2 * FreeSec: libcrypt for NetBSD
4 * Copyright (c) 1994 David Burren
7 * Adapted for FreeBSD-2.0 by Geoffrey M. Rehmet
8 * this file should now *only* export crypt(), in order to make
9 * binaries of libcrypt exportable from the USA
11 * Adapted for FreeBSD-4.0 by Mark R V Murray
12 * this file should now *only* export crypt_des(), in order to make
13 * a module that can be optionally included in libcrypt.
15 * Redistribution and use in source and binary forms, with or without
16 * modification, are permitted provided that the following conditions
18 * 1. Redistributions of source code must retain the above copyright
19 * notice, this list of conditions and the following disclaimer.
20 * 2. Redistributions in binary form must reproduce the above copyright
21 * notice, this list of conditions and the following disclaimer in the
22 * documentation and/or other materials provided with the distribution.
23 * 3. Neither the name of the author nor the names of other contributors
24 * may be used to endorse or promote products derived from this software
25 * without specific prior written permission.
27 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
28 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
29 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
30 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
31 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
32 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
33 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
34 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
35 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
36 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
39 * This is an original implementation of the DES and the crypt(3) interfaces
40 * by David Burren <davidb@werj.com.au>.
42 * An excellent reference on the underlying algorithm (and related
45 * B. Schneier, Applied Cryptography: protocols, algorithms,
46 * and source code in C, John Wiley & Sons, 1994.
48 * Note that in that book's description of DES the lookups for the initial,
49 * pbox, and final permutations are inverted (this has been brought to the
50 * attention of the author). A list of errata for this book has been
51 * posted to the sci.crypt newsgroup by the author and is available for FTP.
53 * ARCHITECTURE ASSUMPTIONS:
54 * It is assumed that the 8-byte arrays passed by reference can be
55 * addressed as arrays of uint32_t's (ie. the CPU is not picky about
60 static const uint8_t IP[64] = {
61 58, 50, 42, 34, 26, 18, 10, 2, 60, 52, 44, 36, 28, 20, 12, 4,
62 62, 54, 46, 38, 30, 22, 14, 6, 64, 56, 48, 40, 32, 24, 16, 8,
63 57, 49, 41, 33, 25, 17, 9, 1, 59, 51, 43, 35, 27, 19, 11, 3,
64 61, 53, 45, 37, 29, 21, 13, 5, 63, 55, 47, 39, 31, 23, 15, 7
67 static const uint8_t key_perm[56] = {
68 57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18,
69 10, 2, 59, 51, 43, 35, 27, 19, 11, 3, 60, 52, 44, 36,
70 63, 55, 47, 39, 31, 23, 15, 7, 62, 54, 46, 38, 30, 22,
71 14, 6, 61, 53, 45, 37, 29, 21, 13, 5, 28, 20, 12, 4
74 static const uint8_t key_shifts[16] = {
75 1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1
78 static const uint8_t comp_perm[48] = {
79 14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10,
80 23, 19, 12, 4, 26, 8, 16, 7, 27, 20, 13, 2,
81 41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48,
82 44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32
86 * No E box is used, as it's replaced by some ANDs, shifts, and ORs.
89 static const uint8_t sbox[8][64] = {
91 14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7,
92 0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8,
93 4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0,
94 15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13
97 15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10,
98 3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5,
99 0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15,
100 13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9
103 10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8,
104 13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1,
105 13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7,
106 1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12
109 7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15,
110 13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9,
111 10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4,
112 3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14
115 2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9,
116 14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6,
117 4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14,
118 11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3
121 12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11,
122 10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8,
123 9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6,
124 4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13
127 4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1,
128 13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6,
129 1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2,
130 6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12
133 13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7,
134 1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2,
135 7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8,
136 2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11
140 static const uint8_t pbox[32] = {
141 16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10,
142 2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25
145 static const uint32_t bits32[32] =
147 0x80000000, 0x40000000, 0x20000000, 0x10000000,
148 0x08000000, 0x04000000, 0x02000000, 0x01000000,
149 0x00800000, 0x00400000, 0x00200000, 0x00100000,
150 0x00080000, 0x00040000, 0x00020000, 0x00010000,
151 0x00008000, 0x00004000, 0x00002000, 0x00001000,
152 0x00000800, 0x00000400, 0x00000200, 0x00000100,
153 0x00000080, 0x00000040, 0x00000020, 0x00000010,
154 0x00000008, 0x00000004, 0x00000002, 0x00000001
157 static const uint8_t bits8[8] = { 0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02, 0x01 };
161 ascii_to_bin(char ch)
166 return (ch - 'a' + 38);
170 return (ch - 'A' + 12);
179 /* Static stuff that stays resident and doesn't change after
180 * being initialized, and therefore doesn't need to be made
182 struct const_des_ctx {
183 uint8_t init_perm[64], final_perm[64]; /* referenced 2 times each */
184 uint8_t m_sbox[4][4096]; /* 5 times */
187 #define init_perm (C.init_perm )
188 #define final_perm (C.final_perm)
189 #define m_sbox (C.m_sbox )
191 static struct const_des_ctx*
195 uint8_t u_sbox[8][64];
196 struct const_des_ctx *cctx;
198 cctx = xmalloc(sizeof(*cctx));
201 * Invert the S-boxes, reordering the input bits.
203 for (i = 0; i < 8; i++) {
204 for (j = 0; j < 64; j++) {
205 b = (j & 0x20) | ((j & 1) << 4) | ((j >> 1) & 0xf);
206 u_sbox[i][j] = sbox[i][b];
211 * Convert the inverted S-boxes into 4 arrays of 8 bits.
212 * Each will handle 12 bits of the S-box input.
214 for (b = 0; b < 4; b++)
215 for (i = 0; i < 64; i++)
216 for (j = 0; j < 64; j++)
217 m_sbox[b][(i << 6) | j] =
218 (uint8_t)((u_sbox[(b << 1)][i] << 4) |
219 u_sbox[(b << 1) + 1][j]);
222 * Set up the initial & final permutations into a useful form.
224 for (i = 0; i < 64; i++) {
225 final_perm[i] = IP[i] - 1;
226 init_perm[final_perm[i]] = (uint8_t)i;
234 const struct const_des_ctx *const_ctx;
235 uint32_t saltbits; /* referenced 5 times */
236 uint32_t old_salt; /* 3 times */
237 uint32_t old_rawkey0, old_rawkey1; /* 3 times each */
238 uint8_t un_pbox[32]; /* 2 times */
239 uint8_t inv_comp_perm[56]; /* 3 times */
240 uint8_t inv_key_perm[64]; /* 3 times */
241 uint32_t en_keysl[16], en_keysr[16]; /* 2 times each */
242 uint32_t de_keysl[16], de_keysr[16]; /* 2 times each */
243 uint32_t ip_maskl[8][256], ip_maskr[8][256]; /* 9 times each */
244 uint32_t fp_maskl[8][256], fp_maskr[8][256]; /* 9 times each */
245 uint32_t key_perm_maskl[8][128], key_perm_maskr[8][128]; /* 9 times */
246 uint32_t comp_maskl[8][128], comp_maskr[8][128]; /* 9 times each */
247 uint32_t psbox[4][256]; /* 5 times */
250 #define const_ctx (D.const_ctx )
251 #define saltbits (D.saltbits )
252 #define old_salt (D.old_salt )
253 #define old_rawkey0 (D.old_rawkey0 )
254 #define old_rawkey1 (D.old_rawkey1 )
255 #define un_pbox (D.un_pbox )
256 #define inv_comp_perm (D.inv_comp_perm )
257 #define inv_key_perm (D.inv_key_perm )
258 #define en_keysl (D.en_keysl )
259 #define en_keysr (D.en_keysr )
260 #define de_keysl (D.de_keysl )
261 #define de_keysr (D.de_keysr )
262 #define ip_maskl (D.ip_maskl )
263 #define ip_maskr (D.ip_maskr )
264 #define fp_maskl (D.fp_maskl )
265 #define fp_maskr (D.fp_maskr )
266 #define key_perm_maskl (D.key_perm_maskl )
267 #define key_perm_maskr (D.key_perm_maskr )
268 #define comp_maskl (D.comp_maskl )
269 #define comp_maskr (D.comp_maskr )
270 #define psbox (D.psbox )
272 static struct des_ctx*
273 des_init(struct des_ctx *ctx, const struct const_des_ctx *cctx)
275 int i, j, b, k, inbit, obit;
276 uint32_t *p, *il, *ir, *fl, *fr;
277 const uint32_t *bits28, *bits24;
280 ctx = xmalloc(sizeof(*ctx));
283 old_rawkey0 = old_rawkey1 = 0L;
290 * Initialise the inverted key permutation.
292 for (i = 0; i < 64; i++) {
293 inv_key_perm[i] = 255;
297 * Invert the key permutation and initialise the inverted key
298 * compression permutation.
300 for (i = 0; i < 56; i++) {
301 inv_key_perm[key_perm[i] - 1] = (uint8_t)i;
302 inv_comp_perm[i] = 255;
306 * Invert the key compression permutation.
308 for (i = 0; i < 48; i++) {
309 inv_comp_perm[comp_perm[i] - 1] = (uint8_t)i;
313 * Set up the OR-mask arrays for the initial and final permutations,
314 * and for the key initial and compression permutations.
316 for (k = 0; k < 8; k++) {
317 for (i = 0; i < 256; i++) {
318 il = &ip_maskl[k][i];
319 ir = &ip_maskr[k][i];
320 fl = &fp_maskl[k][i];
321 fr = &fp_maskr[k][i];
326 for (j = 0; j < 8; j++) {
329 obit = init_perm[inbit];
333 *ir |= bits32[obit - 32];
334 obit = final_perm[inbit];
338 *fr |= bits32[obit - 32];
342 for (i = 0; i < 128; i++) {
343 il = &key_perm_maskl[k][i];
344 ir = &key_perm_maskr[k][i];
347 for (j = 0; j < 7; j++) {
349 if (i & bits8[j + 1]) {
350 obit = inv_key_perm[inbit];
356 *ir |= bits28[obit - 28];
359 il = &comp_maskl[k][i];
360 ir = &comp_maskr[k][i];
363 for (j = 0; j < 7; j++) {
365 if (i & bits8[j + 1]) {
366 obit = inv_comp_perm[inbit];
372 *ir |= bits24[obit - 24];
379 * Invert the P-box permutation, and convert into OR-masks for
380 * handling the output of the S-box arrays setup above.
382 for (i = 0; i < 32; i++)
383 un_pbox[pbox[i] - 1] = (uint8_t)i;
385 for (b = 0; b < 4; b++) {
386 for (i = 0; i < 256; i++) {
389 for (j = 0; j < 8; j++) {
391 *p |= bits32[un_pbox[8 * b + j]];
401 setup_salt(struct des_ctx *ctx, uint32_t salt)
403 uint32_t obit, saltbit;
406 if (salt == old_salt)
413 for (i = 0; i < 24; i++) {
422 des_setkey(struct des_ctx *ctx, const char *key)
424 uint32_t k0, k1, rawkey0, rawkey1;
427 rawkey0 = ntohl(*(const uint32_t *) key);
428 rawkey1 = ntohl(*(const uint32_t *) (key + 4));
430 if ((rawkey0 | rawkey1)
431 && rawkey0 == old_rawkey0
432 && rawkey1 == old_rawkey1
435 * Already setup for this key.
436 * This optimisation fails on a zero key (which is weak and
437 * has bad parity anyway) in order to simplify the starting
442 old_rawkey0 = rawkey0;
443 old_rawkey1 = rawkey1;
446 * Do key permutation and split into two 28-bit subkeys.
448 k0 = key_perm_maskl[0][rawkey0 >> 25]
449 | key_perm_maskl[1][(rawkey0 >> 17) & 0x7f]
450 | key_perm_maskl[2][(rawkey0 >> 9) & 0x7f]
451 | key_perm_maskl[3][(rawkey0 >> 1) & 0x7f]
452 | key_perm_maskl[4][rawkey1 >> 25]
453 | key_perm_maskl[5][(rawkey1 >> 17) & 0x7f]
454 | key_perm_maskl[6][(rawkey1 >> 9) & 0x7f]
455 | key_perm_maskl[7][(rawkey1 >> 1) & 0x7f];
456 k1 = key_perm_maskr[0][rawkey0 >> 25]
457 | key_perm_maskr[1][(rawkey0 >> 17) & 0x7f]
458 | key_perm_maskr[2][(rawkey0 >> 9) & 0x7f]
459 | key_perm_maskr[3][(rawkey0 >> 1) & 0x7f]
460 | key_perm_maskr[4][rawkey1 >> 25]
461 | key_perm_maskr[5][(rawkey1 >> 17) & 0x7f]
462 | key_perm_maskr[6][(rawkey1 >> 9) & 0x7f]
463 | key_perm_maskr[7][(rawkey1 >> 1) & 0x7f];
465 * Rotate subkeys and do compression permutation.
468 for (round = 0; round < 16; round++) {
471 shifts += key_shifts[round];
473 t0 = (k0 << shifts) | (k0 >> (28 - shifts));
474 t1 = (k1 << shifts) | (k1 >> (28 - shifts));
476 de_keysl[15 - round] =
477 en_keysl[round] = comp_maskl[0][(t0 >> 21) & 0x7f]
478 | comp_maskl[1][(t0 >> 14) & 0x7f]
479 | comp_maskl[2][(t0 >> 7) & 0x7f]
480 | comp_maskl[3][t0 & 0x7f]
481 | comp_maskl[4][(t1 >> 21) & 0x7f]
482 | comp_maskl[5][(t1 >> 14) & 0x7f]
483 | comp_maskl[6][(t1 >> 7) & 0x7f]
484 | comp_maskl[7][t1 & 0x7f];
486 de_keysr[15 - round] =
487 en_keysr[round] = comp_maskr[0][(t0 >> 21) & 0x7f]
488 | comp_maskr[1][(t0 >> 14) & 0x7f]
489 | comp_maskr[2][(t0 >> 7) & 0x7f]
490 | comp_maskr[3][t0 & 0x7f]
491 | comp_maskr[4][(t1 >> 21) & 0x7f]
492 | comp_maskr[5][(t1 >> 14) & 0x7f]
493 | comp_maskr[6][(t1 >> 7) & 0x7f]
494 | comp_maskr[7][t1 & 0x7f];
500 do_des(struct des_ctx *ctx, uint32_t l_in, uint32_t r_in, uint32_t *l_out, uint32_t *r_out, int count)
502 const struct const_des_ctx *cctx = const_ctx;
504 * l_in, r_in, l_out, and r_out are in pseudo-"big-endian" format.
506 uint32_t l, r, *kl, *kr, *kl1, *kr1;
507 uint32_t f = f; /* silence gcc */
518 * Do initial permutation (IP).
520 l = ip_maskl[0][l_in >> 24]
521 | ip_maskl[1][(l_in >> 16) & 0xff]
522 | ip_maskl[2][(l_in >> 8) & 0xff]
523 | ip_maskl[3][l_in & 0xff]
524 | ip_maskl[4][r_in >> 24]
525 | ip_maskl[5][(r_in >> 16) & 0xff]
526 | ip_maskl[6][(r_in >> 8) & 0xff]
527 | ip_maskl[7][r_in & 0xff];
528 r = ip_maskr[0][l_in >> 24]
529 | ip_maskr[1][(l_in >> 16) & 0xff]
530 | ip_maskr[2][(l_in >> 8) & 0xff]
531 | ip_maskr[3][l_in & 0xff]
532 | ip_maskr[4][r_in >> 24]
533 | ip_maskr[5][(r_in >> 16) & 0xff]
534 | ip_maskr[6][(r_in >> 8) & 0xff]
535 | ip_maskr[7][r_in & 0xff];
546 * Expand R to 48 bits (simulate the E-box).
548 r48l = ((r & 0x00000001) << 23)
549 | ((r & 0xf8000000) >> 9)
550 | ((r & 0x1f800000) >> 11)
551 | ((r & 0x01f80000) >> 13)
552 | ((r & 0x001f8000) >> 15);
554 r48r = ((r & 0x0001f800) << 7)
555 | ((r & 0x00001f80) << 5)
556 | ((r & 0x000001f8) << 3)
557 | ((r & 0x0000001f) << 1)
558 | ((r & 0x80000000) >> 31);
560 * Do salting for crypt() and friends, and
561 * XOR with the permuted key.
563 f = (r48l ^ r48r) & saltbits;
567 * Do sbox lookups (which shrink it back to 32 bits)
568 * and do the pbox permutation at the same time.
570 f = psbox[0][m_sbox[0][r48l >> 12]]
571 | psbox[1][m_sbox[1][r48l & 0xfff]]
572 | psbox[2][m_sbox[2][r48r >> 12]]
573 | psbox[3][m_sbox[3][r48r & 0xfff]];
575 * Now that we've permuted things, complete f().
585 * Do final permutation (inverse of IP).
587 *l_out = fp_maskl[0][l >> 24]
588 | fp_maskl[1][(l >> 16) & 0xff]
589 | fp_maskl[2][(l >> 8) & 0xff]
590 | fp_maskl[3][l & 0xff]
591 | fp_maskl[4][r >> 24]
592 | fp_maskl[5][(r >> 16) & 0xff]
593 | fp_maskl[6][(r >> 8) & 0xff]
594 | fp_maskl[7][r & 0xff];
595 *r_out = fp_maskr[0][l >> 24]
596 | fp_maskr[1][(l >> 16) & 0xff]
597 | fp_maskr[2][(l >> 8) & 0xff]
598 | fp_maskr[3][l & 0xff]
599 | fp_maskr[4][r >> 24]
600 | fp_maskr[5][(r >> 16) & 0xff]
601 | fp_maskr[6][(r >> 8) & 0xff]
602 | fp_maskr[7][r & 0xff];
605 #define DES_OUT_BUFSIZE 21
609 des_crypt(struct des_ctx *ctx, char output[21], const unsigned char *key, const unsigned char *setting)
611 uint32_t salt, l, r0, r1, keybuf[2];
615 * Copy the key, shifting each character up by one bit
616 * and padding with zeros.
618 q = (uint8_t *)keybuf;
619 while (q - (uint8_t *)keybuf != 8) {
625 des_setkey(ctx, (char *)keybuf);
628 * setting - 2 bytes of salt
629 * key - up to 8 characters
631 salt = (ascii_to_bin(setting[1]) << 6)
632 | ascii_to_bin(setting[0]);
634 output[0] = setting[0];
636 * If the encrypted password that the salt was extracted from
637 * is only 1 character long, the salt will be corrupted. We
638 * need to ensure that the output string doesn't have an extra
641 output[1] = setting[1] ? setting[1] : output[0];
643 p = (uint8_t *)output + 2;
645 setup_salt(ctx, salt);
649 do_des(ctx, 0L, 0L, &r0, &r1, 25 /* count */);
652 * Now encode the result...
655 *p++ = ascii64[(l >> 18) & 0x3f];
656 *p++ = ascii64[(l >> 12) & 0x3f];
657 *p++ = ascii64[(l >> 6) & 0x3f];
658 *p++ = ascii64[l & 0x3f];
660 l = ((r0 << 16) | (r1 >> 16));
661 *p++ = ascii64[(l >> 18) & 0x3f];
662 *p++ = ascii64[(l >> 12) & 0x3f];
663 *p++ = ascii64[(l >> 6) & 0x3f];
664 *p++ = ascii64[l & 0x3f];
667 *p++ = ascii64[(l >> 12) & 0x3f];
668 *p++ = ascii64[(l >> 6) & 0x3f];
669 *p++ = ascii64[l & 0x3f];
696 #undef key_perm_maskl
697 #undef key_perm_maskr
projects / oweals / busybox.git / blob