1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License, Version 1.0 only 6 * (the "License"). You may not use this file except in compliance 7 * with the License. 8 * 9 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 10 * or http://www.opensolaris.org/os/licensing. 11 * See the License for the specific language governing permissions 12 * and limitations under the License. 13 * 14 * When distributing Covered Code, include this CDDL HEADER in each 15 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 16 * If applicable, add the following below this CDDL HEADER, with the 17 * fields enclosed by brackets "[]" replaced with your own identifying 18 * information: Portions Copyright [yyyy] [name of copyright owner] 19 * 20 * CDDL HEADER END 21 */ 22 23 /* 24 * Copyright 2006 Sun Microsystems, Inc. All rights reserved. 25 * Use is subject to license terms. 26 */ 27 28 /* Copyright (c) 1984, 1986, 1987, 1988, 1989 AT&T */ 29 /* All Rights Reserved */ 30 31 /* 32 * Portions of this source code were derived from Berkeley 4.3 BSD 33 * under license from the Regents of the University of California. 34 */ 35 36 /* 37 * Warning! Things are arranged very carefully in this file to 38 * allow read-only data to be moved to the text segment. The 39 * various DES tables must appear before any function definitions 40 * (this is arranged by including them immediately below) and partab 41 * must also appear before and function definitions 42 * This arrangement allows all data up through the first text to 43 * be moved to text. 44 */ 45 46 #include "mt.h" 47 #include <sys/types.h> 48 #include <des/softdes.h> 49 #include <des/desdata.h> 50 #ifdef sun 51 #include <sys/ioctl.h> 52 #include <sys/des.h> 53 #else 54 #include <des/des.h> 55 #endif 56 #include <rpcsvc/nis_dhext.h> 57 58 /* 59 * Fast (?) software implementation of DES 60 * Has been seen going at 2000 bytes/sec on a Sun-2 61 * Works on a VAX too. 62 * Won't work without 8 bit chars and 32 bit longs 63 */ 64 65 #define btst(k, b) (k[b >> 3] & (0x80 >> (b & 07))) 66 #define BIT28 (1<<28) 67 68 static int __des_encrypt(uchar_t *, struct deskeydata *); 69 static int __des_setkey(uchar_t[8], struct deskeydata *, unsigned); 70 71 72 /* 73 * Table giving odd parity in the low bit for ASCII characters 74 */ 75 const char partab[128] = { 76 0x01, 0x01, 0x02, 0x02, 0x04, 0x04, 0x07, 0x07, 77 0x08, 0x08, 0x0b, 0x0b, 0x0d, 0x0d, 0x0e, 0x0e, 78 0x10, 0x10, 0x13, 0x13, 0x15, 0x15, 0x16, 0x16, 79 0x19, 0x19, 0x1a, 0x1a, 0x1c, 0x1c, 0x1f, 0x1f, 80 0x20, 0x20, 0x23, 0x23, 0x25, 0x25, 0x26, 0x26, 81 0x29, 0x29, 0x2a, 0x2a, 0x2c, 0x2c, 0x2f, 0x2f, 82 0x31, 0x31, 0x32, 0x32, 0x34, 0x34, 0x37, 0x37, 83 0x38, 0x38, 0x3b, 0x3b, 0x3d, 0x3d, 0x3e, 0x3e, 84 0x40, 0x40, 0x43, 0x43, 0x45, 0x45, 0x46, 0x46, 85 0x49, 0x49, 0x4a, 0x4a, 0x4c, 0x4c, 0x4f, 0x4f, 86 0x51, 0x51, 0x52, 0x52, 0x54, 0x54, 0x57, 0x57, 87 0x58, 0x58, 0x5b, 0x5b, 0x5d, 0x5d, 0x5e, 0x5e, 88 0x61, 0x61, 0x62, 0x62, 0x64, 0x64, 0x67, 0x67, 89 0x68, 0x68, 0x6b, 0x6b, 0x6d, 0x6d, 0x6e, 0x6e, 90 0x70, 0x70, 0x73, 0x73, 0x75, 0x75, 0x76, 0x76, 91 0x79, 0x79, 0x7a, 0x7a, 0x7c, 0x7c, 0x7f, 0x7f, 92 }; 93 94 /* 95 * Add odd parity to low bit of 8 byte key 96 */ 97 void 98 des_setparity(char *p) 99 { 100 int i; 101 102 for (i = 0; i < 8; i++) { 103 *p = partab[*p & 0x7f]; 104 p++; 105 } 106 } 107 108 static const unsigned char partab_g[256] = { 109 0x01, 0x01, 0x02, 0x02, 0x04, 0x04, 0x07, 0x07, 110 0x08, 0x08, 0x0b, 0x0b, 0x0d, 0x0d, 0x0e, 0x0e, 111 0x10, 0x10, 0x13, 0x13, 0x15, 0x15, 0x16, 0x16, 112 0x19, 0x19, 0x1a, 0x1a, 0x1c, 0x1c, 0x1f, 0x1f, 113 0x20, 0x20, 0x23, 0x23, 0x25, 0x25, 0x26, 0x26, 114 0x29, 0x29, 0x2a, 0x2a, 0x2c, 0x2c, 0x2f, 0x2f, 115 0x31, 0x31, 0x32, 0x32, 0x34, 0x34, 0x37, 0x37, 116 0x38, 0x38, 0x3b, 0x3b, 0x3d, 0x3d, 0x3e, 0x3e, 117 0x40, 0x40, 0x43, 0x43, 0x45, 0x45, 0x46, 0x46, 118 0x49, 0x49, 0x4a, 0x4a, 0x4c, 0x4c, 0x4f, 0x4f, 119 0x51, 0x51, 0x52, 0x52, 0x54, 0x54, 0x57, 0x57, 120 0x58, 0x58, 0x5b, 0x5b, 0x5d, 0x5d, 0x5e, 0x5e, 121 0x61, 0x61, 0x62, 0x62, 0x64, 0x64, 0x67, 0x67, 122 0x68, 0x68, 0x6b, 0x6b, 0x6d, 0x6d, 0x6e, 0x6e, 123 0x70, 0x70, 0x73, 0x73, 0x75, 0x75, 0x76, 0x76, 124 0x79, 0x79, 0x7a, 0x7a, 0x7c, 0x7c, 0x7f, 0x7f, 125 0x80, 0x80, 0x83, 0x83, 0x85, 0x85, 0x86, 0x86, 126 0x89, 0x89, 0x8a, 0x8a, 0x8c, 0x8c, 0x8f, 0x8f, 127 0x91, 0x91, 0x92, 0x92, 0x94, 0x94, 0x97, 0x97, 128 0x98, 0x98, 0x9b, 0x9b, 0x9d, 0x9d, 0x9e, 0x9e, 129 0xa1, 0xa1, 0xa2, 0xa2, 0xa4, 0xa4, 0xa7, 0xa7, 130 0xa8, 0xa8, 0xab, 0xab, 0xad, 0xad, 0xae, 0xae, 131 0xb0, 0xb0, 0xb3, 0xb3, 0xb5, 0xb5, 0xb6, 0xb6, 132 0xb9, 0xb9, 0xba, 0xba, 0xbc, 0xbc, 0xbf, 0xbf, 133 0xc1, 0xc1, 0xc2, 0xc2, 0xc4, 0xc4, 0xc7, 0xc7, 134 0xc8, 0xc8, 0xcb, 0xcb, 0xcd, 0xcd, 0xce, 0xce, 135 0xd0, 0xd0, 0xd3, 0xd3, 0xd5, 0xd5, 0xd6, 0xd6, 136 0xd9, 0xd9, 0xda, 0xda, 0xdc, 0xdc, 0xdf, 0xdf, 137 0xe0, 0xe0, 0xe3, 0xe3, 0xe5, 0xe5, 0xe6, 0xe6, 138 0xe9, 0xe9, 0xea, 0xea, 0xec, 0xec, 0xef, 0xef, 139 0xf1, 0xf1, 0xf2, 0xf2, 0xf4, 0xf4, 0xf7, 0xf7, 140 0xf8, 0xf8, 0xfb, 0xfb, 0xfd, 0xfd, 0xfe, 0xfe 141 }; 142 143 /* 144 * A corrected version of des_setparity (see bug 1149767). 145 */ 146 void 147 des_setparity_g(des_block *p) 148 { 149 int i; 150 151 for (i = 0; i < 8; i++) { 152 (*p).c[i] = partab_g[(*p).c[i]]; 153 } 154 } 155 156 /* 157 * Software encrypt or decrypt a block of data (multiple of 8 bytes) 158 * Do the CBC ourselves if needed. 159 */ 160 int 161 __des_crypt(char *buf, unsigned len, struct desparams *desp) 162 { 163 short i; 164 unsigned mode; 165 unsigned dir; 166 char nextiv[8]; 167 struct deskeydata softkey; 168 169 mode = (unsigned)desp->des_mode; 170 dir = (unsigned)desp->des_dir; 171 (void) __des_setkey(desp->des_key, &softkey, dir); 172 while (len != 0) { 173 switch (mode) { 174 case CBC: 175 switch (dir) { 176 case ENCRYPT: 177 for (i = 0; i < 8; i++) 178 buf[i] ^= desp->des_ivec[i]; 179 (void) __des_encrypt((uchar_t *)buf, &softkey); 180 for (i = 0; i < 8; i++) 181 desp->des_ivec[i] = buf[i]; 182 break; 183 case DECRYPT: 184 for (i = 0; i < 8; i++) 185 nextiv[i] = buf[i]; 186 (void) __des_encrypt((uchar_t *)buf, &softkey); 187 for (i = 0; i < 8; i++) { 188 buf[i] ^= desp->des_ivec[i]; 189 desp->des_ivec[i] = nextiv[i]; 190 } 191 break; 192 } 193 break; 194 case ECB: 195 (void) __des_encrypt((uchar_t *)buf, &softkey); 196 break; 197 } 198 buf += 8; 199 len -= 8; 200 } 201 return (1); 202 } 203 204 205 /* 206 * Set the key and direction for an encryption operation 207 * We build the 16 key entries here 208 */ 209 static int 210 __des_setkey(uchar_t userkey[8], struct deskeydata *kd, unsigned dir) 211 { 212 int32_t C, D; 213 short i; 214 215 /* 216 * First, generate C and D by permuting 217 * the key. The low order bit of each 218 * 8-bit char is not used, so C and D are only 28 219 * bits apiece. 220 */ 221 { 222 short bit; 223 const short *pcc = PC1_C, *pcd = PC1_D; 224 225 C = D = 0; 226 for (i = 0; i < 28; i++) { 227 C <<= 1; 228 D <<= 1; 229 bit = *pcc++; 230 if (btst(userkey, bit)) 231 C |= 1; 232 bit = *pcd++; 233 if (btst(userkey, bit)) 234 D |= 1; 235 } 236 } 237 /* 238 * To generate Ki, rotate C and D according 239 * to schedule and pick up a permutation 240 * using PC2. 241 */ 242 for (i = 0; i < 16; i++) { 243 chunk_t *c; 244 short j, k, bit; 245 uint32_t bbit; 246 247 /* 248 * Do the "left shift" (rotate) 249 * We know we always rotate by either 1 or 2 bits 250 * the shifts table tells us if its 2 251 */ 252 C <<= 1; 253 if (C & BIT28) 254 C |= 1; 255 D <<= 1; 256 if (D & BIT28) 257 D |= 1; 258 if (shifts[i]) { 259 C <<= 1; 260 if (C & BIT28) 261 C |= 1; 262 D <<= 1; 263 if (D & BIT28) 264 D |= 1; 265 } 266 /* 267 * get Ki. Note C and D are concatenated. 268 */ 269 bit = 0; 270 switch (dir) { 271 case ENCRYPT: 272 c = &kd->keyval[i]; break; 273 case DECRYPT: 274 c = &kd->keyval[15 - i]; break; 275 } 276 c->long0 = 0; 277 c->long1 = 0; 278 bbit = (1 << 5) << 24; 279 for (j = 0; j < 4; j++) { 280 for (k = 0; k < 6; k++) { 281 if (C & (BIT28 >> PC2_C[bit])) 282 c->long0 |= bbit >> k; 283 if (D & (BIT28 >> PC2_D[bit])) 284 c->long1 |= bbit >> k; 285 bit++; 286 } 287 bbit >>= 8; 288 } 289 290 } 291 return (1); 292 } 293 294 295 296 /* 297 * Do an encryption operation 298 * Much pain is taken (with preprocessor) to avoid loops so the compiler 299 * can do address arithmetic instead of doing it at runtime. 300 * Note that the byte-to-chunk conversion is necessary to guarantee 301 * processor byte-order independence. 302 */ 303 static int 304 __des_encrypt(uchar_t *data, struct deskeydata *kd) 305 { 306 chunk_t work1, work2; 307 308 /* 309 * Initial permutation 310 * and byte to chunk conversion 311 */ 312 { 313 const uint32_t *lp; 314 uint32_t l0, l1, w; 315 short i, pbit; 316 317 work1.byte0 = data[0]; 318 work1.byte1 = data[1]; 319 work1.byte2 = data[2]; 320 work1.byte3 = data[3]; 321 work1.byte4 = data[4]; 322 work1.byte5 = data[5]; 323 work1.byte6 = data[6]; 324 work1.byte7 = data[7]; 325 l0 = l1 = 0; 326 w = work1.long0; 327 for (lp = (uint32_t *)&longtab[0], i = 0; i < 32; i++) { 328 if (w & *lp++) { 329 pbit = IPtab[i]; 330 if (pbit < 32) 331 l0 |= longtab[pbit]; 332 else 333 l1 |= longtab[pbit-32]; 334 } 335 } 336 w = work1.long1; 337 for (lp = (uint32_t *)&longtab[0], i = 32; i < 64; i++) { 338 if (w & *lp++) { 339 pbit = IPtab[i]; 340 if (pbit < 32) 341 l0 |= longtab[pbit]; 342 else 343 l1 |= longtab[pbit-32]; 344 } 345 } 346 work2.long0 = l0; 347 work2.long1 = l1; 348 } 349 350 /* 351 * Expand 8 bits of 32 bit R to 48 bit R 352 */ 353 #define do_R_to_ER(op, b) { \ 354 const struct R_to_ER *p = &R_to_ER_tab[b][R.byte##b]; \ 355 e0 op p->l0; \ 356 e1 op p->l1; \ 357 } 358 359 /* 360 * Inner part of the algorithm: 361 * Expand R from 32 to 48 bits; xor key value; 362 * apply S boxes; permute 32 bits of output 363 */ 364 /* BEGIN CSTYLED */ 365 #define do_F(iter, inR, outR) { \ 366 chunk_t R, ER; \ 367 uint32_t e0, e1; \ 368 R.long0 = inR; \ 369 do_R_to_ER(=, 0); \ 370 do_R_to_ER(|=, 1); \ 371 do_R_to_ER(|=, 2); \ 372 do_R_to_ER(|=, 3); \ 373 ER.long0 = e0 ^ kd->keyval[iter].long0; \ 374 ER.long1 = e1 ^ kd->keyval[iter].long1; \ 375 R.long0 = \ 376 S_tab[0][ER.byte0] + \ 377 S_tab[1][ER.byte1] + \ 378 S_tab[2][ER.byte2] + \ 379 S_tab[3][ER.byte3] + \ 380 S_tab[4][ER.byte4] + \ 381 S_tab[5][ER.byte5] + \ 382 S_tab[6][ER.byte6] + \ 383 S_tab[7][ER.byte7]; \ 384 outR = \ 385 P_tab[0][R.byte0] + \ 386 P_tab[1][R.byte1] + \ 387 P_tab[2][R.byte2] + \ 388 P_tab[3][R.byte3]; \ 389 } 390 /* END CSTYLED */ 391 392 /* 393 * Do a cipher step 394 * Apply inner part; do xor and exchange of 32 bit parts 395 */ 396 #define cipher(iter, inR, inL, outR, outL) { \ 397 do_F(iter, inR, outR); \ 398 outR ^= inL; \ 399 outL = inR; \ 400 } 401 402 /* 403 * Apply the 16 ciphering steps 404 */ 405 { 406 uint32_t r0, l0, r1, l1; 407 408 l0 = work2.long0; 409 r0 = work2.long1; 410 cipher(0, r0, l0, r1, l1); 411 cipher(1, r1, l1, r0, l0); 412 cipher(2, r0, l0, r1, l1); 413 cipher(3, r1, l1, r0, l0); 414 cipher(4, r0, l0, r1, l1); 415 cipher(5, r1, l1, r0, l0); 416 cipher(6, r0, l0, r1, l1); 417 cipher(7, r1, l1, r0, l0); 418 cipher(8, r0, l0, r1, l1); 419 cipher(9, r1, l1, r0, l0); 420 cipher(10, r0, l0, r1, l1); 421 cipher(11, r1, l1, r0, l0); 422 cipher(12, r0, l0, r1, l1); 423 cipher(13, r1, l1, r0, l0); 424 cipher(14, r0, l0, r1, l1); 425 cipher(15, r1, l1, r0, l0); 426 work1.long0 = r0; 427 work1.long1 = l0; 428 } 429 430 /* 431 * Final permutation 432 * and chunk to byte conversion 433 */ 434 { 435 uint32_t *lp; 436 uint32_t l0, l1, w; 437 short i, pbit; 438 439 l0 = l1 = 0; 440 w = work1.long0; 441 for (lp = (uint32_t *)&longtab[0], i = 0; i < 32; i++) { 442 if (w & *lp++) { 443 pbit = FPtab[i]; 444 if (pbit < 32) 445 l0 |= longtab[pbit]; 446 else 447 l1 |= longtab[pbit-32]; 448 } 449 } 450 w = work1.long1; 451 for (lp = (uint32_t *)&longtab[0], i = 32; i < 64; i++) { 452 if (w & *lp++) { 453 pbit = FPtab[i]; 454 if (pbit < 32) 455 l0 |= longtab[pbit]; 456 else 457 l1 |= longtab[pbit-32]; 458 } 459 } 460 work2.long0 = l0; 461 work2.long1 = l1; 462 } 463 data[0] = work2.byte0; 464 data[1] = work2.byte1; 465 data[2] = work2.byte2; 466 data[3] = work2.byte3; 467 data[4] = work2.byte4; 468 data[5] = work2.byte5; 469 data[6] = work2.byte6; 470 data[7] = work2.byte7; 471 472 return (1); 473 } 474