1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License, Version 1.0 only 6 * (the "License"). You may not use this file except in compliance 7 * with the License. 8 * 9 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 10 * or http://www.opensolaris.org/os/licensing. 11 * See the License for the specific language governing permissions 12 * and limitations under the License. 13 * 14 * When distributing Covered Code, include this CDDL HEADER in each 15 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 16 * If applicable, add the following below this CDDL HEADER, with the 17 * fields enclosed by brackets "[]" replaced with your own identifying 18 * information: Portions Copyright [yyyy] [name of copyright owner] 19 * 20 * CDDL HEADER END 21 */ 22 23 /* 24 * Copyright 2006 Sun Microsystems, Inc. All rights reserved. 25 * Use is subject to license terms. 26 */ 27 28 /* Copyright (c) 1984, 1986, 1987, 1988, 1989 AT&T */ 29 /* All Rights Reserved */ 30 31 /* 32 * Portions of this source code were derived from Berkeley 4.3 BSD 33 * under license from the Regents of the University of California. 34 */ 35 36 #pragma ident "%Z%%M% %I% %E% SMI" 37 38 /* 39 * Warning! Things are arranged very carefully in this file to 40 * allow read-only data to be moved to the text segment. The 41 * various DES tables must appear before any function definitions 42 * (this is arranged by including them immediately below) and partab 43 * must also appear before and function definitions 44 * This arrangement allows all data up through the first text to 45 * be moved to text. 46 */ 47 48 #include "mt.h" 49 #include <sys/types.h> 50 #include <des/softdes.h> 51 #include <des/desdata.h> 52 #ifdef sun 53 #include <sys/ioctl.h> 54 #include <sys/des.h> 55 #else 56 #include <des/des.h> 57 #endif 58 #include <rpcsvc/nis_dhext.h> 59 60 /* 61 * Fast (?) software implementation of DES 62 * Has been seen going at 2000 bytes/sec on a Sun-2 63 * Works on a VAX too. 64 * Won't work without 8 bit chars and 32 bit longs 65 */ 66 67 #define btst(k, b) (k[b >> 3] & (0x80 >> (b & 07))) 68 #define BIT28 (1<<28) 69 70 static int __des_encrypt(uchar_t *, struct deskeydata *); 71 static int __des_setkey(uchar_t[8], struct deskeydata *, unsigned); 72 73 74 /* 75 * Table giving odd parity in the low bit for ASCII characters 76 */ 77 const char partab[128] = { 78 0x01, 0x01, 0x02, 0x02, 0x04, 0x04, 0x07, 0x07, 79 0x08, 0x08, 0x0b, 0x0b, 0x0d, 0x0d, 0x0e, 0x0e, 80 0x10, 0x10, 0x13, 0x13, 0x15, 0x15, 0x16, 0x16, 81 0x19, 0x19, 0x1a, 0x1a, 0x1c, 0x1c, 0x1f, 0x1f, 82 0x20, 0x20, 0x23, 0x23, 0x25, 0x25, 0x26, 0x26, 83 0x29, 0x29, 0x2a, 0x2a, 0x2c, 0x2c, 0x2f, 0x2f, 84 0x31, 0x31, 0x32, 0x32, 0x34, 0x34, 0x37, 0x37, 85 0x38, 0x38, 0x3b, 0x3b, 0x3d, 0x3d, 0x3e, 0x3e, 86 0x40, 0x40, 0x43, 0x43, 0x45, 0x45, 0x46, 0x46, 87 0x49, 0x49, 0x4a, 0x4a, 0x4c, 0x4c, 0x4f, 0x4f, 88 0x51, 0x51, 0x52, 0x52, 0x54, 0x54, 0x57, 0x57, 89 0x58, 0x58, 0x5b, 0x5b, 0x5d, 0x5d, 0x5e, 0x5e, 90 0x61, 0x61, 0x62, 0x62, 0x64, 0x64, 0x67, 0x67, 91 0x68, 0x68, 0x6b, 0x6b, 0x6d, 0x6d, 0x6e, 0x6e, 92 0x70, 0x70, 0x73, 0x73, 0x75, 0x75, 0x76, 0x76, 93 0x79, 0x79, 0x7a, 0x7a, 0x7c, 0x7c, 0x7f, 0x7f, 94 }; 95 96 /* 97 * Add odd parity to low bit of 8 byte key 98 */ 99 void 100 des_setparity(char *p) 101 { 102 int i; 103 104 for (i = 0; i < 8; i++) { 105 *p = partab[*p & 0x7f]; 106 p++; 107 } 108 } 109 110 static const unsigned char partab_g[256] = { 111 0x01, 0x01, 0x02, 0x02, 0x04, 0x04, 0x07, 0x07, 112 0x08, 0x08, 0x0b, 0x0b, 0x0d, 0x0d, 0x0e, 0x0e, 113 0x10, 0x10, 0x13, 0x13, 0x15, 0x15, 0x16, 0x16, 114 0x19, 0x19, 0x1a, 0x1a, 0x1c, 0x1c, 0x1f, 0x1f, 115 0x20, 0x20, 0x23, 0x23, 0x25, 0x25, 0x26, 0x26, 116 0x29, 0x29, 0x2a, 0x2a, 0x2c, 0x2c, 0x2f, 0x2f, 117 0x31, 0x31, 0x32, 0x32, 0x34, 0x34, 0x37, 0x37, 118 0x38, 0x38, 0x3b, 0x3b, 0x3d, 0x3d, 0x3e, 0x3e, 119 0x40, 0x40, 0x43, 0x43, 0x45, 0x45, 0x46, 0x46, 120 0x49, 0x49, 0x4a, 0x4a, 0x4c, 0x4c, 0x4f, 0x4f, 121 0x51, 0x51, 0x52, 0x52, 0x54, 0x54, 0x57, 0x57, 122 0x58, 0x58, 0x5b, 0x5b, 0x5d, 0x5d, 0x5e, 0x5e, 123 0x61, 0x61, 0x62, 0x62, 0x64, 0x64, 0x67, 0x67, 124 0x68, 0x68, 0x6b, 0x6b, 0x6d, 0x6d, 0x6e, 0x6e, 125 0x70, 0x70, 0x73, 0x73, 0x75, 0x75, 0x76, 0x76, 126 0x79, 0x79, 0x7a, 0x7a, 0x7c, 0x7c, 0x7f, 0x7f, 127 0x80, 0x80, 0x83, 0x83, 0x85, 0x85, 0x86, 0x86, 128 0x89, 0x89, 0x8a, 0x8a, 0x8c, 0x8c, 0x8f, 0x8f, 129 0x91, 0x91, 0x92, 0x92, 0x94, 0x94, 0x97, 0x97, 130 0x98, 0x98, 0x9b, 0x9b, 0x9d, 0x9d, 0x9e, 0x9e, 131 0xa1, 0xa1, 0xa2, 0xa2, 0xa4, 0xa4, 0xa7, 0xa7, 132 0xa8, 0xa8, 0xab, 0xab, 0xad, 0xad, 0xae, 0xae, 133 0xb0, 0xb0, 0xb3, 0xb3, 0xb5, 0xb5, 0xb6, 0xb6, 134 0xb9, 0xb9, 0xba, 0xba, 0xbc, 0xbc, 0xbf, 0xbf, 135 0xc1, 0xc1, 0xc2, 0xc2, 0xc4, 0xc4, 0xc7, 0xc7, 136 0xc8, 0xc8, 0xcb, 0xcb, 0xcd, 0xcd, 0xce, 0xce, 137 0xd0, 0xd0, 0xd3, 0xd3, 0xd5, 0xd5, 0xd6, 0xd6, 138 0xd9, 0xd9, 0xda, 0xda, 0xdc, 0xdc, 0xdf, 0xdf, 139 0xe0, 0xe0, 0xe3, 0xe3, 0xe5, 0xe5, 0xe6, 0xe6, 140 0xe9, 0xe9, 0xea, 0xea, 0xec, 0xec, 0xef, 0xef, 141 0xf1, 0xf1, 0xf2, 0xf2, 0xf4, 0xf4, 0xf7, 0xf7, 142 0xf8, 0xf8, 0xfb, 0xfb, 0xfd, 0xfd, 0xfe, 0xfe 143 }; 144 145 /* 146 * A corrected version of des_setparity (see bug 1149767). 147 */ 148 void 149 des_setparity_g(des_block *p) 150 { 151 int i; 152 153 for (i = 0; i < 8; i++) { 154 (*p).c[i] = partab_g[(*p).c[i]]; 155 } 156 } 157 158 /* 159 * Software encrypt or decrypt a block of data (multiple of 8 bytes) 160 * Do the CBC ourselves if needed. 161 */ 162 int 163 __des_crypt(char *buf, unsigned len, struct desparams *desp) 164 { 165 short i; 166 unsigned mode; 167 unsigned dir; 168 char nextiv[8]; 169 struct deskeydata softkey; 170 171 mode = (unsigned)desp->des_mode; 172 dir = (unsigned)desp->des_dir; 173 (void) __des_setkey(desp->des_key, &softkey, dir); 174 while (len != 0) { 175 switch (mode) { 176 case CBC: 177 switch (dir) { 178 case ENCRYPT: 179 for (i = 0; i < 8; i++) 180 buf[i] ^= desp->des_ivec[i]; 181 (void) __des_encrypt((uchar_t *)buf, &softkey); 182 for (i = 0; i < 8; i++) 183 desp->des_ivec[i] = buf[i]; 184 break; 185 case DECRYPT: 186 for (i = 0; i < 8; i++) 187 nextiv[i] = buf[i]; 188 (void) __des_encrypt((uchar_t *)buf, &softkey); 189 for (i = 0; i < 8; i++) { 190 buf[i] ^= desp->des_ivec[i]; 191 desp->des_ivec[i] = nextiv[i]; 192 } 193 break; 194 } 195 break; 196 case ECB: 197 (void) __des_encrypt((uchar_t *)buf, &softkey); 198 break; 199 } 200 buf += 8; 201 len -= 8; 202 } 203 return (1); 204 } 205 206 207 /* 208 * Set the key and direction for an encryption operation 209 * We build the 16 key entries here 210 */ 211 static int 212 __des_setkey(uchar_t userkey[8], struct deskeydata *kd, unsigned dir) 213 { 214 int32_t C, D; 215 short i; 216 217 /* 218 * First, generate C and D by permuting 219 * the key. The low order bit of each 220 * 8-bit char is not used, so C and D are only 28 221 * bits apiece. 222 */ 223 { 224 short bit; 225 const short *pcc = PC1_C, *pcd = PC1_D; 226 227 C = D = 0; 228 for (i = 0; i < 28; i++) { 229 C <<= 1; 230 D <<= 1; 231 bit = *pcc++; 232 if (btst(userkey, bit)) 233 C |= 1; 234 bit = *pcd++; 235 if (btst(userkey, bit)) 236 D |= 1; 237 } 238 } 239 /* 240 * To generate Ki, rotate C and D according 241 * to schedule and pick up a permutation 242 * using PC2. 243 */ 244 for (i = 0; i < 16; i++) { 245 chunk_t *c; 246 short j, k, bit; 247 uint32_t bbit; 248 249 /* 250 * Do the "left shift" (rotate) 251 * We know we always rotate by either 1 or 2 bits 252 * the shifts table tells us if its 2 253 */ 254 C <<= 1; 255 if (C & BIT28) 256 C |= 1; 257 D <<= 1; 258 if (D & BIT28) 259 D |= 1; 260 if (shifts[i]) { 261 C <<= 1; 262 if (C & BIT28) 263 C |= 1; 264 D <<= 1; 265 if (D & BIT28) 266 D |= 1; 267 } 268 /* 269 * get Ki. Note C and D are concatenated. 270 */ 271 bit = 0; 272 switch (dir) { 273 case ENCRYPT: 274 c = &kd->keyval[i]; break; 275 case DECRYPT: 276 c = &kd->keyval[15 - i]; break; 277 } 278 c->long0 = 0; 279 c->long1 = 0; 280 bbit = (1 << 5) << 24; 281 for (j = 0; j < 4; j++) { 282 for (k = 0; k < 6; k++) { 283 if (C & (BIT28 >> PC2_C[bit])) 284 c->long0 |= bbit >> k; 285 if (D & (BIT28 >> PC2_D[bit])) 286 c->long1 |= bbit >> k; 287 bit++; 288 } 289 bbit >>= 8; 290 } 291 292 } 293 return (1); 294 } 295 296 297 298 /* 299 * Do an encryption operation 300 * Much pain is taken (with preprocessor) to avoid loops so the compiler 301 * can do address arithmetic instead of doing it at runtime. 302 * Note that the byte-to-chunk conversion is necessary to guarantee 303 * processor byte-order independence. 304 */ 305 static int 306 __des_encrypt(uchar_t *data, struct deskeydata *kd) 307 { 308 chunk_t work1, work2; 309 310 /* 311 * Initial permutation 312 * and byte to chunk conversion 313 */ 314 { 315 const uint32_t *lp; 316 uint32_t l0, l1, w; 317 short i, pbit; 318 319 work1.byte0 = data[0]; 320 work1.byte1 = data[1]; 321 work1.byte2 = data[2]; 322 work1.byte3 = data[3]; 323 work1.byte4 = data[4]; 324 work1.byte5 = data[5]; 325 work1.byte6 = data[6]; 326 work1.byte7 = data[7]; 327 l0 = l1 = 0; 328 w = work1.long0; 329 for (lp = (uint32_t *)&longtab[0], i = 0; i < 32; i++) { 330 if (w & *lp++) { 331 pbit = IPtab[i]; 332 if (pbit < 32) 333 l0 |= longtab[pbit]; 334 else 335 l1 |= longtab[pbit-32]; 336 } 337 } 338 w = work1.long1; 339 for (lp = (uint32_t *)&longtab[0], i = 32; i < 64; i++) { 340 if (w & *lp++) { 341 pbit = IPtab[i]; 342 if (pbit < 32) 343 l0 |= longtab[pbit]; 344 else 345 l1 |= longtab[pbit-32]; 346 } 347 } 348 work2.long0 = l0; 349 work2.long1 = l1; 350 } 351 352 /* 353 * Expand 8 bits of 32 bit R to 48 bit R 354 */ 355 #define do_R_to_ER(op, b) { \ 356 const struct R_to_ER *p = &R_to_ER_tab[b][R.byte##b]; \ 357 e0 op p->l0; \ 358 e1 op p->l1; \ 359 } 360 361 /* 362 * Inner part of the algorithm: 363 * Expand R from 32 to 48 bits; xor key value; 364 * apply S boxes; permute 32 bits of output 365 */ 366 /* BEGIN CSTYLED */ 367 #define do_F(iter, inR, outR) { \ 368 chunk_t R, ER; \ 369 uint32_t e0, e1; \ 370 R.long0 = inR; \ 371 do_R_to_ER(=, 0); \ 372 do_R_to_ER(|=, 1); \ 373 do_R_to_ER(|=, 2); \ 374 do_R_to_ER(|=, 3); \ 375 ER.long0 = e0 ^ kd->keyval[iter].long0; \ 376 ER.long1 = e1 ^ kd->keyval[iter].long1; \ 377 R.long0 = \ 378 S_tab[0][ER.byte0] + \ 379 S_tab[1][ER.byte1] + \ 380 S_tab[2][ER.byte2] + \ 381 S_tab[3][ER.byte3] + \ 382 S_tab[4][ER.byte4] + \ 383 S_tab[5][ER.byte5] + \ 384 S_tab[6][ER.byte6] + \ 385 S_tab[7][ER.byte7]; \ 386 outR = \ 387 P_tab[0][R.byte0] + \ 388 P_tab[1][R.byte1] + \ 389 P_tab[2][R.byte2] + \ 390 P_tab[3][R.byte3]; \ 391 } 392 /* END CSTYLED */ 393 394 /* 395 * Do a cipher step 396 * Apply inner part; do xor and exchange of 32 bit parts 397 */ 398 #define cipher(iter, inR, inL, outR, outL) { \ 399 do_F(iter, inR, outR); \ 400 outR ^= inL; \ 401 outL = inR; \ 402 } 403 404 /* 405 * Apply the 16 ciphering steps 406 */ 407 { 408 uint32_t r0, l0, r1, l1; 409 410 l0 = work2.long0; 411 r0 = work2.long1; 412 cipher(0, r0, l0, r1, l1); 413 cipher(1, r1, l1, r0, l0); 414 cipher(2, r0, l0, r1, l1); 415 cipher(3, r1, l1, r0, l0); 416 cipher(4, r0, l0, r1, l1); 417 cipher(5, r1, l1, r0, l0); 418 cipher(6, r0, l0, r1, l1); 419 cipher(7, r1, l1, r0, l0); 420 cipher(8, r0, l0, r1, l1); 421 cipher(9, r1, l1, r0, l0); 422 cipher(10, r0, l0, r1, l1); 423 cipher(11, r1, l1, r0, l0); 424 cipher(12, r0, l0, r1, l1); 425 cipher(13, r1, l1, r0, l0); 426 cipher(14, r0, l0, r1, l1); 427 cipher(15, r1, l1, r0, l0); 428 work1.long0 = r0; 429 work1.long1 = l0; 430 } 431 432 /* 433 * Final permutation 434 * and chunk to byte conversion 435 */ 436 { 437 uint32_t *lp; 438 uint32_t l0, l1, w; 439 short i, pbit; 440 441 l0 = l1 = 0; 442 w = work1.long0; 443 for (lp = (uint32_t *)&longtab[0], i = 0; i < 32; i++) { 444 if (w & *lp++) { 445 pbit = FPtab[i]; 446 if (pbit < 32) 447 l0 |= longtab[pbit]; 448 else 449 l1 |= longtab[pbit-32]; 450 } 451 } 452 w = work1.long1; 453 for (lp = (uint32_t *)&longtab[0], i = 32; i < 64; i++) { 454 if (w & *lp++) { 455 pbit = FPtab[i]; 456 if (pbit < 32) 457 l0 |= longtab[pbit]; 458 else 459 l1 |= longtab[pbit-32]; 460 } 461 } 462 work2.long0 = l0; 463 work2.long1 = l1; 464 } 465 data[0] = work2.byte0; 466 data[1] = work2.byte1; 467 data[2] = work2.byte2; 468 data[3] = work2.byte3; 469 data[4] = work2.byte4; 470 data[5] = work2.byte5; 471 data[6] = work2.byte6; 472 data[7] = work2.byte7; 473 474 return (1); 475 }