summaryrefslogtreecommitdiff
path: root/src/lib/libc/crypt
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libc/crypt')
-rw-r--r--src/lib/libc/crypt/Makefile.inc15
-rw-r--r--src/lib/libc/crypt/arc4random.3110
-rw-r--r--src/lib/libc/crypt/arc4random.c173
-rw-r--r--src/lib/libc/crypt/bcrypt.c331
-rw-r--r--src/lib/libc/crypt/blowfish.3106
-rw-r--r--src/lib/libc/crypt/blowfish.c694
-rw-r--r--src/lib/libc/crypt/cast.c779
-rw-r--r--src/lib/libc/crypt/crypt.3320
-rw-r--r--src/lib/libc/crypt/crypt.c700
-rw-r--r--src/lib/libc/crypt/crypt2.c108
-rw-r--r--src/lib/libc/crypt/md5crypt.c153
-rw-r--r--src/lib/libc/crypt/skipjack.c258
12 files changed, 3747 insertions, 0 deletions
diff --git a/src/lib/libc/crypt/Makefile.inc b/src/lib/libc/crypt/Makefile.inc
new file mode 100644
index 0000000000..131e1d3f39
--- /dev/null
+++ b/src/lib/libc/crypt/Makefile.inc
@@ -0,0 +1,15 @@
1# $OpenBSD: Makefile.inc,v 1.15 2003/08/12 01:22:17 deraadt Exp $
2
3.PATH: ${LIBCSRCDIR}/arch/${MACHINE_ARCH}/crypt ${LIBCSRCDIR}/crypt
4
5SRCS+= cast.c crypt.c crypt2.c md5crypt.c arc4random.c blowfish.c
6SRCS+= bcrypt.c skipjack.c
7
8MAN+= crypt.3 blowfish.3 arc4random.3
9MLINKS+=crypt.3 encrypt.3 crypt.3 setkey.3 crypt.3 des_cipher.3
10MLINKS+=crypt.3 bcrypt_gensalt.3 crypt.3 bcrypt.3 crypt.3 md5crypt.3
11MLINKS+=crypt.3 des_setkey.3 blowfish.3 blf_key.3 blowfish.3 blf_enc.3
12MLINKS+=blowfish.3 blf_dec.3 blowfish.3 blf_ecb_encrypt.3
13MLINKS+=blowfish.3 blf_ecb_decrypt.3 blowfish.3 blf_cbc_encrypt.3
14MLINKS+=blowfish.3 blf_cbc_decrypt.3
15MLINKS+=arc4random.3 arc4random_stir.3 arc4random.3 arc4random_addrandom.3
diff --git a/src/lib/libc/crypt/arc4random.3 b/src/lib/libc/crypt/arc4random.3
new file mode 100644
index 0000000000..d8e0f8cda6
--- /dev/null
+++ b/src/lib/libc/crypt/arc4random.3
@@ -0,0 +1,110 @@
1.\" $OpenBSD: arc4random.3,v 1.17 2000/12/21 14:07:41 aaron Exp $
2.\"
3.\" Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de>
4.\" All rights reserved.
5.\"
6.\" Redistribution and use in source and binary forms, with or without
7.\" modification, are permitted provided that the following conditions
8.\" are met:
9.\" 1. Redistributions of source code must retain the above copyright
10.\" notice, this list of conditions and the following disclaimer.
11.\" 2. Redistributions in binary form must reproduce the above copyright
12.\" notice, this list of conditions and the following disclaimer in the
13.\" documentation and/or other materials provided with the distribution.
14.\" 3. All advertising materials mentioning features or use of this software
15.\" must display the following acknowledgement:
16.\" This product includes software developed by Niels Provos.
17.\" 4. The name of the author may not be used to endorse or promote products
18.\" derived from this software without specific prior written permission.
19.\"
20.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
21.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
22.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
23.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
24.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
25.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
26.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
27.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
28.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
29.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30.\"
31.\" Manual page, using -mandoc macros
32.\"
33.Dd April 15, 1997
34.Dt ARC4RANDOM 3
35.Os
36.Sh NAME
37.Nm arc4random ,
38.Nm arc4random_stir ,
39.Nm arc4random_addrandom
40.Nd arc4 random number generator
41.Sh SYNOPSIS
42.Fd #include <stdlib.h>
43.Ft u_int32_t
44.Fn arc4random "void"
45.Ft void
46.Fn arc4random_stir "void"
47.Ft void
48.Fn arc4random_addrandom "u_char *dat" "int datlen"
49.Sh DESCRIPTION
50The
51.Fn arc4random
52function provides a high quality 32-bit pseudo-random
53number very quickly.
54.Fn arc4random
55seeds itself on a regular basis from the kernel strong random number
56subsystem described in
57.Xr random 4 .
58On each call, an ARC4 generator is used to generate a new result.
59The
60.Fn arc4random
61function uses the ARC4 cipher key stream generator,
62which uses 8*8 8 bit S-Boxes.
63The S-Boxes can be in about (2**1700) states.
64.Pp
65.Fn arc4random
66fits into a middle ground not covered by other subsystems such as
67the strong, slow, and resource expensive random
68devices described in
69.Xr random 4
70versus the fast but poor quality interfaces described in
71.Xr rand 3 ,
72.Xr random 3 ,
73and
74.Xr drand48 3 .
75.Pp
76The
77.Fn arc4random_stir
78function reads data from
79.Pa /dev/arandom
80and uses it to permute the S-Boxes via
81.Fn arc4random_addrandom .
82.Pp
83There is no need to call
84.Fn arc4random_stir
85before using
86.Fn arc4random ,
87since
88.Fn arc4random
89automatically initializes itself.
90.Sh SEE ALSO
91.Xr rand 3 ,
92.Xr rand48 3 ,
93.Xr random 3
94.Sh HISTORY
95An algorithm called
96.Pa RC4
97was designed by RSA Data Security, Inc.
98It was considered a trade secret, but not trademarked.
99Because it was a trade secret, it obviously could not be patented.
100A clone of this was posted anonymously to USENET and confirmed to
101be equivalent by several sources who had access to the original cipher.
102Because of the trade secret situation, RSA Data Security, Inc. can do
103nothing about the release of the ARC4 algorithm.
104Since
105.Pa RC4
106used to be a trade secret, the cipher is now referred to as
107.Pa ARC4 .
108.Pp
109These functions first appeared in
110.Ox 2.1 .
diff --git a/src/lib/libc/crypt/arc4random.c b/src/lib/libc/crypt/arc4random.c
new file mode 100644
index 0000000000..5e3b2925a6
--- /dev/null
+++ b/src/lib/libc/crypt/arc4random.c
@@ -0,0 +1,173 @@
1/* $OpenBSD: arc4random.c,v 1.9 2003/08/16 19:07:40 tedu Exp $ */
2
3/*
4 * Arc4 random number generator for OpenBSD.
5 * Copyright 1996 David Mazieres <dm@lcs.mit.edu>.
6 *
7 * Modification and redistribution in source and binary forms is
8 * permitted provided that due credit is given to the author and the
9 * OpenBSD project by leaving this copyright notice intact.
10 */
11
12/*
13 * This code is derived from section 17.1 of Applied Cryptography,
14 * second edition, which describes a stream cipher allegedly
15 * compatible with RSA Labs "RC4" cipher (the actual description of
16 * which is a trade secret). The same algorithm is used as a stream
17 * cipher called "arcfour" in Tatu Ylonen's ssh package.
18 *
19 * Here the stream cipher has been modified always to include the time
20 * when initializing the state. That makes it impossible to
21 * regenerate the same random sequence twice, so this can't be used
22 * for encryption, but will generate good random numbers.
23 *
24 * RC4 is a registered trademark of RSA Laboratories.
25 */
26
27#include <fcntl.h>
28#include <stdlib.h>
29#include <unistd.h>
30#include <sys/types.h>
31#include <sys/param.h>
32#include <sys/time.h>
33#include <sys/sysctl.h>
34
35#ifdef __GNUC__
36#define inline __inline
37#else /* !__GNUC__ */
38#define inline
39#endif /* !__GNUC__ */
40
41struct arc4_stream {
42 u_int8_t i;
43 u_int8_t j;
44 u_int8_t s[256];
45};
46
47static int rs_initialized;
48static struct arc4_stream rs;
49static pid_t arc4_stir_pid;
50
51static inline void
52arc4_init(struct arc4_stream *as)
53{
54 int n;
55
56 for (n = 0; n < 256; n++)
57 as->s[n] = n;
58 as->i = 0;
59 as->j = 0;
60}
61
62static inline void
63arc4_addrandom(struct arc4_stream *as, u_char *dat, int datlen)
64{
65 int n;
66 u_int8_t si;
67
68 as->i--;
69 for (n = 0; n < 256; n++) {
70 as->i = (as->i + 1);
71 si = as->s[as->i];
72 as->j = (as->j + si + dat[n % datlen]);
73 as->s[as->i] = as->s[as->j];
74 as->s[as->j] = si;
75 }
76 as->j = as->i;
77}
78
79static void
80arc4_stir(struct arc4_stream *as)
81{
82 int i, mib[2];
83 size_t len;
84 struct {
85 struct timeval tv;
86 u_int rnd[(128 - sizeof(struct timeval)) / sizeof(u_int)];
87 } rdat;
88
89 gettimeofday(&rdat.tv, NULL);
90 mib[0] = CTL_KERN;
91 mib[1] = KERN_ARND;
92
93 for (i = 0; i < sizeof(rdat.rnd) / sizeof(u_int); i ++) {
94 len = sizeof(u_int);
95 if (sysctl(mib, 2, &rdat.rnd[i], &len, NULL, 0) == -1)
96 break;
97 }
98
99 arc4_stir_pid = getpid();
100 arc4_addrandom(as, (void *) &rdat, sizeof(rdat));
101}
102
103static inline u_int8_t
104arc4_getbyte(struct arc4_stream *as)
105{
106 u_int8_t si, sj;
107
108 as->i = (as->i + 1);
109 si = as->s[as->i];
110 as->j = (as->j + si);
111 sj = as->s[as->j];
112 as->s[as->i] = sj;
113 as->s[as->j] = si;
114 return (as->s[(si + sj) & 0xff]);
115}
116
117static inline u_int32_t
118arc4_getword(struct arc4_stream *as)
119{
120 u_int32_t val;
121 val = arc4_getbyte(as) << 24;
122 val |= arc4_getbyte(as) << 16;
123 val |= arc4_getbyte(as) << 8;
124 val |= arc4_getbyte(as);
125 return val;
126}
127
128void
129arc4random_stir(void)
130{
131 if (!rs_initialized) {
132 arc4_init(&rs);
133 rs_initialized = 1;
134 }
135 arc4_stir(&rs);
136}
137
138void
139arc4random_addrandom(u_char *dat, int datlen)
140{
141 if (!rs_initialized)
142 arc4random_stir();
143 arc4_addrandom(&rs, dat, datlen);
144}
145
146u_int32_t
147arc4random(void)
148{
149 if (!rs_initialized || arc4_stir_pid != getpid())
150 arc4random_stir();
151 return arc4_getword(&rs);
152}
153
154#if 0
155/*-------- Test code for i386 --------*/
156#include <stdio.h>
157#include <machine/pctr.h>
158int
159main(int argc, char **argv)
160{
161 const int iter = 1000000;
162 int i;
163 pctrval v;
164
165 v = rdtsc();
166 for (i = 0; i < iter; i++)
167 arc4random();
168 v = rdtsc() - v;
169 v /= iter;
170
171 printf("%qd cycles\n", v);
172}
173#endif
diff --git a/src/lib/libc/crypt/bcrypt.c b/src/lib/libc/crypt/bcrypt.c
new file mode 100644
index 0000000000..95251db1cd
--- /dev/null
+++ b/src/lib/libc/crypt/bcrypt.c
@@ -0,0 +1,331 @@
1/* $OpenBSD: bcrypt.c,v 1.18 2003/08/07 00:28:45 deraadt Exp $ */
2
3/*
4 * Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de>
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. All advertising materials mentioning features or use of this software
16 * must display the following acknowledgement:
17 * This product includes software developed by Niels Provos.
18 * 4. The name of the author may not be used to endorse or promote products
19 * derived from this software without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
22 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
23 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
24 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
26 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
27 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
28 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
30 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31 */
32
33/* This password hashing algorithm was designed by David Mazieres
34 * <dm@lcs.mit.edu> and works as follows:
35 *
36 * 1. state := InitState ()
37 * 2. state := ExpandKey (state, salt, password) 3.
38 * REPEAT rounds:
39 * state := ExpandKey (state, 0, salt)
40 * state := ExpandKey(state, 0, password)
41 * 4. ctext := "OrpheanBeholderScryDoubt"
42 * 5. REPEAT 64:
43 * ctext := Encrypt_ECB (state, ctext);
44 * 6. RETURN Concatenate (salt, ctext);
45 *
46 */
47
48#if 0
49#include <stdio.h>
50#endif
51
52#include <stdio.h>
53#include <stdlib.h>
54#include <sys/types.h>
55#include <string.h>
56#include <pwd.h>
57#include <blf.h>
58
59/* This implementation is adaptable to current computing power.
60 * You can have up to 2^31 rounds which should be enough for some
61 * time to come.
62 */
63
64#define BCRYPT_VERSION '2'
65#define BCRYPT_MAXSALT 16 /* Precomputation is just so nice */
66#define BCRYPT_BLOCKS 6 /* Ciphertext blocks */
67#define BCRYPT_MINROUNDS 16 /* we have log2(rounds) in salt */
68
69char *bcrypt_gensalt(u_int8_t);
70
71static void encode_salt(char *, u_int8_t *, u_int16_t, u_int8_t);
72static void encode_base64(u_int8_t *, u_int8_t *, u_int16_t);
73static void decode_base64(u_int8_t *, u_int16_t, u_int8_t *);
74
75static char encrypted[_PASSWORD_LEN];
76static char gsalt[BCRYPT_MAXSALT * 4 / 3 + 1];
77static char error[] = ":";
78
79const static u_int8_t Base64Code[] =
80"./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
81
82const static u_int8_t index_64[128] = {
83 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
84 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
85 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
86 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
87 255, 255, 255, 255, 255, 255, 0, 1, 54, 55,
88 56, 57, 58, 59, 60, 61, 62, 63, 255, 255,
89 255, 255, 255, 255, 255, 2, 3, 4, 5, 6,
90 7, 8, 9, 10, 11, 12, 13, 14, 15, 16,
91 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27,
92 255, 255, 255, 255, 255, 255, 28, 29, 30,
93 31, 32, 33, 34, 35, 36, 37, 38, 39, 40,
94 41, 42, 43, 44, 45, 46, 47, 48, 49, 50,
95 51, 52, 53, 255, 255, 255, 255, 255
96};
97#define CHAR64(c) ( (c) > 127 ? 255 : index_64[(c)])
98
99static void
100decode_base64(u_int8_t *buffer, u_int16_t len, u_int8_t *data)
101{
102 u_int8_t *bp = buffer;
103 u_int8_t *p = data;
104 u_int8_t c1, c2, c3, c4;
105 while (bp < buffer + len) {
106 c1 = CHAR64(*p);
107 c2 = CHAR64(*(p + 1));
108
109 /* Invalid data */
110 if (c1 == 255 || c2 == 255)
111 break;
112
113 *bp++ = (c1 << 2) | ((c2 & 0x30) >> 4);
114 if (bp >= buffer + len)
115 break;
116
117 c3 = CHAR64(*(p + 2));
118 if (c3 == 255)
119 break;
120
121 *bp++ = ((c2 & 0x0f) << 4) | ((c3 & 0x3c) >> 2);
122 if (bp >= buffer + len)
123 break;
124
125 c4 = CHAR64(*(p + 3));
126 if (c4 == 255)
127 break;
128 *bp++ = ((c3 & 0x03) << 6) | c4;
129
130 p += 4;
131 }
132}
133
134static void
135encode_salt(char *salt, u_int8_t *csalt, u_int16_t clen, u_int8_t logr)
136{
137 salt[0] = '$';
138 salt[1] = BCRYPT_VERSION;
139 salt[2] = 'a';
140 salt[3] = '$';
141
142 snprintf(salt + 4, 4, "%2.2u$", logr);
143
144 encode_base64((u_int8_t *) salt + 7, csalt, clen);
145}
146/* Generates a salt for this version of crypt.
147 Since versions may change. Keeping this here
148 seems sensible.
149 */
150
151char *
152bcrypt_gensalt(u_int8_t log_rounds)
153{
154 u_int8_t csalt[BCRYPT_MAXSALT];
155 u_int16_t i;
156 u_int32_t seed = 0;
157
158 for (i = 0; i < BCRYPT_MAXSALT; i++) {
159 if (i % 4 == 0)
160 seed = arc4random();
161 csalt[i] = seed & 0xff;
162 seed = seed >> 8;
163 }
164
165 if (log_rounds < 4)
166 log_rounds = 4;
167
168 encode_salt(gsalt, csalt, BCRYPT_MAXSALT, log_rounds);
169 return gsalt;
170}
171/* We handle $Vers$log2(NumRounds)$salt+passwd$
172 i.e. $2$04$iwouldntknowwhattosayetKdJ6iFtacBqJdKe6aW7ou */
173
174char *
175bcrypt(const char *key, const char *salt)
176{
177 blf_ctx state;
178 u_int32_t rounds, i, k;
179 u_int16_t j;
180 u_int8_t key_len, salt_len, logr, minor;
181 u_int8_t ciphertext[4 * BCRYPT_BLOCKS] = "OrpheanBeholderScryDoubt";
182 u_int8_t csalt[BCRYPT_MAXSALT];
183 u_int32_t cdata[BCRYPT_BLOCKS];
184
185 /* Discard "$" identifier */
186 salt++;
187
188 if (*salt > BCRYPT_VERSION) {
189 /* How do I handle errors ? Return ':' */
190 return error;
191 }
192
193 /* Check for minor versions */
194 if (salt[1] != '$') {
195 switch (salt[1]) {
196 case 'a':
197 /* 'ab' should not yield the same as 'abab' */
198 minor = salt[1];
199 salt++;
200 break;
201 default:
202 return error;
203 }
204 } else
205 minor = 0;
206
207 /* Discard version + "$" identifier */
208 salt += 2;
209
210 if (salt[2] != '$')
211 /* Out of sync with passwd entry */
212 return error;
213
214 /* Computer power doesn't increase linear, 2^x should be fine */
215 if ((rounds = (u_int32_t) 1 << (logr = atoi(salt))) < BCRYPT_MINROUNDS)
216 return error;
217
218 /* Discard num rounds + "$" identifier */
219 salt += 3;
220
221 if (strlen(salt) * 3 / 4 < BCRYPT_MAXSALT)
222 return error;
223
224 /* We dont want the base64 salt but the raw data */
225 decode_base64(csalt, BCRYPT_MAXSALT, (u_int8_t *) salt);
226 salt_len = BCRYPT_MAXSALT;
227 key_len = strlen(key) + (minor >= 'a' ? 1 : 0);
228
229 /* Setting up S-Boxes and Subkeys */
230 Blowfish_initstate(&state);
231 Blowfish_expandstate(&state, csalt, salt_len,
232 (u_int8_t *) key, key_len);
233 for (k = 0; k < rounds; k++) {
234 Blowfish_expand0state(&state, (u_int8_t *) key, key_len);
235 Blowfish_expand0state(&state, csalt, salt_len);
236 }
237
238 /* This can be precomputed later */
239 j = 0;
240 for (i = 0; i < BCRYPT_BLOCKS; i++)
241 cdata[i] = Blowfish_stream2word(ciphertext, 4 * BCRYPT_BLOCKS, &j);
242
243 /* Now do the encryption */
244 for (k = 0; k < 64; k++)
245 blf_enc(&state, cdata, BCRYPT_BLOCKS / 2);
246
247 for (i = 0; i < BCRYPT_BLOCKS; i++) {
248 ciphertext[4 * i + 3] = cdata[i] & 0xff;
249 cdata[i] = cdata[i] >> 8;
250 ciphertext[4 * i + 2] = cdata[i] & 0xff;
251 cdata[i] = cdata[i] >> 8;
252 ciphertext[4 * i + 1] = cdata[i] & 0xff;
253 cdata[i] = cdata[i] >> 8;
254 ciphertext[4 * i + 0] = cdata[i] & 0xff;
255 }
256
257
258 i = 0;
259 encrypted[i++] = '$';
260 encrypted[i++] = BCRYPT_VERSION;
261 if (minor)
262 encrypted[i++] = minor;
263 encrypted[i++] = '$';
264
265 snprintf(encrypted + i, 4, "%2.2u$", logr);
266
267 encode_base64((u_int8_t *) encrypted + i + 3, csalt, BCRYPT_MAXSALT);
268 encode_base64((u_int8_t *) encrypted + strlen(encrypted), ciphertext,
269 4 * BCRYPT_BLOCKS - 1);
270 return encrypted;
271}
272
273static void
274encode_base64(u_int8_t *buffer, u_int8_t *data, u_int16_t len)
275{
276 u_int8_t *bp = buffer;
277 u_int8_t *p = data;
278 u_int8_t c1, c2;
279 while (p < data + len) {
280 c1 = *p++;
281 *bp++ = Base64Code[(c1 >> 2)];
282 c1 = (c1 & 0x03) << 4;
283 if (p >= data + len) {
284 *bp++ = Base64Code[c1];
285 break;
286 }
287 c2 = *p++;
288 c1 |= (c2 >> 4) & 0x0f;
289 *bp++ = Base64Code[c1];
290 c1 = (c2 & 0x0f) << 2;
291 if (p >= data + len) {
292 *bp++ = Base64Code[c1];
293 break;
294 }
295 c2 = *p++;
296 c1 |= (c2 >> 6) & 0x03;
297 *bp++ = Base64Code[c1];
298 *bp++ = Base64Code[c2 & 0x3f];
299 }
300 *bp = '\0';
301}
302#if 0
303void
304main()
305{
306 char blubber[73];
307 char salt[100];
308 char *p;
309 salt[0] = '$';
310 salt[1] = BCRYPT_VERSION;
311 salt[2] = '$';
312
313 snprintf(salt + 3, 4, "%2.2u$", 5);
314
315 printf("24 bytes of salt: ");
316 fgets(salt + 6, 94, stdin);
317 salt[99] = 0;
318 printf("72 bytes of password: ");
319 fpurge(stdin);
320 fgets(blubber, 73, stdin);
321 blubber[72] = 0;
322
323 p = crypt(blubber, salt);
324 printf("Passwd entry: %s\n\n", p);
325
326 p = bcrypt_gensalt(5);
327 printf("Generated salt: %s\n", p);
328 p = crypt(blubber, p);
329 printf("Passwd entry: %s\n", p);
330}
331#endif
diff --git a/src/lib/libc/crypt/blowfish.3 b/src/lib/libc/crypt/blowfish.3
new file mode 100644
index 0000000000..44f7eb2bbf
--- /dev/null
+++ b/src/lib/libc/crypt/blowfish.3
@@ -0,0 +1,106 @@
1.\" $OpenBSD: blowfish.3,v 1.12 2003/08/28 12:35:00 jmc Exp $
2.\"
3.\" Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de>
4.\" All rights reserved.
5.\"
6.\" Redistribution and use in source and binary forms, with or without
7.\" modification, are permitted provided that the following conditions
8.\" are met:
9.\" 1. Redistributions of source code must retain the above copyright
10.\" notice, this list of conditions and the following disclaimer.
11.\" 2. Redistributions in binary form must reproduce the above copyright
12.\" notice, this list of conditions and the following disclaimer in the
13.\" documentation and/or other materials provided with the distribution.
14.\" 3. All advertising materials mentioning features or use of this software
15.\" must display the following acknowledgement:
16.\" This product includes software developed by Niels Provos.
17.\" 4. The name of the author may not be used to endorse or promote products
18.\" derived from this software without specific prior written permission.
19.\"
20.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
21.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
22.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
23.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
24.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
25.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
26.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
27.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
28.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
29.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30.\"
31.\" Manual page, using -mandoc macros
32.\"
33.Dd February 13, 1997
34.Dt BLOWFISH 3
35.Os
36.Sh NAME
37.Nm blf_key ,
38.Nm blf_enc ,
39.Nm blf_dec
40.Nd Blowfish encryption
41.Sh SYNOPSIS
42.Fd #include <blf.h>
43.Ft void
44.Fn blf_key "blf_ctx *state" "const u_int8_t *key" "u_int16_t keylen"
45.Ft void
46.Fn blf_enc "blf_ctx *state" "u_int32_t *data" "u_int16_t datalen"
47.Ft void
48.Fn blf_dec "blf_ctx *state" "u_int32_t *data" "u_int16_t datalen"
49.Ft void
50.Fn blf_ecb_encrypt "blf_ctx *state" "u_int8_t *data" "u_int32_t datalen"
51.Ft void
52.Fn blf_ecb_decrypt "blf_ctx *state" "u_int8_t *data" "u_int32_t datalen"
53.Ft void
54.Fn blf_cbc_encrypt "blf_ctx *state" "u_int8_t *iv" "u_int8_t *data" "u_int32_t datalen"
55.Ft void
56.Fn blf_cbc_decrypt "blf_ctx *state" "u_int8_t *iv" "u_int8_t *data" "u_int32_t datalen"
57.Sh DESCRIPTION
58.Pa Blowfish
59is a fast unpatented block cipher designed by Bruce Schneier.
60It basically consists of a 16 times iterated Feistel network.
61The block size is 64 bit and the maximum key size is 448 bit.
62.Pp
63The
64.Fn blf_key
65function initializes the 4 8bit S-boxes and the 18 Subkeys with
66the hexadecimal digits of Pi.
67The key is used for further randomization.
68The first argument to
69.Fn blf_enc
70is the initialized state derived from
71.Fn blf_key .
72The stream of 32-bit words is encrypted in Electronic Codebook
73Mode (ECB) and
74.Pa datalen
75must be even.
76.Fn blf_dec
77is used for decrypting Blowfish encrypted blocks.
78.Pp
79The functions
80.Fn blf_ecb_encrypt
81and
82.Fn blf_ecb_decrypt
83are used for encrypting and decrypting octet streams in ECB mode.
84The functions
85.Fn blf_cbc_encrypt
86and
87.Fn blf_cbc_decrypt
88are used for encrypting and decrypting octet streams in
89Cipherblock Chaining Mode (CBC).
90.Pp
91The functions
92.Fn Blowfish_initstate ,
93.Fn Blowfish_expand0state ,
94.Fn Blowfish_expandstate ,
95.Fn Blowfish_encipher
96and
97.Fn Blowfish_decipher
98are used for customization of the
99.Pa Blowfish
100cipher, e.g., for the blowfish password hashing function.
101.Sh SEE ALSO
102.Xr passwd 1 ,
103.Xr crypt 3 ,
104.Xr passwd 5
105.Sh AUTHORS
106.An Niels Provos Aq provos@physnet.uni-hamburg.de
diff --git a/src/lib/libc/crypt/blowfish.c b/src/lib/libc/crypt/blowfish.c
new file mode 100644
index 0000000000..12226b5215
--- /dev/null
+++ b/src/lib/libc/crypt/blowfish.c
@@ -0,0 +1,694 @@
1/* $OpenBSD: blowfish.c,v 1.17 2003/04/09 21:46:02 markus Exp $ */
2/*
3 * Blowfish block cipher for OpenBSD
4 * Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de>
5 * All rights reserved.
6 *
7 * Implementation advice by David Mazieres <dm@lcs.mit.edu>.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. All advertising materials mentioning features or use of this software
18 * must display the following acknowledgement:
19 * This product includes software developed by Niels Provos.
20 * 4. The name of the author may not be used to endorse or promote products
21 * derived from this software without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
24 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
25 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
26 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
27 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
28 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
29 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
30 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
31 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
32 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
33 */
34
35/*
36 * This code is derived from section 14.3 and the given source
37 * in section V of Applied Cryptography, second edition.
38 * Blowfish is an unpatented fast block cipher designed by
39 * Bruce Schneier.
40 */
41
42#if 0
43#include <stdio.h> /* used for debugging */
44#include <string.h>
45#endif
46
47#include <sys/types.h>
48#include <blf.h>
49
50#undef inline
51#ifdef __GNUC__
52#define inline __inline
53#else /* !__GNUC__ */
54#define inline
55#endif /* !__GNUC__ */
56
57/* Function for Feistel Networks */
58
59#define F(s, x) ((((s)[ (((x)>>24)&0xFF)] \
60 + (s)[0x100 + (((x)>>16)&0xFF)]) \
61 ^ (s)[0x200 + (((x)>> 8)&0xFF)]) \
62 + (s)[0x300 + ( (x) &0xFF)])
63
64#define BLFRND(s,p,i,j,n) (i ^= F(s,j) ^ (p)[n])
65
66void
67Blowfish_encipher(c, xl, xr)
68 blf_ctx *c;
69 u_int32_t *xl;
70 u_int32_t *xr;
71{
72 u_int32_t Xl;
73 u_int32_t Xr;
74 u_int32_t *s = c->S[0];
75 u_int32_t *p = c->P;
76
77 Xl = *xl;
78 Xr = *xr;
79
80 Xl ^= p[0];
81 BLFRND(s, p, Xr, Xl, 1); BLFRND(s, p, Xl, Xr, 2);
82 BLFRND(s, p, Xr, Xl, 3); BLFRND(s, p, Xl, Xr, 4);
83 BLFRND(s, p, Xr, Xl, 5); BLFRND(s, p, Xl, Xr, 6);
84 BLFRND(s, p, Xr, Xl, 7); BLFRND(s, p, Xl, Xr, 8);
85 BLFRND(s, p, Xr, Xl, 9); BLFRND(s, p, Xl, Xr, 10);
86 BLFRND(s, p, Xr, Xl, 11); BLFRND(s, p, Xl, Xr, 12);
87 BLFRND(s, p, Xr, Xl, 13); BLFRND(s, p, Xl, Xr, 14);
88 BLFRND(s, p, Xr, Xl, 15); BLFRND(s, p, Xl, Xr, 16);
89
90 *xl = Xr ^ p[17];
91 *xr = Xl;
92}
93
94void
95Blowfish_decipher(c, xl, xr)
96 blf_ctx *c;
97 u_int32_t *xl;
98 u_int32_t *xr;
99{
100 u_int32_t Xl;
101 u_int32_t Xr;
102 u_int32_t *s = c->S[0];
103 u_int32_t *p = c->P;
104
105 Xl = *xl;
106 Xr = *xr;
107
108 Xl ^= p[17];
109 BLFRND(s, p, Xr, Xl, 16); BLFRND(s, p, Xl, Xr, 15);
110 BLFRND(s, p, Xr, Xl, 14); BLFRND(s, p, Xl, Xr, 13);
111 BLFRND(s, p, Xr, Xl, 12); BLFRND(s, p, Xl, Xr, 11);
112 BLFRND(s, p, Xr, Xl, 10); BLFRND(s, p, Xl, Xr, 9);
113 BLFRND(s, p, Xr, Xl, 8); BLFRND(s, p, Xl, Xr, 7);
114 BLFRND(s, p, Xr, Xl, 6); BLFRND(s, p, Xl, Xr, 5);
115 BLFRND(s, p, Xr, Xl, 4); BLFRND(s, p, Xl, Xr, 3);
116 BLFRND(s, p, Xr, Xl, 2); BLFRND(s, p, Xl, Xr, 1);
117
118 *xl = Xr ^ p[0];
119 *xr = Xl;
120}
121
122void
123Blowfish_initstate(c)
124 blf_ctx *c;
125{
126
127/* P-box and S-box tables initialized with digits of Pi */
128
129 static const blf_ctx initstate =
130
131 { {
132 {
133 0xd1310ba6, 0x98dfb5ac, 0x2ffd72db, 0xd01adfb7,
134 0xb8e1afed, 0x6a267e96, 0xba7c9045, 0xf12c7f99,
135 0x24a19947, 0xb3916cf7, 0x0801f2e2, 0x858efc16,
136 0x636920d8, 0x71574e69, 0xa458fea3, 0xf4933d7e,
137 0x0d95748f, 0x728eb658, 0x718bcd58, 0x82154aee,
138 0x7b54a41d, 0xc25a59b5, 0x9c30d539, 0x2af26013,
139 0xc5d1b023, 0x286085f0, 0xca417918, 0xb8db38ef,
140 0x8e79dcb0, 0x603a180e, 0x6c9e0e8b, 0xb01e8a3e,
141 0xd71577c1, 0xbd314b27, 0x78af2fda, 0x55605c60,
142 0xe65525f3, 0xaa55ab94, 0x57489862, 0x63e81440,
143 0x55ca396a, 0x2aab10b6, 0xb4cc5c34, 0x1141e8ce,
144 0xa15486af, 0x7c72e993, 0xb3ee1411, 0x636fbc2a,
145 0x2ba9c55d, 0x741831f6, 0xce5c3e16, 0x9b87931e,
146 0xafd6ba33, 0x6c24cf5c, 0x7a325381, 0x28958677,
147 0x3b8f4898, 0x6b4bb9af, 0xc4bfe81b, 0x66282193,
148 0x61d809cc, 0xfb21a991, 0x487cac60, 0x5dec8032,
149 0xef845d5d, 0xe98575b1, 0xdc262302, 0xeb651b88,
150 0x23893e81, 0xd396acc5, 0x0f6d6ff3, 0x83f44239,
151 0x2e0b4482, 0xa4842004, 0x69c8f04a, 0x9e1f9b5e,
152 0x21c66842, 0xf6e96c9a, 0x670c9c61, 0xabd388f0,
153 0x6a51a0d2, 0xd8542f68, 0x960fa728, 0xab5133a3,
154 0x6eef0b6c, 0x137a3be4, 0xba3bf050, 0x7efb2a98,
155 0xa1f1651d, 0x39af0176, 0x66ca593e, 0x82430e88,
156 0x8cee8619, 0x456f9fb4, 0x7d84a5c3, 0x3b8b5ebe,
157 0xe06f75d8, 0x85c12073, 0x401a449f, 0x56c16aa6,
158 0x4ed3aa62, 0x363f7706, 0x1bfedf72, 0x429b023d,
159 0x37d0d724, 0xd00a1248, 0xdb0fead3, 0x49f1c09b,
160 0x075372c9, 0x80991b7b, 0x25d479d8, 0xf6e8def7,
161 0xe3fe501a, 0xb6794c3b, 0x976ce0bd, 0x04c006ba,
162 0xc1a94fb6, 0x409f60c4, 0x5e5c9ec2, 0x196a2463,
163 0x68fb6faf, 0x3e6c53b5, 0x1339b2eb, 0x3b52ec6f,
164 0x6dfc511f, 0x9b30952c, 0xcc814544, 0xaf5ebd09,
165 0xbee3d004, 0xde334afd, 0x660f2807, 0x192e4bb3,
166 0xc0cba857, 0x45c8740f, 0xd20b5f39, 0xb9d3fbdb,
167 0x5579c0bd, 0x1a60320a, 0xd6a100c6, 0x402c7279,
168 0x679f25fe, 0xfb1fa3cc, 0x8ea5e9f8, 0xdb3222f8,
169 0x3c7516df, 0xfd616b15, 0x2f501ec8, 0xad0552ab,
170 0x323db5fa, 0xfd238760, 0x53317b48, 0x3e00df82,
171 0x9e5c57bb, 0xca6f8ca0, 0x1a87562e, 0xdf1769db,
172 0xd542a8f6, 0x287effc3, 0xac6732c6, 0x8c4f5573,
173 0x695b27b0, 0xbbca58c8, 0xe1ffa35d, 0xb8f011a0,
174 0x10fa3d98, 0xfd2183b8, 0x4afcb56c, 0x2dd1d35b,
175 0x9a53e479, 0xb6f84565, 0xd28e49bc, 0x4bfb9790,
176 0xe1ddf2da, 0xa4cb7e33, 0x62fb1341, 0xcee4c6e8,
177 0xef20cada, 0x36774c01, 0xd07e9efe, 0x2bf11fb4,
178 0x95dbda4d, 0xae909198, 0xeaad8e71, 0x6b93d5a0,
179 0xd08ed1d0, 0xafc725e0, 0x8e3c5b2f, 0x8e7594b7,
180 0x8ff6e2fb, 0xf2122b64, 0x8888b812, 0x900df01c,
181 0x4fad5ea0, 0x688fc31c, 0xd1cff191, 0xb3a8c1ad,
182 0x2f2f2218, 0xbe0e1777, 0xea752dfe, 0x8b021fa1,
183 0xe5a0cc0f, 0xb56f74e8, 0x18acf3d6, 0xce89e299,
184 0xb4a84fe0, 0xfd13e0b7, 0x7cc43b81, 0xd2ada8d9,
185 0x165fa266, 0x80957705, 0x93cc7314, 0x211a1477,
186 0xe6ad2065, 0x77b5fa86, 0xc75442f5, 0xfb9d35cf,
187 0xebcdaf0c, 0x7b3e89a0, 0xd6411bd3, 0xae1e7e49,
188 0x00250e2d, 0x2071b35e, 0x226800bb, 0x57b8e0af,
189 0x2464369b, 0xf009b91e, 0x5563911d, 0x59dfa6aa,
190 0x78c14389, 0xd95a537f, 0x207d5ba2, 0x02e5b9c5,
191 0x83260376, 0x6295cfa9, 0x11c81968, 0x4e734a41,
192 0xb3472dca, 0x7b14a94a, 0x1b510052, 0x9a532915,
193 0xd60f573f, 0xbc9bc6e4, 0x2b60a476, 0x81e67400,
194 0x08ba6fb5, 0x571be91f, 0xf296ec6b, 0x2a0dd915,
195 0xb6636521, 0xe7b9f9b6, 0xff34052e, 0xc5855664,
196 0x53b02d5d, 0xa99f8fa1, 0x08ba4799, 0x6e85076a},
197 {
198 0x4b7a70e9, 0xb5b32944, 0xdb75092e, 0xc4192623,
199 0xad6ea6b0, 0x49a7df7d, 0x9cee60b8, 0x8fedb266,
200 0xecaa8c71, 0x699a17ff, 0x5664526c, 0xc2b19ee1,
201 0x193602a5, 0x75094c29, 0xa0591340, 0xe4183a3e,
202 0x3f54989a, 0x5b429d65, 0x6b8fe4d6, 0x99f73fd6,
203 0xa1d29c07, 0xefe830f5, 0x4d2d38e6, 0xf0255dc1,
204 0x4cdd2086, 0x8470eb26, 0x6382e9c6, 0x021ecc5e,
205 0x09686b3f, 0x3ebaefc9, 0x3c971814, 0x6b6a70a1,
206 0x687f3584, 0x52a0e286, 0xb79c5305, 0xaa500737,
207 0x3e07841c, 0x7fdeae5c, 0x8e7d44ec, 0x5716f2b8,
208 0xb03ada37, 0xf0500c0d, 0xf01c1f04, 0x0200b3ff,
209 0xae0cf51a, 0x3cb574b2, 0x25837a58, 0xdc0921bd,
210 0xd19113f9, 0x7ca92ff6, 0x94324773, 0x22f54701,
211 0x3ae5e581, 0x37c2dadc, 0xc8b57634, 0x9af3dda7,
212 0xa9446146, 0x0fd0030e, 0xecc8c73e, 0xa4751e41,
213 0xe238cd99, 0x3bea0e2f, 0x3280bba1, 0x183eb331,
214 0x4e548b38, 0x4f6db908, 0x6f420d03, 0xf60a04bf,
215 0x2cb81290, 0x24977c79, 0x5679b072, 0xbcaf89af,
216 0xde9a771f, 0xd9930810, 0xb38bae12, 0xdccf3f2e,
217 0x5512721f, 0x2e6b7124, 0x501adde6, 0x9f84cd87,
218 0x7a584718, 0x7408da17, 0xbc9f9abc, 0xe94b7d8c,
219 0xec7aec3a, 0xdb851dfa, 0x63094366, 0xc464c3d2,
220 0xef1c1847, 0x3215d908, 0xdd433b37, 0x24c2ba16,
221 0x12a14d43, 0x2a65c451, 0x50940002, 0x133ae4dd,
222 0x71dff89e, 0x10314e55, 0x81ac77d6, 0x5f11199b,
223 0x043556f1, 0xd7a3c76b, 0x3c11183b, 0x5924a509,
224 0xf28fe6ed, 0x97f1fbfa, 0x9ebabf2c, 0x1e153c6e,
225 0x86e34570, 0xeae96fb1, 0x860e5e0a, 0x5a3e2ab3,
226 0x771fe71c, 0x4e3d06fa, 0x2965dcb9, 0x99e71d0f,
227 0x803e89d6, 0x5266c825, 0x2e4cc978, 0x9c10b36a,
228 0xc6150eba, 0x94e2ea78, 0xa5fc3c53, 0x1e0a2df4,
229 0xf2f74ea7, 0x361d2b3d, 0x1939260f, 0x19c27960,
230 0x5223a708, 0xf71312b6, 0xebadfe6e, 0xeac31f66,
231 0xe3bc4595, 0xa67bc883, 0xb17f37d1, 0x018cff28,
232 0xc332ddef, 0xbe6c5aa5, 0x65582185, 0x68ab9802,
233 0xeecea50f, 0xdb2f953b, 0x2aef7dad, 0x5b6e2f84,
234 0x1521b628, 0x29076170, 0xecdd4775, 0x619f1510,
235 0x13cca830, 0xeb61bd96, 0x0334fe1e, 0xaa0363cf,
236 0xb5735c90, 0x4c70a239, 0xd59e9e0b, 0xcbaade14,
237 0xeecc86bc, 0x60622ca7, 0x9cab5cab, 0xb2f3846e,
238 0x648b1eaf, 0x19bdf0ca, 0xa02369b9, 0x655abb50,
239 0x40685a32, 0x3c2ab4b3, 0x319ee9d5, 0xc021b8f7,
240 0x9b540b19, 0x875fa099, 0x95f7997e, 0x623d7da8,
241 0xf837889a, 0x97e32d77, 0x11ed935f, 0x16681281,
242 0x0e358829, 0xc7e61fd6, 0x96dedfa1, 0x7858ba99,
243 0x57f584a5, 0x1b227263, 0x9b83c3ff, 0x1ac24696,
244 0xcdb30aeb, 0x532e3054, 0x8fd948e4, 0x6dbc3128,
245 0x58ebf2ef, 0x34c6ffea, 0xfe28ed61, 0xee7c3c73,
246 0x5d4a14d9, 0xe864b7e3, 0x42105d14, 0x203e13e0,
247 0x45eee2b6, 0xa3aaabea, 0xdb6c4f15, 0xfacb4fd0,
248 0xc742f442, 0xef6abbb5, 0x654f3b1d, 0x41cd2105,
249 0xd81e799e, 0x86854dc7, 0xe44b476a, 0x3d816250,
250 0xcf62a1f2, 0x5b8d2646, 0xfc8883a0, 0xc1c7b6a3,
251 0x7f1524c3, 0x69cb7492, 0x47848a0b, 0x5692b285,
252 0x095bbf00, 0xad19489d, 0x1462b174, 0x23820e00,
253 0x58428d2a, 0x0c55f5ea, 0x1dadf43e, 0x233f7061,
254 0x3372f092, 0x8d937e41, 0xd65fecf1, 0x6c223bdb,
255 0x7cde3759, 0xcbee7460, 0x4085f2a7, 0xce77326e,
256 0xa6078084, 0x19f8509e, 0xe8efd855, 0x61d99735,
257 0xa969a7aa, 0xc50c06c2, 0x5a04abfc, 0x800bcadc,
258 0x9e447a2e, 0xc3453484, 0xfdd56705, 0x0e1e9ec9,
259 0xdb73dbd3, 0x105588cd, 0x675fda79, 0xe3674340,
260 0xc5c43465, 0x713e38d8, 0x3d28f89e, 0xf16dff20,
261 0x153e21e7, 0x8fb03d4a, 0xe6e39f2b, 0xdb83adf7},
262 {
263 0xe93d5a68, 0x948140f7, 0xf64c261c, 0x94692934,
264 0x411520f7, 0x7602d4f7, 0xbcf46b2e, 0xd4a20068,
265 0xd4082471, 0x3320f46a, 0x43b7d4b7, 0x500061af,
266 0x1e39f62e, 0x97244546, 0x14214f74, 0xbf8b8840,
267 0x4d95fc1d, 0x96b591af, 0x70f4ddd3, 0x66a02f45,
268 0xbfbc09ec, 0x03bd9785, 0x7fac6dd0, 0x31cb8504,
269 0x96eb27b3, 0x55fd3941, 0xda2547e6, 0xabca0a9a,
270 0x28507825, 0x530429f4, 0x0a2c86da, 0xe9b66dfb,
271 0x68dc1462, 0xd7486900, 0x680ec0a4, 0x27a18dee,
272 0x4f3ffea2, 0xe887ad8c, 0xb58ce006, 0x7af4d6b6,
273 0xaace1e7c, 0xd3375fec, 0xce78a399, 0x406b2a42,
274 0x20fe9e35, 0xd9f385b9, 0xee39d7ab, 0x3b124e8b,
275 0x1dc9faf7, 0x4b6d1856, 0x26a36631, 0xeae397b2,
276 0x3a6efa74, 0xdd5b4332, 0x6841e7f7, 0xca7820fb,
277 0xfb0af54e, 0xd8feb397, 0x454056ac, 0xba489527,
278 0x55533a3a, 0x20838d87, 0xfe6ba9b7, 0xd096954b,
279 0x55a867bc, 0xa1159a58, 0xcca92963, 0x99e1db33,
280 0xa62a4a56, 0x3f3125f9, 0x5ef47e1c, 0x9029317c,
281 0xfdf8e802, 0x04272f70, 0x80bb155c, 0x05282ce3,
282 0x95c11548, 0xe4c66d22, 0x48c1133f, 0xc70f86dc,
283 0x07f9c9ee, 0x41041f0f, 0x404779a4, 0x5d886e17,
284 0x325f51eb, 0xd59bc0d1, 0xf2bcc18f, 0x41113564,
285 0x257b7834, 0x602a9c60, 0xdff8e8a3, 0x1f636c1b,
286 0x0e12b4c2, 0x02e1329e, 0xaf664fd1, 0xcad18115,
287 0x6b2395e0, 0x333e92e1, 0x3b240b62, 0xeebeb922,
288 0x85b2a20e, 0xe6ba0d99, 0xde720c8c, 0x2da2f728,
289 0xd0127845, 0x95b794fd, 0x647d0862, 0xe7ccf5f0,
290 0x5449a36f, 0x877d48fa, 0xc39dfd27, 0xf33e8d1e,
291 0x0a476341, 0x992eff74, 0x3a6f6eab, 0xf4f8fd37,
292 0xa812dc60, 0xa1ebddf8, 0x991be14c, 0xdb6e6b0d,
293 0xc67b5510, 0x6d672c37, 0x2765d43b, 0xdcd0e804,
294 0xf1290dc7, 0xcc00ffa3, 0xb5390f92, 0x690fed0b,
295 0x667b9ffb, 0xcedb7d9c, 0xa091cf0b, 0xd9155ea3,
296 0xbb132f88, 0x515bad24, 0x7b9479bf, 0x763bd6eb,
297 0x37392eb3, 0xcc115979, 0x8026e297, 0xf42e312d,
298 0x6842ada7, 0xc66a2b3b, 0x12754ccc, 0x782ef11c,
299 0x6a124237, 0xb79251e7, 0x06a1bbe6, 0x4bfb6350,
300 0x1a6b1018, 0x11caedfa, 0x3d25bdd8, 0xe2e1c3c9,
301 0x44421659, 0x0a121386, 0xd90cec6e, 0xd5abea2a,
302 0x64af674e, 0xda86a85f, 0xbebfe988, 0x64e4c3fe,
303 0x9dbc8057, 0xf0f7c086, 0x60787bf8, 0x6003604d,
304 0xd1fd8346, 0xf6381fb0, 0x7745ae04, 0xd736fccc,
305 0x83426b33, 0xf01eab71, 0xb0804187, 0x3c005e5f,
306 0x77a057be, 0xbde8ae24, 0x55464299, 0xbf582e61,
307 0x4e58f48f, 0xf2ddfda2, 0xf474ef38, 0x8789bdc2,
308 0x5366f9c3, 0xc8b38e74, 0xb475f255, 0x46fcd9b9,
309 0x7aeb2661, 0x8b1ddf84, 0x846a0e79, 0x915f95e2,
310 0x466e598e, 0x20b45770, 0x8cd55591, 0xc902de4c,
311 0xb90bace1, 0xbb8205d0, 0x11a86248, 0x7574a99e,
312 0xb77f19b6, 0xe0a9dc09, 0x662d09a1, 0xc4324633,
313 0xe85a1f02, 0x09f0be8c, 0x4a99a025, 0x1d6efe10,
314 0x1ab93d1d, 0x0ba5a4df, 0xa186f20f, 0x2868f169,
315 0xdcb7da83, 0x573906fe, 0xa1e2ce9b, 0x4fcd7f52,
316 0x50115e01, 0xa70683fa, 0xa002b5c4, 0x0de6d027,
317 0x9af88c27, 0x773f8641, 0xc3604c06, 0x61a806b5,
318 0xf0177a28, 0xc0f586e0, 0x006058aa, 0x30dc7d62,
319 0x11e69ed7, 0x2338ea63, 0x53c2dd94, 0xc2c21634,
320 0xbbcbee56, 0x90bcb6de, 0xebfc7da1, 0xce591d76,
321 0x6f05e409, 0x4b7c0188, 0x39720a3d, 0x7c927c24,
322 0x86e3725f, 0x724d9db9, 0x1ac15bb4, 0xd39eb8fc,
323 0xed545578, 0x08fca5b5, 0xd83d7cd3, 0x4dad0fc4,
324 0x1e50ef5e, 0xb161e6f8, 0xa28514d9, 0x6c51133c,
325 0x6fd5c7e7, 0x56e14ec4, 0x362abfce, 0xddc6c837,
326 0xd79a3234, 0x92638212, 0x670efa8e, 0x406000e0},
327 {
328 0x3a39ce37, 0xd3faf5cf, 0xabc27737, 0x5ac52d1b,
329 0x5cb0679e, 0x4fa33742, 0xd3822740, 0x99bc9bbe,
330 0xd5118e9d, 0xbf0f7315, 0xd62d1c7e, 0xc700c47b,
331 0xb78c1b6b, 0x21a19045, 0xb26eb1be, 0x6a366eb4,
332 0x5748ab2f, 0xbc946e79, 0xc6a376d2, 0x6549c2c8,
333 0x530ff8ee, 0x468dde7d, 0xd5730a1d, 0x4cd04dc6,
334 0x2939bbdb, 0xa9ba4650, 0xac9526e8, 0xbe5ee304,
335 0xa1fad5f0, 0x6a2d519a, 0x63ef8ce2, 0x9a86ee22,
336 0xc089c2b8, 0x43242ef6, 0xa51e03aa, 0x9cf2d0a4,
337 0x83c061ba, 0x9be96a4d, 0x8fe51550, 0xba645bd6,
338 0x2826a2f9, 0xa73a3ae1, 0x4ba99586, 0xef5562e9,
339 0xc72fefd3, 0xf752f7da, 0x3f046f69, 0x77fa0a59,
340 0x80e4a915, 0x87b08601, 0x9b09e6ad, 0x3b3ee593,
341 0xe990fd5a, 0x9e34d797, 0x2cf0b7d9, 0x022b8b51,
342 0x96d5ac3a, 0x017da67d, 0xd1cf3ed6, 0x7c7d2d28,
343 0x1f9f25cf, 0xadf2b89b, 0x5ad6b472, 0x5a88f54c,
344 0xe029ac71, 0xe019a5e6, 0x47b0acfd, 0xed93fa9b,
345 0xe8d3c48d, 0x283b57cc, 0xf8d56629, 0x79132e28,
346 0x785f0191, 0xed756055, 0xf7960e44, 0xe3d35e8c,
347 0x15056dd4, 0x88f46dba, 0x03a16125, 0x0564f0bd,
348 0xc3eb9e15, 0x3c9057a2, 0x97271aec, 0xa93a072a,
349 0x1b3f6d9b, 0x1e6321f5, 0xf59c66fb, 0x26dcf319,
350 0x7533d928, 0xb155fdf5, 0x03563482, 0x8aba3cbb,
351 0x28517711, 0xc20ad9f8, 0xabcc5167, 0xccad925f,
352 0x4de81751, 0x3830dc8e, 0x379d5862, 0x9320f991,
353 0xea7a90c2, 0xfb3e7bce, 0x5121ce64, 0x774fbe32,
354 0xa8b6e37e, 0xc3293d46, 0x48de5369, 0x6413e680,
355 0xa2ae0810, 0xdd6db224, 0x69852dfd, 0x09072166,
356 0xb39a460a, 0x6445c0dd, 0x586cdecf, 0x1c20c8ae,
357 0x5bbef7dd, 0x1b588d40, 0xccd2017f, 0x6bb4e3bb,
358 0xdda26a7e, 0x3a59ff45, 0x3e350a44, 0xbcb4cdd5,
359 0x72eacea8, 0xfa6484bb, 0x8d6612ae, 0xbf3c6f47,
360 0xd29be463, 0x542f5d9e, 0xaec2771b, 0xf64e6370,
361 0x740e0d8d, 0xe75b1357, 0xf8721671, 0xaf537d5d,
362 0x4040cb08, 0x4eb4e2cc, 0x34d2466a, 0x0115af84,
363 0xe1b00428, 0x95983a1d, 0x06b89fb4, 0xce6ea048,
364 0x6f3f3b82, 0x3520ab82, 0x011a1d4b, 0x277227f8,
365 0x611560b1, 0xe7933fdc, 0xbb3a792b, 0x344525bd,
366 0xa08839e1, 0x51ce794b, 0x2f32c9b7, 0xa01fbac9,
367 0xe01cc87e, 0xbcc7d1f6, 0xcf0111c3, 0xa1e8aac7,
368 0x1a908749, 0xd44fbd9a, 0xd0dadecb, 0xd50ada38,
369 0x0339c32a, 0xc6913667, 0x8df9317c, 0xe0b12b4f,
370 0xf79e59b7, 0x43f5bb3a, 0xf2d519ff, 0x27d9459c,
371 0xbf97222c, 0x15e6fc2a, 0x0f91fc71, 0x9b941525,
372 0xfae59361, 0xceb69ceb, 0xc2a86459, 0x12baa8d1,
373 0xb6c1075e, 0xe3056a0c, 0x10d25065, 0xcb03a442,
374 0xe0ec6e0e, 0x1698db3b, 0x4c98a0be, 0x3278e964,
375 0x9f1f9532, 0xe0d392df, 0xd3a0342b, 0x8971f21e,
376 0x1b0a7441, 0x4ba3348c, 0xc5be7120, 0xc37632d8,
377 0xdf359f8d, 0x9b992f2e, 0xe60b6f47, 0x0fe3f11d,
378 0xe54cda54, 0x1edad891, 0xce6279cf, 0xcd3e7e6f,
379 0x1618b166, 0xfd2c1d05, 0x848fd2c5, 0xf6fb2299,
380 0xf523f357, 0xa6327623, 0x93a83531, 0x56cccd02,
381 0xacf08162, 0x5a75ebb5, 0x6e163697, 0x88d273cc,
382 0xde966292, 0x81b949d0, 0x4c50901b, 0x71c65614,
383 0xe6c6c7bd, 0x327a140a, 0x45e1d006, 0xc3f27b9a,
384 0xc9aa53fd, 0x62a80f00, 0xbb25bfe2, 0x35bdd2f6,
385 0x71126905, 0xb2040222, 0xb6cbcf7c, 0xcd769c2b,
386 0x53113ec0, 0x1640e3d3, 0x38abbd60, 0x2547adf0,
387 0xba38209c, 0xf746ce76, 0x77afa1c5, 0x20756060,
388 0x85cbfe4e, 0x8ae88dd8, 0x7aaaf9b0, 0x4cf9aa7e,
389 0x1948c25c, 0x02fb8a8c, 0x01c36ae4, 0xd6ebe1f9,
390 0x90d4f869, 0xa65cdea0, 0x3f09252d, 0xc208e69f,
391 0xb74e6132, 0xce77e25b, 0x578fdfe3, 0x3ac372e6}
392 },
393 {
394 0x243f6a88, 0x85a308d3, 0x13198a2e, 0x03707344,
395 0xa4093822, 0x299f31d0, 0x082efa98, 0xec4e6c89,
396 0x452821e6, 0x38d01377, 0xbe5466cf, 0x34e90c6c,
397 0xc0ac29b7, 0xc97c50dd, 0x3f84d5b5, 0xb5470917,
398 0x9216d5d9, 0x8979fb1b
399 } };
400
401 *c = initstate;
402
403}
404
405u_int32_t
406Blowfish_stream2word(const u_int8_t *data, u_int16_t databytes, u_int16_t *current)
407{
408 u_int8_t i;
409 u_int16_t j;
410 u_int32_t temp;
411
412 temp = 0x00000000;
413 j = *current;
414
415 for (i = 0; i < 4; i++, j++) {
416 if (j >= databytes)
417 j = 0;
418 temp = (temp << 8) | data[j];
419 }
420
421 *current = j;
422 return temp;
423}
424
425void
426Blowfish_expand0state(blf_ctx *c, const u_int8_t *key, u_int16_t keybytes)
427{
428 u_int16_t i;
429 u_int16_t j;
430 u_int16_t k;
431 u_int32_t temp;
432 u_int32_t datal;
433 u_int32_t datar;
434
435 j = 0;
436 for (i = 0; i < BLF_N + 2; i++) {
437 /* Extract 4 int8 to 1 int32 from keystream */
438 temp = Blowfish_stream2word(key, keybytes, &j);
439 c->P[i] = c->P[i] ^ temp;
440 }
441
442 j = 0;
443 datal = 0x00000000;
444 datar = 0x00000000;
445 for (i = 0; i < BLF_N + 2; i += 2) {
446 Blowfish_encipher(c, &datal, &datar);
447
448 c->P[i] = datal;
449 c->P[i + 1] = datar;
450 }
451
452 for (i = 0; i < 4; i++) {
453 for (k = 0; k < 256; k += 2) {
454 Blowfish_encipher(c, &datal, &datar);
455
456 c->S[i][k] = datal;
457 c->S[i][k + 1] = datar;
458 }
459 }
460}
461
462
463void
464Blowfish_expandstate(blf_ctx *c, const u_int8_t *data, u_int16_t databytes,
465 const u_int8_t *key, u_int16_t keybytes)
466{
467 u_int16_t i;
468 u_int16_t j;
469 u_int16_t k;
470 u_int32_t temp;
471 u_int32_t datal;
472 u_int32_t datar;
473
474 j = 0;
475 for (i = 0; i < BLF_N + 2; i++) {
476 /* Extract 4 int8 to 1 int32 from keystream */
477 temp = Blowfish_stream2word(key, keybytes, &j);
478 c->P[i] = c->P[i] ^ temp;
479 }
480
481 j = 0;
482 datal = 0x00000000;
483 datar = 0x00000000;
484 for (i = 0; i < BLF_N + 2; i += 2) {
485 datal ^= Blowfish_stream2word(data, databytes, &j);
486 datar ^= Blowfish_stream2word(data, databytes, &j);
487 Blowfish_encipher(c, &datal, &datar);
488
489 c->P[i] = datal;
490 c->P[i + 1] = datar;
491 }
492
493 for (i = 0; i < 4; i++) {
494 for (k = 0; k < 256; k += 2) {
495 datal ^= Blowfish_stream2word(data, databytes, &j);
496 datar ^= Blowfish_stream2word(data, databytes, &j);
497 Blowfish_encipher(c, &datal, &datar);
498
499 c->S[i][k] = datal;
500 c->S[i][k + 1] = datar;
501 }
502 }
503
504}
505
506void
507blf_key(blf_ctx *c, const u_int8_t *k, u_int16_t len)
508{
509 /* Initialize S-boxes and subkeys with Pi */
510 Blowfish_initstate(c);
511
512 /* Transform S-boxes and subkeys with key */
513 Blowfish_expand0state(c, k, len);
514}
515
516void
517blf_enc(blf_ctx *c, u_int32_t *data, u_int16_t blocks)
518{
519 u_int32_t *d;
520 u_int16_t i;
521
522 d = data;
523 for (i = 0; i < blocks; i++) {
524 Blowfish_encipher(c, d, d + 1);
525 d += 2;
526 }
527}
528
529void
530blf_dec(blf_ctx *c, u_int32_t *data, u_int16_t blocks)
531{
532 u_int32_t *d;
533 u_int16_t i;
534
535 d = data;
536 for (i = 0; i < blocks; i++) {
537 Blowfish_decipher(c, d, d + 1);
538 d += 2;
539 }
540}
541
542void
543blf_ecb_encrypt(blf_ctx *c, u_int8_t *data, u_int32_t len)
544{
545 u_int32_t l, r;
546 u_int32_t i;
547
548 for (i = 0; i < len; i += 8) {
549 l = data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3];
550 r = data[4] << 24 | data[5] << 16 | data[6] << 8 | data[7];
551 Blowfish_encipher(c, &l, &r);
552 data[0] = l >> 24 & 0xff;
553 data[1] = l >> 16 & 0xff;
554 data[2] = l >> 8 & 0xff;
555 data[3] = l & 0xff;
556 data[4] = r >> 24 & 0xff;
557 data[5] = r >> 16 & 0xff;
558 data[6] = r >> 8 & 0xff;
559 data[7] = r & 0xff;
560 data += 8;
561 }
562}
563
564void
565blf_ecb_decrypt(blf_ctx *c, u_int8_t *data, u_int32_t len)
566{
567 u_int32_t l, r;
568 u_int32_t i;
569
570 for (i = 0; i < len; i += 8) {
571 l = data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3];
572 r = data[4] << 24 | data[5] << 16 | data[6] << 8 | data[7];
573 Blowfish_decipher(c, &l, &r);
574 data[0] = l >> 24 & 0xff;
575 data[1] = l >> 16 & 0xff;
576 data[2] = l >> 8 & 0xff;
577 data[3] = l & 0xff;
578 data[4] = r >> 24 & 0xff;
579 data[5] = r >> 16 & 0xff;
580 data[6] = r >> 8 & 0xff;
581 data[7] = r & 0xff;
582 data += 8;
583 }
584}
585
586void
587blf_cbc_encrypt(blf_ctx *c, u_int8_t *iv, u_int8_t *data, u_int32_t len)
588{
589 u_int32_t l, r;
590 u_int32_t i, j;
591
592 for (i = 0; i < len; i += 8) {
593 for (j = 0; j < 8; j++)
594 data[j] ^= iv[j];
595 l = data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3];
596 r = data[4] << 24 | data[5] << 16 | data[6] << 8 | data[7];
597 Blowfish_encipher(c, &l, &r);
598 data[0] = l >> 24 & 0xff;
599 data[1] = l >> 16 & 0xff;
600 data[2] = l >> 8 & 0xff;
601 data[3] = l & 0xff;
602 data[4] = r >> 24 & 0xff;
603 data[5] = r >> 16 & 0xff;
604 data[6] = r >> 8 & 0xff;
605 data[7] = r & 0xff;
606 iv = data;
607 data += 8;
608 }
609}
610
611void
612blf_cbc_decrypt(blf_ctx *c, u_int8_t *iva, u_int8_t *data, u_int32_t len)
613{
614 u_int32_t l, r;
615 u_int8_t *iv;
616 u_int32_t i, j;
617
618 iv = data + len - 16;
619 data = data + len - 8;
620 for (i = len - 8; i >= 8; i -= 8) {
621 l = data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3];
622 r = data[4] << 24 | data[5] << 16 | data[6] << 8 | data[7];
623 Blowfish_decipher(c, &l, &r);
624 data[0] = l >> 24 & 0xff;
625 data[1] = l >> 16 & 0xff;
626 data[2] = l >> 8 & 0xff;
627 data[3] = l & 0xff;
628 data[4] = r >> 24 & 0xff;
629 data[5] = r >> 16 & 0xff;
630 data[6] = r >> 8 & 0xff;
631 data[7] = r & 0xff;
632 for (j = 0; j < 8; j++)
633 data[j] ^= iv[j];
634 iv -= 8;
635 data -= 8;
636 }
637 l = data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3];
638 r = data[4] << 24 | data[5] << 16 | data[6] << 8 | data[7];
639 Blowfish_decipher(c, &l, &r);
640 data[0] = l >> 24 & 0xff;
641 data[1] = l >> 16 & 0xff;
642 data[2] = l >> 8 & 0xff;
643 data[3] = l & 0xff;
644 data[4] = r >> 24 & 0xff;
645 data[5] = r >> 16 & 0xff;
646 data[6] = r >> 8 & 0xff;
647 data[7] = r & 0xff;
648 for (j = 0; j < 8; j++)
649 data[j] ^= iva[j];
650}
651
652#if 0
653void
654report(u_int32_t data[], u_int16_t len)
655{
656 u_int16_t i;
657 for (i = 0; i < len; i += 2)
658 printf("Block %0hd: %08lx %08lx.\n",
659 i / 2, data[i], data[i + 1]);
660}
661void
662main(void)
663{
664
665 blf_ctx c;
666 char key[] = "AAAAA";
667 char key2[] = "abcdefghijklmnopqrstuvwxyz";
668
669 u_int32_t data[10];
670 u_int32_t data2[] =
671 {0x424c4f57l, 0x46495348l};
672
673 u_int16_t i;
674
675 /* First test */
676 for (i = 0; i < 10; i++)
677 data[i] = i;
678
679 blf_key(&c, (u_int8_t *) key, 5);
680 blf_enc(&c, data, 5);
681 blf_dec(&c, data, 1);
682 blf_dec(&c, data + 2, 4);
683 printf("Should read as 0 - 9.\n");
684 report(data, 10);
685
686 /* Second test */
687 blf_key(&c, (u_int8_t *) key2, strlen(key2));
688 blf_enc(&c, data2, 1);
689 printf("\nShould read as: 0x324ed0fe 0xf413a203.\n");
690 report(data2, 2);
691 blf_dec(&c, data2, 1);
692 report(data2, 2);
693}
694#endif
diff --git a/src/lib/libc/crypt/cast.c b/src/lib/libc/crypt/cast.c
new file mode 100644
index 0000000000..264138f03e
--- /dev/null
+++ b/src/lib/libc/crypt/cast.c
@@ -0,0 +1,779 @@
1/* $OpenBSD: cast.c,v 1.2 1998/07/21 22:42:03 provos Exp $ */
2/*
3 * CAST-128 in C
4 * Written by Steve Reid <sreid@sea-to-sky.net>
5 * 100% Public Domain - no warranty
6 * Released 1997.10.11
7 */
8
9#include <sys/types.h>
10
11#include <cast.h>
12
13/* CAST S-Boxes */
14
15static const u_int32_t cast_sbox1[256] = {
16 0x30FB40D4, 0x9FA0FF0B, 0x6BECCD2F, 0x3F258C7A,
17 0x1E213F2F, 0x9C004DD3, 0x6003E540, 0xCF9FC949,
18 0xBFD4AF27, 0x88BBBDB5, 0xE2034090, 0x98D09675,
19 0x6E63A0E0, 0x15C361D2, 0xC2E7661D, 0x22D4FF8E,
20 0x28683B6F, 0xC07FD059, 0xFF2379C8, 0x775F50E2,
21 0x43C340D3, 0xDF2F8656, 0x887CA41A, 0xA2D2BD2D,
22 0xA1C9E0D6, 0x346C4819, 0x61B76D87, 0x22540F2F,
23 0x2ABE32E1, 0xAA54166B, 0x22568E3A, 0xA2D341D0,
24 0x66DB40C8, 0xA784392F, 0x004DFF2F, 0x2DB9D2DE,
25 0x97943FAC, 0x4A97C1D8, 0x527644B7, 0xB5F437A7,
26 0xB82CBAEF, 0xD751D159, 0x6FF7F0ED, 0x5A097A1F,
27 0x827B68D0, 0x90ECF52E, 0x22B0C054, 0xBC8E5935,
28 0x4B6D2F7F, 0x50BB64A2, 0xD2664910, 0xBEE5812D,
29 0xB7332290, 0xE93B159F, 0xB48EE411, 0x4BFF345D,
30 0xFD45C240, 0xAD31973F, 0xC4F6D02E, 0x55FC8165,
31 0xD5B1CAAD, 0xA1AC2DAE, 0xA2D4B76D, 0xC19B0C50,
32 0x882240F2, 0x0C6E4F38, 0xA4E4BFD7, 0x4F5BA272,
33 0x564C1D2F, 0xC59C5319, 0xB949E354, 0xB04669FE,
34 0xB1B6AB8A, 0xC71358DD, 0x6385C545, 0x110F935D,
35 0x57538AD5, 0x6A390493, 0xE63D37E0, 0x2A54F6B3,
36 0x3A787D5F, 0x6276A0B5, 0x19A6FCDF, 0x7A42206A,
37 0x29F9D4D5, 0xF61B1891, 0xBB72275E, 0xAA508167,
38 0x38901091, 0xC6B505EB, 0x84C7CB8C, 0x2AD75A0F,
39 0x874A1427, 0xA2D1936B, 0x2AD286AF, 0xAA56D291,
40 0xD7894360, 0x425C750D, 0x93B39E26, 0x187184C9,
41 0x6C00B32D, 0x73E2BB14, 0xA0BEBC3C, 0x54623779,
42 0x64459EAB, 0x3F328B82, 0x7718CF82, 0x59A2CEA6,
43 0x04EE002E, 0x89FE78E6, 0x3FAB0950, 0x325FF6C2,
44 0x81383F05, 0x6963C5C8, 0x76CB5AD6, 0xD49974C9,
45 0xCA180DCF, 0x380782D5, 0xC7FA5CF6, 0x8AC31511,
46 0x35E79E13, 0x47DA91D0, 0xF40F9086, 0xA7E2419E,
47 0x31366241, 0x051EF495, 0xAA573B04, 0x4A805D8D,
48 0x548300D0, 0x00322A3C, 0xBF64CDDF, 0xBA57A68E,
49 0x75C6372B, 0x50AFD341, 0xA7C13275, 0x915A0BF5,
50 0x6B54BFAB, 0x2B0B1426, 0xAB4CC9D7, 0x449CCD82,
51 0xF7FBF265, 0xAB85C5F3, 0x1B55DB94, 0xAAD4E324,
52 0xCFA4BD3F, 0x2DEAA3E2, 0x9E204D02, 0xC8BD25AC,
53 0xEADF55B3, 0xD5BD9E98, 0xE31231B2, 0x2AD5AD6C,
54 0x954329DE, 0xADBE4528, 0xD8710F69, 0xAA51C90F,
55 0xAA786BF6, 0x22513F1E, 0xAA51A79B, 0x2AD344CC,
56 0x7B5A41F0, 0xD37CFBAD, 0x1B069505, 0x41ECE491,
57 0xB4C332E6, 0x032268D4, 0xC9600ACC, 0xCE387E6D,
58 0xBF6BB16C, 0x6A70FB78, 0x0D03D9C9, 0xD4DF39DE,
59 0xE01063DA, 0x4736F464, 0x5AD328D8, 0xB347CC96,
60 0x75BB0FC3, 0x98511BFB, 0x4FFBCC35, 0xB58BCF6A,
61 0xE11F0ABC, 0xBFC5FE4A, 0xA70AEC10, 0xAC39570A,
62 0x3F04442F, 0x6188B153, 0xE0397A2E, 0x5727CB79,
63 0x9CEB418F, 0x1CACD68D, 0x2AD37C96, 0x0175CB9D,
64 0xC69DFF09, 0xC75B65F0, 0xD9DB40D8, 0xEC0E7779,
65 0x4744EAD4, 0xB11C3274, 0xDD24CB9E, 0x7E1C54BD,
66 0xF01144F9, 0xD2240EB1, 0x9675B3FD, 0xA3AC3755,
67 0xD47C27AF, 0x51C85F4D, 0x56907596, 0xA5BB15E6,
68 0x580304F0, 0xCA042CF1, 0x011A37EA, 0x8DBFAADB,
69 0x35BA3E4A, 0x3526FFA0, 0xC37B4D09, 0xBC306ED9,
70 0x98A52666, 0x5648F725, 0xFF5E569D, 0x0CED63D0,
71 0x7C63B2CF, 0x700B45E1, 0xD5EA50F1, 0x85A92872,
72 0xAF1FBDA7, 0xD4234870, 0xA7870BF3, 0x2D3B4D79,
73 0x42E04198, 0x0CD0EDE7, 0x26470DB8, 0xF881814C,
74 0x474D6AD7, 0x7C0C5E5C, 0xD1231959, 0x381B7298,
75 0xF5D2F4DB, 0xAB838653, 0x6E2F1E23, 0x83719C9E,
76 0xBD91E046, 0x9A56456E, 0xDC39200C, 0x20C8C571,
77 0x962BDA1C, 0xE1E696FF, 0xB141AB08, 0x7CCA89B9,
78 0x1A69E783, 0x02CC4843, 0xA2F7C579, 0x429EF47D,
79 0x427B169C, 0x5AC9F049, 0xDD8F0F00, 0x5C8165BF
80};
81
82static const u_int32_t cast_sbox2[256] = {
83 0x1F201094, 0xEF0BA75B, 0x69E3CF7E, 0x393F4380,
84 0xFE61CF7A, 0xEEC5207A, 0x55889C94, 0x72FC0651,
85 0xADA7EF79, 0x4E1D7235, 0xD55A63CE, 0xDE0436BA,
86 0x99C430EF, 0x5F0C0794, 0x18DCDB7D, 0xA1D6EFF3,
87 0xA0B52F7B, 0x59E83605, 0xEE15B094, 0xE9FFD909,
88 0xDC440086, 0xEF944459, 0xBA83CCB3, 0xE0C3CDFB,
89 0xD1DA4181, 0x3B092AB1, 0xF997F1C1, 0xA5E6CF7B,
90 0x01420DDB, 0xE4E7EF5B, 0x25A1FF41, 0xE180F806,
91 0x1FC41080, 0x179BEE7A, 0xD37AC6A9, 0xFE5830A4,
92 0x98DE8B7F, 0x77E83F4E, 0x79929269, 0x24FA9F7B,
93 0xE113C85B, 0xACC40083, 0xD7503525, 0xF7EA615F,
94 0x62143154, 0x0D554B63, 0x5D681121, 0xC866C359,
95 0x3D63CF73, 0xCEE234C0, 0xD4D87E87, 0x5C672B21,
96 0x071F6181, 0x39F7627F, 0x361E3084, 0xE4EB573B,
97 0x602F64A4, 0xD63ACD9C, 0x1BBC4635, 0x9E81032D,
98 0x2701F50C, 0x99847AB4, 0xA0E3DF79, 0xBA6CF38C,
99 0x10843094, 0x2537A95E, 0xF46F6FFE, 0xA1FF3B1F,
100 0x208CFB6A, 0x8F458C74, 0xD9E0A227, 0x4EC73A34,
101 0xFC884F69, 0x3E4DE8DF, 0xEF0E0088, 0x3559648D,
102 0x8A45388C, 0x1D804366, 0x721D9BFD, 0xA58684BB,
103 0xE8256333, 0x844E8212, 0x128D8098, 0xFED33FB4,
104 0xCE280AE1, 0x27E19BA5, 0xD5A6C252, 0xE49754BD,
105 0xC5D655DD, 0xEB667064, 0x77840B4D, 0xA1B6A801,
106 0x84DB26A9, 0xE0B56714, 0x21F043B7, 0xE5D05860,
107 0x54F03084, 0x066FF472, 0xA31AA153, 0xDADC4755,
108 0xB5625DBF, 0x68561BE6, 0x83CA6B94, 0x2D6ED23B,
109 0xECCF01DB, 0xA6D3D0BA, 0xB6803D5C, 0xAF77A709,
110 0x33B4A34C, 0x397BC8D6, 0x5EE22B95, 0x5F0E5304,
111 0x81ED6F61, 0x20E74364, 0xB45E1378, 0xDE18639B,
112 0x881CA122, 0xB96726D1, 0x8049A7E8, 0x22B7DA7B,
113 0x5E552D25, 0x5272D237, 0x79D2951C, 0xC60D894C,
114 0x488CB402, 0x1BA4FE5B, 0xA4B09F6B, 0x1CA815CF,
115 0xA20C3005, 0x8871DF63, 0xB9DE2FCB, 0x0CC6C9E9,
116 0x0BEEFF53, 0xE3214517, 0xB4542835, 0x9F63293C,
117 0xEE41E729, 0x6E1D2D7C, 0x50045286, 0x1E6685F3,
118 0xF33401C6, 0x30A22C95, 0x31A70850, 0x60930F13,
119 0x73F98417, 0xA1269859, 0xEC645C44, 0x52C877A9,
120 0xCDFF33A6, 0xA02B1741, 0x7CBAD9A2, 0x2180036F,
121 0x50D99C08, 0xCB3F4861, 0xC26BD765, 0x64A3F6AB,
122 0x80342676, 0x25A75E7B, 0xE4E6D1FC, 0x20C710E6,
123 0xCDF0B680, 0x17844D3B, 0x31EEF84D, 0x7E0824E4,
124 0x2CCB49EB, 0x846A3BAE, 0x8FF77888, 0xEE5D60F6,
125 0x7AF75673, 0x2FDD5CDB, 0xA11631C1, 0x30F66F43,
126 0xB3FAEC54, 0x157FD7FA, 0xEF8579CC, 0xD152DE58,
127 0xDB2FFD5E, 0x8F32CE19, 0x306AF97A, 0x02F03EF8,
128 0x99319AD5, 0xC242FA0F, 0xA7E3EBB0, 0xC68E4906,
129 0xB8DA230C, 0x80823028, 0xDCDEF3C8, 0xD35FB171,
130 0x088A1BC8, 0xBEC0C560, 0x61A3C9E8, 0xBCA8F54D,
131 0xC72FEFFA, 0x22822E99, 0x82C570B4, 0xD8D94E89,
132 0x8B1C34BC, 0x301E16E6, 0x273BE979, 0xB0FFEAA6,
133 0x61D9B8C6, 0x00B24869, 0xB7FFCE3F, 0x08DC283B,
134 0x43DAF65A, 0xF7E19798, 0x7619B72F, 0x8F1C9BA4,
135 0xDC8637A0, 0x16A7D3B1, 0x9FC393B7, 0xA7136EEB,
136 0xC6BCC63E, 0x1A513742, 0xEF6828BC, 0x520365D6,
137 0x2D6A77AB, 0x3527ED4B, 0x821FD216, 0x095C6E2E,
138 0xDB92F2FB, 0x5EEA29CB, 0x145892F5, 0x91584F7F,
139 0x5483697B, 0x2667A8CC, 0x85196048, 0x8C4BACEA,
140 0x833860D4, 0x0D23E0F9, 0x6C387E8A, 0x0AE6D249,
141 0xB284600C, 0xD835731D, 0xDCB1C647, 0xAC4C56EA,
142 0x3EBD81B3, 0x230EABB0, 0x6438BC87, 0xF0B5B1FA,
143 0x8F5EA2B3, 0xFC184642, 0x0A036B7A, 0x4FB089BD,
144 0x649DA589, 0xA345415E, 0x5C038323, 0x3E5D3BB9,
145 0x43D79572, 0x7E6DD07C, 0x06DFDF1E, 0x6C6CC4EF,
146 0x7160A539, 0x73BFBE70, 0x83877605, 0x4523ECF1
147};
148
149static const u_int32_t cast_sbox3[256] = {
150 0x8DEFC240, 0x25FA5D9F, 0xEB903DBF, 0xE810C907,
151 0x47607FFF, 0x369FE44B, 0x8C1FC644, 0xAECECA90,
152 0xBEB1F9BF, 0xEEFBCAEA, 0xE8CF1950, 0x51DF07AE,
153 0x920E8806, 0xF0AD0548, 0xE13C8D83, 0x927010D5,
154 0x11107D9F, 0x07647DB9, 0xB2E3E4D4, 0x3D4F285E,
155 0xB9AFA820, 0xFADE82E0, 0xA067268B, 0x8272792E,
156 0x553FB2C0, 0x489AE22B, 0xD4EF9794, 0x125E3FBC,
157 0x21FFFCEE, 0x825B1BFD, 0x9255C5ED, 0x1257A240,
158 0x4E1A8302, 0xBAE07FFF, 0x528246E7, 0x8E57140E,
159 0x3373F7BF, 0x8C9F8188, 0xA6FC4EE8, 0xC982B5A5,
160 0xA8C01DB7, 0x579FC264, 0x67094F31, 0xF2BD3F5F,
161 0x40FFF7C1, 0x1FB78DFC, 0x8E6BD2C1, 0x437BE59B,
162 0x99B03DBF, 0xB5DBC64B, 0x638DC0E6, 0x55819D99,
163 0xA197C81C, 0x4A012D6E, 0xC5884A28, 0xCCC36F71,
164 0xB843C213, 0x6C0743F1, 0x8309893C, 0x0FEDDD5F,
165 0x2F7FE850, 0xD7C07F7E, 0x02507FBF, 0x5AFB9A04,
166 0xA747D2D0, 0x1651192E, 0xAF70BF3E, 0x58C31380,
167 0x5F98302E, 0x727CC3C4, 0x0A0FB402, 0x0F7FEF82,
168 0x8C96FDAD, 0x5D2C2AAE, 0x8EE99A49, 0x50DA88B8,
169 0x8427F4A0, 0x1EAC5790, 0x796FB449, 0x8252DC15,
170 0xEFBD7D9B, 0xA672597D, 0xADA840D8, 0x45F54504,
171 0xFA5D7403, 0xE83EC305, 0x4F91751A, 0x925669C2,
172 0x23EFE941, 0xA903F12E, 0x60270DF2, 0x0276E4B6,
173 0x94FD6574, 0x927985B2, 0x8276DBCB, 0x02778176,
174 0xF8AF918D, 0x4E48F79E, 0x8F616DDF, 0xE29D840E,
175 0x842F7D83, 0x340CE5C8, 0x96BBB682, 0x93B4B148,
176 0xEF303CAB, 0x984FAF28, 0x779FAF9B, 0x92DC560D,
177 0x224D1E20, 0x8437AA88, 0x7D29DC96, 0x2756D3DC,
178 0x8B907CEE, 0xB51FD240, 0xE7C07CE3, 0xE566B4A1,
179 0xC3E9615E, 0x3CF8209D, 0x6094D1E3, 0xCD9CA341,
180 0x5C76460E, 0x00EA983B, 0xD4D67881, 0xFD47572C,
181 0xF76CEDD9, 0xBDA8229C, 0x127DADAA, 0x438A074E,
182 0x1F97C090, 0x081BDB8A, 0x93A07EBE, 0xB938CA15,
183 0x97B03CFF, 0x3DC2C0F8, 0x8D1AB2EC, 0x64380E51,
184 0x68CC7BFB, 0xD90F2788, 0x12490181, 0x5DE5FFD4,
185 0xDD7EF86A, 0x76A2E214, 0xB9A40368, 0x925D958F,
186 0x4B39FFFA, 0xBA39AEE9, 0xA4FFD30B, 0xFAF7933B,
187 0x6D498623, 0x193CBCFA, 0x27627545, 0x825CF47A,
188 0x61BD8BA0, 0xD11E42D1, 0xCEAD04F4, 0x127EA392,
189 0x10428DB7, 0x8272A972, 0x9270C4A8, 0x127DE50B,
190 0x285BA1C8, 0x3C62F44F, 0x35C0EAA5, 0xE805D231,
191 0x428929FB, 0xB4FCDF82, 0x4FB66A53, 0x0E7DC15B,
192 0x1F081FAB, 0x108618AE, 0xFCFD086D, 0xF9FF2889,
193 0x694BCC11, 0x236A5CAE, 0x12DECA4D, 0x2C3F8CC5,
194 0xD2D02DFE, 0xF8EF5896, 0xE4CF52DA, 0x95155B67,
195 0x494A488C, 0xB9B6A80C, 0x5C8F82BC, 0x89D36B45,
196 0x3A609437, 0xEC00C9A9, 0x44715253, 0x0A874B49,
197 0xD773BC40, 0x7C34671C, 0x02717EF6, 0x4FEB5536,
198 0xA2D02FFF, 0xD2BF60C4, 0xD43F03C0, 0x50B4EF6D,
199 0x07478CD1, 0x006E1888, 0xA2E53F55, 0xB9E6D4BC,
200 0xA2048016, 0x97573833, 0xD7207D67, 0xDE0F8F3D,
201 0x72F87B33, 0xABCC4F33, 0x7688C55D, 0x7B00A6B0,
202 0x947B0001, 0x570075D2, 0xF9BB88F8, 0x8942019E,
203 0x4264A5FF, 0x856302E0, 0x72DBD92B, 0xEE971B69,
204 0x6EA22FDE, 0x5F08AE2B, 0xAF7A616D, 0xE5C98767,
205 0xCF1FEBD2, 0x61EFC8C2, 0xF1AC2571, 0xCC8239C2,
206 0x67214CB8, 0xB1E583D1, 0xB7DC3E62, 0x7F10BDCE,
207 0xF90A5C38, 0x0FF0443D, 0x606E6DC6, 0x60543A49,
208 0x5727C148, 0x2BE98A1D, 0x8AB41738, 0x20E1BE24,
209 0xAF96DA0F, 0x68458425, 0x99833BE5, 0x600D457D,
210 0x282F9350, 0x8334B362, 0xD91D1120, 0x2B6D8DA0,
211 0x642B1E31, 0x9C305A00, 0x52BCE688, 0x1B03588A,
212 0xF7BAEFD5, 0x4142ED9C, 0xA4315C11, 0x83323EC5,
213 0xDFEF4636, 0xA133C501, 0xE9D3531C, 0xEE353783
214};
215
216static const u_int32_t cast_sbox4[256] = {
217 0x9DB30420, 0x1FB6E9DE, 0xA7BE7BEF, 0xD273A298,
218 0x4A4F7BDB, 0x64AD8C57, 0x85510443, 0xFA020ED1,
219 0x7E287AFF, 0xE60FB663, 0x095F35A1, 0x79EBF120,
220 0xFD059D43, 0x6497B7B1, 0xF3641F63, 0x241E4ADF,
221 0x28147F5F, 0x4FA2B8CD, 0xC9430040, 0x0CC32220,
222 0xFDD30B30, 0xC0A5374F, 0x1D2D00D9, 0x24147B15,
223 0xEE4D111A, 0x0FCA5167, 0x71FF904C, 0x2D195FFE,
224 0x1A05645F, 0x0C13FEFE, 0x081B08CA, 0x05170121,
225 0x80530100, 0xE83E5EFE, 0xAC9AF4F8, 0x7FE72701,
226 0xD2B8EE5F, 0x06DF4261, 0xBB9E9B8A, 0x7293EA25,
227 0xCE84FFDF, 0xF5718801, 0x3DD64B04, 0xA26F263B,
228 0x7ED48400, 0x547EEBE6, 0x446D4CA0, 0x6CF3D6F5,
229 0x2649ABDF, 0xAEA0C7F5, 0x36338CC1, 0x503F7E93,
230 0xD3772061, 0x11B638E1, 0x72500E03, 0xF80EB2BB,
231 0xABE0502E, 0xEC8D77DE, 0x57971E81, 0xE14F6746,
232 0xC9335400, 0x6920318F, 0x081DBB99, 0xFFC304A5,
233 0x4D351805, 0x7F3D5CE3, 0xA6C866C6, 0x5D5BCCA9,
234 0xDAEC6FEA, 0x9F926F91, 0x9F46222F, 0x3991467D,
235 0xA5BF6D8E, 0x1143C44F, 0x43958302, 0xD0214EEB,
236 0x022083B8, 0x3FB6180C, 0x18F8931E, 0x281658E6,
237 0x26486E3E, 0x8BD78A70, 0x7477E4C1, 0xB506E07C,
238 0xF32D0A25, 0x79098B02, 0xE4EABB81, 0x28123B23,
239 0x69DEAD38, 0x1574CA16, 0xDF871B62, 0x211C40B7,
240 0xA51A9EF9, 0x0014377B, 0x041E8AC8, 0x09114003,
241 0xBD59E4D2, 0xE3D156D5, 0x4FE876D5, 0x2F91A340,
242 0x557BE8DE, 0x00EAE4A7, 0x0CE5C2EC, 0x4DB4BBA6,
243 0xE756BDFF, 0xDD3369AC, 0xEC17B035, 0x06572327,
244 0x99AFC8B0, 0x56C8C391, 0x6B65811C, 0x5E146119,
245 0x6E85CB75, 0xBE07C002, 0xC2325577, 0x893FF4EC,
246 0x5BBFC92D, 0xD0EC3B25, 0xB7801AB7, 0x8D6D3B24,
247 0x20C763EF, 0xC366A5FC, 0x9C382880, 0x0ACE3205,
248 0xAAC9548A, 0xECA1D7C7, 0x041AFA32, 0x1D16625A,
249 0x6701902C, 0x9B757A54, 0x31D477F7, 0x9126B031,
250 0x36CC6FDB, 0xC70B8B46, 0xD9E66A48, 0x56E55A79,
251 0x026A4CEB, 0x52437EFF, 0x2F8F76B4, 0x0DF980A5,
252 0x8674CDE3, 0xEDDA04EB, 0x17A9BE04, 0x2C18F4DF,
253 0xB7747F9D, 0xAB2AF7B4, 0xEFC34D20, 0x2E096B7C,
254 0x1741A254, 0xE5B6A035, 0x213D42F6, 0x2C1C7C26,
255 0x61C2F50F, 0x6552DAF9, 0xD2C231F8, 0x25130F69,
256 0xD8167FA2, 0x0418F2C8, 0x001A96A6, 0x0D1526AB,
257 0x63315C21, 0x5E0A72EC, 0x49BAFEFD, 0x187908D9,
258 0x8D0DBD86, 0x311170A7, 0x3E9B640C, 0xCC3E10D7,
259 0xD5CAD3B6, 0x0CAEC388, 0xF73001E1, 0x6C728AFF,
260 0x71EAE2A1, 0x1F9AF36E, 0xCFCBD12F, 0xC1DE8417,
261 0xAC07BE6B, 0xCB44A1D8, 0x8B9B0F56, 0x013988C3,
262 0xB1C52FCA, 0xB4BE31CD, 0xD8782806, 0x12A3A4E2,
263 0x6F7DE532, 0x58FD7EB6, 0xD01EE900, 0x24ADFFC2,
264 0xF4990FC5, 0x9711AAC5, 0x001D7B95, 0x82E5E7D2,
265 0x109873F6, 0x00613096, 0xC32D9521, 0xADA121FF,
266 0x29908415, 0x7FBB977F, 0xAF9EB3DB, 0x29C9ED2A,
267 0x5CE2A465, 0xA730F32C, 0xD0AA3FE8, 0x8A5CC091,
268 0xD49E2CE7, 0x0CE454A9, 0xD60ACD86, 0x015F1919,
269 0x77079103, 0xDEA03AF6, 0x78A8565E, 0xDEE356DF,
270 0x21F05CBE, 0x8B75E387, 0xB3C50651, 0xB8A5C3EF,
271 0xD8EEB6D2, 0xE523BE77, 0xC2154529, 0x2F69EFDF,
272 0xAFE67AFB, 0xF470C4B2, 0xF3E0EB5B, 0xD6CC9876,
273 0x39E4460C, 0x1FDA8538, 0x1987832F, 0xCA007367,
274 0xA99144F8, 0x296B299E, 0x492FC295, 0x9266BEAB,
275 0xB5676E69, 0x9BD3DDDA, 0xDF7E052F, 0xDB25701C,
276 0x1B5E51EE, 0xF65324E6, 0x6AFCE36C, 0x0316CC04,
277 0x8644213E, 0xB7DC59D0, 0x7965291F, 0xCCD6FD43,
278 0x41823979, 0x932BCDF6, 0xB657C34D, 0x4EDFD282,
279 0x7AE5290C, 0x3CB9536B, 0x851E20FE, 0x9833557E,
280 0x13ECF0B0, 0xD3FFB372, 0x3F85C5C1, 0x0AEF7ED2
281};
282
283static const u_int32_t cast_sbox5[256] = {
284 0x7EC90C04, 0x2C6E74B9, 0x9B0E66DF, 0xA6337911,
285 0xB86A7FFF, 0x1DD358F5, 0x44DD9D44, 0x1731167F,
286 0x08FBF1FA, 0xE7F511CC, 0xD2051B00, 0x735ABA00,
287 0x2AB722D8, 0x386381CB, 0xACF6243A, 0x69BEFD7A,
288 0xE6A2E77F, 0xF0C720CD, 0xC4494816, 0xCCF5C180,
289 0x38851640, 0x15B0A848, 0xE68B18CB, 0x4CAADEFF,
290 0x5F480A01, 0x0412B2AA, 0x259814FC, 0x41D0EFE2,
291 0x4E40B48D, 0x248EB6FB, 0x8DBA1CFE, 0x41A99B02,
292 0x1A550A04, 0xBA8F65CB, 0x7251F4E7, 0x95A51725,
293 0xC106ECD7, 0x97A5980A, 0xC539B9AA, 0x4D79FE6A,
294 0xF2F3F763, 0x68AF8040, 0xED0C9E56, 0x11B4958B,
295 0xE1EB5A88, 0x8709E6B0, 0xD7E07156, 0x4E29FEA7,
296 0x6366E52D, 0x02D1C000, 0xC4AC8E05, 0x9377F571,
297 0x0C05372A, 0x578535F2, 0x2261BE02, 0xD642A0C9,
298 0xDF13A280, 0x74B55BD2, 0x682199C0, 0xD421E5EC,
299 0x53FB3CE8, 0xC8ADEDB3, 0x28A87FC9, 0x3D959981,
300 0x5C1FF900, 0xFE38D399, 0x0C4EFF0B, 0x062407EA,
301 0xAA2F4FB1, 0x4FB96976, 0x90C79505, 0xB0A8A774,
302 0xEF55A1FF, 0xE59CA2C2, 0xA6B62D27, 0xE66A4263,
303 0xDF65001F, 0x0EC50966, 0xDFDD55BC, 0x29DE0655,
304 0x911E739A, 0x17AF8975, 0x32C7911C, 0x89F89468,
305 0x0D01E980, 0x524755F4, 0x03B63CC9, 0x0CC844B2,
306 0xBCF3F0AA, 0x87AC36E9, 0xE53A7426, 0x01B3D82B,
307 0x1A9E7449, 0x64EE2D7E, 0xCDDBB1DA, 0x01C94910,
308 0xB868BF80, 0x0D26F3FD, 0x9342EDE7, 0x04A5C284,
309 0x636737B6, 0x50F5B616, 0xF24766E3, 0x8ECA36C1,
310 0x136E05DB, 0xFEF18391, 0xFB887A37, 0xD6E7F7D4,
311 0xC7FB7DC9, 0x3063FCDF, 0xB6F589DE, 0xEC2941DA,
312 0x26E46695, 0xB7566419, 0xF654EFC5, 0xD08D58B7,
313 0x48925401, 0xC1BACB7F, 0xE5FF550F, 0xB6083049,
314 0x5BB5D0E8, 0x87D72E5A, 0xAB6A6EE1, 0x223A66CE,
315 0xC62BF3CD, 0x9E0885F9, 0x68CB3E47, 0x086C010F,
316 0xA21DE820, 0xD18B69DE, 0xF3F65777, 0xFA02C3F6,
317 0x407EDAC3, 0xCBB3D550, 0x1793084D, 0xB0D70EBA,
318 0x0AB378D5, 0xD951FB0C, 0xDED7DA56, 0x4124BBE4,
319 0x94CA0B56, 0x0F5755D1, 0xE0E1E56E, 0x6184B5BE,
320 0x580A249F, 0x94F74BC0, 0xE327888E, 0x9F7B5561,
321 0xC3DC0280, 0x05687715, 0x646C6BD7, 0x44904DB3,
322 0x66B4F0A3, 0xC0F1648A, 0x697ED5AF, 0x49E92FF6,
323 0x309E374F, 0x2CB6356A, 0x85808573, 0x4991F840,
324 0x76F0AE02, 0x083BE84D, 0x28421C9A, 0x44489406,
325 0x736E4CB8, 0xC1092910, 0x8BC95FC6, 0x7D869CF4,
326 0x134F616F, 0x2E77118D, 0xB31B2BE1, 0xAA90B472,
327 0x3CA5D717, 0x7D161BBA, 0x9CAD9010, 0xAF462BA2,
328 0x9FE459D2, 0x45D34559, 0xD9F2DA13, 0xDBC65487,
329 0xF3E4F94E, 0x176D486F, 0x097C13EA, 0x631DA5C7,
330 0x445F7382, 0x175683F4, 0xCDC66A97, 0x70BE0288,
331 0xB3CDCF72, 0x6E5DD2F3, 0x20936079, 0x459B80A5,
332 0xBE60E2DB, 0xA9C23101, 0xEBA5315C, 0x224E42F2,
333 0x1C5C1572, 0xF6721B2C, 0x1AD2FFF3, 0x8C25404E,
334 0x324ED72F, 0x4067B7FD, 0x0523138E, 0x5CA3BC78,
335 0xDC0FD66E, 0x75922283, 0x784D6B17, 0x58EBB16E,
336 0x44094F85, 0x3F481D87, 0xFCFEAE7B, 0x77B5FF76,
337 0x8C2302BF, 0xAAF47556, 0x5F46B02A, 0x2B092801,
338 0x3D38F5F7, 0x0CA81F36, 0x52AF4A8A, 0x66D5E7C0,
339 0xDF3B0874, 0x95055110, 0x1B5AD7A8, 0xF61ED5AD,
340 0x6CF6E479, 0x20758184, 0xD0CEFA65, 0x88F7BE58,
341 0x4A046826, 0x0FF6F8F3, 0xA09C7F70, 0x5346ABA0,
342 0x5CE96C28, 0xE176EDA3, 0x6BAC307F, 0x376829D2,
343 0x85360FA9, 0x17E3FE2A, 0x24B79767, 0xF5A96B20,
344 0xD6CD2595, 0x68FF1EBF, 0x7555442C, 0xF19F06BE,
345 0xF9E0659A, 0xEEB9491D, 0x34010718, 0xBB30CAB8,
346 0xE822FE15, 0x88570983, 0x750E6249, 0xDA627E55,
347 0x5E76FFA8, 0xB1534546, 0x6D47DE08, 0xEFE9E7D4
348};
349
350static const u_int32_t cast_sbox6[256] = {
351 0xF6FA8F9D, 0x2CAC6CE1, 0x4CA34867, 0xE2337F7C,
352 0x95DB08E7, 0x016843B4, 0xECED5CBC, 0x325553AC,
353 0xBF9F0960, 0xDFA1E2ED, 0x83F0579D, 0x63ED86B9,
354 0x1AB6A6B8, 0xDE5EBE39, 0xF38FF732, 0x8989B138,
355 0x33F14961, 0xC01937BD, 0xF506C6DA, 0xE4625E7E,
356 0xA308EA99, 0x4E23E33C, 0x79CBD7CC, 0x48A14367,
357 0xA3149619, 0xFEC94BD5, 0xA114174A, 0xEAA01866,
358 0xA084DB2D, 0x09A8486F, 0xA888614A, 0x2900AF98,
359 0x01665991, 0xE1992863, 0xC8F30C60, 0x2E78EF3C,
360 0xD0D51932, 0xCF0FEC14, 0xF7CA07D2, 0xD0A82072,
361 0xFD41197E, 0x9305A6B0, 0xE86BE3DA, 0x74BED3CD,
362 0x372DA53C, 0x4C7F4448, 0xDAB5D440, 0x6DBA0EC3,
363 0x083919A7, 0x9FBAEED9, 0x49DBCFB0, 0x4E670C53,
364 0x5C3D9C01, 0x64BDB941, 0x2C0E636A, 0xBA7DD9CD,
365 0xEA6F7388, 0xE70BC762, 0x35F29ADB, 0x5C4CDD8D,
366 0xF0D48D8C, 0xB88153E2, 0x08A19866, 0x1AE2EAC8,
367 0x284CAF89, 0xAA928223, 0x9334BE53, 0x3B3A21BF,
368 0x16434BE3, 0x9AEA3906, 0xEFE8C36E, 0xF890CDD9,
369 0x80226DAE, 0xC340A4A3, 0xDF7E9C09, 0xA694A807,
370 0x5B7C5ECC, 0x221DB3A6, 0x9A69A02F, 0x68818A54,
371 0xCEB2296F, 0x53C0843A, 0xFE893655, 0x25BFE68A,
372 0xB4628ABC, 0xCF222EBF, 0x25AC6F48, 0xA9A99387,
373 0x53BDDB65, 0xE76FFBE7, 0xE967FD78, 0x0BA93563,
374 0x8E342BC1, 0xE8A11BE9, 0x4980740D, 0xC8087DFC,
375 0x8DE4BF99, 0xA11101A0, 0x7FD37975, 0xDA5A26C0,
376 0xE81F994F, 0x9528CD89, 0xFD339FED, 0xB87834BF,
377 0x5F04456D, 0x22258698, 0xC9C4C83B, 0x2DC156BE,
378 0x4F628DAA, 0x57F55EC5, 0xE2220ABE, 0xD2916EBF,
379 0x4EC75B95, 0x24F2C3C0, 0x42D15D99, 0xCD0D7FA0,
380 0x7B6E27FF, 0xA8DC8AF0, 0x7345C106, 0xF41E232F,
381 0x35162386, 0xE6EA8926, 0x3333B094, 0x157EC6F2,
382 0x372B74AF, 0x692573E4, 0xE9A9D848, 0xF3160289,
383 0x3A62EF1D, 0xA787E238, 0xF3A5F676, 0x74364853,
384 0x20951063, 0x4576698D, 0xB6FAD407, 0x592AF950,
385 0x36F73523, 0x4CFB6E87, 0x7DA4CEC0, 0x6C152DAA,
386 0xCB0396A8, 0xC50DFE5D, 0xFCD707AB, 0x0921C42F,
387 0x89DFF0BB, 0x5FE2BE78, 0x448F4F33, 0x754613C9,
388 0x2B05D08D, 0x48B9D585, 0xDC049441, 0xC8098F9B,
389 0x7DEDE786, 0xC39A3373, 0x42410005, 0x6A091751,
390 0x0EF3C8A6, 0x890072D6, 0x28207682, 0xA9A9F7BE,
391 0xBF32679D, 0xD45B5B75, 0xB353FD00, 0xCBB0E358,
392 0x830F220A, 0x1F8FB214, 0xD372CF08, 0xCC3C4A13,
393 0x8CF63166, 0x061C87BE, 0x88C98F88, 0x6062E397,
394 0x47CF8E7A, 0xB6C85283, 0x3CC2ACFB, 0x3FC06976,
395 0x4E8F0252, 0x64D8314D, 0xDA3870E3, 0x1E665459,
396 0xC10908F0, 0x513021A5, 0x6C5B68B7, 0x822F8AA0,
397 0x3007CD3E, 0x74719EEF, 0xDC872681, 0x073340D4,
398 0x7E432FD9, 0x0C5EC241, 0x8809286C, 0xF592D891,
399 0x08A930F6, 0x957EF305, 0xB7FBFFBD, 0xC266E96F,
400 0x6FE4AC98, 0xB173ECC0, 0xBC60B42A, 0x953498DA,
401 0xFBA1AE12, 0x2D4BD736, 0x0F25FAAB, 0xA4F3FCEB,
402 0xE2969123, 0x257F0C3D, 0x9348AF49, 0x361400BC,
403 0xE8816F4A, 0x3814F200, 0xA3F94043, 0x9C7A54C2,
404 0xBC704F57, 0xDA41E7F9, 0xC25AD33A, 0x54F4A084,
405 0xB17F5505, 0x59357CBE, 0xEDBD15C8, 0x7F97C5AB,
406 0xBA5AC7B5, 0xB6F6DEAF, 0x3A479C3A, 0x5302DA25,
407 0x653D7E6A, 0x54268D49, 0x51A477EA, 0x5017D55B,
408 0xD7D25D88, 0x44136C76, 0x0404A8C8, 0xB8E5A121,
409 0xB81A928A, 0x60ED5869, 0x97C55B96, 0xEAEC991B,
410 0x29935913, 0x01FDB7F1, 0x088E8DFA, 0x9AB6F6F5,
411 0x3B4CBF9F, 0x4A5DE3AB, 0xE6051D35, 0xA0E1D855,
412 0xD36B4CF1, 0xF544EDEB, 0xB0E93524, 0xBEBB8FBD,
413 0xA2D762CF, 0x49C92F54, 0x38B5F331, 0x7128A454,
414 0x48392905, 0xA65B1DB8, 0x851C97BD, 0xD675CF2F
415};
416
417static const u_int32_t cast_sbox7[256] = {
418 0x85E04019, 0x332BF567, 0x662DBFFF, 0xCFC65693,
419 0x2A8D7F6F, 0xAB9BC912, 0xDE6008A1, 0x2028DA1F,
420 0x0227BCE7, 0x4D642916, 0x18FAC300, 0x50F18B82,
421 0x2CB2CB11, 0xB232E75C, 0x4B3695F2, 0xB28707DE,
422 0xA05FBCF6, 0xCD4181E9, 0xE150210C, 0xE24EF1BD,
423 0xB168C381, 0xFDE4E789, 0x5C79B0D8, 0x1E8BFD43,
424 0x4D495001, 0x38BE4341, 0x913CEE1D, 0x92A79C3F,
425 0x089766BE, 0xBAEEADF4, 0x1286BECF, 0xB6EACB19,
426 0x2660C200, 0x7565BDE4, 0x64241F7A, 0x8248DCA9,
427 0xC3B3AD66, 0x28136086, 0x0BD8DFA8, 0x356D1CF2,
428 0x107789BE, 0xB3B2E9CE, 0x0502AA8F, 0x0BC0351E,
429 0x166BF52A, 0xEB12FF82, 0xE3486911, 0xD34D7516,
430 0x4E7B3AFF, 0x5F43671B, 0x9CF6E037, 0x4981AC83,
431 0x334266CE, 0x8C9341B7, 0xD0D854C0, 0xCB3A6C88,
432 0x47BC2829, 0x4725BA37, 0xA66AD22B, 0x7AD61F1E,
433 0x0C5CBAFA, 0x4437F107, 0xB6E79962, 0x42D2D816,
434 0x0A961288, 0xE1A5C06E, 0x13749E67, 0x72FC081A,
435 0xB1D139F7, 0xF9583745, 0xCF19DF58, 0xBEC3F756,
436 0xC06EBA30, 0x07211B24, 0x45C28829, 0xC95E317F,
437 0xBC8EC511, 0x38BC46E9, 0xC6E6FA14, 0xBAE8584A,
438 0xAD4EBC46, 0x468F508B, 0x7829435F, 0xF124183B,
439 0x821DBA9F, 0xAFF60FF4, 0xEA2C4E6D, 0x16E39264,
440 0x92544A8B, 0x009B4FC3, 0xABA68CED, 0x9AC96F78,
441 0x06A5B79A, 0xB2856E6E, 0x1AEC3CA9, 0xBE838688,
442 0x0E0804E9, 0x55F1BE56, 0xE7E5363B, 0xB3A1F25D,
443 0xF7DEBB85, 0x61FE033C, 0x16746233, 0x3C034C28,
444 0xDA6D0C74, 0x79AAC56C, 0x3CE4E1AD, 0x51F0C802,
445 0x98F8F35A, 0x1626A49F, 0xEED82B29, 0x1D382FE3,
446 0x0C4FB99A, 0xBB325778, 0x3EC6D97B, 0x6E77A6A9,
447 0xCB658B5C, 0xD45230C7, 0x2BD1408B, 0x60C03EB7,
448 0xB9068D78, 0xA33754F4, 0xF430C87D, 0xC8A71302,
449 0xB96D8C32, 0xEBD4E7BE, 0xBE8B9D2D, 0x7979FB06,
450 0xE7225308, 0x8B75CF77, 0x11EF8DA4, 0xE083C858,
451 0x8D6B786F, 0x5A6317A6, 0xFA5CF7A0, 0x5DDA0033,
452 0xF28EBFB0, 0xF5B9C310, 0xA0EAC280, 0x08B9767A,
453 0xA3D9D2B0, 0x79D34217, 0x021A718D, 0x9AC6336A,
454 0x2711FD60, 0x438050E3, 0x069908A8, 0x3D7FEDC4,
455 0x826D2BEF, 0x4EEB8476, 0x488DCF25, 0x36C9D566,
456 0x28E74E41, 0xC2610ACA, 0x3D49A9CF, 0xBAE3B9DF,
457 0xB65F8DE6, 0x92AEAF64, 0x3AC7D5E6, 0x9EA80509,
458 0xF22B017D, 0xA4173F70, 0xDD1E16C3, 0x15E0D7F9,
459 0x50B1B887, 0x2B9F4FD5, 0x625ABA82, 0x6A017962,
460 0x2EC01B9C, 0x15488AA9, 0xD716E740, 0x40055A2C,
461 0x93D29A22, 0xE32DBF9A, 0x058745B9, 0x3453DC1E,
462 0xD699296E, 0x496CFF6F, 0x1C9F4986, 0xDFE2ED07,
463 0xB87242D1, 0x19DE7EAE, 0x053E561A, 0x15AD6F8C,
464 0x66626C1C, 0x7154C24C, 0xEA082B2A, 0x93EB2939,
465 0x17DCB0F0, 0x58D4F2AE, 0x9EA294FB, 0x52CF564C,
466 0x9883FE66, 0x2EC40581, 0x763953C3, 0x01D6692E,
467 0xD3A0C108, 0xA1E7160E, 0xE4F2DFA6, 0x693ED285,
468 0x74904698, 0x4C2B0EDD, 0x4F757656, 0x5D393378,
469 0xA132234F, 0x3D321C5D, 0xC3F5E194, 0x4B269301,
470 0xC79F022F, 0x3C997E7E, 0x5E4F9504, 0x3FFAFBBD,
471 0x76F7AD0E, 0x296693F4, 0x3D1FCE6F, 0xC61E45BE,
472 0xD3B5AB34, 0xF72BF9B7, 0x1B0434C0, 0x4E72B567,
473 0x5592A33D, 0xB5229301, 0xCFD2A87F, 0x60AEB767,
474 0x1814386B, 0x30BCC33D, 0x38A0C07D, 0xFD1606F2,
475 0xC363519B, 0x589DD390, 0x5479F8E6, 0x1CB8D647,
476 0x97FD61A9, 0xEA7759F4, 0x2D57539D, 0x569A58CF,
477 0xE84E63AD, 0x462E1B78, 0x6580F87E, 0xF3817914,
478 0x91DA55F4, 0x40A230F3, 0xD1988F35, 0xB6E318D2,
479 0x3FFA50BC, 0x3D40F021, 0xC3C0BDAE, 0x4958C24C,
480 0x518F36B2, 0x84B1D370, 0x0FEDCE83, 0x878DDADA,
481 0xF2A279C7, 0x94E01BE8, 0x90716F4B, 0x954B8AA3
482};
483
484static const u_int32_t cast_sbox8[256] = {
485 0xE216300D, 0xBBDDFFFC, 0xA7EBDABD, 0x35648095,
486 0x7789F8B7, 0xE6C1121B, 0x0E241600, 0x052CE8B5,
487 0x11A9CFB0, 0xE5952F11, 0xECE7990A, 0x9386D174,
488 0x2A42931C, 0x76E38111, 0xB12DEF3A, 0x37DDDDFC,
489 0xDE9ADEB1, 0x0A0CC32C, 0xBE197029, 0x84A00940,
490 0xBB243A0F, 0xB4D137CF, 0xB44E79F0, 0x049EEDFD,
491 0x0B15A15D, 0x480D3168, 0x8BBBDE5A, 0x669DED42,
492 0xC7ECE831, 0x3F8F95E7, 0x72DF191B, 0x7580330D,
493 0x94074251, 0x5C7DCDFA, 0xABBE6D63, 0xAA402164,
494 0xB301D40A, 0x02E7D1CA, 0x53571DAE, 0x7A3182A2,
495 0x12A8DDEC, 0xFDAA335D, 0x176F43E8, 0x71FB46D4,
496 0x38129022, 0xCE949AD4, 0xB84769AD, 0x965BD862,
497 0x82F3D055, 0x66FB9767, 0x15B80B4E, 0x1D5B47A0,
498 0x4CFDE06F, 0xC28EC4B8, 0x57E8726E, 0x647A78FC,
499 0x99865D44, 0x608BD593, 0x6C200E03, 0x39DC5FF6,
500 0x5D0B00A3, 0xAE63AFF2, 0x7E8BD632, 0x70108C0C,
501 0xBBD35049, 0x2998DF04, 0x980CF42A, 0x9B6DF491,
502 0x9E7EDD53, 0x06918548, 0x58CB7E07, 0x3B74EF2E,
503 0x522FFFB1, 0xD24708CC, 0x1C7E27CD, 0xA4EB215B,
504 0x3CF1D2E2, 0x19B47A38, 0x424F7618, 0x35856039,
505 0x9D17DEE7, 0x27EB35E6, 0xC9AFF67B, 0x36BAF5B8,
506 0x09C467CD, 0xC18910B1, 0xE11DBF7B, 0x06CD1AF8,
507 0x7170C608, 0x2D5E3354, 0xD4DE495A, 0x64C6D006,
508 0xBCC0C62C, 0x3DD00DB3, 0x708F8F34, 0x77D51B42,
509 0x264F620F, 0x24B8D2BF, 0x15C1B79E, 0x46A52564,
510 0xF8D7E54E, 0x3E378160, 0x7895CDA5, 0x859C15A5,
511 0xE6459788, 0xC37BC75F, 0xDB07BA0C, 0x0676A3AB,
512 0x7F229B1E, 0x31842E7B, 0x24259FD7, 0xF8BEF472,
513 0x835FFCB8, 0x6DF4C1F2, 0x96F5B195, 0xFD0AF0FC,
514 0xB0FE134C, 0xE2506D3D, 0x4F9B12EA, 0xF215F225,
515 0xA223736F, 0x9FB4C428, 0x25D04979, 0x34C713F8,
516 0xC4618187, 0xEA7A6E98, 0x7CD16EFC, 0x1436876C,
517 0xF1544107, 0xBEDEEE14, 0x56E9AF27, 0xA04AA441,
518 0x3CF7C899, 0x92ECBAE6, 0xDD67016D, 0x151682EB,
519 0xA842EEDF, 0xFDBA60B4, 0xF1907B75, 0x20E3030F,
520 0x24D8C29E, 0xE139673B, 0xEFA63FB8, 0x71873054,
521 0xB6F2CF3B, 0x9F326442, 0xCB15A4CC, 0xB01A4504,
522 0xF1E47D8D, 0x844A1BE5, 0xBAE7DFDC, 0x42CBDA70,
523 0xCD7DAE0A, 0x57E85B7A, 0xD53F5AF6, 0x20CF4D8C,
524 0xCEA4D428, 0x79D130A4, 0x3486EBFB, 0x33D3CDDC,
525 0x77853B53, 0x37EFFCB5, 0xC5068778, 0xE580B3E6,
526 0x4E68B8F4, 0xC5C8B37E, 0x0D809EA2, 0x398FEB7C,
527 0x132A4F94, 0x43B7950E, 0x2FEE7D1C, 0x223613BD,
528 0xDD06CAA2, 0x37DF932B, 0xC4248289, 0xACF3EBC3,
529 0x5715F6B7, 0xEF3478DD, 0xF267616F, 0xC148CBE4,
530 0x9052815E, 0x5E410FAB, 0xB48A2465, 0x2EDA7FA4,
531 0xE87B40E4, 0xE98EA084, 0x5889E9E1, 0xEFD390FC,
532 0xDD07D35B, 0xDB485694, 0x38D7E5B2, 0x57720101,
533 0x730EDEBC, 0x5B643113, 0x94917E4F, 0x503C2FBA,
534 0x646F1282, 0x7523D24A, 0xE0779695, 0xF9C17A8F,
535 0x7A5B2121, 0xD187B896, 0x29263A4D, 0xBA510CDF,
536 0x81F47C9F, 0xAD1163ED, 0xEA7B5965, 0x1A00726E,
537 0x11403092, 0x00DA6D77, 0x4A0CDD61, 0xAD1F4603,
538 0x605BDFB0, 0x9EEDC364, 0x22EBE6A8, 0xCEE7D28A,
539 0xA0E736A0, 0x5564A6B9, 0x10853209, 0xC7EB8F37,
540 0x2DE705CA, 0x8951570F, 0xDF09822B, 0xBD691A6C,
541 0xAA12E4F2, 0x87451C0F, 0xE0F6A27A, 0x3ADA4819,
542 0x4CF1764F, 0x0D771C2B, 0x67CDB156, 0x350D8384,
543 0x5938FA0F, 0x42399EF3, 0x36997B07, 0x0E84093D,
544 0x4AA93E61, 0x8360D87B, 0x1FA98B0C, 0x1149382C,
545 0xE97625A5, 0x0614D1B7, 0x0E25244B, 0x0C768347,
546 0x589E8D82, 0x0D2059D1, 0xA466BB1E, 0xF8DA0A82,
547 0x04F19130, 0xBA6E4EC0, 0x99265164, 0x1EE7230D,
548 0x50B2AD80, 0xEAEE6801, 0x8DB2A283, 0xEA8BF59E
549};
550
551/* Macros to access 8-bit bytes out of a 32-bit word */
552#define U8a(x) ( (u_int8_t) (x>>24) )
553#define U8b(x) ( (u_int8_t) ((x>>16)&255) )
554#define U8c(x) ( (u_int8_t) ((x>>8)&255) )
555#define U8d(x) ( (u_int8_t) ((x)&255) )
556
557/* Circular left shift */
558#define ROL(x, n) ( ((x)<<(n)) | ((x)>>(32-(n))) )
559
560/* CAST-128 uses three different round functions */
561#define F1(l, r, i) \
562 t = ROL(key->xkey[i] + r, key->xkey[i+16]); \
563 l ^= ((cast_sbox1[U8a(t)] ^ cast_sbox2[U8b(t)]) - \
564 cast_sbox3[U8c(t)]) + cast_sbox4[U8d(t)];
565#define F2(l, r, i) \
566 t = ROL(key->xkey[i] ^ r, key->xkey[i+16]); \
567 l ^= ((cast_sbox1[U8a(t)] - cast_sbox2[U8b(t)]) + \
568 cast_sbox3[U8c(t)]) ^ cast_sbox4[U8d(t)];
569#define F3(l, r, i) \
570 t = ROL(key->xkey[i] - r, key->xkey[i+16]); \
571 l ^= ((cast_sbox1[U8a(t)] + cast_sbox2[U8b(t)]) ^ \
572 cast_sbox3[U8c(t)]) - cast_sbox4[U8d(t)];
573
574
575/***** Encryption Function *****/
576
577void cast_encrypt(cast_key* key, u_int8_t* inblock, u_int8_t* outblock)
578{
579u_int32_t t, l, r;
580
581 /* Get inblock into l,r */
582 l = ((u_int32_t)inblock[0] << 24) | ((u_int32_t)inblock[1] << 16) |
583 ((u_int32_t)inblock[2] << 8) | (u_int32_t)inblock[3];
584 r = ((u_int32_t)inblock[4] << 24) | ((u_int32_t)inblock[5] << 16) |
585 ((u_int32_t)inblock[6] << 8) | (u_int32_t)inblock[7];
586 /* Do the work */
587 F1(l, r, 0);
588 F2(r, l, 1);
589 F3(l, r, 2);
590 F1(r, l, 3);
591 F2(l, r, 4);
592 F3(r, l, 5);
593 F1(l, r, 6);
594 F2(r, l, 7);
595 F3(l, r, 8);
596 F1(r, l, 9);
597 F2(l, r, 10);
598 F3(r, l, 11);
599 /* Only do full 16 rounds if key length > 80 bits */
600 if (key->rounds > 12) {
601 F1(l, r, 12);
602 F2(r, l, 13);
603 F3(l, r, 14);
604 F1(r, l, 15);
605 }
606 /* Put l,r into outblock */
607 outblock[0] = U8a(r);
608 outblock[1] = U8b(r);
609 outblock[2] = U8c(r);
610 outblock[3] = U8d(r);
611 outblock[4] = U8a(l);
612 outblock[5] = U8b(l);
613 outblock[6] = U8c(l);
614 outblock[7] = U8d(l);
615 /* Wipe clean */
616 t = l = r = 0;
617}
618
619
620/***** Decryption Function *****/
621
622void cast_decrypt(cast_key* key, u_int8_t* inblock, u_int8_t* outblock)
623{
624u_int32_t t, l, r;
625
626 /* Get inblock into l,r */
627 r = ((u_int32_t)inblock[0] << 24) | ((u_int32_t)inblock[1] << 16) |
628 ((u_int32_t)inblock[2] << 8) | (u_int32_t)inblock[3];
629 l = ((u_int32_t)inblock[4] << 24) | ((u_int32_t)inblock[5] << 16) |
630 ((u_int32_t)inblock[6] << 8) | (u_int32_t)inblock[7];
631 /* Do the work */
632 /* Only do full 16 rounds if key length > 80 bits */
633 if (key->rounds > 12) {
634 F1(r, l, 15);
635 F3(l, r, 14);
636 F2(r, l, 13);
637 F1(l, r, 12);
638 }
639 F3(r, l, 11);
640 F2(l, r, 10);
641 F1(r, l, 9);
642 F3(l, r, 8);
643 F2(r, l, 7);
644 F1(l, r, 6);
645 F3(r, l, 5);
646 F2(l, r, 4);
647 F1(r, l, 3);
648 F3(l, r, 2);
649 F2(r, l, 1);
650 F1(l, r, 0);
651 /* Put l,r into outblock */
652 outblock[0] = U8a(l);
653 outblock[1] = U8b(l);
654 outblock[2] = U8c(l);
655 outblock[3] = U8d(l);
656 outblock[4] = U8a(r);
657 outblock[5] = U8b(r);
658 outblock[6] = U8c(r);
659 outblock[7] = U8d(r);
660 /* Wipe clean */
661 t = l = r = 0;
662}
663
664
665/***** Key Schedual *****/
666
667void cast_setkey(cast_key* key, u_int8_t* rawkey, int keybytes)
668{
669u_int32_t t[4], z[4], x[4];
670int i;
671
672 /* Set number of rounds to 12 or 16, depending on key length */
673 key->rounds = (keybytes <= 10 ? 12 : 16);
674
675 /* Copy key to workspace x */
676 for (i = 0; i < 4; i++) {
677 x[i] = 0;
678 if ((i*4+0) < keybytes) x[i] = (u_int32_t)rawkey[i*4+0] << 24;
679 if ((i*4+1) < keybytes) x[i] |= (u_int32_t)rawkey[i*4+1] << 16;
680 if ((i*4+2) < keybytes) x[i] |= (u_int32_t)rawkey[i*4+2] << 8;
681 if ((i*4+3) < keybytes) x[i] |= (u_int32_t)rawkey[i*4+3];
682 }
683 /* Generate 32 subkeys, four at a time */
684 for (i = 0; i < 32; i+=4) {
685 switch (i & 4) {
686 case 0:
687 t[0] = z[0] = x[0] ^ cast_sbox5[U8b(x[3])] ^
688 cast_sbox6[U8d(x[3])] ^ cast_sbox7[U8a(x[3])] ^
689 cast_sbox8[U8c(x[3])] ^ cast_sbox7[U8a(x[2])];
690 t[1] = z[1] = x[2] ^ cast_sbox5[U8a(z[0])] ^
691 cast_sbox6[U8c(z[0])] ^ cast_sbox7[U8b(z[0])] ^
692 cast_sbox8[U8d(z[0])] ^ cast_sbox8[U8c(x[2])];
693 t[2] = z[2] = x[3] ^ cast_sbox5[U8d(z[1])] ^
694 cast_sbox6[U8c(z[1])] ^ cast_sbox7[U8b(z[1])] ^
695 cast_sbox8[U8a(z[1])] ^ cast_sbox5[U8b(x[2])];
696 t[3] = z[3] = x[1] ^ cast_sbox5[U8c(z[2])] ^
697 cast_sbox6[U8b(z[2])] ^ cast_sbox7[U8d(z[2])] ^
698 cast_sbox8[U8a(z[2])] ^ cast_sbox6[U8d(x[2])];
699 break;
700 case 4:
701 t[0] = x[0] = z[2] ^ cast_sbox5[U8b(z[1])] ^
702 cast_sbox6[U8d(z[1])] ^ cast_sbox7[U8a(z[1])] ^
703 cast_sbox8[U8c(z[1])] ^ cast_sbox7[U8a(z[0])];
704 t[1] = x[1] = z[0] ^ cast_sbox5[U8a(x[0])] ^
705 cast_sbox6[U8c(x[0])] ^ cast_sbox7[U8b(x[0])] ^
706 cast_sbox8[U8d(x[0])] ^ cast_sbox8[U8c(z[0])];
707 t[2] = x[2] = z[1] ^ cast_sbox5[U8d(x[1])] ^
708 cast_sbox6[U8c(x[1])] ^ cast_sbox7[U8b(x[1])] ^
709 cast_sbox8[U8a(x[1])] ^ cast_sbox5[U8b(z[0])];
710 t[3] = x[3] = z[3] ^ cast_sbox5[U8c(x[2])] ^
711 cast_sbox6[U8b(x[2])] ^ cast_sbox7[U8d(x[2])] ^
712 cast_sbox8[U8a(x[2])] ^ cast_sbox6[U8d(z[0])];
713 break;
714 }
715 switch (i & 12) {
716 case 0:
717 case 12:
718 key->xkey[i+0] = cast_sbox5[U8a(t[2])] ^ cast_sbox6[U8b(t[2])] ^
719 cast_sbox7[U8d(t[1])] ^ cast_sbox8[U8c(t[1])];
720 key->xkey[i+1] = cast_sbox5[U8c(t[2])] ^ cast_sbox6[U8d(t[2])] ^
721 cast_sbox7[U8b(t[1])] ^ cast_sbox8[U8a(t[1])];
722 key->xkey[i+2] = cast_sbox5[U8a(t[3])] ^ cast_sbox6[U8b(t[3])] ^
723 cast_sbox7[U8d(t[0])] ^ cast_sbox8[U8c(t[0])];
724 key->xkey[i+3] = cast_sbox5[U8c(t[3])] ^ cast_sbox6[U8d(t[3])] ^
725 cast_sbox7[U8b(t[0])] ^ cast_sbox8[U8a(t[0])];
726 break;
727 case 4:
728 case 8:
729 key->xkey[i+0] = cast_sbox5[U8d(t[0])] ^ cast_sbox6[U8c(t[0])] ^
730 cast_sbox7[U8a(t[3])] ^ cast_sbox8[U8b(t[3])];
731 key->xkey[i+1] = cast_sbox5[U8b(t[0])] ^ cast_sbox6[U8a(t[0])] ^
732 cast_sbox7[U8c(t[3])] ^ cast_sbox8[U8d(t[3])];
733 key->xkey[i+2] = cast_sbox5[U8d(t[1])] ^ cast_sbox6[U8c(t[1])] ^
734 cast_sbox7[U8a(t[2])] ^ cast_sbox8[U8b(t[2])];
735 key->xkey[i+3] = cast_sbox5[U8b(t[1])] ^ cast_sbox6[U8a(t[1])] ^
736 cast_sbox7[U8c(t[2])] ^ cast_sbox8[U8d(t[2])];
737 break;
738 }
739 switch (i & 12) {
740 case 0:
741 key->xkey[i+0] ^= cast_sbox5[U8c(z[0])];
742 key->xkey[i+1] ^= cast_sbox6[U8c(z[1])];
743 key->xkey[i+2] ^= cast_sbox7[U8b(z[2])];
744 key->xkey[i+3] ^= cast_sbox8[U8a(z[3])];
745 break;
746 case 4:
747 key->xkey[i+0] ^= cast_sbox5[U8a(x[2])];
748 key->xkey[i+1] ^= cast_sbox6[U8b(x[3])];
749 key->xkey[i+2] ^= cast_sbox7[U8d(x[0])];
750 key->xkey[i+3] ^= cast_sbox8[U8d(x[1])];
751 break;
752 case 8:
753 key->xkey[i+0] ^= cast_sbox5[U8b(z[2])];
754 key->xkey[i+1] ^= cast_sbox6[U8a(z[3])];
755 key->xkey[i+2] ^= cast_sbox7[U8c(z[0])];
756 key->xkey[i+3] ^= cast_sbox8[U8c(z[1])];
757 break;
758 case 12:
759 key->xkey[i+0] ^= cast_sbox5[U8d(x[0])];
760 key->xkey[i+1] ^= cast_sbox6[U8d(x[1])];
761 key->xkey[i+2] ^= cast_sbox7[U8a(x[2])];
762 key->xkey[i+3] ^= cast_sbox8[U8b(x[3])];
763 break;
764 }
765 if (i >= 16) {
766 key->xkey[i+0] &= 31;
767 key->xkey[i+1] &= 31;
768 key->xkey[i+2] &= 31;
769 key->xkey[i+3] &= 31;
770 }
771 }
772 /* Wipe clean */
773 for (i = 0; i < 4; i++) {
774 t[i] = x[i] = z[i] = 0;
775 }
776}
777
778/* Made in Canada */
779
diff --git a/src/lib/libc/crypt/crypt.3 b/src/lib/libc/crypt/crypt.3
new file mode 100644
index 0000000000..32109dfac3
--- /dev/null
+++ b/src/lib/libc/crypt/crypt.3
@@ -0,0 +1,320 @@
1.\" $OpenBSD: crypt.3,v 1.21 2003/08/07 00:32:12 deraadt Exp $
2.\"
3.\" FreeSec: libcrypt
4.\"
5.\" Copyright (c) 1994 David Burren
6.\" All rights reserved.
7.\"
8.\" Redistribution and use in source and binary forms, with or without
9.\" modification, are permitted provided that the following conditions
10.\" are met:
11.\" 1. Redistributions of source code must retain the above copyright
12.\" notice, this list of conditions and the following disclaimer.
13.\" 2. Redistributions in binary form must reproduce the above copyright
14.\" notice, this list of conditions and the following disclaimer in the
15.\" documentation and/or other materials provided with the distribution.
16.\" 4. Neither the name of the author nor the names of other contributors
17.\" may be used to endorse or promote products derived from this software
18.\" without specific prior written permission.
19.\"
20.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
21.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
24.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30.\" SUCH DAMAGE.
31.\"
32.\" Manual page, using -mandoc macros
33.\"
34.Dd March 9, 1994
35.Dt CRYPT 3
36.Os
37.Sh NAME
38.Nm crypt ,
39.Nm setkey ,
40.Nm encrypt ,
41.Nm des_setkey ,
42.Nm des_cipher
43.Nd DES encryption
44.Sh SYNOPSIS
45.Fd #include <unistd.h>
46.Ft char *
47.Fn crypt "const char *key" "const char *setting"
48.Ft int
49.Fn setkey "char *key"
50.Ft int
51.Fn encrypt "char *block" "int flag"
52.Ft int
53.Fn des_setkey "const char *key"
54.Ft int
55.Fn des_cipher "const char *in" "char *out" "int32_t salt" "int count"
56.Ft char *
57.Fn bcrypt_gensalt "u_int8_t log_rounds"
58.Ft char *
59.Fn bcrypt "const char *key" "const char *salt"
60.Ft char *
61.Fn md5crypt "const char *key" "const char *salt"
62.Sh DESCRIPTION
63The
64.Fn crypt
65function performs password encryption based on the
66.Tn NBS
67Data Encryption Standard (DES).
68Additional code has been added to deter key search attempts and to use
69stronger hashing algorithms.
70.Pp
71The first argument to
72.Fn crypt
73is a
74.Dv null Ns -terminated
75string, typically a user's typed password.
76The second is in one of three forms:
77if it begins with an underscore
78.Pq Ql _
79then an extended format is used
80in interpreting both the key and the setting, as outlined below.
81If it begins
82with a string character
83.Pq Ql $
84and a number then a different algorithm is used depending on the number.
85At the moment a
86.Ql $1
87chooses MD5 hashing and a
88.Ql $2
89chooses Blowfish hashing; see below for more information.
90.Ss Extended crypt
91The
92.Ar key
93is divided into groups of 8 characters (the last group is null-padded)
94and the low-order 7 bits of each character (56 bits per group) are
95used to form the DES key as follows:
96the first group of 56 bits becomes the initial DES key.
97For each additional group, the XOR of the encryption of the current DES
98key with itself and the group bits becomes the next DES key.
99.Pp
100The setting is a 9-character array consisting of an underscore followed
101by 4 bytes of iteration count and 4 bytes of salt.
102These are encoded as printable characters, 6 bits per character,
103least significant character first.
104The values 0 to 63 are encoded as
105.Dq \&./0-9A-Za-z .
106This allows 24 bits for both
107.Fa count
108and
109.Fa salt .
110.Ss "MD5" crypt
111For
112.Tn MD5
113crypt the version number,
114.Fa salt
115and the hashed password are separated by the
116.Ql $
117character.
118The maximum length of a password is limited by
119the length counter of the MD5 context, which is about
1202**64.
121A valid MD5 password entry looks like this:
122.Pp
123.Dq $1$caeiHQwX$hsKqOjrFRRN6K32OWkCBf1 .
124.Pp
125The whole MD5 password string is passed as
126.Fa setting
127for interpretation.
128.Ss "Blowfish" crypt
129The
130.Tn Blowfish
131version of crypt has 128 bits of
132.Fa salt
133in order to make building dictionaries of common passwords space consuming.
134The initial state of the
135.Tn Blowfish
136cipher is expanded using the
137.Fa salt
138and the
139.Fa password
140repeating the process a variable number of rounds, which is encoded in
141the password string.
142The maximum password length is 72.
143The final Blowfish password entry is created by encrypting the string
144.Pp
145.Dq OrpheanBeholderScryDoubt
146.Pp
147with the
148.Tn Blowfish
149state 64 times.
150.Pp
151The version number, the logarithm of the number of rounds and
152the concatenation of salt and hashed password are separated by the
153.Ql $
154character.
155An encoded
156.Sq 8
157would specify 256 rounds.
158A valid Blowfish password looks like this:
159.Pp
160.Dq $2a$12$eIAq8PR8sIUnJ1HaohxX2O9x9Qlm2vK97LJ5dsXdmB.eXF42qjchC .
161.Pp
162The whole Blowfish password string is passed as
163.Fa setting
164for interpretation.
165.Ss "Traditional" crypt
166The first 8 bytes of the key are null-padded, and the low-order 7 bits of
167each character is used to form the 56-bit
168.Tn DES
169key.
170.Pp
171The setting is a 2-character array of the ASCII-encoded salt.
172Thus only 12 bits of
173.Fa salt
174are used.
175.Fa count
176is set to 25.
177.Ss DES Algorithm
178The
179.Fa salt
180introduces disorder in the
181.Tn DES
182algorithm in one of 16777216 or 4096 possible ways
183(i.e., with 24 or 12 bits: if bit
184.Em i
185of the
186.Ar salt
187is set, then bits
188.Em i
189and
190.Em i+24
191are swapped in the
192.Tn DES
193E-box output).
194.Pp
195The DES key is used to encrypt a 64-bit constant using
196.Ar count
197iterations of
198.Tn DES .
199The value returned is a
200.Dv null Ns -terminated
201string, 20 or 13 bytes (plus null) in length, consisting of the
202.Ar setting
203followed by the encoded 64-bit encryption.
204.Pp
205The functions
206.Fn encrypt ,
207.Fn setkey ,
208.Fn des_setkey ,
209and
210.Fn des_cipher
211provide access to the
212.Tn DES
213algorithm itself.
214.Fn setkey
215is passed a 64-byte array of binary values (numeric 0 or 1).
216A 56-bit key is extracted from this array by dividing the
217array into groups of 8, and ignoring the last bit in each group.
218That bit is reserved for a byte parity check by DES, but is ignored
219by these functions.
220.Pp
221The
222.Fa block
223argument to
224.Fn encrypt
225is also a 64-byte array of binary values.
226If the value of
227.Fa flag
228is 0,
229.Fa block
230is encrypted otherwise it is decrypted.
231The result is returned in the original array
232.Fa block
233after using the key specified by
234.Fn setkey
235to process it.
236.Pp
237The argument to
238.Fn des_setkey
239is a character array of length 8.
240The least significant bit (the parity bit) in each character is ignored,
241and the remaining bits are concatenated to form a 56-bit key.
242The function
243.Fn des_cipher
244encrypts (or decrypts if
245.Fa count
246is negative) the 64-bits stored in the 8 characters at
247.Fa in
248using
249.Xr abs 3
250of
251.Fa count
252iterations of
253.Tn DES
254and stores the 64-bit result in the 8 characters at
255.Fa out
256(which may be the same as
257.Fa in ) .
258The
259.Fa salt
260specifies perturbations to the
261.Tn DES
262E-box output as described above.
263.Pp
264The function
265.Fn crypt
266returns a pointer to the encrypted value on success, and
267.Dv NULL
268on failure.
269The functions
270.Fn setkey ,
271.Fn encrypt ,
272.Fn des_setkey ,
273and
274.Fn des_cipher
275return 0 on success and 1 on failure.
276.Pp
277The
278.Fn crypt ,
279.Fn setkey ,
280and
281.Fn des_setkey
282functions all manipulate the same key space.
283.Sh SEE ALSO
284.Xr login 1 ,
285.Xr passwd 1 ,
286.Xr blowfish 3 ,
287.Xr getpass 3 ,
288.Xr md5 3 ,
289.Xr passwd 5
290.Sh HISTORY
291A rotor-based
292.Fn crypt
293function appeared in
294.At v3 .
295The current style
296.Fn crypt
297first appeared in
298.At v7 .
299.Pp
300This library (FreeSec 1.0) was developed outside the United States of America
301as an unencumbered replacement for the U.S.-only libcrypt encryption
302library.
303Programs linked against the
304.Fn crypt
305interface may be exported from the U.S.A. only if they use
306.Fn crypt
307solely for authentication purposes and avoid use of
308the other programmer interfaces listed above.
309Special care has been taken
310in the library so that programs which only use the
311.Fn crypt
312interface do not pull in the other components.
313.Sh AUTHORS
314.An David Burren Aq davidb@werj.com.au
315.Sh BUGS
316The
317.Fn crypt
318function returns a pointer to static data, and subsequent calls to
319.Fn crypt
320will modify the same object.
diff --git a/src/lib/libc/crypt/crypt.c b/src/lib/libc/crypt/crypt.c
new file mode 100644
index 0000000000..e0f5e8364a
--- /dev/null
+++ b/src/lib/libc/crypt/crypt.c
@@ -0,0 +1,700 @@
1/* $OpenBSD: crypt.c,v 1.18 2003/08/12 01:22:17 deraadt Exp $ */
2
3/*
4 * FreeSec: libcrypt
5 *
6 * Copyright (c) 1994 David Burren
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 4. Neither the name of the author nor the names of other contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 *
33 *
34 * This is an original implementation of the DES and the crypt(3) interfaces
35 * by David Burren <davidb@werj.com.au>.
36 *
37 * An excellent reference on the underlying algorithm (and related
38 * algorithms) is:
39 *
40 * B. Schneier, Applied Cryptography: protocols, algorithms,
41 * and source code in C, John Wiley & Sons, 1994.
42 *
43 * Note that in that book's description of DES the lookups for the initial,
44 * pbox, and final permutations are inverted (this has been brought to the
45 * attention of the author). A list of errata for this book has been
46 * posted to the sci.crypt newsgroup by the author and is available for FTP.
47 */
48
49#if defined(LIBC_SCCS) && !defined(lint)
50static char rcsid[] = "$OpenBSD: crypt.c,v 1.18 2003/08/12 01:22:17 deraadt Exp $";
51#endif /* LIBC_SCCS and not lint */
52
53#include <sys/types.h>
54#include <sys/param.h>
55#include <pwd.h>
56#include <unistd.h>
57#include <string.h>
58
59#ifdef DEBUG
60# include <stdio.h>
61#endif
62
63static const u_char IP[64] = {
64 58, 50, 42, 34, 26, 18, 10, 2, 60, 52, 44, 36, 28, 20, 12, 4,
65 62, 54, 46, 38, 30, 22, 14, 6, 64, 56, 48, 40, 32, 24, 16, 8,
66 57, 49, 41, 33, 25, 17, 9, 1, 59, 51, 43, 35, 27, 19, 11, 3,
67 61, 53, 45, 37, 29, 21, 13, 5, 63, 55, 47, 39, 31, 23, 15, 7
68};
69
70static u_char inv_key_perm[64];
71static u_char u_key_perm[56];
72static u_char const key_perm[56] = {
73 57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18,
74 10, 2, 59, 51, 43, 35, 27, 19, 11, 3, 60, 52, 44, 36,
75 63, 55, 47, 39, 31, 23, 15, 7, 62, 54, 46, 38, 30, 22,
76 14, 6, 61, 53, 45, 37, 29, 21, 13, 5, 28, 20, 12, 4
77};
78
79static const u_char key_shifts[16] = {
80 1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1
81};
82
83static u_char inv_comp_perm[56];
84static const u_char comp_perm[48] = {
85 14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10,
86 23, 19, 12, 4, 26, 8, 16, 7, 27, 20, 13, 2,
87 41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48,
88 44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32
89};
90
91/*
92 * No E box is used, as it's replaced by some ANDs, shifts, and ORs.
93 */
94
95static u_char u_sbox[8][64];
96static const u_char sbox[8][64] = {
97 {
98 14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7,
99 0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8,
100 4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0,
101 15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13
102 },
103 {
104 15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10,
105 3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5,
106 0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15,
107 13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9
108 },
109 {
110 10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8,
111 13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1,
112 13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7,
113 1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12
114 },
115 {
116 7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15,
117 13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9,
118 10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4,
119 3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14
120 },
121 {
122 2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9,
123 14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6,
124 4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14,
125 11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3
126 },
127 {
128 12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11,
129 10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8,
130 9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6,
131 4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13
132 },
133 {
134 4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1,
135 13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6,
136 1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2,
137 6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12
138 },
139 {
140 13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7,
141 1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2,
142 7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8,
143 2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11
144 }
145};
146
147static u_char un_pbox[32];
148static const u_char pbox[32] = {
149 16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10,
150 2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25
151};
152
153const u_int32_t _des_bits32[32] =
154{
155 0x80000000, 0x40000000, 0x20000000, 0x10000000,
156 0x08000000, 0x04000000, 0x02000000, 0x01000000,
157 0x00800000, 0x00400000, 0x00200000, 0x00100000,
158 0x00080000, 0x00040000, 0x00020000, 0x00010000,
159 0x00008000, 0x00004000, 0x00002000, 0x00001000,
160 0x00000800, 0x00000400, 0x00000200, 0x00000100,
161 0x00000080, 0x00000040, 0x00000020, 0x00000010,
162 0x00000008, 0x00000004, 0x00000002, 0x00000001
163};
164
165const u_char _des_bits8[8] = { 0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02, 0x01 };
166
167static u_int32_t saltbits;
168static int32_t old_salt;
169static const u_int32_t *bits28, *bits24;
170static u_char init_perm[64], final_perm[64];
171static u_int32_t en_keysl[16], en_keysr[16];
172static u_int32_t de_keysl[16], de_keysr[16];
173int _des_initialised = 0;
174static u_char m_sbox[4][4096];
175static u_int32_t psbox[4][256];
176static u_int32_t ip_maskl[8][256], ip_maskr[8][256];
177static u_int32_t fp_maskl[8][256], fp_maskr[8][256];
178static u_int32_t key_perm_maskl[8][128], key_perm_maskr[8][128];
179static u_int32_t comp_maskl[8][128], comp_maskr[8][128];
180static u_int32_t old_rawkey0, old_rawkey1;
181
182static u_char ascii64[] =
183 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
184/* 0000000000111111111122222222223333333333444444444455555555556666 */
185/* 0123456789012345678901234567890123456789012345678901234567890123 */
186
187static __inline int
188ascii_to_bin(char ch)
189{
190 if (ch > 'z')
191 return(0);
192 if (ch >= 'a')
193 return(ch - 'a' + 38);
194 if (ch > 'Z')
195 return(0);
196 if (ch >= 'A')
197 return(ch - 'A' + 12);
198 if (ch > '9')
199 return(0);
200 if (ch >= '.')
201 return(ch - '.');
202 return(0);
203}
204
205void
206_des_init(void)
207{
208 int i, j, b, k, inbit, obit;
209 u_int32_t *p, *il, *ir, *fl, *fr;
210
211 old_rawkey0 = old_rawkey1 = 0;
212 saltbits = 0;
213 old_salt = 0;
214 bits24 = (bits28 = _des_bits32 + 4) + 4;
215
216 /*
217 * Invert the S-boxes, reordering the input bits.
218 */
219 for (i = 0; i < 8; i++)
220 for (j = 0; j < 64; j++) {
221 b = (j & 0x20) | ((j & 1) << 4) | ((j >> 1) & 0xf);
222 u_sbox[i][j] = sbox[i][b];
223 }
224
225 /*
226 * Convert the inverted S-boxes into 4 arrays of 8 bits.
227 * Each will handle 12 bits of the S-box input.
228 */
229 for (b = 0; b < 4; b++)
230 for (i = 0; i < 64; i++)
231 for (j = 0; j < 64; j++)
232 m_sbox[b][(i << 6) | j] =
233 (u_sbox[(b << 1)][i] << 4) |
234 u_sbox[(b << 1) + 1][j];
235
236 /*
237 * Set up the initial & final permutations into a useful form, and
238 * initialise the inverted key permutation.
239 */
240 for (i = 0; i < 64; i++) {
241 init_perm[final_perm[i] = IP[i] - 1] = i;
242 inv_key_perm[i] = 255;
243 }
244
245 /*
246 * Invert the key permutation and initialise the inverted key
247 * compression permutation.
248 */
249 for (i = 0; i < 56; i++) {
250 u_key_perm[i] = key_perm[i] - 1;
251 inv_key_perm[key_perm[i] - 1] = i;
252 inv_comp_perm[i] = 255;
253 }
254
255 /*
256 * Invert the key compression permutation.
257 */
258 for (i = 0; i < 48; i++) {
259 inv_comp_perm[comp_perm[i] - 1] = i;
260 }
261
262 /*
263 * Set up the OR-mask arrays for the initial and final permutations,
264 * and for the key initial and compression permutations.
265 */
266 for (k = 0; k < 8; k++) {
267 for (i = 0; i < 256; i++) {
268 *(il = &ip_maskl[k][i]) = 0;
269 *(ir = &ip_maskr[k][i]) = 0;
270 *(fl = &fp_maskl[k][i]) = 0;
271 *(fr = &fp_maskr[k][i]) = 0;
272 for (j = 0; j < 8; j++) {
273 inbit = 8 * k + j;
274 if (i & _des_bits8[j]) {
275 if ((obit = init_perm[inbit]) < 32)
276 *il |= _des_bits32[obit];
277 else
278 *ir |= _des_bits32[obit-32];
279 if ((obit = final_perm[inbit]) < 32)
280 *fl |= _des_bits32[obit];
281 else
282 *fr |= _des_bits32[obit - 32];
283 }
284 }
285 }
286 for (i = 0; i < 128; i++) {
287 *(il = &key_perm_maskl[k][i]) = 0;
288 *(ir = &key_perm_maskr[k][i]) = 0;
289 for (j = 0; j < 7; j++) {
290 inbit = 8 * k + j;
291 if (i & _des_bits8[j + 1]) {
292 if ((obit = inv_key_perm[inbit]) == 255)
293 continue;
294 if (obit < 28)
295 *il |= bits28[obit];
296 else
297 *ir |= bits28[obit - 28];
298 }
299 }
300 *(il = &comp_maskl[k][i]) = 0;
301 *(ir = &comp_maskr[k][i]) = 0;
302 for (j = 0; j < 7; j++) {
303 inbit = 7 * k + j;
304 if (i & _des_bits8[j + 1]) {
305 if ((obit=inv_comp_perm[inbit]) == 255)
306 continue;
307 if (obit < 24)
308 *il |= bits24[obit];
309 else
310 *ir |= bits24[obit - 24];
311 }
312 }
313 }
314 }
315
316 /*
317 * Invert the P-box permutation, and convert into OR-masks for
318 * handling the output of the S-box arrays setup above.
319 */
320 for (i = 0; i < 32; i++)
321 un_pbox[pbox[i] - 1] = i;
322
323 for (b = 0; b < 4; b++)
324 for (i = 0; i < 256; i++) {
325 *(p = &psbox[b][i]) = 0;
326 for (j = 0; j < 8; j++) {
327 if (i & _des_bits8[j])
328 *p |= _des_bits32[un_pbox[8 * b + j]];
329 }
330 }
331
332 _des_initialised = 1;
333}
334
335void
336_des_setup_salt(int32_t salt)
337{
338 u_int32_t obit, saltbit;
339 int i;
340
341 if (salt == old_salt)
342 return;
343 old_salt = salt;
344
345 saltbits = 0;
346 saltbit = 1;
347 obit = 0x800000;
348 for (i = 0; i < 24; i++) {
349 if (salt & saltbit)
350 saltbits |= obit;
351 saltbit <<= 1;
352 obit >>= 1;
353 }
354}
355
356int
357des_setkey(const char *key)
358{
359 u_int32_t k0, k1, rawkey0, rawkey1;
360 int shifts, round;
361
362 if (!_des_initialised)
363 _des_init();
364
365 rawkey0 = ntohl(*(u_int32_t *) key);
366 rawkey1 = ntohl(*(u_int32_t *) (key + 4));
367
368 if ((rawkey0 | rawkey1)
369 && rawkey0 == old_rawkey0
370 && rawkey1 == old_rawkey1) {
371 /*
372 * Already setup for this key.
373 * This optimisation fails on a zero key (which is weak and
374 * has bad parity anyway) in order to simplify the starting
375 * conditions.
376 */
377 return(0);
378 }
379 old_rawkey0 = rawkey0;
380 old_rawkey1 = rawkey1;
381
382 /*
383 * Do key permutation and split into two 28-bit subkeys.
384 */
385 k0 = key_perm_maskl[0][rawkey0 >> 25]
386 | key_perm_maskl[1][(rawkey0 >> 17) & 0x7f]
387 | key_perm_maskl[2][(rawkey0 >> 9) & 0x7f]
388 | key_perm_maskl[3][(rawkey0 >> 1) & 0x7f]
389 | key_perm_maskl[4][rawkey1 >> 25]
390 | key_perm_maskl[5][(rawkey1 >> 17) & 0x7f]
391 | key_perm_maskl[6][(rawkey1 >> 9) & 0x7f]
392 | key_perm_maskl[7][(rawkey1 >> 1) & 0x7f];
393 k1 = key_perm_maskr[0][rawkey0 >> 25]
394 | key_perm_maskr[1][(rawkey0 >> 17) & 0x7f]
395 | key_perm_maskr[2][(rawkey0 >> 9) & 0x7f]
396 | key_perm_maskr[3][(rawkey0 >> 1) & 0x7f]
397 | key_perm_maskr[4][rawkey1 >> 25]
398 | key_perm_maskr[5][(rawkey1 >> 17) & 0x7f]
399 | key_perm_maskr[6][(rawkey1 >> 9) & 0x7f]
400 | key_perm_maskr[7][(rawkey1 >> 1) & 0x7f];
401 /*
402 * Rotate subkeys and do compression permutation.
403 */
404 shifts = 0;
405 for (round = 0; round < 16; round++) {
406 u_int32_t t0, t1;
407
408 shifts += key_shifts[round];
409
410 t0 = (k0 << shifts) | (k0 >> (28 - shifts));
411 t1 = (k1 << shifts) | (k1 >> (28 - shifts));
412
413 de_keysl[15 - round] =
414 en_keysl[round] = comp_maskl[0][(t0 >> 21) & 0x7f]
415 | comp_maskl[1][(t0 >> 14) & 0x7f]
416 | comp_maskl[2][(t0 >> 7) & 0x7f]
417 | comp_maskl[3][t0 & 0x7f]
418 | comp_maskl[4][(t1 >> 21) & 0x7f]
419 | comp_maskl[5][(t1 >> 14) & 0x7f]
420 | comp_maskl[6][(t1 >> 7) & 0x7f]
421 | comp_maskl[7][t1 & 0x7f];
422
423 de_keysr[15 - round] =
424 en_keysr[round] = comp_maskr[0][(t0 >> 21) & 0x7f]
425 | comp_maskr[1][(t0 >> 14) & 0x7f]
426 | comp_maskr[2][(t0 >> 7) & 0x7f]
427 | comp_maskr[3][t0 & 0x7f]
428 | comp_maskr[4][(t1 >> 21) & 0x7f]
429 | comp_maskr[5][(t1 >> 14) & 0x7f]
430 | comp_maskr[6][(t1 >> 7) & 0x7f]
431 | comp_maskr[7][t1 & 0x7f];
432 }
433 return(0);
434}
435
436int
437_des_do_des(u_int32_t l_in, u_int32_t r_in, u_int32_t *l_out, u_int32_t *r_out,
438 int count)
439{
440 /*
441 * l_in, r_in, l_out, and r_out are in pseudo-"big-endian" format.
442 */
443 u_int32_t l, r, *kl, *kr, *kl1, *kr1;
444 u_int32_t f, r48l, r48r;
445 int round;
446
447 if (count == 0) {
448 return(1);
449 } else if (count > 0) {
450 /*
451 * Encrypting
452 */
453 kl1 = en_keysl;
454 kr1 = en_keysr;
455 } else {
456 /*
457 * Decrypting
458 */
459 count = -count;
460 kl1 = de_keysl;
461 kr1 = de_keysr;
462 }
463
464 /*
465 * Do initial permutation (IP).
466 */
467 l = ip_maskl[0][l_in >> 24]
468 | ip_maskl[1][(l_in >> 16) & 0xff]
469 | ip_maskl[2][(l_in >> 8) & 0xff]
470 | ip_maskl[3][l_in & 0xff]
471 | ip_maskl[4][r_in >> 24]
472 | ip_maskl[5][(r_in >> 16) & 0xff]
473 | ip_maskl[6][(r_in >> 8) & 0xff]
474 | ip_maskl[7][r_in & 0xff];
475 r = ip_maskr[0][l_in >> 24]
476 | ip_maskr[1][(l_in >> 16) & 0xff]
477 | ip_maskr[2][(l_in >> 8) & 0xff]
478 | ip_maskr[3][l_in & 0xff]
479 | ip_maskr[4][r_in >> 24]
480 | ip_maskr[5][(r_in >> 16) & 0xff]
481 | ip_maskr[6][(r_in >> 8) & 0xff]
482 | ip_maskr[7][r_in & 0xff];
483
484 while (count--) {
485 /*
486 * Do each round.
487 */
488 kl = kl1;
489 kr = kr1;
490 round = 16;
491 while (round--) {
492 /*
493 * Expand R to 48 bits (simulate the E-box).
494 */
495 r48l = ((r & 0x00000001) << 23)
496 | ((r & 0xf8000000) >> 9)
497 | ((r & 0x1f800000) >> 11)
498 | ((r & 0x01f80000) >> 13)
499 | ((r & 0x001f8000) >> 15);
500
501 r48r = ((r & 0x0001f800) << 7)
502 | ((r & 0x00001f80) << 5)
503 | ((r & 0x000001f8) << 3)
504 | ((r & 0x0000001f) << 1)
505 | ((r & 0x80000000) >> 31);
506 /*
507 * Do salting for crypt() and friends, and
508 * XOR with the permuted key.
509 */
510 f = (r48l ^ r48r) & saltbits;
511 r48l ^= f ^ *kl++;
512 r48r ^= f ^ *kr++;
513 /*
514 * Do sbox lookups (which shrink it back to 32 bits)
515 * and do the pbox permutation at the same time.
516 */
517 f = psbox[0][m_sbox[0][r48l >> 12]]
518 | psbox[1][m_sbox[1][r48l & 0xfff]]
519 | psbox[2][m_sbox[2][r48r >> 12]]
520 | psbox[3][m_sbox[3][r48r & 0xfff]];
521 /*
522 * Now that we've permuted things, complete f().
523 */
524 f ^= l;
525 l = r;
526 r = f;
527 }
528 r = l;
529 l = f;
530 }
531 /*
532 * Do final permutation (inverse of IP).
533 */
534 *l_out = fp_maskl[0][l >> 24]
535 | fp_maskl[1][(l >> 16) & 0xff]
536 | fp_maskl[2][(l >> 8) & 0xff]
537 | fp_maskl[3][l & 0xff]
538 | fp_maskl[4][r >> 24]
539 | fp_maskl[5][(r >> 16) & 0xff]
540 | fp_maskl[6][(r >> 8) & 0xff]
541 | fp_maskl[7][r & 0xff];
542 *r_out = fp_maskr[0][l >> 24]
543 | fp_maskr[1][(l >> 16) & 0xff]
544 | fp_maskr[2][(l >> 8) & 0xff]
545 | fp_maskr[3][l & 0xff]
546 | fp_maskr[4][r >> 24]
547 | fp_maskr[5][(r >> 16) & 0xff]
548 | fp_maskr[6][(r >> 8) & 0xff]
549 | fp_maskr[7][r & 0xff];
550 return(0);
551}
552
553int
554des_cipher(const char *in, char *out, int32_t salt, int count)
555{
556 u_int32_t l_out, r_out, rawl, rawr;
557 u_int32_t x[2];
558 int retval;
559
560 if (!_des_initialised)
561 _des_init();
562
563 _des_setup_salt(salt);
564
565 memcpy(x, in, sizeof x);
566 rawl = ntohl(x[0]);
567 rawr = ntohl(x[1]);
568 retval = _des_do_des(rawl, rawr, &l_out, &r_out, count);
569
570 x[0] = htonl(l_out);
571 x[1] = htonl(r_out);
572 memcpy(out, x, sizeof x);
573 return(retval);
574}
575
576char *
577crypt(const char *key, const char *setting)
578{
579 int i;
580 u_int32_t count, salt, l, r0, r1, keybuf[2];
581 u_char *p, *q;
582 static u_char output[21];
583 extern char *md5crypt(const char *, const char *);
584 extern char *bcrypt(const char *, const char *);
585
586 if (setting[0] == '$') {
587 switch (setting[1]) {
588 case '1':
589 return (md5crypt(key, setting));
590 default:
591 return bcrypt(key, setting);
592 }
593 }
594
595 if (!_des_initialised)
596 _des_init();
597
598 /*
599 * Copy the key, shifting each character up by one bit
600 * and padding with zeros.
601 */
602 q = (u_char *) keybuf;
603 while ((q - (u_char *) keybuf) < sizeof(keybuf)) {
604 if ((*q++ = *key << 1))
605 key++;
606 }
607 if (des_setkey((u_char *) keybuf))
608 return(NULL);
609
610 if (*setting == _PASSWORD_EFMT1) {
611 /*
612 * "new"-style:
613 * setting - underscore, 4 bytes of count, 4 bytes of salt
614 * key - unlimited characters
615 */
616 for (i = 1, count = 0; i < 5; i++)
617 count |= ascii_to_bin(setting[i]) << (i - 1) * 6;
618
619 for (i = 5, salt = 0; i < 9; i++)
620 salt |= ascii_to_bin(setting[i]) << (i - 5) * 6;
621
622 while (*key) {
623 /*
624 * Encrypt the key with itself.
625 */
626 if (des_cipher((u_char*)keybuf, (u_char*)keybuf, 0, 1))
627 return(NULL);
628 /*
629 * And XOR with the next 8 characters of the key.
630 */
631 q = (u_char *) keybuf;
632 while (((q - (u_char *) keybuf) < sizeof(keybuf)) &&
633 *key)
634 *q++ ^= *key++ << 1;
635
636 if (des_setkey((u_char *) keybuf))
637 return(NULL);
638 }
639 strlcpy((char *)output, setting, 10);
640
641 /*
642 * Double check that we weren't given a short setting.
643 * If we were, the above code will probably have created
644 * weird values for count and salt, but we don't really care.
645 * Just make sure the output string doesn't have an extra
646 * NUL in it.
647 */
648 p = output + strlen((const char *)output);
649 } else {
650 /*
651 * "old"-style:
652 * setting - 2 bytes of salt
653 * key - up to 8 characters
654 */
655 count = 25;
656
657 salt = (ascii_to_bin(setting[1]) << 6)
658 | ascii_to_bin(setting[0]);
659
660 output[0] = setting[0];
661 /*
662 * If the encrypted password that the salt was extracted from
663 * is only 1 character long, the salt will be corrupted. We
664 * need to ensure that the output string doesn't have an extra
665 * NUL in it!
666 */
667 output[1] = setting[1] ? setting[1] : output[0];
668
669 p = output + 2;
670 }
671 _des_setup_salt(salt);
672
673 /*
674 * Do it.
675 */
676 if (_des_do_des(0, 0, &r0, &r1, count))
677 return(NULL);
678 /*
679 * Now encode the result...
680 */
681 l = (r0 >> 8);
682 *p++ = ascii64[(l >> 18) & 0x3f];
683 *p++ = ascii64[(l >> 12) & 0x3f];
684 *p++ = ascii64[(l >> 6) & 0x3f];
685 *p++ = ascii64[l & 0x3f];
686
687 l = (r0 << 16) | ((r1 >> 16) & 0xffff);
688 *p++ = ascii64[(l >> 18) & 0x3f];
689 *p++ = ascii64[(l >> 12) & 0x3f];
690 *p++ = ascii64[(l >> 6) & 0x3f];
691 *p++ = ascii64[l & 0x3f];
692
693 l = r1 << 2;
694 *p++ = ascii64[(l >> 12) & 0x3f];
695 *p++ = ascii64[(l >> 6) & 0x3f];
696 *p++ = ascii64[l & 0x3f];
697 *p = 0;
698
699 return((char *)output);
700}
diff --git a/src/lib/libc/crypt/crypt2.c b/src/lib/libc/crypt/crypt2.c
new file mode 100644
index 0000000000..0c93c12044
--- /dev/null
+++ b/src/lib/libc/crypt/crypt2.c
@@ -0,0 +1,108 @@
1/* $OpenBSD: crypt2.c,v 1.1 2003/08/12 01:22:17 deraadt Exp $ */
2
3/*
4 * FreeSec: libcrypt
5 *
6 * Copyright (c) 1994 David Burren
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 4. Neither the name of the author nor the names of other contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 *
33 *
34 * This is an original implementation of the DES and the crypt(3) interfaces
35 * by David Burren <davidb@werj.com.au>.
36 *
37 * An excellent reference on the underlying algorithm (and related
38 * algorithms) is:
39 *
40 * B. Schneier, Applied Cryptography: protocols, algorithms,
41 * and source code in C, John Wiley & Sons, 1994.
42 *
43 * Note that in that book's description of DES the lookups for the initial,
44 * pbox, and final permutations are inverted (this has been brought to the
45 * attention of the author). A list of errata for this book has been
46 * posted to the sci.crypt newsgroup by the author and is available for FTP.
47 */
48
49#if defined(LIBC_SCCS) && !defined(lint)
50static char rcsid[] = "$OpenBSD: crypt2.c,v 1.1 2003/08/12 01:22:17 deraadt Exp $";
51#endif /* LIBC_SCCS and not lint */
52
53#include <sys/types.h>
54#include <sys/param.h>
55#include <pwd.h>
56#include <unistd.h>
57#include <string.h>
58
59#ifdef DEBUG
60# include <stdio.h>
61#endif
62
63extern const u_char _des_bits8[8];
64extern const u_int32_t _des_bits32[32];
65extern int _des_initialised;
66
67int
68setkey(const char *key)
69{
70 int i, j;
71 u_int32_t packed_keys[2];
72 u_char *p;
73
74 p = (u_char *) packed_keys;
75
76 for (i = 0; i < 8; i++) {
77 p[i] = 0;
78 for (j = 0; j < 8; j++)
79 if (*key++ & 1)
80 p[i] |= _des_bits8[j];
81 }
82 return(des_setkey(p));
83}
84
85int
86encrypt(char *block, int flag)
87{
88 u_int32_t io[2];
89 u_char *p;
90 int i, j, retval;
91
92 if (!_des_initialised)
93 _des_init();
94
95 _des_setup_salt(0);
96 p = (u_char *)block;
97 for (i = 0; i < 2; i++) {
98 io[i] = 0L;
99 for (j = 0; j < 32; j++)
100 if (*p++ & 1)
101 io[i] |= _des_bits32[j];
102 }
103 retval = _des_do_des(io[0], io[1], io, io + 1, flag ? -1 : 1);
104 for (i = 0; i < 2; i++)
105 for (j = 0; j < 32; j++)
106 block[(i << 5) | j] = (io[i] & _des_bits32[j]) ? 1 : 0;
107 return(retval);
108}
diff --git a/src/lib/libc/crypt/md5crypt.c b/src/lib/libc/crypt/md5crypt.c
new file mode 100644
index 0000000000..97717e68d5
--- /dev/null
+++ b/src/lib/libc/crypt/md5crypt.c
@@ -0,0 +1,153 @@
1/* $OpenBSD: md5crypt.c,v 1.13 2003/08/07 00:30:21 deraadt Exp $ */
2
3/*
4 * ----------------------------------------------------------------------------
5 * "THE BEER-WARE LICENSE" (Revision 42):
6 * <phk@login.dknet.dk> wrote this file. As long as you retain this notice you
7 * can do whatever you want with this stuff. If we meet some day, and you think
8 * this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp
9 * ----------------------------------------------------------------------------
10 *
11 * $FreeBSD: crypt.c,v 1.5 1996/10/14 08:34:02 phk Exp $
12 *
13 */
14
15#if defined(LIBC_SCCS) && !defined(lint)
16static char rcsid[] = "$OpenBSD: md5crypt.c,v 1.13 2003/08/07 00:30:21 deraadt Exp $";
17#endif /* LIBC_SCCS and not lint */
18
19#include <unistd.h>
20#include <stdio.h>
21#include <string.h>
22#include <md5.h>
23#include <string.h>
24
25static unsigned char itoa64[] = /* 0 ... 63 => ascii - 64 */
26 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
27
28static void to64(char *, u_int32_t, int);
29
30static void
31to64(char *s, u_int32_t v, int n)
32{
33 while (--n >= 0) {
34 *s++ = itoa64[v&0x3f];
35 v >>= 6;
36 }
37}
38
39/*
40 * UNIX password
41 *
42 * Use MD5 for what it is best at...
43 */
44
45char *md5crypt(const char *pw, const char *salt);
46
47char *
48md5crypt(const char *pw, const char *salt)
49{
50 /*
51 * This string is magic for this algorithm. Having
52 * it this way, we can get get better later on
53 */
54 static unsigned char *magic = (unsigned char *)"$1$";
55
56 static char passwd[120], *p;
57 static const unsigned char *sp,*ep;
58 unsigned char final[16];
59 int sl,pl,i;
60 MD5_CTX ctx,ctx1;
61 u_int32_t l;
62
63 /* Refine the Salt first */
64 sp = (const unsigned char *)salt;
65
66 /* If it starts with the magic string, then skip that */
67 if(!strncmp((const char *)sp,(const char *)magic,strlen((const char *)magic)))
68 sp += strlen((const char *)magic);
69
70 /* It stops at the first '$', max 8 chars */
71 for(ep=sp;*ep && *ep != '$' && ep < (sp+8);ep++)
72 continue;
73
74 /* get the length of the true salt */
75 sl = ep - sp;
76
77 MD5Init(&ctx);
78
79 /* The password first, since that is what is most unknown */
80 MD5Update(&ctx,(const unsigned char *)pw,strlen(pw));
81
82 /* Then our magic string */
83 MD5Update(&ctx,magic,strlen((const char *)magic));
84
85 /* Then the raw salt */
86 MD5Update(&ctx,sp,sl);
87
88 /* Then just as many characters of the MD5(pw,salt,pw) */
89 MD5Init(&ctx1);
90 MD5Update(&ctx1,(const unsigned char *)pw,strlen(pw));
91 MD5Update(&ctx1,sp,sl);
92 MD5Update(&ctx1,(const unsigned char *)pw,strlen(pw));
93 MD5Final(final,&ctx1);
94 for(pl = strlen(pw); pl > 0; pl -= 16)
95 MD5Update(&ctx,final,pl>16 ? 16 : pl);
96
97 /* Don't leave anything around in vm they could use. */
98 memset(final,0,sizeof final);
99
100 /* Then something really weird... */
101 for (i = strlen(pw); i ; i >>= 1)
102 if(i&1)
103 MD5Update(&ctx, final, 1);
104 else
105 MD5Update(&ctx, (const unsigned char *)pw, 1);
106
107 /* Now make the output string */
108 snprintf(passwd, sizeof(passwd), "%s%.*s$", (char *)magic,
109 sl, (const char *)sp);
110
111 MD5Final(final,&ctx);
112
113 /*
114 * and now, just to make sure things don't run too fast
115 * On a 60 Mhz Pentium this takes 34 msec, so you would
116 * need 30 seconds to build a 1000 entry dictionary...
117 */
118 for(i=0;i<1000;i++) {
119 MD5Init(&ctx1);
120 if(i & 1)
121 MD5Update(&ctx1,(const unsigned char *)pw,strlen(pw));
122 else
123 MD5Update(&ctx1,final,16);
124
125 if(i % 3)
126 MD5Update(&ctx1,sp,sl);
127
128 if(i % 7)
129 MD5Update(&ctx1,(const unsigned char *)pw,strlen(pw));
130
131 if(i & 1)
132 MD5Update(&ctx1,final,16);
133 else
134 MD5Update(&ctx1,(const unsigned char *)pw,strlen(pw));
135 MD5Final(final,&ctx1);
136 }
137
138 p = passwd + strlen(passwd);
139
140 l = (final[ 0]<<16) | (final[ 6]<<8) | final[12]; to64(p,l,4); p += 4;
141 l = (final[ 1]<<16) | (final[ 7]<<8) | final[13]; to64(p,l,4); p += 4;
142 l = (final[ 2]<<16) | (final[ 8]<<8) | final[14]; to64(p,l,4); p += 4;
143 l = (final[ 3]<<16) | (final[ 9]<<8) | final[15]; to64(p,l,4); p += 4;
144 l = (final[ 4]<<16) | (final[10]<<8) | final[ 5]; to64(p,l,4); p += 4;
145 l = final[11] ; to64(p,l,2); p += 2;
146 *p = '\0';
147
148 /* Don't leave anything around in vm they could use. */
149 memset(final, 0, sizeof final);
150
151 return passwd;
152}
153
diff --git a/src/lib/libc/crypt/skipjack.c b/src/lib/libc/crypt/skipjack.c
new file mode 100644
index 0000000000..e700f40c39
--- /dev/null
+++ b/src/lib/libc/crypt/skipjack.c
@@ -0,0 +1,258 @@
1/*
2 * Further optimized test implementation of SKIPJACK algorithm
3 * Mark Tillotson <markt@chaos.org.uk>, 25 June 98
4 * Optimizations suit RISC (lots of registers) machine best.
5 *
6 * based on unoptimized implementation of
7 * Panu Rissanen <bande@lut.fi> 960624
8 *
9 * SKIPJACK and KEA Algorithm Specifications
10 * Version 2.0
11 * 29 May 1998
12*/
13
14#include <sys/param.h>
15#include <skipjack.h>
16#include <stdlib.h>
17
18static const u_int8_t ftable[0x100] =
19{
20 0xa3, 0xd7, 0x09, 0x83, 0xf8, 0x48, 0xf6, 0xf4,
21 0xb3, 0x21, 0x15, 0x78, 0x99, 0xb1, 0xaf, 0xf9,
22 0xe7, 0x2d, 0x4d, 0x8a, 0xce, 0x4c, 0xca, 0x2e,
23 0x52, 0x95, 0xd9, 0x1e, 0x4e, 0x38, 0x44, 0x28,
24 0x0a, 0xdf, 0x02, 0xa0, 0x17, 0xf1, 0x60, 0x68,
25 0x12, 0xb7, 0x7a, 0xc3, 0xe9, 0xfa, 0x3d, 0x53,
26 0x96, 0x84, 0x6b, 0xba, 0xf2, 0x63, 0x9a, 0x19,
27 0x7c, 0xae, 0xe5, 0xf5, 0xf7, 0x16, 0x6a, 0xa2,
28 0x39, 0xb6, 0x7b, 0x0f, 0xc1, 0x93, 0x81, 0x1b,
29 0xee, 0xb4, 0x1a, 0xea, 0xd0, 0x91, 0x2f, 0xb8,
30 0x55, 0xb9, 0xda, 0x85, 0x3f, 0x41, 0xbf, 0xe0,
31 0x5a, 0x58, 0x80, 0x5f, 0x66, 0x0b, 0xd8, 0x90,
32 0x35, 0xd5, 0xc0, 0xa7, 0x33, 0x06, 0x65, 0x69,
33 0x45, 0x00, 0x94, 0x56, 0x6d, 0x98, 0x9b, 0x76,
34 0x97, 0xfc, 0xb2, 0xc2, 0xb0, 0xfe, 0xdb, 0x20,
35 0xe1, 0xeb, 0xd6, 0xe4, 0xdd, 0x47, 0x4a, 0x1d,
36 0x42, 0xed, 0x9e, 0x6e, 0x49, 0x3c, 0xcd, 0x43,
37 0x27, 0xd2, 0x07, 0xd4, 0xde, 0xc7, 0x67, 0x18,
38 0x89, 0xcb, 0x30, 0x1f, 0x8d, 0xc6, 0x8f, 0xaa,
39 0xc8, 0x74, 0xdc, 0xc9, 0x5d, 0x5c, 0x31, 0xa4,
40 0x70, 0x88, 0x61, 0x2c, 0x9f, 0x0d, 0x2b, 0x87,
41 0x50, 0x82, 0x54, 0x64, 0x26, 0x7d, 0x03, 0x40,
42 0x34, 0x4b, 0x1c, 0x73, 0xd1, 0xc4, 0xfd, 0x3b,
43 0xcc, 0xfb, 0x7f, 0xab, 0xe6, 0x3e, 0x5b, 0xa5,
44 0xad, 0x04, 0x23, 0x9c, 0x14, 0x51, 0x22, 0xf0,
45 0x29, 0x79, 0x71, 0x7e, 0xff, 0x8c, 0x0e, 0xe2,
46 0x0c, 0xef, 0xbc, 0x72, 0x75, 0x6f, 0x37, 0xa1,
47 0xec, 0xd3, 0x8e, 0x62, 0x8b, 0x86, 0x10, 0xe8,
48 0x08, 0x77, 0x11, 0xbe, 0x92, 0x4f, 0x24, 0xc5,
49 0x32, 0x36, 0x9d, 0xcf, 0xf3, 0xa6, 0xbb, 0xac,
50 0x5e, 0x6c, 0xa9, 0x13, 0x57, 0x25, 0xb5, 0xe3,
51 0xbd, 0xa8, 0x3a, 0x01, 0x05, 0x59, 0x2a, 0x46
52};
53
54/*
55 * For each key byte generate a table to represent the function
56 * ftable [in ^ keybyte]
57 *
58 * These tables used to save an XOR in each stage of the G-function
59 * the tables are hopefully pointed to by register allocated variables
60 * k0, k1..k9
61 */
62void
63subkey_table_gen (u_int8_t *key, u_int8_t **key_tables)
64{
65 int i, k;
66
67 for (k = 0; k < 10; k++) {
68 u_int8_t key_byte = key[k];
69 u_int8_t * table = (u_int8_t *) malloc(0x100);
70 /* XXX */
71
72 key_tables[k] = table;
73 for (i = 0; i < 0x100; i++)
74 table[i] = ftable[i ^ key_byte];
75 }
76}
77
78
79#define g(k0, k1, k2, k3, ih, il, oh, ol) \
80{ \
81 oh = k##k0 [il] ^ ih; \
82 ol = k##k1 [oh] ^ il; \
83 oh = k##k2 [ol] ^ oh; \
84 ol = k##k3 [oh] ^ ol; \
85}
86
87#define g0(ih, il, oh, ol) g(0, 1, 2, 3, ih, il, oh, ol)
88#define g4(ih, il, oh, ol) g(4, 5, 6, 7, ih, il, oh, ol)
89#define g8(ih, il, oh, ol) g(8, 9, 0, 1, ih, il, oh, ol)
90#define g2(ih, il, oh, ol) g(2, 3, 4, 5, ih, il, oh, ol)
91#define g6(ih, il, oh, ol) g(6, 7, 8, 9, ih, il, oh, ol)
92
93
94#define g_inv(k0, k1, k2, k3, ih, il, oh, ol) \
95{ \
96 ol = k##k3 [ih] ^ il; \
97 oh = k##k2 [ol] ^ ih; \
98 ol = k##k1 [oh] ^ ol; \
99 oh = k##k0 [ol] ^ oh; \
100}
101
102
103#define g0_inv(ih, il, oh, ol) g_inv(0, 1, 2, 3, ih, il, oh, ol)
104#define g4_inv(ih, il, oh, ol) g_inv(4, 5, 6, 7, ih, il, oh, ol)
105#define g8_inv(ih, il, oh, ol) g_inv(8, 9, 0, 1, ih, il, oh, ol)
106#define g2_inv(ih, il, oh, ol) g_inv(2, 3, 4, 5, ih, il, oh, ol)
107#define g6_inv(ih, il, oh, ol) g_inv(6, 7, 8, 9, ih, il, oh, ol)
108
109/* optimized version of Skipjack algorithm
110 *
111 * the appropriate g-function is inlined for each round
112 *
113 * the data movement is minimized by rotating the names of the
114 * variables w1..w4, not their contents (saves 3 moves per round)
115 *
116 * the loops are completely unrolled (needed to staticize choice of g)
117 *
118 * compiles to about 470 instructions on a Sparc (gcc -O)
119 * which is about 58 instructions per byte, 14 per round.
120 * gcc seems to leave in some unnecessary and with 0xFF operations
121 * but only in the latter part of the functions. Perhaps it
122 * runs out of resources to properly optimize long inlined function?
123 * in theory should get about 11 instructions per round, not 14
124 */
125
126void
127skipjack_forwards(u_int8_t *plain, u_int8_t *cipher, u_int8_t **key_tables)
128{
129 u_int8_t wh1 = plain[0]; u_int8_t wl1 = plain[1];
130 u_int8_t wh2 = plain[2]; u_int8_t wl2 = plain[3];
131 u_int8_t wh3 = plain[4]; u_int8_t wl3 = plain[5];
132 u_int8_t wh4 = plain[6]; u_int8_t wl4 = plain[7];
133
134 u_int8_t * k0 = key_tables [0];
135 u_int8_t * k1 = key_tables [1];
136 u_int8_t * k2 = key_tables [2];
137 u_int8_t * k3 = key_tables [3];
138 u_int8_t * k4 = key_tables [4];
139 u_int8_t * k5 = key_tables [5];
140 u_int8_t * k6 = key_tables [6];
141 u_int8_t * k7 = key_tables [7];
142 u_int8_t * k8 = key_tables [8];
143 u_int8_t * k9 = key_tables [9];
144
145 /* first 8 rounds */
146 g0 (wh1,wl1, wh1,wl1); wl4 ^= wl1 ^ 1; wh4 ^= wh1;
147 g4 (wh4,wl4, wh4,wl4); wl3 ^= wl4 ^ 2; wh3 ^= wh4;
148 g8 (wh3,wl3, wh3,wl3); wl2 ^= wl3 ^ 3; wh2 ^= wh3;
149 g2 (wh2,wl2, wh2,wl2); wl1 ^= wl2 ^ 4; wh1 ^= wh2;
150 g6 (wh1,wl1, wh1,wl1); wl4 ^= wl1 ^ 5; wh4 ^= wh1;
151 g0 (wh4,wl4, wh4,wl4); wl3 ^= wl4 ^ 6; wh3 ^= wh4;
152 g4 (wh3,wl3, wh3,wl3); wl2 ^= wl3 ^ 7; wh2 ^= wh3;
153 g8 (wh2,wl2, wh2,wl2); wl1 ^= wl2 ^ 8; wh1 ^= wh2;
154
155 /* second 8 rounds */
156 wh2 ^= wh1; wl2 ^= wl1 ^ 9 ; g2 (wh1,wl1, wh1,wl1);
157 wh1 ^= wh4; wl1 ^= wl4 ^ 10; g6 (wh4,wl4, wh4,wl4);
158 wh4 ^= wh3; wl4 ^= wl3 ^ 11; g0 (wh3,wl3, wh3,wl3);
159 wh3 ^= wh2; wl3 ^= wl2 ^ 12; g4 (wh2,wl2, wh2,wl2);
160 wh2 ^= wh1; wl2 ^= wl1 ^ 13; g8 (wh1,wl1, wh1,wl1);
161 wh1 ^= wh4; wl1 ^= wl4 ^ 14; g2 (wh4,wl4, wh4,wl4);
162 wh4 ^= wh3; wl4 ^= wl3 ^ 15; g6 (wh3,wl3, wh3,wl3);
163 wh3 ^= wh2; wl3 ^= wl2 ^ 16; g0 (wh2,wl2, wh2,wl2);
164
165 /* third 8 rounds */
166 g4 (wh1,wl1, wh1,wl1); wl4 ^= wl1 ^ 17; wh4 ^= wh1;
167 g8 (wh4,wl4, wh4,wl4); wl3 ^= wl4 ^ 18; wh3 ^= wh4;
168 g2 (wh3,wl3, wh3,wl3); wl2 ^= wl3 ^ 19; wh2 ^= wh3;
169 g6 (wh2,wl2, wh2,wl2); wl1 ^= wl2 ^ 20; wh1 ^= wh2;
170 g0 (wh1,wl1, wh1,wl1); wl4 ^= wl1 ^ 21; wh4 ^= wh1;
171 g4 (wh4,wl4, wh4,wl4); wl3 ^= wl4 ^ 22; wh3 ^= wh4;
172 g8 (wh3,wl3, wh3,wl3); wl2 ^= wl3 ^ 23; wh2 ^= wh3;
173 g2 (wh2,wl2, wh2,wl2); wl1 ^= wl2 ^ 24; wh1 ^= wh2;
174
175 /* last 8 rounds */
176 wh2 ^= wh1; wl2 ^= wl1 ^ 25; g6 (wh1,wl1, wh1,wl1);
177 wh1 ^= wh4; wl1 ^= wl4 ^ 26; g0 (wh4,wl4, wh4,wl4);
178 wh4 ^= wh3; wl4 ^= wl3 ^ 27; g4 (wh3,wl3, wh3,wl3);
179 wh3 ^= wh2; wl3 ^= wl2 ^ 28; g8 (wh2,wl2, wh2,wl2);
180 wh2 ^= wh1; wl2 ^= wl1 ^ 29; g2 (wh1,wl1, wh1,wl1);
181 wh1 ^= wh4; wl1 ^= wl4 ^ 30; g6 (wh4,wl4, wh4,wl4);
182 wh4 ^= wh3; wl4 ^= wl3 ^ 31; g0 (wh3,wl3, wh3,wl3);
183 wh3 ^= wh2; wl3 ^= wl2 ^ 32; g4 (wh2,wl2, wh2,wl2);
184
185 /* pack into byte vector */
186 cipher [0] = wh1; cipher [1] = wl1;
187 cipher [2] = wh2; cipher [3] = wl2;
188 cipher [4] = wh3; cipher [5] = wl3;
189 cipher [6] = wh4; cipher [7] = wl4;
190}
191
192
193void
194skipjack_backwards (u_int8_t *cipher, u_int8_t *plain, u_int8_t **key_tables)
195{
196 /* setup 4 16-bit portions */
197 u_int8_t wh1 = cipher[0]; u_int8_t wl1 = cipher[1];
198 u_int8_t wh2 = cipher[2]; u_int8_t wl2 = cipher[3];
199 u_int8_t wh3 = cipher[4]; u_int8_t wl3 = cipher[5];
200 u_int8_t wh4 = cipher[6]; u_int8_t wl4 = cipher[7];
201
202 u_int8_t * k0 = key_tables [0];
203 u_int8_t * k1 = key_tables [1];
204 u_int8_t * k2 = key_tables [2];
205 u_int8_t * k3 = key_tables [3];
206 u_int8_t * k4 = key_tables [4];
207 u_int8_t * k5 = key_tables [5];
208 u_int8_t * k6 = key_tables [6];
209 u_int8_t * k7 = key_tables [7];
210 u_int8_t * k8 = key_tables [8];
211 u_int8_t * k9 = key_tables [9];
212
213 /* first 8 rounds */
214 g4_inv (wh2,wl2, wh2,wl2); wl3 ^= wl2 ^ 32; wh3 ^= wh2;
215 g0_inv (wh3,wl3, wh3,wl3); wl4 ^= wl3 ^ 31; wh4 ^= wh3;
216 g6_inv (wh4,wl4, wh4,wl4); wl1 ^= wl4 ^ 30; wh1 ^= wh4;
217 g2_inv (wh1,wl1, wh1,wl1); wl2 ^= wl1 ^ 29; wh2 ^= wh1;
218 g8_inv (wh2,wl2, wh2,wl2); wl3 ^= wl2 ^ 28; wh3 ^= wh2;
219 g4_inv (wh3,wl3, wh3,wl3); wl4 ^= wl3 ^ 27; wh4 ^= wh3;
220 g0_inv (wh4,wl4, wh4,wl4); wl1 ^= wl4 ^ 26; wh1 ^= wh4;
221 g6_inv (wh1,wl1, wh1,wl1); wl2 ^= wl1 ^ 25; wh2 ^= wh1;
222
223 /* second 8 rounds */
224 wh1 ^= wh2; wl1 ^= wl2 ^ 24; g2_inv (wh2,wl2, wh2,wl2);
225 wh2 ^= wh3; wl2 ^= wl3 ^ 23; g8_inv (wh3,wl3, wh3,wl3);
226 wh3 ^= wh4; wl3 ^= wl4 ^ 22; g4_inv (wh4,wl4, wh4,wl4);
227 wh4 ^= wh1; wl4 ^= wl1 ^ 21; g0_inv (wh1,wl1, wh1,wl1);
228 wh1 ^= wh2; wl1 ^= wl2 ^ 20; g6_inv (wh2,wl2, wh2,wl2);
229 wh2 ^= wh3; wl2 ^= wl3 ^ 19; g2_inv (wh3,wl3, wh3,wl3);
230 wh3 ^= wh4; wl3 ^= wl4 ^ 18; g8_inv (wh4,wl4, wh4,wl4);
231 wh4 ^= wh1; wl4 ^= wl1 ^ 17; g4_inv (wh1,wl1, wh1,wl1);
232
233 /* third 8 rounds */
234 g0_inv (wh2,wl2, wh2,wl2); wl3 ^= wl2 ^ 16; wh3 ^= wh2;
235 g6_inv (wh3,wl3, wh3,wl3); wl4 ^= wl3 ^ 15; wh4 ^= wh3;
236 g2_inv (wh4,wl4, wh4,wl4); wl1 ^= wl4 ^ 14; wh1 ^= wh4;
237 g8_inv (wh1,wl1, wh1,wl1); wl2 ^= wl1 ^ 13; wh2 ^= wh1;
238 g4_inv (wh2,wl2, wh2,wl2); wl3 ^= wl2 ^ 12; wh3 ^= wh2;
239 g0_inv (wh3,wl3, wh3,wl3); wl4 ^= wl3 ^ 11; wh4 ^= wh3;
240 g6_inv (wh4,wl4, wh4,wl4); wl1 ^= wl4 ^ 10; wh1 ^= wh4;
241 g2_inv (wh1,wl1, wh1,wl1); wl2 ^= wl1 ^ 9; wh2 ^= wh1;
242
243 /* last 8 rounds */
244 wh1 ^= wh2; wl1 ^= wl2 ^ 8; g8_inv (wh2,wl2, wh2,wl2);
245 wh2 ^= wh3; wl2 ^= wl3 ^ 7; g4_inv (wh3,wl3, wh3,wl3);
246 wh3 ^= wh4; wl3 ^= wl4 ^ 6; g0_inv (wh4,wl4, wh4,wl4);
247 wh4 ^= wh1; wl4 ^= wl1 ^ 5; g6_inv (wh1,wl1, wh1,wl1);
248 wh1 ^= wh2; wl1 ^= wl2 ^ 4; g2_inv (wh2,wl2, wh2,wl2);
249 wh2 ^= wh3; wl2 ^= wl3 ^ 3; g8_inv (wh3,wl3, wh3,wl3);
250 wh3 ^= wh4; wl3 ^= wl4 ^ 2; g4_inv (wh4,wl4, wh4,wl4);
251 wh4 ^= wh1; wl4 ^= wl1 ^ 1; g0_inv (wh1,wl1, wh1,wl1);
252
253 /* pack into byte vector */
254 plain [0] = wh1; plain [1] = wl1;
255 plain [2] = wh2; plain [3] = wl2;
256 plain [4] = wh3; plain [5] = wl3;
257 plain [6] = wh4; plain [7] = wl4;
258}
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-27 14:05:53 +0000