1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License, Version 1.0 only 6 * (the "License"). You may not use this file except in compliance 7 * with the License. 8 * 9 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 10 * or http://www.opensolaris.org/os/licensing. 11 * See the License for the specific language governing permissions 12 * and limitations under the License. 13 * 14 * When distributing Covered Code, include this CDDL HEADER in each 15 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 16 * If applicable, add the following below this CDDL HEADER, with the 17 * fields enclosed by brackets "[]" replaced with your own identifying 18 * information: Portions Copyright [yyyy] [name of copyright owner] 19 * 20 * CDDL HEADER END 21 * 22 * Copyright 1989 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 /* Copyright (c) 1983, 1984, 1985, 1986, 1987, 1988, 1989 AT&T */ 27 /* All Rights Reserved */ 28 29 /* 30 * Portions of this source code were derived from Berkeley 4.3 BSD 31 * under license from the Regents of the University of California. 32 */ 33 34 #ident "%Z%%M% %I% %E% SMI" 35 36 /* 37 * Warning! Things are arranged very carefully in this file to 38 * allow read-only data to be moved to the text segment. The 39 * various DES tables must appear before any function definitions 40 * (this is arranged by including them immediately below) and partab 41 * must also appear before and function definitions 42 * This arrangement allows all data up through the first text to 43 * be moved to text. 44 */ 45 46 /* 47 * Fast (?) software implementation of DES 48 * Has been seen going at 2000 bytes/sec on a Sun-2 49 * Works on a VAX too. 50 * Won't work without 8 bit chars and 32 bit longs 51 */ 52 53 #include <sys/types.h> 54 #include <des/des.h> 55 #include <des/softdes.h> 56 #include <des/desdata.h> 57 #include <sys/debug.h> 58 59 static void des_setkey(u_char userkey[8], struct deskeydata *kd, 60 unsigned int dir); 61 static void des_encrypt(u_char *data, struct deskeydata *kd); 62 63 #define btst(k, b) (k[b >> 3] & (0x80 >> (b & 07))) 64 #define BIT28 (1<<28) 65 66 /* 67 * Software encrypt or decrypt a block of data (multiple of 8 bytes) 68 * Do the CBC ourselves if needed. 69 */ 70 /* ARGSUSED */ 71 int 72 _des_crypt(char *buf, size_t len, struct desparams *desp) 73 { 74 short i; 75 uint_t mode; 76 uint_t dir; 77 char nextiv[8]; 78 struct deskeydata softkey; 79 80 mode = desp->des_mode; 81 dir = desp->des_dir; 82 des_setkey(desp->des_key, &softkey, dir); 83 while (len != 0) { 84 switch (mode) { 85 case CBC: 86 switch (dir) { 87 case ENCRYPT: 88 for (i = 0; i < 8; i++) 89 buf[i] ^= desp->des_ivec[i]; 90 des_encrypt((u_char *)buf, &softkey); 91 for (i = 0; i < 8; i++) 92 desp->des_ivec[i] = buf[i]; 93 break; 94 case DECRYPT: 95 for (i = 0; i < 8; i++) 96 nextiv[i] = buf[i]; 97 des_encrypt((u_char *)buf, &softkey); 98 for (i = 0; i < 8; i++) { 99 buf[i] ^= desp->des_ivec[i]; 100 desp->des_ivec[i] = nextiv[i]; 101 } 102 break; 103 } 104 break; 105 case ECB: 106 des_encrypt((u_char *)buf, &softkey); 107 break; 108 } 109 buf += 8; 110 len -= 8; 111 } 112 return (1); 113 } 114 115 116 /* 117 * Set the key and direction for an encryption operation 118 * We build the 16 key entries here 119 */ 120 /* ARGSUSED */ 121 static void 122 des_setkey(u_char userkey[8], struct deskeydata *kd, unsigned int dir) 123 { 124 int32_t C, D; 125 short i; 126 127 /* 128 * First, generate C and D by permuting 129 * the key. The low order bit of each 130 * 8-bit char is not used, so C and D are only 28 131 * bits apiece. 132 */ 133 { 134 short bit; 135 short *pcc = (short *)PC1_C, *pcd = (short *)PC1_D; 136 137 C = D = 0; 138 for (i = 0; i < 28; i++) { 139 C <<= 1; 140 D <<= 1; 141 bit = *pcc++; 142 if (btst(userkey, bit)) 143 C |= 1; 144 bit = *pcd++; 145 if (btst(userkey, bit)) 146 D |= 1; 147 } 148 } 149 /* 150 * To generate Ki, rotate C and D according 151 * to schedule and pick up a permutation 152 * using PC2. 153 */ 154 for (i = 0; i < 16; i++) { 155 chunk_t *c; 156 short j, k, bit; 157 int bbit; 158 159 /* 160 * Do the "left shift" (rotate) 161 * We know we always rotate by either 1 or 2 bits 162 * the shifts table tells us if its 2 163 */ 164 C <<= 1; 165 if (C & BIT28) 166 C |= 1; 167 D <<= 1; 168 if (D & BIT28) 169 D |= 1; 170 if (shifts[i]) { 171 C <<= 1; 172 if (C & BIT28) 173 C |= 1; 174 D <<= 1; 175 if (D & BIT28) 176 D |= 1; 177 } 178 /* 179 * get Ki. Note C and D are concatenated. 180 */ 181 bit = 0; 182 switch (dir) { 183 case ENCRYPT: 184 c = &kd->keyval[i]; 185 break; 186 case DECRYPT: 187 c = &kd->keyval[15 - i]; 188 break; 189 } 190 c->long0 = 0; 191 c->long1 = 0; 192 bbit = (1 << 5) << 24; 193 for (j = 0; j < 4; j++) { 194 for (k = 0; k < 6; k++) { 195 if (C & (BIT28 >> PC2_C[bit])) 196 c->long0 |= bbit >> k; 197 if (D & (BIT28 >> PC2_D[bit])) 198 c->long1 |= bbit >> k; 199 bit++; 200 } 201 bbit >>= 8; 202 } 203 } 204 } 205 206 207 208 /* 209 * Do an encryption operation 210 * Much pain is taken (with preprocessor) to avoid loops so the compiler 211 * can do address arithmetic instead of doing it at runtime. 212 * Note that the byte-to-chunk conversion is necessary to guarantee 213 * processor byte-order independence. 214 */ 215 /* ARGSUSED */ 216 static void 217 des_encrypt(u_char *data, struct deskeydata *kd) 218 { 219 chunk_t work1, work2; 220 221 /* 222 * Initial permutation 223 * and byte to chunk conversion 224 */ 225 { 226 const uint32_t *lp; 227 uint32_t l0, l1, w; 228 short i, pbit; 229 230 work1.byte0 = data[0]; 231 work1.byte1 = data[1]; 232 work1.byte2 = data[2]; 233 work1.byte3 = data[3]; 234 work1.byte4 = data[4]; 235 work1.byte5 = data[5]; 236 work1.byte6 = data[6]; 237 work1.byte7 = data[7]; 238 l0 = l1 = 0; 239 w = work1.long0; 240 for (lp = &longtab[0], i = 0; i < 32; i++) { 241 if (w & *lp++) { 242 pbit = IPtab[i]; 243 if (pbit < 32) 244 l0 |= longtab[pbit]; 245 else 246 l1 |= longtab[pbit-32]; 247 } 248 } 249 w = work1.long1; 250 for (lp = &longtab[0], i = 32; i < 64; i++) { 251 if (w & *lp++) { 252 pbit = IPtab[i]; 253 if (pbit < 32) 254 l0 |= longtab[pbit]; 255 else 256 l1 |= longtab[pbit-32]; 257 } 258 } 259 work2.long0 = l0; 260 work2.long1 = l1; 261 } 262 263 /* 264 * Expand 8 bits of 32 bit R to 48 bit R 265 */ 266 #ifdef __STDC__ 267 #define do_R_to_ER(op, b) { \ 268 struct R_to_ER *p = \ 269 (struct R_to_ER *)&R_to_ER_tab[b][R.byte##b]; \ 270 e0 op p->l0; \ 271 e1 op p->l1; \ 272 } 273 #else 274 #define do_R_to_ER(op, b) { \ 275 /*CSTYLED*/ \ 276 struct R_to_ER *p = &R_to_ER_tab[b][R.byte/**/b]; \ 277 e0 op p->l0; \ 278 e1 op p->l1; \ 279 } 280 #endif 281 282 /* 283 * Inner part of the algorithm: 284 * Expand R from 32 to 48 bits; xor key value; 285 * apply S boxes; permute 32 bits of output 286 */ 287 #define do_F(iter, inR, outR) { \ 288 chunk_t R, ER; \ 289 u_int e0, e1; \ 290 R.long0 = inR; \ 291 /*CSTYLED*/ \ 292 do_R_to_ER(=,0); \ 293 /*CSTYLED*/ \ 294 do_R_to_ER(|=,1); \ 295 /*CSTYLED*/ \ 296 do_R_to_ER(|=,2); \ 297 /*CSTYLED*/ \ 298 do_R_to_ER(|=,3); \ 299 ER.long0 = e0 ^ kd->keyval[iter].long0; \ 300 ER.long1 = e1 ^ kd->keyval[iter].long1; \ 301 R.long0 = \ 302 S_tab[0][ER.byte0] + \ 303 S_tab[1][ER.byte1] + \ 304 S_tab[2][ER.byte2] + \ 305 S_tab[3][ER.byte3] + \ 306 S_tab[4][ER.byte4] + \ 307 S_tab[5][ER.byte5] + \ 308 S_tab[6][ER.byte6] + \ 309 S_tab[7][ER.byte7]; \ 310 outR = \ 311 P_tab[0][R.byte0] + \ 312 P_tab[1][R.byte1] + \ 313 P_tab[2][R.byte2] + \ 314 P_tab[3][R.byte3]; \ 315 } 316 317 /* 318 * Do a cipher step 319 * Apply inner part; do xor and exchange of 32 bit parts 320 */ 321 #define cipher(iter, inR, inL, outR, outL) { \ 322 do_F(iter, inR, outR); \ 323 outR ^= inL; \ 324 outL = inR; \ 325 } 326 327 /* 328 * Apply the 16 ciphering steps 329 */ 330 { 331 u_int r0, l0, r1, l1; 332 333 l0 = work2.long0; 334 r0 = work2.long1; 335 cipher(0, r0, l0, r1, l1); 336 cipher(1, r1, l1, r0, l0); 337 cipher(2, r0, l0, r1, l1); 338 cipher(3, r1, l1, r0, l0); 339 cipher(4, r0, l0, r1, l1); 340 cipher(5, r1, l1, r0, l0); 341 cipher(6, r0, l0, r1, l1); 342 cipher(7, r1, l1, r0, l0); 343 cipher(8, r0, l0, r1, l1); 344 cipher(9, r1, l1, r0, l0); 345 cipher(10, r0, l0, r1, l1); 346 cipher(11, r1, l1, r0, l0); 347 cipher(12, r0, l0, r1, l1); 348 cipher(13, r1, l1, r0, l0); 349 cipher(14, r0, l0, r1, l1); 350 cipher(15, r1, l1, r0, l0); 351 work1.long0 = r0; 352 work1.long1 = l0; 353 } 354 355 /* 356 * Final permutation 357 * and chunk to byte conversion 358 */ 359 { 360 const uint32_t *lp; 361 uint32_t l0, l1, w; 362 short i, pbit; 363 364 l0 = l1 = 0; 365 w = work1.long0; 366 for (lp = &longtab[0], i = 0; i < 32; i++) { 367 if (w & *lp++) { 368 pbit = FPtab[i]; 369 if (pbit < 32) 370 l0 |= longtab[pbit]; 371 else 372 l1 |= longtab[pbit-32]; 373 } 374 } 375 w = work1.long1; 376 for (lp = &longtab[0], i = 32; i < 64; i++) { 377 if (w & *lp++) { 378 pbit = FPtab[i]; 379 if (pbit < 32) 380 l0 |= longtab[pbit]; 381 else 382 l1 |= longtab[pbit-32]; 383 } 384 } 385 work2.long0 = l0; 386 work2.long1 = l1; 387 } 388 data[0] = work2.byte0; 389 data[1] = work2.byte1; 390 data[2] = work2.byte2; 391 data[3] = work2.byte3; 392 data[4] = work2.byte4; 393 data[5] = work2.byte5; 394 data[6] = work2.byte6; 395 data[7] = work2.byte7; 396 }