/* $NetBSD: crypt.c,v 1.39 2023/06/24 05:18:12 msaitoh Exp $ */
/*
* Copyright (c) 1989, 1993
* The Regents of the University of California. All rights reserved.
*
* This code is derived from software contributed to Berkeley by
* Tom Truscott.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include <sys/cdefs.h>
#if !defined(lint)
#if 0
static char sccsid[] = "@(#)crypt.c 8.1.1.1 (Berkeley) 8/18/93";
#else
__RCSID("$NetBSD: crypt.c,v 1.39 2023/06/24 05:18:12 msaitoh Exp $");
#endif
#endif /* not lint */
#include <limits.h>
#include <pwd.h>
#include <stdlib.h>
#include <string.h> /* for strcmp */
#include <unistd.h>
#if defined(DEBUG) || defined(MAIN) || defined(UNIT_TEST)
#include <stdio.h>
#endif
#include "crypt.h"
/*
* UNIX password, and DES, encryption.
* By Tom Truscott, trt@rti.rti.org,
* from algorithms by Robert W. Baldwin and James Gillogly.
*
* References:
* "Mathematical Cryptology for Computer Scientists and Mathematicians,"
* by Wayne Patterson, 1987, ISBN 0-8476-7438-X.
*
* "Password Security: A Case History," R. Morris and Ken Thompson,
* Communications of the ACM, vol. 22, pp. 594-597, Nov. 1979.
*
* "DES will be Totally Insecure within Ten Years," M.E. Hellman,
* IEEE Spectrum, vol. 16, pp. 32-39, July 1979.
*/
/* ===== Configuration ==================== */
/*
* define "MUST_ALIGN" if your compiler cannot load/store
* long integers at arbitrary (e.g. odd) memory locations.
* (Either that or never pass unaligned addresses to des_cipher!)
*/
#if !defined(__vax__) && !defined(__i386__)
#define MUST_ALIGN
#endif
#ifdef CHAR_BITS
#if CHAR_BITS != 8
#error C_block structure assumes 8 bit characters
#endif
#endif
/*
* define "B64" to be the declaration for a 64 bit integer.
* XXX this feature is currently unused, see "endian" comment below.
*/
#if defined(cray)
#define B64 long
#endif
#if defined(convex)
#define B64 long long
#endif
/*
* define "LARGEDATA" to get faster permutations, by using about 72 kilobytes
* of lookup tables. This speeds up des_setkey() and des_cipher(), but has
* little effect on crypt().
*/
#if defined(notdef)
#define LARGEDATA
#endif
/* compile with "-DSTATIC=void" when profiling */
#ifndef STATIC
#define STATIC static void
#endif
/* ==================================== */
/*
* Cipher-block representation (Bob Baldwin):
*
* DES operates on groups of 64 bits, numbered 1..64 (sigh). One
* representation is to store one bit per byte in an array of bytes. Bit N of
* the NBS spec is stored as the LSB of the Nth byte (index N-1) in the array.
* Another representation stores the 64 bits in 8 bytes, with bits 1..8 in the
* first byte, 9..16 in the second, and so on. The DES spec apparently has
* bit 1 in the MSB of the first byte, but that is particularly noxious so we
* bit-reverse each byte so that bit 1 is the LSB of the first byte, bit 8 is
* the MSB of the first byte. Specifically, the 64-bit input data and key are
* converted to LSB format, and the output 64-bit block is converted back into
* MSB format.
*
* DES operates internally on groups of 32 bits which are expanded to 48 bits
* by permutation E and shrunk back to 32 bits by the S boxes. To speed up
* the computation, the expansion is applied only once, the expanded
* representation is maintained during the encryption, and a compression
* permutation is applied only at the end. To speed up the S-box lookups,
* the 48 bits are maintained as eight 6 bit groups, one per byte, which
* directly feed the eight S-boxes. Within each byte, the 6 bits are the
* most significant ones. The low two bits of each byte are zero. (Thus,
* bit 1 of the 48 bit E expansion is stored as the "4"-valued bit of the
* first byte in the eight byte representation, bit 2 of the 48 bit value is
* the "8"-valued bit, and so on.) In fact, a combined "SPE"-box lookup is
* used, in which the output is the 64 bit result of an S-box lookup which
* has been permuted by P and expanded by E, and is ready for use in the next
* iteration. Two 32-bit wide tables, SPE[0] and SPE[1], are used for this
* lookup. Since each byte in the 48 bit path is a multiple of four, indexed
* lookup of SPE[0] and SPE[1] is simple and fast. The key schedule and
* "salt" are also converted to this 8*(6+2) format. The SPE table size is
* 8*64*8 = 4K bytes.
*
* To speed up bit-parallel operations (such as XOR), the 8 byte
* representation is "union"ed with 32 bit values "i0" and "i1", and, on
* machines which support it, a 64 bit value "b64". This data structure,
* "C_block", has two problems. First, alignment restrictions must be
* honored. Second, the byte-order (e.g. little-endian or big-endian) of
* the architecture becomes visible.
*
* The byte-order problem is unfortunate, since on the one hand it is good
* to have a machine-independent C_block representation (bits 1..8 in the
* first byte, etc.), and on the other hand it is good for the LSB of the
* first byte to be the LSB of i0. We cannot have both these things, so we
* currently use the "little-endian" representation and avoid any multi-byte
* operations that depend on byte order. This largely precludes use of the
* 64-bit datatype since the relative order of i0 and i1 are unknown. It
* also inhibits grouping the SPE table to look up 12 bits at a time. (The
* 12 bits can be stored in a 16-bit field with 3 low-order zeroes and 1
* high-order zero, providing fast indexing into a 64-bit wide SPE.) On the
* other hand, 64-bit datatypes are currently rare, and a 12-bit SPE lookup
* requires a 128 kilobyte table, so perhaps this is not a big loss.
*
* Permutation representation (Jim Gillogly):
*
* A transformation is defined by its effect on each of the 8 bytes of the
* 64-bit input. For each byte we give a 64-bit output that has the bits in
* the input distributed appropriately. The transformation is then the OR
* of the 8 sets of 64-bits. This uses 8*256*8 = 16K bytes of storage for
* each transformation. Unless LARGEDATA is defined, however, a more compact
* table is used which looks up 16 4-bit "chunks" rather than 8 8-bit chunks.
* The smaller table uses 16*16*8 = 2K bytes for each transformation. This
* is slower but tolerable, particularly for password encryption in which
* the SPE transformation is iterated many times. The small tables total 9K
* bytes, the large tables total 72K bytes.
*
* The transformations used are:
* IE3264: MSB->LSB conversion, initial permutation, and expansion.
* This is done by collecting the 32 even-numbered bits and applying
* a 32->64 bit transformation, and then collecting the 32 odd-numbered
* bits and applying the same transformation. Since there are only
* 32 input bits, the IE3264 transformation table is half the size of
* the usual table.
* CF6464: Compression, final permutation, and LSB->MSB conversion.
* This is done by two trivial 48->32 bit compressions to obtain
* a 64-bit block (the bit numbering is given in the "CIFP" table)
* followed by a 64->64 bit "cleanup" transformation. (It would
* be possible to group the bits in the 64-bit block so that 2
* identical 32->32 bit transformations could be used instead,
* saving a factor of 4 in space and possibly 2 in time, but
* byte-ordering and other complications rear their ugly head.
* Similar opportunities/problems arise in the key schedule
* transforms.)
* PC1ROT: MSB->LSB, PC1 permutation, rotate, and PC2 permutation.
* This admittedly baroque 64->64 bit transformation is used to
* produce the first code (in 8*(6+2) format) of the key schedule.
* PC2ROT[0]: Inverse PC2 permutation, rotate, and PC2 permutation.
* It would be possible to define 15 more transformations, each
* with a different rotation, to generate the entire key schedule.
* To save space, however, we instead permute each code into the
* next by using a transformation that "undoes" the PC2 permutation,
* rotates the code, and then applies PC2. Unfortunately, PC2
* transforms 56 bits into 48 bits, dropping 8 bits, so PC2 is not
* invertible. We get around that problem by using a modified PC2
* which retains the 8 otherwise-lost bits in the unused low-order
* bits of each byte. The low-order bits are cleared when the
* codes are stored into the key schedule.
* PC2ROT[1]: Same as PC2ROT[0], but with two rotations.
* This is faster than applying PC2ROT[0] twice,
*
* The Bell Labs "salt" (Bob Baldwin):
*
* The salting is a simple permutation applied to the 48-bit result of E.
* Specifically, if bit i (1 <= i <= 24) of the salt is set then bits i and
* i+24 of the result are swapped. The salt is thus a 24 bit number, with
* 16777216 possible values. (The original salt was 12 bits and could not
* swap bits 13..24 with 36..48.)
*
* It is possible, but ugly, to warp the SPE table to account for the salt
* permutation. Fortunately, the conditional bit swapping requires only
* about four machine instructions and can be done on-the-fly with about an
* 8% performance penalty.
*/
typedef union {
unsigned char b[8];
struct {
int32_t i0;
int32_t i1;
} b32;
#if defined(B64)
B64 b64;
#endif
} C_block;
/*
* Convert twenty-four-bit long in host-order
* to six bits (and 2 low-order zeroes) per char little-endian format.
*/
#define TO_SIX_BIT(rslt, src) { \
C_block cvt; \
cvt.b[0] = src; src >>= 6; \
cvt.b[1] = src; src >>= 6; \
cvt.b[2] = src; src >>= 6; \
cvt.b[3] = src; \
rslt = (cvt.b32.i0 & 0x3f3f3f3fL) << 2; \
}
/*
* These macros may someday permit efficient use of 64-bit integers.
*/
#define ZERO(d,d0,d1) d0 = 0, d1 = 0
#define LOAD(d,d0,d1,bl) d0 = (bl).b32.i0, d1 = (bl).b32.i1
#define LOADREG(d,d0,d1,s,s0,s1) d0 = s0, d1 = s1
#define OR(d,d0,d1,bl) d0 |= (bl).b32.i0, d1 |= (bl).b32.i1
#define STORE(s,s0,s1,bl) (bl).b32.i0 = s0, (bl).b32.i1 = s1
#define DCL_BLOCK(d,d0,d1) int32_t d0, d1
#if defined(LARGEDATA)
/* Waste memory like crazy. Also, do permutations in line */
#define LGCHUNKBITS 3
#define CHUNKBITS (1<<LGCHUNKBITS)
#define PERM6464(d,d0,d1,cpp,p) \
LOAD(d,d0,d1,(p)[(0<<CHUNKBITS)+(cpp)[0]]); \
OR (d,d0,d1,(p)[(1<<CHUNKBITS)+(cpp)[1]]); \
OR (d,d0,d1,(p)[(2<<CHUNKBITS)+(cpp)[2]]); \
OR (d,d0,d1,(p)[(3<<CHUNKBITS)+(cpp)[3]]); \
OR (d,d0,d1,(p)[(4<<CHUNKBITS)+(cpp)[4]]); \
OR (d,d0,d1,(p)[(5<<CHUNKBITS)+(cpp)[5]]); \
OR (d,d0,d1,(p)[(6<<CHUNKBITS)+(cpp)[6]]); \
OR (d,d0,d1,(p)[(7<<CHUNKBITS)+(cpp)[7]]);
#define PERM3264(d,d0,d1,cpp,p) \
LOAD(d,d0,d1,(p)[(0<<CHUNKBITS)+(cpp)[0]]); \
OR (d,d0,d1,(p)[(1<<CHUNKBITS)+(cpp)[1]]); \
OR (d,d0,d1,(p)[(2<<CHUNKBITS)+(cpp)[2]]); \
OR (d,d0,d1,(p)[(3<<CHUNKBITS)+(cpp)[3]]);
#else
/* "small data" */
#define LGCHUNKBITS 2
#define CHUNKBITS (1<<LGCHUNKBITS)
#define PERM6464(d,d0,d1,cpp,p) \
{ C_block tblk; permute(cpp,&tblk,p,8); LOAD (d,d0,d1,tblk); }
#define PERM3264(d,d0,d1,cpp,p) \
{ C_block tblk; permute(cpp,&tblk,p,4); LOAD (d,d0,d1,tblk); }
#endif /* LARGEDATA */
STATIC init_des(void);
STATIC init_perm(C_block [64/CHUNKBITS][1<<CHUNKBITS],
const unsigned char [64], int, int);
#ifndef LARGEDATA
STATIC permute(const unsigned char *, C_block *, C_block *, int);
#endif
#ifdef DEBUG
STATIC prtab(const char *, unsigned char *, int);
#endif
#ifndef LARGEDATA
STATIC
permute(const unsigned char *cp, C_block *out, C_block *p, int chars_in)
{
DCL_BLOCK(D,D0,D1);
C_block *tp;
int t;
ZERO(D,D0,D1);
do {
t = *cp++;
tp = &p[t&0xf]; OR(D,D0,D1,*tp); p += (1<<CHUNKBITS);
tp = &p[t>>4]; OR(D,D0,D1,*tp); p += (1<<CHUNKBITS);
} while (--chars_in > 0);
STORE(D,D0,D1,*out);
}
#endif /* LARGEDATA */
/* ===== (mostly) Standard DES Tables ==================== */
static const unsigned char IP[] = { /* initial permutation */
58, 50, 42, 34, 26, 18, 10, 2,
60, 52, 44, 36, 28, 20, 12, 4,
62, 54, 46, 38, 30, 22, 14, 6,
64, 56, 48, 40, 32, 24, 16, 8,
57, 49, 41, 33, 25, 17, 9, 1,
59, 51, 43, 35, 27, 19, 11, 3,
61, 53, 45, 37, 29, 21, 13, 5,
63, 55, 47, 39, 31, 23, 15, 7,
};
/* The final permutation is the inverse of IP - no table is necessary */
static const unsigned char ExpandTr[] = { /* expansion operation */
32, 1, 2, 3, 4, 5,
4, 5, 6, 7, 8, 9,
8, 9, 10, 11, 12, 13,
12, 13, 14, 15, 16, 17,
16, 17, 18, 19, 20, 21,
20, 21, 22, 23, 24, 25,
24, 25, 26, 27, 28, 29,
28, 29, 30, 31, 32, 1,
};
static const unsigned char PC1[] = { /* permuted choice table 1 */
57, 49, 41, 33, 25, 17, 9,
1, 58, 50, 42, 34, 26, 18,
10, 2, 59, 51, 43, 35, 27,
19, 11, 3, 60, 52, 44, 36,
63, 55, 47, 39, 31, 23, 15,
7, 62, 54, 46, 38, 30, 22,
14, 6, 61, 53, 45, 37, 29,
21, 13, 5, 28, 20, 12, 4,
};
static const unsigned char Rotates[] = {/* PC1 rotation schedule */
1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1,
};
/* note: each "row" of PC2 is left-padded with bits that make it invertible */
static const unsigned char PC2[] = { /* permuted choice table 2 */
9, 18, 14, 17, 11, 24, 1, 5,
22, 25, 3, 28, 15, 6, 21, 10,
35, 38, 23, 19, 12, 4, 26, 8,
43, 54, 16, 7, 27, 20, 13, 2,
0, 0, 41, 52, 31, 37, 47, 55,
0, 0, 30, 40, 51, 45, 33, 48,
0, 0, 44, 49, 39, 56, 34, 53,
0, 0, 46, 42, 50, 36, 29, 32,
};
static const unsigned char S[8][64] = { /* 48->32 bit substitution tables */
/* S[1] */
{ 14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7,
0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8,
4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0,
15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13 },
/* S[2] */
{ 15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10,
3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5,
0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15,
13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9 },
/* S[3] */
{ 10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8,
13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1,
13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7,
1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12 },
/* S[4] */
{ 7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15,
13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9,
10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4,
3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14 },
/* S[5] */
{ 2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9,
14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6,
4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14,
11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3 },
/* S[6] */
{ 12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11,
10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8,
9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6,
4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13 },
/* S[7] */
{ 4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1,
13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6,
1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2,
6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12 },
/* S[8] */
{ 13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7,
1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2,
7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8,
2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11 }
};
static const unsigned char P32Tr[] = { /* 32-bit permutation function */
16, 7, 20, 21,
29, 12, 28, 17,
1, 15, 23, 26,
5, 18, 31, 10,
2, 8, 24, 14,
32, 27, 3, 9,
19, 13, 30, 6,
22, 11, 4, 25,
};
static const unsigned char CIFP[] = { /* compressed/interleaved permutation */
1, 2, 3, 4, 17, 18, 19, 20,
5, 6, 7, 8, 21, 22, 23, 24,
9, 10, 11, 12, 25, 26, 27, 28,
13, 14, 15, 16, 29, 30, 31, 32,
33, 34, 35, 36, 49, 50, 51, 52,
37, 38, 39, 40, 53, 54, 55, 56,
41, 42, 43, 44, 57, 58, 59, 60,
45, 46, 47, 48, 61, 62, 63, 64,
};
static const unsigned char itoa64[] = /* 0..63 => ascii-64 */
"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
/* ===== Tables that are initialized at run time ==================== */
/* Initial key schedule permutation */
static C_block PC1ROT[64/CHUNKBITS][1<<CHUNKBITS];
/* Subsequent key schedule rotation permutations */
static C_block PC2ROT[2][64/CHUNKBITS][1<<CHUNKBITS];
/* Initial permutation/expansion table */
static C_block IE3264[32/CHUNKBITS][1<<CHUNKBITS];
/* Table that combines the S, P, and E operations. */
static int32_t SPE[2][8][64];
/* compressed/interleaved => final permutation table */
static C_block CF6464[64/CHUNKBITS][1<<CHUNKBITS];
/* ==================================== */
static C_block constdatablock; /* encryption constant */
static char cryptresult[1+4+4+11+1]; /* encrypted result */
/*
* We match the behavior of UFC-crypt on systems where "char" is signed by
* default (the majority), regardless of char's signedness on our system.
*/
static inline int
ascii_to_bin(char ch)
{
signed char sch = ch;
int retval;
if (sch >= 'a')
retval = sch - ('a' - 38);
else if (sch >= 'A')
retval = sch - ('A' - 12);
else
retval = sch - '.';
return retval & 0x3f;
}
/*
* When we choose to "support" invalid salts, nevertheless disallow those
* containing characters that would violate the passwd file format.
*/
static inline int
ascii_is_unsafe(char ch)
{
return !ch || ch == '\n' || ch == ':';
}
/*
* We extract the scheme from setting str to allow for
* full scheme name comparison
* Updated to reflect alc suggestion(s)
*
* returns boolean 0 on failure, 1 on success,
*/
static int
nondes_scheme_substr(const char * setting,char * scheme, unsigned int len)
{
const char * start;
const char * sep;
/* initialize head pointer */
start = setting;
/* clear out scheme buffer regardless of result */
memset(scheme, 0, len);
/* make sure we are working on non-des scheme string */
if (*start != _PASSWORD_NONDES) {
return 0;
}
/* increment passed initial _PASSWORD_NONDES */
start++;
if ((sep = memchr(start, _PASSWORD_NONDES,len-1)) == NULL) {
return 0;
}
/* if empty string, we are done */
if (sep == start) {
return 1;
}
/* copy scheme substr to buffer */
memcpy(scheme, start, (size_t)(sep - start));
return 1;
}
/*
* Return a pointer to static data consisting of the "setting"
* followed by an encryption produced by the "key" and "setting".
*/
static char *
__crypt(const char *key, const char *setting)
{
char *encp;
char scheme[12];
int32_t i;
int t;
int r;
int32_t salt;
int num_iter, salt_size;
C_block keyblock, rsltblock;
/* Non-DES encryption schemes hook in here. */
if (setting[0] == _PASSWORD_NONDES) {
r = nondes_scheme_substr(
setting, scheme, sizeof(scheme));
/* return NULL if we are unable to extract substring */
if (!r) {
return NULL;
}
/* $2a$ found in bcrypt.c:encode_salt */
if (strcmp(scheme, "2a") == 0) {
return (__bcrypt(key, setting));
} else if (strcmp(scheme, "sha1") == 0) {
/* $sha1$ found in crypt.h:SHA1_MAGIC */
return (__crypt_sha1(key, setting));
} else if (strcmp(scheme, "1") == 0) {
/* $1$ found in pw_gensalt.c:__gensalt_md5 */
return (__md5crypt(key, setting));
#ifdef HAVE_ARGON2
/* explicit argon2 variant */
} else if (strcmp(scheme, "argon2id") == 0) {
/* $argon2id$ found in pw_gensalt.c:__gensalt_argon2 */
return (__crypt_argon2(key, setting));
} else if (strcmp(scheme, "argon2i") == 0) {
/* $argon2i$ found in pw_gensalt.c:__gensalt_argon2 */
return (__crypt_argon2(key, setting));
} else if (strcmp(scheme, "argon2d") == 0) {
/* $argon2d$ found in pw_gensalt.c:__gensalt_argon2 */
return (__crypt_argon2(key, setting));
#endif /* HAVE_ARGON2 */
} else {
/* invalid scheme, including empty string */
return NULL;
}
}
/* End non-DES handling */
for (i = 0; i < 8; i++) {
if ((t = 2*(unsigned char)(*key)) != 0)
key++;
keyblock.b[i] = t;
}
if (des_setkey((char *)keyblock.b))
return (NULL);
encp = &cryptresult[0];
switch (*setting) {
case _PASSWORD_EFMT1:
/*
* Involve the rest of the password 8 characters at a time.
*/
while (*key) {
if (des_cipher((char *)(void *)&keyblock,
(char *)(void *)&keyblock, 0L, 1))
return (NULL);
for (i = 0; i < 8; i++) {
if ((t = 2*(unsigned char)(*key)) != 0)
key++;
keyblock.b[i] ^= t;
}
if (des_setkey((char *)keyblock.b))
return (NULL);
}
*encp++ = *setting++;
/* get iteration count */
num_iter = 0;
for (i = 4; --i >= 0; ) {
int value = ascii_to_bin(setting[i]);
if (itoa64[value] != setting[i])
return NULL;
encp[i] = setting[i];
num_iter = (num_iter << 6) | value;
}
if (num_iter == 0)
return NULL;
setting += 4;
encp += 4;
salt_size = 4;
break;
default:
num_iter = 25;
salt_size = 2;
if (ascii_is_unsafe(setting[0]) || ascii_is_unsafe(setting[1]))
return NULL;
}
salt = 0;
for (i = salt_size; --i >= 0; ) {
int value = ascii_to_bin(setting[i]);
if (salt_size > 2 && itoa64[value] != setting[i])
return NULL;
encp[i] = setting[i];
salt = (salt << 6) | value;
}
encp += salt_size;
if (des_cipher((char *)(void *)&constdatablock,
(char *)(void *)&rsltblock, salt, num_iter))
return (NULL);
/*
* Encode the 64 cipher bits as 11 ascii characters.
*/
i = ((int32_t)((rsltblock.b[0]<<8) | rsltblock.b[1])<<8) |
rsltblock.b[2];
encp[3] = itoa64[i&0x3f]; i >>= 6;
encp[2] = itoa64[i&0x3f]; i >>= 6;
encp[1] = itoa64[i&0x3f]; i >>= 6;
encp[0] = itoa64[i]; encp += 4;
i = ((int32_t)((rsltblock.b[3]<<8) | rsltblock.b[4])<<8) |
rsltblock.b[5];
encp[3] = itoa64[i&0x3f]; i >>= 6;
encp[2] = itoa64[i&0x3f]; i >>= 6;
encp[1] = itoa64[i&0x3f]; i >>= 6;
encp[0] = itoa64[i]; encp += 4;
i = ((int32_t)((rsltblock.b[6])<<8) | rsltblock.b[7])<<2;
encp[2] = itoa64[i&0x3f]; i >>= 6;
encp[1] = itoa64[i&0x3f]; i >>= 6;
encp[0] = itoa64[i];
encp[3] = 0;
return (cryptresult);
}
char *
crypt(const char *key, const char *salt)
{
char *res = __crypt(key, salt);
if (res)
return res;
/* How do I handle errors ? Return "*0" or "*1" */
return __UNCONST(salt[0] == '*' && salt[1] == '0' ? "*1" : "*0");
}
/*
* The Key Schedule, filled in by des_setkey() or setkey().
*/
#define KS_SIZE 16
static C_block KS[KS_SIZE];
/*
* Set up the key schedule from the key.
*/
int
des_setkey(const char *key)
{
DCL_BLOCK(K, K0, K1);
C_block *help, *ptabp;
int i;
static int des_ready = 0;
if (!des_ready) {
init_des();
des_ready = 1;
}
PERM6464(K,K0,K1,(const unsigned char *)key,(C_block *)PC1ROT);
help = &KS[0];
STORE(K&~0x03030303L, K0&~0x03030303L, K1, *help);
for (i = 1; i < 16; i++) {
help++;
STORE(K,K0,K1,*help);
ptabp = (C_block *)PC2ROT[Rotates[i]-1];
PERM6464(K,K0,K1,(const unsigned char *)help,ptabp);
STORE(K&~0x03030303L, K0&~0x03030303L, K1, *help);
}
return (0);
}
/*
* Encrypt (or decrypt if num_iter < 0) the 8 chars at "in" with abs(num_iter)
* iterations of DES, using the given 24-bit salt and the pre-computed key
* schedule, and store the resulting 8 chars at "out" (in == out is permitted).
*
* NOTE: the performance of this routine is critically dependent on your
* compiler and machine architecture.
*/
int
des_cipher(const char *in, char *out, long salt, int num_iter)
{
/* variables that we want in registers, most important first */
#if defined(pdp11)
int j;
#endif
int32_t L0, L1, R0, R1, k;
C_block *kp;
int ks_inc, loop_count;
C_block B;
L0 = salt;
TO_SIX_BIT(salt, L0); /* convert to 4*(6+2) format */
#if defined(__vax__) || defined(pdp11)
salt = ~salt; /* "x &~ y" is faster than "x & y". */
#define SALT (~salt)
#else
#define SALT salt
#endif
#if defined(MUST_ALIGN)
B.b[0] = in[0]; B.b[1] = in[1]; B.b[2] = in[2]; B.b[3] = in[3];
B.b[4] = in[4]; B.b[5] = in[5]; B.b[6] = in[6]; B.b[7] = in[7];
LOAD(L,L0,L1,B);
#else
LOAD(L,L0,L1,*(const C_block *)in);
#endif
LOADREG(R,R0,R1,L,L0,L1);
L0 &= 0x55555555L;
L1 &= 0x55555555L;
L0 = ((uint32_t)L0 << 1) | L1; /* L0 is the even-numbered input bits */
R0 &= 0xaaaaaaaaL;
R1 = ((uint32_t)R1 >> 1) & 0x55555555L;
L1 = R0 | R1; /* L1 is the odd-numbered input bits */
STORE(L,L0,L1,B);
PERM3264(L,L0,L1,B.b, (C_block *)IE3264); /* even bits */
PERM3264(R,R0,R1,B.b+4,(C_block *)IE3264); /* odd bits */
if (num_iter >= 0)
{ /* encryption */
kp = &KS[0];
ks_inc = sizeof(*kp);
}
else
{ /* decryption */
num_iter = -num_iter;
kp = &KS[KS_SIZE-1];
ks_inc = -(long)sizeof(*kp);
}
while (--num_iter >= 0) {
loop_count = 8;
do {
#define SPTAB(t, i) \
(*(int32_t *)((unsigned char *)t + i*(sizeof(int32_t)/4)))
#if defined(gould)
/* use this if B.b[i] is evaluated just once ... */
#define DOXOR(x,y,i) x^=SPTAB(SPE[0][i],B.b[i]); y^=SPTAB(SPE[1][i],B.b[i]);
#else
#if defined(pdp11)
/* use this if your "long" int indexing is slow */
#define DOXOR(x,y,i) j=B.b[i]; x^=SPTAB(SPE[0][i],j); y^=SPTAB(SPE[1][i],j);
#else
/* use this if "k" is allocated to a register ... */
#define DOXOR(x,y,i) k=B.b[i]; x^=SPTAB(SPE[0][i],k); y^=SPTAB(SPE[1][i],k);
#endif
#endif
#define CRUNCH(p0, p1, q0, q1) \
k = (q0 ^ q1) & SALT; \
B.b32.i0 = k ^ q0 ^ kp->b32.i0; \
B.b32.i1 = k ^ q1 ^ kp->b32.i1; \
kp = (C_block *)((char *)kp+ks_inc); \
\
DOXOR(p0, p1, 0); \
DOXOR(p0, p1, 1); \
DOXOR(p0, p1, 2); \
DOXOR(p0, p1, 3); \
DOXOR(p0, p1, 4); \
DOXOR(p0, p1, 5); \
DOXOR(p0, p1, 6); \
DOXOR(p0, p1, 7);
CRUNCH(L0, L1, R0, R1);
CRUNCH(R0, R1, L0, L1);
} while (--loop_count != 0);
kp = (C_block *)((char *)kp-(ks_inc*KS_SIZE));
/* swap L and R */
L0 ^= R0; L1 ^= R1;
R0 ^= L0; R1 ^= L1;
L0 ^= R0; L1 ^= R1;
}
/* store the encrypted (or decrypted) result */
L0 = (((uint32_t)L0 >> 3) & 0x0f0f0f0fL) | (((uint32_t)L1 << 1) & 0xf0f0f0f0L);
L1 = (((uint32_t)R0 >> 3) & 0x0f0f0f0fL) | (((uint32_t)R1 << 1) & 0xf0f0f0f0L);
STORE(L,L0,L1,B);
PERM6464(L,L0,L1,B.b, (C_block *)CF6464);
#if defined(MUST_ALIGN)
STORE(L,L0,L1,B);
out[0] = B.b[0]; out[1] = B.b[1]; out[2] = B.b[2]; out[3] = B.b[3];
out[4] = B.b[4]; out[5] = B.b[5]; out[6] = B.b[6]; out[7] = B.b[7];
#else
STORE(L,L0,L1,*(C_block *)out);
#endif
return (0);
}
/*
* Initialize various tables. This need only be done once. It could even be
* done at compile time, if the compiler were capable of that sort of thing.
*/
STATIC
init_des(void)
{
int i, j;
int32_t k;
int tableno;
static unsigned char perm[64], tmp32[32]; /* "static" for speed */
/*
* PC1ROT - bit reverse, then PC1, then Rotate, then PC2.
*/
for (i = 0; i < 64; i++)
perm[i] = 0;
for (i = 0; i < 64; i++) {
if ((k = PC2[i]) == 0)
continue;
k += Rotates[0]-1;
if ((k%28) < Rotates[0]) k -= 28;
k = PC1[k];
if (k > 0) {
k--;
k = (k|07) - (k&07);
k++;
}
perm[i] = k;
}
#ifdef DEBUG
prtab("pc1tab", perm, 8);
#endif
init_perm(PC1ROT, perm, 8, 8);
/*
* PC2ROT - PC2 inverse, then Rotate (once or twice), then PC2.
*/
for (j = 0; j < 2; j++) {
unsigned char pc2inv[64];
for (i = 0; i < 64; i++)
perm[i] = pc2inv[i] = 0;
for (i = 0; i < 64; i++) {
if ((k = PC2[i]) == 0)
continue;
pc2inv[k-1] = i+1;
}
for (i = 0; i < 64; i++) {
if ((k = PC2[i]) == 0)
continue;
k += j;
if ((k%28) <= j) k -= 28;
perm[i] = pc2inv[k];
}
#ifdef DEBUG
prtab("pc2tab", perm, 8);
#endif
init_perm(PC2ROT[j], perm, 8, 8);
}
/*
* Bit reverse, then initial permutation, then expansion.
*/
for (i = 0; i < 8; i++) {
for (j = 0; j < 8; j++) {
k = (j < 2)? 0: IP[ExpandTr[i*6+j-2]-1];
if (k > 32)
k -= 32;
else if (k > 0)
k--;
if (k > 0) {
k--;
k = (k|07) - (k&07);
k++;
}
perm[i*8+j] = k;
}
}
#ifdef DEBUG
prtab("ietab", perm, 8);
#endif
init_perm(IE3264, perm, 4, 8);
/*
* Compression, then final permutation, then bit reverse.
*/
for (i = 0; i < 64; i++) {
k = IP[CIFP[i]-1];
if (k > 0) {
k--;
k = (k|07) - (k&07);
k++;
}
perm[k-1] = i+1;
}
#ifdef DEBUG
prtab("cftab", perm, 8);
#endif
init_perm(CF6464, perm, 8, 8);
/*
* SPE table
*/
for (i = 0; i < 48; i++)
perm[i] = P32Tr[ExpandTr[i]-1];
for (tableno = 0; tableno < 8; tableno++) {
for (j = 0; j < 64; j++) {
k = (((j >> 0) &01) << 5)|
(((j >> 1) &01) << 3)|
(((j >> 2) &01) << 2)|
(((j >> 3) &01) << 1)|
(((j >> 4) &01) << 0)|
(((j >> 5) &01) << 4);
k = S[tableno][k];
k = (((k >> 3)&01) << 0)|
(((k >> 2)&01) << 1)|
(((k >> 1)&01) << 2)|
(((k >> 0)&01) << 3);
for (i = 0; i < 32; i++)
tmp32[i] = 0;
for (i = 0; i < 4; i++)
tmp32[4 * tableno + i] = (k >> i) & 01;
k = 0;
for (i = 24; --i >= 0; )
k = (k<<1) | tmp32[perm[i]-1];
TO_SIX_BIT(SPE[0][tableno][j], k);
k = 0;
for (i = 24; --i >= 0; )
k = (k<<1) | tmp32[perm[i+24]-1];
TO_SIX_BIT(SPE[1][tableno][j], k);
}
}
}
/*
* Initialize "perm" to represent transformation "p", which rearranges
* (perhaps with expansion and/or contraction) one packed array of bits
* (of size "chars_in" characters) into another array (of size "chars_out"
* characters).
*
* "perm" must be all-zeroes on entry to this routine.
*/
STATIC
init_perm(C_block perm[64/CHUNKBITS][1<<CHUNKBITS], const unsigned char p[64],
int chars_in, int chars_out)
{
int i, j, k, l;
for (k = 0; k < chars_out*8; k++) { /* each output bit position */
l = p[k] - 1; /* where this bit comes from */
if (l < 0)
continue; /* output bit is always 0 */
i = l>>LGCHUNKBITS; /* which chunk this bit comes from */
l = 1<<(l&(CHUNKBITS-1)); /* mask for this bit */
for (j = 0; j < (1<<CHUNKBITS); j++) { /* each chunk value */
if ((j & l) != 0)
perm[i][j].b[k>>3] |= 1<<(k&07);
}
}
}
/*
* "setkey" routine (for backwards compatibility)
*/
int
setkey(const char *key)
{
int i, j, k;
C_block keyblock;
for (i = 0; i < 8; i++) {
k = 0;
for (j = 0; j < 8; j++) {
k <<= 1;
k |= (unsigned char)*key++;
}
keyblock.b[i] = k;
}
return (des_setkey((char *)keyblock.b));
}
/*
* "encrypt" routine (for backwards compatibility)
*/
int
encrypt(char *block, int flag)
{
int i, j, k;
C_block cblock;
for (i = 0; i < 8; i++) {
k = 0;
for (j = 0; j < 8; j++) {
k <<= 1;
k |= (unsigned char)*block++;
}
cblock.b[i] = k;
}
if (des_cipher((char *)&cblock, (char *)&cblock, 0L, (flag ? -1: 1)))
return (1);
for (i = 7; i >= 0; i--) {
k = cblock.b[i];
for (j = 7; j >= 0; j--) {
*--block = k&01;
k >>= 1;
}
}
return (0);
}
#ifdef DEBUG
STATIC
prtab(const char *s, unsigned char *t, int num_rows)
{
int i, j;
(void)printf("%s:\n", s);
for (i = 0; i < num_rows; i++) {
for (j = 0; j < 8; j++) {
(void)printf("%3d", t[i*8+j]);
}
(void)printf("\n");
}
(void)printf("\n");
}
#endif
#if defined(MAIN) || defined(UNIT_TEST)
#include <err.h>
int
main(int argc, char *argv[])
{
if (argc < 2) {
fprintf(stderr, "Usage: %s password [salt]\n", getprogname());
return EXIT_FAILURE;
}
printf("%s\n", crypt(argv[1], (argc > 2) ? argv[2] : argv[1]));
return EXIT_SUCCESS;
}
#endif