1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License, Version 1.0 only
6 * (the "License"). You may not use this file except in compliance
7 * with the License.
8 *
9 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10 * or http://www.opensolaris.org/os/licensing.
11 * See the License for the specific language governing permissions
12 * and limitations under the License.
13 *
14 * When distributing Covered Code, include this CDDL HEADER in each
15 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16 * If applicable, add the following below this CDDL HEADER, with the
17 * fields enclosed by brackets "[]" replaced with your own identifying
18 * information: Portions Copyright [yyyy] [name of copyright owner]
19 *
20 * CDDL HEADER END
21 */
22
23 /*
24 * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
25 * Use is subject to license terms.
26 */
27
28 /* Copyright (c) 1984, 1986, 1987, 1988, 1989 AT&T */
29 /* All Rights Reserved */
30
31 /*
32 * Portions of this source code were derived from Berkeley 4.3 BSD
33 * under license from the Regents of the University of California.
34 */
35
36 /*
37 * Warning! Things are arranged very carefully in this file to
38 * allow read-only data to be moved to the text segment. The
39 * various DES tables must appear before any function definitions
40 * (this is arranged by including them immediately below) and partab
41 * must also appear before and function definitions
42 * This arrangement allows all data up through the first text to
43 * be moved to text.
44 */
45
46 #include "mt.h"
47 #include <sys/types.h>
48 #include <des/softdes.h>
49 #include <des/desdata.h>
50 #ifdef sun
51 #include <sys/ioctl.h>
52 #include <sys/des.h>
53 #else
54 #include <des/des.h>
55 #endif
56 #include <rpcsvc/nis_dhext.h>
57
58 /*
59 * Fast (?) software implementation of DES
60 * Has been seen going at 2000 bytes/sec on a Sun-2
61 * Works on a VAX too.
62 * Won't work without 8 bit chars and 32 bit longs
63 */
64
65 #define btst(k, b) (k[b >> 3] & (0x80 >> (b & 07)))
66 #define BIT28 (1<<28)
67
68 static int __des_encrypt(uchar_t *, struct deskeydata *);
69 static int __des_setkey(uchar_t[8], struct deskeydata *, unsigned);
70
71
72 /*
73 * Table giving odd parity in the low bit for ASCII characters
74 */
75 const char partab[128] = {
76 0x01, 0x01, 0x02, 0x02, 0x04, 0x04, 0x07, 0x07,
77 0x08, 0x08, 0x0b, 0x0b, 0x0d, 0x0d, 0x0e, 0x0e,
78 0x10, 0x10, 0x13, 0x13, 0x15, 0x15, 0x16, 0x16,
79 0x19, 0x19, 0x1a, 0x1a, 0x1c, 0x1c, 0x1f, 0x1f,
80 0x20, 0x20, 0x23, 0x23, 0x25, 0x25, 0x26, 0x26,
81 0x29, 0x29, 0x2a, 0x2a, 0x2c, 0x2c, 0x2f, 0x2f,
82 0x31, 0x31, 0x32, 0x32, 0x34, 0x34, 0x37, 0x37,
83 0x38, 0x38, 0x3b, 0x3b, 0x3d, 0x3d, 0x3e, 0x3e,
84 0x40, 0x40, 0x43, 0x43, 0x45, 0x45, 0x46, 0x46,
85 0x49, 0x49, 0x4a, 0x4a, 0x4c, 0x4c, 0x4f, 0x4f,
86 0x51, 0x51, 0x52, 0x52, 0x54, 0x54, 0x57, 0x57,
87 0x58, 0x58, 0x5b, 0x5b, 0x5d, 0x5d, 0x5e, 0x5e,
88 0x61, 0x61, 0x62, 0x62, 0x64, 0x64, 0x67, 0x67,
89 0x68, 0x68, 0x6b, 0x6b, 0x6d, 0x6d, 0x6e, 0x6e,
90 0x70, 0x70, 0x73, 0x73, 0x75, 0x75, 0x76, 0x76,
91 0x79, 0x79, 0x7a, 0x7a, 0x7c, 0x7c, 0x7f, 0x7f,
92 };
93
94 /*
95 * Add odd parity to low bit of 8 byte key
96 */
97 void
des_setparity(char * p)98 des_setparity(char *p)
99 {
100 int i;
101
102 for (i = 0; i < 8; i++) {
103 *p = partab[*p & 0x7f];
104 p++;
105 }
106 }
107
108 static const unsigned char partab_g[256] = {
109 0x01, 0x01, 0x02, 0x02, 0x04, 0x04, 0x07, 0x07,
110 0x08, 0x08, 0x0b, 0x0b, 0x0d, 0x0d, 0x0e, 0x0e,
111 0x10, 0x10, 0x13, 0x13, 0x15, 0x15, 0x16, 0x16,
112 0x19, 0x19, 0x1a, 0x1a, 0x1c, 0x1c, 0x1f, 0x1f,
113 0x20, 0x20, 0x23, 0x23, 0x25, 0x25, 0x26, 0x26,
114 0x29, 0x29, 0x2a, 0x2a, 0x2c, 0x2c, 0x2f, 0x2f,
115 0x31, 0x31, 0x32, 0x32, 0x34, 0x34, 0x37, 0x37,
116 0x38, 0x38, 0x3b, 0x3b, 0x3d, 0x3d, 0x3e, 0x3e,
117 0x40, 0x40, 0x43, 0x43, 0x45, 0x45, 0x46, 0x46,
118 0x49, 0x49, 0x4a, 0x4a, 0x4c, 0x4c, 0x4f, 0x4f,
119 0x51, 0x51, 0x52, 0x52, 0x54, 0x54, 0x57, 0x57,
120 0x58, 0x58, 0x5b, 0x5b, 0x5d, 0x5d, 0x5e, 0x5e,
121 0x61, 0x61, 0x62, 0x62, 0x64, 0x64, 0x67, 0x67,
122 0x68, 0x68, 0x6b, 0x6b, 0x6d, 0x6d, 0x6e, 0x6e,
123 0x70, 0x70, 0x73, 0x73, 0x75, 0x75, 0x76, 0x76,
124 0x79, 0x79, 0x7a, 0x7a, 0x7c, 0x7c, 0x7f, 0x7f,
125 0x80, 0x80, 0x83, 0x83, 0x85, 0x85, 0x86, 0x86,
126 0x89, 0x89, 0x8a, 0x8a, 0x8c, 0x8c, 0x8f, 0x8f,
127 0x91, 0x91, 0x92, 0x92, 0x94, 0x94, 0x97, 0x97,
128 0x98, 0x98, 0x9b, 0x9b, 0x9d, 0x9d, 0x9e, 0x9e,
129 0xa1, 0xa1, 0xa2, 0xa2, 0xa4, 0xa4, 0xa7, 0xa7,
130 0xa8, 0xa8, 0xab, 0xab, 0xad, 0xad, 0xae, 0xae,
131 0xb0, 0xb0, 0xb3, 0xb3, 0xb5, 0xb5, 0xb6, 0xb6,
132 0xb9, 0xb9, 0xba, 0xba, 0xbc, 0xbc, 0xbf, 0xbf,
133 0xc1, 0xc1, 0xc2, 0xc2, 0xc4, 0xc4, 0xc7, 0xc7,
134 0xc8, 0xc8, 0xcb, 0xcb, 0xcd, 0xcd, 0xce, 0xce,
135 0xd0, 0xd0, 0xd3, 0xd3, 0xd5, 0xd5, 0xd6, 0xd6,
136 0xd9, 0xd9, 0xda, 0xda, 0xdc, 0xdc, 0xdf, 0xdf,
137 0xe0, 0xe0, 0xe3, 0xe3, 0xe5, 0xe5, 0xe6, 0xe6,
138 0xe9, 0xe9, 0xea, 0xea, 0xec, 0xec, 0xef, 0xef,
139 0xf1, 0xf1, 0xf2, 0xf2, 0xf4, 0xf4, 0xf7, 0xf7,
140 0xf8, 0xf8, 0xfb, 0xfb, 0xfd, 0xfd, 0xfe, 0xfe
141 };
142
143 /*
144 * A corrected version of des_setparity (see bug 1149767).
145 */
146 void
des_setparity_g(des_block * p)147 des_setparity_g(des_block *p)
148 {
149 int i;
150
151 for (i = 0; i < 8; i++) {
152 (*p).c[i] = partab_g[(*p).c[i]];
153 }
154 }
155
156 /*
157 * Software encrypt or decrypt a block of data (multiple of 8 bytes)
158 * Do the CBC ourselves if needed.
159 */
160 int
__des_crypt(char * buf,unsigned len,struct desparams * desp)161 __des_crypt(char *buf, unsigned len, struct desparams *desp)
162 {
163 short i;
164 unsigned mode;
165 unsigned dir;
166 char nextiv[8];
167 struct deskeydata softkey;
168
169 mode = (unsigned)desp->des_mode;
170 dir = (unsigned)desp->des_dir;
171 (void) __des_setkey(desp->des_key, &softkey, dir);
172 while (len != 0) {
173 switch (mode) {
174 case CBC:
175 switch (dir) {
176 case ENCRYPT:
177 for (i = 0; i < 8; i++)
178 buf[i] ^= desp->des_ivec[i];
179 (void) __des_encrypt((uchar_t *)buf, &softkey);
180 for (i = 0; i < 8; i++)
181 desp->des_ivec[i] = buf[i];
182 break;
183 case DECRYPT:
184 for (i = 0; i < 8; i++)
185 nextiv[i] = buf[i];
186 (void) __des_encrypt((uchar_t *)buf, &softkey);
187 for (i = 0; i < 8; i++) {
188 buf[i] ^= desp->des_ivec[i];
189 desp->des_ivec[i] = nextiv[i];
190 }
191 break;
192 }
193 break;
194 case ECB:
195 (void) __des_encrypt((uchar_t *)buf, &softkey);
196 break;
197 }
198 buf += 8;
199 len -= 8;
200 }
201 return (1);
202 }
203
204
205 /*
206 * Set the key and direction for an encryption operation
207 * We build the 16 key entries here
208 */
209 static int
__des_setkey(uchar_t userkey[8],struct deskeydata * kd,unsigned dir)210 __des_setkey(uchar_t userkey[8], struct deskeydata *kd, unsigned dir)
211 {
212 int32_t C, D;
213 short i;
214
215 /*
216 * First, generate C and D by permuting
217 * the key. The low order bit of each
218 * 8-bit char is not used, so C and D are only 28
219 * bits apiece.
220 */
221 {
222 short bit;
223 const short *pcc = PC1_C, *pcd = PC1_D;
224
225 C = D = 0;
226 for (i = 0; i < 28; i++) {
227 C <<= 1;
228 D <<= 1;
229 bit = *pcc++;
230 if (btst(userkey, bit))
231 C |= 1;
232 bit = *pcd++;
233 if (btst(userkey, bit))
234 D |= 1;
235 }
236 }
237 /*
238 * To generate Ki, rotate C and D according
239 * to schedule and pick up a permutation
240 * using PC2.
241 */
242 for (i = 0; i < 16; i++) {
243 chunk_t *c;
244 short j, k, bit;
245 uint32_t bbit;
246
247 /*
248 * Do the "left shift" (rotate)
249 * We know we always rotate by either 1 or 2 bits
250 * the shifts table tells us if its 2
251 */
252 C <<= 1;
253 if (C & BIT28)
254 C |= 1;
255 D <<= 1;
256 if (D & BIT28)
257 D |= 1;
258 if (shifts[i]) {
259 C <<= 1;
260 if (C & BIT28)
261 C |= 1;
262 D <<= 1;
263 if (D & BIT28)
264 D |= 1;
265 }
266 /*
267 * get Ki. Note C and D are concatenated.
268 */
269 bit = 0;
270 switch (dir) {
271 case ENCRYPT:
272 c = &kd->keyval[i]; break;
273 case DECRYPT:
274 c = &kd->keyval[15 - i]; break;
275 }
276 c->long0 = 0;
277 c->long1 = 0;
278 bbit = (1 << 5) << 24;
279 for (j = 0; j < 4; j++) {
280 for (k = 0; k < 6; k++) {
281 if (C & (BIT28 >> PC2_C[bit]))
282 c->long0 |= bbit >> k;
283 if (D & (BIT28 >> PC2_D[bit]))
284 c->long1 |= bbit >> k;
285 bit++;
286 }
287 bbit >>= 8;
288 }
289
290 }
291 return (1);
292 }
293
294
295
296 /*
297 * Do an encryption operation
298 * Much pain is taken (with preprocessor) to avoid loops so the compiler
299 * can do address arithmetic instead of doing it at runtime.
300 * Note that the byte-to-chunk conversion is necessary to guarantee
301 * processor byte-order independence.
302 */
303 static int
__des_encrypt(uchar_t * data,struct deskeydata * kd)304 __des_encrypt(uchar_t *data, struct deskeydata *kd)
305 {
306 chunk_t work1, work2;
307
308 /*
309 * Initial permutation
310 * and byte to chunk conversion
311 */
312 {
313 const uint32_t *lp;
314 uint32_t l0, l1, w;
315 short i, pbit;
316
317 work1.byte0 = data[0];
318 work1.byte1 = data[1];
319 work1.byte2 = data[2];
320 work1.byte3 = data[3];
321 work1.byte4 = data[4];
322 work1.byte5 = data[5];
323 work1.byte6 = data[6];
324 work1.byte7 = data[7];
325 l0 = l1 = 0;
326 w = work1.long0;
327 for (lp = (uint32_t *)&longtab[0], i = 0; i < 32; i++) {
328 if (w & *lp++) {
329 pbit = IPtab[i];
330 if (pbit < 32)
331 l0 |= longtab[pbit];
332 else
333 l1 |= longtab[pbit-32];
334 }
335 }
336 w = work1.long1;
337 for (lp = (uint32_t *)&longtab[0], i = 32; i < 64; i++) {
338 if (w & *lp++) {
339 pbit = IPtab[i];
340 if (pbit < 32)
341 l0 |= longtab[pbit];
342 else
343 l1 |= longtab[pbit-32];
344 }
345 }
346 work2.long0 = l0;
347 work2.long1 = l1;
348 }
349
350 /*
351 * Expand 8 bits of 32 bit R to 48 bit R
352 */
353 #define do_R_to_ER(op, b) { \
354 const struct R_to_ER *p = &R_to_ER_tab[b][R.byte##b]; \
355 e0 op p->l0; \
356 e1 op p->l1; \
357 }
358
359 /*
360 * Inner part of the algorithm:
361 * Expand R from 32 to 48 bits; xor key value;
362 * apply S boxes; permute 32 bits of output
363 */
364 /* BEGIN CSTYLED */
365 #define do_F(iter, inR, outR) { \
366 chunk_t R, ER; \
367 uint32_t e0, e1; \
368 R.long0 = inR; \
369 do_R_to_ER(=, 0); \
370 do_R_to_ER(|=, 1); \
371 do_R_to_ER(|=, 2); \
372 do_R_to_ER(|=, 3); \
373 ER.long0 = e0 ^ kd->keyval[iter].long0; \
374 ER.long1 = e1 ^ kd->keyval[iter].long1; \
375 R.long0 = \
376 S_tab[0][ER.byte0] + \
377 S_tab[1][ER.byte1] + \
378 S_tab[2][ER.byte2] + \
379 S_tab[3][ER.byte3] + \
380 S_tab[4][ER.byte4] + \
381 S_tab[5][ER.byte5] + \
382 S_tab[6][ER.byte6] + \
383 S_tab[7][ER.byte7]; \
384 outR = \
385 P_tab[0][R.byte0] + \
386 P_tab[1][R.byte1] + \
387 P_tab[2][R.byte2] + \
388 P_tab[3][R.byte3]; \
389 }
390 /* END CSTYLED */
391
392 /*
393 * Do a cipher step
394 * Apply inner part; do xor and exchange of 32 bit parts
395 */
396 #define cipher(iter, inR, inL, outR, outL) { \
397 do_F(iter, inR, outR); \
398 outR ^= inL; \
399 outL = inR; \
400 }
401
402 /*
403 * Apply the 16 ciphering steps
404 */
405 {
406 uint32_t r0, l0, r1, l1;
407
408 l0 = work2.long0;
409 r0 = work2.long1;
410 cipher(0, r0, l0, r1, l1);
411 cipher(1, r1, l1, r0, l0);
412 cipher(2, r0, l0, r1, l1);
413 cipher(3, r1, l1, r0, l0);
414 cipher(4, r0, l0, r1, l1);
415 cipher(5, r1, l1, r0, l0);
416 cipher(6, r0, l0, r1, l1);
417 cipher(7, r1, l1, r0, l0);
418 cipher(8, r0, l0, r1, l1);
419 cipher(9, r1, l1, r0, l0);
420 cipher(10, r0, l0, r1, l1);
421 cipher(11, r1, l1, r0, l0);
422 cipher(12, r0, l0, r1, l1);
423 cipher(13, r1, l1, r0, l0);
424 cipher(14, r0, l0, r1, l1);
425 cipher(15, r1, l1, r0, l0);
426 work1.long0 = r0;
427 work1.long1 = l0;
428 }
429
430 /*
431 * Final permutation
432 * and chunk to byte conversion
433 */
434 {
435 uint32_t *lp;
436 uint32_t l0, l1, w;
437 short i, pbit;
438
439 l0 = l1 = 0;
440 w = work1.long0;
441 for (lp = (uint32_t *)&longtab[0], i = 0; i < 32; i++) {
442 if (w & *lp++) {
443 pbit = FPtab[i];
444 if (pbit < 32)
445 l0 |= longtab[pbit];
446 else
447 l1 |= longtab[pbit-32];
448 }
449 }
450 w = work1.long1;
451 for (lp = (uint32_t *)&longtab[0], i = 32; i < 64; i++) {
452 if (w & *lp++) {
453 pbit = FPtab[i];
454 if (pbit < 32)
455 l0 |= longtab[pbit];
456 else
457 l1 |= longtab[pbit-32];
458 }
459 }
460 work2.long0 = l0;
461 work2.long1 = l1;
462 }
463 data[0] = work2.byte0;
464 data[1] = work2.byte1;
465 data[2] = work2.byte2;
466 data[3] = work2.byte3;
467 data[4] = work2.byte4;
468 data[5] = work2.byte5;
469 data[6] = work2.byte6;
470 data[7] = work2.byte7;
471
472 return (1);
473 }
474