1 /*
   2  * CDDL HEADER START
   3  *
   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License, Version 1.0 only
   6  * (the "License").  You may not use this file except in compliance
   7  * with the License.
   8  *
   9  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
  10  * or http://www.opensolaris.org/os/licensing.
  11  * See the License for the specific language governing permissions
  12  * and limitations under the License.
  13  *
  14  * When distributing Covered Code, include this CDDL HEADER in each
  15  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  16  * If applicable, add the following below this CDDL HEADER, with the
  17  * fields enclosed by brackets "[]" replaced with your own identifying
  18  * information: Portions Copyright [yyyy] [name of copyright owner]
  19  *
  20  * CDDL HEADER END
  21  *
  22  * Copyright 1989 Sun Microsystems, Inc.  All rights reserved.
  23  * Use is subject to license terms.
  24  */
  25 
  26 /*      Copyright (c) 1983, 1984, 1985, 1986, 1987, 1988, 1989 AT&T */
  27 /*        All Rights Reserved   */
  28 
  29 /*
  30  * Portions of this source code were derived from Berkeley 4.3 BSD
  31  * under license from the Regents of the University of California.
  32  */
  33 
  34 #ident  "%Z%%M% %I%     %E% SMI"
  35 
  36 /*
  37  * Warning!  Things are arranged very carefully in this file to
  38  * allow read-only data to be moved to the text segment.  The
  39  * various DES tables must appear before any function definitions
  40  * (this is arranged by including them immediately below) and partab
  41  * must also appear before and function definitions
  42  * This arrangement allows all data up through the first text to
  43  * be moved to text.
  44  */
  45 
  46 /*
  47  * Fast (?) software implementation of DES
  48  * Has been seen going at 2000 bytes/sec on a Sun-2
  49  * Works on a VAX too.
  50  * Won't work without 8 bit chars and 32 bit longs
  51  */
  52 
  53 #include <sys/types.h>
  54 #include <des/des.h>
  55 #include <des/softdes.h>
  56 #include <des/desdata.h>
  57 #include <sys/debug.h>
  58 
  59 static void des_setkey(u_char userkey[8], struct deskeydata *kd,
  60     unsigned int dir);
  61 static void des_encrypt(u_char *data, struct deskeydata *kd);
  62 
  63 /* EXPORT DELETE START */
  64 #define btst(k, b)      (k[b >> 3] & (0x80 >> (b & 07)))
  65 #define BIT28   (1<<28)
  66 /* EXPORT DELETE END */
  67 
  68 /*
  69  * Software encrypt or decrypt a block of data (multiple of 8 bytes)
  70  * Do the CBC ourselves if needed.
  71  */
  72 /* ARGSUSED */
  73 int
  74 _des_crypt(char *buf, size_t len, struct desparams *desp)
  75 {
  76 /* EXPORT DELETE START */
  77         short i;
  78         uint_t mode;
  79         uint_t dir;
  80         char nextiv[8];
  81         struct deskeydata softkey;
  82 
  83         mode = desp->des_mode;
  84         dir = desp->des_dir;
  85         des_setkey(desp->des_key, &softkey, dir);
  86         while (len != 0) {
  87                 switch (mode) {
  88                 case CBC:
  89                         switch (dir) {
  90                         case ENCRYPT:
  91                                 for (i = 0; i < 8; i++)
  92                                         buf[i] ^= desp->des_ivec[i];
  93                                 des_encrypt((u_char *)buf, &softkey);
  94                                 for (i = 0; i < 8; i++)
  95                                         desp->des_ivec[i] = buf[i];
  96                                 break;
  97                         case DECRYPT:
  98                                 for (i = 0; i < 8; i++)
  99                                         nextiv[i] = buf[i];
 100                                 des_encrypt((u_char *)buf, &softkey);
 101                                 for (i = 0; i < 8; i++) {
 102                                         buf[i] ^= desp->des_ivec[i];
 103                                         desp->des_ivec[i] = nextiv[i];
 104                                 }
 105                                 break;
 106                         }
 107                         break;
 108                 case ECB:
 109                         des_encrypt((u_char *)buf, &softkey);
 110                         break;
 111                 }
 112                 buf += 8;
 113                 len -= 8;
 114         }
 115 /* EXPORT DELETE END */
 116         return (1);
 117 }
 118 
 119 
 120 /*
 121  * Set the key and direction for an encryption operation
 122  * We build the 16 key entries here
 123  */
 124 /* ARGSUSED */
 125 static void
 126 des_setkey(u_char userkey[8], struct deskeydata *kd, unsigned int dir)
 127 {
 128 /* EXPORT DELETE START */
 129         int32_t C, D;
 130         short i;
 131 
 132         /*
 133          * First, generate C and D by permuting
 134          * the key. The low order bit of each
 135          * 8-bit char is not used, so C and D are only 28
 136          * bits apiece.
 137          */
 138         {
 139                 short bit;
 140                 short *pcc = (short *)PC1_C, *pcd = (short *)PC1_D;
 141 
 142                 C = D = 0;
 143                 for (i = 0; i < 28; i++) {
 144                         C <<= 1;
 145                         D <<= 1;
 146                         bit = *pcc++;
 147                         if (btst(userkey, bit))
 148                                 C |= 1;
 149                         bit = *pcd++;
 150                         if (btst(userkey, bit))
 151                                 D |= 1;
 152                 }
 153         }
 154         /*
 155          * To generate Ki, rotate C and D according
 156          * to schedule and pick up a permutation
 157          * using PC2.
 158          */
 159         for (i = 0; i < 16; i++) {
 160                 chunk_t *c;
 161                 short j, k, bit;
 162                 int bbit;
 163 
 164                 /*
 165                  * Do the "left shift" (rotate)
 166                  * We know we always rotate by either 1 or 2 bits
 167                  * the shifts table tells us if its 2
 168                  */
 169                 C <<= 1;
 170                 if (C & BIT28)
 171                         C |= 1;
 172                 D <<= 1;
 173                 if (D & BIT28)
 174                         D |= 1;
 175                 if (shifts[i]) {
 176                         C <<= 1;
 177                         if (C & BIT28)
 178                                 C |= 1;
 179                         D <<= 1;
 180                         if (D & BIT28)
 181                                 D |= 1;
 182                 }
 183                 /*
 184                  * get Ki. Note C and D are concatenated.
 185                  */
 186                 bit = 0;
 187                 switch (dir) {
 188                 case ENCRYPT:
 189                         c = &kd->keyval[i];
 190                         break;
 191                 case DECRYPT:
 192                         c = &kd->keyval[15 - i];
 193                         break;
 194                 }
 195                 c->long0 = 0;
 196                 c->long1 = 0;
 197                 bbit = (1 << 5) << 24;
 198                 for (j = 0; j < 4; j++) {
 199                         for (k = 0; k < 6; k++) {
 200                                 if (C & (BIT28 >> PC2_C[bit]))
 201                                         c->long0 |= bbit >> k;
 202                                 if (D & (BIT28 >> PC2_D[bit]))
 203                                         c->long1 |= bbit >> k;
 204                                 bit++;
 205                         }
 206                         bbit >>= 8;
 207                 }
 208         }
 209 /* EXPORT DELETE END */
 210 }
 211 
 212 
 213 
 214 /*
 215  * Do an encryption operation
 216  * Much pain is taken (with preprocessor) to avoid loops so the compiler
 217  * can do address arithmetic instead of doing it at runtime.
 218  * Note that the byte-to-chunk conversion is necessary to guarantee
 219  * processor byte-order independence.
 220  */
 221 /* ARGSUSED */
 222 static void
 223 des_encrypt(u_char *data, struct deskeydata *kd)
 224 {
 225 /* EXPORT DELETE START */
 226         chunk_t work1, work2;
 227 
 228         /*
 229          * Initial permutation
 230          * and byte to chunk conversion
 231          */
 232         {
 233                 const uint32_t *lp;
 234                 uint32_t l0, l1, w;
 235                 short i, pbit;
 236 
 237                 work1.byte0 = data[0];
 238                 work1.byte1 = data[1];
 239                 work1.byte2 = data[2];
 240                 work1.byte3 = data[3];
 241                 work1.byte4 = data[4];
 242                 work1.byte5 = data[5];
 243                 work1.byte6 = data[6];
 244                 work1.byte7 = data[7];
 245                 l0 = l1 = 0;
 246                 w = work1.long0;
 247                 for (lp = &longtab[0], i = 0; i < 32; i++) {
 248                         if (w & *lp++) {
 249                                 pbit = IPtab[i];
 250                                 if (pbit < 32)
 251                                         l0 |= longtab[pbit];
 252                                 else
 253                                         l1 |= longtab[pbit-32];
 254                         }
 255                 }
 256                 w = work1.long1;
 257                 for (lp = &longtab[0], i = 32; i < 64; i++) {
 258                         if (w & *lp++) {
 259                                 pbit = IPtab[i];
 260                                 if (pbit < 32)
 261                                         l0 |= longtab[pbit];
 262                                 else
 263                                         l1 |= longtab[pbit-32];
 264                         }
 265                 }
 266                 work2.long0 = l0;
 267                 work2.long1 = l1;
 268         }
 269 
 270 /*
 271  * Expand 8 bits of 32 bit R to 48 bit R
 272  */
 273 #ifdef __STDC__
 274 #define do_R_to_ER(op, b) {                                     \
 275         struct R_to_ER *p =                                     \
 276             (struct R_to_ER *)&R_to_ER_tab[b][R.byte##b];   \
 277         e0 op p->l0;                                         \
 278         e1 op p->l1;                                         \
 279 }
 280 #else
 281 #define do_R_to_ER(op, b)       {                               \
 282         /*CSTYLED*/                                             \
 283         struct R_to_ER *p = &R_to_ER_tab[b][R.byte/**/b];   \
 284         e0 op p->l0;                                         \
 285         e1 op p->l1;                                         \
 286 }
 287 #endif
 288 
 289 /*
 290  * Inner part of the algorithm:
 291  * Expand R from 32 to 48 bits; xor key value;
 292  * apply S boxes; permute 32 bits of output
 293  */
 294 #define do_F(iter, inR, outR)   {                       \
 295         chunk_t R, ER;                                  \
 296         u_int e0, e1;                                   \
 297         R.long0 = inR;                                  \
 298         /*CSTYLED*/                                     \
 299         do_R_to_ER(=,0);                                \
 300         /*CSTYLED*/                                     \
 301         do_R_to_ER(|=,1);                               \
 302         /*CSTYLED*/                                     \
 303         do_R_to_ER(|=,2);                               \
 304         /*CSTYLED*/                                     \
 305         do_R_to_ER(|=,3);                               \
 306         ER.long0 = e0 ^ kd->keyval[iter].long0;              \
 307         ER.long1 = e1 ^ kd->keyval[iter].long1;              \
 308         R.long0 =                                       \
 309                 S_tab[0][ER.byte0] +                    \
 310                 S_tab[1][ER.byte1] +                    \
 311                 S_tab[2][ER.byte2] +                    \
 312                 S_tab[3][ER.byte3] +                    \
 313                 S_tab[4][ER.byte4] +                    \
 314                 S_tab[5][ER.byte5] +                    \
 315                 S_tab[6][ER.byte6] +                    \
 316                 S_tab[7][ER.byte7];                     \
 317         outR =                                          \
 318                 P_tab[0][R.byte0] +                     \
 319                 P_tab[1][R.byte1] +                     \
 320                 P_tab[2][R.byte2] +                     \
 321                 P_tab[3][R.byte3];                      \
 322 }
 323 
 324 /*
 325  * Do a cipher step
 326  * Apply inner part; do xor and exchange of 32 bit parts
 327  */
 328 #define cipher(iter, inR, inL, outR, outL)      {       \
 329         do_F(iter, inR, outR);                          \
 330         outR ^= inL;                                    \
 331         outL = inR;                                     \
 332 }
 333 
 334         /*
 335          * Apply the 16 ciphering steps
 336          */
 337         {
 338                 u_int r0, l0, r1, l1;
 339 
 340                 l0 = work2.long0;
 341                 r0 = work2.long1;
 342                 cipher(0, r0, l0, r1, l1);
 343                 cipher(1, r1, l1, r0, l0);
 344                 cipher(2, r0, l0, r1, l1);
 345                 cipher(3, r1, l1, r0, l0);
 346                 cipher(4, r0, l0, r1, l1);
 347                 cipher(5, r1, l1, r0, l0);
 348                 cipher(6, r0, l0, r1, l1);
 349                 cipher(7, r1, l1, r0, l0);
 350                 cipher(8, r0, l0, r1, l1);
 351                 cipher(9, r1, l1, r0, l0);
 352                 cipher(10, r0, l0, r1, l1);
 353                 cipher(11, r1, l1, r0, l0);
 354                 cipher(12, r0, l0, r1, l1);
 355                 cipher(13, r1, l1, r0, l0);
 356                 cipher(14, r0, l0, r1, l1);
 357                 cipher(15, r1, l1, r0, l0);
 358                 work1.long0 = r0;
 359                 work1.long1 = l0;
 360         }
 361 
 362         /*
 363          * Final permutation
 364          * and chunk to byte conversion
 365          */
 366         {
 367                 const uint32_t *lp;
 368                 uint32_t l0, l1, w;
 369                 short i, pbit;
 370 
 371                 l0 = l1 = 0;
 372                 w = work1.long0;
 373                 for (lp = &longtab[0], i = 0; i < 32; i++) {
 374                         if (w & *lp++) {
 375                                 pbit = FPtab[i];
 376                                 if (pbit < 32)
 377                                         l0 |= longtab[pbit];
 378                                 else
 379                                         l1 |= longtab[pbit-32];
 380                         }
 381                 }
 382                 w = work1.long1;
 383                 for (lp = &longtab[0], i = 32; i < 64; i++) {
 384                         if (w & *lp++) {
 385                                 pbit = FPtab[i];
 386                                 if (pbit < 32)
 387                                         l0 |= longtab[pbit];
 388                                 else
 389                                         l1 |= longtab[pbit-32];
 390                         }
 391                 }
 392                 work2.long0 = l0;
 393                 work2.long1 = l1;
 394         }
 395         data[0] = work2.byte0;
 396         data[1] = work2.byte1;
 397         data[2] = work2.byte2;
 398         data[3] = work2.byte3;
 399         data[4] = work2.byte4;
 400         data[5] = work2.byte5;
 401         data[6] = work2.byte6;
 402         data[7] = work2.byte7;
 403 /* EXPORT DELETE END */
 404 }