1/*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21
22/*
23 * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
24 * Use is subject to license terms.
25 */
26
27/*	Copyright (c) 1983, 1984, 1985, 1986, 1987, 1988, 1989 AT&T	*/
28/*	  All Rights Reserved  	*/
29
30/*
31 * Portions of this source code were derived from Berkeley 4.3 BSD
32 * under license from the Regents of the University of California.
33 */
34
35#pragma ident	"%Z%%M%	%I%	%E% SMI"
36
37/*
38 * Warning!  Things are arranged very carefully in this file to
39 * allow read-only data to be moved to the text segment.  The
40 * various DES tables must appear before any function definitions
41 * (this is arranged by including them immediately below) and partab
42 * must also appear before and function definitions
43 * This arrangement allows all data up through the first text to
44 * be moved to text.
45 */
46
47#ifndef _KERNEL
48#define	CRYPT	/* cannot configure out of user-level code */
49#endif
50
51#ifdef CRYPT
52#include <sys/types.h>
53#include <des/softdes.h>
54#include <des/desdata.h>
55
56#ifdef sun
57#include <sys/ioctl.h>
58#include <sys/des.h>
59#else
60#include <des/des.h>
61#endif
62
63#include "des_soft.h"
64
65/*
66 * Fast (?) software implementation of DES
67 * Has been seen going at 2000 bytes/sec on a Sun-2
68 * Works on a VAX too.
69 * Won't work without 8 bit chars and 32 bit longs
70 */
71
72#define	btst(k, b)	(k[b >> 3] & (0x80 >> (b & 07)))
73#define	BIT28	(1<<28)
74
75
76#endif /* def CRYPT */
77
78static void des_setkey(uchar_t [8], struct deskeydata *, unsigned);
79static void des_encrypt(uchar_t *, struct deskeydata *);
80
81#ifndef	_KERNEL
82/*
83 * Table giving odd parity in the low bit for ASCII characters
84 */
85static char partab[128] = {
86	0x01, 0x01, 0x02, 0x02, 0x04, 0x04, 0x07, 0x07,
87	0x08, 0x08, 0x0b, 0x0b, 0x0d, 0x0d, 0x0e, 0x0e,
88	0x10, 0x10, 0x13, 0x13, 0x15, 0x15, 0x16, 0x16,
89	0x19, 0x19, 0x1a, 0x1a, 0x1c, 0x1c, 0x1f, 0x1f,
90	0x20, 0x20, 0x23, 0x23, 0x25, 0x25, 0x26, 0x26,
91	0x29, 0x29, 0x2a, 0x2a, 0x2c, 0x2c, 0x2f, 0x2f,
92	0x31, 0x31, 0x32, 0x32, 0x34, 0x34, 0x37, 0x37,
93	0x38, 0x38, 0x3b, 0x3b, 0x3d, 0x3d, 0x3e, 0x3e,
94	0x40, 0x40, 0x43, 0x43, 0x45, 0x45, 0x46, 0x46,
95	0x49, 0x49, 0x4a, 0x4a, 0x4c, 0x4c, 0x4f, 0x4f,
96	0x51, 0x51, 0x52, 0x52, 0x54, 0x54, 0x57, 0x57,
97	0x58, 0x58, 0x5b, 0x5b, 0x5d, 0x5d, 0x5e, 0x5e,
98	0x61, 0x61, 0x62, 0x62, 0x64, 0x64, 0x67, 0x67,
99	0x68, 0x68, 0x6b, 0x6b, 0x6d, 0x6d, 0x6e, 0x6e,
100	0x70, 0x70, 0x73, 0x73, 0x75, 0x75, 0x76, 0x76,
101	0x79, 0x79, 0x7a, 0x7a, 0x7c, 0x7c, 0x7f, 0x7f,
102};
103
104
105
106/*
107 * Add odd parity to low bit of 8 byte key
108 */
109void
110des_setparity(char *p)
111{
112	int i;
113
114	for (i = 0; i < 8; i++) {
115		*p = partab[*p & 0x7f];
116		p++;
117	}
118}
119#endif /* def _KERNEL */
120
121#ifdef CRYPT
122/*
123 * Software encrypt or decrypt a block of data (multiple of 8 bytes)
124 * Do the CBC ourselves if needed.
125 */
126int
127__des_crypt(char *buf, unsigned int len, struct desparams *desp)
128{
129/* EXPORT DELETE START */
130	short i;
131	unsigned mode;
132	unsigned dir;
133	char nextiv[8];
134	struct deskeydata softkey;
135
136	mode = (unsigned)desp->des_mode;
137	dir = (unsigned)desp->des_dir;
138	des_setkey(desp->des_key, &softkey, dir);
139	while (len != 0) {
140		switch (mode) {
141		case CBC:
142			switch (dir) {
143			case ENCRYPT:
144				for (i = 0; i < 8; i++)
145					buf[i] ^= desp->des_ivec[i];
146				des_encrypt((uchar_t *)buf, &softkey);
147				for (i = 0; i < 8; i++)
148					desp->des_ivec[i] = buf[i];
149				break;
150			case DECRYPT:
151				for (i = 0; i < 8; i++)
152					nextiv[i] = buf[i];
153				des_encrypt((uchar_t *)buf, &softkey);
154				for (i = 0; i < 8; i++) {
155					buf[i] ^= desp->des_ivec[i];
156					desp->des_ivec[i] = nextiv[i];
157				}
158				break;
159			}
160			break;
161		case ECB:
162			des_encrypt((uchar_t *)buf, &softkey);
163			break;
164		}
165		buf += 8;
166		len -= 8;
167	}
168/* EXPORT DELETE END */
169	return (1);
170}
171
172
173/*
174 * Set the key and direction for an encryption operation
175 * We build the 16 key entries here
176 */
177static void
178des_setkey(uchar_t userkey[8], struct deskeydata *kd, unsigned int dir)
179{
180/* EXPORT DELETE START */
181	long C, D;
182	short i;
183
184	/*
185	 * First, generate C and D by permuting
186	 * the key. The low order bit of each
187	 * 8-bit char is not used, so C and D are only 28
188	 * bits apiece.
189	 */
190	{
191		short bit;
192		const short *pcc = PC1_C, *pcd = PC1_D;
193
194		C = D = 0;
195		for (i = 0; i < 28; i++) {
196			C <<= 1;
197			D <<= 1;
198			bit = *pcc++;
199			if (btst(userkey, bit))
200				C |= 1;
201			bit = *pcd++;
202			if (btst(userkey, bit))
203				D |= 1;
204		}
205	}
206	/*
207	 * To generate Ki, rotate C and D according
208	 * to schedule and pick up a permutation
209	 * using PC2.
210	 */
211	for (i = 0; i < 16; i++) {
212		chunk_t *c;
213		short j, k, bit;
214		long bbit;
215
216		/*
217		 * Do the "left shift" (rotate)
218		 * We know we always rotate by either 1 or 2 bits
219		 * the shifts table tells us if its 2
220		 */
221		C <<= 1;
222		if (C & BIT28)
223			C |= 1;
224		D <<= 1;
225		if (D & BIT28)
226			D |= 1;
227		if (shifts[i]) {
228			C <<= 1;
229			if (C & BIT28)
230				C |= 1;
231			D <<= 1;
232			if (D & BIT28)
233				D |= 1;
234		}
235		/*
236		 * get Ki. Note C and D are concatenated.
237		 */
238		bit = 0;
239		switch (dir) {
240		case ENCRYPT:
241			c = &kd->keyval[i]; break;
242		case DECRYPT:
243			c = &kd->keyval[15 - i]; break;
244		}
245		c->long0 = 0;
246		c->long1 = 0;
247		bbit = (1 << 5) << 24;
248		for (j = 0; j < 4; j++) {
249			for (k = 0; k < 6; k++) {
250				if (C & (BIT28 >> PC2_C[bit]))
251					c->long0 |= bbit >> k;
252				if (D & (BIT28 >> PC2_D[bit]))
253					c->long1 |= bbit >> k;
254				bit++;
255			}
256			bbit >>= 8;
257		}
258
259	}
260/* EXPORT DELETE END */
261}
262
263
264
265/*
266 * Do an encryption operation
267 * Much pain is taken (with preprocessor) to avoid loops so the compiler
268 * can do address arithmetic instead of doing it at runtime.
269 * Note that the byte-to-chunk conversion is necessary to guarantee
270 * processor byte-order independence.
271 */
272static void
273des_encrypt(uchar_t *data, struct deskeydata *kd)
274{
275/* EXPORT DELETE START */
276	chunk_t work1, work2;
277
278	/*
279	 * Initial permutation
280	 * and byte to chunk conversion
281	 */
282	{
283		const uint32_t *lp;
284		uint32_t l0, l1, w;
285		short i, pbit;
286
287		work1.byte0 = data[0];
288		work1.byte1 = data[1];
289		work1.byte2 = data[2];
290		work1.byte3 = data[3];
291		work1.byte4 = data[4];
292		work1.byte5 = data[5];
293		work1.byte6 = data[6];
294		work1.byte7 = data[7];
295		l0 = l1 = 0;
296		w = work1.long0;
297		for (lp = &longtab[0], i = 0; i < 32; i++) {
298			if (w & *lp++) {
299				pbit = IPtab[i];
300				if (pbit < 32)
301					l0 |= longtab[pbit];
302				else
303					l1 |= longtab[pbit-32];
304			}
305		}
306		w = work1.long1;
307		for (lp = &longtab[0], i = 32; i < 64; i++) {
308			if (w & *lp++) {
309				pbit = IPtab[i];
310				if (pbit < 32)
311					l0 |= longtab[pbit];
312				else
313					l1 |= longtab[pbit-32];
314			}
315		}
316		work2.long0 = l0;
317		work2.long1 = l1;
318	}
319
320/*
321 * Expand 8 bits of 32 bit R to 48 bit R
322 */
323#define	do_R_to_ER(op, b)	{			\
324	const struct R_to_ER *p = &R_to_ER_tab[b][R.byte##b];	\
325	e0 op p->l0;				\
326	e1 op p->l1;				\
327}
328
329/*
330 * Inner part of the algorithm:
331 * Expand R from 32 to 48 bits; xor key value;
332 * apply S boxes; permute 32 bits of output
333 */
334#define	do_F(iter, inR, outR) 	{			\
335	chunk_t R, ER;					\
336	uint32_t e0, e1;				\
337	R.long0 = inR;					\
338	/* CSTYLED */					\
339	do_R_to_ER(=, 0);				\
340	/* CSTYLED */					\
341	do_R_to_ER(|=, 1);				\
342	/* CSTYLED */					\
343	do_R_to_ER(|=, 2);				\
344	/* CSTYLED */					\
345	do_R_to_ER(|=, 3);				\
346	ER.long0 = e0 ^ kd->keyval[iter].long0;		\
347	ER.long1 = e1 ^ kd->keyval[iter].long1;		\
348	R.long0 = 					\
349		S_tab[0][ER.byte0] +			\
350		S_tab[1][ER.byte1] +			\
351		S_tab[2][ER.byte2] +			\
352		S_tab[3][ER.byte3] +			\
353		S_tab[4][ER.byte4] +			\
354		S_tab[5][ER.byte5] +			\
355		S_tab[6][ER.byte6] +			\
356		S_tab[7][ER.byte7]; 			\
357	outR = 						\
358		P_tab[0][R.byte0] +			\
359		P_tab[1][R.byte1] +			\
360		P_tab[2][R.byte2] +			\
361		P_tab[3][R.byte3]; 			\
362}
363
364/*
365 * Do a cipher step
366 * Apply inner part; do xor and exchange of 32 bit parts
367 */
368#define	cipher(iter, inR, inL, outR, outL)	{	\
369	do_F(iter, inR, outR);				\
370	outR ^= inL;					\
371	outL = inR;					\
372}
373
374	/*
375	 * Apply the 16 ciphering steps
376	 */
377	{
378		uint32_t r0, l0, r1, l1;
379
380		l0 = work2.long0;
381		r0 = work2.long1;
382		cipher(0, r0, l0, r1, l1);
383		cipher(1, r1, l1, r0, l0);
384		cipher(2, r0, l0, r1, l1);
385		cipher(3, r1, l1, r0, l0);
386		cipher(4, r0, l0, r1, l1);
387		cipher(5, r1, l1, r0, l0);
388		cipher(6, r0, l0, r1, l1);
389		cipher(7, r1, l1, r0, l0);
390		cipher(8, r0, l0, r1, l1);
391		cipher(9, r1, l1, r0, l0);
392		cipher(10, r0, l0, r1, l1);
393		cipher(11, r1, l1, r0, l0);
394		cipher(12, r0, l0, r1, l1);
395		cipher(13, r1, l1, r0, l0);
396		cipher(14, r0, l0, r1, l1);
397		cipher(15, r1, l1, r0, l0);
398		work1.long0 = r0;
399		work1.long1 = l0;
400	}
401
402	/*
403	 * Final permutation
404	 * and chunk to byte conversion
405	 */
406	{
407		const uint32_t *lp;
408		uint32_t l0, l1, w;
409		short i, pbit;
410
411		l0 = l1 = 0;
412		w = work1.long0;
413		for (lp = &longtab[0], i = 0; i < 32; i++) {
414			if (w & *lp++) {
415				pbit = FPtab[i];
416				if (pbit < 32)
417					l0 |= longtab[pbit];
418				else
419					l1 |= longtab[pbit-32];
420			}
421		}
422		w = work1.long1;
423		for (lp = &longtab[0], i = 32; i < 64; i++) {
424			if (w & *lp++) {
425				pbit = FPtab[i];
426				if (pbit < 32)
427					l0 |= longtab[pbit];
428				else
429					l1 |= longtab[pbit-32];
430			}
431		}
432		work2.long0 = l0;
433		work2.long1 = l1;
434	}
435	data[0] = work2.byte0;
436	data[1] = work2.byte1;
437	data[2] = work2.byte2;
438	data[3] = work2.byte3;
439	data[4] = work2.byte4;
440	data[5] = work2.byte5;
441	data[6] = work2.byte6;
442	data[7] = work2.byte7;
443
444/* EXPORT DELETE END */
445}
446#endif /* def CRYPT */
447