1 /* 2 * Copyright 2005 Sun Microsystems, Inc. All rights reserved. 3 * Use is subject to license terms. 4 */ 5 6 #pragma ident "%Z%%M% %I% %E% SMI" 7 8 /* 9 * lib/crypto/des/string2key.c 10 * 11 * based on lib/crypto/des/string2key.c from MIT V5 12 * and on lib/des/afs_string_to_key.c from UMD. 13 * constructed by Mark Eichin, Cygnus Support, 1995. 14 * made thread-safe by Ken Raeburn, MIT, 2001. 15 */ 16 17 /* 18 * Copyright 2001 by the Massachusetts Institute of Technology. 19 * All Rights Reserved. 20 * 21 * Export of this software from the United States of America may 22 * require a specific license from the United States Government. 23 * It is the responsibility of any person or organization contemplating 24 * export to obtain such a license before exporting. 25 * 26 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and 27 * distribute this software and its documentation for any purpose and 28 * without fee is hereby granted, provided that the above copyright 29 * notice appear in all copies and that both that copyright notice and 30 * this permission notice appear in supporting documentation, and that 31 * the name of M.I.T. not be used in advertising or publicity pertaining 32 * to distribution of the software without specific, written prior 33 * permission. Furthermore if you modify this software you must label 34 * your software as modified software and not distribute it in such a 35 * fashion that it might be confused with the original M.I.T. software. 36 * M.I.T. makes no representations about the suitability of 37 * this software for any purpose. It is provided "as is" without express 38 * or implied warranty. 39 */ 40 41 /* 42 * Copyright (C) 1998 by the FundsXpress, INC. 43 * 44 * All rights reserved. 45 * 46 * Export of this software from the United States of America may require 47 * a specific license from the United States Government. It is the 48 * responsibility of any person or organization contemplating export to 49 * obtain such a license before exporting. 50 * 51 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and 52 * distribute this software and its documentation for any purpose and 53 * without fee is hereby granted, provided that the above copyright 54 * notice appear in all copies and that both that copyright notice and 55 * this permission notice appear in supporting documentation, and that 56 * the name of FundsXpress. not be used in advertising or publicity pertaining 57 * to distribution of the software without specific, written prior 58 * permission. FundsXpress makes no representations about the suitability of 59 * this software for any purpose. It is provided "as is" without express 60 * or implied warranty. 61 * 62 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR 63 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED 64 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. 65 */ 66 67 #include "k5-int.h" 68 #include "des_int.h" 69 #include <ctype.h> 70 71 #define afs_crypt mit_afs_crypt 72 char *afs_crypt (const char *, const char *, char *); 73 74 #undef min 75 #define min(a,b) ((a)>(b)?(b):(a)) 76 77 /*ARGSUSED*/ 78 krb5_error_code 79 mit_afs_string_to_key (krb5_context context, 80 krb5_keyblock *keyblock, const krb5_data *data, 81 const krb5_data *salt) 82 { 83 krb5_error_code retval = KRB5_PROG_ETYPE_NOSUPP; 84 /* EXPORT DELETE START */ 85 /* totally different approach from MIT string2key. */ 86 /* much of the work has already been done by the only caller 87 which is mit_des_string_to_key; in particular, *keyblock is already 88 set up. */ 89 90 char *realm = salt->data; 91 unsigned int i, j; 92 krb5_octet *key = keyblock->contents; 93 krb5_keyblock usekey; 94 95 if (data->length <= 8) { 96 /* One block only. Run afs_crypt and use the first eight 97 returned bytes after the copy of the (fixed) salt. 98 99 Since the returned bytes are alphanumeric, the output is 100 limited to 2**48 possibilities; for each byte, only 64 101 possible values can be used. */ 102 unsigned char password[9]; /* trailing nul for crypt() */ 103 char afs_crypt_buf[16]; 104 105 memset (password, 0, sizeof (password)); 106 memcpy (password, realm, min (salt->length, 8)); 107 for (i=0; i<8; i++) 108 if (isupper(password[i])) 109 password[i] = tolower(password[i]); 110 for (i=0; i<data->length; i++) 111 password[i] ^= data->data[i]; 112 for (i=0; i<8; i++) 113 if (password[i] == '\0') 114 password[i] = 'X'; 115 password[8] = '\0'; 116 /* Out-of-bounds salt characters are equivalent to a salt string 117 of "p1". */ 118 strncpy((char *) key, 119 (char *) afs_crypt((char *) password, "#~", afs_crypt_buf) + 2, 120 8); 121 for (i=0; i<8; i++) 122 key[i] <<= 1; 123 /* now fix up key parity again */ 124 mit_des_fixup_key_parity(key); 125 /* clean & free the input string */ 126 memset(password, 0, (size_t) sizeof(password)); 127 } else { 128 /* Multiple blocks. Do a CBC checksum, twice, and use the 129 result as the new key. */ 130 mit_des_cblock ikey, tkey; 131 unsigned int pw_len = salt->length+data->length; 132 unsigned char *password = malloc(pw_len+1); 133 134 if (!password) return ENOMEM; 135 136 /* Some bound checks from the original code are elided here as 137 the malloc above makes sure we have enough storage. */ 138 memcpy (password, data->data, data->length); 139 for (i=data->length, j = 0; j < salt->length; i++, j++) { 140 password[i] = realm[j]; 141 if (isupper(password[i])) 142 password[i] = tolower(password[i]); 143 } 144 145 memcpy (ikey, "kerberos", sizeof(ikey)); 146 memcpy (tkey, ikey, sizeof(tkey)); 147 mit_des_fixup_key_parity (tkey); 148 149 usekey.enctype = ENCTYPE_DES_CBC_CRC; 150 usekey.contents = tkey; 151 usekey.length = 8; 152 retval = mit_des_cbc_cksum (context, (unsigned char *)password, 153 tkey, i, &usekey, ikey); 154 155 memcpy (ikey, tkey, sizeof(ikey)); 156 mit_des_fixup_key_parity (tkey); 157 158 if (usekey.hKey != CK_INVALID_HANDLE) { 159 (void) C_DestroyObject(krb_ctx_hSession(context), usekey.hKey); 160 usekey.hKey = CK_INVALID_HANDLE; 161 } 162 usekey.contents = tkey; 163 usekey.length = 8; 164 retval = mit_des_cbc_cksum (context, (unsigned char *) password, 165 key, i, &usekey, ikey); 166 167 /* now fix up key parity again */ 168 mit_des_fixup_key_parity(key); 169 170 if (usekey.hKey != CK_INVALID_HANDLE) { 171 (void) C_DestroyObject(krb_ctx_hSession(context), usekey.hKey); 172 usekey.hKey = CK_INVALID_HANDLE; 173 } 174 /* clean & free the input string */ 175 memset(password, 0, (size_t) pw_len); 176 krb5_xfree(password); 177 } 178 #if 0 179 /* must free here because it was copied for this special case */ 180 krb5_xfree(salt->data); 181 #endif 182 183 /* EXPORT DELETE END */ 184 return retval; 185 } 186 187 188 /* Portions of this code: 189 Copyright 1989 by the Massachusetts Institute of Technology 190 */ 191 192 /* 193 * Copyright (c) 1990 Regents of The University of Michigan. 194 * All Rights Reserved. 195 * 196 * Permission to use, copy, modify, and distribute this software 197 * and its documentation for any purpose and without fee is hereby 198 * granted, provided that the above copyright notice appears in all 199 * copies and that both that copyright notice and this permission 200 * notice appear in supporting documentation, and that the name of 201 * The University of Michigan not be used in advertising or 202 * publicity pertaining to distribution of the software without 203 * specific, written prior permission. This software is supplied as 204 * is without expressed or implied warranties of any kind. 205 * 206 * ITD Research Systems 207 * University of Michigan 208 * 535 W. William Street 209 * Ann Arbor, Michigan 210 * +1-313-936-2652 211 * netatalk@terminator.cc.umich.edu 212 */ 213 214 /* EXPORT DELETE START */ 215 216 static void krb5_afs_crypt_setkey (char*, char*, char(*)[48]); 217 static void krb5_afs_encrypt (char*,char*,char (*)[48]); 218 219 /* 220 * Initial permutation, 221 */ 222 static const char IP[] = { 223 58,50,42,34,26,18,10, 2, 224 60,52,44,36,28,20,12, 4, 225 62,54,46,38,30,22,14, 6, 226 64,56,48,40,32,24,16, 8, 227 57,49,41,33,25,17, 9, 1, 228 59,51,43,35,27,19,11, 3, 229 61,53,45,37,29,21,13, 5, 230 63,55,47,39,31,23,15, 7, 231 }; 232 233 /* 234 * Final permutation, FP = IP^(-1) 235 */ 236 static const char FP[] = { 237 40, 8,48,16,56,24,64,32, 238 39, 7,47,15,55,23,63,31, 239 38, 6,46,14,54,22,62,30, 240 37, 5,45,13,53,21,61,29, 241 36, 4,44,12,52,20,60,28, 242 35, 3,43,11,51,19,59,27, 243 34, 2,42,10,50,18,58,26, 244 33, 1,41, 9,49,17,57,25, 245 }; 246 247 /* 248 * Permuted-choice 1 from the key bits to yield C and D. 249 * Note that bits 8,16... are left out: They are intended for a parity check. 250 */ 251 static const char PC1_C[] = { 252 57,49,41,33,25,17, 9, 253 1,58,50,42,34,26,18, 254 10, 2,59,51,43,35,27, 255 19,11, 3,60,52,44,36, 256 }; 257 258 static const char PC1_D[] = { 259 63,55,47,39,31,23,15, 260 7,62,54,46,38,30,22, 261 14, 6,61,53,45,37,29, 262 21,13, 5,28,20,12, 4, 263 }; 264 265 /* 266 * Sequence of shifts used for the key schedule. 267 */ 268 static const char shifts[] = { 269 1,1,2,2,2,2,2,2,1,2,2,2,2,2,2,1, 270 }; 271 272 /* 273 * Permuted-choice 2, to pick out the bits from 274 * the CD array that generate the key schedule. 275 */ 276 static const char PC2_C[] = { 277 14,17,11,24, 1, 5, 278 3,28,15, 6,21,10, 279 23,19,12, 4,26, 8, 280 16, 7,27,20,13, 2, 281 }; 282 283 static const char PC2_D[] = { 284 41,52,31,37,47,55, 285 30,40,51,45,33,48, 286 44,49,39,56,34,53, 287 46,42,50,36,29,32, 288 }; 289 290 /* 291 * The E bit-selection table. 292 */ 293 static const char e[] = { 294 32, 1, 2, 3, 4, 5, 295 4, 5, 6, 7, 8, 9, 296 8, 9,10,11,12,13, 297 12,13,14,15,16,17, 298 16,17,18,19,20,21, 299 20,21,22,23,24,25, 300 24,25,26,27,28,29, 301 28,29,30,31,32, 1, 302 }; 303 304 /* 305 * P is a permutation on the selected combination 306 * of the current L and key. 307 */ 308 static const char P[] = { 309 16, 7,20,21, 310 29,12,28,17, 311 1,15,23,26, 312 5,18,31,10, 313 2, 8,24,14, 314 32,27, 3, 9, 315 19,13,30, 6, 316 22,11, 4,25, 317 }; 318 319 /* 320 * The 8 selection functions. 321 * For some reason, they give a 0-origin 322 * index, unlike everything else. 323 */ 324 static const char S[8][64] = { 325 {14, 4,13, 1, 2,15,11, 8, 3,10, 6,12, 5, 9, 0, 7, 326 0,15, 7, 4,14, 2,13, 1,10, 6,12,11, 9, 5, 3, 8, 327 4, 1,14, 8,13, 6, 2,11,15,12, 9, 7, 3,10, 5, 0, 328 15,12, 8, 2, 4, 9, 1, 7, 5,11, 3,14,10, 0, 6,13}, 329 330 {15, 1, 8,14, 6,11, 3, 4, 9, 7, 2,13,12, 0, 5,10, 331 3,13, 4, 7,15, 2, 8,14,12, 0, 1,10, 6, 9,11, 5, 332 0,14, 7,11,10, 4,13, 1, 5, 8,12, 6, 9, 3, 2,15, 333 13, 8,10, 1, 3,15, 4, 2,11, 6, 7,12, 0, 5,14, 9}, 334 335 {10, 0, 9,14, 6, 3,15, 5, 1,13,12, 7,11, 4, 2, 8, 336 13, 7, 0, 9, 3, 4, 6,10, 2, 8, 5,14,12,11,15, 1, 337 13, 6, 4, 9, 8,15, 3, 0,11, 1, 2,12, 5,10,14, 7, 338 1,10,13, 0, 6, 9, 8, 7, 4,15,14, 3,11, 5, 2,12}, 339 340 { 7,13,14, 3, 0, 6, 9,10, 1, 2, 8, 5,11,12, 4,15, 341 13, 8,11, 5, 6,15, 0, 3, 4, 7, 2,12, 1,10,14, 9, 342 10, 6, 9, 0,12,11, 7,13,15, 1, 3,14, 5, 2, 8, 4, 343 3,15, 0, 6,10, 1,13, 8, 9, 4, 5,11,12, 7, 2,14}, 344 345 { 2,12, 4, 1, 7,10,11, 6, 8, 5, 3,15,13, 0,14, 9, 346 14,11, 2,12, 4, 7,13, 1, 5, 0,15,10, 3, 9, 8, 6, 347 4, 2, 1,11,10,13, 7, 8,15, 9,12, 5, 6, 3, 0,14, 348 11, 8,12, 7, 1,14, 2,13, 6,15, 0, 9,10, 4, 5, 3}, 349 350 {12, 1,10,15, 9, 2, 6, 8, 0,13, 3, 4,14, 7, 5,11, 351 10,15, 4, 2, 7,12, 9, 5, 6, 1,13,14, 0,11, 3, 8, 352 9,14,15, 5, 2, 8,12, 3, 7, 0, 4,10, 1,13,11, 6, 353 4, 3, 2,12, 9, 5,15,10,11,14, 1, 7, 6, 0, 8,13}, 354 355 { 4,11, 2,14,15, 0, 8,13, 3,12, 9, 7, 5,10, 6, 1, 356 13, 0,11, 7, 4, 9, 1,10,14, 3, 5,12, 2,15, 8, 6, 357 1, 4,11,13,12, 3, 7,14,10,15, 6, 8, 0, 5, 9, 2, 358 6,11,13, 8, 1, 4,10, 7, 9, 5, 0,15,14, 2, 3,12}, 359 360 {13, 2, 8, 4, 6,15,11, 1,10, 9, 3,14, 5, 0,12, 7, 361 1,15,13, 8,10, 3, 7, 4,12, 5, 6,11, 0,14, 9, 2, 362 7,11, 4, 1, 9,12,14, 2, 0, 6,10,13,15, 3, 5, 8, 363 2, 1,14, 7, 4,10, 8,13,15,12, 9, 0, 3, 5, 6,11}, 364 }; 365 366 367 char *afs_crypt(const char *pw, const char *salt, 368 /* must be at least 16 bytes */ 369 char *iobuf) 370 { 371 int i, j, c; 372 int temp; 373 char block[66]; 374 char E[48]; 375 /* 376 * The key schedule. 377 * Generated from the key. 378 */ 379 char KS[16][48]; 380 381 for(i=0; i<66; i++) 382 block[i] = 0; 383 for(i=0; ((c= *pw) != NULL) && i<64; pw++){ 384 for(j=0; j<7; j++, i++) 385 block[i] = (c>>(6-j)) & 01; 386 i++; 387 } 388 389 krb5_afs_crypt_setkey(block, E, KS); 390 391 for(i=0; i<66; i++) 392 block[i] = 0; 393 394 for(i=0;i<2;i++){ 395 c = *salt++; 396 iobuf[i] = c; 397 if(c>'Z') c -= 6; 398 if(c>'9') c -= 7; 399 c -= '.'; 400 for(j=0;j<6;j++){ 401 if((c>>j) & 01){ 402 temp = E[6*i+j]; 403 E[6*i+j] = E[6*i+j+24]; 404 E[6*i+j+24] = temp; 405 } 406 } 407 } 408 409 for(i=0; i<25; i++) 410 krb5_afs_encrypt(block,E,KS); 411 412 for(i=0; i<11; i++){ 413 c = 0; 414 for(j=0; j<6; j++){ 415 c <<= 1; 416 c |= block[6*i+j]; 417 } 418 c += '.'; 419 if(c>'9') c += 7; 420 if(c>'Z') c += 6; 421 iobuf[i+2] = c; 422 } 423 iobuf[i+2] = 0; 424 if(iobuf[1]==0) 425 iobuf[1] = iobuf[0]; 426 return(iobuf); 427 } 428 429 /* 430 * Set up the key schedule from the key. 431 */ 432 433 static void krb5_afs_crypt_setkey(char *key, char *E, char (*KS)[48]) 434 { 435 int i, j, k; 436 int t; 437 /* 438 * The C and D arrays used to calculate the key schedule. 439 */ 440 char C[28], D[28]; 441 442 /* 443 * First, generate C and D by permuting 444 * the key. The low order bit of each 445 * 8-bit char is not used, so C and D are only 28 446 * bits apiece. 447 */ 448 for (i=0; i<28; i++) { 449 C[i] = key[PC1_C[i]-1]; 450 D[i] = key[PC1_D[i]-1]; 451 } 452 /* 453 * To generate Ki, rotate C and D according 454 * to schedule and pick up a permutation 455 * using PC2. 456 */ 457 for (i=0; i<16; i++) { 458 /* 459 * rotate. 460 */ 461 for (k=0; k<shifts[i]; k++) { 462 t = C[0]; 463 for (j=0; j<28-1; j++) 464 C[j] = C[j+1]; 465 C[27] = t; 466 t = D[0]; 467 for (j=0; j<28-1; j++) 468 D[j] = D[j+1]; 469 D[27] = t; 470 } 471 /* 472 * get Ki. Note C and D are concatenated. 473 */ 474 for (j=0; j<24; j++) { 475 KS[i][j] = C[PC2_C[j]-1]; 476 KS[i][j+24] = D[PC2_D[j]-28-1]; 477 } 478 } 479 480 #if 0 481 for(i=0;i<48;i++) { 482 E[i] = e[i]; 483 } 484 #else 485 memcpy(E, e, 48); 486 #endif 487 } 488 489 /* 490 * The payoff: encrypt a block. 491 */ 492 493 static void krb5_afs_encrypt(char *block, char *E, char (*KS)[48]) 494 { 495 const long edflag = 0; 496 int i, ii; 497 int t, j, k; 498 char tempL[32]; 499 char f[32]; 500 /* 501 * The current block, divided into 2 halves. 502 */ 503 char L[64]; 504 char *const R = &L[32]; 505 /* 506 * The combination of the key and the input, before selection. 507 */ 508 char preS[48]; 509 510 /* 511 * First, permute the bits in the input 512 */ 513 for (j=0; j<64; j++) 514 L[j] = block[IP[j]-1]; 515 /* 516 * Perform an encryption operation 16 times. 517 */ 518 for (ii=0; ii<16; ii++) { 519 /* 520 * Set direction 521 */ 522 if (edflag) 523 i = 15-ii; 524 else 525 i = ii; 526 /* 527 * Save the R array, 528 * which will be the new L. 529 */ 530 #if 0 531 for (j=0; j<32; j++) 532 tempL[j] = R[j]; 533 #else 534 memcpy(tempL, R, 32); 535 #endif 536 /* 537 * Expand R to 48 bits using the E selector; 538 * exclusive-or with the current key bits. 539 */ 540 for (j=0; j<48; j++) 541 preS[j] = R[E[j]-1] ^ KS[i][j]; 542 /* 543 * The pre-select bits are now considered 544 * in 8 groups of 6 bits each. 545 * The 8 selection functions map these 546 * 6-bit quantities into 4-bit quantities 547 * and the results permuted 548 * to make an f(R, K). 549 * The indexing into the selection functions 550 * is peculiar; it could be simplified by 551 * rewriting the tables. 552 */ 553 for (j=0; j<8; j++) { 554 t = 6*j; 555 k = S[j][(preS[t+0]<<5)+ 556 (preS[t+1]<<3)+ 557 (preS[t+2]<<2)+ 558 (preS[t+3]<<1)+ 559 (preS[t+4]<<0)+ 560 (preS[t+5]<<4)]; 561 t = 4*j; 562 f[t+0] = (k>>3)&01; 563 f[t+1] = (k>>2)&01; 564 f[t+2] = (k>>1)&01; 565 f[t+3] = (k>>0)&01; 566 } 567 /* 568 * The new R is L ^ f(R, K). 569 * The f here has to be permuted first, though. 570 */ 571 for (j=0; j<32; j++) 572 R[j] = L[j] ^ f[P[j]-1]; 573 /* 574 * Finally, the new L (the original R) 575 * is copied back. 576 */ 577 #if 0 578 for (j=0; j<32; j++) 579 L[j] = tempL[j]; 580 #else 581 memcpy(L, tempL, 32); 582 #endif 583 } 584 /* 585 * The output L and R are reversed. 586 */ 587 for (j=0; j<32; j++) { 588 t = L[j]; 589 L[j] = R[j]; 590 R[j] = t; 591 } 592 /* 593 * The final output 594 * gets the inverse permutation of the very original. 595 */ 596 for (j=0; j<64; j++) 597 block[j] = L[FP[j]-1]; 598 } 599 /* EXPORT DELETE END */ 600