1*0a6a1f1dSLionel Sambuc /* $NetBSD: crypt.c,v 1.34 2015/06/17 00:15:26 christos Exp $ */
2ebffaa42SBen Gras
3ebffaa42SBen Gras /*
4ebffaa42SBen Gras * Copyright (c) 1989, 1993
5ebffaa42SBen Gras * The Regents of the University of California. All rights reserved.
6ebffaa42SBen Gras *
7ebffaa42SBen Gras * This code is derived from software contributed to Berkeley by
8ebffaa42SBen Gras * Tom Truscott.
9ebffaa42SBen Gras *
10ebffaa42SBen Gras * Redistribution and use in source and binary forms, with or without
11ebffaa42SBen Gras * modification, are permitted provided that the following conditions
12ebffaa42SBen Gras * are met:
13ebffaa42SBen Gras * 1. Redistributions of source code must retain the above copyright
14ebffaa42SBen Gras * notice, this list of conditions and the following disclaimer.
15ebffaa42SBen Gras * 2. Redistributions in binary form must reproduce the above copyright
16ebffaa42SBen Gras * notice, this list of conditions and the following disclaimer in the
17ebffaa42SBen Gras * documentation and/or other materials provided with the distribution.
18ebffaa42SBen Gras * 3. Neither the name of the University nor the names of its contributors
19ebffaa42SBen Gras * may be used to endorse or promote products derived from this software
20ebffaa42SBen Gras * without specific prior written permission.
21ebffaa42SBen Gras *
22ebffaa42SBen Gras * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
23ebffaa42SBen Gras * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24ebffaa42SBen Gras * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25ebffaa42SBen Gras * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
26ebffaa42SBen Gras * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27ebffaa42SBen Gras * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28ebffaa42SBen Gras * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29ebffaa42SBen Gras * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30ebffaa42SBen Gras * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31ebffaa42SBen Gras * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32ebffaa42SBen Gras * SUCH DAMAGE.
33ebffaa42SBen Gras */
34ebffaa42SBen Gras
35ebffaa42SBen Gras #include <sys/cdefs.h>
36ebffaa42SBen Gras #if !defined(lint)
37ebffaa42SBen Gras #if 0
38ebffaa42SBen Gras static char sccsid[] = "@(#)crypt.c 8.1.1.1 (Berkeley) 8/18/93";
39ebffaa42SBen Gras #else
40*0a6a1f1dSLionel Sambuc __RCSID("$NetBSD: crypt.c,v 1.34 2015/06/17 00:15:26 christos Exp $");
41ebffaa42SBen Gras #endif
42ebffaa42SBen Gras #endif /* not lint */
43ebffaa42SBen Gras
44ebffaa42SBen Gras #include <limits.h>
45ebffaa42SBen Gras #include <pwd.h>
46ebffaa42SBen Gras #include <stdlib.h>
47ebffaa42SBen Gras #include <unistd.h>
48ebffaa42SBen Gras #if defined(DEBUG) || defined(MAIN) || defined(UNIT_TEST)
49ebffaa42SBen Gras #include <stdio.h>
50ebffaa42SBen Gras #endif
51ebffaa42SBen Gras
52ebffaa42SBen Gras #include "crypt.h"
53ebffaa42SBen Gras
54ebffaa42SBen Gras /*
55ebffaa42SBen Gras * UNIX password, and DES, encryption.
56ebffaa42SBen Gras * By Tom Truscott, trt@rti.rti.org,
57ebffaa42SBen Gras * from algorithms by Robert W. Baldwin and James Gillogly.
58ebffaa42SBen Gras *
59ebffaa42SBen Gras * References:
60ebffaa42SBen Gras * "Mathematical Cryptology for Computer Scientists and Mathematicians,"
61ebffaa42SBen Gras * by Wayne Patterson, 1987, ISBN 0-8476-7438-X.
62ebffaa42SBen Gras *
63ebffaa42SBen Gras * "Password Security: A Case History," R. Morris and Ken Thompson,
64ebffaa42SBen Gras * Communications of the ACM, vol. 22, pp. 594-597, Nov. 1979.
65ebffaa42SBen Gras *
66ebffaa42SBen Gras * "DES will be Totally Insecure within Ten Years," M.E. Hellman,
67ebffaa42SBen Gras * IEEE Spectrum, vol. 16, pp. 32-39, July 1979.
68ebffaa42SBen Gras */
69ebffaa42SBen Gras
70ebffaa42SBen Gras /* ===== Configuration ==================== */
71ebffaa42SBen Gras
72ebffaa42SBen Gras /*
73ebffaa42SBen Gras * define "MUST_ALIGN" if your compiler cannot load/store
74ebffaa42SBen Gras * long integers at arbitrary (e.g. odd) memory locations.
75ebffaa42SBen Gras * (Either that or never pass unaligned addresses to des_cipher!)
76ebffaa42SBen Gras */
77ebffaa42SBen Gras #if !defined(__vax__) && !defined(__i386__)
78ebffaa42SBen Gras #define MUST_ALIGN
79ebffaa42SBen Gras #endif
80ebffaa42SBen Gras
81ebffaa42SBen Gras #ifdef CHAR_BITS
82ebffaa42SBen Gras #if CHAR_BITS != 8
83ebffaa42SBen Gras #error C_block structure assumes 8 bit characters
84ebffaa42SBen Gras #endif
85ebffaa42SBen Gras #endif
86ebffaa42SBen Gras
87ebffaa42SBen Gras /*
88ebffaa42SBen Gras * define "B64" to be the declaration for a 64 bit integer.
89ebffaa42SBen Gras * XXX this feature is currently unused, see "endian" comment below.
90ebffaa42SBen Gras */
91ebffaa42SBen Gras #if defined(cray)
92ebffaa42SBen Gras #define B64 long
93ebffaa42SBen Gras #endif
94ebffaa42SBen Gras #if defined(convex)
95ebffaa42SBen Gras #define B64 long long
96ebffaa42SBen Gras #endif
97ebffaa42SBen Gras
98ebffaa42SBen Gras /*
99ebffaa42SBen Gras * define "LARGEDATA" to get faster permutations, by using about 72 kilobytes
100ebffaa42SBen Gras * of lookup tables. This speeds up des_setkey() and des_cipher(), but has
101ebffaa42SBen Gras * little effect on crypt().
102ebffaa42SBen Gras */
103ebffaa42SBen Gras #if defined(notdef)
104ebffaa42SBen Gras #define LARGEDATA
105ebffaa42SBen Gras #endif
106ebffaa42SBen Gras
107ebffaa42SBen Gras /* compile with "-DSTATIC=void" when profiling */
108ebffaa42SBen Gras #ifndef STATIC
109ebffaa42SBen Gras #define STATIC static void
110ebffaa42SBen Gras #endif
111ebffaa42SBen Gras
112ebffaa42SBen Gras /* ==================================== */
113ebffaa42SBen Gras
114ebffaa42SBen Gras /*
115ebffaa42SBen Gras * Cipher-block representation (Bob Baldwin):
116ebffaa42SBen Gras *
117ebffaa42SBen Gras * DES operates on groups of 64 bits, numbered 1..64 (sigh). One
118ebffaa42SBen Gras * representation is to store one bit per byte in an array of bytes. Bit N of
119ebffaa42SBen Gras * the NBS spec is stored as the LSB of the Nth byte (index N-1) in the array.
120ebffaa42SBen Gras * Another representation stores the 64 bits in 8 bytes, with bits 1..8 in the
121ebffaa42SBen Gras * first byte, 9..16 in the second, and so on. The DES spec apparently has
122ebffaa42SBen Gras * bit 1 in the MSB of the first byte, but that is particularly noxious so we
123ebffaa42SBen Gras * bit-reverse each byte so that bit 1 is the LSB of the first byte, bit 8 is
124ebffaa42SBen Gras * the MSB of the first byte. Specifically, the 64-bit input data and key are
125ebffaa42SBen Gras * converted to LSB format, and the output 64-bit block is converted back into
126ebffaa42SBen Gras * MSB format.
127ebffaa42SBen Gras *
128ebffaa42SBen Gras * DES operates internally on groups of 32 bits which are expanded to 48 bits
129ebffaa42SBen Gras * by permutation E and shrunk back to 32 bits by the S boxes. To speed up
130ebffaa42SBen Gras * the computation, the expansion is applied only once, the expanded
131ebffaa42SBen Gras * representation is maintained during the encryption, and a compression
132ebffaa42SBen Gras * permutation is applied only at the end. To speed up the S-box lookups,
133ebffaa42SBen Gras * the 48 bits are maintained as eight 6 bit groups, one per byte, which
134ebffaa42SBen Gras * directly feed the eight S-boxes. Within each byte, the 6 bits are the
135ebffaa42SBen Gras * most significant ones. The low two bits of each byte are zero. (Thus,
136ebffaa42SBen Gras * bit 1 of the 48 bit E expansion is stored as the "4"-valued bit of the
137ebffaa42SBen Gras * first byte in the eight byte representation, bit 2 of the 48 bit value is
138ebffaa42SBen Gras * the "8"-valued bit, and so on.) In fact, a combined "SPE"-box lookup is
139ebffaa42SBen Gras * used, in which the output is the 64 bit result of an S-box lookup which
140ebffaa42SBen Gras * has been permuted by P and expanded by E, and is ready for use in the next
141ebffaa42SBen Gras * iteration. Two 32-bit wide tables, SPE[0] and SPE[1], are used for this
142ebffaa42SBen Gras * lookup. Since each byte in the 48 bit path is a multiple of four, indexed
143ebffaa42SBen Gras * lookup of SPE[0] and SPE[1] is simple and fast. The key schedule and
144ebffaa42SBen Gras * "salt" are also converted to this 8*(6+2) format. The SPE table size is
145ebffaa42SBen Gras * 8*64*8 = 4K bytes.
146ebffaa42SBen Gras *
147ebffaa42SBen Gras * To speed up bit-parallel operations (such as XOR), the 8 byte
148ebffaa42SBen Gras * representation is "union"ed with 32 bit values "i0" and "i1", and, on
149ebffaa42SBen Gras * machines which support it, a 64 bit value "b64". This data structure,
150ebffaa42SBen Gras * "C_block", has two problems. First, alignment restrictions must be
151ebffaa42SBen Gras * honored. Second, the byte-order (e.g. little-endian or big-endian) of
152ebffaa42SBen Gras * the architecture becomes visible.
153ebffaa42SBen Gras *
154ebffaa42SBen Gras * The byte-order problem is unfortunate, since on the one hand it is good
155ebffaa42SBen Gras * to have a machine-independent C_block representation (bits 1..8 in the
156ebffaa42SBen Gras * first byte, etc.), and on the other hand it is good for the LSB of the
157ebffaa42SBen Gras * first byte to be the LSB of i0. We cannot have both these things, so we
158ebffaa42SBen Gras * currently use the "little-endian" representation and avoid any multi-byte
159ebffaa42SBen Gras * operations that depend on byte order. This largely precludes use of the
160ebffaa42SBen Gras * 64-bit datatype since the relative order of i0 and i1 are unknown. It
161ebffaa42SBen Gras * also inhibits grouping the SPE table to look up 12 bits at a time. (The
162ebffaa42SBen Gras * 12 bits can be stored in a 16-bit field with 3 low-order zeroes and 1
163ebffaa42SBen Gras * high-order zero, providing fast indexing into a 64-bit wide SPE.) On the
164ebffaa42SBen Gras * other hand, 64-bit datatypes are currently rare, and a 12-bit SPE lookup
165ebffaa42SBen Gras * requires a 128 kilobyte table, so perhaps this is not a big loss.
166ebffaa42SBen Gras *
167ebffaa42SBen Gras * Permutation representation (Jim Gillogly):
168ebffaa42SBen Gras *
169ebffaa42SBen Gras * A transformation is defined by its effect on each of the 8 bytes of the
170ebffaa42SBen Gras * 64-bit input. For each byte we give a 64-bit output that has the bits in
171ebffaa42SBen Gras * the input distributed appropriately. The transformation is then the OR
172ebffaa42SBen Gras * of the 8 sets of 64-bits. This uses 8*256*8 = 16K bytes of storage for
173ebffaa42SBen Gras * each transformation. Unless LARGEDATA is defined, however, a more compact
174ebffaa42SBen Gras * table is used which looks up 16 4-bit "chunks" rather than 8 8-bit chunks.
175ebffaa42SBen Gras * The smaller table uses 16*16*8 = 2K bytes for each transformation. This
176ebffaa42SBen Gras * is slower but tolerable, particularly for password encryption in which
177ebffaa42SBen Gras * the SPE transformation is iterated many times. The small tables total 9K
178ebffaa42SBen Gras * bytes, the large tables total 72K bytes.
179ebffaa42SBen Gras *
180ebffaa42SBen Gras * The transformations used are:
181ebffaa42SBen Gras * IE3264: MSB->LSB conversion, initial permutation, and expansion.
182ebffaa42SBen Gras * This is done by collecting the 32 even-numbered bits and applying
183ebffaa42SBen Gras * a 32->64 bit transformation, and then collecting the 32 odd-numbered
184ebffaa42SBen Gras * bits and applying the same transformation. Since there are only
185ebffaa42SBen Gras * 32 input bits, the IE3264 transformation table is half the size of
186ebffaa42SBen Gras * the usual table.
187ebffaa42SBen Gras * CF6464: Compression, final permutation, and LSB->MSB conversion.
188ebffaa42SBen Gras * This is done by two trivial 48->32 bit compressions to obtain
189ebffaa42SBen Gras * a 64-bit block (the bit numbering is given in the "CIFP" table)
190ebffaa42SBen Gras * followed by a 64->64 bit "cleanup" transformation. (It would
191ebffaa42SBen Gras * be possible to group the bits in the 64-bit block so that 2
192ebffaa42SBen Gras * identical 32->32 bit transformations could be used instead,
193ebffaa42SBen Gras * saving a factor of 4 in space and possibly 2 in time, but
194ebffaa42SBen Gras * byte-ordering and other complications rear their ugly head.
195ebffaa42SBen Gras * Similar opportunities/problems arise in the key schedule
196ebffaa42SBen Gras * transforms.)
197ebffaa42SBen Gras * PC1ROT: MSB->LSB, PC1 permutation, rotate, and PC2 permutation.
198ebffaa42SBen Gras * This admittedly baroque 64->64 bit transformation is used to
199ebffaa42SBen Gras * produce the first code (in 8*(6+2) format) of the key schedule.
200ebffaa42SBen Gras * PC2ROT[0]: Inverse PC2 permutation, rotate, and PC2 permutation.
201ebffaa42SBen Gras * It would be possible to define 15 more transformations, each
202ebffaa42SBen Gras * with a different rotation, to generate the entire key schedule.
203ebffaa42SBen Gras * To save space, however, we instead permute each code into the
204ebffaa42SBen Gras * next by using a transformation that "undoes" the PC2 permutation,
205ebffaa42SBen Gras * rotates the code, and then applies PC2. Unfortunately, PC2
206ebffaa42SBen Gras * transforms 56 bits into 48 bits, dropping 8 bits, so PC2 is not
207ebffaa42SBen Gras * invertible. We get around that problem by using a modified PC2
208ebffaa42SBen Gras * which retains the 8 otherwise-lost bits in the unused low-order
209ebffaa42SBen Gras * bits of each byte. The low-order bits are cleared when the
210ebffaa42SBen Gras * codes are stored into the key schedule.
211ebffaa42SBen Gras * PC2ROT[1]: Same as PC2ROT[0], but with two rotations.
212ebffaa42SBen Gras * This is faster than applying PC2ROT[0] twice,
213ebffaa42SBen Gras *
214ebffaa42SBen Gras * The Bell Labs "salt" (Bob Baldwin):
215ebffaa42SBen Gras *
216ebffaa42SBen Gras * The salting is a simple permutation applied to the 48-bit result of E.
217ebffaa42SBen Gras * Specifically, if bit i (1 <= i <= 24) of the salt is set then bits i and
218ebffaa42SBen Gras * i+24 of the result are swapped. The salt is thus a 24 bit number, with
219ebffaa42SBen Gras * 16777216 possible values. (The original salt was 12 bits and could not
220ebffaa42SBen Gras * swap bits 13..24 with 36..48.)
221ebffaa42SBen Gras *
222ebffaa42SBen Gras * It is possible, but ugly, to warp the SPE table to account for the salt
223ebffaa42SBen Gras * permutation. Fortunately, the conditional bit swapping requires only
224ebffaa42SBen Gras * about four machine instructions and can be done on-the-fly with about an
225ebffaa42SBen Gras * 8% performance penalty.
226ebffaa42SBen Gras */
227ebffaa42SBen Gras
228ebffaa42SBen Gras typedef union {
229ebffaa42SBen Gras unsigned char b[8];
230ebffaa42SBen Gras struct {
231ebffaa42SBen Gras int32_t i0;
232ebffaa42SBen Gras int32_t i1;
233ebffaa42SBen Gras } b32;
234ebffaa42SBen Gras #if defined(B64)
235ebffaa42SBen Gras B64 b64;
236ebffaa42SBen Gras #endif
237ebffaa42SBen Gras } C_block;
238ebffaa42SBen Gras
239ebffaa42SBen Gras /*
240ebffaa42SBen Gras * Convert twenty-four-bit long in host-order
241ebffaa42SBen Gras * to six bits (and 2 low-order zeroes) per char little-endian format.
242ebffaa42SBen Gras */
243ebffaa42SBen Gras #define TO_SIX_BIT(rslt, src) { \
244ebffaa42SBen Gras C_block cvt; \
245ebffaa42SBen Gras cvt.b[0] = src; src >>= 6; \
246ebffaa42SBen Gras cvt.b[1] = src; src >>= 6; \
247ebffaa42SBen Gras cvt.b[2] = src; src >>= 6; \
248ebffaa42SBen Gras cvt.b[3] = src; \
249ebffaa42SBen Gras rslt = (cvt.b32.i0 & 0x3f3f3f3fL) << 2; \
250ebffaa42SBen Gras }
251ebffaa42SBen Gras
252ebffaa42SBen Gras /*
253ebffaa42SBen Gras * These macros may someday permit efficient use of 64-bit integers.
254ebffaa42SBen Gras */
255ebffaa42SBen Gras #define ZERO(d,d0,d1) d0 = 0, d1 = 0
256ebffaa42SBen Gras #define LOAD(d,d0,d1,bl) d0 = (bl).b32.i0, d1 = (bl).b32.i1
257ebffaa42SBen Gras #define LOADREG(d,d0,d1,s,s0,s1) d0 = s0, d1 = s1
258ebffaa42SBen Gras #define OR(d,d0,d1,bl) d0 |= (bl).b32.i0, d1 |= (bl).b32.i1
259ebffaa42SBen Gras #define STORE(s,s0,s1,bl) (bl).b32.i0 = s0, (bl).b32.i1 = s1
260ebffaa42SBen Gras #define DCL_BLOCK(d,d0,d1) int32_t d0, d1
261ebffaa42SBen Gras
262ebffaa42SBen Gras #if defined(LARGEDATA)
263ebffaa42SBen Gras /* Waste memory like crazy. Also, do permutations in line */
264ebffaa42SBen Gras #define LGCHUNKBITS 3
265ebffaa42SBen Gras #define CHUNKBITS (1<<LGCHUNKBITS)
266ebffaa42SBen Gras #define PERM6464(d,d0,d1,cpp,p) \
267ebffaa42SBen Gras LOAD(d,d0,d1,(p)[(0<<CHUNKBITS)+(cpp)[0]]); \
268ebffaa42SBen Gras OR (d,d0,d1,(p)[(1<<CHUNKBITS)+(cpp)[1]]); \
269ebffaa42SBen Gras OR (d,d0,d1,(p)[(2<<CHUNKBITS)+(cpp)[2]]); \
270ebffaa42SBen Gras OR (d,d0,d1,(p)[(3<<CHUNKBITS)+(cpp)[3]]); \
271ebffaa42SBen Gras OR (d,d0,d1,(p)[(4<<CHUNKBITS)+(cpp)[4]]); \
272ebffaa42SBen Gras OR (d,d0,d1,(p)[(5<<CHUNKBITS)+(cpp)[5]]); \
273ebffaa42SBen Gras OR (d,d0,d1,(p)[(6<<CHUNKBITS)+(cpp)[6]]); \
274ebffaa42SBen Gras OR (d,d0,d1,(p)[(7<<CHUNKBITS)+(cpp)[7]]);
275ebffaa42SBen Gras #define PERM3264(d,d0,d1,cpp,p) \
276ebffaa42SBen Gras LOAD(d,d0,d1,(p)[(0<<CHUNKBITS)+(cpp)[0]]); \
277ebffaa42SBen Gras OR (d,d0,d1,(p)[(1<<CHUNKBITS)+(cpp)[1]]); \
278ebffaa42SBen Gras OR (d,d0,d1,(p)[(2<<CHUNKBITS)+(cpp)[2]]); \
279ebffaa42SBen Gras OR (d,d0,d1,(p)[(3<<CHUNKBITS)+(cpp)[3]]);
280ebffaa42SBen Gras #else
281ebffaa42SBen Gras /* "small data" */
282ebffaa42SBen Gras #define LGCHUNKBITS 2
283ebffaa42SBen Gras #define CHUNKBITS (1<<LGCHUNKBITS)
284ebffaa42SBen Gras #define PERM6464(d,d0,d1,cpp,p) \
285ebffaa42SBen Gras { C_block tblk; permute(cpp,&tblk,p,8); LOAD (d,d0,d1,tblk); }
286ebffaa42SBen Gras #define PERM3264(d,d0,d1,cpp,p) \
287ebffaa42SBen Gras { C_block tblk; permute(cpp,&tblk,p,4); LOAD (d,d0,d1,tblk); }
288ebffaa42SBen Gras #endif /* LARGEDATA */
289ebffaa42SBen Gras
290ebffaa42SBen Gras STATIC init_des(void);
291ebffaa42SBen Gras STATIC init_perm(C_block [64/CHUNKBITS][1<<CHUNKBITS],
292ebffaa42SBen Gras const unsigned char [64], int, int);
293ebffaa42SBen Gras #ifndef LARGEDATA
294ebffaa42SBen Gras STATIC permute(const unsigned char *, C_block *, C_block *, int);
295ebffaa42SBen Gras #endif
296ebffaa42SBen Gras #ifdef DEBUG
297ebffaa42SBen Gras STATIC prtab(const char *, unsigned char *, int);
298ebffaa42SBen Gras #endif
299ebffaa42SBen Gras
300ebffaa42SBen Gras
301ebffaa42SBen Gras #ifndef LARGEDATA
302ebffaa42SBen Gras STATIC
permute(const unsigned char * cp,C_block * out,C_block * p,int chars_in)303ebffaa42SBen Gras permute(const unsigned char *cp, C_block *out, C_block *p, int chars_in)
304ebffaa42SBen Gras {
305ebffaa42SBen Gras DCL_BLOCK(D,D0,D1);
306ebffaa42SBen Gras C_block *tp;
307ebffaa42SBen Gras int t;
308ebffaa42SBen Gras
309ebffaa42SBen Gras ZERO(D,D0,D1);
310ebffaa42SBen Gras do {
311ebffaa42SBen Gras t = *cp++;
312ebffaa42SBen Gras tp = &p[t&0xf]; OR(D,D0,D1,*tp); p += (1<<CHUNKBITS);
313ebffaa42SBen Gras tp = &p[t>>4]; OR(D,D0,D1,*tp); p += (1<<CHUNKBITS);
314ebffaa42SBen Gras } while (--chars_in > 0);
315ebffaa42SBen Gras STORE(D,D0,D1,*out);
316ebffaa42SBen Gras }
317ebffaa42SBen Gras #endif /* LARGEDATA */
318ebffaa42SBen Gras
319ebffaa42SBen Gras
320ebffaa42SBen Gras /* ===== (mostly) Standard DES Tables ==================== */
321ebffaa42SBen Gras
322ebffaa42SBen Gras static const unsigned char IP[] = { /* initial permutation */
323ebffaa42SBen Gras 58, 50, 42, 34, 26, 18, 10, 2,
324ebffaa42SBen Gras 60, 52, 44, 36, 28, 20, 12, 4,
325ebffaa42SBen Gras 62, 54, 46, 38, 30, 22, 14, 6,
326ebffaa42SBen Gras 64, 56, 48, 40, 32, 24, 16, 8,
327ebffaa42SBen Gras 57, 49, 41, 33, 25, 17, 9, 1,
328ebffaa42SBen Gras 59, 51, 43, 35, 27, 19, 11, 3,
329ebffaa42SBen Gras 61, 53, 45, 37, 29, 21, 13, 5,
330ebffaa42SBen Gras 63, 55, 47, 39, 31, 23, 15, 7,
331ebffaa42SBen Gras };
332ebffaa42SBen Gras
333ebffaa42SBen Gras /* The final permutation is the inverse of IP - no table is necessary */
334ebffaa42SBen Gras
335ebffaa42SBen Gras static const unsigned char ExpandTr[] = { /* expansion operation */
336ebffaa42SBen Gras 32, 1, 2, 3, 4, 5,
337ebffaa42SBen Gras 4, 5, 6, 7, 8, 9,
338ebffaa42SBen Gras 8, 9, 10, 11, 12, 13,
339ebffaa42SBen Gras 12, 13, 14, 15, 16, 17,
340ebffaa42SBen Gras 16, 17, 18, 19, 20, 21,
341ebffaa42SBen Gras 20, 21, 22, 23, 24, 25,
342ebffaa42SBen Gras 24, 25, 26, 27, 28, 29,
343ebffaa42SBen Gras 28, 29, 30, 31, 32, 1,
344ebffaa42SBen Gras };
345ebffaa42SBen Gras
346ebffaa42SBen Gras static const unsigned char PC1[] = { /* permuted choice table 1 */
347ebffaa42SBen Gras 57, 49, 41, 33, 25, 17, 9,
348ebffaa42SBen Gras 1, 58, 50, 42, 34, 26, 18,
349ebffaa42SBen Gras 10, 2, 59, 51, 43, 35, 27,
350ebffaa42SBen Gras 19, 11, 3, 60, 52, 44, 36,
351ebffaa42SBen Gras
352ebffaa42SBen Gras 63, 55, 47, 39, 31, 23, 15,
353ebffaa42SBen Gras 7, 62, 54, 46, 38, 30, 22,
354ebffaa42SBen Gras 14, 6, 61, 53, 45, 37, 29,
355ebffaa42SBen Gras 21, 13, 5, 28, 20, 12, 4,
356ebffaa42SBen Gras };
357ebffaa42SBen Gras
358ebffaa42SBen Gras static const unsigned char Rotates[] = {/* PC1 rotation schedule */
359ebffaa42SBen Gras 1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1,
360ebffaa42SBen Gras };
361ebffaa42SBen Gras
362ebffaa42SBen Gras /* note: each "row" of PC2 is left-padded with bits that make it invertible */
363ebffaa42SBen Gras static const unsigned char PC2[] = { /* permuted choice table 2 */
364ebffaa42SBen Gras 9, 18, 14, 17, 11, 24, 1, 5,
365ebffaa42SBen Gras 22, 25, 3, 28, 15, 6, 21, 10,
366ebffaa42SBen Gras 35, 38, 23, 19, 12, 4, 26, 8,
367ebffaa42SBen Gras 43, 54, 16, 7, 27, 20, 13, 2,
368ebffaa42SBen Gras
369ebffaa42SBen Gras 0, 0, 41, 52, 31, 37, 47, 55,
370ebffaa42SBen Gras 0, 0, 30, 40, 51, 45, 33, 48,
371ebffaa42SBen Gras 0, 0, 44, 49, 39, 56, 34, 53,
372ebffaa42SBen Gras 0, 0, 46, 42, 50, 36, 29, 32,
373ebffaa42SBen Gras };
374ebffaa42SBen Gras
375ebffaa42SBen Gras static const unsigned char S[8][64] = { /* 48->32 bit substitution tables */
376ebffaa42SBen Gras /* S[1] */
377ebffaa42SBen Gras { 14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7,
378ebffaa42SBen Gras 0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8,
379ebffaa42SBen Gras 4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0,
380ebffaa42SBen Gras 15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13 },
381ebffaa42SBen Gras /* S[2] */
382ebffaa42SBen Gras { 15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10,
383ebffaa42SBen Gras 3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5,
384ebffaa42SBen Gras 0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15,
385ebffaa42SBen Gras 13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9 },
386ebffaa42SBen Gras /* S[3] */
387ebffaa42SBen Gras { 10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8,
388ebffaa42SBen Gras 13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1,
389ebffaa42SBen Gras 13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7,
390ebffaa42SBen Gras 1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12 },
391ebffaa42SBen Gras /* S[4] */
392ebffaa42SBen Gras { 7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15,
393ebffaa42SBen Gras 13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9,
394ebffaa42SBen Gras 10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4,
395ebffaa42SBen Gras 3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14 },
396ebffaa42SBen Gras /* S[5] */
397ebffaa42SBen Gras { 2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9,
398ebffaa42SBen Gras 14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6,
399ebffaa42SBen Gras 4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14,
400ebffaa42SBen Gras 11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3 },
401ebffaa42SBen Gras /* S[6] */
402ebffaa42SBen Gras { 12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11,
403ebffaa42SBen Gras 10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8,
404ebffaa42SBen Gras 9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6,
405ebffaa42SBen Gras 4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13 },
406ebffaa42SBen Gras /* S[7] */
407ebffaa42SBen Gras { 4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1,
408ebffaa42SBen Gras 13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6,
409ebffaa42SBen Gras 1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2,
410ebffaa42SBen Gras 6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12 },
411ebffaa42SBen Gras /* S[8] */
412ebffaa42SBen Gras { 13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7,
413ebffaa42SBen Gras 1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2,
414ebffaa42SBen Gras 7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8,
415ebffaa42SBen Gras 2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11 }
416ebffaa42SBen Gras };
417ebffaa42SBen Gras
418ebffaa42SBen Gras static const unsigned char P32Tr[] = { /* 32-bit permutation function */
419ebffaa42SBen Gras 16, 7, 20, 21,
420ebffaa42SBen Gras 29, 12, 28, 17,
421ebffaa42SBen Gras 1, 15, 23, 26,
422ebffaa42SBen Gras 5, 18, 31, 10,
423ebffaa42SBen Gras 2, 8, 24, 14,
424ebffaa42SBen Gras 32, 27, 3, 9,
425ebffaa42SBen Gras 19, 13, 30, 6,
426ebffaa42SBen Gras 22, 11, 4, 25,
427ebffaa42SBen Gras };
428ebffaa42SBen Gras
429ebffaa42SBen Gras static const unsigned char CIFP[] = { /* compressed/interleaved permutation */
430ebffaa42SBen Gras 1, 2, 3, 4, 17, 18, 19, 20,
431ebffaa42SBen Gras 5, 6, 7, 8, 21, 22, 23, 24,
432ebffaa42SBen Gras 9, 10, 11, 12, 25, 26, 27, 28,
433ebffaa42SBen Gras 13, 14, 15, 16, 29, 30, 31, 32,
434ebffaa42SBen Gras
435ebffaa42SBen Gras 33, 34, 35, 36, 49, 50, 51, 52,
436ebffaa42SBen Gras 37, 38, 39, 40, 53, 54, 55, 56,
437ebffaa42SBen Gras 41, 42, 43, 44, 57, 58, 59, 60,
438ebffaa42SBen Gras 45, 46, 47, 48, 61, 62, 63, 64,
439ebffaa42SBen Gras };
440ebffaa42SBen Gras
441ebffaa42SBen Gras static const unsigned char itoa64[] = /* 0..63 => ascii-64 */
442ebffaa42SBen Gras "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
443ebffaa42SBen Gras
444ebffaa42SBen Gras
445ebffaa42SBen Gras /* ===== Tables that are initialized at run time ==================== */
446ebffaa42SBen Gras
447ebffaa42SBen Gras
448ebffaa42SBen Gras /* Initial key schedule permutation */
449ebffaa42SBen Gras static C_block PC1ROT[64/CHUNKBITS][1<<CHUNKBITS];
450ebffaa42SBen Gras
451ebffaa42SBen Gras /* Subsequent key schedule rotation permutations */
452ebffaa42SBen Gras static C_block PC2ROT[2][64/CHUNKBITS][1<<CHUNKBITS];
453ebffaa42SBen Gras
454ebffaa42SBen Gras /* Initial permutation/expansion table */
455ebffaa42SBen Gras static C_block IE3264[32/CHUNKBITS][1<<CHUNKBITS];
456ebffaa42SBen Gras
457ebffaa42SBen Gras /* Table that combines the S, P, and E operations. */
458ebffaa42SBen Gras static int32_t SPE[2][8][64];
459ebffaa42SBen Gras
460ebffaa42SBen Gras /* compressed/interleaved => final permutation table */
461ebffaa42SBen Gras static C_block CF6464[64/CHUNKBITS][1<<CHUNKBITS];
462ebffaa42SBen Gras
463ebffaa42SBen Gras
464ebffaa42SBen Gras /* ==================================== */
465ebffaa42SBen Gras
466ebffaa42SBen Gras
467ebffaa42SBen Gras static C_block constdatablock; /* encryption constant */
468ebffaa42SBen Gras static char cryptresult[1+4+4+11+1]; /* encrypted result */
469ebffaa42SBen Gras
470f5435c74SLionel Sambuc /*
471f5435c74SLionel Sambuc * We match the behavior of UFC-crypt on systems where "char" is signed by
472f5435c74SLionel Sambuc * default (the majority), regardless of char's signedness on our system.
473f5435c74SLionel Sambuc */
474f5435c74SLionel Sambuc static inline int
ascii_to_bin(char ch)475f5435c74SLionel Sambuc ascii_to_bin(char ch)
476f5435c74SLionel Sambuc {
477f5435c74SLionel Sambuc signed char sch = ch;
478f5435c74SLionel Sambuc int retval;
479f5435c74SLionel Sambuc
480f5435c74SLionel Sambuc if (sch >= 'a')
481f5435c74SLionel Sambuc retval = sch - ('a' - 38);
482f5435c74SLionel Sambuc else if (sch >= 'A')
483f5435c74SLionel Sambuc retval = sch - ('A' - 12);
484f5435c74SLionel Sambuc else
485f5435c74SLionel Sambuc retval = sch - '.';
486f5435c74SLionel Sambuc
487f5435c74SLionel Sambuc return retval & 0x3f;
488f5435c74SLionel Sambuc }
489f5435c74SLionel Sambuc
490f5435c74SLionel Sambuc /*
491f5435c74SLionel Sambuc * When we choose to "support" invalid salts, nevertheless disallow those
492f5435c74SLionel Sambuc * containing characters that would violate the passwd file format.
493f5435c74SLionel Sambuc */
494f5435c74SLionel Sambuc static inline int
ascii_is_unsafe(char ch)495f5435c74SLionel Sambuc ascii_is_unsafe(char ch)
496f5435c74SLionel Sambuc {
497f5435c74SLionel Sambuc return !ch || ch == '\n' || ch == ':';
498f5435c74SLionel Sambuc }
499ebffaa42SBen Gras
500ebffaa42SBen Gras /*
501ebffaa42SBen Gras * Return a pointer to static data consisting of the "setting"
502ebffaa42SBen Gras * followed by an encryption produced by the "key" and "setting".
503ebffaa42SBen Gras */
504f5435c74SLionel Sambuc static char *
__crypt(const char * key,const char * setting)505f5435c74SLionel Sambuc __crypt(const char *key, const char *setting)
506ebffaa42SBen Gras {
507ebffaa42SBen Gras char *encp;
508ebffaa42SBen Gras int32_t i;
509ebffaa42SBen Gras int t;
510ebffaa42SBen Gras int32_t salt;
511ebffaa42SBen Gras int num_iter, salt_size;
512ebffaa42SBen Gras C_block keyblock, rsltblock;
513ebffaa42SBen Gras
514ebffaa42SBen Gras /* Non-DES encryption schemes hook in here. */
515ebffaa42SBen Gras if (setting[0] == _PASSWORD_NONDES) {
516ebffaa42SBen Gras switch (setting[1]) {
517ebffaa42SBen Gras case '2':
518ebffaa42SBen Gras return (__bcrypt(key, setting));
519ebffaa42SBen Gras case 's':
520ebffaa42SBen Gras return (__crypt_sha1(key, setting));
521ebffaa42SBen Gras case '1':
522ebffaa42SBen Gras default:
523ebffaa42SBen Gras return (__md5crypt(key, setting));
524ebffaa42SBen Gras }
525ebffaa42SBen Gras }
526ebffaa42SBen Gras
527ebffaa42SBen Gras for (i = 0; i < 8; i++) {
528ebffaa42SBen Gras if ((t = 2*(unsigned char)(*key)) != 0)
529ebffaa42SBen Gras key++;
530ebffaa42SBen Gras keyblock.b[i] = t;
531ebffaa42SBen Gras }
532f5435c74SLionel Sambuc if (des_setkey((char *)keyblock.b))
533ebffaa42SBen Gras return (NULL);
534ebffaa42SBen Gras
535ebffaa42SBen Gras encp = &cryptresult[0];
536ebffaa42SBen Gras switch (*setting) {
537ebffaa42SBen Gras case _PASSWORD_EFMT1:
538ebffaa42SBen Gras /*
539ebffaa42SBen Gras * Involve the rest of the password 8 characters at a time.
540ebffaa42SBen Gras */
541ebffaa42SBen Gras while (*key) {
542ebffaa42SBen Gras if (des_cipher((char *)(void *)&keyblock,
543ebffaa42SBen Gras (char *)(void *)&keyblock, 0L, 1))
544ebffaa42SBen Gras return (NULL);
545ebffaa42SBen Gras for (i = 0; i < 8; i++) {
546ebffaa42SBen Gras if ((t = 2*(unsigned char)(*key)) != 0)
547ebffaa42SBen Gras key++;
548ebffaa42SBen Gras keyblock.b[i] ^= t;
549ebffaa42SBen Gras }
550ebffaa42SBen Gras if (des_setkey((char *)keyblock.b))
551ebffaa42SBen Gras return (NULL);
552ebffaa42SBen Gras }
553ebffaa42SBen Gras
554ebffaa42SBen Gras *encp++ = *setting++;
555ebffaa42SBen Gras
556ebffaa42SBen Gras /* get iteration count */
557ebffaa42SBen Gras num_iter = 0;
558ebffaa42SBen Gras for (i = 4; --i >= 0; ) {
559f5435c74SLionel Sambuc int value = ascii_to_bin(setting[i]);
560f5435c74SLionel Sambuc if (itoa64[value] != setting[i])
561f5435c74SLionel Sambuc return NULL;
562f5435c74SLionel Sambuc encp[i] = setting[i];
563f5435c74SLionel Sambuc num_iter = (num_iter << 6) | value;
564ebffaa42SBen Gras }
565f5435c74SLionel Sambuc if (num_iter == 0)
566f5435c74SLionel Sambuc return NULL;
567ebffaa42SBen Gras setting += 4;
568ebffaa42SBen Gras encp += 4;
569ebffaa42SBen Gras salt_size = 4;
570ebffaa42SBen Gras break;
571ebffaa42SBen Gras default:
572ebffaa42SBen Gras num_iter = 25;
573ebffaa42SBen Gras salt_size = 2;
574f5435c74SLionel Sambuc if (ascii_is_unsafe(setting[0]) || ascii_is_unsafe(setting[1]))
575f5435c74SLionel Sambuc return NULL;
576ebffaa42SBen Gras }
577ebffaa42SBen Gras
578ebffaa42SBen Gras salt = 0;
579ebffaa42SBen Gras for (i = salt_size; --i >= 0; ) {
580f5435c74SLionel Sambuc int value = ascii_to_bin(setting[i]);
581f5435c74SLionel Sambuc if (salt_size > 2 && itoa64[value] != setting[i])
582f5435c74SLionel Sambuc return NULL;
583f5435c74SLionel Sambuc encp[i] = setting[i];
584f5435c74SLionel Sambuc salt = (salt << 6) | value;
585ebffaa42SBen Gras }
586ebffaa42SBen Gras encp += salt_size;
587ebffaa42SBen Gras if (des_cipher((char *)(void *)&constdatablock,
588ebffaa42SBen Gras (char *)(void *)&rsltblock, salt, num_iter))
589ebffaa42SBen Gras return (NULL);
590ebffaa42SBen Gras
591ebffaa42SBen Gras /*
592ebffaa42SBen Gras * Encode the 64 cipher bits as 11 ascii characters.
593ebffaa42SBen Gras */
594ebffaa42SBen Gras i = ((int32_t)((rsltblock.b[0]<<8) | rsltblock.b[1])<<8) |
595ebffaa42SBen Gras rsltblock.b[2];
596ebffaa42SBen Gras encp[3] = itoa64[i&0x3f]; i >>= 6;
597ebffaa42SBen Gras encp[2] = itoa64[i&0x3f]; i >>= 6;
598ebffaa42SBen Gras encp[1] = itoa64[i&0x3f]; i >>= 6;
599ebffaa42SBen Gras encp[0] = itoa64[i]; encp += 4;
600ebffaa42SBen Gras i = ((int32_t)((rsltblock.b[3]<<8) | rsltblock.b[4])<<8) |
601ebffaa42SBen Gras rsltblock.b[5];
602ebffaa42SBen Gras encp[3] = itoa64[i&0x3f]; i >>= 6;
603ebffaa42SBen Gras encp[2] = itoa64[i&0x3f]; i >>= 6;
604ebffaa42SBen Gras encp[1] = itoa64[i&0x3f]; i >>= 6;
605ebffaa42SBen Gras encp[0] = itoa64[i]; encp += 4;
606ebffaa42SBen Gras i = ((int32_t)((rsltblock.b[6])<<8) | rsltblock.b[7])<<2;
607ebffaa42SBen Gras encp[2] = itoa64[i&0x3f]; i >>= 6;
608ebffaa42SBen Gras encp[1] = itoa64[i&0x3f]; i >>= 6;
609ebffaa42SBen Gras encp[0] = itoa64[i];
610ebffaa42SBen Gras
611ebffaa42SBen Gras encp[3] = 0;
612ebffaa42SBen Gras
613ebffaa42SBen Gras return (cryptresult);
614ebffaa42SBen Gras }
615ebffaa42SBen Gras
616f5435c74SLionel Sambuc char *
crypt(const char * key,const char * salt)617f5435c74SLionel Sambuc crypt(const char *key, const char *salt)
618f5435c74SLionel Sambuc {
619f5435c74SLionel Sambuc char *res = __crypt(key, salt);
620f5435c74SLionel Sambuc if (res)
621f5435c74SLionel Sambuc return res;
622f5435c74SLionel Sambuc /* How do I handle errors ? Return "*0" or "*1" */
623f5435c74SLionel Sambuc return __UNCONST(salt[0] == '*' && salt[1] == '0' ? "*1" : "*0");
624f5435c74SLionel Sambuc }
625ebffaa42SBen Gras
626ebffaa42SBen Gras /*
627ebffaa42SBen Gras * The Key Schedule, filled in by des_setkey() or setkey().
628ebffaa42SBen Gras */
629ebffaa42SBen Gras #define KS_SIZE 16
630ebffaa42SBen Gras static C_block KS[KS_SIZE];
631ebffaa42SBen Gras
632ebffaa42SBen Gras /*
633ebffaa42SBen Gras * Set up the key schedule from the key.
634ebffaa42SBen Gras */
635ebffaa42SBen Gras int
des_setkey(const char * key)636ebffaa42SBen Gras des_setkey(const char *key)
637ebffaa42SBen Gras {
638ebffaa42SBen Gras DCL_BLOCK(K, K0, K1);
639ebffaa42SBen Gras C_block *help, *ptabp;
640ebffaa42SBen Gras int i;
641ebffaa42SBen Gras static int des_ready = 0;
642ebffaa42SBen Gras
643ebffaa42SBen Gras if (!des_ready) {
644ebffaa42SBen Gras init_des();
645ebffaa42SBen Gras des_ready = 1;
646ebffaa42SBen Gras }
647ebffaa42SBen Gras
648ebffaa42SBen Gras PERM6464(K,K0,K1,(const unsigned char *)key,(C_block *)PC1ROT);
649ebffaa42SBen Gras help = &KS[0];
650ebffaa42SBen Gras STORE(K&~0x03030303L, K0&~0x03030303L, K1, *help);
651ebffaa42SBen Gras for (i = 1; i < 16; i++) {
652ebffaa42SBen Gras help++;
653ebffaa42SBen Gras STORE(K,K0,K1,*help);
654ebffaa42SBen Gras ptabp = (C_block *)PC2ROT[Rotates[i]-1];
655ebffaa42SBen Gras PERM6464(K,K0,K1,(const unsigned char *)help,ptabp);
656ebffaa42SBen Gras STORE(K&~0x03030303L, K0&~0x03030303L, K1, *help);
657ebffaa42SBen Gras }
658ebffaa42SBen Gras return (0);
659ebffaa42SBen Gras }
660ebffaa42SBen Gras
661ebffaa42SBen Gras /*
662ebffaa42SBen Gras * Encrypt (or decrypt if num_iter < 0) the 8 chars at "in" with abs(num_iter)
663ebffaa42SBen Gras * iterations of DES, using the given 24-bit salt and the pre-computed key
664ebffaa42SBen Gras * schedule, and store the resulting 8 chars at "out" (in == out is permitted).
665ebffaa42SBen Gras *
666ebffaa42SBen Gras * NOTE: the performance of this routine is critically dependent on your
667ebffaa42SBen Gras * compiler and machine architecture.
668ebffaa42SBen Gras */
669ebffaa42SBen Gras int
des_cipher(const char * in,char * out,long salt,int num_iter)670ebffaa42SBen Gras des_cipher(const char *in, char *out, long salt, int num_iter)
671ebffaa42SBen Gras {
672ebffaa42SBen Gras /* variables that we want in registers, most important first */
673ebffaa42SBen Gras #if defined(pdp11)
674ebffaa42SBen Gras int j;
675ebffaa42SBen Gras #endif
676ebffaa42SBen Gras int32_t L0, L1, R0, R1, k;
677ebffaa42SBen Gras C_block *kp;
678ebffaa42SBen Gras int ks_inc, loop_count;
679ebffaa42SBen Gras C_block B;
680ebffaa42SBen Gras
681ebffaa42SBen Gras L0 = salt;
682ebffaa42SBen Gras TO_SIX_BIT(salt, L0); /* convert to 4*(6+2) format */
683ebffaa42SBen Gras
684ebffaa42SBen Gras #if defined(__vax__) || defined(pdp11)
685ebffaa42SBen Gras salt = ~salt; /* "x &~ y" is faster than "x & y". */
686ebffaa42SBen Gras #define SALT (~salt)
687ebffaa42SBen Gras #else
688ebffaa42SBen Gras #define SALT salt
689ebffaa42SBen Gras #endif
690ebffaa42SBen Gras
691ebffaa42SBen Gras #if defined(MUST_ALIGN)
692ebffaa42SBen Gras B.b[0] = in[0]; B.b[1] = in[1]; B.b[2] = in[2]; B.b[3] = in[3];
693ebffaa42SBen Gras B.b[4] = in[4]; B.b[5] = in[5]; B.b[6] = in[6]; B.b[7] = in[7];
694ebffaa42SBen Gras LOAD(L,L0,L1,B);
695ebffaa42SBen Gras #else
696ebffaa42SBen Gras LOAD(L,L0,L1,*(const C_block *)in);
697ebffaa42SBen Gras #endif
698ebffaa42SBen Gras LOADREG(R,R0,R1,L,L0,L1);
699ebffaa42SBen Gras L0 &= 0x55555555L;
700ebffaa42SBen Gras L1 &= 0x55555555L;
701ebffaa42SBen Gras L0 = (L0 << 1) | L1; /* L0 is the even-numbered input bits */
702ebffaa42SBen Gras R0 &= 0xaaaaaaaaL;
703ebffaa42SBen Gras R1 = (R1 >> 1) & 0x55555555L;
704ebffaa42SBen Gras L1 = R0 | R1; /* L1 is the odd-numbered input bits */
705ebffaa42SBen Gras STORE(L,L0,L1,B);
706ebffaa42SBen Gras PERM3264(L,L0,L1,B.b, (C_block *)IE3264); /* even bits */
707ebffaa42SBen Gras PERM3264(R,R0,R1,B.b+4,(C_block *)IE3264); /* odd bits */
708ebffaa42SBen Gras
709ebffaa42SBen Gras if (num_iter >= 0)
710ebffaa42SBen Gras { /* encryption */
711ebffaa42SBen Gras kp = &KS[0];
712ebffaa42SBen Gras ks_inc = sizeof(*kp);
713ebffaa42SBen Gras }
714ebffaa42SBen Gras else
715ebffaa42SBen Gras { /* decryption */
716ebffaa42SBen Gras num_iter = -num_iter;
717ebffaa42SBen Gras kp = &KS[KS_SIZE-1];
718ebffaa42SBen Gras ks_inc = -(long)sizeof(*kp);
719ebffaa42SBen Gras }
720ebffaa42SBen Gras
721ebffaa42SBen Gras while (--num_iter >= 0) {
722ebffaa42SBen Gras loop_count = 8;
723ebffaa42SBen Gras do {
724ebffaa42SBen Gras
725ebffaa42SBen Gras #define SPTAB(t, i) \
726ebffaa42SBen Gras (*(int32_t *)((unsigned char *)t + i*(sizeof(int32_t)/4)))
727ebffaa42SBen Gras #if defined(gould)
728ebffaa42SBen Gras /* use this if B.b[i] is evaluated just once ... */
729ebffaa42SBen Gras #define DOXOR(x,y,i) x^=SPTAB(SPE[0][i],B.b[i]); y^=SPTAB(SPE[1][i],B.b[i]);
730ebffaa42SBen Gras #else
731ebffaa42SBen Gras #if defined(pdp11)
732ebffaa42SBen Gras /* use this if your "long" int indexing is slow */
733ebffaa42SBen Gras #define DOXOR(x,y,i) j=B.b[i]; x^=SPTAB(SPE[0][i],j); y^=SPTAB(SPE[1][i],j);
734ebffaa42SBen Gras #else
735ebffaa42SBen Gras /* use this if "k" is allocated to a register ... */
736ebffaa42SBen Gras #define DOXOR(x,y,i) k=B.b[i]; x^=SPTAB(SPE[0][i],k); y^=SPTAB(SPE[1][i],k);
737ebffaa42SBen Gras #endif
738ebffaa42SBen Gras #endif
739ebffaa42SBen Gras
740ebffaa42SBen Gras #define CRUNCH(p0, p1, q0, q1) \
741ebffaa42SBen Gras k = (q0 ^ q1) & SALT; \
742ebffaa42SBen Gras B.b32.i0 = k ^ q0 ^ kp->b32.i0; \
743ebffaa42SBen Gras B.b32.i1 = k ^ q1 ^ kp->b32.i1; \
744ebffaa42SBen Gras kp = (C_block *)((char *)kp+ks_inc); \
745ebffaa42SBen Gras \
746ebffaa42SBen Gras DOXOR(p0, p1, 0); \
747ebffaa42SBen Gras DOXOR(p0, p1, 1); \
748ebffaa42SBen Gras DOXOR(p0, p1, 2); \
749ebffaa42SBen Gras DOXOR(p0, p1, 3); \
750ebffaa42SBen Gras DOXOR(p0, p1, 4); \
751ebffaa42SBen Gras DOXOR(p0, p1, 5); \
752ebffaa42SBen Gras DOXOR(p0, p1, 6); \
753ebffaa42SBen Gras DOXOR(p0, p1, 7);
754ebffaa42SBen Gras
755ebffaa42SBen Gras CRUNCH(L0, L1, R0, R1);
756ebffaa42SBen Gras CRUNCH(R0, R1, L0, L1);
757ebffaa42SBen Gras } while (--loop_count != 0);
758ebffaa42SBen Gras kp = (C_block *)((char *)kp-(ks_inc*KS_SIZE));
759ebffaa42SBen Gras
760ebffaa42SBen Gras
761ebffaa42SBen Gras /* swap L and R */
762ebffaa42SBen Gras L0 ^= R0; L1 ^= R1;
763ebffaa42SBen Gras R0 ^= L0; R1 ^= L1;
764ebffaa42SBen Gras L0 ^= R0; L1 ^= R1;
765ebffaa42SBen Gras }
766ebffaa42SBen Gras
767ebffaa42SBen Gras /* store the encrypted (or decrypted) result */
768ebffaa42SBen Gras L0 = ((L0 >> 3) & 0x0f0f0f0fL) | ((L1 << 1) & 0xf0f0f0f0L);
769ebffaa42SBen Gras L1 = ((R0 >> 3) & 0x0f0f0f0fL) | ((R1 << 1) & 0xf0f0f0f0L);
770ebffaa42SBen Gras STORE(L,L0,L1,B);
771ebffaa42SBen Gras PERM6464(L,L0,L1,B.b, (C_block *)CF6464);
772ebffaa42SBen Gras #if defined(MUST_ALIGN)
773ebffaa42SBen Gras STORE(L,L0,L1,B);
774ebffaa42SBen Gras out[0] = B.b[0]; out[1] = B.b[1]; out[2] = B.b[2]; out[3] = B.b[3];
775ebffaa42SBen Gras out[4] = B.b[4]; out[5] = B.b[5]; out[6] = B.b[6]; out[7] = B.b[7];
776ebffaa42SBen Gras #else
777ebffaa42SBen Gras STORE(L,L0,L1,*(C_block *)out);
778ebffaa42SBen Gras #endif
779ebffaa42SBen Gras return (0);
780ebffaa42SBen Gras }
781ebffaa42SBen Gras
782ebffaa42SBen Gras
783ebffaa42SBen Gras /*
784ebffaa42SBen Gras * Initialize various tables. This need only be done once. It could even be
785ebffaa42SBen Gras * done at compile time, if the compiler were capable of that sort of thing.
786ebffaa42SBen Gras */
787ebffaa42SBen Gras STATIC
init_des(void)788ebffaa42SBen Gras init_des(void)
789ebffaa42SBen Gras {
790ebffaa42SBen Gras int i, j;
791ebffaa42SBen Gras int32_t k;
792ebffaa42SBen Gras int tableno;
793ebffaa42SBen Gras static unsigned char perm[64], tmp32[32]; /* "static" for speed */
794ebffaa42SBen Gras
795ebffaa42SBen Gras /*
796ebffaa42SBen Gras * PC1ROT - bit reverse, then PC1, then Rotate, then PC2.
797ebffaa42SBen Gras */
798ebffaa42SBen Gras for (i = 0; i < 64; i++)
799ebffaa42SBen Gras perm[i] = 0;
800ebffaa42SBen Gras for (i = 0; i < 64; i++) {
801ebffaa42SBen Gras if ((k = PC2[i]) == 0)
802ebffaa42SBen Gras continue;
803ebffaa42SBen Gras k += Rotates[0]-1;
804ebffaa42SBen Gras if ((k%28) < Rotates[0]) k -= 28;
805ebffaa42SBen Gras k = PC1[k];
806ebffaa42SBen Gras if (k > 0) {
807ebffaa42SBen Gras k--;
808ebffaa42SBen Gras k = (k|07) - (k&07);
809ebffaa42SBen Gras k++;
810ebffaa42SBen Gras }
811ebffaa42SBen Gras perm[i] = k;
812ebffaa42SBen Gras }
813ebffaa42SBen Gras #ifdef DEBUG
814ebffaa42SBen Gras prtab("pc1tab", perm, 8);
815ebffaa42SBen Gras #endif
816ebffaa42SBen Gras init_perm(PC1ROT, perm, 8, 8);
817ebffaa42SBen Gras
818ebffaa42SBen Gras /*
819ebffaa42SBen Gras * PC2ROT - PC2 inverse, then Rotate (once or twice), then PC2.
820ebffaa42SBen Gras */
821ebffaa42SBen Gras for (j = 0; j < 2; j++) {
822ebffaa42SBen Gras unsigned char pc2inv[64];
823ebffaa42SBen Gras for (i = 0; i < 64; i++)
824ebffaa42SBen Gras perm[i] = pc2inv[i] = 0;
825ebffaa42SBen Gras for (i = 0; i < 64; i++) {
826ebffaa42SBen Gras if ((k = PC2[i]) == 0)
827ebffaa42SBen Gras continue;
828ebffaa42SBen Gras pc2inv[k-1] = i+1;
829ebffaa42SBen Gras }
830ebffaa42SBen Gras for (i = 0; i < 64; i++) {
831ebffaa42SBen Gras if ((k = PC2[i]) == 0)
832ebffaa42SBen Gras continue;
833ebffaa42SBen Gras k += j;
834ebffaa42SBen Gras if ((k%28) <= j) k -= 28;
835ebffaa42SBen Gras perm[i] = pc2inv[k];
836ebffaa42SBen Gras }
837ebffaa42SBen Gras #ifdef DEBUG
838ebffaa42SBen Gras prtab("pc2tab", perm, 8);
839ebffaa42SBen Gras #endif
840ebffaa42SBen Gras init_perm(PC2ROT[j], perm, 8, 8);
841ebffaa42SBen Gras }
842ebffaa42SBen Gras
843ebffaa42SBen Gras /*
844ebffaa42SBen Gras * Bit reverse, then initial permutation, then expansion.
845ebffaa42SBen Gras */
846ebffaa42SBen Gras for (i = 0; i < 8; i++) {
847ebffaa42SBen Gras for (j = 0; j < 8; j++) {
848ebffaa42SBen Gras k = (j < 2)? 0: IP[ExpandTr[i*6+j-2]-1];
849ebffaa42SBen Gras if (k > 32)
850ebffaa42SBen Gras k -= 32;
851ebffaa42SBen Gras else if (k > 0)
852ebffaa42SBen Gras k--;
853ebffaa42SBen Gras if (k > 0) {
854ebffaa42SBen Gras k--;
855ebffaa42SBen Gras k = (k|07) - (k&07);
856ebffaa42SBen Gras k++;
857ebffaa42SBen Gras }
858ebffaa42SBen Gras perm[i*8+j] = k;
859ebffaa42SBen Gras }
860ebffaa42SBen Gras }
861ebffaa42SBen Gras #ifdef DEBUG
862ebffaa42SBen Gras prtab("ietab", perm, 8);
863ebffaa42SBen Gras #endif
864ebffaa42SBen Gras init_perm(IE3264, perm, 4, 8);
865ebffaa42SBen Gras
866ebffaa42SBen Gras /*
867ebffaa42SBen Gras * Compression, then final permutation, then bit reverse.
868ebffaa42SBen Gras */
869ebffaa42SBen Gras for (i = 0; i < 64; i++) {
870ebffaa42SBen Gras k = IP[CIFP[i]-1];
871ebffaa42SBen Gras if (k > 0) {
872ebffaa42SBen Gras k--;
873ebffaa42SBen Gras k = (k|07) - (k&07);
874ebffaa42SBen Gras k++;
875ebffaa42SBen Gras }
876ebffaa42SBen Gras perm[k-1] = i+1;
877ebffaa42SBen Gras }
878ebffaa42SBen Gras #ifdef DEBUG
879ebffaa42SBen Gras prtab("cftab", perm, 8);
880ebffaa42SBen Gras #endif
881ebffaa42SBen Gras init_perm(CF6464, perm, 8, 8);
882ebffaa42SBen Gras
883ebffaa42SBen Gras /*
884ebffaa42SBen Gras * SPE table
885ebffaa42SBen Gras */
886ebffaa42SBen Gras for (i = 0; i < 48; i++)
887ebffaa42SBen Gras perm[i] = P32Tr[ExpandTr[i]-1];
888ebffaa42SBen Gras for (tableno = 0; tableno < 8; tableno++) {
889ebffaa42SBen Gras for (j = 0; j < 64; j++) {
890ebffaa42SBen Gras k = (((j >> 0) &01) << 5)|
891ebffaa42SBen Gras (((j >> 1) &01) << 3)|
892ebffaa42SBen Gras (((j >> 2) &01) << 2)|
893ebffaa42SBen Gras (((j >> 3) &01) << 1)|
894ebffaa42SBen Gras (((j >> 4) &01) << 0)|
895ebffaa42SBen Gras (((j >> 5) &01) << 4);
896ebffaa42SBen Gras k = S[tableno][k];
897ebffaa42SBen Gras k = (((k >> 3)&01) << 0)|
898ebffaa42SBen Gras (((k >> 2)&01) << 1)|
899ebffaa42SBen Gras (((k >> 1)&01) << 2)|
900ebffaa42SBen Gras (((k >> 0)&01) << 3);
901ebffaa42SBen Gras for (i = 0; i < 32; i++)
902ebffaa42SBen Gras tmp32[i] = 0;
903ebffaa42SBen Gras for (i = 0; i < 4; i++)
904ebffaa42SBen Gras tmp32[4 * tableno + i] = (k >> i) & 01;
905ebffaa42SBen Gras k = 0;
906ebffaa42SBen Gras for (i = 24; --i >= 0; )
907ebffaa42SBen Gras k = (k<<1) | tmp32[perm[i]-1];
908ebffaa42SBen Gras TO_SIX_BIT(SPE[0][tableno][j], k);
909ebffaa42SBen Gras k = 0;
910ebffaa42SBen Gras for (i = 24; --i >= 0; )
911ebffaa42SBen Gras k = (k<<1) | tmp32[perm[i+24]-1];
912ebffaa42SBen Gras TO_SIX_BIT(SPE[1][tableno][j], k);
913ebffaa42SBen Gras }
914ebffaa42SBen Gras }
915ebffaa42SBen Gras }
916ebffaa42SBen Gras
917ebffaa42SBen Gras /*
918ebffaa42SBen Gras * Initialize "perm" to represent transformation "p", which rearranges
919ebffaa42SBen Gras * (perhaps with expansion and/or contraction) one packed array of bits
920ebffaa42SBen Gras * (of size "chars_in" characters) into another array (of size "chars_out"
921ebffaa42SBen Gras * characters).
922ebffaa42SBen Gras *
923ebffaa42SBen Gras * "perm" must be all-zeroes on entry to this routine.
924ebffaa42SBen Gras */
925ebffaa42SBen Gras STATIC
init_perm(C_block perm[64/CHUNKBITS][1<<CHUNKBITS],const unsigned char p[64],int chars_in,int chars_out)926ebffaa42SBen Gras init_perm(C_block perm[64/CHUNKBITS][1<<CHUNKBITS], const unsigned char p[64],
927ebffaa42SBen Gras int chars_in, int chars_out)
928ebffaa42SBen Gras {
929ebffaa42SBen Gras int i, j, k, l;
930ebffaa42SBen Gras
931ebffaa42SBen Gras for (k = 0; k < chars_out*8; k++) { /* each output bit position */
932ebffaa42SBen Gras l = p[k] - 1; /* where this bit comes from */
933ebffaa42SBen Gras if (l < 0)
934ebffaa42SBen Gras continue; /* output bit is always 0 */
935ebffaa42SBen Gras i = l>>LGCHUNKBITS; /* which chunk this bit comes from */
936ebffaa42SBen Gras l = 1<<(l&(CHUNKBITS-1)); /* mask for this bit */
937ebffaa42SBen Gras for (j = 0; j < (1<<CHUNKBITS); j++) { /* each chunk value */
938ebffaa42SBen Gras if ((j & l) != 0)
939ebffaa42SBen Gras perm[i][j].b[k>>3] |= 1<<(k&07);
940ebffaa42SBen Gras }
941ebffaa42SBen Gras }
942ebffaa42SBen Gras }
943ebffaa42SBen Gras
944ebffaa42SBen Gras /*
945ebffaa42SBen Gras * "setkey" routine (for backwards compatibility)
946ebffaa42SBen Gras */
947ebffaa42SBen Gras int
setkey(const char * key)948ebffaa42SBen Gras setkey(const char *key)
949ebffaa42SBen Gras {
950ebffaa42SBen Gras int i, j, k;
951ebffaa42SBen Gras C_block keyblock;
952ebffaa42SBen Gras
953ebffaa42SBen Gras for (i = 0; i < 8; i++) {
954ebffaa42SBen Gras k = 0;
955ebffaa42SBen Gras for (j = 0; j < 8; j++) {
956ebffaa42SBen Gras k <<= 1;
957ebffaa42SBen Gras k |= (unsigned char)*key++;
958ebffaa42SBen Gras }
959ebffaa42SBen Gras keyblock.b[i] = k;
960ebffaa42SBen Gras }
961ebffaa42SBen Gras return (des_setkey((char *)keyblock.b));
962ebffaa42SBen Gras }
963ebffaa42SBen Gras
964ebffaa42SBen Gras /*
965ebffaa42SBen Gras * "encrypt" routine (for backwards compatibility)
966ebffaa42SBen Gras */
967ebffaa42SBen Gras int
encrypt(char * block,int flag)968ebffaa42SBen Gras encrypt(char *block, int flag)
969ebffaa42SBen Gras {
970ebffaa42SBen Gras int i, j, k;
971ebffaa42SBen Gras C_block cblock;
972ebffaa42SBen Gras
973ebffaa42SBen Gras for (i = 0; i < 8; i++) {
974ebffaa42SBen Gras k = 0;
975ebffaa42SBen Gras for (j = 0; j < 8; j++) {
976ebffaa42SBen Gras k <<= 1;
977ebffaa42SBen Gras k |= (unsigned char)*block++;
978ebffaa42SBen Gras }
979ebffaa42SBen Gras cblock.b[i] = k;
980ebffaa42SBen Gras }
981ebffaa42SBen Gras if (des_cipher((char *)&cblock, (char *)&cblock, 0L, (flag ? -1: 1)))
982ebffaa42SBen Gras return (1);
983ebffaa42SBen Gras for (i = 7; i >= 0; i--) {
984ebffaa42SBen Gras k = cblock.b[i];
985ebffaa42SBen Gras for (j = 7; j >= 0; j--) {
986ebffaa42SBen Gras *--block = k&01;
987ebffaa42SBen Gras k >>= 1;
988ebffaa42SBen Gras }
989ebffaa42SBen Gras }
990ebffaa42SBen Gras return (0);
991ebffaa42SBen Gras }
992ebffaa42SBen Gras
993ebffaa42SBen Gras #ifdef DEBUG
994ebffaa42SBen Gras STATIC
prtab(const char * s,unsigned char * t,int num_rows)995ebffaa42SBen Gras prtab(const char *s, unsigned char *t, int num_rows)
996ebffaa42SBen Gras {
997ebffaa42SBen Gras int i, j;
998ebffaa42SBen Gras
999ebffaa42SBen Gras (void)printf("%s:\n", s);
1000ebffaa42SBen Gras for (i = 0; i < num_rows; i++) {
1001ebffaa42SBen Gras for (j = 0; j < 8; j++) {
1002ebffaa42SBen Gras (void)printf("%3d", t[i*8+j]);
1003ebffaa42SBen Gras }
1004ebffaa42SBen Gras (void)printf("\n");
1005ebffaa42SBen Gras }
1006ebffaa42SBen Gras (void)printf("\n");
1007ebffaa42SBen Gras }
1008ebffaa42SBen Gras #endif
1009ebffaa42SBen Gras
1010ebffaa42SBen Gras #if defined(MAIN) || defined(UNIT_TEST)
1011ebffaa42SBen Gras #include <err.h>
1012ebffaa42SBen Gras
1013ebffaa42SBen Gras int
main(int argc,char * argv[])1014ebffaa42SBen Gras main(int argc, char *argv[])
1015ebffaa42SBen Gras {
1016*0a6a1f1dSLionel Sambuc if (argc < 2) {
1017*0a6a1f1dSLionel Sambuc fprintf(stderr, "Usage: %s password [salt]\n", getprogname());
1018*0a6a1f1dSLionel Sambuc return EXIT_FAILURE;
1019*0a6a1f1dSLionel Sambuc }
1020ebffaa42SBen Gras
1021ebffaa42SBen Gras printf("%s\n", crypt(argv[1], (argc > 2) ? argv[2] : argv[1]));
1022*0a6a1f1dSLionel Sambuc return EXIT_SUCCESS;
1023ebffaa42SBen Gras }
1024ebffaa42SBen Gras #endif
1025