xref: /illumos-gate/usr/src/lib/libnsl/des/des_soft.c (revision f928ce67ef743c33ea27c573c9c7e2d4a4833cbd)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License, Version 1.0 only
6  * (the "License").  You may not use this file except in compliance
7  * with the License.
8  *
9  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10  * or http://www.opensolaris.org/os/licensing.
11  * See the License for the specific language governing permissions
12  * and limitations under the License.
13  *
14  * When distributing Covered Code, include this CDDL HEADER in each
15  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16  * If applicable, add the following below this CDDL HEADER, with the
17  * fields enclosed by brackets "[]" replaced with your own identifying
18  * information: Portions Copyright [yyyy] [name of copyright owner]
19  *
20  * CDDL HEADER END
21  */
22 
23 /*
24  * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
25  * Use is subject to license terms.
26  */
27 
28 /* Copyright (c) 1984, 1986, 1987, 1988, 1989 AT&T */
29 /* All Rights Reserved */
30 
31 /*
32  * Portions of this source code were derived from Berkeley 4.3 BSD
33  * under license from the Regents of the University of California.
34  */
35 
36 #pragma ident	"%Z%%M%	%I%	%E% SMI"
37 
38 /*
39  * Warning!  Things are arranged very carefully in this file to
40  * allow read-only data to be moved to the text segment.  The
41  * various DES tables must appear before any function definitions
42  * (this is arranged by including them immediately below) and partab
43  * must also appear before and function definitions
44  * This arrangement allows all data up through the first text to
45  * be moved to text.
46  */
47 
48 #include <sys/types.h>
49 #include <des/softdes.h>
50 #include <des/desdata.h>
51 #ifdef sun
52 #include <sys/ioctl.h>
53 #include <sys/des.h>
54 #else
55 #include <des/des.h>
56 #endif
57 #include <rpcsvc/nis_dhext.h>
58 
59 /*
60  * Fast (?) software implementation of DES
61  * Has been seen going at 2000 bytes/sec on a Sun-2
62  * Works on a VAX too.
63  * Won't work without 8 bit chars and 32 bit longs
64  */
65 
66 #define	btst(k, b)	(k[b >> 3] & (0x80 >> (b & 07)))
67 #define	BIT28	(1<<28)
68 
69 static int	__des_encrypt(uchar_t *, struct deskeydata *);
70 static int	__des_setkey(uchar_t[8], struct deskeydata *, unsigned);
71 
72 
73 /*
74  * Table giving odd parity in the low bit for ASCII characters
75  */
76 const char partab[128] = {
77 	0x01, 0x01, 0x02, 0x02, 0x04, 0x04, 0x07, 0x07,
78 	0x08, 0x08, 0x0b, 0x0b, 0x0d, 0x0d, 0x0e, 0x0e,
79 	0x10, 0x10, 0x13, 0x13, 0x15, 0x15, 0x16, 0x16,
80 	0x19, 0x19, 0x1a, 0x1a, 0x1c, 0x1c, 0x1f, 0x1f,
81 	0x20, 0x20, 0x23, 0x23, 0x25, 0x25, 0x26, 0x26,
82 	0x29, 0x29, 0x2a, 0x2a, 0x2c, 0x2c, 0x2f, 0x2f,
83 	0x31, 0x31, 0x32, 0x32, 0x34, 0x34, 0x37, 0x37,
84 	0x38, 0x38, 0x3b, 0x3b, 0x3d, 0x3d, 0x3e, 0x3e,
85 	0x40, 0x40, 0x43, 0x43, 0x45, 0x45, 0x46, 0x46,
86 	0x49, 0x49, 0x4a, 0x4a, 0x4c, 0x4c, 0x4f, 0x4f,
87 	0x51, 0x51, 0x52, 0x52, 0x54, 0x54, 0x57, 0x57,
88 	0x58, 0x58, 0x5b, 0x5b, 0x5d, 0x5d, 0x5e, 0x5e,
89 	0x61, 0x61, 0x62, 0x62, 0x64, 0x64, 0x67, 0x67,
90 	0x68, 0x68, 0x6b, 0x6b, 0x6d, 0x6d, 0x6e, 0x6e,
91 	0x70, 0x70, 0x73, 0x73, 0x75, 0x75, 0x76, 0x76,
92 	0x79, 0x79, 0x7a, 0x7a, 0x7c, 0x7c, 0x7f, 0x7f,
93 };
94 
95 /*
96  * Add odd parity to low bit of 8 byte key
97  */
98 void
99 des_setparity(char *p)
100 {
101 	int i;
102 
103 	for (i = 0; i < 8; i++) {
104 		*p = partab[*p & 0x7f];
105 		p++;
106 	}
107 }
108 
109 static const unsigned char partab_g[256] = {
110 	0x01, 0x01, 0x02, 0x02, 0x04, 0x04, 0x07, 0x07,
111 	0x08, 0x08, 0x0b, 0x0b, 0x0d, 0x0d, 0x0e, 0x0e,
112 	0x10, 0x10, 0x13, 0x13, 0x15, 0x15, 0x16, 0x16,
113 	0x19, 0x19, 0x1a, 0x1a, 0x1c, 0x1c, 0x1f, 0x1f,
114 	0x20, 0x20, 0x23, 0x23, 0x25, 0x25, 0x26, 0x26,
115 	0x29, 0x29, 0x2a, 0x2a, 0x2c, 0x2c, 0x2f, 0x2f,
116 	0x31, 0x31, 0x32, 0x32, 0x34, 0x34, 0x37, 0x37,
117 	0x38, 0x38, 0x3b, 0x3b, 0x3d, 0x3d, 0x3e, 0x3e,
118 	0x40, 0x40, 0x43, 0x43, 0x45, 0x45, 0x46, 0x46,
119 	0x49, 0x49, 0x4a, 0x4a, 0x4c, 0x4c, 0x4f, 0x4f,
120 	0x51, 0x51, 0x52, 0x52, 0x54, 0x54, 0x57, 0x57,
121 	0x58, 0x58, 0x5b, 0x5b, 0x5d, 0x5d, 0x5e, 0x5e,
122 	0x61, 0x61, 0x62, 0x62, 0x64, 0x64, 0x67, 0x67,
123 	0x68, 0x68, 0x6b, 0x6b, 0x6d, 0x6d, 0x6e, 0x6e,
124 	0x70, 0x70, 0x73, 0x73, 0x75, 0x75, 0x76, 0x76,
125 	0x79, 0x79, 0x7a, 0x7a, 0x7c, 0x7c, 0x7f, 0x7f,
126 	0x80, 0x80, 0x83, 0x83, 0x85, 0x85, 0x86, 0x86,
127 	0x89, 0x89, 0x8a, 0x8a, 0x8c, 0x8c, 0x8f, 0x8f,
128 	0x91, 0x91, 0x92, 0x92, 0x94, 0x94, 0x97, 0x97,
129 	0x98, 0x98, 0x9b, 0x9b, 0x9d, 0x9d, 0x9e, 0x9e,
130 	0xa1, 0xa1, 0xa2, 0xa2, 0xa4, 0xa4, 0xa7, 0xa7,
131 	0xa8, 0xa8, 0xab, 0xab, 0xad, 0xad, 0xae, 0xae,
132 	0xb0, 0xb0, 0xb3, 0xb3, 0xb5, 0xb5, 0xb6, 0xb6,
133 	0xb9, 0xb9, 0xba, 0xba, 0xbc, 0xbc, 0xbf, 0xbf,
134 	0xc1, 0xc1, 0xc2, 0xc2, 0xc4, 0xc4, 0xc7, 0xc7,
135 	0xc8, 0xc8, 0xcb, 0xcb, 0xcd, 0xcd, 0xce, 0xce,
136 	0xd0, 0xd0, 0xd3, 0xd3, 0xd5, 0xd5, 0xd6, 0xd6,
137 	0xd9, 0xd9, 0xda, 0xda, 0xdc, 0xdc, 0xdf, 0xdf,
138 	0xe0, 0xe0, 0xe3, 0xe3, 0xe5, 0xe5, 0xe6, 0xe6,
139 	0xe9, 0xe9, 0xea, 0xea, 0xec, 0xec, 0xef, 0xef,
140 	0xf1, 0xf1, 0xf2, 0xf2, 0xf4, 0xf4, 0xf7, 0xf7,
141 	0xf8, 0xf8, 0xfb, 0xfb, 0xfd, 0xfd, 0xfe, 0xfe
142 };
143 
144 /*
145  * A corrected version of des_setparity (see bug 1149767).
146  */
147 void
148 des_setparity_g(des_block *p)
149 {
150 	int i;
151 
152 	for (i = 0; i < 8; i++) {
153 		(*p).c[i] = partab_g[(*p).c[i]];
154 	}
155 }
156 
157 /*
158  * Software encrypt or decrypt a block of data (multiple of 8 bytes)
159  * Do the CBC ourselves if needed.
160  */
161 int
162 __des_crypt(char *buf, unsigned len, struct desparams *desp)
163 {
164 /* EXPORT DELETE START */
165 	short i;
166 	unsigned mode;
167 	unsigned dir;
168 	char nextiv[8];
169 	struct deskeydata softkey;
170 
171 	mode = (unsigned)desp->des_mode;
172 	dir = (unsigned)desp->des_dir;
173 	(void) __des_setkey(desp->des_key, &softkey, dir);
174 	while (len != 0) {
175 		switch (mode) {
176 		case CBC:
177 			switch (dir) {
178 			case ENCRYPT:
179 				for (i = 0; i < 8; i++)
180 					buf[i] ^= desp->des_ivec[i];
181 				(void) __des_encrypt((uchar_t *)buf, &softkey);
182 				for (i = 0; i < 8; i++)
183 					desp->des_ivec[i] = buf[i];
184 				break;
185 			case DECRYPT:
186 				for (i = 0; i < 8; i++)
187 					nextiv[i] = buf[i];
188 				(void) __des_encrypt((uchar_t *)buf, &softkey);
189 				for (i = 0; i < 8; i++) {
190 					buf[i] ^= desp->des_ivec[i];
191 					desp->des_ivec[i] = nextiv[i];
192 				}
193 				break;
194 			}
195 			break;
196 		case ECB:
197 			(void) __des_encrypt((uchar_t *)buf, &softkey);
198 			break;
199 		}
200 		buf += 8;
201 		len -= 8;
202 	}
203 /* EXPORT DELETE END */
204 	return (1);
205 }
206 
207 
208 /*
209  * Set the key and direction for an encryption operation
210  * We build the 16 key entries here
211  */
212 static int
213 __des_setkey(uchar_t userkey[8], struct deskeydata *kd, unsigned dir)
214 {
215 /* EXPORT DELETE START */
216 	int32_t C, D;
217 	short i;
218 
219 	/*
220 	 * First, generate C and D by permuting
221 	 * the key. The low order bit of each
222 	 * 8-bit char is not used, so C and D are only 28
223 	 * bits apiece.
224 	 */
225 	{
226 		short bit;
227 		const short *pcc = PC1_C, *pcd = PC1_D;
228 
229 		C = D = 0;
230 		for (i = 0; i < 28; i++) {
231 			C <<= 1;
232 			D <<= 1;
233 			bit = *pcc++;
234 			if (btst(userkey, bit))
235 				C |= 1;
236 			bit = *pcd++;
237 			if (btst(userkey, bit))
238 				D |= 1;
239 		}
240 	}
241 	/*
242 	 * To generate Ki, rotate C and D according
243 	 * to schedule and pick up a permutation
244 	 * using PC2.
245 	 */
246 	for (i = 0; i < 16; i++) {
247 		chunk_t *c;
248 		short j, k, bit;
249 		uint32_t bbit;
250 
251 		/*
252 		 * Do the "left shift" (rotate)
253 		 * We know we always rotate by either 1 or 2 bits
254 		 * the shifts table tells us if its 2
255 		 */
256 		C <<= 1;
257 		if (C & BIT28)
258 			C |= 1;
259 		D <<= 1;
260 		if (D & BIT28)
261 			D |= 1;
262 		if (shifts[i]) {
263 			C <<= 1;
264 			if (C & BIT28)
265 				C |= 1;
266 			D <<= 1;
267 			if (D & BIT28)
268 				D |= 1;
269 		}
270 		/*
271 		 * get Ki. Note C and D are concatenated.
272 		 */
273 		bit = 0;
274 		switch (dir) {
275 		case ENCRYPT:
276 			c = &kd->keyval[i]; break;
277 		case DECRYPT:
278 			c = &kd->keyval[15 - i]; break;
279 		}
280 		c->long0 = 0;
281 		c->long1 = 0;
282 		bbit = (1 << 5) << 24;
283 		for (j = 0; j < 4; j++) {
284 			for (k = 0; k < 6; k++) {
285 				if (C & (BIT28 >> PC2_C[bit]))
286 					c->long0 |= bbit >> k;
287 				if (D & (BIT28 >> PC2_D[bit]))
288 					c->long1 |= bbit >> k;
289 				bit++;
290 			}
291 			bbit >>= 8;
292 		}
293 
294 	}
295 /* EXPORT DELETE END */
296 	return (1);
297 }
298 
299 
300 
301 /*
302  * Do an encryption operation
303  * Much pain is taken (with preprocessor) to avoid loops so the compiler
304  * can do address arithmetic instead of doing it at runtime.
305  * Note that the byte-to-chunk conversion is necessary to guarantee
306  * processor byte-order independence.
307  */
308 static int
309 __des_encrypt(uchar_t *data, struct deskeydata *kd)
310 {
311 /* EXPORT DELETE START */
312 	chunk_t work1, work2;
313 
314 	/*
315 	 * Initial permutation
316 	 * and byte to chunk conversion
317 	 */
318 	{
319 		const uint32_t *lp;
320 		uint32_t l0, l1, w;
321 		short i, pbit;
322 
323 		work1.byte0 = data[0];
324 		work1.byte1 = data[1];
325 		work1.byte2 = data[2];
326 		work1.byte3 = data[3];
327 		work1.byte4 = data[4];
328 		work1.byte5 = data[5];
329 		work1.byte6 = data[6];
330 		work1.byte7 = data[7];
331 		l0 = l1 = 0;
332 		w = work1.long0;
333 		for (lp = (uint32_t *)&longtab[0], i = 0; i < 32; i++) {
334 			if (w & *lp++) {
335 				pbit = IPtab[i];
336 				if (pbit < 32)
337 					l0 |= longtab[pbit];
338 				else
339 					l1 |= longtab[pbit-32];
340 			}
341 		}
342 		w = work1.long1;
343 		for (lp = (uint32_t *)&longtab[0], i = 32; i < 64; i++) {
344 			if (w & *lp++) {
345 				pbit = IPtab[i];
346 				if (pbit < 32)
347 					l0 |= longtab[pbit];
348 				else
349 					l1 |= longtab[pbit-32];
350 			}
351 		}
352 		work2.long0 = l0;
353 		work2.long1 = l1;
354 	}
355 
356 /*
357  * Expand 8 bits of 32 bit R to 48 bit R
358  */
359 #define	do_R_to_ER(op, b)	{			\
360 	const struct R_to_ER *p = &R_to_ER_tab[b][R.byte##b];	\
361 	e0 op p->l0;				\
362 	e1 op p->l1;				\
363 }
364 
365 /*
366  * Inner part of the algorithm:
367  * Expand R from 32 to 48 bits; xor key value;
368  * apply S boxes; permute 32 bits of output
369  */
370 /* BEGIN CSTYLED */
371 #define	do_F(iter, inR, outR) 	{			\
372 	chunk_t R, ER;					\
373 	uint32_t e0, e1;				\
374 	R.long0 = inR;					\
375 	do_R_to_ER(=, 0);				\
376 	do_R_to_ER(|=, 1);				\
377 	do_R_to_ER(|=, 2);				\
378 	do_R_to_ER(|=, 3);				\
379 	ER.long0 = e0 ^ kd->keyval[iter].long0;		\
380 	ER.long1 = e1 ^ kd->keyval[iter].long1;		\
381 	R.long0 =					\
382 		S_tab[0][ER.byte0] +			\
383 		S_tab[1][ER.byte1] +			\
384 		S_tab[2][ER.byte2] +			\
385 		S_tab[3][ER.byte3] +			\
386 		S_tab[4][ER.byte4] +			\
387 		S_tab[5][ER.byte5] +			\
388 		S_tab[6][ER.byte6] +			\
389 		S_tab[7][ER.byte7]; 			\
390 	outR =						\
391 		P_tab[0][R.byte0] +			\
392 		P_tab[1][R.byte1] +			\
393 		P_tab[2][R.byte2] +			\
394 		P_tab[3][R.byte3]; 			\
395 }
396 /* END CSTYLED */
397 
398 /*
399  * Do a cipher step
400  * Apply inner part; do xor and exchange of 32 bit parts
401  */
402 #define	cipher(iter, inR, inL, outR, outL)	{	\
403 	do_F(iter, inR, outR);				\
404 	outR ^= inL;					\
405 	outL = inR;					\
406 }
407 
408 	/*
409 	 * Apply the 16 ciphering steps
410 	 */
411 	{
412 		uint32_t r0, l0, r1, l1;
413 
414 		l0 = work2.long0;
415 		r0 = work2.long1;
416 		cipher(0, r0, l0, r1, l1);
417 		cipher(1, r1, l1, r0, l0);
418 		cipher(2, r0, l0, r1, l1);
419 		cipher(3, r1, l1, r0, l0);
420 		cipher(4, r0, l0, r1, l1);
421 		cipher(5, r1, l1, r0, l0);
422 		cipher(6, r0, l0, r1, l1);
423 		cipher(7, r1, l1, r0, l0);
424 		cipher(8, r0, l0, r1, l1);
425 		cipher(9, r1, l1, r0, l0);
426 		cipher(10, r0, l0, r1, l1);
427 		cipher(11, r1, l1, r0, l0);
428 		cipher(12, r0, l0, r1, l1);
429 		cipher(13, r1, l1, r0, l0);
430 		cipher(14, r0, l0, r1, l1);
431 		cipher(15, r1, l1, r0, l0);
432 		work1.long0 = r0;
433 		work1.long1 = l0;
434 	}
435 
436 	/*
437 	 * Final permutation
438 	 * and chunk to byte conversion
439 	 */
440 	{
441 		uint32_t *lp;
442 		uint32_t l0, l1, w;
443 		short i, pbit;
444 
445 		l0 = l1 = 0;
446 		w = work1.long0;
447 		for (lp = (uint32_t *)&longtab[0], i = 0; i < 32; i++) {
448 			if (w & *lp++) {
449 				pbit = FPtab[i];
450 				if (pbit < 32)
451 					l0 |= longtab[pbit];
452 				else
453 					l1 |= longtab[pbit-32];
454 			}
455 		}
456 		w = work1.long1;
457 		for (lp = (uint32_t *)&longtab[0], i = 32; i < 64; i++) {
458 			if (w & *lp++) {
459 				pbit = FPtab[i];
460 				if (pbit < 32)
461 					l0 |= longtab[pbit];
462 				else
463 					l1 |= longtab[pbit-32];
464 			}
465 		}
466 		work2.long0 = l0;
467 		work2.long1 = l1;
468 	}
469 	data[0] = work2.byte0;
470 	data[1] = work2.byte1;
471 	data[2] = work2.byte2;
472 	data[3] = work2.byte3;
473 	data[4] = work2.byte4;
474 	data[5] = work2.byte5;
475 	data[6] = work2.byte6;
476 	data[7] = work2.byte7;
477 
478 /* EXPORT DELETE END */
479 	return (1);
480 }
481