xref: /openbsd-src/lib/libc/crypt/crypt.c (revision a4afd6dad3fba28f80e70208181c06c482259988) 
1 /*
2  * FreeSec: libcrypt
3  *
4  * Copyright (c) 1994 David Burren
5  * All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  * 1. Redistributions of source code must retain the above copyright
11  *    notice, this list of conditions and the following disclaimer.
12  * 2. Redistributions in binary form must reproduce the above copyright
13  *    notice, this list of conditions and the following disclaimer in the
14  *    documentation and/or other materials provided with the distribution.
15  * 4. Neither the name of the author nor the names of other contributors
16  *    may be used to endorse or promote products derived from this software
17  *    without specific prior written permission.
18  *
19  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
20  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
23  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29  * SUCH DAMAGE.
30  *
31  *
32  * This is an original implementation of the DES and the crypt(3) interfaces
33  * by David Burren <davidb@werj.com.au>.
34  *
35  * An excellent reference on the underlying algorithm (and related
36  * algorithms) is:
37  *
38  *	B. Schneier, Applied Cryptography: protocols, algorithms,
39  *	and source code in C, John Wiley & Sons, 1994.
40  *
41  * Note that in that book's description of DES the lookups for the initial,
42  * pbox, and final permutations are inverted (this has been brought to the
43  * attention of the author).  A list of errata for this book has been
44  * posted to the sci.crypt newsgroup by the author and is available for FTP.
45  *
46  * NOTE:
47  * This file has a static version of des_setkey() so that crypt.o exports
48  * only the crypt() interface. This is required to make binaries linked
49  * against crypt.o exportable or re-exportable from the USA.
50  */
51 
52 #if defined(LIBC_SCCS) && !defined(lint)
53 static char rcsid[] = "$OpenBSD: crypt.c,v 1.6 1996/08/19 08:19:49 tholo Exp $";
54 #endif /* LIBC_SCCS and not lint */
55 
56 #include <sys/types.h>
57 #include <sys/param.h>
58 #include <pwd.h>
59 #include <string.h>
60 
61 #ifdef DEBUG
62 # include <stdio.h>
63 #endif
64 
65 static u_char	IP[64] = {
66 	58, 50, 42, 34, 26, 18, 10,  2, 60, 52, 44, 36, 28, 20, 12,  4,
67 	62, 54, 46, 38, 30, 22, 14,  6, 64, 56, 48, 40, 32, 24, 16,  8,
68 	57, 49, 41, 33, 25, 17,  9,  1, 59, 51, 43, 35, 27, 19, 11,  3,
69 	61, 53, 45, 37, 29, 21, 13,  5, 63, 55, 47, 39, 31, 23, 15,  7
70 };
71 
72 static u_char	inv_key_perm[64];
73 static u_char	u_key_perm[56];
74 static u_char	key_perm[56] = {
75 	57, 49, 41, 33, 25, 17,  9,  1, 58, 50, 42, 34, 26, 18,
76 	10,  2, 59, 51, 43, 35, 27, 19, 11,  3, 60, 52, 44, 36,
77 	63, 55, 47, 39, 31, 23, 15,  7, 62, 54, 46, 38, 30, 22,
78 	14,  6, 61, 53, 45, 37, 29, 21, 13,  5, 28, 20, 12,  4
79 };
80 
81 static u_char	key_shifts[16] = {
82 	1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1
83 };
84 
85 static u_char	inv_comp_perm[56];
86 static u_char	comp_perm[48] = {
87 	14, 17, 11, 24,  1,  5,  3, 28, 15,  6, 21, 10,
88 	23, 19, 12,  4, 26,  8, 16,  7, 27, 20, 13,  2,
89 	41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48,
90 	44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32
91 };
92 
93 /*
94  *	No E box is used, as it's replaced by some ANDs, shifts, and ORs.
95  */
96 
97 static u_char	u_sbox[8][64];
98 static u_char	sbox[8][64] = {
99 	{
100 		14,  4, 13,  1,  2, 15, 11,  8,  3, 10,  6, 12,  5,  9,  0,  7,
101 		 0, 15,  7,  4, 14,  2, 13,  1, 10,  6, 12, 11,  9,  5,  3,  8,
102 		 4,  1, 14,  8, 13,  6,  2, 11, 15, 12,  9,  7,  3, 10,  5,  0,
103 		15, 12,  8,  2,  4,  9,  1,  7,  5, 11,  3, 14, 10,  0,  6, 13
104 	},
105 	{
106 		15,  1,  8, 14,  6, 11,  3,  4,  9,  7,  2, 13, 12,  0,  5, 10,
107 		 3, 13,  4,  7, 15,  2,  8, 14, 12,  0,  1, 10,  6,  9, 11,  5,
108 		 0, 14,  7, 11, 10,  4, 13,  1,  5,  8, 12,  6,  9,  3,  2, 15,
109 		13,  8, 10,  1,  3, 15,  4,  2, 11,  6,  7, 12,  0,  5, 14,  9
110 	},
111 	{
112 		10,  0,  9, 14,  6,  3, 15,  5,  1, 13, 12,  7, 11,  4,  2,  8,
113 		13,  7,  0,  9,  3,  4,  6, 10,  2,  8,  5, 14, 12, 11, 15,  1,
114 		13,  6,  4,  9,  8, 15,  3,  0, 11,  1,  2, 12,  5, 10, 14,  7,
115 		 1, 10, 13,  0,  6,  9,  8,  7,  4, 15, 14,  3, 11,  5,  2, 12
116 	},
117 	{
118 		 7, 13, 14,  3,  0,  6,  9, 10,  1,  2,  8,  5, 11, 12,  4, 15,
119 		13,  8, 11,  5,  6, 15,  0,  3,  4,  7,  2, 12,  1, 10, 14,  9,
120 		10,  6,  9,  0, 12, 11,  7, 13, 15,  1,  3, 14,  5,  2,  8,  4,
121 		 3, 15,  0,  6, 10,  1, 13,  8,  9,  4,  5, 11, 12,  7,  2, 14
122 	},
123 	{
124 		 2, 12,  4,  1,  7, 10, 11,  6,  8,  5,  3, 15, 13,  0, 14,  9,
125 		14, 11,  2, 12,  4,  7, 13,  1,  5,  0, 15, 10,  3,  9,  8,  6,
126 		 4,  2,  1, 11, 10, 13,  7,  8, 15,  9, 12,  5,  6,  3,  0, 14,
127 		11,  8, 12,  7,  1, 14,  2, 13,  6, 15,  0,  9, 10,  4,  5,  3
128 	},
129 	{
130 		12,  1, 10, 15,  9,  2,  6,  8,  0, 13,  3,  4, 14,  7,  5, 11,
131 		10, 15,  4,  2,  7, 12,  9,  5,  6,  1, 13, 14,  0, 11,  3,  8,
132 		 9, 14, 15,  5,  2,  8, 12,  3,  7,  0,  4, 10,  1, 13, 11,  6,
133 		 4,  3,  2, 12,  9,  5, 15, 10, 11, 14,  1,  7,  6,  0,  8, 13
134 	},
135 	{
136 		 4, 11,  2, 14, 15,  0,  8, 13,  3, 12,  9,  7,  5, 10,  6,  1,
137 		13,  0, 11,  7,  4,  9,  1, 10, 14,  3,  5, 12,  2, 15,  8,  6,
138 		 1,  4, 11, 13, 12,  3,  7, 14, 10, 15,  6,  8,  0,  5,  9,  2,
139 		 6, 11, 13,  8,  1,  4, 10,  7,  9,  5,  0, 15, 14,  2,  3, 12
140 	},
141 	{
142 		13,  2,  8,  4,  6, 15, 11,  1, 10,  9,  3, 14,  5,  0, 12,  7,
143 		 1, 15, 13,  8, 10,  3,  7,  4, 12,  5,  6, 11,  0, 14,  9,  2,
144 		 7, 11,  4,  1,  9, 12, 14,  2,  0,  6, 10, 13, 15,  3,  5,  8,
145 		 2,  1, 14,  7,  4, 10,  8, 13, 15, 12,  9,  0,  3,  5,  6, 11
146 	}
147 };
148 
149 static u_char	un_pbox[32];
150 static u_char	pbox[32] = {
151 	16,  7, 20, 21, 29, 12, 28, 17,  1, 15, 23, 26,  5, 18, 31, 10,
152 	 2,  8, 24, 14, 32, 27,  3,  9, 19, 13, 30,  6, 22, 11,  4, 25
153 };
154 
155 static u_int32_t bits32[32] =
156 {
157 	0x80000000, 0x40000000, 0x20000000, 0x10000000,
158 	0x08000000, 0x04000000, 0x02000000, 0x01000000,
159 	0x00800000, 0x00400000, 0x00200000, 0x00100000,
160 	0x00080000, 0x00040000, 0x00020000, 0x00010000,
161 	0x00008000, 0x00004000, 0x00002000, 0x00001000,
162 	0x00000800, 0x00000400, 0x00000200, 0x00000100,
163 	0x00000080, 0x00000040, 0x00000020, 0x00000010,
164 	0x00000008, 0x00000004, 0x00000002, 0x00000001
165 };
166 
167 static u_char	bits8[8] = { 0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02, 0x01 };
168 
169 static u_int32_t saltbits;
170 static int32_t	old_salt;
171 static u_int32_t *bits28, *bits24;
172 static u_char	init_perm[64], final_perm[64];
173 static u_int32_t en_keysl[16], en_keysr[16];
174 static u_int32_t de_keysl[16], de_keysr[16];
175 static int	des_initialised = 0;
176 static u_char	m_sbox[4][4096];
177 static u_int32_t psbox[4][256];
178 static u_int32_t ip_maskl[8][256], ip_maskr[8][256];
179 static u_int32_t fp_maskl[8][256], fp_maskr[8][256];
180 static u_int32_t key_perm_maskl[8][128], key_perm_maskr[8][128];
181 static u_int32_t comp_maskl[8][128], comp_maskr[8][128];
182 static u_int32_t old_rawkey0, old_rawkey1;
183 
184 static u_char	ascii64[] =
185 	 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
186 /*	  0000000000111111111122222222223333333333444444444455555555556666 */
187 /*	  0123456789012345678901234567890123456789012345678901234567890123 */
188 
189 static __inline int
190 ascii_to_bin(ch)
191 	char ch;
192 {
193 	if (ch > 'z')
194 		return(0);
195 	if (ch >= 'a')
196 		return(ch - 'a' + 38);
197 	if (ch > 'Z')
198 		return(0);
199 	if (ch >= 'A')
200 		return(ch - 'A' + 12);
201 	if (ch > '9')
202 		return(0);
203 	if (ch >= '.')
204 		return(ch - '.');
205 	return(0);
206 }
207 
208 static void
209 des_init()
210 {
211 	int	i, j, b, k, inbit, obit;
212 	u_int32_t	*p, *il, *ir, *fl, *fr;
213 
214 	old_rawkey0 = old_rawkey1 = 0;
215 	saltbits = 0;
216 	old_salt = 0;
217 	bits24 = (bits28 = bits32 + 4) + 4;
218 
219 	/*
220 	 * Invert the S-boxes, reordering the input bits.
221 	 */
222 	for (i = 0; i < 8; i++)
223 		for (j = 0; j < 64; j++) {
224 			b = (j & 0x20) | ((j & 1) << 4) | ((j >> 1) & 0xf);
225 			u_sbox[i][j] = sbox[i][b];
226 		}
227 
228 	/*
229 	 * Convert the inverted S-boxes into 4 arrays of 8 bits.
230 	 * Each will handle 12 bits of the S-box input.
231 	 */
232 	for (b = 0; b < 4; b++)
233 		for (i = 0; i < 64; i++)
234 			for (j = 0; j < 64; j++)
235 				m_sbox[b][(i << 6) | j] =
236 					(u_sbox[(b << 1)][i] << 4) |
237 					u_sbox[(b << 1) + 1][j];
238 
239 	/*
240 	 * Set up the initial & final permutations into a useful form, and
241 	 * initialise the inverted key permutation.
242 	 */
243 	for (i = 0; i < 64; i++) {
244 		init_perm[final_perm[i] = IP[i] - 1] = i;
245 		inv_key_perm[i] = 255;
246 	}
247 
248 	/*
249 	 * Invert the key permutation and initialise the inverted key
250 	 * compression permutation.
251 	 */
252 	for (i = 0; i < 56; i++) {
253 		u_key_perm[i] = key_perm[i] - 1;
254 		inv_key_perm[key_perm[i] - 1] = i;
255 		inv_comp_perm[i] = 255;
256 	}
257 
258 	/*
259 	 * Invert the key compression permutation.
260 	 */
261 	for (i = 0; i < 48; i++) {
262 		inv_comp_perm[comp_perm[i] - 1] = i;
263 	}
264 
265 	/*
266 	 * Set up the OR-mask arrays for the initial and final permutations,
267 	 * and for the key initial and compression permutations.
268 	 */
269 	for (k = 0; k < 8; k++) {
270 		for (i = 0; i < 256; i++) {
271 			*(il = &ip_maskl[k][i]) = 0;
272 			*(ir = &ip_maskr[k][i]) = 0;
273 			*(fl = &fp_maskl[k][i]) = 0;
274 			*(fr = &fp_maskr[k][i]) = 0;
275 			for (j = 0; j < 8; j++) {
276 				inbit = 8 * k + j;
277 				if (i & bits8[j]) {
278 					if ((obit = init_perm[inbit]) < 32)
279 						*il |= bits32[obit];
280 					else
281 						*ir |= bits32[obit-32];
282 					if ((obit = final_perm[inbit]) < 32)
283 						*fl |= bits32[obit];
284 					else
285 						*fr |= bits32[obit - 32];
286 				}
287 			}
288 		}
289 		for (i = 0; i < 128; i++) {
290 			*(il = &key_perm_maskl[k][i]) = 0;
291 			*(ir = &key_perm_maskr[k][i]) = 0;
292 			for (j = 0; j < 7; j++) {
293 				inbit = 8 * k + j;
294 				if (i & bits8[j + 1]) {
295 					if ((obit = inv_key_perm[inbit]) == 255)
296 						continue;
297 					if (obit < 28)
298 						*il |= bits28[obit];
299 					else
300 						*ir |= bits28[obit - 28];
301 				}
302 			}
303 			*(il = &comp_maskl[k][i]) = 0;
304 			*(ir = &comp_maskr[k][i]) = 0;
305 			for (j = 0; j < 7; j++) {
306 				inbit = 7 * k + j;
307 				if (i & bits8[j + 1]) {
308 					if ((obit=inv_comp_perm[inbit]) == 255)
309 						continue;
310 					if (obit < 24)
311 						*il |= bits24[obit];
312 					else
313 						*ir |= bits24[obit - 24];
314 				}
315 			}
316 		}
317 	}
318 
319 	/*
320 	 * Invert the P-box permutation, and convert into OR-masks for
321 	 * handling the output of the S-box arrays setup above.
322 	 */
323 	for (i = 0; i < 32; i++)
324 		un_pbox[pbox[i] - 1] = i;
325 
326 	for (b = 0; b < 4; b++)
327 		for (i = 0; i < 256; i++) {
328 			*(p = &psbox[b][i]) = 0;
329 			for (j = 0; j < 8; j++) {
330 				if (i & bits8[j])
331 					*p |= bits32[un_pbox[8 * b + j]];
332 			}
333 		}
334 
335 	des_initialised = 1;
336 }
337 
338 static void
339 setup_salt(salt)
340 	int32_t salt;
341 {
342 	u_int32_t	obit, saltbit;
343 	int	i;
344 
345 	if (salt == old_salt)
346 		return;
347 	old_salt = salt;
348 
349 	saltbits = 0;
350 	saltbit = 1;
351 	obit = 0x800000;
352 	for (i = 0; i < 24; i++) {
353 		if (salt & saltbit)
354 			saltbits |= obit;
355 		saltbit <<= 1;
356 		obit >>= 1;
357 	}
358 }
359 
360 static int
361 des_setkey(key)
362 	const char *key;
363 {
364 	u_int32_t k0, k1, rawkey0, rawkey1;
365 	int	shifts, round;
366 
367 	if (!des_initialised)
368 		des_init();
369 
370 	rawkey0 = ntohl(*(u_int32_t *) key);
371 	rawkey1 = ntohl(*(u_int32_t *) (key + 4));
372 
373 	if ((rawkey0 | rawkey1)
374 	    && rawkey0 == old_rawkey0
375 	    && rawkey1 == old_rawkey1) {
376 		/*
377 		 * Already setup for this key.
378 		 * This optimisation fails on a zero key (which is weak and
379 		 * has bad parity anyway) in order to simplify the starting
380 		 * conditions.
381 		 */
382 		return(0);
383 	}
384 	old_rawkey0 = rawkey0;
385 	old_rawkey1 = rawkey1;
386 
387 	/*
388 	 *	Do key permutation and split into two 28-bit subkeys.
389 	 */
390 	k0 = key_perm_maskl[0][rawkey0 >> 25]
391 	   | key_perm_maskl[1][(rawkey0 >> 17) & 0x7f]
392 	   | key_perm_maskl[2][(rawkey0 >> 9) & 0x7f]
393 	   | key_perm_maskl[3][(rawkey0 >> 1) & 0x7f]
394 	   | key_perm_maskl[4][rawkey1 >> 25]
395 	   | key_perm_maskl[5][(rawkey1 >> 17) & 0x7f]
396 	   | key_perm_maskl[6][(rawkey1 >> 9) & 0x7f]
397 	   | key_perm_maskl[7][(rawkey1 >> 1) & 0x7f];
398 	k1 = key_perm_maskr[0][rawkey0 >> 25]
399 	   | key_perm_maskr[1][(rawkey0 >> 17) & 0x7f]
400 	   | key_perm_maskr[2][(rawkey0 >> 9) & 0x7f]
401 	   | key_perm_maskr[3][(rawkey0 >> 1) & 0x7f]
402 	   | key_perm_maskr[4][rawkey1 >> 25]
403 	   | key_perm_maskr[5][(rawkey1 >> 17) & 0x7f]
404 	   | key_perm_maskr[6][(rawkey1 >> 9) & 0x7f]
405 	   | key_perm_maskr[7][(rawkey1 >> 1) & 0x7f];
406 	/*
407 	 *	Rotate subkeys and do compression permutation.
408 	 */
409 	shifts = 0;
410 	for (round = 0; round < 16; round++) {
411 		u_int32_t	t0, t1;
412 
413 		shifts += key_shifts[round];
414 
415 		t0 = (k0 << shifts) | (k0 >> (28 - shifts));
416 		t1 = (k1 << shifts) | (k1 >> (28 - shifts));
417 
418 		de_keysl[15 - round] =
419 		en_keysl[round] = comp_maskl[0][(t0 >> 21) & 0x7f]
420 				| comp_maskl[1][(t0 >> 14) & 0x7f]
421 				| comp_maskl[2][(t0 >> 7) & 0x7f]
422 				| comp_maskl[3][t0 & 0x7f]
423 				| comp_maskl[4][(t1 >> 21) & 0x7f]
424 				| comp_maskl[5][(t1 >> 14) & 0x7f]
425 				| comp_maskl[6][(t1 >> 7) & 0x7f]
426 				| comp_maskl[7][t1 & 0x7f];
427 
428 		de_keysr[15 - round] =
429 		en_keysr[round] = comp_maskr[0][(t0 >> 21) & 0x7f]
430 				| comp_maskr[1][(t0 >> 14) & 0x7f]
431 				| comp_maskr[2][(t0 >> 7) & 0x7f]
432 				| comp_maskr[3][t0 & 0x7f]
433 				| comp_maskr[4][(t1 >> 21) & 0x7f]
434 				| comp_maskr[5][(t1 >> 14) & 0x7f]
435 				| comp_maskr[6][(t1 >> 7) & 0x7f]
436 				| comp_maskr[7][t1 & 0x7f];
437 	}
438 	return(0);
439 }
440 
441 static int
442 do_des(l_in, r_in, l_out, r_out, count)
443 	u_int32_t l_in, r_in, *l_out, *r_out;
444 	int count;
445 {
446 	/*
447 	 *	l_in, r_in, l_out, and r_out are in pseudo-"big-endian" format.
448 	 */
449 	u_int32_t	l, r, *kl, *kr, *kl1, *kr1;
450 	u_int32_t	f, r48l, r48r;
451 	int		round;
452 
453 	if (count == 0) {
454 		return(1);
455 	} else if (count > 0) {
456 		/*
457 		 * Encrypting
458 		 */
459 		kl1 = en_keysl;
460 		kr1 = en_keysr;
461 	} else {
462 		/*
463 		 * Decrypting
464 		 */
465 		count = -count;
466 		kl1 = de_keysl;
467 		kr1 = de_keysr;
468 	}
469 
470 	/*
471 	 *	Do initial permutation (IP).
472 	 */
473 	l = ip_maskl[0][l_in >> 24]
474 	  | ip_maskl[1][(l_in >> 16) & 0xff]
475 	  | ip_maskl[2][(l_in >> 8) & 0xff]
476 	  | ip_maskl[3][l_in & 0xff]
477 	  | ip_maskl[4][r_in >> 24]
478 	  | ip_maskl[5][(r_in >> 16) & 0xff]
479 	  | ip_maskl[6][(r_in >> 8) & 0xff]
480 	  | ip_maskl[7][r_in & 0xff];
481 	r = ip_maskr[0][l_in >> 24]
482 	  | ip_maskr[1][(l_in >> 16) & 0xff]
483 	  | ip_maskr[2][(l_in >> 8) & 0xff]
484 	  | ip_maskr[3][l_in & 0xff]
485 	  | ip_maskr[4][r_in >> 24]
486 	  | ip_maskr[5][(r_in >> 16) & 0xff]
487 	  | ip_maskr[6][(r_in >> 8) & 0xff]
488 	  | ip_maskr[7][r_in & 0xff];
489 
490 	while (count--) {
491 		/*
492 		 * Do each round.
493 		 */
494 		kl = kl1;
495 		kr = kr1;
496 		round = 16;
497 		while (round--) {
498 			/*
499 			 * Expand R to 48 bits (simulate the E-box).
500 			 */
501 			r48l	= ((r & 0x00000001) << 23)
502 				| ((r & 0xf8000000) >> 9)
503 				| ((r & 0x1f800000) >> 11)
504 				| ((r & 0x01f80000) >> 13)
505 				| ((r & 0x001f8000) >> 15);
506 
507 			r48r	= ((r & 0x0001f800) << 7)
508 				| ((r & 0x00001f80) << 5)
509 				| ((r & 0x000001f8) << 3)
510 				| ((r & 0x0000001f) << 1)
511 				| ((r & 0x80000000) >> 31);
512 			/*
513 			 * Do salting for crypt() and friends, and
514 			 * XOR with the permuted key.
515 			 */
516 			f = (r48l ^ r48r) & saltbits;
517 			r48l ^= f ^ *kl++;
518 			r48r ^= f ^ *kr++;
519 			/*
520 			 * Do sbox lookups (which shrink it back to 32 bits)
521 			 * and do the pbox permutation at the same time.
522 			 */
523 			f = psbox[0][m_sbox[0][r48l >> 12]]
524 			  | psbox[1][m_sbox[1][r48l & 0xfff]]
525 			  | psbox[2][m_sbox[2][r48r >> 12]]
526 			  | psbox[3][m_sbox[3][r48r & 0xfff]];
527 			/*
528 			 * Now that we've permuted things, complete f().
529 			 */
530 			f ^= l;
531 			l = r;
532 			r = f;
533 		}
534 		r = l;
535 		l = f;
536 	}
537 	/*
538 	 * Do final permutation (inverse of IP).
539 	 */
540 	*l_out	= fp_maskl[0][l >> 24]
541 		| fp_maskl[1][(l >> 16) & 0xff]
542 		| fp_maskl[2][(l >> 8) & 0xff]
543 		| fp_maskl[3][l & 0xff]
544 		| fp_maskl[4][r >> 24]
545 		| fp_maskl[5][(r >> 16) & 0xff]
546 		| fp_maskl[6][(r >> 8) & 0xff]
547 		| fp_maskl[7][r & 0xff];
548 	*r_out	= fp_maskr[0][l >> 24]
549 		| fp_maskr[1][(l >> 16) & 0xff]
550 		| fp_maskr[2][(l >> 8) & 0xff]
551 		| fp_maskr[3][l & 0xff]
552 		| fp_maskr[4][r >> 24]
553 		| fp_maskr[5][(r >> 16) & 0xff]
554 		| fp_maskr[6][(r >> 8) & 0xff]
555 		| fp_maskr[7][r & 0xff];
556 	return(0);
557 }
558 
559 static int
560 des_cipher(in, out, salt, count)
561 	const char *in;
562 	char *out;
563 	int32_t salt;
564 	int count;
565 {
566 	u_int32_t l_out, r_out, rawl, rawr;
567 	u_int32_t x[2];
568 	int	retval;
569 
570 	if (!des_initialised)
571 		des_init();
572 
573 	setup_salt(salt);
574 
575 #if 0
576 	rawl = ntohl(*((u_int32_t *) in)++);
577 	rawr = ntohl(*((u_int32_t *) in));
578 #else
579 	memcpy(x, in, sizeof x);
580 	rawl = ntohl(x[0]);
581 	rawr = ntohl(x[1]);
582 #endif
583 	retval = do_des(rawl, rawr, &l_out, &r_out, count);
584 
585 #if 0
586 	*((u_int32_t *) out)++ = htonl(l_out);
587 	*((u_int32_t *) out) = htonl(r_out);
588 #else
589 	x[0] = htonl(l_out);
590 	x[1] = htonl(r_out);
591 	memcpy(out, x, sizeof x);
592 #endif
593 	return(retval);
594 }
595 
596 char *
597 crypt(key, setting)
598 	const char *key;
599 	const char *setting;
600 {
601 	int		i;
602 	u_int32_t	count, salt, l, r0, r1, keybuf[2];
603 	u_char		*p, *q;
604 	static u_char	output[21];
605 	extern char	*md5crypt __P((const char *, const char *));
606 
607 	if (strncmp(setting, "$1$", sizeof("$1")) == 0)
608 		return (md5crypt(key, setting));
609 
610 	if (!des_initialised)
611 		des_init();
612 
613 	/*
614 	 * Copy the key, shifting each character up by one bit
615 	 * and padding with zeros.
616 	 */
617 	q = (u_char *) keybuf;
618 	while (q - (u_char *) keybuf - 8) {
619 		if (*q++ = *key << 1)
620 			key++;
621 	}
622 	if (des_setkey((u_char *) keybuf))
623 		return(NULL);
624 
625 	if (*setting == _PASSWORD_EFMT1) {
626 		/*
627 		 * "new"-style:
628 		 *	setting - underscore, 4 bytes of count, 4 bytes of salt
629 		 *	key - unlimited characters
630 		 */
631 		for (i = 1, count = 0; i < 5; i++)
632 			count |= ascii_to_bin(setting[i]) << (i - 1) * 6;
633 
634 		for (i = 5, salt = 0; i < 9; i++)
635 			salt |= ascii_to_bin(setting[i]) << (i - 5) * 6;
636 
637 		while (*key) {
638 			/*
639 			 * Encrypt the key with itself.
640 			 */
641 			if (des_cipher((u_char*)keybuf, (u_char*)keybuf, 0, 1))
642 				return(NULL);
643 			/*
644 			 * And XOR with the next 8 characters of the key.
645 			 */
646 			q = (u_char *) keybuf;
647 			while (q - (u_char *) keybuf - 8 && *key)
648 				*q++ ^= *key++ << 1;
649 
650 			if (des_setkey((u_char *) keybuf))
651 				return(NULL);
652 		}
653 		strncpy((char *)output, setting, 9);
654 
655 		/*
656 		 * Double check that we weren't given a short setting.
657 		 * If we were, the above code will probably have created
658 		 * wierd values for count and salt, but we don't really care.
659 		 * Just make sure the output string doesn't have an extra
660 		 * NUL in it.
661 		 */
662 		output[9] = '\0';
663 		p = output + strlen((const char *)output);
664 	} else {
665 		/*
666 		 * "old"-style:
667 		 *	setting - 2 bytes of salt
668 		 *	key - up to 8 characters
669 		 */
670 		count = 25;
671 
672 		salt = (ascii_to_bin(setting[1]) << 6)
673 		     |  ascii_to_bin(setting[0]);
674 
675 		output[0] = setting[0];
676 		/*
677 		 * If the encrypted password that the salt was extracted from
678 		 * is only 1 character long, the salt will be corrupted.  We
679 		 * need to ensure that the output string doesn't have an extra
680 		 * NUL in it!
681 		 */
682 		output[1] = setting[1] ? setting[1] : output[0];
683 
684 		p = output + 2;
685 	}
686 	setup_salt(salt);
687 	/*
688 	 * Do it.
689 	 */
690 	if (do_des(0, 0, &r0, &r1, count))
691 		return(NULL);
692 	/*
693 	 * Now encode the result...
694 	 */
695 	l = (r0 >> 8);
696 	*p++ = ascii64[(l >> 18) & 0x3f];
697 	*p++ = ascii64[(l >> 12) & 0x3f];
698 	*p++ = ascii64[(l >> 6) & 0x3f];
699 	*p++ = ascii64[l & 0x3f];
700 
701 	l = (r0 << 16) | ((r1 >> 16) & 0xffff);
702 	*p++ = ascii64[(l >> 18) & 0x3f];
703 	*p++ = ascii64[(l >> 12) & 0x3f];
704 	*p++ = ascii64[(l >> 6) & 0x3f];
705 	*p++ = ascii64[l & 0x3f];
706 
707 	l = r1 << 2;
708 	*p++ = ascii64[(l >> 12) & 0x3f];
709 	*p++ = ascii64[(l >> 6) & 0x3f];
710 	*p++ = ascii64[l & 0x3f];
711 	*p = 0;
712 
713 	return((char *)output);
714 }
715