xref: /freebsd/secure/lib/libcrypt/crypt-des.c (revision 994297b01b98816bea1abf45ae4bac1bc69ee7a0)
1 /*
2  * FreeSec: libcrypt for NetBSD
3  *
4  * Copyright (c) 1994 David Burren
5  * All rights reserved.
6  *
7  * Adapted for FreeBSD-2.0 by Geoffrey M. Rehmet
8  *	this file should now *only* export crypt(), in order to make
9  *	binaries of libcrypt exportable from the USA
10  *
11  * Adapted for FreeBSD-4.0 by Mark R V Murray
12  *	this file should now *only* export crypt_des(), in order to make
13  *	a module that can be optionally included in libcrypt.
14  *
15  * Redistribution and use in source and binary forms, with or without
16  * modification, are permitted provided that the following conditions
17  * are met:
18  * 1. Redistributions of source code must retain the above copyright
19  *    notice, this list of conditions and the following disclaimer.
20  * 2. Redistributions in binary form must reproduce the above copyright
21  *    notice, this list of conditions and the following disclaimer in the
22  *    documentation and/or other materials provided with the distribution.
23  * 3. Neither the name of the author nor the names of other contributors
24  *    may be used to endorse or promote products derived from this software
25  *    without specific prior written permission.
26  *
27  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
28  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
29  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
30  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
31  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
32  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
33  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
34  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
35  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
36  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
37  * SUCH DAMAGE.
38  *
39  * This is an original implementation of the DES and the crypt(3) interfaces
40  * by David Burren <davidb@werj.com.au>.
41  *
42  * An excellent reference on the underlying algorithm (and related
43  * algorithms) is:
44  *
45  *	B. Schneier, Applied Cryptography: protocols, algorithms,
46  *	and source code in C, John Wiley & Sons, 1994.
47  *
48  * Note that in that book's description of DES the lookups for the initial,
49  * pbox, and final permutations are inverted (this has been brought to the
50  * attention of the author).  A list of errata for this book has been
51  * posted to the sci.crypt newsgroup by the author and is available for FTP.
52  *
53  * ARCHITECTURE ASSUMPTIONS:
54  *	It is assumed that the 8-byte arrays passed by reference can be
55  *	addressed as arrays of u_int32_t's (ie. the CPU is not picky about
56  *	alignment).
57  */
58 
59 #include <sys/cdefs.h>
60 __FBSDID("$FreeBSD$");
61 
62 #include <sys/types.h>
63 #include <sys/param.h>
64 #include <arpa/inet.h>
65 #include <pwd.h>
66 #include <string.h>
67 #include "crypt.h"
68 
69 /* We can't always assume gcc */
70 #if	defined(__GNUC__) && !defined(lint)
71 #define INLINE inline
72 #else
73 #define INLINE
74 #endif
75 
76 
77 static const u_char	IP[64] = {
78 	58, 50, 42, 34, 26, 18, 10,  2, 60, 52, 44, 36, 28, 20, 12,  4,
79 	62, 54, 46, 38, 30, 22, 14,  6, 64, 56, 48, 40, 32, 24, 16,  8,
80 	57, 49, 41, 33, 25, 17,  9,  1, 59, 51, 43, 35, 27, 19, 11,  3,
81 	61, 53, 45, 37, 29, 21, 13,  5, 63, 55, 47, 39, 31, 23, 15,  7
82 };
83 
84 static __thread u_char	inv_key_perm[64];
85 static const u_char	key_perm[56] = {
86 	57, 49, 41, 33, 25, 17,  9,  1, 58, 50, 42, 34, 26, 18,
87 	10,  2, 59, 51, 43, 35, 27, 19, 11,  3, 60, 52, 44, 36,
88 	63, 55, 47, 39, 31, 23, 15,  7, 62, 54, 46, 38, 30, 22,
89 	14,  6, 61, 53, 45, 37, 29, 21, 13,  5, 28, 20, 12,  4
90 };
91 
92 static const u_char	key_shifts[16] = {
93 	1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1
94 };
95 
96 static __thread u_char	inv_comp_perm[56];
97 static const u_char	comp_perm[48] = {
98 	14, 17, 11, 24,  1,  5,  3, 28, 15,  6, 21, 10,
99 	23, 19, 12,  4, 26,  8, 16,  7, 27, 20, 13,  2,
100 	41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48,
101 	44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32
102 };
103 
104 /*
105  *	No E box is used, as it's replaced by some ANDs, shifts, and ORs.
106  */
107 
108 static __thread u_char	u_sbox[8][64];
109 static const u_char	sbox[8][64] = {
110 	{
111 		14,  4, 13,  1,  2, 15, 11,  8,  3, 10,  6, 12,  5,  9,  0,  7,
112 		 0, 15,  7,  4, 14,  2, 13,  1, 10,  6, 12, 11,  9,  5,  3,  8,
113 		 4,  1, 14,  8, 13,  6,  2, 11, 15, 12,  9,  7,  3, 10,  5,  0,
114 		15, 12,  8,  2,  4,  9,  1,  7,  5, 11,  3, 14, 10,  0,  6, 13
115 	},
116 	{
117 		15,  1,  8, 14,  6, 11,  3,  4,  9,  7,  2, 13, 12,  0,  5, 10,
118 		 3, 13,  4,  7, 15,  2,  8, 14, 12,  0,  1, 10,  6,  9, 11,  5,
119 		 0, 14,  7, 11, 10,  4, 13,  1,  5,  8, 12,  6,  9,  3,  2, 15,
120 		13,  8, 10,  1,  3, 15,  4,  2, 11,  6,  7, 12,  0,  5, 14,  9
121 	},
122 	{
123 		10,  0,  9, 14,  6,  3, 15,  5,  1, 13, 12,  7, 11,  4,  2,  8,
124 		13,  7,  0,  9,  3,  4,  6, 10,  2,  8,  5, 14, 12, 11, 15,  1,
125 		13,  6,  4,  9,  8, 15,  3,  0, 11,  1,  2, 12,  5, 10, 14,  7,
126 		 1, 10, 13,  0,  6,  9,  8,  7,  4, 15, 14,  3, 11,  5,  2, 12
127 	},
128 	{
129 		 7, 13, 14,  3,  0,  6,  9, 10,  1,  2,  8,  5, 11, 12,  4, 15,
130 		13,  8, 11,  5,  6, 15,  0,  3,  4,  7,  2, 12,  1, 10, 14,  9,
131 		10,  6,  9,  0, 12, 11,  7, 13, 15,  1,  3, 14,  5,  2,  8,  4,
132 		 3, 15,  0,  6, 10,  1, 13,  8,  9,  4,  5, 11, 12,  7,  2, 14
133 	},
134 	{
135 		 2, 12,  4,  1,  7, 10, 11,  6,  8,  5,  3, 15, 13,  0, 14,  9,
136 		14, 11,  2, 12,  4,  7, 13,  1,  5,  0, 15, 10,  3,  9,  8,  6,
137 		 4,  2,  1, 11, 10, 13,  7,  8, 15,  9, 12,  5,  6,  3,  0, 14,
138 		11,  8, 12,  7,  1, 14,  2, 13,  6, 15,  0,  9, 10,  4,  5,  3
139 	},
140 	{
141 		12,  1, 10, 15,  9,  2,  6,  8,  0, 13,  3,  4, 14,  7,  5, 11,
142 		10, 15,  4,  2,  7, 12,  9,  5,  6,  1, 13, 14,  0, 11,  3,  8,
143 		 9, 14, 15,  5,  2,  8, 12,  3,  7,  0,  4, 10,  1, 13, 11,  6,
144 		 4,  3,  2, 12,  9,  5, 15, 10, 11, 14,  1,  7,  6,  0,  8, 13
145 	},
146 	{
147 		 4, 11,  2, 14, 15,  0,  8, 13,  3, 12,  9,  7,  5, 10,  6,  1,
148 		13,  0, 11,  7,  4,  9,  1, 10, 14,  3,  5, 12,  2, 15,  8,  6,
149 		 1,  4, 11, 13, 12,  3,  7, 14, 10, 15,  6,  8,  0,  5,  9,  2,
150 		 6, 11, 13,  8,  1,  4, 10,  7,  9,  5,  0, 15, 14,  2,  3, 12
151 	},
152 	{
153 		13,  2,  8,  4,  6, 15, 11,  1, 10,  9,  3, 14,  5,  0, 12,  7,
154 		 1, 15, 13,  8, 10,  3,  7,  4, 12,  5,  6, 11,  0, 14,  9,  2,
155 		 7, 11,  4,  1,  9, 12, 14,  2,  0,  6, 10, 13, 15,  3,  5,  8,
156 		 2,  1, 14,  7,  4, 10,  8, 13, 15, 12,  9,  0,  3,  5,  6, 11
157 	}
158 };
159 
160 static __thread u_char	un_pbox[32];
161 static const u_char	pbox[32] = {
162 	16,  7, 20, 21, 29, 12, 28, 17,  1, 15, 23, 26,  5, 18, 31, 10,
163 	 2,  8, 24, 14, 32, 27,  3,  9, 19, 13, 30,  6, 22, 11,  4, 25
164 };
165 
166 static const u_int32_t	bits32[32] =
167 {
168 	0x80000000, 0x40000000, 0x20000000, 0x10000000,
169 	0x08000000, 0x04000000, 0x02000000, 0x01000000,
170 	0x00800000, 0x00400000, 0x00200000, 0x00100000,
171 	0x00080000, 0x00040000, 0x00020000, 0x00010000,
172 	0x00008000, 0x00004000, 0x00002000, 0x00001000,
173 	0x00000800, 0x00000400, 0x00000200, 0x00000100,
174 	0x00000080, 0x00000040, 0x00000020, 0x00000010,
175 	0x00000008, 0x00000004, 0x00000002, 0x00000001
176 };
177 
178 static const u_char	bits8[8] = { 0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02, 0x01 };
179 
180 static __thread u_int32_t	saltbits;
181 static __thread u_int32_t	old_salt;
182 static __thread const u_int32_t	*bits28, *bits24;
183 static __thread u_char		init_perm[64], final_perm[64];
184 static __thread u_int32_t	en_keysl[16], en_keysr[16];
185 static __thread u_int32_t	de_keysl[16], de_keysr[16];
186 static __thread int		des_initialised = 0;
187 static __thread u_char		m_sbox[4][4096];
188 static __thread u_int32_t	psbox[4][256];
189 static __thread u_int32_t	ip_maskl[8][256], ip_maskr[8][256];
190 static __thread u_int32_t	fp_maskl[8][256], fp_maskr[8][256];
191 static __thread u_int32_t	key_perm_maskl[8][128], key_perm_maskr[8][128];
192 static __thread u_int32_t	comp_maskl[8][128], comp_maskr[8][128];
193 static __thread u_int32_t	old_rawkey0, old_rawkey1;
194 
195 static const u_char	ascii64[] =
196 	 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
197 /*	  0000000000111111111122222222223333333333444444444455555555556666 */
198 /*	  0123456789012345678901234567890123456789012345678901234567890123 */
199 
200 static INLINE int
201 ascii_to_bin(char ch)
202 {
203 	if (ch > 'z')
204 		return(0);
205 	if (ch >= 'a')
206 		return(ch - 'a' + 38);
207 	if (ch > 'Z')
208 		return(0);
209 	if (ch >= 'A')
210 		return(ch - 'A' + 12);
211 	if (ch > '9')
212 		return(0);
213 	if (ch >= '.')
214 		return(ch - '.');
215 	return(0);
216 }
217 
218 static void
219 des_init(void)
220 {
221 	int	i, j, b, k, inbit, obit;
222 	u_int32_t	*p, *il, *ir, *fl, *fr;
223 
224 	old_rawkey0 = old_rawkey1 = 0L;
225 	saltbits = 0L;
226 	old_salt = 0L;
227 	bits24 = (bits28 = bits32 + 4) + 4;
228 
229 	/*
230 	 * Invert the S-boxes, reordering the input bits.
231 	 */
232 	for (i = 0; i < 8; i++)
233 		for (j = 0; j < 64; j++) {
234 			b = (j & 0x20) | ((j & 1) << 4) | ((j >> 1) & 0xf);
235 			u_sbox[i][j] = sbox[i][b];
236 		}
237 
238 	/*
239 	 * Convert the inverted S-boxes into 4 arrays of 8 bits.
240 	 * Each will handle 12 bits of the S-box input.
241 	 */
242 	for (b = 0; b < 4; b++)
243 		for (i = 0; i < 64; i++)
244 			for (j = 0; j < 64; j++)
245 				m_sbox[b][(i << 6) | j] =
246 					(u_char)((u_sbox[(b << 1)][i] << 4) |
247 					u_sbox[(b << 1) + 1][j]);
248 
249 	/*
250 	 * Set up the initial & final permutations into a useful form, and
251 	 * initialise the inverted key permutation.
252 	 */
253 	for (i = 0; i < 64; i++) {
254 		init_perm[final_perm[i] = IP[i] - 1] = (u_char)i;
255 		inv_key_perm[i] = 255;
256 	}
257 
258 	/*
259 	 * Invert the key permutation and initialise the inverted key
260 	 * compression permutation.
261 	 */
262 	for (i = 0; i < 56; i++) {
263 		inv_key_perm[key_perm[i] - 1] = (u_char)i;
264 		inv_comp_perm[i] = 255;
265 	}
266 
267 	/*
268 	 * Invert the key compression permutation.
269 	 */
270 	for (i = 0; i < 48; i++) {
271 		inv_comp_perm[comp_perm[i] - 1] = (u_char)i;
272 	}
273 
274 	/*
275 	 * Set up the OR-mask arrays for the initial and final permutations,
276 	 * and for the key initial and compression permutations.
277 	 */
278 	for (k = 0; k < 8; k++) {
279 		for (i = 0; i < 256; i++) {
280 			*(il = &ip_maskl[k][i]) = 0L;
281 			*(ir = &ip_maskr[k][i]) = 0L;
282 			*(fl = &fp_maskl[k][i]) = 0L;
283 			*(fr = &fp_maskr[k][i]) = 0L;
284 			for (j = 0; j < 8; j++) {
285 				inbit = 8 * k + j;
286 				if (i & bits8[j]) {
287 					if ((obit = init_perm[inbit]) < 32)
288 						*il |= bits32[obit];
289 					else
290 						*ir |= bits32[obit-32];
291 					if ((obit = final_perm[inbit]) < 32)
292 						*fl |= bits32[obit];
293 					else
294 						*fr |= bits32[obit - 32];
295 				}
296 			}
297 		}
298 		for (i = 0; i < 128; i++) {
299 			*(il = &key_perm_maskl[k][i]) = 0L;
300 			*(ir = &key_perm_maskr[k][i]) = 0L;
301 			for (j = 0; j < 7; j++) {
302 				inbit = 8 * k + j;
303 				if (i & bits8[j + 1]) {
304 					if ((obit = inv_key_perm[inbit]) == 255)
305 						continue;
306 					if (obit < 28)
307 						*il |= bits28[obit];
308 					else
309 						*ir |= bits28[obit - 28];
310 				}
311 			}
312 			*(il = &comp_maskl[k][i]) = 0L;
313 			*(ir = &comp_maskr[k][i]) = 0L;
314 			for (j = 0; j < 7; j++) {
315 				inbit = 7 * k + j;
316 				if (i & bits8[j + 1]) {
317 					if ((obit=inv_comp_perm[inbit]) == 255)
318 						continue;
319 					if (obit < 24)
320 						*il |= bits24[obit];
321 					else
322 						*ir |= bits24[obit - 24];
323 				}
324 			}
325 		}
326 	}
327 
328 	/*
329 	 * Invert the P-box permutation, and convert into OR-masks for
330 	 * handling the output of the S-box arrays setup above.
331 	 */
332 	for (i = 0; i < 32; i++)
333 		un_pbox[pbox[i] - 1] = (u_char)i;
334 
335 	for (b = 0; b < 4; b++)
336 		for (i = 0; i < 256; i++) {
337 			*(p = &psbox[b][i]) = 0L;
338 			for (j = 0; j < 8; j++) {
339 				if (i & bits8[j])
340 					*p |= bits32[un_pbox[8 * b + j]];
341 			}
342 		}
343 
344 	des_initialised = 1;
345 }
346 
347 static void
348 setup_salt(u_int32_t salt)
349 {
350 	u_int32_t	obit, saltbit;
351 	int		i;
352 
353 	if (salt == old_salt)
354 		return;
355 	old_salt = salt;
356 
357 	saltbits = 0L;
358 	saltbit = 1;
359 	obit = 0x800000;
360 	for (i = 0; i < 24; i++) {
361 		if (salt & saltbit)
362 			saltbits |= obit;
363 		saltbit <<= 1;
364 		obit >>= 1;
365 	}
366 }
367 
368 static int
369 des_setkey(const char *key)
370 {
371 	u_int32_t	k0, k1, rawkey0, rawkey1;
372 	int		shifts, round;
373 
374 	if (!des_initialised)
375 		des_init();
376 
377 	rawkey0 = ntohl(*(const u_int32_t *) key);
378 	rawkey1 = ntohl(*(const u_int32_t *) (key + 4));
379 
380 	if ((rawkey0 | rawkey1)
381 	    && rawkey0 == old_rawkey0
382 	    && rawkey1 == old_rawkey1) {
383 		/*
384 		 * Already setup for this key.
385 		 * This optimisation fails on a zero key (which is weak and
386 		 * has bad parity anyway) in order to simplify the starting
387 		 * conditions.
388 		 */
389 		return(0);
390 	}
391 	old_rawkey0 = rawkey0;
392 	old_rawkey1 = rawkey1;
393 
394 	/*
395 	 *	Do key permutation and split into two 28-bit subkeys.
396 	 */
397 	k0 = key_perm_maskl[0][rawkey0 >> 25]
398 	   | key_perm_maskl[1][(rawkey0 >> 17) & 0x7f]
399 	   | key_perm_maskl[2][(rawkey0 >> 9) & 0x7f]
400 	   | key_perm_maskl[3][(rawkey0 >> 1) & 0x7f]
401 	   | key_perm_maskl[4][rawkey1 >> 25]
402 	   | key_perm_maskl[5][(rawkey1 >> 17) & 0x7f]
403 	   | key_perm_maskl[6][(rawkey1 >> 9) & 0x7f]
404 	   | key_perm_maskl[7][(rawkey1 >> 1) & 0x7f];
405 	k1 = key_perm_maskr[0][rawkey0 >> 25]
406 	   | key_perm_maskr[1][(rawkey0 >> 17) & 0x7f]
407 	   | key_perm_maskr[2][(rawkey0 >> 9) & 0x7f]
408 	   | key_perm_maskr[3][(rawkey0 >> 1) & 0x7f]
409 	   | key_perm_maskr[4][rawkey1 >> 25]
410 	   | key_perm_maskr[5][(rawkey1 >> 17) & 0x7f]
411 	   | key_perm_maskr[6][(rawkey1 >> 9) & 0x7f]
412 	   | key_perm_maskr[7][(rawkey1 >> 1) & 0x7f];
413 	/*
414 	 *	Rotate subkeys and do compression permutation.
415 	 */
416 	shifts = 0;
417 	for (round = 0; round < 16; round++) {
418 		u_int32_t	t0, t1;
419 
420 		shifts += key_shifts[round];
421 
422 		t0 = (k0 << shifts) | (k0 >> (28 - shifts));
423 		t1 = (k1 << shifts) | (k1 >> (28 - shifts));
424 
425 		de_keysl[15 - round] =
426 		en_keysl[round] = comp_maskl[0][(t0 >> 21) & 0x7f]
427 				| comp_maskl[1][(t0 >> 14) & 0x7f]
428 				| comp_maskl[2][(t0 >> 7) & 0x7f]
429 				| comp_maskl[3][t0 & 0x7f]
430 				| comp_maskl[4][(t1 >> 21) & 0x7f]
431 				| comp_maskl[5][(t1 >> 14) & 0x7f]
432 				| comp_maskl[6][(t1 >> 7) & 0x7f]
433 				| comp_maskl[7][t1 & 0x7f];
434 
435 		de_keysr[15 - round] =
436 		en_keysr[round] = comp_maskr[0][(t0 >> 21) & 0x7f]
437 				| comp_maskr[1][(t0 >> 14) & 0x7f]
438 				| comp_maskr[2][(t0 >> 7) & 0x7f]
439 				| comp_maskr[3][t0 & 0x7f]
440 				| comp_maskr[4][(t1 >> 21) & 0x7f]
441 				| comp_maskr[5][(t1 >> 14) & 0x7f]
442 				| comp_maskr[6][(t1 >> 7) & 0x7f]
443 				| comp_maskr[7][t1 & 0x7f];
444 	}
445 	return(0);
446 }
447 
448 static int
449 do_des(	u_int32_t l_in, u_int32_t r_in, u_int32_t *l_out, u_int32_t *r_out, int count)
450 {
451 	/*
452 	 *	l_in, r_in, l_out, and r_out are in pseudo-"big-endian" format.
453 	 */
454 	u_int32_t	l, r, *kl, *kr, *kl1, *kr1;
455 	u_int32_t	f, r48l, r48r;
456 	int		round;
457 
458 	if (count == 0) {
459 		return(1);
460 	} else if (count > 0) {
461 		/*
462 		 * Encrypting
463 		 */
464 		kl1 = en_keysl;
465 		kr1 = en_keysr;
466 	} else {
467 		/*
468 		 * Decrypting
469 		 */
470 		count = -count;
471 		kl1 = de_keysl;
472 		kr1 = de_keysr;
473 	}
474 
475 	/*
476 	 *	Do initial permutation (IP).
477 	 */
478 	l = ip_maskl[0][l_in >> 24]
479 	  | ip_maskl[1][(l_in >> 16) & 0xff]
480 	  | ip_maskl[2][(l_in >> 8) & 0xff]
481 	  | ip_maskl[3][l_in & 0xff]
482 	  | ip_maskl[4][r_in >> 24]
483 	  | ip_maskl[5][(r_in >> 16) & 0xff]
484 	  | ip_maskl[6][(r_in >> 8) & 0xff]
485 	  | ip_maskl[7][r_in & 0xff];
486 	r = ip_maskr[0][l_in >> 24]
487 	  | ip_maskr[1][(l_in >> 16) & 0xff]
488 	  | ip_maskr[2][(l_in >> 8) & 0xff]
489 	  | ip_maskr[3][l_in & 0xff]
490 	  | ip_maskr[4][r_in >> 24]
491 	  | ip_maskr[5][(r_in >> 16) & 0xff]
492 	  | ip_maskr[6][(r_in >> 8) & 0xff]
493 	  | ip_maskr[7][r_in & 0xff];
494 
495 	while (count--) {
496 		/*
497 		 * Do each round.
498 		 */
499 		kl = kl1;
500 		kr = kr1;
501 		round = 16;
502 		while (round--) {
503 			/*
504 			 * Expand R to 48 bits (simulate the E-box).
505 			 */
506 			r48l	= ((r & 0x00000001) << 23)
507 				| ((r & 0xf8000000) >> 9)
508 				| ((r & 0x1f800000) >> 11)
509 				| ((r & 0x01f80000) >> 13)
510 				| ((r & 0x001f8000) >> 15);
511 
512 			r48r	= ((r & 0x0001f800) << 7)
513 				| ((r & 0x00001f80) << 5)
514 				| ((r & 0x000001f8) << 3)
515 				| ((r & 0x0000001f) << 1)
516 				| ((r & 0x80000000) >> 31);
517 			/*
518 			 * Do salting for crypt() and friends, and
519 			 * XOR with the permuted key.
520 			 */
521 			f = (r48l ^ r48r) & saltbits;
522 			r48l ^= f ^ *kl++;
523 			r48r ^= f ^ *kr++;
524 			/*
525 			 * Do sbox lookups (which shrink it back to 32 bits)
526 			 * and do the pbox permutation at the same time.
527 			 */
528 			f = psbox[0][m_sbox[0][r48l >> 12]]
529 			  | psbox[1][m_sbox[1][r48l & 0xfff]]
530 			  | psbox[2][m_sbox[2][r48r >> 12]]
531 			  | psbox[3][m_sbox[3][r48r & 0xfff]];
532 			/*
533 			 * Now that we've permuted things, complete f().
534 			 */
535 			f ^= l;
536 			l = r;
537 			r = f;
538 		}
539 		r = l;
540 		l = f;
541 	}
542 	/*
543 	 * Do final permutation (inverse of IP).
544 	 */
545 	*l_out	= fp_maskl[0][l >> 24]
546 		| fp_maskl[1][(l >> 16) & 0xff]
547 		| fp_maskl[2][(l >> 8) & 0xff]
548 		| fp_maskl[3][l & 0xff]
549 		| fp_maskl[4][r >> 24]
550 		| fp_maskl[5][(r >> 16) & 0xff]
551 		| fp_maskl[6][(r >> 8) & 0xff]
552 		| fp_maskl[7][r & 0xff];
553 	*r_out	= fp_maskr[0][l >> 24]
554 		| fp_maskr[1][(l >> 16) & 0xff]
555 		| fp_maskr[2][(l >> 8) & 0xff]
556 		| fp_maskr[3][l & 0xff]
557 		| fp_maskr[4][r >> 24]
558 		| fp_maskr[5][(r >> 16) & 0xff]
559 		| fp_maskr[6][(r >> 8) & 0xff]
560 		| fp_maskr[7][r & 0xff];
561 	return(0);
562 }
563 
564 static int
565 des_cipher(const char *in, char *out, u_long salt, int count)
566 {
567 	u_int32_t	l_out, r_out, rawl, rawr;
568 	int		retval;
569 	union {
570 		u_int32_t	*ui32;
571 		const char	*c;
572 	} trans;
573 
574 	if (!des_initialised)
575 		des_init();
576 
577 	setup_salt(salt);
578 
579 	trans.c = in;
580 	rawl = ntohl(*trans.ui32++);
581 	rawr = ntohl(*trans.ui32);
582 
583 	retval = do_des(rawl, rawr, &l_out, &r_out, count);
584 
585 	trans.c = out;
586 	*trans.ui32++ = htonl(l_out);
587 	*trans.ui32 = htonl(r_out);
588 	return(retval);
589 }
590 
591 int
592 crypt_des(const char *key, const char *setting, char *buffer)
593 {
594 	int		i;
595 	u_int32_t	count, salt, l, r0, r1, keybuf[2];
596 	u_char		*q;
597 
598 	if (!des_initialised)
599 		des_init();
600 
601 	/*
602 	 * Copy the key, shifting each character up by one bit
603 	 * and padding with zeros.
604 	 */
605 	q = (u_char *)keybuf;
606 	while (q - (u_char *)keybuf - 8) {
607 		*q++ = *key << 1;
608 		if (*key != '\0')
609 			key++;
610 	}
611 	if (des_setkey((char *)keybuf))
612 		return (-1);
613 
614 	if (*setting == _PASSWORD_EFMT1) {
615 		/*
616 		 * "new"-style:
617 		 *	setting - underscore, 4 bytes of count, 4 bytes of salt
618 		 *	key - unlimited characters
619 		 */
620 		for (i = 1, count = 0L; i < 5; i++)
621 			count |= ascii_to_bin(setting[i]) << ((i - 1) * 6);
622 
623 		for (i = 5, salt = 0L; i < 9; i++)
624 			salt |= ascii_to_bin(setting[i]) << ((i - 5) * 6);
625 
626 		while (*key) {
627 			/*
628 			 * Encrypt the key with itself.
629 			 */
630 			if (des_cipher((char *)keybuf, (char *)keybuf, 0L, 1))
631 				return (-1);
632 			/*
633 			 * And XOR with the next 8 characters of the key.
634 			 */
635 			q = (u_char *)keybuf;
636 			while (q - (u_char *)keybuf - 8 && *key)
637 				*q++ ^= *key++ << 1;
638 
639 			if (des_setkey((char *)keybuf))
640 				return (-1);
641 		}
642 		buffer = stpncpy(buffer, setting, 9);
643 	} else {
644 		/*
645 		 * "old"-style:
646 		 *	setting - 2 bytes of salt
647 		 *	key - up to 8 characters
648 		 */
649 		count = 25;
650 
651 		salt = (ascii_to_bin(setting[1]) << 6)
652 		     |  ascii_to_bin(setting[0]);
653 
654 		*buffer++ = setting[0];
655 		/*
656 		 * If the encrypted password that the salt was extracted from
657 		 * is only 1 character long, the salt will be corrupted.  We
658 		 * need to ensure that the output string doesn't have an extra
659 		 * NUL in it!
660 		 */
661 		*buffer++ = setting[1] ? setting[1] : setting[0];
662 	}
663 	setup_salt(salt);
664 	/*
665 	 * Do it.
666 	 */
667 	if (do_des(0L, 0L, &r0, &r1, (int)count))
668 		return (-1);
669 	/*
670 	 * Now encode the result...
671 	 */
672 	l = (r0 >> 8);
673 	*buffer++ = ascii64[(l >> 18) & 0x3f];
674 	*buffer++ = ascii64[(l >> 12) & 0x3f];
675 	*buffer++ = ascii64[(l >> 6) & 0x3f];
676 	*buffer++ = ascii64[l & 0x3f];
677 
678 	l = (r0 << 16) | ((r1 >> 16) & 0xffff);
679 	*buffer++ = ascii64[(l >> 18) & 0x3f];
680 	*buffer++ = ascii64[(l >> 12) & 0x3f];
681 	*buffer++ = ascii64[(l >> 6) & 0x3f];
682 	*buffer++ = ascii64[l & 0x3f];
683 
684 	l = r1 << 2;
685 	*buffer++ = ascii64[(l >> 12) & 0x3f];
686 	*buffer++ = ascii64[(l >> 6) & 0x3f];
687 	*buffer++ = ascii64[l & 0x3f];
688 	*buffer = '\0';
689 
690 	return (0);
691 }
692