1 /*
2 * FreeSec: libcrypt for NetBSD
3 *
4 * contrib/pgcrypto/crypt-des.c
5 *
6 * Copyright (c) 1994 David Burren
7 * All rights reserved.
8 *
9 * Adapted for FreeBSD-2.0 by Geoffrey M. Rehmet
10 * this file should now *only* export crypt(), in order to make
11 * binaries of libcrypt exportable from the USA
12 *
13 * Adapted for FreeBSD-4.0 by Mark R V Murray
14 * this file should now *only* export crypt_des(), in order to make
15 * a module that can be optionally included in libcrypt.
16 *
17 * Redistribution and use in source and binary forms, with or without
18 * modification, are permitted provided that the following conditions
19 * are met:
20 * 1. Redistributions of source code must retain the above copyright
21 * notice, this list of conditions and the following disclaimer.
22 * 2. Redistributions in binary form must reproduce the above copyright
23 * notice, this list of conditions and the following disclaimer in the
24 * documentation and/or other materials provided with the distribution.
25 * 3. Neither the name of the author nor the names of other contributors
26 * may be used to endorse or promote products derived from this software
27 * without specific prior written permission.
28 *
29 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
30 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
31 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
32 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
33 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
34 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
35 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
36 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
37 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
38 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
39 * SUCH DAMAGE.
40 *
41 * $FreeBSD: src/secure/lib/libcrypt/crypt-des.c,v 1.12 1999/09/20 12:39:20 markm Exp $
42 *
43 * This is an original implementation of the DES and the crypt(3) interfaces
44 * by David Burren <davidb@werj.com.au>.
45 *
46 * An excellent reference on the underlying algorithm (and related
47 * algorithms) is:
48 *
49 * B. Schneier, Applied Cryptography: protocols, algorithms,
50 * and source code in C, John Wiley & Sons, 1994.
51 *
52 * Note that in that book's description of DES the lookups for the initial,
53 * pbox, and final permutations are inverted (this has been brought to the
54 * attention of the author). A list of errata for this book has been
55 * posted to the sci.crypt newsgroup by the author and is available for FTP.
56 *
57 * ARCHITECTURE ASSUMPTIONS:
58 * It is assumed that the 8-byte arrays passed by reference can be
59 * addressed as arrays of uint32's (ie. the CPU is not picky about
60 * alignment).
61 */
62
63 #include "postgres.h"
64 #include "miscadmin.h"
65
66 #include "px-crypt.h"
67
68 /* for ntohl/htonl */
69 #include <netinet/in.h>
70 #include <arpa/inet.h>
71
72 #define _PASSWORD_EFMT1 '_'
73
74 static const char _crypt_a64[] =
75 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
76
77 static uint8 IP[64] = {
78 58, 50, 42, 34, 26, 18, 10, 2, 60, 52, 44, 36, 28, 20, 12, 4,
79 62, 54, 46, 38, 30, 22, 14, 6, 64, 56, 48, 40, 32, 24, 16, 8,
80 57, 49, 41, 33, 25, 17, 9, 1, 59, 51, 43, 35, 27, 19, 11, 3,
81 61, 53, 45, 37, 29, 21, 13, 5, 63, 55, 47, 39, 31, 23, 15, 7
82 };
83
84 static uint8 inv_key_perm[64];
85 static uint8 u_key_perm[56];
86 static uint8 key_perm[56] = {
87 57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18,
88 10, 2, 59, 51, 43, 35, 27, 19, 11, 3, 60, 52, 44, 36,
89 63, 55, 47, 39, 31, 23, 15, 7, 62, 54, 46, 38, 30, 22,
90 14, 6, 61, 53, 45, 37, 29, 21, 13, 5, 28, 20, 12, 4
91 };
92
93 static uint8 key_shifts[16] = {
94 1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1
95 };
96
97 static uint8 inv_comp_perm[56];
98 static uint8 comp_perm[48] = {
99 14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10,
100 23, 19, 12, 4, 26, 8, 16, 7, 27, 20, 13, 2,
101 41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48,
102 44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32
103 };
104
105 /*
106 * No E box is used, as it's replaced by some ANDs, shifts, and ORs.
107 */
108
109 static uint8 u_sbox[8][64];
110 static uint8 sbox[8][64] = {
111 {
112 14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7,
113 0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8,
114 4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0,
115 15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13
116 },
117 {
118 15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10,
119 3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5,
120 0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15,
121 13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9
122 },
123 {
124 10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8,
125 13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1,
126 13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7,
127 1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12
128 },
129 {
130 7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15,
131 13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9,
132 10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4,
133 3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14
134 },
135 {
136 2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9,
137 14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6,
138 4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14,
139 11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3
140 },
141 {
142 12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11,
143 10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8,
144 9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6,
145 4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13
146 },
147 {
148 4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1,
149 13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6,
150 1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2,
151 6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12
152 },
153 {
154 13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7,
155 1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2,
156 7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8,
157 2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11
158 }
159 };
160
161 static uint8 un_pbox[32];
162 static uint8 pbox[32] = {
163 16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10,
164 2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25
165 };
166
167 static uint32 _crypt_bits32[32] =
168 {
169 0x80000000, 0x40000000, 0x20000000, 0x10000000,
170 0x08000000, 0x04000000, 0x02000000, 0x01000000,
171 0x00800000, 0x00400000, 0x00200000, 0x00100000,
172 0x00080000, 0x00040000, 0x00020000, 0x00010000,
173 0x00008000, 0x00004000, 0x00002000, 0x00001000,
174 0x00000800, 0x00000400, 0x00000200, 0x00000100,
175 0x00000080, 0x00000040, 0x00000020, 0x00000010,
176 0x00000008, 0x00000004, 0x00000002, 0x00000001
177 };
178
179 static uint8 _crypt_bits8[8] = {0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02, 0x01};
180
181 static uint32 saltbits;
182 static long old_salt;
183 static uint32 *bits28,
184 *bits24;
185 static uint8 init_perm[64],
186 final_perm[64];
187 static uint32 en_keysl[16],
188 en_keysr[16];
189 static uint32 de_keysl[16],
190 de_keysr[16];
191 static int des_initialised = 0;
192 static uint8 m_sbox[4][4096];
193 static uint32 psbox[4][256];
194 static uint32 ip_maskl[8][256],
195 ip_maskr[8][256];
196 static uint32 fp_maskl[8][256],
197 fp_maskr[8][256];
198 static uint32 key_perm_maskl[8][128],
199 key_perm_maskr[8][128];
200 static uint32 comp_maskl[8][128],
201 comp_maskr[8][128];
202 static uint32 old_rawkey0,
203 old_rawkey1;
204
205 static inline int
ascii_to_bin(char ch)206 ascii_to_bin(char ch)
207 {
208 if (ch > 'z')
209 return (0);
210 if (ch >= 'a')
211 return (ch - 'a' + 38);
212 if (ch > 'Z')
213 return (0);
214 if (ch >= 'A')
215 return (ch - 'A' + 12);
216 if (ch > '9')
217 return (0);
218 if (ch >= '.')
219 return (ch - '.');
220 return (0);
221 }
222
223 static void
des_init(void)224 des_init(void)
225 {
226 int i,
227 j,
228 b,
229 k,
230 inbit,
231 obit;
232 uint32 *p,
233 *il,
234 *ir,
235 *fl,
236 *fr;
237
238 old_rawkey0 = old_rawkey1 = 0L;
239 saltbits = 0L;
240 old_salt = 0L;
241 bits24 = (bits28 = _crypt_bits32 + 4) + 4;
242
243 /*
244 * Invert the S-boxes, reordering the input bits.
245 */
246 for (i = 0; i < 8; i++)
247 for (j = 0; j < 64; j++)
248 {
249 b = (j & 0x20) | ((j & 1) << 4) | ((j >> 1) & 0xf);
250 u_sbox[i][j] = sbox[i][b];
251 }
252
253 /*
254 * Convert the inverted S-boxes into 4 arrays of 8 bits. Each will handle
255 * 12 bits of the S-box input.
256 */
257 for (b = 0; b < 4; b++)
258 for (i = 0; i < 64; i++)
259 for (j = 0; j < 64; j++)
260 m_sbox[b][(i << 6) | j] =
261 (u_sbox[(b << 1)][i] << 4) |
262 u_sbox[(b << 1) + 1][j];
263
264 /*
265 * Set up the initial & final permutations into a useful form, and
266 * initialise the inverted key permutation.
267 */
268 for (i = 0; i < 64; i++)
269 {
270 init_perm[final_perm[i] = IP[i] - 1] = i;
271 inv_key_perm[i] = 255;
272 }
273
274 /*
275 * Invert the key permutation and initialise the inverted key compression
276 * permutation.
277 */
278 for (i = 0; i < 56; i++)
279 {
280 u_key_perm[i] = key_perm[i] - 1;
281 inv_key_perm[key_perm[i] - 1] = i;
282 inv_comp_perm[i] = 255;
283 }
284
285 /*
286 * Invert the key compression permutation.
287 */
288 for (i = 0; i < 48; i++)
289 inv_comp_perm[comp_perm[i] - 1] = i;
290
291 /*
292 * Set up the OR-mask arrays for the initial and final permutations, and
293 * for the key initial and compression permutations.
294 */
295 for (k = 0; k < 8; k++)
296 {
297 for (i = 0; i < 256; i++)
298 {
299 *(il = &ip_maskl[k][i]) = 0L;
300 *(ir = &ip_maskr[k][i]) = 0L;
301 *(fl = &fp_maskl[k][i]) = 0L;
302 *(fr = &fp_maskr[k][i]) = 0L;
303 for (j = 0; j < 8; j++)
304 {
305 inbit = 8 * k + j;
306 if (i & _crypt_bits8[j])
307 {
308 if ((obit = init_perm[inbit]) < 32)
309 *il |= _crypt_bits32[obit];
310 else
311 *ir |= _crypt_bits32[obit - 32];
312 if ((obit = final_perm[inbit]) < 32)
313 *fl |= _crypt_bits32[obit];
314 else
315 *fr |= _crypt_bits32[obit - 32];
316 }
317 }
318 }
319 for (i = 0; i < 128; i++)
320 {
321 *(il = &key_perm_maskl[k][i]) = 0L;
322 *(ir = &key_perm_maskr[k][i]) = 0L;
323 for (j = 0; j < 7; j++)
324 {
325 inbit = 8 * k + j;
326 if (i & _crypt_bits8[j + 1])
327 {
328 if ((obit = inv_key_perm[inbit]) == 255)
329 continue;
330 if (obit < 28)
331 *il |= bits28[obit];
332 else
333 *ir |= bits28[obit - 28];
334 }
335 }
336 *(il = &comp_maskl[k][i]) = 0L;
337 *(ir = &comp_maskr[k][i]) = 0L;
338 for (j = 0; j < 7; j++)
339 {
340 inbit = 7 * k + j;
341 if (i & _crypt_bits8[j + 1])
342 {
343 if ((obit = inv_comp_perm[inbit]) == 255)
344 continue;
345 if (obit < 24)
346 *il |= bits24[obit];
347 else
348 *ir |= bits24[obit - 24];
349 }
350 }
351 }
352 }
353
354 /*
355 * Invert the P-box permutation, and convert into OR-masks for handling
356 * the output of the S-box arrays setup above.
357 */
358 for (i = 0; i < 32; i++)
359 un_pbox[pbox[i] - 1] = i;
360
361 for (b = 0; b < 4; b++)
362 for (i = 0; i < 256; i++)
363 {
364 *(p = &psbox[b][i]) = 0L;
365 for (j = 0; j < 8; j++)
366 {
367 if (i & _crypt_bits8[j])
368 *p |= _crypt_bits32[un_pbox[8 * b + j]];
369 }
370 }
371
372 des_initialised = 1;
373 }
374
375 static void
setup_salt(long salt)376 setup_salt(long salt)
377 {
378 uint32 obit,
379 saltbit;
380 int i;
381
382 if (salt == old_salt)
383 return;
384 old_salt = salt;
385
386 saltbits = 0L;
387 saltbit = 1;
388 obit = 0x800000;
389 for (i = 0; i < 24; i++)
390 {
391 if (salt & saltbit)
392 saltbits |= obit;
393 saltbit <<= 1;
394 obit >>= 1;
395 }
396 }
397
398 static int
des_setkey(const char * key)399 des_setkey(const char *key)
400 {
401 uint32 k0,
402 k1,
403 rawkey0,
404 rawkey1;
405 int shifts,
406 round;
407
408 if (!des_initialised)
409 des_init();
410
411 rawkey0 = ntohl(*(const uint32 *) key);
412 rawkey1 = ntohl(*(const uint32 *) (key + 4));
413
414 if ((rawkey0 | rawkey1)
415 && rawkey0 == old_rawkey0
416 && rawkey1 == old_rawkey1)
417 {
418 /*
419 * Already setup for this key. This optimisation fails on a zero key
420 * (which is weak and has bad parity anyway) in order to simplify the
421 * starting conditions.
422 */
423 return (0);
424 }
425 old_rawkey0 = rawkey0;
426 old_rawkey1 = rawkey1;
427
428 /*
429 * Do key permutation and split into two 28-bit subkeys.
430 */
431 k0 = key_perm_maskl[0][rawkey0 >> 25]
432 | key_perm_maskl[1][(rawkey0 >> 17) & 0x7f]
433 | key_perm_maskl[2][(rawkey0 >> 9) & 0x7f]
434 | key_perm_maskl[3][(rawkey0 >> 1) & 0x7f]
435 | key_perm_maskl[4][rawkey1 >> 25]
436 | key_perm_maskl[5][(rawkey1 >> 17) & 0x7f]
437 | key_perm_maskl[6][(rawkey1 >> 9) & 0x7f]
438 | key_perm_maskl[7][(rawkey1 >> 1) & 0x7f];
439 k1 = key_perm_maskr[0][rawkey0 >> 25]
440 | key_perm_maskr[1][(rawkey0 >> 17) & 0x7f]
441 | key_perm_maskr[2][(rawkey0 >> 9) & 0x7f]
442 | key_perm_maskr[3][(rawkey0 >> 1) & 0x7f]
443 | key_perm_maskr[4][rawkey1 >> 25]
444 | key_perm_maskr[5][(rawkey1 >> 17) & 0x7f]
445 | key_perm_maskr[6][(rawkey1 >> 9) & 0x7f]
446 | key_perm_maskr[7][(rawkey1 >> 1) & 0x7f];
447
448 /*
449 * Rotate subkeys and do compression permutation.
450 */
451 shifts = 0;
452 for (round = 0; round < 16; round++)
453 {
454 uint32 t0,
455 t1;
456
457 shifts += key_shifts[round];
458
459 t0 = (k0 << shifts) | (k0 >> (28 - shifts));
460 t1 = (k1 << shifts) | (k1 >> (28 - shifts));
461
462 de_keysl[15 - round] =
463 en_keysl[round] = comp_maskl[0][(t0 >> 21) & 0x7f]
464 | comp_maskl[1][(t0 >> 14) & 0x7f]
465 | comp_maskl[2][(t0 >> 7) & 0x7f]
466 | comp_maskl[3][t0 & 0x7f]
467 | comp_maskl[4][(t1 >> 21) & 0x7f]
468 | comp_maskl[5][(t1 >> 14) & 0x7f]
469 | comp_maskl[6][(t1 >> 7) & 0x7f]
470 | comp_maskl[7][t1 & 0x7f];
471
472 de_keysr[15 - round] =
473 en_keysr[round] = comp_maskr[0][(t0 >> 21) & 0x7f]
474 | comp_maskr[1][(t0 >> 14) & 0x7f]
475 | comp_maskr[2][(t0 >> 7) & 0x7f]
476 | comp_maskr[3][t0 & 0x7f]
477 | comp_maskr[4][(t1 >> 21) & 0x7f]
478 | comp_maskr[5][(t1 >> 14) & 0x7f]
479 | comp_maskr[6][(t1 >> 7) & 0x7f]
480 | comp_maskr[7][t1 & 0x7f];
481 }
482 return (0);
483 }
484
485 static int
do_des(uint32 l_in,uint32 r_in,uint32 * l_out,uint32 * r_out,int count)486 do_des(uint32 l_in, uint32 r_in, uint32 *l_out, uint32 *r_out, int count)
487 {
488 /*
489 * l_in, r_in, l_out, and r_out are in pseudo-"big-endian" format.
490 */
491 uint32 l,
492 r,
493 *kl,
494 *kr,
495 *kl1,
496 *kr1;
497 uint32 f,
498 r48l,
499 r48r;
500 int round;
501
502 if (count == 0)
503 return (1);
504 else if (count > 0)
505 {
506 /*
507 * Encrypting
508 */
509 kl1 = en_keysl;
510 kr1 = en_keysr;
511 }
512 else
513 {
514 /*
515 * Decrypting
516 */
517 count = -count;
518 kl1 = de_keysl;
519 kr1 = de_keysr;
520 }
521
522 /*
523 * Do initial permutation (IP).
524 */
525 l = ip_maskl[0][l_in >> 24]
526 | ip_maskl[1][(l_in >> 16) & 0xff]
527 | ip_maskl[2][(l_in >> 8) & 0xff]
528 | ip_maskl[3][l_in & 0xff]
529 | ip_maskl[4][r_in >> 24]
530 | ip_maskl[5][(r_in >> 16) & 0xff]
531 | ip_maskl[6][(r_in >> 8) & 0xff]
532 | ip_maskl[7][r_in & 0xff];
533 r = ip_maskr[0][l_in >> 24]
534 | ip_maskr[1][(l_in >> 16) & 0xff]
535 | ip_maskr[2][(l_in >> 8) & 0xff]
536 | ip_maskr[3][l_in & 0xff]
537 | ip_maskr[4][r_in >> 24]
538 | ip_maskr[5][(r_in >> 16) & 0xff]
539 | ip_maskr[6][(r_in >> 8) & 0xff]
540 | ip_maskr[7][r_in & 0xff];
541
542 while (count--)
543 {
544 CHECK_FOR_INTERRUPTS();
545
546 /*
547 * Do each round.
548 */
549 kl = kl1;
550 kr = kr1;
551 round = 16;
552 while (round--)
553 {
554 /*
555 * Expand R to 48 bits (simulate the E-box).
556 */
557 r48l = ((r & 0x00000001) << 23)
558 | ((r & 0xf8000000) >> 9)
559 | ((r & 0x1f800000) >> 11)
560 | ((r & 0x01f80000) >> 13)
561 | ((r & 0x001f8000) >> 15);
562
563 r48r = ((r & 0x0001f800) << 7)
564 | ((r & 0x00001f80) << 5)
565 | ((r & 0x000001f8) << 3)
566 | ((r & 0x0000001f) << 1)
567 | ((r & 0x80000000) >> 31);
568
569 /*
570 * Do salting for crypt() and friends, and XOR with the permuted
571 * key.
572 */
573 f = (r48l ^ r48r) & saltbits;
574 r48l ^= f ^ *kl++;
575 r48r ^= f ^ *kr++;
576
577 /*
578 * Do sbox lookups (which shrink it back to 32 bits) and do the
579 * pbox permutation at the same time.
580 */
581 f = psbox[0][m_sbox[0][r48l >> 12]]
582 | psbox[1][m_sbox[1][r48l & 0xfff]]
583 | psbox[2][m_sbox[2][r48r >> 12]]
584 | psbox[3][m_sbox[3][r48r & 0xfff]];
585
586 /*
587 * Now that we've permuted things, complete f().
588 */
589 f ^= l;
590 l = r;
591 r = f;
592 }
593 r = l;
594 l = f;
595 }
596
597 /*
598 * Do final permutation (inverse of IP).
599 */
600 *l_out = fp_maskl[0][l >> 24]
601 | fp_maskl[1][(l >> 16) & 0xff]
602 | fp_maskl[2][(l >> 8) & 0xff]
603 | fp_maskl[3][l & 0xff]
604 | fp_maskl[4][r >> 24]
605 | fp_maskl[5][(r >> 16) & 0xff]
606 | fp_maskl[6][(r >> 8) & 0xff]
607 | fp_maskl[7][r & 0xff];
608 *r_out = fp_maskr[0][l >> 24]
609 | fp_maskr[1][(l >> 16) & 0xff]
610 | fp_maskr[2][(l >> 8) & 0xff]
611 | fp_maskr[3][l & 0xff]
612 | fp_maskr[4][r >> 24]
613 | fp_maskr[5][(r >> 16) & 0xff]
614 | fp_maskr[6][(r >> 8) & 0xff]
615 | fp_maskr[7][r & 0xff];
616 return (0);
617 }
618
619 static int
des_cipher(const char * in,char * out,long salt,int count)620 des_cipher(const char *in, char *out, long salt, int count)
621 {
622 uint32 buffer[2];
623 uint32 l_out,
624 r_out,
625 rawl,
626 rawr;
627 int retval;
628
629 if (!des_initialised)
630 des_init();
631
632 setup_salt(salt);
633
634 /* copy data to avoid assuming input is word-aligned */
635 memcpy(buffer, in, sizeof(buffer));
636
637 rawl = ntohl(buffer[0]);
638 rawr = ntohl(buffer[1]);
639
640 retval = do_des(rawl, rawr, &l_out, &r_out, count);
641 if (retval)
642 return (retval);
643
644 buffer[0] = htonl(l_out);
645 buffer[1] = htonl(r_out);
646
647 /* copy data to avoid assuming output is word-aligned */
648 memcpy(out, buffer, sizeof(buffer));
649
650 return (retval);
651 }
652
653 char *
px_crypt_des(const char * key,const char * setting)654 px_crypt_des(const char *key, const char *setting)
655 {
656 int i;
657 uint32 count,
658 salt,
659 l,
660 r0,
661 r1,
662 keybuf[2];
663 char *p;
664 uint8 *q;
665 static char output[21];
666
667 if (!des_initialised)
668 des_init();
669
670
671 /*
672 * Copy the key, shifting each character up by one bit and padding with
673 * zeros.
674 */
675 q = (uint8 *) keybuf;
676 while (q - (uint8 *) keybuf - 8)
677 {
678 *q++ = *key << 1;
679 if (*key != '\0')
680 key++;
681 }
682 if (des_setkey((char *) keybuf))
683 return (NULL);
684
685 #ifndef DISABLE_XDES
686 if (*setting == _PASSWORD_EFMT1)
687 {
688 /*
689 * "new"-style: setting must be a 9-character (underscore, then 4
690 * bytes of count, then 4 bytes of salt) string. See CRYPT(3) under
691 * the "Extended crypt" heading for further details.
692 *
693 * Unlimited characters of the input key are used. This is known as
694 * the "Extended crypt" DES method.
695 *
696 */
697 if (strlen(setting) < 9)
698 ereport(ERROR,
699 (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
700 errmsg("invalid salt")));
701
702 for (i = 1, count = 0L; i < 5; i++)
703 count |= ascii_to_bin(setting[i]) << (i - 1) * 6;
704
705 for (i = 5, salt = 0L; i < 9; i++)
706 salt |= ascii_to_bin(setting[i]) << (i - 5) * 6;
707
708 while (*key)
709 {
710 /*
711 * Encrypt the key with itself.
712 */
713 if (des_cipher((char *) keybuf, (char *) keybuf, 0L, 1))
714 return (NULL);
715
716 /*
717 * And XOR with the next 8 characters of the key.
718 */
719 q = (uint8 *) keybuf;
720 while (q - (uint8 *) keybuf - 8 && *key)
721 *q++ ^= *key++ << 1;
722
723 if (des_setkey((char *) keybuf))
724 return (NULL);
725 }
726 StrNCpy(output, setting, 10);
727
728 /*
729 * Double check that we weren't given a short setting. If we were, the
730 * above code will probably have created weird values for count and
731 * salt, but we don't really care. Just make sure the output string
732 * doesn't have an extra NUL in it.
733 */
734 p = output + strlen(output);
735 }
736 else
737 #endif /* !DISABLE_XDES */
738 {
739 /*
740 * "old"-style: setting - 2 bytes of salt key - only up to the first 8
741 * characters of the input key are used.
742 */
743 count = 25;
744
745 if (strlen(setting) < 2)
746 ereport(ERROR,
747 (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
748 errmsg("invalid salt")));
749
750 salt = (ascii_to_bin(setting[1]) << 6)
751 | ascii_to_bin(setting[0]);
752
753 output[0] = setting[0];
754
755 /*
756 * If the encrypted password that the salt was extracted from is only
757 * 1 character long, the salt will be corrupted. We need to ensure
758 * that the output string doesn't have an extra NUL in it!
759 */
760 output[1] = setting[1] ? setting[1] : output[0];
761
762 p = output + 2;
763 }
764 setup_salt(salt);
765
766 /*
767 * Do it.
768 */
769 if (do_des(0L, 0L, &r0, &r1, count))
770 return (NULL);
771
772 /*
773 * Now encode the result...
774 */
775 l = (r0 >> 8);
776 *p++ = _crypt_a64[(l >> 18) & 0x3f];
777 *p++ = _crypt_a64[(l >> 12) & 0x3f];
778 *p++ = _crypt_a64[(l >> 6) & 0x3f];
779 *p++ = _crypt_a64[l & 0x3f];
780
781 l = (r0 << 16) | ((r1 >> 16) & 0xffff);
782 *p++ = _crypt_a64[(l >> 18) & 0x3f];
783 *p++ = _crypt_a64[(l >> 12) & 0x3f];
784 *p++ = _crypt_a64[(l >> 6) & 0x3f];
785 *p++ = _crypt_a64[l & 0x3f];
786
787 l = r1 << 2;
788 *p++ = _crypt_a64[(l >> 12) & 0x3f];
789 *p++ = _crypt_a64[(l >> 6) & 0x3f];
790 *p++ = _crypt_a64[l & 0x3f];
791 *p = 0;
792
793 return (output);
794 }
795