1 /*
   2  * CDDL HEADER START
   3  *
   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License (the "License").
   6  * You may not use this file except in compliance with the License.
   7  *
   8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
   9  * or http://www.opensolaris.org/os/licensing.
  10  * See the License for the specific language governing permissions
  11  * and limitations under the License.
  12  *
  13  * When distributing Covered Code, include this CDDL HEADER in each
  14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  15  * If applicable, add the following below this CDDL HEADER, with the
  16  * fields enclosed by brackets "[]" replaced with your own identifying
  17  * information: Portions Copyright [yyyy] [name of copyright owner]
  18  *
  19  * CDDL HEADER END
  20  */
  21 
  22 /*
  23  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
  24  * Use is subject to license terms.
  25  */
  26 
  27 /*      Copyright (c) 1983, 1984, 1985, 1986, 1987, 1988, 1989 AT&T */
  28 /*        All Rights Reserved   */
  29 
  30 /*
  31  * Portions of this source code were derived from Berkeley 4.3 BSD
  32  * under license from the Regents of the University of California.
  33  */
  34 
  35 #pragma ident   "%Z%%M% %I%     %E% SMI"
  36 
  37 /*
  38  * Warning!  Things are arranged very carefully in this file to
  39  * allow read-only data to be moved to the text segment.  The
  40  * various DES tables must appear before any function definitions
  41  * (this is arranged by including them immediately below) and partab
  42  * must also appear before and function definitions
  43  * This arrangement allows all data up through the first text to
  44  * be moved to text.
  45  */
  46 
  47 #ifndef _KERNEL
  48 #define CRYPT   /* cannot configure out of user-level code */
  49 #endif
  50 
  51 #ifdef CRYPT
  52 #include <sys/types.h>
  53 #include <des/softdes.h>
  54 #include <des/desdata.h>
  55 
  56 #ifdef sun
  57 #include <sys/ioctl.h>
  58 #include <sys/des.h>
  59 #else
  60 #include <des/des.h>
  61 #endif
  62 
  63 #include "des_soft.h"
  64 
  65 /*
  66  * Fast (?) software implementation of DES
  67  * Has been seen going at 2000 bytes/sec on a Sun-2
  68  * Works on a VAX too.
  69  * Won't work without 8 bit chars and 32 bit longs
  70  */
  71 
  72 #define btst(k, b)      (k[b >> 3] & (0x80 >> (b & 07)))
  73 #define BIT28   (1<<28)
  74 
  75 
  76 #endif /* def CRYPT */
  77 
  78 static void des_setkey(uchar_t [8], struct deskeydata *, unsigned);
  79 static void des_encrypt(uchar_t *, struct deskeydata *);
  80 
  81 #ifndef _KERNEL
  82 /*
  83  * Table giving odd parity in the low bit for ASCII characters
  84  */
  85 static char partab[128] = {
  86         0x01, 0x01, 0x02, 0x02, 0x04, 0x04, 0x07, 0x07,
  87         0x08, 0x08, 0x0b, 0x0b, 0x0d, 0x0d, 0x0e, 0x0e,
  88         0x10, 0x10, 0x13, 0x13, 0x15, 0x15, 0x16, 0x16,
  89         0x19, 0x19, 0x1a, 0x1a, 0x1c, 0x1c, 0x1f, 0x1f,
  90         0x20, 0x20, 0x23, 0x23, 0x25, 0x25, 0x26, 0x26,
  91         0x29, 0x29, 0x2a, 0x2a, 0x2c, 0x2c, 0x2f, 0x2f,
  92         0x31, 0x31, 0x32, 0x32, 0x34, 0x34, 0x37, 0x37,
  93         0x38, 0x38, 0x3b, 0x3b, 0x3d, 0x3d, 0x3e, 0x3e,
  94         0x40, 0x40, 0x43, 0x43, 0x45, 0x45, 0x46, 0x46,
  95         0x49, 0x49, 0x4a, 0x4a, 0x4c, 0x4c, 0x4f, 0x4f,
  96         0x51, 0x51, 0x52, 0x52, 0x54, 0x54, 0x57, 0x57,
  97         0x58, 0x58, 0x5b, 0x5b, 0x5d, 0x5d, 0x5e, 0x5e,
  98         0x61, 0x61, 0x62, 0x62, 0x64, 0x64, 0x67, 0x67,
  99         0x68, 0x68, 0x6b, 0x6b, 0x6d, 0x6d, 0x6e, 0x6e,
 100         0x70, 0x70, 0x73, 0x73, 0x75, 0x75, 0x76, 0x76,
 101         0x79, 0x79, 0x7a, 0x7a, 0x7c, 0x7c, 0x7f, 0x7f,
 102 };
 103 
 104 
 105 
 106 /*
 107  * Add odd parity to low bit of 8 byte key
 108  */
 109 void
 110 des_setparity(char *p)
 111 {
 112         int i;
 113 
 114         for (i = 0; i < 8; i++) {
 115                 *p = partab[*p & 0x7f];
 116                 p++;
 117         }
 118 }
 119 #endif /* def _KERNEL */
 120 
 121 #ifdef CRYPT
 122 /*
 123  * Software encrypt or decrypt a block of data (multiple of 8 bytes)
 124  * Do the CBC ourselves if needed.
 125  */
 126 int
 127 __des_crypt(char *buf, unsigned int len, struct desparams *desp)
 128 {
 129         short i;
 130         unsigned mode;
 131         unsigned dir;
 132         char nextiv[8];
 133         struct deskeydata softkey;
 134 
 135         mode = (unsigned)desp->des_mode;
 136         dir = (unsigned)desp->des_dir;
 137         des_setkey(desp->des_key, &softkey, dir);
 138         while (len != 0) {
 139                 switch (mode) {
 140                 case CBC:
 141                         switch (dir) {
 142                         case ENCRYPT:
 143                                 for (i = 0; i < 8; i++)
 144                                         buf[i] ^= desp->des_ivec[i];
 145                                 des_encrypt((uchar_t *)buf, &softkey);
 146                                 for (i = 0; i < 8; i++)
 147                                         desp->des_ivec[i] = buf[i];
 148                                 break;
 149                         case DECRYPT:
 150                                 for (i = 0; i < 8; i++)
 151                                         nextiv[i] = buf[i];
 152                                 des_encrypt((uchar_t *)buf, &softkey);
 153                                 for (i = 0; i < 8; i++) {
 154                                         buf[i] ^= desp->des_ivec[i];
 155                                         desp->des_ivec[i] = nextiv[i];
 156                                 }
 157                                 break;
 158                         }
 159                         break;
 160                 case ECB:
 161                         des_encrypt((uchar_t *)buf, &softkey);
 162                         break;
 163                 }
 164                 buf += 8;
 165                 len -= 8;
 166         }
 167         return (1);
 168 }
 169 
 170 
 171 /*
 172  * Set the key and direction for an encryption operation
 173  * We build the 16 key entries here
 174  */
 175 static void
 176 des_setkey(uchar_t userkey[8], struct deskeydata *kd, unsigned int dir)
 177 {
 178         long C, D;
 179         short i;
 180 
 181         /*
 182          * First, generate C and D by permuting
 183          * the key. The low order bit of each
 184          * 8-bit char is not used, so C and D are only 28
 185          * bits apiece.
 186          */
 187         {
 188                 short bit;
 189                 const short *pcc = PC1_C, *pcd = PC1_D;
 190 
 191                 C = D = 0;
 192                 for (i = 0; i < 28; i++) {
 193                         C <<= 1;
 194                         D <<= 1;
 195                         bit = *pcc++;
 196                         if (btst(userkey, bit))
 197                                 C |= 1;
 198                         bit = *pcd++;
 199                         if (btst(userkey, bit))
 200                                 D |= 1;
 201                 }
 202         }
 203         /*
 204          * To generate Ki, rotate C and D according
 205          * to schedule and pick up a permutation
 206          * using PC2.
 207          */
 208         for (i = 0; i < 16; i++) {
 209                 chunk_t *c;
 210                 short j, k, bit;
 211                 long bbit;
 212 
 213                 /*
 214                  * Do the "left shift" (rotate)
 215                  * We know we always rotate by either 1 or 2 bits
 216                  * the shifts table tells us if its 2
 217                  */
 218                 C <<= 1;
 219                 if (C & BIT28)
 220                         C |= 1;
 221                 D <<= 1;
 222                 if (D & BIT28)
 223                         D |= 1;
 224                 if (shifts[i]) {
 225                         C <<= 1;
 226                         if (C & BIT28)
 227                                 C |= 1;
 228                         D <<= 1;
 229                         if (D & BIT28)
 230                                 D |= 1;
 231                 }
 232                 /*
 233                  * get Ki. Note C and D are concatenated.
 234                  */
 235                 bit = 0;
 236                 switch (dir) {
 237                 case ENCRYPT:
 238                         c = &kd->keyval[i]; break;
 239                 case DECRYPT:
 240                         c = &kd->keyval[15 - i]; break;
 241                 }
 242                 c->long0 = 0;
 243                 c->long1 = 0;
 244                 bbit = (1 << 5) << 24;
 245                 for (j = 0; j < 4; j++) {
 246                         for (k = 0; k < 6; k++) {
 247                                 if (C & (BIT28 >> PC2_C[bit]))
 248                                         c->long0 |= bbit >> k;
 249                                 if (D & (BIT28 >> PC2_D[bit]))
 250                                         c->long1 |= bbit >> k;
 251                                 bit++;
 252                         }
 253                         bbit >>= 8;
 254                 }
 255 
 256         }
 257 }
 258 
 259 
 260 
 261 /*
 262  * Do an encryption operation
 263  * Much pain is taken (with preprocessor) to avoid loops so the compiler
 264  * can do address arithmetic instead of doing it at runtime.
 265  * Note that the byte-to-chunk conversion is necessary to guarantee
 266  * processor byte-order independence.
 267  */
 268 static void
 269 des_encrypt(uchar_t *data, struct deskeydata *kd)
 270 {
 271         chunk_t work1, work2;
 272 
 273         /*
 274          * Initial permutation
 275          * and byte to chunk conversion
 276          */
 277         {
 278                 const uint32_t *lp;
 279                 uint32_t l0, l1, w;
 280                 short i, pbit;
 281 
 282                 work1.byte0 = data[0];
 283                 work1.byte1 = data[1];
 284                 work1.byte2 = data[2];
 285                 work1.byte3 = data[3];
 286                 work1.byte4 = data[4];
 287                 work1.byte5 = data[5];
 288                 work1.byte6 = data[6];
 289                 work1.byte7 = data[7];
 290                 l0 = l1 = 0;
 291                 w = work1.long0;
 292                 for (lp = &longtab[0], i = 0; i < 32; i++) {
 293                         if (w & *lp++) {
 294                                 pbit = IPtab[i];
 295                                 if (pbit < 32)
 296                                         l0 |= longtab[pbit];
 297                                 else
 298                                         l1 |= longtab[pbit-32];
 299                         }
 300                 }
 301                 w = work1.long1;
 302                 for (lp = &longtab[0], i = 32; i < 64; i++) {
 303                         if (w & *lp++) {
 304                                 pbit = IPtab[i];
 305                                 if (pbit < 32)
 306                                         l0 |= longtab[pbit];
 307                                 else
 308                                         l1 |= longtab[pbit-32];
 309                         }
 310                 }
 311                 work2.long0 = l0;
 312                 work2.long1 = l1;
 313         }
 314 
 315 /*
 316  * Expand 8 bits of 32 bit R to 48 bit R
 317  */
 318 #define do_R_to_ER(op, b)       {                       \
 319         const struct R_to_ER *p = &R_to_ER_tab[b][R.byte##b];       \
 320         e0 op p->l0;                         \
 321         e1 op p->l1;                         \
 322 }
 323 
 324 /*
 325  * Inner part of the algorithm:
 326  * Expand R from 32 to 48 bits; xor key value;
 327  * apply S boxes; permute 32 bits of output
 328  */
 329 #define do_F(iter, inR, outR)   {                       \
 330         chunk_t R, ER;                                  \
 331         uint32_t e0, e1;                                \
 332         R.long0 = inR;                                  \
 333         /* CSTYLED */                                   \
 334         do_R_to_ER(=, 0);                               \
 335         /* CSTYLED */                                   \
 336         do_R_to_ER(|=, 1);                              \
 337         /* CSTYLED */                                   \
 338         do_R_to_ER(|=, 2);                              \
 339         /* CSTYLED */                                   \
 340         do_R_to_ER(|=, 3);                              \
 341         ER.long0 = e0 ^ kd->keyval[iter].long0;              \
 342         ER.long1 = e1 ^ kd->keyval[iter].long1;              \
 343         R.long0 =                                       \
 344                 S_tab[0][ER.byte0] +                    \
 345                 S_tab[1][ER.byte1] +                    \
 346                 S_tab[2][ER.byte2] +                    \
 347                 S_tab[3][ER.byte3] +                    \
 348                 S_tab[4][ER.byte4] +                    \
 349                 S_tab[5][ER.byte5] +                    \
 350                 S_tab[6][ER.byte6] +                    \
 351                 S_tab[7][ER.byte7];                     \
 352         outR =                                          \
 353                 P_tab[0][R.byte0] +                     \
 354                 P_tab[1][R.byte1] +                     \
 355                 P_tab[2][R.byte2] +                     \
 356                 P_tab[3][R.byte3];                      \
 357 }
 358 
 359 /*
 360  * Do a cipher step
 361  * Apply inner part; do xor and exchange of 32 bit parts
 362  */
 363 #define cipher(iter, inR, inL, outR, outL)      {       \
 364         do_F(iter, inR, outR);                          \
 365         outR ^= inL;                                    \
 366         outL = inR;                                     \
 367 }
 368 
 369         /*
 370          * Apply the 16 ciphering steps
 371          */
 372         {
 373                 uint32_t r0, l0, r1, l1;
 374 
 375                 l0 = work2.long0;
 376                 r0 = work2.long1;
 377                 cipher(0, r0, l0, r1, l1);
 378                 cipher(1, r1, l1, r0, l0);
 379                 cipher(2, r0, l0, r1, l1);
 380                 cipher(3, r1, l1, r0, l0);
 381                 cipher(4, r0, l0, r1, l1);
 382                 cipher(5, r1, l1, r0, l0);
 383                 cipher(6, r0, l0, r1, l1);
 384                 cipher(7, r1, l1, r0, l0);
 385                 cipher(8, r0, l0, r1, l1);
 386                 cipher(9, r1, l1, r0, l0);
 387                 cipher(10, r0, l0, r1, l1);
 388                 cipher(11, r1, l1, r0, l0);
 389                 cipher(12, r0, l0, r1, l1);
 390                 cipher(13, r1, l1, r0, l0);
 391                 cipher(14, r0, l0, r1, l1);
 392                 cipher(15, r1, l1, r0, l0);
 393                 work1.long0 = r0;
 394                 work1.long1 = l0;
 395         }
 396 
 397         /*
 398          * Final permutation
 399          * and chunk to byte conversion
 400          */
 401         {
 402                 const uint32_t *lp;
 403                 uint32_t l0, l1, w;
 404                 short i, pbit;
 405 
 406                 l0 = l1 = 0;
 407                 w = work1.long0;
 408                 for (lp = &longtab[0], i = 0; i < 32; i++) {
 409                         if (w & *lp++) {
 410                                 pbit = FPtab[i];
 411                                 if (pbit < 32)
 412                                         l0 |= longtab[pbit];
 413                                 else
 414                                         l1 |= longtab[pbit-32];
 415                         }
 416                 }
 417                 w = work1.long1;
 418                 for (lp = &longtab[0], i = 32; i < 64; i++) {
 419                         if (w & *lp++) {
 420                                 pbit = FPtab[i];
 421                                 if (pbit < 32)
 422                                         l0 |= longtab[pbit];
 423                                 else
 424                                         l1 |= longtab[pbit-32];
 425                         }
 426                 }
 427                 work2.long0 = l0;
 428                 work2.long1 = l1;
 429         }
 430         data[0] = work2.byte0;
 431         data[1] = work2.byte1;
 432         data[2] = work2.byte2;
 433         data[3] = work2.byte3;
 434         data[4] = work2.byte4;
 435         data[5] = work2.byte5;
 436         data[6] = work2.byte6;
 437         data[7] = work2.byte7;
 438 }
 439 #endif /* def CRYPT */