.byte1] + \
311 S_tab[2][ER.byte2] + \
312 S_tab[3][ER.byte3] + \
313 S_tab[4][ER.byte4] + \
314 S_tab[5][ER.byte5] + \
315 S_tab[6][ER.byte6] + \
316 S_tab[7][ER.byte7]; \
317 outR = \
318 P_tab[0][R.byte0] + \
319 P_tab[1][R.byte1] + \
320 P_tab[2][R.byte2] + \
321 P_tab[3][R.byte3]; \
322 }
323
324 /*
325 * Do a cipher step
326 * Apply inner part; do xor and exchange of 32 bit parts
327 */
328 #define cipher(iter, inR, inL, outR, outL) { \
329 do_F(iter, inR, outR); \
330 outR ^= inL; \
331 outL = inR; \
332 }
333
334 /*
335 * Apply the 16 ciphering steps
336 */
337 {
338 u_int r0, l0, r1, l1;
339
340 l0 = work2.long0;
341 r0 = work2.long1;
342 cipher(0, r0, l0, r1, l1);
343 cipher(1, r1, l1, r0, l0);
344 cipher(2, r0, l0, r1, l1);
345 cipher(3, r1, l1, r0, l0);
346 cipher(4, r0, l0, r1, l1);
347 cipher(5, r1, l1, r0, l0);
348 cipher(6, r0, l0, r1, l1);
349 cipher(7, r1, l1, r0, l0);
350 cipher(8, r0, l0, r1, l1);
351 cipher(9, r1, l1, r0, l0);
352 cipher(10, r0, l0, r1, l1);
353 cipher(11, r1, l1, r0, l0);
354 cipher(12, r0, l0, r1, l1);
355 cipher(13, r1, l1, r0, l0);
356 cipher(14, r0, l0, r1, l1);
357 cipher(15, r1, l1, r0, l0);
358 work1.long0 = r0;
359 work1.long1 = l0;
360 }
361
362 /*
363 * Final permutation
364 * and chunk to byte conversion
365 */
366 {
367 const uint32_t *lp;
368 uint32_t l0, l1, w;
369 short i, pbit;
370
371 l0 = l1 = 0;
372 w = work1.long0;
373 for (lp = &longtab[0], i = 0; i < 32; i++) {
374 if (w & *lp++) {
375 pbit = FPtab[i];
376 if (pbit < 32)
377 l0 |= longtab[pbit];
378 else
379 l1 |= longtab[pbit-32];
380 }
381 }
382 w = work1.long1;
383 for (lp = &longtab[0], i = 32; i < 64; i++) {
384 if (w & *lp++) {
385 pbit = FPtab[i];
386 if (pbit < 32)
387 l0 |= longtab[pbit];
388 else
389 l1 |= longtab[pbit-32];
390 }
391 }
392 work2.long0 = l0;
393 work2.long1 = l1;
394 }
395 data[0] = work2.byte0;
396 data[1] = work2.byte1;
397 data[2] = work2.byte2;
398 data[3] = work2.byte3;
399 data[4] = work2.byte4;
400 data[5] = work2.byte5;
401 data[6] = work2.byte6;
402 data[7] = work2.byte7;
403 /* EXPORT DELETE END */
404 }
405