1 /*
   2  * CDDL HEADER START
   3  *
   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License (the "License").
   6  * You may not use this file except in compliance with the License.
   7  *
   8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
   9  * or http://www.opensolaris.org/os/licensing.
  10  * See the License for the specific language governing permissions
  11  * and limitations under the License.
  12  *
  13  * When distributing Covered Code, include this CDDL HEADER in each
  14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  15  * If applicable, add the following below this CDDL HEADER, with the
  16  * fields enclosed by brackets "[]" replaced with your own identifying
  17  * information: Portions Copyright [yyyy] [name of copyright owner]
  18  *
  19  * CDDL HEADER END
  20  */
  21 
  22 /*
  23  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
  24  * Use is subject to license terms.
  25  */
  26 
  27 /*      Copyright (c) 1983, 1984, 1985, 1986, 1987, 1988, 1989 AT&T */
  28 /*        All Rights Reserved   */
  29 
  30 /*
  31  * Portions of this source code were derived from Berkeley 4.3 BSD
  32  * under license from the Regents of the University of California.
  33  */
  34 
  35 #pragma ident   "%Z%%M% %I%     %E% SMI"
  36 
  37 /*
  38  * Warning!  Things are arranged very carefully in this file to
  39  * allow read-only data to be moved to the text segment.  The
  40  * various DES tables must appear before any function definitions
  41  * (this is arranged by including them immediately below) and partab
  42  * must also appear before and function definitions
  43  * This arrangement allows all data up through the first text to
  44  * be moved to text.
  45  */
  46 
  47 #ifndef _KERNEL
  48 #define CRYPT   /* cannot configure out of user-level code */
  49 #endif
  50 
  51 #ifdef CRYPT
  52 #include <sys/types.h>
  53 #include <des/softdes.h>
  54 #include <des/desdata.h>
  55 
  56 #ifdef sun
  57 #include <sys/ioctl.h>
  58 #include <sys/des.h>
  59 #else
  60 #include <des/des.h>
  61 #endif
  62 
  63 #include "des_soft.h"
  64 
  65 /*
  66  * Fast (?) software implementation of DES
  67  * Has been seen going at 2000 bytes/sec on a Sun-2
  68  * Works on a VAX too.
  69  * Won't work without 8 bit chars and 32 bit longs
  70  */
  71 
  72 #define btst(k, b)      (k[b >> 3] & (0x80 >> (b & 07)))
  73 #define BIT28   (1<<28)
  74 
  75 
  76 #endif /* def CRYPT */
  77 
  78 static void des_setkey(uchar_t [8], struct deskeydata *, unsigned);
  79 static void des_encrypt(uchar_t *, struct deskeydata *);
  80 
  81 #ifndef _KERNEL
  82 /*
  83  * Table giving odd parity in the low bit for ASCII characters
  84  */
  85 static char partab[128] = {
  86         0x01, 0x01, 0x02, 0x02, 0x04, 0x04, 0x07, 0x07,
  87         0x08, 0x08, 0x0b, 0x0b, 0x0d, 0x0d, 0x0e, 0x0e,
  88         0x10, 0x10, 0x13, 0x13, 0x15, 0x15, 0x16, 0x16,
  89         0x19, 0x19, 0x1a, 0x1a, 0x1c, 0x1c, 0x1f, 0x1f,
  90         0x20, 0x20, 0x23, 0x23, 0x25, 0x25, 0x26, 0x26,
  91         0x29, 0x29, 0x2a, 0x2a, 0x2c, 0x2c, 0x2f, 0x2f,
  92         0x31, 0x31, 0x32, 0x32, 0x34, 0x34, 0x37, 0x37,
  93         0x38, 0x38, 0x3b, 0x3b, 0x3d, 0x3d, 0x3e, 0x3e,
  94         0x40, 0x40, 0x43, 0x43, 0x45, 0x45, 0x46, 0x46,
  95         0x49, 0x49, 0x4a, 0x4a, 0x4c, 0x4c, 0x4f, 0x4f,
  96         0x51, 0x51, 0x52, 0x52, 0x54, 0x54, 0x57, 0x57,
  97         0x58, 0x58, 0x5b, 0x5b, 0x5d, 0x5d, 0x5e, 0x5e,
  98         0x61, 0x61, 0x62, 0x62, 0x64, 0x64, 0x67, 0x67,
  99         0x68, 0x68, 0x6b, 0x6b, 0x6d, 0x6d, 0x6e, 0x6e,
 100         0x70, 0x70, 0x73, 0x73, 0x75, 0x75, 0x76, 0x76,
 101         0x79, 0x79, 0x7a, 0x7a, 0x7c, 0x7c, 0x7f, 0x7f,
 102 };
 103 
 104 
 105 
 106 /*
 107  * Add odd parity to low bit of 8 byte key
 108  */
 109 void
 110 des_setparity(char *p)
 111 {
 112         int i;
 113 
 114         for (i = 0; i < 8; i++) {
 115                 *p = partab[*p & 0x7f];
 116                 p++;
 117         }
 118 }
 119 #endif /* def _KERNEL */
 120 
 121 #ifdef CRYPT
 122 /*
 123  * Software encrypt or decrypt a block of data (multiple of 8 bytes)
 124  * Do the CBC ourselves if needed.
 125  */
 126 int
 127 __des_crypt(char *buf, unsigned int len, struct desparams *desp)
 128 {
 129 /* EXPORT DELETE START */
 130         short i;
 131         unsigned mode;
 132         unsigned dir;
 133         char nextiv[8];
 134         struct deskeydata softkey;
 135 
 136         mode = (unsigned)desp->des_mode;
 137         dir = (unsigned)desp->des_dir;
 138         des_setkey(desp->des_key, &softkey, dir);
 139         while (len != 0) {
 140                 switch (mode) {
 141                 case CBC:
 142                         switch (dir) {
 143                         case ENCRYPT:
 144                                 for (i = 0; i < 8; i++)
 145                                         buf[i] ^= desp->des_ivec[i];
 146                                 des_encrypt((uchar_t *)buf, &softkey);
 147                                 for (i = 0; i < 8; i++)
 148                                         desp->des_ivec[i] = buf[i];
 149                                 break;
 150                         case DECRYPT:
 151                                 for (i = 0; i < 8; i++)
 152                                         nextiv[i] = buf[i];
 153                                 des_encrypt((uchar_t *)buf, &softkey);
 154                                 for (i = 0; i < 8; i++) {
 155                                         buf[i] ^= desp->des_ivec[i];
 156                                         desp->des_ivec[i] = nextiv[i];
 157                                 }
 158                                 break;
 159                         }
 160                         break;
 161                 case ECB:
 162                         des_encrypt((uchar_t *)buf, &softkey);
 163                         break;
 164                 }
 165                 buf += 8;
 166                 len -= 8;
 167         }
 168 /* EXPORT DELETE END */
 169         return (1);
 170 }
 171 
 172 
 173 /*
 174  * Set the key and direction for an encryption operation
 175  * We build the 16 key entries here
 176  */
 177 static void
 178 des_setkey(uchar_t userkey[8], struct deskeydata *kd, unsigned int dir)
 179 {
 180 /* EXPORT DELETE START */
 181         long C, D;
 182         short i;
 183 
 184         /*
 185          * First, generate C and D by permuting
 186          * the key. The low order bit of each
 187          * 8-bit char is not used, so C and D are only 28
 188          * bits apiece.
 189          */
 190         {
 191                 short bit;
 192                 const short *pcc = PC1_C, *pcd = PC1_D;
 193 
 194                 C = D = 0;
 195                 for (i = 0; i < 28; i++) {
 196                         C <<= 1;
 197                         D <<= 1;
 198                         bit = *pcc++;
 199                         if (btst(userkey, bit))
 200                                 C |= 1;
 201                         bit = *pcd++;
 202                         if (btst(userkey, bit))
 203                                 D |= 1;
 204                 }
 205         }
 206         /*
 207          * To generate Ki, rotate C and D according
 208          * to schedule and pick up a permutation
 209          * using PC2.
 210          */
 211         for (i = 0; i < 16; i++) {
 212                 chunk_t *c;
 213                 short j, k, bit;
 214                 long bbit;
 215 
 216                 /*
 217                  * Do the "left shift" (rotate)
 218                  * We know we always rotate by either 1 or 2 bits
 219                  * the shifts table tells us if its 2
 220                  */
 221                 C <<= 1;
 222                 if (C & BIT28)
 223                         C |= 1;
 224                 D <<= 1;
 225                 if (D & BIT28)
 226                         D |= 1;
 227                 if (shifts[i]) {
 228                         C <<= 1;
 229                         if (C & BIT28)
 230                                 C |= 1;
 231                         D <<= 1;
 232                         if (D & BIT28)
 233                                 D |= 1;
 234                 }
 235                 /*
 236                  * get Ki. Note C and D are concatenated.
 237                  */
 238                 bit = 0;
 239                 switch (dir) {
 240                 case ENCRYPT:
 241                         c = &kd->keyval[i]; break;
 242                 case DECRYPT:
 243                         c = &kd->keyval[15 - i]; break;
 244                 }
 245                 c->long0 = 0;
 246                 c->long1 = 0;
 247                 bbit = (1 << 5) << 24;
 248                 for (j = 0; j < 4; j++) {
 249                         for (k = 0; k < 6; k++) {
 250                                 if (C & (BIT28 >> PC2_C[bit]))
 251                                         c->long0 |= bbit >> k;
 252                                 if (D & (BIT28 >> PC2_D[bit]))
 253                                         c->long1 |= bbit >> k;
 254                                 bit++;
 255                         }
 256                         bbit >>= 8;
 257                 }
 258 
 259         }
 260 /* EXPORT DELETE END */
 261 }
 262 
 263 
 264 
 265 /*
 266  * Do an encryption operation
 267  * Much pain is taken (with preprocessor) to avoid loops so the compiler
 268  * can do address arithmetic instead of doing it at runtime.
 269  * Note that the byte-to-chunk conversion is necessary to guarantee
 270  * processor byte-order independence.
 271  */
 272 static void
 273 des_encrypt(uchar_t *data, struct deskeydata *kd)
 274 {
 275 /* EXPORT DELETE START */
 276         chunk_t work1, work2;
 277 
 278         /*
 279          * Initial permutation
 280          * and byte to chunk conversion
 281          */
 282         {
 283                 const uint32_t *lp;
 284                 uint32_t l0, l1, w;
 285                 short i, pbit;
 286 
 287                 work1.byte0 = data[0];
 288                 work1.byte1 = data[1];
 289                 work1.byte2 = data[2];
 290                 work1.byte3 = data[3];
 291                 work1.byte4 = data[4];
 292                 work1.byte5 = data[5];
 293                 work1.byte6 = data[6];
 294                 work1.byte7 = data[7];
 295                 l0 = l1 = 0;
 296                 w = work1.long0;
 297                 for (lp = &longtab[0], i = 0; i < 32; i++) {
 298                         if (w & *lp++) {
 299                                 pbit = IPtab[i];
 300                                 if (pbit < 32)
 301                                         l0 |= longtab[pbit];
 302                                 else
 303                                         l1 |= longtab[pbit-32];
 304                         }
 305                 }
 306                 w = work1.long1;
 307                 for (lp = &longtab[0], i = 32; i < 64; i++) {
 308                         if (w & *lp++) {
 309                                 pbit = IPtab[i];
 310                                 if (pbit < 32)
 311                                         l0 |= longtab[pbit];
 312                                 else
 313                                         l1 |= longtab[pbit-32];
 314                         }
 315                 }
 316                 work2.long0 = l0;
 317                 work2.long1 = l1;
 318         }
 319 
 320 /*
 321  * Expand 8 bits of 32 bit R to 48 bit R
 322  */
 323 #define do_R_to_ER(op, b)       {                       \
 324         const struct R_to_ER *p = &R_to_ER_tab[b][R.byte##b];       \
 325         e0 op p->l0;                         \
 326         e1 op p->l1;                         \
 327 }
 328 
 329 /*
 330  * Inner part of the algorithm:
 331  * Expand R from 32 to 48 bits; xor key value;
 332  * apply S boxes; permute 32 bits of output
 333  */
 334 #define do_F(iter, inR, outR)   {                       \
 335         chunk_t R, ER;                                  \
 336         uint32_t e0, e1;                                \
 337         R.long0 = inR;                                  \
 338         /* CSTYLED */                                   \
 339         do_R_to_ER(=, 0);                               \
 340         /* CSTYLED */                                   \
 341         do_R_to_ER(|=, 1);                              \
 342         /* CSTYLED */                                   \
 343         do_R_to_ER(|=, 2);                              \
 344         /* CSTYLED */                                   \
 345         do_R_to_ER(|=, 3);                              \
 346         ER.long0 = e0 ^ kd->keyval[iter].long0;              \
 347         ER.long1 = e1 ^ kd->keyval[iter].long1;              \
 348         R.long0 =                                       \
 349                 S_tab[0][ER.byte0] +                    \
 350                 S_tab[1][ER.byte1] +                    \
 351                 S_tab[2][ER.byte2] +                    \
 352                 S_tab[3][ER.byte3] +                    \
 353                 S_tab[4][ER.byte4] +                    \
 354                 S_tab[5][ER.byte5] +                    \
 355                 S_tab[6][ER.byte6] +                    \
 356                 S_tab[7][ER.byte7];                     \
 357         outR =                                          \
 358                 P_tab[0][R.byte0] +                     \
 359                 P_tab[1][R.byte1] +                     \
 360                 P_tab[2][R.byte2] +                     \
 361                 P_tab[3][R.byte3];                      \
 362 }
 363 
 364 /*
 365  * Do a cipher step
 366  * Apply inner part; do xor and exchange of 32 bit parts
 367  */
 368 #define cipher(iter, inR, inL, outR, outL)      {       \
 369         do_F(iter, inR, outR);                          \
 370         outR ^= inL;                                    \
 371         outL = inR;                                     \
 372 }
 373 
 374         /*
 375          * Apply the 16 ciphering steps
 376          */
 377         {
 378                 uint32_t r0, l0, r1, l1;
 379 
 380                 l0 = work2.long0;
 381                 r0 = work2.long1;
 382                 cipher(0, r0, l0, r1, l1);
 383                 cipher(1, r1, l1, r0, l0);
 384                 cipher(2, r0, l0, r1, l1);
 385                 cipher(3, r1, l1, r0, l0);
 386                 cipher(4, r0, l0, r1, l1);
 387                 cipher(5, r1, l1, r0, l0);
 388                 cipher(6, r0, l0, r1, l1);
 389                 cipher(7, r1, l1, r0, l0);
 390                 cipher(8, r0, l0, r1, l1);
 391                 cipher(9, r1, l1, r0, l0);
 392                 cipher(10, r0, l0, r1, l1);
 393                 cipher(11, r1, l1, r0, l0);
 394                 cipher(12, r0, l0, r1, l1);
 395                 cipher(13, r1, l1, r0, l0);
 396                 cipher(14, r0, l0, r1, l1);
 397                 cipher(15, r1, l1, r0, l0);
 398                 work1.long0 = r0;
 399                 work1.long1 = l0;
 400         }
 401 
 402         /*
 403          * Final permutation
 404          * and chunk to byte conversion
 405          */
 406         {
 407                 const uint32_t *lp;
 408                 uint32_t l0, l1, w;
 409                 short i, pbit;
 410 
 411                 l0 = l1 = 0;
 412                 w = work1.long0;
 413                 for (lp = &longtab[0], i = 0; i < 32; i++) {
 414                         if (w & *lp++) {
 415                                 pbit = FPtab[i];
 416                                 if (pbit < 32)
 417                                         l0 |= longtab[pbit];
 418                                 else
 419                                         l1 |= longtab[pbit-32];
 420                         }
 421                 }
 422                 w = work1.long1;
 423                 for (lp = &longtab[0], i = 32; i < 64; i++) {
 424                         if (w & *lp++) {
 425                                 pbit = FPtab[i];
 426                                 if (pbit < 32)
 427                                         l0 |= longtab[pbit];
 428                                 else
 429                                         l1 |= longtab[pbit-32];
 430                         }
 431                 }
 432                 work2.long0 = l0;
 433                 work2.long1 = l1;
 434         }
 435         data[0] = work2.byte0;
 436         data[1] = work2.byte1;
 437         data[2] = work2.byte2;
 438         data[3] = work2.byte3;
 439         data[4] = work2.byte4;
 440         data[5] = work2.byte5;
 441         data[6] = work2.byte6;
 442         data[7] = work2.byte7;
 443 
 444 /* EXPORT DELETE END */
 445 }
 446 #endif /* def CRYPT */