2 * FreeSec: libcrypt for NetBSD
4 * Copyright (c) 1994 David Burren
7 * Adapted for FreeBSD-2.0 by Geoffrey M. Rehmet
8 * this file should now *only* export crypt(), in order to make
9 * binaries of libcrypt exportable from the USA
11 * Adapted for FreeBSD-4.0 by Mark R V Murray
12 * this file should now *only* export crypt_des(), in order to make
13 * a module that can be optionally included in libcrypt.
15 * Redistribution and use in source and binary forms, with or without
16 * modification, are permitted provided that the following conditions
18 * 1. Redistributions of source code must retain the above copyright
19 * notice, this list of conditions and the following disclaimer.
20 * 2. Redistributions in binary form must reproduce the above copyright
21 * notice, this list of conditions and the following disclaimer in the
22 * documentation and/or other materials provided with the distribution.
23 * 3. Neither the name of the author nor the names of other contributors
24 * may be used to endorse or promote products derived from this software
25 * without specific prior written permission.
27 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ''AS IS'' AND
28 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
29 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
30 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
31 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
32 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
33 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
34 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
35 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
36 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
39 * This is an original implementation of the DES and the crypt(3) interfaces
40 * by David Burren <davidb@werj.com.au>.
42 * An excellent reference on the underlying algorithm (and related
45 * B. Schneier, Applied Cryptography: protocols, algorithms,
46 * and source code in C, John Wiley & Sons, 1994.
48 * Note that in that book's description of DES the lookups for the initial,
49 * pbox, and final permutations are inverted (this has been brought to the
50 * attention of the author). A list of errata for this book has been
51 * posted to the sci.crypt newsgroup by the author and is available for FTP.
53 * ARCHITECTURE ASSUMPTIONS:
54 * It is assumed that the 8-byte arrays passed by reference can be
55 * addressed as arrays of uint32_t's (ie. the CPU is not picky about
60 /* Parts busybox doesn't need or had optimized */
61 #define USE_PRECOMPUTED_u_sbox 1
62 #define USE_REPETITIVE_SPEEDUP 0
68 static const uint8_t IP[64] = {
69 58, 50, 42, 34, 26, 18, 10, 2, 60, 52, 44, 36, 28, 20, 12, 4,
70 62, 54, 46, 38, 30, 22, 14, 6, 64, 56, 48, 40, 32, 24, 16, 8,
71 57, 49, 41, 33, 25, 17, 9, 1, 59, 51, 43, 35, 27, 19, 11, 3,
72 61, 53, 45, 37, 29, 21, 13, 5, 63, 55, 47, 39, 31, 23, 15, 7
75 static const uint8_t key_perm[56] = {
76 57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18,
77 10, 2, 59, 51, 43, 35, 27, 19, 11, 3, 60, 52, 44, 36,
78 63, 55, 47, 39, 31, 23, 15, 7, 62, 54, 46, 38, 30, 22,
79 14, 6, 61, 53, 45, 37, 29, 21, 13, 5, 28, 20, 12, 4
82 static const uint8_t key_shifts[16] = {
83 1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1
86 static const uint8_t comp_perm[48] = {
87 14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10,
88 23, 19, 12, 4, 26, 8, 16, 7, 27, 20, 13, 2,
89 41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48,
90 44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32
94 * No E box is used, as it's replaced by some ANDs, shifts, and ORs.
96 #if !USE_PRECOMPUTED_u_sbox
97 static const uint8_t sbox[8][64] = {
98 { 14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7,
99 0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8,
100 4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0,
101 15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13
103 { 15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10,
104 3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5,
105 0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15,
106 13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9
108 { 10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8,
109 13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1,
110 13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7,
111 1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12
113 { 7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15,
114 13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9,
115 10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4,
116 3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14
118 { 2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9,
119 14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6,
120 4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14,
121 11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3
123 { 12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11,
124 10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8,
125 9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6,
126 4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13
128 { 4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1,
129 13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6,
130 1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2,
131 6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12
133 { 13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7,
134 1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2,
135 7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8,
136 2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11
139 #else /* precomputed, with half-bytes packed into one byte */
140 static const uint8_t u_sbox[8][32] = {
141 { 0x0e, 0xf4, 0x7d, 0x41, 0xe2, 0x2f, 0xdb, 0x18,
142 0xa3, 0x6a, 0xc6, 0xbc, 0x95, 0x59, 0x30, 0x87,
143 0xf4, 0xc1, 0x8e, 0x28, 0x4d, 0x96, 0x12, 0x7b,
144 0x5f, 0xbc, 0x39, 0xe7, 0xa3, 0x0a, 0x65, 0xd0,
146 { 0x3f, 0xd1, 0x48, 0x7e, 0xf6, 0x2b, 0x83, 0xe4,
147 0xc9, 0x07, 0x12, 0xad, 0x6c, 0x90, 0xb5, 0x5a,
148 0xd0, 0x8e, 0xa7, 0x1b, 0x3a, 0xf4, 0x4d, 0x21,
149 0xb5, 0x68, 0x7c, 0xc6, 0x09, 0x53, 0xe2, 0x9f,
151 { 0xda, 0x70, 0x09, 0x9e, 0x36, 0x43, 0x6f, 0xa5,
152 0x21, 0x8d, 0x5c, 0xe7, 0xcb, 0xb4, 0xf2, 0x18,
153 0x1d, 0xa6, 0xd4, 0x09, 0x68, 0x9f, 0x83, 0x70,
154 0x4b, 0xf1, 0xe2, 0x3c, 0xb5, 0x5a, 0x2e, 0xc7,
156 { 0xd7, 0x8d, 0xbe, 0x53, 0x60, 0xf6, 0x09, 0x3a,
157 0x41, 0x72, 0x28, 0xc5, 0x1b, 0xac, 0xe4, 0x9f,
158 0x3a, 0xf6, 0x09, 0x60, 0xac, 0x1b, 0xd7, 0x8d,
159 0x9f, 0x41, 0x53, 0xbe, 0xc5, 0x72, 0x28, 0xe4,
161 { 0xe2, 0xbc, 0x24, 0xc1, 0x47, 0x7a, 0xdb, 0x16,
162 0x58, 0x05, 0xf3, 0xaf, 0x3d, 0x90, 0x8e, 0x69,
163 0xb4, 0x82, 0xc1, 0x7b, 0x1a, 0xed, 0x27, 0xd8,
164 0x6f, 0xf9, 0x0c, 0x95, 0xa6, 0x43, 0x50, 0x3e,
166 { 0xac, 0xf1, 0x4a, 0x2f, 0x79, 0xc2, 0x96, 0x58,
167 0x60, 0x1d, 0xd3, 0xe4, 0x0e, 0xb7, 0x35, 0x8b,
168 0x49, 0x3e, 0x2f, 0xc5, 0x92, 0x58, 0xfc, 0xa3,
169 0xb7, 0xe0, 0x14, 0x7a, 0x61, 0x0d, 0x8b, 0xd6,
171 { 0xd4, 0x0b, 0xb2, 0x7e, 0x4f, 0x90, 0x18, 0xad,
172 0xe3, 0x3c, 0x59, 0xc7, 0x25, 0xfa, 0x86, 0x61,
173 0x61, 0xb4, 0xdb, 0x8d, 0x1c, 0x43, 0xa7, 0x7e,
174 0x9a, 0x5f, 0x06, 0xf8, 0xe0, 0x25, 0x39, 0xc2,
176 { 0x1d, 0xf2, 0xd8, 0x84, 0xa6, 0x3f, 0x7b, 0x41,
177 0xca, 0x59, 0x63, 0xbe, 0x05, 0xe0, 0x9c, 0x27,
178 0x27, 0x1b, 0xe4, 0x71, 0x49, 0xac, 0x8e, 0xd2,
179 0xf0, 0xc6, 0x9a, 0x0d, 0x3f, 0x53, 0x65, 0xb8,
184 static const uint8_t pbox[32] = {
185 16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10,
186 2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25
189 static const uint32_t bits32[32] =
191 0x80000000, 0x40000000, 0x20000000, 0x10000000,
192 0x08000000, 0x04000000, 0x02000000, 0x01000000,
193 0x00800000, 0x00400000, 0x00200000, 0x00100000,
194 0x00080000, 0x00040000, 0x00020000, 0x00010000,
195 0x00008000, 0x00004000, 0x00002000, 0x00001000,
196 0x00000800, 0x00000400, 0x00000200, 0x00000100,
197 0x00000080, 0x00000040, 0x00000020, 0x00000010,
198 0x00000008, 0x00000004, 0x00000002, 0x00000001
201 static const uint8_t bits8[8] = { 0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02, 0x01 };
205 ascii_to_bin(char ch)
210 return (ch - 'a' + 38);
214 return (ch - 'A' + 12);
223 /* Static stuff that stays resident and doesn't change after
224 * being initialized, and therefore doesn't need to be made
226 struct const_des_ctx {
228 uint8_t init_perm[64]; /* referenced 2 times */
230 uint8_t final_perm[64]; /* 2 times */
231 uint8_t m_sbox[4][4096]; /* 5 times */
234 #define init_perm (C.init_perm )
235 #define final_perm (C.final_perm)
236 #define m_sbox (C.m_sbox )
238 static struct const_des_ctx*
242 struct const_des_ctx *cctx;
244 #if !USE_PRECOMPUTED_u_sbox
245 uint8_t u_sbox[8][64];
247 cctx = xmalloc(sizeof(*cctx));
249 /* Invert the S-boxes, reordering the input bits. */
250 for (i = 0; i < 8; i++) {
251 for (j = 0; j < 64; j++) {
252 b = (j & 0x20) | ((j & 1) << 4) | ((j >> 1) & 0xf);
253 u_sbox[i][j] = sbox[i][b];
256 for (i = 0; i < 8; i++) {
257 fprintf(stderr, "\t{\t");
258 for (j = 0; j < 64; j+=2)
259 fprintf(stderr, " 0x%02x,", u_sbox[i][j] + u_sbox[i][j+1]*16);
260 fprintf(stderr, "\n\t},\n");
263 * Convert the inverted S-boxes into 4 arrays of 8 bits.
264 * Each will handle 12 bits of the S-box input.
266 for (b = 0; b < 4; b++)
267 for (i = 0; i < 64; i++)
268 for (j = 0; j < 64; j++)
269 m_sbox[b][(i << 6) | j] =
270 (uint8_t)((u_sbox[(b << 1)][i] << 4) |
271 u_sbox[(b << 1) + 1][j]);
273 cctx = xmalloc(sizeof(*cctx));
276 * Convert the inverted S-boxes into 4 arrays of 8 bits.
277 * Each will handle 12 bits of the S-box input.
279 for (b = 0; b < 4; b++)
280 for (i = 0; i < 64; i++)
281 for (j = 0; j < 64; j++) {
283 hi = u_sbox[(b << 1)][i / 2];
286 lo = u_sbox[(b << 1) + 1][j / 2];
289 m_sbox[b][(i << 6) | j] = (hi & 0xf0) | (lo & 0x0f);
294 * Set up the initial & final permutations into a useful form.
296 for (i = 0; i < 64; i++) {
297 final_perm[i] = IP[i] - 1;
299 init_perm[final_perm[i]] = (uint8_t)i;
308 const struct const_des_ctx *const_ctx;
309 uint32_t saltbits; /* referenced 5 times */
310 #if USE_REPETITIVE_SPEEDUP
311 uint32_t old_salt; /* 3 times */
312 uint32_t old_rawkey0, old_rawkey1; /* 3 times each */
314 uint8_t un_pbox[32]; /* 2 times */
315 uint8_t inv_comp_perm[56]; /* 3 times */
316 uint8_t inv_key_perm[64]; /* 3 times */
317 uint32_t en_keysl[16], en_keysr[16]; /* 2 times each */
319 uint32_t de_keysl[16], de_keysr[16]; /* 2 times each */
322 uint32_t ip_maskl[8][256], ip_maskr[8][256]; /* 9 times each */
324 uint32_t fp_maskl[8][256], fp_maskr[8][256]; /* 9 times each */
325 uint32_t key_perm_maskl[8][128], key_perm_maskr[8][128]; /* 9 times */
326 uint32_t comp_maskl[8][128], comp_maskr[8][128]; /* 9 times each */
327 uint32_t psbox[4][256]; /* 5 times */
330 #define const_ctx (D.const_ctx )
331 #define saltbits (D.saltbits )
332 #define old_salt (D.old_salt )
333 #define old_rawkey0 (D.old_rawkey0 )
334 #define old_rawkey1 (D.old_rawkey1 )
335 #define un_pbox (D.un_pbox )
336 #define inv_comp_perm (D.inv_comp_perm )
337 #define inv_key_perm (D.inv_key_perm )
338 #define en_keysl (D.en_keysl )
339 #define en_keysr (D.en_keysr )
340 #define de_keysl (D.de_keysl )
341 #define de_keysr (D.de_keysr )
342 #define ip_maskl (D.ip_maskl )
343 #define ip_maskr (D.ip_maskr )
344 #define fp_maskl (D.fp_maskl )
345 #define fp_maskr (D.fp_maskr )
346 #define key_perm_maskl (D.key_perm_maskl )
347 #define key_perm_maskr (D.key_perm_maskr )
348 #define comp_maskl (D.comp_maskl )
349 #define comp_maskr (D.comp_maskr )
350 #define psbox (D.psbox )
352 static struct des_ctx*
353 des_init(struct des_ctx *ctx, const struct const_des_ctx *cctx)
355 int i, j, b, k, inbit, obit;
357 const uint32_t *bits28, *bits24;
360 ctx = xmalloc(sizeof(*ctx));
363 #if USE_REPETITIVE_SPEEDUP
364 old_rawkey0 = old_rawkey1 = 0;
371 /* Initialise the inverted key permutation. */
372 for (i = 0; i < 64; i++) {
373 inv_key_perm[i] = 255;
377 * Invert the key permutation and initialise the inverted key
378 * compression permutation.
380 for (i = 0; i < 56; i++) {
381 inv_key_perm[key_perm[i] - 1] = (uint8_t)i;
382 inv_comp_perm[i] = 255;
385 /* Invert the key compression permutation. */
386 for (i = 0; i < 48; i++) {
387 inv_comp_perm[comp_perm[i] - 1] = (uint8_t)i;
391 * Set up the OR-mask arrays for the initial and final permutations,
392 * and for the key initial and compression permutations.
394 for (k = 0; k < 8; k++) {
397 for (i = 0; i < 256; i++) {
404 for (j = 0; j < 8; j++) {
408 obit = init_perm[inbit];
412 ir |= bits32[obit - 32];
414 obit = final_perm[inbit];
418 fr |= bits32[obit - 32];
428 for (i = 0; i < 128; i++) {
431 for (j = 0; j < 7; j++) {
433 if (i & bits8[j + 1]) {
434 obit = inv_key_perm[inbit];
440 ir |= bits28[obit - 28];
443 key_perm_maskl[k][i] = il;
444 key_perm_maskr[k][i] = ir;
447 for (j = 0; j < 7; j++) {
449 if (i & bits8[j + 1]) {
450 obit = inv_comp_perm[inbit];
456 ir |= bits24[obit - 24];
459 comp_maskl[k][i] = il;
460 comp_maskr[k][i] = ir;
465 * Invert the P-box permutation, and convert into OR-masks for
466 * handling the output of the S-box arrays setup above.
468 for (i = 0; i < 32; i++)
469 un_pbox[pbox[i] - 1] = (uint8_t)i;
471 for (b = 0; b < 4; b++) {
472 for (i = 0; i < 256; i++) {
474 for (j = 0; j < 8; j++) {
476 p |= bits32[un_pbox[8 * b + j]];
487 setup_salt(struct des_ctx *ctx, uint32_t salt)
489 uint32_t obit, saltbit;
492 #if USE_REPETITIVE_SPEEDUP
493 if (salt == old_salt)
501 for (i = 0; i < 24; i++) {
510 des_setkey(struct des_ctx *ctx, const char *key)
512 uint32_t k0, k1, rawkey0, rawkey1;
515 rawkey0 = ntohl(*(const uint32_t *) key);
516 rawkey1 = ntohl(*(const uint32_t *) (key + 4));
518 #if USE_REPETITIVE_SPEEDUP
519 if ((rawkey0 | rawkey1)
520 && rawkey0 == old_rawkey0
521 && rawkey1 == old_rawkey1
524 * Already setup for this key.
525 * This optimisation fails on a zero key (which is weak and
526 * has bad parity anyway) in order to simplify the starting
531 old_rawkey0 = rawkey0;
532 old_rawkey1 = rawkey1;
536 * Do key permutation and split into two 28-bit subkeys.
538 k0 = key_perm_maskl[0][rawkey0 >> 25]
539 | key_perm_maskl[1][(rawkey0 >> 17) & 0x7f]
540 | key_perm_maskl[2][(rawkey0 >> 9) & 0x7f]
541 | key_perm_maskl[3][(rawkey0 >> 1) & 0x7f]
542 | key_perm_maskl[4][rawkey1 >> 25]
543 | key_perm_maskl[5][(rawkey1 >> 17) & 0x7f]
544 | key_perm_maskl[6][(rawkey1 >> 9) & 0x7f]
545 | key_perm_maskl[7][(rawkey1 >> 1) & 0x7f];
546 k1 = key_perm_maskr[0][rawkey0 >> 25]
547 | key_perm_maskr[1][(rawkey0 >> 17) & 0x7f]
548 | key_perm_maskr[2][(rawkey0 >> 9) & 0x7f]
549 | key_perm_maskr[3][(rawkey0 >> 1) & 0x7f]
550 | key_perm_maskr[4][rawkey1 >> 25]
551 | key_perm_maskr[5][(rawkey1 >> 17) & 0x7f]
552 | key_perm_maskr[6][(rawkey1 >> 9) & 0x7f]
553 | key_perm_maskr[7][(rawkey1 >> 1) & 0x7f];
555 * Rotate subkeys and do compression permutation.
558 for (round = 0; round < 16; round++) {
561 shifts += key_shifts[round];
563 t0 = (k0 << shifts) | (k0 >> (28 - shifts));
564 t1 = (k1 << shifts) | (k1 >> (28 - shifts));
567 de_keysl[15 - round] =
569 en_keysl[round] = comp_maskl[0][(t0 >> 21) & 0x7f]
570 | comp_maskl[1][(t0 >> 14) & 0x7f]
571 | comp_maskl[2][(t0 >> 7) & 0x7f]
572 | comp_maskl[3][t0 & 0x7f]
573 | comp_maskl[4][(t1 >> 21) & 0x7f]
574 | comp_maskl[5][(t1 >> 14) & 0x7f]
575 | comp_maskl[6][(t1 >> 7) & 0x7f]
576 | comp_maskl[7][t1 & 0x7f];
579 de_keysr[15 - round] =
581 en_keysr[round] = comp_maskr[0][(t0 >> 21) & 0x7f]
582 | comp_maskr[1][(t0 >> 14) & 0x7f]
583 | comp_maskr[2][(t0 >> 7) & 0x7f]
584 | comp_maskr[3][t0 & 0x7f]
585 | comp_maskr[4][(t1 >> 21) & 0x7f]
586 | comp_maskr[5][(t1 >> 14) & 0x7f]
587 | comp_maskr[6][(t1 >> 7) & 0x7f]
588 | comp_maskr[7][t1 & 0x7f];
594 do_des(struct des_ctx *ctx, /*uint32_t l_in, uint32_t r_in,*/ uint32_t *l_out, uint32_t *r_out, int count)
596 const struct const_des_ctx *cctx = const_ctx;
598 * l_in, r_in, l_out, and r_out are in pseudo-"big-endian" format.
600 uint32_t l, r, *kl, *kr;
601 uint32_t f = f; /* silence gcc */
605 /* Do initial permutation (IP). */
609 l = ip_maskl[0][l_in >> 24]
610 | ip_maskl[1][(l_in >> 16) & 0xff]
611 | ip_maskl[2][(l_in >> 8) & 0xff]
612 | ip_maskl[3][l_in & 0xff]
613 | ip_maskl[4][r_in >> 24]
614 | ip_maskl[5][(r_in >> 16) & 0xff]
615 | ip_maskl[6][(r_in >> 8) & 0xff]
616 | ip_maskl[7][r_in & 0xff];
617 r = ip_maskr[0][l_in >> 24]
618 | ip_maskr[1][(l_in >> 16) & 0xff]
619 | ip_maskr[2][(l_in >> 8) & 0xff]
620 | ip_maskr[3][l_in & 0xff]
621 | ip_maskr[4][r_in >> 24]
622 | ip_maskr[5][(r_in >> 16) & 0xff]
623 | ip_maskr[6][(r_in >> 8) & 0xff]
624 | ip_maskr[7][r_in & 0xff];
625 #elif 0 /* -65 bytes (using the fact that l_in == r_in == 0) */
627 for (round = 0; round < 8; round++) {
628 l |= ip_maskl[round][0];
629 r |= ip_maskr[round][0];
631 bb_error_msg("l:%x r:%x", l, r); /* reports 0, 0 always! */
632 #else /* using the fact that ip_maskX[] is constant (written to by des_init) */
642 /* Expand R to 48 bits (simulate the E-box). */
643 r48l = ((r & 0x00000001) << 23)
644 | ((r & 0xf8000000) >> 9)
645 | ((r & 0x1f800000) >> 11)
646 | ((r & 0x01f80000) >> 13)
647 | ((r & 0x001f8000) >> 15);
649 r48r = ((r & 0x0001f800) << 7)
650 | ((r & 0x00001f80) << 5)
651 | ((r & 0x000001f8) << 3)
652 | ((r & 0x0000001f) << 1)
653 | ((r & 0x80000000) >> 31);
655 * Do salting for crypt() and friends, and
656 * XOR with the permuted key.
658 f = (r48l ^ r48r) & saltbits;
662 * Do sbox lookups (which shrink it back to 32 bits)
663 * and do the pbox permutation at the same time.
665 f = psbox[0][m_sbox[0][r48l >> 12]]
666 | psbox[1][m_sbox[1][r48l & 0xfff]]
667 | psbox[2][m_sbox[2][r48r >> 12]]
668 | psbox[3][m_sbox[3][r48r & 0xfff]];
669 /* Now that we've permuted things, complete f(). */
678 /* Do final permutation (inverse of IP). */
679 *l_out = fp_maskl[0][l >> 24]
680 | fp_maskl[1][(l >> 16) & 0xff]
681 | fp_maskl[2][(l >> 8) & 0xff]
682 | fp_maskl[3][l & 0xff]
683 | fp_maskl[4][r >> 24]
684 | fp_maskl[5][(r >> 16) & 0xff]
685 | fp_maskl[6][(r >> 8) & 0xff]
686 | fp_maskl[7][r & 0xff];
687 *r_out = fp_maskr[0][l >> 24]
688 | fp_maskr[1][(l >> 16) & 0xff]
689 | fp_maskr[2][(l >> 8) & 0xff]
690 | fp_maskr[3][l & 0xff]
691 | fp_maskr[4][r >> 24]
692 | fp_maskr[5][(r >> 16) & 0xff]
693 | fp_maskr[6][(r >> 8) & 0xff]
694 | fp_maskr[7][r & 0xff];
697 #define DES_OUT_BUFSIZE 21
700 to64_msb_first(char *s, unsigned v)
703 *s++ = ascii64[(v >> 18) & 0x3f]; /* bits 23..18 */
704 *s++ = ascii64[(v >> 12) & 0x3f]; /* bits 17..12 */
705 *s++ = ascii64[(v >> 6) & 0x3f]; /* bits 11..6 */
706 *s = ascii64[v & 0x3f]; /* bits 5..0 */
708 *s++ = i64c(v >> 18); /* bits 23..18 */
709 *s++ = i64c(v >> 12); /* bits 17..12 */
710 *s++ = i64c(v >> 6); /* bits 11..6 */
711 *s = i64c(v); /* bits 5..0 */
716 des_crypt(struct des_ctx *ctx, char output[DES_OUT_BUFSIZE],
717 const unsigned char *key, const unsigned char *setting)
719 uint32_t salt, r0, r1, keybuf[2];
723 * Copy the key, shifting each character up by one bit
724 * and padding with zeros.
726 q = (uint8_t *)keybuf;
727 while (q - (uint8_t *)keybuf != 8) {
733 des_setkey(ctx, (char *)keybuf);
736 * setting - 2 bytes of salt
737 * key - up to 8 characters
739 salt = (ascii_to_bin(setting[1]) << 6)
740 | ascii_to_bin(setting[0]);
742 output[0] = setting[0];
744 * If the encrypted password that the salt was extracted from
745 * is only 1 character long, the salt will be corrupted. We
746 * need to ensure that the output string doesn't have an extra
749 output[1] = setting[1] ? setting[1] : output[0];
751 setup_salt(ctx, salt);
753 do_des(ctx, /*0, 0,*/ &r0, &r1, 25 /* count */);
755 /* Now encode the result. */
758 uint32_t l = (r0 >> 8);
759 q = (uint8_t *)output + 2;
760 *q++ = ascii64[(l >> 18) & 0x3f]; /* bits 31..26 of r0 */
761 *q++ = ascii64[(l >> 12) & 0x3f]; /* bits 25..20 of r0 */
762 *q++ = ascii64[(l >> 6) & 0x3f]; /* bits 19..14 of r0 */
763 *q++ = ascii64[l & 0x3f]; /* bits 13..8 of r0 */
764 l = ((r0 << 16) | (r1 >> 16));
765 *q++ = ascii64[(l >> 18) & 0x3f]; /* bits 7..2 of r0 */
766 *q++ = ascii64[(l >> 12) & 0x3f]; /* bits 1..2 of r0 and 31..28 of r1 */
767 *q++ = ascii64[(l >> 6) & 0x3f]; /* bits 27..22 of r1 */
768 *q++ = ascii64[l & 0x3f]; /* bits 21..16 of r1 */
770 *q++ = ascii64[(l >> 12) & 0x3f]; /* bits 15..10 of r1 */
771 *q++ = ascii64[(l >> 6) & 0x3f]; /* bits 9..4 of r1 */
772 *q++ = ascii64[l & 0x3f]; /* bits 3..0 of r1 + 00 */
776 /* Each call takes low-order 24 bits and stores 4 chars */
777 /* bits 31..8 of r0 */
778 to64_msb_first(output + 2, (r0 >> 8));
779 /* bits 7..0 of r0 and 31..16 of r1 */
780 to64_msb_first(output + 6, (r0 << 16) | (r1 >> 16));
781 /* bits 15..0 of r1 and two zero bits (plus extra zero byte) */
782 to64_msb_first(output + 10, (r1 << 8));
783 /* extra zero byte is encoded as '.', fixing it */
790 #undef USE_PRECOMPUTED_u_sbox
791 #undef USE_REPETITIVE_SPEEDUP
816 #undef key_perm_maskl
817 #undef key_perm_maskr
projects / oweals / busybox.git / blob