xref: /freebsd/secure/lib/libcrypt/crypt-des.c (revision 0fca6ea1d4eea4c934cfff25ac9ee8ad6fe95583)
1 /*
2  * FreeSec: libcrypt for NetBSD
3  *
4  * Copyright (c) 1994 David Burren
5  * All rights reserved.
6  *
7  * Adapted for FreeBSD-2.0 by Geoffrey M. Rehmet
8  *	this file should now *only* export crypt(), in order to make
9  *	binaries of libcrypt exportable from the USA
10  *
11  * Adapted for FreeBSD-4.0 by Mark R V Murray
12  *	this file should now *only* export crypt_des(), in order to make
13  *	a module that can be optionally included in libcrypt.
14  *
15  * Redistribution and use in source and binary forms, with or without
16  * modification, are permitted provided that the following conditions
17  * are met:
18  * 1. Redistributions of source code must retain the above copyright
19  *    notice, this list of conditions and the following disclaimer.
20  * 2. Redistributions in binary form must reproduce the above copyright
21  *    notice, this list of conditions and the following disclaimer in the
22  *    documentation and/or other materials provided with the distribution.
23  * 3. Neither the name of the author nor the names of other contributors
24  *    may be used to endorse or promote products derived from this software
25  *    without specific prior written permission.
26  *
27  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
28  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
29  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
30  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
31  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
32  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
33  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
34  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
35  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
36  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
37  * SUCH DAMAGE.
38  *
39  * This is an original implementation of the DES and the crypt(3) interfaces
40  * by David Burren <davidb@werj.com.au>.
41  *
42  * An excellent reference on the underlying algorithm (and related
43  * algorithms) is:
44  *
45  *	B. Schneier, Applied Cryptography: protocols, algorithms,
46  *	and source code in C, John Wiley & Sons, 1994.
47  *
48  * Note that in that book's description of DES the lookups for the initial,
49  * pbox, and final permutations are inverted (this has been brought to the
50  * attention of the author).  A list of errata for this book has been
51  * posted to the sci.crypt newsgroup by the author and is available for FTP.
52  *
53  * ARCHITECTURE ASSUMPTIONS:
54  *	It is assumed that the 8-byte arrays passed by reference can be
55  *	addressed as arrays of u_int32_t's (ie. the CPU is not picky about
56  *	alignment).
57  */
58 
59 #include <sys/types.h>
60 #include <sys/param.h>
61 #include <arpa/inet.h>
62 #include <pwd.h>
63 #include <string.h>
64 #include "crypt.h"
65 
66 /* We can't always assume gcc */
67 #if	defined(__GNUC__) && !defined(lint)
68 #define INLINE inline
69 #else
70 #define INLINE
71 #endif
72 
73 
74 static const u_char	IP[64] = {
75 	58, 50, 42, 34, 26, 18, 10,  2, 60, 52, 44, 36, 28, 20, 12,  4,
76 	62, 54, 46, 38, 30, 22, 14,  6, 64, 56, 48, 40, 32, 24, 16,  8,
77 	57, 49, 41, 33, 25, 17,  9,  1, 59, 51, 43, 35, 27, 19, 11,  3,
78 	61, 53, 45, 37, 29, 21, 13,  5, 63, 55, 47, 39, 31, 23, 15,  7
79 };
80 
81 static __thread u_char	inv_key_perm[64];
82 static const u_char	key_perm[56] = {
83 	57, 49, 41, 33, 25, 17,  9,  1, 58, 50, 42, 34, 26, 18,
84 	10,  2, 59, 51, 43, 35, 27, 19, 11,  3, 60, 52, 44, 36,
85 	63, 55, 47, 39, 31, 23, 15,  7, 62, 54, 46, 38, 30, 22,
86 	14,  6, 61, 53, 45, 37, 29, 21, 13,  5, 28, 20, 12,  4
87 };
88 
89 static const u_char	key_shifts[16] = {
90 	1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1
91 };
92 
93 static __thread u_char	inv_comp_perm[56];
94 static const u_char	comp_perm[48] = {
95 	14, 17, 11, 24,  1,  5,  3, 28, 15,  6, 21, 10,
96 	23, 19, 12,  4, 26,  8, 16,  7, 27, 20, 13,  2,
97 	41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48,
98 	44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32
99 };
100 
101 /*
102  *	No E box is used, as it's replaced by some ANDs, shifts, and ORs.
103  */
104 
105 static __thread u_char	u_sbox[8][64];
106 static const u_char	sbox[8][64] = {
107 	{
108 		14,  4, 13,  1,  2, 15, 11,  8,  3, 10,  6, 12,  5,  9,  0,  7,
109 		 0, 15,  7,  4, 14,  2, 13,  1, 10,  6, 12, 11,  9,  5,  3,  8,
110 		 4,  1, 14,  8, 13,  6,  2, 11, 15, 12,  9,  7,  3, 10,  5,  0,
111 		15, 12,  8,  2,  4,  9,  1,  7,  5, 11,  3, 14, 10,  0,  6, 13
112 	},
113 	{
114 		15,  1,  8, 14,  6, 11,  3,  4,  9,  7,  2, 13, 12,  0,  5, 10,
115 		 3, 13,  4,  7, 15,  2,  8, 14, 12,  0,  1, 10,  6,  9, 11,  5,
116 		 0, 14,  7, 11, 10,  4, 13,  1,  5,  8, 12,  6,  9,  3,  2, 15,
117 		13,  8, 10,  1,  3, 15,  4,  2, 11,  6,  7, 12,  0,  5, 14,  9
118 	},
119 	{
120 		10,  0,  9, 14,  6,  3, 15,  5,  1, 13, 12,  7, 11,  4,  2,  8,
121 		13,  7,  0,  9,  3,  4,  6, 10,  2,  8,  5, 14, 12, 11, 15,  1,
122 		13,  6,  4,  9,  8, 15,  3,  0, 11,  1,  2, 12,  5, 10, 14,  7,
123 		 1, 10, 13,  0,  6,  9,  8,  7,  4, 15, 14,  3, 11,  5,  2, 12
124 	},
125 	{
126 		 7, 13, 14,  3,  0,  6,  9, 10,  1,  2,  8,  5, 11, 12,  4, 15,
127 		13,  8, 11,  5,  6, 15,  0,  3,  4,  7,  2, 12,  1, 10, 14,  9,
128 		10,  6,  9,  0, 12, 11,  7, 13, 15,  1,  3, 14,  5,  2,  8,  4,
129 		 3, 15,  0,  6, 10,  1, 13,  8,  9,  4,  5, 11, 12,  7,  2, 14
130 	},
131 	{
132 		 2, 12,  4,  1,  7, 10, 11,  6,  8,  5,  3, 15, 13,  0, 14,  9,
133 		14, 11,  2, 12,  4,  7, 13,  1,  5,  0, 15, 10,  3,  9,  8,  6,
134 		 4,  2,  1, 11, 10, 13,  7,  8, 15,  9, 12,  5,  6,  3,  0, 14,
135 		11,  8, 12,  7,  1, 14,  2, 13,  6, 15,  0,  9, 10,  4,  5,  3
136 	},
137 	{
138 		12,  1, 10, 15,  9,  2,  6,  8,  0, 13,  3,  4, 14,  7,  5, 11,
139 		10, 15,  4,  2,  7, 12,  9,  5,  6,  1, 13, 14,  0, 11,  3,  8,
140 		 9, 14, 15,  5,  2,  8, 12,  3,  7,  0,  4, 10,  1, 13, 11,  6,
141 		 4,  3,  2, 12,  9,  5, 15, 10, 11, 14,  1,  7,  6,  0,  8, 13
142 	},
143 	{
144 		 4, 11,  2, 14, 15,  0,  8, 13,  3, 12,  9,  7,  5, 10,  6,  1,
145 		13,  0, 11,  7,  4,  9,  1, 10, 14,  3,  5, 12,  2, 15,  8,  6,
146 		 1,  4, 11, 13, 12,  3,  7, 14, 10, 15,  6,  8,  0,  5,  9,  2,
147 		 6, 11, 13,  8,  1,  4, 10,  7,  9,  5,  0, 15, 14,  2,  3, 12
148 	},
149 	{
150 		13,  2,  8,  4,  6, 15, 11,  1, 10,  9,  3, 14,  5,  0, 12,  7,
151 		 1, 15, 13,  8, 10,  3,  7,  4, 12,  5,  6, 11,  0, 14,  9,  2,
152 		 7, 11,  4,  1,  9, 12, 14,  2,  0,  6, 10, 13, 15,  3,  5,  8,
153 		 2,  1, 14,  7,  4, 10,  8, 13, 15, 12,  9,  0,  3,  5,  6, 11
154 	}
155 };
156 
157 static __thread u_char	un_pbox[32];
158 static const u_char	pbox[32] = {
159 	16,  7, 20, 21, 29, 12, 28, 17,  1, 15, 23, 26,  5, 18, 31, 10,
160 	 2,  8, 24, 14, 32, 27,  3,  9, 19, 13, 30,  6, 22, 11,  4, 25
161 };
162 
163 static const u_int32_t	bits32[32] =
164 {
165 	0x80000000, 0x40000000, 0x20000000, 0x10000000,
166 	0x08000000, 0x04000000, 0x02000000, 0x01000000,
167 	0x00800000, 0x00400000, 0x00200000, 0x00100000,
168 	0x00080000, 0x00040000, 0x00020000, 0x00010000,
169 	0x00008000, 0x00004000, 0x00002000, 0x00001000,
170 	0x00000800, 0x00000400, 0x00000200, 0x00000100,
171 	0x00000080, 0x00000040, 0x00000020, 0x00000010,
172 	0x00000008, 0x00000004, 0x00000002, 0x00000001
173 };
174 
175 static const u_char	bits8[8] = { 0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02, 0x01 };
176 
177 static __thread u_int32_t	saltbits;
178 static __thread u_int32_t	old_salt;
179 static __thread const u_int32_t	*bits28, *bits24;
180 static __thread u_char		init_perm[64], final_perm[64];
181 static __thread u_int32_t	en_keysl[16], en_keysr[16];
182 static __thread u_int32_t	de_keysl[16], de_keysr[16];
183 static __thread int		des_initialised = 0;
184 static __thread u_char		m_sbox[4][4096];
185 static __thread u_int32_t	psbox[4][256];
186 static __thread u_int32_t	ip_maskl[8][256], ip_maskr[8][256];
187 static __thread u_int32_t	fp_maskl[8][256], fp_maskr[8][256];
188 static __thread u_int32_t	key_perm_maskl[8][128], key_perm_maskr[8][128];
189 static __thread u_int32_t	comp_maskl[8][128], comp_maskr[8][128];
190 static __thread u_int32_t	old_rawkey0, old_rawkey1;
191 
192 static const u_char	ascii64[] =
193 	 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
194 /*	  0000000000111111111122222222223333333333444444444455555555556666 */
195 /*	  0123456789012345678901234567890123456789012345678901234567890123 */
196 
197 static INLINE int
198 ascii_to_bin(char ch)
199 {
200 	if (ch > 'z')
201 		return(0);
202 	if (ch >= 'a')
203 		return(ch - 'a' + 38);
204 	if (ch > 'Z')
205 		return(0);
206 	if (ch >= 'A')
207 		return(ch - 'A' + 12);
208 	if (ch > '9')
209 		return(0);
210 	if (ch >= '.')
211 		return(ch - '.');
212 	return(0);
213 }
214 
215 static void
216 des_init(void)
217 {
218 	int	i, j, b, k, inbit, obit;
219 	u_int32_t	*p, *il, *ir, *fl, *fr;
220 
221 	old_rawkey0 = old_rawkey1 = 0L;
222 	saltbits = 0L;
223 	old_salt = 0L;
224 	bits24 = (bits28 = bits32 + 4) + 4;
225 
226 	/*
227 	 * Invert the S-boxes, reordering the input bits.
228 	 */
229 	for (i = 0; i < 8; i++)
230 		for (j = 0; j < 64; j++) {
231 			b = (j & 0x20) | ((j & 1) << 4) | ((j >> 1) & 0xf);
232 			u_sbox[i][j] = sbox[i][b];
233 		}
234 
235 	/*
236 	 * Convert the inverted S-boxes into 4 arrays of 8 bits.
237 	 * Each will handle 12 bits of the S-box input.
238 	 */
239 	for (b = 0; b < 4; b++)
240 		for (i = 0; i < 64; i++)
241 			for (j = 0; j < 64; j++)
242 				m_sbox[b][(i << 6) | j] =
243 					(u_char)((u_sbox[(b << 1)][i] << 4) |
244 					u_sbox[(b << 1) + 1][j]);
245 
246 	/*
247 	 * Set up the initial & final permutations into a useful form, and
248 	 * initialise the inverted key permutation.
249 	 */
250 	for (i = 0; i < 64; i++) {
251 		init_perm[final_perm[i] = IP[i] - 1] = (u_char)i;
252 		inv_key_perm[i] = 255;
253 	}
254 
255 	/*
256 	 * Invert the key permutation and initialise the inverted key
257 	 * compression permutation.
258 	 */
259 	for (i = 0; i < 56; i++) {
260 		inv_key_perm[key_perm[i] - 1] = (u_char)i;
261 		inv_comp_perm[i] = 255;
262 	}
263 
264 	/*
265 	 * Invert the key compression permutation.
266 	 */
267 	for (i = 0; i < 48; i++) {
268 		inv_comp_perm[comp_perm[i] - 1] = (u_char)i;
269 	}
270 
271 	/*
272 	 * Set up the OR-mask arrays for the initial and final permutations,
273 	 * and for the key initial and compression permutations.
274 	 */
275 	for (k = 0; k < 8; k++) {
276 		for (i = 0; i < 256; i++) {
277 			*(il = &ip_maskl[k][i]) = 0L;
278 			*(ir = &ip_maskr[k][i]) = 0L;
279 			*(fl = &fp_maskl[k][i]) = 0L;
280 			*(fr = &fp_maskr[k][i]) = 0L;
281 			for (j = 0; j < 8; j++) {
282 				inbit = 8 * k + j;
283 				if (i & bits8[j]) {
284 					if ((obit = init_perm[inbit]) < 32)
285 						*il |= bits32[obit];
286 					else
287 						*ir |= bits32[obit-32];
288 					if ((obit = final_perm[inbit]) < 32)
289 						*fl |= bits32[obit];
290 					else
291 						*fr |= bits32[obit - 32];
292 				}
293 			}
294 		}
295 		for (i = 0; i < 128; i++) {
296 			*(il = &key_perm_maskl[k][i]) = 0L;
297 			*(ir = &key_perm_maskr[k][i]) = 0L;
298 			for (j = 0; j < 7; j++) {
299 				inbit = 8 * k + j;
300 				if (i & bits8[j + 1]) {
301 					if ((obit = inv_key_perm[inbit]) == 255)
302 						continue;
303 					if (obit < 28)
304 						*il |= bits28[obit];
305 					else
306 						*ir |= bits28[obit - 28];
307 				}
308 			}
309 			*(il = &comp_maskl[k][i]) = 0L;
310 			*(ir = &comp_maskr[k][i]) = 0L;
311 			for (j = 0; j < 7; j++) {
312 				inbit = 7 * k + j;
313 				if (i & bits8[j + 1]) {
314 					if ((obit=inv_comp_perm[inbit]) == 255)
315 						continue;
316 					if (obit < 24)
317 						*il |= bits24[obit];
318 					else
319 						*ir |= bits24[obit - 24];
320 				}
321 			}
322 		}
323 	}
324 
325 	/*
326 	 * Invert the P-box permutation, and convert into OR-masks for
327 	 * handling the output of the S-box arrays setup above.
328 	 */
329 	for (i = 0; i < 32; i++)
330 		un_pbox[pbox[i] - 1] = (u_char)i;
331 
332 	for (b = 0; b < 4; b++)
333 		for (i = 0; i < 256; i++) {
334 			*(p = &psbox[b][i]) = 0L;
335 			for (j = 0; j < 8; j++) {
336 				if (i & bits8[j])
337 					*p |= bits32[un_pbox[8 * b + j]];
338 			}
339 		}
340 
341 	des_initialised = 1;
342 }
343 
344 static void
345 setup_salt(u_int32_t salt)
346 {
347 	u_int32_t	obit, saltbit;
348 	int		i;
349 
350 	if (salt == old_salt)
351 		return;
352 	old_salt = salt;
353 
354 	saltbits = 0L;
355 	saltbit = 1;
356 	obit = 0x800000;
357 	for (i = 0; i < 24; i++) {
358 		if (salt & saltbit)
359 			saltbits |= obit;
360 		saltbit <<= 1;
361 		obit >>= 1;
362 	}
363 }
364 
365 static int
366 des_setkey(const char *key)
367 {
368 	u_int32_t	k0, k1, rawkey0, rawkey1;
369 	int		shifts, round;
370 
371 	if (!des_initialised)
372 		des_init();
373 
374 	rawkey0 = ntohl(*(const u_int32_t *) key);
375 	rawkey1 = ntohl(*(const u_int32_t *) (key + 4));
376 
377 	if ((rawkey0 | rawkey1)
378 	    && rawkey0 == old_rawkey0
379 	    && rawkey1 == old_rawkey1) {
380 		/*
381 		 * Already setup for this key.
382 		 * This optimisation fails on a zero key (which is weak and
383 		 * has bad parity anyway) in order to simplify the starting
384 		 * conditions.
385 		 */
386 		return(0);
387 	}
388 	old_rawkey0 = rawkey0;
389 	old_rawkey1 = rawkey1;
390 
391 	/*
392 	 *	Do key permutation and split into two 28-bit subkeys.
393 	 */
394 	k0 = key_perm_maskl[0][rawkey0 >> 25]
395 	   | key_perm_maskl[1][(rawkey0 >> 17) & 0x7f]
396 	   | key_perm_maskl[2][(rawkey0 >> 9) & 0x7f]
397 	   | key_perm_maskl[3][(rawkey0 >> 1) & 0x7f]
398 	   | key_perm_maskl[4][rawkey1 >> 25]
399 	   | key_perm_maskl[5][(rawkey1 >> 17) & 0x7f]
400 	   | key_perm_maskl[6][(rawkey1 >> 9) & 0x7f]
401 	   | key_perm_maskl[7][(rawkey1 >> 1) & 0x7f];
402 	k1 = key_perm_maskr[0][rawkey0 >> 25]
403 	   | key_perm_maskr[1][(rawkey0 >> 17) & 0x7f]
404 	   | key_perm_maskr[2][(rawkey0 >> 9) & 0x7f]
405 	   | key_perm_maskr[3][(rawkey0 >> 1) & 0x7f]
406 	   | key_perm_maskr[4][rawkey1 >> 25]
407 	   | key_perm_maskr[5][(rawkey1 >> 17) & 0x7f]
408 	   | key_perm_maskr[6][(rawkey1 >> 9) & 0x7f]
409 	   | key_perm_maskr[7][(rawkey1 >> 1) & 0x7f];
410 	/*
411 	 *	Rotate subkeys and do compression permutation.
412 	 */
413 	shifts = 0;
414 	for (round = 0; round < 16; round++) {
415 		u_int32_t	t0, t1;
416 
417 		shifts += key_shifts[round];
418 
419 		t0 = (k0 << shifts) | (k0 >> (28 - shifts));
420 		t1 = (k1 << shifts) | (k1 >> (28 - shifts));
421 
422 		de_keysl[15 - round] =
423 		en_keysl[round] = comp_maskl[0][(t0 >> 21) & 0x7f]
424 				| comp_maskl[1][(t0 >> 14) & 0x7f]
425 				| comp_maskl[2][(t0 >> 7) & 0x7f]
426 				| comp_maskl[3][t0 & 0x7f]
427 				| comp_maskl[4][(t1 >> 21) & 0x7f]
428 				| comp_maskl[5][(t1 >> 14) & 0x7f]
429 				| comp_maskl[6][(t1 >> 7) & 0x7f]
430 				| comp_maskl[7][t1 & 0x7f];
431 
432 		de_keysr[15 - round] =
433 		en_keysr[round] = comp_maskr[0][(t0 >> 21) & 0x7f]
434 				| comp_maskr[1][(t0 >> 14) & 0x7f]
435 				| comp_maskr[2][(t0 >> 7) & 0x7f]
436 				| comp_maskr[3][t0 & 0x7f]
437 				| comp_maskr[4][(t1 >> 21) & 0x7f]
438 				| comp_maskr[5][(t1 >> 14) & 0x7f]
439 				| comp_maskr[6][(t1 >> 7) & 0x7f]
440 				| comp_maskr[7][t1 & 0x7f];
441 	}
442 	return(0);
443 }
444 
445 static int
446 do_des(	u_int32_t l_in, u_int32_t r_in, u_int32_t *l_out, u_int32_t *r_out, int count)
447 {
448 	/*
449 	 *	l_in, r_in, l_out, and r_out are in pseudo-"big-endian" format.
450 	 */
451 	u_int32_t	l, r, *kl, *kr, *kl1, *kr1;
452 	u_int32_t	f, r48l, r48r;
453 	int		round;
454 
455 	if (count == 0) {
456 		return(1);
457 	} else if (count > 0) {
458 		/*
459 		 * Encrypting
460 		 */
461 		kl1 = en_keysl;
462 		kr1 = en_keysr;
463 	} else {
464 		/*
465 		 * Decrypting
466 		 */
467 		count = -count;
468 		kl1 = de_keysl;
469 		kr1 = de_keysr;
470 	}
471 
472 	/*
473 	 *	Do initial permutation (IP).
474 	 */
475 	l = ip_maskl[0][l_in >> 24]
476 	  | ip_maskl[1][(l_in >> 16) & 0xff]
477 	  | ip_maskl[2][(l_in >> 8) & 0xff]
478 	  | ip_maskl[3][l_in & 0xff]
479 	  | ip_maskl[4][r_in >> 24]
480 	  | ip_maskl[5][(r_in >> 16) & 0xff]
481 	  | ip_maskl[6][(r_in >> 8) & 0xff]
482 	  | ip_maskl[7][r_in & 0xff];
483 	r = ip_maskr[0][l_in >> 24]
484 	  | ip_maskr[1][(l_in >> 16) & 0xff]
485 	  | ip_maskr[2][(l_in >> 8) & 0xff]
486 	  | ip_maskr[3][l_in & 0xff]
487 	  | ip_maskr[4][r_in >> 24]
488 	  | ip_maskr[5][(r_in >> 16) & 0xff]
489 	  | ip_maskr[6][(r_in >> 8) & 0xff]
490 	  | ip_maskr[7][r_in & 0xff];
491 
492 	while (count--) {
493 		/*
494 		 * Do each round.
495 		 */
496 		kl = kl1;
497 		kr = kr1;
498 		round = 16;
499 		while (round--) {
500 			/*
501 			 * Expand R to 48 bits (simulate the E-box).
502 			 */
503 			r48l	= ((r & 0x00000001) << 23)
504 				| ((r & 0xf8000000) >> 9)
505 				| ((r & 0x1f800000) >> 11)
506 				| ((r & 0x01f80000) >> 13)
507 				| ((r & 0x001f8000) >> 15);
508 
509 			r48r	= ((r & 0x0001f800) << 7)
510 				| ((r & 0x00001f80) << 5)
511 				| ((r & 0x000001f8) << 3)
512 				| ((r & 0x0000001f) << 1)
513 				| ((r & 0x80000000) >> 31);
514 			/*
515 			 * Do salting for crypt() and friends, and
516 			 * XOR with the permuted key.
517 			 */
518 			f = (r48l ^ r48r) & saltbits;
519 			r48l ^= f ^ *kl++;
520 			r48r ^= f ^ *kr++;
521 			/*
522 			 * Do sbox lookups (which shrink it back to 32 bits)
523 			 * and do the pbox permutation at the same time.
524 			 */
525 			f = psbox[0][m_sbox[0][r48l >> 12]]
526 			  | psbox[1][m_sbox[1][r48l & 0xfff]]
527 			  | psbox[2][m_sbox[2][r48r >> 12]]
528 			  | psbox[3][m_sbox[3][r48r & 0xfff]];
529 			/*
530 			 * Now that we've permuted things, complete f().
531 			 */
532 			f ^= l;
533 			l = r;
534 			r = f;
535 		}
536 		r = l;
537 		l = f;
538 	}
539 	/*
540 	 * Do final permutation (inverse of IP).
541 	 */
542 	*l_out	= fp_maskl[0][l >> 24]
543 		| fp_maskl[1][(l >> 16) & 0xff]
544 		| fp_maskl[2][(l >> 8) & 0xff]
545 		| fp_maskl[3][l & 0xff]
546 		| fp_maskl[4][r >> 24]
547 		| fp_maskl[5][(r >> 16) & 0xff]
548 		| fp_maskl[6][(r >> 8) & 0xff]
549 		| fp_maskl[7][r & 0xff];
550 	*r_out	= fp_maskr[0][l >> 24]
551 		| fp_maskr[1][(l >> 16) & 0xff]
552 		| fp_maskr[2][(l >> 8) & 0xff]
553 		| fp_maskr[3][l & 0xff]
554 		| fp_maskr[4][r >> 24]
555 		| fp_maskr[5][(r >> 16) & 0xff]
556 		| fp_maskr[6][(r >> 8) & 0xff]
557 		| fp_maskr[7][r & 0xff];
558 	return(0);
559 }
560 
561 static int
562 des_cipher(const char *in, char *out, u_long salt, int count)
563 {
564 	u_int32_t	l_out, r_out, rawl, rawr;
565 	int		retval;
566 	union {
567 		u_int32_t	*ui32;
568 		const char	*c;
569 	} trans;
570 
571 	if (!des_initialised)
572 		des_init();
573 
574 	setup_salt(salt);
575 
576 	trans.c = in;
577 	rawl = ntohl(*trans.ui32++);
578 	rawr = ntohl(*trans.ui32);
579 
580 	retval = do_des(rawl, rawr, &l_out, &r_out, count);
581 
582 	trans.c = out;
583 	*trans.ui32++ = htonl(l_out);
584 	*trans.ui32 = htonl(r_out);
585 	return(retval);
586 }
587 
588 int
589 crypt_des(const char *key, const char *setting, char *buffer)
590 {
591 	int		i;
592 	u_int32_t	count, salt, l, r0, r1, keybuf[2];
593 	u_char		*q;
594 
595 	if (!des_initialised)
596 		des_init();
597 
598 	/*
599 	 * Copy the key, shifting each character up by one bit
600 	 * and padding with zeros.
601 	 */
602 	q = (u_char *)keybuf;
603 	while (q - (u_char *)keybuf - 8) {
604 		*q++ = *key << 1;
605 		if (*key != '\0')
606 			key++;
607 	}
608 	if (des_setkey((char *)keybuf))
609 		return (-1);
610 
611 	if (*setting == _PASSWORD_EFMT1) {
612 		/*
613 		 * "new"-style:
614 		 *	setting - underscore, 4 bytes of count, 4 bytes of salt
615 		 *	key - unlimited characters
616 		 */
617 		for (i = 1, count = 0L; i < 5; i++)
618 			count |= ascii_to_bin(setting[i]) << ((i - 1) * 6);
619 
620 		for (i = 5, salt = 0L; i < 9; i++)
621 			salt |= ascii_to_bin(setting[i]) << ((i - 5) * 6);
622 
623 		while (*key) {
624 			/*
625 			 * Encrypt the key with itself.
626 			 */
627 			if (des_cipher((char *)keybuf, (char *)keybuf, 0L, 1))
628 				return (-1);
629 			/*
630 			 * And XOR with the next 8 characters of the key.
631 			 */
632 			q = (u_char *)keybuf;
633 			while (q - (u_char *)keybuf - 8 && *key)
634 				*q++ ^= *key++ << 1;
635 
636 			if (des_setkey((char *)keybuf))
637 				return (-1);
638 		}
639 		buffer = stpncpy(buffer, setting, 9);
640 	} else {
641 		/*
642 		 * "old"-style:
643 		 *	setting - 2 bytes of salt
644 		 *	key - up to 8 characters
645 		 */
646 		count = 25;
647 
648 		salt = (ascii_to_bin(setting[1]) << 6)
649 		     |  ascii_to_bin(setting[0]);
650 
651 		*buffer++ = setting[0];
652 		/*
653 		 * If the encrypted password that the salt was extracted from
654 		 * is only 1 character long, the salt will be corrupted.  We
655 		 * need to ensure that the output string doesn't have an extra
656 		 * NUL in it!
657 		 */
658 		*buffer++ = setting[1] ? setting[1] : setting[0];
659 	}
660 	setup_salt(salt);
661 	/*
662 	 * Do it.
663 	 */
664 	if (do_des(0L, 0L, &r0, &r1, (int)count))
665 		return (-1);
666 	/*
667 	 * Now encode the result...
668 	 */
669 	l = (r0 >> 8);
670 	*buffer++ = ascii64[(l >> 18) & 0x3f];
671 	*buffer++ = ascii64[(l >> 12) & 0x3f];
672 	*buffer++ = ascii64[(l >> 6) & 0x3f];
673 	*buffer++ = ascii64[l & 0x3f];
674 
675 	l = (r0 << 16) | ((r1 >> 16) & 0xffff);
676 	*buffer++ = ascii64[(l >> 18) & 0x3f];
677 	*buffer++ = ascii64[(l >> 12) & 0x3f];
678 	*buffer++ = ascii64[(l >> 6) & 0x3f];
679 	*buffer++ = ascii64[l & 0x3f];
680 
681 	l = r1 << 2;
682 	*buffer++ = ascii64[(l >> 12) & 0x3f];
683 	*buffer++ = ascii64[(l >> 6) & 0x3f];
684 	*buffer++ = ascii64[l & 0x3f];
685 	*buffer = '\0';
686 
687 	return (0);
688 }
689