1 /* $OpenBSD: crypt.c,v 1.18 2003/08/12 01:22:17 deraadt Exp $ */ 2 3 /* 4 * FreeSec: libcrypt 5 * 6 * Copyright (c) 1994 David Burren 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 4. Neither the name of the author nor the names of other contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 * 33 * 34 * This is an original implementation of the DES and the crypt(3) interfaces 35 * by David Burren <davidb@werj.com.au>. 36 * 37 * An excellent reference on the underlying algorithm (and related 38 * algorithms) is: 39 * 40 * B. Schneier, Applied Cryptography: protocols, algorithms, 41 * and source code in C, John Wiley & Sons, 1994. 42 * 43 * Note that in that book's description of DES the lookups for the initial, 44 * pbox, and final permutations are inverted (this has been brought to the 45 * attention of the author). A list of errata for this book has been 46 * posted to the sci.crypt newsgroup by the author and is available for FTP. 47 */ 48 49 #if defined(LIBC_SCCS) && !defined(lint) 50 static char rcsid[] = "$OpenBSD: crypt.c,v 1.18 2003/08/12 01:22:17 deraadt Exp $"; 51 #endif /* LIBC_SCCS and not lint */ 52 53 #include <sys/types.h> 54 #include <sys/param.h> 55 #include <pwd.h> 56 #include <unistd.h> 57 #include <string.h> 58 59 #ifdef DEBUG 60 # include <stdio.h> 61 #endif 62 63 static const u_char IP[64] = { 64 58, 50, 42, 34, 26, 18, 10, 2, 60, 52, 44, 36, 28, 20, 12, 4, 65 62, 54, 46, 38, 30, 22, 14, 6, 64, 56, 48, 40, 32, 24, 16, 8, 66 57, 49, 41, 33, 25, 17, 9, 1, 59, 51, 43, 35, 27, 19, 11, 3, 67 61, 53, 45, 37, 29, 21, 13, 5, 63, 55, 47, 39, 31, 23, 15, 7 68 }; 69 70 static u_char inv_key_perm[64]; 71 static u_char u_key_perm[56]; 72 static u_char const key_perm[56] = { 73 57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18, 74 10, 2, 59, 51, 43, 35, 27, 19, 11, 3, 60, 52, 44, 36, 75 63, 55, 47, 39, 31, 23, 15, 7, 62, 54, 46, 38, 30, 22, 76 14, 6, 61, 53, 45, 37, 29, 21, 13, 5, 28, 20, 12, 4 77 }; 78 79 static const u_char key_shifts[16] = { 80 1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1 81 }; 82 83 static u_char inv_comp_perm[56]; 84 static const u_char comp_perm[48] = { 85 14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10, 86 23, 19, 12, 4, 26, 8, 16, 7, 27, 20, 13, 2, 87 41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48, 88 44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32 89 }; 90 91 /* 92 * No E box is used, as it's replaced by some ANDs, shifts, and ORs. 93 */ 94 95 static u_char u_sbox[8][64]; 96 static const u_char sbox[8][64] = { 97 { 98 14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7, 99 0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8, 100 4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0, 101 15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13 102 }, 103 { 104 15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10, 105 3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5, 106 0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15, 107 13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9 108 }, 109 { 110 10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8, 111 13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1, 112 13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7, 113 1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12 114 }, 115 { 116 7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15, 117 13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9, 118 10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4, 119 3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14 120 }, 121 { 122 2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9, 123 14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6, 124 4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14, 125 11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3 126 }, 127 { 128 12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11, 129 10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8, 130 9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6, 131 4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13 132 }, 133 { 134 4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1, 135 13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6, 136 1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2, 137 6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12 138 }, 139 { 140 13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7, 141 1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2, 142 7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8, 143 2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11 144 } 145 }; 146 147 static u_char un_pbox[32]; 148 static const u_char pbox[32] = { 149 16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10, 150 2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25 151 }; 152 153 const u_int32_t _des_bits32[32] = 154 { 155 0x80000000, 0x40000000, 0x20000000, 0x10000000, 156 0x08000000, 0x04000000, 0x02000000, 0x01000000, 157 0x00800000, 0x00400000, 0x00200000, 0x00100000, 158 0x00080000, 0x00040000, 0x00020000, 0x00010000, 159 0x00008000, 0x00004000, 0x00002000, 0x00001000, 160 0x00000800, 0x00000400, 0x00000200, 0x00000100, 161 0x00000080, 0x00000040, 0x00000020, 0x00000010, 162 0x00000008, 0x00000004, 0x00000002, 0x00000001 163 }; 164 165 const u_char _des_bits8[8] = { 0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02, 0x01 }; 166 167 static u_int32_t saltbits; 168 static int32_t old_salt; 169 static const u_int32_t *bits28, *bits24; 170 static u_char init_perm[64], final_perm[64]; 171 static u_int32_t en_keysl[16], en_keysr[16]; 172 static u_int32_t de_keysl[16], de_keysr[16]; 173 int _des_initialised = 0; 174 static u_char m_sbox[4][4096]; 175 static u_int32_t psbox[4][256]; 176 static u_int32_t ip_maskl[8][256], ip_maskr[8][256]; 177 static u_int32_t fp_maskl[8][256], fp_maskr[8][256]; 178 static u_int32_t key_perm_maskl[8][128], key_perm_maskr[8][128]; 179 static u_int32_t comp_maskl[8][128], comp_maskr[8][128]; 180 static u_int32_t old_rawkey0, old_rawkey1; 181 182 static u_char ascii64[] = 183 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; 184 /* 0000000000111111111122222222223333333333444444444455555555556666 */ 185 /* 0123456789012345678901234567890123456789012345678901234567890123 */ 186 187 static __inline int 188 ascii_to_bin(char ch) 189 { 190 if (ch > 'z') 191 return(0); 192 if (ch >= 'a') 193 return(ch - 'a' + 38); 194 if (ch > 'Z') 195 return(0); 196 if (ch >= 'A') 197 return(ch - 'A' + 12); 198 if (ch > '9') 199 return(0); 200 if (ch >= '.') 201 return(ch - '.'); 202 return(0); 203 } 204 205 void 206 _des_init(void) 207 { 208 int i, j, b, k, inbit, obit; 209 u_int32_t *p, *il, *ir, *fl, *fr; 210 211 old_rawkey0 = old_rawkey1 = 0; 212 saltbits = 0; 213 old_salt = 0; 214 bits24 = (bits28 = _des_bits32 + 4) + 4; 215 216 /* 217 * Invert the S-boxes, reordering the input bits. 218 */ 219 for (i = 0; i < 8; i++) 220 for (j = 0; j < 64; j++) { 221 b = (j & 0x20) | ((j & 1) << 4) | ((j >> 1) & 0xf); 222 u_sbox[i][j] = sbox[i][b]; 223 } 224 225 /* 226 * Convert the inverted S-boxes into 4 arrays of 8 bits. 227 * Each will handle 12 bits of the S-box input. 228 */ 229 for (b = 0; b < 4; b++) 230 for (i = 0; i < 64; i++) 231 for (j = 0; j < 64; j++) 232 m_sbox[b][(i << 6) | j] = 233 (u_sbox[(b << 1)][i] << 4) | 234 u_sbox[(b << 1) + 1][j]; 235 236 /* 237 * Set up the initial & final permutations into a useful form, and 238 * initialise the inverted key permutation. 239 */ 240 for (i = 0; i < 64; i++) { 241 init_perm[final_perm[i] = IP[i] - 1] = i; 242 inv_key_perm[i] = 255; 243 } 244 245 /* 246 * Invert the key permutation and initialise the inverted key 247 * compression permutation. 248 */ 249 for (i = 0; i < 56; i++) { 250 u_key_perm[i] = key_perm[i] - 1; 251 inv_key_perm[key_perm[i] - 1] = i; 252 inv_comp_perm[i] = 255; 253 } 254 255 /* 256 * Invert the key compression permutation. 257 */ 258 for (i = 0; i < 48; i++) { 259 inv_comp_perm[comp_perm[i] - 1] = i; 260 } 261 262 /* 263 * Set up the OR-mask arrays for the initial and final permutations, 264 * and for the key initial and compression permutations. 265 */ 266 for (k = 0; k < 8; k++) { 267 for (i = 0; i < 256; i++) { 268 *(il = &ip_maskl[k][i]) = 0; 269 *(ir = &ip_maskr[k][i]) = 0; 270 *(fl = &fp_maskl[k][i]) = 0; 271 *(fr = &fp_maskr[k][i]) = 0; 272 for (j = 0; j < 8; j++) { 273 inbit = 8 * k + j; 274 if (i & _des_bits8[j]) { 275 if ((obit = init_perm[inbit]) < 32) 276 *il |= _des_bits32[obit]; 277 else 278 *ir |= _des_bits32[obit-32]; 279 if ((obit = final_perm[inbit]) < 32) 280 *fl |= _des_bits32[obit]; 281 else 282 *fr |= _des_bits32[obit - 32]; 283 } 284 } 285 } 286 for (i = 0; i < 128; i++) { 287 *(il = &key_perm_maskl[k][i]) = 0; 288 *(ir = &key_perm_maskr[k][i]) = 0; 289 for (j = 0; j < 7; j++) { 290 inbit = 8 * k + j; 291 if (i & _des_bits8[j + 1]) { 292 if ((obit = inv_key_perm[inbit]) == 255) 293 continue; 294 if (obit < 28) 295 *il |= bits28[obit]; 296 else 297 *ir |= bits28[obit - 28]; 298 } 299 } 300 *(il = &comp_maskl[k][i]) = 0; 301 *(ir = &comp_maskr[k][i]) = 0; 302 for (j = 0; j < 7; j++) { 303 inbit = 7 * k + j; 304 if (i & _des_bits8[j + 1]) { 305 if ((obit=inv_comp_perm[inbit]) == 255) 306 continue; 307 if (obit < 24) 308 *il |= bits24[obit]; 309 else 310 *ir |= bits24[obit - 24]; 311 } 312 } 313 } 314 } 315 316 /* 317 * Invert the P-box permutation, and convert into OR-masks for 318 * handling the output of the S-box arrays setup above. 319 */ 320 for (i = 0; i < 32; i++) 321 un_pbox[pbox[i] - 1] = i; 322 323 for (b = 0; b < 4; b++) 324 for (i = 0; i < 256; i++) { 325 *(p = &psbox[b][i]) = 0; 326 for (j = 0; j < 8; j++) { 327 if (i & _des_bits8[j]) 328 *p |= _des_bits32[un_pbox[8 * b + j]]; 329 } 330 } 331 332 _des_initialised = 1; 333 } 334 335 void 336 _des_setup_salt(int32_t salt) 337 { 338 u_int32_t obit, saltbit; 339 int i; 340 341 if (salt == old_salt) 342 return; 343 old_salt = salt; 344 345 saltbits = 0; 346 saltbit = 1; 347 obit = 0x800000; 348 for (i = 0; i < 24; i++) { 349 if (salt & saltbit) 350 saltbits |= obit; 351 saltbit <<= 1; 352 obit >>= 1; 353 } 354 } 355 356 int 357 des_setkey(const char *key) 358 { 359 u_int32_t k0, k1, rawkey0, rawkey1; 360 int shifts, round; 361 362 if (!_des_initialised) 363 _des_init(); 364 365 rawkey0 = ntohl(*(u_int32_t *) key); 366 rawkey1 = ntohl(*(u_int32_t *) (key + 4)); 367 368 if ((rawkey0 | rawkey1) 369 && rawkey0 == old_rawkey0 370 && rawkey1 == old_rawkey1) { 371 /* 372 * Already setup for this key. 373 * This optimisation fails on a zero key (which is weak and 374 * has bad parity anyway) in order to simplify the starting 375 * conditions. 376 */ 377 return(0); 378 } 379 old_rawkey0 = rawkey0; 380 old_rawkey1 = rawkey1; 381 382 /* 383 * Do key permutation and split into two 28-bit subkeys. 384 */ 385 k0 = key_perm_maskl[0][rawkey0 >> 25] 386 | key_perm_maskl[1][(rawkey0 >> 17) & 0x7f] 387 | key_perm_maskl[2][(rawkey0 >> 9) & 0x7f] 388 | key_perm_maskl[3][(rawkey0 >> 1) & 0x7f] 389 | key_perm_maskl[4][rawkey1 >> 25] 390 | key_perm_maskl[5][(rawkey1 >> 17) & 0x7f] 391 | key_perm_maskl[6][(rawkey1 >> 9) & 0x7f] 392 | key_perm_maskl[7][(rawkey1 >> 1) & 0x7f]; 393 k1 = key_perm_maskr[0][rawkey0 >> 25] 394 | key_perm_maskr[1][(rawkey0 >> 17) & 0x7f] 395 | key_perm_maskr[2][(rawkey0 >> 9) & 0x7f] 396 | key_perm_maskr[3][(rawkey0 >> 1) & 0x7f] 397 | key_perm_maskr[4][rawkey1 >> 25] 398 | key_perm_maskr[5][(rawkey1 >> 17) & 0x7f] 399 | key_perm_maskr[6][(rawkey1 >> 9) & 0x7f] 400 | key_perm_maskr[7][(rawkey1 >> 1) & 0x7f]; 401 /* 402 * Rotate subkeys and do compression permutation. 403 */ 404 shifts = 0; 405 for (round = 0; round < 16; round++) { 406 u_int32_t t0, t1; 407 408 shifts += key_shifts[round]; 409 410 t0 = (k0 << shifts) | (k0 >> (28 - shifts)); 411 t1 = (k1 << shifts) | (k1 >> (28 - shifts)); 412 413 de_keysl[15 - round] = 414 en_keysl[round] = comp_maskl[0][(t0 >> 21) & 0x7f] 415 | comp_maskl[1][(t0 >> 14) & 0x7f] 416 | comp_maskl[2][(t0 >> 7) & 0x7f] 417 | comp_maskl[3][t0 & 0x7f] 418 | comp_maskl[4][(t1 >> 21) & 0x7f] 419 | comp_maskl[5][(t1 >> 14) & 0x7f] 420 | comp_maskl[6][(t1 >> 7) & 0x7f] 421 | comp_maskl[7][t1 & 0x7f]; 422 423 de_keysr[15 - round] = 424 en_keysr[round] = comp_maskr[0][(t0 >> 21) & 0x7f] 425 | comp_maskr[1][(t0 >> 14) & 0x7f] 426 | comp_maskr[2][(t0 >> 7) & 0x7f] 427 | comp_maskr[3][t0 & 0x7f] 428 | comp_maskr[4][(t1 >> 21) & 0x7f] 429 | comp_maskr[5][(t1 >> 14) & 0x7f] 430 | comp_maskr[6][(t1 >> 7) & 0x7f] 431 | comp_maskr[7][t1 & 0x7f]; 432 } 433 return(0); 434 } 435 436 int 437 _des_do_des(u_int32_t l_in, u_int32_t r_in, u_int32_t *l_out, u_int32_t *r_out, 438 int count) 439 { 440 /* 441 * l_in, r_in, l_out, and r_out are in pseudo-"big-endian" format. 442 */ 443 u_int32_t l, r, *kl, *kr, *kl1, *kr1; 444 u_int32_t f, r48l, r48r; 445 int round; 446 447 if (count == 0) { 448 return(1); 449 } else if (count > 0) { 450 /* 451 * Encrypting 452 */ 453 kl1 = en_keysl; 454 kr1 = en_keysr; 455 } else { 456 /* 457 * Decrypting 458 */ 459 count = -count; 460 kl1 = de_keysl; 461 kr1 = de_keysr; 462 } 463 464 /* 465 * Do initial permutation (IP). 466 */ 467 l = ip_maskl[0][l_in >> 24] 468 | ip_maskl[1][(l_in >> 16) & 0xff] 469 | ip_maskl[2][(l_in >> 8) & 0xff] 470 | ip_maskl[3][l_in & 0xff] 471 | ip_maskl[4][r_in >> 24] 472 | ip_maskl[5][(r_in >> 16) & 0xff] 473 | ip_maskl[6][(r_in >> 8) & 0xff] 474 | ip_maskl[7][r_in & 0xff]; 475 r = ip_maskr[0][l_in >> 24] 476 | ip_maskr[1][(l_in >> 16) & 0xff] 477 | ip_maskr[2][(l_in >> 8) & 0xff] 478 | ip_maskr[3][l_in & 0xff] 479 | ip_maskr[4][r_in >> 24] 480 | ip_maskr[5][(r_in >> 16) & 0xff] 481 | ip_maskr[6][(r_in >> 8) & 0xff] 482 | ip_maskr[7][r_in & 0xff]; 483 484 while (count--) { 485 /* 486 * Do each round. 487 */ 488 kl = kl1; 489 kr = kr1; 490 round = 16; 491 while (round--) { 492 /* 493 * Expand R to 48 bits (simulate the E-box). 494 */ 495 r48l = ((r & 0x00000001) << 23) 496 | ((r & 0xf8000000) >> 9) 497 | ((r & 0x1f800000) >> 11) 498 | ((r & 0x01f80000) >> 13) 499 | ((r & 0x001f8000) >> 15); 500 501 r48r = ((r & 0x0001f800) << 7) 502 | ((r & 0x00001f80) << 5) 503 | ((r & 0x000001f8) << 3) 504 | ((r & 0x0000001f) << 1) 505 | ((r & 0x80000000) >> 31); 506 /* 507 * Do salting for crypt() and friends, and 508 * XOR with the permuted key. 509 */ 510 f = (r48l ^ r48r) & saltbits; 511 r48l ^= f ^ *kl++; 512 r48r ^= f ^ *kr++; 513 /* 514 * Do sbox lookups (which shrink it back to 32 bits) 515 * and do the pbox permutation at the same time. 516 */ 517 f = psbox[0][m_sbox[0][r48l >> 12]] 518 | psbox[1][m_sbox[1][r48l & 0xfff]] 519 | psbox[2][m_sbox[2][r48r >> 12]] 520 | psbox[3][m_sbox[3][r48r & 0xfff]]; 521 /* 522 * Now that we've permuted things, complete f(). 523 */ 524 f ^= l; 525 l = r; 526 r = f; 527 } 528 r = l; 529 l = f; 530 } 531 /* 532 * Do final permutation (inverse of IP). 533 */ 534 *l_out = fp_maskl[0][l >> 24] 535 | fp_maskl[1][(l >> 16) & 0xff] 536 | fp_maskl[2][(l >> 8) & 0xff] 537 | fp_maskl[3][l & 0xff] 538 | fp_maskl[4][r >> 24] 539 | fp_maskl[5][(r >> 16) & 0xff] 540 | fp_maskl[6][(r >> 8) & 0xff] 541 | fp_maskl[7][r & 0xff]; 542 *r_out = fp_maskr[0][l >> 24] 543 | fp_maskr[1][(l >> 16) & 0xff] 544 | fp_maskr[2][(l >> 8) & 0xff] 545 | fp_maskr[3][l & 0xff] 546 | fp_maskr[4][r >> 24] 547 | fp_maskr[5][(r >> 16) & 0xff] 548 | fp_maskr[6][(r >> 8) & 0xff] 549 | fp_maskr[7][r & 0xff]; 550 return(0); 551 } 552 553 int 554 des_cipher(const char *in, char *out, int32_t salt, int count) 555 { 556 u_int32_t l_out, r_out, rawl, rawr; 557 u_int32_t x[2]; 558 int retval; 559 560 if (!_des_initialised) 561 _des_init(); 562 563 _des_setup_salt(salt); 564 565 memcpy(x, in, sizeof x); 566 rawl = ntohl(x[0]); 567 rawr = ntohl(x[1]); 568 retval = _des_do_des(rawl, rawr, &l_out, &r_out, count); 569 570 x[0] = htonl(l_out); 571 x[1] = htonl(r_out); 572 memcpy(out, x, sizeof x); 573 return(retval); 574 } 575 576 char * 577 crypt(const char *key, const char *setting) 578 { 579 int i; 580 u_int32_t count, salt, l, r0, r1, keybuf[2]; 581 u_char *p, *q; 582 static u_char output[21]; 583 extern char *md5crypt(const char *, const char *); 584 extern char *bcrypt(const char *, const char *); 585 586 if (setting[0] == '$') { 587 switch (setting[1]) { 588 case '1': 589 return (md5crypt(key, setting)); 590 default: 591 return bcrypt(key, setting); 592 } 593 } 594 595 if (!_des_initialised) 596 _des_init(); 597 598 /* 599 * Copy the key, shifting each character up by one bit 600 * and padding with zeros. 601 */ 602 q = (u_char *) keybuf; 603 while ((q - (u_char *) keybuf) < sizeof(keybuf)) { 604 if ((*q++ = *key << 1)) 605 key++; 606 } 607 if (des_setkey((u_char *) keybuf)) 608 return(NULL); 609 610 if (*setting == _PASSWORD_EFMT1) { 611 /* 612 * "new"-style: 613 * setting - underscore, 4 bytes of count, 4 bytes of salt 614 * key - unlimited characters 615 */ 616 for (i = 1, count = 0; i < 5; i++) 617 count |= ascii_to_bin(setting[i]) << (i - 1) * 6; 618 619 for (i = 5, salt = 0; i < 9; i++) 620 salt |= ascii_to_bin(setting[i]) << (i - 5) * 6; 621 622 while (*key) { 623 /* 624 * Encrypt the key with itself. 625 */ 626 if (des_cipher((u_char*)keybuf, (u_char*)keybuf, 0, 1)) 627 return(NULL); 628 /* 629 * And XOR with the next 8 characters of the key. 630 */ 631 q = (u_char *) keybuf; 632 while (((q - (u_char *) keybuf) < sizeof(keybuf)) && 633 *key) 634 *q++ ^= *key++ << 1; 635 636 if (des_setkey((u_char *) keybuf)) 637 return(NULL); 638 } 639 strlcpy((char *)output, setting, 10); 640 641 /* 642 * Double check that we weren't given a short setting. 643 * If we were, the above code will probably have created 644 * weird values for count and salt, but we don't really care. 645 * Just make sure the output string doesn't have an extra 646 * NUL in it. 647 */ 648 p = output + strlen((const char *)output); 649 } else { 650 /* 651 * "old"-style: 652 * setting - 2 bytes of salt 653 * key - up to 8 characters 654 */ 655 count = 25; 656 657 salt = (ascii_to_bin(setting[1]) << 6) 658 | ascii_to_bin(setting[0]); 659 660 output[0] = setting[0]; 661 /* 662 * If the encrypted password that the salt was extracted from 663 * is only 1 character long, the salt will be corrupted. We 664 * need to ensure that the output string doesn't have an extra 665 * NUL in it! 666 */ 667 output[1] = setting[1] ? setting[1] : output[0]; 668 669 p = output + 2; 670 } 671 _des_setup_salt(salt); 672 673 /* 674 * Do it. 675 */ 676 if (_des_do_des(0, 0, &r0, &r1, count)) 677 return(NULL); 678 /* 679 * Now encode the result... 680 */ 681 l = (r0 >> 8); 682 *p++ = ascii64[(l >> 18) & 0x3f]; 683 *p++ = ascii64[(l >> 12) & 0x3f]; 684 *p++ = ascii64[(l >> 6) & 0x3f]; 685 *p++ = ascii64[l & 0x3f]; 686 687 l = (r0 << 16) | ((r1 >> 16) & 0xffff); 688 *p++ = ascii64[(l >> 18) & 0x3f]; 689 *p++ = ascii64[(l >> 12) & 0x3f]; 690 *p++ = ascii64[(l >> 6) & 0x3f]; 691 *p++ = ascii64[l & 0x3f]; 692 693 l = r1 << 2; 694 *p++ = ascii64[(l >> 12) & 0x3f]; 695 *p++ = ascii64[(l >> 6) & 0x3f]; 696 *p++ = ascii64[l & 0x3f]; 697 *p = 0; 698 699 return((char *)output); 700 } 701