|
Packit |
13e0ca |
/*
|
|
Packit |
13e0ca |
* FreeSec: libcrypt for NetBSD
|
|
Packit |
13e0ca |
*
|
|
Packit |
13e0ca |
* Copyright (c) 1994 David Burren
|
|
Packit |
13e0ca |
* All rights reserved.
|
|
Packit |
13e0ca |
*
|
|
Packit |
13e0ca |
* Adapted for FreeBSD-2.0 by Geoffrey M. Rehmet
|
|
Packit |
13e0ca |
* this file should now *only* export crypt(), in order to make
|
|
Packit |
13e0ca |
* binaries of libcrypt exportable from the USA
|
|
Packit |
13e0ca |
*
|
|
Packit |
13e0ca |
* Adapted for FreeBSD-4.0 by Mark R V Murray
|
|
Packit |
13e0ca |
* this file should now *only* export crypt_des(), in order to make
|
|
Packit |
13e0ca |
* a module that can be optionally included in libcrypt.
|
|
Packit |
13e0ca |
*
|
|
Packit |
13e0ca |
* Adapted for libxcrypt by Zack Weinberg, 2017
|
|
Packit |
13e0ca |
* writable global data eliminated; type-punning eliminated;
|
|
Packit |
13e0ca |
* des_init() run at build time (see des-mktables.c);
|
|
Packit |
13e0ca |
* made into a libxcrypt algorithm module (see des-crypt.c);
|
|
Packit |
13e0ca |
* functionality required to support the legacy encrypt() and
|
|
Packit |
13e0ca |
* setkey() primitives re-exposed (see des-obsolete.c).
|
|
Packit |
13e0ca |
*
|
|
Packit |
13e0ca |
* Redistribution and use in source and binary forms, with or without
|
|
Packit |
13e0ca |
* modification, are permitted provided that the following conditions
|
|
Packit |
13e0ca |
* are met:
|
|
Packit |
13e0ca |
* 1. Redistributions of source code must retain the above copyright
|
|
Packit |
13e0ca |
* notice, this list of conditions and the following disclaimer.
|
|
Packit |
13e0ca |
* 2. Redistributions in binary form must reproduce the above copyright
|
|
Packit |
13e0ca |
* notice, this list of conditions and the following disclaimer in the
|
|
Packit |
13e0ca |
* documentation and/or other materials provided with the distribution.
|
|
Packit |
13e0ca |
* 3. Neither the name of the author nor the names of other contributors
|
|
Packit |
13e0ca |
* may be used to endorse or promote products derived from this software
|
|
Packit |
13e0ca |
* without specific prior written permission.
|
|
Packit |
13e0ca |
*
|
|
Packit |
13e0ca |
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
|
Packit |
13e0ca |
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
Packit |
13e0ca |
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
Packit |
13e0ca |
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
|
Packit |
13e0ca |
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
Packit |
13e0ca |
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
Packit |
13e0ca |
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
Packit |
13e0ca |
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
Packit |
13e0ca |
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
Packit |
13e0ca |
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
Packit |
13e0ca |
* SUCH DAMAGE.
|
|
Packit |
13e0ca |
*
|
|
Packit |
13e0ca |
* This is an original implementation of the DES and the crypt(3) interfaces
|
|
Packit |
13e0ca |
* by David Burren <davidb@werj.com.au>.
|
|
Packit |
13e0ca |
*
|
|
Packit |
13e0ca |
* An excellent reference on the underlying algorithm (and related
|
|
Packit |
13e0ca |
* algorithms) is:
|
|
Packit |
13e0ca |
*
|
|
Packit |
13e0ca |
* B. Schneier, Applied Cryptography: protocols, algorithms,
|
|
Packit |
13e0ca |
* and source code in C, John Wiley & Sons, 1994.
|
|
Packit |
13e0ca |
*
|
|
Packit |
13e0ca |
* Note that in that book's description of DES the lookups for the initial,
|
|
Packit |
13e0ca |
* pbox, and final permutations are inverted (this has been brought to the
|
|
Packit |
13e0ca |
* attention of the author). A list of errata for this book has been
|
|
Packit |
13e0ca |
* posted to the sci.crypt newsgroup by the author and is available for FTP.
|
|
Packit |
13e0ca |
*/
|
|
Packit |
13e0ca |
|
|
Packit |
13e0ca |
#include "crypt-port.h"
|
|
Packit |
13e0ca |
|
|
Packit |
13e0ca |
#if INCLUDE_des || INCLUDE_des_big || INCLUDE_des_xbsd
|
|
Packit |
13e0ca |
|
|
Packit |
13e0ca |
#include "alg-des.h"
|
|
Packit |
13e0ca |
#include "byteorder.h"
|
|
Packit |
13e0ca |
|
|
Packit |
13e0ca |
static const uint8_t key_shifts[16] =
|
|
Packit |
13e0ca |
{
|
|
Packit |
13e0ca |
1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1
|
|
Packit |
13e0ca |
};
|
|
Packit |
13e0ca |
|
|
Packit |
13e0ca |
void
|
|
Packit |
13e0ca |
des_set_key (struct des_ctx *restrict ctx, const unsigned char *key)
|
|
Packit |
13e0ca |
{
|
|
Packit |
13e0ca |
uint32_t rawkey0, rawkey1, k0, k1, t0, t1;
|
|
Packit |
13e0ca |
int shifts, round;
|
|
Packit |
13e0ca |
|
|
Packit |
13e0ca |
rawkey0 = be32_to_cpu (key);
|
|
Packit |
13e0ca |
rawkey1 = be32_to_cpu (key + 4);
|
|
Packit |
13e0ca |
|
|
Packit |
13e0ca |
/* Do key permutation and split into two 28-bit subkeys. */
|
|
Packit |
13e0ca |
k0 = key_perm_maskl[0][rawkey0 >> 25]
|
|
Packit |
13e0ca |
| key_perm_maskl[1][(rawkey0 >> 17) & 0x7f]
|
|
Packit |
13e0ca |
| key_perm_maskl[2][(rawkey0 >> 9) & 0x7f]
|
|
Packit |
13e0ca |
| key_perm_maskl[3][(rawkey0 >> 1) & 0x7f]
|
|
Packit |
13e0ca |
| key_perm_maskl[4][rawkey1 >> 25]
|
|
Packit |
13e0ca |
| key_perm_maskl[5][(rawkey1 >> 17) & 0x7f]
|
|
Packit |
13e0ca |
| key_perm_maskl[6][(rawkey1 >> 9) & 0x7f]
|
|
Packit |
13e0ca |
| key_perm_maskl[7][(rawkey1 >> 1) & 0x7f];
|
|
Packit |
13e0ca |
k1 = key_perm_maskr[0][rawkey0 >> 25]
|
|
Packit |
13e0ca |
| key_perm_maskr[1][(rawkey0 >> 17) & 0x7f]
|
|
Packit |
13e0ca |
| key_perm_maskr[2][(rawkey0 >> 9) & 0x7f]
|
|
Packit |
13e0ca |
| key_perm_maskr[3][(rawkey0 >> 1) & 0x7f]
|
|
Packit |
13e0ca |
| key_perm_maskr[4][rawkey1 >> 25]
|
|
Packit |
13e0ca |
| key_perm_maskr[5][(rawkey1 >> 17) & 0x7f]
|
|
Packit |
13e0ca |
| key_perm_maskr[6][(rawkey1 >> 9) & 0x7f]
|
|
Packit |
13e0ca |
| key_perm_maskr[7][(rawkey1 >> 1) & 0x7f];
|
|
Packit |
13e0ca |
|
|
Packit |
13e0ca |
/* Rotate subkeys and do compression permutation. */
|
|
Packit |
13e0ca |
shifts = 0;
|
|
Packit |
13e0ca |
for (round = 0; round < 16; round++)
|
|
Packit |
13e0ca |
{
|
|
Packit |
13e0ca |
shifts += key_shifts[round];
|
|
Packit |
13e0ca |
|
|
Packit |
13e0ca |
t0 = (k0 << shifts) | (k0 >> (28 - shifts));
|
|
Packit |
13e0ca |
t1 = (k1 << shifts) | (k1 >> (28 - shifts));
|
|
Packit |
13e0ca |
|
|
Packit |
13e0ca |
ctx->keysl[round] =
|
|
Packit |
13e0ca |
comp_maskl[0][(t0 >> 21) & 0x7f]
|
|
Packit |
13e0ca |
| comp_maskl[1][(t0 >> 14) & 0x7f]
|
|
Packit |
13e0ca |
| comp_maskl[2][(t0 >> 7) & 0x7f]
|
|
Packit |
13e0ca |
| comp_maskl[3][(t0 >> 0) & 0x7f]
|
|
Packit |
13e0ca |
| comp_maskl[4][(t1 >> 21) & 0x7f]
|
|
Packit |
13e0ca |
| comp_maskl[5][(t1 >> 14) & 0x7f]
|
|
Packit |
13e0ca |
| comp_maskl[6][(t1 >> 7) & 0x7f]
|
|
Packit |
13e0ca |
| comp_maskl[7][(t1 >> 0) & 0x7f];
|
|
Packit |
13e0ca |
|
|
Packit |
13e0ca |
ctx->keysr[round] =
|
|
Packit |
13e0ca |
comp_maskr[0][(t0 >> 21) & 0x7f]
|
|
Packit |
13e0ca |
| comp_maskr[1][(t0 >> 14) & 0x7f]
|
|
Packit |
13e0ca |
| comp_maskr[2][(t0 >> 7) & 0x7f]
|
|
Packit |
13e0ca |
| comp_maskr[3][(t0 >> 0) & 0x7f]
|
|
Packit |
13e0ca |
| comp_maskr[4][(t1 >> 21) & 0x7f]
|
|
Packit |
13e0ca |
| comp_maskr[5][(t1 >> 14) & 0x7f]
|
|
Packit |
13e0ca |
| comp_maskr[6][(t1 >> 7) & 0x7f]
|
|
Packit |
13e0ca |
| comp_maskr[7][(t1 >> 0) & 0x7f];
|
|
Packit |
13e0ca |
}
|
|
Packit |
13e0ca |
}
|
|
Packit |
13e0ca |
|
|
Packit |
13e0ca |
void
|
|
Packit |
13e0ca |
des_set_salt (struct des_ctx *restrict ctx, uint32_t salt)
|
|
Packit |
13e0ca |
{
|
|
Packit |
13e0ca |
uint32_t obit, saltbit, saltbits;
|
|
Packit |
13e0ca |
int i;
|
|
Packit |
13e0ca |
saltbits = 0L;
|
|
Packit |
13e0ca |
saltbit = 1;
|
|
Packit |
13e0ca |
obit = 0x800000;
|
|
Packit |
13e0ca |
for (i = 0; i < 24; i++)
|
|
Packit |
13e0ca |
{
|
|
Packit |
13e0ca |
if (salt & saltbit)
|
|
Packit |
13e0ca |
saltbits |= obit;
|
|
Packit |
13e0ca |
saltbit <<= 1;
|
|
Packit |
13e0ca |
obit >>= 1;
|
|
Packit |
13e0ca |
}
|
|
Packit |
13e0ca |
ctx->saltbits = saltbits;
|
|
Packit |
13e0ca |
}
|
|
Packit |
13e0ca |
|
|
Packit |
13e0ca |
void
|
|
Packit |
13e0ca |
des_crypt_block (struct des_ctx *restrict ctx,
|
|
Packit |
13e0ca |
unsigned char *out, const unsigned char *in,
|
|
Packit |
13e0ca |
unsigned int count, bool decrypt)
|
|
Packit |
13e0ca |
{
|
|
Packit |
13e0ca |
uint32_t l_in, r_in, l_out, r_out;
|
|
Packit |
13e0ca |
uint32_t l, r, *kl, *kr, *kl1, *kr1;
|
|
Packit |
13e0ca |
uint32_t f, r48l, r48r;
|
|
Packit |
13e0ca |
uint32_t saltbits = ctx->saltbits;
|
|
Packit |
13e0ca |
int round, rk_step;
|
|
Packit |
13e0ca |
|
|
Packit |
13e0ca |
/* Zero encryptions/decryptions doesn't make sense. */
|
|
Packit |
13e0ca |
if (count == 0)
|
|
Packit |
13e0ca |
count = 1;
|
|
Packit |
13e0ca |
|
|
Packit |
13e0ca |
if (decrypt)
|
|
Packit |
13e0ca |
{
|
|
Packit |
13e0ca |
kl1 = ctx->keysl + 15;
|
|
Packit |
13e0ca |
kr1 = ctx->keysr + 15;
|
|
Packit |
13e0ca |
rk_step = -1;
|
|
Packit |
13e0ca |
}
|
|
Packit |
13e0ca |
else
|
|
Packit |
13e0ca |
{
|
|
Packit |
13e0ca |
kl1 = ctx->keysl;
|
|
Packit |
13e0ca |
kr1 = ctx->keysr;
|
|
Packit |
13e0ca |
rk_step = 1;
|
|
Packit |
13e0ca |
}
|
|
Packit |
13e0ca |
|
|
Packit |
13e0ca |
/* Read the input, which is notionally in "big-endian" format. */
|
|
Packit |
13e0ca |
l_in = be32_to_cpu (in);
|
|
Packit |
13e0ca |
r_in = be32_to_cpu (in + 4);
|
|
Packit |
13e0ca |
|
|
Packit |
13e0ca |
/* Do initial permutation. */
|
|
Packit |
13e0ca |
l = ip_maskl[0][(l_in >> 24) & 0xff]
|
|
Packit |
13e0ca |
| ip_maskl[1][(l_in >> 16) & 0xff]
|
|
Packit |
13e0ca |
| ip_maskl[2][(l_in >> 8) & 0xff]
|
|
Packit |
13e0ca |
| ip_maskl[3][(l_in >> 0) & 0xff]
|
|
Packit |
13e0ca |
| ip_maskl[4][(r_in >> 24) & 0xff]
|
|
Packit |
13e0ca |
| ip_maskl[5][(r_in >> 16) & 0xff]
|
|
Packit |
13e0ca |
| ip_maskl[6][(r_in >> 8) & 0xff]
|
|
Packit |
13e0ca |
| ip_maskl[7][(r_in >> 0) & 0xff];
|
|
Packit |
13e0ca |
r = ip_maskr[0][(l_in >> 24) & 0xff]
|
|
Packit |
13e0ca |
| ip_maskr[1][(l_in >> 16) & 0xff]
|
|
Packit |
13e0ca |
| ip_maskr[2][(l_in >> 8) & 0xff]
|
|
Packit |
13e0ca |
| ip_maskr[3][(l_in >> 0) & 0xff]
|
|
Packit |
13e0ca |
| ip_maskr[4][(r_in >> 24) & 0xff]
|
|
Packit |
13e0ca |
| ip_maskr[5][(r_in >> 16) & 0xff]
|
|
Packit |
13e0ca |
| ip_maskr[6][(r_in >> 8) & 0xff]
|
|
Packit |
13e0ca |
| ip_maskr[7][(r_in >> 0) & 0xff];
|
|
Packit |
13e0ca |
|
|
Packit |
13e0ca |
do
|
|
Packit |
13e0ca |
{
|
|
Packit |
13e0ca |
kl = kl1;
|
|
Packit |
13e0ca |
kr = kr1;
|
|
Packit |
13e0ca |
round = 16;
|
|
Packit |
13e0ca |
do
|
|
Packit |
13e0ca |
{
|
|
Packit |
13e0ca |
/* Expand R to 48 bits (simulate the E-box). */
|
|
Packit |
13e0ca |
r48l = ((r & 0x00000001) << 23)
|
|
Packit |
13e0ca |
| ((r & 0xf8000000) >> 9)
|
|
Packit |
13e0ca |
| ((r & 0x1f800000) >> 11)
|
|
Packit |
13e0ca |
| ((r & 0x01f80000) >> 13)
|
|
Packit |
13e0ca |
| ((r & 0x001f8000) >> 15);
|
|
Packit |
13e0ca |
r48r = ((r & 0x0001f800) << 7)
|
|
Packit |
13e0ca |
| ((r & 0x00001f80) << 5)
|
|
Packit |
13e0ca |
| ((r & 0x000001f8) << 3)
|
|
Packit |
13e0ca |
| ((r & 0x0000001f) << 1)
|
|
Packit |
13e0ca |
| ((r & 0x80000000) >> 31);
|
|
Packit |
13e0ca |
|
|
Packit |
13e0ca |
/* Apply salt and permuted round key. */
|
|
Packit |
13e0ca |
f = (r48l ^ r48r) & saltbits;
|
|
Packit |
13e0ca |
r48l ^= f ^ *kl;
|
|
Packit |
13e0ca |
r48r ^= f ^ *kr;
|
|
Packit |
13e0ca |
kl += rk_step;
|
|
Packit |
13e0ca |
kr += rk_step;
|
|
Packit |
13e0ca |
|
|
Packit |
13e0ca |
/* Do sbox lookups (which shrink it back to 32 bits)
|
|
Packit |
13e0ca |
and the pbox permutation at the same time. */
|
|
Packit |
13e0ca |
f = psbox[0][m_sbox[0][r48l >> 12]]
|
|
Packit |
13e0ca |
| psbox[1][m_sbox[1][r48l & 0xfff]]
|
|
Packit |
13e0ca |
| psbox[2][m_sbox[2][r48r >> 12]]
|
|
Packit |
13e0ca |
| psbox[3][m_sbox[3][r48r & 0xfff]];
|
|
Packit |
13e0ca |
|
|
Packit |
13e0ca |
/* Now that we've permuted things, complete f(). */
|
|
Packit |
13e0ca |
f ^= l;
|
|
Packit |
13e0ca |
l = r;
|
|
Packit |
13e0ca |
r = f;
|
|
Packit |
13e0ca |
}
|
|
Packit |
13e0ca |
while (--round);
|
|
Packit |
13e0ca |
|
|
Packit |
13e0ca |
r = l;
|
|
Packit |
13e0ca |
l = f;
|
|
Packit |
13e0ca |
}
|
|
Packit |
13e0ca |
while (--count);
|
|
Packit |
13e0ca |
|
|
Packit |
13e0ca |
/* Do final permutation (inverse of IP). */
|
|
Packit |
13e0ca |
l_out =
|
|
Packit |
13e0ca |
fp_maskl[0][(l >> 24) & 0xff]
|
|
Packit |
13e0ca |
| fp_maskl[1][(l >> 16) & 0xff]
|
|
Packit |
13e0ca |
| fp_maskl[2][(l >> 8) & 0xff]
|
|
Packit |
13e0ca |
| fp_maskl[3][(l >> 0) & 0xff]
|
|
Packit |
13e0ca |
| fp_maskl[4][(r >> 24) & 0xff]
|
|
Packit |
13e0ca |
| fp_maskl[5][(r >> 16) & 0xff]
|
|
Packit |
13e0ca |
| fp_maskl[6][(r >> 8) & 0xff]
|
|
Packit |
13e0ca |
| fp_maskl[7][(r >> 0) & 0xff];
|
|
Packit |
13e0ca |
r_out =
|
|
Packit |
13e0ca |
fp_maskr[0][(l >> 24) & 0xff]
|
|
Packit |
13e0ca |
| fp_maskr[1][(l >> 16) & 0xff]
|
|
Packit |
13e0ca |
| fp_maskr[2][(l >> 8) & 0xff]
|
|
Packit |
13e0ca |
| fp_maskr[3][(l >> 0) & 0xff]
|
|
Packit |
13e0ca |
| fp_maskr[4][(r >> 24) & 0xff]
|
|
Packit |
13e0ca |
| fp_maskr[5][(r >> 16) & 0xff]
|
|
Packit |
13e0ca |
| fp_maskr[6][(r >> 8) & 0xff]
|
|
Packit |
13e0ca |
| fp_maskr[7][(r >> 0) & 0xff];
|
|
Packit |
13e0ca |
|
|
Packit |
13e0ca |
cpu_to_be32 (out, l_out);
|
|
Packit |
13e0ca |
cpu_to_be32 (out + 4, r_out);
|
|
Packit |
13e0ca |
}
|
|
Packit |
13e0ca |
|
|
Packit |
13e0ca |
#endif
|