xref: /freebsd/secure/lib/libcrypt/crypt-des.c (revision 22cf89c938886d14f5796fc49f9f020c23ea8eaf)
1 /*
2  * FreeSec: libcrypt for NetBSD
3  *
4  * Copyright (c) 1994 David Burren
5  * All rights reserved.
6  *
7  * Adapted for FreeBSD-2.0 by Geoffrey M. Rehmet
8  *	this file should now *only* export crypt(), in order to make
9  *	binaries of libcrypt exportable from the USA
10  *
11  * Adapted for FreeBSD-4.0 by Mark R V Murray
12  *	this file should now *only* export crypt_des(), in order to make
13  *	a module that can be optionally included in libcrypt.
14  *
15  * Redistribution and use in source and binary forms, with or without
16  * modification, are permitted provided that the following conditions
17  * are met:
18  * 1. Redistributions of source code must retain the above copyright
19  *    notice, this list of conditions and the following disclaimer.
20  * 2. Redistributions in binary form must reproduce the above copyright
21  *    notice, this list of conditions and the following disclaimer in the
22  *    documentation and/or other materials provided with the distribution.
23  * 3. Neither the name of the author nor the names of other contributors
24  *    may be used to endorse or promote products derived from this software
25  *    without specific prior written permission.
26  *
27  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
28  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
29  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
30  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
31  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
32  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
33  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
34  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
35  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
36  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
37  * SUCH DAMAGE.
38  *
39  * This is an original implementation of the DES and the crypt(3) interfaces
40  * by David Burren <davidb@werj.com.au>.
41  *
42  * An excellent reference on the underlying algorithm (and related
43  * algorithms) is:
44  *
45  *	B. Schneier, Applied Cryptography: protocols, algorithms,
46  *	and source code in C, John Wiley & Sons, 1994.
47  *
48  * Note that in that book's description of DES the lookups for the initial,
49  * pbox, and final permutations are inverted (this has been brought to the
50  * attention of the author).  A list of errata for this book has been
51  * posted to the sci.crypt newsgroup by the author and is available for FTP.
52  *
53  * ARCHITECTURE ASSUMPTIONS:
54  *	It is assumed that the 8-byte arrays passed by reference can be
55  *	addressed as arrays of u_int32_t's (ie. the CPU is not picky about
56  *	alignment).
57  */
58 
59 #include <sys/cdefs.h>
60 #include <sys/types.h>
61 #include <sys/param.h>
62 #include <arpa/inet.h>
63 #include <pwd.h>
64 #include <string.h>
65 #include "crypt.h"
66 
67 /* We can't always assume gcc */
68 #if	defined(__GNUC__) && !defined(lint)
69 #define INLINE inline
70 #else
71 #define INLINE
72 #endif
73 
74 
75 static const u_char	IP[64] = {
76 	58, 50, 42, 34, 26, 18, 10,  2, 60, 52, 44, 36, 28, 20, 12,  4,
77 	62, 54, 46, 38, 30, 22, 14,  6, 64, 56, 48, 40, 32, 24, 16,  8,
78 	57, 49, 41, 33, 25, 17,  9,  1, 59, 51, 43, 35, 27, 19, 11,  3,
79 	61, 53, 45, 37, 29, 21, 13,  5, 63, 55, 47, 39, 31, 23, 15,  7
80 };
81 
82 static __thread u_char	inv_key_perm[64];
83 static const u_char	key_perm[56] = {
84 	57, 49, 41, 33, 25, 17,  9,  1, 58, 50, 42, 34, 26, 18,
85 	10,  2, 59, 51, 43, 35, 27, 19, 11,  3, 60, 52, 44, 36,
86 	63, 55, 47, 39, 31, 23, 15,  7, 62, 54, 46, 38, 30, 22,
87 	14,  6, 61, 53, 45, 37, 29, 21, 13,  5, 28, 20, 12,  4
88 };
89 
90 static const u_char	key_shifts[16] = {
91 	1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1
92 };
93 
94 static __thread u_char	inv_comp_perm[56];
95 static const u_char	comp_perm[48] = {
96 	14, 17, 11, 24,  1,  5,  3, 28, 15,  6, 21, 10,
97 	23, 19, 12,  4, 26,  8, 16,  7, 27, 20, 13,  2,
98 	41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48,
99 	44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32
100 };
101 
102 /*
103  *	No E box is used, as it's replaced by some ANDs, shifts, and ORs.
104  */
105 
106 static __thread u_char	u_sbox[8][64];
107 static const u_char	sbox[8][64] = {
108 	{
109 		14,  4, 13,  1,  2, 15, 11,  8,  3, 10,  6, 12,  5,  9,  0,  7,
110 		 0, 15,  7,  4, 14,  2, 13,  1, 10,  6, 12, 11,  9,  5,  3,  8,
111 		 4,  1, 14,  8, 13,  6,  2, 11, 15, 12,  9,  7,  3, 10,  5,  0,
112 		15, 12,  8,  2,  4,  9,  1,  7,  5, 11,  3, 14, 10,  0,  6, 13
113 	},
114 	{
115 		15,  1,  8, 14,  6, 11,  3,  4,  9,  7,  2, 13, 12,  0,  5, 10,
116 		 3, 13,  4,  7, 15,  2,  8, 14, 12,  0,  1, 10,  6,  9, 11,  5,
117 		 0, 14,  7, 11, 10,  4, 13,  1,  5,  8, 12,  6,  9,  3,  2, 15,
118 		13,  8, 10,  1,  3, 15,  4,  2, 11,  6,  7, 12,  0,  5, 14,  9
119 	},
120 	{
121 		10,  0,  9, 14,  6,  3, 15,  5,  1, 13, 12,  7, 11,  4,  2,  8,
122 		13,  7,  0,  9,  3,  4,  6, 10,  2,  8,  5, 14, 12, 11, 15,  1,
123 		13,  6,  4,  9,  8, 15,  3,  0, 11,  1,  2, 12,  5, 10, 14,  7,
124 		 1, 10, 13,  0,  6,  9,  8,  7,  4, 15, 14,  3, 11,  5,  2, 12
125 	},
126 	{
127 		 7, 13, 14,  3,  0,  6,  9, 10,  1,  2,  8,  5, 11, 12,  4, 15,
128 		13,  8, 11,  5,  6, 15,  0,  3,  4,  7,  2, 12,  1, 10, 14,  9,
129 		10,  6,  9,  0, 12, 11,  7, 13, 15,  1,  3, 14,  5,  2,  8,  4,
130 		 3, 15,  0,  6, 10,  1, 13,  8,  9,  4,  5, 11, 12,  7,  2, 14
131 	},
132 	{
133 		 2, 12,  4,  1,  7, 10, 11,  6,  8,  5,  3, 15, 13,  0, 14,  9,
134 		14, 11,  2, 12,  4,  7, 13,  1,  5,  0, 15, 10,  3,  9,  8,  6,
135 		 4,  2,  1, 11, 10, 13,  7,  8, 15,  9, 12,  5,  6,  3,  0, 14,
136 		11,  8, 12,  7,  1, 14,  2, 13,  6, 15,  0,  9, 10,  4,  5,  3
137 	},
138 	{
139 		12,  1, 10, 15,  9,  2,  6,  8,  0, 13,  3,  4, 14,  7,  5, 11,
140 		10, 15,  4,  2,  7, 12,  9,  5,  6,  1, 13, 14,  0, 11,  3,  8,
141 		 9, 14, 15,  5,  2,  8, 12,  3,  7,  0,  4, 10,  1, 13, 11,  6,
142 		 4,  3,  2, 12,  9,  5, 15, 10, 11, 14,  1,  7,  6,  0,  8, 13
143 	},
144 	{
145 		 4, 11,  2, 14, 15,  0,  8, 13,  3, 12,  9,  7,  5, 10,  6,  1,
146 		13,  0, 11,  7,  4,  9,  1, 10, 14,  3,  5, 12,  2, 15,  8,  6,
147 		 1,  4, 11, 13, 12,  3,  7, 14, 10, 15,  6,  8,  0,  5,  9,  2,
148 		 6, 11, 13,  8,  1,  4, 10,  7,  9,  5,  0, 15, 14,  2,  3, 12
149 	},
150 	{
151 		13,  2,  8,  4,  6, 15, 11,  1, 10,  9,  3, 14,  5,  0, 12,  7,
152 		 1, 15, 13,  8, 10,  3,  7,  4, 12,  5,  6, 11,  0, 14,  9,  2,
153 		 7, 11,  4,  1,  9, 12, 14,  2,  0,  6, 10, 13, 15,  3,  5,  8,
154 		 2,  1, 14,  7,  4, 10,  8, 13, 15, 12,  9,  0,  3,  5,  6, 11
155 	}
156 };
157 
158 static __thread u_char	un_pbox[32];
159 static const u_char	pbox[32] = {
160 	16,  7, 20, 21, 29, 12, 28, 17,  1, 15, 23, 26,  5, 18, 31, 10,
161 	 2,  8, 24, 14, 32, 27,  3,  9, 19, 13, 30,  6, 22, 11,  4, 25
162 };
163 
164 static const u_int32_t	bits32[32] =
165 {
166 	0x80000000, 0x40000000, 0x20000000, 0x10000000,
167 	0x08000000, 0x04000000, 0x02000000, 0x01000000,
168 	0x00800000, 0x00400000, 0x00200000, 0x00100000,
169 	0x00080000, 0x00040000, 0x00020000, 0x00010000,
170 	0x00008000, 0x00004000, 0x00002000, 0x00001000,
171 	0x00000800, 0x00000400, 0x00000200, 0x00000100,
172 	0x00000080, 0x00000040, 0x00000020, 0x00000010,
173 	0x00000008, 0x00000004, 0x00000002, 0x00000001
174 };
175 
176 static const u_char	bits8[8] = { 0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02, 0x01 };
177 
178 static __thread u_int32_t	saltbits;
179 static __thread u_int32_t	old_salt;
180 static __thread const u_int32_t	*bits28, *bits24;
181 static __thread u_char		init_perm[64], final_perm[64];
182 static __thread u_int32_t	en_keysl[16], en_keysr[16];
183 static __thread u_int32_t	de_keysl[16], de_keysr[16];
184 static __thread int		des_initialised = 0;
185 static __thread u_char		m_sbox[4][4096];
186 static __thread u_int32_t	psbox[4][256];
187 static __thread u_int32_t	ip_maskl[8][256], ip_maskr[8][256];
188 static __thread u_int32_t	fp_maskl[8][256], fp_maskr[8][256];
189 static __thread u_int32_t	key_perm_maskl[8][128], key_perm_maskr[8][128];
190 static __thread u_int32_t	comp_maskl[8][128], comp_maskr[8][128];
191 static __thread u_int32_t	old_rawkey0, old_rawkey1;
192 
193 static const u_char	ascii64[] =
194 	 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
195 /*	  0000000000111111111122222222223333333333444444444455555555556666 */
196 /*	  0123456789012345678901234567890123456789012345678901234567890123 */
197 
198 static INLINE int
199 ascii_to_bin(char ch)
200 {
201 	if (ch > 'z')
202 		return(0);
203 	if (ch >= 'a')
204 		return(ch - 'a' + 38);
205 	if (ch > 'Z')
206 		return(0);
207 	if (ch >= 'A')
208 		return(ch - 'A' + 12);
209 	if (ch > '9')
210 		return(0);
211 	if (ch >= '.')
212 		return(ch - '.');
213 	return(0);
214 }
215 
216 static void
217 des_init(void)
218 {
219 	int	i, j, b, k, inbit, obit;
220 	u_int32_t	*p, *il, *ir, *fl, *fr;
221 
222 	old_rawkey0 = old_rawkey1 = 0L;
223 	saltbits = 0L;
224 	old_salt = 0L;
225 	bits24 = (bits28 = bits32 + 4) + 4;
226 
227 	/*
228 	 * Invert the S-boxes, reordering the input bits.
229 	 */
230 	for (i = 0; i < 8; i++)
231 		for (j = 0; j < 64; j++) {
232 			b = (j & 0x20) | ((j & 1) << 4) | ((j >> 1) & 0xf);
233 			u_sbox[i][j] = sbox[i][b];
234 		}
235 
236 	/*
237 	 * Convert the inverted S-boxes into 4 arrays of 8 bits.
238 	 * Each will handle 12 bits of the S-box input.
239 	 */
240 	for (b = 0; b < 4; b++)
241 		for (i = 0; i < 64; i++)
242 			for (j = 0; j < 64; j++)
243 				m_sbox[b][(i << 6) | j] =
244 					(u_char)((u_sbox[(b << 1)][i] << 4) |
245 					u_sbox[(b << 1) + 1][j]);
246 
247 	/*
248 	 * Set up the initial & final permutations into a useful form, and
249 	 * initialise the inverted key permutation.
250 	 */
251 	for (i = 0; i < 64; i++) {
252 		init_perm[final_perm[i] = IP[i] - 1] = (u_char)i;
253 		inv_key_perm[i] = 255;
254 	}
255 
256 	/*
257 	 * Invert the key permutation and initialise the inverted key
258 	 * compression permutation.
259 	 */
260 	for (i = 0; i < 56; i++) {
261 		inv_key_perm[key_perm[i] - 1] = (u_char)i;
262 		inv_comp_perm[i] = 255;
263 	}
264 
265 	/*
266 	 * Invert the key compression permutation.
267 	 */
268 	for (i = 0; i < 48; i++) {
269 		inv_comp_perm[comp_perm[i] - 1] = (u_char)i;
270 	}
271 
272 	/*
273 	 * Set up the OR-mask arrays for the initial and final permutations,
274 	 * and for the key initial and compression permutations.
275 	 */
276 	for (k = 0; k < 8; k++) {
277 		for (i = 0; i < 256; i++) {
278 			*(il = &ip_maskl[k][i]) = 0L;
279 			*(ir = &ip_maskr[k][i]) = 0L;
280 			*(fl = &fp_maskl[k][i]) = 0L;
281 			*(fr = &fp_maskr[k][i]) = 0L;
282 			for (j = 0; j < 8; j++) {
283 				inbit = 8 * k + j;
284 				if (i & bits8[j]) {
285 					if ((obit = init_perm[inbit]) < 32)
286 						*il |= bits32[obit];
287 					else
288 						*ir |= bits32[obit-32];
289 					if ((obit = final_perm[inbit]) < 32)
290 						*fl |= bits32[obit];
291 					else
292 						*fr |= bits32[obit - 32];
293 				}
294 			}
295 		}
296 		for (i = 0; i < 128; i++) {
297 			*(il = &key_perm_maskl[k][i]) = 0L;
298 			*(ir = &key_perm_maskr[k][i]) = 0L;
299 			for (j = 0; j < 7; j++) {
300 				inbit = 8 * k + j;
301 				if (i & bits8[j + 1]) {
302 					if ((obit = inv_key_perm[inbit]) == 255)
303 						continue;
304 					if (obit < 28)
305 						*il |= bits28[obit];
306 					else
307 						*ir |= bits28[obit - 28];
308 				}
309 			}
310 			*(il = &comp_maskl[k][i]) = 0L;
311 			*(ir = &comp_maskr[k][i]) = 0L;
312 			for (j = 0; j < 7; j++) {
313 				inbit = 7 * k + j;
314 				if (i & bits8[j + 1]) {
315 					if ((obit=inv_comp_perm[inbit]) == 255)
316 						continue;
317 					if (obit < 24)
318 						*il |= bits24[obit];
319 					else
320 						*ir |= bits24[obit - 24];
321 				}
322 			}
323 		}
324 	}
325 
326 	/*
327 	 * Invert the P-box permutation, and convert into OR-masks for
328 	 * handling the output of the S-box arrays setup above.
329 	 */
330 	for (i = 0; i < 32; i++)
331 		un_pbox[pbox[i] - 1] = (u_char)i;
332 
333 	for (b = 0; b < 4; b++)
334 		for (i = 0; i < 256; i++) {
335 			*(p = &psbox[b][i]) = 0L;
336 			for (j = 0; j < 8; j++) {
337 				if (i & bits8[j])
338 					*p |= bits32[un_pbox[8 * b + j]];
339 			}
340 		}
341 
342 	des_initialised = 1;
343 }
344 
345 static void
346 setup_salt(u_int32_t salt)
347 {
348 	u_int32_t	obit, saltbit;
349 	int		i;
350 
351 	if (salt == old_salt)
352 		return;
353 	old_salt = salt;
354 
355 	saltbits = 0L;
356 	saltbit = 1;
357 	obit = 0x800000;
358 	for (i = 0; i < 24; i++) {
359 		if (salt & saltbit)
360 			saltbits |= obit;
361 		saltbit <<= 1;
362 		obit >>= 1;
363 	}
364 }
365 
366 static int
367 des_setkey(const char *key)
368 {
369 	u_int32_t	k0, k1, rawkey0, rawkey1;
370 	int		shifts, round;
371 
372 	if (!des_initialised)
373 		des_init();
374 
375 	rawkey0 = ntohl(*(const u_int32_t *) key);
376 	rawkey1 = ntohl(*(const u_int32_t *) (key + 4));
377 
378 	if ((rawkey0 | rawkey1)
379 	    && rawkey0 == old_rawkey0
380 	    && rawkey1 == old_rawkey1) {
381 		/*
382 		 * Already setup for this key.
383 		 * This optimisation fails on a zero key (which is weak and
384 		 * has bad parity anyway) in order to simplify the starting
385 		 * conditions.
386 		 */
387 		return(0);
388 	}
389 	old_rawkey0 = rawkey0;
390 	old_rawkey1 = rawkey1;
391 
392 	/*
393 	 *	Do key permutation and split into two 28-bit subkeys.
394 	 */
395 	k0 = key_perm_maskl[0][rawkey0 >> 25]
396 	   | key_perm_maskl[1][(rawkey0 >> 17) & 0x7f]
397 	   | key_perm_maskl[2][(rawkey0 >> 9) & 0x7f]
398 	   | key_perm_maskl[3][(rawkey0 >> 1) & 0x7f]
399 	   | key_perm_maskl[4][rawkey1 >> 25]
400 	   | key_perm_maskl[5][(rawkey1 >> 17) & 0x7f]
401 	   | key_perm_maskl[6][(rawkey1 >> 9) & 0x7f]
402 	   | key_perm_maskl[7][(rawkey1 >> 1) & 0x7f];
403 	k1 = key_perm_maskr[0][rawkey0 >> 25]
404 	   | key_perm_maskr[1][(rawkey0 >> 17) & 0x7f]
405 	   | key_perm_maskr[2][(rawkey0 >> 9) & 0x7f]
406 	   | key_perm_maskr[3][(rawkey0 >> 1) & 0x7f]
407 	   | key_perm_maskr[4][rawkey1 >> 25]
408 	   | key_perm_maskr[5][(rawkey1 >> 17) & 0x7f]
409 	   | key_perm_maskr[6][(rawkey1 >> 9) & 0x7f]
410 	   | key_perm_maskr[7][(rawkey1 >> 1) & 0x7f];
411 	/*
412 	 *	Rotate subkeys and do compression permutation.
413 	 */
414 	shifts = 0;
415 	for (round = 0; round < 16; round++) {
416 		u_int32_t	t0, t1;
417 
418 		shifts += key_shifts[round];
419 
420 		t0 = (k0 << shifts) | (k0 >> (28 - shifts));
421 		t1 = (k1 << shifts) | (k1 >> (28 - shifts));
422 
423 		de_keysl[15 - round] =
424 		en_keysl[round] = comp_maskl[0][(t0 >> 21) & 0x7f]
425 				| comp_maskl[1][(t0 >> 14) & 0x7f]
426 				| comp_maskl[2][(t0 >> 7) & 0x7f]
427 				| comp_maskl[3][t0 & 0x7f]
428 				| comp_maskl[4][(t1 >> 21) & 0x7f]
429 				| comp_maskl[5][(t1 >> 14) & 0x7f]
430 				| comp_maskl[6][(t1 >> 7) & 0x7f]
431 				| comp_maskl[7][t1 & 0x7f];
432 
433 		de_keysr[15 - round] =
434 		en_keysr[round] = comp_maskr[0][(t0 >> 21) & 0x7f]
435 				| comp_maskr[1][(t0 >> 14) & 0x7f]
436 				| comp_maskr[2][(t0 >> 7) & 0x7f]
437 				| comp_maskr[3][t0 & 0x7f]
438 				| comp_maskr[4][(t1 >> 21) & 0x7f]
439 				| comp_maskr[5][(t1 >> 14) & 0x7f]
440 				| comp_maskr[6][(t1 >> 7) & 0x7f]
441 				| comp_maskr[7][t1 & 0x7f];
442 	}
443 	return(0);
444 }
445 
446 static int
447 do_des(	u_int32_t l_in, u_int32_t r_in, u_int32_t *l_out, u_int32_t *r_out, int count)
448 {
449 	/*
450 	 *	l_in, r_in, l_out, and r_out are in pseudo-"big-endian" format.
451 	 */
452 	u_int32_t	l, r, *kl, *kr, *kl1, *kr1;
453 	u_int32_t	f, r48l, r48r;
454 	int		round;
455 
456 	if (count == 0) {
457 		return(1);
458 	} else if (count > 0) {
459 		/*
460 		 * Encrypting
461 		 */
462 		kl1 = en_keysl;
463 		kr1 = en_keysr;
464 	} else {
465 		/*
466 		 * Decrypting
467 		 */
468 		count = -count;
469 		kl1 = de_keysl;
470 		kr1 = de_keysr;
471 	}
472 
473 	/*
474 	 *	Do initial permutation (IP).
475 	 */
476 	l = ip_maskl[0][l_in >> 24]
477 	  | ip_maskl[1][(l_in >> 16) & 0xff]
478 	  | ip_maskl[2][(l_in >> 8) & 0xff]
479 	  | ip_maskl[3][l_in & 0xff]
480 	  | ip_maskl[4][r_in >> 24]
481 	  | ip_maskl[5][(r_in >> 16) & 0xff]
482 	  | ip_maskl[6][(r_in >> 8) & 0xff]
483 	  | ip_maskl[7][r_in & 0xff];
484 	r = ip_maskr[0][l_in >> 24]
485 	  | ip_maskr[1][(l_in >> 16) & 0xff]
486 	  | ip_maskr[2][(l_in >> 8) & 0xff]
487 	  | ip_maskr[3][l_in & 0xff]
488 	  | ip_maskr[4][r_in >> 24]
489 	  | ip_maskr[5][(r_in >> 16) & 0xff]
490 	  | ip_maskr[6][(r_in >> 8) & 0xff]
491 	  | ip_maskr[7][r_in & 0xff];
492 
493 	while (count--) {
494 		/*
495 		 * Do each round.
496 		 */
497 		kl = kl1;
498 		kr = kr1;
499 		round = 16;
500 		while (round--) {
501 			/*
502 			 * Expand R to 48 bits (simulate the E-box).
503 			 */
504 			r48l	= ((r & 0x00000001) << 23)
505 				| ((r & 0xf8000000) >> 9)
506 				| ((r & 0x1f800000) >> 11)
507 				| ((r & 0x01f80000) >> 13)
508 				| ((r & 0x001f8000) >> 15);
509 
510 			r48r	= ((r & 0x0001f800) << 7)
511 				| ((r & 0x00001f80) << 5)
512 				| ((r & 0x000001f8) << 3)
513 				| ((r & 0x0000001f) << 1)
514 				| ((r & 0x80000000) >> 31);
515 			/*
516 			 * Do salting for crypt() and friends, and
517 			 * XOR with the permuted key.
518 			 */
519 			f = (r48l ^ r48r) & saltbits;
520 			r48l ^= f ^ *kl++;
521 			r48r ^= f ^ *kr++;
522 			/*
523 			 * Do sbox lookups (which shrink it back to 32 bits)
524 			 * and do the pbox permutation at the same time.
525 			 */
526 			f = psbox[0][m_sbox[0][r48l >> 12]]
527 			  | psbox[1][m_sbox[1][r48l & 0xfff]]
528 			  | psbox[2][m_sbox[2][r48r >> 12]]
529 			  | psbox[3][m_sbox[3][r48r & 0xfff]];
530 			/*
531 			 * Now that we've permuted things, complete f().
532 			 */
533 			f ^= l;
534 			l = r;
535 			r = f;
536 		}
537 		r = l;
538 		l = f;
539 	}
540 	/*
541 	 * Do final permutation (inverse of IP).
542 	 */
543 	*l_out	= fp_maskl[0][l >> 24]
544 		| fp_maskl[1][(l >> 16) & 0xff]
545 		| fp_maskl[2][(l >> 8) & 0xff]
546 		| fp_maskl[3][l & 0xff]
547 		| fp_maskl[4][r >> 24]
548 		| fp_maskl[5][(r >> 16) & 0xff]
549 		| fp_maskl[6][(r >> 8) & 0xff]
550 		| fp_maskl[7][r & 0xff];
551 	*r_out	= fp_maskr[0][l >> 24]
552 		| fp_maskr[1][(l >> 16) & 0xff]
553 		| fp_maskr[2][(l >> 8) & 0xff]
554 		| fp_maskr[3][l & 0xff]
555 		| fp_maskr[4][r >> 24]
556 		| fp_maskr[5][(r >> 16) & 0xff]
557 		| fp_maskr[6][(r >> 8) & 0xff]
558 		| fp_maskr[7][r & 0xff];
559 	return(0);
560 }
561 
562 static int
563 des_cipher(const char *in, char *out, u_long salt, int count)
564 {
565 	u_int32_t	l_out, r_out, rawl, rawr;
566 	int		retval;
567 	union {
568 		u_int32_t	*ui32;
569 		const char	*c;
570 	} trans;
571 
572 	if (!des_initialised)
573 		des_init();
574 
575 	setup_salt(salt);
576 
577 	trans.c = in;
578 	rawl = ntohl(*trans.ui32++);
579 	rawr = ntohl(*trans.ui32);
580 
581 	retval = do_des(rawl, rawr, &l_out, &r_out, count);
582 
583 	trans.c = out;
584 	*trans.ui32++ = htonl(l_out);
585 	*trans.ui32 = htonl(r_out);
586 	return(retval);
587 }
588 
589 int
590 crypt_des(const char *key, const char *setting, char *buffer)
591 {
592 	int		i;
593 	u_int32_t	count, salt, l, r0, r1, keybuf[2];
594 	u_char		*q;
595 
596 	if (!des_initialised)
597 		des_init();
598 
599 	/*
600 	 * Copy the key, shifting each character up by one bit
601 	 * and padding with zeros.
602 	 */
603 	q = (u_char *)keybuf;
604 	while (q - (u_char *)keybuf - 8) {
605 		*q++ = *key << 1;
606 		if (*key != '\0')
607 			key++;
608 	}
609 	if (des_setkey((char *)keybuf))
610 		return (-1);
611 
612 	if (*setting == _PASSWORD_EFMT1) {
613 		/*
614 		 * "new"-style:
615 		 *	setting - underscore, 4 bytes of count, 4 bytes of salt
616 		 *	key - unlimited characters
617 		 */
618 		for (i = 1, count = 0L; i < 5; i++)
619 			count |= ascii_to_bin(setting[i]) << ((i - 1) * 6);
620 
621 		for (i = 5, salt = 0L; i < 9; i++)
622 			salt |= ascii_to_bin(setting[i]) << ((i - 5) * 6);
623 
624 		while (*key) {
625 			/*
626 			 * Encrypt the key with itself.
627 			 */
628 			if (des_cipher((char *)keybuf, (char *)keybuf, 0L, 1))
629 				return (-1);
630 			/*
631 			 * And XOR with the next 8 characters of the key.
632 			 */
633 			q = (u_char *)keybuf;
634 			while (q - (u_char *)keybuf - 8 && *key)
635 				*q++ ^= *key++ << 1;
636 
637 			if (des_setkey((char *)keybuf))
638 				return (-1);
639 		}
640 		buffer = stpncpy(buffer, setting, 9);
641 	} else {
642 		/*
643 		 * "old"-style:
644 		 *	setting - 2 bytes of salt
645 		 *	key - up to 8 characters
646 		 */
647 		count = 25;
648 
649 		salt = (ascii_to_bin(setting[1]) << 6)
650 		     |  ascii_to_bin(setting[0]);
651 
652 		*buffer++ = setting[0];
653 		/*
654 		 * If the encrypted password that the salt was extracted from
655 		 * is only 1 character long, the salt will be corrupted.  We
656 		 * need to ensure that the output string doesn't have an extra
657 		 * NUL in it!
658 		 */
659 		*buffer++ = setting[1] ? setting[1] : setting[0];
660 	}
661 	setup_salt(salt);
662 	/*
663 	 * Do it.
664 	 */
665 	if (do_des(0L, 0L, &r0, &r1, (int)count))
666 		return (-1);
667 	/*
668 	 * Now encode the result...
669 	 */
670 	l = (r0 >> 8);
671 	*buffer++ = ascii64[(l >> 18) & 0x3f];
672 	*buffer++ = ascii64[(l >> 12) & 0x3f];
673 	*buffer++ = ascii64[(l >> 6) & 0x3f];
674 	*buffer++ = ascii64[l & 0x3f];
675 
676 	l = (r0 << 16) | ((r1 >> 16) & 0xffff);
677 	*buffer++ = ascii64[(l >> 18) & 0x3f];
678 	*buffer++ = ascii64[(l >> 12) & 0x3f];
679 	*buffer++ = ascii64[(l >> 6) & 0x3f];
680 	*buffer++ = ascii64[l & 0x3f];
681 
682 	l = r1 << 2;
683 	*buffer++ = ascii64[(l >> 12) & 0x3f];
684 	*buffer++ = ascii64[(l >> 6) & 0x3f];
685 	*buffer++ = ascii64[l & 0x3f];
686 	*buffer = '\0';
687 
688 	return (0);
689 }
690