xref: /titanic_41/usr/src/lib/libcrypt/common/des_soft.c (revision 06e46062ef4f5f4b687cbafb4518fb123fe23920)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License, Version 1.0 only
6  * (the "License").  You may not use this file except in compliance
7  * with the License.
8  *
9  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10  * or http://www.opensolaris.org/os/licensing.
11  * See the License for the specific language governing permissions
12  * and limitations under the License.
13  *
14  * When distributing Covered Code, include this CDDL HEADER in each
15  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16  * If applicable, add the following below this CDDL HEADER, with the
17  * fields enclosed by brackets "[]" replaced with your own identifying
18  * information: Portions Copyright [yyyy] [name of copyright owner]
19  *
20  * CDDL HEADER END
21  */
22 /*
23  * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 /*	Copyright (c) 1983, 1984, 1985, 1986, 1987, 1988, 1989 AT&T	*/
28 /*	  All Rights Reserved  	*/
29 
30 /*
31  * Portions of this source code were derived from Berkeley 4.3 BSD
32  * under license from the Regents of the University of California.
33  */
34 
35 #pragma ident	"%Z%%M%	%I%	%E% SMI"
36 /*LINTLIBRARY*/
37 
38 /*
39  * Warning!  Things are arranged very carefully in this file to
40  * allow read-only data to be moved to the text segment.  The
41  * various DES tables must appear before any function definitions
42  * (this is arranged by including them immediately below) and partab
43  * must also appear before and function definitions
44  * This arrangement allows all data up through the first text to
45  * be moved to text.
46  */
47 
48 #ifndef _KERNEL
49 #define	CRYPT	/* cannot configure out of user-level code */
50 #endif
51 
52 #include "synonyms.h"
53 #ifdef CRYPT
54 #include <sys/types.h>
55 #include <des/softdes.h>
56 #include <des/desdata.h>
57 
58 #ifdef sun
59 #include <sys/ioctl.h>
60 #include <sys/des.h>
61 #else
62 #include <des/des.h>
63 #endif
64 
65 #include "des_soft.h"
66 
67 /*
68  * Fast (?) software implementation of DES
69  * Has been seen going at 2000 bytes/sec on a Sun-2
70  * Works on a VAX too.
71  * Won't work without 8 bit chars and 32 bit longs
72  */
73 
74 #define	btst(k, b)	(k[b >> 3] & (0x80 >> (b & 07)))
75 #define	BIT28	(1<<28)
76 
77 
78 #endif /* def CRYPT */
79 
80 static void des_setkey(u_char [8], struct deskeydata *, unsigned);
81 static void des_encrypt(u_char *, struct deskeydata *);
82 
83 #ifndef	_KERNEL
84 /*
85  * Table giving odd parity in the low bit for ASCII characters
86  */
87 static char partab[128] = {
88 	0x01, 0x01, 0x02, 0x02, 0x04, 0x04, 0x07, 0x07,
89 	0x08, 0x08, 0x0b, 0x0b, 0x0d, 0x0d, 0x0e, 0x0e,
90 	0x10, 0x10, 0x13, 0x13, 0x15, 0x15, 0x16, 0x16,
91 	0x19, 0x19, 0x1a, 0x1a, 0x1c, 0x1c, 0x1f, 0x1f,
92 	0x20, 0x20, 0x23, 0x23, 0x25, 0x25, 0x26, 0x26,
93 	0x29, 0x29, 0x2a, 0x2a, 0x2c, 0x2c, 0x2f, 0x2f,
94 	0x31, 0x31, 0x32, 0x32, 0x34, 0x34, 0x37, 0x37,
95 	0x38, 0x38, 0x3b, 0x3b, 0x3d, 0x3d, 0x3e, 0x3e,
96 	0x40, 0x40, 0x43, 0x43, 0x45, 0x45, 0x46, 0x46,
97 	0x49, 0x49, 0x4a, 0x4a, 0x4c, 0x4c, 0x4f, 0x4f,
98 	0x51, 0x51, 0x52, 0x52, 0x54, 0x54, 0x57, 0x57,
99 	0x58, 0x58, 0x5b, 0x5b, 0x5d, 0x5d, 0x5e, 0x5e,
100 	0x61, 0x61, 0x62, 0x62, 0x64, 0x64, 0x67, 0x67,
101 	0x68, 0x68, 0x6b, 0x6b, 0x6d, 0x6d, 0x6e, 0x6e,
102 	0x70, 0x70, 0x73, 0x73, 0x75, 0x75, 0x76, 0x76,
103 	0x79, 0x79, 0x7a, 0x7a, 0x7c, 0x7c, 0x7f, 0x7f,
104 };
105 
106 
107 
108 /*
109  * Add odd parity to low bit of 8 byte key
110  */
111 void
112 des_setparity(char *p)
113 {
114 	int i;
115 
116 	for (i = 0; i < 8; i++) {
117 		*p = partab[*p & 0x7f];
118 		p++;
119 	}
120 }
121 #endif /* def _KERNEL */
122 
123 #ifdef CRYPT
124 /*
125  * Software encrypt or decrypt a block of data (multiple of 8 bytes)
126  * Do the CBC ourselves if needed.
127  */
128 int
129 __des_crypt(char *buf, unsigned int len, struct desparams *desp)
130 {
131 /* EXPORT DELETE START */
132 	short i;
133 	unsigned mode;
134 	unsigned dir;
135 	char nextiv[8];
136 	struct deskeydata softkey;
137 
138 	mode = (unsigned) desp->des_mode;
139 	dir = (unsigned) desp->des_dir;
140 	des_setkey(desp->des_key, &softkey, dir);
141 	while (len != 0) {
142 		switch (mode) {
143 		case CBC:
144 			switch (dir) {
145 			case ENCRYPT:
146 				for (i = 0; i < 8; i++)
147 					buf[i] ^= desp->des_ivec[i];
148 				des_encrypt((u_char *)buf, &softkey);
149 				for (i = 0; i < 8; i++)
150 					desp->des_ivec[i] = buf[i];
151 				break;
152 			case DECRYPT:
153 				for (i = 0; i < 8; i++)
154 					nextiv[i] = buf[i];
155 				des_encrypt((u_char *)buf, &softkey);
156 				for (i = 0; i < 8; i++) {
157 					buf[i] ^= desp->des_ivec[i];
158 					desp->des_ivec[i] = nextiv[i];
159 				}
160 				break;
161 			}
162 			break;
163 		case ECB:
164 			des_encrypt((u_char *)buf, &softkey);
165 			break;
166 		}
167 		buf += 8;
168 		len -= 8;
169 	}
170 /* EXPORT DELETE END */
171 	return (1);
172 }
173 
174 
175 /*
176  * Set the key and direction for an encryption operation
177  * We build the 16 key entries here
178  */
179 static void
180 des_setkey(u_char userkey[8], struct deskeydata *kd, unsigned int dir)
181 {
182 /* EXPORT DELETE START */
183 	long C, D;
184 	short i;
185 
186 	/*
187 	 * First, generate C and D by permuting
188 	 * the key. The low order bit of each
189 	 * 8-bit char is not used, so C and D are only 28
190 	 * bits apiece.
191 	 */
192 	{
193 		short bit;
194 		const short *pcc = PC1_C, *pcd = PC1_D;
195 
196 		C = D = 0;
197 		for (i = 0; i < 28; i++) {
198 			C <<= 1;
199 			D <<= 1;
200 			bit = *pcc++;
201 			if (btst(userkey, bit))
202 				C |= 1;
203 			bit = *pcd++;
204 			if (btst(userkey, bit))
205 				D |= 1;
206 		}
207 	}
208 	/*
209 	 * To generate Ki, rotate C and D according
210 	 * to schedule and pick up a permutation
211 	 * using PC2.
212 	 */
213 	for (i = 0; i < 16; i++) {
214 		chunk_t *c;
215 		short j, k, bit;
216 		long bbit;
217 
218 		/*
219 		 * Do the "left shift" (rotate)
220 		 * We know we always rotate by either 1 or 2 bits
221 		 * the shifts table tells us if its 2
222 		 */
223 		C <<= 1;
224 		if (C & BIT28)
225 			C |= 1;
226 		D <<= 1;
227 		if (D & BIT28)
228 			D |= 1;
229 		if (shifts[i]) {
230 			C <<= 1;
231 			if (C & BIT28)
232 				C |= 1;
233 			D <<= 1;
234 			if (D & BIT28)
235 				D |= 1;
236 		}
237 		/*
238 		 * get Ki. Note C and D are concatenated.
239 		 */
240 		bit = 0;
241 		switch (dir) {
242 		case ENCRYPT:
243 			c = &kd->keyval[i]; break;
244 		case DECRYPT:
245 			c = &kd->keyval[15 - i]; break;
246 		}
247 		c->long0 = 0;
248 		c->long1 = 0;
249 		bbit = (1 << 5) << 24;
250 		for (j = 0; j < 4; j++) {
251 			for (k = 0; k < 6; k++) {
252 				if (C & (BIT28 >> PC2_C[bit]))
253 					c->long0 |= bbit >> k;
254 				if (D & (BIT28 >> PC2_D[bit]))
255 					c->long1 |= bbit >> k;
256 				bit++;
257 			}
258 			bbit >>= 8;
259 		}
260 
261 	}
262 /* EXPORT DELETE END */
263 	return;
264 }
265 
266 
267 
268 /*
269  * Do an encryption operation
270  * Much pain is taken (with preprocessor) to avoid loops so the compiler
271  * can do address arithmetic instead of doing it at runtime.
272  * Note that the byte-to-chunk conversion is necessary to guarantee
273  * processor byte-order independence.
274  */
275 static void
276 des_encrypt(u_char *data, struct deskeydata *kd)
277 {
278 /* EXPORT DELETE START */
279 	chunk_t work1, work2;
280 
281 	/*
282 	 * Initial permutation
283 	 * and byte to chunk conversion
284 	 */
285 	{
286 		const uint32_t *lp;
287 		uint32_t l0, l1, w;
288 		short i, pbit;
289 
290 		work1.byte0 = data[0];
291 		work1.byte1 = data[1];
292 		work1.byte2 = data[2];
293 		work1.byte3 = data[3];
294 		work1.byte4 = data[4];
295 		work1.byte5 = data[5];
296 		work1.byte6 = data[6];
297 		work1.byte7 = data[7];
298 		l0 = l1 = 0;
299 		w = work1.long0;
300 		for (lp = &longtab[0], i = 0; i < 32; i++) {
301 			if (w & *lp++) {
302 				pbit = IPtab[i];
303 				if (pbit < 32)
304 					l0 |= longtab[pbit];
305 				else
306 					l1 |= longtab[pbit-32];
307 			}
308 		}
309 		w = work1.long1;
310 		for (lp = &longtab[0], i = 32; i < 64; i++) {
311 			if (w & *lp++) {
312 				pbit = IPtab[i];
313 				if (pbit < 32)
314 					l0 |= longtab[pbit];
315 				else
316 					l1 |= longtab[pbit-32];
317 			}
318 		}
319 		work2.long0 = l0;
320 		work2.long1 = l1;
321 	}
322 
323 /*
324  * Expand 8 bits of 32 bit R to 48 bit R
325  */
326 #define	do_R_to_ER(op, b)	{			\
327 	const struct R_to_ER *p = &R_to_ER_tab[b][R.byte##b];	\
328 	e0 op p->l0;				\
329 	e1 op p->l1;				\
330 }
331 
332 /*
333  * Inner part of the algorithm:
334  * Expand R from 32 to 48 bits; xor key value;
335  * apply S boxes; permute 32 bits of output
336  */
337 #define	do_F(iter, inR, outR) 	{			\
338 	chunk_t R, ER;					\
339 	uint32_t e0, e1;				\
340 	R.long0 = inR;					\
341 	do_R_to_ER(=, 0);				\
342 	do_R_to_ER(|=, 1);				\
343 	do_R_to_ER(|=, 2);				\
344 	do_R_to_ER(|=, 3);				\
345 	ER.long0 = e0 ^ kd->keyval[iter].long0;		\
346 	ER.long1 = e1 ^ kd->keyval[iter].long1;		\
347 	R.long0 = 					\
348 		S_tab[0][ER.byte0] +			\
349 		S_tab[1][ER.byte1] +			\
350 		S_tab[2][ER.byte2] +			\
351 		S_tab[3][ER.byte3] +			\
352 		S_tab[4][ER.byte4] +			\
353 		S_tab[5][ER.byte5] +			\
354 		S_tab[6][ER.byte6] +			\
355 		S_tab[7][ER.byte7]; 			\
356 	outR = 						\
357 		P_tab[0][R.byte0] +			\
358 		P_tab[1][R.byte1] +			\
359 		P_tab[2][R.byte2] +			\
360 		P_tab[3][R.byte3]; 			\
361 }
362 
363 /*
364  * Do a cipher step
365  * Apply inner part; do xor and exchange of 32 bit parts
366  */
367 #define	cipher(iter, inR, inL, outR, outL)	{	\
368 	do_F(iter, inR, outR);				\
369 	outR ^= inL;					\
370 	outL = inR;					\
371 }
372 
373 	/*
374 	 * Apply the 16 ciphering steps
375 	 */
376 	{
377 		uint32_t r0, l0, r1, l1;
378 
379 		l0 = work2.long0;
380 		r0 = work2.long1;
381 		cipher(0, r0, l0, r1, l1);
382 		cipher(1, r1, l1, r0, l0);
383 		cipher(2, r0, l0, r1, l1);
384 		cipher(3, r1, l1, r0, l0);
385 		cipher(4, r0, l0, r1, l1);
386 		cipher(5, r1, l1, r0, l0);
387 		cipher(6, r0, l0, r1, l1);
388 		cipher(7, r1, l1, r0, l0);
389 		cipher(8, r0, l0, r1, l1);
390 		cipher(9, r1, l1, r0, l0);
391 		cipher(10, r0, l0, r1, l1);
392 		cipher(11, r1, l1, r0, l0);
393 		cipher(12, r0, l0, r1, l1);
394 		cipher(13, r1, l1, r0, l0);
395 		cipher(14, r0, l0, r1, l1);
396 		cipher(15, r1, l1, r0, l0);
397 		work1.long0 = r0;
398 		work1.long1 = l0;
399 	}
400 
401 	/*
402 	 * Final permutation
403 	 * and chunk to byte conversion
404 	 */
405 	{
406 		const uint32_t *lp;
407 		uint32_t l0, l1, w;
408 		short i, pbit;
409 
410 		l0 = l1 = 0;
411 		w = work1.long0;
412 		for (lp = &longtab[0], i = 0; i < 32; i++) {
413 			if (w & *lp++) {
414 				pbit = FPtab[i];
415 				if (pbit < 32)
416 					l0 |= longtab[pbit];
417 				else
418 					l1 |= longtab[pbit-32];
419 			}
420 		}
421 		w = work1.long1;
422 		for (lp = &longtab[0], i = 32; i < 64; i++) {
423 			if (w & *lp++) {
424 				pbit = FPtab[i];
425 				if (pbit < 32)
426 					l0 |= longtab[pbit];
427 				else
428 					l1 |= longtab[pbit-32];
429 			}
430 		}
431 		work2.long0 = l0;
432 		work2.long1 = l1;
433 	}
434 	data[0] = work2.byte0;
435 	data[1] = work2.byte1;
436 	data[2] = work2.byte2;
437 	data[3] = work2.byte3;
438 	data[4] = work2.byte4;
439 	data[5] = work2.byte5;
440 	data[6] = work2.byte6;
441 	data[7] = work2.byte7;
442 
443 /* EXPORT DELETE END */
444 	return;
445 }
446 #endif /* def CRYPT */
447