xref: /illumos-gate/usr/src/lib/libcrypt/common/des_soft.c (revision 89b2a9fbeabf42fa54594df0e5927bcc50a07cc9)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 /*	Copyright (c) 1983, 1984, 1985, 1986, 1987, 1988, 1989 AT&T	*/
28 /*	  All Rights Reserved  	*/
29 
30 /*
31  * Portions of this source code were derived from Berkeley 4.3 BSD
32  * under license from the Regents of the University of California.
33  */
34 
35 #pragma ident	"%Z%%M%	%I%	%E% SMI"
36 
37 /*
38  * Warning!  Things are arranged very carefully in this file to
39  * allow read-only data to be moved to the text segment.  The
40  * various DES tables must appear before any function definitions
41  * (this is arranged by including them immediately below) and partab
42  * must also appear before any function definitions.
43  * This arrangement allows all data up through the first text to
44  * be moved to text.
45  */
46 
47 #ifndef _KERNEL
48 #define	CRYPT	/* cannot configure out of user-level code */
49 #endif
50 
51 #ifdef CRYPT
52 #include <sys/types.h>
53 #include <des/softdes.h>
54 #include <des/desdata.h>
55 
56 #ifdef sun
57 #include <sys/ioctl.h>
58 #include <sys/des.h>
59 #else
60 #include <des/des.h>
61 #endif
62 
63 #include "des_soft.h"
64 
65 /*
66  * Fast (?) software implementation of DES
67  * Has been seen going at 2000 bytes/sec on a Sun-2
68  * Works on a VAX too.
69  * Won't work without 8 bit chars and 32 bit longs
70  */
71 
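/*
 * btst(k, b) is nonzero when bit number b of the byte array k is set.
 * Bits are numbered from the most significant bit of k[0], so bit 0 is
 * 0x80 of k[0] and bit 63 is 0x01 of k[7].  Both arguments are fully
 * parenthesized so that an expression argument (for example "x | y")
 * cannot regroup with the shift, mask or subscript.  b is evaluated
 * twice; do not pass an argument with side effects.
 */
#define	btst(k, b)	((k)[(b) >> 3] & (0x80 >> ((b) & 07)))
/* Bit 28 of a long: one position above the 28 bits held in C and D. */
#define	BIT28	(1<<28)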
74 
75 
76 #endif /* def CRYPT */
77 
/*
 * Forward declarations of the file-local DES primitives.  Both are
 * defined further down, inside the CRYPT-only part of this file.
 */
static void des_setkey(uchar_t userkey[8], struct deskeydata *kd,
    unsigned int dir);
static void des_encrypt(uchar_t *data, struct deskeydata *kd);
80 
81 #ifndef	_KERNEL
/*
 * Odd-parity lookup used by des_setparity(), indexed by a 7-bit value.
 *
 * Entry i is (i & 0x7e) with the low bit chosen so that the result has
 * an odd number of one bits.  Entries therefore come in equal pairs
 * (the low bit of the index has no effect) and no entry has bit 7 set.
 */
static char partab[128] = {
	0x01, 0x01, 0x02, 0x02, 0x04, 0x04, 0x07, 0x07,
	0x08, 0x08, 0x0b, 0x0b, 0x0d, 0x0d, 0x0e, 0x0e,
	0x10, 0x10, 0x13, 0x13, 0x15, 0x15, 0x16, 0x16,
	0x19, 0x19, 0x1a, 0x1a, 0x1c, 0x1c, 0x1f, 0x1f,
	0x20, 0x20, 0x23, 0x23, 0x25, 0x25, 0x26, 0x26,
	0x29, 0x29, 0x2a, 0x2a, 0x2c, 0x2c, 0x2f, 0x2f,
	0x31, 0x31, 0x32, 0x32, 0x34, 0x34, 0x37, 0x37,
	0x38, 0x38, 0x3b, 0x3b, 0x3d, 0x3d, 0x3e, 0x3e,
	0x40, 0x40, 0x43, 0x43, 0x45, 0x45, 0x46, 0x46,
	0x49, 0x49, 0x4a, 0x4a, 0x4c, 0x4c, 0x4f, 0x4f,
	0x51, 0x51, 0x52, 0x52, 0x54, 0x54, 0x57, 0x57,
	0x58, 0x58, 0x5b, 0x5b, 0x5d, 0x5d, 0x5e, 0x5e,
	0x61, 0x61, 0x62, 0x62, 0x64, 0x64, 0x67, 0x67,
	0x68, 0x68, 0x6b, 0x6b, 0x6d, 0x6d, 0x6e, 0x6e,
	0x70, 0x70, 0x73, 0x73, 0x75, 0x75, 0x76, 0x76,
	0x79, 0x79, 0x7a, 0x7a, 0x7c, 0x7c, 0x7f, 0x7f,
};

/*
 * Rewrite each of the 8 key bytes at p, in place, so that it has odd
 * parity in its low bit.
 *
 * The byte is masked with 0x7f before the lookup and partab never
 * returns a value with bit 7 set, so bit 7 of every input byte is
 * discarded as well as bit 0.  Each output byte thus carries 6 bits of
 * the caller's key material (48 bits over the whole key), not the 7 bits
 * per byte that a DES key can hold.  Changing that would change the keys
 * existing callers derive, so it is documented here rather than altered.
 */
void
des_setparity(char *p)
{
	int idx;

	for (idx = 0; idx < 8; idx++)
		p[idx] = partab[p[idx] & 0x7f];
}
119 #endif /* ndef _KERNEL */
120 
121 #ifdef CRYPT
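/*
 * Software encrypt or decrypt a buffer in place, one 8-byte DES block
 * at a time.  CBC chaining is done here, around the single-block
 * primitive.
 *
 *	buf	data to transform; overwritten with the result
 *	len	size of buf in bytes; must be a multiple of 8
 *	desp	supplies des_key, des_dir (ENCRYPT or DECRYPT) and
 *		des_mode (CBC or ECB).  In CBC mode des_ivec is the
 *		chaining value on entry and is updated to the last
 *		ciphertext block, so a following call continues the chain.
 *
 * Returns 1 on success.  Returns 0, leaving buf and des_ivec untouched,
 * when len is not a multiple of 8 or when des_dir / des_mode is not one
 * of the values handled below.
 * NOTE(review): 1 was previously the only value ever returned; confirm
 * that callers treat 0 as failure.
 *
 * In ECB mode every block is transformed independently, so equal input
 * blocks give equal output blocks.
 */
int
__des_crypt(char *buf, unsigned int len, struct desparams *desp)
{
/* EXPORT DELETE START */
	short i;
	unsigned mode;
	unsigned dir;
	char nextiv[8];
	struct deskeydata softkey;

	mode = (unsigned)desp->des_mode;
	dir = (unsigned)desp->des_dir;

	/*
	 * len is unsigned and the loop below subtracts 8 per block, so a
	 * length that is not a multiple of 8 would wrap past zero instead
	 * of reaching it and the loop would run far beyond the end of buf.
	 */
	if ((len % 8) != 0)
		return (0);

	/*
	 * des_setkey() only selects a subkey slot for ENCRYPT and DECRYPT;
	 * with any other direction it would store through an unset
	 * pointer.  An unknown mode would fall through the switch below
	 * and report success without transforming the data.
	 */
	if (dir != ENCRYPT && dir != DECRYPT)
		return (0);
	if (mode != CBC && mode != ECB)
		return (0);

	des_setkey(desp->des_key, &softkey, dir);
	while (len != 0) {
		switch (mode) {
		case CBC:
			switch (dir) {
			case ENCRYPT:
				/* C[n] = E(P[n] ^ C[n-1]) */
				for (i = 0; i < 8; i++)
					buf[i] ^= desp->des_ivec[i];
				des_encrypt((uchar_t *)buf, &softkey);
				for (i = 0; i < 8; i++)
					desp->des_ivec[i] = buf[i];
				break;
			case DECRYPT:
				/*
				 * P[n] = D(C[n]) ^ C[n-1].  The ciphertext
				 * is saved first because buf is overwritten
				 * in place and it is the next chaining value.
				 */
				for (i = 0; i < 8; i++)
					nextiv[i] = buf[i];
				des_encrypt((uchar_t *)buf, &softkey);
				for (i = 0; i < 8; i++) {
					buf[i] ^= desp->des_ivec[i];
					desp->des_ivec[i] = nextiv[i];
				}
				break;
			}
			break;
		case ECB:
			des_encrypt((uchar_t *)buf, &softkey);
			break;
		}
		buf += 8;
		len -= 8;
	}
	/*
	 * NOTE(review): softkey (the expanded key schedule) and nextiv are
	 * left on the stack when this function returns; consider clearing
	 * them with a wipe the compiler cannot elide.
	 */
/* EXPORT DELETE END */
	return (1);
}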
171 
172 
/*
 * Expand an 8-byte key into the 16 per-round subkeys stored in kd.
 *
 * dir selects the order in which the subkeys are stored: ENCRYPT puts
 * subkey i in keyval[i], DECRYPT puts it in keyval[15 - i], so the same
 * block routine can run the rounds in either direction.
 *
 * NOTE(review): for any other dir the subkey pointer is never assigned
 * and the stores through it are undefined; callers must pass only
 * ENCRYPT or DECRYPT.
 */
static void
des_setkey(uchar_t userkey[8], struct deskeydata *kd, unsigned int dir)
{
/* EXPORT DELETE START */
	long C, D;
	short i;

	/*
	 * Build the two 28-bit halves C and D by picking key bits in
	 * PC1_C / PC1_D order.  The low order bit of each key byte is not
	 * used, which is why each half is only 28 bits.
	 */
	C = 0;
	D = 0;
	for (i = 0; i < 28; i++) {
		short src;

		C <<= 1;
		D <<= 1;
		src = PC1_C[i];
		if (btst(userkey, src))
			C |= 1;
		src = PC1_D[i];
		if (btst(userkey, src))
			D |= 1;
	}

	/*
	 * For each round, rotate C and D per the schedule and pick the
	 * subkey bits out of them with PC2.
	 */
	for (i = 0; i < 16; i++) {
		chunk_t *ki;
		short row, col, sel, turns;
		long mask;

		/*
		 * The "left shift" is a rotate by one bit, done twice when
		 * the shifts table says so.  The bit that leaves the 28-bit
		 * field lands in bit 28 and is copied back into bit 0.
		 * NOTE(review): C and D are never masked back to 28 bits,
		 * so older bits keep moving upward; where long is 32 bits
		 * wide they reach the sign bit.
		 */
		for (turns = shifts[i] ? 2 : 1; turns > 0; turns--) {
			C <<= 1;
			if (C & BIT28)
				C |= 1;
			D <<= 1;
			if (D & BIT28)
				D |= 1;
		}

		/*
		 * Choose where subkey i is stored.  There is deliberately
		 * no default case here; see the NOTE(review) in the header
		 * comment about other values of dir.
		 */
		switch (dir) {
		case ENCRYPT:
			ki = &kd->keyval[i];
			break;
		case DECRYPT:
			ki = &kd->keyval[15 - i];
			break;
		}
		ki->long0 = 0;
		ki->long1 = 0;

		/*
		 * Get Ki.  C fills long0 and D fills long1: four groups of
		 * six bits, each group placed in bits 5..0 of successive
		 * bytes starting with the most significant one.
		 */
		sel = 0;
		mask = (1 << 5) << 24;
		for (row = 0; row < 4; row++) {
			for (col = 0; col < 6; col++) {
				if (C & (BIT28 >> PC2_C[sel]))
					ki->long0 |= mask >> col;
				if (D & (BIT28 >> PC2_D[sel]))
					ki->long1 |= mask >> col;
				sel++;
			}
			mask >>= 8;
		}
	}
/* EXPORT DELETE END */
}
262 
263 
264 
/*
 * Transform one 8-byte block at data, in place, using the 16 subkeys in
 * kd.  The same routine serves both directions: des_setkey() stores the
 * subkeys in reverse order for DECRYPT, so running the rounds 0..15 here
 * undoes an encryption.
 *
 * The rounds are written out through preprocessor macros rather than a
 * loop so the compiler can do the address arithmetic at compile time.
 * The explicit byte-to-chunk and chunk-to-byte copies are what make the
 * result independent of processor byte order.
 *
 * NOTE(review): S_tab is indexed with bytes of (expanded R ^ subkey), so
 * which table entries are read depends on key material; nothing here
 * attempts constant-time behavior.
 */
static void
des_encrypt(uchar_t *data, struct deskeydata *kd)
{
/* EXPORT DELETE START */
	chunk_t blk, perm;

	/*
	 * Byte to chunk conversion, then the initial permutation:
	 * input bit n (tested with longtab[n]) moves to position IPtab[n].
	 */
	{
		uint32_t out0 = 0, out1 = 0;
		uint32_t word;
		short n, dst;

		blk.byte0 = data[0];
		blk.byte1 = data[1];
		blk.byte2 = data[2];
		blk.byte3 = data[3];
		blk.byte4 = data[4];
		blk.byte5 = data[5];
		blk.byte6 = data[6];
		blk.byte7 = data[7];

		/* input bits 0..31 */
		word = blk.long0;
		for (n = 0; n < 32; n++) {
			if ((word & longtab[n]) == 0)
				continue;
			dst = IPtab[n];
			if (dst < 32)
				out0 |= longtab[dst];
			else
				out1 |= longtab[dst - 32];
		}
		/* input bits 32..63 */
		word = blk.long1;
		for (n = 0; n < 32; n++) {
			if ((word & longtab[n]) == 0)
				continue;
			dst = IPtab[n + 32];
			if (dst < 32)
				out0 |= longtab[dst];
			else
				out1 |= longtab[dst - 32];
		}
		perm.long0 = out0;
		perm.long1 = out1;
	}

/*
 * Expand 8 bits of 32 bit R to 48 bit R
 * (byte number b of R selects a precomputed pair that is stored into,
 * or OR-ed into, e0/e1 depending on op)
 */
#define	do_R_to_ER(op, b)	{			\
	const struct R_to_ER *p = &R_to_ER_tab[b][R.byte##b];	\
	e0 op p->l0;				\
	e1 op p->l1;				\
}

/*
 * Inner part of the algorithm:
 * Expand R from 32 to 48 bits; xor key value;
 * apply S boxes; permute 32 bits of output
 */
#define	do_F(iter, inR, outR) 	{			\
	chunk_t R, ER;					\
	uint32_t e0, e1;				\
	R.long0 = inR;					\
	/* CSTYLED */					\
	do_R_to_ER(=, 0);				\
	/* CSTYLED */					\
	do_R_to_ER(|=, 1);				\
	/* CSTYLED */					\
	do_R_to_ER(|=, 2);				\
	/* CSTYLED */					\
	do_R_to_ER(|=, 3);				\
	ER.long0 = e0 ^ kd->keyval[iter].long0;		\
	ER.long1 = e1 ^ kd->keyval[iter].long1;		\
	R.long0 = 					\
		S_tab[0][ER.byte0] +			\
		S_tab[1][ER.byte1] +			\
		S_tab[2][ER.byte2] +			\
		S_tab[3][ER.byte3] +			\
		S_tab[4][ER.byte4] +			\
		S_tab[5][ER.byte5] +			\
		S_tab[6][ER.byte6] +			\
		S_tab[7][ER.byte7]; 			\
	outR = 						\
		P_tab[0][R.byte0] +			\
		P_tab[1][R.byte1] +			\
		P_tab[2][R.byte2] +			\
		P_tab[3][R.byte3]; 			\
}

/*
 * Do a cipher step
 * Apply inner part; do xor and exchange of 32 bit parts
 */
#define	cipher(iter, inR, inL, outR, outL)	{	\
	do_F(iter, inR, outR);				\
	outR ^= inL;					\
	outL = inR;					\
}

	/*
	 * Apply the 16 ciphering steps.  Two pairs of variables alternate
	 * as input and output so no copy is needed between rounds.
	 */
	{
		uint32_t r0, l0, r1, l1;

		l0 = perm.long0;
		r0 = perm.long1;
		cipher(0, r0, l0, r1, l1);
		cipher(1, r1, l1, r0, l0);
		cipher(2, r0, l0, r1, l1);
		cipher(3, r1, l1, r0, l0);
		cipher(4, r0, l0, r1, l1);
		cipher(5, r1, l1, r0, l0);
		cipher(6, r0, l0, r1, l1);
		cipher(7, r1, l1, r0, l0);
		cipher(8, r0, l0, r1, l1);
		cipher(9, r1, l1, r0, l0);
		cipher(10, r0, l0, r1, l1);
		cipher(11, r1, l1, r0, l0);
		cipher(12, r0, l0, r1, l1);
		cipher(13, r1, l1, r0, l0);
		cipher(14, r0, l0, r1, l1);
		cipher(15, r1, l1, r0, l0);
		/* the halves are stored swapped: R first, then L */
		blk.long0 = r0;
		blk.long1 = l0;
	}

	/*
	 * Final permutation (same scheme as the initial one, driven by
	 * FPtab), then chunk to byte conversion.
	 */
	{
		uint32_t out0 = 0, out1 = 0;
		uint32_t word;
		short n, dst;

		/* input bits 0..31 */
		word = blk.long0;
		for (n = 0; n < 32; n++) {
			if ((word & longtab[n]) == 0)
				continue;
			dst = FPtab[n];
			if (dst < 32)
				out0 |= longtab[dst];
			else
				out1 |= longtab[dst - 32];
		}
		/* input bits 32..63 */
		word = blk.long1;
		for (n = 0; n < 32; n++) {
			if ((word & longtab[n]) == 0)
				continue;
			dst = FPtab[n + 32];
			if (dst < 32)
				out0 |= longtab[dst];
			else
				out1 |= longtab[dst - 32];
		}
		perm.long0 = out0;
		perm.long1 = out1;
	}
	data[0] = perm.byte0;
	data[1] = perm.byte1;
	data[2] = perm.byte2;
	data[3] = perm.byte3;
	data[4] = perm.byte4;
	data[5] = perm.byte5;
	data[6] = perm.byte6;
	data[7] = perm.byte7;

/* EXPORT DELETE END */
}
446 #endif /* def CRYPT */
447