1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License, Version 1.0 only 6 * (the "License"). You may not use this file except in compliance 7 * with the License. 8 * 9 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 10 * or http://www.opensolaris.org/os/licensing. 11 * See the License for the specific language governing permissions 12 * and limitations under the License. 13 * 14 * When distributing Covered Code, include this CDDL HEADER in each 15 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 16 * If applicable, add the following below this CDDL HEADER, with the 17 * fields enclosed by brackets "[]" replaced with your own identifying 18 * information: Portions Copyright [yyyy] [name of copyright owner] 19 * 20 * CDDL HEADER END 21 */ 22 23 /* 24 * Copyright 2005 Sun Microsystems, Inc. All rights reserved. 25 * Use is subject to license terms. 26 */ 27 28 /* Copyright (c) 1984, 1986, 1987, 1988, 1989 AT&T */ 29 /* All Rights Reserved */ 30 31 /* 32 * Portions of this source code were derived from Berkeley 4.3 BSD 33 * under license from the Regents of the University of California. 34 */ 35 36 #pragma ident "%Z%%M% %I% %E% SMI" 37 38 /* 39 * Warning! Things are arranged very carefully in this file to 40 * allow read-only data to be moved to the text segment. The 41 * various DES tables must appear before any function definitions 42 * (this is arranged by including them immediately below) and partab 43 * must also appear before and function definitions 44 * This arrangement allows all data up through the first text to 45 * be moved to text. 46 */ 47 48 #include <sys/types.h> 49 #include <des/softdes.h> 50 #include <des/desdata.h> 51 #ifdef sun 52 #include <sys/ioctl.h> 53 #include <sys/des.h> 54 #else 55 #include <des/des.h> 56 #endif 57 #include <rpcsvc/nis_dhext.h> 58 59 /* 60 * Fast (?) software implementation of DES 61 * Has been seen going at 2000 bytes/sec on a Sun-2 62 * Works on a VAX too. 63 * Won't work without 8 bit chars and 32 bit longs 64 */ 65 66 #define btst(k, b) (k[b >> 3] & (0x80 >> (b & 07))) 67 #define BIT28 (1<<28) 68 69 static int __des_encrypt(uchar_t *, struct deskeydata *); 70 static int __des_setkey(uchar_t[8], struct deskeydata *, unsigned); 71 72 73 /* 74 * Table giving odd parity in the low bit for ASCII characters 75 */ 76 const char partab[128] = { 77 0x01, 0x01, 0x02, 0x02, 0x04, 0x04, 0x07, 0x07, 78 0x08, 0x08, 0x0b, 0x0b, 0x0d, 0x0d, 0x0e, 0x0e, 79 0x10, 0x10, 0x13, 0x13, 0x15, 0x15, 0x16, 0x16, 80 0x19, 0x19, 0x1a, 0x1a, 0x1c, 0x1c, 0x1f, 0x1f, 81 0x20, 0x20, 0x23, 0x23, 0x25, 0x25, 0x26, 0x26, 82 0x29, 0x29, 0x2a, 0x2a, 0x2c, 0x2c, 0x2f, 0x2f, 83 0x31, 0x31, 0x32, 0x32, 0x34, 0x34, 0x37, 0x37, 84 0x38, 0x38, 0x3b, 0x3b, 0x3d, 0x3d, 0x3e, 0x3e, 85 0x40, 0x40, 0x43, 0x43, 0x45, 0x45, 0x46, 0x46, 86 0x49, 0x49, 0x4a, 0x4a, 0x4c, 0x4c, 0x4f, 0x4f, 87 0x51, 0x51, 0x52, 0x52, 0x54, 0x54, 0x57, 0x57, 88 0x58, 0x58, 0x5b, 0x5b, 0x5d, 0x5d, 0x5e, 0x5e, 89 0x61, 0x61, 0x62, 0x62, 0x64, 0x64, 0x67, 0x67, 90 0x68, 0x68, 0x6b, 0x6b, 0x6d, 0x6d, 0x6e, 0x6e, 91 0x70, 0x70, 0x73, 0x73, 0x75, 0x75, 0x76, 0x76, 92 0x79, 0x79, 0x7a, 0x7a, 0x7c, 0x7c, 0x7f, 0x7f, 93 }; 94 95 /* 96 * Add odd parity to low bit of 8 byte key 97 */ 98 void 99 des_setparity(char *p) 100 { 101 int i; 102 103 for (i = 0; i < 8; i++) { 104 *p = partab[*p & 0x7f]; 105 p++; 106 } 107 } 108 109 static const unsigned char partab_g[256] = { 110 0x01, 0x01, 0x02, 0x02, 0x04, 0x04, 0x07, 0x07, 111 0x08, 0x08, 0x0b, 0x0b, 0x0d, 0x0d, 0x0e, 0x0e, 112 0x10, 0x10, 0x13, 0x13, 0x15, 0x15, 0x16, 0x16, 113 0x19, 0x19, 0x1a, 0x1a, 0x1c, 0x1c, 0x1f, 0x1f, 114 0x20, 0x20, 0x23, 0x23, 0x25, 0x25, 0x26, 0x26, 115 0x29, 0x29, 0x2a, 0x2a, 0x2c, 0x2c, 0x2f, 0x2f, 116 0x31, 0x31, 0x32, 0x32, 0x34, 0x34, 0x37, 0x37, 117 0x38, 0x38, 0x3b, 0x3b, 0x3d, 0x3d, 0x3e, 0x3e, 118 0x40, 0x40, 0x43, 0x43, 0x45, 0x45, 0x46, 0x46, 119 0x49, 0x49, 0x4a, 0x4a, 0x4c, 0x4c, 0x4f, 0x4f, 120 0x51, 0x51, 0x52, 0x52, 0x54, 0x54, 0x57, 0x57, 121 0x58, 0x58, 0x5b, 0x5b, 0x5d, 0x5d, 0x5e, 0x5e, 122 0x61, 0x61, 0x62, 0x62, 0x64, 0x64, 0x67, 0x67, 123 0x68, 0x68, 0x6b, 0x6b, 0x6d, 0x6d, 0x6e, 0x6e, 124 0x70, 0x70, 0x73, 0x73, 0x75, 0x75, 0x76, 0x76, 125 0x79, 0x79, 0x7a, 0x7a, 0x7c, 0x7c, 0x7f, 0x7f, 126 0x80, 0x80, 0x83, 0x83, 0x85, 0x85, 0x86, 0x86, 127 0x89, 0x89, 0x8a, 0x8a, 0x8c, 0x8c, 0x8f, 0x8f, 128 0x91, 0x91, 0x92, 0x92, 0x94, 0x94, 0x97, 0x97, 129 0x98, 0x98, 0x9b, 0x9b, 0x9d, 0x9d, 0x9e, 0x9e, 130 0xa1, 0xa1, 0xa2, 0xa2, 0xa4, 0xa4, 0xa7, 0xa7, 131 0xa8, 0xa8, 0xab, 0xab, 0xad, 0xad, 0xae, 0xae, 132 0xb0, 0xb0, 0xb3, 0xb3, 0xb5, 0xb5, 0xb6, 0xb6, 133 0xb9, 0xb9, 0xba, 0xba, 0xbc, 0xbc, 0xbf, 0xbf, 134 0xc1, 0xc1, 0xc2, 0xc2, 0xc4, 0xc4, 0xc7, 0xc7, 135 0xc8, 0xc8, 0xcb, 0xcb, 0xcd, 0xcd, 0xce, 0xce, 136 0xd0, 0xd0, 0xd3, 0xd3, 0xd5, 0xd5, 0xd6, 0xd6, 137 0xd9, 0xd9, 0xda, 0xda, 0xdc, 0xdc, 0xdf, 0xdf, 138 0xe0, 0xe0, 0xe3, 0xe3, 0xe5, 0xe5, 0xe6, 0xe6, 139 0xe9, 0xe9, 0xea, 0xea, 0xec, 0xec, 0xef, 0xef, 140 0xf1, 0xf1, 0xf2, 0xf2, 0xf4, 0xf4, 0xf7, 0xf7, 141 0xf8, 0xf8, 0xfb, 0xfb, 0xfd, 0xfd, 0xfe, 0xfe 142 }; 143 144 /* 145 * A corrected version of des_setparity (see bug 1149767). 146 */ 147 void 148 des_setparity_g(des_block *p) 149 { 150 int i; 151 152 for (i = 0; i < 8; i++) { 153 (*p).c[i] = partab_g[(*p).c[i]]; 154 } 155 } 156 157 /* 158 * Software encrypt or decrypt a block of data (multiple of 8 bytes) 159 * Do the CBC ourselves if needed. 160 */ 161 int 162 __des_crypt(char *buf, unsigned len, struct desparams *desp) 163 { 164 /* EXPORT DELETE START */ 165 short i; 166 unsigned mode; 167 unsigned dir; 168 char nextiv[8]; 169 struct deskeydata softkey; 170 171 mode = (unsigned)desp->des_mode; 172 dir = (unsigned)desp->des_dir; 173 (void) __des_setkey(desp->des_key, &softkey, dir); 174 while (len != 0) { 175 switch (mode) { 176 case CBC: 177 switch (dir) { 178 case ENCRYPT: 179 for (i = 0; i < 8; i++) 180 buf[i] ^= desp->des_ivec[i]; 181 (void) __des_encrypt((uchar_t *)buf, &softkey); 182 for (i = 0; i < 8; i++) 183 desp->des_ivec[i] = buf[i]; 184 break; 185 case DECRYPT: 186 for (i = 0; i < 8; i++) 187 nextiv[i] = buf[i]; 188 (void) __des_encrypt((uchar_t *)buf, &softkey); 189 for (i = 0; i < 8; i++) { 190 buf[i] ^= desp->des_ivec[i]; 191 desp->des_ivec[i] = nextiv[i]; 192 } 193 break; 194 } 195 break; 196 case ECB: 197 (void) __des_encrypt((uchar_t *)buf, &softkey); 198 break; 199 } 200 buf += 8; 201 len -= 8; 202 } 203 /* EXPORT DELETE END */ 204 return (1); 205 } 206 207 208 /* 209 * Set the key and direction for an encryption operation 210 * We build the 16 key entries here 211 */ 212 static int 213 __des_setkey(uchar_t userkey[8], struct deskeydata *kd, unsigned dir) 214 { 215 /* EXPORT DELETE START */ 216 int32_t C, D; 217 short i; 218 219 /* 220 * First, generate C and D by permuting 221 * the key. The low order bit of each 222 * 8-bit char is not used, so C and D are only 28 223 * bits apiece. 224 */ 225 { 226 short bit; 227 const short *pcc = PC1_C, *pcd = PC1_D; 228 229 C = D = 0; 230 for (i = 0; i < 28; i++) { 231 C <<= 1; 232 D <<= 1; 233 bit = *pcc++; 234 if (btst(userkey, bit)) 235 C |= 1; 236 bit = *pcd++; 237 if (btst(userkey, bit)) 238 D |= 1; 239 } 240 } 241 /* 242 * To generate Ki, rotate C and D according 243 * to schedule and pick up a permutation 244 * using PC2. 245 */ 246 for (i = 0; i < 16; i++) { 247 chunk_t *c; 248 short j, k, bit; 249 uint32_t bbit; 250 251 /* 252 * Do the "left shift" (rotate) 253 * We know we always rotate by either 1 or 2 bits 254 * the shifts table tells us if its 2 255 */ 256 C <<= 1; 257 if (C & BIT28) 258 C |= 1; 259 D <<= 1; 260 if (D & BIT28) 261 D |= 1; 262 if (shifts[i]) { 263 C <<= 1; 264 if (C & BIT28) 265 C |= 1; 266 D <<= 1; 267 if (D & BIT28) 268 D |= 1; 269 } 270 /* 271 * get Ki. Note C and D are concatenated. 272 */ 273 bit = 0; 274 switch (dir) { 275 case ENCRYPT: 276 c = &kd->keyval[i]; break; 277 case DECRYPT: 278 c = &kd->keyval[15 - i]; break; 279 } 280 c->long0 = 0; 281 c->long1 = 0; 282 bbit = (1 << 5) << 24; 283 for (j = 0; j < 4; j++) { 284 for (k = 0; k < 6; k++) { 285 if (C & (BIT28 >> PC2_C[bit])) 286 c->long0 |= bbit >> k; 287 if (D & (BIT28 >> PC2_D[bit])) 288 c->long1 |= bbit >> k; 289 bit++; 290 } 291 bbit >>= 8; 292 } 293 294 } 295 /* EXPORT DELETE END */ 296 return (1); 297 } 298 299 300 301 /* 302 * Do an encryption operation 303 * Much pain is taken (with preprocessor) to avoid loops so the compiler 304 * can do address arithmetic instead of doing it at runtime. 305 * Note that the byte-to-chunk conversion is necessary to guarantee 306 * processor byte-order independence. 307 */ 308 static int 309 __des_encrypt(uchar_t *data, struct deskeydata *kd) 310 { 311 /* EXPORT DELETE START */ 312 chunk_t work1, work2; 313 314 /* 315 * Initial permutation 316 * and byte to chunk conversion 317 */ 318 { 319 const uint32_t *lp; 320 uint32_t l0, l1, w; 321 short i, pbit; 322 323 work1.byte0 = data[0]; 324 work1.byte1 = data[1]; 325 work1.byte2 = data[2]; 326 work1.byte3 = data[3]; 327 work1.byte4 = data[4]; 328 work1.byte5 = data[5]; 329 work1.byte6 = data[6]; 330 work1.byte7 = data[7]; 331 l0 = l1 = 0; 332 w = work1.long0; 333 for (lp = (uint32_t *)&longtab[0], i = 0; i < 32; i++) { 334 if (w & *lp++) { 335 pbit = IPtab[i]; 336 if (pbit < 32) 337 l0 |= longtab[pbit]; 338 else 339 l1 |= longtab[pbit-32]; 340 } 341 } 342 w = work1.long1; 343 for (lp = (uint32_t *)&longtab[0], i = 32; i < 64; i++) { 344 if (w & *lp++) { 345 pbit = IPtab[i]; 346 if (pbit < 32) 347 l0 |= longtab[pbit]; 348 else 349 l1 |= longtab[pbit-32]; 350 } 351 } 352 work2.long0 = l0; 353 work2.long1 = l1; 354 } 355 356 /* 357 * Expand 8 bits of 32 bit R to 48 bit R 358 */ 359 #define do_R_to_ER(op, b) { \ 360 const struct R_to_ER *p = &R_to_ER_tab[b][R.byte##b]; \ 361 e0 op p->l0; \ 362 e1 op p->l1; \ 363 } 364 365 /* 366 * Inner part of the algorithm: 367 * Expand R from 32 to 48 bits; xor key value; 368 * apply S boxes; permute 32 bits of output 369 */ 370 /* BEGIN CSTYLED */ 371 #define do_F(iter, inR, outR) { \ 372 chunk_t R, ER; \ 373 uint32_t e0, e1; \ 374 R.long0 = inR; \ 375 do_R_to_ER(=, 0); \ 376 do_R_to_ER(|=, 1); \ 377 do_R_to_ER(|=, 2); \ 378 do_R_to_ER(|=, 3); \ 379 ER.long0 = e0 ^ kd->keyval[iter].long0; \ 380 ER.long1 = e1 ^ kd->keyval[iter].long1; \ 381 R.long0 = \ 382 S_tab[0][ER.byte0] + \ 383 S_tab[1][ER.byte1] + \ 384 S_tab[2][ER.byte2] + \ 385 S_tab[3][ER.byte3] + \ 386 S_tab[4][ER.byte4] + \ 387 S_tab[5][ER.byte5] + \ 388 S_tab[6][ER.byte6] + \ 389 S_tab[7][ER.byte7]; \ 390 outR = \ 391 P_tab[0][R.byte0] + \ 392 P_tab[1][R.byte1] + \ 393 P_tab[2][R.byte2] + \ 394 P_tab[3][R.byte3]; \ 395 } 396 /* END CSTYLED */ 397 398 /* 399 * Do a cipher step 400 * Apply inner part; do xor and exchange of 32 bit parts 401 */ 402 #define cipher(iter, inR, inL, outR, outL) { \ 403 do_F(iter, inR, outR); \ 404 outR ^= inL; \ 405 outL = inR; \ 406 } 407 408 /* 409 * Apply the 16 ciphering steps 410 */ 411 { 412 uint32_t r0, l0, r1, l1; 413 414 l0 = work2.long0; 415 r0 = work2.long1; 416 cipher(0, r0, l0, r1, l1); 417 cipher(1, r1, l1, r0, l0); 418 cipher(2, r0, l0, r1, l1); 419 cipher(3, r1, l1, r0, l0); 420 cipher(4, r0, l0, r1, l1); 421 cipher(5, r1, l1, r0, l0); 422 cipher(6, r0, l0, r1, l1); 423 cipher(7, r1, l1, r0, l0); 424 cipher(8, r0, l0, r1, l1); 425 cipher(9, r1, l1, r0, l0); 426 cipher(10, r0, l0, r1, l1); 427 cipher(11, r1, l1, r0, l0); 428 cipher(12, r0, l0, r1, l1); 429 cipher(13, r1, l1, r0, l0); 430 cipher(14, r0, l0, r1, l1); 431 cipher(15, r1, l1, r0, l0); 432 work1.long0 = r0; 433 work1.long1 = l0; 434 } 435 436 /* 437 * Final permutation 438 * and chunk to byte conversion 439 */ 440 { 441 uint32_t *lp; 442 uint32_t l0, l1, w; 443 short i, pbit; 444 445 l0 = l1 = 0; 446 w = work1.long0; 447 for (lp = (uint32_t *)&longtab[0], i = 0; i < 32; i++) { 448 if (w & *lp++) { 449 pbit = FPtab[i]; 450 if (pbit < 32) 451 l0 |= longtab[pbit]; 452 else 453 l1 |= longtab[pbit-32]; 454 } 455 } 456 w = work1.long1; 457 for (lp = (uint32_t *)&longtab[0], i = 32; i < 64; i++) { 458 if (w & *lp++) { 459 pbit = FPtab[i]; 460 if (pbit < 32) 461 l0 |= longtab[pbit]; 462 else 463 l1 |= longtab[pbit-32]; 464 } 465 } 466 work2.long0 = l0; 467 work2.long1 = l1; 468 } 469 data[0] = work2.byte0; 470 data[1] = work2.byte1; 471 data[2] = work2.byte2; 472 data[3] = work2.byte3; 473 data[4] = work2.byte4; 474 data[5] = work2.byte5; 475 data[6] = work2.byte6; 476 data[7] = work2.byte7; 477 478 /* EXPORT DELETE END */ 479 return (1); 480 } 481