crypt.c revision 1.7
1 /* $NetBSD: crypt.c,v 1.7 1997/10/09 10:28:43 lukem Exp $ */ 2 3 /* 4 * Copyright (c) 1989, 1993 5 * The Regents of the University of California. All rights reserved. 6 * 7 * This code is derived from software contributed to Berkeley by 8 * Tom Truscott. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 3. All advertising materials mentioning features or use of this software 19 * must display the following acknowledgement: 20 * This product includes software developed by the University of 21 * California, Berkeley and its contributors. 22 * 4. Neither the name of the University nor the names of its contributors 23 * may be used to endorse or promote products derived from this software 24 * without specific prior written permission. 25 * 26 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 27 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 28 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 29 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 30 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 31 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 32 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 33 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 34 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 35 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 36 * SUCH DAMAGE. 37 */ 38 39 #include <sys/cdefs.h> 40 #if !defined(lint) 41 #if 0 42 static char sccsid[] = "@(#)crypt.c 8.1.1.1 (Berkeley) 8/18/93"; 43 #else 44 __RCSID("$NetBSD: crypt.c,v 1.7 1997/10/09 10:28:43 lukem Exp $"); 45 #endif 46 #endif /* not lint */ 47 48 #include <limits.h> 49 #include <pwd.h> 50 #include <unistd.h> 51 52 /* 53 * UNIX password, and DES, encryption. 54 * By Tom Truscott, trt (at) rti.rti.org, 55 * from algorithms by Robert W. Baldwin and James Gillogly. 56 * 57 * References: 58 * "Mathematical Cryptology for Computer Scientists and Mathematicians," 59 * by Wayne Patterson, 1987, ISBN 0-8476-7438-X. 60 * 61 * "Password Security: A Case History," R. Morris and Ken Thompson, 62 * Communications of the ACM, vol. 22, pp. 594-597, Nov. 1979. 63 * 64 * "DES will be Totally Insecure within Ten Years," M.E. Hellman, 65 * IEEE Spectrum, vol. 16, pp. 32-39, July 1979. 66 */ 67 68 /* ===== Configuration ==================== */ 69 70 /* 71 * define "MUST_ALIGN" if your compiler cannot load/store 72 * long integers at arbitrary (e.g. odd) memory locations. 73 * (Either that or never pass unaligned addresses to des_cipher!) 74 */ 75 #if !defined(vax) 76 #define MUST_ALIGN 77 #endif 78 79 #ifdef CHAR_BITS 80 #if CHAR_BITS != 8 81 #error C_block structure assumes 8 bit characters 82 #endif 83 #endif 84 85 /* 86 * define "B64" to be the declaration for a 64 bit integer. 87 * XXX this feature is currently unused, see "endian" comment below. 88 */ 89 #if defined(cray) 90 #define B64 long 91 #endif 92 #if defined(convex) 93 #define B64 long long 94 #endif 95 96 /* 97 * define "LARGEDATA" to get faster permutations, by using about 72 kilobytes 98 * of lookup tables. This speeds up des_setkey() and des_cipher(), but has 99 * little effect on crypt(). 100 */ 101 #if defined(notdef) 102 #define LARGEDATA 103 #endif 104 105 /* compile with "-DSTATIC=void" when profiling */ 106 #ifndef STATIC 107 #define STATIC static void 108 #endif 109 110 /* ==================================== */ 111 112 /* 113 * Cipher-block representation (Bob Baldwin): 114 * 115 * DES operates on groups of 64 bits, numbered 1..64 (sigh). One 116 * representation is to store one bit per byte in an array of bytes. Bit N of 117 * the NBS spec is stored as the LSB of the Nth byte (index N-1) in the array. 118 * Another representation stores the 64 bits in 8 bytes, with bits 1..8 in the 119 * first byte, 9..16 in the second, and so on. The DES spec apparently has 120 * bit 1 in the MSB of the first byte, but that is particularly noxious so we 121 * bit-reverse each byte so that bit 1 is the LSB of the first byte, bit 8 is 122 * the MSB of the first byte. Specifically, the 64-bit input data and key are 123 * converted to LSB format, and the output 64-bit block is converted back into 124 * MSB format. 125 * 126 * DES operates internally on groups of 32 bits which are expanded to 48 bits 127 * by permutation E and shrunk back to 32 bits by the S boxes. To speed up 128 * the computation, the expansion is applied only once, the expanded 129 * representation is maintained during the encryption, and a compression 130 * permutation is applied only at the end. To speed up the S-box lookups, 131 * the 48 bits are maintained as eight 6 bit groups, one per byte, which 132 * directly feed the eight S-boxes. Within each byte, the 6 bits are the 133 * most significant ones. The low two bits of each byte are zero. (Thus, 134 * bit 1 of the 48 bit E expansion is stored as the "4"-valued bit of the 135 * first byte in the eight byte representation, bit 2 of the 48 bit value is 136 * the "8"-valued bit, and so on.) In fact, a combined "SPE"-box lookup is 137 * used, in which the output is the 64 bit result of an S-box lookup which 138 * has been permuted by P and expanded by E, and is ready for use in the next 139 * iteration. Two 32-bit wide tables, SPE[0] and SPE[1], are used for this 140 * lookup. Since each byte in the 48 bit path is a multiple of four, indexed 141 * lookup of SPE[0] and SPE[1] is simple and fast. The key schedule and 142 * "salt" are also converted to this 8*(6+2) format. The SPE table size is 143 * 8*64*8 = 4K bytes. 144 * 145 * To speed up bit-parallel operations (such as XOR), the 8 byte 146 * representation is "union"ed with 32 bit values "i0" and "i1", and, on 147 * machines which support it, a 64 bit value "b64". This data structure, 148 * "C_block", has two problems. First, alignment restrictions must be 149 * honored. Second, the byte-order (e.g. little-endian or big-endian) of 150 * the architecture becomes visible. 151 * 152 * The byte-order problem is unfortunate, since on the one hand it is good 153 * to have a machine-independent C_block representation (bits 1..8 in the 154 * first byte, etc.), and on the other hand it is good for the LSB of the 155 * first byte to be the LSB of i0. We cannot have both these things, so we 156 * currently use the "little-endian" representation and avoid any multi-byte 157 * operations that depend on byte order. This largely precludes use of the 158 * 64-bit datatype since the relative order of i0 and i1 are unknown. It 159 * also inhibits grouping the SPE table to look up 12 bits at a time. (The 160 * 12 bits can be stored in a 16-bit field with 3 low-order zeroes and 1 161 * high-order zero, providing fast indexing into a 64-bit wide SPE.) On the 162 * other hand, 64-bit datatypes are currently rare, and a 12-bit SPE lookup 163 * requires a 128 kilobyte table, so perhaps this is not a big loss. 164 * 165 * Permutation representation (Jim Gillogly): 166 * 167 * A transformation is defined by its effect on each of the 8 bytes of the 168 * 64-bit input. For each byte we give a 64-bit output that has the bits in 169 * the input distributed appropriately. The transformation is then the OR 170 * of the 8 sets of 64-bits. This uses 8*256*8 = 16K bytes of storage for 171 * each transformation. Unless LARGEDATA is defined, however, a more compact 172 * table is used which looks up 16 4-bit "chunks" rather than 8 8-bit chunks. 173 * The smaller table uses 16*16*8 = 2K bytes for each transformation. This 174 * is slower but tolerable, particularly for password encryption in which 175 * the SPE transformation is iterated many times. The small tables total 9K 176 * bytes, the large tables total 72K bytes. 177 * 178 * The transformations used are: 179 * IE3264: MSB->LSB conversion, initial permutation, and expansion. 180 * This is done by collecting the 32 even-numbered bits and applying 181 * a 32->64 bit transformation, and then collecting the 32 odd-numbered 182 * bits and applying the same transformation. Since there are only 183 * 32 input bits, the IE3264 transformation table is half the size of 184 * the usual table. 185 * CF6464: Compression, final permutation, and LSB->MSB conversion. 186 * This is done by two trivial 48->32 bit compressions to obtain 187 * a 64-bit block (the bit numbering is given in the "CIFP" table) 188 * followed by a 64->64 bit "cleanup" transformation. (It would 189 * be possible to group the bits in the 64-bit block so that 2 190 * identical 32->32 bit transformations could be used instead, 191 * saving a factor of 4 in space and possibly 2 in time, but 192 * byte-ordering and other complications rear their ugly head. 193 * Similar opportunities/problems arise in the key schedule 194 * transforms.) 195 * PC1ROT: MSB->LSB, PC1 permutation, rotate, and PC2 permutation. 196 * This admittedly baroque 64->64 bit transformation is used to 197 * produce the first code (in 8*(6+2) format) of the key schedule. 198 * PC2ROT[0]: Inverse PC2 permutation, rotate, and PC2 permutation. 199 * It would be possible to define 15 more transformations, each 200 * with a different rotation, to generate the entire key schedule. 201 * To save space, however, we instead permute each code into the 202 * next by using a transformation that "undoes" the PC2 permutation, 203 * rotates the code, and then applies PC2. Unfortunately, PC2 204 * transforms 56 bits into 48 bits, dropping 8 bits, so PC2 is not 205 * invertible. We get around that problem by using a modified PC2 206 * which retains the 8 otherwise-lost bits in the unused low-order 207 * bits of each byte. The low-order bits are cleared when the 208 * codes are stored into the key schedule. 209 * PC2ROT[1]: Same as PC2ROT[0], but with two rotations. 210 * This is faster than applying PC2ROT[0] twice, 211 * 212 * The Bell Labs "salt" (Bob Baldwin): 213 * 214 * The salting is a simple permutation applied to the 48-bit result of E. 215 * Specifically, if bit i (1 <= i <= 24) of the salt is set then bits i and 216 * i+24 of the result are swapped. The salt is thus a 24 bit number, with 217 * 16777216 possible values. (The original salt was 12 bits and could not 218 * swap bits 13..24 with 36..48.) 219 * 220 * It is possible, but ugly, to warp the SPE table to account for the salt 221 * permutation. Fortunately, the conditional bit swapping requires only 222 * about four machine instructions and can be done on-the-fly with about an 223 * 8% performance penalty. 224 */ 225 226 typedef union { 227 unsigned char b[8]; 228 struct { 229 int32_t i0; 230 int32_t i1; 231 } b32; 232 #if defined(B64) 233 B64 b64; 234 #endif 235 } C_block; 236 237 /* 238 * Convert twenty-four-bit long in host-order 239 * to six bits (and 2 low-order zeroes) per char little-endian format. 240 */ 241 #define TO_SIX_BIT(rslt, src) { \ 242 C_block cvt; \ 243 cvt.b[0] = src; src >>= 6; \ 244 cvt.b[1] = src; src >>= 6; \ 245 cvt.b[2] = src; src >>= 6; \ 246 cvt.b[3] = src; \ 247 rslt = (cvt.b32.i0 & 0x3f3f3f3fL) << 2; \ 248 } 249 250 /* 251 * These macros may someday permit efficient use of 64-bit integers. 252 */ 253 #define ZERO(d,d0,d1) d0 = 0, d1 = 0 254 #define LOAD(d,d0,d1,bl) d0 = (bl).b32.i0, d1 = (bl).b32.i1 255 #define LOADREG(d,d0,d1,s,s0,s1) d0 = s0, d1 = s1 256 #define OR(d,d0,d1,bl) d0 |= (bl).b32.i0, d1 |= (bl).b32.i1 257 #define STORE(s,s0,s1,bl) (bl).b32.i0 = s0, (bl).b32.i1 = s1 258 #define DCL_BLOCK(d,d0,d1) int32_t d0, d1 259 260 #if defined(LARGEDATA) 261 /* Waste memory like crazy. Also, do permutations in line */ 262 #define LGCHUNKBITS 3 263 #define CHUNKBITS (1<<LGCHUNKBITS) 264 #define PERM6464(d,d0,d1,cpp,p) \ 265 LOAD(d,d0,d1,(p)[(0<<CHUNKBITS)+(cpp)[0]]); \ 266 OR (d,d0,d1,(p)[(1<<CHUNKBITS)+(cpp)[1]]); \ 267 OR (d,d0,d1,(p)[(2<<CHUNKBITS)+(cpp)[2]]); \ 268 OR (d,d0,d1,(p)[(3<<CHUNKBITS)+(cpp)[3]]); \ 269 OR (d,d0,d1,(p)[(4<<CHUNKBITS)+(cpp)[4]]); \ 270 OR (d,d0,d1,(p)[(5<<CHUNKBITS)+(cpp)[5]]); \ 271 OR (d,d0,d1,(p)[(6<<CHUNKBITS)+(cpp)[6]]); \ 272 OR (d,d0,d1,(p)[(7<<CHUNKBITS)+(cpp)[7]]); 273 #define PERM3264(d,d0,d1,cpp,p) \ 274 LOAD(d,d0,d1,(p)[(0<<CHUNKBITS)+(cpp)[0]]); \ 275 OR (d,d0,d1,(p)[(1<<CHUNKBITS)+(cpp)[1]]); \ 276 OR (d,d0,d1,(p)[(2<<CHUNKBITS)+(cpp)[2]]); \ 277 OR (d,d0,d1,(p)[(3<<CHUNKBITS)+(cpp)[3]]); 278 #else 279 /* "small data" */ 280 #define LGCHUNKBITS 2 281 #define CHUNKBITS (1<<LGCHUNKBITS) 282 #define PERM6464(d,d0,d1,cpp,p) \ 283 { C_block tblk; permute(cpp,&tblk,p,8); LOAD (d,d0,d1,tblk); } 284 #define PERM3264(d,d0,d1,cpp,p) \ 285 { C_block tblk; permute(cpp,&tblk,p,4); LOAD (d,d0,d1,tblk); } 286 287 288 STATIC init_des __P((void)); 289 STATIC init_perm __P((C_block [][], unsigned char [], int, int)); 290 STATIC permute __P((unsigned char *, C_block *, C_block *, int)); 291 #ifdef DEBUG 292 STATIC prtab __P((char *, unsigned char *, int)); 293 #endif 294 295 296 STATIC 297 permute(cp, out, p, chars_in) 298 unsigned char *cp; 299 C_block *out; 300 C_block *p; 301 int chars_in; 302 { 303 DCL_BLOCK(D,D0,D1); 304 C_block *tp; 305 int t; 306 307 ZERO(D,D0,D1); 308 do { 309 t = *cp++; 310 tp = &p[t&0xf]; OR(D,D0,D1,*tp); p += (1<<CHUNKBITS); 311 tp = &p[t>>4]; OR(D,D0,D1,*tp); p += (1<<CHUNKBITS); 312 } while (--chars_in > 0); 313 STORE(D,D0,D1,*out); 314 } 315 #endif /* LARGEDATA */ 316 317 318 /* ===== (mostly) Standard DES Tables ==================== */ 319 320 static unsigned char IP[] = { /* initial permutation */ 321 58, 50, 42, 34, 26, 18, 10, 2, 322 60, 52, 44, 36, 28, 20, 12, 4, 323 62, 54, 46, 38, 30, 22, 14, 6, 324 64, 56, 48, 40, 32, 24, 16, 8, 325 57, 49, 41, 33, 25, 17, 9, 1, 326 59, 51, 43, 35, 27, 19, 11, 3, 327 61, 53, 45, 37, 29, 21, 13, 5, 328 63, 55, 47, 39, 31, 23, 15, 7, 329 }; 330 331 /* The final permutation is the inverse of IP - no table is necessary */ 332 333 static unsigned char ExpandTr[] = { /* expansion operation */ 334 32, 1, 2, 3, 4, 5, 335 4, 5, 6, 7, 8, 9, 336 8, 9, 10, 11, 12, 13, 337 12, 13, 14, 15, 16, 17, 338 16, 17, 18, 19, 20, 21, 339 20, 21, 22, 23, 24, 25, 340 24, 25, 26, 27, 28, 29, 341 28, 29, 30, 31, 32, 1, 342 }; 343 344 static unsigned char PC1[] = { /* permuted choice table 1 */ 345 57, 49, 41, 33, 25, 17, 9, 346 1, 58, 50, 42, 34, 26, 18, 347 10, 2, 59, 51, 43, 35, 27, 348 19, 11, 3, 60, 52, 44, 36, 349 350 63, 55, 47, 39, 31, 23, 15, 351 7, 62, 54, 46, 38, 30, 22, 352 14, 6, 61, 53, 45, 37, 29, 353 21, 13, 5, 28, 20, 12, 4, 354 }; 355 356 static unsigned char Rotates[] = { /* PC1 rotation schedule */ 357 1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1, 358 }; 359 360 /* note: each "row" of PC2 is left-padded with bits that make it invertible */ 361 static unsigned char PC2[] = { /* permuted choice table 2 */ 362 9, 18, 14, 17, 11, 24, 1, 5, 363 22, 25, 3, 28, 15, 6, 21, 10, 364 35, 38, 23, 19, 12, 4, 26, 8, 365 43, 54, 16, 7, 27, 20, 13, 2, 366 367 0, 0, 41, 52, 31, 37, 47, 55, 368 0, 0, 30, 40, 51, 45, 33, 48, 369 0, 0, 44, 49, 39, 56, 34, 53, 370 0, 0, 46, 42, 50, 36, 29, 32, 371 }; 372 373 static unsigned char S[8][64] = { /* 48->32 bit substitution tables */ 374 /* S[1] */ 375 { 14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7, 376 0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8, 377 4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0, 378 15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13 }, 379 /* S[2] */ 380 { 15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10, 381 3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5, 382 0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15, 383 13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9 }, 384 /* S[3] */ 385 { 10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8, 386 13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1, 387 13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7, 388 1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12 }, 389 /* S[4] */ 390 { 7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15, 391 13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9, 392 10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4, 393 3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14 }, 394 /* S[5] */ 395 { 2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9, 396 14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6, 397 4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14, 398 11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3 }, 399 /* S[6] */ 400 { 12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11, 401 10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8, 402 9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6, 403 4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13 }, 404 /* S[7] */ 405 { 4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1, 406 13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6, 407 1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2, 408 6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12 }, 409 /* S[8] */ 410 { 13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7, 411 1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2, 412 7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8, 413 2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11 } 414 }; 415 416 static unsigned char P32Tr[] = { /* 32-bit permutation function */ 417 16, 7, 20, 21, 418 29, 12, 28, 17, 419 1, 15, 23, 26, 420 5, 18, 31, 10, 421 2, 8, 24, 14, 422 32, 27, 3, 9, 423 19, 13, 30, 6, 424 22, 11, 4, 25, 425 }; 426 427 static unsigned char CIFP[] = { /* compressed/interleaved permutation */ 428 1, 2, 3, 4, 17, 18, 19, 20, 429 5, 6, 7, 8, 21, 22, 23, 24, 430 9, 10, 11, 12, 25, 26, 27, 28, 431 13, 14, 15, 16, 29, 30, 31, 32, 432 433 33, 34, 35, 36, 49, 50, 51, 52, 434 37, 38, 39, 40, 53, 54, 55, 56, 435 41, 42, 43, 44, 57, 58, 59, 60, 436 45, 46, 47, 48, 61, 62, 63, 64, 437 }; 438 439 static unsigned char itoa64[] = /* 0..63 => ascii-64 */ 440 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; 441 442 443 /* ===== Tables that are initialized at run time ==================== */ 444 445 446 static unsigned char a64toi[128]; /* ascii-64 => 0..63 */ 447 448 /* Initial key schedule permutation */ 449 static C_block PC1ROT[64/CHUNKBITS][1<<CHUNKBITS]; 450 451 /* Subsequent key schedule rotation permutations */ 452 static C_block PC2ROT[2][64/CHUNKBITS][1<<CHUNKBITS]; 453 454 /* Initial permutation/expansion table */ 455 static C_block IE3264[32/CHUNKBITS][1<<CHUNKBITS]; 456 457 /* Table that combines the S, P, and E operations. */ 458 static int32_t SPE[2][8][64]; 459 460 /* compressed/interleaved => final permutation table */ 461 static C_block CF6464[64/CHUNKBITS][1<<CHUNKBITS]; 462 463 464 /* ==================================== */ 465 466 467 static C_block constdatablock; /* encryption constant */ 468 static char cryptresult[1+4+4+11+1]; /* encrypted result */ 469 470 /* 471 * Return a pointer to static data consisting of the "setting" 472 * followed by an encryption produced by the "key" and "setting". 473 */ 474 char * 475 crypt(key, setting) 476 const char *key; 477 const char *setting; 478 { 479 char *encp; 480 int32_t i; 481 int t; 482 int32_t salt; 483 int num_iter, salt_size; 484 C_block keyblock, rsltblock; 485 486 for (i = 0; i < 8; i++) { 487 if ((t = 2*(unsigned char)(*key)) != 0) 488 key++; 489 keyblock.b[i] = t; 490 } 491 if (des_setkey((char *)keyblock.b)) /* also initializes "a64toi" */ 492 return (NULL); 493 494 encp = &cryptresult[0]; 495 switch (*setting) { 496 case _PASSWORD_EFMT1: 497 /* 498 * Involve the rest of the password 8 characters at a time. 499 */ 500 while (*key) { 501 if (des_cipher((char *)&keyblock, 502 (char *)&keyblock, 0L, 1)) 503 return (NULL); 504 for (i = 0; i < 8; i++) { 505 if ((t = 2*(unsigned char)(*key)) != 0) 506 key++; 507 keyblock.b[i] ^= t; 508 } 509 if (des_setkey((char *)keyblock.b)) 510 return (NULL); 511 } 512 513 *encp++ = *setting++; 514 515 /* get iteration count */ 516 num_iter = 0; 517 for (i = 4; --i >= 0; ) { 518 if ((t = (unsigned char)setting[i]) == '\0') 519 t = '.'; 520 encp[i] = t; 521 num_iter = (num_iter<<6) | a64toi[t]; 522 } 523 setting += 4; 524 encp += 4; 525 salt_size = 4; 526 break; 527 default: 528 num_iter = 25; 529 salt_size = 2; 530 } 531 532 salt = 0; 533 for (i = salt_size; --i >= 0; ) { 534 if ((t = (unsigned char)setting[i]) == '\0') 535 t = '.'; 536 encp[i] = t; 537 salt = (salt<<6) | a64toi[t]; 538 } 539 encp += salt_size; 540 if (des_cipher((char *)&constdatablock, (char *)&rsltblock, 541 salt, num_iter)) 542 return (NULL); 543 544 /* 545 * Encode the 64 cipher bits as 11 ascii characters. 546 */ 547 i = ((int32_t)((rsltblock.b[0]<<8) | rsltblock.b[1])<<8) | 548 rsltblock.b[2]; 549 encp[3] = itoa64[i&0x3f]; i >>= 6; 550 encp[2] = itoa64[i&0x3f]; i >>= 6; 551 encp[1] = itoa64[i&0x3f]; i >>= 6; 552 encp[0] = itoa64[i]; encp += 4; 553 i = ((int32_t)((rsltblock.b[3]<<8) | rsltblock.b[4])<<8) | 554 rsltblock.b[5]; 555 encp[3] = itoa64[i&0x3f]; i >>= 6; 556 encp[2] = itoa64[i&0x3f]; i >>= 6; 557 encp[1] = itoa64[i&0x3f]; i >>= 6; 558 encp[0] = itoa64[i]; encp += 4; 559 i = ((int32_t)((rsltblock.b[6])<<8) | rsltblock.b[7])<<2; 560 encp[2] = itoa64[i&0x3f]; i >>= 6; 561 encp[1] = itoa64[i&0x3f]; i >>= 6; 562 encp[0] = itoa64[i]; 563 564 encp[3] = 0; 565 566 return (cryptresult); 567 } 568 569 570 /* 571 * The Key Schedule, filled in by des_setkey() or setkey(). 572 */ 573 #define KS_SIZE 16 574 static C_block KS[KS_SIZE]; 575 576 /* 577 * Set up the key schedule from the key. 578 */ 579 int 580 des_setkey(key) 581 const char *key; 582 { 583 DCL_BLOCK(K, K0, K1); 584 C_block *ptabp; 585 int i; 586 static int des_ready = 0; 587 588 if (!des_ready) { 589 init_des(); 590 des_ready = 1; 591 } 592 593 PERM6464(K,K0,K1,(unsigned char *)key,(C_block *)PC1ROT); 594 key = (char *)&KS[0]; 595 STORE(K&~0x03030303L, K0&~0x03030303L, K1, *(C_block *)key); 596 for (i = 1; i < 16; i++) { 597 key += sizeof(C_block); 598 STORE(K,K0,K1,*(C_block *)key); 599 ptabp = (C_block *)PC2ROT[Rotates[i]-1]; 600 PERM6464(K,K0,K1,(unsigned char *)key,ptabp); 601 STORE(K&~0x03030303L, K0&~0x03030303L, K1, *(C_block *)key); 602 } 603 return (0); 604 } 605 606 /* 607 * Encrypt (or decrypt if num_iter < 0) the 8 chars at "in" with abs(num_iter) 608 * iterations of DES, using the the given 24-bit salt and the pre-computed key 609 * schedule, and store the resulting 8 chars at "out" (in == out is permitted). 610 * 611 * NOTE: the performance of this routine is critically dependent on your 612 * compiler and machine architecture. 613 */ 614 int 615 des_cipher(in, out, salt, num_iter) 616 const char *in; 617 char *out; 618 long salt; 619 int num_iter; 620 { 621 /* variables that we want in registers, most important first */ 622 #if defined(pdp11) 623 register int j; 624 #endif 625 register int32_t L0, L1, R0, R1, k; 626 register C_block *kp; 627 register int ks_inc, loop_count; 628 C_block B; 629 630 L0 = salt; 631 TO_SIX_BIT(salt, L0); /* convert to 4*(6+2) format */ 632 633 #if defined(vax) || defined(pdp11) 634 salt = ~salt; /* "x &~ y" is faster than "x & y". */ 635 #define SALT (~salt) 636 #else 637 #define SALT salt 638 #endif 639 640 #if defined(MUST_ALIGN) 641 B.b[0] = in[0]; B.b[1] = in[1]; B.b[2] = in[2]; B.b[3] = in[3]; 642 B.b[4] = in[4]; B.b[5] = in[5]; B.b[6] = in[6]; B.b[7] = in[7]; 643 LOAD(L,L0,L1,B); 644 #else 645 LOAD(L,L0,L1,*(C_block *)in); 646 #endif 647 LOADREG(R,R0,R1,L,L0,L1); 648 L0 &= 0x55555555L; 649 L1 &= 0x55555555L; 650 L0 = (L0 << 1) | L1; /* L0 is the even-numbered input bits */ 651 R0 &= 0xaaaaaaaaL; 652 R1 = (R1 >> 1) & 0x55555555L; 653 L1 = R0 | R1; /* L1 is the odd-numbered input bits */ 654 STORE(L,L0,L1,B); 655 PERM3264(L,L0,L1,B.b, (C_block *)IE3264); /* even bits */ 656 PERM3264(R,R0,R1,B.b+4,(C_block *)IE3264); /* odd bits */ 657 658 if (num_iter >= 0) 659 { /* encryption */ 660 kp = &KS[0]; 661 ks_inc = sizeof(*kp); 662 } 663 else 664 { /* decryption */ 665 return (1); /* always fail */ 666 } 667 668 while (--num_iter >= 0) { 669 loop_count = 8; 670 do { 671 672 #define SPTAB(t, i) \ 673 (*(int32_t *)((unsigned char *)t + i*(sizeof(int32_t)/4))) 674 #if defined(gould) 675 /* use this if B.b[i] is evaluated just once ... */ 676 #define DOXOR(x,y,i) x^=SPTAB(SPE[0][i],B.b[i]); y^=SPTAB(SPE[1][i],B.b[i]); 677 #else 678 #if defined(pdp11) 679 /* use this if your "long" int indexing is slow */ 680 #define DOXOR(x,y,i) j=B.b[i]; x^=SPTAB(SPE[0][i],j); y^=SPTAB(SPE[1][i],j); 681 #else 682 /* use this if "k" is allocated to a register ... */ 683 #define DOXOR(x,y,i) k=B.b[i]; x^=SPTAB(SPE[0][i],k); y^=SPTAB(SPE[1][i],k); 684 #endif 685 #endif 686 687 #define CRUNCH(p0, p1, q0, q1) \ 688 k = (q0 ^ q1) & SALT; \ 689 B.b32.i0 = k ^ q0 ^ kp->b32.i0; \ 690 B.b32.i1 = k ^ q1 ^ kp->b32.i1; \ 691 kp = (C_block *)((char *)kp+ks_inc); \ 692 \ 693 DOXOR(p0, p1, 0); \ 694 DOXOR(p0, p1, 1); \ 695 DOXOR(p0, p1, 2); \ 696 DOXOR(p0, p1, 3); \ 697 DOXOR(p0, p1, 4); \ 698 DOXOR(p0, p1, 5); \ 699 DOXOR(p0, p1, 6); \ 700 DOXOR(p0, p1, 7); 701 702 CRUNCH(L0, L1, R0, R1); 703 CRUNCH(R0, R1, L0, L1); 704 } while (--loop_count != 0); 705 kp = (C_block *)((char *)kp-(ks_inc*KS_SIZE)); 706 707 708 /* swap L and R */ 709 L0 ^= R0; L1 ^= R1; 710 R0 ^= L0; R1 ^= L1; 711 L0 ^= R0; L1 ^= R1; 712 } 713 714 /* store the encrypted (or decrypted) result */ 715 L0 = ((L0 >> 3) & 0x0f0f0f0fL) | ((L1 << 1) & 0xf0f0f0f0L); 716 L1 = ((R0 >> 3) & 0x0f0f0f0fL) | ((R1 << 1) & 0xf0f0f0f0L); 717 STORE(L,L0,L1,B); 718 PERM6464(L,L0,L1,B.b, (C_block *)CF6464); 719 #if defined(MUST_ALIGN) 720 STORE(L,L0,L1,B); 721 out[0] = B.b[0]; out[1] = B.b[1]; out[2] = B.b[2]; out[3] = B.b[3]; 722 out[4] = B.b[4]; out[5] = B.b[5]; out[6] = B.b[6]; out[7] = B.b[7]; 723 #else 724 STORE(L,L0,L1,*(C_block *)out); 725 #endif 726 return (0); 727 } 728 729 730 /* 731 * Initialize various tables. This need only be done once. It could even be 732 * done at compile time, if the compiler were capable of that sort of thing. 733 */ 734 STATIC 735 init_des() 736 { 737 int i, j; 738 int32_t k; 739 int tableno; 740 static unsigned char perm[64], tmp32[32]; /* "static" for speed */ 741 742 /* 743 * table that converts chars "./0-9A-Za-z"to integers 0-63. 744 */ 745 for (i = 0; i < 64; i++) 746 a64toi[itoa64[i]] = i; 747 748 /* 749 * PC1ROT - bit reverse, then PC1, then Rotate, then PC2. 750 */ 751 for (i = 0; i < 64; i++) 752 perm[i] = 0; 753 for (i = 0; i < 64; i++) { 754 if ((k = PC2[i]) == 0) 755 continue; 756 k += Rotates[0]-1; 757 if ((k%28) < Rotates[0]) k -= 28; 758 k = PC1[k]; 759 if (k > 0) { 760 k--; 761 k = (k|07) - (k&07); 762 k++; 763 } 764 perm[i] = k; 765 } 766 #ifdef DEBUG 767 prtab("pc1tab", perm, 8); 768 #endif 769 init_perm(PC1ROT, perm, 8, 8); 770 771 /* 772 * PC2ROT - PC2 inverse, then Rotate (once or twice), then PC2. 773 */ 774 for (j = 0; j < 2; j++) { 775 unsigned char pc2inv[64]; 776 for (i = 0; i < 64; i++) 777 perm[i] = pc2inv[i] = 0; 778 for (i = 0; i < 64; i++) { 779 if ((k = PC2[i]) == 0) 780 continue; 781 pc2inv[k-1] = i+1; 782 } 783 for (i = 0; i < 64; i++) { 784 if ((k = PC2[i]) == 0) 785 continue; 786 k += j; 787 if ((k%28) <= j) k -= 28; 788 perm[i] = pc2inv[k]; 789 } 790 #ifdef DEBUG 791 prtab("pc2tab", perm, 8); 792 #endif 793 init_perm(PC2ROT[j], perm, 8, 8); 794 } 795 796 /* 797 * Bit reverse, then initial permutation, then expansion. 798 */ 799 for (i = 0; i < 8; i++) { 800 for (j = 0; j < 8; j++) { 801 k = (j < 2)? 0: IP[ExpandTr[i*6+j-2]-1]; 802 if (k > 32) 803 k -= 32; 804 else if (k > 0) 805 k--; 806 if (k > 0) { 807 k--; 808 k = (k|07) - (k&07); 809 k++; 810 } 811 perm[i*8+j] = k; 812 } 813 } 814 #ifdef DEBUG 815 prtab("ietab", perm, 8); 816 #endif 817 init_perm(IE3264, perm, 4, 8); 818 819 /* 820 * Compression, then final permutation, then bit reverse. 821 */ 822 for (i = 0; i < 64; i++) { 823 k = IP[CIFP[i]-1]; 824 if (k > 0) { 825 k--; 826 k = (k|07) - (k&07); 827 k++; 828 } 829 perm[k-1] = i+1; 830 } 831 #ifdef DEBUG 832 prtab("cftab", perm, 8); 833 #endif 834 init_perm(CF6464, perm, 8, 8); 835 836 /* 837 * SPE table 838 */ 839 for (i = 0; i < 48; i++) 840 perm[i] = P32Tr[ExpandTr[i]-1]; 841 for (tableno = 0; tableno < 8; tableno++) { 842 for (j = 0; j < 64; j++) { 843 k = (((j >> 0) &01) << 5)| 844 (((j >> 1) &01) << 3)| 845 (((j >> 2) &01) << 2)| 846 (((j >> 3) &01) << 1)| 847 (((j >> 4) &01) << 0)| 848 (((j >> 5) &01) << 4); 849 k = S[tableno][k]; 850 k = (((k >> 3)&01) << 0)| 851 (((k >> 2)&01) << 1)| 852 (((k >> 1)&01) << 2)| 853 (((k >> 0)&01) << 3); 854 for (i = 0; i < 32; i++) 855 tmp32[i] = 0; 856 for (i = 0; i < 4; i++) 857 tmp32[4 * tableno + i] = (k >> i) & 01; 858 k = 0; 859 for (i = 24; --i >= 0; ) 860 k = (k<<1) | tmp32[perm[i]-1]; 861 TO_SIX_BIT(SPE[0][tableno][j], k); 862 k = 0; 863 for (i = 24; --i >= 0; ) 864 k = (k<<1) | tmp32[perm[i+24]-1]; 865 TO_SIX_BIT(SPE[1][tableno][j], k); 866 } 867 } 868 } 869 870 /* 871 * Initialize "perm" to represent transformation "p", which rearranges 872 * (perhaps with expansion and/or contraction) one packed array of bits 873 * (of size "chars_in" characters) into another array (of size "chars_out" 874 * characters). 875 * 876 * "perm" must be all-zeroes on entry to this routine. 877 */ 878 STATIC 879 init_perm(perm, p, chars_in, chars_out) 880 C_block perm[64/CHUNKBITS][1<<CHUNKBITS]; 881 unsigned char p[64]; 882 int chars_in, chars_out; 883 { 884 int i, j, k, l; 885 886 for (k = 0; k < chars_out*8; k++) { /* each output bit position */ 887 l = p[k] - 1; /* where this bit comes from */ 888 if (l < 0) 889 continue; /* output bit is always 0 */ 890 i = l>>LGCHUNKBITS; /* which chunk this bit comes from */ 891 l = 1<<(l&(CHUNKBITS-1)); /* mask for this bit */ 892 for (j = 0; j < (1<<CHUNKBITS); j++) { /* each chunk value */ 893 if ((j & l) != 0) 894 perm[i][j].b[k>>3] |= 1<<(k&07); 895 } 896 } 897 } 898 899 /* 900 * "setkey" routine (for backwards compatibility) 901 */ 902 int 903 setkey(key) 904 const char *key; 905 { 906 int i, j, k; 907 C_block keyblock; 908 909 for (i = 0; i < 8; i++) { 910 k = 0; 911 for (j = 0; j < 8; j++) { 912 k <<= 1; 913 k |= (unsigned char)*key++; 914 } 915 keyblock.b[i] = k; 916 } 917 return (des_setkey((char *)keyblock.b)); 918 } 919 920 /* 921 * "encrypt" routine (for backwards compatibility) 922 */ 923 int 924 encrypt(block, flag) 925 char *block; 926 int flag; 927 { 928 int i, j, k; 929 C_block cblock; 930 931 for (i = 0; i < 8; i++) { 932 k = 0; 933 for (j = 0; j < 8; j++) { 934 k <<= 1; 935 k |= (unsigned char)*block++; 936 } 937 cblock.b[i] = k; 938 } 939 if (des_cipher((char *)&cblock, (char *)&cblock, 0L, (flag ? -1: 1))) 940 return (1); 941 for (i = 7; i >= 0; i--) { 942 k = cblock.b[i]; 943 for (j = 7; j >= 0; j--) { 944 *--block = k&01; 945 k >>= 1; 946 } 947 } 948 return (0); 949 } 950 951 #ifdef DEBUG 952 STATIC 953 prtab(s, t, num_rows) 954 char *s; 955 unsigned char *t; 956 int num_rows; 957 { 958 int i, j; 959 960 (void)printf("%s:\n", s); 961 for (i = 0; i < num_rows; i++) { 962 for (j = 0; j < 8; j++) { 963 (void)printf("%3d", t[i*8+j]); 964 } 965 (void)printf("\n"); 966 } 967 (void)printf("\n"); 968 } 969 #endif 970
Indexes created Mon Sep 22 05:09:51 GMT 2025