1 /* 2 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 3 * Use is subject to license terms. 4 */ 5 6 #pragma ident "%Z%%M% %I% %E% SMI" 7 8 /* 9 * lib/crypto/des/string2key.c 10 * 11 * based on lib/crypto/des/string2key.c from MIT V5 12 * and on lib/des/afs_string_to_key.c from UMD. 13 * constructed by Mark Eichin, Cygnus Support, 1995. 14 * made thread-safe by Ken Raeburn, MIT, 2001. 15 */ 16 17 /* 18 * Copyright 2001 by the Massachusetts Institute of Technology. 19 * All Rights Reserved. 20 * 21 * Export of this software from the United States of America may 22 * require a specific license from the United States Government. 23 * It is the responsibility of any person or organization contemplating 24 * export to obtain such a license before exporting. 25 * 26 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and 27 * distribute this software and its documentation for any purpose and 28 * without fee is hereby granted, provided that the above copyright 29 * notice appear in all copies and that both that copyright notice and 30 * this permission notice appear in supporting documentation, and that 31 * the name of M.I.T. not be used in advertising or publicity pertaining 32 * to distribution of the software without specific, written prior 33 * permission. Furthermore if you modify this software you must label 34 * your software as modified software and not distribute it in such a 35 * fashion that it might be confused with the original M.I.T. software. 36 * M.I.T. makes no representations about the suitability of 37 * this software for any purpose. It is provided "as is" without express 38 * or implied warranty. 39 */ 40 41 /* 42 * Copyright (C) 1998 by the FundsXpress, INC. 43 * 44 * All rights reserved. 45 * 46 * Export of this software from the United States of America may require 47 * a specific license from the United States Government. It is the 48 * responsibility of any person or organization contemplating export to 49 * obtain such a license before exporting. 50 * 51 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and 52 * distribute this software and its documentation for any purpose and 53 * without fee is hereby granted, provided that the above copyright 54 * notice appear in all copies and that both that copyright notice and 55 * this permission notice appear in supporting documentation, and that 56 * the name of FundsXpress. not be used in advertising or publicity pertaining 57 * to distribution of the software without specific, written prior 58 * permission. FundsXpress makes no representations about the suitability of 59 * this software for any purpose. It is provided "as is" without express 60 * or implied warranty. 61 * 62 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR 63 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED 64 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. 65 */ 66 67 #include "k5-int.h" 68 #include "des_int.h" 69 #include <ctype.h> 70 71 #define afs_crypt mit_afs_crypt 72 char *afs_crypt (const char *, const char *, char *); 73 74 #undef min 75 #define min(a,b) ((a)>(b)?(b):(a)) 76 77 /*ARGSUSED*/ 78 krb5_error_code 79 mit_afs_string_to_key (krb5_context context, 80 krb5_keyblock *keyblock, const krb5_data *data, 81 const krb5_data *salt) 82 { 83 krb5_error_code retval = KRB5_PROG_ETYPE_NOSUPP; 84 /* EXPORT DELETE START */ 85 /* totally different approach from MIT string2key. */ 86 /* much of the work has already been done by the only caller 87 which is mit_des_string_to_key; in particular, *keyblock is already 88 set up. */ 89 90 char *realm = salt->data; 91 unsigned int i, j; 92 krb5_octet *key = keyblock->contents; 93 krb5_keyblock usekey; 94 95 if (data->length <= 8) { 96 /* One block only. Run afs_crypt and use the first eight 97 returned bytes after the copy of the (fixed) salt. 98 99 Since the returned bytes are alphanumeric, the output is 100 limited to 2**48 possibilities; for each byte, only 64 101 possible values can be used. */ 102 unsigned char password[9]; /* trailing nul for crypt() */ 103 char afs_crypt_buf[16]; 104 105 memset (password, 0, sizeof (password)); 106 memcpy (password, realm, min (salt->length, 8)); 107 for (i=0; i<8; i++) 108 if (isupper(password[i])) 109 password[i] = tolower(password[i]); 110 for (i=0; i<data->length; i++) 111 password[i] ^= data->data[i]; 112 for (i=0; i<8; i++) 113 if (password[i] == '\0') 114 password[i] = 'X'; 115 password[8] = '\0'; 116 /* Out-of-bounds salt characters are equivalent to a salt string 117 of "p1". */ 118 strncpy((char *) key, 119 (char *) afs_crypt((char *) password, "#~", afs_crypt_buf) + 2, 120 8); 121 for (i=0; i<8; i++) 122 key[i] <<= 1; 123 /* now fix up key parity again */ 124 mit_des_fixup_key_parity(key); 125 /* clean & free the input string */ 126 memset(password, 0, (size_t) sizeof(password)); 127 128 /* Solaris Kerberos: Success */ 129 retval = 0; 130 } else { 131 /* Multiple blocks. Do a CBC checksum, twice, and use the 132 result as the new key. */ 133 mit_des_cblock ikey, tkey; 134 unsigned int pw_len = salt->length+data->length; 135 unsigned char *password = malloc(pw_len+1); 136 137 if (!password) return ENOMEM; 138 139 /* Some bound checks from the original code are elided here as 140 the malloc above makes sure we have enough storage. */ 141 memcpy (password, data->data, data->length); 142 for (i=data->length, j = 0; j < salt->length; i++, j++) { 143 password[i] = realm[j]; 144 if (isupper(password[i])) 145 password[i] = tolower(password[i]); 146 } 147 148 memcpy (ikey, "kerberos", sizeof(ikey)); 149 memcpy (tkey, ikey, sizeof(tkey)); 150 mit_des_fixup_key_parity (tkey); 151 152 usekey.enctype = ENCTYPE_DES_CBC_CRC; 153 usekey.contents = tkey; 154 usekey.length = 8; 155 retval = mit_des_cbc_cksum (context, (unsigned char *)password, 156 tkey, i, &usekey, ikey); 157 158 memcpy (ikey, tkey, sizeof(ikey)); 159 mit_des_fixup_key_parity (tkey); 160 161 if (usekey.hKey != CK_INVALID_HANDLE) { 162 (void) C_DestroyObject(krb_ctx_hSession(context), usekey.hKey); 163 usekey.hKey = CK_INVALID_HANDLE; 164 } 165 usekey.contents = tkey; 166 usekey.length = 8; 167 retval = mit_des_cbc_cksum (context, (unsigned char *) password, 168 key, i, &usekey, ikey); 169 170 /* now fix up key parity again */ 171 mit_des_fixup_key_parity(key); 172 173 if (usekey.hKey != CK_INVALID_HANDLE) { 174 (void) C_DestroyObject(krb_ctx_hSession(context), usekey.hKey); 175 usekey.hKey = CK_INVALID_HANDLE; 176 } 177 /* clean & free the input string */ 178 memset(password, 0, (size_t) pw_len); 179 krb5_xfree(password); 180 } 181 #if 0 182 /* must free here because it was copied for this special case */ 183 krb5_xfree(salt->data); 184 #endif 185 186 /* EXPORT DELETE END */ 187 return retval; 188 } 189 190 191 /* Portions of this code: 192 Copyright 1989 by the Massachusetts Institute of Technology 193 */ 194 195 /* 196 * Copyright (c) 1990 Regents of The University of Michigan. 197 * All Rights Reserved. 198 * 199 * Permission to use, copy, modify, and distribute this software 200 * and its documentation for any purpose and without fee is hereby 201 * granted, provided that the above copyright notice appears in all 202 * copies and that both that copyright notice and this permission 203 * notice appear in supporting documentation, and that the name of 204 * The University of Michigan not be used in advertising or 205 * publicity pertaining to distribution of the software without 206 * specific, written prior permission. This software is supplied as 207 * is without expressed or implied warranties of any kind. 208 * 209 * ITD Research Systems 210 * University of Michigan 211 * 535 W. William Street 212 * Ann Arbor, Michigan 213 * +1-313-936-2652 214 * netatalk@terminator.cc.umich.edu 215 */ 216 217 /* EXPORT DELETE START */ 218 219 static void krb5_afs_crypt_setkey (char*, char*, char(*)[48]); 220 static void krb5_afs_encrypt (char*,char*,char (*)[48]); 221 222 /* 223 * Initial permutation, 224 */ 225 static const char IP[] = { 226 58,50,42,34,26,18,10, 2, 227 60,52,44,36,28,20,12, 4, 228 62,54,46,38,30,22,14, 6, 229 64,56,48,40,32,24,16, 8, 230 57,49,41,33,25,17, 9, 1, 231 59,51,43,35,27,19,11, 3, 232 61,53,45,37,29,21,13, 5, 233 63,55,47,39,31,23,15, 7, 234 }; 235 236 /* 237 * Final permutation, FP = IP^(-1) 238 */ 239 static const char FP[] = { 240 40, 8,48,16,56,24,64,32, 241 39, 7,47,15,55,23,63,31, 242 38, 6,46,14,54,22,62,30, 243 37, 5,45,13,53,21,61,29, 244 36, 4,44,12,52,20,60,28, 245 35, 3,43,11,51,19,59,27, 246 34, 2,42,10,50,18,58,26, 247 33, 1,41, 9,49,17,57,25, 248 }; 249 250 /* 251 * Permuted-choice 1 from the key bits to yield C and D. 252 * Note that bits 8,16... are left out: They are intended for a parity check. 253 */ 254 static const char PC1_C[] = { 255 57,49,41,33,25,17, 9, 256 1,58,50,42,34,26,18, 257 10, 2,59,51,43,35,27, 258 19,11, 3,60,52,44,36, 259 }; 260 261 static const char PC1_D[] = { 262 63,55,47,39,31,23,15, 263 7,62,54,46,38,30,22, 264 14, 6,61,53,45,37,29, 265 21,13, 5,28,20,12, 4, 266 }; 267 268 /* 269 * Sequence of shifts used for the key schedule. 270 */ 271 static const char shifts[] = { 272 1,1,2,2,2,2,2,2,1,2,2,2,2,2,2,1, 273 }; 274 275 /* 276 * Permuted-choice 2, to pick out the bits from 277 * the CD array that generate the key schedule. 278 */ 279 static const char PC2_C[] = { 280 14,17,11,24, 1, 5, 281 3,28,15, 6,21,10, 282 23,19,12, 4,26, 8, 283 16, 7,27,20,13, 2, 284 }; 285 286 static const char PC2_D[] = { 287 41,52,31,37,47,55, 288 30,40,51,45,33,48, 289 44,49,39,56,34,53, 290 46,42,50,36,29,32, 291 }; 292 293 /* 294 * The E bit-selection table. 295 */ 296 static const char e[] = { 297 32, 1, 2, 3, 4, 5, 298 4, 5, 6, 7, 8, 9, 299 8, 9,10,11,12,13, 300 12,13,14,15,16,17, 301 16,17,18,19,20,21, 302 20,21,22,23,24,25, 303 24,25,26,27,28,29, 304 28,29,30,31,32, 1, 305 }; 306 307 /* 308 * P is a permutation on the selected combination 309 * of the current L and key. 310 */ 311 static const char P[] = { 312 16, 7,20,21, 313 29,12,28,17, 314 1,15,23,26, 315 5,18,31,10, 316 2, 8,24,14, 317 32,27, 3, 9, 318 19,13,30, 6, 319 22,11, 4,25, 320 }; 321 322 /* 323 * The 8 selection functions. 324 * For some reason, they give a 0-origin 325 * index, unlike everything else. 326 */ 327 static const char S[8][64] = { 328 {14, 4,13, 1, 2,15,11, 8, 3,10, 6,12, 5, 9, 0, 7, 329 0,15, 7, 4,14, 2,13, 1,10, 6,12,11, 9, 5, 3, 8, 330 4, 1,14, 8,13, 6, 2,11,15,12, 9, 7, 3,10, 5, 0, 331 15,12, 8, 2, 4, 9, 1, 7, 5,11, 3,14,10, 0, 6,13}, 332 333 {15, 1, 8,14, 6,11, 3, 4, 9, 7, 2,13,12, 0, 5,10, 334 3,13, 4, 7,15, 2, 8,14,12, 0, 1,10, 6, 9,11, 5, 335 0,14, 7,11,10, 4,13, 1, 5, 8,12, 6, 9, 3, 2,15, 336 13, 8,10, 1, 3,15, 4, 2,11, 6, 7,12, 0, 5,14, 9}, 337 338 {10, 0, 9,14, 6, 3,15, 5, 1,13,12, 7,11, 4, 2, 8, 339 13, 7, 0, 9, 3, 4, 6,10, 2, 8, 5,14,12,11,15, 1, 340 13, 6, 4, 9, 8,15, 3, 0,11, 1, 2,12, 5,10,14, 7, 341 1,10,13, 0, 6, 9, 8, 7, 4,15,14, 3,11, 5, 2,12}, 342 343 { 7,13,14, 3, 0, 6, 9,10, 1, 2, 8, 5,11,12, 4,15, 344 13, 8,11, 5, 6,15, 0, 3, 4, 7, 2,12, 1,10,14, 9, 345 10, 6, 9, 0,12,11, 7,13,15, 1, 3,14, 5, 2, 8, 4, 346 3,15, 0, 6,10, 1,13, 8, 9, 4, 5,11,12, 7, 2,14}, 347 348 { 2,12, 4, 1, 7,10,11, 6, 8, 5, 3,15,13, 0,14, 9, 349 14,11, 2,12, 4, 7,13, 1, 5, 0,15,10, 3, 9, 8, 6, 350 4, 2, 1,11,10,13, 7, 8,15, 9,12, 5, 6, 3, 0,14, 351 11, 8,12, 7, 1,14, 2,13, 6,15, 0, 9,10, 4, 5, 3}, 352 353 {12, 1,10,15, 9, 2, 6, 8, 0,13, 3, 4,14, 7, 5,11, 354 10,15, 4, 2, 7,12, 9, 5, 6, 1,13,14, 0,11, 3, 8, 355 9,14,15, 5, 2, 8,12, 3, 7, 0, 4,10, 1,13,11, 6, 356 4, 3, 2,12, 9, 5,15,10,11,14, 1, 7, 6, 0, 8,13}, 357 358 { 4,11, 2,14,15, 0, 8,13, 3,12, 9, 7, 5,10, 6, 1, 359 13, 0,11, 7, 4, 9, 1,10,14, 3, 5,12, 2,15, 8, 6, 360 1, 4,11,13,12, 3, 7,14,10,15, 6, 8, 0, 5, 9, 2, 361 6,11,13, 8, 1, 4,10, 7, 9, 5, 0,15,14, 2, 3,12}, 362 363 {13, 2, 8, 4, 6,15,11, 1,10, 9, 3,14, 5, 0,12, 7, 364 1,15,13, 8,10, 3, 7, 4,12, 5, 6,11, 0,14, 9, 2, 365 7,11, 4, 1, 9,12,14, 2, 0, 6,10,13,15, 3, 5, 8, 366 2, 1,14, 7, 4,10, 8,13,15,12, 9, 0, 3, 5, 6,11}, 367 }; 368 369 370 char *afs_crypt(const char *pw, const char *salt, 371 /* must be at least 16 bytes */ 372 char *iobuf) 373 { 374 int i, j, c; 375 int temp; 376 char block[66]; 377 char E[48]; 378 /* 379 * The key schedule. 380 * Generated from the key. 381 */ 382 char KS[16][48]; 383 384 for(i=0; i<66; i++) 385 block[i] = 0; 386 for(i=0; ((c= *pw) != NULL) && i<64; pw++){ 387 for(j=0; j<7; j++, i++) 388 block[i] = (c>>(6-j)) & 01; 389 i++; 390 } 391 392 krb5_afs_crypt_setkey(block, E, KS); 393 394 for(i=0; i<66; i++) 395 block[i] = 0; 396 397 for(i=0;i<2;i++){ 398 c = *salt++; 399 iobuf[i] = c; 400 if(c>'Z') c -= 6; 401 if(c>'9') c -= 7; 402 c -= '.'; 403 for(j=0;j<6;j++){ 404 if((c>>j) & 01){ 405 temp = E[6*i+j]; 406 E[6*i+j] = E[6*i+j+24]; 407 E[6*i+j+24] = temp; 408 } 409 } 410 } 411 412 for(i=0; i<25; i++) 413 krb5_afs_encrypt(block,E,KS); 414 415 for(i=0; i<11; i++){ 416 c = 0; 417 for(j=0; j<6; j++){ 418 c <<= 1; 419 c |= block[6*i+j]; 420 } 421 c += '.'; 422 if(c>'9') c += 7; 423 if(c>'Z') c += 6; 424 iobuf[i+2] = c; 425 } 426 iobuf[i+2] = 0; 427 if(iobuf[1]==0) 428 iobuf[1] = iobuf[0]; 429 return(iobuf); 430 } 431 432 /* 433 * Set up the key schedule from the key. 434 */ 435 436 static void krb5_afs_crypt_setkey(char *key, char *E, char (*KS)[48]) 437 { 438 int i, j, k; 439 int t; 440 /* 441 * The C and D arrays used to calculate the key schedule. 442 */ 443 char C[28], D[28]; 444 445 /* 446 * First, generate C and D by permuting 447 * the key. The low order bit of each 448 * 8-bit char is not used, so C and D are only 28 449 * bits apiece. 450 */ 451 for (i=0; i<28; i++) { 452 C[i] = key[PC1_C[i]-1]; 453 D[i] = key[PC1_D[i]-1]; 454 } 455 /* 456 * To generate Ki, rotate C and D according 457 * to schedule and pick up a permutation 458 * using PC2. 459 */ 460 for (i=0; i<16; i++) { 461 /* 462 * rotate. 463 */ 464 for (k=0; k<shifts[i]; k++) { 465 t = C[0]; 466 for (j=0; j<28-1; j++) 467 C[j] = C[j+1]; 468 C[27] = t; 469 t = D[0]; 470 for (j=0; j<28-1; j++) 471 D[j] = D[j+1]; 472 D[27] = t; 473 } 474 /* 475 * get Ki. Note C and D are concatenated. 476 */ 477 for (j=0; j<24; j++) { 478 KS[i][j] = C[PC2_C[j]-1]; 479 KS[i][j+24] = D[PC2_D[j]-28-1]; 480 } 481 } 482 483 #if 0 484 for(i=0;i<48;i++) { 485 E[i] = e[i]; 486 } 487 #else 488 memcpy(E, e, 48); 489 #endif 490 } 491 492 /* 493 * The payoff: encrypt a block. 494 */ 495 496 static void krb5_afs_encrypt(char *block, char *E, char (*KS)[48]) 497 { 498 const long edflag = 0; 499 int i, ii; 500 int t, j, k; 501 char tempL[32]; 502 char f[32]; 503 /* 504 * The current block, divided into 2 halves. 505 */ 506 char L[64]; 507 char *const R = &L[32]; 508 /* 509 * The combination of the key and the input, before selection. 510 */ 511 char preS[48]; 512 513 /* 514 * First, permute the bits in the input 515 */ 516 for (j=0; j<64; j++) 517 L[j] = block[IP[j]-1]; 518 /* 519 * Perform an encryption operation 16 times. 520 */ 521 for (ii=0; ii<16; ii++) { 522 /* 523 * Set direction 524 */ 525 if (edflag) 526 i = 15-ii; 527 else 528 i = ii; 529 /* 530 * Save the R array, 531 * which will be the new L. 532 */ 533 #if 0 534 for (j=0; j<32; j++) 535 tempL[j] = R[j]; 536 #else 537 memcpy(tempL, R, 32); 538 #endif 539 /* 540 * Expand R to 48 bits using the E selector; 541 * exclusive-or with the current key bits. 542 */ 543 for (j=0; j<48; j++) 544 preS[j] = R[E[j]-1] ^ KS[i][j]; 545 /* 546 * The pre-select bits are now considered 547 * in 8 groups of 6 bits each. 548 * The 8 selection functions map these 549 * 6-bit quantities into 4-bit quantities 550 * and the results permuted 551 * to make an f(R, K). 552 * The indexing into the selection functions 553 * is peculiar; it could be simplified by 554 * rewriting the tables. 555 */ 556 for (j=0; j<8; j++) { 557 t = 6*j; 558 k = S[j][(preS[t+0]<<5)+ 559 (preS[t+1]<<3)+ 560 (preS[t+2]<<2)+ 561 (preS[t+3]<<1)+ 562 (preS[t+4]<<0)+ 563 (preS[t+5]<<4)]; 564 t = 4*j; 565 f[t+0] = (k>>3)&01; 566 f[t+1] = (k>>2)&01; 567 f[t+2] = (k>>1)&01; 568 f[t+3] = (k>>0)&01; 569 } 570 /* 571 * The new R is L ^ f(R, K). 572 * The f here has to be permuted first, though. 573 */ 574 for (j=0; j<32; j++) 575 R[j] = L[j] ^ f[P[j]-1]; 576 /* 577 * Finally, the new L (the original R) 578 * is copied back. 579 */ 580 #if 0 581 for (j=0; j<32; j++) 582 L[j] = tempL[j]; 583 #else 584 memcpy(L, tempL, 32); 585 #endif 586 } 587 /* 588 * The output L and R are reversed. 589 */ 590 for (j=0; j<32; j++) { 591 t = L[j]; 592 L[j] = R[j]; 593 R[j] = t; 594 } 595 /* 596 * The final output 597 * gets the inverse permutation of the very original. 598 */ 599 for (j=0; j<64; j++) 600 block[j] = L[FP[j]-1]; 601 } 602 /* EXPORT DELETE END */ 603