1 /* $NetBSD: crypt.c,v 1.18 2001/03/01 14:37:35 wiz Exp $ */
4 * Copyright (c) 1989, 1993
5 * The Regents of the University of California. All rights reserved.
7 * This code is derived from software contributed to Berkeley by
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 * 3. All advertising materials mentioning features or use of this software
19 * must display the following acknowledgement:
20 * This product includes software developed by the University of
21 * California, Berkeley and its contributors.
22 * 4. Neither the name of the University nor the names of its contributors
23 * may be used to endorse or promote products derived from this software
24 * without specific prior written permission.
26 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
27 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
28 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
29 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
30 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
31 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
32 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
33 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
34 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
35 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
39 #if defined(LIBC_SCCS) && !defined(lint)
41 static char sccsid[] = "@(#)crypt.c 8.1.1.1 (Berkeley) 8/18/93";
43 __RCSID("$NetBSD: crypt.c,v 1.18 2001/03/01 14:37:35 wiz Exp $");
47 #include "pg_config.h"
50 #include <sys/types.h>
59 * UNIX password, and DES, encryption.
60 * By Tom Truscott, trt@rti.rti.org,
61 * from algorithms by Robert W. Baldwin and James Gillogly.
64 * "Mathematical Cryptology for Computer Scientists and Mathematicians,"
65 * by Wayne Patterson, 1987, ISBN 0-8476-7438-X.
67 * "Password Security: A Case History," R. Morris and Ken Thompson,
68 * Communications of the ACM, vol. 22, pp. 594-597, Nov. 1979.
70 * "DES will be Totally Insecure within Ten Years," M.E. Hellman,
71 * IEEE Spectrum, vol. 16, pp. 32-39, July 1979.
74 /* ===== Configuration ==================== */
77 * define "MUST_ALIGN" if your compiler cannot load/store
78 * long integers at arbitrary (e.g. odd) memory locations.
79 * (Either that or never pass unaligned addresses to des_cipher!)
81 /* #define MUST_ALIGN */
85 #error C_block structure assumes 8 bit characters
90 * define "B64" to be the declaration for a 64 bit integer.
91 * XXX this feature is currently unused, see "endian" comment below.
96 * define "LARGEDATA" to get faster permutations, by using about 72 kilobytes
97 * of lookup tables. This speeds up des_setkey() and des_cipher(), but has
98 * little effect on crypt().
100 /* #define LARGEDATA */
102 /* compile with "-DSTATIC=void" when profiling */
104 #define STATIC static void
108 * Define the "int32_t" type for integral type with a width of at least
113 /* ==================================== */
115 #define _PASSWORD_EFMT1 '_' /* extended encryption format */
118 * Cipher-block representation (Bob Baldwin):
120 * DES operates on groups of 64 bits, numbered 1..64 (sigh). One
121 * representation is to store one bit per byte in an array of bytes. Bit N of
122 * the NBS spec is stored as the LSB of the Nth byte (index N-1) in the array.
123 * Another representation stores the 64 bits in 8 bytes, with bits 1..8 in the
124 * first byte, 9..16 in the second, and so on. The DES spec apparently has
125 * bit 1 in the MSB of the first byte, but that is particularly noxious so we
126 * bit-reverse each byte so that bit 1 is the LSB of the first byte, bit 8 is
127 * the MSB of the first byte. Specifically, the 64-bit input data and key are
128 * converted to LSB format, and the output 64-bit block is converted back into
131 * DES operates internally on groups of 32 bits which are expanded to 48 bits
132 * by permutation E and shrunk back to 32 bits by the S boxes. To speed up
133 * the computation, the expansion is applied only once, the expanded
134 * representation is maintained during the encryption, and a compression
135 * permutation is applied only at the end. To speed up the S-box lookups,
136 * the 48 bits are maintained as eight 6 bit groups, one per byte, which
137 * directly feed the eight S-boxes. Within each byte, the 6 bits are the
138 * most significant ones. The low two bits of each byte are zero. (Thus,
139 * bit 1 of the 48 bit E expansion is stored as the "4"-valued bit of the
140 * first byte in the eight byte representation, bit 2 of the 48 bit value is
141 * the "8"-valued bit, and so on.) In fact, a combined "SPE"-box lookup is
142 * used, in which the output is the 64 bit result of an S-box lookup which
143 * has been permuted by P and expanded by E, and is ready for use in the next
144 * iteration. Two 32-bit wide tables, SPE[0] and SPE[1], are used for this
145 * lookup. Since each byte in the 48 bit path is a multiple of four, indexed
146 * lookup of SPE[0] and SPE[1] is simple and fast. The key schedule and
147 * "salt" are also converted to this 8*(6+2) format. The SPE table size is
150 * To speed up bit-parallel operations (such as XOR), the 8 byte
151 * representation is "union"ed with 32 bit values "i0" and "i1", and, on
152 * machines which support it, a 64 bit value "b64". This data structure,
153 * "C_block", has two problems. First, alignment restrictions must be
154 * honored. Second, the byte-order (e.g. little-endian or big-endian) of
155 * the architecture becomes visible.
157 * The byte-order problem is unfortunate, since on the one hand it is good
158 * to have a machine-independent C_block representation (bits 1..8 in the
159 * first byte, etc.), and on the other hand it is good for the LSB of the
160 * first byte to be the LSB of i0. We cannot have both these things, so we
161 * currently use the "little-endian" representation and avoid any multi-byte
162 * operations that depend on byte order. This largely precludes use of the
163 * 64-bit datatype since the relative order of i0 and i1 are unknown. It
164 * also inhibits grouping the SPE table to look up 12 bits at a time. (The
165 * 12 bits can be stored in a 16-bit field with 3 low-order zeroes and 1
166 * high-order zero, providing fast indexing into a 64-bit wide SPE.) On the
167 * other hand, 64-bit datatypes are currently rare, and a 12-bit SPE lookup
168 * requires a 128 kilobyte table, so perhaps this is not a big loss.
170 * Permutation representation (Jim Gillogly):
172 * A transformation is defined by its effect on each of the 8 bytes of the
173 * 64-bit input. For each byte we give a 64-bit output that has the bits in
174 * the input distributed appropriately. The transformation is then the OR
175 * of the 8 sets of 64-bits. This uses 8*256*8 = 16K bytes of storage for
176 * each transformation. Unless LARGEDATA is defined, however, a more compact
177 * table is used which looks up 16 4-bit "chunks" rather than 8 8-bit chunks.
178 * The smaller table uses 16*16*8 = 2K bytes for each transformation. This
179 * is slower but tolerable, particularly for password encryption in which
180 * the SPE transformation is iterated many times. The small tables total 9K
181 * bytes, the large tables total 72K bytes.
183 * The transformations used are:
184 * IE3264: MSB->LSB conversion, initial permutation, and expansion.
185 * This is done by collecting the 32 even-numbered bits and applying
186 * a 32->64 bit transformation, and then collecting the 32 odd-numbered
187 * bits and applying the same transformation. Since there are only
188 * 32 input bits, the IE3264 transformation table is half the size of
190 * CF6464: Compression, final permutation, and LSB->MSB conversion.
191 * This is done by two trivial 48->32 bit compressions to obtain
192 * a 64-bit block (the bit numbering is given in the "CIFP" table)
193 * followed by a 64->64 bit "cleanup" transformation. (It would
194 * be possible to group the bits in the 64-bit block so that 2
195 * identical 32->32 bit transformations could be used instead,
196 * saving a factor of 4 in space and possibly 2 in time, but
197 * byte-ordering and other complications rear their ugly head.
198 * Similar opportunities/problems arise in the key schedule
200 * PC1ROT: MSB->LSB, PC1 permutation, rotate, and PC2 permutation.
201 * This admittedly baroque 64->64 bit transformation is used to
202 * produce the first code (in 8*(6+2) format) of the key schedule.
203 * PC2ROT[0]: Inverse PC2 permutation, rotate, and PC2 permutation.
204 * It would be possible to define 15 more transformations, each
205 * with a different rotation, to generate the entire key schedule.
206 * To save space, however, we instead permute each code into the
207 * next by using a transformation that "undoes" the PC2 permutation,
208 * rotates the code, and then applies PC2. Unfortunately, PC2
209 * transforms 56 bits into 48 bits, dropping 8 bits, so PC2 is not
210 * invertible. We get around that problem by using a modified PC2
211 * which retains the 8 otherwise-lost bits in the unused low-order
212 * bits of each byte. The low-order bits are cleared when the
213 * codes are stored into the key schedule.
214 * PC2ROT[1]: Same as PC2ROT[0], but with two rotations.
215 * This is faster than applying PC2ROT[0] twice,
217 * The Bell Labs "salt" (Bob Baldwin):
219 * The salting is a simple permutation applied to the 48-bit result of E.
220 * Specifically, if bit i (1 <= i <= 24) of the salt is set then bits i and
221 * i+24 of the result are swapped. The salt is thus a 24 bit number, with
222 * 16777216 possible values. (The original salt was 12 bits and could not
223 * swap bits 13..24 with 36..48.)
225 * It is possible, but ugly, to warp the SPE table to account for the salt
226 * permutation. Fortunately, the conditional bit swapping requires only
227 * about four machine instructions and can be done on-the-fly with about an
228 * 8% performance penalty.
243 * Convert twenty-four-bit long in host-order
244 * to six bits (and 2 low-order zeroes) per char little-endian format.
246 #define TO_SIX_BIT(rslt, src) { \
248 cvt.b[0] = src; src >>= 6; \
249 cvt.b[1] = src; src >>= 6; \
250 cvt.b[2] = src; src >>= 6; \
252 rslt = (cvt.b32.i0 & 0x3f3f3f3fL) << 2; \
256 * These macros may someday permit efficient use of 64-bit integers.
258 #define ZERO(d,d0,d1) d0 = 0, d1 = 0
259 #define LOAD(d,d0,d1,bl) d0 = (bl).b32.i0, d1 = (bl).b32.i1
260 #define LOADREG(d,d0,d1,s,s0,s1) d0 = s0, d1 = s1
261 #define OR(d,d0,d1,bl) d0 |= (bl).b32.i0, d1 |= (bl).b32.i1
262 #define STORE(s,s0,s1,bl) (bl).b32.i0 = s0, (bl).b32.i1 = s1
263 #define DCL_BLOCK(d,d0,d1) int32_t d0, d1
265 #if defined(LARGEDATA)
266 /* Waste memory like crazy. Also, do permutations in line */
267 #define LGCHUNKBITS 3
268 #define CHUNKBITS (1<<LGCHUNKBITS)
269 #define PERM6464(d,d0,d1,cpp,p) \
270 LOAD(d,d0,d1,(p)[(0<<CHUNKBITS)+(cpp)[0]]); \
271 OR (d,d0,d1,(p)[(1<<CHUNKBITS)+(cpp)[1]]); \
272 OR (d,d0,d1,(p)[(2<<CHUNKBITS)+(cpp)[2]]); \
273 OR (d,d0,d1,(p)[(3<<CHUNKBITS)+(cpp)[3]]); \
274 OR (d,d0,d1,(p)[(4<<CHUNKBITS)+(cpp)[4]]); \
275 OR (d,d0,d1,(p)[(5<<CHUNKBITS)+(cpp)[5]]); \
276 OR (d,d0,d1,(p)[(6<<CHUNKBITS)+(cpp)[6]]); \
277 OR (d,d0,d1,(p)[(7<<CHUNKBITS)+(cpp)[7]]);
278 #define PERM3264(d,d0,d1,cpp,p) \
279 LOAD(d,d0,d1,(p)[(0<<CHUNKBITS)+(cpp)[0]]); \
280 OR (d,d0,d1,(p)[(1<<CHUNKBITS)+(cpp)[1]]); \
281 OR (d,d0,d1,(p)[(2<<CHUNKBITS)+(cpp)[2]]); \
282 OR (d,d0,d1,(p)[(3<<CHUNKBITS)+(cpp)[3]]);
285 #define LGCHUNKBITS 2
286 #define CHUNKBITS (1<<LGCHUNKBITS)
287 #define PERM6464(d,d0,d1,cpp,p) \
288 { C_block tblk; permute(cpp,&tblk,p,8); LOAD (d,d0,d1,tblk); }
289 #define PERM3264(d,d0,d1,cpp,p) \
290 { C_block tblk; permute(cpp,&tblk,p,4); LOAD (d,d0,d1,tblk); }
291 #endif /* LARGEDATA */
293 STATIC init_des(void);
294 STATIC init_perm(C_block [64/CHUNKBITS][1<<CHUNKBITS], unsigned char [64], int, int);
296 STATIC permute(unsigned char *, C_block *, C_block *, int);
299 STATIC prtab(char *, unsigned char *, int);
305 permute(cp, out, p, chars_in)
318 tp = &p[t&0xf]; OR(D,D0,D1,*tp); p += (1<<CHUNKBITS);
319 tp = &p[t>>4]; OR(D,D0,D1,*tp); p += (1<<CHUNKBITS);
320 } while (--chars_in > 0);
323 #endif /* LARGEDATA */
326 /* ===== (mostly) Standard DES Tables ==================== */
328 static unsigned char IP[] = { /* initial permutation */
329 58, 50, 42, 34, 26, 18, 10, 2,
330 60, 52, 44, 36, 28, 20, 12, 4,
331 62, 54, 46, 38, 30, 22, 14, 6,
332 64, 56, 48, 40, 32, 24, 16, 8,
333 57, 49, 41, 33, 25, 17, 9, 1,
334 59, 51, 43, 35, 27, 19, 11, 3,
335 61, 53, 45, 37, 29, 21, 13, 5,
336 63, 55, 47, 39, 31, 23, 15, 7,
339 /* The final permutation is the inverse of IP - no table is necessary */
341 static unsigned char ExpandTr[] = { /* expansion operation */
344 8, 9, 10, 11, 12, 13,
345 12, 13, 14, 15, 16, 17,
346 16, 17, 18, 19, 20, 21,
347 20, 21, 22, 23, 24, 25,
348 24, 25, 26, 27, 28, 29,
349 28, 29, 30, 31, 32, 1,
352 static unsigned char PC1[] = { /* permuted choice table 1 */
353 57, 49, 41, 33, 25, 17, 9,
354 1, 58, 50, 42, 34, 26, 18,
355 10, 2, 59, 51, 43, 35, 27,
356 19, 11, 3, 60, 52, 44, 36,
358 63, 55, 47, 39, 31, 23, 15,
359 7, 62, 54, 46, 38, 30, 22,
360 14, 6, 61, 53, 45, 37, 29,
361 21, 13, 5, 28, 20, 12, 4,
364 static unsigned char Rotates[] = { /* PC1 rotation schedule */
365 1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1,
368 /* note: each "row" of PC2 is left-padded with bits that make it invertible */
369 static unsigned char PC2[] = { /* permuted choice table 2 */
370 9, 18, 14, 17, 11, 24, 1, 5,
371 22, 25, 3, 28, 15, 6, 21, 10,
372 35, 38, 23, 19, 12, 4, 26, 8,
373 43, 54, 16, 7, 27, 20, 13, 2,
375 0, 0, 41, 52, 31, 37, 47, 55,
376 0, 0, 30, 40, 51, 45, 33, 48,
377 0, 0, 44, 49, 39, 56, 34, 53,
378 0, 0, 46, 42, 50, 36, 29, 32,
381 static unsigned char S[8][64] = { /* 48->32 bit substitution tables */
383 { 14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7,
384 0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8,
385 4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0,
386 15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13 },
388 { 15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10,
389 3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5,
390 0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15,
391 13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9 },
393 { 10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8,
394 13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1,
395 13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7,
396 1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12 },
398 { 7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15,
399 13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9,
400 10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4,
401 3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14 },
403 { 2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9,
404 14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6,
405 4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14,
406 11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3 },
408 { 12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11,
409 10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8,
410 9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6,
411 4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13 },
413 { 4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1,
414 13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6,
415 1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2,
416 6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12 },
418 { 13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7,
419 1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2,
420 7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8,
421 2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11 }
424 static unsigned char P32Tr[] = { /* 32-bit permutation function */
435 static unsigned char CIFP[] = { /* compressed/interleaved permutation */
436 1, 2, 3, 4, 17, 18, 19, 20,
437 5, 6, 7, 8, 21, 22, 23, 24,
438 9, 10, 11, 12, 25, 26, 27, 28,
439 13, 14, 15, 16, 29, 30, 31, 32,
441 33, 34, 35, 36, 49, 50, 51, 52,
442 37, 38, 39, 40, 53, 54, 55, 56,
443 41, 42, 43, 44, 57, 58, 59, 60,
444 45, 46, 47, 48, 61, 62, 63, 64,
447 static unsigned char itoa64[] = /* 0..63 => ascii-64 */
448 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
451 /* ===== Tables that are initialized at run time ==================== */
454 static unsigned char a64toi[128]; /* ascii-64 => 0..63 */
456 /* Initial key schedule permutation */
457 static C_block PC1ROT[64/CHUNKBITS][1<<CHUNKBITS];
459 /* Subsequent key schedule rotation permutations */
460 static C_block PC2ROT[2][64/CHUNKBITS][1<<CHUNKBITS];
462 /* Initial permutation/expansion table */
463 static C_block IE3264[32/CHUNKBITS][1<<CHUNKBITS];
465 /* Table that combines the S, P, and E operations. */
466 static int32_t SPE[2][8][64];
468 /* compressed/interleaved => final permutation table */
469 static C_block CF6464[64/CHUNKBITS][1<<CHUNKBITS];
472 /* ==================================== */
475 static C_block constdatablock; /* encryption constant */
477 static char cryptresult[1+4+4+11+1]; /* encrypted result */
479 extern char *__md5crypt(const char *, const char *); /* XXX */
480 extern char *__bcrypt(const char *, const char *); /* XXX */
484 * Return a pointer to static data consisting of the "setting"
485 * followed by an encryption produced by the "key" and "setting".
496 int num_iter, salt_size;
497 C_block keyblock, rsltblock;
500 /* Non-DES encryption schemes hook in here. */
501 if (setting[0] == _PASSWORD_NONDES) {
502 switch (setting[1]) {
504 return (__bcrypt(key, setting));
507 return (__md5crypt(key, setting));
512 for (i = 0; i < 8; i++) {
513 if ((t = 2*(unsigned char)(*key)) != 0)
517 if (des_setkey((char *)keyblock.b)) /* also initializes "a64toi" */
520 encp = &cryptresult[0];
522 case _PASSWORD_EFMT1:
524 * Involve the rest of the password 8 characters at a time.
527 if (des_cipher((char *)(void *)&keyblock,
528 (char *)(void *)&keyblock, 0L, 1))
530 for (i = 0; i < 8; i++) {
531 if ((t = 2*(unsigned char)(*key)) != 0)
535 if (des_setkey((char *)keyblock.b))
539 *encp++ = *setting++;
541 /* get iteration count */
543 for (i = 4; --i >= 0; ) {
544 if ((t = (unsigned char)setting[i]) == '\0')
547 num_iter = (num_iter<<6) | a64toi[t];
559 for (i = salt_size; --i >= 0; ) {
560 if ((t = (unsigned char)setting[i]) == '\0')
563 salt = (salt<<6) | a64toi[t];
566 if (des_cipher((char *)(void *)&constdatablock,
567 (char *)(void *)&rsltblock, salt, num_iter))
571 * Encode the 64 cipher bits as 11 ascii characters.
573 i = ((int32_t)((rsltblock.b[0]<<8) | rsltblock.b[1])<<8) |
575 encp[3] = itoa64[i&0x3f]; i >>= 6;
576 encp[2] = itoa64[i&0x3f]; i >>= 6;
577 encp[1] = itoa64[i&0x3f]; i >>= 6;
578 encp[0] = itoa64[i]; encp += 4;
579 i = ((int32_t)((rsltblock.b[3]<<8) | rsltblock.b[4])<<8) |
581 encp[3] = itoa64[i&0x3f]; i >>= 6;
582 encp[2] = itoa64[i&0x3f]; i >>= 6;
583 encp[1] = itoa64[i&0x3f]; i >>= 6;
584 encp[0] = itoa64[i]; encp += 4;
585 i = ((int32_t)((rsltblock.b[6])<<8) | rsltblock.b[7])<<2;
586 encp[2] = itoa64[i&0x3f]; i >>= 6;
587 encp[1] = itoa64[i&0x3f]; i >>= 6;
592 return (cryptresult);
597 * The Key Schedule, filled in by des_setkey() or setkey().
600 static C_block KS[KS_SIZE];
602 static volatile int des_ready = 0;
605 * Set up the key schedule from the key.
611 DCL_BLOCK(K, K0, K1);
618 PERM6464(K,K0,K1,(unsigned char *)key,(C_block *)PC1ROT);
619 key = (char *)&KS[0];
620 STORE(K&~0x03030303L, K0&~0x03030303L, K1, *(C_block *)key);
621 for (i = 1; i < 16; i++) {
622 key += sizeof(C_block);
623 STORE(K,K0,K1,*(C_block *)key);
624 ptabp = (C_block *)PC2ROT[Rotates[i]-1];
625 PERM6464(K,K0,K1,(unsigned char *)key,ptabp);
626 STORE(K&~0x03030303L, K0&~0x03030303L, K1, *(C_block *)key);
632 * Encrypt (or decrypt if num_iter < 0) the 8 chars at "in" with abs(num_iter)
633 * iterations of DES, using the given 24-bit salt and the pre-computed key
634 * schedule, and store the resulting 8 chars at "out" (in == out is permitted).
636 * NOTE: the performance of this routine is critically dependent on your
637 * compiler and machine architecture.
640 des_cipher(in, out, salt, num_iter)
646 /* variables that we want in registers, most important first */
650 int32_t L0, L1, R0, R1, k;
652 int ks_inc, loop_count;
656 TO_SIX_BIT(salt, L0); /* convert to 4*(6+2) format */
658 #if defined(__vax__) || defined(pdp11)
659 salt = ~salt; /* "x &~ y" is faster than "x & y". */
665 #if defined(MUST_ALIGN)
666 B.b[0] = in[0]; B.b[1] = in[1]; B.b[2] = in[2]; B.b[3] = in[3];
667 B.b[4] = in[4]; B.b[5] = in[5]; B.b[6] = in[6]; B.b[7] = in[7];
670 LOAD(L,L0,L1,*(C_block *)in);
672 LOADREG(R,R0,R1,L,L0,L1);
675 L0 = (L0 << 1) | L1; /* L0 is the even-numbered input bits */
677 R1 = (R1 >> 1) & 0x55555555L;
678 L1 = R0 | R1; /* L1 is the odd-numbered input bits */
680 PERM3264(L,L0,L1,B.b, (C_block *)IE3264); /* even bits */
681 PERM3264(R,R0,R1,B.b+4,(C_block *)IE3264); /* odd bits */
686 ks_inc = sizeof(*kp);
690 num_iter = -num_iter;
692 ks_inc = -(long)sizeof(*kp);
695 while (--num_iter >= 0) {
699 #define SPTAB(t, i) \
700 (*(int32_t *)((unsigned char *)t + i*(sizeof(int32_t)/4)))
702 /* use this if B.b[i] is evaluated just once ... */
703 #define DOXOR(x,y,i) x^=SPTAB(SPE[0][i],B.b[i]); y^=SPTAB(SPE[1][i],B.b[i]);
706 /* use this if your "long" int indexing is slow */
707 #define DOXOR(x,y,i) j=B.b[i]; x^=SPTAB(SPE[0][i],j); y^=SPTAB(SPE[1][i],j);
709 /* use this if "k" is allocated to a register ... */
710 #define DOXOR(x,y,i) k=B.b[i]; x^=SPTAB(SPE[0][i],k); y^=SPTAB(SPE[1][i],k);
714 #define CRUNCH(p0, p1, q0, q1) \
715 k = (q0 ^ q1) & SALT; \
716 B.b32.i0 = k ^ q0 ^ kp->b32.i0; \
717 B.b32.i1 = k ^ q1 ^ kp->b32.i1; \
718 kp = (C_block *)((char *)kp+ks_inc); \
729 CRUNCH(L0, L1, R0, R1);
730 CRUNCH(R0, R1, L0, L1);
731 } while (--loop_count != 0);
732 kp = (C_block *)((char *)kp-(ks_inc*KS_SIZE));
741 /* store the encrypted (or decrypted) result */
742 L0 = ((L0 >> 3) & 0x0f0f0f0fL) | ((L1 << 1) & 0xf0f0f0f0L);
743 L1 = ((R0 >> 3) & 0x0f0f0f0fL) | ((R1 << 1) & 0xf0f0f0f0L);
745 PERM6464(L,L0,L1,B.b, (C_block *)CF6464);
746 #if defined(MUST_ALIGN)
748 out[0] = B.b[0]; out[1] = B.b[1]; out[2] = B.b[2]; out[3] = B.b[3];
749 out[4] = B.b[4]; out[5] = B.b[5]; out[6] = B.b[6]; out[7] = B.b[7];
751 STORE(L,L0,L1,*(C_block *)out);
758 * Initialize various tables. This need only be done once. It could even be
759 * done at compile time, if the compiler were capable of that sort of thing.
767 static unsigned char perm[64], tmp32[32]; /* "static" for speed */
768 static volatile long init_start = 0;
770 if (InterlockedCompareExchange((PVOID *)&init_start,
771 (PVOID)1, (PVOID)0) == (PVOID)1)
779 * table that converts chars "./0-9A-Za-z"to integers 0-63.
781 for (i = 0; i < 64; i++)
782 a64toi[itoa64[i]] = i;
785 * PC1ROT - bit reverse, then PC1, then Rotate, then PC2.
787 for (i = 0; i < 64; i++)
789 for (i = 0; i < 64; i++) {
790 if ((k = PC2[i]) == 0)
793 if ((k%28) < Rotates[0]) k -= 28;
803 prtab("pc1tab", perm, 8);
805 init_perm(PC1ROT, perm, 8, 8);
808 * PC2ROT - PC2 inverse, then Rotate (once or twice), then PC2.
810 for (j = 0; j < 2; j++) {
811 unsigned char pc2inv[64];
812 for (i = 0; i < 64; i++)
813 perm[i] = pc2inv[i] = 0;
814 for (i = 0; i < 64; i++) {
815 if ((k = PC2[i]) == 0)
819 for (i = 0; i < 64; i++) {
820 if ((k = PC2[i]) == 0)
823 if ((k%28) <= j) k -= 28;
827 prtab("pc2tab", perm, 8);
829 init_perm(PC2ROT[j], perm, 8, 8);
833 * Bit reverse, then initial permutation, then expansion.
835 for (i = 0; i < 8; i++) {
836 for (j = 0; j < 8; j++) {
837 k = (j < 2)? 0: IP[ExpandTr[i*6+j-2]-1];
851 prtab("ietab", perm, 8);
853 init_perm(IE3264, perm, 4, 8);
856 * Compression, then final permutation, then bit reverse.
858 for (i = 0; i < 64; i++) {
868 prtab("cftab", perm, 8);
870 init_perm(CF6464, perm, 8, 8);
875 for (i = 0; i < 48; i++)
876 perm[i] = P32Tr[ExpandTr[i]-1];
877 for (tableno = 0; tableno < 8; tableno++) {
878 for (j = 0; j < 64; j++) {
879 k = (((j >> 0) &01) << 5)|
880 (((j >> 1) &01) << 3)|
881 (((j >> 2) &01) << 2)|
882 (((j >> 3) &01) << 1)|
883 (((j >> 4) &01) << 0)|
884 (((j >> 5) &01) << 4);
886 k = (((k >> 3)&01) << 0)|
887 (((k >> 2)&01) << 1)|
888 (((k >> 1)&01) << 2)|
889 (((k >> 0)&01) << 3);
890 for (i = 0; i < 32; i++)
892 for (i = 0; i < 4; i++)
893 tmp32[4 * tableno + i] = (k >> i) & 01;
895 for (i = 24; --i >= 0; )
896 k = (k<<1) | tmp32[perm[i]-1];
897 TO_SIX_BIT(SPE[0][tableno][j], k);
899 for (i = 24; --i >= 0; )
900 k = (k<<1) | tmp32[perm[i+24]-1];
901 TO_SIX_BIT(SPE[1][tableno][j], k);
909 * Initialize "perm" to represent transformation "p", which rearranges
910 * (perhaps with expansion and/or contraction) one packed array of bits
911 * (of size "chars_in" characters) into another array (of size "chars_out"
914 * "perm" must be all-zeroes on entry to this routine.
917 init_perm(perm, p, chars_in, chars_out)
918 C_block perm[64/CHUNKBITS][1<<CHUNKBITS];
920 int chars_in, chars_out;
924 for (k = 0; k < chars_out*8; k++) { /* each output bit position */
925 l = p[k] - 1; /* where this bit comes from */
927 continue; /* output bit is always 0 */
928 i = l>>LGCHUNKBITS; /* which chunk this bit comes from */
929 l = 1<<(l&(CHUNKBITS-1)); /* mask for this bit */
930 for (j = 0; j < (1<<CHUNKBITS); j++) { /* each chunk value */
932 perm[i][j].b[k>>3] |= 1<<(k&07);
938 * "setkey" routine (for backwards compatibility)
947 for (i = 0; i < 8; i++) {
949 for (j = 0; j < 8; j++) {
951 k |= (unsigned char)*key++;
955 return (des_setkey((char *)keyblock.b));
959 * "encrypt" routine (for backwards compatibility)
969 for (i = 0; i < 8; i++) {
971 for (j = 0; j < 8; j++) {
973 k |= (unsigned char)*block++;
977 if (des_cipher((char *)&cblock, (char *)&cblock, 0L, (flag ? -1: 1)))
979 for (i = 7; i >= 0; i--) {
981 for (j = 7; j >= 0; j--) {
991 prtab(s, t, num_rows)
998 (void)printf("%s:\n", s);
999 for (i = 0; i < num_rows; i++) {
1000 for (j = 0; j < 8; j++) {
1001 (void)printf("%3d", t[i*8+j]);
projects / postgresql / blob