1 /* 2 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 3 * Use is subject to license terms. 4 */ 5 6 7 /* 8 * lib/crypto/des/string2key.c 9 * 10 * based on lib/crypto/des/string2key.c from MIT V5 11 * and on lib/des/afs_string_to_key.c from UMD. 12 * constructed by Mark Eichin, Cygnus Support, 1995. 13 * made thread-safe by Ken Raeburn, MIT, 2001. 14 */ 15 16 /* 17 * Copyright 2001 by the Massachusetts Institute of Technology. 18 * All Rights Reserved. 19 * 20 * Export of this software from the United States of America may 21 * require a specific license from the United States Government. 22 * It is the responsibility of any person or organization contemplating 23 * export to obtain such a license before exporting. 24 * 25 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and 26 * distribute this software and its documentation for any purpose and 27 * without fee is hereby granted, provided that the above copyright 28 * notice appear in all copies and that both that copyright notice and 29 * this permission notice appear in supporting documentation, and that 30 * the name of M.I.T. not be used in advertising or publicity pertaining 31 * to distribution of the software without specific, written prior 32 * permission. Furthermore if you modify this software you must label 33 * your software as modified software and not distribute it in such a 34 * fashion that it might be confused with the original M.I.T. software. 35 * M.I.T. makes no representations about the suitability of 36 * this software for any purpose. It is provided "as is" without express 37 * or implied warranty. 38 */ 39 40 /* 41 * Copyright (C) 1998 by the FundsXpress, INC. 42 * 43 * All rights reserved. 44 * 45 * Export of this software from the United States of America may require 46 * a specific license from the United States Government. It is the 47 * responsibility of any person or organization contemplating export to 48 * obtain such a license before exporting. 49 * 50 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and 51 * distribute this software and its documentation for any purpose and 52 * without fee is hereby granted, provided that the above copyright 53 * notice appear in all copies and that both that copyright notice and 54 * this permission notice appear in supporting documentation, and that 55 * the name of FundsXpress. not be used in advertising or publicity pertaining 56 * to distribution of the software without specific, written prior 57 * permission. FundsXpress makes no representations about the suitability of 58 * this software for any purpose. It is provided "as is" without express 59 * or implied warranty. 60 * 61 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR 62 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED 63 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. 64 */ 65 66 #include "k5-int.h" 67 #include "des_int.h" 68 #include <ctype.h> 69 70 #define afs_crypt mit_afs_crypt 71 char *afs_crypt (const char *, const char *, char *); 72 73 #undef min 74 #define min(a,b) ((a)>(b)?(b):(a)) 75 76 /*ARGSUSED*/ 77 krb5_error_code 78 mit_afs_string_to_key (krb5_context context, 79 krb5_keyblock *keyblock, const krb5_data *data, 80 const krb5_data *salt) 81 { 82 /* Solaris Kerberos */ 83 krb5_error_code retval = KRB5_PROG_ETYPE_NOSUPP; 84 /* EXPORT DELETE START */ 85 /* totally different approach from MIT string2key. */ 86 /* much of the work has already been done by the only caller 87 which is mit_des_string_to_key; in particular, *keyblock is already 88 set up. */ 89 90 char *realm = salt->data; 91 unsigned int i, j; 92 krb5_octet *key = keyblock->contents; 93 /* Solaris Kerberos */ 94 krb5_keyblock usekey; 95 96 if (data->length <= 8) { 97 /* One block only. Run afs_crypt and use the first eight 98 returned bytes after the copy of the (fixed) salt. 99 100 Since the returned bytes are alphanumeric, the output is 101 limited to 2**48 possibilities; for each byte, only 64 102 possible values can be used. */ 103 unsigned char password[9]; /* trailing nul for crypt() */ 104 char afs_crypt_buf[16]; 105 106 memset (password, 0, sizeof (password)); 107 memcpy (password, realm, min (salt->length, 8)); 108 for (i=0; i<8; i++) 109 if (isupper(password[i])) 110 password[i] = tolower(password[i]); 111 for (i=0; i<data->length; i++) 112 password[i] ^= data->data[i]; 113 for (i=0; i<8; i++) 114 if (password[i] == '\0') 115 password[i] = 'X'; 116 password[8] = '\0'; 117 /* Out-of-bounds salt characters are equivalent to a salt string 118 of "p1". */ 119 strncpy((char *) key, 120 (char *) afs_crypt((char *) password, "#~", afs_crypt_buf) + 2, 121 8); 122 for (i=0; i<8; i++) 123 key[i] <<= 1; 124 /* now fix up key parity again */ 125 mit_des_fixup_key_parity(key); 126 /* clean & free the input string */ 127 memset(password, 0, (size_t) sizeof(password)); 128 129 /* Solaris Kerberos: Success */ 130 retval = 0; 131 } else { 132 /* Multiple blocks. Do a CBC checksum, twice, and use the 133 result as the new key. */ 134 mit_des_cblock ikey, tkey; 135 unsigned int pw_len = salt->length+data->length; 136 unsigned char *password = malloc(pw_len+1); 137 if (!password) return ENOMEM; 138 139 /* Some bound checks from the original code are elided here as 140 the malloc above makes sure we have enough storage. */ 141 memcpy (password, data->data, data->length); 142 for (i=data->length, j = 0; j < salt->length; i++, j++) { 143 password[i] = realm[j]; 144 if (isupper(password[i])) 145 password[i] = tolower(password[i]); 146 } 147 148 memcpy (ikey, "kerberos", sizeof(ikey)); 149 memcpy (tkey, ikey, sizeof(tkey)); 150 mit_des_fixup_key_parity (tkey); 151 152 /* Solaris Kerberos */ 153 usekey.enctype = ENCTYPE_DES_CBC_CRC; 154 usekey.contents = tkey; 155 usekey.length = 8; 156 retval = mit_des_cbc_cksum (context, (unsigned char *)password, 157 tkey, i, &usekey, ikey); 158 159 memcpy (ikey, tkey, sizeof(ikey)); 160 mit_des_fixup_key_parity (tkey); 161 /* Solaris Kerberos */ 162 if (usekey.hKey != CK_INVALID_HANDLE) { 163 (void) C_DestroyObject(krb_ctx_hSession(context), usekey.hKey); 164 usekey.hKey = CK_INVALID_HANDLE; 165 } 166 usekey.contents = tkey; 167 usekey.length = 8; 168 retval = mit_des_cbc_cksum (context, (unsigned char *) password, 169 key, i, &usekey, ikey); 170 171 /* now fix up key parity again */ 172 mit_des_fixup_key_parity(key); 173 174 /* Solaris Kerberos */ 175 if (usekey.hKey != CK_INVALID_HANDLE) { 176 (void) C_DestroyObject(krb_ctx_hSession(context), usekey.hKey); 177 usekey.hKey = CK_INVALID_HANDLE; 178 } 179 /* clean & free the input string */ 180 memset(password, 0, (size_t) pw_len); 181 krb5_xfree(password); 182 } 183 #if 0 184 /* must free here because it was copied for this special case */ 185 krb5_xfree(salt->data); 186 #endif 187 188 /* EXPORT DELETE END */ 189 return retval; 190 } 191 192 193 /* Portions of this code: 194 Copyright 1989 by the Massachusetts Institute of Technology 195 */ 196 197 /* 198 * Copyright (c) 1990 Regents of The University of Michigan. 199 * All Rights Reserved. 200 * 201 * Permission to use, copy, modify, and distribute this software 202 * and its documentation for any purpose and without fee is hereby 203 * granted, provided that the above copyright notice appears in all 204 * copies and that both that copyright notice and this permission 205 * notice appear in supporting documentation, and that the name of 206 * The University of Michigan not be used in advertising or 207 * publicity pertaining to distribution of the software without 208 * specific, written prior permission. This software is supplied as 209 * is without expressed or implied warranties of any kind. 210 * 211 * ITD Research Systems 212 * University of Michigan 213 * 535 W. William Street 214 * Ann Arbor, Michigan 215 * +1-313-936-2652 216 * netatalk@terminator.cc.umich.edu 217 */ 218 219 /* EXPORT DELETE START */ 220 221 static void krb5_afs_crypt_setkey (char*, char*, char(*)[48]); 222 static void krb5_afs_encrypt (char*,char*,char (*)[48]); 223 224 /* 225 * Initial permutation, 226 */ 227 static const char IP[] = { 228 58,50,42,34,26,18,10, 2, 229 60,52,44,36,28,20,12, 4, 230 62,54,46,38,30,22,14, 6, 231 64,56,48,40,32,24,16, 8, 232 57,49,41,33,25,17, 9, 1, 233 59,51,43,35,27,19,11, 3, 234 61,53,45,37,29,21,13, 5, 235 63,55,47,39,31,23,15, 7, 236 }; 237 238 /* 239 * Final permutation, FP = IP^(-1) 240 */ 241 static const char FP[] = { 242 40, 8,48,16,56,24,64,32, 243 39, 7,47,15,55,23,63,31, 244 38, 6,46,14,54,22,62,30, 245 37, 5,45,13,53,21,61,29, 246 36, 4,44,12,52,20,60,28, 247 35, 3,43,11,51,19,59,27, 248 34, 2,42,10,50,18,58,26, 249 33, 1,41, 9,49,17,57,25, 250 }; 251 252 /* 253 * Permuted-choice 1 from the key bits to yield C and D. 254 * Note that bits 8,16... are left out: They are intended for a parity check. 255 */ 256 static const char PC1_C[] = { 257 57,49,41,33,25,17, 9, 258 1,58,50,42,34,26,18, 259 10, 2,59,51,43,35,27, 260 19,11, 3,60,52,44,36, 261 }; 262 263 static const char PC1_D[] = { 264 63,55,47,39,31,23,15, 265 7,62,54,46,38,30,22, 266 14, 6,61,53,45,37,29, 267 21,13, 5,28,20,12, 4, 268 }; 269 270 /* 271 * Sequence of shifts used for the key schedule. 272 */ 273 static const char shifts[] = { 274 1,1,2,2,2,2,2,2,1,2,2,2,2,2,2,1, 275 }; 276 277 /* 278 * Permuted-choice 2, to pick out the bits from 279 * the CD array that generate the key schedule. 280 */ 281 static const char PC2_C[] = { 282 14,17,11,24, 1, 5, 283 3,28,15, 6,21,10, 284 23,19,12, 4,26, 8, 285 16, 7,27,20,13, 2, 286 }; 287 288 static const char PC2_D[] = { 289 41,52,31,37,47,55, 290 30,40,51,45,33,48, 291 44,49,39,56,34,53, 292 46,42,50,36,29,32, 293 }; 294 295 /* 296 * The E bit-selection table. 297 */ 298 static const char e[] = { 299 32, 1, 2, 3, 4, 5, 300 4, 5, 6, 7, 8, 9, 301 8, 9,10,11,12,13, 302 12,13,14,15,16,17, 303 16,17,18,19,20,21, 304 20,21,22,23,24,25, 305 24,25,26,27,28,29, 306 28,29,30,31,32, 1, 307 }; 308 309 /* 310 * P is a permutation on the selected combination 311 * of the current L and key. 312 */ 313 static const char P[] = { 314 16, 7,20,21, 315 29,12,28,17, 316 1,15,23,26, 317 5,18,31,10, 318 2, 8,24,14, 319 32,27, 3, 9, 320 19,13,30, 6, 321 22,11, 4,25, 322 }; 323 324 /* 325 * The 8 selection functions. 326 * For some reason, they give a 0-origin 327 * index, unlike everything else. 328 */ 329 static const char S[8][64] = { 330 {14, 4,13, 1, 2,15,11, 8, 3,10, 6,12, 5, 9, 0, 7, 331 0,15, 7, 4,14, 2,13, 1,10, 6,12,11, 9, 5, 3, 8, 332 4, 1,14, 8,13, 6, 2,11,15,12, 9, 7, 3,10, 5, 0, 333 15,12, 8, 2, 4, 9, 1, 7, 5,11, 3,14,10, 0, 6,13}, 334 335 {15, 1, 8,14, 6,11, 3, 4, 9, 7, 2,13,12, 0, 5,10, 336 3,13, 4, 7,15, 2, 8,14,12, 0, 1,10, 6, 9,11, 5, 337 0,14, 7,11,10, 4,13, 1, 5, 8,12, 6, 9, 3, 2,15, 338 13, 8,10, 1, 3,15, 4, 2,11, 6, 7,12, 0, 5,14, 9}, 339 340 {10, 0, 9,14, 6, 3,15, 5, 1,13,12, 7,11, 4, 2, 8, 341 13, 7, 0, 9, 3, 4, 6,10, 2, 8, 5,14,12,11,15, 1, 342 13, 6, 4, 9, 8,15, 3, 0,11, 1, 2,12, 5,10,14, 7, 343 1,10,13, 0, 6, 9, 8, 7, 4,15,14, 3,11, 5, 2,12}, 344 345 { 7,13,14, 3, 0, 6, 9,10, 1, 2, 8, 5,11,12, 4,15, 346 13, 8,11, 5, 6,15, 0, 3, 4, 7, 2,12, 1,10,14, 9, 347 10, 6, 9, 0,12,11, 7,13,15, 1, 3,14, 5, 2, 8, 4, 348 3,15, 0, 6,10, 1,13, 8, 9, 4, 5,11,12, 7, 2,14}, 349 350 { 2,12, 4, 1, 7,10,11, 6, 8, 5, 3,15,13, 0,14, 9, 351 14,11, 2,12, 4, 7,13, 1, 5, 0,15,10, 3, 9, 8, 6, 352 4, 2, 1,11,10,13, 7, 8,15, 9,12, 5, 6, 3, 0,14, 353 11, 8,12, 7, 1,14, 2,13, 6,15, 0, 9,10, 4, 5, 3}, 354 355 {12, 1,10,15, 9, 2, 6, 8, 0,13, 3, 4,14, 7, 5,11, 356 10,15, 4, 2, 7,12, 9, 5, 6, 1,13,14, 0,11, 3, 8, 357 9,14,15, 5, 2, 8,12, 3, 7, 0, 4,10, 1,13,11, 6, 358 4, 3, 2,12, 9, 5,15,10,11,14, 1, 7, 6, 0, 8,13}, 359 360 { 4,11, 2,14,15, 0, 8,13, 3,12, 9, 7, 5,10, 6, 1, 361 13, 0,11, 7, 4, 9, 1,10,14, 3, 5,12, 2,15, 8, 6, 362 1, 4,11,13,12, 3, 7,14,10,15, 6, 8, 0, 5, 9, 2, 363 6,11,13, 8, 1, 4,10, 7, 9, 5, 0,15,14, 2, 3,12}, 364 365 {13, 2, 8, 4, 6,15,11, 1,10, 9, 3,14, 5, 0,12, 7, 366 1,15,13, 8,10, 3, 7, 4,12, 5, 6,11, 0,14, 9, 2, 367 7,11, 4, 1, 9,12,14, 2, 0, 6,10,13,15, 3, 5, 8, 368 2, 1,14, 7, 4,10, 8,13,15,12, 9, 0, 3, 5, 6,11}, 369 }; 370 371 372 char *afs_crypt(const char *pw, const char *salt, 373 /* must be at least 16 bytes */ 374 char *iobuf) 375 { 376 int i, j, c; 377 int temp; 378 char block[66]; 379 char E[48]; 380 /* 381 * The key schedule. 382 * Generated from the key. 383 */ 384 char KS[16][48]; 385 386 for(i=0; i<66; i++) 387 block[i] = 0; 388 /* Solaris Kerberos */ 389 for(i=0; ((c= *pw) != NULL) && i<64; pw++){ 390 for(j=0; j<7; j++, i++) 391 block[i] = (c>>(6-j)) & 01; 392 i++; 393 } 394 395 krb5_afs_crypt_setkey(block, E, KS); 396 397 for(i=0; i<66; i++) 398 block[i] = 0; 399 400 for(i=0;i<2;i++){ 401 c = *salt++; 402 iobuf[i] = c; 403 if(c>'Z') c -= 6; 404 if(c>'9') c -= 7; 405 c -= '.'; 406 for(j=0;j<6;j++){ 407 if((c>>j) & 01){ 408 temp = E[6*i+j]; 409 E[6*i+j] = E[6*i+j+24]; 410 E[6*i+j+24] = temp; 411 } 412 } 413 } 414 415 for(i=0; i<25; i++) 416 krb5_afs_encrypt(block,E,KS); 417 418 for(i=0; i<11; i++){ 419 c = 0; 420 for(j=0; j<6; j++){ 421 c <<= 1; 422 c |= block[6*i+j]; 423 } 424 c += '.'; 425 if(c>'9') c += 7; 426 if(c>'Z') c += 6; 427 iobuf[i+2] = c; 428 } 429 iobuf[i+2] = 0; 430 if(iobuf[1]==0) 431 iobuf[1] = iobuf[0]; 432 return(iobuf); 433 } 434 435 /* 436 * Set up the key schedule from the key. 437 */ 438 439 static void krb5_afs_crypt_setkey(char *key, char *E, char (*KS)[48]) 440 { 441 register int i, j, k; 442 int t; 443 /* 444 * The C and D arrays used to calculate the key schedule. 445 */ 446 char C[28], D[28]; 447 448 /* 449 * First, generate C and D by permuting 450 * the key. The low order bit of each 451 * 8-bit char is not used, so C and D are only 28 452 * bits apiece. 453 */ 454 for (i=0; i<28; i++) { 455 C[i] = key[PC1_C[i]-1]; 456 D[i] = key[PC1_D[i]-1]; 457 } 458 /* 459 * To generate Ki, rotate C and D according 460 * to schedule and pick up a permutation 461 * using PC2. 462 */ 463 for (i=0; i<16; i++) { 464 /* 465 * rotate. 466 */ 467 for (k=0; k<shifts[i]; k++) { 468 t = C[0]; 469 for (j=0; j<28-1; j++) 470 C[j] = C[j+1]; 471 C[27] = t; 472 t = D[0]; 473 for (j=0; j<28-1; j++) 474 D[j] = D[j+1]; 475 D[27] = t; 476 } 477 /* 478 * get Ki. Note C and D are concatenated. 479 */ 480 for (j=0; j<24; j++) { 481 KS[i][j] = C[PC2_C[j]-1]; 482 KS[i][j+24] = D[PC2_D[j]-28-1]; 483 } 484 } 485 486 #if 0 487 for(i=0;i<48;i++) { 488 E[i] = e[i]; 489 } 490 #else 491 memcpy(E, e, 48); 492 #endif 493 } 494 495 /* 496 * The payoff: encrypt a block. 497 */ 498 499 static void krb5_afs_encrypt(char *block, char *E, char (*KS)[48]) 500 { 501 const long edflag = 0; 502 int i, ii; 503 int t, j, k; 504 char tempL[32]; 505 char f[32]; 506 /* 507 * The current block, divided into 2 halves. 508 */ 509 char L[64]; 510 char *const R = &L[32]; 511 /* 512 * The combination of the key and the input, before selection. 513 */ 514 char preS[48]; 515 516 /* 517 * First, permute the bits in the input 518 */ 519 for (j=0; j<64; j++) 520 L[j] = block[IP[j]-1]; 521 /* 522 * Perform an encryption operation 16 times. 523 */ 524 for (ii=0; ii<16; ii++) { 525 /* 526 * Set direction 527 */ 528 if (edflag) 529 i = 15-ii; 530 else 531 i = ii; 532 /* 533 * Save the R array, 534 * which will be the new L. 535 */ 536 #if 0 537 for (j=0; j<32; j++) 538 tempL[j] = R[j]; 539 #else 540 memcpy(tempL, R, 32); 541 #endif 542 /* 543 * Expand R to 48 bits using the E selector; 544 * exclusive-or with the current key bits. 545 */ 546 for (j=0; j<48; j++) 547 preS[j] = R[E[j]-1] ^ KS[i][j]; 548 /* 549 * The pre-select bits are now considered 550 * in 8 groups of 6 bits each. 551 * The 8 selection functions map these 552 * 6-bit quantities into 4-bit quantities 553 * and the results permuted 554 * to make an f(R, K). 555 * The indexing into the selection functions 556 * is peculiar; it could be simplified by 557 * rewriting the tables. 558 */ 559 for (j=0; j<8; j++) { 560 t = 6*j; 561 k = S[j][(preS[t+0]<<5)+ 562 (preS[t+1]<<3)+ 563 (preS[t+2]<<2)+ 564 (preS[t+3]<<1)+ 565 (preS[t+4]<<0)+ 566 (preS[t+5]<<4)]; 567 t = 4*j; 568 f[t+0] = (k>>3)&01; 569 f[t+1] = (k>>2)&01; 570 f[t+2] = (k>>1)&01; 571 f[t+3] = (k>>0)&01; 572 } 573 /* 574 * The new R is L ^ f(R, K). 575 * The f here has to be permuted first, though. 576 */ 577 for (j=0; j<32; j++) 578 R[j] = L[j] ^ f[P[j]-1]; 579 /* 580 * Finally, the new L (the original R) 581 * is copied back. 582 */ 583 #if 0 584 for (j=0; j<32; j++) 585 L[j] = tempL[j]; 586 #else 587 memcpy(L, tempL, 32); 588 #endif 589 } 590 /* 591 * The output L and R are reversed. 592 */ 593 for (j=0; j<32; j++) { 594 t = L[j]; 595 L[j] = R[j]; 596 R[j] = t; 597 } 598 /* 599 * The final output 600 * gets the inverse permutation of the very original. 601 */ 602 for (j=0; j<64; j++) 603 block[j] = L[FP[j]-1]; 604 } 605 /* EXPORT DELETE END */ 606