xref: /illumos-gate/usr/src/lib/gss_mechs/mech_krb5/crypto/des/afsstring2key.c (revision 694c35faa87b858ecdadfe4fc592615f4eefbb07)
1 /*
2  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
3  * Use is subject to license terms.
4  */
5 
6 
7 /*
8  * lib/crypto/des/string2key.c
9  *
10  * based on lib/crypto/des/string2key.c from MIT V5
11  * and on lib/des/afs_string_to_key.c from UMD.
12  * constructed by Mark Eichin, Cygnus Support, 1995.
13  * made thread-safe by Ken Raeburn, MIT, 2001.
14  */
15 
16 /*
17  * Copyright 2001 by the Massachusetts Institute of Technology.
18  * All Rights Reserved.
19  *
20  * Export of this software from the United States of America may
21  *   require a specific license from the United States Government.
22  *   It is the responsibility of any person or organization contemplating
23  *   export to obtain such a license before exporting.
24  *
25  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
26  * distribute this software and its documentation for any purpose and
27  * without fee is hereby granted, provided that the above copyright
28  * notice appear in all copies and that both that copyright notice and
29  * this permission notice appear in supporting documentation, and that
30  * the name of M.I.T. not be used in advertising or publicity pertaining
31  * to distribution of the software without specific, written prior
32  * permission.  Furthermore if you modify this software you must label
33  * your software as modified software and not distribute it in such a
34  * fashion that it might be confused with the original M.I.T. software.
35  * M.I.T. makes no representations about the suitability of
36  * this software for any purpose.  It is provided "as is" without express
37  * or implied warranty.
38  */
39 
40 /*
41  * Copyright (C) 1998 by the FundsXpress, INC.
42  *
43  * All rights reserved.
44  *
45  * Export of this software from the United States of America may require
46  * a specific license from the United States Government.  It is the
47  * responsibility of any person or organization contemplating export to
48  * obtain such a license before exporting.
49  *
50  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
51  * distribute this software and its documentation for any purpose and
52  * without fee is hereby granted, provided that the above copyright
53  * notice appear in all copies and that both that copyright notice and
54  * this permission notice appear in supporting documentation, and that
55  * the name of FundsXpress. not be used in advertising or publicity pertaining
56  * to distribution of the software without specific, written prior
57  * permission.  FundsXpress makes no representations about the suitability of
58  * this software for any purpose.  It is provided "as is" without express
59  * or implied warranty.
60  *
61  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
62  * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
63  * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
64  */
65 
66 #include "k5-int.h"
67 #include "des_int.h"
68 #include <ctype.h>
69 
70 #define afs_crypt mit_afs_crypt
71 char *afs_crypt (const char *, const char *, char *);
72 
73 #undef min
74 #define min(a,b) ((a)>(b)?(b):(a))
75 
76 /*ARGSUSED*/
77 krb5_error_code
78 mit_afs_string_to_key (krb5_context context,
79 		    krb5_keyblock *keyblock, const krb5_data *data,
80 		    const krb5_data *salt)
81 {
82     /* Solaris Kerberos */
83     krb5_error_code retval = KRB5_PROG_ETYPE_NOSUPP;
84   /* totally different approach from MIT string2key. */
85   /* much of the work has already been done by the only caller
86      which is mit_des_string_to_key; in particular, *keyblock is already
87      set up. */
88 
89     char *realm = salt->data;
90     unsigned int i, j;
91     krb5_octet *key = keyblock->contents;
92     /* Solaris Kerberos */
93     krb5_keyblock usekey;
94 
95     if (data->length <= 8) {
96       /* One block only.  Run afs_crypt and use the first eight
97 	 returned bytes after the copy of the (fixed) salt.
98 
99 	 Since the returned bytes are alphanumeric, the output is
100 	 limited to 2**48 possibilities; for each byte, only 64
101 	 possible values can be used.  */
102       unsigned char password[9]; /* trailing nul for crypt() */
103       char afs_crypt_buf[16];
104 
105       memset (password, 0, sizeof (password));
106       memcpy (password, realm, min (salt->length, 8));
107       for (i=0; i<8; i++)
108 	if (isupper(password[i]))
109 	  password[i] = tolower(password[i]);
110       for (i=0; i<data->length; i++)
111 	password[i] ^= data->data[i];
112       for (i=0; i<8; i++)
113 	if (password[i] == '\0')
114 	  password[i] = 'X';
115       password[8] = '\0';
116       /* Out-of-bounds salt characters are equivalent to a salt string
117 	 of "p1".  */
118       strncpy((char *) key,
119 	      (char *) afs_crypt((char *) password, "#~", afs_crypt_buf) + 2,
120 	      8);
121       for (i=0; i<8; i++)
122 	key[i] <<= 1;
123       /* now fix up key parity again */
124       mit_des_fixup_key_parity(key);
125       /* clean & free the input string */
126       memset(password, 0, (size_t) sizeof(password));
127 
128       /* Solaris Kerberos: Success */
129       retval = 0;
130     } else {
131       /* Multiple blocks.  Do a CBC checksum, twice, and use the
132 	 result as the new key.  */
133       mit_des_cblock ikey, tkey;
134       unsigned int pw_len = salt->length+data->length;
135       unsigned char *password = malloc(pw_len+1);
136       if (!password) return ENOMEM;
137 
138       /* Some bound checks from the original code are elided here as
139 	 the malloc above makes sure we have enough storage. */
140       memcpy (password, data->data, data->length);
141       for (i=data->length, j = 0; j < salt->length; i++, j++) {
142 	password[i] = realm[j];
143 	if (isupper(password[i]))
144 	  password[i] = tolower(password[i]);
145       }
146 
147       memcpy (ikey, "kerberos", sizeof(ikey));
148       memcpy (tkey, ikey, sizeof(tkey));
149       mit_des_fixup_key_parity (tkey);
150 
151     /* Solaris Kerberos */
152       usekey.enctype = ENCTYPE_DES_CBC_CRC;
153       usekey.contents = tkey;
154       usekey.length = 8;
155       retval = mit_des_cbc_cksum (context, (unsigned char *)password,
156 				tkey, i, &usekey, ikey);
157 
158       memcpy (ikey, tkey, sizeof(ikey));
159       mit_des_fixup_key_parity (tkey);
160       /* Solaris Kerberos */
161       if (usekey.hKey != CK_INVALID_HANDLE) {
162          (void) C_DestroyObject(krb_ctx_hSession(context), usekey.hKey);
163          usekey.hKey = CK_INVALID_HANDLE;
164       }
165       usekey.contents = tkey;
166       usekey.length = 8;
167       retval = mit_des_cbc_cksum (context, (unsigned char *) password,
168 				key, i, &usekey, ikey);
169 
170       /* now fix up key parity again */
171       mit_des_fixup_key_parity(key);
172 
173       /* Solaris Kerberos */
174       if (usekey.hKey != CK_INVALID_HANDLE) {
175          (void) C_DestroyObject(krb_ctx_hSession(context), usekey.hKey);
176          usekey.hKey = CK_INVALID_HANDLE;
177       }
178       /* clean & free the input string */
179       memset(password, 0, (size_t) pw_len);
180       krb5_xfree(password);
181     }
182 #if 0
183     /* must free here because it was copied for this special case */
184     krb5_xfree(salt->data);
185 #endif
186 
187     return retval;
188 }
189 
190 
191 /* Portions of this code:
192    Copyright 1989 by the Massachusetts Institute of Technology
193    */
194 
195 /*
196  * Copyright (c) 1990 Regents of The University of Michigan.
197  * All Rights Reserved.
198  *
199  * Permission to use, copy, modify, and distribute this software
200  * and its documentation for any purpose and without fee is hereby
201  * granted, provided that the above copyright notice appears in all
202  * copies and that both that copyright notice and this permission
203  * notice appear in supporting documentation, and that the name of
204  * The University of Michigan not be used in advertising or
205  * publicity pertaining to distribution of the software without
206  * specific, written prior permission. This software is supplied as
207  * is without expressed or implied warranties of any kind.
208  *
209  *	ITD Research Systems
210  *	University of Michigan
211  *	535 W. William Street
212  *	Ann Arbor, Michigan
213  *	+1-313-936-2652
214  *	netatalk@terminator.cc.umich.edu
215  */
216 
217 static void krb5_afs_crypt_setkey (char*, char*, char(*)[48]);
218 static void krb5_afs_encrypt (char*,char*,char (*)[48]);
219 
220 /*
221  * Initial permutation,
222  */
223 static const char	IP[] = {
224 	58,50,42,34,26,18,10, 2,
225 	60,52,44,36,28,20,12, 4,
226 	62,54,46,38,30,22,14, 6,
227 	64,56,48,40,32,24,16, 8,
228 	57,49,41,33,25,17, 9, 1,
229 	59,51,43,35,27,19,11, 3,
230 	61,53,45,37,29,21,13, 5,
231 	63,55,47,39,31,23,15, 7,
232 };
233 
234 /*
235  * Final permutation, FP = IP^(-1)
236  */
237 static const char	FP[] = {
238 	40, 8,48,16,56,24,64,32,
239 	39, 7,47,15,55,23,63,31,
240 	38, 6,46,14,54,22,62,30,
241 	37, 5,45,13,53,21,61,29,
242 	36, 4,44,12,52,20,60,28,
243 	35, 3,43,11,51,19,59,27,
244 	34, 2,42,10,50,18,58,26,
245 	33, 1,41, 9,49,17,57,25,
246 };
247 
248 /*
249  * Permuted-choice 1 from the key bits to yield C and D.
250  * Note that bits 8,16... are left out: They are intended for a parity check.
251  */
252 static const char	PC1_C[] = {
253 	57,49,41,33,25,17, 9,
254 	 1,58,50,42,34,26,18,
255 	10, 2,59,51,43,35,27,
256 	19,11, 3,60,52,44,36,
257 };
258 
259 static const char	PC1_D[] = {
260 	63,55,47,39,31,23,15,
261 	 7,62,54,46,38,30,22,
262 	14, 6,61,53,45,37,29,
263 	21,13, 5,28,20,12, 4,
264 };
265 
266 /*
267  * Sequence of shifts used for the key schedule.
268  */
269 static const char	shifts[] = {
270 	1,1,2,2,2,2,2,2,1,2,2,2,2,2,2,1,
271 };
272 
273 /*
274  * Permuted-choice 2, to pick out the bits from
275  * the CD array that generate the key schedule.
276  */
277 static const char	PC2_C[] = {
278 	14,17,11,24, 1, 5,
279 	 3,28,15, 6,21,10,
280 	23,19,12, 4,26, 8,
281 	16, 7,27,20,13, 2,
282 };
283 
284 static const char	PC2_D[] = {
285 	41,52,31,37,47,55,
286 	30,40,51,45,33,48,
287 	44,49,39,56,34,53,
288 	46,42,50,36,29,32,
289 };
290 
291 /*
292  * The E bit-selection table.
293  */
294 static const char	e[] = {
295 	32, 1, 2, 3, 4, 5,
296 	 4, 5, 6, 7, 8, 9,
297 	 8, 9,10,11,12,13,
298 	12,13,14,15,16,17,
299 	16,17,18,19,20,21,
300 	20,21,22,23,24,25,
301 	24,25,26,27,28,29,
302 	28,29,30,31,32, 1,
303 };
304 
305 /*
306  * P is a permutation on the selected combination
307  * of the current L and key.
308  */
309 static const char	P[] = {
310 	16, 7,20,21,
311 	29,12,28,17,
312 	 1,15,23,26,
313 	 5,18,31,10,
314 	 2, 8,24,14,
315 	32,27, 3, 9,
316 	19,13,30, 6,
317 	22,11, 4,25,
318 };
319 
320 /*
321  * The 8 selection functions.
322  * For some reason, they give a 0-origin
323  * index, unlike everything else.
324  */
325 static const char	S[8][64] = {
326 	{14, 4,13, 1, 2,15,11, 8, 3,10, 6,12, 5, 9, 0, 7,
327 	  0,15, 7, 4,14, 2,13, 1,10, 6,12,11, 9, 5, 3, 8,
328 	  4, 1,14, 8,13, 6, 2,11,15,12, 9, 7, 3,10, 5, 0,
329 	 15,12, 8, 2, 4, 9, 1, 7, 5,11, 3,14,10, 0, 6,13},
330 
331 	{15, 1, 8,14, 6,11, 3, 4, 9, 7, 2,13,12, 0, 5,10,
332 	  3,13, 4, 7,15, 2, 8,14,12, 0, 1,10, 6, 9,11, 5,
333 	  0,14, 7,11,10, 4,13, 1, 5, 8,12, 6, 9, 3, 2,15,
334 	 13, 8,10, 1, 3,15, 4, 2,11, 6, 7,12, 0, 5,14, 9},
335 
336 	{10, 0, 9,14, 6, 3,15, 5, 1,13,12, 7,11, 4, 2, 8,
337 	 13, 7, 0, 9, 3, 4, 6,10, 2, 8, 5,14,12,11,15, 1,
338 	 13, 6, 4, 9, 8,15, 3, 0,11, 1, 2,12, 5,10,14, 7,
339 	  1,10,13, 0, 6, 9, 8, 7, 4,15,14, 3,11, 5, 2,12},
340 
341 	{ 7,13,14, 3, 0, 6, 9,10, 1, 2, 8, 5,11,12, 4,15,
342 	 13, 8,11, 5, 6,15, 0, 3, 4, 7, 2,12, 1,10,14, 9,
343 	 10, 6, 9, 0,12,11, 7,13,15, 1, 3,14, 5, 2, 8, 4,
344 	  3,15, 0, 6,10, 1,13, 8, 9, 4, 5,11,12, 7, 2,14},
345 
346 	{ 2,12, 4, 1, 7,10,11, 6, 8, 5, 3,15,13, 0,14, 9,
347 	 14,11, 2,12, 4, 7,13, 1, 5, 0,15,10, 3, 9, 8, 6,
348 	  4, 2, 1,11,10,13, 7, 8,15, 9,12, 5, 6, 3, 0,14,
349 	 11, 8,12, 7, 1,14, 2,13, 6,15, 0, 9,10, 4, 5, 3},
350 
351 	{12, 1,10,15, 9, 2, 6, 8, 0,13, 3, 4,14, 7, 5,11,
352 	 10,15, 4, 2, 7,12, 9, 5, 6, 1,13,14, 0,11, 3, 8,
353 	  9,14,15, 5, 2, 8,12, 3, 7, 0, 4,10, 1,13,11, 6,
354 	  4, 3, 2,12, 9, 5,15,10,11,14, 1, 7, 6, 0, 8,13},
355 
356 	{ 4,11, 2,14,15, 0, 8,13, 3,12, 9, 7, 5,10, 6, 1,
357 	 13, 0,11, 7, 4, 9, 1,10,14, 3, 5,12, 2,15, 8, 6,
358 	  1, 4,11,13,12, 3, 7,14,10,15, 6, 8, 0, 5, 9, 2,
359 	  6,11,13, 8, 1, 4,10, 7, 9, 5, 0,15,14, 2, 3,12},
360 
361 	{13, 2, 8, 4, 6,15,11, 1,10, 9, 3,14, 5, 0,12, 7,
362 	  1,15,13, 8,10, 3, 7, 4,12, 5, 6,11, 0,14, 9, 2,
363 	  7,11, 4, 1, 9,12,14, 2, 0, 6,10,13,15, 3, 5, 8,
364 	  2, 1,14, 7, 4,10, 8,13,15,12, 9, 0, 3, 5, 6,11},
365 };
366 
367 
368 char *afs_crypt(const char *pw, const char *salt,
369 		/* must be at least 16 bytes */
370 		char *iobuf)
371 {
372 	int i, j, c;
373 	int temp;
374 	char block[66];
375 	char E[48];
376 	/*
377 	 * The key schedule.
378 	 * Generated from the key.
379 	 */
380 	char KS[16][48];
381 
382 	for(i=0; i<66; i++)
383 		block[i] = 0;
384 	/* Solaris Kerberos */
385 	for(i=0; ((c= *pw) != NULL) && i<64; pw++){
386 		for(j=0; j<7; j++, i++)
387 			block[i] = (c>>(6-j)) & 01;
388 		i++;
389 	}
390 
391 	krb5_afs_crypt_setkey(block, E, KS);
392 
393 	for(i=0; i<66; i++)
394 		block[i] = 0;
395 
396 	for(i=0;i<2;i++){
397 		c = *salt++;
398 		iobuf[i] = c;
399 		if(c>'Z') c -= 6;
400 		if(c>'9') c -= 7;
401 		c -= '.';
402 		for(j=0;j<6;j++){
403 			if((c>>j) & 01){
404 				temp = E[6*i+j];
405 				E[6*i+j] = E[6*i+j+24];
406 				E[6*i+j+24] = temp;
407 				}
408 			}
409 		}
410 
411 	for(i=0; i<25; i++)
412 		krb5_afs_encrypt(block,E,KS);
413 
414 	for(i=0; i<11; i++){
415 		c = 0;
416 		for(j=0; j<6; j++){
417 			c <<= 1;
418 			c |= block[6*i+j];
419 			}
420 		c += '.';
421 		if(c>'9') c += 7;
422 		if(c>'Z') c += 6;
423 		iobuf[i+2] = c;
424 	}
425 	iobuf[i+2] = 0;
426 	if(iobuf[1]==0)
427 		iobuf[1] = iobuf[0];
428 	return(iobuf);
429 }
430 
431 /*
432  * Set up the key schedule from the key.
433  */
434 
435 static void krb5_afs_crypt_setkey(char *key, char *E, char (*KS)[48])
436 {
437 	register int i, j, k;
438 	int t;
439 	/*
440 	 * The C and D arrays used to calculate the key schedule.
441 	 */
442 	char C[28], D[28];
443 
444 	/*
445 	 * First, generate C and D by permuting
446 	 * the key.  The low order bit of each
447 	 * 8-bit char is not used, so C and D are only 28
448 	 * bits apiece.
449 	 */
450 	for (i=0; i<28; i++) {
451 		C[i] = key[PC1_C[i]-1];
452 		D[i] = key[PC1_D[i]-1];
453 	}
454 	/*
455 	 * To generate Ki, rotate C and D according
456 	 * to schedule and pick up a permutation
457 	 * using PC2.
458 	 */
459 	for (i=0; i<16; i++) {
460 		/*
461 		 * rotate.
462 		 */
463 		for (k=0; k<shifts[i]; k++) {
464 			t = C[0];
465 			for (j=0; j<28-1; j++)
466 				C[j] = C[j+1];
467 			C[27] = t;
468 			t = D[0];
469 			for (j=0; j<28-1; j++)
470 				D[j] = D[j+1];
471 			D[27] = t;
472 		}
473 		/*
474 		 * get Ki. Note C and D are concatenated.
475 		 */
476 		for (j=0; j<24; j++) {
477 			KS[i][j] = C[PC2_C[j]-1];
478 			KS[i][j+24] = D[PC2_D[j]-28-1];
479 		}
480 	}
481 
482 #if 0
483 	for(i=0;i<48;i++) {
484 		E[i] = e[i];
485 	}
486 #else
487 	memcpy(E, e, 48);
488 #endif
489 }
490 
491 /*
492  * The payoff: encrypt a block.
493  */
494 
495 static void krb5_afs_encrypt(char *block, char *E, char (*KS)[48])
496 {
497 	const long edflag = 0;
498 	int i, ii;
499 	int t, j, k;
500 	char tempL[32];
501 	char f[32];
502 	/*
503 	 * The current block, divided into 2 halves.
504 	 */
505 	char L[64];
506 	char *const R = &L[32];
507 	/*
508 	 * The combination of the key and the input, before selection.
509 	 */
510 	char preS[48];
511 
512 	/*
513 	 * First, permute the bits in the input
514 	 */
515 	for (j=0; j<64; j++)
516 		L[j] = block[IP[j]-1];
517 	/*
518 	 * Perform an encryption operation 16 times.
519 	 */
520 	for (ii=0; ii<16; ii++) {
521 		/*
522 		 * Set direction
523 		 */
524 		if (edflag)
525 			i = 15-ii;
526 		else
527 			i = ii;
528 		/*
529 		 * Save the R array,
530 		 * which will be the new L.
531 		 */
532 #if 0
533 		for (j=0; j<32; j++)
534 			tempL[j] = R[j];
535 #else
536 		memcpy(tempL, R, 32);
537 #endif
538 		/*
539 		 * Expand R to 48 bits using the E selector;
540 		 * exclusive-or with the current key bits.
541 		 */
542 		for (j=0; j<48; j++)
543 			preS[j] = R[E[j]-1] ^ KS[i][j];
544 		/*
545 		 * The pre-select bits are now considered
546 		 * in 8 groups of 6 bits each.
547 		 * The 8 selection functions map these
548 		 * 6-bit quantities into 4-bit quantities
549 		 * and the results permuted
550 		 * to make an f(R, K).
551 		 * The indexing into the selection functions
552 		 * is peculiar; it could be simplified by
553 		 * rewriting the tables.
554 		 */
555 		for (j=0; j<8; j++) {
556 			t = 6*j;
557 			k = S[j][(preS[t+0]<<5)+
558 				(preS[t+1]<<3)+
559 				(preS[t+2]<<2)+
560 				(preS[t+3]<<1)+
561 				(preS[t+4]<<0)+
562 				(preS[t+5]<<4)];
563 			t = 4*j;
564 				f[t+0] = (k>>3)&01;
565 				f[t+1] = (k>>2)&01;
566 				f[t+2] = (k>>1)&01;
567 				f[t+3] = (k>>0)&01;
568 		}
569 		/*
570 		 * The new R is L ^ f(R, K).
571 		 * The f here has to be permuted first, though.
572 		 */
573 		for (j=0; j<32; j++)
574 			R[j] = L[j] ^ f[P[j]-1];
575 		/*
576 		 * Finally, the new L (the original R)
577 		 * is copied back.
578 		 */
579 #if 0
580 		for (j=0; j<32; j++)
581 			L[j] = tempL[j];
582 #else
583 		memcpy(L, tempL, 32);
584 #endif
585 	}
586 	/*
587 	 * The output L and R are reversed.
588 	 */
589 	for (j=0; j<32; j++) {
590 		t = L[j];
591 		L[j] = R[j];
592 		R[j] = t;
593 	}
594 	/*
595 	 * The final output
596 	 * gets the inverse permutation of the very original.
597 	 */
598 	for (j=0; j<64; j++)
599 		block[j] = L[FP[j]-1];
600 }
601