1 /* $NetBSD: crypt.c,v 1.18 2001/03/01 14:37:35 wiz Exp $ */
4 * Copyright (c) 1989, 1993
5 * The Regents of the University of California. All rights reserved.
7 * This code is derived from software contributed to Berkeley by
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 * 3. All advertising materials mentioning features or use of this software
19 * must display the following acknowledgement:
20 * This product includes software developed by the University of
21 * California, Berkeley and its contributors.
22 * 4. Neither the name of the University nor the names of its contributors
23 * may be used to endorse or promote products derived from this software
24 * without specific prior written permission.
26 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
27 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
28 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
29 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
30 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
31 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
32 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
33 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
34 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
35 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
39 #if defined(LIBC_SCCS) && !defined(lint)
41 static char sccsid[] = "@(#)crypt.c 8.1.1.1 (Berkeley) 8/18/93";
44 __RCSID("$NetBSD: crypt.c,v 1.18 2001/03/01 14:37:35 wiz Exp $");
51 #include <sys/types.h>
59 static int des_setkey(const char *key);
60 static int des_cipher(const char *in, char *out, long salt, int num_iter);
63 * UNIX password, and DES, encryption.
64 * By Tom Truscott, trt@rti.rti.org,
65 * from algorithms by Robert W. Baldwin and James Gillogly.
68 * "Mathematical Cryptology for Computer Scientists and Mathematicians,"
69 * by Wayne Patterson, 1987, ISBN 0-8476-7438-X.
71 * "Password Security: A Case History," R. Morris and Ken Thompson,
72 * Communications of the ACM, vol. 22, pp. 594-597, Nov. 1979.
74 * "DES will be Totally Insecure within Ten Years," M.E. Hellman,
75 * IEEE Spectrum, vol. 16, pp. 32-39, July 1979.
78 /* ===== Configuration ==================== */
81 * define "MUST_ALIGN" if your compiler cannot load/store
82 * long integers at arbitrary (e.g. odd) memory locations.
83 * (Either that or never pass unaligned addresses to des_cipher!)
85 /* #define MUST_ALIGN */
89 #error C_block structure assumes 8 bit characters
94 * define "B64" to be the declaration for a 64 bit integer.
95 * XXX this feature is currently unused, see "endian" comment below.
100 * define "LARGEDATA" to get faster permutations, by using about 72 kilobytes
101 * of lookup tables. This speeds up des_setkey() and des_cipher(), but has
102 * little effect on crypt().
104 /* #define LARGEDATA */
106 /* compile with "-DSTATIC=void" when profiling */
108 #define STATIC static void
112 * Define the "int32_t" type for integral type with a width of at least
117 /* ==================================== */
119 #define _PASSWORD_EFMT1 '_' /* extended encryption format */
122 * Cipher-block representation (Bob Baldwin):
124 * DES operates on groups of 64 bits, numbered 1..64 (sigh). One
125 * representation is to store one bit per byte in an array of bytes. Bit N of
126 * the NBS spec is stored as the LSB of the Nth byte (index N-1) in the array.
127 * Another representation stores the 64 bits in 8 bytes, with bits 1..8 in the
128 * first byte, 9..16 in the second, and so on. The DES spec apparently has
129 * bit 1 in the MSB of the first byte, but that is particularly noxious so we
130 * bit-reverse each byte so that bit 1 is the LSB of the first byte, bit 8 is
131 * the MSB of the first byte. Specifically, the 64-bit input data and key are
132 * converted to LSB format, and the output 64-bit block is converted back into
135 * DES operates internally on groups of 32 bits which are expanded to 48 bits
136 * by permutation E and shrunk back to 32 bits by the S boxes. To speed up
137 * the computation, the expansion is applied only once, the expanded
138 * representation is maintained during the encryption, and a compression
139 * permutation is applied only at the end. To speed up the S-box lookups,
140 * the 48 bits are maintained as eight 6 bit groups, one per byte, which
141 * directly feed the eight S-boxes. Within each byte, the 6 bits are the
142 * most significant ones. The low two bits of each byte are zero. (Thus,
143 * bit 1 of the 48 bit E expansion is stored as the "4"-valued bit of the
144 * first byte in the eight byte representation, bit 2 of the 48 bit value is
145 * the "8"-valued bit, and so on.) In fact, a combined "SPE"-box lookup is
146 * used, in which the output is the 64 bit result of an S-box lookup which
147 * has been permuted by P and expanded by E, and is ready for use in the next
148 * iteration. Two 32-bit wide tables, SPE[0] and SPE[1], are used for this
149 * lookup. Since each byte in the 48 bit path is a multiple of four, indexed
150 * lookup of SPE[0] and SPE[1] is simple and fast. The key schedule and
151 * "salt" are also converted to this 8*(6+2) format. The SPE table size is
154 * To speed up bit-parallel operations (such as XOR), the 8 byte
155 * representation is "union"ed with 32 bit values "i0" and "i1", and, on
156 * machines which support it, a 64 bit value "b64". This data structure,
157 * "C_block", has two problems. First, alignment restrictions must be
158 * honored. Second, the byte-order (e.g. little-endian or big-endian) of
159 * the architecture becomes visible.
161 * The byte-order problem is unfortunate, since on the one hand it is good
162 * to have a machine-independent C_block representation (bits 1..8 in the
163 * first byte, etc.), and on the other hand it is good for the LSB of the
164 * first byte to be the LSB of i0. We cannot have both these things, so we
165 * currently use the "little-endian" representation and avoid any multi-byte
166 * operations that depend on byte order. This largely precludes use of the
167 * 64-bit datatype since the relative order of i0 and i1 are unknown. It
168 * also inhibits grouping the SPE table to look up 12 bits at a time. (The
169 * 12 bits can be stored in a 16-bit field with 3 low-order zeroes and 1
170 * high-order zero, providing fast indexing into a 64-bit wide SPE.) On the
171 * other hand, 64-bit datatypes are currently rare, and a 12-bit SPE lookup
172 * requires a 128 kilobyte table, so perhaps this is not a big loss.
174 * Permutation representation (Jim Gillogly):
176 * A transformation is defined by its effect on each of the 8 bytes of the
177 * 64-bit input. For each byte we give a 64-bit output that has the bits in
178 * the input distributed appropriately. The transformation is then the OR
179 * of the 8 sets of 64-bits. This uses 8*256*8 = 16K bytes of storage for
180 * each transformation. Unless LARGEDATA is defined, however, a more compact
181 * table is used which looks up 16 4-bit "chunks" rather than 8 8-bit chunks.
182 * The smaller table uses 16*16*8 = 2K bytes for each transformation. This
183 * is slower but tolerable, particularly for password encryption in which
184 * the SPE transformation is iterated many times. The small tables total 9K
185 * bytes, the large tables total 72K bytes.
187 * The transformations used are:
188 * IE3264: MSB->LSB conversion, initial permutation, and expansion.
189 * This is done by collecting the 32 even-numbered bits and applying
190 * a 32->64 bit transformation, and then collecting the 32 odd-numbered
191 * bits and applying the same transformation. Since there are only
192 * 32 input bits, the IE3264 transformation table is half the size of
194 * CF6464: Compression, final permutation, and LSB->MSB conversion.
195 * This is done by two trivial 48->32 bit compressions to obtain
196 * a 64-bit block (the bit numbering is given in the "CIFP" table)
197 * followed by a 64->64 bit "cleanup" transformation. (It would
198 * be possible to group the bits in the 64-bit block so that 2
199 * identical 32->32 bit transformations could be used instead,
200 * saving a factor of 4 in space and possibly 2 in time, but
201 * byte-ordering and other complications rear their ugly head.
202 * Similar opportunities/problems arise in the key schedule
204 * PC1ROT: MSB->LSB, PC1 permutation, rotate, and PC2 permutation.
205 * This admittedly baroque 64->64 bit transformation is used to
206 * produce the first code (in 8*(6+2) format) of the key schedule.
207 * PC2ROT[0]: Inverse PC2 permutation, rotate, and PC2 permutation.
208 * It would be possible to define 15 more transformations, each
209 * with a different rotation, to generate the entire key schedule.
210 * To save space, however, we instead permute each code into the
211 * next by using a transformation that "undoes" the PC2 permutation,
212 * rotates the code, and then applies PC2. Unfortunately, PC2
213 * transforms 56 bits into 48 bits, dropping 8 bits, so PC2 is not
214 * invertible. We get around that problem by using a modified PC2
215 * which retains the 8 otherwise-lost bits in the unused low-order
216 * bits of each byte. The low-order bits are cleared when the
217 * codes are stored into the key schedule.
218 * PC2ROT[1]: Same as PC2ROT[0], but with two rotations.
219 * This is faster than applying PC2ROT[0] twice,
221 * The Bell Labs "salt" (Bob Baldwin):
223 * The salting is a simple permutation applied to the 48-bit result of E.
224 * Specifically, if bit i (1 <= i <= 24) of the salt is set then bits i and
225 * i+24 of the result are swapped. The salt is thus a 24 bit number, with
226 * 16777216 possible values. (The original salt was 12 bits and could not
227 * swap bits 13..24 with 36..48.)
229 * It is possible, but ugly, to warp the SPE table to account for the salt
230 * permutation. Fortunately, the conditional bit swapping requires only
231 * about four machine instructions and can be done on-the-fly with about an
232 * 8% performance penalty.
249 * Convert twenty-four-bit long in host-order
250 * to six bits (and 2 low-order zeroes) per char little-endian format.
252 #define TO_SIX_BIT(rslt, src) { \
254 cvt.b[0] = src; src >>= 6; \
255 cvt.b[1] = src; src >>= 6; \
256 cvt.b[2] = src; src >>= 6; \
258 rslt = (cvt.b32.i0 & 0x3f3f3f3fL) << 2; \
262 * These macros may someday permit efficient use of 64-bit integers.
264 #define ZERO(d,d0,d1) d0 = 0, d1 = 0
265 #define LOAD(d,d0,d1,bl) d0 = (bl).b32.i0, d1 = (bl).b32.i1
266 #define LOADREG(d,d0,d1,s,s0,s1) d0 = s0, d1 = s1
267 #define OR(d,d0,d1,bl) d0 |= (bl).b32.i0, d1 |= (bl).b32.i1
268 #define STORE(s,s0,s1,bl) (bl).b32.i0 = s0, (bl).b32.i1 = s1
269 #define DCL_BLOCK(d,d0,d1) int32_t d0, d1
271 #if defined(LARGEDATA)
272 /* Waste memory like crazy. Also, do permutations in line */
273 #define LGCHUNKBITS 3
274 #define CHUNKBITS (1<<LGCHUNKBITS)
275 #define PERM6464(d,d0,d1,cpp,p) \
276 LOAD(d,d0,d1,(p)[(0<<CHUNKBITS)+(cpp)[0]]); \
277 OR (d,d0,d1,(p)[(1<<CHUNKBITS)+(cpp)[1]]); \
278 OR (d,d0,d1,(p)[(2<<CHUNKBITS)+(cpp)[2]]); \
279 OR (d,d0,d1,(p)[(3<<CHUNKBITS)+(cpp)[3]]); \
280 OR (d,d0,d1,(p)[(4<<CHUNKBITS)+(cpp)[4]]); \
281 OR (d,d0,d1,(p)[(5<<CHUNKBITS)+(cpp)[5]]); \
282 OR (d,d0,d1,(p)[(6<<CHUNKBITS)+(cpp)[6]]); \
283 OR (d,d0,d1,(p)[(7<<CHUNKBITS)+(cpp)[7]]);
284 #define PERM3264(d,d0,d1,cpp,p) \
285 LOAD(d,d0,d1,(p)[(0<<CHUNKBITS)+(cpp)[0]]); \
286 OR (d,d0,d1,(p)[(1<<CHUNKBITS)+(cpp)[1]]); \
287 OR (d,d0,d1,(p)[(2<<CHUNKBITS)+(cpp)[2]]); \
288 OR (d,d0,d1,(p)[(3<<CHUNKBITS)+(cpp)[3]]);
291 #define LGCHUNKBITS 2
292 #define CHUNKBITS (1<<LGCHUNKBITS)
293 #define PERM6464(d,d0,d1,cpp,p) \
294 { C_block tblk; permute(cpp,&tblk,p,8); LOAD (d,d0,d1,tblk); }
295 #define PERM3264(d,d0,d1,cpp,p) \
296 { C_block tblk; permute(cpp,&tblk,p,4); LOAD (d,d0,d1,tblk); }
297 #endif /* LARGEDATA */
299 STATIC init_des(void);
300 STATIC init_perm(C_block[64 / CHUNKBITS][1 << CHUNKBITS], unsigned char[64], int, int);
303 STATIC permute(unsigned char *, C_block *, C_block *, int);
306 STATIC prtab(char *, unsigned char *, int);
312 permute(cp, out, p, chars_in)
318 DCL_BLOCK(D, D0, D1);
328 p += (1 << CHUNKBITS);
331 p += (1 << CHUNKBITS);
332 } while (--chars_in > 0);
333 STORE(D, D0, D1, *out);
335 #endif /* LARGEDATA */
338 /* ===== (mostly) Standard DES Tables ==================== */
340 static unsigned char IP[] = { /* initial permutation */
341 58, 50, 42, 34, 26, 18, 10, 2,
342 60, 52, 44, 36, 28, 20, 12, 4,
343 62, 54, 46, 38, 30, 22, 14, 6,
344 64, 56, 48, 40, 32, 24, 16, 8,
345 57, 49, 41, 33, 25, 17, 9, 1,
346 59, 51, 43, 35, 27, 19, 11, 3,
347 61, 53, 45, 37, 29, 21, 13, 5,
348 63, 55, 47, 39, 31, 23, 15, 7,
351 /* The final permutation is the inverse of IP - no table is necessary */
353 static unsigned char ExpandTr[] = { /* expansion operation */
356 8, 9, 10, 11, 12, 13,
357 12, 13, 14, 15, 16, 17,
358 16, 17, 18, 19, 20, 21,
359 20, 21, 22, 23, 24, 25,
360 24, 25, 26, 27, 28, 29,
361 28, 29, 30, 31, 32, 1,
364 static unsigned char PC1[] = { /* permuted choice table 1 */
365 57, 49, 41, 33, 25, 17, 9,
366 1, 58, 50, 42, 34, 26, 18,
367 10, 2, 59, 51, 43, 35, 27,
368 19, 11, 3, 60, 52, 44, 36,
370 63, 55, 47, 39, 31, 23, 15,
371 7, 62, 54, 46, 38, 30, 22,
372 14, 6, 61, 53, 45, 37, 29,
373 21, 13, 5, 28, 20, 12, 4,
376 static unsigned char Rotates[] = { /* PC1 rotation schedule */
377 1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1,
380 /* note: each "row" of PC2 is left-padded with bits that make it invertible */
381 static unsigned char PC2[] = { /* permuted choice table 2 */
382 9, 18, 14, 17, 11, 24, 1, 5,
383 22, 25, 3, 28, 15, 6, 21, 10,
384 35, 38, 23, 19, 12, 4, 26, 8,
385 43, 54, 16, 7, 27, 20, 13, 2,
387 0, 0, 41, 52, 31, 37, 47, 55,
388 0, 0, 30, 40, 51, 45, 33, 48,
389 0, 0, 44, 49, 39, 56, 34, 53,
390 0, 0, 46, 42, 50, 36, 29, 32,
393 static unsigned char S[8][64] = { /* 48->32 bit substitution tables */
395 {14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7,
396 0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8,
397 4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0,
398 15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13},
400 {15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10,
401 3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5,
402 0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15,
403 13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9},
405 {10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8,
406 13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1,
407 13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7,
408 1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12},
410 {7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15,
411 13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9,
412 10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4,
413 3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14},
415 {2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9,
416 14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6,
417 4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14,
418 11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3},
420 {12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11,
421 10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8,
422 9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6,
423 4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13},
425 {4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1,
426 13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6,
427 1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2,
428 6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12},
430 {13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7,
431 1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2,
432 7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8,
433 2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11}
436 static unsigned char P32Tr[] = { /* 32-bit permutation function */
447 static unsigned char CIFP[] = { /* compressed/interleaved permutation */
448 1, 2, 3, 4, 17, 18, 19, 20,
449 5, 6, 7, 8, 21, 22, 23, 24,
450 9, 10, 11, 12, 25, 26, 27, 28,
451 13, 14, 15, 16, 29, 30, 31, 32,
453 33, 34, 35, 36, 49, 50, 51, 52,
454 37, 38, 39, 40, 53, 54, 55, 56,
455 41, 42, 43, 44, 57, 58, 59, 60,
456 45, 46, 47, 48, 61, 62, 63, 64,
459 static unsigned char itoa64[] = /* 0..63 => ascii-64 */
460 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
463 /* ===== Tables that are initialized at run time ==================== */
466 static unsigned char a64toi[128]; /* ascii-64 => 0..63 */
468 /* Initial key schedule permutation */
469 static C_block PC1ROT[64 / CHUNKBITS][1 << CHUNKBITS];
471 /* Subsequent key schedule rotation permutations */
472 static C_block PC2ROT[2][64 / CHUNKBITS][1 << CHUNKBITS];
474 /* Initial permutation/expansion table */
475 static C_block IE3264[32 / CHUNKBITS][1 << CHUNKBITS];
477 /* Table that combines the S, P, and E operations. */
478 static int32_t SPE[2][8][64];
480 /* compressed/interleaved => final permutation table */
481 static C_block CF6464[64 / CHUNKBITS][1 << CHUNKBITS];
484 /* ==================================== */
487 static C_block constdatablock; /* encryption constant */
488 static char cryptresult[1 + 4 + 4 + 11 + 1]; /* encrypted result */
490 extern char *__md5crypt(const char *, const char *); /* XXX */
491 extern char *__bcrypt(const char *, const char *); /* XXX */
495 * Return a pointer to static data consisting of the "setting"
496 * followed by an encryption produced by the "key" and "setting".
513 /* Non-DES encryption schemes hook in here. */
514 if (setting[0] == _PASSWORD_NONDES)
519 return (__bcrypt(key, setting));
522 return (__md5crypt(key, setting));
527 for (i = 0; i < 8; i++)
529 if ((t = 2 * (unsigned char) (*key)) != 0)
533 if (des_setkey((char *) keyblock.b)) /* also initializes
537 encp = &cryptresult[0];
540 case _PASSWORD_EFMT1:
543 * Involve the rest of the password 8 characters at a time.
547 if (des_cipher((char *) (void *) &keyblock,
548 (char *) (void *) &keyblock, 0L, 1))
550 for (i = 0; i < 8; i++)
552 if ((t = 2 * (unsigned char) (*key)) != 0)
556 if (des_setkey((char *) keyblock.b))
560 *encp++ = *setting++;
562 /* get iteration count */
564 for (i = 4; --i >= 0;)
566 if ((t = (unsigned char) setting[i]) == '\0')
569 num_iter = (num_iter << 6) | a64toi[t];
581 for (i = salt_size; --i >= 0;)
583 if ((t = (unsigned char) setting[i]) == '\0')
586 salt = (salt << 6) | a64toi[t];
589 if (des_cipher((char *) (void *) &constdatablock,
590 (char *) (void *) &rsltblock, salt, num_iter))
594 * Encode the 64 cipher bits as 11 ascii characters.
596 i = ((int32_t) ((rsltblock.b[0] << 8) | rsltblock.b[1]) << 8) |
598 encp[3] = itoa64[i & 0x3f];
600 encp[2] = itoa64[i & 0x3f];
602 encp[1] = itoa64[i & 0x3f];
606 i = ((int32_t) ((rsltblock.b[3] << 8) | rsltblock.b[4]) << 8) |
608 encp[3] = itoa64[i & 0x3f];
610 encp[2] = itoa64[i & 0x3f];
612 encp[1] = itoa64[i & 0x3f];
616 i = ((int32_t) ((rsltblock.b[6]) << 8) | rsltblock.b[7]) << 2;
617 encp[2] = itoa64[i & 0x3f];
619 encp[1] = itoa64[i & 0x3f];
625 return (cryptresult);
630 * The Key Schedule, filled in by des_setkey() or setkey().
633 static C_block KS[KS_SIZE];
635 static volatile int des_ready = 0;
638 * Set up the key schedule from the key.
644 DCL_BLOCK(K, K0, K1);
651 PERM6464(K, K0, K1, (unsigned char *) key, (C_block *) PC1ROT);
652 key = (char *) &KS[0];
653 STORE(K & ~0x03030303L, K0 & ~0x03030303L, K1, *(C_block *) key);
654 for (i = 1; i < 16; i++)
656 key += sizeof(C_block);
657 STORE(K, K0, K1, *(C_block *) key);
658 ptabp = (C_block *) PC2ROT[Rotates[i] - 1];
659 PERM6464(K, K0, K1, (unsigned char *) key, ptabp);
660 STORE(K & ~0x03030303L, K0 & ~0x03030303L, K1, *(C_block *) key);
666 * Encrypt (or decrypt if num_iter < 0) the 8 chars at "in" with abs(num_iter)
667 * iterations of DES, using the given 24-bit salt and the pre-computed key
668 * schedule, and store the resulting 8 chars at "out" (in == out is permitted).
670 * NOTE: the performance of this routine is critically dependent on your
671 * compiler and machine architecture.
674 des_cipher(in, out, salt, num_iter)
680 /* variables that we want in registers, most important first */
695 TO_SIX_BIT(salt, L0); /* convert to 4*(6+2) format */
697 #if defined(__vax__) || defined(pdp11)
698 salt = ~salt; /* "x &~ y" is faster than "x & y". */
704 #if defined(MUST_ALIGN)
715 LOAD(L, L0, L1, *(C_block *) in);
717 LOADREG(R, R0, R1, L, L0, L1);
720 L0 = (L0 << 1) | L1; /* L0 is the even-numbered input bits */
722 R1 = (R1 >> 1) & 0x55555555L;
723 L1 = R0 | R1; /* L1 is the odd-numbered input bits */
725 PERM3264(L, L0, L1, B.b, (C_block *) IE3264); /* even bits */
726 PERM3264(R, R0, R1, B.b + 4, (C_block *) IE3264); /* odd bits */
731 ks_inc = sizeof(*kp);
735 num_iter = -num_iter;
736 kp = &KS[KS_SIZE - 1];
737 ks_inc = -(long) sizeof(*kp);
740 while (--num_iter >= 0)
746 #define SPTAB(t, i) \
747 (*(int32_t *)((unsigned char *)t + i*(sizeof(int32_t)/4)))
749 /* use this if B.b[i] is evaluated just once ... */
750 #define DOXOR(x,y,i) x^=SPTAB(SPE[0][i],B.b[i]); y^=SPTAB(SPE[1][i],B.b[i]);
753 /* use this if your "long" int indexing is slow */
754 #define DOXOR(x,y,i) j=B.b[i]; x^=SPTAB(SPE[0][i],j); y^=SPTAB(SPE[1][i],j);
756 /* use this if "k" is allocated to a register ... */
757 #define DOXOR(x,y,i) k=B.b[i]; x^=SPTAB(SPE[0][i],k); y^=SPTAB(SPE[1][i],k);
761 #define CRUNCH(p0, p1, q0, q1) \
762 k = (q0 ^ q1) & SALT; \
763 B.b32.i0 = k ^ q0 ^ kp->b32.i0; \
764 B.b32.i1 = k ^ q1 ^ kp->b32.i1; \
765 kp = (C_block *)((char *)kp+ks_inc); \
776 CRUNCH(L0, L1, R0, R1);
777 CRUNCH(R0, R1, L0, L1);
778 } while (--loop_count != 0);
779 kp = (C_block *) ((char *) kp - (ks_inc * KS_SIZE));
791 /* store the encrypted (or decrypted) result */
792 L0 = ((L0 >> 3) & 0x0f0f0f0fL) | ((L1 << 1) & 0xf0f0f0f0L);
793 L1 = ((R0 >> 3) & 0x0f0f0f0fL) | ((R1 << 1) & 0xf0f0f0f0L);
795 PERM6464(L, L0, L1, B.b, (C_block *) CF6464);
796 #if defined(MUST_ALIGN)
807 STORE(L, L0, L1, *(C_block *) out);
814 * Initialize various tables. This need only be done once. It could even be
815 * done at compile time, if the compiler were capable of that sort of thing.
824 static unsigned char perm[64],
825 tmp32[32]; /* "static" for speed */
826 /* static volatile long init_start = 0; not used */
829 * table that converts chars "./0-9A-Za-z"to integers 0-63.
831 for (i = 0; i < 64; i++)
832 a64toi[itoa64[i]] = i;
835 * PC1ROT - bit reverse, then PC1, then Rotate, then PC2.
837 for (i = 0; i < 64; i++)
839 for (i = 0; i < 64; i++)
841 if ((k = PC2[i]) == 0)
844 if ((k % 28) < Rotates[0])
850 k = (k | 07) - (k & 07);
856 prtab("pc1tab", perm, 8);
858 init_perm(PC1ROT, perm, 8, 8);
861 * PC2ROT - PC2 inverse, then Rotate (once or twice), then PC2.
863 for (j = 0; j < 2; j++)
865 unsigned char pc2inv[64];
867 for (i = 0; i < 64; i++)
868 perm[i] = pc2inv[i] = 0;
869 for (i = 0; i < 64; i++)
871 if ((k = PC2[i]) == 0)
873 pc2inv[k - 1] = i + 1;
875 for (i = 0; i < 64; i++)
877 if ((k = PC2[i]) == 0)
885 prtab("pc2tab", perm, 8);
887 init_perm(PC2ROT[j], perm, 8, 8);
891 * Bit reverse, then initial permutation, then expansion.
893 for (i = 0; i < 8; i++)
895 for (j = 0; j < 8; j++)
897 k = (j < 2) ? 0 : IP[ExpandTr[i * 6 + j - 2] - 1];
905 k = (k | 07) - (k & 07);
912 prtab("ietab", perm, 8);
914 init_perm(IE3264, perm, 4, 8);
917 * Compression, then final permutation, then bit reverse.
919 for (i = 0; i < 64; i++)
925 k = (k | 07) - (k & 07);
931 prtab("cftab", perm, 8);
933 init_perm(CF6464, perm, 8, 8);
938 for (i = 0; i < 48; i++)
939 perm[i] = P32Tr[ExpandTr[i] - 1];
940 for (tableno = 0; tableno < 8; tableno++)
942 for (j = 0; j < 64; j++)
944 k = (((j >> 0) & 01) << 5) |
945 (((j >> 1) & 01) << 3) |
946 (((j >> 2) & 01) << 2) |
947 (((j >> 3) & 01) << 1) |
948 (((j >> 4) & 01) << 0) |
949 (((j >> 5) & 01) << 4);
951 k = (((k >> 3) & 01) << 0) |
952 (((k >> 2) & 01) << 1) |
953 (((k >> 1) & 01) << 2) |
954 (((k >> 0) & 01) << 3);
955 for (i = 0; i < 32; i++)
957 for (i = 0; i < 4; i++)
958 tmp32[4 * tableno + i] = (k >> i) & 01;
960 for (i = 24; --i >= 0;)
961 k = (k << 1) | tmp32[perm[i] - 1];
962 TO_SIX_BIT(SPE[0][tableno][j], k);
964 for (i = 24; --i >= 0;)
965 k = (k << 1) | tmp32[perm[i + 24] - 1];
966 TO_SIX_BIT(SPE[1][tableno][j], k);
974 * Initialize "perm" to represent transformation "p", which rearranges
975 * (perhaps with expansion and/or contraction) one packed array of bits
976 * (of size "chars_in" characters) into another array (of size "chars_out"
979 * "perm" must be all-zeroes on entry to this routine.
982 init_perm(perm, p, chars_in, chars_out)
983 C_block perm[64 / CHUNKBITS][1 << CHUNKBITS];
993 for (k = 0; k < chars_out * 8; k++)
994 { /* each output bit position */
995 l = p[k] - 1; /* where this bit comes from */
997 continue; /* output bit is always 0 */
998 i = l >> LGCHUNKBITS; /* which chunk this bit comes from */
999 l = 1 << (l & (CHUNKBITS - 1)); /* mask for this bit */
1000 for (j = 0; j < (1 << CHUNKBITS); j++)
1001 { /* each chunk value */
1003 perm[i][j].b[k >> 3] |= 1 << (k & 07);
1009 * "setkey" routine (for backwards compatibility)
1021 for (i = 0; i < 8; i++)
1024 for (j = 0; j < 8; j++)
1027 k |= (unsigned char) *key++;
1031 return (des_setkey((char *) keyblock.b));
1035 * "encrypt" routine (for backwards compatibility)
1038 encrypt(block, flag)
1047 for (i = 0; i < 8; i++)
1050 for (j = 0; j < 8; j++)
1053 k |= (unsigned char) *block++;
1057 if (des_cipher((char *) &cblock, (char *) &cblock, 0L, (flag ? -1 : 1)))
1059 for (i = 7; i >= 0; i--)
1062 for (j = 7; j >= 0; j--)
1074 prtab(s, t, num_rows)
1082 (void) printf("%s:\n", s);
1083 for (i = 0; i < num_rows; i++)
1085 for (j = 0; j < 8; j++)
1086 (void) printf("%3d", t[i * 8 + j]);
1087 (void) printf("\n");
1089 (void) printf("\n");
projects / postgresql / blob