xref: /illumos-gate/usr/src/lib/libcrypt/common/des_soft.c (revision f37b3cbb6f67aaea5eec1c335bdc7bf432867d64) 
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 /*	Copyright (c) 1983, 1984, 1985, 1986, 1987, 1988, 1989 AT&T	*/
28 /*	  All Rights Reserved  	*/
29 
30 /*
31  * Portions of this source code were derived from Berkeley 4.3 BSD
32  * under license from the Regents of the University of California.
33  */
34 
35 /*
36  * Warning!  Things are arranged very carefully in this file to
37  * allow read-only data to be moved to the text segment.  The
38  * various DES tables must appear before any function definitions
39  * (this is arranged by including them immediately below) and partab
40  * must also appear before and function definitions
41  * This arrangement allows all data up through the first text to
42  * be moved to text.
43  */
44 
45 #ifndef _KERNEL
46 #define	CRYPT	/* cannot configure out of user-level code */
47 #endif
48 
49 #ifdef CRYPT
50 #include <sys/types.h>
51 #include <des/softdes.h>
52 #include <des/desdata.h>
53 
54 #ifdef sun
55 #include <sys/ioctl.h>
56 #include <sys/des.h>
57 #else
58 #include <des/des.h>
59 #endif
60 
61 #include "des_soft.h"
62 
63 /*
64  * Fast (?) software implementation of DES
65  * Has been seen going at 2000 bytes/sec on a Sun-2
66  * Works on a VAX too.
67  * Won't work without 8 bit chars and 32 bit longs
68  */
69 
70 #define	btst(k, b)	(k[b >> 3] & (0x80 >> (b & 07)))
71 #define	BIT28	(1<<28)
72 
73 
74 #endif /* def CRYPT */
75 
76 static void des_setkey(uchar_t [8], struct deskeydata *, unsigned);
77 static void des_encrypt(uchar_t *, struct deskeydata *);
78 
79 #ifndef	_KERNEL
80 /*
81  * Table giving odd parity in the low bit for ASCII characters
82  */
83 static char partab[128] = {
84 	0x01, 0x01, 0x02, 0x02, 0x04, 0x04, 0x07, 0x07,
85 	0x08, 0x08, 0x0b, 0x0b, 0x0d, 0x0d, 0x0e, 0x0e,
86 	0x10, 0x10, 0x13, 0x13, 0x15, 0x15, 0x16, 0x16,
87 	0x19, 0x19, 0x1a, 0x1a, 0x1c, 0x1c, 0x1f, 0x1f,
88 	0x20, 0x20, 0x23, 0x23, 0x25, 0x25, 0x26, 0x26,
89 	0x29, 0x29, 0x2a, 0x2a, 0x2c, 0x2c, 0x2f, 0x2f,
90 	0x31, 0x31, 0x32, 0x32, 0x34, 0x34, 0x37, 0x37,
91 	0x38, 0x38, 0x3b, 0x3b, 0x3d, 0x3d, 0x3e, 0x3e,
92 	0x40, 0x40, 0x43, 0x43, 0x45, 0x45, 0x46, 0x46,
93 	0x49, 0x49, 0x4a, 0x4a, 0x4c, 0x4c, 0x4f, 0x4f,
94 	0x51, 0x51, 0x52, 0x52, 0x54, 0x54, 0x57, 0x57,
95 	0x58, 0x58, 0x5b, 0x5b, 0x5d, 0x5d, 0x5e, 0x5e,
96 	0x61, 0x61, 0x62, 0x62, 0x64, 0x64, 0x67, 0x67,
97 	0x68, 0x68, 0x6b, 0x6b, 0x6d, 0x6d, 0x6e, 0x6e,
98 	0x70, 0x70, 0x73, 0x73, 0x75, 0x75, 0x76, 0x76,
99 	0x79, 0x79, 0x7a, 0x7a, 0x7c, 0x7c, 0x7f, 0x7f,
100 };
101 
102 
103 
104 /*
105  * Add odd parity to low bit of 8 byte key
106  */
107 void
108 des_setparity(char *p)
109 {
110 	int i;
111 
112 	for (i = 0; i < 8; i++) {
113 		*p = partab[*p & 0x7f];
114 		p++;
115 	}
116 }
117 #endif /* def _KERNEL */
118 
119 #ifdef CRYPT
120 /*
121  * Software encrypt or decrypt a block of data (multiple of 8 bytes)
122  * Do the CBC ourselves if needed.
123  */
124 int
125 __des_crypt(char *buf, unsigned int len, struct desparams *desp)
126 {
127 	short i;
128 	unsigned mode;
129 	unsigned dir;
130 	char nextiv[8];
131 	struct deskeydata softkey;
132 
133 	mode = (unsigned)desp->des_mode;
134 	dir = (unsigned)desp->des_dir;
135 	des_setkey(desp->des_key, &softkey, dir);
136 	while (len != 0) {
137 		switch (mode) {
138 		case CBC:
139 			switch (dir) {
140 			case ENCRYPT:
141 				for (i = 0; i < 8; i++)
142 					buf[i] ^= desp->des_ivec[i];
143 				des_encrypt((uchar_t *)buf, &softkey);
144 				for (i = 0; i < 8; i++)
145 					desp->des_ivec[i] = buf[i];
146 				break;
147 			case DECRYPT:
148 				for (i = 0; i < 8; i++)
149 					nextiv[i] = buf[i];
150 				des_encrypt((uchar_t *)buf, &softkey);
151 				for (i = 0; i < 8; i++) {
152 					buf[i] ^= desp->des_ivec[i];
153 					desp->des_ivec[i] = nextiv[i];
154 				}
155 				break;
156 			}
157 			break;
158 		case ECB:
159 			des_encrypt((uchar_t *)buf, &softkey);
160 			break;
161 		}
162 		buf += 8;
163 		len -= 8;
164 	}
165 	return (1);
166 }
167 
168 
169 /*
170  * Set the key and direction for an encryption operation
171  * We build the 16 key entries here
172  */
173 static void
174 des_setkey(uchar_t userkey[8], struct deskeydata *kd, unsigned int dir)
175 {
176 	long C, D;
177 	short i;
178 
179 	/*
180 	 * First, generate C and D by permuting
181 	 * the key. The low order bit of each
182 	 * 8-bit char is not used, so C and D are only 28
183 	 * bits apiece.
184 	 */
185 	{
186 		short bit;
187 		const short *pcc = PC1_C, *pcd = PC1_D;
188 
189 		C = D = 0;
190 		for (i = 0; i < 28; i++) {
191 			C <<= 1;
192 			D <<= 1;
193 			bit = *pcc++;
194 			if (btst(userkey, bit))
195 				C |= 1;
196 			bit = *pcd++;
197 			if (btst(userkey, bit))
198 				D |= 1;
199 		}
200 	}
201 	/*
202 	 * To generate Ki, rotate C and D according
203 	 * to schedule and pick up a permutation
204 	 * using PC2.
205 	 */
206 	for (i = 0; i < 16; i++) {
207 		chunk_t *c;
208 		short j, k, bit;
209 		long bbit;
210 
211 		/*
212 		 * Do the "left shift" (rotate)
213 		 * We know we always rotate by either 1 or 2 bits
214 		 * the shifts table tells us if its 2
215 		 */
216 		C <<= 1;
217 		if (C & BIT28)
218 			C |= 1;
219 		D <<= 1;
220 		if (D & BIT28)
221 			D |= 1;
222 		if (shifts[i]) {
223 			C <<= 1;
224 			if (C & BIT28)
225 				C |= 1;
226 			D <<= 1;
227 			if (D & BIT28)
228 				D |= 1;
229 		}
230 		/*
231 		 * get Ki. Note C and D are concatenated.
232 		 */
233 		bit = 0;
234 		switch (dir) {
235 		case ENCRYPT:
236 			c = &kd->keyval[i]; break;
237 		case DECRYPT:
238 			c = &kd->keyval[15 - i]; break;
239 		}
240 		c->long0 = 0;
241 		c->long1 = 0;
242 		bbit = (1 << 5) << 24;
243 		for (j = 0; j < 4; j++) {
244 			for (k = 0; k < 6; k++) {
245 				if (C & (BIT28 >> PC2_C[bit]))
246 					c->long0 |= bbit >> k;
247 				if (D & (BIT28 >> PC2_D[bit]))
248 					c->long1 |= bbit >> k;
249 				bit++;
250 			}
251 			bbit >>= 8;
252 		}
253 
254 	}
255 }
256 
257 
258 
259 /*
260  * Do an encryption operation
261  * Much pain is taken (with preprocessor) to avoid loops so the compiler
262  * can do address arithmetic instead of doing it at runtime.
263  * Note that the byte-to-chunk conversion is necessary to guarantee
264  * processor byte-order independence.
265  */
266 static void
267 des_encrypt(uchar_t *data, struct deskeydata *kd)
268 {
269 	chunk_t work1, work2;
270 
271 	/*
272 	 * Initial permutation
273 	 * and byte to chunk conversion
274 	 */
275 	{
276 		const uint32_t *lp;
277 		uint32_t l0, l1, w;
278 		short i, pbit;
279 
280 		work1.byte0 = data[0];
281 		work1.byte1 = data[1];
282 		work1.byte2 = data[2];
283 		work1.byte3 = data[3];
284 		work1.byte4 = data[4];
285 		work1.byte5 = data[5];
286 		work1.byte6 = data[6];
287 		work1.byte7 = data[7];
288 		l0 = l1 = 0;
289 		w = work1.long0;
290 		for (lp = &longtab[0], i = 0; i < 32; i++) {
291 			if (w & *lp++) {
292 				pbit = IPtab[i];
293 				if (pbit < 32)
294 					l0 |= longtab[pbit];
295 				else
296 					l1 |= longtab[pbit-32];
297 			}
298 		}
299 		w = work1.long1;
300 		for (lp = &longtab[0], i = 32; i < 64; i++) {
301 			if (w & *lp++) {
302 				pbit = IPtab[i];
303 				if (pbit < 32)
304 					l0 |= longtab[pbit];
305 				else
306 					l1 |= longtab[pbit-32];
307 			}
308 		}
309 		work2.long0 = l0;
310 		work2.long1 = l1;
311 	}
312 
313 /*
314  * Expand 8 bits of 32 bit R to 48 bit R
315  */
316 #define	do_R_to_ER(op, b)	{			\
317 	const struct R_to_ER *p = &R_to_ER_tab[b][R.byte##b];	\
318 	e0 op p->l0;				\
319 	e1 op p->l1;				\
320 }
321 
322 /*
323  * Inner part of the algorithm:
324  * Expand R from 32 to 48 bits; xor key value;
325  * apply S boxes; permute 32 bits of output
326  */
327 #define	do_F(iter, inR, outR) 	{			\
328 	chunk_t R, ER;					\
329 	uint32_t e0, e1;				\
330 	R.long0 = inR;					\
331 	/* CSTYLED */					\
332 	do_R_to_ER(=, 0);				\
333 	/* CSTYLED */					\
334 	do_R_to_ER(|=, 1);				\
335 	/* CSTYLED */					\
336 	do_R_to_ER(|=, 2);				\
337 	/* CSTYLED */					\
338 	do_R_to_ER(|=, 3);				\
339 	ER.long0 = e0 ^ kd->keyval[iter].long0;		\
340 	ER.long1 = e1 ^ kd->keyval[iter].long1;		\
341 	R.long0 = 					\
342 		S_tab[0][ER.byte0] +			\
343 		S_tab[1][ER.byte1] +			\
344 		S_tab[2][ER.byte2] +			\
345 		S_tab[3][ER.byte3] +			\
346 		S_tab[4][ER.byte4] +			\
347 		S_tab[5][ER.byte5] +			\
348 		S_tab[6][ER.byte6] +			\
349 		S_tab[7][ER.byte7]; 			\
350 	outR = 						\
351 		P_tab[0][R.byte0] +			\
352 		P_tab[1][R.byte1] +			\
353 		P_tab[2][R.byte2] +			\
354 		P_tab[3][R.byte3]; 			\
355 }
356 
357 /*
358  * Do a cipher step
359  * Apply inner part; do xor and exchange of 32 bit parts
360  */
361 #define	cipher(iter, inR, inL, outR, outL)	{	\
362 	do_F(iter, inR, outR);				\
363 	outR ^= inL;					\
364 	outL = inR;					\
365 }
366 
367 	/*
368 	 * Apply the 16 ciphering steps
369 	 */
370 	{
371 		uint32_t r0, l0, r1, l1;
372 
373 		l0 = work2.long0;
374 		r0 = work2.long1;
375 		cipher(0, r0, l0, r1, l1);
376 		cipher(1, r1, l1, r0, l0);
377 		cipher(2, r0, l0, r1, l1);
378 		cipher(3, r1, l1, r0, l0);
379 		cipher(4, r0, l0, r1, l1);
380 		cipher(5, r1, l1, r0, l0);
381 		cipher(6, r0, l0, r1, l1);
382 		cipher(7, r1, l1, r0, l0);
383 		cipher(8, r0, l0, r1, l1);
384 		cipher(9, r1, l1, r0, l0);
385 		cipher(10, r0, l0, r1, l1);
386 		cipher(11, r1, l1, r0, l0);
387 		cipher(12, r0, l0, r1, l1);
388 		cipher(13, r1, l1, r0, l0);
389 		cipher(14, r0, l0, r1, l1);
390 		cipher(15, r1, l1, r0, l0);
391 		work1.long0 = r0;
392 		work1.long1 = l0;
393 	}
394 
395 	/*
396 	 * Final permutation
397 	 * and chunk to byte conversion
398 	 */
399 	{
400 		const uint32_t *lp;
401 		uint32_t l0, l1, w;
402 		short i, pbit;
403 
404 		l0 = l1 = 0;
405 		w = work1.long0;
406 		for (lp = &longtab[0], i = 0; i < 32; i++) {
407 			if (w & *lp++) {
408 				pbit = FPtab[i];
409 				if (pbit < 32)
410 					l0 |= longtab[pbit];
411 				else
412 					l1 |= longtab[pbit-32];
413 			}
414 		}
415 		w = work1.long1;
416 		for (lp = &longtab[0], i = 32; i < 64; i++) {
417 			if (w & *lp++) {
418 				pbit = FPtab[i];
419 				if (pbit < 32)
420 					l0 |= longtab[pbit];
421 				else
422 					l1 |= longtab[pbit-32];
423 			}
424 		}
425 		work2.long0 = l0;
426 		work2.long1 = l1;
427 	}
428 	data[0] = work2.byte0;
429 	data[1] = work2.byte1;
430 	data[2] = work2.byte2;
431 	data[3] = work2.byte3;
432 	data[4] = work2.byte4;
433 	data[5] = work2.byte5;
434 	data[6] = work2.byte6;
435 	data[7] = work2.byte7;
436 }
437 #endif /* def CRYPT */
438