1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License, Version 1.0 only
6 * (the "License"). You may not use this file except in compliance
7 * with the License.
8 *
9 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10 * or http://www.opensolaris.org/os/licensing.
11 * See the License for the specific language governing permissions
12 * and limitations under the License.
13 *
14 * When distributing Covered Code, include this CDDL HEADER in each
15 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16 * If applicable, add the following below this CDDL HEADER, with the
17 * fields enclosed by brackets "[]" replaced with your own identifying
18 * information: Portions Copyright [yyyy] [name of copyright owner]
19 *
20 * CDDL HEADER END
21 */
22
23 /*
24 * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
25 * Use is subject to license terms.
26 */
27
28 /* Copyright (c) 1984, 1986, 1987, 1988, 1989 AT&T */
29 /* All Rights Reserved */
30
31 /*
32 * Portions of this source code were derived from Berkeley 4.3 BSD
33 * under license from the Regents of the University of California.
34 */
35
36 #pragma ident "%Z%%M% %I% %E% SMI"
37
38 /*
39 * Warning! Things are arranged very carefully in this file to
40 * allow read-only data to be moved to the text segment. The
41 * various DES tables must appear before any function definitions
42 * (this is arranged by including them immediately below) and partab
43 * must also appear before and function definitions
44 * This arrangement allows all data up through the first text to
45 * be moved to text.
46 */
47
48 #include "mt.h"
49 #include <sys/types.h>
50 #include <des/softdes.h>
51 #include <des/desdata.h>
52 #ifdef sun
53 #include <sys/ioctl.h>
54 #include <sys/des.h>
55 #else
56 #include <des/des.h>
57 #endif
58 #include <rpcsvc/nis_dhext.h>
59
60 /*
61 * Fast (?) software implementation of DES
62 * Has been seen going at 2000 bytes/sec on a Sun-2
63 * Works on a VAX too.
64 * Won't work without 8 bit chars and 32 bit longs
65 */
66
67 #define btst(k, b) (k[b >> 3] & (0x80 >> (b & 07)))
68 #define BIT28 (1<<28)
69
70 static int __des_encrypt(uchar_t *, struct deskeydata *);
71 static int __des_setkey(uchar_t[8], struct deskeydata *, unsigned);
72
73
74 /*
75 * Table giving odd parity in the low bit for ASCII characters
76 */
77 const char partab[128] = {
78 0x01, 0x01, 0x02, 0x02, 0x04, 0x04, 0x07, 0x07,
79 0x08, 0x08, 0x0b, 0x0b, 0x0d, 0x0d, 0x0e, 0x0e,
80 0x10, 0x10, 0x13, 0x13, 0x15, 0x15, 0x16, 0x16,
81 0x19, 0x19, 0x1a, 0x1a, 0x1c, 0x1c, 0x1f, 0x1f,
82 0x20, 0x20, 0x23, 0x23, 0x25, 0x25, 0x26, 0x26,
83 0x29, 0x29, 0x2a, 0x2a, 0x2c, 0x2c, 0x2f, 0x2f,
84 0x31, 0x31, 0x32, 0x32, 0x34, 0x34, 0x37, 0x37,
85 0x38, 0x38, 0x3b, 0x3b, 0x3d, 0x3d, 0x3e, 0x3e,
86 0x40, 0x40, 0x43, 0x43, 0x45, 0x45, 0x46, 0x46,
87 0x49, 0x49, 0x4a, 0x4a, 0x4c, 0x4c, 0x4f, 0x4f,
88 0x51, 0x51, 0x52, 0x52, 0x54, 0x54, 0x57, 0x57,
89 0x58, 0x58, 0x5b, 0x5b, 0x5d, 0x5d, 0x5e, 0x5e,
90 0x61, 0x61, 0x62, 0x62, 0x64, 0x64, 0x67, 0x67,
91 0x68, 0x68, 0x6b, 0x6b, 0x6d, 0x6d, 0x6e, 0x6e,
92 0x70, 0x70, 0x73, 0x73, 0x75, 0x75, 0x76, 0x76,
93 0x79, 0x79, 0x7a, 0x7a, 0x7c, 0x7c, 0x7f, 0x7f,
94 };
95
96 /*
97 * Add odd parity to low bit of 8 byte key
98 */
99 void
100 des_setparity(char *p)
101 {
102 int i;
103
104 for (i = 0; i < 8; i++) {
105 *p = partab[*p & 0x7f];
106 p++;
107 }
108 }
109
110 static const unsigned char partab_g[256] = {
111 0x01, 0x01, 0x02, 0x02, 0x04, 0x04, 0x07, 0x07,
112 0x08, 0x08, 0x0b, 0x0b, 0x0d, 0x0d, 0x0e, 0x0e,
113 0x10, 0x10, 0x13, 0x13, 0x15, 0x15, 0x16, 0x16,
114 0x19, 0x19, 0x1a, 0x1a, 0x1c, 0x1c, 0x1f, 0x1f,
115 0x20, 0x20, 0x23, 0x23, 0x25, 0x25, 0x26, 0x26,
116 0x29, 0x29, 0x2a, 0x2a, 0x2c, 0x2c, 0x2f, 0x2f,
117 0x31, 0x31, 0x32, 0x32, 0x34, 0x34, 0x37, 0x37,
118 0x38, 0x38, 0x3b, 0x3b, 0x3d, 0x3d, 0x3e, 0x3e,
119 0x40, 0x40, 0x43, 0x43, 0x45, 0x45, 0x46, 0x46,
120 0x49, 0x49, 0x4a, 0x4a, 0x4c, 0x4c, 0x4f, 0x4f,
121 0x51, 0x51, 0x52, 0x52, 0x54, 0x54, 0x57, 0x57,
122 0x58, 0x58, 0x5b, 0x5b, 0x5d, 0x5d, 0x5e, 0x5e,
123 0x61, 0x61, 0x62, 0x62, 0x64, 0x64, 0x67, 0x67,
124 0x68, 0x68, 0x6b, 0x6b, 0x6d, 0x6d, 0x6e, 0x6e,
125 0x70, 0x70, 0x73, 0x73, 0x75, 0x75, 0x76, 0x76,
126 0x79, 0x79, 0x7a, 0x7a, 0x7c, 0x7c, 0x7f, 0x7f,
127 0x80, 0x80, 0x83, 0x83, 0x85, 0x85, 0x86, 0x86,
128 0x89, 0x89, 0x8a, 0x8a, 0x8c, 0x8c, 0x8f, 0x8f,
129 0x91, 0x91, 0x92, 0x92, 0x94, 0x94, 0x97, 0x97,
130 0x98, 0x98, 0x9b, 0x9b, 0x9d, 0x9d, 0x9e, 0x9e,
131 0xa1, 0xa1, 0xa2, 0xa2, 0xa4, 0xa4, 0xa7, 0xa7,
132 0xa8, 0xa8, 0xab, 0xab, 0xad, 0xad, 0xae, 0xae,
133 0xb0, 0xb0, 0xb3, 0xb3, 0xb5, 0xb5, 0xb6, 0xb6,
134 0xb9, 0xb9, 0xba, 0xba, 0xbc, 0xbc, 0xbf, 0xbf,
135 0xc1, 0xc1, 0xc2, 0xc2, 0xc4, 0xc4, 0xc7, 0xc7,
136 0xc8, 0xc8, 0xcb, 0xcb, 0xcd, 0xcd, 0xce, 0xce,
137 0xd0, 0xd0, 0xd3, 0xd3, 0xd5, 0xd5, 0xd6, 0xd6,
138 0xd9, 0xd9, 0xda, 0xda, 0xdc, 0xdc, 0xdf, 0xdf,
139 0xe0, 0xe0, 0xe3, 0xe3, 0xe5, 0xe5, 0xe6, 0xe6,
140 0xe9, 0xe9, 0xea, 0xea, 0xec, 0xec, 0xef, 0xef,
141 0xf1, 0xf1, 0xf2, 0xf2, 0xf4, 0xf4, 0xf7, 0xf7,
142 0xf8, 0xf8, 0xfb, 0xfb, 0xfd, 0xfd, 0xfe, 0xfe
143 };
144
145 /*
146 * A corrected version of des_setparity (see bug 1149767).
147 */
148 void
149 des_setparity_g(des_block *p)
150 {
151 int i;
152
153 for (i = 0; i < 8; i++) {
154 (*p).c[i] = partab_g[(*p).c[i]];
155 }
156 }
157
158 /*
159 * Software encrypt or decrypt a block of data (multiple of 8 bytes)
160 * Do the CBC ourselves if needed.
161 */
162 int
163 __des_crypt(char *buf, unsigned len, struct desparams *desp)
164 {
165 /* EXPORT DELETE START */
166 short i;
167 unsigned mode;
168 unsigned dir;
169 char nextiv[8];
170 struct deskeydata softkey;
171
172 mode = (unsigned)desp->des_mode;
173 dir = (unsigned)desp->des_dir;
174 (void) __des_setkey(desp->des_key, &softkey, dir);
175 while (len != 0) {
176 switch (mode) {
177 case CBC:
178 switch (dir) {
179 case ENCRYPT:
180 for (i = 0; i < 8; i++)
181 buf[i] ^= desp->des_ivec[i];
182 (void) __des_encrypt((uchar_t *)buf, &softkey);
183 for (i = 0; i < 8; i++)
184 desp->des_ivec[i] = buf[i];
185 break;
186 case DECRYPT:
187 for (i = 0; i < 8; i++)
188 nextiv[i] = buf[i];
189 (void) __des_encrypt((uchar_t *)buf, &softkey);
190 for (i = 0; i < 8; i++) {
191 buf[i] ^= desp->des_ivec[i];
192 desp->des_ivec[i] = nextiv[i];
193 }
194 break;
195 }
196 break;
197 case ECB:
198 (void) __des_encrypt((uchar_t *)buf, &softkey);
199 break;
200 }
201 buf += 8;
202 len -= 8;
203 }
204 /* EXPORT DELETE END */
205 return (1);
206 }
207
208
209 /*
210 * Set the key and direction for an encryption operation
211 * We build the 16 key entries here
212 */
213 static int
214 __des_setkey(uchar_t userkey[8], struct deskeydata *kd, unsigned dir)
215 {
216 /* EXPORT DELETE START */
217 int32_t C, D;
218 short i;
219
220 /*
221 * First, generate C and D by permuting
222 * the key. The low order bit of each
223 * 8-bit char is not used, so C and D are only 28
224 * bits apiece.
225 */
226 {
227 short bit;
228 const short *pcc = PC1_C, *pcd = PC1_D;
229
230 C = D = 0;
231 for (i = 0; i < 28; i++) {
232 C <<= 1;
233 D <<= 1;
234 bit = *pcc++;
235 if (btst(userkey, bit))
236 C |= 1;
237 bit = *pcd++;
238 if (btst(userkey, bit))
239 D |= 1;
240 }
241 }
242 /*
243 * To generate Ki, rotate C and D according
244 * to schedule and pick up a permutation
245 * using PC2.
246 */
247 for (i = 0; i < 16; i++) {
248 chunk_t *c;
249 short j, k, bit;
250 uint32_t bbit;
251
252 /*
253 * Do the "left shift" (rotate)
254 * We know we always rotate by either 1 or 2 bits
255 * the shifts table tells us if its 2
256 */
257 C <<= 1;
258 if (C & BIT28)
259 C |= 1;
260 D <<= 1;
261 if (D & BIT28)
262 D |= 1;
263 if (shifts[i]) {
264 C <<= 1;
265 if (C & BIT28)
266 C |= 1;
267 D <<= 1;
268 if (D & BIT28)
269 D |= 1;
270 }
271 /*
272 * get Ki. Note C and D are concatenated.
273 */
274 bit = 0;
275 switch (dir) {
276 case ENCRYPT:
277 c = &kd->keyval[i]; break;
278 case DECRYPT:
279 c = &kd->keyval[15 - i]; break;
280 }
281 c->long0 = 0;
282 c->long1 = 0;
283 bbit = (1 << 5) << 24;
284 for (j = 0; j < 4; j++) {
285 for (k = 0; k < 6; k++) {
286 if (C & (BIT28 >> PC2_C[bit]))
287 c->long0 |= bbit >> k;
288 if (D & (BIT28 >> PC2_D[bit]))
289 c->long1 |= bbit >> k;
290 bit++;
291 }
292 bbit >>= 8;
293 }
294
295 }
296 /* EXPORT DELETE END */
297 return (1);
298 }
299
300
301
302 /*
303 * Do an encryption operation
304 * Much pain is taken (with preprocessor) to avoid loops so the compiler
305 * can do address arithmetic instead of doing it at runtime.
306 * Note that the byte-to-chunk conversion is necessary to guarantee
307 * processor byte-order independence.
308 */
309 static int
310 __des_encrypt(uchar_t *data, struct deskeydata *kd)
311 {
312 /* EXPORT DELETE START */
313 chunk_t work1, work2;
314
315 /*
316 * Initial permutation
317 * and byte to chunk conversion
318 */
319 {
320 const uint32_t *lp;
321 uint32_t l0, l1, w;
322 short i, pbit;
323
324 work1.byte0 = data[0];
325 work1.byte1 = data[1];
326 work1.byte2 = data[2];
327 work1.byte3 = data[3];
328 work1.byte4 = data[4];
329 work1.byte5 = data[5];
330 work1.byte6 = data[6];
331 work1.byte7 = data[7];
332 l0 = l1 = 0;
333 w = work1.long0;
334 for (lp = (uint32_t *)&longtab[0], i = 0; i < 32; i++) {
335 if (w & *lp++) {
336 pbit = IPtab[i];
337 if (pbit < 32)
338 l0 |= longtab[pbit];
339 else
340 l1 |= longtab[pbit-32];
341 }
342 }
343 w = work1.long1;
344 for (lp = (uint32_t *)&longtab[0], i = 32; i < 64; i++) {
345 if (w & *lp++) {
346 pbit = IPtab[i];
347 if (pbit < 32)
348 l0 |= longtab[pbit];
349 else
350 l1 |= longtab[pbit-32];
351 }
352 }
353 work2.long0 = l0;
354 work2.long1 = l1;
355 }
356
357 /*
358 * Expand 8 bits of 32 bit R to 48 bit R
359 */
360 #define do_R_to_ER(op, b) { \
361 const struct R_to_ER *p = &R_to_ER_tab[b][R.byte##b]; \
362 e0 op p->l0; \
363 e1 op p->l1; \
364 }
365
366 /*
367 * Inner part of the algorithm:
368 * Expand R from 32 to 48 bits; xor key value;
369 * apply S boxes; permute 32 bits of output
370 */
371 /* BEGIN CSTYLED */
372 #define do_F(iter, inR, outR) { \
373 chunk_t R, ER; \
374 uint32_t e0, e1; \
375 R.long0 = inR; \
376 do_R_to_ER(=, 0); \
377 do_R_to_ER(|=, 1); \
378 do_R_to_ER(|=, 2); \
379 do_R_to_ER(|=, 3); \
380 ER.long0 = e0 ^ kd->keyval[iter].long0; \
381 ER.long1 = e1 ^ kd->keyval[iter].long1; \
382 R.long0 = \
383 S_tab[0][ER.byte0] + \
384 S_tab[1][ER.byte1] + \
385 S_tab[2][ER.byte2] + \
386 S_tab[3][ER.byte3] + \
387 S_tab[4][ER.byte4] + \
388 S_tab[5][ER.byte5] + \
389 S_tab[6][ER.byte6] + \
390 S_tab[7][ER.byte7]; \
391 outR = \
392 P_tab[0][R.byte0] + \
393 P_tab[1][R.byte1] + \
394 P_tab[2][R.byte2] + \
395 P_tab[3][R.byte3]; \
396 }
397 /* END CSTYLED */
398
399 /*
400 * Do a cipher step
401 * Apply inner part; do xor and exchange of 32 bit parts
402 */
403 #define cipher(iter, inR, inL, outR, outL) { \
404 do_F(iter, inR, outR); \
405 outR ^= inL; \
406 outL = inR; \
407 }
408
409 /*
410 * Apply the 16 ciphering steps
411 */
412 {
413 uint32_t r0, l0, r1, l1;
414
415 l0 = work2.long0;
416 r0 = work2.long1;
417 cipher(0, r0, l0, r1, l1);
418 cipher(1, r1, l1, r0, l0);
419 cipher(2, r0, l0, r1, l1);
420 cipher(3, r1, l1, r0, l0);
421 cipher(4, r0, l0, r1, l1);
422 cipher(5, r1, l1, r0, l0);
423 cipher(6, r0, l0, r1, l1);
424 cipher(7, r1, l1, r0, l0);
425 cipher(8, r0, l0, r1, l1);
426 cipher(9, r1, l1, r0, l0);
427 cipher(10, r0, l0, r1, l1);
428 cipher(11, r1, l1, r0, l0);
429 cipher(12, r0, l0, r1, l1);
430 cipher(13, r1, l1, r0, l0);
431 cipher(14, r0, l0, r1, l1);
432 cipher(15, r1, l1, r0, l0);
433 work1.long0 = r0;
434 work1.long1 = l0;
435 }
436
437 /*
438 * Final permutation
439 * and chunk to byte conversion
440 */
441 {
442 uint32_t *lp;
443 uint32_t l0, l1, w;
444 short i, pbit;
445
446 l0 = l1 = 0;
447 w = work1.long0;
448 for (lp = (uint32_t *)&longtab[0], i = 0; i < 32; i++) {
449 if (w & *lp++) {
450 pbit = FPtab[i];
451 if (pbit < 32)
452 l0 |= longtab[pbit];
453 else
454 l1 |= longtab[pbit-32];
455 }
456 }
457 w = work1.long1;
458 for (lp = (uint32_t *)&longtab[0], i = 32; i < 64; i++) {
459 if (w & *lp++) {
460 pbit = FPtab[i];
461 if (pbit < 32)
462 l0 |= longtab[pbit];
463 else
464 l1 |= longtab[pbit-32];
465 }
466 }
467 work2.long0 = l0;
468 work2.long1 = l1;
469 }
470 data[0] = work2.byte0;
471 data[1] = work2.byte1;
472 data[2] = work2.byte2;
473 data[3] = work2.byte3;
474 data[4] = work2.byte4;
475 data[5] = work2.byte5;
476 data[6] = work2.byte6;
477 data[7] = work2.byte7;
478
479 /* EXPORT DELETE END */
480 return (1);
481 }