xref: /titanic_51/usr/src/lib/libnsl/des/des_soft.c (revision 8eea8e29cc4374d1ee24c25a07f45af132db3499)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License, Version 1.0 only
6  * (the "License").  You may not use this file except in compliance
7  * with the License.
8  *
9  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10  * or http://www.opensolaris.org/os/licensing.
11  * See the License for the specific language governing permissions
12  * and limitations under the License.
13  *
14  * When distributing Covered Code, include this CDDL HEADER in each
15  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16  * If applicable, add the following below this CDDL HEADER, with the
17  * fields enclosed by brackets "[]" replaced with your own identifying
18  * information: Portions Copyright [yyyy] [name of copyright owner]
19  *
20  * CDDL HEADER END
21  */
22 /*
23  * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 /* Copyright (c) 1984, 1986, 1987, 1988, 1989 AT&T */
28 /* All Rights Reserved */
29 
30 /*
31  * Portions of this source code were derived from Berkeley 4.3 BSD
32  * under license from the Regents of the University of California.
33  */
34 
35 #pragma ident	"%Z%%M%	%I%	%E% SMI"
36 
37 /*
38  * Warning!  Things are arranged very carefully in this file to
39  * allow read-only data to be moved to the text segment.  The
40  * various DES tables must appear before any function definitions
41  * (this is arranged by including them immediately below) and partab
42  * must also appear before and function definitions
43  * This arrangement allows all data up through the first text to
44  * be moved to text.
45  */
46 
47 #include <sys/types.h>
48 #include <rpc/trace.h>
49 #include <des/softdes.h>
50 #include <des/desdata.h>
51 #ifdef sun
52 #include <sys/ioctl.h>
53 #include <sys/des.h>
54 #else
55 #include <des/des.h>
56 #endif
57 #include <rpcsvc/nis_dhext.h>
58 
59 /*
60  * Fast (?) software implementation of DES
61  * Has been seen going at 2000 bytes/sec on a Sun-2
62  * Works on a VAX too.
63  * Won't work without 8 bit chars and 32 bit longs
64  */
65 
66 #define	btst(k, b)	(k[b >> 3] & (0x80 >> (b & 07)))
67 #define	BIT28	(1<<28)
68 
69 static int	__des_encrypt(u_char *, struct deskeydata *);
70 static int	__des_setkey(u_char[8], struct deskeydata *, unsigned);
71 
72 
73 /*
74  * Table giving odd parity in the low bit for ASCII characters
75  */
76 const char partab[128] = {
77 	0x01, 0x01, 0x02, 0x02, 0x04, 0x04, 0x07, 0x07,
78 	0x08, 0x08, 0x0b, 0x0b, 0x0d, 0x0d, 0x0e, 0x0e,
79 	0x10, 0x10, 0x13, 0x13, 0x15, 0x15, 0x16, 0x16,
80 	0x19, 0x19, 0x1a, 0x1a, 0x1c, 0x1c, 0x1f, 0x1f,
81 	0x20, 0x20, 0x23, 0x23, 0x25, 0x25, 0x26, 0x26,
82 	0x29, 0x29, 0x2a, 0x2a, 0x2c, 0x2c, 0x2f, 0x2f,
83 	0x31, 0x31, 0x32, 0x32, 0x34, 0x34, 0x37, 0x37,
84 	0x38, 0x38, 0x3b, 0x3b, 0x3d, 0x3d, 0x3e, 0x3e,
85 	0x40, 0x40, 0x43, 0x43, 0x45, 0x45, 0x46, 0x46,
86 	0x49, 0x49, 0x4a, 0x4a, 0x4c, 0x4c, 0x4f, 0x4f,
87 	0x51, 0x51, 0x52, 0x52, 0x54, 0x54, 0x57, 0x57,
88 	0x58, 0x58, 0x5b, 0x5b, 0x5d, 0x5d, 0x5e, 0x5e,
89 	0x61, 0x61, 0x62, 0x62, 0x64, 0x64, 0x67, 0x67,
90 	0x68, 0x68, 0x6b, 0x6b, 0x6d, 0x6d, 0x6e, 0x6e,
91 	0x70, 0x70, 0x73, 0x73, 0x75, 0x75, 0x76, 0x76,
92 	0x79, 0x79, 0x7a, 0x7a, 0x7c, 0x7c, 0x7f, 0x7f,
93 };
94 
95 /*
96  * Add odd parity to low bit of 8 byte key
97  */
98 void
99 des_setparity(p)
100 	char *p;
101 {
102 	int i;
103 
104 	trace1(TR_des_setparity, 0);
105 	for (i = 0; i < 8; i++) {
106 		*p = partab[*p & 0x7f];
107 		p++;
108 	}
109 	trace1(TR_des_setparity, 1);
110 }
111 
112 static const unsigned char partab_g[256] = {
113 	0x01, 0x01, 0x02, 0x02, 0x04, 0x04, 0x07, 0x07,
114 	0x08, 0x08, 0x0b, 0x0b, 0x0d, 0x0d, 0x0e, 0x0e,
115 	0x10, 0x10, 0x13, 0x13, 0x15, 0x15, 0x16, 0x16,
116 	0x19, 0x19, 0x1a, 0x1a, 0x1c, 0x1c, 0x1f, 0x1f,
117 	0x20, 0x20, 0x23, 0x23, 0x25, 0x25, 0x26, 0x26,
118 	0x29, 0x29, 0x2a, 0x2a, 0x2c, 0x2c, 0x2f, 0x2f,
119 	0x31, 0x31, 0x32, 0x32, 0x34, 0x34, 0x37, 0x37,
120 	0x38, 0x38, 0x3b, 0x3b, 0x3d, 0x3d, 0x3e, 0x3e,
121 	0x40, 0x40, 0x43, 0x43, 0x45, 0x45, 0x46, 0x46,
122 	0x49, 0x49, 0x4a, 0x4a, 0x4c, 0x4c, 0x4f, 0x4f,
123 	0x51, 0x51, 0x52, 0x52, 0x54, 0x54, 0x57, 0x57,
124 	0x58, 0x58, 0x5b, 0x5b, 0x5d, 0x5d, 0x5e, 0x5e,
125 	0x61, 0x61, 0x62, 0x62, 0x64, 0x64, 0x67, 0x67,
126 	0x68, 0x68, 0x6b, 0x6b, 0x6d, 0x6d, 0x6e, 0x6e,
127 	0x70, 0x70, 0x73, 0x73, 0x75, 0x75, 0x76, 0x76,
128 	0x79, 0x79, 0x7a, 0x7a, 0x7c, 0x7c, 0x7f, 0x7f,
129 	0x80, 0x80, 0x83, 0x83, 0x85, 0x85, 0x86, 0x86,
130 	0x89, 0x89, 0x8a, 0x8a, 0x8c, 0x8c, 0x8f, 0x8f,
131 	0x91, 0x91, 0x92, 0x92, 0x94, 0x94, 0x97, 0x97,
132 	0x98, 0x98, 0x9b, 0x9b, 0x9d, 0x9d, 0x9e, 0x9e,
133 	0xa1, 0xa1, 0xa2, 0xa2, 0xa4, 0xa4, 0xa7, 0xa7,
134 	0xa8, 0xa8, 0xab, 0xab, 0xad, 0xad, 0xae, 0xae,
135 	0xb0, 0xb0, 0xb3, 0xb3, 0xb5, 0xb5, 0xb6, 0xb6,
136 	0xb9, 0xb9, 0xba, 0xba, 0xbc, 0xbc, 0xbf, 0xbf,
137 	0xc1, 0xc1, 0xc2, 0xc2, 0xc4, 0xc4, 0xc7, 0xc7,
138 	0xc8, 0xc8, 0xcb, 0xcb, 0xcd, 0xcd, 0xce, 0xce,
139 	0xd0, 0xd0, 0xd3, 0xd3, 0xd5, 0xd5, 0xd6, 0xd6,
140 	0xd9, 0xd9, 0xda, 0xda, 0xdc, 0xdc, 0xdf, 0xdf,
141 	0xe0, 0xe0, 0xe3, 0xe3, 0xe5, 0xe5, 0xe6, 0xe6,
142 	0xe9, 0xe9, 0xea, 0xea, 0xec, 0xec, 0xef, 0xef,
143 	0xf1, 0xf1, 0xf2, 0xf2, 0xf4, 0xf4, 0xf7, 0xf7,
144 	0xf8, 0xf8, 0xfb, 0xfb, 0xfd, 0xfd, 0xfe, 0xfe
145 };
146 
147 /*
148  * A corrected version of des_setparity (see bug 1149767).
149  */
150 void
151 des_setparity_g(des_block *p)
152 {
153 	int i;
154 
155 	trace1(TR_des_setparity_g, 0);
156 	for (i = 0; i < 8; i++) {
157 		(*p).c[i] = partab_g[(*p).c[i]];
158 	}
159 	trace1(TR_des_setparity_g, 1);
160 }
161 
162 /*
163  * Software encrypt or decrypt a block of data (multiple of 8 bytes)
164  * Do the CBC ourselves if needed.
165  */
166 int
167 __des_crypt(buf, len, desp)
168 	register char *buf;
169 	register unsigned len;
170 	struct desparams *desp;
171 {
172 /* EXPORT DELETE START */
173 	register short i;
174 	register unsigned mode;
175 	register unsigned dir;
176 	char nextiv[8];
177 	struct deskeydata softkey;
178 
179 	trace2(TR___des_crypt, 0, len);
180 	mode = (unsigned) desp->des_mode;
181 	dir = (unsigned) desp->des_dir;
182 	__des_setkey(desp->des_key, &softkey, dir);
183 	while (len != 0) {
184 		switch (mode) {
185 		case CBC:
186 			switch (dir) {
187 			case ENCRYPT:
188 				for (i = 0; i < 8; i++)
189 					buf[i] ^= desp->des_ivec[i];
190 				__des_encrypt((u_char *)buf, &softkey);
191 				for (i = 0; i < 8; i++)
192 					desp->des_ivec[i] = buf[i];
193 				break;
194 			case DECRYPT:
195 				for (i = 0; i < 8; i++)
196 					nextiv[i] = buf[i];
197 				__des_encrypt((u_char *)buf, &softkey);
198 				for (i = 0; i < 8; i++) {
199 					buf[i] ^= desp->des_ivec[i];
200 					desp->des_ivec[i] = nextiv[i];
201 				}
202 				break;
203 			}
204 			break;
205 		case ECB:
206 			__des_encrypt((u_char *)buf, &softkey);
207 			break;
208 		}
209 		buf += 8;
210 		len -= 8;
211 	}
212 	trace2(TR___des_crypt, 1, len);
213 /* EXPORT DELETE END */
214 	return (1);
215 }
216 
217 
218 /*
219  * Set the key and direction for an encryption operation
220  * We build the 16 key entries here
221  */
222 static int
223 __des_setkey(userkey, kd, dir)
224 	u_char userkey[8];
225 	register struct deskeydata *kd;
226 	unsigned dir;
227 {
228 /* EXPORT DELETE START */
229 	int32_t C, D;
230 	register short i;
231 
232 	trace2(TR___des_setkey, 0, dir);
233 	/*
234 	 * First, generate C and D by permuting
235 	 * the key. The low order bit of each
236 	 * 8-bit char is not used, so C and D are only 28
237 	 * bits apiece.
238 	 */
239 	{
240 		register short bit;
241 		register const short *pcc = PC1_C, *pcd = PC1_D;
242 
243 		C = D = 0;
244 		for (i = 0; i < 28; i++) {
245 			C <<= 1;
246 			D <<= 1;
247 			bit = *pcc++;
248 			if (btst(userkey, bit))
249 				C |= 1;
250 			bit = *pcd++;
251 			if (btst(userkey, bit))
252 				D |= 1;
253 		}
254 	}
255 	/*
256 	 * To generate Ki, rotate C and D according
257 	 * to schedule and pick up a permutation
258 	 * using PC2.
259 	 */
260 	for (i = 0; i < 16; i++) {
261 		register chunk_t *c;
262 		register short j, k, bit;
263 		uint32_t bbit;
264 
265 		/*
266 		 * Do the "left shift" (rotate)
267 		 * We know we always rotate by either 1 or 2 bits
268 		 * the shifts table tells us if its 2
269 		 */
270 		C <<= 1;
271 		if (C & BIT28)
272 			C |= 1;
273 		D <<= 1;
274 		if (D & BIT28)
275 			D |= 1;
276 		if (shifts[i]) {
277 			C <<= 1;
278 			if (C & BIT28)
279 				C |= 1;
280 			D <<= 1;
281 			if (D & BIT28)
282 				D |= 1;
283 		}
284 		/*
285 		 * get Ki. Note C and D are concatenated.
286 		 */
287 		bit = 0;
288 		switch (dir) {
289 		case ENCRYPT:
290 			c = &kd->keyval[i]; break;
291 		case DECRYPT:
292 			c = &kd->keyval[15 - i]; break;
293 		}
294 		c->long0 = 0;
295 		c->long1 = 0;
296 		bbit = (1 << 5) << 24;
297 		for (j = 0; j < 4; j++) {
298 			for (k = 0; k < 6; k++) {
299 				if (C & (BIT28 >> PC2_C[bit]))
300 					c->long0 |= bbit >> k;
301 				if (D & (BIT28 >> PC2_D[bit]))
302 					c->long1 |= bbit >> k;
303 				bit++;
304 			}
305 			bbit >>= 8;
306 		}
307 
308 	}
309 	trace2(TR___des_setkey, 1, dir);
310 /* EXPORT DELETE END */
311 	return (1);
312 }
313 
314 
315 
316 /*
317  * Do an encryption operation
318  * Much pain is taken (with preprocessor) to avoid loops so the compiler
319  * can do address arithmetic instead of doing it at runtime.
320  * Note that the byte-to-chunk conversion is necessary to guarantee
321  * processor byte-order independence.
322  */
323 static int
324 __des_encrypt(data, kd)
325 	register u_char *data;
326 	register struct deskeydata *kd;
327 {
328 /* EXPORT DELETE START */
329 	chunk_t work1, work2;
330 
331 	trace1(TR___des_encrypt, 0);
332 	/*
333 	 * Initial permutation
334 	 * and byte to chunk conversion
335 	 */
336 	{
337 		const uint32_t *lp;
338 		uint32_t l0, l1, w;
339 		register short i, pbit;
340 
341 		work1.byte0 = data[0];
342 		work1.byte1 = data[1];
343 		work1.byte2 = data[2];
344 		work1.byte3 = data[3];
345 		work1.byte4 = data[4];
346 		work1.byte5 = data[5];
347 		work1.byte6 = data[6];
348 		work1.byte7 = data[7];
349 		l0 = l1 = 0;
350 		w = work1.long0;
351 		for (lp = (uint32_t *)&longtab[0], i = 0; i < 32; i++) {
352 			if (w & *lp++) {
353 				pbit = IPtab[i];
354 				if (pbit < 32)
355 					l0 |= longtab[pbit];
356 				else
357 					l1 |= longtab[pbit-32];
358 			}
359 		}
360 		w = work1.long1;
361 		for (lp = (uint32_t *)&longtab[0], i = 32; i < 64; i++) {
362 			if (w & *lp++) {
363 				pbit = IPtab[i];
364 				if (pbit < 32)
365 					l0 |= longtab[pbit];
366 				else
367 					l1 |= longtab[pbit-32];
368 			}
369 		}
370 		work2.long0 = l0;
371 		work2.long1 = l1;
372 	}
373 
374 /*
375  * Expand 8 bits of 32 bit R to 48 bit R
376  */
377 #define	do_R_to_ER(op, b)	{			\
378 	register const struct R_to_ER *p = &R_to_ER_tab[b][R.byte##b];	\
379 	e0 op p->l0;				\
380 	e1 op p->l1;				\
381 }
382 
383 /*
384  * Inner part of the algorithm:
385  * Expand R from 32 to 48 bits; xor key value;
386  * apply S boxes; permute 32 bits of output
387  */
388 #define	do_F(iter, inR, outR) 	{			\
389 	chunk_t R, ER;					\
390 	uint32_t e0, e1;				\
391 	R.long0 = inR;					\
392 	do_R_to_ER(=, 0);				\
393 	do_R_to_ER(|=, 1);				\
394 	do_R_to_ER(|=, 2);				\
395 	do_R_to_ER(|=, 3);				\
396 	ER.long0 = e0 ^ kd->keyval[iter].long0;		\
397 	ER.long1 = e1 ^ kd->keyval[iter].long1;		\
398 	R.long0 =					\
399 		S_tab[0][ER.byte0] +			\
400 		S_tab[1][ER.byte1] +			\
401 		S_tab[2][ER.byte2] +			\
402 		S_tab[3][ER.byte3] +			\
403 		S_tab[4][ER.byte4] +			\
404 		S_tab[5][ER.byte5] +			\
405 		S_tab[6][ER.byte6] +			\
406 		S_tab[7][ER.byte7]; 			\
407 	outR =						\
408 		P_tab[0][R.byte0] +			\
409 		P_tab[1][R.byte1] +			\
410 		P_tab[2][R.byte2] +			\
411 		P_tab[3][R.byte3]; 			\
412 }
413 
414 /*
415  * Do a cipher step
416  * Apply inner part; do xor and exchange of 32 bit parts
417  */
418 #define	cipher(iter, inR, inL, outR, outL)	{	\
419 	do_F(iter, inR, outR);				\
420 	outR ^= inL;					\
421 	outL = inR;					\
422 }
423 
424 	/*
425 	 * Apply the 16 ciphering steps
426 	 */
427 	{
428 		uint32_t r0, l0, r1, l1;
429 
430 		l0 = work2.long0;
431 		r0 = work2.long1;
432 		cipher(0, r0, l0, r1, l1);
433 		cipher(1, r1, l1, r0, l0);
434 		cipher(2, r0, l0, r1, l1);
435 		cipher(3, r1, l1, r0, l0);
436 		cipher(4, r0, l0, r1, l1);
437 		cipher(5, r1, l1, r0, l0);
438 		cipher(6, r0, l0, r1, l1);
439 		cipher(7, r1, l1, r0, l0);
440 		cipher(8, r0, l0, r1, l1);
441 		cipher(9, r1, l1, r0, l0);
442 		cipher(10, r0, l0, r1, l1);
443 		cipher(11, r1, l1, r0, l0);
444 		cipher(12, r0, l0, r1, l1);
445 		cipher(13, r1, l1, r0, l0);
446 		cipher(14, r0, l0, r1, l1);
447 		cipher(15, r1, l1, r0, l0);
448 		work1.long0 = r0;
449 		work1.long1 = l0;
450 	}
451 
452 	/*
453 	 * Final permutation
454 	 * and chunk to byte conversion
455 	 */
456 	{
457 		uint32_t *lp;
458 		uint32_t l0, l1, w;
459 		register short i, pbit;
460 
461 		l0 = l1 = 0;
462 		w = work1.long0;
463 		for (lp = (uint32_t *)&longtab[0], i = 0; i < 32; i++) {
464 			if (w & *lp++) {
465 				pbit = FPtab[i];
466 				if (pbit < 32)
467 					l0 |= longtab[pbit];
468 				else
469 					l1 |= longtab[pbit-32];
470 			}
471 		}
472 		w = work1.long1;
473 		for (lp = (uint32_t *)&longtab[0], i = 32; i < 64; i++) {
474 			if (w & *lp++) {
475 				pbit = FPtab[i];
476 				if (pbit < 32)
477 					l0 |= longtab[pbit];
478 				else
479 					l1 |= longtab[pbit-32];
480 			}
481 		}
482 		work2.long0 = l0;
483 		work2.long1 = l1;
484 	}
485 	data[0] = work2.byte0;
486 	data[1] = work2.byte1;
487 	data[2] = work2.byte2;
488 	data[3] = work2.byte3;
489 	data[4] = work2.byte4;
490 	data[5] = work2.byte5;
491 	data[6] = work2.byte6;
492 	data[7] = work2.byte7;
493 
494 	trace1(TR___des_encrypt, 1);
495 /* EXPORT DELETE END */
496 	return (1);
497 }
498