usr/src/lib/libnsl/des/des_soft.c

root/usr/src/lib/libnsl/des/des_soft.c
/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License, Version 1.0 only
 * (the "License").  You may not use this file except in compliance
 * with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */

/*
 * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

/* Copyright (c) 1984, 1986, 1987, 1988, 1989 AT&T */
/* All Rights Reserved */

/*
 * Portions of this source code were derived from Berkeley 4.3 BSD
 * under license from the Regents of the University of California.
 */

/*
 * Warning!  Things are arranged very carefully in this file to
 * allow read-only data to be moved to the text segment.  The
 * various DES tables must appear before any function definitions
 * (this is arranged by including them immediately below) and partab
 * must also appear before and function definitions
 * This arrangement allows all data up through the first text to
 * be moved to text.
 */

#include "mt.h"
#include <sys/types.h>
#include <des/softdes.h>
#include <des/desdata.h>
#ifdef sun
#include <sys/ioctl.h>
#include <sys/des.h>
#else
#include <des/des.h>
#endif
#include <rpcsvc/nis_dhext.h>

/*
 * Fast (?) software implementation of DES
 * Has been seen going at 2000 bytes/sec on a Sun-2
 * Works on a VAX too.
 * Won't work without 8 bit chars and 32 bit longs
 */

#define btst(k, b)      (k[b >> 3] & (0x80 >> (b & 07)))
#define BIT28   (1<<28)

static int      __des_encrypt(uchar_t *, struct deskeydata *);
static int      __des_setkey(uchar_t[8], struct deskeydata *, unsigned);


/*
 * Table giving odd parity in the low bit for ASCII characters
 */
const char partab[128] = {
        0x01, 0x01, 0x02, 0x02, 0x04, 0x04, 0x07, 0x07,
        0x08, 0x08, 0x0b, 0x0b, 0x0d, 0x0d, 0x0e, 0x0e,
        0x10, 0x10, 0x13, 0x13, 0x15, 0x15, 0x16, 0x16,
        0x19, 0x19, 0x1a, 0x1a, 0x1c, 0x1c, 0x1f, 0x1f,
        0x20, 0x20, 0x23, 0x23, 0x25, 0x25, 0x26, 0x26,
        0x29, 0x29, 0x2a, 0x2a, 0x2c, 0x2c, 0x2f, 0x2f,
        0x31, 0x31, 0x32, 0x32, 0x34, 0x34, 0x37, 0x37,
        0x38, 0x38, 0x3b, 0x3b, 0x3d, 0x3d, 0x3e, 0x3e,
        0x40, 0x40, 0x43, 0x43, 0x45, 0x45, 0x46, 0x46,
        0x49, 0x49, 0x4a, 0x4a, 0x4c, 0x4c, 0x4f, 0x4f,
        0x51, 0x51, 0x52, 0x52, 0x54, 0x54, 0x57, 0x57,
        0x58, 0x58, 0x5b, 0x5b, 0x5d, 0x5d, 0x5e, 0x5e,
        0x61, 0x61, 0x62, 0x62, 0x64, 0x64, 0x67, 0x67,
        0x68, 0x68, 0x6b, 0x6b, 0x6d, 0x6d, 0x6e, 0x6e,
        0x70, 0x70, 0x73, 0x73, 0x75, 0x75, 0x76, 0x76,
        0x79, 0x79, 0x7a, 0x7a, 0x7c, 0x7c, 0x7f, 0x7f,
};

/*
 * Add odd parity to low bit of 8 byte key
 */
void
des_setparity(char *p)
{
        int i;

        for (i = 0; i < 8; i++) {
                *p = partab[*p & 0x7f];
                p++;
        }
}

static const unsigned char partab_g[256] = {
        0x01, 0x01, 0x02, 0x02, 0x04, 0x04, 0x07, 0x07,
        0x08, 0x08, 0x0b, 0x0b, 0x0d, 0x0d, 0x0e, 0x0e,
        0x10, 0x10, 0x13, 0x13, 0x15, 0x15, 0x16, 0x16,
        0x19, 0x19, 0x1a, 0x1a, 0x1c, 0x1c, 0x1f, 0x1f,
        0x20, 0x20, 0x23, 0x23, 0x25, 0x25, 0x26, 0x26,
        0x29, 0x29, 0x2a, 0x2a, 0x2c, 0x2c, 0x2f, 0x2f,
        0x31, 0x31, 0x32, 0x32, 0x34, 0x34, 0x37, 0x37,
        0x38, 0x38, 0x3b, 0x3b, 0x3d, 0x3d, 0x3e, 0x3e,
        0x40, 0x40, 0x43, 0x43, 0x45, 0x45, 0x46, 0x46,
        0x49, 0x49, 0x4a, 0x4a, 0x4c, 0x4c, 0x4f, 0x4f,
        0x51, 0x51, 0x52, 0x52, 0x54, 0x54, 0x57, 0x57,
        0x58, 0x58, 0x5b, 0x5b, 0x5d, 0x5d, 0x5e, 0x5e,
        0x61, 0x61, 0x62, 0x62, 0x64, 0x64, 0x67, 0x67,
        0x68, 0x68, 0x6b, 0x6b, 0x6d, 0x6d, 0x6e, 0x6e,
        0x70, 0x70, 0x73, 0x73, 0x75, 0x75, 0x76, 0x76,
        0x79, 0x79, 0x7a, 0x7a, 0x7c, 0x7c, 0x7f, 0x7f,
        0x80, 0x80, 0x83, 0x83, 0x85, 0x85, 0x86, 0x86,
        0x89, 0x89, 0x8a, 0x8a, 0x8c, 0x8c, 0x8f, 0x8f,
        0x91, 0x91, 0x92, 0x92, 0x94, 0x94, 0x97, 0x97,
        0x98, 0x98, 0x9b, 0x9b, 0x9d, 0x9d, 0x9e, 0x9e,
        0xa1, 0xa1, 0xa2, 0xa2, 0xa4, 0xa4, 0xa7, 0xa7,
        0xa8, 0xa8, 0xab, 0xab, 0xad, 0xad, 0xae, 0xae,
        0xb0, 0xb0, 0xb3, 0xb3, 0xb5, 0xb5, 0xb6, 0xb6,
        0xb9, 0xb9, 0xba, 0xba, 0xbc, 0xbc, 0xbf, 0xbf,
        0xc1, 0xc1, 0xc2, 0xc2, 0xc4, 0xc4, 0xc7, 0xc7,
        0xc8, 0xc8, 0xcb, 0xcb, 0xcd, 0xcd, 0xce, 0xce,
        0xd0, 0xd0, 0xd3, 0xd3, 0xd5, 0xd5, 0xd6, 0xd6,
        0xd9, 0xd9, 0xda, 0xda, 0xdc, 0xdc, 0xdf, 0xdf,
        0xe0, 0xe0, 0xe3, 0xe3, 0xe5, 0xe5, 0xe6, 0xe6,
        0xe9, 0xe9, 0xea, 0xea, 0xec, 0xec, 0xef, 0xef,
        0xf1, 0xf1, 0xf2, 0xf2, 0xf4, 0xf4, 0xf7, 0xf7,
        0xf8, 0xf8, 0xfb, 0xfb, 0xfd, 0xfd, 0xfe, 0xfe
};

/*
 * A corrected version of des_setparity (see bug 1149767).
 */
void
des_setparity_g(des_block *p)
{
        int i;

        for (i = 0; i < 8; i++) {
                (*p).c[i] = partab_g[(*p).c[i]];
        }
}

/*
 * Software encrypt or decrypt a block of data (multiple of 8 bytes)
 * Do the CBC ourselves if needed.
 */
int
__des_crypt(char *buf, unsigned len, struct desparams *desp)
{
        short i;
        unsigned mode;
        unsigned dir;
        char nextiv[8];
        struct deskeydata softkey;

        mode = (unsigned)desp->des_mode;
        dir = (unsigned)desp->des_dir;
        (void) __des_setkey(desp->des_key, &softkey, dir);
        while (len != 0) {
                switch (mode) {
                case CBC:
                        switch (dir) {
                        case ENCRYPT:
                                for (i = 0; i < 8; i++)
                                        buf[i] ^= desp->des_ivec[i];
                                (void) __des_encrypt((uchar_t *)buf, &softkey);
                                for (i = 0; i < 8; i++)
                                        desp->des_ivec[i] = buf[i];
                                break;
                        case DECRYPT:
                                for (i = 0; i < 8; i++)
                                        nextiv[i] = buf[i];
                                (void) __des_encrypt((uchar_t *)buf, &softkey);
                                for (i = 0; i < 8; i++) {
                                        buf[i] ^= desp->des_ivec[i];
                                        desp->des_ivec[i] = nextiv[i];
                                }
                                break;
                        }
                        break;
                case ECB:
                        (void) __des_encrypt((uchar_t *)buf, &softkey);
                        break;
                }
                buf += 8;
                len -= 8;
        }
        return (1);
}


/*
 * Set the key and direction for an encryption operation
 * We build the 16 key entries here
 */
static int
__des_setkey(uchar_t userkey[8], struct deskeydata *kd, unsigned dir)
{
        int32_t C, D;
        short i;

        /*
         * First, generate C and D by permuting
         * the key. The low order bit of each
         * 8-bit char is not used, so C and D are only 28
         * bits apiece.
         */
        {
                short bit;
                const short *pcc = PC1_C, *pcd = PC1_D;

                C = D = 0;
                for (i = 0; i < 28; i++) {
                        C <<= 1;
                        D <<= 1;
                        bit = *pcc++;
                        if (btst(userkey, bit))
                                C |= 1;
                        bit = *pcd++;
                        if (btst(userkey, bit))
                                D |= 1;
                }
        }
        /*
         * To generate Ki, rotate C and D according
         * to schedule and pick up a permutation
         * using PC2.
         */
        for (i = 0; i < 16; i++) {
                chunk_t *c;
                short j, k, bit;
                uint32_t bbit;

                /*
                 * Do the "left shift" (rotate)
                 * We know we always rotate by either 1 or 2 bits
                 * the shifts table tells us if its 2
                 */
                C <<= 1;
                if (C & BIT28)
                        C |= 1;
                D <<= 1;
                if (D & BIT28)
                        D |= 1;
                if (shifts[i]) {
                        C <<= 1;
                        if (C & BIT28)
                                C |= 1;
                        D <<= 1;
                        if (D & BIT28)
                                D |= 1;
                }
                /*
                 * get Ki. Note C and D are concatenated.
                 */
                bit = 0;
                switch (dir) {
                case ENCRYPT:
                        c = &kd->keyval[i]; break;
                case DECRYPT:
                        c = &kd->keyval[15 - i]; break;
                }
                c->long0 = 0;
                c->long1 = 0;
                bbit = (1 << 5) << 24;
                for (j = 0; j < 4; j++) {
                        for (k = 0; k < 6; k++) {
                                if (C & (BIT28 >> PC2_C[bit]))
                                        c->long0 |= bbit >> k;
                                if (D & (BIT28 >> PC2_D[bit]))
                                        c->long1 |= bbit >> k;
                                bit++;
                        }
                        bbit >>= 8;
                }

        }
        return (1);
}



/*
 * Do an encryption operation
 * Much pain is taken (with preprocessor) to avoid loops so the compiler
 * can do address arithmetic instead of doing it at runtime.
 * Note that the byte-to-chunk conversion is necessary to guarantee
 * processor byte-order independence.
 */
static int
__des_encrypt(uchar_t *data, struct deskeydata *kd)
{
        chunk_t work1, work2;

        /*
         * Initial permutation
         * and byte to chunk conversion
         */
        {
                const uint32_t *lp;
                uint32_t l0, l1, w;
                short i, pbit;

                work1.byte0 = data[0];
                work1.byte1 = data[1];
                work1.byte2 = data[2];
                work1.byte3 = data[3];
                work1.byte4 = data[4];
                work1.byte5 = data[5];
                work1.byte6 = data[6];
                work1.byte7 = data[7];
                l0 = l1 = 0;
                w = work1.long0;
                for (lp = (uint32_t *)&longtab[0], i = 0; i < 32; i++) {
                        if (w & *lp++) {
                                pbit = IPtab[i];
                                if (pbit < 32)
                                        l0 |= longtab[pbit];
                                else
                                        l1 |= longtab[pbit-32];
                        }
                }
                w = work1.long1;
                for (lp = (uint32_t *)&longtab[0], i = 32; i < 64; i++) {
                        if (w & *lp++) {
                                pbit = IPtab[i];
                                if (pbit < 32)
                                        l0 |= longtab[pbit];
                                else
                                        l1 |= longtab[pbit-32];
                        }
                }
                work2.long0 = l0;
                work2.long1 = l1;
        }

/*
 * Expand 8 bits of 32 bit R to 48 bit R
 */
#define do_R_to_ER(op, b)       {                       \
        const struct R_to_ER *p = &R_to_ER_tab[b][R.byte##b];   \
        e0 op p->l0;                            \
        e1 op p->l1;                            \
}

/*
 * Inner part of the algorithm:
 * Expand R from 32 to 48 bits; xor key value;
 * apply S boxes; permute 32 bits of output
 */
/* BEGIN CSTYLED */
#define do_F(iter, inR, outR)   {                       \
        chunk_t R, ER;                                  \
        uint32_t e0, e1;                                \
        R.long0 = inR;                                  \
        do_R_to_ER(=, 0);                               \
        do_R_to_ER(|=, 1);                              \
        do_R_to_ER(|=, 2);                              \
        do_R_to_ER(|=, 3);                              \
        ER.long0 = e0 ^ kd->keyval[iter].long0;         \
        ER.long1 = e1 ^ kd->keyval[iter].long1;         \
        R.long0 =                                       \
                S_tab[0][ER.byte0] +                    \
                S_tab[1][ER.byte1] +                    \
                S_tab[2][ER.byte2] +                    \
                S_tab[3][ER.byte3] +                    \
                S_tab[4][ER.byte4] +                    \
                S_tab[5][ER.byte5] +                    \
                S_tab[6][ER.byte6] +                    \
                S_tab[7][ER.byte7];                     \
        outR =                                          \
                P_tab[0][R.byte0] +                     \
                P_tab[1][R.byte1] +                     \
                P_tab[2][R.byte2] +                     \
                P_tab[3][R.byte3];                      \
}
/* END CSTYLED */

/*
 * Do a cipher step
 * Apply inner part; do xor and exchange of 32 bit parts
 */
#define cipher(iter, inR, inL, outR, outL)      {       \
        do_F(iter, inR, outR);                          \
        outR ^= inL;                                    \
        outL = inR;                                     \
}

        /*
         * Apply the 16 ciphering steps
         */
        {
                uint32_t r0, l0, r1, l1;

                l0 = work2.long0;
                r0 = work2.long1;
                cipher(0, r0, l0, r1, l1);
                cipher(1, r1, l1, r0, l0);
                cipher(2, r0, l0, r1, l1);
                cipher(3, r1, l1, r0, l0);
                cipher(4, r0, l0, r1, l1);
                cipher(5, r1, l1, r0, l0);
                cipher(6, r0, l0, r1, l1);
                cipher(7, r1, l1, r0, l0);
                cipher(8, r0, l0, r1, l1);
                cipher(9, r1, l1, r0, l0);
                cipher(10, r0, l0, r1, l1);
                cipher(11, r1, l1, r0, l0);
                cipher(12, r0, l0, r1, l1);
                cipher(13, r1, l1, r0, l0);
                cipher(14, r0, l0, r1, l1);
                cipher(15, r1, l1, r0, l0);
                work1.long0 = r0;
                work1.long1 = l0;
        }

        /*
         * Final permutation
         * and chunk to byte conversion
         */
        {
                uint32_t *lp;
                uint32_t l0, l1, w;
                short i, pbit;

                l0 = l1 = 0;
                w = work1.long0;
                for (lp = (uint32_t *)&longtab[0], i = 0; i < 32; i++) {
                        if (w & *lp++) {
                                pbit = FPtab[i];
                                if (pbit < 32)
                                        l0 |= longtab[pbit];
                                else
                                        l1 |= longtab[pbit-32];
                        }
                }
                w = work1.long1;
                for (lp = (uint32_t *)&longtab[0], i = 32; i < 64; i++) {
                        if (w & *lp++) {
                                pbit = FPtab[i];
                                if (pbit < 32)
                                        l0 |= longtab[pbit];
                                else
                                        l1 |= longtab[pbit-32];
                        }
                }
                work2.long0 = l0;
                work2.long1 = l1;
        }
        data[0] = work2.byte0;
        data[1] = work2.byte1;
        data[2] = work2.byte2;
        data[3] = work2.byte3;
        data[4] = work2.byte4;
        data[5] = work2.byte5;
        data[6] = work2.byte6;
        data[7] = work2.byte7;

        return (1);
}
Illumos
