1 /*
   2  * CDDL HEADER START
   3  *
   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License, Version 1.0 only
   6  * (the "License").  You may not use this file except in compliance
   7  * with the License.
   8  *
   9  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
  10  * or http://www.opensolaris.org/os/licensing.
  11  * See the License for the specific language governing permissions
  12  * and limitations under the License.
  13  *
  14  * When distributing Covered Code, include this CDDL HEADER in each
  15  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  16  * If applicable, add the following below this CDDL HEADER, with the
  17  * fields enclosed by brackets "[]" replaced with your own identifying
  18  * information: Portions Copyright [yyyy] [name of copyright owner]
  19  *
  20  * CDDL HEADER END
  21  *
  22  * Copyright 1989 Sun Microsystems, Inc.  All rights reserved.
  23  * Use is subject to license terms.
  24  */
  25 
  26 /*      Copyright (c) 1983, 1984, 1985, 1986, 1987, 1988, 1989 AT&T */
  27 /*        All Rights Reserved   */
  28 
  29 /*
  30  * Portions of this source code were derived from Berkeley 4.3 BSD
  31  * under license from the Regents of the University of California.
  32  */
  33 
  34 #ident  "%Z%%M% %I%     %E% SMI"
  35 
  36 /*
  37  * Warning!  Things are arranged very carefully in this file to
  38  * allow read-only data to be moved to the text segment.  The
  39  * various DES tables must appear before any function definitions
  40  * (this is arranged by including them immediately below) and partab
  41  * must also appear before and function definitions
  42  * This arrangement allows all data up through the first text to
  43  * be moved to text.
  44  */
  45 
  46 /*
  47  * Fast (?) software implementation of DES
  48  * Has been seen going at 2000 bytes/sec on a Sun-2
  49  * Works on a VAX too.
  50  * Won't work without 8 bit chars and 32 bit longs
  51  */
  52 
  53 #include <sys/types.h>
  54 #include <des/des.h>
  55 #include <des/softdes.h>
  56 #include <des/desdata.h>
  57 #include <sys/debug.h>
  58 
  59 static void des_setkey(u_char userkey[8], struct deskeydata *kd,
  60     unsigned int dir);
  61 static void des_encrypt(u_char *data, struct deskeydata *kd);
  62 
  63 #define btst(k, b)      (k[b >> 3] & (0x80 >> (b & 07)))
  64 #define BIT28   (1<<28)
  65 
  66 /*
  67  * Software encrypt or decrypt a block of data (multiple of 8 bytes)
  68  * Do the CBC ourselves if needed.
  69  */
  70 /* ARGSUSED */
  71 int
  72 _des_crypt(char *buf, size_t len, struct desparams *desp)
  73 {
  74         short i;
  75         uint_t mode;
  76         uint_t dir;
  77         char nextiv[8];
  78         struct deskeydata softkey;
  79 
  80         mode = desp->des_mode;
  81         dir = desp->des_dir;
  82         des_setkey(desp->des_key, &softkey, dir);
  83         while (len != 0) {
  84                 switch (mode) {
  85                 case CBC:
  86                         switch (dir) {
  87                         case ENCRYPT:
  88                                 for (i = 0; i < 8; i++)
  89                                         buf[i] ^= desp->des_ivec[i];
  90                                 des_encrypt((u_char *)buf, &softkey);
  91                                 for (i = 0; i < 8; i++)
  92                                         desp->des_ivec[i] = buf[i];
  93                                 break;
  94                         case DECRYPT:
  95                                 for (i = 0; i < 8; i++)
  96                                         nextiv[i] = buf[i];
  97                                 des_encrypt((u_char *)buf, &softkey);
  98                                 for (i = 0; i < 8; i++) {
  99                                         buf[i] ^= desp->des_ivec[i];
 100                                         desp->des_ivec[i] = nextiv[i];
 101                                 }
 102                                 break;
 103                         }
 104                         break;
 105                 case ECB:
 106                         des_encrypt((u_char *)buf, &softkey);
 107                         break;
 108                 }
 109                 buf += 8;
 110                 len -= 8;
 111         }
 112         return (1);
 113 }
 114 
 115 
 116 /*
 117  * Set the key and direction for an encryption operation
 118  * We build the 16 key entries here
 119  */
 120 /* ARGSUSED */
 121 static void
 122 des_setkey(u_char userkey[8], struct deskeydata *kd, unsigned int dir)
 123 {
 124         int32_t C, D;
 125         short i;
 126 
 127         /*
 128          * First, generate C and D by permuting
 129          * the key. The low order bit of each
 130          * 8-bit char is not used, so C and D are only 28
 131          * bits apiece.
 132          */
 133         {
 134                 short bit;
 135                 short *pcc = (short *)PC1_C, *pcd = (short *)PC1_D;
 136 
 137                 C = D = 0;
 138                 for (i = 0; i < 28; i++) {
 139                         C <<= 1;
 140                         D <<= 1;
 141                         bit = *pcc++;
 142                         if (btst(userkey, bit))
 143                                 C |= 1;
 144                         bit = *pcd++;
 145                         if (btst(userkey, bit))
 146                                 D |= 1;
 147                 }
 148         }
 149         /*
 150          * To generate Ki, rotate C and D according
 151          * to schedule and pick up a permutation
 152          * using PC2.
 153          */
 154         for (i = 0; i < 16; i++) {
 155                 chunk_t *c;
 156                 short j, k, bit;
 157                 int bbit;
 158 
 159                 /*
 160                  * Do the "left shift" (rotate)
 161                  * We know we always rotate by either 1 or 2 bits
 162                  * the shifts table tells us if its 2
 163                  */
 164                 C <<= 1;
 165                 if (C & BIT28)
 166                         C |= 1;
 167                 D <<= 1;
 168                 if (D & BIT28)
 169                         D |= 1;
 170                 if (shifts[i]) {
 171                         C <<= 1;
 172                         if (C & BIT28)
 173                                 C |= 1;
 174                         D <<= 1;
 175                         if (D & BIT28)
 176                                 D |= 1;
 177                 }
 178                 /*
 179                  * get Ki. Note C and D are concatenated.
 180                  */
 181                 bit = 0;
 182                 switch (dir) {
 183                 case ENCRYPT:
 184                         c = &kd->keyval[i];
 185                         break;
 186                 case DECRYPT:
 187                         c = &kd->keyval[15 - i];
 188                         break;
 189                 }
 190                 c->long0 = 0;
 191                 c->long1 = 0;
 192                 bbit = (1 << 5) << 24;
 193                 for (j = 0; j < 4; j++) {
 194                         for (k = 0; k < 6; k++) {
 195                                 if (C & (BIT28 >> PC2_C[bit]))
 196                                         c->long0 |= bbit >> k;
 197                                 if (D & (BIT28 >> PC2_D[bit]))
 198                                         c->long1 |= bbit >> k;
 199                                 bit++;
 200                         }
 201                         bbit >>= 8;
 202                 }
 203         }
 204 }
 205 
 206 
 207 
 208 /*
 209  * Do an encryption operation
 210  * Much pain is taken (with preprocessor) to avoid loops so the compiler
 211  * can do address arithmetic instead of doing it at runtime.
 212  * Note that the byte-to-chunk conversion is necessary to guarantee
 213  * processor byte-order independence.
 214  */
 215 /* ARGSUSED */
 216 static void
 217 des_encrypt(u_char *data, struct deskeydata *kd)
 218 {
 219         chunk_t work1, work2;
 220 
 221         /*
 222          * Initial permutation
 223          * and byte to chunk conversion
 224          */
 225         {
 226                 const uint32_t *lp;
 227                 uint32_t l0, l1, w;
 228                 short i, pbit;
 229 
 230                 work1.byte0 = data[0];
 231                 work1.byte1 = data[1];
 232                 work1.byte2 = data[2];
 233                 work1.byte3 = data[3];
 234                 work1.byte4 = data[4];
 235                 work1.byte5 = data[5];
 236                 work1.byte6 = data[6];
 237                 work1.byte7 = data[7];
 238                 l0 = l1 = 0;
 239                 w = work1.long0;
 240                 for (lp = &longtab[0], i = 0; i < 32; i++) {
 241                         if (w & *lp++) {
 242                                 pbit = IPtab[i];
 243                                 if (pbit < 32)
 244                                         l0 |= longtab[pbit];
 245                                 else
 246                                         l1 |= longtab[pbit-32];
 247                         }
 248                 }
 249                 w = work1.long1;
 250                 for (lp = &longtab[0], i = 32; i < 64; i++) {
 251                         if (w & *lp++) {
 252                                 pbit = IPtab[i];
 253                                 if (pbit < 32)
 254                                         l0 |= longtab[pbit];
 255                                 else
 256                                         l1 |= longtab[pbit-32];
 257                         }
 258                 }
 259                 work2.long0 = l0;
 260                 work2.long1 = l1;
 261         }
 262 
 263 /*
 264  * Expand 8 bits of 32 bit R to 48 bit R
 265  */
 266 #ifdef __STDC__
 267 #define do_R_to_ER(op, b) {                                     \
 268         struct R_to_ER *p =                                     \
 269             (struct R_to_ER *)&R_to_ER_tab[b][R.byte##b];   \
 270         e0 op p->l0;                                         \
 271         e1 op p->l1;                                         \
 272 }
 273 #else
 274 #define do_R_to_ER(op, b)       {                               \
 275         /*CSTYLED*/                                             \
 276         struct R_to_ER *p = &R_to_ER_tab[b][R.byte/**/b];   \
 277         e0 op p->l0;                                         \
 278         e1 op p->l1;                                         \
 279 }
 280 #endif
 281 
 282 /*
 283  * Inner part of the algorithm:
 284  * Expand R from 32 to 48 bits; xor key value;
 285  * apply S boxes; permute 32 bits of output
 286  */
 287 #define do_F(iter, inR, outR)   {                       \
 288         chunk_t R, ER;                                  \
 289         u_int e0, e1;                                   \
 290         R.long0 = inR;                                  \
 291         /*CSTYLED*/                                     \
 292         do_R_to_ER(=,0);                                \
 293         /*CSTYLED*/                                     \
 294         do_R_to_ER(|=,1);                               \
 295         /*CSTYLED*/                                     \
 296         do_R_to_ER(|=,2);                               \
 297         /*CSTYLED*/                                     \
 298         do_R_to_ER(|=,3);                               \
 299         ER.long0 = e0 ^ kd->keyval[iter].long0;              \
 300         ER.long1 = e1 ^ kd->keyval[iter].long1;              \
 301         R.long0 =                                       \
 302                 S_tab[0][ER.byte0] +                    \
 303                 S_tab[1][ER.byte1] +                    \
 304                 S_tab[2][ER.byte2] +                    \
 305                 S_tab[3][ER.byte3] +                    \
 306                 S_tab[4][ER.byte4] +                    \
 307                 S_tab[5][ER.byte5] +                    \
 308                 S_tab[6][ER.byte6] +                    \
 309                 S_tab[7][ER.byte7];                     \
 310         outR =                                          \
 311                 P_tab[0][R.byte0] +                     \
 312                 P_tab[1][R.byte1] +                     \
 313                 P_tab[2][R.byte2] +                     \
 314                 P_tab[3][R.byte3];                      \
 315 }
 316 
 317 /*
 318  * Do a cipher step
 319  * Apply inner part; do xor and exchange of 32 bit parts
 320  */
 321 #define cipher(iter, inR, inL, outR, outL)      {       \
 322         do_F(iter, inR, outR);                          \
 323         outR ^= inL;                                    \
 324         outL = inR;                                     \
 325 }
 326 
 327         /*
 328          * Apply the 16 ciphering steps
 329          */
 330         {
 331                 u_int r0, l0, r1, l1;
 332 
 333                 l0 = work2.long0;
 334                 r0 = work2.long1;
 335                 cipher(0, r0, l0, r1, l1);
 336                 cipher(1, r1, l1, r0, l0);
 337                 cipher(2, r0, l0, r1, l1);
 338                 cipher(3, r1, l1, r0, l0);
 339                 cipher(4, r0, l0, r1, l1);
 340                 cipher(5, r1, l1, r0, l0);
 341                 cipher(6, r0, l0, r1, l1);
 342                 cipher(7, r1, l1, r0, l0);
 343                 cipher(8, r0, l0, r1, l1);
 344                 cipher(9, r1, l1, r0, l0);
 345                 cipher(10, r0, l0, r1, l1);
 346                 cipher(11, r1, l1, r0, l0);
 347                 cipher(12, r0, l0, r1, l1);
 348                 cipher(13, r1, l1, r0, l0);
 349                 cipher(14, r0, l0, r1, l1);
 350                 cipher(15, r1, l1, r0, l0);
 351                 work1.long0 = r0;
 352                 work1.long1 = l0;
 353         }
 354 
 355         /*
 356          * Final permutation
 357          * and chunk to byte conversion
 358          */
 359         {
 360                 const uint32_t *lp;
 361                 uint32_t l0, l1, w;
 362                 short i, pbit;
 363 
 364                 l0 = l1 = 0;
 365                 w = work1.long0;
 366                 for (lp = &longtab[0], i = 0; i < 32; i++) {
 367                         if (w & *lp++) {
 368                                 pbit = FPtab[i];
 369                                 if (pbit < 32)
 370                                         l0 |= longtab[pbit];
 371                                 else
 372                                         l1 |= longtab[pbit-32];
 373                         }
 374                 }
 375                 w = work1.long1;
 376                 for (lp = &longtab[0], i = 32; i < 64; i++) {
 377                         if (w & *lp++) {
 378                                 pbit = FPtab[i];
 379                                 if (pbit < 32)
 380                                         l0 |= longtab[pbit];
 381                                 else
 382                                         l1 |= longtab[pbit-32];
 383                         }
 384                 }
 385                 work2.long0 = l0;
 386                 work2.long1 = l1;
 387         }
 388         data[0] = work2.byte0;
 389         data[1] = work2.byte1;
 390         data[2] = work2.byte2;
 391         data[3] = work2.byte3;
 392         data[4] = work2.byte4;
 393         data[5] = work2.byte5;
 394         data[6] = work2.byte6;
 395         data[7] = work2.byte7;
 396 }