xref: /titanic_41/usr/src/common/net/wanboot/crypt/des3.c (revision 2449e17f82f6097fd2c665b64723e31ceecbeca6)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License, Version 1.0 only
6  * (the "License").  You may not use this file except in compliance
7  * with the License.
8  *
9  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10  * or http://www.opensolaris.org/os/licensing.
11  * See the License for the specific language governing permissions
12  * and limitations under the License.
13  *
14  * When distributing Covered Code, include this CDDL HEADER in each
15  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16  * If applicable, add the following below this CDDL HEADER, with the
17  * fields enclosed by brackets "[]" replaced with your own identifying
18  * information: Portions Copyright [yyyy] [name of copyright owner]
19  *
20  * CDDL HEADER END
21  */
22 /*
23  * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 #pragma ident	"%Z%%M%	%I%	%E% SMI"
28 
29 #include <stdlib.h>
30 #include <strings.h>
31 #include <sys/sysmacros.h>
32 
33 #include "des3.h"
34 #include "des.h"
35 
36 typedef struct keysched_s {
37 	uint32_t ksch_encrypt1[16][2];
38 	uint32_t ksch_encrypt2[16][2];
39 	uint32_t ksch_encrypt3[16][2];
40 
41 	uint32_t ksch_decrypt1[16][2];
42 	uint32_t ksch_decrypt2[16][2];
43 	uint32_t ksch_decrypt3[16][2];
44 } keysched_t;
45 
46 int
47 des3_init(void **cookie)
48 {
49 	if ((*cookie = malloc(sizeof (keysched_t))) == NULL) {
50 		return (-1);
51 	}
52 	return (0);
53 }
54 
55 void
56 des3_fini(void *cookie)
57 {
58 	free(cookie);
59 }
60 
61 void
62 des3_encrypt(void *cookie, uint8_t *block)
63 {
64 	keysched_t *ksch = (keysched_t *)cookie;
65 
66 	des(ksch->ksch_encrypt1, block);
67 	des(ksch->ksch_decrypt2, block);
68 	des(ksch->ksch_encrypt3, block);
69 }
70 
71 void
72 des3_decrypt(void *cookie, uint8_t *block)
73 {
74 	keysched_t *ksch = (keysched_t *)cookie;
75 
76 	des(ksch->ksch_decrypt3, block);
77 	des(ksch->ksch_encrypt2, block);
78 	des(ksch->ksch_decrypt1, block);
79 }
80 
81 /*
82  * Generate key schedule for triple DES in E-D-E (or D-E-D) mode.
83  *
84  * The key argument is taken to be 24 bytes. The first 8 bytes are K1
85  * for the first stage, the second 8 bytes are K2 for the middle stage
86  * and the third 8 bytes are K3 for the last stage
87  */
88 void
89 des3_key(void *cookie, const uint8_t *key)
90 {
91 	keysched_t *ks = (keysched_t *)cookie;
92 	uint8_t *k1 = (uint8_t *)key;
93 	uint8_t *k2 = k1 + DES_KEY_SIZE;
94 	uint8_t *k3 = k2 + DES_KEY_SIZE;
95 
96 	des_key(ks->ksch_decrypt1, k1, B_TRUE);
97 	des_key(ks->ksch_encrypt1, k1, B_FALSE);
98 	des_key(ks->ksch_decrypt2, k2, B_TRUE);
99 	des_key(ks->ksch_encrypt2, k2, B_FALSE);
100 	des_key(ks->ksch_decrypt3, k3, B_TRUE);
101 	des_key(ks->ksch_encrypt3, k3, B_FALSE);
102 }
103 
104 
105 boolean_t
106 des3_keycheck(const uint8_t *key)
107 {
108 	uint64_t key_so_far;
109 	uint64_t scratch;
110 	uint64_t *currentkey;
111 	uint64_t tmpbuf[3];
112 	uint_t parity;
113 	uint_t num_weakkeys = 0;
114 	uint_t i;
115 	uint_t j;
116 
117 	/*
118 	 * Table of weak and semi-weak keys.  Fortunately, weak keys are
119 	 * endian-independent, and some semi-weak keys can be paired up in
120 	 * endian-opposite order.  Since keys are stored as uint64_t's,
121 	 * use the ifdef _LITTLE_ENDIAN where appropriate.
122 	 */
123 	static uint64_t des_weak_keys[] = {
124 		/* Really weak keys.  Byte-order independent values. */
125 		0x0101010101010101ULL,
126 		0x1f1f1f1f0e0e0e0eULL,
127 		0xe0e0e0e0f1f1f1f1ULL,
128 		0xfefefefefefefefeULL,
129 
130 		/* Semi-weak (and a few possibly-weak) keys. */
131 
132 		/* Byte-order independent semi-weak keys. */
133 		0x01fe01fe01fe01feULL,	0xfe01fe01fe01fe01ULL,
134 
135 		/* Byte-order dependent semi-weak keys. */
136 #ifdef _LITTLE_ENDIAN
137 		0xf10ef10ee01fe01fULL,	0x0ef10ef11fe01fe0ULL,
138 		0x01f101f101e001e0ULL,	0xf101f101e001e001ULL,
139 		0x0efe0efe1ffe1ffeULL,	0xfe0efe0efe1ffe1fULL,
140 		0x010e010e011f011fULL,	0x0e010e011f011f01ULL,
141 		0xf1fef1fee0fee0feULL,	0xfef1fef1fee0fee0ULL,
142 #else	/* Big endian */
143 		0x1fe01fe00ef10ef1ULL,	0xe01fe01ff10ef10eULL,
144 		0x01e001e001f101f1ULL,	0xe001e001f101f101ULL,
145 		0x1ffe1ffe0efe0efeULL,	0xfe1ffe1ffe0efe0eULL,
146 		0x011f011f010e010eULL,	0x1f011f010e010e01ULL,
147 		0xe0fee0fef1fef1feULL,	0xfee0fee0fef1fef1ULL,
148 #endif
149 
150 		/* We'll save the other possibly-weak keys for the future. */
151 	};
152 
153 	if (IS_P2ALIGNED(key, sizeof (uint64_t))) {
154 		/* LINTED */
155 		currentkey = (uint64_t *)key;
156 	} else {
157 		currentkey = tmpbuf;
158 		bcopy(key, currentkey, 3 * sizeof (uint64_t));
159 	}
160 
161 	for (j = 0; j < 3; j++) {
162 		key_so_far = currentkey[j];
163 		scratch = key_so_far;
164 
165 		/* Unroll the loop within each byte. */
166 		for (i = 0; i < 8; i++) {
167 			parity = 1;
168 
169 			/*
170 			 * Start shifting at byte n, right to left.
171 			 * Low bit (0) doesn't count.
172 			 */
173 			scratch >>= 1;
174 			if (scratch & 0x1)	/* bit 1 */
175 				parity++;
176 			scratch >>= 1;
177 			if (scratch & 0x1)	/* bit 2 */
178 				parity++;
179 			scratch >>= 1;
180 			if (scratch & 0x1)	/* bit 3 */
181 				parity++;
182 			scratch >>= 1;
183 			if (scratch & 0x1)	/* bit 4 */
184 				parity++;
185 			scratch >>= 1;
186 			if (scratch & 0x1)	/* bit 5 */
187 				parity++;
188 			scratch >>= 1;
189 			if (scratch & 0x1)	/* bit 6 */
190 			parity++;
191 			scratch >>= 1;
192 			if (scratch & 0x1)	/* bit 7 */
193 				parity++;
194 			scratch >>= 1;
195 
196 			parity &= 1;	/* Mask off other bits. */
197 
198 			/* Will common subexpression elimination help me? */
199 			key_so_far &= ~((uint64_t)1 << (i << 3));
200 			key_so_far |= ((uint64_t)parity << (i << 3));
201 		}
202 
203 		/* Do weak key check itself. */
204 		for (i = 0; i < (sizeof (des_weak_keys) / sizeof (uint64_t));
205 		    i++) {
206 			if (key_so_far == des_weak_keys[i]) {
207 				/* In 3DES, one weak key is OK.  Two is bad. */
208 				if (++num_weakkeys > 1) {
209 					return (B_FALSE);
210 				} else {
211 					/*
212 					 * We found a weak key, but since
213 					 * we've only found one weak key,
214 					 * we can not reject the whole 3DES
215 					 * set of keys as weak.
216 					 *
217 					 * Break from the weak key loop
218 					 * (since this DES key is weak) and
219 					 * continue on.
220 					 */
221 					break;
222 				}
223 			}
224 		}
225 
226 		/*
227 		 * Fix key extension, adjust bits if necessary.
228 		 */
229 		currentkey[j] = key_so_far;
230 	}
231 
232 	/*
233 	 * Perform key equivalence checks, now that parity is properly set.
234 	 * All three keys must be unique.
235 	 */
236 	if (currentkey[0] == currentkey[1] || currentkey[1] == currentkey[2] ||
237 	    currentkey[2] == currentkey[0]) {
238 		return (B_FALSE);
239 	}
240 
241 	return (B_TRUE);
242 }
243