xref: /freebsd/secure/lib/libcrypt/crypt-des.c (revision 884a2a699669ec61e2366e3e358342dbc94be24a)
1 /*
2  * FreeSec: libcrypt for NetBSD
3  *
4  * Copyright (c) 1994 David Burren
5  * All rights reserved.
6  *
7  * Adapted for FreeBSD-2.0 by Geoffrey M. Rehmet
8  *	this file should now *only* export crypt(), in order to make
9  *	binaries of libcrypt exportable from the USA
10  *
11  * Adapted for FreeBSD-4.0 by Mark R V Murray
12  *	this file should now *only* export crypt_des(), in order to make
13  *	a module that can be optionally included in libcrypt.
14  *
15  * Redistribution and use in source and binary forms, with or without
16  * modification, are permitted provided that the following conditions
17  * are met:
18  * 1. Redistributions of source code must retain the above copyright
19  *    notice, this list of conditions and the following disclaimer.
20  * 2. Redistributions in binary form must reproduce the above copyright
21  *    notice, this list of conditions and the following disclaimer in the
22  *    documentation and/or other materials provided with the distribution.
23  * 3. Neither the name of the author nor the names of other contributors
24  *    may be used to endorse or promote products derived from this software
25  *    without specific prior written permission.
26  *
27  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
28  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
29  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
30  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
31  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
32  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
33  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
34  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
35  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
36  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
37  * SUCH DAMAGE.
38  *
39  * This is an original implementation of the DES and the crypt(3) interfaces
40  * by David Burren <davidb@werj.com.au>.
41  *
42  * An excellent reference on the underlying algorithm (and related
43  * algorithms) is:
44  *
45  *	B. Schneier, Applied Cryptography: protocols, algorithms,
46  *	and source code in C, John Wiley & Sons, 1994.
47  *
48  * Note that in that book's description of DES the lookups for the initial,
49  * pbox, and final permutations are inverted (this has been brought to the
50  * attention of the author).  A list of errata for this book has been
51  * posted to the sci.crypt newsgroup by the author and is available for FTP.
52  *
53  * ARCHITECTURE ASSUMPTIONS:
54  *	It is assumed that the 8-byte arrays passed by reference can be
55  *	addressed as arrays of u_int32_t's (ie. the CPU is not picky about
56  *	alignment).
57  */
58 
59 #include <sys/cdefs.h>
60 __FBSDID("$FreeBSD$");
61 
62 #include <sys/types.h>
63 #include <sys/param.h>
64 #include <arpa/inet.h>
65 #include <pwd.h>
66 #include <string.h>
67 #include "crypt.h"
68 
69 /* We can't always assume gcc */
70 #if	defined(__GNUC__) && !defined(lint)
71 #define INLINE inline
72 #else
73 #define INLINE
74 #endif
75 
76 
77 static u_char	IP[64] = {
78 	58, 50, 42, 34, 26, 18, 10,  2, 60, 52, 44, 36, 28, 20, 12,  4,
79 	62, 54, 46, 38, 30, 22, 14,  6, 64, 56, 48, 40, 32, 24, 16,  8,
80 	57, 49, 41, 33, 25, 17,  9,  1, 59, 51, 43, 35, 27, 19, 11,  3,
81 	61, 53, 45, 37, 29, 21, 13,  5, 63, 55, 47, 39, 31, 23, 15,  7
82 };
83 
84 static u_char	inv_key_perm[64];
85 static u_char	key_perm[56] = {
86 	57, 49, 41, 33, 25, 17,  9,  1, 58, 50, 42, 34, 26, 18,
87 	10,  2, 59, 51, 43, 35, 27, 19, 11,  3, 60, 52, 44, 36,
88 	63, 55, 47, 39, 31, 23, 15,  7, 62, 54, 46, 38, 30, 22,
89 	14,  6, 61, 53, 45, 37, 29, 21, 13,  5, 28, 20, 12,  4
90 };
91 
92 static u_char	key_shifts[16] = {
93 	1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1
94 };
95 
96 static u_char	inv_comp_perm[56];
97 static u_char	comp_perm[48] = {
98 	14, 17, 11, 24,  1,  5,  3, 28, 15,  6, 21, 10,
99 	23, 19, 12,  4, 26,  8, 16,  7, 27, 20, 13,  2,
100 	41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48,
101 	44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32
102 };
103 
104 /*
105  *	No E box is used, as it's replaced by some ANDs, shifts, and ORs.
106  */
107 
108 static u_char	u_sbox[8][64];
109 static u_char	sbox[8][64] = {
110 	{
111 		14,  4, 13,  1,  2, 15, 11,  8,  3, 10,  6, 12,  5,  9,  0,  7,
112 		 0, 15,  7,  4, 14,  2, 13,  1, 10,  6, 12, 11,  9,  5,  3,  8,
113 		 4,  1, 14,  8, 13,  6,  2, 11, 15, 12,  9,  7,  3, 10,  5,  0,
114 		15, 12,  8,  2,  4,  9,  1,  7,  5, 11,  3, 14, 10,  0,  6, 13
115 	},
116 	{
117 		15,  1,  8, 14,  6, 11,  3,  4,  9,  7,  2, 13, 12,  0,  5, 10,
118 		 3, 13,  4,  7, 15,  2,  8, 14, 12,  0,  1, 10,  6,  9, 11,  5,
119 		 0, 14,  7, 11, 10,  4, 13,  1,  5,  8, 12,  6,  9,  3,  2, 15,
120 		13,  8, 10,  1,  3, 15,  4,  2, 11,  6,  7, 12,  0,  5, 14,  9
121 	},
122 	{
123 		10,  0,  9, 14,  6,  3, 15,  5,  1, 13, 12,  7, 11,  4,  2,  8,
124 		13,  7,  0,  9,  3,  4,  6, 10,  2,  8,  5, 14, 12, 11, 15,  1,
125 		13,  6,  4,  9,  8, 15,  3,  0, 11,  1,  2, 12,  5, 10, 14,  7,
126 		 1, 10, 13,  0,  6,  9,  8,  7,  4, 15, 14,  3, 11,  5,  2, 12
127 	},
128 	{
129 		 7, 13, 14,  3,  0,  6,  9, 10,  1,  2,  8,  5, 11, 12,  4, 15,
130 		13,  8, 11,  5,  6, 15,  0,  3,  4,  7,  2, 12,  1, 10, 14,  9,
131 		10,  6,  9,  0, 12, 11,  7, 13, 15,  1,  3, 14,  5,  2,  8,  4,
132 		 3, 15,  0,  6, 10,  1, 13,  8,  9,  4,  5, 11, 12,  7,  2, 14
133 	},
134 	{
135 		 2, 12,  4,  1,  7, 10, 11,  6,  8,  5,  3, 15, 13,  0, 14,  9,
136 		14, 11,  2, 12,  4,  7, 13,  1,  5,  0, 15, 10,  3,  9,  8,  6,
137 		 4,  2,  1, 11, 10, 13,  7,  8, 15,  9, 12,  5,  6,  3,  0, 14,
138 		11,  8, 12,  7,  1, 14,  2, 13,  6, 15,  0,  9, 10,  4,  5,  3
139 	},
140 	{
141 		12,  1, 10, 15,  9,  2,  6,  8,  0, 13,  3,  4, 14,  7,  5, 11,
142 		10, 15,  4,  2,  7, 12,  9,  5,  6,  1, 13, 14,  0, 11,  3,  8,
143 		 9, 14, 15,  5,  2,  8, 12,  3,  7,  0,  4, 10,  1, 13, 11,  6,
144 		 4,  3,  2, 12,  9,  5, 15, 10, 11, 14,  1,  7,  6,  0,  8, 13
145 	},
146 	{
147 		 4, 11,  2, 14, 15,  0,  8, 13,  3, 12,  9,  7,  5, 10,  6,  1,
148 		13,  0, 11,  7,  4,  9,  1, 10, 14,  3,  5, 12,  2, 15,  8,  6,
149 		 1,  4, 11, 13, 12,  3,  7, 14, 10, 15,  6,  8,  0,  5,  9,  2,
150 		 6, 11, 13,  8,  1,  4, 10,  7,  9,  5,  0, 15, 14,  2,  3, 12
151 	},
152 	{
153 		13,  2,  8,  4,  6, 15, 11,  1, 10,  9,  3, 14,  5,  0, 12,  7,
154 		 1, 15, 13,  8, 10,  3,  7,  4, 12,  5,  6, 11,  0, 14,  9,  2,
155 		 7, 11,  4,  1,  9, 12, 14,  2,  0,  6, 10, 13, 15,  3,  5,  8,
156 		 2,  1, 14,  7,  4, 10,  8, 13, 15, 12,  9,  0,  3,  5,  6, 11
157 	}
158 };
159 
160 static u_char	un_pbox[32];
161 static u_char	pbox[32] = {
162 	16,  7, 20, 21, 29, 12, 28, 17,  1, 15, 23, 26,  5, 18, 31, 10,
163 	 2,  8, 24, 14, 32, 27,  3,  9, 19, 13, 30,  6, 22, 11,  4, 25
164 };
165 
166 static u_int32_t	bits32[32] =
167 {
168 	0x80000000, 0x40000000, 0x20000000, 0x10000000,
169 	0x08000000, 0x04000000, 0x02000000, 0x01000000,
170 	0x00800000, 0x00400000, 0x00200000, 0x00100000,
171 	0x00080000, 0x00040000, 0x00020000, 0x00010000,
172 	0x00008000, 0x00004000, 0x00002000, 0x00001000,
173 	0x00000800, 0x00000400, 0x00000200, 0x00000100,
174 	0x00000080, 0x00000040, 0x00000020, 0x00000010,
175 	0x00000008, 0x00000004, 0x00000002, 0x00000001
176 };
177 
178 static u_char	bits8[8] = { 0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02, 0x01 };
179 
180 static u_int32_t	saltbits;
181 static u_int32_t	old_salt;
182 static u_int32_t	*bits28, *bits24;
183 static u_char		init_perm[64], final_perm[64];
184 static u_int32_t	en_keysl[16], en_keysr[16];
185 static u_int32_t	de_keysl[16], de_keysr[16];
186 static int		des_initialised = 0;
187 static u_char		m_sbox[4][4096];
188 static u_int32_t	psbox[4][256];
189 static u_int32_t	ip_maskl[8][256], ip_maskr[8][256];
190 static u_int32_t	fp_maskl[8][256], fp_maskr[8][256];
191 static u_int32_t	key_perm_maskl[8][128], key_perm_maskr[8][128];
192 static u_int32_t	comp_maskl[8][128], comp_maskr[8][128];
193 static u_int32_t	old_rawkey0, old_rawkey1;
194 
195 static u_char	ascii64[] =
196 	 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
197 /*	  0000000000111111111122222222223333333333444444444455555555556666 */
198 /*	  0123456789012345678901234567890123456789012345678901234567890123 */
199 
200 static INLINE int
201 ascii_to_bin(char ch)
202 {
203 	if (ch > 'z')
204 		return(0);
205 	if (ch >= 'a')
206 		return(ch - 'a' + 38);
207 	if (ch > 'Z')
208 		return(0);
209 	if (ch >= 'A')
210 		return(ch - 'A' + 12);
211 	if (ch > '9')
212 		return(0);
213 	if (ch >= '.')
214 		return(ch - '.');
215 	return(0);
216 }
217 
218 static void
219 des_init(void)
220 {
221 	int	i, j, b, k, inbit, obit;
222 	u_int32_t	*p, *il, *ir, *fl, *fr;
223 
224 	old_rawkey0 = old_rawkey1 = 0L;
225 	saltbits = 0L;
226 	old_salt = 0L;
227 	bits24 = (bits28 = bits32 + 4) + 4;
228 
229 	/*
230 	 * Invert the S-boxes, reordering the input bits.
231 	 */
232 	for (i = 0; i < 8; i++)
233 		for (j = 0; j < 64; j++) {
234 			b = (j & 0x20) | ((j & 1) << 4) | ((j >> 1) & 0xf);
235 			u_sbox[i][j] = sbox[i][b];
236 		}
237 
238 	/*
239 	 * Convert the inverted S-boxes into 4 arrays of 8 bits.
240 	 * Each will handle 12 bits of the S-box input.
241 	 */
242 	for (b = 0; b < 4; b++)
243 		for (i = 0; i < 64; i++)
244 			for (j = 0; j < 64; j++)
245 				m_sbox[b][(i << 6) | j] =
246 					(u_char)((u_sbox[(b << 1)][i] << 4) |
247 					u_sbox[(b << 1) + 1][j]);
248 
249 	/*
250 	 * Set up the initial & final permutations into a useful form, and
251 	 * initialise the inverted key permutation.
252 	 */
253 	for (i = 0; i < 64; i++) {
254 		init_perm[final_perm[i] = IP[i] - 1] = (u_char)i;
255 		inv_key_perm[i] = 255;
256 	}
257 
258 	/*
259 	 * Invert the key permutation and initialise the inverted key
260 	 * compression permutation.
261 	 */
262 	for (i = 0; i < 56; i++) {
263 		inv_key_perm[key_perm[i] - 1] = (u_char)i;
264 		inv_comp_perm[i] = 255;
265 	}
266 
267 	/*
268 	 * Invert the key compression permutation.
269 	 */
270 	for (i = 0; i < 48; i++) {
271 		inv_comp_perm[comp_perm[i] - 1] = (u_char)i;
272 	}
273 
274 	/*
275 	 * Set up the OR-mask arrays for the initial and final permutations,
276 	 * and for the key initial and compression permutations.
277 	 */
278 	for (k = 0; k < 8; k++) {
279 		for (i = 0; i < 256; i++) {
280 			*(il = &ip_maskl[k][i]) = 0L;
281 			*(ir = &ip_maskr[k][i]) = 0L;
282 			*(fl = &fp_maskl[k][i]) = 0L;
283 			*(fr = &fp_maskr[k][i]) = 0L;
284 			for (j = 0; j < 8; j++) {
285 				inbit = 8 * k + j;
286 				if (i & bits8[j]) {
287 					if ((obit = init_perm[inbit]) < 32)
288 						*il |= bits32[obit];
289 					else
290 						*ir |= bits32[obit-32];
291 					if ((obit = final_perm[inbit]) < 32)
292 						*fl |= bits32[obit];
293 					else
294 						*fr |= bits32[obit - 32];
295 				}
296 			}
297 		}
298 		for (i = 0; i < 128; i++) {
299 			*(il = &key_perm_maskl[k][i]) = 0L;
300 			*(ir = &key_perm_maskr[k][i]) = 0L;
301 			for (j = 0; j < 7; j++) {
302 				inbit = 8 * k + j;
303 				if (i & bits8[j + 1]) {
304 					if ((obit = inv_key_perm[inbit]) == 255)
305 						continue;
306 					if (obit < 28)
307 						*il |= bits28[obit];
308 					else
309 						*ir |= bits28[obit - 28];
310 				}
311 			}
312 			*(il = &comp_maskl[k][i]) = 0L;
313 			*(ir = &comp_maskr[k][i]) = 0L;
314 			for (j = 0; j < 7; j++) {
315 				inbit = 7 * k + j;
316 				if (i & bits8[j + 1]) {
317 					if ((obit=inv_comp_perm[inbit]) == 255)
318 						continue;
319 					if (obit < 24)
320 						*il |= bits24[obit];
321 					else
322 						*ir |= bits24[obit - 24];
323 				}
324 			}
325 		}
326 	}
327 
328 	/*
329 	 * Invert the P-box permutation, and convert into OR-masks for
330 	 * handling the output of the S-box arrays setup above.
331 	 */
332 	for (i = 0; i < 32; i++)
333 		un_pbox[pbox[i] - 1] = (u_char)i;
334 
335 	for (b = 0; b < 4; b++)
336 		for (i = 0; i < 256; i++) {
337 			*(p = &psbox[b][i]) = 0L;
338 			for (j = 0; j < 8; j++) {
339 				if (i & bits8[j])
340 					*p |= bits32[un_pbox[8 * b + j]];
341 			}
342 		}
343 
344 	des_initialised = 1;
345 }
346 
347 static void
348 setup_salt(u_int32_t salt)
349 {
350 	u_int32_t	obit, saltbit;
351 	int		i;
352 
353 	if (salt == old_salt)
354 		return;
355 	old_salt = salt;
356 
357 	saltbits = 0L;
358 	saltbit = 1;
359 	obit = 0x800000;
360 	for (i = 0; i < 24; i++) {
361 		if (salt & saltbit)
362 			saltbits |= obit;
363 		saltbit <<= 1;
364 		obit >>= 1;
365 	}
366 }
367 
368 static int
369 des_setkey(const char *key)
370 {
371 	u_int32_t	k0, k1, rawkey0, rawkey1;
372 	int		shifts, round;
373 
374 	if (!des_initialised)
375 		des_init();
376 
377 	rawkey0 = ntohl(*(const u_int32_t *) key);
378 	rawkey1 = ntohl(*(const u_int32_t *) (key + 4));
379 
380 	if ((rawkey0 | rawkey1)
381 	    && rawkey0 == old_rawkey0
382 	    && rawkey1 == old_rawkey1) {
383 		/*
384 		 * Already setup for this key.
385 		 * This optimisation fails on a zero key (which is weak and
386 		 * has bad parity anyway) in order to simplify the starting
387 		 * conditions.
388 		 */
389 		return(0);
390 	}
391 	old_rawkey0 = rawkey0;
392 	old_rawkey1 = rawkey1;
393 
394 	/*
395 	 *	Do key permutation and split into two 28-bit subkeys.
396 	 */
397 	k0 = key_perm_maskl[0][rawkey0 >> 25]
398 	   | key_perm_maskl[1][(rawkey0 >> 17) & 0x7f]
399 	   | key_perm_maskl[2][(rawkey0 >> 9) & 0x7f]
400 	   | key_perm_maskl[3][(rawkey0 >> 1) & 0x7f]
401 	   | key_perm_maskl[4][rawkey1 >> 25]
402 	   | key_perm_maskl[5][(rawkey1 >> 17) & 0x7f]
403 	   | key_perm_maskl[6][(rawkey1 >> 9) & 0x7f]
404 	   | key_perm_maskl[7][(rawkey1 >> 1) & 0x7f];
405 	k1 = key_perm_maskr[0][rawkey0 >> 25]
406 	   | key_perm_maskr[1][(rawkey0 >> 17) & 0x7f]
407 	   | key_perm_maskr[2][(rawkey0 >> 9) & 0x7f]
408 	   | key_perm_maskr[3][(rawkey0 >> 1) & 0x7f]
409 	   | key_perm_maskr[4][rawkey1 >> 25]
410 	   | key_perm_maskr[5][(rawkey1 >> 17) & 0x7f]
411 	   | key_perm_maskr[6][(rawkey1 >> 9) & 0x7f]
412 	   | key_perm_maskr[7][(rawkey1 >> 1) & 0x7f];
413 	/*
414 	 *	Rotate subkeys and do compression permutation.
415 	 */
416 	shifts = 0;
417 	for (round = 0; round < 16; round++) {
418 		u_int32_t	t0, t1;
419 
420 		shifts += key_shifts[round];
421 
422 		t0 = (k0 << shifts) | (k0 >> (28 - shifts));
423 		t1 = (k1 << shifts) | (k1 >> (28 - shifts));
424 
425 		de_keysl[15 - round] =
426 		en_keysl[round] = comp_maskl[0][(t0 >> 21) & 0x7f]
427 				| comp_maskl[1][(t0 >> 14) & 0x7f]
428 				| comp_maskl[2][(t0 >> 7) & 0x7f]
429 				| comp_maskl[3][t0 & 0x7f]
430 				| comp_maskl[4][(t1 >> 21) & 0x7f]
431 				| comp_maskl[5][(t1 >> 14) & 0x7f]
432 				| comp_maskl[6][(t1 >> 7) & 0x7f]
433 				| comp_maskl[7][t1 & 0x7f];
434 
435 		de_keysr[15 - round] =
436 		en_keysr[round] = comp_maskr[0][(t0 >> 21) & 0x7f]
437 				| comp_maskr[1][(t0 >> 14) & 0x7f]
438 				| comp_maskr[2][(t0 >> 7) & 0x7f]
439 				| comp_maskr[3][t0 & 0x7f]
440 				| comp_maskr[4][(t1 >> 21) & 0x7f]
441 				| comp_maskr[5][(t1 >> 14) & 0x7f]
442 				| comp_maskr[6][(t1 >> 7) & 0x7f]
443 				| comp_maskr[7][t1 & 0x7f];
444 	}
445 	return(0);
446 }
447 
448 static int
449 do_des(	u_int32_t l_in, u_int32_t r_in, u_int32_t *l_out, u_int32_t *r_out, int count)
450 {
451 	/*
452 	 *	l_in, r_in, l_out, and r_out are in pseudo-"big-endian" format.
453 	 */
454 	u_int32_t	l, r, *kl, *kr, *kl1, *kr1;
455 	u_int32_t	f, r48l, r48r;
456 	int		round;
457 
458 	if (count == 0) {
459 		return(1);
460 	} else if (count > 0) {
461 		/*
462 		 * Encrypting
463 		 */
464 		kl1 = en_keysl;
465 		kr1 = en_keysr;
466 	} else {
467 		/*
468 		 * Decrypting
469 		 */
470 		count = -count;
471 		kl1 = de_keysl;
472 		kr1 = de_keysr;
473 	}
474 
475 	/*
476 	 *	Do initial permutation (IP).
477 	 */
478 	l = ip_maskl[0][l_in >> 24]
479 	  | ip_maskl[1][(l_in >> 16) & 0xff]
480 	  | ip_maskl[2][(l_in >> 8) & 0xff]
481 	  | ip_maskl[3][l_in & 0xff]
482 	  | ip_maskl[4][r_in >> 24]
483 	  | ip_maskl[5][(r_in >> 16) & 0xff]
484 	  | ip_maskl[6][(r_in >> 8) & 0xff]
485 	  | ip_maskl[7][r_in & 0xff];
486 	r = ip_maskr[0][l_in >> 24]
487 	  | ip_maskr[1][(l_in >> 16) & 0xff]
488 	  | ip_maskr[2][(l_in >> 8) & 0xff]
489 	  | ip_maskr[3][l_in & 0xff]
490 	  | ip_maskr[4][r_in >> 24]
491 	  | ip_maskr[5][(r_in >> 16) & 0xff]
492 	  | ip_maskr[6][(r_in >> 8) & 0xff]
493 	  | ip_maskr[7][r_in & 0xff];
494 
495 	while (count--) {
496 		/*
497 		 * Do each round.
498 		 */
499 		kl = kl1;
500 		kr = kr1;
501 		round = 16;
502 		while (round--) {
503 			/*
504 			 * Expand R to 48 bits (simulate the E-box).
505 			 */
506 			r48l	= ((r & 0x00000001) << 23)
507 				| ((r & 0xf8000000) >> 9)
508 				| ((r & 0x1f800000) >> 11)
509 				| ((r & 0x01f80000) >> 13)
510 				| ((r & 0x001f8000) >> 15);
511 
512 			r48r	= ((r & 0x0001f800) << 7)
513 				| ((r & 0x00001f80) << 5)
514 				| ((r & 0x000001f8) << 3)
515 				| ((r & 0x0000001f) << 1)
516 				| ((r & 0x80000000) >> 31);
517 			/*
518 			 * Do salting for crypt() and friends, and
519 			 * XOR with the permuted key.
520 			 */
521 			f = (r48l ^ r48r) & saltbits;
522 			r48l ^= f ^ *kl++;
523 			r48r ^= f ^ *kr++;
524 			/*
525 			 * Do sbox lookups (which shrink it back to 32 bits)
526 			 * and do the pbox permutation at the same time.
527 			 */
528 			f = psbox[0][m_sbox[0][r48l >> 12]]
529 			  | psbox[1][m_sbox[1][r48l & 0xfff]]
530 			  | psbox[2][m_sbox[2][r48r >> 12]]
531 			  | psbox[3][m_sbox[3][r48r & 0xfff]];
532 			/*
533 			 * Now that we've permuted things, complete f().
534 			 */
535 			f ^= l;
536 			l = r;
537 			r = f;
538 		}
539 		r = l;
540 		l = f;
541 	}
542 	/*
543 	 * Do final permutation (inverse of IP).
544 	 */
545 	*l_out	= fp_maskl[0][l >> 24]
546 		| fp_maskl[1][(l >> 16) & 0xff]
547 		| fp_maskl[2][(l >> 8) & 0xff]
548 		| fp_maskl[3][l & 0xff]
549 		| fp_maskl[4][r >> 24]
550 		| fp_maskl[5][(r >> 16) & 0xff]
551 		| fp_maskl[6][(r >> 8) & 0xff]
552 		| fp_maskl[7][r & 0xff];
553 	*r_out	= fp_maskr[0][l >> 24]
554 		| fp_maskr[1][(l >> 16) & 0xff]
555 		| fp_maskr[2][(l >> 8) & 0xff]
556 		| fp_maskr[3][l & 0xff]
557 		| fp_maskr[4][r >> 24]
558 		| fp_maskr[5][(r >> 16) & 0xff]
559 		| fp_maskr[6][(r >> 8) & 0xff]
560 		| fp_maskr[7][r & 0xff];
561 	return(0);
562 }
563 
564 static int
565 des_cipher(const char *in, char *out, u_long salt, int count)
566 {
567 	u_int32_t	l_out, r_out, rawl, rawr;
568 	int		retval;
569 	union {
570 		u_int32_t	*ui32;
571 		const char	*c;
572 	} trans;
573 
574 	if (!des_initialised)
575 		des_init();
576 
577 	setup_salt(salt);
578 
579 	trans.c = in;
580 	rawl = ntohl(*trans.ui32++);
581 	rawr = ntohl(*trans.ui32);
582 
583 	retval = do_des(rawl, rawr, &l_out, &r_out, count);
584 
585 	trans.c = out;
586 	*trans.ui32++ = htonl(l_out);
587 	*trans.ui32 = htonl(r_out);
588 	return(retval);
589 }
590 
591 char *
592 crypt_des(const char *key, const char *setting)
593 {
594 	int		i;
595 	u_int32_t	count, salt, l, r0, r1, keybuf[2];
596 	u_char		*p, *q;
597 	static char	output[21];
598 
599 	if (!des_initialised)
600 		des_init();
601 
602 	/*
603 	 * Copy the key, shifting each character up by one bit
604 	 * and padding with zeros.
605 	 */
606 	q = (u_char *)keybuf;
607 	while (q - (u_char *)keybuf - 8) {
608 		*q++ = *key << 1;
609 		if (*(q - 1))
610 			key++;
611 	}
612 	if (des_setkey((char *)keybuf))
613 		return(NULL);
614 
615 	if (*setting == _PASSWORD_EFMT1) {
616 		/*
617 		 * "new"-style:
618 		 *	setting - underscore, 4 bytes of count, 4 bytes of salt
619 		 *	key - unlimited characters
620 		 */
621 		for (i = 1, count = 0L; i < 5; i++)
622 			count |= ascii_to_bin(setting[i]) << ((i - 1) * 6);
623 
624 		for (i = 5, salt = 0L; i < 9; i++)
625 			salt |= ascii_to_bin(setting[i]) << ((i - 5) * 6);
626 
627 		while (*key) {
628 			/*
629 			 * Encrypt the key with itself.
630 			 */
631 			if (des_cipher((char *)keybuf, (char *)keybuf, 0L, 1))
632 				return(NULL);
633 			/*
634 			 * And XOR with the next 8 characters of the key.
635 			 */
636 			q = (u_char *)keybuf;
637 			while (q - (u_char *)keybuf - 8 && *key)
638 				*q++ ^= *key++ << 1;
639 
640 			if (des_setkey((char *)keybuf))
641 				return(NULL);
642 		}
643 		strncpy(output, setting, 9);
644 
645 		/*
646 		 * Double check that we weren't given a short setting.
647 		 * If we were, the above code will probably have created
648 		 * wierd values for count and salt, but we don't really care.
649 		 * Just make sure the output string doesn't have an extra
650 		 * NUL in it.
651 		 */
652 		output[9] = '\0';
653 		p = (u_char *)output + strlen(output);
654 	} else {
655 		/*
656 		 * "old"-style:
657 		 *	setting - 2 bytes of salt
658 		 *	key - up to 8 characters
659 		 */
660 		count = 25;
661 
662 		salt = (ascii_to_bin(setting[1]) << 6)
663 		     |  ascii_to_bin(setting[0]);
664 
665 		output[0] = setting[0];
666 		/*
667 		 * If the encrypted password that the salt was extracted from
668 		 * is only 1 character long, the salt will be corrupted.  We
669 		 * need to ensure that the output string doesn't have an extra
670 		 * NUL in it!
671 		 */
672 		output[1] = setting[1] ? setting[1] : output[0];
673 
674 		p = (u_char *)output + 2;
675 	}
676 	setup_salt(salt);
677 	/*
678 	 * Do it.
679 	 */
680 	if (do_des(0L, 0L, &r0, &r1, (int)count))
681 		return(NULL);
682 	/*
683 	 * Now encode the result...
684 	 */
685 	l = (r0 >> 8);
686 	*p++ = ascii64[(l >> 18) & 0x3f];
687 	*p++ = ascii64[(l >> 12) & 0x3f];
688 	*p++ = ascii64[(l >> 6) & 0x3f];
689 	*p++ = ascii64[l & 0x3f];
690 
691 	l = (r0 << 16) | ((r1 >> 16) & 0xffff);
692 	*p++ = ascii64[(l >> 18) & 0x3f];
693 	*p++ = ascii64[(l >> 12) & 0x3f];
694 	*p++ = ascii64[(l >> 6) & 0x3f];
695 	*p++ = ascii64[l & 0x3f];
696 
697 	l = r1 << 2;
698 	*p++ = ascii64[(l >> 12) & 0x3f];
699 	*p++ = ascii64[(l >> 6) & 0x3f];
700 	*p++ = ascii64[l & 0x3f];
701 	*p = 0;
702 
703 	return(output);
704 }
705