xref: /illumos-gate/usr/src/lib/gss_mechs/mech_krb5/crypto/des/afsstring2key.c (revision 159d09a20817016f09b3ea28d1bdada4a336bb91) 
1 /*
2  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
3  * Use is subject to license terms.
4  */
5 
6 
7 /*
8  * lib/crypto/des/string2key.c
9  *
10  * based on lib/crypto/des/string2key.c from MIT V5
11  * and on lib/des/afs_string_to_key.c from UMD.
12  * constructed by Mark Eichin, Cygnus Support, 1995.
13  * made thread-safe by Ken Raeburn, MIT, 2001.
14  */
15 
16 /*
17  * Copyright 2001 by the Massachusetts Institute of Technology.
18  * All Rights Reserved.
19  *
20  * Export of this software from the United States of America may
21  *   require a specific license from the United States Government.
22  *   It is the responsibility of any person or organization contemplating
23  *   export to obtain such a license before exporting.
24  *
25  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
26  * distribute this software and its documentation for any purpose and
27  * without fee is hereby granted, provided that the above copyright
28  * notice appear in all copies and that both that copyright notice and
29  * this permission notice appear in supporting documentation, and that
30  * the name of M.I.T. not be used in advertising or publicity pertaining
31  * to distribution of the software without specific, written prior
32  * permission.  Furthermore if you modify this software you must label
33  * your software as modified software and not distribute it in such a
34  * fashion that it might be confused with the original M.I.T. software.
35  * M.I.T. makes no representations about the suitability of
36  * this software for any purpose.  It is provided "as is" without express
37  * or implied warranty.
38  */
39 
40 /*
41  * Copyright (C) 1998 by the FundsXpress, INC.
42  *
43  * All rights reserved.
44  *
45  * Export of this software from the United States of America may require
46  * a specific license from the United States Government.  It is the
47  * responsibility of any person or organization contemplating export to
48  * obtain such a license before exporting.
49  *
50  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
51  * distribute this software and its documentation for any purpose and
52  * without fee is hereby granted, provided that the above copyright
53  * notice appear in all copies and that both that copyright notice and
54  * this permission notice appear in supporting documentation, and that
55  * the name of FundsXpress. not be used in advertising or publicity pertaining
56  * to distribution of the software without specific, written prior
57  * permission.  FundsXpress makes no representations about the suitability of
58  * this software for any purpose.  It is provided "as is" without express
59  * or implied warranty.
60  *
61  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
62  * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
63  * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
64  */
65 
66 #include "k5-int.h"
67 #include "des_int.h"
68 #include <ctype.h>
69 
70 #define afs_crypt mit_afs_crypt
71 char *afs_crypt (const char *, const char *, char *);
72 
73 #undef min
74 #define min(a,b) ((a)>(b)?(b):(a))
75 
76 /*ARGSUSED*/
77 krb5_error_code
78 mit_afs_string_to_key (krb5_context context,
79 		    krb5_keyblock *keyblock, const krb5_data *data,
80 		    const krb5_data *salt)
81 {
82     /* Solaris Kerberos */
83     krb5_error_code retval = KRB5_PROG_ETYPE_NOSUPP;
84 /* EXPORT DELETE START */
85   /* totally different approach from MIT string2key. */
86   /* much of the work has already been done by the only caller
87      which is mit_des_string_to_key; in particular, *keyblock is already
88      set up. */
89 
90     char *realm = salt->data;
91     unsigned int i, j;
92     krb5_octet *key = keyblock->contents;
93     /* Solaris Kerberos */
94     krb5_keyblock usekey;
95 
96     if (data->length <= 8) {
97       /* One block only.  Run afs_crypt and use the first eight
98 	 returned bytes after the copy of the (fixed) salt.
99 
100 	 Since the returned bytes are alphanumeric, the output is
101 	 limited to 2**48 possibilities; for each byte, only 64
102 	 possible values can be used.  */
103       unsigned char password[9]; /* trailing nul for crypt() */
104       char afs_crypt_buf[16];
105 
106       memset (password, 0, sizeof (password));
107       memcpy (password, realm, min (salt->length, 8));
108       for (i=0; i<8; i++)
109 	if (isupper(password[i]))
110 	  password[i] = tolower(password[i]);
111       for (i=0; i<data->length; i++)
112 	password[i] ^= data->data[i];
113       for (i=0; i<8; i++)
114 	if (password[i] == '\0')
115 	  password[i] = 'X';
116       password[8] = '\0';
117       /* Out-of-bounds salt characters are equivalent to a salt string
118 	 of "p1".  */
119       strncpy((char *) key,
120 	      (char *) afs_crypt((char *) password, "#~", afs_crypt_buf) + 2,
121 	      8);
122       for (i=0; i<8; i++)
123 	key[i] <<= 1;
124       /* now fix up key parity again */
125       mit_des_fixup_key_parity(key);
126       /* clean & free the input string */
127       memset(password, 0, (size_t) sizeof(password));
128 
129       /* Solaris Kerberos: Success */
130       retval = 0;
131     } else {
132       /* Multiple blocks.  Do a CBC checksum, twice, and use the
133 	 result as the new key.  */
134       mit_des_cblock ikey, tkey;
135       unsigned int pw_len = salt->length+data->length;
136       unsigned char *password = malloc(pw_len+1);
137       if (!password) return ENOMEM;
138 
139       /* Some bound checks from the original code are elided here as
140 	 the malloc above makes sure we have enough storage. */
141       memcpy (password, data->data, data->length);
142       for (i=data->length, j = 0; j < salt->length; i++, j++) {
143 	password[i] = realm[j];
144 	if (isupper(password[i]))
145 	  password[i] = tolower(password[i]);
146       }
147 
148       memcpy (ikey, "kerberos", sizeof(ikey));
149       memcpy (tkey, ikey, sizeof(tkey));
150       mit_des_fixup_key_parity (tkey);
151 
152     /* Solaris Kerberos */
153       usekey.enctype = ENCTYPE_DES_CBC_CRC;
154       usekey.contents = tkey;
155       usekey.length = 8;
156       retval = mit_des_cbc_cksum (context, (unsigned char *)password,
157 				tkey, i, &usekey, ikey);
158 
159       memcpy (ikey, tkey, sizeof(ikey));
160       mit_des_fixup_key_parity (tkey);
161       /* Solaris Kerberos */
162       if (usekey.hKey != CK_INVALID_HANDLE) {
163          (void) C_DestroyObject(krb_ctx_hSession(context), usekey.hKey);
164          usekey.hKey = CK_INVALID_HANDLE;
165       }
166       usekey.contents = tkey;
167       usekey.length = 8;
168       retval = mit_des_cbc_cksum (context, (unsigned char *) password,
169 				key, i, &usekey, ikey);
170 
171       /* now fix up key parity again */
172       mit_des_fixup_key_parity(key);
173 
174       /* Solaris Kerberos */
175       if (usekey.hKey != CK_INVALID_HANDLE) {
176          (void) C_DestroyObject(krb_ctx_hSession(context), usekey.hKey);
177          usekey.hKey = CK_INVALID_HANDLE;
178       }
179       /* clean & free the input string */
180       memset(password, 0, (size_t) pw_len);
181       krb5_xfree(password);
182     }
183 #if 0
184     /* must free here because it was copied for this special case */
185     krb5_xfree(salt->data);
186 #endif
187 
188 /* EXPORT DELETE END */
189     return retval;
190 }
191 
192 
193 /* Portions of this code:
194    Copyright 1989 by the Massachusetts Institute of Technology
195    */
196 
197 /*
198  * Copyright (c) 1990 Regents of The University of Michigan.
199  * All Rights Reserved.
200  *
201  * Permission to use, copy, modify, and distribute this software
202  * and its documentation for any purpose and without fee is hereby
203  * granted, provided that the above copyright notice appears in all
204  * copies and that both that copyright notice and this permission
205  * notice appear in supporting documentation, and that the name of
206  * The University of Michigan not be used in advertising or
207  * publicity pertaining to distribution of the software without
208  * specific, written prior permission. This software is supplied as
209  * is without expressed or implied warranties of any kind.
210  *
211  *	ITD Research Systems
212  *	University of Michigan
213  *	535 W. William Street
214  *	Ann Arbor, Michigan
215  *	+1-313-936-2652
216  *	netatalk@terminator.cc.umich.edu
217  */
218 
219 /* EXPORT DELETE START */
220 
221 static void krb5_afs_crypt_setkey (char*, char*, char(*)[48]);
222 static void krb5_afs_encrypt (char*,char*,char (*)[48]);
223 
224 /*
225  * Initial permutation,
226  */
227 static const char	IP[] = {
228 	58,50,42,34,26,18,10, 2,
229 	60,52,44,36,28,20,12, 4,
230 	62,54,46,38,30,22,14, 6,
231 	64,56,48,40,32,24,16, 8,
232 	57,49,41,33,25,17, 9, 1,
233 	59,51,43,35,27,19,11, 3,
234 	61,53,45,37,29,21,13, 5,
235 	63,55,47,39,31,23,15, 7,
236 };
237 
238 /*
239  * Final permutation, FP = IP^(-1)
240  */
241 static const char	FP[] = {
242 	40, 8,48,16,56,24,64,32,
243 	39, 7,47,15,55,23,63,31,
244 	38, 6,46,14,54,22,62,30,
245 	37, 5,45,13,53,21,61,29,
246 	36, 4,44,12,52,20,60,28,
247 	35, 3,43,11,51,19,59,27,
248 	34, 2,42,10,50,18,58,26,
249 	33, 1,41, 9,49,17,57,25,
250 };
251 
252 /*
253  * Permuted-choice 1 from the key bits to yield C and D.
254  * Note that bits 8,16... are left out: They are intended for a parity check.
255  */
256 static const char	PC1_C[] = {
257 	57,49,41,33,25,17, 9,
258 	 1,58,50,42,34,26,18,
259 	10, 2,59,51,43,35,27,
260 	19,11, 3,60,52,44,36,
261 };
262 
263 static const char	PC1_D[] = {
264 	63,55,47,39,31,23,15,
265 	 7,62,54,46,38,30,22,
266 	14, 6,61,53,45,37,29,
267 	21,13, 5,28,20,12, 4,
268 };
269 
270 /*
271  * Sequence of shifts used for the key schedule.
272  */
273 static const char	shifts[] = {
274 	1,1,2,2,2,2,2,2,1,2,2,2,2,2,2,1,
275 };
276 
277 /*
278  * Permuted-choice 2, to pick out the bits from
279  * the CD array that generate the key schedule.
280  */
281 static const char	PC2_C[] = {
282 	14,17,11,24, 1, 5,
283 	 3,28,15, 6,21,10,
284 	23,19,12, 4,26, 8,
285 	16, 7,27,20,13, 2,
286 };
287 
288 static const char	PC2_D[] = {
289 	41,52,31,37,47,55,
290 	30,40,51,45,33,48,
291 	44,49,39,56,34,53,
292 	46,42,50,36,29,32,
293 };
294 
295 /*
296  * The E bit-selection table.
297  */
298 static const char	e[] = {
299 	32, 1, 2, 3, 4, 5,
300 	 4, 5, 6, 7, 8, 9,
301 	 8, 9,10,11,12,13,
302 	12,13,14,15,16,17,
303 	16,17,18,19,20,21,
304 	20,21,22,23,24,25,
305 	24,25,26,27,28,29,
306 	28,29,30,31,32, 1,
307 };
308 
309 /*
310  * P is a permutation on the selected combination
311  * of the current L and key.
312  */
313 static const char	P[] = {
314 	16, 7,20,21,
315 	29,12,28,17,
316 	 1,15,23,26,
317 	 5,18,31,10,
318 	 2, 8,24,14,
319 	32,27, 3, 9,
320 	19,13,30, 6,
321 	22,11, 4,25,
322 };
323 
324 /*
325  * The 8 selection functions.
326  * For some reason, they give a 0-origin
327  * index, unlike everything else.
328  */
329 static const char	S[8][64] = {
330 	{14, 4,13, 1, 2,15,11, 8, 3,10, 6,12, 5, 9, 0, 7,
331 	  0,15, 7, 4,14, 2,13, 1,10, 6,12,11, 9, 5, 3, 8,
332 	  4, 1,14, 8,13, 6, 2,11,15,12, 9, 7, 3,10, 5, 0,
333 	 15,12, 8, 2, 4, 9, 1, 7, 5,11, 3,14,10, 0, 6,13},
334 
335 	{15, 1, 8,14, 6,11, 3, 4, 9, 7, 2,13,12, 0, 5,10,
336 	  3,13, 4, 7,15, 2, 8,14,12, 0, 1,10, 6, 9,11, 5,
337 	  0,14, 7,11,10, 4,13, 1, 5, 8,12, 6, 9, 3, 2,15,
338 	 13, 8,10, 1, 3,15, 4, 2,11, 6, 7,12, 0, 5,14, 9},
339 
340 	{10, 0, 9,14, 6, 3,15, 5, 1,13,12, 7,11, 4, 2, 8,
341 	 13, 7, 0, 9, 3, 4, 6,10, 2, 8, 5,14,12,11,15, 1,
342 	 13, 6, 4, 9, 8,15, 3, 0,11, 1, 2,12, 5,10,14, 7,
343 	  1,10,13, 0, 6, 9, 8, 7, 4,15,14, 3,11, 5, 2,12},
344 
345 	{ 7,13,14, 3, 0, 6, 9,10, 1, 2, 8, 5,11,12, 4,15,
346 	 13, 8,11, 5, 6,15, 0, 3, 4, 7, 2,12, 1,10,14, 9,
347 	 10, 6, 9, 0,12,11, 7,13,15, 1, 3,14, 5, 2, 8, 4,
348 	  3,15, 0, 6,10, 1,13, 8, 9, 4, 5,11,12, 7, 2,14},
349 
350 	{ 2,12, 4, 1, 7,10,11, 6, 8, 5, 3,15,13, 0,14, 9,
351 	 14,11, 2,12, 4, 7,13, 1, 5, 0,15,10, 3, 9, 8, 6,
352 	  4, 2, 1,11,10,13, 7, 8,15, 9,12, 5, 6, 3, 0,14,
353 	 11, 8,12, 7, 1,14, 2,13, 6,15, 0, 9,10, 4, 5, 3},
354 
355 	{12, 1,10,15, 9, 2, 6, 8, 0,13, 3, 4,14, 7, 5,11,
356 	 10,15, 4, 2, 7,12, 9, 5, 6, 1,13,14, 0,11, 3, 8,
357 	  9,14,15, 5, 2, 8,12, 3, 7, 0, 4,10, 1,13,11, 6,
358 	  4, 3, 2,12, 9, 5,15,10,11,14, 1, 7, 6, 0, 8,13},
359 
360 	{ 4,11, 2,14,15, 0, 8,13, 3,12, 9, 7, 5,10, 6, 1,
361 	 13, 0,11, 7, 4, 9, 1,10,14, 3, 5,12, 2,15, 8, 6,
362 	  1, 4,11,13,12, 3, 7,14,10,15, 6, 8, 0, 5, 9, 2,
363 	  6,11,13, 8, 1, 4,10, 7, 9, 5, 0,15,14, 2, 3,12},
364 
365 	{13, 2, 8, 4, 6,15,11, 1,10, 9, 3,14, 5, 0,12, 7,
366 	  1,15,13, 8,10, 3, 7, 4,12, 5, 6,11, 0,14, 9, 2,
367 	  7,11, 4, 1, 9,12,14, 2, 0, 6,10,13,15, 3, 5, 8,
368 	  2, 1,14, 7, 4,10, 8,13,15,12, 9, 0, 3, 5, 6,11},
369 };
370 
371 
372 char *afs_crypt(const char *pw, const char *salt,
373 		/* must be at least 16 bytes */
374 		char *iobuf)
375 {
376 	int i, j, c;
377 	int temp;
378 	char block[66];
379 	char E[48];
380 	/*
381 	 * The key schedule.
382 	 * Generated from the key.
383 	 */
384 	char KS[16][48];
385 
386 	for(i=0; i<66; i++)
387 		block[i] = 0;
388 	/* Solaris Kerberos */
389 	for(i=0; ((c= *pw) != NULL) && i<64; pw++){
390 		for(j=0; j<7; j++, i++)
391 			block[i] = (c>>(6-j)) & 01;
392 		i++;
393 	}
394 
395 	krb5_afs_crypt_setkey(block, E, KS);
396 
397 	for(i=0; i<66; i++)
398 		block[i] = 0;
399 
400 	for(i=0;i<2;i++){
401 		c = *salt++;
402 		iobuf[i] = c;
403 		if(c>'Z') c -= 6;
404 		if(c>'9') c -= 7;
405 		c -= '.';
406 		for(j=0;j<6;j++){
407 			if((c>>j) & 01){
408 				temp = E[6*i+j];
409 				E[6*i+j] = E[6*i+j+24];
410 				E[6*i+j+24] = temp;
411 				}
412 			}
413 		}
414 
415 	for(i=0; i<25; i++)
416 		krb5_afs_encrypt(block,E,KS);
417 
418 	for(i=0; i<11; i++){
419 		c = 0;
420 		for(j=0; j<6; j++){
421 			c <<= 1;
422 			c |= block[6*i+j];
423 			}
424 		c += '.';
425 		if(c>'9') c += 7;
426 		if(c>'Z') c += 6;
427 		iobuf[i+2] = c;
428 	}
429 	iobuf[i+2] = 0;
430 	if(iobuf[1]==0)
431 		iobuf[1] = iobuf[0];
432 	return(iobuf);
433 }
434 
435 /*
436  * Set up the key schedule from the key.
437  */
438 
439 static void krb5_afs_crypt_setkey(char *key, char *E, char (*KS)[48])
440 {
441 	register int i, j, k;
442 	int t;
443 	/*
444 	 * The C and D arrays used to calculate the key schedule.
445 	 */
446 	char C[28], D[28];
447 
448 	/*
449 	 * First, generate C and D by permuting
450 	 * the key.  The low order bit of each
451 	 * 8-bit char is not used, so C and D are only 28
452 	 * bits apiece.
453 	 */
454 	for (i=0; i<28; i++) {
455 		C[i] = key[PC1_C[i]-1];
456 		D[i] = key[PC1_D[i]-1];
457 	}
458 	/*
459 	 * To generate Ki, rotate C and D according
460 	 * to schedule and pick up a permutation
461 	 * using PC2.
462 	 */
463 	for (i=0; i<16; i++) {
464 		/*
465 		 * rotate.
466 		 */
467 		for (k=0; k<shifts[i]; k++) {
468 			t = C[0];
469 			for (j=0; j<28-1; j++)
470 				C[j] = C[j+1];
471 			C[27] = t;
472 			t = D[0];
473 			for (j=0; j<28-1; j++)
474 				D[j] = D[j+1];
475 			D[27] = t;
476 		}
477 		/*
478 		 * get Ki. Note C and D are concatenated.
479 		 */
480 		for (j=0; j<24; j++) {
481 			KS[i][j] = C[PC2_C[j]-1];
482 			KS[i][j+24] = D[PC2_D[j]-28-1];
483 		}
484 	}
485 
486 #if 0
487 	for(i=0;i<48;i++) {
488 		E[i] = e[i];
489 	}
490 #else
491 	memcpy(E, e, 48);
492 #endif
493 }
494 
495 /*
496  * The payoff: encrypt a block.
497  */
498 
499 static void krb5_afs_encrypt(char *block, char *E, char (*KS)[48])
500 {
501 	const long edflag = 0;
502 	int i, ii;
503 	int t, j, k;
504 	char tempL[32];
505 	char f[32];
506 	/*
507 	 * The current block, divided into 2 halves.
508 	 */
509 	char L[64];
510 	char *const R = &L[32];
511 	/*
512 	 * The combination of the key and the input, before selection.
513 	 */
514 	char preS[48];
515 
516 	/*
517 	 * First, permute the bits in the input
518 	 */
519 	for (j=0; j<64; j++)
520 		L[j] = block[IP[j]-1];
521 	/*
522 	 * Perform an encryption operation 16 times.
523 	 */
524 	for (ii=0; ii<16; ii++) {
525 		/*
526 		 * Set direction
527 		 */
528 		if (edflag)
529 			i = 15-ii;
530 		else
531 			i = ii;
532 		/*
533 		 * Save the R array,
534 		 * which will be the new L.
535 		 */
536 #if 0
537 		for (j=0; j<32; j++)
538 			tempL[j] = R[j];
539 #else
540 		memcpy(tempL, R, 32);
541 #endif
542 		/*
543 		 * Expand R to 48 bits using the E selector;
544 		 * exclusive-or with the current key bits.
545 		 */
546 		for (j=0; j<48; j++)
547 			preS[j] = R[E[j]-1] ^ KS[i][j];
548 		/*
549 		 * The pre-select bits are now considered
550 		 * in 8 groups of 6 bits each.
551 		 * The 8 selection functions map these
552 		 * 6-bit quantities into 4-bit quantities
553 		 * and the results permuted
554 		 * to make an f(R, K).
555 		 * The indexing into the selection functions
556 		 * is peculiar; it could be simplified by
557 		 * rewriting the tables.
558 		 */
559 		for (j=0; j<8; j++) {
560 			t = 6*j;
561 			k = S[j][(preS[t+0]<<5)+
562 				(preS[t+1]<<3)+
563 				(preS[t+2]<<2)+
564 				(preS[t+3]<<1)+
565 				(preS[t+4]<<0)+
566 				(preS[t+5]<<4)];
567 			t = 4*j;
568 				f[t+0] = (k>>3)&01;
569 				f[t+1] = (k>>2)&01;
570 				f[t+2] = (k>>1)&01;
571 				f[t+3] = (k>>0)&01;
572 		}
573 		/*
574 		 * The new R is L ^ f(R, K).
575 		 * The f here has to be permuted first, though.
576 		 */
577 		for (j=0; j<32; j++)
578 			R[j] = L[j] ^ f[P[j]-1];
579 		/*
580 		 * Finally, the new L (the original R)
581 		 * is copied back.
582 		 */
583 #if 0
584 		for (j=0; j<32; j++)
585 			L[j] = tempL[j];
586 #else
587 		memcpy(L, tempL, 32);
588 #endif
589 	}
590 	/*
591 	 * The output L and R are reversed.
592 	 */
593 	for (j=0; j<32; j++) {
594 		t = L[j];
595 		L[j] = R[j];
596 		R[j] = t;
597 	}
598 	/*
599 	 * The final output
600 	 * gets the inverse permutation of the very original.
601 	 */
602 	for (j=0; j<64; j++)
603 		block[j] = L[FP[j]-1];
604 }
605 /* EXPORT DELETE END */
606