1 /* $OpenBSD: crypt.c,v 1.22 2014/05/17 13:27:55 tedu Exp $ */ 2 3 /* 4 * FreeSec: libcrypt 5 * 6 * Copyright (c) 1994 David Burren 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 4. Neither the name of the author nor the names of other contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 * 33 * 34 * This is an original implementation of the DES and the crypt(3) interfaces 35 * by David Burren <davidb@werj.com.au>. 36 * 37 * An excellent reference on the underlying algorithm (and related 38 * algorithms) is: 39 * 40 * B. Schneier, Applied Cryptography: protocols, algorithms, 41 * and source code in C, John Wiley & Sons, 1994. 42 * 43 * Note that in that book's description of DES the lookups for the initial, 44 * pbox, and final permutations are inverted (this has been brought to the 45 * attention of the author). A list of errata for this book has been 46 * posted to the sci.crypt newsgroup by the author and is available for FTP. 47 */ 48 49 #include <sys/types.h> 50 #include <sys/param.h> 51 #include <pwd.h> 52 #include <unistd.h> 53 #include <string.h> 54 55 #ifdef DEBUG 56 # include <stdio.h> 57 #endif 58 59 static const u_char IP[64] = { 60 58, 50, 42, 34, 26, 18, 10, 2, 60, 52, 44, 36, 28, 20, 12, 4, 61 62, 54, 46, 38, 30, 22, 14, 6, 64, 56, 48, 40, 32, 24, 16, 8, 62 57, 49, 41, 33, 25, 17, 9, 1, 59, 51, 43, 35, 27, 19, 11, 3, 63 61, 53, 45, 37, 29, 21, 13, 5, 63, 55, 47, 39, 31, 23, 15, 7 64 }; 65 66 static u_char inv_key_perm[64]; 67 static u_char u_key_perm[56]; 68 static u_char const key_perm[56] = { 69 57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18, 70 10, 2, 59, 51, 43, 35, 27, 19, 11, 3, 60, 52, 44, 36, 71 63, 55, 47, 39, 31, 23, 15, 7, 62, 54, 46, 38, 30, 22, 72 14, 6, 61, 53, 45, 37, 29, 21, 13, 5, 28, 20, 12, 4 73 }; 74 75 static const u_char key_shifts[16] = { 76 1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1 77 }; 78 79 static u_char inv_comp_perm[56]; 80 static const u_char comp_perm[48] = { 81 14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10, 82 23, 19, 12, 4, 26, 8, 16, 7, 27, 20, 13, 2, 83 41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48, 84 44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32 85 }; 86 87 /* 88 * No E box is used, as it's replaced by some ANDs, shifts, and ORs. 89 */ 90 91 static u_char u_sbox[8][64]; 92 static const u_char sbox[8][64] = { 93 { 94 14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7, 95 0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8, 96 4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0, 97 15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13 98 }, 99 { 100 15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10, 101 3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5, 102 0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15, 103 13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9 104 }, 105 { 106 10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8, 107 13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1, 108 13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7, 109 1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12 110 }, 111 { 112 7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15, 113 13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9, 114 10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4, 115 3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14 116 }, 117 { 118 2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9, 119 14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6, 120 4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14, 121 11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3 122 }, 123 { 124 12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11, 125 10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8, 126 9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6, 127 4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13 128 }, 129 { 130 4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1, 131 13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6, 132 1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2, 133 6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12 134 }, 135 { 136 13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7, 137 1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2, 138 7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8, 139 2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11 140 } 141 }; 142 143 static u_char un_pbox[32]; 144 static const u_char pbox[32] = { 145 16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10, 146 2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25 147 }; 148 149 const u_int32_t _des_bits32[32] = 150 { 151 0x80000000, 0x40000000, 0x20000000, 0x10000000, 152 0x08000000, 0x04000000, 0x02000000, 0x01000000, 153 0x00800000, 0x00400000, 0x00200000, 0x00100000, 154 0x00080000, 0x00040000, 0x00020000, 0x00010000, 155 0x00008000, 0x00004000, 0x00002000, 0x00001000, 156 0x00000800, 0x00000400, 0x00000200, 0x00000100, 157 0x00000080, 0x00000040, 0x00000020, 0x00000010, 158 0x00000008, 0x00000004, 0x00000002, 0x00000001 159 }; 160 161 const u_char _des_bits8[8] = { 0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02, 0x01 }; 162 163 static const u_int32_t *bits28, *bits24; 164 static u_char init_perm[64], final_perm[64]; 165 static u_int32_t en_keysl[16], en_keysr[16]; 166 static u_int32_t de_keysl[16], de_keysr[16]; 167 int _des_initialised = 0; 168 static u_char m_sbox[4][4096]; 169 static u_int32_t psbox[4][256]; 170 static u_int32_t ip_maskl[8][256], ip_maskr[8][256]; 171 static u_int32_t fp_maskl[8][256], fp_maskr[8][256]; 172 static u_int32_t key_perm_maskl[8][128], key_perm_maskr[8][128]; 173 static u_int32_t comp_maskl[8][128], comp_maskr[8][128]; 174 static u_int32_t old_rawkey0, old_rawkey1; 175 176 static u_char ascii64[] = 177 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; 178 /* 0000000000111111111122222222223333333333444444444455555555556666 */ 179 /* 0123456789012345678901234567890123456789012345678901234567890123 */ 180 181 static __inline int 182 ascii_to_bin(char ch) 183 { 184 if (ch > 'z') 185 return(0); 186 if (ch >= 'a') 187 return(ch - 'a' + 38); 188 if (ch > 'Z') 189 return(0); 190 if (ch >= 'A') 191 return(ch - 'A' + 12); 192 if (ch > '9') 193 return(0); 194 if (ch >= '.') 195 return(ch - '.'); 196 return(0); 197 } 198 199 void 200 _des_init(void) 201 { 202 int i, j, b, k, inbit, obit; 203 u_int32_t *p, *il, *ir, *fl, *fr; 204 205 old_rawkey0 = old_rawkey1 = 0; 206 bits24 = (bits28 = _des_bits32 + 4) + 4; 207 208 /* 209 * Invert the S-boxes, reordering the input bits. 210 */ 211 for (i = 0; i < 8; i++) 212 for (j = 0; j < 64; j++) { 213 b = (j & 0x20) | ((j & 1) << 4) | ((j >> 1) & 0xf); 214 u_sbox[i][j] = sbox[i][b]; 215 } 216 217 /* 218 * Convert the inverted S-boxes into 4 arrays of 8 bits. 219 * Each will handle 12 bits of the S-box input. 220 */ 221 for (b = 0; b < 4; b++) 222 for (i = 0; i < 64; i++) 223 for (j = 0; j < 64; j++) 224 m_sbox[b][(i << 6) | j] = 225 (u_sbox[(b << 1)][i] << 4) | 226 u_sbox[(b << 1) + 1][j]; 227 228 /* 229 * Set up the initial & final permutations into a useful form, and 230 * initialise the inverted key permutation. 231 */ 232 for (i = 0; i < 64; i++) { 233 init_perm[final_perm[i] = IP[i] - 1] = i; 234 inv_key_perm[i] = 255; 235 } 236 237 /* 238 * Invert the key permutation and initialise the inverted key 239 * compression permutation. 240 */ 241 for (i = 0; i < 56; i++) { 242 u_key_perm[i] = key_perm[i] - 1; 243 inv_key_perm[key_perm[i] - 1] = i; 244 inv_comp_perm[i] = 255; 245 } 246 247 /* 248 * Invert the key compression permutation. 249 */ 250 for (i = 0; i < 48; i++) { 251 inv_comp_perm[comp_perm[i] - 1] = i; 252 } 253 254 /* 255 * Set up the OR-mask arrays for the initial and final permutations, 256 * and for the key initial and compression permutations. 257 */ 258 for (k = 0; k < 8; k++) { 259 for (i = 0; i < 256; i++) { 260 *(il = &ip_maskl[k][i]) = 0; 261 *(ir = &ip_maskr[k][i]) = 0; 262 *(fl = &fp_maskl[k][i]) = 0; 263 *(fr = &fp_maskr[k][i]) = 0; 264 for (j = 0; j < 8; j++) { 265 inbit = 8 * k + j; 266 if (i & _des_bits8[j]) { 267 if ((obit = init_perm[inbit]) < 32) 268 *il |= _des_bits32[obit]; 269 else 270 *ir |= _des_bits32[obit-32]; 271 if ((obit = final_perm[inbit]) < 32) 272 *fl |= _des_bits32[obit]; 273 else 274 *fr |= _des_bits32[obit - 32]; 275 } 276 } 277 } 278 for (i = 0; i < 128; i++) { 279 *(il = &key_perm_maskl[k][i]) = 0; 280 *(ir = &key_perm_maskr[k][i]) = 0; 281 for (j = 0; j < 7; j++) { 282 inbit = 8 * k + j; 283 if (i & _des_bits8[j + 1]) { 284 if ((obit = inv_key_perm[inbit]) == 255) 285 continue; 286 if (obit < 28) 287 *il |= bits28[obit]; 288 else 289 *ir |= bits28[obit - 28]; 290 } 291 } 292 *(il = &comp_maskl[k][i]) = 0; 293 *(ir = &comp_maskr[k][i]) = 0; 294 for (j = 0; j < 7; j++) { 295 inbit = 7 * k + j; 296 if (i & _des_bits8[j + 1]) { 297 if ((obit=inv_comp_perm[inbit]) == 255) 298 continue; 299 if (obit < 24) 300 *il |= bits24[obit]; 301 else 302 *ir |= bits24[obit - 24]; 303 } 304 } 305 } 306 } 307 308 /* 309 * Invert the P-box permutation, and convert into OR-masks for 310 * handling the output of the S-box arrays setup above. 311 */ 312 for (i = 0; i < 32; i++) 313 un_pbox[pbox[i] - 1] = i; 314 315 for (b = 0; b < 4; b++) 316 for (i = 0; i < 256; i++) { 317 *(p = &psbox[b][i]) = 0; 318 for (j = 0; j < 8; j++) { 319 if (i & _des_bits8[j]) 320 *p |= _des_bits32[un_pbox[8 * b + j]]; 321 } 322 } 323 324 _des_initialised = 1; 325 } 326 327 u_int32_t 328 _des_setup_salt(int32_t salt) 329 { 330 u_int32_t obit, saltbit, saltbits; 331 int i; 332 333 saltbits = 0; 334 saltbit = 1; 335 obit = 0x800000; 336 for (i = 0; i < 24; i++) { 337 if (salt & saltbit) 338 saltbits |= obit; 339 saltbit <<= 1; 340 obit >>= 1; 341 } 342 return saltbits; 343 } 344 345 int 346 des_setkey(const char *key) 347 { 348 u_int32_t k0, k1, rawkey0, rawkey1; 349 int shifts, round; 350 351 if (!_des_initialised) 352 _des_init(); 353 354 rawkey0 = ntohl(*(u_int32_t *) key); 355 rawkey1 = ntohl(*(u_int32_t *) (key + 4)); 356 357 if ((rawkey0 | rawkey1) 358 && rawkey0 == old_rawkey0 359 && rawkey1 == old_rawkey1) { 360 /* 361 * Already setup for this key. 362 * This optimisation fails on a zero key (which is weak and 363 * has bad parity anyway) in order to simplify the starting 364 * conditions. 365 */ 366 return(0); 367 } 368 old_rawkey0 = rawkey0; 369 old_rawkey1 = rawkey1; 370 371 /* 372 * Do key permutation and split into two 28-bit subkeys. 373 */ 374 k0 = key_perm_maskl[0][rawkey0 >> 25] 375 | key_perm_maskl[1][(rawkey0 >> 17) & 0x7f] 376 | key_perm_maskl[2][(rawkey0 >> 9) & 0x7f] 377 | key_perm_maskl[3][(rawkey0 >> 1) & 0x7f] 378 | key_perm_maskl[4][rawkey1 >> 25] 379 | key_perm_maskl[5][(rawkey1 >> 17) & 0x7f] 380 | key_perm_maskl[6][(rawkey1 >> 9) & 0x7f] 381 | key_perm_maskl[7][(rawkey1 >> 1) & 0x7f]; 382 k1 = key_perm_maskr[0][rawkey0 >> 25] 383 | key_perm_maskr[1][(rawkey0 >> 17) & 0x7f] 384 | key_perm_maskr[2][(rawkey0 >> 9) & 0x7f] 385 | key_perm_maskr[3][(rawkey0 >> 1) & 0x7f] 386 | key_perm_maskr[4][rawkey1 >> 25] 387 | key_perm_maskr[5][(rawkey1 >> 17) & 0x7f] 388 | key_perm_maskr[6][(rawkey1 >> 9) & 0x7f] 389 | key_perm_maskr[7][(rawkey1 >> 1) & 0x7f]; 390 /* 391 * Rotate subkeys and do compression permutation. 392 */ 393 shifts = 0; 394 for (round = 0; round < 16; round++) { 395 u_int32_t t0, t1; 396 397 shifts += key_shifts[round]; 398 399 t0 = (k0 << shifts) | (k0 >> (28 - shifts)); 400 t1 = (k1 << shifts) | (k1 >> (28 - shifts)); 401 402 de_keysl[15 - round] = 403 en_keysl[round] = comp_maskl[0][(t0 >> 21) & 0x7f] 404 | comp_maskl[1][(t0 >> 14) & 0x7f] 405 | comp_maskl[2][(t0 >> 7) & 0x7f] 406 | comp_maskl[3][t0 & 0x7f] 407 | comp_maskl[4][(t1 >> 21) & 0x7f] 408 | comp_maskl[5][(t1 >> 14) & 0x7f] 409 | comp_maskl[6][(t1 >> 7) & 0x7f] 410 | comp_maskl[7][t1 & 0x7f]; 411 412 de_keysr[15 - round] = 413 en_keysr[round] = comp_maskr[0][(t0 >> 21) & 0x7f] 414 | comp_maskr[1][(t0 >> 14) & 0x7f] 415 | comp_maskr[2][(t0 >> 7) & 0x7f] 416 | comp_maskr[3][t0 & 0x7f] 417 | comp_maskr[4][(t1 >> 21) & 0x7f] 418 | comp_maskr[5][(t1 >> 14) & 0x7f] 419 | comp_maskr[6][(t1 >> 7) & 0x7f] 420 | comp_maskr[7][t1 & 0x7f]; 421 } 422 return(0); 423 } 424 425 int 426 _des_do_des(u_int32_t l_in, u_int32_t r_in, u_int32_t *l_out, u_int32_t *r_out, 427 int count, u_int32_t saltbits) 428 { 429 /* 430 * l_in, r_in, l_out, and r_out are in pseudo-"big-endian" format. 431 */ 432 u_int32_t l, r, *kl, *kr, *kl1, *kr1; 433 u_int32_t f, r48l, r48r; 434 int round; 435 436 if (count == 0) { 437 return(1); 438 } else if (count > 0) { 439 /* 440 * Encrypting 441 */ 442 kl1 = en_keysl; 443 kr1 = en_keysr; 444 } else { 445 /* 446 * Decrypting 447 */ 448 count = -count; 449 kl1 = de_keysl; 450 kr1 = de_keysr; 451 } 452 453 /* 454 * Do initial permutation (IP). 455 */ 456 l = ip_maskl[0][l_in >> 24] 457 | ip_maskl[1][(l_in >> 16) & 0xff] 458 | ip_maskl[2][(l_in >> 8) & 0xff] 459 | ip_maskl[3][l_in & 0xff] 460 | ip_maskl[4][r_in >> 24] 461 | ip_maskl[5][(r_in >> 16) & 0xff] 462 | ip_maskl[6][(r_in >> 8) & 0xff] 463 | ip_maskl[7][r_in & 0xff]; 464 r = ip_maskr[0][l_in >> 24] 465 | ip_maskr[1][(l_in >> 16) & 0xff] 466 | ip_maskr[2][(l_in >> 8) & 0xff] 467 | ip_maskr[3][l_in & 0xff] 468 | ip_maskr[4][r_in >> 24] 469 | ip_maskr[5][(r_in >> 16) & 0xff] 470 | ip_maskr[6][(r_in >> 8) & 0xff] 471 | ip_maskr[7][r_in & 0xff]; 472 473 while (count--) { 474 /* 475 * Do each round. 476 */ 477 kl = kl1; 478 kr = kr1; 479 round = 16; 480 while (round--) { 481 /* 482 * Expand R to 48 bits (simulate the E-box). 483 */ 484 r48l = ((r & 0x00000001) << 23) 485 | ((r & 0xf8000000) >> 9) 486 | ((r & 0x1f800000) >> 11) 487 | ((r & 0x01f80000) >> 13) 488 | ((r & 0x001f8000) >> 15); 489 490 r48r = ((r & 0x0001f800) << 7) 491 | ((r & 0x00001f80) << 5) 492 | ((r & 0x000001f8) << 3) 493 | ((r & 0x0000001f) << 1) 494 | ((r & 0x80000000) >> 31); 495 /* 496 * Do salting for crypt() and friends, and 497 * XOR with the permuted key. 498 */ 499 f = (r48l ^ r48r) & saltbits; 500 r48l ^= f ^ *kl++; 501 r48r ^= f ^ *kr++; 502 /* 503 * Do sbox lookups (which shrink it back to 32 bits) 504 * and do the pbox permutation at the same time. 505 */ 506 f = psbox[0][m_sbox[0][r48l >> 12]] 507 | psbox[1][m_sbox[1][r48l & 0xfff]] 508 | psbox[2][m_sbox[2][r48r >> 12]] 509 | psbox[3][m_sbox[3][r48r & 0xfff]]; 510 /* 511 * Now that we've permuted things, complete f(). 512 */ 513 f ^= l; 514 l = r; 515 r = f; 516 } 517 r = l; 518 l = f; 519 } 520 /* 521 * Do final permutation (inverse of IP). 522 */ 523 *l_out = fp_maskl[0][l >> 24] 524 | fp_maskl[1][(l >> 16) & 0xff] 525 | fp_maskl[2][(l >> 8) & 0xff] 526 | fp_maskl[3][l & 0xff] 527 | fp_maskl[4][r >> 24] 528 | fp_maskl[5][(r >> 16) & 0xff] 529 | fp_maskl[6][(r >> 8) & 0xff] 530 | fp_maskl[7][r & 0xff]; 531 *r_out = fp_maskr[0][l >> 24] 532 | fp_maskr[1][(l >> 16) & 0xff] 533 | fp_maskr[2][(l >> 8) & 0xff] 534 | fp_maskr[3][l & 0xff] 535 | fp_maskr[4][r >> 24] 536 | fp_maskr[5][(r >> 16) & 0xff] 537 | fp_maskr[6][(r >> 8) & 0xff] 538 | fp_maskr[7][r & 0xff]; 539 return(0); 540 } 541 542 int 543 des_cipher(const char *in, char *out, int32_t salt, int count) 544 { 545 u_int32_t l_out, r_out, rawl, rawr, saltbits; 546 u_int32_t x[2]; 547 int retval; 548 549 if (!_des_initialised) 550 _des_init(); 551 552 saltbits = _des_setup_salt(salt); 553 554 memcpy(x, in, sizeof x); 555 rawl = ntohl(x[0]); 556 rawr = ntohl(x[1]); 557 retval = _des_do_des(rawl, rawr, &l_out, &r_out, count, saltbits); 558 559 x[0] = htonl(l_out); 560 x[1] = htonl(r_out); 561 memcpy(out, x, sizeof x); 562 return(retval); 563 } 564 565 static int 566 crypt_hashpass(const char *key, const char *setting, char *output) 567 { 568 int i; 569 u_int32_t count, salt, l, r0, r1, saltbits, keybuf[2]; 570 u_char *p, *q; 571 572 if (!_des_initialised) 573 _des_init(); 574 575 /* 576 * Copy the key, shifting each character up by one bit 577 * and padding with zeros. 578 */ 579 q = (u_char *) keybuf; 580 while ((q - (u_char *) keybuf) < sizeof(keybuf)) { 581 if ((*q++ = *key << 1)) 582 key++; 583 } 584 if (des_setkey((char *) keybuf)) 585 return(-1); 586 587 if (*setting == _PASSWORD_EFMT1) { 588 /* 589 * "new"-style: 590 * setting - underscore, 4 bytes of count, 4 bytes of salt 591 * key - unlimited characters 592 */ 593 for (i = 1, count = 0; i < 5; i++) 594 count |= ascii_to_bin(setting[i]) << (i - 1) * 6; 595 596 for (i = 5, salt = 0; i < 9; i++) 597 salt |= ascii_to_bin(setting[i]) << (i - 5) * 6; 598 599 while (*key) { 600 /* 601 * Encrypt the key with itself. 602 */ 603 if (des_cipher((char *)keybuf, (char *)keybuf, 0, 1)) 604 return(-1); 605 /* 606 * And XOR with the next 8 characters of the key. 607 */ 608 q = (u_char *) keybuf; 609 while (((q - (u_char *) keybuf) < sizeof(keybuf)) && 610 *key) 611 *q++ ^= *key++ << 1; 612 613 if (des_setkey((char *) keybuf)) 614 return(-1); 615 } 616 strlcpy((char *)output, setting, 10); 617 618 /* 619 * Double check that we weren't given a short setting. 620 * If we were, the above code will probably have created 621 * weird values for count and salt, but we don't really care. 622 * Just make sure the output string doesn't have an extra 623 * NUL in it. 624 */ 625 p = output + strlen((const char *)output); 626 } else { 627 /* 628 * "old"-style: 629 * setting - 2 bytes of salt 630 * key - up to 8 characters 631 */ 632 count = 25; 633 634 salt = (ascii_to_bin(setting[1]) << 6) 635 | ascii_to_bin(setting[0]); 636 637 output[0] = setting[0]; 638 /* 639 * If the encrypted password that the salt was extracted from 640 * is only 1 character long, the salt will be corrupted. We 641 * need to ensure that the output string doesn't have an extra 642 * NUL in it! 643 */ 644 output[1] = setting[1] ? setting[1] : output[0]; 645 646 p = output + 2; 647 } 648 saltbits = _des_setup_salt(salt); 649 650 /* 651 * Do it. 652 */ 653 if (_des_do_des(0, 0, &r0, &r1, count, saltbits)) 654 return(-1); 655 /* 656 * Now encode the result... 657 */ 658 l = (r0 >> 8); 659 *p++ = ascii64[(l >> 18) & 0x3f]; 660 *p++ = ascii64[(l >> 12) & 0x3f]; 661 *p++ = ascii64[(l >> 6) & 0x3f]; 662 *p++ = ascii64[l & 0x3f]; 663 664 l = (r0 << 16) | ((r1 >> 16) & 0xffff); 665 *p++ = ascii64[(l >> 18) & 0x3f]; 666 *p++ = ascii64[(l >> 12) & 0x3f]; 667 *p++ = ascii64[(l >> 6) & 0x3f]; 668 *p++ = ascii64[l & 0x3f]; 669 670 l = r1 << 2; 671 *p++ = ascii64[(l >> 12) & 0x3f]; 672 *p++ = ascii64[(l >> 6) & 0x3f]; 673 *p++ = ascii64[l & 0x3f]; 674 *p = 0; 675 676 return(0); 677 } 678 679 char * 680 crypt(const char *key, const char *setting) 681 { 682 static u_char goutput[21]; 683 extern char *bcrypt(const char *, const char *); 684 685 if (setting[0] == '$') { 686 switch (setting[1]) { 687 case '2': 688 return bcrypt(key, setting); 689 default: 690 return (NULL); 691 } 692 } 693 694 memset(goutput, 0, sizeof(goutput)); 695 if (crypt_hashpass(key, setting, goutput) != 0) 696 return (NULL); 697 return goutput; 698 } 699