1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License, Version 1.0 only 6 * (the "License"). You may not use this file except in compliance 7 * with the License. 8 * 9 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 10 * or http://www.opensolaris.org/os/licensing. 11 * See the License for the specific language governing permissions 12 * and limitations under the License. 13 * 14 * When distributing Covered Code, include this CDDL HEADER in each 15 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 16 * If applicable, add the following below this CDDL HEADER, with the 17 * fields enclosed by brackets "[]" replaced with your own identifying 18 * information: Portions Copyright [yyyy] [name of copyright owner] 19 * 20 * CDDL HEADER END 21 * 22 * Copyright 1989 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 /* Copyright (c) 1983, 1984, 1985, 1986, 1987, 1988, 1989 AT&T */ 27 /* All Rights Reserved */ 28 29 /* 30 * Portions of this source code were derived from Berkeley 4.3 BSD 31 * under license from the Regents of the University of California. 32 */ 33 34 #ident "%Z%%M% %I% %E% SMI" 35 36 /* 37 * Warning! Things are arranged very carefully in this file to 38 * allow read-only data to be moved to the text segment. The 39 * various DES tables must appear before any function definitions 40 * (this is arranged by including them immediately below) and partab 41 * must also appear before and function definitions 42 * This arrangement allows all data up through the first text to 43 * be moved to text. 44 */ 45 46 /* 47 * Fast (?) software implementation of DES 48 * Has been seen going at 2000 bytes/sec on a Sun-2 49 * Works on a VAX too. 50 * Won't work without 8 bit chars and 32 bit longs 51 */ 52 53 #include <sys/types.h> 54 #include <des/des.h> 55 #include <des/softdes.h> 56 #include <des/desdata.h> 57 #include <sys/debug.h> 58 59 static void des_setkey(u_char userkey[8], struct deskeydata *kd, 60 unsigned int dir); 61 static void des_encrypt(u_char *data, struct deskeydata *kd); 62 63 /* EXPORT DELETE START */ 64 #define btst(k, b) (k[b >> 3] & (0x80 >> (b & 07))) 65 #define BIT28 (1<<28) 66 /* EXPORT DELETE END */ 67 68 /* 69 * Software encrypt or decrypt a block of data (multiple of 8 bytes) 70 * Do the CBC ourselves if needed. 71 */ 72 /* ARGSUSED */ 73 int 74 _des_crypt(char *buf, size_t len, struct desparams *desp) 75 { 76 /* EXPORT DELETE START */ 77 short i; 78 uint_t mode; 79 uint_t dir; 80 char nextiv[8]; 81 struct deskeydata softkey; 82 83 mode = desp->des_mode; 84 dir = desp->des_dir; 85 des_setkey(desp->des_key, &softkey, dir); 86 while (len != 0) { 87 switch (mode) { 88 case CBC: 89 switch (dir) { 90 case ENCRYPT: 91 for (i = 0; i < 8; i++) 92 buf[i] ^= desp->des_ivec[i]; 93 des_encrypt((u_char *)buf, &softkey); 94 for (i = 0; i < 8; i++) 95 desp->des_ivec[i] = buf[i]; 96 break; 97 case DECRYPT: 98 for (i = 0; i < 8; i++) 99 nextiv[i] = buf[i]; 100 des_encrypt((u_char *)buf, &softkey); 101 for (i = 0; i < 8; i++) { 102 buf[i] ^= desp->des_ivec[i]; 103 desp->des_ivec[i] = nextiv[i]; 104 } 105 break; 106 } 107 break; 108 case ECB: 109 des_encrypt((u_char *)buf, &softkey); 110 break; 111 } 112 buf += 8; 113 len -= 8; 114 } 115 /* EXPORT DELETE END */ 116 return (1); 117 } 118 119 120 /* 121 * Set the key and direction for an encryption operation 122 * We build the 16 key entries here 123 */ 124 /* ARGSUSED */ 125 static void 126 des_setkey(u_char userkey[8], struct deskeydata *kd, unsigned int dir) 127 { 128 /* EXPORT DELETE START */ 129 int32_t C, D; 130 short i; 131 132 /* 133 * First, generate C and D by permuting 134 * the key. The low order bit of each 135 * 8-bit char is not used, so C and D are only 28 136 * bits apiece. 137 */ 138 { 139 short bit; 140 short *pcc = (short *)PC1_C, *pcd = (short *)PC1_D; 141 142 C = D = 0; 143 for (i = 0; i < 28; i++) { 144 C <<= 1; 145 D <<= 1; 146 bit = *pcc++; 147 if (btst(userkey, bit)) 148 C |= 1; 149 bit = *pcd++; 150 if (btst(userkey, bit)) 151 D |= 1; 152 } 153 } 154 /* 155 * To generate Ki, rotate C and D according 156 * to schedule and pick up a permutation 157 * using PC2. 158 */ 159 for (i = 0; i < 16; i++) { 160 chunk_t *c; 161 short j, k, bit; 162 int bbit; 163 164 /* 165 * Do the "left shift" (rotate) 166 * We know we always rotate by either 1 or 2 bits 167 * the shifts table tells us if its 2 168 */ 169 C <<= 1; 170 if (C & BIT28) 171 C |= 1; 172 D <<= 1; 173 if (D & BIT28) 174 D |= 1; 175 if (shifts[i]) { 176 C <<= 1; 177 if (C & BIT28) 178 C |= 1; 179 D <<= 1; 180 if (D & BIT28) 181 D |= 1; 182 } 183 /* 184 * get Ki. Note C and D are concatenated. 185 */ 186 bit = 0; 187 switch (dir) { 188 case ENCRYPT: 189 c = &kd->keyval[i]; 190 break; 191 case DECRYPT: 192 c = &kd->keyval[15 - i]; 193 break; 194 } 195 c->long0 = 0; 196 c->long1 = 0; 197 bbit = (1 << 5) << 24; 198 for (j = 0; j < 4; j++) { 199 for (k = 0; k < 6; k++) { 200 if (C & (BIT28 >> PC2_C[bit])) 201 c->long0 |= bbit >> k; 202 if (D & (BIT28 >> PC2_D[bit])) 203 c->long1 |= bbit >> k; 204 bit++; 205 } 206 bbit >>= 8; 207 } 208 } 209 /* EXPORT DELETE END */ 210 } 211 212 213 214 /* 215 * Do an encryption operation 216 * Much pain is taken (with preprocessor) to avoid loops so the compiler 217 * can do address arithmetic instead of doing it at runtime. 218 * Note that the byte-to-chunk conversion is necessary to guarantee 219 * processor byte-order independence. 220 */ 221 /* ARGSUSED */ 222 static void 223 des_encrypt(u_char *data, struct deskeydata *kd) 224 { 225 /* EXPORT DELETE START */ 226 chunk_t work1, work2; 227 228 /* 229 * Initial permutation 230 * and byte to chunk conversion 231 */ 232 { 233 const uint32_t *lp; 234 uint32_t l0, l1, w; 235 short i, pbit; 236 237 work1.byte0 = data[0]; 238 work1.byte1 = data[1]; 239 work1.byte2 = data[2]; 240 work1.byte3 = data[3]; 241 work1.byte4 = data[4]; 242 work1.byte5 = data[5]; 243 work1.byte6 = data[6]; 244 work1.byte7 = data[7]; 245 l0 = l1 = 0; 246 w = work1.long0; 247 for (lp = &longtab[0], i = 0; i < 32; i++) { 248 if (w & *lp++) { 249 pbit = IPtab[i]; 250 if (pbit < 32) 251 l0 |= longtab[pbit]; 252 else 253 l1 |= longtab[pbit-32]; 254 } 255 } 256 w = work1.long1; 257 for (lp = &longtab[0], i = 32; i < 64; i++) { 258 if (w & *lp++) { 259 pbit = IPtab[i]; 260 if (pbit < 32) 261 l0 |= longtab[pbit]; 262 else 263 l1 |= longtab[pbit-32]; 264 } 265 } 266 work2.long0 = l0; 267 work2.long1 = l1; 268 } 269 270 /* 271 * Expand 8 bits of 32 bit R to 48 bit R 272 */ 273 #ifdef __STDC__ 274 #define do_R_to_ER(op, b) { \ 275 struct R_to_ER *p = \ 276 (struct R_to_ER *)&R_to_ER_tab[b][R.byte##b]; \ 277 e0 op p->l0; \ 278 e1 op p->l1; \ 279 } 280 #else 281 #define do_R_to_ER(op, b) { \ 282 /*CSTYLED*/ \ 283 struct R_to_ER *p = &R_to_ER_tab[b][R.byte/**/b]; \ 284 e0 op p->l0; \ 285 e1 op p->l1; \ 286 } 287 #endif 288 289 /* 290 * Inner part of the algorithm: 291 * Expand R from 32 to 48 bits; xor key value; 292 * apply S boxes; permute 32 bits of output 293 */ 294 #define do_F(iter, inR, outR) { \ 295 chunk_t R, ER; \ 296 u_int e0, e1; \ 297 R.long0 = inR; \ 298 /*CSTYLED*/ \ 299 do_R_to_ER(=,0); \ 300 /*CSTYLED*/ \ 301 do_R_to_ER(|=,1); \ 302 /*CSTYLED*/ \ 303 do_R_to_ER(|=,2); \ 304 /*CSTYLED*/ \ 305 do_R_to_ER(|=,3); \ 306 ER.long0 = e0 ^ kd->keyval[iter].long0; \ 307 ER.long1 = e1 ^ kd->keyval[iter].long1; \ 308 R.long0 = \ 309 S_tab[0][ER.byte0] + \ 310 S_tab[1][ER.byte1] + \ 311 S_tab[2][ER.byte2] + \ 312 S_tab[3][ER.byte3] + \ 313 S_tab[4][ER.byte4] + \ 314 S_tab[5][ER.byte5] + \ 315 S_tab[6][ER.byte6] + \ 316 S_tab[7][ER.byte7]; \ 317 outR = \ 318 P_tab[0][R.byte0] + \ 319 P_tab[1][R.byte1] + \ 320 P_tab[2][R.byte2] + \ 321 P_tab[3][R.byte3]; \ 322 } 323 324 /* 325 * Do a cipher step 326 * Apply inner part; do xor and exchange of 32 bit parts 327 */ 328 #define cipher(iter, inR, inL, outR, outL) { \ 329 do_F(iter, inR, outR); \ 330 outR ^= inL; \ 331 outL = inR; \ 332 } 333 334 /* 335 * Apply the 16 ciphering steps 336 */ 337 { 338 u_int r0, l0, r1, l1; 339 340 l0 = work2.long0; 341 r0 = work2.long1; 342 cipher(0, r0, l0, r1, l1); 343 cipher(1, r1, l1, r0, l0); 344 cipher(2, r0, l0, r1, l1); 345 cipher(3, r1, l1, r0, l0); 346 cipher(4, r0, l0, r1, l1); 347 cipher(5, r1, l1, r0, l0); 348 cipher(6, r0, l0, r1, l1); 349 cipher(7, r1, l1, r0, l0); 350 cipher(8, r0, l0, r1, l1); 351 cipher(9, r1, l1, r0, l0); 352 cipher(10, r0, l0, r1, l1); 353 cipher(11, r1, l1, r0, l0); 354 cipher(12, r0, l0, r1, l1); 355 cipher(13, r1, l1, r0, l0); 356 cipher(14, r0, l0, r1, l1); 357 cipher(15, r1, l1, r0, l0); 358 work1.long0 = r0; 359 work1.long1 = l0; 360 } 361 362 /* 363 * Final permutation 364 * and chunk to byte conversion 365 */ 366 { 367 const uint32_t *lp; 368 uint32_t l0, l1, w; 369 short i, pbit; 370 371 l0 = l1 = 0; 372 w = work1.long0; 373 for (lp = &longtab[0], i = 0; i < 32; i++) { 374 if (w & *lp++) { 375 pbit = FPtab[i]; 376 if (pbit < 32) 377 l0 |= longtab[pbit]; 378 else 379 l1 |= longtab[pbit-32]; 380 } 381 } 382 w = work1.long1; 383 for (lp = &longtab[0], i = 32; i < 64; i++) { 384 if (w & *lp++) { 385 pbit = FPtab[i]; 386 if (pbit < 32) 387 l0 |= longtab[pbit]; 388 else 389 l1 |= longtab[pbit-32]; 390 } 391 } 392 work2.long0 = l0; 393 work2.long1 = l1; 394 } 395 data[0] = work2.byte0; 396 data[1] = work2.byte1; 397 data[2] = work2.byte2; 398 data[3] = work2.byte3; 399 data[4] = work2.byte4; 400 data[5] = work2.byte5; 401 data[6] = work2.byte6; 402 data[7] = work2.byte7; 403 /* EXPORT DELETE END */ 404 } 405