1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 27 /* Copyright (c) 1983, 1984, 1985, 1986, 1987, 1988, 1989 AT&T */ 28 /* All Rights Reserved */ 29 30 /* 31 * Portions of this source code were derived from Berkeley 4.3 BSD 32 * under license from the Regents of the University of California. 33 */ 34 35 #pragma ident "%Z%%M% %I% %E% SMI" 36 37 /* 38 * Warning! Things are arranged very carefully in this file to 39 * allow read-only data to be moved to the text segment. The 40 * various DES tables must appear before any function definitions 41 * (this is arranged by including them immediately below) and partab 42 * must also appear before and function definitions 43 * This arrangement allows all data up through the first text to 44 * be moved to text. 45 */ 46 47 #ifndef _KERNEL 48 #define CRYPT /* cannot configure out of user-level code */ 49 #endif 50 51 #ifdef CRYPT 52 #include <sys/types.h> 53 #include <des/softdes.h> 54 #include <des/desdata.h> 55 56 #ifdef sun 57 #include <sys/ioctl.h> 58 #include <sys/des.h> 59 #else 60 #include <des/des.h> 61 #endif 62 63 #include "des_soft.h" 64 65 /* 66 * Fast (?) software implementation of DES 67 * Has been seen going at 2000 bytes/sec on a Sun-2 68 * Works on a VAX too. 69 * Won't work without 8 bit chars and 32 bit longs 70 */ 71 72 #define btst(k, b) (k[b >> 3] & (0x80 >> (b & 07))) 73 #define BIT28 (1<<28) 74 75 76 #endif /* def CRYPT */ 77 78 static void des_setkey(uchar_t [8], struct deskeydata *, unsigned); 79 static void des_encrypt(uchar_t *, struct deskeydata *); 80 81 #ifndef _KERNEL 82 /* 83 * Table giving odd parity in the low bit for ASCII characters 84 */ 85 static char partab[128] = { 86 0x01, 0x01, 0x02, 0x02, 0x04, 0x04, 0x07, 0x07, 87 0x08, 0x08, 0x0b, 0x0b, 0x0d, 0x0d, 0x0e, 0x0e, 88 0x10, 0x10, 0x13, 0x13, 0x15, 0x15, 0x16, 0x16, 89 0x19, 0x19, 0x1a, 0x1a, 0x1c, 0x1c, 0x1f, 0x1f, 90 0x20, 0x20, 0x23, 0x23, 0x25, 0x25, 0x26, 0x26, 91 0x29, 0x29, 0x2a, 0x2a, 0x2c, 0x2c, 0x2f, 0x2f, 92 0x31, 0x31, 0x32, 0x32, 0x34, 0x34, 0x37, 0x37, 93 0x38, 0x38, 0x3b, 0x3b, 0x3d, 0x3d, 0x3e, 0x3e, 94 0x40, 0x40, 0x43, 0x43, 0x45, 0x45, 0x46, 0x46, 95 0x49, 0x49, 0x4a, 0x4a, 0x4c, 0x4c, 0x4f, 0x4f, 96 0x51, 0x51, 0x52, 0x52, 0x54, 0x54, 0x57, 0x57, 97 0x58, 0x58, 0x5b, 0x5b, 0x5d, 0x5d, 0x5e, 0x5e, 98 0x61, 0x61, 0x62, 0x62, 0x64, 0x64, 0x67, 0x67, 99 0x68, 0x68, 0x6b, 0x6b, 0x6d, 0x6d, 0x6e, 0x6e, 100 0x70, 0x70, 0x73, 0x73, 0x75, 0x75, 0x76, 0x76, 101 0x79, 0x79, 0x7a, 0x7a, 0x7c, 0x7c, 0x7f, 0x7f, 102 }; 103 104 105 106 /* 107 * Add odd parity to low bit of 8 byte key 108 */ 109 void 110 des_setparity(char *p) 111 { 112 int i; 113 114 for (i = 0; i < 8; i++) { 115 *p = partab[*p & 0x7f]; 116 p++; 117 } 118 } 119 #endif /* def _KERNEL */ 120 121 #ifdef CRYPT 122 /* 123 * Software encrypt or decrypt a block of data (multiple of 8 bytes) 124 * Do the CBC ourselves if needed. 125 */ 126 int 127 __des_crypt(char *buf, unsigned int len, struct desparams *desp) 128 { 129 short i; 130 unsigned mode; 131 unsigned dir; 132 char nextiv[8]; 133 struct deskeydata softkey; 134 135 mode = (unsigned)desp->des_mode; 136 dir = (unsigned)desp->des_dir; 137 des_setkey(desp->des_key, &softkey, dir); 138 while (len != 0) { 139 switch (mode) { 140 case CBC: 141 switch (dir) { 142 case ENCRYPT: 143 for (i = 0; i < 8; i++) 144 buf[i] ^= desp->des_ivec[i]; 145 des_encrypt((uchar_t *)buf, &softkey); 146 for (i = 0; i < 8; i++) 147 desp->des_ivec[i] = buf[i]; 148 break; 149 case DECRYPT: 150 for (i = 0; i < 8; i++) 151 nextiv[i] = buf[i]; 152 des_encrypt((uchar_t *)buf, &softkey); 153 for (i = 0; i < 8; i++) { 154 buf[i] ^= desp->des_ivec[i]; 155 desp->des_ivec[i] = nextiv[i]; 156 } 157 break; 158 } 159 break; 160 case ECB: 161 des_encrypt((uchar_t *)buf, &softkey); 162 break; 163 } 164 buf += 8; 165 len -= 8; 166 } 167 return (1); 168 } 169 170 171 /* 172 * Set the key and direction for an encryption operation 173 * We build the 16 key entries here 174 */ 175 static void 176 des_setkey(uchar_t userkey[8], struct deskeydata *kd, unsigned int dir) 177 { 178 long C, D; 179 short i; 180 181 /* 182 * First, generate C and D by permuting 183 * the key. The low order bit of each 184 * 8-bit char is not used, so C and D are only 28 185 * bits apiece. 186 */ 187 { 188 short bit; 189 const short *pcc = PC1_C, *pcd = PC1_D; 190 191 C = D = 0; 192 for (i = 0; i < 28; i++) { 193 C <<= 1; 194 D <<= 1; 195 bit = *pcc++; 196 if (btst(userkey, bit)) 197 C |= 1; 198 bit = *pcd++; 199 if (btst(userkey, bit)) 200 D |= 1; 201 } 202 } 203 /* 204 * To generate Ki, rotate C and D according 205 * to schedule and pick up a permutation 206 * using PC2. 207 */ 208 for (i = 0; i < 16; i++) { 209 chunk_t *c; 210 short j, k, bit; 211 long bbit; 212 213 /* 214 * Do the "left shift" (rotate) 215 * We know we always rotate by either 1 or 2 bits 216 * the shifts table tells us if its 2 217 */ 218 C <<= 1; 219 if (C & BIT28) 220 C |= 1; 221 D <<= 1; 222 if (D & BIT28) 223 D |= 1; 224 if (shifts[i]) { 225 C <<= 1; 226 if (C & BIT28) 227 C |= 1; 228 D <<= 1; 229 if (D & BIT28) 230 D |= 1; 231 } 232 /* 233 * get Ki. Note C and D are concatenated. 234 */ 235 bit = 0; 236 switch (dir) { 237 case ENCRYPT: 238 c = &kd->keyval[i]; break; 239 case DECRYPT: 240 c = &kd->keyval[15 - i]; break; 241 } 242 c->long0 = 0; 243 c->long1 = 0; 244 bbit = (1 << 5) << 24; 245 for (j = 0; j < 4; j++) { 246 for (k = 0; k < 6; k++) { 247 if (C & (BIT28 >> PC2_C[bit])) 248 c->long0 |= bbit >> k; 249 if (D & (BIT28 >> PC2_D[bit])) 250 c->long1 |= bbit >> k; 251 bit++; 252 } 253 bbit >>= 8; 254 } 255 256 } 257 } 258 259 260 261 /* 262 * Do an encryption operation 263 * Much pain is taken (with preprocessor) to avoid loops so the compiler 264 * can do address arithmetic instead of doing it at runtime. 265 * Note that the byte-to-chunk conversion is necessary to guarantee 266 * processor byte-order independence. 267 */ 268 static void 269 des_encrypt(uchar_t *data, struct deskeydata *kd) 270 { 271 chunk_t work1, work2; 272 273 /* 274 * Initial permutation 275 * and byte to chunk conversion 276 */ 277 { 278 const uint32_t *lp; 279 uint32_t l0, l1, w; 280 short i, pbit; 281 282 work1.byte0 = data[0]; 283 work1.byte1 = data[1]; 284 work1.byte2 = data[2]; 285 work1.byte3 = data[3]; 286 work1.byte4 = data[4]; 287 work1.byte5 = data[5]; 288 work1.byte6 = data[6]; 289 work1.byte7 = data[7]; 290 l0 = l1 = 0; 291 w = work1.long0; 292 for (lp = &longtab[0], i = 0; i < 32; i++) { 293 if (w & *lp++) { 294 pbit = IPtab[i]; 295 if (pbit < 32) 296 l0 |= longtab[pbit]; 297 else 298 l1 |= longtab[pbit-32]; 299 } 300 } 301 w = work1.long1; 302 for (lp = &longtab[0], i = 32; i < 64; i++) { 303 if (w & *lp++) { 304 pbit = IPtab[i]; 305 if (pbit < 32) 306 l0 |= longtab[pbit]; 307 else 308 l1 |= longtab[pbit-32]; 309 } 310 } 311 work2.long0 = l0; 312 work2.long1 = l1; 313 } 314 315 /* 316 * Expand 8 bits of 32 bit R to 48 bit R 317 */ 318 #define do_R_to_ER(op, b) { \ 319 const struct R_to_ER *p = &R_to_ER_tab[b][R.byte##b]; \ 320 e0 op p->l0; \ 321 e1 op p->l1; \ 322 } 323 324 /* 325 * Inner part of the algorithm: 326 * Expand R from 32 to 48 bits; xor key value; 327 * apply S boxes; permute 32 bits of output 328 */ 329 #define do_F(iter, inR, outR) { \ 330 chunk_t R, ER; \ 331 uint32_t e0, e1; \ 332 R.long0 = inR; \ 333 /* CSTYLED */ \ 334 do_R_to_ER(=, 0); \ 335 /* CSTYLED */ \ 336 do_R_to_ER(|=, 1); \ 337 /* CSTYLED */ \ 338 do_R_to_ER(|=, 2); \ 339 /* CSTYLED */ \ 340 do_R_to_ER(|=, 3); \ 341 ER.long0 = e0 ^ kd->keyval[iter].long0; \ 342 ER.long1 = e1 ^ kd->keyval[iter].long1; \ 343 R.long0 = \ 344 S_tab[0][ER.byte0] + \ 345 S_tab[1][ER.byte1] + \ 346 S_tab[2][ER.byte2] + \ 347 S_tab[3][ER.byte3] + \ 348 S_tab[4][ER.byte4] + \ 349 S_tab[5][ER.byte5] + \ 350 S_tab[6][ER.byte6] + \ 351 S_tab[7][ER.byte7]; \ 352 outR = \ 353 P_tab[0][R.byte0] + \ 354 P_tab[1][R.byte1] + \ 355 P_tab[2][R.byte2] + \ 356 P_tab[3][R.byte3]; \ 357 } 358 359 /* 360 * Do a cipher step 361 * Apply inner part; do xor and exchange of 32 bit parts 362 */ 363 #define cipher(iter, inR, inL, outR, outL) { \ 364 do_F(iter, inR, outR); \ 365 outR ^= inL; \ 366 outL = inR; \ 367 } 368 369 /* 370 * Apply the 16 ciphering steps 371 */ 372 { 373 uint32_t r0, l0, r1, l1; 374 375 l0 = work2.long0; 376 r0 = work2.long1; 377 cipher(0, r0, l0, r1, l1); 378 cipher(1, r1, l1, r0, l0); 379 cipher(2, r0, l0, r1, l1); 380 cipher(3, r1, l1, r0, l0); 381 cipher(4, r0, l0, r1, l1); 382 cipher(5, r1, l1, r0, l0); 383 cipher(6, r0, l0, r1, l1); 384 cipher(7, r1, l1, r0, l0); 385 cipher(8, r0, l0, r1, l1); 386 cipher(9, r1, l1, r0, l0); 387 cipher(10, r0, l0, r1, l1); 388 cipher(11, r1, l1, r0, l0); 389 cipher(12, r0, l0, r1, l1); 390 cipher(13, r1, l1, r0, l0); 391 cipher(14, r0, l0, r1, l1); 392 cipher(15, r1, l1, r0, l0); 393 work1.long0 = r0; 394 work1.long1 = l0; 395 } 396 397 /* 398 * Final permutation 399 * and chunk to byte conversion 400 */ 401 { 402 const uint32_t *lp; 403 uint32_t l0, l1, w; 404 short i, pbit; 405 406 l0 = l1 = 0; 407 w = work1.long0; 408 for (lp = &longtab[0], i = 0; i < 32; i++) { 409 if (w & *lp++) { 410 pbit = FPtab[i]; 411 if (pbit < 32) 412 l0 |= longtab[pbit]; 413 else 414 l1 |= longtab[pbit-32]; 415 } 416 } 417 w = work1.long1; 418 for (lp = &longtab[0], i = 32; i < 64; i++) { 419 if (w & *lp++) { 420 pbit = FPtab[i]; 421 if (pbit < 32) 422 l0 |= longtab[pbit]; 423 else 424 l1 |= longtab[pbit-32]; 425 } 426 } 427 work2.long0 = l0; 428 work2.long1 = l1; 429 } 430 data[0] = work2.byte0; 431 data[1] = work2.byte1; 432 data[2] = work2.byte2; 433 data[3] = work2.byte3; 434 data[4] = work2.byte4; 435 data[5] = work2.byte5; 436 data[6] = work2.byte6; 437 data[7] = work2.byte7; 438 } 439 #endif /* def CRYPT */