1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License, Version 1.0 only 6 * (the "License"). You may not use this file except in compliance 7 * with the License. 8 * 9 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 10 * or http://www.opensolaris.org/os/licensing. 11 * See the License for the specific language governing permissions 12 * and limitations under the License. 13 * 14 * When distributing Covered Code, include this CDDL HEADER in each 15 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 16 * If applicable, add the following below this CDDL HEADER, with the 17 * fields enclosed by brackets "[]" replaced with your own identifying 18 * information: Portions Copyright [yyyy] [name of copyright owner] 19 * 20 * CDDL HEADER END 21 */ 22 /* 23 * Copyright 2005 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 */ 26 27 /* Copyright (c) 1984, 1986, 1987, 1988, 1989 AT&T */ 28 /* All Rights Reserved */ 29 30 /* 31 * Portions of this source code were derived from Berkeley 4.3 BSD 32 * under license from the Regents of the University of California. 33 */ 34 35 #pragma ident "%Z%%M% %I% %E% SMI" 36 37 /* 38 * Warning! Things are arranged very carefully in this file to 39 * allow read-only data to be moved to the text segment. The 40 * various DES tables must appear before any function definitions 41 * (this is arranged by including them immediately below) and partab 42 * must also appear before and function definitions 43 * This arrangement allows all data up through the first text to 44 * be moved to text. 45 */ 46 47 #include <sys/types.h> 48 #include <rpc/trace.h> 49 #include <des/softdes.h> 50 #include <des/desdata.h> 51 #ifdef sun 52 #include <sys/ioctl.h> 53 #include <sys/des.h> 54 #else 55 #include <des/des.h> 56 #endif 57 #include <rpcsvc/nis_dhext.h> 58 59 /* 60 * Fast (?) software implementation of DES 61 * Has been seen going at 2000 bytes/sec on a Sun-2 62 * Works on a VAX too. 63 * Won't work without 8 bit chars and 32 bit longs 64 */ 65 66 #define btst(k, b) (k[b >> 3] & (0x80 >> (b & 07))) 67 #define BIT28 (1<<28) 68 69 static int __des_encrypt(u_char *, struct deskeydata *); 70 static int __des_setkey(u_char[8], struct deskeydata *, unsigned); 71 72 73 /* 74 * Table giving odd parity in the low bit for ASCII characters 75 */ 76 const char partab[128] = { 77 0x01, 0x01, 0x02, 0x02, 0x04, 0x04, 0x07, 0x07, 78 0x08, 0x08, 0x0b, 0x0b, 0x0d, 0x0d, 0x0e, 0x0e, 79 0x10, 0x10, 0x13, 0x13, 0x15, 0x15, 0x16, 0x16, 80 0x19, 0x19, 0x1a, 0x1a, 0x1c, 0x1c, 0x1f, 0x1f, 81 0x20, 0x20, 0x23, 0x23, 0x25, 0x25, 0x26, 0x26, 82 0x29, 0x29, 0x2a, 0x2a, 0x2c, 0x2c, 0x2f, 0x2f, 83 0x31, 0x31, 0x32, 0x32, 0x34, 0x34, 0x37, 0x37, 84 0x38, 0x38, 0x3b, 0x3b, 0x3d, 0x3d, 0x3e, 0x3e, 85 0x40, 0x40, 0x43, 0x43, 0x45, 0x45, 0x46, 0x46, 86 0x49, 0x49, 0x4a, 0x4a, 0x4c, 0x4c, 0x4f, 0x4f, 87 0x51, 0x51, 0x52, 0x52, 0x54, 0x54, 0x57, 0x57, 88 0x58, 0x58, 0x5b, 0x5b, 0x5d, 0x5d, 0x5e, 0x5e, 89 0x61, 0x61, 0x62, 0x62, 0x64, 0x64, 0x67, 0x67, 90 0x68, 0x68, 0x6b, 0x6b, 0x6d, 0x6d, 0x6e, 0x6e, 91 0x70, 0x70, 0x73, 0x73, 0x75, 0x75, 0x76, 0x76, 92 0x79, 0x79, 0x7a, 0x7a, 0x7c, 0x7c, 0x7f, 0x7f, 93 }; 94 95 /* 96 * Add odd parity to low bit of 8 byte key 97 */ 98 void 99 des_setparity(p) 100 char *p; 101 { 102 int i; 103 104 trace1(TR_des_setparity, 0); 105 for (i = 0; i < 8; i++) { 106 *p = partab[*p & 0x7f]; 107 p++; 108 } 109 trace1(TR_des_setparity, 1); 110 } 111 112 static const unsigned char partab_g[256] = { 113 0x01, 0x01, 0x02, 0x02, 0x04, 0x04, 0x07, 0x07, 114 0x08, 0x08, 0x0b, 0x0b, 0x0d, 0x0d, 0x0e, 0x0e, 115 0x10, 0x10, 0x13, 0x13, 0x15, 0x15, 0x16, 0x16, 116 0x19, 0x19, 0x1a, 0x1a, 0x1c, 0x1c, 0x1f, 0x1f, 117 0x20, 0x20, 0x23, 0x23, 0x25, 0x25, 0x26, 0x26, 118 0x29, 0x29, 0x2a, 0x2a, 0x2c, 0x2c, 0x2f, 0x2f, 119 0x31, 0x31, 0x32, 0x32, 0x34, 0x34, 0x37, 0x37, 120 0x38, 0x38, 0x3b, 0x3b, 0x3d, 0x3d, 0x3e, 0x3e, 121 0x40, 0x40, 0x43, 0x43, 0x45, 0x45, 0x46, 0x46, 122 0x49, 0x49, 0x4a, 0x4a, 0x4c, 0x4c, 0x4f, 0x4f, 123 0x51, 0x51, 0x52, 0x52, 0x54, 0x54, 0x57, 0x57, 124 0x58, 0x58, 0x5b, 0x5b, 0x5d, 0x5d, 0x5e, 0x5e, 125 0x61, 0x61, 0x62, 0x62, 0x64, 0x64, 0x67, 0x67, 126 0x68, 0x68, 0x6b, 0x6b, 0x6d, 0x6d, 0x6e, 0x6e, 127 0x70, 0x70, 0x73, 0x73, 0x75, 0x75, 0x76, 0x76, 128 0x79, 0x79, 0x7a, 0x7a, 0x7c, 0x7c, 0x7f, 0x7f, 129 0x80, 0x80, 0x83, 0x83, 0x85, 0x85, 0x86, 0x86, 130 0x89, 0x89, 0x8a, 0x8a, 0x8c, 0x8c, 0x8f, 0x8f, 131 0x91, 0x91, 0x92, 0x92, 0x94, 0x94, 0x97, 0x97, 132 0x98, 0x98, 0x9b, 0x9b, 0x9d, 0x9d, 0x9e, 0x9e, 133 0xa1, 0xa1, 0xa2, 0xa2, 0xa4, 0xa4, 0xa7, 0xa7, 134 0xa8, 0xa8, 0xab, 0xab, 0xad, 0xad, 0xae, 0xae, 135 0xb0, 0xb0, 0xb3, 0xb3, 0xb5, 0xb5, 0xb6, 0xb6, 136 0xb9, 0xb9, 0xba, 0xba, 0xbc, 0xbc, 0xbf, 0xbf, 137 0xc1, 0xc1, 0xc2, 0xc2, 0xc4, 0xc4, 0xc7, 0xc7, 138 0xc8, 0xc8, 0xcb, 0xcb, 0xcd, 0xcd, 0xce, 0xce, 139 0xd0, 0xd0, 0xd3, 0xd3, 0xd5, 0xd5, 0xd6, 0xd6, 140 0xd9, 0xd9, 0xda, 0xda, 0xdc, 0xdc, 0xdf, 0xdf, 141 0xe0, 0xe0, 0xe3, 0xe3, 0xe5, 0xe5, 0xe6, 0xe6, 142 0xe9, 0xe9, 0xea, 0xea, 0xec, 0xec, 0xef, 0xef, 143 0xf1, 0xf1, 0xf2, 0xf2, 0xf4, 0xf4, 0xf7, 0xf7, 144 0xf8, 0xf8, 0xfb, 0xfb, 0xfd, 0xfd, 0xfe, 0xfe 145 }; 146 147 /* 148 * A corrected version of des_setparity (see bug 1149767). 149 */ 150 void 151 des_setparity_g(des_block *p) 152 { 153 int i; 154 155 trace1(TR_des_setparity_g, 0); 156 for (i = 0; i < 8; i++) { 157 (*p).c[i] = partab_g[(*p).c[i]]; 158 } 159 trace1(TR_des_setparity_g, 1); 160 } 161 162 /* 163 * Software encrypt or decrypt a block of data (multiple of 8 bytes) 164 * Do the CBC ourselves if needed. 165 */ 166 int 167 __des_crypt(buf, len, desp) 168 register char *buf; 169 register unsigned len; 170 struct desparams *desp; 171 { 172 /* EXPORT DELETE START */ 173 register short i; 174 register unsigned mode; 175 register unsigned dir; 176 char nextiv[8]; 177 struct deskeydata softkey; 178 179 trace2(TR___des_crypt, 0, len); 180 mode = (unsigned) desp->des_mode; 181 dir = (unsigned) desp->des_dir; 182 __des_setkey(desp->des_key, &softkey, dir); 183 while (len != 0) { 184 switch (mode) { 185 case CBC: 186 switch (dir) { 187 case ENCRYPT: 188 for (i = 0; i < 8; i++) 189 buf[i] ^= desp->des_ivec[i]; 190 __des_encrypt((u_char *)buf, &softkey); 191 for (i = 0; i < 8; i++) 192 desp->des_ivec[i] = buf[i]; 193 break; 194 case DECRYPT: 195 for (i = 0; i < 8; i++) 196 nextiv[i] = buf[i]; 197 __des_encrypt((u_char *)buf, &softkey); 198 for (i = 0; i < 8; i++) { 199 buf[i] ^= desp->des_ivec[i]; 200 desp->des_ivec[i] = nextiv[i]; 201 } 202 break; 203 } 204 break; 205 case ECB: 206 __des_encrypt((u_char *)buf, &softkey); 207 break; 208 } 209 buf += 8; 210 len -= 8; 211 } 212 trace2(TR___des_crypt, 1, len); 213 /* EXPORT DELETE END */ 214 return (1); 215 } 216 217 218 /* 219 * Set the key and direction for an encryption operation 220 * We build the 16 key entries here 221 */ 222 static int 223 __des_setkey(userkey, kd, dir) 224 u_char userkey[8]; 225 register struct deskeydata *kd; 226 unsigned dir; 227 { 228 /* EXPORT DELETE START */ 229 int32_t C, D; 230 register short i; 231 232 trace2(TR___des_setkey, 0, dir); 233 /* 234 * First, generate C and D by permuting 235 * the key. The low order bit of each 236 * 8-bit char is not used, so C and D are only 28 237 * bits apiece. 238 */ 239 { 240 register short bit; 241 register const short *pcc = PC1_C, *pcd = PC1_D; 242 243 C = D = 0; 244 for (i = 0; i < 28; i++) { 245 C <<= 1; 246 D <<= 1; 247 bit = *pcc++; 248 if (btst(userkey, bit)) 249 C |= 1; 250 bit = *pcd++; 251 if (btst(userkey, bit)) 252 D |= 1; 253 } 254 } 255 /* 256 * To generate Ki, rotate C and D according 257 * to schedule and pick up a permutation 258 * using PC2. 259 */ 260 for (i = 0; i < 16; i++) { 261 register chunk_t *c; 262 register short j, k, bit; 263 uint32_t bbit; 264 265 /* 266 * Do the "left shift" (rotate) 267 * We know we always rotate by either 1 or 2 bits 268 * the shifts table tells us if its 2 269 */ 270 C <<= 1; 271 if (C & BIT28) 272 C |= 1; 273 D <<= 1; 274 if (D & BIT28) 275 D |= 1; 276 if (shifts[i]) { 277 C <<= 1; 278 if (C & BIT28) 279 C |= 1; 280 D <<= 1; 281 if (D & BIT28) 282 D |= 1; 283 } 284 /* 285 * get Ki. Note C and D are concatenated. 286 */ 287 bit = 0; 288 switch (dir) { 289 case ENCRYPT: 290 c = &kd->keyval[i]; break; 291 case DECRYPT: 292 c = &kd->keyval[15 - i]; break; 293 } 294 c->long0 = 0; 295 c->long1 = 0; 296 bbit = (1 << 5) << 24; 297 for (j = 0; j < 4; j++) { 298 for (k = 0; k < 6; k++) { 299 if (C & (BIT28 >> PC2_C[bit])) 300 c->long0 |= bbit >> k; 301 if (D & (BIT28 >> PC2_D[bit])) 302 c->long1 |= bbit >> k; 303 bit++; 304 } 305 bbit >>= 8; 306 } 307 308 } 309 trace2(TR___des_setkey, 1, dir); 310 /* EXPORT DELETE END */ 311 return (1); 312 } 313 314 315 316 /* 317 * Do an encryption operation 318 * Much pain is taken (with preprocessor) to avoid loops so the compiler 319 * can do address arithmetic instead of doing it at runtime. 320 * Note that the byte-to-chunk conversion is necessary to guarantee 321 * processor byte-order independence. 322 */ 323 static int 324 __des_encrypt(data, kd) 325 register u_char *data; 326 register struct deskeydata *kd; 327 { 328 /* EXPORT DELETE START */ 329 chunk_t work1, work2; 330 331 trace1(TR___des_encrypt, 0); 332 /* 333 * Initial permutation 334 * and byte to chunk conversion 335 */ 336 { 337 const uint32_t *lp; 338 uint32_t l0, l1, w; 339 register short i, pbit; 340 341 work1.byte0 = data[0]; 342 work1.byte1 = data[1]; 343 work1.byte2 = data[2]; 344 work1.byte3 = data[3]; 345 work1.byte4 = data[4]; 346 work1.byte5 = data[5]; 347 work1.byte6 = data[6]; 348 work1.byte7 = data[7]; 349 l0 = l1 = 0; 350 w = work1.long0; 351 for (lp = (uint32_t *)&longtab[0], i = 0; i < 32; i++) { 352 if (w & *lp++) { 353 pbit = IPtab[i]; 354 if (pbit < 32) 355 l0 |= longtab[pbit]; 356 else 357 l1 |= longtab[pbit-32]; 358 } 359 } 360 w = work1.long1; 361 for (lp = (uint32_t *)&longtab[0], i = 32; i < 64; i++) { 362 if (w & *lp++) { 363 pbit = IPtab[i]; 364 if (pbit < 32) 365 l0 |= longtab[pbit]; 366 else 367 l1 |= longtab[pbit-32]; 368 } 369 } 370 work2.long0 = l0; 371 work2.long1 = l1; 372 } 373 374 /* 375 * Expand 8 bits of 32 bit R to 48 bit R 376 */ 377 #define do_R_to_ER(op, b) { \ 378 register const struct R_to_ER *p = &R_to_ER_tab[b][R.byte##b]; \ 379 e0 op p->l0; \ 380 e1 op p->l1; \ 381 } 382 383 /* 384 * Inner part of the algorithm: 385 * Expand R from 32 to 48 bits; xor key value; 386 * apply S boxes; permute 32 bits of output 387 */ 388 #define do_F(iter, inR, outR) { \ 389 chunk_t R, ER; \ 390 uint32_t e0, e1; \ 391 R.long0 = inR; \ 392 do_R_to_ER(=, 0); \ 393 do_R_to_ER(|=, 1); \ 394 do_R_to_ER(|=, 2); \ 395 do_R_to_ER(|=, 3); \ 396 ER.long0 = e0 ^ kd->keyval[iter].long0; \ 397 ER.long1 = e1 ^ kd->keyval[iter].long1; \ 398 R.long0 = \ 399 S_tab[0][ER.byte0] + \ 400 S_tab[1][ER.byte1] + \ 401 S_tab[2][ER.byte2] + \ 402 S_tab[3][ER.byte3] + \ 403 S_tab[4][ER.byte4] + \ 404 S_tab[5][ER.byte5] + \ 405 S_tab[6][ER.byte6] + \ 406 S_tab[7][ER.byte7]; \ 407 outR = \ 408 P_tab[0][R.byte0] + \ 409 P_tab[1][R.byte1] + \ 410 P_tab[2][R.byte2] + \ 411 P_tab[3][R.byte3]; \ 412 } 413 414 /* 415 * Do a cipher step 416 * Apply inner part; do xor and exchange of 32 bit parts 417 */ 418 #define cipher(iter, inR, inL, outR, outL) { \ 419 do_F(iter, inR, outR); \ 420 outR ^= inL; \ 421 outL = inR; \ 422 } 423 424 /* 425 * Apply the 16 ciphering steps 426 */ 427 { 428 uint32_t r0, l0, r1, l1; 429 430 l0 = work2.long0; 431 r0 = work2.long1; 432 cipher(0, r0, l0, r1, l1); 433 cipher(1, r1, l1, r0, l0); 434 cipher(2, r0, l0, r1, l1); 435 cipher(3, r1, l1, r0, l0); 436 cipher(4, r0, l0, r1, l1); 437 cipher(5, r1, l1, r0, l0); 438 cipher(6, r0, l0, r1, l1); 439 cipher(7, r1, l1, r0, l0); 440 cipher(8, r0, l0, r1, l1); 441 cipher(9, r1, l1, r0, l0); 442 cipher(10, r0, l0, r1, l1); 443 cipher(11, r1, l1, r0, l0); 444 cipher(12, r0, l0, r1, l1); 445 cipher(13, r1, l1, r0, l0); 446 cipher(14, r0, l0, r1, l1); 447 cipher(15, r1, l1, r0, l0); 448 work1.long0 = r0; 449 work1.long1 = l0; 450 } 451 452 /* 453 * Final permutation 454 * and chunk to byte conversion 455 */ 456 { 457 uint32_t *lp; 458 uint32_t l0, l1, w; 459 register short i, pbit; 460 461 l0 = l1 = 0; 462 w = work1.long0; 463 for (lp = (uint32_t *)&longtab[0], i = 0; i < 32; i++) { 464 if (w & *lp++) { 465 pbit = FPtab[i]; 466 if (pbit < 32) 467 l0 |= longtab[pbit]; 468 else 469 l1 |= longtab[pbit-32]; 470 } 471 } 472 w = work1.long1; 473 for (lp = (uint32_t *)&longtab[0], i = 32; i < 64; i++) { 474 if (w & *lp++) { 475 pbit = FPtab[i]; 476 if (pbit < 32) 477 l0 |= longtab[pbit]; 478 else 479 l1 |= longtab[pbit-32]; 480 } 481 } 482 work2.long0 = l0; 483 work2.long1 = l1; 484 } 485 data[0] = work2.byte0; 486 data[1] = work2.byte1; 487 data[2] = work2.byte2; 488 data[3] = work2.byte3; 489 data[4] = work2.byte4; 490 data[5] = work2.byte5; 491 data[6] = work2.byte6; 492 data[7] = work2.byte7; 493 494 trace1(TR___des_encrypt, 1); 495 /* EXPORT DELETE END */ 496 return (1); 497 } 498