xref: /illumos-gate/usr/src/lib/libcrypt/common/des_soft.c (revision 141040e8a310da49386b596573e5dde5580572ec)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License, Version 1.0 only
6  * (the "License").  You may not use this file except in compliance
7  * with the License.
8  *
9  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10  * or http://www.opensolaris.org/os/licensing.
11  * See the License for the specific language governing permissions
12  * and limitations under the License.
13  *
14  * When distributing Covered Code, include this CDDL HEADER in each
15  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16  * If applicable, add the following below this CDDL HEADER, with the
17  * fields enclosed by brackets "[]" replaced with your own identifying
18  * information: Portions Copyright [yyyy] [name of copyright owner]
19  *
20  * CDDL HEADER END
21  */
22 
23 /*
24  * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
25  * Use is subject to license terms.
26  */
27 
28 /*	Copyright (c) 1983, 1984, 1985, 1986, 1987, 1988, 1989 AT&T	*/
29 /*	  All Rights Reserved  	*/
30 
31 /*
32  * Portions of this source code were derived from Berkeley 4.3 BSD
33  * under license from the Regents of the University of California.
34  */
35 
36 #pragma ident	"%Z%%M%	%I%	%E% SMI"
37 /*LINTLIBRARY*/
38 
39 /*
40  * Warning!  Things are arranged very carefully in this file to
41  * allow read-only data to be moved to the text segment.  The
42  * various DES tables must appear before any function definitions
43  * (this is arranged by including them immediately below) and partab
44  * must also appear before and function definitions
45  * This arrangement allows all data up through the first text to
46  * be moved to text.
47  */
48 
49 #ifndef _KERNEL
50 #define	CRYPT	/* cannot configure out of user-level code */
51 #endif
52 
53 #include "des_synonyms.h"
54 #ifdef CRYPT
55 #include <sys/types.h>
56 #include <des/softdes.h>
57 #include <des/desdata.h>
58 
59 #ifdef sun
60 #include <sys/ioctl.h>
61 #include <sys/des.h>
62 #else
63 #include <des/des.h>
64 #endif
65 
66 #include "des_soft.h"
67 
68 /*
69  * Fast (?) software implementation of DES
70  * Has been seen going at 2000 bytes/sec on a Sun-2
71  * Works on a VAX too.
72  * Won't work without 8 bit chars and 32 bit longs
73  */
74 
75 #define	btst(k, b)	(k[b >> 3] & (0x80 >> (b & 07)))
76 #define	BIT28	(1<<28)
77 
78 
79 #endif /* def CRYPT */
80 
81 static void des_setkey(u_char [8], struct deskeydata *, unsigned);
82 static void des_encrypt(u_char *, struct deskeydata *);
83 
84 #ifndef	_KERNEL
85 /*
86  * Table giving odd parity in the low bit for ASCII characters
87  */
88 static char partab[128] = {
89 	0x01, 0x01, 0x02, 0x02, 0x04, 0x04, 0x07, 0x07,
90 	0x08, 0x08, 0x0b, 0x0b, 0x0d, 0x0d, 0x0e, 0x0e,
91 	0x10, 0x10, 0x13, 0x13, 0x15, 0x15, 0x16, 0x16,
92 	0x19, 0x19, 0x1a, 0x1a, 0x1c, 0x1c, 0x1f, 0x1f,
93 	0x20, 0x20, 0x23, 0x23, 0x25, 0x25, 0x26, 0x26,
94 	0x29, 0x29, 0x2a, 0x2a, 0x2c, 0x2c, 0x2f, 0x2f,
95 	0x31, 0x31, 0x32, 0x32, 0x34, 0x34, 0x37, 0x37,
96 	0x38, 0x38, 0x3b, 0x3b, 0x3d, 0x3d, 0x3e, 0x3e,
97 	0x40, 0x40, 0x43, 0x43, 0x45, 0x45, 0x46, 0x46,
98 	0x49, 0x49, 0x4a, 0x4a, 0x4c, 0x4c, 0x4f, 0x4f,
99 	0x51, 0x51, 0x52, 0x52, 0x54, 0x54, 0x57, 0x57,
100 	0x58, 0x58, 0x5b, 0x5b, 0x5d, 0x5d, 0x5e, 0x5e,
101 	0x61, 0x61, 0x62, 0x62, 0x64, 0x64, 0x67, 0x67,
102 	0x68, 0x68, 0x6b, 0x6b, 0x6d, 0x6d, 0x6e, 0x6e,
103 	0x70, 0x70, 0x73, 0x73, 0x75, 0x75, 0x76, 0x76,
104 	0x79, 0x79, 0x7a, 0x7a, 0x7c, 0x7c, 0x7f, 0x7f,
105 };
106 
107 
108 
109 /*
110  * Add odd parity to low bit of 8 byte key
111  */
112 void
113 des_setparity(char *p)
114 {
115 	int i;
116 
117 	for (i = 0; i < 8; i++) {
118 		*p = partab[*p & 0x7f];
119 		p++;
120 	}
121 }
122 #endif /* def _KERNEL */
123 
124 #ifdef CRYPT
125 /*
126  * Software encrypt or decrypt a block of data (multiple of 8 bytes)
127  * Do the CBC ourselves if needed.
128  */
129 int
130 __des_crypt(char *buf, unsigned int len, struct desparams *desp)
131 {
132 /* EXPORT DELETE START */
133 	short i;
134 	unsigned mode;
135 	unsigned dir;
136 	char nextiv[8];
137 	struct deskeydata softkey;
138 
139 	mode = (unsigned) desp->des_mode;
140 	dir = (unsigned) desp->des_dir;
141 	des_setkey(desp->des_key, &softkey, dir);
142 	while (len != 0) {
143 		switch (mode) {
144 		case CBC:
145 			switch (dir) {
146 			case ENCRYPT:
147 				for (i = 0; i < 8; i++)
148 					buf[i] ^= desp->des_ivec[i];
149 				des_encrypt((u_char *)buf, &softkey);
150 				for (i = 0; i < 8; i++)
151 					desp->des_ivec[i] = buf[i];
152 				break;
153 			case DECRYPT:
154 				for (i = 0; i < 8; i++)
155 					nextiv[i] = buf[i];
156 				des_encrypt((u_char *)buf, &softkey);
157 				for (i = 0; i < 8; i++) {
158 					buf[i] ^= desp->des_ivec[i];
159 					desp->des_ivec[i] = nextiv[i];
160 				}
161 				break;
162 			}
163 			break;
164 		case ECB:
165 			des_encrypt((u_char *)buf, &softkey);
166 			break;
167 		}
168 		buf += 8;
169 		len -= 8;
170 	}
171 /* EXPORT DELETE END */
172 	return (1);
173 }
174 
175 
176 /*
177  * Set the key and direction for an encryption operation
178  * We build the 16 key entries here
179  */
180 static void
181 des_setkey(u_char userkey[8], struct deskeydata *kd, unsigned int dir)
182 {
183 /* EXPORT DELETE START */
184 	long C, D;
185 	short i;
186 
187 	/*
188 	 * First, generate C and D by permuting
189 	 * the key. The low order bit of each
190 	 * 8-bit char is not used, so C and D are only 28
191 	 * bits apiece.
192 	 */
193 	{
194 		short bit;
195 		const short *pcc = PC1_C, *pcd = PC1_D;
196 
197 		C = D = 0;
198 		for (i = 0; i < 28; i++) {
199 			C <<= 1;
200 			D <<= 1;
201 			bit = *pcc++;
202 			if (btst(userkey, bit))
203 				C |= 1;
204 			bit = *pcd++;
205 			if (btst(userkey, bit))
206 				D |= 1;
207 		}
208 	}
209 	/*
210 	 * To generate Ki, rotate C and D according
211 	 * to schedule and pick up a permutation
212 	 * using PC2.
213 	 */
214 	for (i = 0; i < 16; i++) {
215 		chunk_t *c;
216 		short j, k, bit;
217 		long bbit;
218 
219 		/*
220 		 * Do the "left shift" (rotate)
221 		 * We know we always rotate by either 1 or 2 bits
222 		 * the shifts table tells us if its 2
223 		 */
224 		C <<= 1;
225 		if (C & BIT28)
226 			C |= 1;
227 		D <<= 1;
228 		if (D & BIT28)
229 			D |= 1;
230 		if (shifts[i]) {
231 			C <<= 1;
232 			if (C & BIT28)
233 				C |= 1;
234 			D <<= 1;
235 			if (D & BIT28)
236 				D |= 1;
237 		}
238 		/*
239 		 * get Ki. Note C and D are concatenated.
240 		 */
241 		bit = 0;
242 		switch (dir) {
243 		case ENCRYPT:
244 			c = &kd->keyval[i]; break;
245 		case DECRYPT:
246 			c = &kd->keyval[15 - i]; break;
247 		}
248 		c->long0 = 0;
249 		c->long1 = 0;
250 		bbit = (1 << 5) << 24;
251 		for (j = 0; j < 4; j++) {
252 			for (k = 0; k < 6; k++) {
253 				if (C & (BIT28 >> PC2_C[bit]))
254 					c->long0 |= bbit >> k;
255 				if (D & (BIT28 >> PC2_D[bit]))
256 					c->long1 |= bbit >> k;
257 				bit++;
258 			}
259 			bbit >>= 8;
260 		}
261 
262 	}
263 /* EXPORT DELETE END */
264 	return;
265 }
266 
267 
268 
269 /*
270  * Do an encryption operation
271  * Much pain is taken (with preprocessor) to avoid loops so the compiler
272  * can do address arithmetic instead of doing it at runtime.
273  * Note that the byte-to-chunk conversion is necessary to guarantee
274  * processor byte-order independence.
275  */
276 static void
277 des_encrypt(u_char *data, struct deskeydata *kd)
278 {
279 /* EXPORT DELETE START */
280 	chunk_t work1, work2;
281 
282 	/*
283 	 * Initial permutation
284 	 * and byte to chunk conversion
285 	 */
286 	{
287 		const uint32_t *lp;
288 		uint32_t l0, l1, w;
289 		short i, pbit;
290 
291 		work1.byte0 = data[0];
292 		work1.byte1 = data[1];
293 		work1.byte2 = data[2];
294 		work1.byte3 = data[3];
295 		work1.byte4 = data[4];
296 		work1.byte5 = data[5];
297 		work1.byte6 = data[6];
298 		work1.byte7 = data[7];
299 		l0 = l1 = 0;
300 		w = work1.long0;
301 		for (lp = &longtab[0], i = 0; i < 32; i++) {
302 			if (w & *lp++) {
303 				pbit = IPtab[i];
304 				if (pbit < 32)
305 					l0 |= longtab[pbit];
306 				else
307 					l1 |= longtab[pbit-32];
308 			}
309 		}
310 		w = work1.long1;
311 		for (lp = &longtab[0], i = 32; i < 64; i++) {
312 			if (w & *lp++) {
313 				pbit = IPtab[i];
314 				if (pbit < 32)
315 					l0 |= longtab[pbit];
316 				else
317 					l1 |= longtab[pbit-32];
318 			}
319 		}
320 		work2.long0 = l0;
321 		work2.long1 = l1;
322 	}
323 
324 /*
325  * Expand 8 bits of 32 bit R to 48 bit R
326  */
327 #define	do_R_to_ER(op, b)	{			\
328 	const struct R_to_ER *p = &R_to_ER_tab[b][R.byte##b];	\
329 	e0 op p->l0;				\
330 	e1 op p->l1;				\
331 }
332 
333 /*
334  * Inner part of the algorithm:
335  * Expand R from 32 to 48 bits; xor key value;
336  * apply S boxes; permute 32 bits of output
337  */
338 #define	do_F(iter, inR, outR) 	{			\
339 	chunk_t R, ER;					\
340 	uint32_t e0, e1;				\
341 	R.long0 = inR;					\
342 	do_R_to_ER(=, 0);				\
343 	do_R_to_ER(|=, 1);				\
344 	do_R_to_ER(|=, 2);				\
345 	do_R_to_ER(|=, 3);				\
346 	ER.long0 = e0 ^ kd->keyval[iter].long0;		\
347 	ER.long1 = e1 ^ kd->keyval[iter].long1;		\
348 	R.long0 = 					\
349 		S_tab[0][ER.byte0] +			\
350 		S_tab[1][ER.byte1] +			\
351 		S_tab[2][ER.byte2] +			\
352 		S_tab[3][ER.byte3] +			\
353 		S_tab[4][ER.byte4] +			\
354 		S_tab[5][ER.byte5] +			\
355 		S_tab[6][ER.byte6] +			\
356 		S_tab[7][ER.byte7]; 			\
357 	outR = 						\
358 		P_tab[0][R.byte0] +			\
359 		P_tab[1][R.byte1] +			\
360 		P_tab[2][R.byte2] +			\
361 		P_tab[3][R.byte3]; 			\
362 }
363 
364 /*
365  * Do a cipher step
366  * Apply inner part; do xor and exchange of 32 bit parts
367  */
368 #define	cipher(iter, inR, inL, outR, outL)	{	\
369 	do_F(iter, inR, outR);				\
370 	outR ^= inL;					\
371 	outL = inR;					\
372 }
373 
374 	/*
375 	 * Apply the 16 ciphering steps
376 	 */
377 	{
378 		uint32_t r0, l0, r1, l1;
379 
380 		l0 = work2.long0;
381 		r0 = work2.long1;
382 		cipher(0, r0, l0, r1, l1);
383 		cipher(1, r1, l1, r0, l0);
384 		cipher(2, r0, l0, r1, l1);
385 		cipher(3, r1, l1, r0, l0);
386 		cipher(4, r0, l0, r1, l1);
387 		cipher(5, r1, l1, r0, l0);
388 		cipher(6, r0, l0, r1, l1);
389 		cipher(7, r1, l1, r0, l0);
390 		cipher(8, r0, l0, r1, l1);
391 		cipher(9, r1, l1, r0, l0);
392 		cipher(10, r0, l0, r1, l1);
393 		cipher(11, r1, l1, r0, l0);
394 		cipher(12, r0, l0, r1, l1);
395 		cipher(13, r1, l1, r0, l0);
396 		cipher(14, r0, l0, r1, l1);
397 		cipher(15, r1, l1, r0, l0);
398 		work1.long0 = r0;
399 		work1.long1 = l0;
400 	}
401 
402 	/*
403 	 * Final permutation
404 	 * and chunk to byte conversion
405 	 */
406 	{
407 		const uint32_t *lp;
408 		uint32_t l0, l1, w;
409 		short i, pbit;
410 
411 		l0 = l1 = 0;
412 		w = work1.long0;
413 		for (lp = &longtab[0], i = 0; i < 32; i++) {
414 			if (w & *lp++) {
415 				pbit = FPtab[i];
416 				if (pbit < 32)
417 					l0 |= longtab[pbit];
418 				else
419 					l1 |= longtab[pbit-32];
420 			}
421 		}
422 		w = work1.long1;
423 		for (lp = &longtab[0], i = 32; i < 64; i++) {
424 			if (w & *lp++) {
425 				pbit = FPtab[i];
426 				if (pbit < 32)
427 					l0 |= longtab[pbit];
428 				else
429 					l1 |= longtab[pbit-32];
430 			}
431 		}
432 		work2.long0 = l0;
433 		work2.long1 = l1;
434 	}
435 	data[0] = work2.byte0;
436 	data[1] = work2.byte1;
437 	data[2] = work2.byte2;
438 	data[3] = work2.byte3;
439 	data[4] = work2.byte4;
440 	data[5] = work2.byte5;
441 	data[6] = work2.byte6;
442 	data[7] = work2.byte7;
443 
444 /* EXPORT DELETE END */
445 	return;
446 }
447 #endif /* def CRYPT */
448