1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License, Version 1.0 only 6 * (the "License"). You may not use this file except in compliance 7 * with the License. 8 * 9 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 10 * or http://www.opensolaris.org/os/licensing. 11 * See the License for the specific language governing permissions 12 * and limitations under the License. 13 * 14 * When distributing Covered Code, include this CDDL HEADER in each 15 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 16 * If applicable, add the following below this CDDL HEADER, with the 17 * fields enclosed by brackets "[]" replaced with your own identifying 18 * information: Portions Copyright [yyyy] [name of copyright owner] 19 * 20 * CDDL HEADER END 21 */ 22 23 /* 24 * Copyright 2006 Sun Microsystems, Inc. All rights reserved. 25 * Use is subject to license terms. 26 */ 27 28 /* Copyright (c) 1984, 1986, 1987, 1988, 1989 AT&T */ 29 /* All Rights Reserved */ 30 31 /* 32 * Portions of this source code were derived from Berkeley 4.3 BSD 33 * under license from the Regents of the University of California. 34 */ 35 36 #pragma ident "%Z%%M% %I% %E% SMI" 37 38 /* 39 * Warning! Things are arranged very carefully in this file to 40 * allow read-only data to be moved to the text segment. The 41 * various DES tables must appear before any function definitions 42 * (this is arranged by including them immediately below) and partab 43 * must also appear before and function definitions 44 * This arrangement allows all data up through the first text to 45 * be moved to text. 46 */ 47 48 #include "mt.h" 49 #include <sys/types.h> 50 #include <des/softdes.h> 51 #include <des/desdata.h> 52 #ifdef sun 53 #include <sys/ioctl.h> 54 #include <sys/des.h> 55 #else 56 #include <des/des.h> 57 #endif 58 #include <rpcsvc/nis_dhext.h> 59 60 /* 61 * Fast (?) software implementation of DES 62 * Has been seen going at 2000 bytes/sec on a Sun-2 63 * Works on a VAX too. 64 * Won't work without 8 bit chars and 32 bit longs 65 */ 66 67 #define btst(k, b) (k[b >> 3] & (0x80 >> (b & 07))) 68 #define BIT28 (1<<28) 69 70 static int __des_encrypt(uchar_t *, struct deskeydata *); 71 static int __des_setkey(uchar_t[8], struct deskeydata *, unsigned); 72 73 74 /* 75 * Table giving odd parity in the low bit for ASCII characters 76 */ 77 const char partab[128] = { 78 0x01, 0x01, 0x02, 0x02, 0x04, 0x04, 0x07, 0x07, 79 0x08, 0x08, 0x0b, 0x0b, 0x0d, 0x0d, 0x0e, 0x0e, 80 0x10, 0x10, 0x13, 0x13, 0x15, 0x15, 0x16, 0x16, 81 0x19, 0x19, 0x1a, 0x1a, 0x1c, 0x1c, 0x1f, 0x1f, 82 0x20, 0x20, 0x23, 0x23, 0x25, 0x25, 0x26, 0x26, 83 0x29, 0x29, 0x2a, 0x2a, 0x2c, 0x2c, 0x2f, 0x2f, 84 0x31, 0x31, 0x32, 0x32, 0x34, 0x34, 0x37, 0x37, 85 0x38, 0x38, 0x3b, 0x3b, 0x3d, 0x3d, 0x3e, 0x3e, 86 0x40, 0x40, 0x43, 0x43, 0x45, 0x45, 0x46, 0x46, 87 0x49, 0x49, 0x4a, 0x4a, 0x4c, 0x4c, 0x4f, 0x4f, 88 0x51, 0x51, 0x52, 0x52, 0x54, 0x54, 0x57, 0x57, 89 0x58, 0x58, 0x5b, 0x5b, 0x5d, 0x5d, 0x5e, 0x5e, 90 0x61, 0x61, 0x62, 0x62, 0x64, 0x64, 0x67, 0x67, 91 0x68, 0x68, 0x6b, 0x6b, 0x6d, 0x6d, 0x6e, 0x6e, 92 0x70, 0x70, 0x73, 0x73, 0x75, 0x75, 0x76, 0x76, 93 0x79, 0x79, 0x7a, 0x7a, 0x7c, 0x7c, 0x7f, 0x7f, 94 }; 95 96 /* 97 * Add odd parity to low bit of 8 byte key 98 */ 99 void 100 des_setparity(char *p) 101 { 102 int i; 103 104 for (i = 0; i < 8; i++) { 105 *p = partab[*p & 0x7f]; 106 p++; 107 } 108 } 109 110 static const unsigned char partab_g[256] = { 111 0x01, 0x01, 0x02, 0x02, 0x04, 0x04, 0x07, 0x07, 112 0x08, 0x08, 0x0b, 0x0b, 0x0d, 0x0d, 0x0e, 0x0e, 113 0x10, 0x10, 0x13, 0x13, 0x15, 0x15, 0x16, 0x16, 114 0x19, 0x19, 0x1a, 0x1a, 0x1c, 0x1c, 0x1f, 0x1f, 115 0x20, 0x20, 0x23, 0x23, 0x25, 0x25, 0x26, 0x26, 116 0x29, 0x29, 0x2a, 0x2a, 0x2c, 0x2c, 0x2f, 0x2f, 117 0x31, 0x31, 0x32, 0x32, 0x34, 0x34, 0x37, 0x37, 118 0x38, 0x38, 0x3b, 0x3b, 0x3d, 0x3d, 0x3e, 0x3e, 119 0x40, 0x40, 0x43, 0x43, 0x45, 0x45, 0x46, 0x46, 120 0x49, 0x49, 0x4a, 0x4a, 0x4c, 0x4c, 0x4f, 0x4f, 121 0x51, 0x51, 0x52, 0x52, 0x54, 0x54, 0x57, 0x57, 122 0x58, 0x58, 0x5b, 0x5b, 0x5d, 0x5d, 0x5e, 0x5e, 123 0x61, 0x61, 0x62, 0x62, 0x64, 0x64, 0x67, 0x67, 124 0x68, 0x68, 0x6b, 0x6b, 0x6d, 0x6d, 0x6e, 0x6e, 125 0x70, 0x70, 0x73, 0x73, 0x75, 0x75, 0x76, 0x76, 126 0x79, 0x79, 0x7a, 0x7a, 0x7c, 0x7c, 0x7f, 0x7f, 127 0x80, 0x80, 0x83, 0x83, 0x85, 0x85, 0x86, 0x86, 128 0x89, 0x89, 0x8a, 0x8a, 0x8c, 0x8c, 0x8f, 0x8f, 129 0x91, 0x91, 0x92, 0x92, 0x94, 0x94, 0x97, 0x97, 130 0x98, 0x98, 0x9b, 0x9b, 0x9d, 0x9d, 0x9e, 0x9e, 131 0xa1, 0xa1, 0xa2, 0xa2, 0xa4, 0xa4, 0xa7, 0xa7, 132 0xa8, 0xa8, 0xab, 0xab, 0xad, 0xad, 0xae, 0xae, 133 0xb0, 0xb0, 0xb3, 0xb3, 0xb5, 0xb5, 0xb6, 0xb6, 134 0xb9, 0xb9, 0xba, 0xba, 0xbc, 0xbc, 0xbf, 0xbf, 135 0xc1, 0xc1, 0xc2, 0xc2, 0xc4, 0xc4, 0xc7, 0xc7, 136 0xc8, 0xc8, 0xcb, 0xcb, 0xcd, 0xcd, 0xce, 0xce, 137 0xd0, 0xd0, 0xd3, 0xd3, 0xd5, 0xd5, 0xd6, 0xd6, 138 0xd9, 0xd9, 0xda, 0xda, 0xdc, 0xdc, 0xdf, 0xdf, 139 0xe0, 0xe0, 0xe3, 0xe3, 0xe5, 0xe5, 0xe6, 0xe6, 140 0xe9, 0xe9, 0xea, 0xea, 0xec, 0xec, 0xef, 0xef, 141 0xf1, 0xf1, 0xf2, 0xf2, 0xf4, 0xf4, 0xf7, 0xf7, 142 0xf8, 0xf8, 0xfb, 0xfb, 0xfd, 0xfd, 0xfe, 0xfe 143 }; 144 145 /* 146 * A corrected version of des_setparity (see bug 1149767). 147 */ 148 void 149 des_setparity_g(des_block *p) 150 { 151 int i; 152 153 for (i = 0; i < 8; i++) { 154 (*p).c[i] = partab_g[(*p).c[i]]; 155 } 156 } 157 158 /* 159 * Software encrypt or decrypt a block of data (multiple of 8 bytes) 160 * Do the CBC ourselves if needed. 161 */ 162 int 163 __des_crypt(char *buf, unsigned len, struct desparams *desp) 164 { 165 /* EXPORT DELETE START */ 166 short i; 167 unsigned mode; 168 unsigned dir; 169 char nextiv[8]; 170 struct deskeydata softkey; 171 172 mode = (unsigned)desp->des_mode; 173 dir = (unsigned)desp->des_dir; 174 (void) __des_setkey(desp->des_key, &softkey, dir); 175 while (len != 0) { 176 switch (mode) { 177 case CBC: 178 switch (dir) { 179 case ENCRYPT: 180 for (i = 0; i < 8; i++) 181 buf[i] ^= desp->des_ivec[i]; 182 (void) __des_encrypt((uchar_t *)buf, &softkey); 183 for (i = 0; i < 8; i++) 184 desp->des_ivec[i] = buf[i]; 185 break; 186 case DECRYPT: 187 for (i = 0; i < 8; i++) 188 nextiv[i] = buf[i]; 189 (void) __des_encrypt((uchar_t *)buf, &softkey); 190 for (i = 0; i < 8; i++) { 191 buf[i] ^= desp->des_ivec[i]; 192 desp->des_ivec[i] = nextiv[i]; 193 } 194 break; 195 } 196 break; 197 case ECB: 198 (void) __des_encrypt((uchar_t *)buf, &softkey); 199 break; 200 } 201 buf += 8; 202 len -= 8; 203 } 204 /* EXPORT DELETE END */ 205 return (1); 206 } 207 208 209 /* 210 * Set the key and direction for an encryption operation 211 * We build the 16 key entries here 212 */ 213 static int 214 __des_setkey(uchar_t userkey[8], struct deskeydata *kd, unsigned dir) 215 { 216 /* EXPORT DELETE START */ 217 int32_t C, D; 218 short i; 219 220 /* 221 * First, generate C and D by permuting 222 * the key. The low order bit of each 223 * 8-bit char is not used, so C and D are only 28 224 * bits apiece. 225 */ 226 { 227 short bit; 228 const short *pcc = PC1_C, *pcd = PC1_D; 229 230 C = D = 0; 231 for (i = 0; i < 28; i++) { 232 C <<= 1; 233 D <<= 1; 234 bit = *pcc++; 235 if (btst(userkey, bit)) 236 C |= 1; 237 bit = *pcd++; 238 if (btst(userkey, bit)) 239 D |= 1; 240 } 241 } 242 /* 243 * To generate Ki, rotate C and D according 244 * to schedule and pick up a permutation 245 * using PC2. 246 */ 247 for (i = 0; i < 16; i++) { 248 chunk_t *c; 249 short j, k, bit; 250 uint32_t bbit; 251 252 /* 253 * Do the "left shift" (rotate) 254 * We know we always rotate by either 1 or 2 bits 255 * the shifts table tells us if its 2 256 */ 257 C <<= 1; 258 if (C & BIT28) 259 C |= 1; 260 D <<= 1; 261 if (D & BIT28) 262 D |= 1; 263 if (shifts[i]) { 264 C <<= 1; 265 if (C & BIT28) 266 C |= 1; 267 D <<= 1; 268 if (D & BIT28) 269 D |= 1; 270 } 271 /* 272 * get Ki. Note C and D are concatenated. 273 */ 274 bit = 0; 275 switch (dir) { 276 case ENCRYPT: 277 c = &kd->keyval[i]; break; 278 case DECRYPT: 279 c = &kd->keyval[15 - i]; break; 280 } 281 c->long0 = 0; 282 c->long1 = 0; 283 bbit = (1 << 5) << 24; 284 for (j = 0; j < 4; j++) { 285 for (k = 0; k < 6; k++) { 286 if (C & (BIT28 >> PC2_C[bit])) 287 c->long0 |= bbit >> k; 288 if (D & (BIT28 >> PC2_D[bit])) 289 c->long1 |= bbit >> k; 290 bit++; 291 } 292 bbit >>= 8; 293 } 294 295 } 296 /* EXPORT DELETE END */ 297 return (1); 298 } 299 300 301 302 /* 303 * Do an encryption operation 304 * Much pain is taken (with preprocessor) to avoid loops so the compiler 305 * can do address arithmetic instead of doing it at runtime. 306 * Note that the byte-to-chunk conversion is necessary to guarantee 307 * processor byte-order independence. 308 */ 309 static int 310 __des_encrypt(uchar_t *data, struct deskeydata *kd) 311 { 312 /* EXPORT DELETE START */ 313 chunk_t work1, work2; 314 315 /* 316 * Initial permutation 317 * and byte to chunk conversion 318 */ 319 { 320 const uint32_t *lp; 321 uint32_t l0, l1, w; 322 short i, pbit; 323 324 work1.byte0 = data[0]; 325 work1.byte1 = data[1]; 326 work1.byte2 = data[2]; 327 work1.byte3 = data[3]; 328 work1.byte4 = data[4]; 329 work1.byte5 = data[5]; 330 work1.byte6 = data[6]; 331 work1.byte7 = data[7]; 332 l0 = l1 = 0; 333 w = work1.long0; 334 for (lp = (uint32_t *)&longtab[0], i = 0; i < 32; i++) { 335 if (w & *lp++) { 336 pbit = IPtab[i]; 337 if (pbit < 32) 338 l0 |= longtab[pbit]; 339 else 340 l1 |= longtab[pbit-32]; 341 } 342 } 343 w = work1.long1; 344 for (lp = (uint32_t *)&longtab[0], i = 32; i < 64; i++) { 345 if (w & *lp++) { 346 pbit = IPtab[i]; 347 if (pbit < 32) 348 l0 |= longtab[pbit]; 349 else 350 l1 |= longtab[pbit-32]; 351 } 352 } 353 work2.long0 = l0; 354 work2.long1 = l1; 355 } 356 357 /* 358 * Expand 8 bits of 32 bit R to 48 bit R 359 */ 360 #define do_R_to_ER(op, b) { \ 361 const struct R_to_ER *p = &R_to_ER_tab[b][R.byte##b]; \ 362 e0 op p->l0; \ 363 e1 op p->l1; \ 364 } 365 366 /* 367 * Inner part of the algorithm: 368 * Expand R from 32 to 48 bits; xor key value; 369 * apply S boxes; permute 32 bits of output 370 */ 371 /* BEGIN CSTYLED */ 372 #define do_F(iter, inR, outR) { \ 373 chunk_t R, ER; \ 374 uint32_t e0, e1; \ 375 R.long0 = inR; \ 376 do_R_to_ER(=, 0); \ 377 do_R_to_ER(|=, 1); \ 378 do_R_to_ER(|=, 2); \ 379 do_R_to_ER(|=, 3); \ 380 ER.long0 = e0 ^ kd->keyval[iter].long0; \ 381 ER.long1 = e1 ^ kd->keyval[iter].long1; \ 382 R.long0 = \ 383 S_tab[0][ER.byte0] + \ 384 S_tab[1][ER.byte1] + \ 385 S_tab[2][ER.byte2] + \ 386 S_tab[3][ER.byte3] + \ 387 S_tab[4][ER.byte4] + \ 388 S_tab[5][ER.byte5] + \ 389 S_tab[6][ER.byte6] + \ 390 S_tab[7][ER.byte7]; \ 391 outR = \ 392 P_tab[0][R.byte0] + \ 393 P_tab[1][R.byte1] + \ 394 P_tab[2][R.byte2] + \ 395 P_tab[3][R.byte3]; \ 396 } 397 /* END CSTYLED */ 398 399 /* 400 * Do a cipher step 401 * Apply inner part; do xor and exchange of 32 bit parts 402 */ 403 #define cipher(iter, inR, inL, outR, outL) { \ 404 do_F(iter, inR, outR); \ 405 outR ^= inL; \ 406 outL = inR; \ 407 } 408 409 /* 410 * Apply the 16 ciphering steps 411 */ 412 { 413 uint32_t r0, l0, r1, l1; 414 415 l0 = work2.long0; 416 r0 = work2.long1; 417 cipher(0, r0, l0, r1, l1); 418 cipher(1, r1, l1, r0, l0); 419 cipher(2, r0, l0, r1, l1); 420 cipher(3, r1, l1, r0, l0); 421 cipher(4, r0, l0, r1, l1); 422 cipher(5, r1, l1, r0, l0); 423 cipher(6, r0, l0, r1, l1); 424 cipher(7, r1, l1, r0, l0); 425 cipher(8, r0, l0, r1, l1); 426 cipher(9, r1, l1, r0, l0); 427 cipher(10, r0, l0, r1, l1); 428 cipher(11, r1, l1, r0, l0); 429 cipher(12, r0, l0, r1, l1); 430 cipher(13, r1, l1, r0, l0); 431 cipher(14, r0, l0, r1, l1); 432 cipher(15, r1, l1, r0, l0); 433 work1.long0 = r0; 434 work1.long1 = l0; 435 } 436 437 /* 438 * Final permutation 439 * and chunk to byte conversion 440 */ 441 { 442 uint32_t *lp; 443 uint32_t l0, l1, w; 444 short i, pbit; 445 446 l0 = l1 = 0; 447 w = work1.long0; 448 for (lp = (uint32_t *)&longtab[0], i = 0; i < 32; i++) { 449 if (w & *lp++) { 450 pbit = FPtab[i]; 451 if (pbit < 32) 452 l0 |= longtab[pbit]; 453 else 454 l1 |= longtab[pbit-32]; 455 } 456 } 457 w = work1.long1; 458 for (lp = (uint32_t *)&longtab[0], i = 32; i < 64; i++) { 459 if (w & *lp++) { 460 pbit = FPtab[i]; 461 if (pbit < 32) 462 l0 |= longtab[pbit]; 463 else 464 l1 |= longtab[pbit-32]; 465 } 466 } 467 work2.long0 = l0; 468 work2.long1 = l1; 469 } 470 data[0] = work2.byte0; 471 data[1] = work2.byte1; 472 data[2] = work2.byte2; 473 data[3] = work2.byte3; 474 data[4] = work2.byte4; 475 data[5] = work2.byte5; 476 data[6] = work2.byte6; 477 data[7] = work2.byte7; 478 479 /* EXPORT DELETE END */ 480 return (1); 481 } 482