6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
24 */
25
26 #pragma ident "%Z%%M% %I% %E% SMI"
27
28 #include <sys/types.h>
29 #include <sys/systm.h>
30 #include <sys/ddi.h>
31 #include <sys/sysmacros.h>
32 #include <sys/strsun.h>
33 #include <sys/crypto/spi.h>
34 #include <modes/modes.h>
35 #include <sys/crypto/common.h>
36 #include "des_impl.h"
37 #ifndef _KERNEL
38 #include <strings.h>
39 #include <stdlib.h>
40 #endif /* !_KERNEL */
41
42 /* EXPORT DELETE START */
43
44 typedef struct keysched_s {
45 uint64_t ksch_encrypt[16];
46 uint64_t ksch_decrypt[16];
47 } keysched_t;
48
49 typedef struct keysched3_s {
50 uint64_t ksch_encrypt[48];
51 uint64_t ksch_decrypt[48];
52 } keysched3_t;
53
54 static void fix_des_parity(uint64_t *);
55
56 #ifndef sun4u
57
58 static const uint64_t sbox_table[8][64]=
59 {
60 /* BEGIN CSTYLED */
61 {
501 /* EXPORT DELETE END */
502
503 int
504 des3_crunch_block(const void *cookie, const uint8_t block[DES_BLOCK_LEN],
505 uint8_t out_block[DES_BLOCK_LEN], boolean_t decrypt)
506 {
507 /* EXPORT DELETE START */
508 keysched3_t *ksch = (keysched3_t *)cookie;
509
510 /*
511 * The code below, that is always executed on LITTLE_ENDIAN machines,
512 * reverses bytes in the block. On BIG_ENDIAN, the same code
513 * copies the block without reversing bytes.
514 */
515 #ifdef _BIG_ENDIAN
516 if (IS_P2ALIGNED(block, sizeof (uint64_t)) &&
517 IS_P2ALIGNED(out_block, sizeof (uint64_t))) {
518 if (decrypt == B_TRUE)
519 /* LINTED */
520 *(uint64_t *)out_block = des_crypt_impl(
521 ksch->ksch_decrypt,
522 /* LINTED */
523 *(uint64_t *)block, 3);
524 else
525 /* LINTED */
526 *(uint64_t *)out_block = des_crypt_impl(
527 ksch->ksch_encrypt,
528 /* LINTED */
529 *(uint64_t *)block, 3);
530 } else {
531 #endif
532 uint64_t tmp;
533
534 tmp = (((uint64_t)block[0] << 56) | ((uint64_t)block[1] << 48) |
535 ((uint64_t)block[2] << 40) | ((uint64_t)block[3] << 32) |
536 ((uint64_t)block[4] << 24) | ((uint64_t)block[5] << 16) |
537 ((uint64_t)block[6] << 8) | (uint64_t)block[7]);
538
539 if (decrypt == B_TRUE)
540 tmp = des_crypt_impl(ksch->ksch_decrypt, tmp, 3);
541 else
542 tmp = des_crypt_impl(ksch->ksch_encrypt, tmp, 3);
543
544 out_block[0] = tmp >> 56;
545 out_block[1] = tmp >> 48;
546 out_block[2] = tmp >> 40;
547 out_block[3] = tmp >> 32;
548 out_block[4] = tmp >> 24;
549 out_block[5] = tmp >> 16;
550 out_block[6] = tmp >> 8;
551 out_block[7] = (uint8_t)tmp;
552 #ifdef _BIG_ENDIAN
553 }
554 #endif
555 /* EXPORT DELETE END */
556 return (CRYPTO_SUCCESS);
557 }
558
559 int
560 des_crunch_block(const void *cookie, const uint8_t block[DES_BLOCK_LEN],
561 uint8_t out_block[DES_BLOCK_LEN], boolean_t decrypt)
562 {
563 /* EXPORT DELETE START */
564 keysched_t *ksch = (keysched_t *)cookie;
565
566 /*
567 * The code below, that is always executed on LITTLE_ENDIAN machines,
568 * reverses bytes in the block. On BIG_ENDIAN, the same code
569 * copies the block without reversing bytes.
570 */
571 #ifdef _BIG_ENDIAN
572 if (IS_P2ALIGNED(block, sizeof (uint64_t)) &&
573 IS_P2ALIGNED(out_block, sizeof (uint64_t))) {
574 if (decrypt == B_TRUE)
575 /* LINTED */
576 *(uint64_t *)out_block = des_crypt_impl(
577 ksch->ksch_decrypt,
578 /* LINTED */
579 *(uint64_t *)block, 1);
580 else
581 /* LINTED */
582 *(uint64_t *)out_block = des_crypt_impl(
583 ksch->ksch_encrypt,
584 /* LINTED */
585 *(uint64_t *)block, 1);
586
587 } else {
588 #endif
589 uint64_t tmp;
590
591 tmp = (((uint64_t)block[0] << 56) | ((uint64_t)block[1] << 48) |
592 ((uint64_t)block[2] << 40) | ((uint64_t)block[3] << 32) |
593 ((uint64_t)block[4] << 24) | ((uint64_t)block[5] << 16) |
594 ((uint64_t)block[6] << 8) | (uint64_t)block[7]);
595
596 if (decrypt == B_TRUE)
597 tmp = des_crypt_impl(ksch->ksch_decrypt, tmp, 1);
598 else
599 tmp = des_crypt_impl(ksch->ksch_encrypt, tmp, 1);
600
601 out_block[0] = tmp >> 56;
602 out_block[1] = tmp >> 48;
603 out_block[2] = tmp >> 40;
604 out_block[3] = tmp >> 32;
605 out_block[4] = tmp >> 24;
606 out_block[5] = tmp >> 16;
607 out_block[6] = tmp >> 8;
608 out_block[7] = (uint8_t)tmp;
609 #ifdef _BIG_ENDIAN
610 }
611 #endif
612 /* EXPORT DELETE END */
613 return (CRYPTO_SUCCESS);
614 }
615
616 static boolean_t
617 keycheck(uint8_t *key, uint8_t *corrected_key)
618 {
619 /* EXPORT DELETE START */
620 uint64_t key_so_far;
621 uint_t i;
622 /*
623 * Table of weak and semi-weak keys. Fortunately, weak keys are
624 * endian-independent, and some semi-weak keys can be paired up in
625 * endian-opposite order. Since keys are stored as uint64_t's,
626 * use the ifdef _LITTLE_ENDIAN where appropriate.
627 */
628 static uint64_t des_weak_keys[] = {
629 /* Really weak keys. Byte-order independent values. */
630 0x0101010101010101ULL,
631 0x1f1f1f1f0e0e0e0eULL,
633 0xfefefefefefefefeULL,
634
635 /* Semi-weak (and a few possibly-weak) keys. */
636
637 /* Byte-order independent semi-weak keys. */
638 0x01fe01fe01fe01feULL, 0xfe01fe01fe01fe01ULL,
639
640 /* Byte-order dependent semi-weak keys. */
641 #ifdef _LITTLE_ENDIAN
642 0xf10ef10ee01fe01fULL, 0x0ef10ef11fe01fe0ULL,
643 0x01f101f101e001e0ULL, 0xf101f101e001e001ULL,
644 0x0efe0efe1ffe1ffeULL, 0xfe0efe0efe1ffe1fULL,
645 0x010e010e011f011fULL, 0x0e010e011f011f01ULL,
646 0xf1fef1fee0fee0feULL, 0xfef1fef1fee0fee0ULL,
647 #else /* Big endian */
648 0x1fe01fe00ef10ef1ULL, 0xe01fe01ff10ef10eULL,
649 0x01e001e001f101f1ULL, 0xe001e001f101f101ULL,
650 0x1ffe1ffe0efe0efeULL, 0xfe1ffe1ffe0efe0eULL,
651 0x011f011f010e010eULL, 0x1f011f010e010e01ULL,
652 0xe0fee0fef1fef1feULL, 0xfee0fee0fef1fef1ULL,
653 #endif
654
655 /* We'll save the other possibly-weak keys for the future. */
656 };
657
658 if (key == NULL)
659 return (B_FALSE);
660
661 /*
662 * The code below reverses the bytes on LITTLE_ENDIAN machines.
663 * On BIG_ENDIAN, the same code copies without reversing
664 * the bytes.
665 */
666 key_so_far = (((uint64_t)key[0] << 56) | ((uint64_t)key[1] << 48) |
667 ((uint64_t)key[2] << 40) | ((uint64_t)key[3] << 32) |
668 ((uint64_t)key[4] << 24) | ((uint64_t)key[5] << 16) |
669 ((uint64_t)key[6] << 8) | (uint64_t)key[7]);
670
671 /*
672 * Fix parity.
673 */
674 fix_des_parity(&key_so_far);
675
676 /* Do weak key check itself. */
677 for (i = 0; i < (sizeof (des_weak_keys) / sizeof (uint64_t)); i++)
678 if (key_so_far == des_weak_keys[i]) {
679 return (B_FALSE);
680 }
681
682 if (corrected_key != NULL) {
683 /*
684 * The code below reverses the bytes on LITTLE_ENDIAN machines.
685 * On BIG_ENDIAN, the same code copies without reversing
686 * the bytes.
687 */
688 corrected_key[0] = key_so_far >> 56;
689 corrected_key[1] = key_so_far >> 48;
690 corrected_key[2] = key_so_far >> 40;
691 corrected_key[3] = key_so_far >> 32;
692 corrected_key[4] = key_so_far >> 24;
693 corrected_key[5] = key_so_far >> 16;
694 corrected_key[6] = key_so_far >> 8;
695 corrected_key[7] = (uint8_t)key_so_far;
696 }
697 /* EXPORT DELETE END */
698 return (B_TRUE);
699 }
700
701 static boolean_t
702 des3_keycheck(uint8_t *key, uint8_t *corrected_key)
703 {
704 /* EXPORT DELETE START */
705 uint64_t aligned_key[DES3_KEYSIZE / sizeof (uint64_t)];
706 uint64_t key_so_far, scratch, *currentkey;
707 uint_t j, num_weakkeys = 0;
708
709 if (key == NULL) {
710 return (B_FALSE);
711 }
712
713 if (!IS_P2ALIGNED(key, sizeof (uint64_t))) {
714 bcopy(key, aligned_key, DES3_KEYSIZE);
715 currentkey = (uint64_t *)aligned_key;
726 return (B_FALSE);
727 }
728 /*
729 * We found a weak key, but since
730 * we've only found one weak key,
731 * we can not reject the whole 3DES
732 * set of keys as weak.
733 *
734 * Break from the weak key loop
735 * (since this DES key is weak) and
736 * continue on.
737 */
738 }
739
740 currentkey[j] = scratch;
741 }
742
743 /*
744 * Perform key equivalence checks, now that parity is properly set.
745 * 1st and 2nd keys must be unique, the 3rd key can be the same as
746 * the 1st key for the 2 key varient of 3DES.
747 */
748 if (currentkey[0] == currentkey[1] || currentkey[1] == currentkey[2])
749 return (B_FALSE);
750
751 if (corrected_key != NULL) {
752 bcopy(currentkey, corrected_key, DES3_KEYSIZE);
753 }
754
755 /* EXPORT DELETE END */
756 return (B_TRUE);
757 }
758
759 boolean_t
760 des_keycheck(uint8_t *key, des_strength_t strength, uint8_t *corrected_key)
761 {
762 if (strength == DES) {
763 return (keycheck(key, corrected_key));
764 } else if (strength == DES3) {
765 return (des3_keycheck(key, corrected_key));
766 } else {
768 }
769 }
770
771 void
772 des_parity_fix(uint8_t *key, des_strength_t strength, uint8_t *corrected_key)
773 {
774 /* EXPORT DELETE START */
775 uint64_t aligned_key[DES3_KEYSIZE / sizeof (uint64_t)];
776 uint8_t *paritied_key;
777 uint64_t key_so_far;
778 int i = 0, offset = 0;
779
780 if (strength == DES)
781 bcopy(key, aligned_key, DES_KEYSIZE);
782 else
783 bcopy(key, aligned_key, DES3_KEYSIZE);
784
785 paritied_key = (uint8_t *)aligned_key;
786 while (strength > i) {
787 offset = 8 * i;
788 key_so_far = (((uint64_t)paritied_key[offset + 0] << 56) |
789 ((uint64_t)paritied_key[offset + 1] << 48) |
790 ((uint64_t)paritied_key[offset + 2] << 40) |
791 ((uint64_t)paritied_key[offset + 3] << 32) |
792 ((uint64_t)paritied_key[offset + 4] << 24) |
793 ((uint64_t)paritied_key[offset + 5] << 16) |
794 ((uint64_t)paritied_key[offset + 6] << 8) |
795 (uint64_t)paritied_key[offset + 7]);
796
797 fix_des_parity(&key_so_far);
798
799 paritied_key[offset + 0] = key_so_far >> 56;
800 paritied_key[offset + 1] = key_so_far >> 48;
801 paritied_key[offset + 2] = key_so_far >> 40;
802 paritied_key[offset + 3] = key_so_far >> 32;
803 paritied_key[offset + 4] = key_so_far >> 24;
804 paritied_key[offset + 5] = key_so_far >> 16;
805 paritied_key[offset + 6] = key_so_far >> 8;
806 paritied_key[offset + 7] = (uint8_t)key_so_far;
807
808 i++;
809 }
810
811 bcopy(paritied_key, corrected_key, DES_KEYSIZE * strength);
812 /* EXPORT DELETE END */
813 }
814
815
816 /*
817 * Initialize key schedule for DES, DES2, and DES3
818 */
819 void
820 des_init_keysched(uint8_t *cipherKey, des_strength_t strength, void *ks)
821 {
822 /* EXPORT DELETE START */
823 uint64_t *encryption_ks;
824 uint64_t *decryption_ks;
825 uint64_t keysched[48];
826 uint64_t key_uint64[3];
838 encryption_ks = ((keysched3_t *)ks)->ksch_encrypt;
839 decryption_ks = ((keysched3_t *)ks)->ksch_decrypt;
840 break;
841 case DES3:
842 keysize = DES3_KEYSIZE;
843 encryption_ks = ((keysched3_t *)ks)->ksch_encrypt;
844 decryption_ks = ((keysched3_t *)ks)->ksch_decrypt;
845 }
846
847 /*
848 * The code below, that is always executed on LITTLE_ENDIAN machines,
849 * reverses every 8 bytes in the key. On BIG_ENDIAN, the same code
850 * copies the key without reversing bytes.
851 */
852 #ifdef _BIG_ENDIAN
853 if (IS_P2ALIGNED(cipherKey, sizeof (uint64_t))) {
854 for (i = 0, j = 0; j < keysize; i++, j += 8) {
855 /* LINTED: pointer alignment */
856 key_uint64[i] = *((uint64_t *)&cipherKey[j]);
857 }
858 } else {
859 #endif
860 {
861 for (i = 0, j = 0; j < keysize; i++, j += 8) {
862 key_uint64[i] = (((uint64_t)cipherKey[j] << 56) |
863 ((uint64_t)cipherKey[j + 1] << 48) |
864 ((uint64_t)cipherKey[j + 2] << 40) |
865 ((uint64_t)cipherKey[j + 3] << 32) |
866 ((uint64_t)cipherKey[j + 4] << 24) |
867 ((uint64_t)cipherKey[j + 5] << 16) |
868 ((uint64_t)cipherKey[j + 6] << 8) |
869 (uint64_t)cipherKey[j + 7]);
870 }
871 }
872 #ifdef _BIG_ENDIAN
873 }
874 #endif
875
876 switch (strength) {
877 case DES:
878 des_ks(keysched, key_uint64[0]);
879 break;
880
881 case DES2:
882 /* DES2 is just DES3 with the first and third keys the same */
883 bcopy(key_uint64, key_uint64 + 2, DES_KEYSIZE);
884 /* FALLTHRU */
885 case DES3:
886 des_ks(keysched, key_uint64[0]);
887 des_ks(keysched + 16, key_uint64[1]);
888 for (i = 0; i < 8; i++) {
889 tmp = keysched[16+i];
890 keysched[16+i] = keysched[31-i];
891 keysched[31-i] = tmp;
892 }
893 des_ks(keysched+32, key_uint64[2]);
894 keysize = DES3_KEYSIZE;
934 #ifdef _KERNEL
935 keysched = (keysched_t *)kmem_alloc(size, kmflag);
936 #else /* !_KERNEL */
937 keysched = (keysched_t *)malloc(size);
938 #endif /* _KERNEL */
939
940 if (keysched == NULL)
941 return (NULL);
942
943 if (keysched_size != NULL)
944 *keysched_size = size;
945
946 /* EXPORT DELETE END */
947
948 return (keysched);
949 }
950
951 /*
952 * Replace the LSB of each byte by the xor of the other
953 * 7 bits. The tricky thing is that the original contents of the LSBs
954 * are nullifed by including them twice in the xor computation.
955 */
956 static void
957 fix_des_parity(uint64_t *keyp)
958 {
959 /* EXPORT DELETE START */
960 uint64_t k = *keyp;
961 k ^= k >> 1;
962 k ^= k >> 2;
963 k ^= k >> 4;
964 *keyp ^= (k & 0x0101010101010101ULL);
965 *keyp ^= 0x0101010101010101ULL;
966 /* EXPORT DELETE END */
967 }
968
969 void
970 des_copy_block(uint8_t *in, uint8_t *out)
971 {
972 if (IS_P2ALIGNED(in, sizeof (uint32_t)) &&
973 IS_P2ALIGNED(out, sizeof (uint32_t))) {
974 /* LINTED: pointer alignment */
|
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
24 */
25
26 #include <sys/types.h>
27 #include <sys/systm.h>
28 #include <sys/ddi.h>
29 #include <sys/sysmacros.h>
30 #include <sys/strsun.h>
31 #include <sys/crypto/spi.h>
32 #include <modes/modes.h>
33 #include <sys/crypto/common.h>
34 #include "des_impl.h"
35 #ifndef _KERNEL
36 #include <strings.h>
37 #include <stdlib.h>
38 #endif /* !_KERNEL */
39
40 #if defined(__i386) || defined(__amd64)
41 #include <sys/byteorder.h>
42 #define UNALIGNED_POINTERS_PERMITTED
43 #endif
44
45 /* EXPORT DELETE START */
46
47 typedef struct keysched_s {
48 uint64_t ksch_encrypt[16];
49 uint64_t ksch_decrypt[16];
50 } keysched_t;
51
52 typedef struct keysched3_s {
53 uint64_t ksch_encrypt[48];
54 uint64_t ksch_decrypt[48];
55 } keysched3_t;
56
57 static void fix_des_parity(uint64_t *);
58
59 #ifndef sun4u
60
61 static const uint64_t sbox_table[8][64]=
62 {
63 /* BEGIN CSTYLED */
64 {
504 /* EXPORT DELETE END */
505
506 int
507 des3_crunch_block(const void *cookie, const uint8_t block[DES_BLOCK_LEN],
508 uint8_t out_block[DES_BLOCK_LEN], boolean_t decrypt)
509 {
510 /* EXPORT DELETE START */
511 keysched3_t *ksch = (keysched3_t *)cookie;
512
513 /*
514 * The code below, that is always executed on LITTLE_ENDIAN machines,
515 * reverses bytes in the block. On BIG_ENDIAN, the same code
516 * copies the block without reversing bytes.
517 */
518 #ifdef _BIG_ENDIAN
519 if (IS_P2ALIGNED(block, sizeof (uint64_t)) &&
520 IS_P2ALIGNED(out_block, sizeof (uint64_t))) {
521 if (decrypt == B_TRUE)
522 /* LINTED */
523 *(uint64_t *)out_block = des_crypt_impl(
524 ksch->ksch_decrypt, /* LINTED */
525 *(uint64_t *)block, 3);
526 else
527 /* LINTED */
528 *(uint64_t *)out_block = des_crypt_impl(
529 ksch->ksch_encrypt, /* LINTED */
530 *(uint64_t *)block, 3);
531 } else
532 #endif /* _BIG_ENDIAN */
533 {
534 uint64_t tmp;
535
536 #ifdef UNALIGNED_POINTERS_PERMITTED
537 tmp = htonll(*(uint64_t *)&block[0]);
538 #else
539 tmp = (((uint64_t)block[0] << 56) | ((uint64_t)block[1] << 48) |
540 ((uint64_t)block[2] << 40) | ((uint64_t)block[3] << 32) |
541 ((uint64_t)block[4] << 24) | ((uint64_t)block[5] << 16) |
542 ((uint64_t)block[6] << 8) | (uint64_t)block[7]);
543 #endif /* UNALIGNED_POINTERS_PERMITTED */
544
545 if (decrypt == B_TRUE)
546 tmp = des_crypt_impl(ksch->ksch_decrypt, tmp, 3);
547 else
548 tmp = des_crypt_impl(ksch->ksch_encrypt, tmp, 3);
549
550 #ifdef UNALIGNED_POINTERS_PERMITTED
551 *(uint64_t *)&out_block[0] = htonll(tmp);
552 #else
553 out_block[0] = tmp >> 56;
554 out_block[1] = tmp >> 48;
555 out_block[2] = tmp >> 40;
556 out_block[3] = tmp >> 32;
557 out_block[4] = tmp >> 24;
558 out_block[5] = tmp >> 16;
559 out_block[6] = tmp >> 8;
560 out_block[7] = (uint8_t)tmp;
561 #endif /* UNALIGNED_POINTERS_PERMITTED */
562 }
563 /* EXPORT DELETE END */
564 return (CRYPTO_SUCCESS);
565 }
566
567 int
568 des_crunch_block(const void *cookie, const uint8_t block[DES_BLOCK_LEN],
569 uint8_t out_block[DES_BLOCK_LEN], boolean_t decrypt)
570 {
571 /* EXPORT DELETE START */
572 keysched_t *ksch = (keysched_t *)cookie;
573
574 /*
575 * The code below, that is always executed on LITTLE_ENDIAN machines,
576 * reverses bytes in the block. On BIG_ENDIAN, the same code
577 * copies the block without reversing bytes.
578 */
579 #ifdef _BIG_ENDIAN
580 if (IS_P2ALIGNED(block, sizeof (uint64_t)) &&
581 IS_P2ALIGNED(out_block, sizeof (uint64_t))) {
582 if (decrypt == B_TRUE)
583 /* LINTED */
584 *(uint64_t *)out_block = des_crypt_impl(
585 ksch->ksch_decrypt, /* LINTED */
586 *(uint64_t *)block, 1);
587 else
588 /* LINTED */
589 *(uint64_t *)out_block = des_crypt_impl(
590 ksch->ksch_encrypt, /* LINTED */
591 *(uint64_t *)block, 1);
592
593 } else
594 #endif /* _BIG_ENDIAN */
595 {
596 uint64_t tmp;
597
598 #ifdef UNALIGNED_POINTERS_PERMITTED
599 tmp = htonll(*(uint64_t *)&block[0]);
600 #else
601 tmp = (((uint64_t)block[0] << 56) | ((uint64_t)block[1] << 48) |
602 ((uint64_t)block[2] << 40) | ((uint64_t)block[3] << 32) |
603 ((uint64_t)block[4] << 24) | ((uint64_t)block[5] << 16) |
604 ((uint64_t)block[6] << 8) | (uint64_t)block[7]);
605 #endif /* UNALIGNED_POINTERS_PERMITTED */
606
607
608 if (decrypt == B_TRUE)
609 tmp = des_crypt_impl(ksch->ksch_decrypt, tmp, 1);
610 else
611 tmp = des_crypt_impl(ksch->ksch_encrypt, tmp, 1);
612
613 #ifdef UNALIGNED_POINTERS_PERMITTED
614 *(uint64_t *)&out_block[0] = htonll(tmp);
615 #else
616 out_block[0] = tmp >> 56;
617 out_block[1] = tmp >> 48;
618 out_block[2] = tmp >> 40;
619 out_block[3] = tmp >> 32;
620 out_block[4] = tmp >> 24;
621 out_block[5] = tmp >> 16;
622 out_block[6] = tmp >> 8;
623 out_block[7] = (uint8_t)tmp;
624 #endif /* UNALIGNED_POINTERS_PERMITTED */
625 }
626 /* EXPORT DELETE END */
627 return (CRYPTO_SUCCESS);
628 }
629
630 static boolean_t
631 keycheck(uint8_t *key, uint8_t *corrected_key)
632 {
633 /* EXPORT DELETE START */
634 uint64_t key_so_far;
635 uint_t i;
636 /*
637 * Table of weak and semi-weak keys. Fortunately, weak keys are
638 * endian-independent, and some semi-weak keys can be paired up in
639 * endian-opposite order. Since keys are stored as uint64_t's,
640 * use the ifdef _LITTLE_ENDIAN where appropriate.
641 */
642 static uint64_t des_weak_keys[] = {
643 /* Really weak keys. Byte-order independent values. */
644 0x0101010101010101ULL,
645 0x1f1f1f1f0e0e0e0eULL,
647 0xfefefefefefefefeULL,
648
649 /* Semi-weak (and a few possibly-weak) keys. */
650
651 /* Byte-order independent semi-weak keys. */
652 0x01fe01fe01fe01feULL, 0xfe01fe01fe01fe01ULL,
653
654 /* Byte-order dependent semi-weak keys. */
655 #ifdef _LITTLE_ENDIAN
656 0xf10ef10ee01fe01fULL, 0x0ef10ef11fe01fe0ULL,
657 0x01f101f101e001e0ULL, 0xf101f101e001e001ULL,
658 0x0efe0efe1ffe1ffeULL, 0xfe0efe0efe1ffe1fULL,
659 0x010e010e011f011fULL, 0x0e010e011f011f01ULL,
660 0xf1fef1fee0fee0feULL, 0xfef1fef1fee0fee0ULL,
661 #else /* Big endian */
662 0x1fe01fe00ef10ef1ULL, 0xe01fe01ff10ef10eULL,
663 0x01e001e001f101f1ULL, 0xe001e001f101f101ULL,
664 0x1ffe1ffe0efe0efeULL, 0xfe1ffe1ffe0efe0eULL,
665 0x011f011f010e010eULL, 0x1f011f010e010e01ULL,
666 0xe0fee0fef1fef1feULL, 0xfee0fee0fef1fef1ULL,
667 #endif /* _LITTLE_ENDIAN */
668
669 /* We'll save the other possibly-weak keys for the future. */
670 };
671
672 if (key == NULL)
673 return (B_FALSE);
674
675 #ifdef UNALIGNED_POINTERS_PERMITTED
676 key_so_far = htonll(*(uint64_t *)&key[0]);
677 #else
678 /*
679 * The code below reverses the bytes on LITTLE_ENDIAN machines.
680 * On BIG_ENDIAN, the same code copies without reversing
681 * the bytes.
682 */
683 key_so_far = (((uint64_t)key[0] << 56) | ((uint64_t)key[1] << 48) |
684 ((uint64_t)key[2] << 40) | ((uint64_t)key[3] << 32) |
685 ((uint64_t)key[4] << 24) | ((uint64_t)key[5] << 16) |
686 ((uint64_t)key[6] << 8) | (uint64_t)key[7]);
687 #endif /* UNALIGNED_POINTERS_PERMITTED */
688
689 /*
690 * Fix parity.
691 */
692 fix_des_parity(&key_so_far);
693
694 /* Do weak key check itself. */
695 for (i = 0; i < (sizeof (des_weak_keys) / sizeof (uint64_t)); i++)
696 if (key_so_far == des_weak_keys[i]) {
697 return (B_FALSE);
698 }
699
700 if (corrected_key != NULL) {
701 #ifdef UNALIGNED_POINTERS_PERMITTED
702 *(uint64_t *)&corrected_key[0] = htonll(key_so_far);
703 #else
704 /*
705 * The code below reverses the bytes on LITTLE_ENDIAN machines.
706 * On BIG_ENDIAN, the same code copies without reversing
707 * the bytes.
708 */
709 corrected_key[0] = key_so_far >> 56;
710 corrected_key[1] = key_so_far >> 48;
711 corrected_key[2] = key_so_far >> 40;
712 corrected_key[3] = key_so_far >> 32;
713 corrected_key[4] = key_so_far >> 24;
714 corrected_key[5] = key_so_far >> 16;
715 corrected_key[6] = key_so_far >> 8;
716 corrected_key[7] = (uint8_t)key_so_far;
717 #endif /* UNALIGNED_POINTERS_PERMITTED */
718 }
719 /* EXPORT DELETE END */
720 return (B_TRUE);
721 }
722
723 static boolean_t
724 des3_keycheck(uint8_t *key, uint8_t *corrected_key)
725 {
726 /* EXPORT DELETE START */
727 uint64_t aligned_key[DES3_KEYSIZE / sizeof (uint64_t)];
728 uint64_t key_so_far, scratch, *currentkey;
729 uint_t j, num_weakkeys = 0;
730
731 if (key == NULL) {
732 return (B_FALSE);
733 }
734
735 if (!IS_P2ALIGNED(key, sizeof (uint64_t))) {
736 bcopy(key, aligned_key, DES3_KEYSIZE);
737 currentkey = (uint64_t *)aligned_key;
748 return (B_FALSE);
749 }
750 /*
751 * We found a weak key, but since
752 * we've only found one weak key,
753 * we can not reject the whole 3DES
754 * set of keys as weak.
755 *
756 * Break from the weak key loop
757 * (since this DES key is weak) and
758 * continue on.
759 */
760 }
761
762 currentkey[j] = scratch;
763 }
764
765 /*
766 * Perform key equivalence checks, now that parity is properly set.
767 * 1st and 2nd keys must be unique, the 3rd key can be the same as
768 * the 1st key for the 2 key variant of 3DES.
769 */
770 if (currentkey[0] == currentkey[1] || currentkey[1] == currentkey[2])
771 return (B_FALSE);
772
773 if (corrected_key != NULL) {
774 bcopy(currentkey, corrected_key, DES3_KEYSIZE);
775 }
776
777 /* EXPORT DELETE END */
778 return (B_TRUE);
779 }
780
781 boolean_t
782 des_keycheck(uint8_t *key, des_strength_t strength, uint8_t *corrected_key)
783 {
784 if (strength == DES) {
785 return (keycheck(key, corrected_key));
786 } else if (strength == DES3) {
787 return (des3_keycheck(key, corrected_key));
788 } else {
790 }
791 }
792
793 void
794 des_parity_fix(uint8_t *key, des_strength_t strength, uint8_t *corrected_key)
795 {
796 /* EXPORT DELETE START */
797 uint64_t aligned_key[DES3_KEYSIZE / sizeof (uint64_t)];
798 uint8_t *paritied_key;
799 uint64_t key_so_far;
800 int i = 0, offset = 0;
801
802 if (strength == DES)
803 bcopy(key, aligned_key, DES_KEYSIZE);
804 else
805 bcopy(key, aligned_key, DES3_KEYSIZE);
806
807 paritied_key = (uint8_t *)aligned_key;
808 while (strength > i) {
809 offset = 8 * i;
810 #ifdef UNALIGNED_POINTERS_PERMITTED
811 key_so_far = htonll(*(uint64_t *)&paritied_key[offset]);
812 #else
813 key_so_far = (((uint64_t)paritied_key[offset + 0] << 56) |
814 ((uint64_t)paritied_key[offset + 1] << 48) |
815 ((uint64_t)paritied_key[offset + 2] << 40) |
816 ((uint64_t)paritied_key[offset + 3] << 32) |
817 ((uint64_t)paritied_key[offset + 4] << 24) |
818 ((uint64_t)paritied_key[offset + 5] << 16) |
819 ((uint64_t)paritied_key[offset + 6] << 8) |
820 (uint64_t)paritied_key[offset + 7]);
821 #endif /* UNALIGNED_POINTERS_PERMITTED */
822
823 fix_des_parity(&key_so_far);
824
825 #ifdef UNALIGNED_POINTERS_PERMITTED
826 *(uint64_t *)&paritied_key[offset] = htonll(key_so_far);
827 #else
828 paritied_key[offset + 0] = key_so_far >> 56;
829 paritied_key[offset + 1] = key_so_far >> 48;
830 paritied_key[offset + 2] = key_so_far >> 40;
831 paritied_key[offset + 3] = key_so_far >> 32;
832 paritied_key[offset + 4] = key_so_far >> 24;
833 paritied_key[offset + 5] = key_so_far >> 16;
834 paritied_key[offset + 6] = key_so_far >> 8;
835 paritied_key[offset + 7] = (uint8_t)key_so_far;
836 #endif /* UNALIGNED_POINTERS_PERMITTED */
837
838 i++;
839 }
840
841 bcopy(paritied_key, corrected_key, DES_KEYSIZE * strength);
842 /* EXPORT DELETE END */
843 }
844
845
846 /*
847 * Initialize key schedule for DES, DES2, and DES3
848 */
849 void
850 des_init_keysched(uint8_t *cipherKey, des_strength_t strength, void *ks)
851 {
852 /* EXPORT DELETE START */
853 uint64_t *encryption_ks;
854 uint64_t *decryption_ks;
855 uint64_t keysched[48];
856 uint64_t key_uint64[3];
868 encryption_ks = ((keysched3_t *)ks)->ksch_encrypt;
869 decryption_ks = ((keysched3_t *)ks)->ksch_decrypt;
870 break;
871 case DES3:
872 keysize = DES3_KEYSIZE;
873 encryption_ks = ((keysched3_t *)ks)->ksch_encrypt;
874 decryption_ks = ((keysched3_t *)ks)->ksch_decrypt;
875 }
876
877 /*
878 * The code below, that is always executed on LITTLE_ENDIAN machines,
879 * reverses every 8 bytes in the key. On BIG_ENDIAN, the same code
880 * copies the key without reversing bytes.
881 */
882 #ifdef _BIG_ENDIAN
883 if (IS_P2ALIGNED(cipherKey, sizeof (uint64_t))) {
884 for (i = 0, j = 0; j < keysize; i++, j += 8) {
885 /* LINTED: pointer alignment */
886 key_uint64[i] = *((uint64_t *)&cipherKey[j]);
887 }
888 } else
889 #endif /* _BIG_ENDIAN */
890 {
891 for (i = 0, j = 0; j < keysize; i++, j += 8) {
892 #ifdef UNALIGNED_POINTERS_PERMITTED
893 key_uint64[i] = htonll(*(uint64_t *)&cipherKey[j]);
894 #else
895 key_uint64[i] = (((uint64_t)cipherKey[j] << 56) |
896 ((uint64_t)cipherKey[j + 1] << 48) |
897 ((uint64_t)cipherKey[j + 2] << 40) |
898 ((uint64_t)cipherKey[j + 3] << 32) |
899 ((uint64_t)cipherKey[j + 4] << 24) |
900 ((uint64_t)cipherKey[j + 5] << 16) |
901 ((uint64_t)cipherKey[j + 6] << 8) |
902 (uint64_t)cipherKey[j + 7]);
903 #endif /* UNALIGNED_POINTERS_PERMITTED */
904 }
905 }
906
907 switch (strength) {
908 case DES:
909 des_ks(keysched, key_uint64[0]);
910 break;
911
912 case DES2:
913 /* DES2 is just DES3 with the first and third keys the same */
914 bcopy(key_uint64, key_uint64 + 2, DES_KEYSIZE);
915 /* FALLTHRU */
916 case DES3:
917 des_ks(keysched, key_uint64[0]);
918 des_ks(keysched + 16, key_uint64[1]);
919 for (i = 0; i < 8; i++) {
920 tmp = keysched[16+i];
921 keysched[16+i] = keysched[31-i];
922 keysched[31-i] = tmp;
923 }
924 des_ks(keysched+32, key_uint64[2]);
925 keysize = DES3_KEYSIZE;
965 #ifdef _KERNEL
966 keysched = (keysched_t *)kmem_alloc(size, kmflag);
967 #else /* !_KERNEL */
968 keysched = (keysched_t *)malloc(size);
969 #endif /* _KERNEL */
970
971 if (keysched == NULL)
972 return (NULL);
973
974 if (keysched_size != NULL)
975 *keysched_size = size;
976
977 /* EXPORT DELETE END */
978
979 return (keysched);
980 }
981
982 /*
983 * Replace the LSB of each byte by the xor of the other
984 * 7 bits. The tricky thing is that the original contents of the LSBs
985 * are nullified by including them twice in the xor computation.
986 */
987 static void
988 fix_des_parity(uint64_t *keyp)
989 {
990 /* EXPORT DELETE START */
991 uint64_t k = *keyp;
992 k ^= k >> 1;
993 k ^= k >> 2;
994 k ^= k >> 4;
995 *keyp ^= (k & 0x0101010101010101ULL);
996 *keyp ^= 0x0101010101010101ULL;
997 /* EXPORT DELETE END */
998 }
999
1000 void
1001 des_copy_block(uint8_t *in, uint8_t *out)
1002 {
1003 if (IS_P2ALIGNED(in, sizeof (uint32_t)) &&
1004 IS_P2ALIGNED(out, sizeof (uint32_t))) {
1005 /* LINTED: pointer alignment */
|