1 /*
2 * UFC-crypt: ultra fast crypt(3) implementation
3 *
4 * Copyright (C) 1991-2022 Free Software Foundation, Inc.
5 *
6 * This library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
9 * version 2.1 of the License, or (at your option) any later version.
10 *
11 * This library is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
15 *
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this library; see the file COPYING.LIB. If not,
18 * see <https://www.gnu.org/licenses/>.
19 *
20 * @(#)crypt_util.c 2.56 12/20/96
21 *
22 * Support routines
23 *
24 */
25
26 #ifdef DEBUG
27 #include <stdio.h>
28 #endif
29 #include <atomic.h>
30 #include <string.h>
31
32 #ifndef STATIC
33 #define STATIC static
34 #endif
35
36 #include "crypt-private.h"
37 #include <shlib-compat.h>
38
39 /* Prototypes for local functions. */
40 #ifndef __GNU_LIBRARY__
41 void _ufc_clearmem (char *start, int cnt);
42 void _ufc_copymem (char *from, char *to, int cnt);
43 #endif
44 #ifdef _UFC_32_
45 STATIC void shuffle_sb (long32 *k, ufc_long saltbits);
46 #else
47 STATIC void shuffle_sb (long64 *k, ufc_long saltbits);
48 #endif
49
50
51 /*
52 * Permutation done once on the 56 bit
53 * key derived from the original 8 byte ASCII key.
54 */
55 static const int pc1[56] = {
56 57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18,
57 10, 2, 59, 51, 43, 35, 27, 19, 11, 3, 60, 52, 44, 36,
58 63, 55, 47, 39, 31, 23, 15, 7, 62, 54, 46, 38, 30, 22,
59 14, 6, 61, 53, 45, 37, 29, 21, 13, 5, 28, 20, 12, 4
60 };
61
62 /*
63 * How much to rotate each 28 bit half of the pc1 permutated
64 * 56 bit key before using pc2 to give the i' key
65 */
66 static const int rots[16] = {
67 1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1
68 };
69
70 /*
71 * Permutation giving the key
72 * of the i' DES round
73 */
74 static const int pc2[48] = {
75 14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10,
76 23, 19, 12, 4, 26, 8, 16, 7, 27, 20, 13, 2,
77 41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48,
78 44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32
79 };
80
81 /*
82 * The E expansion table which selects
83 * bits from the 32 bit intermediate result.
84 */
85 static const int esel[48] = {
86 32, 1, 2, 3, 4, 5, 4, 5, 6, 7, 8, 9,
87 8, 9, 10, 11, 12, 13, 12, 13, 14, 15, 16, 17,
88 16, 17, 18, 19, 20, 21, 20, 21, 22, 23, 24, 25,
89 24, 25, 26, 27, 28, 29, 28, 29, 30, 31, 32, 1
90 };
91
92 /*
93 * Permutation done on the
94 * result of sbox lookups
95 */
96 static const int perm32[32] = {
97 16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10,
98 2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25
99 };
100
101 /*
102 * The sboxes
103 */
104 static const int sbox[8][4][16]= {
105 { { 14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7 },
106 { 0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8 },
107 { 4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0 },
108 { 15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13 }
109 },
110
111 { { 15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10 },
112 { 3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5 },
113 { 0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15 },
114 { 13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9 }
115 },
116
117 { { 10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8 },
118 { 13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1 },
119 { 13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7 },
120 { 1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12 }
121 },
122
123 { { 7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15 },
124 { 13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9 },
125 { 10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4 },
126 { 3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14 }
127 },
128
129 { { 2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9 },
130 { 14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6 },
131 { 4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14 },
132 { 11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3 }
133 },
134
135 { { 12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11 },
136 { 10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8 },
137 { 9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6 },
138 { 4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13 }
139 },
140
141 { { 4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1 },
142 { 13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6 },
143 { 1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2 },
144 { 6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12 }
145 },
146
147 { { 13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7 },
148 { 1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2 },
149 { 7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8 },
150 { 2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11 }
151 }
152 };
153
154 #if SHLIB_COMPAT (libcrypt, GLIBC_2_0, GLIBC_2_28)
155 /*
156 * This is the initial
157 * permutation matrix
158 */
159 static const int initial_perm[64] = {
160 58, 50, 42, 34, 26, 18, 10, 2, 60, 52, 44, 36, 28, 20, 12, 4,
161 62, 54, 46, 38, 30, 22, 14, 6, 64, 56, 48, 40, 32, 24, 16, 8,
162 57, 49, 41, 33, 25, 17, 9, 1, 59, 51, 43, 35, 27, 19, 11, 3,
163 61, 53, 45, 37, 29, 21, 13, 5, 63, 55, 47, 39, 31, 23, 15, 7
164 };
165 #endif
166
167 /*
168 * This is the final
169 * permutation matrix
170 */
171 static const int final_perm[64] = {
172 40, 8, 48, 16, 56, 24, 64, 32, 39, 7, 47, 15, 55, 23, 63, 31,
173 38, 6, 46, 14, 54, 22, 62, 30, 37, 5, 45, 13, 53, 21, 61, 29,
174 36, 4, 44, 12, 52, 20, 60, 28, 35, 3, 43, 11, 51, 19, 59, 27,
175 34, 2, 42, 10, 50, 18, 58, 26, 33, 1, 41, 9, 49, 17, 57, 25
176 };
177
178 #define ascii_to_bin(c) ((c)>='a'?(c-59):(c)>='A'?((c)-53):(c)-'.')
179 #define bin_to_ascii(c) ((c)>=38?((c)-38+'a'):(c)>=12?((c)-12+'A'):(c)+'.')
180
181 static const ufc_long BITMASK[24] = {
182 0x40000000, 0x20000000, 0x10000000, 0x08000000, 0x04000000, 0x02000000,
183 0x01000000, 0x00800000, 0x00400000, 0x00200000, 0x00100000, 0x00080000,
184 0x00004000, 0x00002000, 0x00001000, 0x00000800, 0x00000400, 0x00000200,
185 0x00000100, 0x00000080, 0x00000040, 0x00000020, 0x00000010, 0x00000008
186 };
187
188 static const unsigned char bytemask[8] = {
189 0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02, 0x01
190 };
191
192 static const ufc_long longmask[32] = {
193 0x80000000, 0x40000000, 0x20000000, 0x10000000,
194 0x08000000, 0x04000000, 0x02000000, 0x01000000,
195 0x00800000, 0x00400000, 0x00200000, 0x00100000,
196 0x00080000, 0x00040000, 0x00020000, 0x00010000,
197 0x00008000, 0x00004000, 0x00002000, 0x00001000,
198 0x00000800, 0x00000400, 0x00000200, 0x00000100,
199 0x00000080, 0x00000040, 0x00000020, 0x00000010,
200 0x00000008, 0x00000004, 0x00000002, 0x00000001
201 };
202
203 /*
204 * do_pc1: permform pc1 permutation in the key schedule generation.
205 *
206 * The first index is the byte number in the 8 byte ASCII key
207 * - second - - the two 28 bits halfs of the result
208 * - third - selects the 7 bits actually used of each byte
209 *
210 * The result is kept with 28 bit per 32 bit with the 4 most significant
211 * bits zero.
212 */
213 static ufc_long do_pc1[8][2][128];
214
215 /*
216 * do_pc2: permform pc2 permutation in the key schedule generation.
217 *
218 * The first index is the septet number in the two 28 bit intermediate values
219 * - second - - - septet values
220 *
221 * Knowledge of the structure of the pc2 permutation is used.
222 *
223 * The result is kept with 28 bit per 32 bit with the 4 most significant
224 * bits zero.
225 */
226 static ufc_long do_pc2[8][128];
227
228 /*
229 * eperm32tab: do 32 bit permutation and E selection
230 *
231 * The first index is the byte number in the 32 bit value to be permuted
232 * - second - is the value of this byte
233 * - third - selects the two 32 bit values
234 *
235 * The table is used and generated internally in init_des to speed it up
236 */
237 static ufc_long eperm32tab[4][256][2];
238
239 /*
240 * efp: undo an extra e selection and do final
241 * permutation giving the DES result.
242 *
243 * Invoked 6 bit a time on two 48 bit values
244 * giving two 32 bit longs.
245 */
246 static ufc_long efp[16][64][2];
247
248 /* Table with characters for base64 transformation. */
249 static const char b64t[64] =
250 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
251
252 /*
253 * For use by the old, non-reentrant routines
254 * (crypt/encrypt/setkey)
255 */
256 struct crypt_data _ufc_foobar;
257
258 #ifdef __GNU_LIBRARY__
259 #include <libc-lock.h>
260
__libc_lock_define_initialized(static,_ufc_tables_lock)261 __libc_lock_define_initialized (static, _ufc_tables_lock)
262 #endif
263
264 #ifdef DEBUG
265
266 void
267 _ufc_prbits (ufc_long *a, int n)
268 {
269 ufc_long i, j, t, tmp;
270 n /= 8;
271 for(i = 0; i < n; i++) {
272 tmp=0;
273 for(j = 0; j < 8; j++) {
274 t=8*i+j;
275 tmp|=(a[t/24] & BITMASK[t % 24])?bytemask[j]:0;
276 }
277 (void)printf("%02lx ", tmp);
278 }
279 printf(" ");
280 }
281
282 static void __attribute__ ((unused))
_ufc_set_bits(ufc_long v,ufc_long * b)283 _ufc_set_bits (ufc_long v, ufc_long *b)
284 {
285 ufc_long i;
286 *b = 0;
287 for(i = 0; i < 24; i++) {
288 if(v & longmask[8 + i])
289 *b |= BITMASK[i];
290 }
291 }
292
293 #endif
294
295 #ifndef __GNU_LIBRARY__
296 /*
297 * Silly rewrites of 'bzero'/'memset'. I do so
298 * because some machines don't have
299 * bzero and some don't have memset.
300 */
301
302 void
_ufc_clearmem(char * start,int cnt)303 _ufc_clearmem (char *start, int cnt)
304 {
305 while(cnt--)
306 *start++ = '\0';
307 }
308
309 void
_ufc_copymem(char * from,char * to,int cnt)310 _ufc_copymem (char *from, char *to, int cnt)
311 {
312 while(cnt--)
313 *to++ = *from++;
314 }
315 #else
316 #define _ufc_clearmem(start, cnt) memset(start, 0, cnt)
317 #define _ufc_copymem(from, to, cnt) memcpy(to, from, cnt)
318 #endif
319
320 /* lookup a 6 bit value in sbox */
321
322 #define s_lookup(i,s) sbox[(i)][(((s)>>4) & 0x2)|((s) & 0x1)][((s)>>1) & 0xf];
323
324 /*
325 * Initialize unit - may be invoked directly
326 * by fcrypt users.
327 */
328
329 void
__init_des_r(struct crypt_data * __restrict __data)330 __init_des_r (struct crypt_data * __restrict __data)
331 {
332 int comes_from_bit;
333 int bit, sg;
334 ufc_long j;
335 ufc_long mask1, mask2;
336 int e_inverse[64];
337 static volatile int small_tables_initialized = 0;
338
339 #ifdef _UFC_32_
340 long32 *sb[4];
341 sb[0] = (long32*)__data->sb0; sb[1] = (long32*)__data->sb1;
342 sb[2] = (long32*)__data->sb2; sb[3] = (long32*)__data->sb3;
343 #endif
344 #ifdef _UFC_64_
345 long64 *sb[4];
346 sb[0] = (long64*)__data->sb0; sb[1] = (long64*)__data->sb1;
347 sb[2] = (long64*)__data->sb2; sb[3] = (long64*)__data->sb3;
348 #endif
349
350 if(small_tables_initialized == 0) {
351 #ifdef __GNU_LIBRARY__
352 __libc_lock_lock (_ufc_tables_lock);
353 if(small_tables_initialized)
354 goto small_tables_done;
355 #endif
356
357 /*
358 * Create the do_pc1 table used
359 * to affect pc1 permutation
360 * when generating keys
361 */
362 _ufc_clearmem((char*)do_pc1, (int)sizeof(do_pc1));
363 for(bit = 0; bit < 56; bit++) {
364 comes_from_bit = pc1[bit] - 1;
365 mask1 = bytemask[comes_from_bit % 8 + 1];
366 mask2 = longmask[bit % 28 + 4];
367 for(j = 0; j < 128; j++) {
368 if(j & mask1)
369 do_pc1[comes_from_bit / 8][bit / 28][j] |= mask2;
370 }
371 }
372
373 /*
374 * Create the do_pc2 table used
375 * to affect pc2 permutation when
376 * generating keys
377 */
378 _ufc_clearmem((char*)do_pc2, (int)sizeof(do_pc2));
379 for(bit = 0; bit < 48; bit++) {
380 comes_from_bit = pc2[bit] - 1;
381 mask1 = bytemask[comes_from_bit % 7 + 1];
382 mask2 = BITMASK[bit % 24];
383 for(j = 0; j < 128; j++) {
384 if(j & mask1)
385 do_pc2[comes_from_bit / 7][j] |= mask2;
386 }
387 }
388
389 /*
390 * Now generate the table used to do combined
391 * 32 bit permutation and e expansion
392 *
393 * We use it because we have to permute 16384 32 bit
394 * longs into 48 bit in order to initialize sb.
395 *
396 * Looping 48 rounds per permutation becomes
397 * just too slow...
398 *
399 */
400
401 _ufc_clearmem((char*)eperm32tab, (int)sizeof(eperm32tab));
402 for(bit = 0; bit < 48; bit++) {
403 ufc_long mask1,comes_from;
404 comes_from = perm32[esel[bit]-1]-1;
405 mask1 = bytemask[comes_from % 8];
406 for(j = 256; j--;) {
407 if(j & mask1)
408 eperm32tab[comes_from / 8][j][bit / 24] |= BITMASK[bit % 24];
409 }
410 }
411
412 /*
413 * Create an inverse matrix for esel telling
414 * where to plug out bits if undoing it
415 */
416 for(bit=48; bit--;) {
417 e_inverse[esel[bit] - 1 ] = bit;
418 e_inverse[esel[bit] - 1 + 32] = bit + 48;
419 }
420
421 /*
422 * create efp: the matrix used to
423 * undo the E expansion and effect final permutation
424 */
425 _ufc_clearmem((char*)efp, (int)sizeof efp);
426 for(bit = 0; bit < 64; bit++) {
427 int o_bit, o_long;
428 ufc_long word_value, mask1, mask2;
429 int comes_from_f_bit, comes_from_e_bit;
430 int comes_from_word, bit_within_word;
431
432 /* See where bit i belongs in the two 32 bit long's */
433 o_long = bit / 32; /* 0..1 */
434 o_bit = bit % 32; /* 0..31 */
435
436 /*
437 * And find a bit in the e permutated value setting this bit.
438 *
439 * Note: the e selection may have selected the same bit several
440 * times. By the initialization of e_inverse, we only look
441 * for one specific instance.
442 */
443 comes_from_f_bit = final_perm[bit] - 1; /* 0..63 */
444 comes_from_e_bit = e_inverse[comes_from_f_bit]; /* 0..95 */
445 comes_from_word = comes_from_e_bit / 6; /* 0..15 */
446 bit_within_word = comes_from_e_bit % 6; /* 0..5 */
447
448 mask1 = longmask[bit_within_word + 26];
449 mask2 = longmask[o_bit];
450
451 for(word_value = 64; word_value--;) {
452 if(word_value & mask1)
453 efp[comes_from_word][word_value][o_long] |= mask2;
454 }
455 }
456 atomic_write_barrier ();
457 small_tables_initialized = 1;
458 #ifdef __GNU_LIBRARY__
459 small_tables_done:
460 __libc_lock_unlock(_ufc_tables_lock);
461 #endif
462 } else
463 atomic_read_barrier ();
464
465 /*
466 * Create the sb tables:
467 *
468 * For each 12 bit segment of an 48 bit intermediate
469 * result, the sb table precomputes the two 4 bit
470 * values of the sbox lookups done with the two 6
471 * bit halves, shifts them to their proper place,
472 * sends them through perm32 and finally E expands
473 * them so that they are ready for the next
474 * DES round.
475 *
476 */
477
478 if (__data->sb0 + sizeof (__data->sb0) == __data->sb1
479 && __data->sb1 + sizeof (__data->sb1) == __data->sb2
480 && __data->sb2 + sizeof (__data->sb2) == __data->sb3)
481 _ufc_clearmem(__data->sb0,
482 (int)sizeof(__data->sb0)
483 + (int)sizeof(__data->sb1)
484 + (int)sizeof(__data->sb2)
485 + (int)sizeof(__data->sb3));
486 else {
487 _ufc_clearmem(__data->sb0, (int)sizeof(__data->sb0));
488 _ufc_clearmem(__data->sb1, (int)sizeof(__data->sb1));
489 _ufc_clearmem(__data->sb2, (int)sizeof(__data->sb2));
490 _ufc_clearmem(__data->sb3, (int)sizeof(__data->sb3));
491 }
492
493 for(sg = 0; sg < 4; sg++) {
494 int j1, j2;
495 int s1, s2;
496
497 for(j1 = 0; j1 < 64; j1++) {
498 s1 = s_lookup(2 * sg, j1);
499 for(j2 = 0; j2 < 64; j2++) {
500 ufc_long to_permute, inx;
501
502 s2 = s_lookup(2 * sg + 1, j2);
503 to_permute = (((ufc_long)s1 << 4) |
504 (ufc_long)s2) << (24 - 8 * (ufc_long)sg);
505
506 #ifdef _UFC_32_
507 inx = ((j1 << 6) | j2) << 1;
508 sb[sg][inx ] = eperm32tab[0][(to_permute >> 24) & 0xff][0];
509 sb[sg][inx+1] = eperm32tab[0][(to_permute >> 24) & 0xff][1];
510 sb[sg][inx ] |= eperm32tab[1][(to_permute >> 16) & 0xff][0];
511 sb[sg][inx+1] |= eperm32tab[1][(to_permute >> 16) & 0xff][1];
512 sb[sg][inx ] |= eperm32tab[2][(to_permute >> 8) & 0xff][0];
513 sb[sg][inx+1] |= eperm32tab[2][(to_permute >> 8) & 0xff][1];
514 sb[sg][inx ] |= eperm32tab[3][(to_permute) & 0xff][0];
515 sb[sg][inx+1] |= eperm32tab[3][(to_permute) & 0xff][1];
516 #endif
517 #ifdef _UFC_64_
518 inx = ((j1 << 6) | j2);
519 sb[sg][inx] =
520 ((long64)eperm32tab[0][(to_permute >> 24) & 0xff][0] << 32) |
521 (long64)eperm32tab[0][(to_permute >> 24) & 0xff][1];
522 sb[sg][inx] |=
523 ((long64)eperm32tab[1][(to_permute >> 16) & 0xff][0] << 32) |
524 (long64)eperm32tab[1][(to_permute >> 16) & 0xff][1];
525 sb[sg][inx] |=
526 ((long64)eperm32tab[2][(to_permute >> 8) & 0xff][0] << 32) |
527 (long64)eperm32tab[2][(to_permute >> 8) & 0xff][1];
528 sb[sg][inx] |=
529 ((long64)eperm32tab[3][(to_permute) & 0xff][0] << 32) |
530 (long64)eperm32tab[3][(to_permute) & 0xff][1];
531 #endif
532 }
533 }
534 }
535
536 __data->current_saltbits = 0;
537 __data->current_salt[0] = 0;
538 __data->current_salt[1] = 0;
539 __data->initialized++;
540 }
541
542 void
__init_des(void)543 __init_des (void)
544 {
545 __init_des_r(&_ufc_foobar);
546 }
547
548 /*
549 * Process the elements of the sb table permuting the
550 * bits swapped in the expansion by the current salt.
551 */
552
553 #ifdef _UFC_32_
554 STATIC void
shuffle_sb(long32 * k,ufc_long saltbits)555 shuffle_sb (long32 *k, ufc_long saltbits)
556 {
557 ufc_long j;
558 long32 x;
559 for(j=4096; j--;) {
560 x = (k[0] ^ k[1]) & (long32)saltbits;
561 *k++ ^= x;
562 *k++ ^= x;
563 }
564 }
565 #endif
566
567 #ifdef _UFC_64_
568 STATIC void
shuffle_sb(long64 * k,ufc_long saltbits)569 shuffle_sb (long64 *k, ufc_long saltbits)
570 {
571 ufc_long j;
572 long64 x;
573 for(j=4096; j--;) {
574 x = ((*k >> 32) ^ *k) & (long64)saltbits;
575 *k++ ^= (x << 32) | x;
576 }
577 }
578 #endif
579
580 /*
581 * Return false iff C is in the specified alphabet for crypt salt.
582 */
583
584 static bool
bad_for_salt(char c)585 bad_for_salt (char c)
586 {
587 switch (c)
588 {
589 case '0' ... '9':
590 case 'A' ... 'Z':
591 case 'a' ... 'z':
592 case '.': case '/':
593 return false;
594
595 default:
596 return true;
597 }
598 }
599
600 /*
601 * Setup the unit for a new salt
602 * Hopefully we'll not see a new salt in each crypt call.
603 * Return false if an unexpected character was found in s[0] or s[1].
604 */
605
606 bool
_ufc_setup_salt_r(const char * s,struct crypt_data * __restrict __data)607 _ufc_setup_salt_r (const char *s, struct crypt_data * __restrict __data)
608 {
609 ufc_long i, j, saltbits;
610 char s0, s1;
611
612 if(__data->initialized == 0)
613 __init_des_r(__data);
614
615 s0 = s[0];
616 if(bad_for_salt (s0))
617 return false;
618
619 s1 = s[1];
620 if(bad_for_salt (s1))
621 return false;
622
623 if(s0 == __data->current_salt[0] && s1 == __data->current_salt[1])
624 return true;
625
626 __data->current_salt[0] = s0;
627 __data->current_salt[1] = s1;
628
629 /*
630 * This is the only crypt change to DES:
631 * entries are swapped in the expansion table
632 * according to the bits set in the salt.
633 */
634 saltbits = 0;
635 for(i = 0; i < 2; i++) {
636 long c=ascii_to_bin(s[i]);
637 for(j = 0; j < 6; j++) {
638 if((c >> j) & 0x1)
639 saltbits |= BITMASK[6 * i + j];
640 }
641 }
642
643 /*
644 * Permute the sb table values
645 * to reflect the changed e
646 * selection table
647 */
648 #ifdef _UFC_32_
649 #define LONGG long32*
650 #endif
651 #ifdef _UFC_64_
652 #define LONGG long64*
653 #endif
654
655 shuffle_sb((LONGG)__data->sb0, __data->current_saltbits ^ saltbits);
656 shuffle_sb((LONGG)__data->sb1, __data->current_saltbits ^ saltbits);
657 shuffle_sb((LONGG)__data->sb2, __data->current_saltbits ^ saltbits);
658 shuffle_sb((LONGG)__data->sb3, __data->current_saltbits ^ saltbits);
659
660 __data->current_saltbits = saltbits;
661
662 return true;
663 }
664
665 void
_ufc_mk_keytab_r(const char * key,struct crypt_data * __restrict __data)666 _ufc_mk_keytab_r (const char *key, struct crypt_data * __restrict __data)
667 {
668 ufc_long v1, v2, *k1;
669 int i;
670 #ifdef _UFC_32_
671 long32 v, *k2;
672 k2 = (long32*)__data->keysched;
673 #endif
674 #ifdef _UFC_64_
675 long64 v, *k2;
676 k2 = (long64*)__data->keysched;
677 #endif
678
679 v1 = v2 = 0; k1 = &do_pc1[0][0][0];
680 for(i = 8; i--;) {
681 v1 |= k1[*key & 0x7f]; k1 += 128;
682 v2 |= k1[*key++ & 0x7f]; k1 += 128;
683 }
684
685 for(i = 0; i < 16; i++) {
686 k1 = &do_pc2[0][0];
687
688 v1 = (v1 << rots[i]) | (v1 >> (28 - rots[i]));
689 v = k1[(v1 >> 21) & 0x7f]; k1 += 128;
690 v |= k1[(v1 >> 14) & 0x7f]; k1 += 128;
691 v |= k1[(v1 >> 7) & 0x7f]; k1 += 128;
692 v |= k1[(v1 ) & 0x7f]; k1 += 128;
693
694 #ifdef _UFC_32_
695 *k2++ = (v | 0x00008000);
696 v = 0;
697 #endif
698 #ifdef _UFC_64_
699 v = (v << 32);
700 #endif
701
702 v2 = (v2 << rots[i]) | (v2 >> (28 - rots[i]));
703 v |= k1[(v2 >> 21) & 0x7f]; k1 += 128;
704 v |= k1[(v2 >> 14) & 0x7f]; k1 += 128;
705 v |= k1[(v2 >> 7) & 0x7f]; k1 += 128;
706 v |= k1[(v2 ) & 0x7f];
707
708 #ifdef _UFC_32_
709 *k2++ = (v | 0x00008000);
710 #endif
711 #ifdef _UFC_64_
712 *k2++ = v | 0x0000800000008000l;
713 #endif
714 }
715
716 __data->direction = 0;
717 }
718
719 /*
720 * Undo an extra E selection and do final permutations
721 */
722
723 void
_ufc_dofinalperm_r(ufc_long * res,struct crypt_data * __restrict __data)724 _ufc_dofinalperm_r (ufc_long *res, struct crypt_data * __restrict __data)
725 {
726 ufc_long v1, v2, x;
727 ufc_long l1,l2,r1,r2;
728
729 l1 = res[0]; l2 = res[1];
730 r1 = res[2]; r2 = res[3];
731
732 x = (l1 ^ l2) & __data->current_saltbits; l1 ^= x; l2 ^= x;
733 x = (r1 ^ r2) & __data->current_saltbits; r1 ^= x; r2 ^= x;
734
735 v1=v2=0; l1 >>= 3; l2 >>= 3; r1 >>= 3; r2 >>= 3;
736
737 v1 |= efp[15][ r2 & 0x3f][0]; v2 |= efp[15][ r2 & 0x3f][1];
738 v1 |= efp[14][(r2 >>= 6) & 0x3f][0]; v2 |= efp[14][ r2 & 0x3f][1];
739 v1 |= efp[13][(r2 >>= 10) & 0x3f][0]; v2 |= efp[13][ r2 & 0x3f][1];
740 v1 |= efp[12][(r2 >>= 6) & 0x3f][0]; v2 |= efp[12][ r2 & 0x3f][1];
741
742 v1 |= efp[11][ r1 & 0x3f][0]; v2 |= efp[11][ r1 & 0x3f][1];
743 v1 |= efp[10][(r1 >>= 6) & 0x3f][0]; v2 |= efp[10][ r1 & 0x3f][1];
744 v1 |= efp[ 9][(r1 >>= 10) & 0x3f][0]; v2 |= efp[ 9][ r1 & 0x3f][1];
745 v1 |= efp[ 8][(r1 >>= 6) & 0x3f][0]; v2 |= efp[ 8][ r1 & 0x3f][1];
746
747 v1 |= efp[ 7][ l2 & 0x3f][0]; v2 |= efp[ 7][ l2 & 0x3f][1];
748 v1 |= efp[ 6][(l2 >>= 6) & 0x3f][0]; v2 |= efp[ 6][ l2 & 0x3f][1];
749 v1 |= efp[ 5][(l2 >>= 10) & 0x3f][0]; v2 |= efp[ 5][ l2 & 0x3f][1];
750 v1 |= efp[ 4][(l2 >>= 6) & 0x3f][0]; v2 |= efp[ 4][ l2 & 0x3f][1];
751
752 v1 |= efp[ 3][ l1 & 0x3f][0]; v2 |= efp[ 3][ l1 & 0x3f][1];
753 v1 |= efp[ 2][(l1 >>= 6) & 0x3f][0]; v2 |= efp[ 2][ l1 & 0x3f][1];
754 v1 |= efp[ 1][(l1 >>= 10) & 0x3f][0]; v2 |= efp[ 1][ l1 & 0x3f][1];
755 v1 |= efp[ 0][(l1 >>= 6) & 0x3f][0]; v2 |= efp[ 0][ l1 & 0x3f][1];
756
757 res[0] = v1; res[1] = v2;
758 }
759
760 /*
761 * crypt only: convert from 64 bit to 11 bit ASCII
762 * prefixing with the salt
763 */
764
765 void
_ufc_output_conversion_r(ufc_long v1,ufc_long v2,const char * salt,struct crypt_data * __restrict __data)766 _ufc_output_conversion_r (ufc_long v1, ufc_long v2, const char *salt,
767 struct crypt_data * __restrict __data)
768 {
769 int i, s, shf;
770
771 __data->crypt_3_buf[0] = salt[0];
772 __data->crypt_3_buf[1] = salt[1] ? salt[1] : salt[0];
773
774 for(i = 0; i < 5; i++) {
775 shf = (26 - 6 * i); /* to cope with MSC compiler bug */
776 __data->crypt_3_buf[i + 2] = bin_to_ascii((v1 >> shf) & 0x3f);
777 }
778
779 s = (v2 & 0xf) << 2;
780 v2 = (v2 >> 2) | ((v1 & 0x3) << 30);
781
782 for(i = 5; i < 10; i++) {
783 shf = (56 - 6 * i);
784 __data->crypt_3_buf[i + 2] = bin_to_ascii((v2 >> shf) & 0x3f);
785 }
786
787 __data->crypt_3_buf[12] = bin_to_ascii(s);
788 __data->crypt_3_buf[13] = 0;
789 }
790
791 #if SHLIB_COMPAT (libcrypt, GLIBC_2_0, GLIBC_2_28)
792
793 /*
794 * UNIX encrypt function. Takes a bitvector
795 * represented by one byte per bit and
796 * encrypt/decrypt according to edflag
797 */
798
799 void
__encrypt_r(char * __block,int __edflag,struct crypt_data * __restrict __data)800 __encrypt_r (char *__block, int __edflag,
801 struct crypt_data * __restrict __data)
802 {
803 ufc_long l1, l2, r1, r2, res[4];
804 int i;
805 #ifdef _UFC_32_
806 long32 *kt;
807 kt = (long32*)__data->keysched;
808 #endif
809 #ifdef _UFC_64_
810 long64 *kt;
811 kt = (long64*)__data->keysched;
812 #endif
813
814 /*
815 * Undo any salt changes to E expansion
816 */
817 _ufc_setup_salt_r("..", __data);
818
819 /*
820 * Reverse key table if
821 * changing operation (encrypt/decrypt)
822 */
823 if((__edflag == 0) != (__data->direction == 0)) {
824 for(i = 0; i < 8; i++) {
825 #ifdef _UFC_32_
826 long32 x;
827 x = kt[2 * (15-i)];
828 kt[2 * (15-i)] = kt[2 * i];
829 kt[2 * i] = x;
830
831 x = kt[2 * (15-i) + 1];
832 kt[2 * (15-i) + 1] = kt[2 * i + 1];
833 kt[2 * i + 1] = x;
834 #endif
835 #ifdef _UFC_64_
836 long64 x;
837 x = kt[15-i];
838 kt[15-i] = kt[i];
839 kt[i] = x;
840 #endif
841 }
842 __data->direction = __edflag;
843 }
844
845 /*
846 * Do initial permutation + E expansion
847 */
848 i = 0;
849 for(l1 = 0; i < 24; i++) {
850 if(__block[initial_perm[esel[i]-1]-1])
851 l1 |= BITMASK[i];
852 }
853 for(l2 = 0; i < 48; i++) {
854 if(__block[initial_perm[esel[i]-1]-1])
855 l2 |= BITMASK[i-24];
856 }
857
858 i = 0;
859 for(r1 = 0; i < 24; i++) {
860 if(__block[initial_perm[esel[i]-1+32]-1])
861 r1 |= BITMASK[i];
862 }
863 for(r2 = 0; i < 48; i++) {
864 if(__block[initial_perm[esel[i]-1+32]-1])
865 r2 |= BITMASK[i-24];
866 }
867
868 /*
869 * Do DES inner loops + final conversion
870 */
871 res[0] = l1; res[1] = l2;
872 res[2] = r1; res[3] = r2;
873 _ufc_doit_r((ufc_long)1, __data, &res[0]);
874
875 /*
876 * Do final permutations
877 */
878 _ufc_dofinalperm_r(res, __data);
879
880 /*
881 * And convert to bit array
882 */
883 l1 = res[0]; r1 = res[1];
884 for(i = 0; i < 32; i++) {
885 *__block++ = (l1 & longmask[i]) != 0;
886 }
887 for(i = 0; i < 32; i++) {
888 *__block++ = (r1 & longmask[i]) != 0;
889 }
890 }
891 weak_alias (__encrypt_r, encrypt_r)
892 compat_symbol (libcrypt, encrypt_r, encrypt_r, GLIBC_2_0);
893
894 void
encrypt(char * __block,int __edflag)895 encrypt (char *__block, int __edflag)
896 {
897 __encrypt_r(__block, __edflag, &_ufc_foobar);
898 }
899 compat_symbol (libcrypt, encrypt, encrypt, GLIBC_2_0);
900
901
902 /*
903 * UNIX setkey function. Take a 64 bit DES
904 * key and setup the machinery.
905 */
906
907 void
__setkey_r(const char * __key,struct crypt_data * __restrict __data)908 __setkey_r (const char *__key, struct crypt_data * __restrict __data)
909 {
910 int i,j;
911 unsigned char c;
912 unsigned char ktab[8];
913
914 _ufc_setup_salt_r("..", __data); /* be sure we're initialized */
915
916 for(i = 0; i < 8; i++) {
917 for(j = 0, c = 0; j < 8; j++)
918 c = c << 1 | *__key++;
919 ktab[i] = c >> 1;
920 }
921 _ufc_mk_keytab_r((char *) ktab, __data);
922 }
923 weak_alias (__setkey_r, setkey_r)
924 compat_symbol (libcrypt, setkey_r, setkey_r, GLIBC_2_0);
925
926 void
setkey(const char * __key)927 setkey (const char *__key)
928 {
929 __setkey_r(__key, &_ufc_foobar);
930 }
931 compat_symbol (libcrypt, setkey, setkey, GLIBC_2_0);
932 #endif /* SHLIB_COMPAT (libcrypt, GLIBC_2_0, GLIBC_2_28) */
933
934 void
__b64_from_24bit(char ** cp,int * buflen,unsigned int b2,unsigned int b1,unsigned int b0,int n)935 __b64_from_24bit (char **cp, int *buflen,
936 unsigned int b2, unsigned int b1, unsigned int b0,
937 int n)
938 {
939 unsigned int w = (b2 << 16) | (b1 << 8) | b0;
940 while (n-- > 0 && (*buflen) > 0)
941 {
942 *(*cp)++ = b64t[w & 0x3f];
943 --(*buflen);
944 w >>= 6;
945 }
946 }
947