/*
* FreeSec: libcrypt for NetBSD
*
* Copyright (c) 1994 David Burren
* All rights reserved.
*
* Adapted for FreeBSD-2.0 by Geoffrey M. Rehmet
* this file should now *only* export crypt(), in order to make
* binaries of libcrypt exportable from the USA
*
* Adapted for FreeBSD-4.0 by Mark R V Murray
* this file should now *only* export crypt_des(), in order to make
* a module that can be optionally included in libcrypt.
*
* Adapted for libxcrypt by Zack Weinberg, 2017
* writable global data eliminated; type-punning eliminated;
* des_init() run at build time (see des-mktables.c);
* made into a libxcrypt algorithm module (see des-crypt.c);
* functionality required to support the legacy encrypt() and
* setkey() primitives re-exposed (see des-obsolete.c).
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the author nor the names of other contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* This is an original implementation of the DES and the crypt(3) interfaces
* by David Burren <davidb@werj.com.au>.
*
* An excellent reference on the underlying algorithm (and related
* algorithms) is:
*
* B. Schneier, Applied Cryptography: protocols, algorithms,
* and source code in C, John Wiley & Sons, 1994.
*
* Note that in that book's description of DES the lookups for the initial,
* pbox, and final permutations are inverted (this has been brought to the
* attention of the author). A list of errata for this book has been
* posted to the sci.crypt newsgroup by the author and is available for FTP.
*/
#include "crypt-port.h"
#if INCLUDE_des || INCLUDE_des_big || INCLUDE_des_xbsd
#include "alg-des.h"
#include "byteorder.h"
static const uint8_t key_shifts[16] =
{
1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1
};
void
des_set_key (struct des_ctx *restrict ctx, const unsigned char *key)
{
uint32_t rawkey0, rawkey1, k0, k1, t0, t1;
int shifts, round;
rawkey0 = be32_to_cpu (key);
rawkey1 = be32_to_cpu (key + 4);
/* Do key permutation and split into two 28-bit subkeys. */
k0 = key_perm_maskl[0][rawkey0 >> 25]
| key_perm_maskl[1][(rawkey0 >> 17) & 0x7f]
| key_perm_maskl[2][(rawkey0 >> 9) & 0x7f]
| key_perm_maskl[3][(rawkey0 >> 1) & 0x7f]
| key_perm_maskl[4][rawkey1 >> 25]
| key_perm_maskl[5][(rawkey1 >> 17) & 0x7f]
| key_perm_maskl[6][(rawkey1 >> 9) & 0x7f]
| key_perm_maskl[7][(rawkey1 >> 1) & 0x7f];
k1 = key_perm_maskr[0][rawkey0 >> 25]
| key_perm_maskr[1][(rawkey0 >> 17) & 0x7f]
| key_perm_maskr[2][(rawkey0 >> 9) & 0x7f]
| key_perm_maskr[3][(rawkey0 >> 1) & 0x7f]
| key_perm_maskr[4][rawkey1 >> 25]
| key_perm_maskr[5][(rawkey1 >> 17) & 0x7f]
| key_perm_maskr[6][(rawkey1 >> 9) & 0x7f]
| key_perm_maskr[7][(rawkey1 >> 1) & 0x7f];
/* Rotate subkeys and do compression permutation. */
shifts = 0;
for (round = 0; round < 16; round++)
{
shifts += key_shifts[round];
t0 = (k0 << shifts) | (k0 >> (28 - shifts));
t1 = (k1 << shifts) | (k1 >> (28 - shifts));
ctx->keysl[round] =
comp_maskl[0][(t0 >> 21) & 0x7f]
| comp_maskl[1][(t0 >> 14) & 0x7f]
| comp_maskl[2][(t0 >> 7) & 0x7f]
| comp_maskl[3][(t0 >> 0) & 0x7f]
| comp_maskl[4][(t1 >> 21) & 0x7f]
| comp_maskl[5][(t1 >> 14) & 0x7f]
| comp_maskl[6][(t1 >> 7) & 0x7f]
| comp_maskl[7][(t1 >> 0) & 0x7f];
ctx->keysr[round] =
comp_maskr[0][(t0 >> 21) & 0x7f]
| comp_maskr[1][(t0 >> 14) & 0x7f]
| comp_maskr[2][(t0 >> 7) & 0x7f]
| comp_maskr[3][(t0 >> 0) & 0x7f]
| comp_maskr[4][(t1 >> 21) & 0x7f]
| comp_maskr[5][(t1 >> 14) & 0x7f]
| comp_maskr[6][(t1 >> 7) & 0x7f]
| comp_maskr[7][(t1 >> 0) & 0x7f];
}
}
void
des_set_salt (struct des_ctx *restrict ctx, uint32_t salt)
{
uint32_t obit, saltbit, saltbits;
int i;
saltbits = 0L;
saltbit = 1;
obit = 0x800000;
for (i = 0; i < 24; i++)
{
if (salt & saltbit)
saltbits |= obit;
saltbit <<= 1;
obit >>= 1;
}
ctx->saltbits = saltbits;
}
void
des_crypt_block (struct des_ctx *restrict ctx,
unsigned char *out, const unsigned char *in,
unsigned int count, bool decrypt)
{
uint32_t l_in, r_in, l_out, r_out;
uint32_t l, r, *kl, *kr, *kl1, *kr1;
uint32_t f, r48l, r48r;
uint32_t saltbits = ctx->saltbits;
int round, rk_step;
/* Zero encryptions/decryptions doesn't make sense. */
if (count == 0)
count = 1;
if (decrypt)
{
kl1 = ctx->keysl + 15;
kr1 = ctx->keysr + 15;
rk_step = -1;
}
else
{
kl1 = ctx->keysl;
kr1 = ctx->keysr;
rk_step = 1;
}
/* Read the input, which is notionally in "big-endian" format. */
l_in = be32_to_cpu (in);
r_in = be32_to_cpu (in + 4);
/* Do initial permutation. */
l = ip_maskl[0][(l_in >> 24) & 0xff]
| ip_maskl[1][(l_in >> 16) & 0xff]
| ip_maskl[2][(l_in >> 8) & 0xff]
| ip_maskl[3][(l_in >> 0) & 0xff]
| ip_maskl[4][(r_in >> 24) & 0xff]
| ip_maskl[5][(r_in >> 16) & 0xff]
| ip_maskl[6][(r_in >> 8) & 0xff]
| ip_maskl[7][(r_in >> 0) & 0xff];
r = ip_maskr[0][(l_in >> 24) & 0xff]
| ip_maskr[1][(l_in >> 16) & 0xff]
| ip_maskr[2][(l_in >> 8) & 0xff]
| ip_maskr[3][(l_in >> 0) & 0xff]
| ip_maskr[4][(r_in >> 24) & 0xff]
| ip_maskr[5][(r_in >> 16) & 0xff]
| ip_maskr[6][(r_in >> 8) & 0xff]
| ip_maskr[7][(r_in >> 0) & 0xff];
do
{
kl = kl1;
kr = kr1;
round = 16;
do
{
/* Expand R to 48 bits (simulate the E-box). */
r48l = ((r & 0x00000001) << 23)
| ((r & 0xf8000000) >> 9)
| ((r & 0x1f800000) >> 11)
| ((r & 0x01f80000) >> 13)
| ((r & 0x001f8000) >> 15);
r48r = ((r & 0x0001f800) << 7)
| ((r & 0x00001f80) << 5)
| ((r & 0x000001f8) << 3)
| ((r & 0x0000001f) << 1)
| ((r & 0x80000000) >> 31);
/* Apply salt and permuted round key. */
f = (r48l ^ r48r) & saltbits;
r48l ^= f ^ *kl;
r48r ^= f ^ *kr;
kl += rk_step;
kr += rk_step;
/* Do sbox lookups (which shrink it back to 32 bits)
and the pbox permutation at the same time. */
f = psbox[0][m_sbox[0][r48l >> 12]]
| psbox[1][m_sbox[1][r48l & 0xfff]]
| psbox[2][m_sbox[2][r48r >> 12]]
| psbox[3][m_sbox[3][r48r & 0xfff]];
/* Now that we've permuted things, complete f(). */
f ^= l;
l = r;
r = f;
}
while (--round);
r = l;
l = f;
}
while (--count);
/* Do final permutation (inverse of IP). */
l_out =
fp_maskl[0][(l >> 24) & 0xff]
| fp_maskl[1][(l >> 16) & 0xff]
| fp_maskl[2][(l >> 8) & 0xff]
| fp_maskl[3][(l >> 0) & 0xff]
| fp_maskl[4][(r >> 24) & 0xff]
| fp_maskl[5][(r >> 16) & 0xff]
| fp_maskl[6][(r >> 8) & 0xff]
| fp_maskl[7][(r >> 0) & 0xff];
r_out =
fp_maskr[0][(l >> 24) & 0xff]
| fp_maskr[1][(l >> 16) & 0xff]
| fp_maskr[2][(l >> 8) & 0xff]
| fp_maskr[3][(l >> 0) & 0xff]
| fp_maskr[4][(r >> 24) & 0xff]
| fp_maskr[5][(r >> 16) & 0xff]
| fp_maskr[6][(r >> 8) & 0xff]
| fp_maskr[7][(r >> 0) & 0xff];
cpu_to_be32 (out, l_out);
cpu_to_be32 (out + 4, r_out);
}
#endif