summaryrefslogtreecommitdiff
path: root/src/lib/libc/crypt
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libc/crypt')
-rw-r--r--src/lib/libc/crypt/Makefile.inc16
-rw-r--r--src/lib/libc/crypt/arc4random.3138
-rw-r--r--src/lib/libc/crypt/arc4random.c259
-rw-r--r--src/lib/libc/crypt/bcrypt.c338
-rw-r--r--src/lib/libc/crypt/blowfish.3106
-rw-r--r--src/lib/libc/crypt/blowfish.c685
-rw-r--r--src/lib/libc/crypt/cast.c790
-rw-r--r--src/lib/libc/crypt/crypt.3324
-rw-r--r--src/lib/libc/crypt/crypt.c696
-rw-r--r--src/lib/libc/crypt/crypt2.c104
-rw-r--r--src/lib/libc/crypt/md5crypt.c149
-rw-r--r--src/lib/libc/crypt/skipjack.c260
12 files changed, 3865 insertions, 0 deletions
diff --git a/src/lib/libc/crypt/Makefile.inc b/src/lib/libc/crypt/Makefile.inc
new file mode 100644
index 0000000000..d961f36b52
--- /dev/null
+++ b/src/lib/libc/crypt/Makefile.inc
@@ -0,0 +1,16 @@
1# $OpenBSD: Makefile.inc,v 1.16 2008/03/16 22:08:12 deraadt Exp $
2
3.PATH: ${LIBCSRCDIR}/arch/${MACHINE_ARCH}/crypt ${LIBCSRCDIR}/crypt
4
5SRCS+= cast.c crypt.c crypt2.c md5crypt.c arc4random.c blowfish.c
6SRCS+= bcrypt.c skipjack.c
7
8MAN+= crypt.3 blowfish.3 arc4random.3
9MLINKS+=crypt.3 encrypt.3 crypt.3 setkey.3 crypt.3 des_cipher.3
10MLINKS+=crypt.3 bcrypt_gensalt.3 crypt.3 bcrypt.3 crypt.3 md5crypt.3
11MLINKS+=crypt.3 des_setkey.3 blowfish.3 blf_key.3 blowfish.3 blf_enc.3
12MLINKS+=blowfish.3 blf_dec.3 blowfish.3 blf_ecb_encrypt.3
13MLINKS+=blowfish.3 blf_ecb_decrypt.3 blowfish.3 blf_cbc_encrypt.3
14MLINKS+=blowfish.3 blf_cbc_decrypt.3
15MLINKS+=arc4random.3 arc4random_stir.3 arc4random.3 arc4random_addrandom.3
16MLINKS+=arc4random.3 arc4random_buf.3 arc4random.3 arc4random_uniform.3
diff --git a/src/lib/libc/crypt/arc4random.3 b/src/lib/libc/crypt/arc4random.3
new file mode 100644
index 0000000000..d9f07ade6e
--- /dev/null
+++ b/src/lib/libc/crypt/arc4random.3
@@ -0,0 +1,138 @@
1.\" $OpenBSD: arc4random.3,v 1.27 2008/12/23 18:31:02 deraadt Exp $
2.\"
3.\" Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de>
4.\" All rights reserved.
5.\"
6.\" Redistribution and use in source and binary forms, with or without
7.\" modification, are permitted provided that the following conditions
8.\" are met:
9.\" 1. Redistributions of source code must retain the above copyright
10.\" notice, this list of conditions and the following disclaimer.
11.\" 2. Redistributions in binary form must reproduce the above copyright
12.\" notice, this list of conditions and the following disclaimer in the
13.\" documentation and/or other materials provided with the distribution.
14.\" 3. All advertising materials mentioning features or use of this software
15.\" must display the following acknowledgement:
16.\" This product includes software developed by Niels Provos.
17.\" 4. The name of the author may not be used to endorse or promote products
18.\" derived from this software without specific prior written permission.
19.\"
20.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
21.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
22.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
23.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
24.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
25.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
26.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
27.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
28.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
29.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30.\"
31.\" Manual page, using -mandoc macros
32.\"
33.Dd $Mdocdate: December 23 2008 $
34.Dt ARC4RANDOM 3
35.Os
36.Sh NAME
37.Nm arc4random ,
38.Nm arc4random_buf ,
39.Nm arc4random_uniform ,
40.Nm arc4random_stir ,
41.Nm arc4random_addrandom
42.Nd arc4 random number generator
43.Sh SYNOPSIS
44.Fd #include <stdlib.h>
45.Ft u_int32_t
46.Fn arc4random "void"
47.Ft void
48.Fn arc4random_buf "void *buf" "size_t nbytes"
49.Ft u_int32_t
50.Fn arc4random_uniform "u_int32_t upper_bound"
51.Ft void
52.Fn arc4random_stir "void"
53.Ft void
54.Fn arc4random_addrandom "u_char *dat" "int datlen"
55.Sh DESCRIPTION
56The
57.Fn arc4random
58function provides a high quality 32-bit pseudo-random
59number very quickly.
60.Fn arc4random
61seeds itself on a regular basis from the kernel strong random number
62subsystem described in
63.Xr random 4 .
64On each call, an ARC4 generator is used to generate a new result.
65The
66.Fn arc4random
67function uses the ARC4 cipher key stream generator,
68which uses 8*8 8-bit S-Boxes.
69The S-Boxes can be in about (2**1700) states.
70.Pp
71.Fn arc4random
72fits into a middle ground not covered by other subsystems such as
73the strong, slow, and resource expensive random
74devices described in
75.Xr random 4
76versus the fast but poor quality interfaces described in
77.Xr rand 3 ,
78.Xr random 3 ,
79and
80.Xr drand48 3 .
81.Pp
82.Fn arc4random_buf
83fills the region
84.Fa buf
85of length
86.Fa nbytes
87with ARC4-derived random data.
88.Pp
89.Fn arc4random_uniform
90will return a uniformly distributed random number less than
91.Fa upper_bound .
92.Fn arc4random_uniform
93is recommended over constructions like
94.Dq Li arc4random() % upper_bound
95as it avoids "modulo bias" when the upper bound is not a power of two.
96.Pp
97The
98.Fn arc4random_stir
99function reads data using
100.Xr sysctl 3
101from
102.Va kern.arandom
103and uses it to permute the S-Boxes via
104.Fn arc4random_addrandom .
105.Pp
106There is no need to call
107.Fn arc4random_stir
108before using
109.Fn arc4random ,
110since
111.Fn arc4random
112automatically initializes itself.
113.Sh RETURN VALUES
114These functions are always successful, and no return value is
115reserved to indicate an error.
116.Sh SEE ALSO
117.Xr rand 3 ,
118.Xr rand48 3 ,
119.Xr random 3
120.Sh HISTORY
121An algorithm called
122.Pa RC4
123was designed by RSA Data Security, Inc.
124It was considered a trade secret.
125Because it was a trade secret, it obviously could not be patented.
126A clone of this was posted anonymously to USENET and confirmed to
127be equivalent by several sources who had access to the original cipher.
128Because of the trade secret situation, RSA Data Security, Inc. could
129do nothing about the release of the
130.Ql Alleged RC4
131algorithm.
132Since
133.Pa RC4
134was trademarked, the cipher is now referred to as
135.Pa ARC4 .
136.Pp
137These functions first appeared in
138.Ox 2.1 .
diff --git a/src/lib/libc/crypt/arc4random.c b/src/lib/libc/crypt/arc4random.c
new file mode 100644
index 0000000000..e921e4b7c7
--- /dev/null
+++ b/src/lib/libc/crypt/arc4random.c
@@ -0,0 +1,259 @@
1/* $OpenBSD: arc4random.c,v 1.20 2008/10/03 18:46:04 otto Exp $ */
2
3/*
4 * Copyright (c) 1996, David Mazieres <dm@uun.org>
5 * Copyright (c) 2008, Damien Miller <djm@openbsd.org>
6 *
7 * Permission to use, copy, modify, and distribute this software for any
8 * purpose with or without fee is hereby granted, provided that the above
9 * copyright notice and this permission notice appear in all copies.
10 *
11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 */
19
20/*
21 * Arc4 random number generator for OpenBSD.
22 *
23 * This code is derived from section 17.1 of Applied Cryptography,
24 * second edition, which describes a stream cipher allegedly
25 * compatible with RSA Labs "RC4" cipher (the actual description of
26 * which is a trade secret). The same algorithm is used as a stream
27 * cipher called "arcfour" in Tatu Ylonen's ssh package.
28 *
29 * Here the stream cipher has been modified always to include the time
30 * when initializing the state. That makes it impossible to
31 * regenerate the same random sequence twice, so this can't be used
32 * for encryption, but will generate good random numbers.
33 *
34 * RC4 is a registered trademark of RSA Laboratories.
35 */
36
37#include <fcntl.h>
38#include <limits.h>
39#include <stdlib.h>
40#include <unistd.h>
41#include <sys/types.h>
42#include <sys/param.h>
43#include <sys/time.h>
44#include <sys/sysctl.h>
45#include "thread_private.h"
46
47#ifdef __GNUC__
48#define inline __inline
49#else /* !__GNUC__ */
50#define inline
51#endif /* !__GNUC__ */
52
53struct arc4_stream {
54 u_int8_t i;
55 u_int8_t j;
56 u_int8_t s[256];
57};
58
59static int rs_initialized;
60static struct arc4_stream rs;
61static pid_t arc4_stir_pid;
62static int arc4_count;
63
64static inline u_int8_t arc4_getbyte(void);
65
66static inline void
67arc4_init(void)
68{
69 int n;
70
71 for (n = 0; n < 256; n++)
72 rs.s[n] = n;
73 rs.i = 0;
74 rs.j = 0;
75}
76
77static inline void
78arc4_addrandom(u_char *dat, int datlen)
79{
80 int n;
81 u_int8_t si;
82
83 rs.i--;
84 for (n = 0; n < 256; n++) {
85 rs.i = (rs.i + 1);
86 si = rs.s[rs.i];
87 rs.j = (rs.j + si + dat[n % datlen]);
88 rs.s[rs.i] = rs.s[rs.j];
89 rs.s[rs.j] = si;
90 }
91 rs.j = rs.i;
92}
93
94static void
95arc4_stir(void)
96{
97 int i, mib[2];
98 size_t len;
99 u_char rnd[128];
100
101 if (!rs_initialized) {
102 arc4_init();
103 rs_initialized = 1;
104 }
105
106 mib[0] = CTL_KERN;
107 mib[1] = KERN_ARND;
108
109 len = sizeof(rnd);
110 sysctl(mib, 2, rnd, &len, NULL, 0);
111
112 arc4_stir_pid = getpid();
113 arc4_addrandom(rnd, sizeof(rnd));
114
115 /*
116 * Discard early keystream, as per recommendations in:
117 * http://www.wisdom.weizmann.ac.il/~itsik/RC4/Papers/Rc4_ksa.ps
118 */
119 for (i = 0; i < 256; i++)
120 (void)arc4_getbyte();
121 arc4_count = 1600000;
122}
123
124static inline u_int8_t
125arc4_getbyte(void)
126{
127 u_int8_t si, sj;
128
129 rs.i = (rs.i + 1);
130 si = rs.s[rs.i];
131 rs.j = (rs.j + si);
132 sj = rs.s[rs.j];
133 rs.s[rs.i] = sj;
134 rs.s[rs.j] = si;
135 return (rs.s[(si + sj) & 0xff]);
136}
137
138static inline u_int32_t
139arc4_getword(void)
140{
141 u_int32_t val;
142 val = arc4_getbyte() << 24;
143 val |= arc4_getbyte() << 16;
144 val |= arc4_getbyte() << 8;
145 val |= arc4_getbyte();
146 return val;
147}
148
149void
150arc4random_stir(void)
151{
152 _ARC4_LOCK();
153 arc4_stir();
154 _ARC4_UNLOCK();
155}
156
157void
158arc4random_addrandom(u_char *dat, int datlen)
159{
160 _ARC4_LOCK();
161 if (!rs_initialized)
162 arc4_stir();
163 arc4_addrandom(dat, datlen);
164 _ARC4_UNLOCK();
165}
166
167u_int32_t
168arc4random(void)
169{
170 u_int32_t val;
171 _ARC4_LOCK();
172 arc4_count -= 4;
173 if (arc4_count <= 0 || !rs_initialized || arc4_stir_pid != getpid())
174 arc4_stir();
175 val = arc4_getword();
176 _ARC4_UNLOCK();
177 return val;
178}
179
180void
181arc4random_buf(void *_buf, size_t n)
182{
183 u_char *buf = (u_char *)_buf;
184 _ARC4_LOCK();
185 if (!rs_initialized || arc4_stir_pid != getpid())
186 arc4_stir();
187 while (n--) {
188 if (--arc4_count <= 0)
189 arc4_stir();
190 buf[n] = arc4_getbyte();
191 }
192 _ARC4_UNLOCK();
193}
194
195/*
196 * Calculate a uniformly distributed random number less than upper_bound
197 * avoiding "modulo bias".
198 *
199 * Uniformity is achieved by generating new random numbers until the one
200 * returned is outside the range [0, 2**32 % upper_bound). This
201 * guarantees the selected random number will be inside
202 * [2**32 % upper_bound, 2**32) which maps back to [0, upper_bound)
203 * after reduction modulo upper_bound.
204 */
205u_int32_t
206arc4random_uniform(u_int32_t upper_bound)
207{
208 u_int32_t r, min;
209
210 if (upper_bound < 2)
211 return 0;
212
213#if (ULONG_MAX > 0xffffffffUL)
214 min = 0x100000000UL % upper_bound;
215#else
216 /* Calculate (2**32 % upper_bound) avoiding 64-bit math */
217 if (upper_bound > 0x80000000)
218 min = 1 + ~upper_bound; /* 2**32 - upper_bound */
219 else {
220 /* (2**32 - (x * 2)) % x == 2**32 % x when x <= 2**31 */
221 min = ((0xffffffff - (upper_bound * 2)) + 1) % upper_bound;
222 }
223#endif
224
225 /*
226 * This could theoretically loop forever but each retry has
227 * p > 0.5 (worst case, usually far better) of selecting a
228 * number inside the range we need, so it should rarely need
229 * to re-roll.
230 */
231 for (;;) {
232 r = arc4random();
233 if (r >= min)
234 break;
235 }
236
237 return r % upper_bound;
238}
239
240#if 0
241/*-------- Test code for i386 --------*/
242#include <stdio.h>
243#include <machine/pctr.h>
244int
245main(int argc, char **argv)
246{
247 const int iter = 1000000;
248 int i;
249 pctrval v;
250
251 v = rdtsc();
252 for (i = 0; i < iter; i++)
253 arc4random();
254 v = rdtsc() - v;
255 v /= iter;
256
257 printf("%qd cycles\n", v);
258}
259#endif
diff --git a/src/lib/libc/crypt/bcrypt.c b/src/lib/libc/crypt/bcrypt.c
new file mode 100644
index 0000000000..207e76ea46
--- /dev/null
+++ b/src/lib/libc/crypt/bcrypt.c
@@ -0,0 +1,338 @@
1/* $OpenBSD: bcrypt.c,v 1.24 2008/04/02 19:54:05 millert Exp $ */
2
3/*
4 * Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de>
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. All advertising materials mentioning features or use of this software
16 * must display the following acknowledgement:
17 * This product includes software developed by Niels Provos.
18 * 4. The name of the author may not be used to endorse or promote products
19 * derived from this software without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
22 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
23 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
24 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
26 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
27 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
28 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
30 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31 */
32
33/* This password hashing algorithm was designed by David Mazieres
34 * <dm@lcs.mit.edu> and works as follows:
35 *
36 * 1. state := InitState ()
37 * 2. state := ExpandKey (state, salt, password) 3.
38 * REPEAT rounds:
39 * state := ExpandKey (state, 0, salt)
40 * state := ExpandKey(state, 0, password)
41 * 4. ctext := "OrpheanBeholderScryDoubt"
42 * 5. REPEAT 64:
43 * ctext := Encrypt_ECB (state, ctext);
44 * 6. RETURN Concatenate (salt, ctext);
45 *
46 */
47
48#include <stdio.h>
49#include <stdlib.h>
50#include <sys/types.h>
51#include <string.h>
52#include <pwd.h>
53#include <blf.h>
54
55/* This implementation is adaptable to current computing power.
56 * You can have up to 2^31 rounds which should be enough for some
57 * time to come.
58 */
59
60#define BCRYPT_VERSION '2'
61#define BCRYPT_MAXSALT 16 /* Precomputation is just so nice */
62#define BCRYPT_BLOCKS 6 /* Ciphertext blocks */
63#define BCRYPT_MINROUNDS 16 /* we have log2(rounds) in salt */
64
65char *bcrypt_gensalt(u_int8_t);
66
67static void encode_salt(char *, u_int8_t *, u_int16_t, u_int8_t);
68static void encode_base64(u_int8_t *, u_int8_t *, u_int16_t);
69static void decode_base64(u_int8_t *, u_int16_t, u_int8_t *);
70
71static char encrypted[_PASSWORD_LEN];
72static char gsalt[7 + (BCRYPT_MAXSALT * 4 + 2) / 3 + 1];
73static char error[] = ":";
74
75const static u_int8_t Base64Code[] =
76"./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
77
78const static u_int8_t index_64[128] = {
79 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
80 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
81 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
82 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
83 255, 255, 255, 255, 255, 255, 0, 1, 54, 55,
84 56, 57, 58, 59, 60, 61, 62, 63, 255, 255,
85 255, 255, 255, 255, 255, 2, 3, 4, 5, 6,
86 7, 8, 9, 10, 11, 12, 13, 14, 15, 16,
87 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27,
88 255, 255, 255, 255, 255, 255, 28, 29, 30,
89 31, 32, 33, 34, 35, 36, 37, 38, 39, 40,
90 41, 42, 43, 44, 45, 46, 47, 48, 49, 50,
91 51, 52, 53, 255, 255, 255, 255, 255
92};
93#define CHAR64(c) ( (c) > 127 ? 255 : index_64[(c)])
94
95static void
96decode_base64(u_int8_t *buffer, u_int16_t len, u_int8_t *data)
97{
98 u_int8_t *bp = buffer;
99 u_int8_t *p = data;
100 u_int8_t c1, c2, c3, c4;
101 while (bp < buffer + len) {
102 c1 = CHAR64(*p);
103 c2 = CHAR64(*(p + 1));
104
105 /* Invalid data */
106 if (c1 == 255 || c2 == 255)
107 break;
108
109 *bp++ = (c1 << 2) | ((c2 & 0x30) >> 4);
110 if (bp >= buffer + len)
111 break;
112
113 c3 = CHAR64(*(p + 2));
114 if (c3 == 255)
115 break;
116
117 *bp++ = ((c2 & 0x0f) << 4) | ((c3 & 0x3c) >> 2);
118 if (bp >= buffer + len)
119 break;
120
121 c4 = CHAR64(*(p + 3));
122 if (c4 == 255)
123 break;
124 *bp++ = ((c3 & 0x03) << 6) | c4;
125
126 p += 4;
127 }
128}
129
130static void
131encode_salt(char *salt, u_int8_t *csalt, u_int16_t clen, u_int8_t logr)
132{
133 salt[0] = '$';
134 salt[1] = BCRYPT_VERSION;
135 salt[2] = 'a';
136 salt[3] = '$';
137
138 snprintf(salt + 4, 4, "%2.2u$", logr);
139
140 encode_base64((u_int8_t *) salt + 7, csalt, clen);
141}
142/* Generates a salt for this version of crypt.
143 Since versions may change. Keeping this here
144 seems sensible.
145 */
146
147char *
148bcrypt_gensalt(u_int8_t log_rounds)
149{
150 u_int8_t csalt[BCRYPT_MAXSALT];
151 u_int16_t i;
152 u_int32_t seed = 0;
153
154 for (i = 0; i < BCRYPT_MAXSALT; i++) {
155 if (i % 4 == 0)
156 seed = arc4random();
157 csalt[i] = seed & 0xff;
158 seed = seed >> 8;
159 }
160
161 if (log_rounds < 4)
162 log_rounds = 4;
163 else if (log_rounds > 31)
164 log_rounds = 31;
165
166 encode_salt(gsalt, csalt, BCRYPT_MAXSALT, log_rounds);
167 return gsalt;
168}
169/* We handle $Vers$log2(NumRounds)$salt+passwd$
170 i.e. $2$04$iwouldntknowwhattosayetKdJ6iFtacBqJdKe6aW7ou */
171
172char *
173bcrypt(const char *key, const char *salt)
174{
175 blf_ctx state;
176 u_int32_t rounds, i, k;
177 u_int16_t j;
178 u_int8_t key_len, salt_len, logr, minor;
179 u_int8_t ciphertext[4 * BCRYPT_BLOCKS] = "OrpheanBeholderScryDoubt";
180 u_int8_t csalt[BCRYPT_MAXSALT];
181 u_int32_t cdata[BCRYPT_BLOCKS];
182 int n;
183
184 /* Discard "$" identifier */
185 salt++;
186
187 if (*salt > BCRYPT_VERSION) {
188 /* How do I handle errors ? Return ':' */
189 return error;
190 }
191
192 /* Check for minor versions */
193 if (salt[1] != '$') {
194 switch (salt[1]) {
195 case 'a':
196 /* 'ab' should not yield the same as 'abab' */
197 minor = salt[1];
198 salt++;
199 break;
200 default:
201 return error;
202 }
203 } else
204 minor = 0;
205
206 /* Discard version + "$" identifier */
207 salt += 2;
208
209 if (salt[2] != '$')
210 /* Out of sync with passwd entry */
211 return error;
212
213 /* Computer power doesn't increase linear, 2^x should be fine */
214 n = atoi(salt);
215 if (n > 31 || n < 0)
216 return error;
217 logr = (u_int8_t)n;
218 if ((rounds = (u_int32_t) 1 << logr) < BCRYPT_MINROUNDS)
219 return error;
220
221 /* Discard num rounds + "$" identifier */
222 salt += 3;
223
224 if (strlen(salt) * 3 / 4 < BCRYPT_MAXSALT)
225 return error;
226
227 /* We dont want the base64 salt but the raw data */
228 decode_base64(csalt, BCRYPT_MAXSALT, (u_int8_t *) salt);
229 salt_len = BCRYPT_MAXSALT;
230 key_len = strlen(key) + (minor >= 'a' ? 1 : 0);
231
232 /* Setting up S-Boxes and Subkeys */
233 Blowfish_initstate(&state);
234 Blowfish_expandstate(&state, csalt, salt_len,
235 (u_int8_t *) key, key_len);
236 for (k = 0; k < rounds; k++) {
237 Blowfish_expand0state(&state, (u_int8_t *) key, key_len);
238 Blowfish_expand0state(&state, csalt, salt_len);
239 }
240
241 /* This can be precomputed later */
242 j = 0;
243 for (i = 0; i < BCRYPT_BLOCKS; i++)
244 cdata[i] = Blowfish_stream2word(ciphertext, 4 * BCRYPT_BLOCKS, &j);
245
246 /* Now do the encryption */
247 for (k = 0; k < 64; k++)
248 blf_enc(&state, cdata, BCRYPT_BLOCKS / 2);
249
250 for (i = 0; i < BCRYPT_BLOCKS; i++) {
251 ciphertext[4 * i + 3] = cdata[i] & 0xff;
252 cdata[i] = cdata[i] >> 8;
253 ciphertext[4 * i + 2] = cdata[i] & 0xff;
254 cdata[i] = cdata[i] >> 8;
255 ciphertext[4 * i + 1] = cdata[i] & 0xff;
256 cdata[i] = cdata[i] >> 8;
257 ciphertext[4 * i + 0] = cdata[i] & 0xff;
258 }
259
260
261 i = 0;
262 encrypted[i++] = '$';
263 encrypted[i++] = BCRYPT_VERSION;
264 if (minor)
265 encrypted[i++] = minor;
266 encrypted[i++] = '$';
267
268 snprintf(encrypted + i, 4, "%2.2u$", logr);
269
270 encode_base64((u_int8_t *) encrypted + i + 3, csalt, BCRYPT_MAXSALT);
271 encode_base64((u_int8_t *) encrypted + strlen(encrypted), ciphertext,
272 4 * BCRYPT_BLOCKS - 1);
273 memset(&state, 0, sizeof(state));
274 memset(ciphertext, 0, sizeof(ciphertext));
275 memset(csalt, 0, sizeof(csalt));
276 memset(cdata, 0, sizeof(cdata));
277 return encrypted;
278}
279
280static void
281encode_base64(u_int8_t *buffer, u_int8_t *data, u_int16_t len)
282{
283 u_int8_t *bp = buffer;
284 u_int8_t *p = data;
285 u_int8_t c1, c2;
286 while (p < data + len) {
287 c1 = *p++;
288 *bp++ = Base64Code[(c1 >> 2)];
289 c1 = (c1 & 0x03) << 4;
290 if (p >= data + len) {
291 *bp++ = Base64Code[c1];
292 break;
293 }
294 c2 = *p++;
295 c1 |= (c2 >> 4) & 0x0f;
296 *bp++ = Base64Code[c1];
297 c1 = (c2 & 0x0f) << 2;
298 if (p >= data + len) {
299 *bp++ = Base64Code[c1];
300 break;
301 }
302 c2 = *p++;
303 c1 |= (c2 >> 6) & 0x03;
304 *bp++ = Base64Code[c1];
305 *bp++ = Base64Code[c2 & 0x3f];
306 }
307 *bp = '\0';
308}
309#if 0
310void
311main()
312{
313 char blubber[73];
314 char salt[100];
315 char *p;
316 salt[0] = '$';
317 salt[1] = BCRYPT_VERSION;
318 salt[2] = '$';
319
320 snprintf(salt + 3, 4, "%2.2u$", 5);
321
322 printf("24 bytes of salt: ");
323 fgets(salt + 6, sizeof(salt) - 6, stdin);
324 salt[99] = 0;
325 printf("72 bytes of password: ");
326 fpurge(stdin);
327 fgets(blubber, sizeof(blubber), stdin);
328 blubber[72] = 0;
329
330 p = crypt(blubber, salt);
331 printf("Passwd entry: %s\n\n", p);
332
333 p = bcrypt_gensalt(5);
334 printf("Generated salt: %s\n", p);
335 p = crypt(blubber, p);
336 printf("Passwd entry: %s\n", p);
337}
338#endif
diff --git a/src/lib/libc/crypt/blowfish.3 b/src/lib/libc/crypt/blowfish.3
new file mode 100644
index 0000000000..4defaecc34
--- /dev/null
+++ b/src/lib/libc/crypt/blowfish.3
@@ -0,0 +1,106 @@
1.\" $OpenBSD: blowfish.3,v 1.20 2007/05/31 19:19:27 jmc Exp $
2.\"
3.\" Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de>
4.\" All rights reserved.
5.\"
6.\" Redistribution and use in source and binary forms, with or without
7.\" modification, are permitted provided that the following conditions
8.\" are met:
9.\" 1. Redistributions of source code must retain the above copyright
10.\" notice, this list of conditions and the following disclaimer.
11.\" 2. Redistributions in binary form must reproduce the above copyright
12.\" notice, this list of conditions and the following disclaimer in the
13.\" documentation and/or other materials provided with the distribution.
14.\" 3. All advertising materials mentioning features or use of this software
15.\" must display the following acknowledgement:
16.\" This product includes software developed by Niels Provos.
17.\" 4. The name of the author may not be used to endorse or promote products
18.\" derived from this software without specific prior written permission.
19.\"
20.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
21.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
22.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
23.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
24.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
25.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
26.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
27.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
28.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
29.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30.\"
31.\" Manual page, using -mandoc macros
32.\"
33.Dd $Mdocdate: May 31 2007 $
34.Dt BLOWFISH 3
35.Os
36.Sh NAME
37.Nm blf_key ,
38.Nm blf_enc ,
39.Nm blf_dec ,
40.Nm blf_ecb_encrypt ,
41.Nm blf_ecb_decrypt ,
42.Nm blf_cbc_encrypt ,
43.Nm blf_cbc_decrypt
44.Nd Blowfish encryption
45.Sh SYNOPSIS
46.Fd #include <blf.h>
47.Ft void
48.Fn blf_key "blf_ctx *state" "const u_int8_t *key" "u_int16_t keylen"
49.Ft void
50.Fn blf_enc "blf_ctx *state" "u_int32_t *data" "u_int16_t blocks"
51.Ft void
52.Fn blf_dec "blf_ctx *state" "u_int32_t *data" "u_int16_t blocks"
53.Ft void
54.Fn blf_ecb_encrypt "blf_ctx *state" "u_int8_t *data" "u_int32_t datalen"
55.Ft void
56.Fn blf_ecb_decrypt "blf_ctx *state" "u_int8_t *data" "u_int32_t datalen"
57.Ft void
58.Fn blf_cbc_encrypt "blf_ctx *state" "u_int8_t *iv" "u_int8_t *data" "u_int32_t datalen"
59.Ft void
60.Fn blf_cbc_decrypt "blf_ctx *state" "u_int8_t *iv" "u_int8_t *data" "u_int32_t datalen"
61.Sh DESCRIPTION
62.Em Blowfish
63is a fast unpatented block cipher designed by Bruce Schneier.
64It basically consists of a 16-round Feistel network.
65The block size is 64 bits and the maximum key size is 448 bits.
66.Pp
67The
68.Fn blf_key
69function initializes the 4 8-bit S-boxes and the 18 Subkeys with
70the hexadecimal digits of Pi.
71The key is used for further randomization.
72The first argument to
73.Fn blf_enc
74is the initialized state derived from
75.Fn blf_key .
76The stream of 32-bit words is encrypted in Electronic Codebook
77Mode (ECB) and
78.Fa blocks
79is the number of 64-bit blocks in the stream.
80.Fn blf_dec
81is used for decrypting Blowfish encrypted blocks.
82.Pp
83The functions
84.Fn blf_ecb_encrypt
85and
86.Fn blf_ecb_decrypt
87are used for encrypting and decrypting octet streams in ECB mode.
88The functions
89.Fn blf_cbc_encrypt
90and
91.Fn blf_cbc_decrypt
92are used for encrypting and decrypting octet streams in
93Cipherblock Chaining Mode (CBC).
94For these functions
95.Fa datalen
96specifies the number of octets of data to encrypt or decrypt.
97It must be a multiple of 8 (64-bit block).
98The initialisation vector
99.Fa iv
100points to an 8-byte buffer.
101.Sh SEE ALSO
102.Xr passwd 1 ,
103.Xr crypt 3 ,
104.Xr passwd 5
105.Sh AUTHORS
106.An Niels Provos Aq provos@physnet.uni-hamburg.de
diff --git a/src/lib/libc/crypt/blowfish.c b/src/lib/libc/crypt/blowfish.c
new file mode 100644
index 0000000000..c337df8a0a
--- /dev/null
+++ b/src/lib/libc/crypt/blowfish.c
@@ -0,0 +1,685 @@
1/* $OpenBSD: blowfish.c,v 1.18 2004/11/02 17:23:26 hshoexer Exp $ */
2/*
3 * Blowfish block cipher for OpenBSD
4 * Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de>
5 * All rights reserved.
6 *
7 * Implementation advice by David Mazieres <dm@lcs.mit.edu>.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. All advertising materials mentioning features or use of this software
18 * must display the following acknowledgement:
19 * This product includes software developed by Niels Provos.
20 * 4. The name of the author may not be used to endorse or promote products
21 * derived from this software without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
24 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
25 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
26 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
27 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
28 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
29 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
30 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
31 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
32 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
33 */
34
35/*
36 * This code is derived from section 14.3 and the given source
37 * in section V of Applied Cryptography, second edition.
38 * Blowfish is an unpatented fast block cipher designed by
39 * Bruce Schneier.
40 */
41
42#if 0
43#include <stdio.h> /* used for debugging */
44#include <string.h>
45#endif
46
47#include <sys/types.h>
48#include <blf.h>
49
50#undef inline
51#ifdef __GNUC__
52#define inline __inline
53#else /* !__GNUC__ */
54#define inline
55#endif /* !__GNUC__ */
56
57/* Function for Feistel Networks */
58
59#define F(s, x) ((((s)[ (((x)>>24)&0xFF)] \
60 + (s)[0x100 + (((x)>>16)&0xFF)]) \
61 ^ (s)[0x200 + (((x)>> 8)&0xFF)]) \
62 + (s)[0x300 + ( (x) &0xFF)])
63
64#define BLFRND(s,p,i,j,n) (i ^= F(s,j) ^ (p)[n])
65
66void
67Blowfish_encipher(blf_ctx *c, u_int32_t *xl, u_int32_t *xr)
68{
69 u_int32_t Xl;
70 u_int32_t Xr;
71 u_int32_t *s = c->S[0];
72 u_int32_t *p = c->P;
73
74 Xl = *xl;
75 Xr = *xr;
76
77 Xl ^= p[0];
78 BLFRND(s, p, Xr, Xl, 1); BLFRND(s, p, Xl, Xr, 2);
79 BLFRND(s, p, Xr, Xl, 3); BLFRND(s, p, Xl, Xr, 4);
80 BLFRND(s, p, Xr, Xl, 5); BLFRND(s, p, Xl, Xr, 6);
81 BLFRND(s, p, Xr, Xl, 7); BLFRND(s, p, Xl, Xr, 8);
82 BLFRND(s, p, Xr, Xl, 9); BLFRND(s, p, Xl, Xr, 10);
83 BLFRND(s, p, Xr, Xl, 11); BLFRND(s, p, Xl, Xr, 12);
84 BLFRND(s, p, Xr, Xl, 13); BLFRND(s, p, Xl, Xr, 14);
85 BLFRND(s, p, Xr, Xl, 15); BLFRND(s, p, Xl, Xr, 16);
86
87 *xl = Xr ^ p[17];
88 *xr = Xl;
89}
90
91void
92Blowfish_decipher(blf_ctx *c, u_int32_t *xl, u_int32_t *xr)
93{
94 u_int32_t Xl;
95 u_int32_t Xr;
96 u_int32_t *s = c->S[0];
97 u_int32_t *p = c->P;
98
99 Xl = *xl;
100 Xr = *xr;
101
102 Xl ^= p[17];
103 BLFRND(s, p, Xr, Xl, 16); BLFRND(s, p, Xl, Xr, 15);
104 BLFRND(s, p, Xr, Xl, 14); BLFRND(s, p, Xl, Xr, 13);
105 BLFRND(s, p, Xr, Xl, 12); BLFRND(s, p, Xl, Xr, 11);
106 BLFRND(s, p, Xr, Xl, 10); BLFRND(s, p, Xl, Xr, 9);
107 BLFRND(s, p, Xr, Xl, 8); BLFRND(s, p, Xl, Xr, 7);
108 BLFRND(s, p, Xr, Xl, 6); BLFRND(s, p, Xl, Xr, 5);
109 BLFRND(s, p, Xr, Xl, 4); BLFRND(s, p, Xl, Xr, 3);
110 BLFRND(s, p, Xr, Xl, 2); BLFRND(s, p, Xl, Xr, 1);
111
112 *xl = Xr ^ p[0];
113 *xr = Xl;
114}
115
116void
117Blowfish_initstate(blf_ctx *c)
118{
119 /* P-box and S-box tables initialized with digits of Pi */
120
121 static const blf_ctx initstate =
122 { {
123 {
124 0xd1310ba6, 0x98dfb5ac, 0x2ffd72db, 0xd01adfb7,
125 0xb8e1afed, 0x6a267e96, 0xba7c9045, 0xf12c7f99,
126 0x24a19947, 0xb3916cf7, 0x0801f2e2, 0x858efc16,
127 0x636920d8, 0x71574e69, 0xa458fea3, 0xf4933d7e,
128 0x0d95748f, 0x728eb658, 0x718bcd58, 0x82154aee,
129 0x7b54a41d, 0xc25a59b5, 0x9c30d539, 0x2af26013,
130 0xc5d1b023, 0x286085f0, 0xca417918, 0xb8db38ef,
131 0x8e79dcb0, 0x603a180e, 0x6c9e0e8b, 0xb01e8a3e,
132 0xd71577c1, 0xbd314b27, 0x78af2fda, 0x55605c60,
133 0xe65525f3, 0xaa55ab94, 0x57489862, 0x63e81440,
134 0x55ca396a, 0x2aab10b6, 0xb4cc5c34, 0x1141e8ce,
135 0xa15486af, 0x7c72e993, 0xb3ee1411, 0x636fbc2a,
136 0x2ba9c55d, 0x741831f6, 0xce5c3e16, 0x9b87931e,
137 0xafd6ba33, 0x6c24cf5c, 0x7a325381, 0x28958677,
138 0x3b8f4898, 0x6b4bb9af, 0xc4bfe81b, 0x66282193,
139 0x61d809cc, 0xfb21a991, 0x487cac60, 0x5dec8032,
140 0xef845d5d, 0xe98575b1, 0xdc262302, 0xeb651b88,
141 0x23893e81, 0xd396acc5, 0x0f6d6ff3, 0x83f44239,
142 0x2e0b4482, 0xa4842004, 0x69c8f04a, 0x9e1f9b5e,
143 0x21c66842, 0xf6e96c9a, 0x670c9c61, 0xabd388f0,
144 0x6a51a0d2, 0xd8542f68, 0x960fa728, 0xab5133a3,
145 0x6eef0b6c, 0x137a3be4, 0xba3bf050, 0x7efb2a98,
146 0xa1f1651d, 0x39af0176, 0x66ca593e, 0x82430e88,
147 0x8cee8619, 0x456f9fb4, 0x7d84a5c3, 0x3b8b5ebe,
148 0xe06f75d8, 0x85c12073, 0x401a449f, 0x56c16aa6,
149 0x4ed3aa62, 0x363f7706, 0x1bfedf72, 0x429b023d,
150 0x37d0d724, 0xd00a1248, 0xdb0fead3, 0x49f1c09b,
151 0x075372c9, 0x80991b7b, 0x25d479d8, 0xf6e8def7,
152 0xe3fe501a, 0xb6794c3b, 0x976ce0bd, 0x04c006ba,
153 0xc1a94fb6, 0x409f60c4, 0x5e5c9ec2, 0x196a2463,
154 0x68fb6faf, 0x3e6c53b5, 0x1339b2eb, 0x3b52ec6f,
155 0x6dfc511f, 0x9b30952c, 0xcc814544, 0xaf5ebd09,
156 0xbee3d004, 0xde334afd, 0x660f2807, 0x192e4bb3,
157 0xc0cba857, 0x45c8740f, 0xd20b5f39, 0xb9d3fbdb,
158 0x5579c0bd, 0x1a60320a, 0xd6a100c6, 0x402c7279,
159 0x679f25fe, 0xfb1fa3cc, 0x8ea5e9f8, 0xdb3222f8,
160 0x3c7516df, 0xfd616b15, 0x2f501ec8, 0xad0552ab,
161 0x323db5fa, 0xfd238760, 0x53317b48, 0x3e00df82,
162 0x9e5c57bb, 0xca6f8ca0, 0x1a87562e, 0xdf1769db,
163 0xd542a8f6, 0x287effc3, 0xac6732c6, 0x8c4f5573,
164 0x695b27b0, 0xbbca58c8, 0xe1ffa35d, 0xb8f011a0,
165 0x10fa3d98, 0xfd2183b8, 0x4afcb56c, 0x2dd1d35b,
166 0x9a53e479, 0xb6f84565, 0xd28e49bc, 0x4bfb9790,
167 0xe1ddf2da, 0xa4cb7e33, 0x62fb1341, 0xcee4c6e8,
168 0xef20cada, 0x36774c01, 0xd07e9efe, 0x2bf11fb4,
169 0x95dbda4d, 0xae909198, 0xeaad8e71, 0x6b93d5a0,
170 0xd08ed1d0, 0xafc725e0, 0x8e3c5b2f, 0x8e7594b7,
171 0x8ff6e2fb, 0xf2122b64, 0x8888b812, 0x900df01c,
172 0x4fad5ea0, 0x688fc31c, 0xd1cff191, 0xb3a8c1ad,
173 0x2f2f2218, 0xbe0e1777, 0xea752dfe, 0x8b021fa1,
174 0xe5a0cc0f, 0xb56f74e8, 0x18acf3d6, 0xce89e299,
175 0xb4a84fe0, 0xfd13e0b7, 0x7cc43b81, 0xd2ada8d9,
176 0x165fa266, 0x80957705, 0x93cc7314, 0x211a1477,
177 0xe6ad2065, 0x77b5fa86, 0xc75442f5, 0xfb9d35cf,
178 0xebcdaf0c, 0x7b3e89a0, 0xd6411bd3, 0xae1e7e49,
179 0x00250e2d, 0x2071b35e, 0x226800bb, 0x57b8e0af,
180 0x2464369b, 0xf009b91e, 0x5563911d, 0x59dfa6aa,
181 0x78c14389, 0xd95a537f, 0x207d5ba2, 0x02e5b9c5,
182 0x83260376, 0x6295cfa9, 0x11c81968, 0x4e734a41,
183 0xb3472dca, 0x7b14a94a, 0x1b510052, 0x9a532915,
184 0xd60f573f, 0xbc9bc6e4, 0x2b60a476, 0x81e67400,
185 0x08ba6fb5, 0x571be91f, 0xf296ec6b, 0x2a0dd915,
186 0xb6636521, 0xe7b9f9b6, 0xff34052e, 0xc5855664,
187 0x53b02d5d, 0xa99f8fa1, 0x08ba4799, 0x6e85076a},
188 {
189 0x4b7a70e9, 0xb5b32944, 0xdb75092e, 0xc4192623,
190 0xad6ea6b0, 0x49a7df7d, 0x9cee60b8, 0x8fedb266,
191 0xecaa8c71, 0x699a17ff, 0x5664526c, 0xc2b19ee1,
192 0x193602a5, 0x75094c29, 0xa0591340, 0xe4183a3e,
193 0x3f54989a, 0x5b429d65, 0x6b8fe4d6, 0x99f73fd6,
194 0xa1d29c07, 0xefe830f5, 0x4d2d38e6, 0xf0255dc1,
195 0x4cdd2086, 0x8470eb26, 0x6382e9c6, 0x021ecc5e,
196 0x09686b3f, 0x3ebaefc9, 0x3c971814, 0x6b6a70a1,
197 0x687f3584, 0x52a0e286, 0xb79c5305, 0xaa500737,
198 0x3e07841c, 0x7fdeae5c, 0x8e7d44ec, 0x5716f2b8,
199 0xb03ada37, 0xf0500c0d, 0xf01c1f04, 0x0200b3ff,
200 0xae0cf51a, 0x3cb574b2, 0x25837a58, 0xdc0921bd,
201 0xd19113f9, 0x7ca92ff6, 0x94324773, 0x22f54701,
202 0x3ae5e581, 0x37c2dadc, 0xc8b57634, 0x9af3dda7,
203 0xa9446146, 0x0fd0030e, 0xecc8c73e, 0xa4751e41,
204 0xe238cd99, 0x3bea0e2f, 0x3280bba1, 0x183eb331,
205 0x4e548b38, 0x4f6db908, 0x6f420d03, 0xf60a04bf,
206 0x2cb81290, 0x24977c79, 0x5679b072, 0xbcaf89af,
207 0xde9a771f, 0xd9930810, 0xb38bae12, 0xdccf3f2e,
208 0x5512721f, 0x2e6b7124, 0x501adde6, 0x9f84cd87,
209 0x7a584718, 0x7408da17, 0xbc9f9abc, 0xe94b7d8c,
210 0xec7aec3a, 0xdb851dfa, 0x63094366, 0xc464c3d2,
211 0xef1c1847, 0x3215d908, 0xdd433b37, 0x24c2ba16,
212 0x12a14d43, 0x2a65c451, 0x50940002, 0x133ae4dd,
213 0x71dff89e, 0x10314e55, 0x81ac77d6, 0x5f11199b,
214 0x043556f1, 0xd7a3c76b, 0x3c11183b, 0x5924a509,
215 0xf28fe6ed, 0x97f1fbfa, 0x9ebabf2c, 0x1e153c6e,
216 0x86e34570, 0xeae96fb1, 0x860e5e0a, 0x5a3e2ab3,
217 0x771fe71c, 0x4e3d06fa, 0x2965dcb9, 0x99e71d0f,
218 0x803e89d6, 0x5266c825, 0x2e4cc978, 0x9c10b36a,
219 0xc6150eba, 0x94e2ea78, 0xa5fc3c53, 0x1e0a2df4,
220 0xf2f74ea7, 0x361d2b3d, 0x1939260f, 0x19c27960,
221 0x5223a708, 0xf71312b6, 0xebadfe6e, 0xeac31f66,
222 0xe3bc4595, 0xa67bc883, 0xb17f37d1, 0x018cff28,
223 0xc332ddef, 0xbe6c5aa5, 0x65582185, 0x68ab9802,
224 0xeecea50f, 0xdb2f953b, 0x2aef7dad, 0x5b6e2f84,
225 0x1521b628, 0x29076170, 0xecdd4775, 0x619f1510,
226 0x13cca830, 0xeb61bd96, 0x0334fe1e, 0xaa0363cf,
227 0xb5735c90, 0x4c70a239, 0xd59e9e0b, 0xcbaade14,
228 0xeecc86bc, 0x60622ca7, 0x9cab5cab, 0xb2f3846e,
229 0x648b1eaf, 0x19bdf0ca, 0xa02369b9, 0x655abb50,
230 0x40685a32, 0x3c2ab4b3, 0x319ee9d5, 0xc021b8f7,
231 0x9b540b19, 0x875fa099, 0x95f7997e, 0x623d7da8,
232 0xf837889a, 0x97e32d77, 0x11ed935f, 0x16681281,
233 0x0e358829, 0xc7e61fd6, 0x96dedfa1, 0x7858ba99,
234 0x57f584a5, 0x1b227263, 0x9b83c3ff, 0x1ac24696,
235 0xcdb30aeb, 0x532e3054, 0x8fd948e4, 0x6dbc3128,
236 0x58ebf2ef, 0x34c6ffea, 0xfe28ed61, 0xee7c3c73,
237 0x5d4a14d9, 0xe864b7e3, 0x42105d14, 0x203e13e0,
238 0x45eee2b6, 0xa3aaabea, 0xdb6c4f15, 0xfacb4fd0,
239 0xc742f442, 0xef6abbb5, 0x654f3b1d, 0x41cd2105,
240 0xd81e799e, 0x86854dc7, 0xe44b476a, 0x3d816250,
241 0xcf62a1f2, 0x5b8d2646, 0xfc8883a0, 0xc1c7b6a3,
242 0x7f1524c3, 0x69cb7492, 0x47848a0b, 0x5692b285,
243 0x095bbf00, 0xad19489d, 0x1462b174, 0x23820e00,
244 0x58428d2a, 0x0c55f5ea, 0x1dadf43e, 0x233f7061,
245 0x3372f092, 0x8d937e41, 0xd65fecf1, 0x6c223bdb,
246 0x7cde3759, 0xcbee7460, 0x4085f2a7, 0xce77326e,
247 0xa6078084, 0x19f8509e, 0xe8efd855, 0x61d99735,
248 0xa969a7aa, 0xc50c06c2, 0x5a04abfc, 0x800bcadc,
249 0x9e447a2e, 0xc3453484, 0xfdd56705, 0x0e1e9ec9,
250 0xdb73dbd3, 0x105588cd, 0x675fda79, 0xe3674340,
251 0xc5c43465, 0x713e38d8, 0x3d28f89e, 0xf16dff20,
252 0x153e21e7, 0x8fb03d4a, 0xe6e39f2b, 0xdb83adf7},
253 {
254 0xe93d5a68, 0x948140f7, 0xf64c261c, 0x94692934,
255 0x411520f7, 0x7602d4f7, 0xbcf46b2e, 0xd4a20068,
256 0xd4082471, 0x3320f46a, 0x43b7d4b7, 0x500061af,
257 0x1e39f62e, 0x97244546, 0x14214f74, 0xbf8b8840,
258 0x4d95fc1d, 0x96b591af, 0x70f4ddd3, 0x66a02f45,
259 0xbfbc09ec, 0x03bd9785, 0x7fac6dd0, 0x31cb8504,
260 0x96eb27b3, 0x55fd3941, 0xda2547e6, 0xabca0a9a,
261 0x28507825, 0x530429f4, 0x0a2c86da, 0xe9b66dfb,
262 0x68dc1462, 0xd7486900, 0x680ec0a4, 0x27a18dee,
263 0x4f3ffea2, 0xe887ad8c, 0xb58ce006, 0x7af4d6b6,
264 0xaace1e7c, 0xd3375fec, 0xce78a399, 0x406b2a42,
265 0x20fe9e35, 0xd9f385b9, 0xee39d7ab, 0x3b124e8b,
266 0x1dc9faf7, 0x4b6d1856, 0x26a36631, 0xeae397b2,
267 0x3a6efa74, 0xdd5b4332, 0x6841e7f7, 0xca7820fb,
268 0xfb0af54e, 0xd8feb397, 0x454056ac, 0xba489527,
269 0x55533a3a, 0x20838d87, 0xfe6ba9b7, 0xd096954b,
270 0x55a867bc, 0xa1159a58, 0xcca92963, 0x99e1db33,
271 0xa62a4a56, 0x3f3125f9, 0x5ef47e1c, 0x9029317c,
272 0xfdf8e802, 0x04272f70, 0x80bb155c, 0x05282ce3,
273 0x95c11548, 0xe4c66d22, 0x48c1133f, 0xc70f86dc,
274 0x07f9c9ee, 0x41041f0f, 0x404779a4, 0x5d886e17,
275 0x325f51eb, 0xd59bc0d1, 0xf2bcc18f, 0x41113564,
276 0x257b7834, 0x602a9c60, 0xdff8e8a3, 0x1f636c1b,
277 0x0e12b4c2, 0x02e1329e, 0xaf664fd1, 0xcad18115,
278 0x6b2395e0, 0x333e92e1, 0x3b240b62, 0xeebeb922,
279 0x85b2a20e, 0xe6ba0d99, 0xde720c8c, 0x2da2f728,
280 0xd0127845, 0x95b794fd, 0x647d0862, 0xe7ccf5f0,
281 0x5449a36f, 0x877d48fa, 0xc39dfd27, 0xf33e8d1e,
282 0x0a476341, 0x992eff74, 0x3a6f6eab, 0xf4f8fd37,
283 0xa812dc60, 0xa1ebddf8, 0x991be14c, 0xdb6e6b0d,
284 0xc67b5510, 0x6d672c37, 0x2765d43b, 0xdcd0e804,
285 0xf1290dc7, 0xcc00ffa3, 0xb5390f92, 0x690fed0b,
286 0x667b9ffb, 0xcedb7d9c, 0xa091cf0b, 0xd9155ea3,
287 0xbb132f88, 0x515bad24, 0x7b9479bf, 0x763bd6eb,
288 0x37392eb3, 0xcc115979, 0x8026e297, 0xf42e312d,
289 0x6842ada7, 0xc66a2b3b, 0x12754ccc, 0x782ef11c,
290 0x6a124237, 0xb79251e7, 0x06a1bbe6, 0x4bfb6350,
291 0x1a6b1018, 0x11caedfa, 0x3d25bdd8, 0xe2e1c3c9,
292 0x44421659, 0x0a121386, 0xd90cec6e, 0xd5abea2a,
293 0x64af674e, 0xda86a85f, 0xbebfe988, 0x64e4c3fe,
294 0x9dbc8057, 0xf0f7c086, 0x60787bf8, 0x6003604d,
295 0xd1fd8346, 0xf6381fb0, 0x7745ae04, 0xd736fccc,
296 0x83426b33, 0xf01eab71, 0xb0804187, 0x3c005e5f,
297 0x77a057be, 0xbde8ae24, 0x55464299, 0xbf582e61,
298 0x4e58f48f, 0xf2ddfda2, 0xf474ef38, 0x8789bdc2,
299 0x5366f9c3, 0xc8b38e74, 0xb475f255, 0x46fcd9b9,
300 0x7aeb2661, 0x8b1ddf84, 0x846a0e79, 0x915f95e2,
301 0x466e598e, 0x20b45770, 0x8cd55591, 0xc902de4c,
302 0xb90bace1, 0xbb8205d0, 0x11a86248, 0x7574a99e,
303 0xb77f19b6, 0xe0a9dc09, 0x662d09a1, 0xc4324633,
304 0xe85a1f02, 0x09f0be8c, 0x4a99a025, 0x1d6efe10,
305 0x1ab93d1d, 0x0ba5a4df, 0xa186f20f, 0x2868f169,
306 0xdcb7da83, 0x573906fe, 0xa1e2ce9b, 0x4fcd7f52,
307 0x50115e01, 0xa70683fa, 0xa002b5c4, 0x0de6d027,
308 0x9af88c27, 0x773f8641, 0xc3604c06, 0x61a806b5,
309 0xf0177a28, 0xc0f586e0, 0x006058aa, 0x30dc7d62,
310 0x11e69ed7, 0x2338ea63, 0x53c2dd94, 0xc2c21634,
311 0xbbcbee56, 0x90bcb6de, 0xebfc7da1, 0xce591d76,
312 0x6f05e409, 0x4b7c0188, 0x39720a3d, 0x7c927c24,
313 0x86e3725f, 0x724d9db9, 0x1ac15bb4, 0xd39eb8fc,
314 0xed545578, 0x08fca5b5, 0xd83d7cd3, 0x4dad0fc4,
315 0x1e50ef5e, 0xb161e6f8, 0xa28514d9, 0x6c51133c,
316 0x6fd5c7e7, 0x56e14ec4, 0x362abfce, 0xddc6c837,
317 0xd79a3234, 0x92638212, 0x670efa8e, 0x406000e0},
318 {
319 0x3a39ce37, 0xd3faf5cf, 0xabc27737, 0x5ac52d1b,
320 0x5cb0679e, 0x4fa33742, 0xd3822740, 0x99bc9bbe,
321 0xd5118e9d, 0xbf0f7315, 0xd62d1c7e, 0xc700c47b,
322 0xb78c1b6b, 0x21a19045, 0xb26eb1be, 0x6a366eb4,
323 0x5748ab2f, 0xbc946e79, 0xc6a376d2, 0x6549c2c8,
324 0x530ff8ee, 0x468dde7d, 0xd5730a1d, 0x4cd04dc6,
325 0x2939bbdb, 0xa9ba4650, 0xac9526e8, 0xbe5ee304,
326 0xa1fad5f0, 0x6a2d519a, 0x63ef8ce2, 0x9a86ee22,
327 0xc089c2b8, 0x43242ef6, 0xa51e03aa, 0x9cf2d0a4,
328 0x83c061ba, 0x9be96a4d, 0x8fe51550, 0xba645bd6,
329 0x2826a2f9, 0xa73a3ae1, 0x4ba99586, 0xef5562e9,
330 0xc72fefd3, 0xf752f7da, 0x3f046f69, 0x77fa0a59,
331 0x80e4a915, 0x87b08601, 0x9b09e6ad, 0x3b3ee593,
332 0xe990fd5a, 0x9e34d797, 0x2cf0b7d9, 0x022b8b51,
333 0x96d5ac3a, 0x017da67d, 0xd1cf3ed6, 0x7c7d2d28,
334 0x1f9f25cf, 0xadf2b89b, 0x5ad6b472, 0x5a88f54c,
335 0xe029ac71, 0xe019a5e6, 0x47b0acfd, 0xed93fa9b,
336 0xe8d3c48d, 0x283b57cc, 0xf8d56629, 0x79132e28,
337 0x785f0191, 0xed756055, 0xf7960e44, 0xe3d35e8c,
338 0x15056dd4, 0x88f46dba, 0x03a16125, 0x0564f0bd,
339 0xc3eb9e15, 0x3c9057a2, 0x97271aec, 0xa93a072a,
340 0x1b3f6d9b, 0x1e6321f5, 0xf59c66fb, 0x26dcf319,
341 0x7533d928, 0xb155fdf5, 0x03563482, 0x8aba3cbb,
342 0x28517711, 0xc20ad9f8, 0xabcc5167, 0xccad925f,
343 0x4de81751, 0x3830dc8e, 0x379d5862, 0x9320f991,
344 0xea7a90c2, 0xfb3e7bce, 0x5121ce64, 0x774fbe32,
345 0xa8b6e37e, 0xc3293d46, 0x48de5369, 0x6413e680,
346 0xa2ae0810, 0xdd6db224, 0x69852dfd, 0x09072166,
347 0xb39a460a, 0x6445c0dd, 0x586cdecf, 0x1c20c8ae,
348 0x5bbef7dd, 0x1b588d40, 0xccd2017f, 0x6bb4e3bb,
349 0xdda26a7e, 0x3a59ff45, 0x3e350a44, 0xbcb4cdd5,
350 0x72eacea8, 0xfa6484bb, 0x8d6612ae, 0xbf3c6f47,
351 0xd29be463, 0x542f5d9e, 0xaec2771b, 0xf64e6370,
352 0x740e0d8d, 0xe75b1357, 0xf8721671, 0xaf537d5d,
353 0x4040cb08, 0x4eb4e2cc, 0x34d2466a, 0x0115af84,
354 0xe1b00428, 0x95983a1d, 0x06b89fb4, 0xce6ea048,
355 0x6f3f3b82, 0x3520ab82, 0x011a1d4b, 0x277227f8,
356 0x611560b1, 0xe7933fdc, 0xbb3a792b, 0x344525bd,
357 0xa08839e1, 0x51ce794b, 0x2f32c9b7, 0xa01fbac9,
358 0xe01cc87e, 0xbcc7d1f6, 0xcf0111c3, 0xa1e8aac7,
359 0x1a908749, 0xd44fbd9a, 0xd0dadecb, 0xd50ada38,
360 0x0339c32a, 0xc6913667, 0x8df9317c, 0xe0b12b4f,
361 0xf79e59b7, 0x43f5bb3a, 0xf2d519ff, 0x27d9459c,
362 0xbf97222c, 0x15e6fc2a, 0x0f91fc71, 0x9b941525,
363 0xfae59361, 0xceb69ceb, 0xc2a86459, 0x12baa8d1,
364 0xb6c1075e, 0xe3056a0c, 0x10d25065, 0xcb03a442,
365 0xe0ec6e0e, 0x1698db3b, 0x4c98a0be, 0x3278e964,
366 0x9f1f9532, 0xe0d392df, 0xd3a0342b, 0x8971f21e,
367 0x1b0a7441, 0x4ba3348c, 0xc5be7120, 0xc37632d8,
368 0xdf359f8d, 0x9b992f2e, 0xe60b6f47, 0x0fe3f11d,
369 0xe54cda54, 0x1edad891, 0xce6279cf, 0xcd3e7e6f,
370 0x1618b166, 0xfd2c1d05, 0x848fd2c5, 0xf6fb2299,
371 0xf523f357, 0xa6327623, 0x93a83531, 0x56cccd02,
372 0xacf08162, 0x5a75ebb5, 0x6e163697, 0x88d273cc,
373 0xde966292, 0x81b949d0, 0x4c50901b, 0x71c65614,
374 0xe6c6c7bd, 0x327a140a, 0x45e1d006, 0xc3f27b9a,
375 0xc9aa53fd, 0x62a80f00, 0xbb25bfe2, 0x35bdd2f6,
376 0x71126905, 0xb2040222, 0xb6cbcf7c, 0xcd769c2b,
377 0x53113ec0, 0x1640e3d3, 0x38abbd60, 0x2547adf0,
378 0xba38209c, 0xf746ce76, 0x77afa1c5, 0x20756060,
379 0x85cbfe4e, 0x8ae88dd8, 0x7aaaf9b0, 0x4cf9aa7e,
380 0x1948c25c, 0x02fb8a8c, 0x01c36ae4, 0xd6ebe1f9,
381 0x90d4f869, 0xa65cdea0, 0x3f09252d, 0xc208e69f,
382 0xb74e6132, 0xce77e25b, 0x578fdfe3, 0x3ac372e6}
383 },
384 {
385 0x243f6a88, 0x85a308d3, 0x13198a2e, 0x03707344,
386 0xa4093822, 0x299f31d0, 0x082efa98, 0xec4e6c89,
387 0x452821e6, 0x38d01377, 0xbe5466cf, 0x34e90c6c,
388 0xc0ac29b7, 0xc97c50dd, 0x3f84d5b5, 0xb5470917,
389 0x9216d5d9, 0x8979fb1b
390 } };
391
392 *c = initstate;
393}
394
395u_int32_t
396Blowfish_stream2word(const u_int8_t *data, u_int16_t databytes,
397 u_int16_t *current)
398{
399 u_int8_t i;
400 u_int16_t j;
401 u_int32_t temp;
402
403 temp = 0x00000000;
404 j = *current;
405
406 for (i = 0; i < 4; i++, j++) {
407 if (j >= databytes)
408 j = 0;
409 temp = (temp << 8) | data[j];
410 }
411
412 *current = j;
413 return temp;
414}
415
416void
417Blowfish_expand0state(blf_ctx *c, const u_int8_t *key, u_int16_t keybytes)
418{
419 u_int16_t i;
420 u_int16_t j;
421 u_int16_t k;
422 u_int32_t temp;
423 u_int32_t datal;
424 u_int32_t datar;
425
426 j = 0;
427 for (i = 0; i < BLF_N + 2; i++) {
428 /* Extract 4 int8 to 1 int32 from keystream */
429 temp = Blowfish_stream2word(key, keybytes, &j);
430 c->P[i] = c->P[i] ^ temp;
431 }
432
433 j = 0;
434 datal = 0x00000000;
435 datar = 0x00000000;
436 for (i = 0; i < BLF_N + 2; i += 2) {
437 Blowfish_encipher(c, &datal, &datar);
438
439 c->P[i] = datal;
440 c->P[i + 1] = datar;
441 }
442
443 for (i = 0; i < 4; i++) {
444 for (k = 0; k < 256; k += 2) {
445 Blowfish_encipher(c, &datal, &datar);
446
447 c->S[i][k] = datal;
448 c->S[i][k + 1] = datar;
449 }
450 }
451}
452
453
454void
455Blowfish_expandstate(blf_ctx *c, const u_int8_t *data, u_int16_t databytes,
456 const u_int8_t *key, u_int16_t keybytes)
457{
458 u_int16_t i;
459 u_int16_t j;
460 u_int16_t k;
461 u_int32_t temp;
462 u_int32_t datal;
463 u_int32_t datar;
464
465 j = 0;
466 for (i = 0; i < BLF_N + 2; i++) {
467 /* Extract 4 int8 to 1 int32 from keystream */
468 temp = Blowfish_stream2word(key, keybytes, &j);
469 c->P[i] = c->P[i] ^ temp;
470 }
471
472 j = 0;
473 datal = 0x00000000;
474 datar = 0x00000000;
475 for (i = 0; i < BLF_N + 2; i += 2) {
476 datal ^= Blowfish_stream2word(data, databytes, &j);
477 datar ^= Blowfish_stream2word(data, databytes, &j);
478 Blowfish_encipher(c, &datal, &datar);
479
480 c->P[i] = datal;
481 c->P[i + 1] = datar;
482 }
483
484 for (i = 0; i < 4; i++) {
485 for (k = 0; k < 256; k += 2) {
486 datal ^= Blowfish_stream2word(data, databytes, &j);
487 datar ^= Blowfish_stream2word(data, databytes, &j);
488 Blowfish_encipher(c, &datal, &datar);
489
490 c->S[i][k] = datal;
491 c->S[i][k + 1] = datar;
492 }
493 }
494
495}
496
497void
498blf_key(blf_ctx *c, const u_int8_t *k, u_int16_t len)
499{
500 /* Initialize S-boxes and subkeys with Pi */
501 Blowfish_initstate(c);
502
503 /* Transform S-boxes and subkeys with key */
504 Blowfish_expand0state(c, k, len);
505}
506
507void
508blf_enc(blf_ctx *c, u_int32_t *data, u_int16_t blocks)
509{
510 u_int32_t *d;
511 u_int16_t i;
512
513 d = data;
514 for (i = 0; i < blocks; i++) {
515 Blowfish_encipher(c, d, d + 1);
516 d += 2;
517 }
518}
519
520void
521blf_dec(blf_ctx *c, u_int32_t *data, u_int16_t blocks)
522{
523 u_int32_t *d;
524 u_int16_t i;
525
526 d = data;
527 for (i = 0; i < blocks; i++) {
528 Blowfish_decipher(c, d, d + 1);
529 d += 2;
530 }
531}
532
533void
534blf_ecb_encrypt(blf_ctx *c, u_int8_t *data, u_int32_t len)
535{
536 u_int32_t l, r;
537 u_int32_t i;
538
539 for (i = 0; i < len; i += 8) {
540 l = data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3];
541 r = data[4] << 24 | data[5] << 16 | data[6] << 8 | data[7];
542 Blowfish_encipher(c, &l, &r);
543 data[0] = l >> 24 & 0xff;
544 data[1] = l >> 16 & 0xff;
545 data[2] = l >> 8 & 0xff;
546 data[3] = l & 0xff;
547 data[4] = r >> 24 & 0xff;
548 data[5] = r >> 16 & 0xff;
549 data[6] = r >> 8 & 0xff;
550 data[7] = r & 0xff;
551 data += 8;
552 }
553}
554
555void
556blf_ecb_decrypt(blf_ctx *c, u_int8_t *data, u_int32_t len)
557{
558 u_int32_t l, r;
559 u_int32_t i;
560
561 for (i = 0; i < len; i += 8) {
562 l = data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3];
563 r = data[4] << 24 | data[5] << 16 | data[6] << 8 | data[7];
564 Blowfish_decipher(c, &l, &r);
565 data[0] = l >> 24 & 0xff;
566 data[1] = l >> 16 & 0xff;
567 data[2] = l >> 8 & 0xff;
568 data[3] = l & 0xff;
569 data[4] = r >> 24 & 0xff;
570 data[5] = r >> 16 & 0xff;
571 data[6] = r >> 8 & 0xff;
572 data[7] = r & 0xff;
573 data += 8;
574 }
575}
576
577void
578blf_cbc_encrypt(blf_ctx *c, u_int8_t *iv, u_int8_t *data, u_int32_t len)
579{
580 u_int32_t l, r;
581 u_int32_t i, j;
582
583 for (i = 0; i < len; i += 8) {
584 for (j = 0; j < 8; j++)
585 data[j] ^= iv[j];
586 l = data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3];
587 r = data[4] << 24 | data[5] << 16 | data[6] << 8 | data[7];
588 Blowfish_encipher(c, &l, &r);
589 data[0] = l >> 24 & 0xff;
590 data[1] = l >> 16 & 0xff;
591 data[2] = l >> 8 & 0xff;
592 data[3] = l & 0xff;
593 data[4] = r >> 24 & 0xff;
594 data[5] = r >> 16 & 0xff;
595 data[6] = r >> 8 & 0xff;
596 data[7] = r & 0xff;
597 iv = data;
598 data += 8;
599 }
600}
601
602void
603blf_cbc_decrypt(blf_ctx *c, u_int8_t *iva, u_int8_t *data, u_int32_t len)
604{
605 u_int32_t l, r;
606 u_int8_t *iv;
607 u_int32_t i, j;
608
609 iv = data + len - 16;
610 data = data + len - 8;
611 for (i = len - 8; i >= 8; i -= 8) {
612 l = data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3];
613 r = data[4] << 24 | data[5] << 16 | data[6] << 8 | data[7];
614 Blowfish_decipher(c, &l, &r);
615 data[0] = l >> 24 & 0xff;
616 data[1] = l >> 16 & 0xff;
617 data[2] = l >> 8 & 0xff;
618 data[3] = l & 0xff;
619 data[4] = r >> 24 & 0xff;
620 data[5] = r >> 16 & 0xff;
621 data[6] = r >> 8 & 0xff;
622 data[7] = r & 0xff;
623 for (j = 0; j < 8; j++)
624 data[j] ^= iv[j];
625 iv -= 8;
626 data -= 8;
627 }
628 l = data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3];
629 r = data[4] << 24 | data[5] << 16 | data[6] << 8 | data[7];
630 Blowfish_decipher(c, &l, &r);
631 data[0] = l >> 24 & 0xff;
632 data[1] = l >> 16 & 0xff;
633 data[2] = l >> 8 & 0xff;
634 data[3] = l & 0xff;
635 data[4] = r >> 24 & 0xff;
636 data[5] = r >> 16 & 0xff;
637 data[6] = r >> 8 & 0xff;
638 data[7] = r & 0xff;
639 for (j = 0; j < 8; j++)
640 data[j] ^= iva[j];
641}
642
643#if 0
644void
645report(u_int32_t data[], u_int16_t len)
646{
647 u_int16_t i;
648 for (i = 0; i < len; i += 2)
649 printf("Block %0hd: %08lx %08lx.\n",
650 i / 2, data[i], data[i + 1]);
651}
652void
653main(void)
654{
655
656 blf_ctx c;
657 char key[] = "AAAAA";
658 char key2[] = "abcdefghijklmnopqrstuvwxyz";
659
660 u_int32_t data[10];
661 u_int32_t data2[] =
662 {0x424c4f57l, 0x46495348l};
663
664 u_int16_t i;
665
666 /* First test */
667 for (i = 0; i < 10; i++)
668 data[i] = i;
669
670 blf_key(&c, (u_int8_t *) key, 5);
671 blf_enc(&c, data, 5);
672 blf_dec(&c, data, 1);
673 blf_dec(&c, data + 2, 4);
674 printf("Should read as 0 - 9.\n");
675 report(data, 10);
676
677 /* Second test */
678 blf_key(&c, (u_int8_t *) key2, strlen(key2));
679 blf_enc(&c, data2, 1);
680 printf("\nShould read as: 0x324ed0fe 0xf413a203.\n");
681 report(data2, 2);
682 blf_dec(&c, data2, 1);
683 report(data2, 2);
684}
685#endif
diff --git a/src/lib/libc/crypt/cast.c b/src/lib/libc/crypt/cast.c
new file mode 100644
index 0000000000..ea026638d6
--- /dev/null
+++ b/src/lib/libc/crypt/cast.c
@@ -0,0 +1,790 @@
1/* $OpenBSD: cast.c,v 1.3 2004/11/03 10:38:50 hshoexer Exp $ */
2/*
3 * CAST-128 in C
4 * Written by Steve Reid <sreid@sea-to-sky.net>
5 * 100% Public Domain - no warranty
6 * Released 1997.10.11
7 */
8
9#include <sys/types.h>
10
11#include <cast.h>
12
13/* CAST S-Boxes */
14
15static const u_int32_t cast_sbox1[256] = {
16 0x30FB40D4, 0x9FA0FF0B, 0x6BECCD2F, 0x3F258C7A,
17 0x1E213F2F, 0x9C004DD3, 0x6003E540, 0xCF9FC949,
18 0xBFD4AF27, 0x88BBBDB5, 0xE2034090, 0x98D09675,
19 0x6E63A0E0, 0x15C361D2, 0xC2E7661D, 0x22D4FF8E,
20 0x28683B6F, 0xC07FD059, 0xFF2379C8, 0x775F50E2,
21 0x43C340D3, 0xDF2F8656, 0x887CA41A, 0xA2D2BD2D,
22 0xA1C9E0D6, 0x346C4819, 0x61B76D87, 0x22540F2F,
23 0x2ABE32E1, 0xAA54166B, 0x22568E3A, 0xA2D341D0,
24 0x66DB40C8, 0xA784392F, 0x004DFF2F, 0x2DB9D2DE,
25 0x97943FAC, 0x4A97C1D8, 0x527644B7, 0xB5F437A7,
26 0xB82CBAEF, 0xD751D159, 0x6FF7F0ED, 0x5A097A1F,
27 0x827B68D0, 0x90ECF52E, 0x22B0C054, 0xBC8E5935,
28 0x4B6D2F7F, 0x50BB64A2, 0xD2664910, 0xBEE5812D,
29 0xB7332290, 0xE93B159F, 0xB48EE411, 0x4BFF345D,
30 0xFD45C240, 0xAD31973F, 0xC4F6D02E, 0x55FC8165,
31 0xD5B1CAAD, 0xA1AC2DAE, 0xA2D4B76D, 0xC19B0C50,
32 0x882240F2, 0x0C6E4F38, 0xA4E4BFD7, 0x4F5BA272,
33 0x564C1D2F, 0xC59C5319, 0xB949E354, 0xB04669FE,
34 0xB1B6AB8A, 0xC71358DD, 0x6385C545, 0x110F935D,
35 0x57538AD5, 0x6A390493, 0xE63D37E0, 0x2A54F6B3,
36 0x3A787D5F, 0x6276A0B5, 0x19A6FCDF, 0x7A42206A,
37 0x29F9D4D5, 0xF61B1891, 0xBB72275E, 0xAA508167,
38 0x38901091, 0xC6B505EB, 0x84C7CB8C, 0x2AD75A0F,
39 0x874A1427, 0xA2D1936B, 0x2AD286AF, 0xAA56D291,
40 0xD7894360, 0x425C750D, 0x93B39E26, 0x187184C9,
41 0x6C00B32D, 0x73E2BB14, 0xA0BEBC3C, 0x54623779,
42 0x64459EAB, 0x3F328B82, 0x7718CF82, 0x59A2CEA6,
43 0x04EE002E, 0x89FE78E6, 0x3FAB0950, 0x325FF6C2,
44 0x81383F05, 0x6963C5C8, 0x76CB5AD6, 0xD49974C9,
45 0xCA180DCF, 0x380782D5, 0xC7FA5CF6, 0x8AC31511,
46 0x35E79E13, 0x47DA91D0, 0xF40F9086, 0xA7E2419E,
47 0x31366241, 0x051EF495, 0xAA573B04, 0x4A805D8D,
48 0x548300D0, 0x00322A3C, 0xBF64CDDF, 0xBA57A68E,
49 0x75C6372B, 0x50AFD341, 0xA7C13275, 0x915A0BF5,
50 0x6B54BFAB, 0x2B0B1426, 0xAB4CC9D7, 0x449CCD82,
51 0xF7FBF265, 0xAB85C5F3, 0x1B55DB94, 0xAAD4E324,
52 0xCFA4BD3F, 0x2DEAA3E2, 0x9E204D02, 0xC8BD25AC,
53 0xEADF55B3, 0xD5BD9E98, 0xE31231B2, 0x2AD5AD6C,
54 0x954329DE, 0xADBE4528, 0xD8710F69, 0xAA51C90F,
55 0xAA786BF6, 0x22513F1E, 0xAA51A79B, 0x2AD344CC,
56 0x7B5A41F0, 0xD37CFBAD, 0x1B069505, 0x41ECE491,
57 0xB4C332E6, 0x032268D4, 0xC9600ACC, 0xCE387E6D,
58 0xBF6BB16C, 0x6A70FB78, 0x0D03D9C9, 0xD4DF39DE,
59 0xE01063DA, 0x4736F464, 0x5AD328D8, 0xB347CC96,
60 0x75BB0FC3, 0x98511BFB, 0x4FFBCC35, 0xB58BCF6A,
61 0xE11F0ABC, 0xBFC5FE4A, 0xA70AEC10, 0xAC39570A,
62 0x3F04442F, 0x6188B153, 0xE0397A2E, 0x5727CB79,
63 0x9CEB418F, 0x1CACD68D, 0x2AD37C96, 0x0175CB9D,
64 0xC69DFF09, 0xC75B65F0, 0xD9DB40D8, 0xEC0E7779,
65 0x4744EAD4, 0xB11C3274, 0xDD24CB9E, 0x7E1C54BD,
66 0xF01144F9, 0xD2240EB1, 0x9675B3FD, 0xA3AC3755,
67 0xD47C27AF, 0x51C85F4D, 0x56907596, 0xA5BB15E6,
68 0x580304F0, 0xCA042CF1, 0x011A37EA, 0x8DBFAADB,
69 0x35BA3E4A, 0x3526FFA0, 0xC37B4D09, 0xBC306ED9,
70 0x98A52666, 0x5648F725, 0xFF5E569D, 0x0CED63D0,
71 0x7C63B2CF, 0x700B45E1, 0xD5EA50F1, 0x85A92872,
72 0xAF1FBDA7, 0xD4234870, 0xA7870BF3, 0x2D3B4D79,
73 0x42E04198, 0x0CD0EDE7, 0x26470DB8, 0xF881814C,
74 0x474D6AD7, 0x7C0C5E5C, 0xD1231959, 0x381B7298,
75 0xF5D2F4DB, 0xAB838653, 0x6E2F1E23, 0x83719C9E,
76 0xBD91E046, 0x9A56456E, 0xDC39200C, 0x20C8C571,
77 0x962BDA1C, 0xE1E696FF, 0xB141AB08, 0x7CCA89B9,
78 0x1A69E783, 0x02CC4843, 0xA2F7C579, 0x429EF47D,
79 0x427B169C, 0x5AC9F049, 0xDD8F0F00, 0x5C8165BF
80};
81
82static const u_int32_t cast_sbox2[256] = {
83 0x1F201094, 0xEF0BA75B, 0x69E3CF7E, 0x393F4380,
84 0xFE61CF7A, 0xEEC5207A, 0x55889C94, 0x72FC0651,
85 0xADA7EF79, 0x4E1D7235, 0xD55A63CE, 0xDE0436BA,
86 0x99C430EF, 0x5F0C0794, 0x18DCDB7D, 0xA1D6EFF3,
87 0xA0B52F7B, 0x59E83605, 0xEE15B094, 0xE9FFD909,
88 0xDC440086, 0xEF944459, 0xBA83CCB3, 0xE0C3CDFB,
89 0xD1DA4181, 0x3B092AB1, 0xF997F1C1, 0xA5E6CF7B,
90 0x01420DDB, 0xE4E7EF5B, 0x25A1FF41, 0xE180F806,
91 0x1FC41080, 0x179BEE7A, 0xD37AC6A9, 0xFE5830A4,
92 0x98DE8B7F, 0x77E83F4E, 0x79929269, 0x24FA9F7B,
93 0xE113C85B, 0xACC40083, 0xD7503525, 0xF7EA615F,
94 0x62143154, 0x0D554B63, 0x5D681121, 0xC866C359,
95 0x3D63CF73, 0xCEE234C0, 0xD4D87E87, 0x5C672B21,
96 0x071F6181, 0x39F7627F, 0x361E3084, 0xE4EB573B,
97 0x602F64A4, 0xD63ACD9C, 0x1BBC4635, 0x9E81032D,
98 0x2701F50C, 0x99847AB4, 0xA0E3DF79, 0xBA6CF38C,
99 0x10843094, 0x2537A95E, 0xF46F6FFE, 0xA1FF3B1F,
100 0x208CFB6A, 0x8F458C74, 0xD9E0A227, 0x4EC73A34,
101 0xFC884F69, 0x3E4DE8DF, 0xEF0E0088, 0x3559648D,
102 0x8A45388C, 0x1D804366, 0x721D9BFD, 0xA58684BB,
103 0xE8256333, 0x844E8212, 0x128D8098, 0xFED33FB4,
104 0xCE280AE1, 0x27E19BA5, 0xD5A6C252, 0xE49754BD,
105 0xC5D655DD, 0xEB667064, 0x77840B4D, 0xA1B6A801,
106 0x84DB26A9, 0xE0B56714, 0x21F043B7, 0xE5D05860,
107 0x54F03084, 0x066FF472, 0xA31AA153, 0xDADC4755,
108 0xB5625DBF, 0x68561BE6, 0x83CA6B94, 0x2D6ED23B,
109 0xECCF01DB, 0xA6D3D0BA, 0xB6803D5C, 0xAF77A709,
110 0x33B4A34C, 0x397BC8D6, 0x5EE22B95, 0x5F0E5304,
111 0x81ED6F61, 0x20E74364, 0xB45E1378, 0xDE18639B,
112 0x881CA122, 0xB96726D1, 0x8049A7E8, 0x22B7DA7B,
113 0x5E552D25, 0x5272D237, 0x79D2951C, 0xC60D894C,
114 0x488CB402, 0x1BA4FE5B, 0xA4B09F6B, 0x1CA815CF,
115 0xA20C3005, 0x8871DF63, 0xB9DE2FCB, 0x0CC6C9E9,
116 0x0BEEFF53, 0xE3214517, 0xB4542835, 0x9F63293C,
117 0xEE41E729, 0x6E1D2D7C, 0x50045286, 0x1E6685F3,
118 0xF33401C6, 0x30A22C95, 0x31A70850, 0x60930F13,
119 0x73F98417, 0xA1269859, 0xEC645C44, 0x52C877A9,
120 0xCDFF33A6, 0xA02B1741, 0x7CBAD9A2, 0x2180036F,
121 0x50D99C08, 0xCB3F4861, 0xC26BD765, 0x64A3F6AB,
122 0x80342676, 0x25A75E7B, 0xE4E6D1FC, 0x20C710E6,
123 0xCDF0B680, 0x17844D3B, 0x31EEF84D, 0x7E0824E4,
124 0x2CCB49EB, 0x846A3BAE, 0x8FF77888, 0xEE5D60F6,
125 0x7AF75673, 0x2FDD5CDB, 0xA11631C1, 0x30F66F43,
126 0xB3FAEC54, 0x157FD7FA, 0xEF8579CC, 0xD152DE58,
127 0xDB2FFD5E, 0x8F32CE19, 0x306AF97A, 0x02F03EF8,
128 0x99319AD5, 0xC242FA0F, 0xA7E3EBB0, 0xC68E4906,
129 0xB8DA230C, 0x80823028, 0xDCDEF3C8, 0xD35FB171,
130 0x088A1BC8, 0xBEC0C560, 0x61A3C9E8, 0xBCA8F54D,
131 0xC72FEFFA, 0x22822E99, 0x82C570B4, 0xD8D94E89,
132 0x8B1C34BC, 0x301E16E6, 0x273BE979, 0xB0FFEAA6,
133 0x61D9B8C6, 0x00B24869, 0xB7FFCE3F, 0x08DC283B,
134 0x43DAF65A, 0xF7E19798, 0x7619B72F, 0x8F1C9BA4,
135 0xDC8637A0, 0x16A7D3B1, 0x9FC393B7, 0xA7136EEB,
136 0xC6BCC63E, 0x1A513742, 0xEF6828BC, 0x520365D6,
137 0x2D6A77AB, 0x3527ED4B, 0x821FD216, 0x095C6E2E,
138 0xDB92F2FB, 0x5EEA29CB, 0x145892F5, 0x91584F7F,
139 0x5483697B, 0x2667A8CC, 0x85196048, 0x8C4BACEA,
140 0x833860D4, 0x0D23E0F9, 0x6C387E8A, 0x0AE6D249,
141 0xB284600C, 0xD835731D, 0xDCB1C647, 0xAC4C56EA,
142 0x3EBD81B3, 0x230EABB0, 0x6438BC87, 0xF0B5B1FA,
143 0x8F5EA2B3, 0xFC184642, 0x0A036B7A, 0x4FB089BD,
144 0x649DA589, 0xA345415E, 0x5C038323, 0x3E5D3BB9,
145 0x43D79572, 0x7E6DD07C, 0x06DFDF1E, 0x6C6CC4EF,
146 0x7160A539, 0x73BFBE70, 0x83877605, 0x4523ECF1
147};
148
149static const u_int32_t cast_sbox3[256] = {
150 0x8DEFC240, 0x25FA5D9F, 0xEB903DBF, 0xE810C907,
151 0x47607FFF, 0x369FE44B, 0x8C1FC644, 0xAECECA90,
152 0xBEB1F9BF, 0xEEFBCAEA, 0xE8CF1950, 0x51DF07AE,
153 0x920E8806, 0xF0AD0548, 0xE13C8D83, 0x927010D5,
154 0x11107D9F, 0x07647DB9, 0xB2E3E4D4, 0x3D4F285E,
155 0xB9AFA820, 0xFADE82E0, 0xA067268B, 0x8272792E,
156 0x553FB2C0, 0x489AE22B, 0xD4EF9794, 0x125E3FBC,
157 0x21FFFCEE, 0x825B1BFD, 0x9255C5ED, 0x1257A240,
158 0x4E1A8302, 0xBAE07FFF, 0x528246E7, 0x8E57140E,
159 0x3373F7BF, 0x8C9F8188, 0xA6FC4EE8, 0xC982B5A5,
160 0xA8C01DB7, 0x579FC264, 0x67094F31, 0xF2BD3F5F,
161 0x40FFF7C1, 0x1FB78DFC, 0x8E6BD2C1, 0x437BE59B,
162 0x99B03DBF, 0xB5DBC64B, 0x638DC0E6, 0x55819D99,
163 0xA197C81C, 0x4A012D6E, 0xC5884A28, 0xCCC36F71,
164 0xB843C213, 0x6C0743F1, 0x8309893C, 0x0FEDDD5F,
165 0x2F7FE850, 0xD7C07F7E, 0x02507FBF, 0x5AFB9A04,
166 0xA747D2D0, 0x1651192E, 0xAF70BF3E, 0x58C31380,
167 0x5F98302E, 0x727CC3C4, 0x0A0FB402, 0x0F7FEF82,
168 0x8C96FDAD, 0x5D2C2AAE, 0x8EE99A49, 0x50DA88B8,
169 0x8427F4A0, 0x1EAC5790, 0x796FB449, 0x8252DC15,
170 0xEFBD7D9B, 0xA672597D, 0xADA840D8, 0x45F54504,
171 0xFA5D7403, 0xE83EC305, 0x4F91751A, 0x925669C2,
172 0x23EFE941, 0xA903F12E, 0x60270DF2, 0x0276E4B6,
173 0x94FD6574, 0x927985B2, 0x8276DBCB, 0x02778176,
174 0xF8AF918D, 0x4E48F79E, 0x8F616DDF, 0xE29D840E,
175 0x842F7D83, 0x340CE5C8, 0x96BBB682, 0x93B4B148,
176 0xEF303CAB, 0x984FAF28, 0x779FAF9B, 0x92DC560D,
177 0x224D1E20, 0x8437AA88, 0x7D29DC96, 0x2756D3DC,
178 0x8B907CEE, 0xB51FD240, 0xE7C07CE3, 0xE566B4A1,
179 0xC3E9615E, 0x3CF8209D, 0x6094D1E3, 0xCD9CA341,
180 0x5C76460E, 0x00EA983B, 0xD4D67881, 0xFD47572C,
181 0xF76CEDD9, 0xBDA8229C, 0x127DADAA, 0x438A074E,
182 0x1F97C090, 0x081BDB8A, 0x93A07EBE, 0xB938CA15,
183 0x97B03CFF, 0x3DC2C0F8, 0x8D1AB2EC, 0x64380E51,
184 0x68CC7BFB, 0xD90F2788, 0x12490181, 0x5DE5FFD4,
185 0xDD7EF86A, 0x76A2E214, 0xB9A40368, 0x925D958F,
186 0x4B39FFFA, 0xBA39AEE9, 0xA4FFD30B, 0xFAF7933B,
187 0x6D498623, 0x193CBCFA, 0x27627545, 0x825CF47A,
188 0x61BD8BA0, 0xD11E42D1, 0xCEAD04F4, 0x127EA392,
189 0x10428DB7, 0x8272A972, 0x9270C4A8, 0x127DE50B,
190 0x285BA1C8, 0x3C62F44F, 0x35C0EAA5, 0xE805D231,
191 0x428929FB, 0xB4FCDF82, 0x4FB66A53, 0x0E7DC15B,
192 0x1F081FAB, 0x108618AE, 0xFCFD086D, 0xF9FF2889,
193 0x694BCC11, 0x236A5CAE, 0x12DECA4D, 0x2C3F8CC5,
194 0xD2D02DFE, 0xF8EF5896, 0xE4CF52DA, 0x95155B67,
195 0x494A488C, 0xB9B6A80C, 0x5C8F82BC, 0x89D36B45,
196 0x3A609437, 0xEC00C9A9, 0x44715253, 0x0A874B49,
197 0xD773BC40, 0x7C34671C, 0x02717EF6, 0x4FEB5536,
198 0xA2D02FFF, 0xD2BF60C4, 0xD43F03C0, 0x50B4EF6D,
199 0x07478CD1, 0x006E1888, 0xA2E53F55, 0xB9E6D4BC,
200 0xA2048016, 0x97573833, 0xD7207D67, 0xDE0F8F3D,
201 0x72F87B33, 0xABCC4F33, 0x7688C55D, 0x7B00A6B0,
202 0x947B0001, 0x570075D2, 0xF9BB88F8, 0x8942019E,
203 0x4264A5FF, 0x856302E0, 0x72DBD92B, 0xEE971B69,
204 0x6EA22FDE, 0x5F08AE2B, 0xAF7A616D, 0xE5C98767,
205 0xCF1FEBD2, 0x61EFC8C2, 0xF1AC2571, 0xCC8239C2,
206 0x67214CB8, 0xB1E583D1, 0xB7DC3E62, 0x7F10BDCE,
207 0xF90A5C38, 0x0FF0443D, 0x606E6DC6, 0x60543A49,
208 0x5727C148, 0x2BE98A1D, 0x8AB41738, 0x20E1BE24,
209 0xAF96DA0F, 0x68458425, 0x99833BE5, 0x600D457D,
210 0x282F9350, 0x8334B362, 0xD91D1120, 0x2B6D8DA0,
211 0x642B1E31, 0x9C305A00, 0x52BCE688, 0x1B03588A,
212 0xF7BAEFD5, 0x4142ED9C, 0xA4315C11, 0x83323EC5,
213 0xDFEF4636, 0xA133C501, 0xE9D3531C, 0xEE353783
214};
215
216static const u_int32_t cast_sbox4[256] = {
217 0x9DB30420, 0x1FB6E9DE, 0xA7BE7BEF, 0xD273A298,
218 0x4A4F7BDB, 0x64AD8C57, 0x85510443, 0xFA020ED1,
219 0x7E287AFF, 0xE60FB663, 0x095F35A1, 0x79EBF120,
220 0xFD059D43, 0x6497B7B1, 0xF3641F63, 0x241E4ADF,
221 0x28147F5F, 0x4FA2B8CD, 0xC9430040, 0x0CC32220,
222 0xFDD30B30, 0xC0A5374F, 0x1D2D00D9, 0x24147B15,
223 0xEE4D111A, 0x0FCA5167, 0x71FF904C, 0x2D195FFE,
224 0x1A05645F, 0x0C13FEFE, 0x081B08CA, 0x05170121,
225 0x80530100, 0xE83E5EFE, 0xAC9AF4F8, 0x7FE72701,
226 0xD2B8EE5F, 0x06DF4261, 0xBB9E9B8A, 0x7293EA25,
227 0xCE84FFDF, 0xF5718801, 0x3DD64B04, 0xA26F263B,
228 0x7ED48400, 0x547EEBE6, 0x446D4CA0, 0x6CF3D6F5,
229 0x2649ABDF, 0xAEA0C7F5, 0x36338CC1, 0x503F7E93,
230 0xD3772061, 0x11B638E1, 0x72500E03, 0xF80EB2BB,
231 0xABE0502E, 0xEC8D77DE, 0x57971E81, 0xE14F6746,
232 0xC9335400, 0x6920318F, 0x081DBB99, 0xFFC304A5,
233 0x4D351805, 0x7F3D5CE3, 0xA6C866C6, 0x5D5BCCA9,
234 0xDAEC6FEA, 0x9F926F91, 0x9F46222F, 0x3991467D,
235 0xA5BF6D8E, 0x1143C44F, 0x43958302, 0xD0214EEB,
236 0x022083B8, 0x3FB6180C, 0x18F8931E, 0x281658E6,
237 0x26486E3E, 0x8BD78A70, 0x7477E4C1, 0xB506E07C,
238 0xF32D0A25, 0x79098B02, 0xE4EABB81, 0x28123B23,
239 0x69DEAD38, 0x1574CA16, 0xDF871B62, 0x211C40B7,
240 0xA51A9EF9, 0x0014377B, 0x041E8AC8, 0x09114003,
241 0xBD59E4D2, 0xE3D156D5, 0x4FE876D5, 0x2F91A340,
242 0x557BE8DE, 0x00EAE4A7, 0x0CE5C2EC, 0x4DB4BBA6,
243 0xE756BDFF, 0xDD3369AC, 0xEC17B035, 0x06572327,
244 0x99AFC8B0, 0x56C8C391, 0x6B65811C, 0x5E146119,
245 0x6E85CB75, 0xBE07C002, 0xC2325577, 0x893FF4EC,
246 0x5BBFC92D, 0xD0EC3B25, 0xB7801AB7, 0x8D6D3B24,
247 0x20C763EF, 0xC366A5FC, 0x9C382880, 0x0ACE3205,
248 0xAAC9548A, 0xECA1D7C7, 0x041AFA32, 0x1D16625A,
249 0x6701902C, 0x9B757A54, 0x31D477F7, 0x9126B031,
250 0x36CC6FDB, 0xC70B8B46, 0xD9E66A48, 0x56E55A79,
251 0x026A4CEB, 0x52437EFF, 0x2F8F76B4, 0x0DF980A5,
252 0x8674CDE3, 0xEDDA04EB, 0x17A9BE04, 0x2C18F4DF,
253 0xB7747F9D, 0xAB2AF7B4, 0xEFC34D20, 0x2E096B7C,
254 0x1741A254, 0xE5B6A035, 0x213D42F6, 0x2C1C7C26,
255 0x61C2F50F, 0x6552DAF9, 0xD2C231F8, 0x25130F69,
256 0xD8167FA2, 0x0418F2C8, 0x001A96A6, 0x0D1526AB,
257 0x63315C21, 0x5E0A72EC, 0x49BAFEFD, 0x187908D9,
258 0x8D0DBD86, 0x311170A7, 0x3E9B640C, 0xCC3E10D7,
259 0xD5CAD3B6, 0x0CAEC388, 0xF73001E1, 0x6C728AFF,
260 0x71EAE2A1, 0x1F9AF36E, 0xCFCBD12F, 0xC1DE8417,
261 0xAC07BE6B, 0xCB44A1D8, 0x8B9B0F56, 0x013988C3,
262 0xB1C52FCA, 0xB4BE31CD, 0xD8782806, 0x12A3A4E2,
263 0x6F7DE532, 0x58FD7EB6, 0xD01EE900, 0x24ADFFC2,
264 0xF4990FC5, 0x9711AAC5, 0x001D7B95, 0x82E5E7D2,
265 0x109873F6, 0x00613096, 0xC32D9521, 0xADA121FF,
266 0x29908415, 0x7FBB977F, 0xAF9EB3DB, 0x29C9ED2A,
267 0x5CE2A465, 0xA730F32C, 0xD0AA3FE8, 0x8A5CC091,
268 0xD49E2CE7, 0x0CE454A9, 0xD60ACD86, 0x015F1919,
269 0x77079103, 0xDEA03AF6, 0x78A8565E, 0xDEE356DF,
270 0x21F05CBE, 0x8B75E387, 0xB3C50651, 0xB8A5C3EF,
271 0xD8EEB6D2, 0xE523BE77, 0xC2154529, 0x2F69EFDF,
272 0xAFE67AFB, 0xF470C4B2, 0xF3E0EB5B, 0xD6CC9876,
273 0x39E4460C, 0x1FDA8538, 0x1987832F, 0xCA007367,
274 0xA99144F8, 0x296B299E, 0x492FC295, 0x9266BEAB,
275 0xB5676E69, 0x9BD3DDDA, 0xDF7E052F, 0xDB25701C,
276 0x1B5E51EE, 0xF65324E6, 0x6AFCE36C, 0x0316CC04,
277 0x8644213E, 0xB7DC59D0, 0x7965291F, 0xCCD6FD43,
278 0x41823979, 0x932BCDF6, 0xB657C34D, 0x4EDFD282,
279 0x7AE5290C, 0x3CB9536B, 0x851E20FE, 0x9833557E,
280 0x13ECF0B0, 0xD3FFB372, 0x3F85C5C1, 0x0AEF7ED2
281};
282
283static const u_int32_t cast_sbox5[256] = {
284 0x7EC90C04, 0x2C6E74B9, 0x9B0E66DF, 0xA6337911,
285 0xB86A7FFF, 0x1DD358F5, 0x44DD9D44, 0x1731167F,
286 0x08FBF1FA, 0xE7F511CC, 0xD2051B00, 0x735ABA00,
287 0x2AB722D8, 0x386381CB, 0xACF6243A, 0x69BEFD7A,
288 0xE6A2E77F, 0xF0C720CD, 0xC4494816, 0xCCF5C180,
289 0x38851640, 0x15B0A848, 0xE68B18CB, 0x4CAADEFF,
290 0x5F480A01, 0x0412B2AA, 0x259814FC, 0x41D0EFE2,
291 0x4E40B48D, 0x248EB6FB, 0x8DBA1CFE, 0x41A99B02,
292 0x1A550A04, 0xBA8F65CB, 0x7251F4E7, 0x95A51725,
293 0xC106ECD7, 0x97A5980A, 0xC539B9AA, 0x4D79FE6A,
294 0xF2F3F763, 0x68AF8040, 0xED0C9E56, 0x11B4958B,
295 0xE1EB5A88, 0x8709E6B0, 0xD7E07156, 0x4E29FEA7,
296 0x6366E52D, 0x02D1C000, 0xC4AC8E05, 0x9377F571,
297 0x0C05372A, 0x578535F2, 0x2261BE02, 0xD642A0C9,
298 0xDF13A280, 0x74B55BD2, 0x682199C0, 0xD421E5EC,
299 0x53FB3CE8, 0xC8ADEDB3, 0x28A87FC9, 0x3D959981,
300 0x5C1FF900, 0xFE38D399, 0x0C4EFF0B, 0x062407EA,
301 0xAA2F4FB1, 0x4FB96976, 0x90C79505, 0xB0A8A774,
302 0xEF55A1FF, 0xE59CA2C2, 0xA6B62D27, 0xE66A4263,
303 0xDF65001F, 0x0EC50966, 0xDFDD55BC, 0x29DE0655,
304 0x911E739A, 0x17AF8975, 0x32C7911C, 0x89F89468,
305 0x0D01E980, 0x524755F4, 0x03B63CC9, 0x0CC844B2,
306 0xBCF3F0AA, 0x87AC36E9, 0xE53A7426, 0x01B3D82B,
307 0x1A9E7449, 0x64EE2D7E, 0xCDDBB1DA, 0x01C94910,
308 0xB868BF80, 0x0D26F3FD, 0x9342EDE7, 0x04A5C284,
309 0x636737B6, 0x50F5B616, 0xF24766E3, 0x8ECA36C1,
310 0x136E05DB, 0xFEF18391, 0xFB887A37, 0xD6E7F7D4,
311 0xC7FB7DC9, 0x3063FCDF, 0xB6F589DE, 0xEC2941DA,
312 0x26E46695, 0xB7566419, 0xF654EFC5, 0xD08D58B7,
313 0x48925401, 0xC1BACB7F, 0xE5FF550F, 0xB6083049,
314 0x5BB5D0E8, 0x87D72E5A, 0xAB6A6EE1, 0x223A66CE,
315 0xC62BF3CD, 0x9E0885F9, 0x68CB3E47, 0x086C010F,
316 0xA21DE820, 0xD18B69DE, 0xF3F65777, 0xFA02C3F6,
317 0x407EDAC3, 0xCBB3D550, 0x1793084D, 0xB0D70EBA,
318 0x0AB378D5, 0xD951FB0C, 0xDED7DA56, 0x4124BBE4,
319 0x94CA0B56, 0x0F5755D1, 0xE0E1E56E, 0x6184B5BE,
320 0x580A249F, 0x94F74BC0, 0xE327888E, 0x9F7B5561,
321 0xC3DC0280, 0x05687715, 0x646C6BD7, 0x44904DB3,
322 0x66B4F0A3, 0xC0F1648A, 0x697ED5AF, 0x49E92FF6,
323 0x309E374F, 0x2CB6356A, 0x85808573, 0x4991F840,
324 0x76F0AE02, 0x083BE84D, 0x28421C9A, 0x44489406,
325 0x736E4CB8, 0xC1092910, 0x8BC95FC6, 0x7D869CF4,
326 0x134F616F, 0x2E77118D, 0xB31B2BE1, 0xAA90B472,
327 0x3CA5D717, 0x7D161BBA, 0x9CAD9010, 0xAF462BA2,
328 0x9FE459D2, 0x45D34559, 0xD9F2DA13, 0xDBC65487,
329 0xF3E4F94E, 0x176D486F, 0x097C13EA, 0x631DA5C7,
330 0x445F7382, 0x175683F4, 0xCDC66A97, 0x70BE0288,
331 0xB3CDCF72, 0x6E5DD2F3, 0x20936079, 0x459B80A5,
332 0xBE60E2DB, 0xA9C23101, 0xEBA5315C, 0x224E42F2,
333 0x1C5C1572, 0xF6721B2C, 0x1AD2FFF3, 0x8C25404E,
334 0x324ED72F, 0x4067B7FD, 0x0523138E, 0x5CA3BC78,
335 0xDC0FD66E, 0x75922283, 0x784D6B17, 0x58EBB16E,
336 0x44094F85, 0x3F481D87, 0xFCFEAE7B, 0x77B5FF76,
337 0x8C2302BF, 0xAAF47556, 0x5F46B02A, 0x2B092801,
338 0x3D38F5F7, 0x0CA81F36, 0x52AF4A8A, 0x66D5E7C0,
339 0xDF3B0874, 0x95055110, 0x1B5AD7A8, 0xF61ED5AD,
340 0x6CF6E479, 0x20758184, 0xD0CEFA65, 0x88F7BE58,
341 0x4A046826, 0x0FF6F8F3, 0xA09C7F70, 0x5346ABA0,
342 0x5CE96C28, 0xE176EDA3, 0x6BAC307F, 0x376829D2,
343 0x85360FA9, 0x17E3FE2A, 0x24B79767, 0xF5A96B20,
344 0xD6CD2595, 0x68FF1EBF, 0x7555442C, 0xF19F06BE,
345 0xF9E0659A, 0xEEB9491D, 0x34010718, 0xBB30CAB8,
346 0xE822FE15, 0x88570983, 0x750E6249, 0xDA627E55,
347 0x5E76FFA8, 0xB1534546, 0x6D47DE08, 0xEFE9E7D4
348};
349
350static const u_int32_t cast_sbox6[256] = {
351 0xF6FA8F9D, 0x2CAC6CE1, 0x4CA34867, 0xE2337F7C,
352 0x95DB08E7, 0x016843B4, 0xECED5CBC, 0x325553AC,
353 0xBF9F0960, 0xDFA1E2ED, 0x83F0579D, 0x63ED86B9,
354 0x1AB6A6B8, 0xDE5EBE39, 0xF38FF732, 0x8989B138,
355 0x33F14961, 0xC01937BD, 0xF506C6DA, 0xE4625E7E,
356 0xA308EA99, 0x4E23E33C, 0x79CBD7CC, 0x48A14367,
357 0xA3149619, 0xFEC94BD5, 0xA114174A, 0xEAA01866,
358 0xA084DB2D, 0x09A8486F, 0xA888614A, 0x2900AF98,
359 0x01665991, 0xE1992863, 0xC8F30C60, 0x2E78EF3C,
360 0xD0D51932, 0xCF0FEC14, 0xF7CA07D2, 0xD0A82072,
361 0xFD41197E, 0x9305A6B0, 0xE86BE3DA, 0x74BED3CD,
362 0x372DA53C, 0x4C7F4448, 0xDAB5D440, 0x6DBA0EC3,
363 0x083919A7, 0x9FBAEED9, 0x49DBCFB0, 0x4E670C53,
364 0x5C3D9C01, 0x64BDB941, 0x2C0E636A, 0xBA7DD9CD,
365 0xEA6F7388, 0xE70BC762, 0x35F29ADB, 0x5C4CDD8D,
366 0xF0D48D8C, 0xB88153E2, 0x08A19866, 0x1AE2EAC8,
367 0x284CAF89, 0xAA928223, 0x9334BE53, 0x3B3A21BF,
368 0x16434BE3, 0x9AEA3906, 0xEFE8C36E, 0xF890CDD9,
369 0x80226DAE, 0xC340A4A3, 0xDF7E9C09, 0xA694A807,
370 0x5B7C5ECC, 0x221DB3A6, 0x9A69A02F, 0x68818A54,
371 0xCEB2296F, 0x53C0843A, 0xFE893655, 0x25BFE68A,
372 0xB4628ABC, 0xCF222EBF, 0x25AC6F48, 0xA9A99387,
373 0x53BDDB65, 0xE76FFBE7, 0xE967FD78, 0x0BA93563,
374 0x8E342BC1, 0xE8A11BE9, 0x4980740D, 0xC8087DFC,
375 0x8DE4BF99, 0xA11101A0, 0x7FD37975, 0xDA5A26C0,
376 0xE81F994F, 0x9528CD89, 0xFD339FED, 0xB87834BF,
377 0x5F04456D, 0x22258698, 0xC9C4C83B, 0x2DC156BE,
378 0x4F628DAA, 0x57F55EC5, 0xE2220ABE, 0xD2916EBF,
379 0x4EC75B95, 0x24F2C3C0, 0x42D15D99, 0xCD0D7FA0,
380 0x7B6E27FF, 0xA8DC8AF0, 0x7345C106, 0xF41E232F,
381 0x35162386, 0xE6EA8926, 0x3333B094, 0x157EC6F2,
382 0x372B74AF, 0x692573E4, 0xE9A9D848, 0xF3160289,
383 0x3A62EF1D, 0xA787E238, 0xF3A5F676, 0x74364853,
384 0x20951063, 0x4576698D, 0xB6FAD407, 0x592AF950,
385 0x36F73523, 0x4CFB6E87, 0x7DA4CEC0, 0x6C152DAA,
386 0xCB0396A8, 0xC50DFE5D, 0xFCD707AB, 0x0921C42F,
387 0x89DFF0BB, 0x5FE2BE78, 0x448F4F33, 0x754613C9,
388 0x2B05D08D, 0x48B9D585, 0xDC049441, 0xC8098F9B,
389 0x7DEDE786, 0xC39A3373, 0x42410005, 0x6A091751,
390 0x0EF3C8A6, 0x890072D6, 0x28207682, 0xA9A9F7BE,
391 0xBF32679D, 0xD45B5B75, 0xB353FD00, 0xCBB0E358,
392 0x830F220A, 0x1F8FB214, 0xD372CF08, 0xCC3C4A13,
393 0x8CF63166, 0x061C87BE, 0x88C98F88, 0x6062E397,
394 0x47CF8E7A, 0xB6C85283, 0x3CC2ACFB, 0x3FC06976,
395 0x4E8F0252, 0x64D8314D, 0xDA3870E3, 0x1E665459,
396 0xC10908F0, 0x513021A5, 0x6C5B68B7, 0x822F8AA0,
397 0x3007CD3E, 0x74719EEF, 0xDC872681, 0x073340D4,
398 0x7E432FD9, 0x0C5EC241, 0x8809286C, 0xF592D891,
399 0x08A930F6, 0x957EF305, 0xB7FBFFBD, 0xC266E96F,
400 0x6FE4AC98, 0xB173ECC0, 0xBC60B42A, 0x953498DA,
401 0xFBA1AE12, 0x2D4BD736, 0x0F25FAAB, 0xA4F3FCEB,
402 0xE2969123, 0x257F0C3D, 0x9348AF49, 0x361400BC,
403 0xE8816F4A, 0x3814F200, 0xA3F94043, 0x9C7A54C2,
404 0xBC704F57, 0xDA41E7F9, 0xC25AD33A, 0x54F4A084,
405 0xB17F5505, 0x59357CBE, 0xEDBD15C8, 0x7F97C5AB,
406 0xBA5AC7B5, 0xB6F6DEAF, 0x3A479C3A, 0x5302DA25,
407 0x653D7E6A, 0x54268D49, 0x51A477EA, 0x5017D55B,
408 0xD7D25D88, 0x44136C76, 0x0404A8C8, 0xB8E5A121,
409 0xB81A928A, 0x60ED5869, 0x97C55B96, 0xEAEC991B,
410 0x29935913, 0x01FDB7F1, 0x088E8DFA, 0x9AB6F6F5,
411 0x3B4CBF9F, 0x4A5DE3AB, 0xE6051D35, 0xA0E1D855,
412 0xD36B4CF1, 0xF544EDEB, 0xB0E93524, 0xBEBB8FBD,
413 0xA2D762CF, 0x49C92F54, 0x38B5F331, 0x7128A454,
414 0x48392905, 0xA65B1DB8, 0x851C97BD, 0xD675CF2F
415};
416
417static const u_int32_t cast_sbox7[256] = {
418 0x85E04019, 0x332BF567, 0x662DBFFF, 0xCFC65693,
419 0x2A8D7F6F, 0xAB9BC912, 0xDE6008A1, 0x2028DA1F,
420 0x0227BCE7, 0x4D642916, 0x18FAC300, 0x50F18B82,
421 0x2CB2CB11, 0xB232E75C, 0x4B3695F2, 0xB28707DE,
422 0xA05FBCF6, 0xCD4181E9, 0xE150210C, 0xE24EF1BD,
423 0xB168C381, 0xFDE4E789, 0x5C79B0D8, 0x1E8BFD43,
424 0x4D495001, 0x38BE4341, 0x913CEE1D, 0x92A79C3F,
425 0x089766BE, 0xBAEEADF4, 0x1286BECF, 0xB6EACB19,
426 0x2660C200, 0x7565BDE4, 0x64241F7A, 0x8248DCA9,
427 0xC3B3AD66, 0x28136086, 0x0BD8DFA8, 0x356D1CF2,
428 0x107789BE, 0xB3B2E9CE, 0x0502AA8F, 0x0BC0351E,
429 0x166BF52A, 0xEB12FF82, 0xE3486911, 0xD34D7516,
430 0x4E7B3AFF, 0x5F43671B, 0x9CF6E037, 0x4981AC83,
431 0x334266CE, 0x8C9341B7, 0xD0D854C0, 0xCB3A6C88,
432 0x47BC2829, 0x4725BA37, 0xA66AD22B, 0x7AD61F1E,
433 0x0C5CBAFA, 0x4437F107, 0xB6E79962, 0x42D2D816,
434 0x0A961288, 0xE1A5C06E, 0x13749E67, 0x72FC081A,
435 0xB1D139F7, 0xF9583745, 0xCF19DF58, 0xBEC3F756,
436 0xC06EBA30, 0x07211B24, 0x45C28829, 0xC95E317F,
437 0xBC8EC511, 0x38BC46E9, 0xC6E6FA14, 0xBAE8584A,
438 0xAD4EBC46, 0x468F508B, 0x7829435F, 0xF124183B,
439 0x821DBA9F, 0xAFF60FF4, 0xEA2C4E6D, 0x16E39264,
440 0x92544A8B, 0x009B4FC3, 0xABA68CED, 0x9AC96F78,
441 0x06A5B79A, 0xB2856E6E, 0x1AEC3CA9, 0xBE838688,
442 0x0E0804E9, 0x55F1BE56, 0xE7E5363B, 0xB3A1F25D,
443 0xF7DEBB85, 0x61FE033C, 0x16746233, 0x3C034C28,
444 0xDA6D0C74, 0x79AAC56C, 0x3CE4E1AD, 0x51F0C802,
445 0x98F8F35A, 0x1626A49F, 0xEED82B29, 0x1D382FE3,
446 0x0C4FB99A, 0xBB325778, 0x3EC6D97B, 0x6E77A6A9,
447 0xCB658B5C, 0xD45230C7, 0x2BD1408B, 0x60C03EB7,
448 0xB9068D78, 0xA33754F4, 0xF430C87D, 0xC8A71302,
449 0xB96D8C32, 0xEBD4E7BE, 0xBE8B9D2D, 0x7979FB06,
450 0xE7225308, 0x8B75CF77, 0x11EF8DA4, 0xE083C858,
451 0x8D6B786F, 0x5A6317A6, 0xFA5CF7A0, 0x5DDA0033,
452 0xF28EBFB0, 0xF5B9C310, 0xA0EAC280, 0x08B9767A,
453 0xA3D9D2B0, 0x79D34217, 0x021A718D, 0x9AC6336A,
454 0x2711FD60, 0x438050E3, 0x069908A8, 0x3D7FEDC4,
455 0x826D2BEF, 0x4EEB8476, 0x488DCF25, 0x36C9D566,
456 0x28E74E41, 0xC2610ACA, 0x3D49A9CF, 0xBAE3B9DF,
457 0xB65F8DE6, 0x92AEAF64, 0x3AC7D5E6, 0x9EA80509,
458 0xF22B017D, 0xA4173F70, 0xDD1E16C3, 0x15E0D7F9,
459 0x50B1B887, 0x2B9F4FD5, 0x625ABA82, 0x6A017962,
460 0x2EC01B9C, 0x15488AA9, 0xD716E740, 0x40055A2C,
461 0x93D29A22, 0xE32DBF9A, 0x058745B9, 0x3453DC1E,
462 0xD699296E, 0x496CFF6F, 0x1C9F4986, 0xDFE2ED07,
463 0xB87242D1, 0x19DE7EAE, 0x053E561A, 0x15AD6F8C,
464 0x66626C1C, 0x7154C24C, 0xEA082B2A, 0x93EB2939,
465 0x17DCB0F0, 0x58D4F2AE, 0x9EA294FB, 0x52CF564C,
466 0x9883FE66, 0x2EC40581, 0x763953C3, 0x01D6692E,
467 0xD3A0C108, 0xA1E7160E, 0xE4F2DFA6, 0x693ED285,
468 0x74904698, 0x4C2B0EDD, 0x4F757656, 0x5D393378,
469 0xA132234F, 0x3D321C5D, 0xC3F5E194, 0x4B269301,
470 0xC79F022F, 0x3C997E7E, 0x5E4F9504, 0x3FFAFBBD,
471 0x76F7AD0E, 0x296693F4, 0x3D1FCE6F, 0xC61E45BE,
472 0xD3B5AB34, 0xF72BF9B7, 0x1B0434C0, 0x4E72B567,
473 0x5592A33D, 0xB5229301, 0xCFD2A87F, 0x60AEB767,
474 0x1814386B, 0x30BCC33D, 0x38A0C07D, 0xFD1606F2,
475 0xC363519B, 0x589DD390, 0x5479F8E6, 0x1CB8D647,
476 0x97FD61A9, 0xEA7759F4, 0x2D57539D, 0x569A58CF,
477 0xE84E63AD, 0x462E1B78, 0x6580F87E, 0xF3817914,
478 0x91DA55F4, 0x40A230F3, 0xD1988F35, 0xB6E318D2,
479 0x3FFA50BC, 0x3D40F021, 0xC3C0BDAE, 0x4958C24C,
480 0x518F36B2, 0x84B1D370, 0x0FEDCE83, 0x878DDADA,
481 0xF2A279C7, 0x94E01BE8, 0x90716F4B, 0x954B8AA3
482};
483
484static const u_int32_t cast_sbox8[256] = {
485 0xE216300D, 0xBBDDFFFC, 0xA7EBDABD, 0x35648095,
486 0x7789F8B7, 0xE6C1121B, 0x0E241600, 0x052CE8B5,
487 0x11A9CFB0, 0xE5952F11, 0xECE7990A, 0x9386D174,
488 0x2A42931C, 0x76E38111, 0xB12DEF3A, 0x37DDDDFC,
489 0xDE9ADEB1, 0x0A0CC32C, 0xBE197029, 0x84A00940,
490 0xBB243A0F, 0xB4D137CF, 0xB44E79F0, 0x049EEDFD,
491 0x0B15A15D, 0x480D3168, 0x8BBBDE5A, 0x669DED42,
492 0xC7ECE831, 0x3F8F95E7, 0x72DF191B, 0x7580330D,
493 0x94074251, 0x5C7DCDFA, 0xABBE6D63, 0xAA402164,
494 0xB301D40A, 0x02E7D1CA, 0x53571DAE, 0x7A3182A2,
495 0x12A8DDEC, 0xFDAA335D, 0x176F43E8, 0x71FB46D4,
496 0x38129022, 0xCE949AD4, 0xB84769AD, 0x965BD862,
497 0x82F3D055, 0x66FB9767, 0x15B80B4E, 0x1D5B47A0,
498 0x4CFDE06F, 0xC28EC4B8, 0x57E8726E, 0x647A78FC,
499 0x99865D44, 0x608BD593, 0x6C200E03, 0x39DC5FF6,
500 0x5D0B00A3, 0xAE63AFF2, 0x7E8BD632, 0x70108C0C,
501 0xBBD35049, 0x2998DF04, 0x980CF42A, 0x9B6DF491,
502 0x9E7EDD53, 0x06918548, 0x58CB7E07, 0x3B74EF2E,
503 0x522FFFB1, 0xD24708CC, 0x1C7E27CD, 0xA4EB215B,
504 0x3CF1D2E2, 0x19B47A38, 0x424F7618, 0x35856039,
505 0x9D17DEE7, 0x27EB35E6, 0xC9AFF67B, 0x36BAF5B8,
506 0x09C467CD, 0xC18910B1, 0xE11DBF7B, 0x06CD1AF8,
507 0x7170C608, 0x2D5E3354, 0xD4DE495A, 0x64C6D006,
508 0xBCC0C62C, 0x3DD00DB3, 0x708F8F34, 0x77D51B42,
509 0x264F620F, 0x24B8D2BF, 0x15C1B79E, 0x46A52564,
510 0xF8D7E54E, 0x3E378160, 0x7895CDA5, 0x859C15A5,
511 0xE6459788, 0xC37BC75F, 0xDB07BA0C, 0x0676A3AB,
512 0x7F229B1E, 0x31842E7B, 0x24259FD7, 0xF8BEF472,
513 0x835FFCB8, 0x6DF4C1F2, 0x96F5B195, 0xFD0AF0FC,
514 0xB0FE134C, 0xE2506D3D, 0x4F9B12EA, 0xF215F225,
515 0xA223736F, 0x9FB4C428, 0x25D04979, 0x34C713F8,
516 0xC4618187, 0xEA7A6E98, 0x7CD16EFC, 0x1436876C,
517 0xF1544107, 0xBEDEEE14, 0x56E9AF27, 0xA04AA441,
518 0x3CF7C899, 0x92ECBAE6, 0xDD67016D, 0x151682EB,
519 0xA842EEDF, 0xFDBA60B4, 0xF1907B75, 0x20E3030F,
520 0x24D8C29E, 0xE139673B, 0xEFA63FB8, 0x71873054,
521 0xB6F2CF3B, 0x9F326442, 0xCB15A4CC, 0xB01A4504,
522 0xF1E47D8D, 0x844A1BE5, 0xBAE7DFDC, 0x42CBDA70,
523 0xCD7DAE0A, 0x57E85B7A, 0xD53F5AF6, 0x20CF4D8C,
524 0xCEA4D428, 0x79D130A4, 0x3486EBFB, 0x33D3CDDC,
525 0x77853B53, 0x37EFFCB5, 0xC5068778, 0xE580B3E6,
526 0x4E68B8F4, 0xC5C8B37E, 0x0D809EA2, 0x398FEB7C,
527 0x132A4F94, 0x43B7950E, 0x2FEE7D1C, 0x223613BD,
528 0xDD06CAA2, 0x37DF932B, 0xC4248289, 0xACF3EBC3,
529 0x5715F6B7, 0xEF3478DD, 0xF267616F, 0xC148CBE4,
530 0x9052815E, 0x5E410FAB, 0xB48A2465, 0x2EDA7FA4,
531 0xE87B40E4, 0xE98EA084, 0x5889E9E1, 0xEFD390FC,
532 0xDD07D35B, 0xDB485694, 0x38D7E5B2, 0x57720101,
533 0x730EDEBC, 0x5B643113, 0x94917E4F, 0x503C2FBA,
534 0x646F1282, 0x7523D24A, 0xE0779695, 0xF9C17A8F,
535 0x7A5B2121, 0xD187B896, 0x29263A4D, 0xBA510CDF,
536 0x81F47C9F, 0xAD1163ED, 0xEA7B5965, 0x1A00726E,
537 0x11403092, 0x00DA6D77, 0x4A0CDD61, 0xAD1F4603,
538 0x605BDFB0, 0x9EEDC364, 0x22EBE6A8, 0xCEE7D28A,
539 0xA0E736A0, 0x5564A6B9, 0x10853209, 0xC7EB8F37,
540 0x2DE705CA, 0x8951570F, 0xDF09822B, 0xBD691A6C,
541 0xAA12E4F2, 0x87451C0F, 0xE0F6A27A, 0x3ADA4819,
542 0x4CF1764F, 0x0D771C2B, 0x67CDB156, 0x350D8384,
543 0x5938FA0F, 0x42399EF3, 0x36997B07, 0x0E84093D,
544 0x4AA93E61, 0x8360D87B, 0x1FA98B0C, 0x1149382C,
545 0xE97625A5, 0x0614D1B7, 0x0E25244B, 0x0C768347,
546 0x589E8D82, 0x0D2059D1, 0xA466BB1E, 0xF8DA0A82,
547 0x04F19130, 0xBA6E4EC0, 0x99265164, 0x1EE7230D,
548 0x50B2AD80, 0xEAEE6801, 0x8DB2A283, 0xEA8BF59E
549};
550
551/* Macros to access 8-bit bytes out of a 32-bit word */
552#define U8a(x) ( (u_int8_t) (x>>24) )
553#define U8b(x) ( (u_int8_t) ((x>>16)&255) )
554#define U8c(x) ( (u_int8_t) ((x>>8)&255) )
555#define U8d(x) ( (u_int8_t) ((x)&255) )
556
557/* Circular left shift */
558#define ROL(x, n) ( ((x)<<(n)) | ((x)>>(32-(n))) )
559
560/* CAST-128 uses three different round functions */
561#define F1(l, r, i) \
562 t = ROL(key->xkey[i] + r, key->xkey[i+16]); \
563 l ^= ((cast_sbox1[U8a(t)] ^ cast_sbox2[U8b(t)]) - \
564 cast_sbox3[U8c(t)]) + cast_sbox4[U8d(t)];
565#define F2(l, r, i) \
566 t = ROL(key->xkey[i] ^ r, key->xkey[i+16]); \
567 l ^= ((cast_sbox1[U8a(t)] - cast_sbox2[U8b(t)]) + \
568 cast_sbox3[U8c(t)]) ^ cast_sbox4[U8d(t)];
569#define F3(l, r, i) \
570 t = ROL(key->xkey[i] - r, key->xkey[i+16]); \
571 l ^= ((cast_sbox1[U8a(t)] + cast_sbox2[U8b(t)]) ^ \
572 cast_sbox3[U8c(t)]) - cast_sbox4[U8d(t)];
573
574
575/***** Encryption Function *****/
576
577void
578cast_encrypt(cast_key* key, u_int8_t* inblock, u_int8_t* outblock)
579{
580 u_int32_t t, l, r;
581
582 /* Get inblock into l,r */
583 l = ((u_int32_t)inblock[0] << 24) | ((u_int32_t)inblock[1] << 16) |
584 ((u_int32_t)inblock[2] << 8) | (u_int32_t)inblock[3];
585 r = ((u_int32_t)inblock[4] << 24) | ((u_int32_t)inblock[5] << 16) |
586 ((u_int32_t)inblock[6] << 8) | (u_int32_t)inblock[7];
587 /* Do the work */
588 F1(l, r, 0);
589 F2(r, l, 1);
590 F3(l, r, 2);
591 F1(r, l, 3);
592 F2(l, r, 4);
593 F3(r, l, 5);
594 F1(l, r, 6);
595 F2(r, l, 7);
596 F3(l, r, 8);
597 F1(r, l, 9);
598 F2(l, r, 10);
599 F3(r, l, 11);
600 /* Only do full 16 rounds if key length > 80 bits */
601 if (key->rounds > 12) {
602 F1(l, r, 12);
603 F2(r, l, 13);
604 F3(l, r, 14);
605 F1(r, l, 15);
606 }
607 /* Put l,r into outblock */
608 outblock[0] = U8a(r);
609 outblock[1] = U8b(r);
610 outblock[2] = U8c(r);
611 outblock[3] = U8d(r);
612 outblock[4] = U8a(l);
613 outblock[5] = U8b(l);
614 outblock[6] = U8c(l);
615 outblock[7] = U8d(l);
616 /* Wipe clean */
617 t = l = r = 0;
618}
619
620
621/***** Decryption Function *****/
622
623void
624cast_decrypt(cast_key* key, u_int8_t* inblock, u_int8_t* outblock)
625{
626 u_int32_t t, l, r;
627
628 /* Get inblock into l,r */
629 r = ((u_int32_t)inblock[0] << 24) | ((u_int32_t)inblock[1] << 16) |
630 ((u_int32_t)inblock[2] << 8) | (u_int32_t)inblock[3];
631 l = ((u_int32_t)inblock[4] << 24) | ((u_int32_t)inblock[5] << 16) |
632 ((u_int32_t)inblock[6] << 8) | (u_int32_t)inblock[7];
633 /* Do the work */
634 /* Only do full 16 rounds if key length > 80 bits */
635 if (key->rounds > 12) {
636 F1(r, l, 15);
637 F3(l, r, 14);
638 F2(r, l, 13);
639 F1(l, r, 12);
640 }
641 F3(r, l, 11);
642 F2(l, r, 10);
643 F1(r, l, 9);
644 F3(l, r, 8);
645 F2(r, l, 7);
646 F1(l, r, 6);
647 F3(r, l, 5);
648 F2(l, r, 4);
649 F1(r, l, 3);
650 F3(l, r, 2);
651 F2(r, l, 1);
652 F1(l, r, 0);
653 /* Put l,r into outblock */
654 outblock[0] = U8a(l);
655 outblock[1] = U8b(l);
656 outblock[2] = U8c(l);
657 outblock[3] = U8d(l);
658 outblock[4] = U8a(r);
659 outblock[5] = U8b(r);
660 outblock[6] = U8c(r);
661 outblock[7] = U8d(r);
662 /* Wipe clean */
663 t = l = r = 0;
664}
665
666
667/***** Key Schedual *****/
668
669void
670cast_setkey(cast_key* key, u_int8_t* rawkey, int keybytes)
671{
672 u_int32_t t[4], z[4], x[4];
673 int i;
674
675 /* Set number of rounds to 12 or 16, depending on key length */
676 key->rounds = (keybytes <= 10 ? 12 : 16);
677
678 /* Copy key to workspace x */
679 for (i = 0; i < 4; i++) {
680 x[i] = 0;
681 if ((i*4+0) < keybytes) x[i] = (u_int32_t)rawkey[i*4+0] << 24;
682 if ((i*4+1) < keybytes) x[i] |= (u_int32_t)rawkey[i*4+1] << 16;
683 if ((i*4+2) < keybytes) x[i] |= (u_int32_t)rawkey[i*4+2] << 8;
684 if ((i*4+3) < keybytes) x[i] |= (u_int32_t)rawkey[i*4+3];
685 }
686 /* Generate 32 subkeys, four at a time */
687 for (i = 0; i < 32; i+=4) {
688 switch (i & 4) {
689 case 0:
690 t[0] = z[0] = x[0] ^ cast_sbox5[U8b(x[3])] ^
691 cast_sbox6[U8d(x[3])] ^ cast_sbox7[U8a(x[3])] ^
692 cast_sbox8[U8c(x[3])] ^ cast_sbox7[U8a(x[2])];
693 t[1] = z[1] = x[2] ^ cast_sbox5[U8a(z[0])] ^
694 cast_sbox6[U8c(z[0])] ^ cast_sbox7[U8b(z[0])] ^
695 cast_sbox8[U8d(z[0])] ^ cast_sbox8[U8c(x[2])];
696 t[2] = z[2] = x[3] ^ cast_sbox5[U8d(z[1])] ^
697 cast_sbox6[U8c(z[1])] ^ cast_sbox7[U8b(z[1])] ^
698 cast_sbox8[U8a(z[1])] ^ cast_sbox5[U8b(x[2])];
699 t[3] = z[3] = x[1] ^ cast_sbox5[U8c(z[2])] ^
700 cast_sbox6[U8b(z[2])] ^ cast_sbox7[U8d(z[2])] ^
701 cast_sbox8[U8a(z[2])] ^ cast_sbox6[U8d(x[2])];
702 break;
703 case 4:
704 t[0] = x[0] = z[2] ^ cast_sbox5[U8b(z[1])] ^
705 cast_sbox6[U8d(z[1])] ^ cast_sbox7[U8a(z[1])] ^
706 cast_sbox8[U8c(z[1])] ^ cast_sbox7[U8a(z[0])];
707 t[1] = x[1] = z[0] ^ cast_sbox5[U8a(x[0])] ^
708 cast_sbox6[U8c(x[0])] ^ cast_sbox7[U8b(x[0])] ^
709 cast_sbox8[U8d(x[0])] ^ cast_sbox8[U8c(z[0])];
710 t[2] = x[2] = z[1] ^ cast_sbox5[U8d(x[1])] ^
711 cast_sbox6[U8c(x[1])] ^ cast_sbox7[U8b(x[1])] ^
712 cast_sbox8[U8a(x[1])] ^ cast_sbox5[U8b(z[0])];
713 t[3] = x[3] = z[3] ^ cast_sbox5[U8c(x[2])] ^
714 cast_sbox6[U8b(x[2])] ^ cast_sbox7[U8d(x[2])] ^
715 cast_sbox8[U8a(x[2])] ^ cast_sbox6[U8d(z[0])];
716 break;
717 }
718 switch (i & 12) {
719 case 0:
720 case 12:
721 key->xkey[i+0] = cast_sbox5[U8a(t[2])] ^
722 cast_sbox6[U8b(t[2])] ^ cast_sbox7[U8d(t[1])] ^
723 cast_sbox8[U8c(t[1])];
724 key->xkey[i+1] = cast_sbox5[U8c(t[2])] ^
725 cast_sbox6[U8d(t[2])] ^ cast_sbox7[U8b(t[1])] ^
726 cast_sbox8[U8a(t[1])];
727 key->xkey[i+2] = cast_sbox5[U8a(t[3])] ^
728 cast_sbox6[U8b(t[3])] ^ cast_sbox7[U8d(t[0])] ^
729 cast_sbox8[U8c(t[0])];
730 key->xkey[i+3] = cast_sbox5[U8c(t[3])] ^
731 cast_sbox6[U8d(t[3])] ^ cast_sbox7[U8b(t[0])] ^
732 cast_sbox8[U8a(t[0])];
733 break;
734 case 4:
735 case 8:
736 key->xkey[i+0] = cast_sbox5[U8d(t[0])] ^
737 cast_sbox6[U8c(t[0])] ^ cast_sbox7[U8a(t[3])] ^
738 cast_sbox8[U8b(t[3])];
739 key->xkey[i+1] = cast_sbox5[U8b(t[0])] ^
740 cast_sbox6[U8a(t[0])] ^ cast_sbox7[U8c(t[3])] ^
741 cast_sbox8[U8d(t[3])];
742 key->xkey[i+2] = cast_sbox5[U8d(t[1])] ^
743 cast_sbox6[U8c(t[1])] ^ cast_sbox7[U8a(t[2])] ^
744 cast_sbox8[U8b(t[2])];
745 key->xkey[i+3] = cast_sbox5[U8b(t[1])] ^
746 cast_sbox6[U8a(t[1])] ^ cast_sbox7[U8c(t[2])] ^
747 cast_sbox8[U8d(t[2])];
748 break;
749 }
750 switch (i & 12) {
751 case 0:
752 key->xkey[i+0] ^= cast_sbox5[U8c(z[0])];
753 key->xkey[i+1] ^= cast_sbox6[U8c(z[1])];
754 key->xkey[i+2] ^= cast_sbox7[U8b(z[2])];
755 key->xkey[i+3] ^= cast_sbox8[U8a(z[3])];
756 break;
757 case 4:
758 key->xkey[i+0] ^= cast_sbox5[U8a(x[2])];
759 key->xkey[i+1] ^= cast_sbox6[U8b(x[3])];
760 key->xkey[i+2] ^= cast_sbox7[U8d(x[0])];
761 key->xkey[i+3] ^= cast_sbox8[U8d(x[1])];
762 break;
763 case 8:
764 key->xkey[i+0] ^= cast_sbox5[U8b(z[2])];
765 key->xkey[i+1] ^= cast_sbox6[U8a(z[3])];
766 key->xkey[i+2] ^= cast_sbox7[U8c(z[0])];
767 key->xkey[i+3] ^= cast_sbox8[U8c(z[1])];
768 break;
769 case 12:
770 key->xkey[i+0] ^= cast_sbox5[U8d(x[0])];
771 key->xkey[i+1] ^= cast_sbox6[U8d(x[1])];
772 key->xkey[i+2] ^= cast_sbox7[U8a(x[2])];
773 key->xkey[i+3] ^= cast_sbox8[U8b(x[3])];
774 break;
775 }
776 if (i >= 16) {
777 key->xkey[i+0] &= 31;
778 key->xkey[i+1] &= 31;
779 key->xkey[i+2] &= 31;
780 key->xkey[i+3] &= 31;
781 }
782 }
783 /* Wipe clean */
784 for (i = 0; i < 4; i++) {
785 t[i] = x[i] = z[i] = 0;
786 }
787}
788
789/* Made in Canada */
790
diff --git a/src/lib/libc/crypt/crypt.3 b/src/lib/libc/crypt/crypt.3
new file mode 100644
index 0000000000..b58894d9ad
--- /dev/null
+++ b/src/lib/libc/crypt/crypt.3
@@ -0,0 +1,324 @@
1.\" $OpenBSD: crypt.3,v 1.27 2007/10/08 11:55:27 pyr Exp $
2.\"
3.\" FreeSec: libcrypt
4.\"
5.\" Copyright (c) 1994 David Burren
6.\" All rights reserved.
7.\"
8.\" Redistribution and use in source and binary forms, with or without
9.\" modification, are permitted provided that the following conditions
10.\" are met:
11.\" 1. Redistributions of source code must retain the above copyright
12.\" notice, this list of conditions and the following disclaimer.
13.\" 2. Redistributions in binary form must reproduce the above copyright
14.\" notice, this list of conditions and the following disclaimer in the
15.\" documentation and/or other materials provided with the distribution.
16.\" 4. Neither the name of the author nor the names of other contributors
17.\" may be used to endorse or promote products derived from this software
18.\" without specific prior written permission.
19.\"
20.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
21.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
24.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30.\" SUCH DAMAGE.
31.\"
32.\" Manual page, using -mandoc macros
33.\"
34.Dd $Mdocdate: October 8 2007 $
35.Dt CRYPT 3
36.Os
37.Sh NAME
38.Nm crypt ,
39.Nm setkey ,
40.Nm encrypt ,
41.Nm des_setkey ,
42.Nm des_cipher ,
43.Nm bcrypt_gensalt ,
44.Nm bcrypt ,
45.Nm md5crypt
46.Nd DES encryption
47.Sh SYNOPSIS
48.Fd #include <pwd.h>
49.Fd #include <unistd.h>
50.Ft char *
51.Fn crypt "const char *key" "const char *setting"
52.Ft int
53.Fn setkey "const char *key"
54.Ft int
55.Fn encrypt "char *block" "int flag"
56.Ft int
57.Fn des_setkey "const char *key"
58.Ft int
59.Fn des_cipher "const char *in" "char *out" "int32_t salt" "int count"
60.Ft char *
61.Fn bcrypt_gensalt "u_int8_t log_rounds"
62.Ft char *
63.Fn bcrypt "const char *key" "const char *salt"
64.Ft char *
65.Fn md5crypt "const char *key" "const char *salt"
66.Sh DESCRIPTION
67The
68.Fn crypt
69function performs password encryption based on the
70.Tn NBS
71Data Encryption Standard (DES).
72Additional code has been added to deter key search attempts and to use
73stronger hashing algorithms.
74.Pp
75The first argument to
76.Fn crypt
77is a
78.Dv NUL Ns -terminated
79string, typically a user's typed password.
80The second is in one of three forms:
81if it begins with an underscore
82.Pq Ql _
83then an extended format is used
84in interpreting both the key and the setting, as outlined below.
85If it begins
86with a string character
87.Pq Ql $
88and a number then a different algorithm is used depending on the number.
89At the moment a
90.Ql $1
91chooses MD5 hashing and a
92.Ql $2
93chooses Blowfish hashing; see below for more information.
94.Ss Extended crypt
95The
96.Ar key
97is divided into groups of 8 characters (the last group is null-padded)
98and the low-order 7 bits of each character (56 bits per group) are
99used to form the DES key as follows:
100the first group of 56 bits becomes the initial DES key.
101For each additional group, the XOR of the encryption of the current DES
102key with itself and the group bits becomes the next DES key.
103.Pp
104The setting is a 9-character array consisting of an underscore followed
105by 4 bytes of iteration count and 4 bytes of salt.
106These are encoded as printable characters, 6 bits per character,
107least significant character first.
108The values 0 to 63 are encoded as
109.Dq \&./0-9A-Za-z .
110This allows 24 bits for both
111.Fa count
112and
113.Fa salt .
114.Ss "MD5" crypt
115For
116.Tn MD5
117crypt the version number,
118.Fa salt
119and the hashed password are separated by the
120.Ql $
121character.
122The maximum length of a password is limited by
123the length counter of the MD5 context, which is about
1242**64.
125A valid MD5 password entry looks like this:
126.Pp
127.Dq $1$caeiHQwX$hsKqOjrFRRN6K32OWkCBf1 .
128.Pp
129The whole MD5 password string is passed as
130.Fa setting
131for interpretation.
132.Ss "Blowfish" crypt
133The
134.Tn Blowfish
135version of crypt has 128 bits of
136.Fa salt
137in order to make building dictionaries of common passwords space consuming.
138The initial state of the
139.Tn Blowfish
140cipher is expanded using the
141.Fa salt
142and the
143.Fa password
144repeating the process a variable number of rounds, which is encoded in
145the password string.
146The maximum password length is 72.
147The final Blowfish password entry is created by encrypting the string
148.Pp
149.Dq OrpheanBeholderScryDoubt
150.Pp
151with the
152.Tn Blowfish
153state 64 times.
154.Pp
155The version number, the logarithm of the number of rounds and
156the concatenation of salt and hashed password are separated by the
157.Ql $
158character.
159An encoded
160.Sq 8
161would specify 256 rounds.
162A valid Blowfish password looks like this:
163.Pp
164.Dq $2a$12$eIAq8PR8sIUnJ1HaohxX2O9x9Qlm2vK97LJ5dsXdmB.eXF42qjchC .
165.Pp
166The whole Blowfish password string is passed as
167.Fa setting
168for interpretation.
169.Ss "Traditional" crypt
170The first 8 bytes of the key are null-padded, and the low-order 7 bits of
171each character is used to form the 56-bit
172.Tn DES
173key.
174.Pp
175The setting is a 2-character array of the ASCII-encoded salt.
176Thus only 12 bits of
177.Fa salt
178are used.
179.Fa count
180is set to 25.
181.Ss DES Algorithm
182The
183.Fa salt
184introduces disorder in the
185.Tn DES
186algorithm in one of 16777216 or 4096 possible ways
187(i.e., with 24 or 12 bits: if bit
188.Em i
189of the
190.Ar salt
191is set, then bits
192.Em i
193and
194.Em i+24
195are swapped in the
196.Tn DES
197E-box output).
198.Pp
199The DES key is used to encrypt a 64-bit constant using
200.Ar count
201iterations of
202.Tn DES .
203The value returned is a
204.Dv NUL Ns -terminated
205string, 20 or 13 bytes (plus NUL) in length, consisting of the
206.Ar setting
207followed by the encoded 64-bit encryption.
208.Pp
209The functions
210.Fn encrypt ,
211.Fn setkey ,
212.Fn des_setkey ,
213and
214.Fn des_cipher
215provide access to the
216.Tn DES
217algorithm itself.
218.Fn setkey
219is passed a 64-byte array of binary values (numeric 0 or 1).
220A 56-bit key is extracted from this array by dividing the
221array into groups of 8, and ignoring the last bit in each group.
222That bit is reserved for a byte parity check by DES, but is ignored
223by these functions.
224.Pp
225The
226.Fa block
227argument to
228.Fn encrypt
229is also a 64-byte array of binary values.
230If the value of
231.Fa flag
232is 0,
233.Fa block
234is encrypted otherwise it is decrypted.
235The result is returned in the original array
236.Fa block
237after using the key specified by
238.Fn setkey
239to process it.
240.Pp
241The argument to
242.Fn des_setkey
243is a character array of length 8.
244The least significant bit (the parity bit) in each character is ignored,
245and the remaining bits are concatenated to form a 56-bit key.
246The function
247.Fn des_cipher
248encrypts (or decrypts if
249.Fa count
250is negative) the 64-bits stored in the 8 characters at
251.Fa in
252using
253.Xr abs 3
254of
255.Fa count
256iterations of
257.Tn DES
258and stores the 64-bit result in the 8 characters at
259.Fa out
260(which may be the same as
261.Fa in ) .
262The
263.Fa salt
264specifies perturbations to the
265.Tn DES
266E-box output as described above.
267.Pp
268The
269.Fn crypt ,
270.Fn setkey ,
271and
272.Fn des_setkey
273functions all manipulate the same key space.
274.Sh RETURN VALUES
275The function
276.Fn crypt
277returns a pointer to the encrypted value on success, and
278.Dv NULL
279on failure.
280The functions
281.Fn setkey ,
282.Fn encrypt ,
283.Fn des_setkey ,
284and
285.Fn des_cipher
286return 0 on success and 1 on failure.
287.Sh SEE ALSO
288.Xr login 1 ,
289.Xr passwd 1 ,
290.Xr blowfish 3 ,
291.Xr getpass 3 ,
292.Xr md5 3 ,
293.Xr passwd 5
294.Sh HISTORY
295A rotor-based
296.Fn crypt
297function appeared in
298.At v3 .
299The current style
300.Fn crypt
301first appeared in
302.At v7 .
303.Pp
304This library (FreeSec 1.0) was developed outside the United States of America
305as an unencumbered replacement for the U.S.-only libcrypt encryption
306library.
307Programs linked against the
308.Fn crypt
309interface may be exported from the U.S.A. only if they use
310.Fn crypt
311solely for authentication purposes and avoid use of
312the other programmer interfaces listed above.
313Special care has been taken
314in the library so that programs which only use the
315.Fn crypt
316interface do not pull in the other components.
317.Sh AUTHORS
318.An David Burren Aq davidb@werj.com.au
319.Sh BUGS
320The
321.Fn crypt
322function returns a pointer to static data, and subsequent calls to
323.Fn crypt
324will modify the same object.
diff --git a/src/lib/libc/crypt/crypt.c b/src/lib/libc/crypt/crypt.c
new file mode 100644
index 0000000000..15a784532d
--- /dev/null
+++ b/src/lib/libc/crypt/crypt.c
@@ -0,0 +1,696 @@
1/* $OpenBSD: crypt.c,v 1.20 2005/08/08 08:05:33 espie Exp $ */
2
3/*
4 * FreeSec: libcrypt
5 *
6 * Copyright (c) 1994 David Burren
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 4. Neither the name of the author nor the names of other contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 *
33 *
34 * This is an original implementation of the DES and the crypt(3) interfaces
35 * by David Burren <davidb@werj.com.au>.
36 *
37 * An excellent reference on the underlying algorithm (and related
38 * algorithms) is:
39 *
40 * B. Schneier, Applied Cryptography: protocols, algorithms,
41 * and source code in C, John Wiley & Sons, 1994.
42 *
43 * Note that in that book's description of DES the lookups for the initial,
44 * pbox, and final permutations are inverted (this has been brought to the
45 * attention of the author). A list of errata for this book has been
46 * posted to the sci.crypt newsgroup by the author and is available for FTP.
47 */
48
49#include <sys/types.h>
50#include <sys/param.h>
51#include <pwd.h>
52#include <unistd.h>
53#include <string.h>
54
55#ifdef DEBUG
56# include <stdio.h>
57#endif
58
59static const u_char IP[64] = {
60 58, 50, 42, 34, 26, 18, 10, 2, 60, 52, 44, 36, 28, 20, 12, 4,
61 62, 54, 46, 38, 30, 22, 14, 6, 64, 56, 48, 40, 32, 24, 16, 8,
62 57, 49, 41, 33, 25, 17, 9, 1, 59, 51, 43, 35, 27, 19, 11, 3,
63 61, 53, 45, 37, 29, 21, 13, 5, 63, 55, 47, 39, 31, 23, 15, 7
64};
65
66static u_char inv_key_perm[64];
67static u_char u_key_perm[56];
68static u_char const key_perm[56] = {
69 57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18,
70 10, 2, 59, 51, 43, 35, 27, 19, 11, 3, 60, 52, 44, 36,
71 63, 55, 47, 39, 31, 23, 15, 7, 62, 54, 46, 38, 30, 22,
72 14, 6, 61, 53, 45, 37, 29, 21, 13, 5, 28, 20, 12, 4
73};
74
75static const u_char key_shifts[16] = {
76 1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1
77};
78
79static u_char inv_comp_perm[56];
80static const u_char comp_perm[48] = {
81 14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10,
82 23, 19, 12, 4, 26, 8, 16, 7, 27, 20, 13, 2,
83 41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48,
84 44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32
85};
86
87/*
88 * No E box is used, as it's replaced by some ANDs, shifts, and ORs.
89 */
90
91static u_char u_sbox[8][64];
92static const u_char sbox[8][64] = {
93 {
94 14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7,
95 0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8,
96 4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0,
97 15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13
98 },
99 {
100 15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10,
101 3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5,
102 0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15,
103 13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9
104 },
105 {
106 10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8,
107 13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1,
108 13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7,
109 1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12
110 },
111 {
112 7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15,
113 13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9,
114 10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4,
115 3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14
116 },
117 {
118 2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9,
119 14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6,
120 4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14,
121 11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3
122 },
123 {
124 12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11,
125 10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8,
126 9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6,
127 4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13
128 },
129 {
130 4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1,
131 13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6,
132 1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2,
133 6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12
134 },
135 {
136 13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7,
137 1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2,
138 7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8,
139 2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11
140 }
141};
142
143static u_char un_pbox[32];
144static const u_char pbox[32] = {
145 16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10,
146 2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25
147};
148
149const u_int32_t _des_bits32[32] =
150{
151 0x80000000, 0x40000000, 0x20000000, 0x10000000,
152 0x08000000, 0x04000000, 0x02000000, 0x01000000,
153 0x00800000, 0x00400000, 0x00200000, 0x00100000,
154 0x00080000, 0x00040000, 0x00020000, 0x00010000,
155 0x00008000, 0x00004000, 0x00002000, 0x00001000,
156 0x00000800, 0x00000400, 0x00000200, 0x00000100,
157 0x00000080, 0x00000040, 0x00000020, 0x00000010,
158 0x00000008, 0x00000004, 0x00000002, 0x00000001
159};
160
161const u_char _des_bits8[8] = { 0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02, 0x01 };
162
163static u_int32_t saltbits;
164static int32_t old_salt;
165static const u_int32_t *bits28, *bits24;
166static u_char init_perm[64], final_perm[64];
167static u_int32_t en_keysl[16], en_keysr[16];
168static u_int32_t de_keysl[16], de_keysr[16];
169int _des_initialised = 0;
170static u_char m_sbox[4][4096];
171static u_int32_t psbox[4][256];
172static u_int32_t ip_maskl[8][256], ip_maskr[8][256];
173static u_int32_t fp_maskl[8][256], fp_maskr[8][256];
174static u_int32_t key_perm_maskl[8][128], key_perm_maskr[8][128];
175static u_int32_t comp_maskl[8][128], comp_maskr[8][128];
176static u_int32_t old_rawkey0, old_rawkey1;
177
178static u_char ascii64[] =
179 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
180/* 0000000000111111111122222222223333333333444444444455555555556666 */
181/* 0123456789012345678901234567890123456789012345678901234567890123 */
182
183static __inline int
184ascii_to_bin(char ch)
185{
186 if (ch > 'z')
187 return(0);
188 if (ch >= 'a')
189 return(ch - 'a' + 38);
190 if (ch > 'Z')
191 return(0);
192 if (ch >= 'A')
193 return(ch - 'A' + 12);
194 if (ch > '9')
195 return(0);
196 if (ch >= '.')
197 return(ch - '.');
198 return(0);
199}
200
201void
202_des_init(void)
203{
204 int i, j, b, k, inbit, obit;
205 u_int32_t *p, *il, *ir, *fl, *fr;
206
207 old_rawkey0 = old_rawkey1 = 0;
208 saltbits = 0;
209 old_salt = 0;
210 bits24 = (bits28 = _des_bits32 + 4) + 4;
211
212 /*
213 * Invert the S-boxes, reordering the input bits.
214 */
215 for (i = 0; i < 8; i++)
216 for (j = 0; j < 64; j++) {
217 b = (j & 0x20) | ((j & 1) << 4) | ((j >> 1) & 0xf);
218 u_sbox[i][j] = sbox[i][b];
219 }
220
221 /*
222 * Convert the inverted S-boxes into 4 arrays of 8 bits.
223 * Each will handle 12 bits of the S-box input.
224 */
225 for (b = 0; b < 4; b++)
226 for (i = 0; i < 64; i++)
227 for (j = 0; j < 64; j++)
228 m_sbox[b][(i << 6) | j] =
229 (u_sbox[(b << 1)][i] << 4) |
230 u_sbox[(b << 1) + 1][j];
231
232 /*
233 * Set up the initial & final permutations into a useful form, and
234 * initialise the inverted key permutation.
235 */
236 for (i = 0; i < 64; i++) {
237 init_perm[final_perm[i] = IP[i] - 1] = i;
238 inv_key_perm[i] = 255;
239 }
240
241 /*
242 * Invert the key permutation and initialise the inverted key
243 * compression permutation.
244 */
245 for (i = 0; i < 56; i++) {
246 u_key_perm[i] = key_perm[i] - 1;
247 inv_key_perm[key_perm[i] - 1] = i;
248 inv_comp_perm[i] = 255;
249 }
250
251 /*
252 * Invert the key compression permutation.
253 */
254 for (i = 0; i < 48; i++) {
255 inv_comp_perm[comp_perm[i] - 1] = i;
256 }
257
258 /*
259 * Set up the OR-mask arrays for the initial and final permutations,
260 * and for the key initial and compression permutations.
261 */
262 for (k = 0; k < 8; k++) {
263 for (i = 0; i < 256; i++) {
264 *(il = &ip_maskl[k][i]) = 0;
265 *(ir = &ip_maskr[k][i]) = 0;
266 *(fl = &fp_maskl[k][i]) = 0;
267 *(fr = &fp_maskr[k][i]) = 0;
268 for (j = 0; j < 8; j++) {
269 inbit = 8 * k + j;
270 if (i & _des_bits8[j]) {
271 if ((obit = init_perm[inbit]) < 32)
272 *il |= _des_bits32[obit];
273 else
274 *ir |= _des_bits32[obit-32];
275 if ((obit = final_perm[inbit]) < 32)
276 *fl |= _des_bits32[obit];
277 else
278 *fr |= _des_bits32[obit - 32];
279 }
280 }
281 }
282 for (i = 0; i < 128; i++) {
283 *(il = &key_perm_maskl[k][i]) = 0;
284 *(ir = &key_perm_maskr[k][i]) = 0;
285 for (j = 0; j < 7; j++) {
286 inbit = 8 * k + j;
287 if (i & _des_bits8[j + 1]) {
288 if ((obit = inv_key_perm[inbit]) == 255)
289 continue;
290 if (obit < 28)
291 *il |= bits28[obit];
292 else
293 *ir |= bits28[obit - 28];
294 }
295 }
296 *(il = &comp_maskl[k][i]) = 0;
297 *(ir = &comp_maskr[k][i]) = 0;
298 for (j = 0; j < 7; j++) {
299 inbit = 7 * k + j;
300 if (i & _des_bits8[j + 1]) {
301 if ((obit=inv_comp_perm[inbit]) == 255)
302 continue;
303 if (obit < 24)
304 *il |= bits24[obit];
305 else
306 *ir |= bits24[obit - 24];
307 }
308 }
309 }
310 }
311
312 /*
313 * Invert the P-box permutation, and convert into OR-masks for
314 * handling the output of the S-box arrays setup above.
315 */
316 for (i = 0; i < 32; i++)
317 un_pbox[pbox[i] - 1] = i;
318
319 for (b = 0; b < 4; b++)
320 for (i = 0; i < 256; i++) {
321 *(p = &psbox[b][i]) = 0;
322 for (j = 0; j < 8; j++) {
323 if (i & _des_bits8[j])
324 *p |= _des_bits32[un_pbox[8 * b + j]];
325 }
326 }
327
328 _des_initialised = 1;
329}
330
331void
332_des_setup_salt(int32_t salt)
333{
334 u_int32_t obit, saltbit;
335 int i;
336
337 if (salt == old_salt)
338 return;
339 old_salt = salt;
340
341 saltbits = 0;
342 saltbit = 1;
343 obit = 0x800000;
344 for (i = 0; i < 24; i++) {
345 if (salt & saltbit)
346 saltbits |= obit;
347 saltbit <<= 1;
348 obit >>= 1;
349 }
350}
351
352int
353des_setkey(const char *key)
354{
355 u_int32_t k0, k1, rawkey0, rawkey1;
356 int shifts, round;
357
358 if (!_des_initialised)
359 _des_init();
360
361 rawkey0 = ntohl(*(u_int32_t *) key);
362 rawkey1 = ntohl(*(u_int32_t *) (key + 4));
363
364 if ((rawkey0 | rawkey1)
365 && rawkey0 == old_rawkey0
366 && rawkey1 == old_rawkey1) {
367 /*
368 * Already setup for this key.
369 * This optimisation fails on a zero key (which is weak and
370 * has bad parity anyway) in order to simplify the starting
371 * conditions.
372 */
373 return(0);
374 }
375 old_rawkey0 = rawkey0;
376 old_rawkey1 = rawkey1;
377
378 /*
379 * Do key permutation and split into two 28-bit subkeys.
380 */
381 k0 = key_perm_maskl[0][rawkey0 >> 25]
382 | key_perm_maskl[1][(rawkey0 >> 17) & 0x7f]
383 | key_perm_maskl[2][(rawkey0 >> 9) & 0x7f]
384 | key_perm_maskl[3][(rawkey0 >> 1) & 0x7f]
385 | key_perm_maskl[4][rawkey1 >> 25]
386 | key_perm_maskl[5][(rawkey1 >> 17) & 0x7f]
387 | key_perm_maskl[6][(rawkey1 >> 9) & 0x7f]
388 | key_perm_maskl[7][(rawkey1 >> 1) & 0x7f];
389 k1 = key_perm_maskr[0][rawkey0 >> 25]
390 | key_perm_maskr[1][(rawkey0 >> 17) & 0x7f]
391 | key_perm_maskr[2][(rawkey0 >> 9) & 0x7f]
392 | key_perm_maskr[3][(rawkey0 >> 1) & 0x7f]
393 | key_perm_maskr[4][rawkey1 >> 25]
394 | key_perm_maskr[5][(rawkey1 >> 17) & 0x7f]
395 | key_perm_maskr[6][(rawkey1 >> 9) & 0x7f]
396 | key_perm_maskr[7][(rawkey1 >> 1) & 0x7f];
397 /*
398 * Rotate subkeys and do compression permutation.
399 */
400 shifts = 0;
401 for (round = 0; round < 16; round++) {
402 u_int32_t t0, t1;
403
404 shifts += key_shifts[round];
405
406 t0 = (k0 << shifts) | (k0 >> (28 - shifts));
407 t1 = (k1 << shifts) | (k1 >> (28 - shifts));
408
409 de_keysl[15 - round] =
410 en_keysl[round] = comp_maskl[0][(t0 >> 21) & 0x7f]
411 | comp_maskl[1][(t0 >> 14) & 0x7f]
412 | comp_maskl[2][(t0 >> 7) & 0x7f]
413 | comp_maskl[3][t0 & 0x7f]
414 | comp_maskl[4][(t1 >> 21) & 0x7f]
415 | comp_maskl[5][(t1 >> 14) & 0x7f]
416 | comp_maskl[6][(t1 >> 7) & 0x7f]
417 | comp_maskl[7][t1 & 0x7f];
418
419 de_keysr[15 - round] =
420 en_keysr[round] = comp_maskr[0][(t0 >> 21) & 0x7f]
421 | comp_maskr[1][(t0 >> 14) & 0x7f]
422 | comp_maskr[2][(t0 >> 7) & 0x7f]
423 | comp_maskr[3][t0 & 0x7f]
424 | comp_maskr[4][(t1 >> 21) & 0x7f]
425 | comp_maskr[5][(t1 >> 14) & 0x7f]
426 | comp_maskr[6][(t1 >> 7) & 0x7f]
427 | comp_maskr[7][t1 & 0x7f];
428 }
429 return(0);
430}
431
432int
433_des_do_des(u_int32_t l_in, u_int32_t r_in, u_int32_t *l_out, u_int32_t *r_out,
434 int count)
435{
436 /*
437 * l_in, r_in, l_out, and r_out are in pseudo-"big-endian" format.
438 */
439 u_int32_t l, r, *kl, *kr, *kl1, *kr1;
440 u_int32_t f, r48l, r48r;
441 int round;
442
443 if (count == 0) {
444 return(1);
445 } else if (count > 0) {
446 /*
447 * Encrypting
448 */
449 kl1 = en_keysl;
450 kr1 = en_keysr;
451 } else {
452 /*
453 * Decrypting
454 */
455 count = -count;
456 kl1 = de_keysl;
457 kr1 = de_keysr;
458 }
459
460 /*
461 * Do initial permutation (IP).
462 */
463 l = ip_maskl[0][l_in >> 24]
464 | ip_maskl[1][(l_in >> 16) & 0xff]
465 | ip_maskl[2][(l_in >> 8) & 0xff]
466 | ip_maskl[3][l_in & 0xff]
467 | ip_maskl[4][r_in >> 24]
468 | ip_maskl[5][(r_in >> 16) & 0xff]
469 | ip_maskl[6][(r_in >> 8) & 0xff]
470 | ip_maskl[7][r_in & 0xff];
471 r = ip_maskr[0][l_in >> 24]
472 | ip_maskr[1][(l_in >> 16) & 0xff]
473 | ip_maskr[2][(l_in >> 8) & 0xff]
474 | ip_maskr[3][l_in & 0xff]
475 | ip_maskr[4][r_in >> 24]
476 | ip_maskr[5][(r_in >> 16) & 0xff]
477 | ip_maskr[6][(r_in >> 8) & 0xff]
478 | ip_maskr[7][r_in & 0xff];
479
480 while (count--) {
481 /*
482 * Do each round.
483 */
484 kl = kl1;
485 kr = kr1;
486 round = 16;
487 while (round--) {
488 /*
489 * Expand R to 48 bits (simulate the E-box).
490 */
491 r48l = ((r & 0x00000001) << 23)
492 | ((r & 0xf8000000) >> 9)
493 | ((r & 0x1f800000) >> 11)
494 | ((r & 0x01f80000) >> 13)
495 | ((r & 0x001f8000) >> 15);
496
497 r48r = ((r & 0x0001f800) << 7)
498 | ((r & 0x00001f80) << 5)
499 | ((r & 0x000001f8) << 3)
500 | ((r & 0x0000001f) << 1)
501 | ((r & 0x80000000) >> 31);
502 /*
503 * Do salting for crypt() and friends, and
504 * XOR with the permuted key.
505 */
506 f = (r48l ^ r48r) & saltbits;
507 r48l ^= f ^ *kl++;
508 r48r ^= f ^ *kr++;
509 /*
510 * Do sbox lookups (which shrink it back to 32 bits)
511 * and do the pbox permutation at the same time.
512 */
513 f = psbox[0][m_sbox[0][r48l >> 12]]
514 | psbox[1][m_sbox[1][r48l & 0xfff]]
515 | psbox[2][m_sbox[2][r48r >> 12]]
516 | psbox[3][m_sbox[3][r48r & 0xfff]];
517 /*
518 * Now that we've permuted things, complete f().
519 */
520 f ^= l;
521 l = r;
522 r = f;
523 }
524 r = l;
525 l = f;
526 }
527 /*
528 * Do final permutation (inverse of IP).
529 */
530 *l_out = fp_maskl[0][l >> 24]
531 | fp_maskl[1][(l >> 16) & 0xff]
532 | fp_maskl[2][(l >> 8) & 0xff]
533 | fp_maskl[3][l & 0xff]
534 | fp_maskl[4][r >> 24]
535 | fp_maskl[5][(r >> 16) & 0xff]
536 | fp_maskl[6][(r >> 8) & 0xff]
537 | fp_maskl[7][r & 0xff];
538 *r_out = fp_maskr[0][l >> 24]
539 | fp_maskr[1][(l >> 16) & 0xff]
540 | fp_maskr[2][(l >> 8) & 0xff]
541 | fp_maskr[3][l & 0xff]
542 | fp_maskr[4][r >> 24]
543 | fp_maskr[5][(r >> 16) & 0xff]
544 | fp_maskr[6][(r >> 8) & 0xff]
545 | fp_maskr[7][r & 0xff];
546 return(0);
547}
548
549int
550des_cipher(const char *in, char *out, int32_t salt, int count)
551{
552 u_int32_t l_out, r_out, rawl, rawr;
553 u_int32_t x[2];
554 int retval;
555
556 if (!_des_initialised)
557 _des_init();
558
559 _des_setup_salt(salt);
560
561 memcpy(x, in, sizeof x);
562 rawl = ntohl(x[0]);
563 rawr = ntohl(x[1]);
564 retval = _des_do_des(rawl, rawr, &l_out, &r_out, count);
565
566 x[0] = htonl(l_out);
567 x[1] = htonl(r_out);
568 memcpy(out, x, sizeof x);
569 return(retval);
570}
571
572char *
573crypt(const char *key, const char *setting)
574{
575 int i;
576 u_int32_t count, salt, l, r0, r1, keybuf[2];
577 u_char *p, *q;
578 static u_char output[21];
579 extern char *md5crypt(const char *, const char *);
580 extern char *bcrypt(const char *, const char *);
581
582 if (setting[0] == '$') {
583 switch (setting[1]) {
584 case '1':
585 return (md5crypt(key, setting));
586 default:
587 return bcrypt(key, setting);
588 }
589 }
590
591 if (!_des_initialised)
592 _des_init();
593
594 /*
595 * Copy the key, shifting each character up by one bit
596 * and padding with zeros.
597 */
598 q = (u_char *) keybuf;
599 while ((q - (u_char *) keybuf) < sizeof(keybuf)) {
600 if ((*q++ = *key << 1))
601 key++;
602 }
603 if (des_setkey((char *) keybuf))
604 return(NULL);
605
606 if (*setting == _PASSWORD_EFMT1) {
607 /*
608 * "new"-style:
609 * setting - underscore, 4 bytes of count, 4 bytes of salt
610 * key - unlimited characters
611 */
612 for (i = 1, count = 0; i < 5; i++)
613 count |= ascii_to_bin(setting[i]) << (i - 1) * 6;
614
615 for (i = 5, salt = 0; i < 9; i++)
616 salt |= ascii_to_bin(setting[i]) << (i - 5) * 6;
617
618 while (*key) {
619 /*
620 * Encrypt the key with itself.
621 */
622 if (des_cipher((char *)keybuf, (char *)keybuf, 0, 1))
623 return(NULL);
624 /*
625 * And XOR with the next 8 characters of the key.
626 */
627 q = (u_char *) keybuf;
628 while (((q - (u_char *) keybuf) < sizeof(keybuf)) &&
629 *key)
630 *q++ ^= *key++ << 1;
631
632 if (des_setkey((char *) keybuf))
633 return(NULL);
634 }
635 strlcpy((char *)output, setting, 10);
636
637 /*
638 * Double check that we weren't given a short setting.
639 * If we were, the above code will probably have created
640 * weird values for count and salt, but we don't really care.
641 * Just make sure the output string doesn't have an extra
642 * NUL in it.
643 */
644 p = output + strlen((const char *)output);
645 } else {
646 /*
647 * "old"-style:
648 * setting - 2 bytes of salt
649 * key - up to 8 characters
650 */
651 count = 25;
652
653 salt = (ascii_to_bin(setting[1]) << 6)
654 | ascii_to_bin(setting[0]);
655
656 output[0] = setting[0];
657 /*
658 * If the encrypted password that the salt was extracted from
659 * is only 1 character long, the salt will be corrupted. We
660 * need to ensure that the output string doesn't have an extra
661 * NUL in it!
662 */
663 output[1] = setting[1] ? setting[1] : output[0];
664
665 p = output + 2;
666 }
667 _des_setup_salt(salt);
668
669 /*
670 * Do it.
671 */
672 if (_des_do_des(0, 0, &r0, &r1, count))
673 return(NULL);
674 /*
675 * Now encode the result...
676 */
677 l = (r0 >> 8);
678 *p++ = ascii64[(l >> 18) & 0x3f];
679 *p++ = ascii64[(l >> 12) & 0x3f];
680 *p++ = ascii64[(l >> 6) & 0x3f];
681 *p++ = ascii64[l & 0x3f];
682
683 l = (r0 << 16) | ((r1 >> 16) & 0xffff);
684 *p++ = ascii64[(l >> 18) & 0x3f];
685 *p++ = ascii64[(l >> 12) & 0x3f];
686 *p++ = ascii64[(l >> 6) & 0x3f];
687 *p++ = ascii64[l & 0x3f];
688
689 l = r1 << 2;
690 *p++ = ascii64[(l >> 12) & 0x3f];
691 *p++ = ascii64[(l >> 6) & 0x3f];
692 *p++ = ascii64[l & 0x3f];
693 *p = 0;
694
695 return((char *)output);
696}
diff --git a/src/lib/libc/crypt/crypt2.c b/src/lib/libc/crypt/crypt2.c
new file mode 100644
index 0000000000..63a297e510
--- /dev/null
+++ b/src/lib/libc/crypt/crypt2.c
@@ -0,0 +1,104 @@
1/* $OpenBSD: crypt2.c,v 1.3 2005/08/08 08:05:33 espie Exp $ */
2
3/*
4 * FreeSec: libcrypt
5 *
6 * Copyright (c) 1994 David Burren
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 4. Neither the name of the author nor the names of other contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 *
33 *
34 * This is an original implementation of the DES and the crypt(3) interfaces
35 * by David Burren <davidb@werj.com.au>.
36 *
37 * An excellent reference on the underlying algorithm (and related
38 * algorithms) is:
39 *
40 * B. Schneier, Applied Cryptography: protocols, algorithms,
41 * and source code in C, John Wiley & Sons, 1994.
42 *
43 * Note that in that book's description of DES the lookups for the initial,
44 * pbox, and final permutations are inverted (this has been brought to the
45 * attention of the author). A list of errata for this book has been
46 * posted to the sci.crypt newsgroup by the author and is available for FTP.
47 */
48
49#include <sys/types.h>
50#include <sys/param.h>
51#include <pwd.h>
52#include <unistd.h>
53#include <string.h>
54
55#ifdef DEBUG
56# include <stdio.h>
57#endif
58
59extern const u_char _des_bits8[8];
60extern const u_int32_t _des_bits32[32];
61extern int _des_initialised;
62
63int
64setkey(const char *key)
65{
66 int i, j;
67 u_int32_t packed_keys[2];
68 u_char *p;
69
70 p = (u_char *) packed_keys;
71
72 for (i = 0; i < 8; i++) {
73 p[i] = 0;
74 for (j = 0; j < 8; j++)
75 if (*key++ & 1)
76 p[i] |= _des_bits8[j];
77 }
78 return(des_setkey((char *)p));
79}
80
81int
82encrypt(char *block, int flag)
83{
84 u_int32_t io[2];
85 u_char *p;
86 int i, j, retval;
87
88 if (!_des_initialised)
89 _des_init();
90
91 _des_setup_salt(0);
92 p = (u_char *)block;
93 for (i = 0; i < 2; i++) {
94 io[i] = 0L;
95 for (j = 0; j < 32; j++)
96 if (*p++ & 1)
97 io[i] |= _des_bits32[j];
98 }
99 retval = _des_do_des(io[0], io[1], io, io + 1, flag ? -1 : 1);
100 for (i = 0; i < 2; i++)
101 for (j = 0; j < 32; j++)
102 block[(i << 5) | j] = (io[i] & _des_bits32[j]) ? 1 : 0;
103 return(retval);
104}
diff --git a/src/lib/libc/crypt/md5crypt.c b/src/lib/libc/crypt/md5crypt.c
new file mode 100644
index 0000000000..fe1393cf7c
--- /dev/null
+++ b/src/lib/libc/crypt/md5crypt.c
@@ -0,0 +1,149 @@
1/* $OpenBSD: md5crypt.c,v 1.14 2005/08/08 08:05:33 espie Exp $ */
2
3/*
4 * ----------------------------------------------------------------------------
5 * "THE BEER-WARE LICENSE" (Revision 42):
6 * <phk@login.dknet.dk> wrote this file. As long as you retain this notice you
7 * can do whatever you want with this stuff. If we meet some day, and you think
8 * this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp
9 * ----------------------------------------------------------------------------
10 *
11 * $FreeBSD: crypt.c,v 1.5 1996/10/14 08:34:02 phk Exp $
12 *
13 */
14
15#include <unistd.h>
16#include <stdio.h>
17#include <string.h>
18#include <md5.h>
19#include <string.h>
20
21static unsigned char itoa64[] = /* 0 ... 63 => ascii - 64 */
22 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
23
24static void to64(char *, u_int32_t, int);
25
26static void
27to64(char *s, u_int32_t v, int n)
28{
29 while (--n >= 0) {
30 *s++ = itoa64[v&0x3f];
31 v >>= 6;
32 }
33}
34
35/*
36 * UNIX password
37 *
38 * Use MD5 for what it is best at...
39 */
40
41char *md5crypt(const char *pw, const char *salt);
42
43char *
44md5crypt(const char *pw, const char *salt)
45{
46 /*
47 * This string is magic for this algorithm. Having
48 * it this way, we can get get better later on
49 */
50 static unsigned char *magic = (unsigned char *)"$1$";
51
52 static char passwd[120], *p;
53 static const unsigned char *sp,*ep;
54 unsigned char final[16];
55 int sl,pl,i;
56 MD5_CTX ctx,ctx1;
57 u_int32_t l;
58
59 /* Refine the Salt first */
60 sp = (const unsigned char *)salt;
61
62 /* If it starts with the magic string, then skip that */
63 if(!strncmp((const char *)sp,(const char *)magic,strlen((const char *)magic)))
64 sp += strlen((const char *)magic);
65
66 /* It stops at the first '$', max 8 chars */
67 for(ep=sp;*ep && *ep != '$' && ep < (sp+8);ep++)
68 continue;
69
70 /* get the length of the true salt */
71 sl = ep - sp;
72
73 MD5Init(&ctx);
74
75 /* The password first, since that is what is most unknown */
76 MD5Update(&ctx,(const unsigned char *)pw,strlen(pw));
77
78 /* Then our magic string */
79 MD5Update(&ctx,magic,strlen((const char *)magic));
80
81 /* Then the raw salt */
82 MD5Update(&ctx,sp,sl);
83
84 /* Then just as many characters of the MD5(pw,salt,pw) */
85 MD5Init(&ctx1);
86 MD5Update(&ctx1,(const unsigned char *)pw,strlen(pw));
87 MD5Update(&ctx1,sp,sl);
88 MD5Update(&ctx1,(const unsigned char *)pw,strlen(pw));
89 MD5Final(final,&ctx1);
90 for(pl = strlen(pw); pl > 0; pl -= 16)
91 MD5Update(&ctx,final,pl>16 ? 16 : pl);
92
93 /* Don't leave anything around in vm they could use. */
94 memset(final,0,sizeof final);
95
96 /* Then something really weird... */
97 for (i = strlen(pw); i ; i >>= 1)
98 if(i&1)
99 MD5Update(&ctx, final, 1);
100 else
101 MD5Update(&ctx, (const unsigned char *)pw, 1);
102
103 /* Now make the output string */
104 snprintf(passwd, sizeof(passwd), "%s%.*s$", (char *)magic,
105 sl, (const char *)sp);
106
107 MD5Final(final,&ctx);
108
109 /*
110 * and now, just to make sure things don't run too fast
111 * On a 60 Mhz Pentium this takes 34 msec, so you would
112 * need 30 seconds to build a 1000 entry dictionary...
113 */
114 for(i=0;i<1000;i++) {
115 MD5Init(&ctx1);
116 if(i & 1)
117 MD5Update(&ctx1,(const unsigned char *)pw,strlen(pw));
118 else
119 MD5Update(&ctx1,final,16);
120
121 if(i % 3)
122 MD5Update(&ctx1,sp,sl);
123
124 if(i % 7)
125 MD5Update(&ctx1,(const unsigned char *)pw,strlen(pw));
126
127 if(i & 1)
128 MD5Update(&ctx1,final,16);
129 else
130 MD5Update(&ctx1,(const unsigned char *)pw,strlen(pw));
131 MD5Final(final,&ctx1);
132 }
133
134 p = passwd + strlen(passwd);
135
136 l = (final[ 0]<<16) | (final[ 6]<<8) | final[12]; to64(p,l,4); p += 4;
137 l = (final[ 1]<<16) | (final[ 7]<<8) | final[13]; to64(p,l,4); p += 4;
138 l = (final[ 2]<<16) | (final[ 8]<<8) | final[14]; to64(p,l,4); p += 4;
139 l = (final[ 3]<<16) | (final[ 9]<<8) | final[15]; to64(p,l,4); p += 4;
140 l = (final[ 4]<<16) | (final[10]<<8) | final[ 5]; to64(p,l,4); p += 4;
141 l = final[11] ; to64(p,l,2); p += 2;
142 *p = '\0';
143
144 /* Don't leave anything around in vm they could use. */
145 memset(final, 0, sizeof final);
146
147 return passwd;
148}
149
diff --git a/src/lib/libc/crypt/skipjack.c b/src/lib/libc/crypt/skipjack.c
new file mode 100644
index 0000000000..2212b984bb
--- /dev/null
+++ b/src/lib/libc/crypt/skipjack.c
@@ -0,0 +1,260 @@
1/* $OpenBSD: skipjack.c,v 1.3 2004/10/01 04:08:45 jsg Exp $ */
2
3/*
4 * Further optimized test implementation of SKIPJACK algorithm
5 * Mark Tillotson <markt@chaos.org.uk>, 25 June 98
6 * Optimizations suit RISC (lots of registers) machine best.
7 *
8 * based on unoptimized implementation of
9 * Panu Rissanen <bande@lut.fi> 960624
10 *
11 * SKIPJACK and KEA Algorithm Specifications
12 * Version 2.0
13 * 29 May 1998
14*/
15
16#include <sys/param.h>
17#include <skipjack.h>
18#include <stdlib.h>
19
20static const u_int8_t ftable[0x100] =
21{
22 0xa3, 0xd7, 0x09, 0x83, 0xf8, 0x48, 0xf6, 0xf4,
23 0xb3, 0x21, 0x15, 0x78, 0x99, 0xb1, 0xaf, 0xf9,
24 0xe7, 0x2d, 0x4d, 0x8a, 0xce, 0x4c, 0xca, 0x2e,
25 0x52, 0x95, 0xd9, 0x1e, 0x4e, 0x38, 0x44, 0x28,
26 0x0a, 0xdf, 0x02, 0xa0, 0x17, 0xf1, 0x60, 0x68,
27 0x12, 0xb7, 0x7a, 0xc3, 0xe9, 0xfa, 0x3d, 0x53,
28 0x96, 0x84, 0x6b, 0xba, 0xf2, 0x63, 0x9a, 0x19,
29 0x7c, 0xae, 0xe5, 0xf5, 0xf7, 0x16, 0x6a, 0xa2,
30 0x39, 0xb6, 0x7b, 0x0f, 0xc1, 0x93, 0x81, 0x1b,
31 0xee, 0xb4, 0x1a, 0xea, 0xd0, 0x91, 0x2f, 0xb8,
32 0x55, 0xb9, 0xda, 0x85, 0x3f, 0x41, 0xbf, 0xe0,
33 0x5a, 0x58, 0x80, 0x5f, 0x66, 0x0b, 0xd8, 0x90,
34 0x35, 0xd5, 0xc0, 0xa7, 0x33, 0x06, 0x65, 0x69,
35 0x45, 0x00, 0x94, 0x56, 0x6d, 0x98, 0x9b, 0x76,
36 0x97, 0xfc, 0xb2, 0xc2, 0xb0, 0xfe, 0xdb, 0x20,
37 0xe1, 0xeb, 0xd6, 0xe4, 0xdd, 0x47, 0x4a, 0x1d,
38 0x42, 0xed, 0x9e, 0x6e, 0x49, 0x3c, 0xcd, 0x43,
39 0x27, 0xd2, 0x07, 0xd4, 0xde, 0xc7, 0x67, 0x18,
40 0x89, 0xcb, 0x30, 0x1f, 0x8d, 0xc6, 0x8f, 0xaa,
41 0xc8, 0x74, 0xdc, 0xc9, 0x5d, 0x5c, 0x31, 0xa4,
42 0x70, 0x88, 0x61, 0x2c, 0x9f, 0x0d, 0x2b, 0x87,
43 0x50, 0x82, 0x54, 0x64, 0x26, 0x7d, 0x03, 0x40,
44 0x34, 0x4b, 0x1c, 0x73, 0xd1, 0xc4, 0xfd, 0x3b,
45 0xcc, 0xfb, 0x7f, 0xab, 0xe6, 0x3e, 0x5b, 0xa5,
46 0xad, 0x04, 0x23, 0x9c, 0x14, 0x51, 0x22, 0xf0,
47 0x29, 0x79, 0x71, 0x7e, 0xff, 0x8c, 0x0e, 0xe2,
48 0x0c, 0xef, 0xbc, 0x72, 0x75, 0x6f, 0x37, 0xa1,
49 0xec, 0xd3, 0x8e, 0x62, 0x8b, 0x86, 0x10, 0xe8,
50 0x08, 0x77, 0x11, 0xbe, 0x92, 0x4f, 0x24, 0xc5,
51 0x32, 0x36, 0x9d, 0xcf, 0xf3, 0xa6, 0xbb, 0xac,
52 0x5e, 0x6c, 0xa9, 0x13, 0x57, 0x25, 0xb5, 0xe3,
53 0xbd, 0xa8, 0x3a, 0x01, 0x05, 0x59, 0x2a, 0x46
54};
55
56/*
57 * For each key byte generate a table to represent the function
58 * ftable [in ^ keybyte]
59 *
60 * These tables used to save an XOR in each stage of the G-function
61 * the tables are hopefully pointed to by register allocated variables
62 * k0, k1..k9
63 */
64void
65subkey_table_gen (u_int8_t *key, u_int8_t **key_tables)
66{
67 int i, k;
68
69 for (k = 0; k < 10; k++) {
70 u_int8_t key_byte = key[k];
71 u_int8_t * table = (u_int8_t *) malloc(0x100);
72 /* XXX */
73
74 key_tables[k] = table;
75 for (i = 0; i < 0x100; i++)
76 table[i] = ftable[i ^ key_byte];
77 }
78}
79
80
81#define g(k0, k1, k2, k3, ih, il, oh, ol) \
82{ \
83 oh = k##k0 [il] ^ ih; \
84 ol = k##k1 [oh] ^ il; \
85 oh = k##k2 [ol] ^ oh; \
86 ol = k##k3 [oh] ^ ol; \
87}
88
89#define g0(ih, il, oh, ol) g(0, 1, 2, 3, ih, il, oh, ol)
90#define g4(ih, il, oh, ol) g(4, 5, 6, 7, ih, il, oh, ol)
91#define g8(ih, il, oh, ol) g(8, 9, 0, 1, ih, il, oh, ol)
92#define g2(ih, il, oh, ol) g(2, 3, 4, 5, ih, il, oh, ol)
93#define g6(ih, il, oh, ol) g(6, 7, 8, 9, ih, il, oh, ol)
94
95
96#define g_inv(k0, k1, k2, k3, ih, il, oh, ol) \
97{ \
98 ol = k##k3 [ih] ^ il; \
99 oh = k##k2 [ol] ^ ih; \
100 ol = k##k1 [oh] ^ ol; \
101 oh = k##k0 [ol] ^ oh; \
102}
103
104
105#define g0_inv(ih, il, oh, ol) g_inv(0, 1, 2, 3, ih, il, oh, ol)
106#define g4_inv(ih, il, oh, ol) g_inv(4, 5, 6, 7, ih, il, oh, ol)
107#define g8_inv(ih, il, oh, ol) g_inv(8, 9, 0, 1, ih, il, oh, ol)
108#define g2_inv(ih, il, oh, ol) g_inv(2, 3, 4, 5, ih, il, oh, ol)
109#define g6_inv(ih, il, oh, ol) g_inv(6, 7, 8, 9, ih, il, oh, ol)
110
111/* optimized version of Skipjack algorithm
112 *
113 * the appropriate g-function is inlined for each round
114 *
115 * the data movement is minimized by rotating the names of the
116 * variables w1..w4, not their contents (saves 3 moves per round)
117 *
118 * the loops are completely unrolled (needed to staticize choice of g)
119 *
120 * compiles to about 470 instructions on a Sparc (gcc -O)
121 * which is about 58 instructions per byte, 14 per round.
122 * gcc seems to leave in some unnecessary and with 0xFF operations
123 * but only in the latter part of the functions. Perhaps it
124 * runs out of resources to properly optimize long inlined function?
125 * in theory should get about 11 instructions per round, not 14
126 */
127
128void
129skipjack_forwards(u_int8_t *plain, u_int8_t *cipher, u_int8_t **key_tables)
130{
131 u_int8_t wh1 = plain[0]; u_int8_t wl1 = plain[1];
132 u_int8_t wh2 = plain[2]; u_int8_t wl2 = plain[3];
133 u_int8_t wh3 = plain[4]; u_int8_t wl3 = plain[5];
134 u_int8_t wh4 = plain[6]; u_int8_t wl4 = plain[7];
135
136 u_int8_t * k0 = key_tables [0];
137 u_int8_t * k1 = key_tables [1];
138 u_int8_t * k2 = key_tables [2];
139 u_int8_t * k3 = key_tables [3];
140 u_int8_t * k4 = key_tables [4];
141 u_int8_t * k5 = key_tables [5];
142 u_int8_t * k6 = key_tables [6];
143 u_int8_t * k7 = key_tables [7];
144 u_int8_t * k8 = key_tables [8];
145 u_int8_t * k9 = key_tables [9];
146
147 /* first 8 rounds */
148 g0 (wh1,wl1, wh1,wl1); wl4 ^= wl1 ^ 1; wh4 ^= wh1;
149 g4 (wh4,wl4, wh4,wl4); wl3 ^= wl4 ^ 2; wh3 ^= wh4;
150 g8 (wh3,wl3, wh3,wl3); wl2 ^= wl3 ^ 3; wh2 ^= wh3;
151 g2 (wh2,wl2, wh2,wl2); wl1 ^= wl2 ^ 4; wh1 ^= wh2;
152 g6 (wh1,wl1, wh1,wl1); wl4 ^= wl1 ^ 5; wh4 ^= wh1;
153 g0 (wh4,wl4, wh4,wl4); wl3 ^= wl4 ^ 6; wh3 ^= wh4;
154 g4 (wh3,wl3, wh3,wl3); wl2 ^= wl3 ^ 7; wh2 ^= wh3;
155 g8 (wh2,wl2, wh2,wl2); wl1 ^= wl2 ^ 8; wh1 ^= wh2;
156
157 /* second 8 rounds */
158 wh2 ^= wh1; wl2 ^= wl1 ^ 9 ; g2 (wh1,wl1, wh1,wl1);
159 wh1 ^= wh4; wl1 ^= wl4 ^ 10; g6 (wh4,wl4, wh4,wl4);
160 wh4 ^= wh3; wl4 ^= wl3 ^ 11; g0 (wh3,wl3, wh3,wl3);
161 wh3 ^= wh2; wl3 ^= wl2 ^ 12; g4 (wh2,wl2, wh2,wl2);
162 wh2 ^= wh1; wl2 ^= wl1 ^ 13; g8 (wh1,wl1, wh1,wl1);
163 wh1 ^= wh4; wl1 ^= wl4 ^ 14; g2 (wh4,wl4, wh4,wl4);
164 wh4 ^= wh3; wl4 ^= wl3 ^ 15; g6 (wh3,wl3, wh3,wl3);
165 wh3 ^= wh2; wl3 ^= wl2 ^ 16; g0 (wh2,wl2, wh2,wl2);
166
167 /* third 8 rounds */
168 g4 (wh1,wl1, wh1,wl1); wl4 ^= wl1 ^ 17; wh4 ^= wh1;
169 g8 (wh4,wl4, wh4,wl4); wl3 ^= wl4 ^ 18; wh3 ^= wh4;
170 g2 (wh3,wl3, wh3,wl3); wl2 ^= wl3 ^ 19; wh2 ^= wh3;
171 g6 (wh2,wl2, wh2,wl2); wl1 ^= wl2 ^ 20; wh1 ^= wh2;
172 g0 (wh1,wl1, wh1,wl1); wl4 ^= wl1 ^ 21; wh4 ^= wh1;
173 g4 (wh4,wl4, wh4,wl4); wl3 ^= wl4 ^ 22; wh3 ^= wh4;
174 g8 (wh3,wl3, wh3,wl3); wl2 ^= wl3 ^ 23; wh2 ^= wh3;
175 g2 (wh2,wl2, wh2,wl2); wl1 ^= wl2 ^ 24; wh1 ^= wh2;
176
177 /* last 8 rounds */
178 wh2 ^= wh1; wl2 ^= wl1 ^ 25; g6 (wh1,wl1, wh1,wl1);
179 wh1 ^= wh4; wl1 ^= wl4 ^ 26; g0 (wh4,wl4, wh4,wl4);
180 wh4 ^= wh3; wl4 ^= wl3 ^ 27; g4 (wh3,wl3, wh3,wl3);
181 wh3 ^= wh2; wl3 ^= wl2 ^ 28; g8 (wh2,wl2, wh2,wl2);
182 wh2 ^= wh1; wl2 ^= wl1 ^ 29; g2 (wh1,wl1, wh1,wl1);
183 wh1 ^= wh4; wl1 ^= wl4 ^ 30; g6 (wh4,wl4, wh4,wl4);
184 wh4 ^= wh3; wl4 ^= wl3 ^ 31; g0 (wh3,wl3, wh3,wl3);
185 wh3 ^= wh2; wl3 ^= wl2 ^ 32; g4 (wh2,wl2, wh2,wl2);
186
187 /* pack into byte vector */
188 cipher [0] = wh1; cipher [1] = wl1;
189 cipher [2] = wh2; cipher [3] = wl2;
190 cipher [4] = wh3; cipher [5] = wl3;
191 cipher [6] = wh4; cipher [7] = wl4;
192}
193
194
195void
196skipjack_backwards (u_int8_t *cipher, u_int8_t *plain, u_int8_t **key_tables)
197{
198 /* setup 4 16-bit portions */
199 u_int8_t wh1 = cipher[0]; u_int8_t wl1 = cipher[1];
200 u_int8_t wh2 = cipher[2]; u_int8_t wl2 = cipher[3];
201 u_int8_t wh3 = cipher[4]; u_int8_t wl3 = cipher[5];
202 u_int8_t wh4 = cipher[6]; u_int8_t wl4 = cipher[7];
203
204 u_int8_t * k0 = key_tables [0];
205 u_int8_t * k1 = key_tables [1];
206 u_int8_t * k2 = key_tables [2];
207 u_int8_t * k3 = key_tables [3];
208 u_int8_t * k4 = key_tables [4];
209 u_int8_t * k5 = key_tables [5];
210 u_int8_t * k6 = key_tables [6];
211 u_int8_t * k7 = key_tables [7];
212 u_int8_t * k8 = key_tables [8];
213 u_int8_t * k9 = key_tables [9];
214
215 /* first 8 rounds */
216 g4_inv (wh2,wl2, wh2,wl2); wl3 ^= wl2 ^ 32; wh3 ^= wh2;
217 g0_inv (wh3,wl3, wh3,wl3); wl4 ^= wl3 ^ 31; wh4 ^= wh3;
218 g6_inv (wh4,wl4, wh4,wl4); wl1 ^= wl4 ^ 30; wh1 ^= wh4;
219 g2_inv (wh1,wl1, wh1,wl1); wl2 ^= wl1 ^ 29; wh2 ^= wh1;
220 g8_inv (wh2,wl2, wh2,wl2); wl3 ^= wl2 ^ 28; wh3 ^= wh2;
221 g4_inv (wh3,wl3, wh3,wl3); wl4 ^= wl3 ^ 27; wh4 ^= wh3;
222 g0_inv (wh4,wl4, wh4,wl4); wl1 ^= wl4 ^ 26; wh1 ^= wh4;
223 g6_inv (wh1,wl1, wh1,wl1); wl2 ^= wl1 ^ 25; wh2 ^= wh1;
224
225 /* second 8 rounds */
226 wh1 ^= wh2; wl1 ^= wl2 ^ 24; g2_inv (wh2,wl2, wh2,wl2);
227 wh2 ^= wh3; wl2 ^= wl3 ^ 23; g8_inv (wh3,wl3, wh3,wl3);
228 wh3 ^= wh4; wl3 ^= wl4 ^ 22; g4_inv (wh4,wl4, wh4,wl4);
229 wh4 ^= wh1; wl4 ^= wl1 ^ 21; g0_inv (wh1,wl1, wh1,wl1);
230 wh1 ^= wh2; wl1 ^= wl2 ^ 20; g6_inv (wh2,wl2, wh2,wl2);
231 wh2 ^= wh3; wl2 ^= wl3 ^ 19; g2_inv (wh3,wl3, wh3,wl3);
232 wh3 ^= wh4; wl3 ^= wl4 ^ 18; g8_inv (wh4,wl4, wh4,wl4);
233 wh4 ^= wh1; wl4 ^= wl1 ^ 17; g4_inv (wh1,wl1, wh1,wl1);
234
235 /* third 8 rounds */
236 g0_inv (wh2,wl2, wh2,wl2); wl3 ^= wl2 ^ 16; wh3 ^= wh2;
237 g6_inv (wh3,wl3, wh3,wl3); wl4 ^= wl3 ^ 15; wh4 ^= wh3;
238 g2_inv (wh4,wl4, wh4,wl4); wl1 ^= wl4 ^ 14; wh1 ^= wh4;
239 g8_inv (wh1,wl1, wh1,wl1); wl2 ^= wl1 ^ 13; wh2 ^= wh1;
240 g4_inv (wh2,wl2, wh2,wl2); wl3 ^= wl2 ^ 12; wh3 ^= wh2;
241 g0_inv (wh3,wl3, wh3,wl3); wl4 ^= wl3 ^ 11; wh4 ^= wh3;
242 g6_inv (wh4,wl4, wh4,wl4); wl1 ^= wl4 ^ 10; wh1 ^= wh4;
243 g2_inv (wh1,wl1, wh1,wl1); wl2 ^= wl1 ^ 9; wh2 ^= wh1;
244
245 /* last 8 rounds */
246 wh1 ^= wh2; wl1 ^= wl2 ^ 8; g8_inv (wh2,wl2, wh2,wl2);
247 wh2 ^= wh3; wl2 ^= wl3 ^ 7; g4_inv (wh3,wl3, wh3,wl3);
248 wh3 ^= wh4; wl3 ^= wl4 ^ 6; g0_inv (wh4,wl4, wh4,wl4);
249 wh4 ^= wh1; wl4 ^= wl1 ^ 5; g6_inv (wh1,wl1, wh1,wl1);
250 wh1 ^= wh2; wl1 ^= wl2 ^ 4; g2_inv (wh2,wl2, wh2,wl2);
251 wh2 ^= wh3; wl2 ^= wl3 ^ 3; g8_inv (wh3,wl3, wh3,wl3);
252 wh3 ^= wh4; wl3 ^= wl4 ^ 2; g4_inv (wh4,wl4, wh4,wl4);
253 wh4 ^= wh1; wl4 ^= wl1 ^ 1; g0_inv (wh1,wl1, wh1,wl1);
254
255 /* pack into byte vector */
256 plain [0] = wh1; plain [1] = wl1;
257 plain [2] = wh2; plain [3] = wl2;
258 plain [4] = wh3; plain [5] = wl3;
259 plain [6] = wh4; plain [7] = wl4;
260}
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-10-18 07:50:11 +0000