projects / unix-history / blame
? search:
summary | tags | clone url | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
date and time created 91/05/17 17:16:06 by sellgren
[unix-history] / usr / src / lib / libc / gen / crypt.c
CommitLineData
7d129e3b
KB		 1/*
2 * Copyright (c) 1989 The Regents of the University of California.
3 * All rights reserved.
4 *
5 * This code is derived from software contributed to Berkeley by
6 * Tom Truscott.
7 *
21f0033d 8 * %sccs.include.redist.c%
7d129e3b
KB		 9 */
10
2ce81398 11#if defined(LIBC_SCCS) && !defined(lint)
21f0033d 12static char sccsid[] = "@(#)crypt.c 5.8 (Berkeley) %G%";
7d129e3b 13#endif /* LIBC_SCCS and not lint */
b8f253e8 14
c5980113 15#include <unistd.h>
872a5938 16#include <pwd.h>
c5980113 17
98bd1891 18/*
7d129e3b
KB		 19 * UNIX password, and DES, encryption.
20 * By Tom Truscott, trt@rti.rti.org,
21 * from algorithms by Robert W. Baldwin and James Gillogly.
22 *
23 * References:
24 * "Mathematical Cryptology for Computer Scientists and Mathematicians,"
25 * by Wayne Patterson, 1987, ISBN 0-8476-7438-X.
26 *
27 * "Password Security: A Case History," R. Morris and Ken Thompson,
28 * Communications of the ACM, vol. 22, pp. 594-597, Nov. 1979.
29 *
30 * "DES will be Totally Insecure within Ten Years," M.E. Hellman,
31 * IEEE Spectrum, vol. 16, pp. 32-39, July 1979.
98bd1891
BJ		 32 */
33
7d129e3b 34/* ===== Configuration ==================== */
98bd1891
BJ		 35
36/*
7d129e3b
KB		 37 * define "MUST_ALIGN" if your compiler cannot load/store
38 * long integers at arbitrary (e.g. odd) memory locations.
39 * (Either that or never pass unaligned addresses to des_cipher!)
98bd1891 40 */
7d129e3b
KB		 41#if !defined(vax)
42#define MUST_ALIGN
43#endif
98bd1891
BJ		 44
45/*
7d129e3b
KB		 46 * define "LONG_IS_32_BITS" only if sizeof(long)==4.
47 * This avoids use of bit fields (your compiler may be sloppy with them).
98bd1891 48 */
7d129e3b
KB		 49#if !defined(cray)
50#define LONG_IS_32_BITS
51#endif
98bd1891
BJ		 52
53/*
7d129e3b
KB		 54 * define "B64" to be the declaration for a 64 bit integer.
55 * XXX this feature is currently unused, see "endian" comment below.
56 */
57#if defined(cray)
58#define B64 long
59#endif
60#if defined(convex)
61#define B64 long long
62#endif
98bd1891
BJ		 63
64/*
7d129e3b
KB		 65 * define "LARGEDATA" to get faster permutations, by using about 72 kilobytes
66 * of lookup tables. This speeds up des_setkey() and des_cipher(), but has
96248f11 67 * little effect on crypt().
98bd1891 68 */
7d129e3b
KB		 69#if defined(notdef)
70#define LARGEDATA
71#endif
98bd1891 72
96248f11
KB		 73/* compile with "-DSTATIC=int" when profiling */
74#ifndef STATIC
7d129e3b 75#define STATIC static
96248f11
KB		 76#endif
77STATIC init_des(), init_perm(), permute();
7d129e3b
KB		 78#ifdef DEBUG
79STATIC prtab();
80#endif
81
82/* ==================================== */
98bd1891
BJ		 83
84/*
7d129e3b
KB		 85 * Cipher-block representation (Bob Baldwin):
86 *
87 * DES operates on groups of 64 bits, numbered 1..64 (sigh). One
88 * representation is to store one bit per byte in an array of bytes. Bit N of
89 * the NBS spec is stored as the LSB of the Nth byte (index N-1) in the array.
90 * Another representation stores the 64 bits in 8 bytes, with bits 1..8 in the
91 * first byte, 9..16 in the second, and so on. The DES spec apparently has
92 * bit 1 in the MSB of the first byte, but that is particularly noxious so we
93 * bit-reverse each byte so that bit 1 is the LSB of the first byte, bit 8 is
94 * the MSB of the first byte. Specifically, the 64-bit input data and key are
95 * converted to LSB format, and the output 64-bit block is converted back into
96 * MSB format.
97 *
98 * DES operates internally on groups of 32 bits which are expanded to 48 bits
99 * by permutation E and shrunk back to 32 bits by the S boxes. To speed up
100 * the computation, the expansion is applied only once, the expanded
101 * representation is maintained during the encryption, and a compression
102 * permutation is applied only at the end. To speed up the S-box lookups,
103 * the 48 bits are maintained as eight 6 bit groups, one per byte, which
104 * directly feed the eight S-boxes. Within each byte, the 6 bits are the
105 * most significant ones. The low two bits of each byte are zero. (Thus,
106 * bit 1 of the 48 bit E expansion is stored as the "4"-valued bit of the
107 * first byte in the eight byte representation, bit 2 of the 48 bit value is
96248f11 108 * the "8"-valued bit, and so on.) In fact, a combined "SPE"-box lookup is
7d129e3b
KB		 109 * used, in which the output is the 64 bit result of an S-box lookup which
110 * has been permuted by P and expanded by E, and is ready for use in the next
111 * iteration. Two 32-bit wide tables, SPE[0] and SPE[1], are used for this
112 * lookup. Since each byte in the 48 bit path is a multiple of four, indexed
113 * lookup of SPE[0] and SPE[1] is simple and fast. The key schedule and
114 * "salt" are also converted to this 8*(6+2) format. The SPE table size is
115 * 8*64*8 = 4K bytes.
116 *
117 * To speed up bit-parallel operations (such as XOR), the 8 byte
118 * representation is "union"ed with 32 bit values "i0" and "i1", and, on
119 * machines which support it, a 64 bit value "b64". This data structure,
120 * "C_block", has two problems. First, alignment restrictions must be
121 * honored. Second, the byte-order (e.g. little-endian or big-endian) of
122 * the architecture becomes visible.
123 *
124 * The byte-order problem is unfortunate, since on the one hand it is good
125 * to have a machine-independent C_block representation (bits 1..8 in the
126 * first byte, etc.), and on the other hand it is good for the LSB of the
127 * first byte to be the LSB of i0. We cannot have both these things, so we
128 * currently use the "little-endian" representation and avoid any multi-byte
129 * operations that depend on byte order. This largely precludes use of the
130 * 64-bit datatype since the relative order of i0 and i1 are unknown. It
131 * also inhibits grouping the SPE table to look up 12 bits at a time. (The
132 * 12 bits can be stored in a 16-bit field with 3 low-order zeroes and 1
96248f11 133 * high-order zero, providing fast indexing into a 64-bit wide SPE.) On the
7d129e3b
KB		 134 * other hand, 64-bit datatypes are currently rare, and a 12-bit SPE lookup
135 * requires a 128 kilobyte table, so perhaps this is not a big loss.
136 *
137 * Permutation representation (Jim Gillogly):
138 *
139 * A transformation is defined by its effect on each of the 8 bytes of the
140 * 64-bit input. For each byte we give a 64-bit output that has the bits in
141 * the input distributed appropriately. The transformation is then the OR
142 * of the 8 sets of 64-bits. This uses 8*256*8 = 16K bytes of storage for
143 * each transformation. Unless LARGEDATA is defined, however, a more compact
144 * table is used which looks up 16 4-bit "chunks" rather than 8 8-bit chunks.
145 * The smaller table uses 16*16*8 = 2K bytes for each transformation. This
146 * is slower but tolerable, particularly for password encryption in which
147 * the SPE transformation is iterated many times. The small tables total 9K
148 * bytes, the large tables total 72K bytes.
149 *
150 * The transformations used are:
151 * IE3264: MSB->LSB conversion, initial permutation, and expansion.
152 * This is done by collecting the 32 even-numbered bits and applying
153 * a 32->64 bit transformation, and then collecting the 32 odd-numbered
154 * bits and applying the same transformation. Since there are only
155 * 32 input bits, the IE3264 transformation table is half the size of
156 * the usual table.
157 * CF6464: Compression, final permutation, and LSB->MSB conversion.
158 * This is done by two trivial 48->32 bit compressions to obtain
159 * a 64-bit block (the bit numbering is given in the "CIFP" table)
160 * followed by a 64->64 bit "cleanup" transformation. (It would
161 * be possible to group the bits in the 64-bit block so that 2
162 * identical 32->32 bit transformations could be used instead,
163 * saving a factor of 4 in space and possibly 2 in time, but
164 * byte-ordering and other complications rear their ugly head.
165 * Similar opportunities/problems arise in the key schedule
166 * transforms.)
167 * PC1ROT: MSB->LSB, PC1 permutation, rotate, and PC2 permutation.
168 * This admittedly baroque 64->64 bit transformation is used to
169 * produce the first code (in 8*(6+2) format) of the key schedule.
170 * PC2ROT[0]: Inverse PC2 permutation, rotate, and PC2 permutation.
171 * It would be possible to define 15 more transformations, each
172 * with a different rotation, to generate the entire key schedule.
173 * To save space, however, we instead permute each code into the
174 * next by using a transformation that "undoes" the PC2 permutation,
175 * rotates the code, and then applies PC2. Unfortunately, PC2
176 * transforms 56 bits into 48 bits, dropping 8 bits, so PC2 is not
177 * invertible. We get around that problem by using a modified PC2
178 * which retains the 8 otherwise-lost bits in the unused low-order
179 * bits of each byte. The low-order bits are cleared when the
180 * codes are stored into the key schedule.
181 * PC2ROT[1]: Same as PC2ROT[0], but with two rotations.
182 * This is faster than applying PC2ROT[0] twice,
183 *
184 * The Bell Labs "salt" (Bob Baldwin):
185 *
186 * The salting is a simple permutation applied to the 48-bit result of E.
187 * Specifically, if bit i (1 <= i <= 24) of the salt is set then bits i and
188 * i+24 of the result are swapped. The salt is thus a 24 bit number, with
189 * 16777216 possible values. (The original salt was 12 bits and could not
190 * swap bits 13..24 with 36..48.)
191 *
96248f11
KB		 192 * It is possible, but ugly, to warp the SPE table to account for the salt
193 * permutation. Fortunately, the conditional bit swapping requires only
194 * about four machine instructions and can be done on-the-fly with about an
195 * 8% performance penalty.
98bd1891 196 */
96248f11 197
7d129e3b
KB		 198typedef union {
199 unsigned char b[8];
200 struct {
201#if defined(LONG_IS_32_BITS)
202 /* long is often faster than a 32-bit bit field */
203 long i0;
204 long i1;
205#else
206 long i0: 32;
207 long i1: 32;
208#endif
209 } b32;
210#if defined(B64)
211 B64 b64;
212#endif
213} C_block;
98bd1891 214
98bd1891 215/*
7d129e3b
KB		 216 * Convert twenty-four-bit long in host-order
217 * to six bits (and 2 low-order zeroes) per char little-endian format.
98bd1891 218 */
7d129e3b
KB		 219#define TO_SIX_BIT(rslt, src) { \
220 C_block cvt; \
221 cvt.b[0] = src; src >>= 6; \
222 cvt.b[1] = src; src >>= 6; \
223 cvt.b[2] = src; src >>= 6; \
224 cvt.b[3] = src; \
225 rslt = (cvt.b32.i0 & 0x3f3f3f3fL) << 2; \
226 }
98bd1891 227
99401500 228/*
7d129e3b 229 * These macros may someday permit efficient use of 64-bit integers.
99401500 230 */
7d129e3b
KB		 231#define ZERO(d,d0,d1) d0 = 0, d1 = 0
232#define LOAD(d,d0,d1,bl) d0 = (bl).b32.i0, d1 = (bl).b32.i1
233#define LOADREG(d,d0,d1,s,s0,s1) d0 = s0, d1 = s1
234#define OR(d,d0,d1,bl) d0 |= (bl).b32.i0, d1 |= (bl).b32.i1
235#define STORE(s,s0,s1,bl) (bl).b32.i0 = s0, (bl).b32.i1 = s1
236#define DCL_BLOCK(d,d0,d1) long d0, d1
237
238#if defined(LARGEDATA)
239 /* Waste memory like crazy. Also, do permutations in line */
240#define LGCHUNKBITS 3
241#define CHUNKBITS (1<<LGCHUNKBITS)
242#define PERM6464(d,d0,d1,cpp,p) \
243 LOAD(d,d0,d1,(p)[(0<<CHUNKBITS)+(cpp)[0]]); \
244 OR (d,d0,d1,(p)[(1<<CHUNKBITS)+(cpp)[1]]); \
245 OR (d,d0,d1,(p)[(2<<CHUNKBITS)+(cpp)[2]]); \
246 OR (d,d0,d1,(p)[(3<<CHUNKBITS)+(cpp)[3]]); \
247 OR (d,d0,d1,(p)[(4<<CHUNKBITS)+(cpp)[4]]); \
248 OR (d,d0,d1,(p)[(5<<CHUNKBITS)+(cpp)[5]]); \
249 OR (d,d0,d1,(p)[(6<<CHUNKBITS)+(cpp)[6]]); \
250 OR (d,d0,d1,(p)[(7<<CHUNKBITS)+(cpp)[7]]);
251#define PERM3264(d,d0,d1,cpp,p) \
252 LOAD(d,d0,d1,(p)[(0<<CHUNKBITS)+(cpp)[0]]); \
253 OR (d,d0,d1,(p)[(1<<CHUNKBITS)+(cpp)[1]]); \
254 OR (d,d0,d1,(p)[(2<<CHUNKBITS)+(cpp)[2]]); \
255 OR (d,d0,d1,(p)[(3<<CHUNKBITS)+(cpp)[3]]);
256#else
257 /* "small data" */
258#define LGCHUNKBITS 2
259#define CHUNKBITS (1<<LGCHUNKBITS)
260#define PERM6464(d,d0,d1,cpp,p) \
261 { C_block tblk; permute(cpp,&tblk,p,8); LOAD (d,d0,d1,tblk); }
262#define PERM3264(d,d0,d1,cpp,p) \
263 { C_block tblk; permute(cpp,&tblk,p,4); LOAD (d,d0,d1,tblk); }
264
265STATIC
266permute(cp, out, p, chars_in)
267 unsigned char *cp;
268 C_block *out;
269 register C_block *p;
270 int chars_in;
271{
272 register DCL_BLOCK(D,D0,D1);
273 register C_block *tp;
274 register int t;
275
276 ZERO(D,D0,D1);
277 do {
278 t = *cp++;
279 tp = &p[t&0xf]; OR(D,D0,D1,*tp); p += (1<<CHUNKBITS);
280 tp = &p[t>>4]; OR(D,D0,D1,*tp); p += (1<<CHUNKBITS);
281 } while (--chars_in > 0);
282 STORE(D,D0,D1,*out);
283}
284#endif /* LARGEDATA */
285
286
287/* ===== (mostly) Standard DES Tables ==================== */
288
289static unsigned char IP[] = { /* initial permutation */
290 58, 50, 42, 34, 26, 18, 10, 2,
291 60, 52, 44, 36, 28, 20, 12, 4,
292 62, 54, 46, 38, 30, 22, 14, 6,
293 64, 56, 48, 40, 32, 24, 16, 8,
294 57, 49, 41, 33, 25, 17, 9, 1,
295 59, 51, 43, 35, 27, 19, 11, 3,
296 61, 53, 45, 37, 29, 21, 13, 5,
297 63, 55, 47, 39, 31, 23, 15, 7,
298};
299
300/* The final permutation is the inverse of IP - no table is necessary */
301
302static unsigned char ExpandTr[] = { /* expansion operation */
303 32, 1, 2, 3, 4, 5,
304 4, 5, 6, 7, 8, 9,
305 8, 9, 10, 11, 12, 13,
306 12, 13, 14, 15, 16, 17,
307 16, 17, 18, 19, 20, 21,
308 20, 21, 22, 23, 24, 25,
309 24, 25, 26, 27, 28, 29,
310 28, 29, 30, 31, 32, 1,
311};
312
313static unsigned char PC1[] = { /* permuted choice table (key) */
314 57, 49, 41, 33, 25, 17, 9,
315 1, 58, 50, 42, 34, 26, 18,
316 10, 2, 59, 51, 43, 35, 27,
317 19, 11, 3, 60, 52, 44, 36,
318
319 63, 55, 47, 39, 31, 23, 15,
320 7, 62, 54, 46, 38, 30, 22,
321 14, 6, 61, 53, 45, 37, 29,
322 21, 13, 5, 28, 20, 12, 4,
323};
324
325static unsigned char Rotates[] = { /* number of rotations of PC1 */
326 1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1,
327};
328
329/* note: each "row" of PC2 is left-padded with bits that make it invertible */
330static unsigned char PC2[] = { /* permuted choice key (table) */
331 9, 18, 14, 17, 11, 24, 1, 5,
332 22, 25, 3, 28, 15, 6, 21, 10,
333 35, 38, 23, 19, 12, 4, 26, 8,
334 43, 54, 16, 7, 27, 20, 13, 2,
335
336 0, 0, 41, 52, 31, 37, 47, 55,
337 0, 0, 30, 40, 51, 45, 33, 48,
338 0, 0, 44, 49, 39, 56, 34, 53,
339 0, 0, 46, 42, 50, 36, 29, 32,
340};
341
342static unsigned char S[8][64] = { /* 48->32 bit substitution tables */
343 /* S[1] */
344 14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7,
345 0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8,
346 4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0,
347 15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13,
348 /* S[2] */
349 15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10,
350 3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5,
351 0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15,
352 13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9,
353 /* S[3] */
354 10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8,
355 13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1,
356 13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7,
357 1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12,
358 /* S[4] */
359 7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15,
360 13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9,
361 10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4,
362 3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14,
363 /* S[5] */
364 2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9,
365 14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6,
366 4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14,
367 11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3,
368 /* S[6] */
369 12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11,
370 10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8,
371 9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6,
372 4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13,
373 /* S[7] */
374 4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1,
375 13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6,
376 1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2,
377 6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12,
378 /* S[8] */
379 13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7,
380 1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2,
381 7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8,
382 2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11,
383};
384
385static unsigned char P32Tr[] = { /* 32-bit permutation function */
386 16, 7, 20, 21,
387 29, 12, 28, 17,
388 1, 15, 23, 26,
389 5, 18, 31, 10,
390 2, 8, 24, 14,
391 32, 27, 3, 9,
392 19, 13, 30, 6,
393 22, 11, 4, 25,
99401500
RC		 394};
395
7d129e3b
KB		 396static unsigned char CIFP[] = { /* compressed/interleaved permutation */
397 1, 2, 3, 4, 17, 18, 19, 20,
398 5, 6, 7, 8, 21, 22, 23, 24,
399 9, 10, 11, 12, 25, 26, 27, 28,
400 13, 14, 15, 16, 29, 30, 31, 32,
401
402 33, 34, 35, 36, 49, 50, 51, 52,
403 37, 38, 39, 40, 53, 54, 55, 56,
404 41, 42, 43, 44, 57, 58, 59, 60,
405 45, 46, 47, 48, 61, 62, 63, 64,
406};
407
408static unsigned char itoa64[] = /* 0..63 => ascii-64 */
409 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
410
411
412/* ===== Tables that are initialized at run time ==================== */
413
414
415static unsigned char a64toi[128]; /* ascii-64 => 0..63 */
416
417/* Initial key schedule permutation */
418static C_block PC1ROT[64/CHUNKBITS][1<<CHUNKBITS];
419
420/* Subsequent key schedule rotation permutations */
421static C_block PC2ROT[2][64/CHUNKBITS][1<<CHUNKBITS];
422
423/* Initial permutation/expansion table */
424static C_block IE3264[32/CHUNKBITS][1<<CHUNKBITS];
425
426/* Table that combines the S, P, and E operations. */
427static long SPE[2][8][64];
428
429/* compressed/interleaved => final permutation table */
430static C_block CF6464[64/CHUNKBITS][1<<CHUNKBITS];
431
432
433/* ==================================== */
434
435
436static C_block constdatablock; /* encryption constant */
437static char cryptresult[1+4+4+11+1]; /* encrypted result */
438
98bd1891 439/*
96248f11
KB		 440 * Return a pointer to static data consisting of the "setting"
441 * followed by an encryption produced by the "key" and "setting".
98bd1891 442 */
7d129e3b
KB		 443char *
444crypt(key, setting)
445 register const char *key;
446 register const char *setting;
98bd1891 447{
7d129e3b
KB		 448 register char *encp;
449 register long i;
96248f11 450 register int t;
7d129e3b
KB		 451 long salt;
452 int num_iter, salt_size, key_size;
453 C_block keyblock, rsltblock;
454
96248f11
KB		 455 for (i = 0; i < 8; i++) {
456 if ((t = 2*(unsigned char)(*key)) != 0)
7d129e3b 457 key++;
96248f11
KB		 458 keyblock.b[i] = t;
459 }
7d129e3b
KB		 460 des_setkey((char *)keyblock.b); /* also initializes "a64toi" */
461
462 encp = &cryptresult[0];
872a5938
KB		 463 switch (*setting) {
464 case _PASSWORD_EFMT1:
7d129e3b
KB		 465 *encp++ = *setting++;
466
467 /* get iteration count */
468 num_iter = 0;
469 for (i = 4; --i >= 0; ) {
96248f11
KB		 470 if ((t = (unsigned char)setting[i]) == '\0')
471 t = '.';
472 encp[i] = t;
473 num_iter = (num_iter<<6) | a64toi[t];
7d129e3b
KB		 474 }
475 setting += 4;
476 encp += 4;
477 salt_size = 4;
478 key_size = 128;
872a5938
KB		 479 break;
480 default:
481 num_iter = 25;
482 salt_size = 2;
483 key_size = 8;
7d129e3b 484 }
98bd1891 485
7d129e3b
KB		 486 salt = 0;
487 for (i = salt_size; --i >= 0; ) {
96248f11
KB		 488 if ((t = (unsigned char)setting[i]) == '\0')
489 t = '.';
490 encp[i] = t;
491 salt = (salt<<6) | a64toi[t];
98bd1891 492 }
7d129e3b
KB		 493 encp += salt_size;
494 des_cipher((char *)&constdatablock, (char *)&rsltblock, salt, num_iter);
495
98bd1891 496 /*
7d129e3b 497 * encrypt the remainder of the password 8 characters at a time.
98bd1891 498 */
7d129e3b
KB		 499 while ((key_size -= 8) > 0 && *key) {
500 C_block xdatablock;
501
96248f11
KB		 502 for (i = 0; i < 8; i++) {
503 if ((t = 2*(unsigned char)(*key)) != 0)
7d129e3b 504 key++;
96248f11
KB		 505 keyblock.b[i] = t;
506 if (t == 0)
7d129e3b 507 break; /* pad out with previous key */
96248f11 508 }
7d129e3b
KB		 509 des_setkey((char *)keyblock.b);
510 des_cipher((char *)&constdatablock, (char *)&xdatablock, 0L, 1);
511 rsltblock.b32.i0 ^= xdatablock.b32.i0;
512 rsltblock.b32.i1 ^= xdatablock.b32.i1;
98bd1891 513 }
98bd1891 514
7d129e3b
KB		 515 /*
516 * Encode the 64 cipher bits as 11 ascii characters.
517 */
518 i = ((long)((rsltblock.b[0]<<8) | rsltblock.b[1])<<8) | rsltblock.b[2];
519 encp[3] = itoa64[i&0x3f]; i >>= 6;
520 encp[2] = itoa64[i&0x3f]; i >>= 6;
521 encp[1] = itoa64[i&0x3f]; i >>= 6;
522 encp[0] = itoa64[i]; encp += 4;
523 i = ((long)((rsltblock.b[3]<<8) | rsltblock.b[4])<<8) | rsltblock.b[5];
524 encp[3] = itoa64[i&0x3f]; i >>= 6;
525 encp[2] = itoa64[i&0x3f]; i >>= 6;
526 encp[1] = itoa64[i&0x3f]; i >>= 6;
527 encp[0] = itoa64[i]; encp += 4;
528 i = ((long)((rsltblock.b[6])<<8) | rsltblock.b[7])<<2;
529 encp[2] = itoa64[i&0x3f]; i >>= 6;
530 encp[1] = itoa64[i&0x3f]; i >>= 6;
531 encp[0] = itoa64[i];
532
533 encp[3] = 0;
96248f11 534
7d129e3b 535 return(cryptresult);
99401500 536}
98bd1891 537
98bd1891
BJ		 538
539/*
7d129e3b 540 * The Key Schedule, filled in by des_setkey() or setkey().
98bd1891 541 */
7d129e3b
KB		 542#define KS_SIZE 16
543static C_block KS[KS_SIZE];
98bd1891
BJ		 544
545/*
7d129e3b 546 * Set up the key schedule from the key.
98bd1891 547 */
7d129e3b
KB		 548void
549des_setkey(key)
550 register const char *key;
551{
552 register DCL_BLOCK(K, K0, K1);
553 register C_block *ptabp;
554 register int i;
555 static int des_ready = 0;
556
557 if (!des_ready) {
558 init_des();
559 des_ready = 1;
560 }
561
562 PERM6464(K,K0,K1,(unsigned char *)key,(C_block *)PC1ROT);
563 key = (char *)&KS[0];
564 STORE(K&0xfcfcfcfcL, K0&0xfcfcfcfcL, K1, *(C_block *)key);
565 for (i = 1; i < 16; i++) {
566 key += sizeof(C_block);
567 STORE(K,K0,K1,*(C_block *)key);
568 ptabp = (C_block *)PC2ROT[Rotates[i]-1];
569 PERM6464(K,K0,K1,(unsigned char *)key,ptabp);
570 STORE(K&0xfcfcfcfcL, K0&0xfcfcfcfcL, K1, *(C_block *)key);
571 }
572}
98bd1891
BJ		 573
574/*
7d129e3b
KB		 575 * Encrypt (or decrypt if num_iter < 0) the 8 chars at "in" with abs(num_iter)
576 * iterations of DES, using the the given 24-bit salt and the pre-computed key
577 * schedule, and store the resulting 8 chars at "out" (in == out is permitted).
578 *
579 * NOTE: the performance of this routine is critically dependent on your
580 * compiler and machine architecture.
98bd1891 581 */
7d129e3b
KB		 582void
583des_cipher(in, out, salt, num_iter)
584 const char *in;
585 char *out;
96248f11 586 long salt;
7d129e3b
KB		 587 int num_iter;
588{
589 /* variables that we want in registers, most important first */
590#if defined(pdp11)
591 register int j;
592#endif
593 register long L0, L1, R0, R1, k;
594 register C_block *kp;
595 register int ks_inc, loop_count;
596 C_block B;
597
598 L0 = salt;
599 TO_SIX_BIT(salt, L0); /* convert to 8*(6+2) format */
600
601#if defined(vax) || defined(pdp11)
602 salt = ~salt; /* "x &~ y" is faster than "x & y". */
603#define SALT (~salt)
604#else
605#define SALT salt
606#endif
607
608#if defined(MUST_ALIGN)
609 B.b[0] = in[0]; B.b[1] = in[1]; B.b[2] = in[2]; B.b[3] = in[3];
610 B.b[4] = in[4]; B.b[5] = in[5]; B.b[6] = in[6]; B.b[7] = in[7];
611 LOAD(L,L0,L1,B);
612#else
613 LOAD(L,L0,L1,*(C_block *)in);
614#endif
615 LOADREG(R,R0,R1,L,L0,L1);
616 L0 &= 0x55555555L;
617 L1 &= 0x55555555L;
618 L0 = (L0 << 1) | L1; /* L0 is the even-numbered input bits */
619 R0 &= 0xaaaaaaaaL;
620 R1 = (R1 >> 1) & 0x55555555L;
621 L1 = R0 | R1; /* L1 is the odd-numbered input bits */
622 STORE(L,L0,L1,B);
623 PERM3264(L,L0,L1,B.b, (C_block *)IE3264); /* even bits */
624 PERM3264(R,R0,R1,B.b+4,(C_block *)IE3264); /* odd bits */
625
626 if (num_iter >= 0)
627 { /* encryption */
628 kp = &KS[0];
629 ks_inc = sizeof(*kp);
630 }
631 else
632 { /* decryption */
633 num_iter = -num_iter;
634 kp = &KS[KS_SIZE-1];
635 ks_inc = -sizeof(*kp);
636 }
637
638 while (--num_iter >= 0) {
639 loop_count = 8;
640 do {
641
642#define BTAB(i) (((unsigned char *)&B.b[0])[i])
643#define SPTAB(t, i) (*(long *)((unsigned char *)t \
644 + i*(sizeof(long)/4)))
645#if defined(gould)
646 /* use this if BTAB(i) is evaluated just once ... */
647#define DOXOR(a,b,i) a^=SPTAB(SPE[0][i],BTAB(i));b^=SPTAB(SPE[1][i],BTAB(i));
648#else
649#if defined(pdp11)
650 /* use this if your "long" int indexing is slow */
651#define DOXOR(a,b,i) j=BTAB(i); a^=SPTAB(SPE[0][i],j); b^=SPTAB(SPE[1][i],j);
652#else
653 /* use this if "k" is allocated to a register ... */
654#define DOXOR(a,b,i) k=BTAB(i); a^=SPTAB(SPE[0][i],k); b^=SPTAB(SPE[1][i],k);
655#endif
656#endif
657
658#define CRUNCH(L0, L1, R0, R1) \
659 k = (R0 ^ R1) & SALT; \
660 B.b32.i0 = k ^ R0 ^ kp->b32.i0; \
661 B.b32.i1 = k ^ R1 ^ kp->b32.i1; \
662 kp = (C_block *)((char *)kp+ks_inc); \
663 \
664 DOXOR(L0, L1, 0); \
665 DOXOR(L0, L1, 1); \
666 DOXOR(L0, L1, 2); \
667 DOXOR(L0, L1, 3); \
668 DOXOR(L0, L1, 4); \
669 DOXOR(L0, L1, 5); \
670 DOXOR(L0, L1, 6); \
671 DOXOR(L0, L1, 7);
672
673 CRUNCH(L0, L1, R0, R1);
674 CRUNCH(R0, R1, L0, L1);
675 } while (--loop_count != 0);
676 kp = (C_block *)((char *)kp-(ks_inc*KS_SIZE));
677
678
679 /* swap L and R */
680 L0 ^= R0; L1 ^= R1;
681 R0 ^= L0; R1 ^= L1;
682 L0 ^= R0; L1 ^= R1;
683 }
684
685 /* store the encrypted (or decrypted) result */
686 L0 = ((L0 >> 3) & 0x0f0f0f0fL) | ((L1 << 1) & 0xf0f0f0f0L);
687 L1 = ((R0 >> 3) & 0x0f0f0f0fL) | ((R1 << 1) & 0xf0f0f0f0L);
688 STORE(L,L0,L1,B);
689 PERM6464(L,L0,L1,B.b, (C_block *)CF6464);
690#if defined(MUST_ALIGN)
691 STORE(L,L0,L1,B);
692 out[0] = B.b[0]; out[1] = B.b[1]; out[2] = B.b[2]; out[3] = B.b[3];
693 out[4] = B.b[4]; out[5] = B.b[5]; out[6] = B.b[6]; out[7] = B.b[7];
694#else
695 STORE(L,L0,L1,*(C_block *)out);
696#endif
697}
698
98bd1891
BJ		 699
700/*
7d129e3b
KB		 701 * Initialize various tables. This need only be done once. It could even be
702 * done at compile time, if the compiler were capable of that sort of thing.
98bd1891 703 */
7d129e3b
KB		 704STATIC
705init_des()
98bd1891 706{
7d129e3b
KB		 707 register int i, j;
708 register long k;
709 register int tableno;
710 static unsigned char perm[64], tmp32[32]; /* "static" for speed */
98bd1891
BJ		 711
712 /*
7d129e3b 713 * table that converts chars "./0-9A-Za-z"to integers 0-63.
98bd1891 714 */
7d129e3b
KB		 715 for (i = 0; i < 64; i++)
716 a64toi[itoa64[i]] = i;
717
98bd1891 718 /*
7d129e3b 719 * PC1ROT - bit reverse, then PC1, then Rotate, then PC2.
98bd1891 720 */
7d129e3b
KB		 721 for (i = 0; i < 64; i++)
722 perm[i] = 0;
723 for (i = 0; i < 64; i++) {
724 if ((k = PC2[i]) == 0)
725 continue;
726 k += Rotates[0]-1;
727 if ((k%28) < Rotates[0]) k -= 28;
728 k = PC1[k];
729 if (k > 0) {
730 k--;
731 k = (k|07) - (k&07);
732 k++;
98bd1891 733 }
7d129e3b 734 perm[i] = k;
98bd1891 735 }
7d129e3b
KB		 736#ifdef DEBUG
737 prtab("pc1tab", perm, 8);
738#endif
96248f11 739 init_perm(PC1ROT, perm, 8, 8);
7d129e3b
KB		 740
741 /*
742 * PC2ROT - PC2 inverse, then Rotate (once or twice), then PC2.
743 */
744 for (j = 0; j < 2; j++) {
745 unsigned char pc2inv[64];
746 for (i = 0; i < 64; i++)
747 perm[i] = pc2inv[i] = 0;
748 for (i = 0; i < 64; i++) {
749 if ((k = PC2[i]) == 0)
750 continue;
751 pc2inv[k-1] = i+1;
752 }
753 for (i = 0; i < 64; i++) {
754 if ((k = PC2[i]) == 0)
755 continue;
756 k += j;
757 if ((k%28) <= j) k -= 28;
758 perm[i] = pc2inv[k];
759 }
760#ifdef DEBUG
761 prtab("pc2tab", perm, 8);
762#endif
96248f11 763 init_perm(PC2ROT[j], perm, 8, 8);
7d129e3b
KB		 764 }
765
766 /*
767 * Bit reverse, then initial permutation, then expansion.
768 */
769 for (i = 0; i < 8; i++) {
770 for (j = 0; j < 8; j++) {
771 k = (j < 2)? 0: IP[ExpandTr[i*6+j-2]-1];
772 if (k > 32)
773 k -= 32;
774 else if (k > 0)
775 k--;
776 if (k > 0) {
777 k--;
778 k = (k|07) - (k&07);
779 k++;
780 }
781 perm[i*8+j] = k;
782 }
783 }
784#ifdef DEBUG
785 prtab("ietab", perm, 8);
786#endif
96248f11 787 init_perm(IE3264, perm, 4, 8);
7d129e3b 788
98bd1891 789 /*
7d129e3b 790 * Compression, then final permutation, then bit reverse.
98bd1891 791 */
7d129e3b
KB		 792 for (i = 0; i < 64; i++) {
793 k = IP[CIFP[i]-1];
794 if (k > 0) {
795 k--;
796 k = (k|07) - (k&07);
797 k++;
798 }
799 perm[k-1] = i+1;
98bd1891 800 }
7d129e3b
KB		 801#ifdef DEBUG
802 prtab("cftab", perm, 8);
803#endif
96248f11 804 init_perm(CF6464, perm, 8, 8);
7d129e3b 805
98bd1891 806 /*
7d129e3b 807 * SPE table
98bd1891 808 */
7d129e3b
KB		 809 for (i = 0; i < 48; i++)
810 perm[i] = P32Tr[ExpandTr[i]-1];
811 for (tableno = 0; tableno < 8; tableno++) {
812 for (j = 0; j < 64; j++) {
813 k = (((j >> 0) &01) << 5)|
814 (((j >> 1) &01) << 3)|
815 (((j >> 2) &01) << 2)|
816 (((j >> 3) &01) << 1)|
817 (((j >> 4) &01) << 0)|
818 (((j >> 5) &01) << 4);
819 k = S[tableno][k];
820 k = (((k >> 3)&01) << 0)|
821 (((k >> 2)&01) << 1)|
822 (((k >> 1)&01) << 2)|
823 (((k >> 0)&01) << 3);
824 for (i = 0; i < 32; i++)
825 tmp32[i] = 0;
826 for (i = 0; i < 4; i++)
827 tmp32[4 * tableno + i] = (k >> i) & 01;
828 k = 0;
829 for (i = 24; --i >= 0; )
830 k = (k<<1) | tmp32[perm[i]-1];
831 TO_SIX_BIT(SPE[0][tableno][j], k);
832 k = 0;
833 for (i = 24; --i >= 0; )
834 k = (k<<1) | tmp32[perm[i+24]-1];
835 TO_SIX_BIT(SPE[1][tableno][j], k);
836 }
837 }
98bd1891
BJ		 838}
839
7d129e3b 840/*
96248f11
KB		 841 * Initialize "perm" to represent transformation "p", which rearranges
842 * (perhaps with expansion and/or contraction) one packed array of bits
843 * (of size "chars_in" characters) into another array (of size "chars_out"
844 * characters).
845 *
7d129e3b
KB		 846 * "perm" must be all-zeroes on entry to this routine.
847 */
848STATIC
96248f11 849init_perm(perm, p, chars_in, chars_out)
7d129e3b
KB		 850 C_block perm[64/CHUNKBITS][1<<CHUNKBITS];
851 unsigned char p[64];
852 int chars_in, chars_out;
98bd1891 853{
7d129e3b
KB		 854 register int i, j, k, l;
855
856 for (k = 0; k < chars_out*8; k++) { /* each output bit position */
857 l = p[k] - 1; /* where this bit comes from */
858 if (l < 0)
859 continue; /* output bit is always 0 */
860 i = l>>LGCHUNKBITS; /* which chunk this bit comes from */
861 l = 1<<(l&(CHUNKBITS-1)); /* mask for this bit */
862 for (j = 0; j < (1<<CHUNKBITS); j++) { /* each chunk value */
863 if ((j & l) != 0)
864 perm[i][j].b[k>>3] |= 1<<(k&07);
865 }
98bd1891 866 }
7d129e3b
KB		 867}
868
869/*
870 * "setkey" routine (for backwards compatibility)
871 */
872void
873setkey(key)
874 register const char *key;
875{
876 register int i, j, k;
877 C_block keyblock;
878
879 for (i = 0; i < 8; i++) {
880 k = 0;
881 for (j = 0; j < 8; j++) {
882 k <<= 1;
883 k |= (unsigned char)*key++;
98bd1891 884 }
7d129e3b
KB		 885 keyblock.b[i] = k;
886 }
887 des_setkey((char *)keyblock.b);
888}
889
890/*
891 * "encrypt" routine (for backwards compatibility)
892 */
893void
894encrypt(block, flag)
895 register char *block;
896 int flag;
897{
898 register int i, j, k;
899 C_block cblock;
900
901 for (i = 0; i < 8; i++) {
902 k = 0;
903 for (j = 0; j < 8; j++) {
904 k <<= 1;
905 k |= (unsigned char)*block++;
906 }
907 cblock.b[i] = k;
908 }
909 des_cipher((char *)&cblock, (char *)&cblock, 0L, (flag? -1: 1));
910 for (i = 7; i >= 0; i--) {
911 k = cblock.b[i];
912 for (j = 7; j >= 0; j--) {
913 *--block = k&01;
914 k >>= 1;
915 }
916 }
917}
918
919#ifdef DEBUG
920STATIC
921prtab(s, t, num_rows)
922 char *s;
923 unsigned char *t;
924 int num_rows;
925{
926 register int i, j;
927
872a5938 928 (void)printf("%s:\n", s);
7d129e3b
KB		 929 for (i = 0; i < num_rows; i++) {
930 for (j = 0; j < 8; j++) {
872a5938 931 (void)printf("%3d", t[i*8+j]);
7d129e3b 932 }
872a5938 933 (void)printf("\n");
98bd1891 934 }
872a5938 935 (void)printf("\n");
98bd1891 936}
7d129e3b 937#endif
Continuous source code history from original PDP-7 UNIX to FreeBSD 2, the first fully unencumbered FreeBSD release.