summaryrefslogtreecommitdiff
path: root/src/lib/libc/crypt
diff options
context:
space:
mode:
authortedu <>2015-04-06 20:49:41 +0000
committertedu <>2015-04-06 20:49:41 +0000
commit5bc886238be15ae40e7b95f920d80bf191b2ae70 (patch)
tree170d8b968a1dd9fe1c63ae235ab3fc93e874d5c2 /src/lib/libc/crypt
parent624f175c4f67570150d01364c1e08bdbeeb38eb9 (diff)
downloadopenbsd-5bc886238be15ae40e7b95f920d80bf191b2ae70.tar.gz
openbsd-5bc886238be15ae40e7b95f920d80bf191b2ae70.tar.bz2
openbsd-5bc886238be15ae40e7b95f920d80bf191b2ae70.zip
bludgeon DES support out of crypt. long live the bcrypt.
Diffstat (limited to 'src/lib/libc/crypt')
-rw-r--r--src/lib/libc/crypt/crypt.387
-rw-r--r--src/lib/libc/crypt/crypt.c683
2 files changed, 9 insertions, 761 deletions
diff --git a/src/lib/libc/crypt/crypt.3 b/src/lib/libc/crypt/crypt.3
index f6373c5125..c8ebf9861d 100644
--- a/src/lib/libc/crypt/crypt.3
+++ b/src/lib/libc/crypt/crypt.3
@@ -1,4 +1,4 @@
1.\" $OpenBSD: crypt.3,v 1.44 2014/12/08 20:46:04 tedu Exp $ 1.\" $OpenBSD: crypt.3,v 1.45 2015/04/06 20:49:41 tedu Exp $
2.\" 2.\"
3.\" FreeSec: libcrypt 3.\" FreeSec: libcrypt
4.\" 4.\"
@@ -31,7 +31,7 @@
31.\" 31.\"
32.\" Manual page, using -mandoc macros 32.\" Manual page, using -mandoc macros
33.\" 33.\"
34.Dd $Mdocdate: December 8 2014 $ 34.Dd $Mdocdate: April 6 2015 $
35.Dt CRYPT 3 35.Dt CRYPT 3
36.Os 36.Os
37.Sh NAME 37.Sh NAME
@@ -58,8 +58,7 @@ and
58.Pp 58.Pp
59The 59The
60.Fn crypt 60.Fn crypt
61function performs password hashing based on the 61function performs password hashing.
62NBS Data Encryption Standard (DES).
63Additional code has been added to deter key search attempts and to use 62Additional code has been added to deter key search attempts and to use
64stronger hashing algorithms. 63stronger hashing algorithms.
65.Pp 64.Pp
@@ -71,15 +70,7 @@ string
71typically a user's typed password. 70typically a user's typed password.
72The second, 71The second,
73.Fa setting , 72.Fa setting ,
74is in one of three forms: 73currently supports a single form.
75if it begins with an underscore
76.Pq Ql _
77then an extended format is used
78in interpreting both the
79.Fa key
80and the
81.Fa setting ,
82as outlined below.
83If it begins 74If it begins
84with a string character 75with a string character
85.Pq Ql $ 76.Pq Ql $
@@ -87,28 +78,6 @@ and a number then a different algorithm is used depending on the number.
87At the moment 78At the moment
88.Ql $2 79.Ql $2
89chooses Blowfish hashing; see below for more information. 80chooses Blowfish hashing; see below for more information.
90.Ss Extended crypt
91The
92.Fa key
93is divided into groups of 8 characters (the last group is null-padded)
94and the low-order 7 bits of each character (56 bits per group) are
95used to form the DES key as follows:
96the first group of 56 bits becomes the initial DES key.
97For each additional group, the XOR of the encryption of the current DES
98key with itself and the group bits becomes the next DES key.
99.Pp
100The
101.Fa setting
102is a 9-character array consisting of an underscore followed
103by 4 bytes of iteration count and 4 bytes of salt.
104These are encoded as printable characters, 6 bits per character,
105least significant character first.
106The values 0 to 63 are encoded as
107.Dq \&./0-9A-Za-z .
108This allows 24 bits for both
109.Fa count
110and
111.Fa salt .
112.Ss Blowfish crypt 81.Ss Blowfish crypt
113The Blowfish version of crypt has 128 bits of 82The Blowfish version of crypt has 128 bits of
114.Fa salt 83.Fa salt
@@ -141,42 +110,6 @@ A valid Blowfish password looks like this:
141The whole Blowfish password string is passed as 110The whole Blowfish password string is passed as
142.Fa setting 111.Fa setting
143for interpretation. 112for interpretation.
144.Ss Traditional crypt
145The first 8 bytes of the
146.Fa key
147are null-padded, and the low-order 7 bits of
148each character is used to form the 56-bit DES key.
149.Pp
150The
151.Fa setting
152is a 2-character array of the ASCII-encoded salt.
153Thus only 12 bits of
154.Fa salt
155are used.
156.Fa count
157is set to 25.
158.Ss DES Algorithm
159The
160.Fa salt
161introduces disorder in the DES
162algorithm in one of 16777216 or 4096 possible ways
163(i.e., with 24 or 12 bits: if bit
164.Em i
165of the
166.Fa salt
167is set, then bits
168.Em i
169and
170.Em i+24
171are swapped in the DES E-box output).
172.Pp
173The DES key is used to encrypt a 64-bit constant using
174.Fa count
175iterations of DES.
176The value returned is a NUL-terminated
177string, 20 or 13 bytes (plus NUL) in length, consisting of the
178.Fa setting
179followed by the encoded 64-bit encryption.
180.Sh RETURN VALUES 113.Sh RETURN VALUES
181The function 114The function
182.Fn crypt 115.Fn crypt
@@ -196,20 +129,16 @@ A rotor-based
196.Fn crypt 129.Fn crypt
197function appeared in 130function appeared in
198.At v3 . 131.At v3 .
199The current style 132A DES-based
200.Fn crypt 133.Fn crypt
201first appeared in 134first appeared in
202.At v7 . 135.At v7 .
203.Sh AUTHORS 136.Fn bcrypt
204.An David Burren Aq Mt davidb@werj.com.au 137first appeared in
205wrote the original DES functions. 138.Ox 2.1 .
206.Sh BUGS 139.Sh BUGS
207The 140The
208.Fn crypt 141.Fn crypt
209function returns a pointer to static data, and subsequent calls to 142function returns a pointer to static data, and subsequent calls to
210.Fn crypt 143.Fn crypt
211will modify the same object. 144will modify the same object.
212.Pp
213With DES hashing, passwords containing the byte 0x80 use less key entropy
214than other passwords.
215This is an implementation bug, not a bug in the DES cipher.
diff --git a/src/lib/libc/crypt/crypt.c b/src/lib/libc/crypt/crypt.c
index 7d21d4fbc3..c61f360a59 100644
--- a/src/lib/libc/crypt/crypt.c
+++ b/src/lib/libc/crypt/crypt.c
@@ -1,686 +1,10 @@
1/* $OpenBSD: crypt.c,v 1.26 2015/01/16 16:48:51 deraadt Exp $ */ 1/* $OpenBSD: crypt.c,v 1.27 2015/04/06 20:49:41 tedu Exp $ */
2 2
3/*
4 * FreeSec: libcrypt
5 *
6 * Copyright (c) 1994 David Burren
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 4. Neither the name of the author nor the names of other contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 *
33 *
34 * This is an original implementation of the DES and the crypt(3) interfaces
35 * by David Burren <davidb@werj.com.au>.
36 *
37 * An excellent reference on the underlying algorithm (and related
38 * algorithms) is:
39 *
40 * B. Schneier, Applied Cryptography: protocols, algorithms,
41 * and source code in C, John Wiley & Sons, 1994.
42 *
43 * Note that in that book's description of DES the lookups for the initial,
44 * pbox, and final permutations are inverted (this has been brought to the
45 * attention of the author). A list of errata for this book has been
46 * posted to the sci.crypt newsgroup by the author and is available for FTP.
47 */
48
49#include <sys/types.h>
50#include <pwd.h> 3#include <pwd.h>
51#include <unistd.h>
52#include <string.h>
53
54#ifdef DEBUG
55# include <stdio.h>
56#endif
57
58static const u_char IP[64] = {
59 58, 50, 42, 34, 26, 18, 10, 2, 60, 52, 44, 36, 28, 20, 12, 4,
60 62, 54, 46, 38, 30, 22, 14, 6, 64, 56, 48, 40, 32, 24, 16, 8,
61 57, 49, 41, 33, 25, 17, 9, 1, 59, 51, 43, 35, 27, 19, 11, 3,
62 61, 53, 45, 37, 29, 21, 13, 5, 63, 55, 47, 39, 31, 23, 15, 7
63};
64
65static u_char inv_key_perm[64];
66static u_char u_key_perm[56];
67static u_char const key_perm[56] = {
68 57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18,
69 10, 2, 59, 51, 43, 35, 27, 19, 11, 3, 60, 52, 44, 36,
70 63, 55, 47, 39, 31, 23, 15, 7, 62, 54, 46, 38, 30, 22,
71 14, 6, 61, 53, 45, 37, 29, 21, 13, 5, 28, 20, 12, 4
72};
73
74static const u_char key_shifts[16] = {
75 1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1
76};
77
78static u_char inv_comp_perm[56];
79static const u_char comp_perm[48] = {
80 14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10,
81 23, 19, 12, 4, 26, 8, 16, 7, 27, 20, 13, 2,
82 41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48,
83 44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32
84};
85
86/*
87 * No E box is used, as it's replaced by some ANDs, shifts, and ORs.
88 */
89
90static u_char u_sbox[8][64];
91static const u_char sbox[8][64] = {
92 {
93 14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7,
94 0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8,
95 4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0,
96 15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13
97 },
98 {
99 15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10,
100 3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5,
101 0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15,
102 13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9
103 },
104 {
105 10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8,
106 13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1,
107 13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7,
108 1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12
109 },
110 {
111 7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15,
112 13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9,
113 10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4,
114 3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14
115 },
116 {
117 2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9,
118 14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6,
119 4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14,
120 11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3
121 },
122 {
123 12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11,
124 10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8,
125 9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6,
126 4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13
127 },
128 {
129 4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1,
130 13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6,
131 1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2,
132 6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12
133 },
134 {
135 13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7,
136 1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2,
137 7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8,
138 2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11
139 }
140};
141
142static u_char un_pbox[32];
143static const u_char pbox[32] = {
144 16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10,
145 2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25
146};
147
148const u_int32_t _des_bits32[32] =
149{
150 0x80000000, 0x40000000, 0x20000000, 0x10000000,
151 0x08000000, 0x04000000, 0x02000000, 0x01000000,
152 0x00800000, 0x00400000, 0x00200000, 0x00100000,
153 0x00080000, 0x00040000, 0x00020000, 0x00010000,
154 0x00008000, 0x00004000, 0x00002000, 0x00001000,
155 0x00000800, 0x00000400, 0x00000200, 0x00000100,
156 0x00000080, 0x00000040, 0x00000020, 0x00000010,
157 0x00000008, 0x00000004, 0x00000002, 0x00000001
158};
159
160static const u_char _des_bits8[8] = { 0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02, 0x01 };
161
162static const u_int32_t *bits28, *bits24;
163static u_char init_perm[64], final_perm[64];
164static u_int32_t en_keysl[16], en_keysr[16];
165static u_int32_t de_keysl[16], de_keysr[16];
166int _des_initialised = 0;
167static u_char m_sbox[4][4096];
168static u_int32_t psbox[4][256];
169static u_int32_t ip_maskl[8][256], ip_maskr[8][256];
170static u_int32_t fp_maskl[8][256], fp_maskr[8][256];
171static u_int32_t key_perm_maskl[8][128], key_perm_maskr[8][128];
172static u_int32_t comp_maskl[8][128], comp_maskr[8][128];
173static u_int32_t old_rawkey0, old_rawkey1;
174
175static u_char ascii64[] =
176 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
177/* 0000000000111111111122222222223333333333444444444455555555556666 */
178/* 0123456789012345678901234567890123456789012345678901234567890123 */
179
180static __inline int
181ascii_to_bin(char ch)
182{
183 if (ch > 'z')
184 return(0);
185 if (ch >= 'a')
186 return(ch - 'a' + 38);
187 if (ch > 'Z')
188 return(0);
189 if (ch >= 'A')
190 return(ch - 'A' + 12);
191 if (ch > '9')
192 return(0);
193 if (ch >= '.')
194 return(ch - '.');
195 return(0);
196}
197
198static void
199_des_init(void)
200{
201 int i, j, b, k, inbit, obit;
202 u_int32_t *p, *il, *ir, *fl, *fr;
203
204 old_rawkey0 = old_rawkey1 = 0;
205 bits24 = (bits28 = _des_bits32 + 4) + 4;
206
207 /*
208 * Invert the S-boxes, reordering the input bits.
209 */
210 for (i = 0; i < 8; i++)
211 for (j = 0; j < 64; j++) {
212 b = (j & 0x20) | ((j & 1) << 4) | ((j >> 1) & 0xf);
213 u_sbox[i][j] = sbox[i][b];
214 }
215
216 /*
217 * Convert the inverted S-boxes into 4 arrays of 8 bits.
218 * Each will handle 12 bits of the S-box input.
219 */
220 for (b = 0; b < 4; b++)
221 for (i = 0; i < 64; i++)
222 for (j = 0; j < 64; j++)
223 m_sbox[b][(i << 6) | j] =
224 (u_sbox[(b << 1)][i] << 4) |
225 u_sbox[(b << 1) + 1][j];
226
227 /*
228 * Set up the initial & final permutations into a useful form, and
229 * initialise the inverted key permutation.
230 */
231 for (i = 0; i < 64; i++) {
232 init_perm[final_perm[i] = IP[i] - 1] = i;
233 inv_key_perm[i] = 255;
234 }
235
236 /*
237 * Invert the key permutation and initialise the inverted key
238 * compression permutation.
239 */
240 for (i = 0; i < 56; i++) {
241 u_key_perm[i] = key_perm[i] - 1;
242 inv_key_perm[key_perm[i] - 1] = i;
243 inv_comp_perm[i] = 255;
244 }
245
246 /*
247 * Invert the key compression permutation.
248 */
249 for (i = 0; i < 48; i++) {
250 inv_comp_perm[comp_perm[i] - 1] = i;
251 }
252
253 /*
254 * Set up the OR-mask arrays for the initial and final permutations,
255 * and for the key initial and compression permutations.
256 */
257 for (k = 0; k < 8; k++) {
258 for (i = 0; i < 256; i++) {
259 *(il = &ip_maskl[k][i]) = 0;
260 *(ir = &ip_maskr[k][i]) = 0;
261 *(fl = &fp_maskl[k][i]) = 0;
262 *(fr = &fp_maskr[k][i]) = 0;
263 for (j = 0; j < 8; j++) {
264 inbit = 8 * k + j;
265 if (i & _des_bits8[j]) {
266 if ((obit = init_perm[inbit]) < 32)
267 *il |= _des_bits32[obit];
268 else
269 *ir |= _des_bits32[obit-32];
270 if ((obit = final_perm[inbit]) < 32)
271 *fl |= _des_bits32[obit];
272 else
273 *fr |= _des_bits32[obit - 32];
274 }
275 }
276 }
277 for (i = 0; i < 128; i++) {
278 *(il = &key_perm_maskl[k][i]) = 0;
279 *(ir = &key_perm_maskr[k][i]) = 0;
280 for (j = 0; j < 7; j++) {
281 inbit = 8 * k + j;
282 if (i & _des_bits8[j + 1]) {
283 if ((obit = inv_key_perm[inbit]) == 255)
284 continue;
285 if (obit < 28)
286 *il |= bits28[obit];
287 else
288 *ir |= bits28[obit - 28];
289 }
290 }
291 *(il = &comp_maskl[k][i]) = 0;
292 *(ir = &comp_maskr[k][i]) = 0;
293 for (j = 0; j < 7; j++) {
294 inbit = 7 * k + j;
295 if (i & _des_bits8[j + 1]) {
296 if ((obit=inv_comp_perm[inbit]) == 255)
297 continue;
298 if (obit < 24)
299 *il |= bits24[obit];
300 else
301 *ir |= bits24[obit - 24];
302 }
303 }
304 }
305 }
306
307 /*
308 * Invert the P-box permutation, and convert into OR-masks for
309 * handling the output of the S-box arrays setup above.
310 */
311 for (i = 0; i < 32; i++)
312 un_pbox[pbox[i] - 1] = i;
313
314 for (b = 0; b < 4; b++)
315 for (i = 0; i < 256; i++) {
316 *(p = &psbox[b][i]) = 0;
317 for (j = 0; j < 8; j++) {
318 if (i & _des_bits8[j])
319 *p |= _des_bits32[un_pbox[8 * b + j]];
320 }
321 }
322
323 _des_initialised = 1;
324}
325
326static u_int32_t
327_des_setup_salt(int32_t salt)
328{
329 u_int32_t obit, saltbit, saltbits;
330 int i;
331
332 saltbits = 0;
333 saltbit = 1;
334 obit = 0x800000;
335 for (i = 0; i < 24; i++) {
336 if (salt & saltbit)
337 saltbits |= obit;
338 saltbit <<= 1;
339 obit >>= 1;
340 }
341 return saltbits;
342}
343
344static int
345des_setkey(const char *key)
346{
347 u_int32_t k0, k1, rawkey0, rawkey1;
348 int shifts, round;
349
350 if (!_des_initialised)
351 _des_init();
352
353 rawkey0 = ntohl(*(u_int32_t *) key);
354 rawkey1 = ntohl(*(u_int32_t *) (key + 4));
355
356 if ((rawkey0 | rawkey1)
357 && rawkey0 == old_rawkey0
358 && rawkey1 == old_rawkey1) {
359 /*
360 * Already setup for this key.
361 * This optimisation fails on a zero key (which is weak and
362 * has bad parity anyway) in order to simplify the starting
363 * conditions.
364 */
365 return(0);
366 }
367 old_rawkey0 = rawkey0;
368 old_rawkey1 = rawkey1;
369
370 /*
371 * Do key permutation and split into two 28-bit subkeys.
372 */
373 k0 = key_perm_maskl[0][rawkey0 >> 25]
374 | key_perm_maskl[1][(rawkey0 >> 17) & 0x7f]
375 | key_perm_maskl[2][(rawkey0 >> 9) & 0x7f]
376 | key_perm_maskl[3][(rawkey0 >> 1) & 0x7f]
377 | key_perm_maskl[4][rawkey1 >> 25]
378 | key_perm_maskl[5][(rawkey1 >> 17) & 0x7f]
379 | key_perm_maskl[6][(rawkey1 >> 9) & 0x7f]
380 | key_perm_maskl[7][(rawkey1 >> 1) & 0x7f];
381 k1 = key_perm_maskr[0][rawkey0 >> 25]
382 | key_perm_maskr[1][(rawkey0 >> 17) & 0x7f]
383 | key_perm_maskr[2][(rawkey0 >> 9) & 0x7f]
384 | key_perm_maskr[3][(rawkey0 >> 1) & 0x7f]
385 | key_perm_maskr[4][rawkey1 >> 25]
386 | key_perm_maskr[5][(rawkey1 >> 17) & 0x7f]
387 | key_perm_maskr[6][(rawkey1 >> 9) & 0x7f]
388 | key_perm_maskr[7][(rawkey1 >> 1) & 0x7f];
389 /*
390 * Rotate subkeys and do compression permutation.
391 */
392 shifts = 0;
393 for (round = 0; round < 16; round++) {
394 u_int32_t t0, t1;
395
396 shifts += key_shifts[round];
397
398 t0 = (k0 << shifts) | (k0 >> (28 - shifts));
399 t1 = (k1 << shifts) | (k1 >> (28 - shifts));
400
401 de_keysl[15 - round] =
402 en_keysl[round] = comp_maskl[0][(t0 >> 21) & 0x7f]
403 | comp_maskl[1][(t0 >> 14) & 0x7f]
404 | comp_maskl[2][(t0 >> 7) & 0x7f]
405 | comp_maskl[3][t0 & 0x7f]
406 | comp_maskl[4][(t1 >> 21) & 0x7f]
407 | comp_maskl[5][(t1 >> 14) & 0x7f]
408 | comp_maskl[6][(t1 >> 7) & 0x7f]
409 | comp_maskl[7][t1 & 0x7f];
410
411 de_keysr[15 - round] =
412 en_keysr[round] = comp_maskr[0][(t0 >> 21) & 0x7f]
413 | comp_maskr[1][(t0 >> 14) & 0x7f]
414 | comp_maskr[2][(t0 >> 7) & 0x7f]
415 | comp_maskr[3][t0 & 0x7f]
416 | comp_maskr[4][(t1 >> 21) & 0x7f]
417 | comp_maskr[5][(t1 >> 14) & 0x7f]
418 | comp_maskr[6][(t1 >> 7) & 0x7f]
419 | comp_maskr[7][t1 & 0x7f];
420 }
421 return(0);
422}
423
424static int
425_des_do_des(u_int32_t l_in, u_int32_t r_in, u_int32_t *l_out, u_int32_t *r_out,
426 int count, u_int32_t saltbits)
427{
428 /*
429 * l_in, r_in, l_out, and r_out are in pseudo-"big-endian" format.
430 */
431 u_int32_t l, r, *kl, *kr, *kl1, *kr1;
432 u_int32_t f, r48l, r48r;
433 int round;
434
435 if (count == 0) {
436 return(1);
437 } else if (count > 0) {
438 /*
439 * Encrypting
440 */
441 kl1 = en_keysl;
442 kr1 = en_keysr;
443 } else {
444 /*
445 * Decrypting
446 */
447 count = -count;
448 kl1 = de_keysl;
449 kr1 = de_keysr;
450 }
451
452 /*
453 * Do initial permutation (IP).
454 */
455 l = ip_maskl[0][l_in >> 24]
456 | ip_maskl[1][(l_in >> 16) & 0xff]
457 | ip_maskl[2][(l_in >> 8) & 0xff]
458 | ip_maskl[3][l_in & 0xff]
459 | ip_maskl[4][r_in >> 24]
460 | ip_maskl[5][(r_in >> 16) & 0xff]
461 | ip_maskl[6][(r_in >> 8) & 0xff]
462 | ip_maskl[7][r_in & 0xff];
463 r = ip_maskr[0][l_in >> 24]
464 | ip_maskr[1][(l_in >> 16) & 0xff]
465 | ip_maskr[2][(l_in >> 8) & 0xff]
466 | ip_maskr[3][l_in & 0xff]
467 | ip_maskr[4][r_in >> 24]
468 | ip_maskr[5][(r_in >> 16) & 0xff]
469 | ip_maskr[6][(r_in >> 8) & 0xff]
470 | ip_maskr[7][r_in & 0xff];
471
472 while (count--) {
473 /*
474 * Do each round.
475 */
476 kl = kl1;
477 kr = kr1;
478 round = 16;
479 while (round--) {
480 /*
481 * Expand R to 48 bits (simulate the E-box).
482 */
483 r48l = ((r & 0x00000001) << 23)
484 | ((r & 0xf8000000) >> 9)
485 | ((r & 0x1f800000) >> 11)
486 | ((r & 0x01f80000) >> 13)
487 | ((r & 0x001f8000) >> 15);
488
489 r48r = ((r & 0x0001f800) << 7)
490 | ((r & 0x00001f80) << 5)
491 | ((r & 0x000001f8) << 3)
492 | ((r & 0x0000001f) << 1)
493 | ((r & 0x80000000) >> 31);
494 /*
495 * Do salting for crypt() and friends, and
496 * XOR with the permuted key.
497 */
498 f = (r48l ^ r48r) & saltbits;
499 r48l ^= f ^ *kl++;
500 r48r ^= f ^ *kr++;
501 /*
502 * Do sbox lookups (which shrink it back to 32 bits)
503 * and do the pbox permutation at the same time.
504 */
505 f = psbox[0][m_sbox[0][r48l >> 12]]
506 | psbox[1][m_sbox[1][r48l & 0xfff]]
507 | psbox[2][m_sbox[2][r48r >> 12]]
508 | psbox[3][m_sbox[3][r48r & 0xfff]];
509 /*
510 * Now that we've permuted things, complete f().
511 */
512 f ^= l;
513 l = r;
514 r = f;
515 }
516 r = l;
517 l = f;
518 }
519 /*
520 * Do final permutation (inverse of IP).
521 */
522 *l_out = fp_maskl[0][l >> 24]
523 | fp_maskl[1][(l >> 16) & 0xff]
524 | fp_maskl[2][(l >> 8) & 0xff]
525 | fp_maskl[3][l & 0xff]
526 | fp_maskl[4][r >> 24]
527 | fp_maskl[5][(r >> 16) & 0xff]
528 | fp_maskl[6][(r >> 8) & 0xff]
529 | fp_maskl[7][r & 0xff];
530 *r_out = fp_maskr[0][l >> 24]
531 | fp_maskr[1][(l >> 16) & 0xff]
532 | fp_maskr[2][(l >> 8) & 0xff]
533 | fp_maskr[3][l & 0xff]
534 | fp_maskr[4][r >> 24]
535 | fp_maskr[5][(r >> 16) & 0xff]
536 | fp_maskr[6][(r >> 8) & 0xff]
537 | fp_maskr[7][r & 0xff];
538 return(0);
539}
540
541static int
542des_cipher(const char *in, char *out, int32_t salt, int count)
543{
544 u_int32_t l_out, r_out, rawl, rawr, saltbits;
545 u_int32_t x[2];
546 int retval;
547
548 if (!_des_initialised)
549 _des_init();
550
551 saltbits = _des_setup_salt(salt);
552
553 memcpy(x, in, sizeof x);
554 rawl = ntohl(x[0]);
555 rawr = ntohl(x[1]);
556 retval = _des_do_des(rawl, rawr, &l_out, &r_out, count, saltbits);
557
558 x[0] = htonl(l_out);
559 x[1] = htonl(r_out);
560 memcpy(out, x, sizeof x);
561 return(retval);
562}
563
564static int
565crypt_hashpass(const char *key, const char *setting, char *output)
566{
567 int i;
568 u_int32_t count, salt, l, r0, r1, saltbits, keybuf[2];
569 u_char *p, *q;
570
571 if (!_des_initialised)
572 _des_init();
573
574 /*
575 * Copy the key, shifting each character up by one bit
576 * and padding with zeros.
577 */
578 q = (u_char *) keybuf;
579 while ((q - (u_char *) keybuf) < sizeof(keybuf)) {
580 if ((*q++ = *key << 1))
581 key++;
582 }
583 if (des_setkey((char *) keybuf))
584 return(-1);
585
586 if (*setting == _PASSWORD_EFMT1) {
587 /*
588 * "new"-style:
589 * setting - underscore, 4 bytes of count, 4 bytes of salt
590 * key - unlimited characters
591 */
592 for (i = 1, count = 0; i < 5; i++)
593 count |= ascii_to_bin(setting[i]) << (i - 1) * 6;
594
595 for (i = 5, salt = 0; i < 9; i++)
596 salt |= ascii_to_bin(setting[i]) << (i - 5) * 6;
597
598 while (*key) {
599 /*
600 * Encrypt the key with itself.
601 */
602 if (des_cipher((char *)keybuf, (char *)keybuf, 0, 1))
603 return(-1);
604 /*
605 * And XOR with the next 8 characters of the key.
606 */
607 q = (u_char *) keybuf;
608 while (((q - (u_char *) keybuf) < sizeof(keybuf)) &&
609 *key)
610 *q++ ^= *key++ << 1;
611
612 if (des_setkey((char *) keybuf))
613 return(-1);
614 }
615 strlcpy((char *)output, setting, 10);
616
617 /*
618 * Double check that we weren't given a short setting.
619 * If we were, the above code will probably have created
620 * weird values for count and salt, but we don't really care.
621 * Just make sure the output string doesn't have an extra
622 * NUL in it.
623 */
624 p = output + strlen((const char *)output);
625 } else {
626 /*
627 * "old"-style:
628 * setting - 2 bytes of salt
629 * key - up to 8 characters
630 */
631 count = 25;
632
633 salt = (ascii_to_bin(setting[1]) << 6)
634 | ascii_to_bin(setting[0]);
635
636 output[0] = setting[0];
637 /*
638 * If the encrypted password that the salt was extracted from
639 * is only 1 character long, the salt will be corrupted. We
640 * need to ensure that the output string doesn't have an extra
641 * NUL in it!
642 */
643 output[1] = setting[1] ? setting[1] : output[0];
644
645 p = output + 2;
646 }
647 saltbits = _des_setup_salt(salt);
648
649 /*
650 * Do it.
651 */
652 if (_des_do_des(0, 0, &r0, &r1, count, saltbits))
653 return(-1);
654 /*
655 * Now encode the result...
656 */
657 l = (r0 >> 8);
658 *p++ = ascii64[(l >> 18) & 0x3f];
659 *p++ = ascii64[(l >> 12) & 0x3f];
660 *p++ = ascii64[(l >> 6) & 0x3f];
661 *p++ = ascii64[l & 0x3f];
662
663 l = (r0 << 16) | ((r1 >> 16) & 0xffff);
664 *p++ = ascii64[(l >> 18) & 0x3f];
665 *p++ = ascii64[(l >> 12) & 0x3f];
666 *p++ = ascii64[(l >> 6) & 0x3f];
667 *p++ = ascii64[l & 0x3f];
668
669 l = r1 << 2;
670 *p++ = ascii64[(l >> 12) & 0x3f];
671 *p++ = ascii64[(l >> 6) & 0x3f];
672 *p++ = ascii64[l & 0x3f];
673 *p = 0;
674
675 return(0);
676}
677 4
678char * 5char *
679crypt(const char *key, const char *setting) 6crypt(const char *key, const char *setting)
680{ 7{
681 static u_char goutput[21];
682 extern char *bcrypt(const char *, const char *);
683
684 if (setting[0] == '$') { 8 if (setting[0] == '$') {
685 switch (setting[1]) { 9 switch (setting[1]) {
686 case '2': 10 case '2':
@@ -689,9 +13,4 @@ crypt(const char *key, const char *setting)
689 return (NULL); 13 return (NULL);
690 } 14 }
691 } 15 }
692
693 memset(goutput, 0, sizeof(goutput));
694 if (crypt_hashpass(key, setting, goutput) != 0)
695 return (NULL);
696 return goutput;
697} 16}
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-17 21:22:45 +0000