1 /*
   2  * CDDL HEADER START
   3  *
   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License, Version 1.0 only
   6  * (the "License").  You may not use this file except in compliance
   7  * with the License.
   8  *
   9  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
  10  * or http://www.opensolaris.org/os/licensing.
  11  * See the License for the specific language governing permissions
  12  * and limitations under the License.
  13  *
  14  * When distributing Covered Code, include this CDDL HEADER in each
  15  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  16  * If applicable, add the following below this CDDL HEADER, with the
  17  * fields enclosed by brackets "[]" replaced with your own identifying
  18  * information: Portions Copyright [yyyy] [name of copyright owner]
  19  *
  20  * CDDL HEADER END
  21  */
  22 
  23 /*
  24  * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
  25  * Use is subject to license terms.
  26  */
  27 
  28 /* Copyright (c) 1984, 1986, 1987, 1988, 1989 AT&T */
  29 /* All Rights Reserved */
  30 
  31 /*
  32  * Portions of this source code were derived from Berkeley 4.3 BSD
  33  * under license from the Regents of the University of California.
  34  */
  35 
  36 #pragma ident   "%Z%%M% %I%     %E% SMI"
  37 
  38 /*
  39  * Warning!  Things are arranged very carefully in this file to
  40  * allow read-only data to be moved to the text segment.  The
  41  * various DES tables must appear before any function definitions
  42  * (this is arranged by including them immediately below) and partab
  43  * must also appear before and function definitions
  44  * This arrangement allows all data up through the first text to
  45  * be moved to text.
  46  */
  47 
  48 #include "mt.h"
  49 #include <sys/types.h>
  50 #include <des/softdes.h>
  51 #include <des/desdata.h>
  52 #ifdef sun
  53 #include <sys/ioctl.h>
  54 #include <sys/des.h>
  55 #else
  56 #include <des/des.h>
  57 #endif
  58 #include <rpcsvc/nis_dhext.h>
  59 
  60 /*
  61  * Fast (?) software implementation of DES
  62  * Has been seen going at 2000 bytes/sec on a Sun-2
  63  * Works on a VAX too.
  64  * Won't work without 8 bit chars and 32 bit longs
  65  */
  66 
  67 #define btst(k, b)      (k[b >> 3] & (0x80 >> (b & 07)))
  68 #define BIT28   (1<<28)
  69 
  70 static int      __des_encrypt(uchar_t *, struct deskeydata *);
  71 static int      __des_setkey(uchar_t[8], struct deskeydata *, unsigned);
  72 
  73 
  74 /*
  75  * Table giving odd parity in the low bit for ASCII characters
  76  */
  77 const char partab[128] = {
  78         0x01, 0x01, 0x02, 0x02, 0x04, 0x04, 0x07, 0x07,
  79         0x08, 0x08, 0x0b, 0x0b, 0x0d, 0x0d, 0x0e, 0x0e,
  80         0x10, 0x10, 0x13, 0x13, 0x15, 0x15, 0x16, 0x16,
  81         0x19, 0x19, 0x1a, 0x1a, 0x1c, 0x1c, 0x1f, 0x1f,
  82         0x20, 0x20, 0x23, 0x23, 0x25, 0x25, 0x26, 0x26,
  83         0x29, 0x29, 0x2a, 0x2a, 0x2c, 0x2c, 0x2f, 0x2f,
  84         0x31, 0x31, 0x32, 0x32, 0x34, 0x34, 0x37, 0x37,
  85         0x38, 0x38, 0x3b, 0x3b, 0x3d, 0x3d, 0x3e, 0x3e,
  86         0x40, 0x40, 0x43, 0x43, 0x45, 0x45, 0x46, 0x46,
  87         0x49, 0x49, 0x4a, 0x4a, 0x4c, 0x4c, 0x4f, 0x4f,
  88         0x51, 0x51, 0x52, 0x52, 0x54, 0x54, 0x57, 0x57,
  89         0x58, 0x58, 0x5b, 0x5b, 0x5d, 0x5d, 0x5e, 0x5e,
  90         0x61, 0x61, 0x62, 0x62, 0x64, 0x64, 0x67, 0x67,
  91         0x68, 0x68, 0x6b, 0x6b, 0x6d, 0x6d, 0x6e, 0x6e,
  92         0x70, 0x70, 0x73, 0x73, 0x75, 0x75, 0x76, 0x76,
  93         0x79, 0x79, 0x7a, 0x7a, 0x7c, 0x7c, 0x7f, 0x7f,
  94 };
  95 
  96 /*
  97  * Add odd parity to low bit of 8 byte key
  98  */
  99 void
 100 des_setparity(char *p)
 101 {
 102         int i;
 103 
 104         for (i = 0; i < 8; i++) {
 105                 *p = partab[*p & 0x7f];
 106                 p++;
 107         }
 108 }
 109 
 110 static const unsigned char partab_g[256] = {
 111         0x01, 0x01, 0x02, 0x02, 0x04, 0x04, 0x07, 0x07,
 112         0x08, 0x08, 0x0b, 0x0b, 0x0d, 0x0d, 0x0e, 0x0e,
 113         0x10, 0x10, 0x13, 0x13, 0x15, 0x15, 0x16, 0x16,
 114         0x19, 0x19, 0x1a, 0x1a, 0x1c, 0x1c, 0x1f, 0x1f,
 115         0x20, 0x20, 0x23, 0x23, 0x25, 0x25, 0x26, 0x26,
 116         0x29, 0x29, 0x2a, 0x2a, 0x2c, 0x2c, 0x2f, 0x2f,
 117         0x31, 0x31, 0x32, 0x32, 0x34, 0x34, 0x37, 0x37,
 118         0x38, 0x38, 0x3b, 0x3b, 0x3d, 0x3d, 0x3e, 0x3e,
 119         0x40, 0x40, 0x43, 0x43, 0x45, 0x45, 0x46, 0x46,
 120         0x49, 0x49, 0x4a, 0x4a, 0x4c, 0x4c, 0x4f, 0x4f,
 121         0x51, 0x51, 0x52, 0x52, 0x54, 0x54, 0x57, 0x57,
 122         0x58, 0x58, 0x5b, 0x5b, 0x5d, 0x5d, 0x5e, 0x5e,
 123         0x61, 0x61, 0x62, 0x62, 0x64, 0x64, 0x67, 0x67,
 124         0x68, 0x68, 0x6b, 0x6b, 0x6d, 0x6d, 0x6e, 0x6e,
 125         0x70, 0x70, 0x73, 0x73, 0x75, 0x75, 0x76, 0x76,
 126         0x79, 0x79, 0x7a, 0x7a, 0x7c, 0x7c, 0x7f, 0x7f,
 127         0x80, 0x80, 0x83, 0x83, 0x85, 0x85, 0x86, 0x86,
 128         0x89, 0x89, 0x8a, 0x8a, 0x8c, 0x8c, 0x8f, 0x8f,
 129         0x91, 0x91, 0x92, 0x92, 0x94, 0x94, 0x97, 0x97,
 130         0x98, 0x98, 0x9b, 0x9b, 0x9d, 0x9d, 0x9e, 0x9e,
 131         0xa1, 0xa1, 0xa2, 0xa2, 0xa4, 0xa4, 0xa7, 0xa7,
 132         0xa8, 0xa8, 0xab, 0xab, 0xad, 0xad, 0xae, 0xae,
 133         0xb0, 0xb0, 0xb3, 0xb3, 0xb5, 0xb5, 0xb6, 0xb6,
 134         0xb9, 0xb9, 0xba, 0xba, 0xbc, 0xbc, 0xbf, 0xbf,
 135         0xc1, 0xc1, 0xc2, 0xc2, 0xc4, 0xc4, 0xc7, 0xc7,
 136         0xc8, 0xc8, 0xcb, 0xcb, 0xcd, 0xcd, 0xce, 0xce,
 137         0xd0, 0xd0, 0xd3, 0xd3, 0xd5, 0xd5, 0xd6, 0xd6,
 138         0xd9, 0xd9, 0xda, 0xda, 0xdc, 0xdc, 0xdf, 0xdf,
 139         0xe0, 0xe0, 0xe3, 0xe3, 0xe5, 0xe5, 0xe6, 0xe6,
 140         0xe9, 0xe9, 0xea, 0xea, 0xec, 0xec, 0xef, 0xef,
 141         0xf1, 0xf1, 0xf2, 0xf2, 0xf4, 0xf4, 0xf7, 0xf7,
 142         0xf8, 0xf8, 0xfb, 0xfb, 0xfd, 0xfd, 0xfe, 0xfe
 143 };
 144 
 145 /*
 146  * A corrected version of des_setparity (see bug 1149767).
 147  */
 148 void
 149 des_setparity_g(des_block *p)
 150 {
 151         int i;
 152 
 153         for (i = 0; i < 8; i++) {
 154                 (*p).c[i] = partab_g[(*p).c[i]];
 155         }
 156 }
 157 
 158 /*
 159  * Software encrypt or decrypt a block of data (multiple of 8 bytes)
 160  * Do the CBC ourselves if needed.
 161  */
 162 int
 163 __des_crypt(char *buf, unsigned len, struct desparams *desp)
 164 {
 165         short i;
 166         unsigned mode;
 167         unsigned dir;
 168         char nextiv[8];
 169         struct deskeydata softkey;
 170 
 171         mode = (unsigned)desp->des_mode;
 172         dir = (unsigned)desp->des_dir;
 173         (void) __des_setkey(desp->des_key, &softkey, dir);
 174         while (len != 0) {
 175                 switch (mode) {
 176                 case CBC:
 177                         switch (dir) {
 178                         case ENCRYPT:
 179                                 for (i = 0; i < 8; i++)
 180                                         buf[i] ^= desp->des_ivec[i];
 181                                 (void) __des_encrypt((uchar_t *)buf, &softkey);
 182                                 for (i = 0; i < 8; i++)
 183                                         desp->des_ivec[i] = buf[i];
 184                                 break;
 185                         case DECRYPT:
 186                                 for (i = 0; i < 8; i++)
 187                                         nextiv[i] = buf[i];
 188                                 (void) __des_encrypt((uchar_t *)buf, &softkey);
 189                                 for (i = 0; i < 8; i++) {
 190                                         buf[i] ^= desp->des_ivec[i];
 191                                         desp->des_ivec[i] = nextiv[i];
 192                                 }
 193                                 break;
 194                         }
 195                         break;
 196                 case ECB:
 197                         (void) __des_encrypt((uchar_t *)buf, &softkey);
 198                         break;
 199                 }
 200                 buf += 8;
 201                 len -= 8;
 202         }
 203         return (1);
 204 }
 205 
 206 
 207 /*
 208  * Set the key and direction for an encryption operation
 209  * We build the 16 key entries here
 210  */
 211 static int
 212 __des_setkey(uchar_t userkey[8], struct deskeydata *kd, unsigned dir)
 213 {
 214         int32_t C, D;
 215         short i;
 216 
 217         /*
 218          * First, generate C and D by permuting
 219          * the key. The low order bit of each
 220          * 8-bit char is not used, so C and D are only 28
 221          * bits apiece.
 222          */
 223         {
 224                 short bit;
 225                 const short *pcc = PC1_C, *pcd = PC1_D;
 226 
 227                 C = D = 0;
 228                 for (i = 0; i < 28; i++) {
 229                         C <<= 1;
 230                         D <<= 1;
 231                         bit = *pcc++;
 232                         if (btst(userkey, bit))
 233                                 C |= 1;
 234                         bit = *pcd++;
 235                         if (btst(userkey, bit))
 236                                 D |= 1;
 237                 }
 238         }
 239         /*
 240          * To generate Ki, rotate C and D according
 241          * to schedule and pick up a permutation
 242          * using PC2.
 243          */
 244         for (i = 0; i < 16; i++) {
 245                 chunk_t *c;
 246                 short j, k, bit;
 247                 uint32_t bbit;
 248 
 249                 /*
 250                  * Do the "left shift" (rotate)
 251                  * We know we always rotate by either 1 or 2 bits
 252                  * the shifts table tells us if its 2
 253                  */
 254                 C <<= 1;
 255                 if (C & BIT28)
 256                         C |= 1;
 257                 D <<= 1;
 258                 if (D & BIT28)
 259                         D |= 1;
 260                 if (shifts[i]) {
 261                         C <<= 1;
 262                         if (C & BIT28)
 263                                 C |= 1;
 264                         D <<= 1;
 265                         if (D & BIT28)
 266                                 D |= 1;
 267                 }
 268                 /*
 269                  * get Ki. Note C and D are concatenated.
 270                  */
 271                 bit = 0;
 272                 switch (dir) {
 273                 case ENCRYPT:
 274                         c = &kd->keyval[i]; break;
 275                 case DECRYPT:
 276                         c = &kd->keyval[15 - i]; break;
 277                 }
 278                 c->long0 = 0;
 279                 c->long1 = 0;
 280                 bbit = (1 << 5) << 24;
 281                 for (j = 0; j < 4; j++) {
 282                         for (k = 0; k < 6; k++) {
 283                                 if (C & (BIT28 >> PC2_C[bit]))
 284                                         c->long0 |= bbit >> k;
 285                                 if (D & (BIT28 >> PC2_D[bit]))
 286                                         c->long1 |= bbit >> k;
 287                                 bit++;
 288                         }
 289                         bbit >>= 8;
 290                 }
 291 
 292         }
 293         return (1);
 294 }
 295 
 296 
 297 
 298 /*
 299  * Do an encryption operation
 300  * Much pain is taken (with preprocessor) to avoid loops so the compiler
 301  * can do address arithmetic instead of doing it at runtime.
 302  * Note that the byte-to-chunk conversion is necessary to guarantee
 303  * processor byte-order independence.
 304  */
 305 static int
 306 __des_encrypt(uchar_t *data, struct deskeydata *kd)
 307 {
 308         chunk_t work1, work2;
 309 
 310         /*
 311          * Initial permutation
 312          * and byte to chunk conversion
 313          */
 314         {
 315                 const uint32_t *lp;
 316                 uint32_t l0, l1, w;
 317                 short i, pbit;
 318 
 319                 work1.byte0 = data[0];
 320                 work1.byte1 = data[1];
 321                 work1.byte2 = data[2];
 322                 work1.byte3 = data[3];
 323                 work1.byte4 = data[4];
 324                 work1.byte5 = data[5];
 325                 work1.byte6 = data[6];
 326                 work1.byte7 = data[7];
 327                 l0 = l1 = 0;
 328                 w = work1.long0;
 329                 for (lp = (uint32_t *)&longtab[0], i = 0; i < 32; i++) {
 330                         if (w & *lp++) {
 331                                 pbit = IPtab[i];
 332                                 if (pbit < 32)
 333                                         l0 |= longtab[pbit];
 334                                 else
 335                                         l1 |= longtab[pbit-32];
 336                         }
 337                 }
 338                 w = work1.long1;
 339                 for (lp = (uint32_t *)&longtab[0], i = 32; i < 64; i++) {
 340                         if (w & *lp++) {
 341                                 pbit = IPtab[i];
 342                                 if (pbit < 32)
 343                                         l0 |= longtab[pbit];
 344                                 else
 345                                         l1 |= longtab[pbit-32];
 346                         }
 347                 }
 348                 work2.long0 = l0;
 349                 work2.long1 = l1;
 350         }
 351 
 352 /*
 353  * Expand 8 bits of 32 bit R to 48 bit R
 354  */
 355 #define do_R_to_ER(op, b)       {                       \
 356         const struct R_to_ER *p = &R_to_ER_tab[b][R.byte##b];       \
 357         e0 op p->l0;                         \
 358         e1 op p->l1;                         \
 359 }
 360 
 361 /*
 362  * Inner part of the algorithm:
 363  * Expand R from 32 to 48 bits; xor key value;
 364  * apply S boxes; permute 32 bits of output
 365  */
 366 /* BEGIN CSTYLED */
 367 #define do_F(iter, inR, outR)   {                       \
 368         chunk_t R, ER;                                  \
 369         uint32_t e0, e1;                                \
 370         R.long0 = inR;                                  \
 371         do_R_to_ER(=, 0);                               \
 372         do_R_to_ER(|=, 1);                              \
 373         do_R_to_ER(|=, 2);                              \
 374         do_R_to_ER(|=, 3);                              \
 375         ER.long0 = e0 ^ kd->keyval[iter].long0;              \
 376         ER.long1 = e1 ^ kd->keyval[iter].long1;              \
 377         R.long0 =                                       \
 378                 S_tab[0][ER.byte0] +                    \
 379                 S_tab[1][ER.byte1] +                    \
 380                 S_tab[2][ER.byte2] +                    \
 381                 S_tab[3][ER.byte3] +                    \
 382                 S_tab[4][ER.byte4] +                    \
 383                 S_tab[5][ER.byte5] +                    \
 384                 S_tab[6][ER.byte6] +                    \
 385                 S_tab[7][ER.byte7];                     \
 386         outR =                                          \
 387                 P_tab[0][R.byte0] +                     \
 388                 P_tab[1][R.byte1] +                     \
 389                 P_tab[2][R.byte2] +                     \
 390                 P_tab[3][R.byte3];                      \
 391 }
 392 /* END CSTYLED */
 393 
 394 /*
 395  * Do a cipher step
 396  * Apply inner part; do xor and exchange of 32 bit parts
 397  */
 398 #define cipher(iter, inR, inL, outR, outL)      {       \
 399         do_F(iter, inR, outR);                          \
 400         outR ^= inL;                                    \
 401         outL = inR;                                     \
 402 }
 403 
 404         /*
 405          * Apply the 16 ciphering steps
 406          */
 407         {
 408                 uint32_t r0, l0, r1, l1;
 409 
 410                 l0 = work2.long0;
 411                 r0 = work2.long1;
 412                 cipher(0, r0, l0, r1, l1);
 413                 cipher(1, r1, l1, r0, l0);
 414                 cipher(2, r0, l0, r1, l1);
 415                 cipher(3, r1, l1, r0, l0);
 416                 cipher(4, r0, l0, r1, l1);
 417                 cipher(5, r1, l1, r0, l0);
 418                 cipher(6, r0, l0, r1, l1);
 419                 cipher(7, r1, l1, r0, l0);
 420                 cipher(8, r0, l0, r1, l1);
 421                 cipher(9, r1, l1, r0, l0);
 422                 cipher(10, r0, l0, r1, l1);
 423                 cipher(11, r1, l1, r0, l0);
 424                 cipher(12, r0, l0, r1, l1);
 425                 cipher(13, r1, l1, r0, l0);
 426                 cipher(14, r0, l0, r1, l1);
 427                 cipher(15, r1, l1, r0, l0);
 428                 work1.long0 = r0;
 429                 work1.long1 = l0;
 430         }
 431 
 432         /*
 433          * Final permutation
 434          * and chunk to byte conversion
 435          */
 436         {
 437                 uint32_t *lp;
 438                 uint32_t l0, l1, w;
 439                 short i, pbit;
 440 
 441                 l0 = l1 = 0;
 442                 w = work1.long0;
 443                 for (lp = (uint32_t *)&longtab[0], i = 0; i < 32; i++) {
 444                         if (w & *lp++) {
 445                                 pbit = FPtab[i];
 446                                 if (pbit < 32)
 447                                         l0 |= longtab[pbit];
 448                                 else
 449                                         l1 |= longtab[pbit-32];
 450                         }
 451                 }
 452                 w = work1.long1;
 453                 for (lp = (uint32_t *)&longtab[0], i = 32; i < 64; i++) {
 454                         if (w & *lp++) {
 455                                 pbit = FPtab[i];
 456                                 if (pbit < 32)
 457                                         l0 |= longtab[pbit];
 458                                 else
 459                                         l1 |= longtab[pbit-32];
 460                         }
 461                 }
 462                 work2.long0 = l0;
 463                 work2.long1 = l1;
 464         }
 465         data[0] = work2.byte0;
 466         data[1] = work2.byte1;
 467         data[2] = work2.byte2;
 468         data[3] = work2.byte3;
 469         data[4] = work2.byte4;
 470         data[5] = work2.byte5;
 471         data[6] = work2.byte6;
 472         data[7] = work2.byte7;
 473 
 474         return (1);
 475 }