1 /* 2 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 3 * Use is subject to license terms. 4 */ 5 6 7 /* 8 * lib/crypto/des/string2key.c 9 * 10 * based on lib/crypto/des/string2key.c from MIT V5 11 * and on lib/des/afs_string_to_key.c from UMD. 12 * constructed by Mark Eichin, Cygnus Support, 1995. 13 * made thread-safe by Ken Raeburn, MIT, 2001. 14 */ 15 16 /* 17 * Copyright 2001 by the Massachusetts Institute of Technology. 18 * All Rights Reserved. 19 * 20 * Export of this software from the United States of America may 21 * require a specific license from the United States Government. 22 * It is the responsibility of any person or organization contemplating 23 * export to obtain such a license before exporting. 24 * 25 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and 26 * distribute this software and its documentation for any purpose and 27 * without fee is hereby granted, provided that the above copyright 28 * notice appear in all copies and that both that copyright notice and 29 * this permission notice appear in supporting documentation, and that 30 * the name of M.I.T. not be used in advertising or publicity pertaining 31 * to distribution of the software without specific, written prior 32 * permission. Furthermore if you modify this software you must label 33 * your software as modified software and not distribute it in such a 34 * fashion that it might be confused with the original M.I.T. software. 35 * M.I.T. makes no representations about the suitability of 36 * this software for any purpose. It is provided "as is" without express 37 * or implied warranty. 38 */ 39 40 /* 41 * Copyright (C) 1998 by the FundsXpress, INC. 42 * 43 * All rights reserved. 44 * 45 * Export of this software from the United States of America may require 46 * a specific license from the United States Government. It is the 47 * responsibility of any person or organization contemplating export to 48 * obtain such a license before exporting. 49 * 50 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and 51 * distribute this software and its documentation for any purpose and 52 * without fee is hereby granted, provided that the above copyright 53 * notice appear in all copies and that both that copyright notice and 54 * this permission notice appear in supporting documentation, and that 55 * the name of FundsXpress. not be used in advertising or publicity pertaining 56 * to distribution of the software without specific, written prior 57 * permission. FundsXpress makes no representations about the suitability of 58 * this software for any purpose. It is provided "as is" without express 59 * or implied warranty. 60 * 61 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR 62 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED 63 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. 64 */ 65 66 #include "k5-int.h" 67 #include "des_int.h" 68 #include <ctype.h> 69 70 #define afs_crypt mit_afs_crypt 71 char *afs_crypt (const char *, const char *, char *); 72 73 #undef min 74 #define min(a,b) ((a)>(b)?(b):(a)) 75 76 /*ARGSUSED*/ 77 krb5_error_code 78 mit_afs_string_to_key (krb5_context context, 79 krb5_keyblock *keyblock, const krb5_data *data, 80 const krb5_data *salt) 81 { 82 /* Solaris Kerberos */ 83 krb5_error_code retval = KRB5_PROG_ETYPE_NOSUPP; 84 /* totally different approach from MIT string2key. */ 85 /* much of the work has already been done by the only caller 86 which is mit_des_string_to_key; in particular, *keyblock is already 87 set up. */ 88 89 char *realm = salt->data; 90 unsigned int i, j; 91 krb5_octet *key = keyblock->contents; 92 /* Solaris Kerberos */ 93 krb5_keyblock usekey; 94 95 if (data->length <= 8) { 96 /* One block only. Run afs_crypt and use the first eight 97 returned bytes after the copy of the (fixed) salt. 98 99 Since the returned bytes are alphanumeric, the output is 100 limited to 2**48 possibilities; for each byte, only 64 101 possible values can be used. */ 102 unsigned char password[9]; /* trailing nul for crypt() */ 103 char afs_crypt_buf[16]; 104 105 memset (password, 0, sizeof (password)); 106 memcpy (password, realm, min (salt->length, 8)); 107 for (i=0; i<8; i++) 108 if (isupper(password[i])) 109 password[i] = tolower(password[i]); 110 for (i=0; i<data->length; i++) 111 password[i] ^= data->data[i]; 112 for (i=0; i<8; i++) 113 if (password[i] == '\0') 114 password[i] = 'X'; 115 password[8] = '\0'; 116 /* Out-of-bounds salt characters are equivalent to a salt string 117 of "p1". */ 118 strncpy((char *) key, 119 (char *) afs_crypt((char *) password, "#~", afs_crypt_buf) + 2, 120 8); 121 for (i=0; i<8; i++) 122 key[i] <<= 1; 123 /* now fix up key parity again */ 124 mit_des_fixup_key_parity(key); 125 /* clean & free the input string */ 126 memset(password, 0, (size_t) sizeof(password)); 127 128 /* Solaris Kerberos: Success */ 129 retval = 0; 130 } else { 131 /* Multiple blocks. Do a CBC checksum, twice, and use the 132 result as the new key. */ 133 mit_des_cblock ikey, tkey; 134 unsigned int pw_len = salt->length+data->length; 135 unsigned char *password = malloc(pw_len+1); 136 if (!password) return ENOMEM; 137 138 /* Some bound checks from the original code are elided here as 139 the malloc above makes sure we have enough storage. */ 140 memcpy (password, data->data, data->length); 141 for (i=data->length, j = 0; j < salt->length; i++, j++) { 142 password[i] = realm[j]; 143 if (isupper(password[i])) 144 password[i] = tolower(password[i]); 145 } 146 147 memcpy (ikey, "kerberos", sizeof(ikey)); 148 memcpy (tkey, ikey, sizeof(tkey)); 149 mit_des_fixup_key_parity (tkey); 150 151 /* Solaris Kerberos */ 152 usekey.enctype = ENCTYPE_DES_CBC_CRC; 153 usekey.contents = tkey; 154 usekey.length = 8; 155 retval = mit_des_cbc_cksum (context, (unsigned char *)password, 156 tkey, i, &usekey, ikey); 157 158 memcpy (ikey, tkey, sizeof(ikey)); 159 mit_des_fixup_key_parity (tkey); 160 /* Solaris Kerberos */ 161 if (usekey.hKey != CK_INVALID_HANDLE) { 162 (void) C_DestroyObject(krb_ctx_hSession(context), usekey.hKey); 163 usekey.hKey = CK_INVALID_HANDLE; 164 } 165 usekey.contents = tkey; 166 usekey.length = 8; 167 retval = mit_des_cbc_cksum (context, (unsigned char *) password, 168 key, i, &usekey, ikey); 169 170 /* now fix up key parity again */ 171 mit_des_fixup_key_parity(key); 172 173 /* Solaris Kerberos */ 174 if (usekey.hKey != CK_INVALID_HANDLE) { 175 (void) C_DestroyObject(krb_ctx_hSession(context), usekey.hKey); 176 usekey.hKey = CK_INVALID_HANDLE; 177 } 178 /* clean & free the input string */ 179 memset(password, 0, (size_t) pw_len); 180 krb5_xfree(password); 181 } 182 #if 0 183 /* must free here because it was copied for this special case */ 184 krb5_xfree(salt->data); 185 #endif 186 187 return retval; 188 } 189 190 191 /* Portions of this code: 192 Copyright 1989 by the Massachusetts Institute of Technology 193 */ 194 195 /* 196 * Copyright (c) 1990 Regents of The University of Michigan. 197 * All Rights Reserved. 198 * 199 * Permission to use, copy, modify, and distribute this software 200 * and its documentation for any purpose and without fee is hereby 201 * granted, provided that the above copyright notice appears in all 202 * copies and that both that copyright notice and this permission 203 * notice appear in supporting documentation, and that the name of 204 * The University of Michigan not be used in advertising or 205 * publicity pertaining to distribution of the software without 206 * specific, written prior permission. This software is supplied as 207 * is without expressed or implied warranties of any kind. 208 * 209 * ITD Research Systems 210 * University of Michigan 211 * 535 W. William Street 212 * Ann Arbor, Michigan 213 * +1-313-936-2652 214 * netatalk@terminator.cc.umich.edu 215 */ 216 217 static void krb5_afs_crypt_setkey (char*, char*, char(*)[48]); 218 static void krb5_afs_encrypt (char*,char*,char (*)[48]); 219 220 /* 221 * Initial permutation, 222 */ 223 static const char IP[] = { 224 58,50,42,34,26,18,10, 2, 225 60,52,44,36,28,20,12, 4, 226 62,54,46,38,30,22,14, 6, 227 64,56,48,40,32,24,16, 8, 228 57,49,41,33,25,17, 9, 1, 229 59,51,43,35,27,19,11, 3, 230 61,53,45,37,29,21,13, 5, 231 63,55,47,39,31,23,15, 7, 232 }; 233 234 /* 235 * Final permutation, FP = IP^(-1) 236 */ 237 static const char FP[] = { 238 40, 8,48,16,56,24,64,32, 239 39, 7,47,15,55,23,63,31, 240 38, 6,46,14,54,22,62,30, 241 37, 5,45,13,53,21,61,29, 242 36, 4,44,12,52,20,60,28, 243 35, 3,43,11,51,19,59,27, 244 34, 2,42,10,50,18,58,26, 245 33, 1,41, 9,49,17,57,25, 246 }; 247 248 /* 249 * Permuted-choice 1 from the key bits to yield C and D. 250 * Note that bits 8,16... are left out: They are intended for a parity check. 251 */ 252 static const char PC1_C[] = { 253 57,49,41,33,25,17, 9, 254 1,58,50,42,34,26,18, 255 10, 2,59,51,43,35,27, 256 19,11, 3,60,52,44,36, 257 }; 258 259 static const char PC1_D[] = { 260 63,55,47,39,31,23,15, 261 7,62,54,46,38,30,22, 262 14, 6,61,53,45,37,29, 263 21,13, 5,28,20,12, 4, 264 }; 265 266 /* 267 * Sequence of shifts used for the key schedule. 268 */ 269 static const char shifts[] = { 270 1,1,2,2,2,2,2,2,1,2,2,2,2,2,2,1, 271 }; 272 273 /* 274 * Permuted-choice 2, to pick out the bits from 275 * the CD array that generate the key schedule. 276 */ 277 static const char PC2_C[] = { 278 14,17,11,24, 1, 5, 279 3,28,15, 6,21,10, 280 23,19,12, 4,26, 8, 281 16, 7,27,20,13, 2, 282 }; 283 284 static const char PC2_D[] = { 285 41,52,31,37,47,55, 286 30,40,51,45,33,48, 287 44,49,39,56,34,53, 288 46,42,50,36,29,32, 289 }; 290 291 /* 292 * The E bit-selection table. 293 */ 294 static const char e[] = { 295 32, 1, 2, 3, 4, 5, 296 4, 5, 6, 7, 8, 9, 297 8, 9,10,11,12,13, 298 12,13,14,15,16,17, 299 16,17,18,19,20,21, 300 20,21,22,23,24,25, 301 24,25,26,27,28,29, 302 28,29,30,31,32, 1, 303 }; 304 305 /* 306 * P is a permutation on the selected combination 307 * of the current L and key. 308 */ 309 static const char P[] = { 310 16, 7,20,21, 311 29,12,28,17, 312 1,15,23,26, 313 5,18,31,10, 314 2, 8,24,14, 315 32,27, 3, 9, 316 19,13,30, 6, 317 22,11, 4,25, 318 }; 319 320 /* 321 * The 8 selection functions. 322 * For some reason, they give a 0-origin 323 * index, unlike everything else. 324 */ 325 static const char S[8][64] = { 326 {14, 4,13, 1, 2,15,11, 8, 3,10, 6,12, 5, 9, 0, 7, 327 0,15, 7, 4,14, 2,13, 1,10, 6,12,11, 9, 5, 3, 8, 328 4, 1,14, 8,13, 6, 2,11,15,12, 9, 7, 3,10, 5, 0, 329 15,12, 8, 2, 4, 9, 1, 7, 5,11, 3,14,10, 0, 6,13}, 330 331 {15, 1, 8,14, 6,11, 3, 4, 9, 7, 2,13,12, 0, 5,10, 332 3,13, 4, 7,15, 2, 8,14,12, 0, 1,10, 6, 9,11, 5, 333 0,14, 7,11,10, 4,13, 1, 5, 8,12, 6, 9, 3, 2,15, 334 13, 8,10, 1, 3,15, 4, 2,11, 6, 7,12, 0, 5,14, 9}, 335 336 {10, 0, 9,14, 6, 3,15, 5, 1,13,12, 7,11, 4, 2, 8, 337 13, 7, 0, 9, 3, 4, 6,10, 2, 8, 5,14,12,11,15, 1, 338 13, 6, 4, 9, 8,15, 3, 0,11, 1, 2,12, 5,10,14, 7, 339 1,10,13, 0, 6, 9, 8, 7, 4,15,14, 3,11, 5, 2,12}, 340 341 { 7,13,14, 3, 0, 6, 9,10, 1, 2, 8, 5,11,12, 4,15, 342 13, 8,11, 5, 6,15, 0, 3, 4, 7, 2,12, 1,10,14, 9, 343 10, 6, 9, 0,12,11, 7,13,15, 1, 3,14, 5, 2, 8, 4, 344 3,15, 0, 6,10, 1,13, 8, 9, 4, 5,11,12, 7, 2,14}, 345 346 { 2,12, 4, 1, 7,10,11, 6, 8, 5, 3,15,13, 0,14, 9, 347 14,11, 2,12, 4, 7,13, 1, 5, 0,15,10, 3, 9, 8, 6, 348 4, 2, 1,11,10,13, 7, 8,15, 9,12, 5, 6, 3, 0,14, 349 11, 8,12, 7, 1,14, 2,13, 6,15, 0, 9,10, 4, 5, 3}, 350 351 {12, 1,10,15, 9, 2, 6, 8, 0,13, 3, 4,14, 7, 5,11, 352 10,15, 4, 2, 7,12, 9, 5, 6, 1,13,14, 0,11, 3, 8, 353 9,14,15, 5, 2, 8,12, 3, 7, 0, 4,10, 1,13,11, 6, 354 4, 3, 2,12, 9, 5,15,10,11,14, 1, 7, 6, 0, 8,13}, 355 356 { 4,11, 2,14,15, 0, 8,13, 3,12, 9, 7, 5,10, 6, 1, 357 13, 0,11, 7, 4, 9, 1,10,14, 3, 5,12, 2,15, 8, 6, 358 1, 4,11,13,12, 3, 7,14,10,15, 6, 8, 0, 5, 9, 2, 359 6,11,13, 8, 1, 4,10, 7, 9, 5, 0,15,14, 2, 3,12}, 360 361 {13, 2, 8, 4, 6,15,11, 1,10, 9, 3,14, 5, 0,12, 7, 362 1,15,13, 8,10, 3, 7, 4,12, 5, 6,11, 0,14, 9, 2, 363 7,11, 4, 1, 9,12,14, 2, 0, 6,10,13,15, 3, 5, 8, 364 2, 1,14, 7, 4,10, 8,13,15,12, 9, 0, 3, 5, 6,11}, 365 }; 366 367 368 char *afs_crypt(const char *pw, const char *salt, 369 /* must be at least 16 bytes */ 370 char *iobuf) 371 { 372 int i, j, c; 373 int temp; 374 char block[66]; 375 char E[48]; 376 /* 377 * The key schedule. 378 * Generated from the key. 379 */ 380 char KS[16][48]; 381 382 for(i=0; i<66; i++) 383 block[i] = 0; 384 /* Solaris Kerberos */ 385 for(i=0; ((c= *pw) != NULL) && i<64; pw++){ 386 for(j=0; j<7; j++, i++) 387 block[i] = (c>>(6-j)) & 01; 388 i++; 389 } 390 391 krb5_afs_crypt_setkey(block, E, KS); 392 393 for(i=0; i<66; i++) 394 block[i] = 0; 395 396 for(i=0;i<2;i++){ 397 c = *salt++; 398 iobuf[i] = c; 399 if(c>'Z') c -= 6; 400 if(c>'9') c -= 7; 401 c -= '.'; 402 for(j=0;j<6;j++){ 403 if((c>>j) & 01){ 404 temp = E[6*i+j]; 405 E[6*i+j] = E[6*i+j+24]; 406 E[6*i+j+24] = temp; 407 } 408 } 409 } 410 411 for(i=0; i<25; i++) 412 krb5_afs_encrypt(block,E,KS); 413 414 for(i=0; i<11; i++){ 415 c = 0; 416 for(j=0; j<6; j++){ 417 c <<= 1; 418 c |= block[6*i+j]; 419 } 420 c += '.'; 421 if(c>'9') c += 7; 422 if(c>'Z') c += 6; 423 iobuf[i+2] = c; 424 } 425 iobuf[i+2] = 0; 426 if(iobuf[1]==0) 427 iobuf[1] = iobuf[0]; 428 return(iobuf); 429 } 430 431 /* 432 * Set up the key schedule from the key. 433 */ 434 435 static void krb5_afs_crypt_setkey(char *key, char *E, char (*KS)[48]) 436 { 437 register int i, j, k; 438 int t; 439 /* 440 * The C and D arrays used to calculate the key schedule. 441 */ 442 char C[28], D[28]; 443 444 /* 445 * First, generate C and D by permuting 446 * the key. The low order bit of each 447 * 8-bit char is not used, so C and D are only 28 448 * bits apiece. 449 */ 450 for (i=0; i<28; i++) { 451 C[i] = key[PC1_C[i]-1]; 452 D[i] = key[PC1_D[i]-1]; 453 } 454 /* 455 * To generate Ki, rotate C and D according 456 * to schedule and pick up a permutation 457 * using PC2. 458 */ 459 for (i=0; i<16; i++) { 460 /* 461 * rotate. 462 */ 463 for (k=0; k<shifts[i]; k++) { 464 t = C[0]; 465 for (j=0; j<28-1; j++) 466 C[j] = C[j+1]; 467 C[27] = t; 468 t = D[0]; 469 for (j=0; j<28-1; j++) 470 D[j] = D[j+1]; 471 D[27] = t; 472 } 473 /* 474 * get Ki. Note C and D are concatenated. 475 */ 476 for (j=0; j<24; j++) { 477 KS[i][j] = C[PC2_C[j]-1]; 478 KS[i][j+24] = D[PC2_D[j]-28-1]; 479 } 480 } 481 482 #if 0 483 for(i=0;i<48;i++) { 484 E[i] = e[i]; 485 } 486 #else 487 memcpy(E, e, 48); 488 #endif 489 } 490 491 /* 492 * The payoff: encrypt a block. 493 */ 494 495 static void krb5_afs_encrypt(char *block, char *E, char (*KS)[48]) 496 { 497 const long edflag = 0; 498 int i, ii; 499 int t, j, k; 500 char tempL[32]; 501 char f[32]; 502 /* 503 * The current block, divided into 2 halves. 504 */ 505 char L[64]; 506 char *const R = &L[32]; 507 /* 508 * The combination of the key and the input, before selection. 509 */ 510 char preS[48]; 511 512 /* 513 * First, permute the bits in the input 514 */ 515 for (j=0; j<64; j++) 516 L[j] = block[IP[j]-1]; 517 /* 518 * Perform an encryption operation 16 times. 519 */ 520 for (ii=0; ii<16; ii++) { 521 /* 522 * Set direction 523 */ 524 if (edflag) 525 i = 15-ii; 526 else 527 i = ii; 528 /* 529 * Save the R array, 530 * which will be the new L. 531 */ 532 #if 0 533 for (j=0; j<32; j++) 534 tempL[j] = R[j]; 535 #else 536 memcpy(tempL, R, 32); 537 #endif 538 /* 539 * Expand R to 48 bits using the E selector; 540 * exclusive-or with the current key bits. 541 */ 542 for (j=0; j<48; j++) 543 preS[j] = R[E[j]-1] ^ KS[i][j]; 544 /* 545 * The pre-select bits are now considered 546 * in 8 groups of 6 bits each. 547 * The 8 selection functions map these 548 * 6-bit quantities into 4-bit quantities 549 * and the results permuted 550 * to make an f(R, K). 551 * The indexing into the selection functions 552 * is peculiar; it could be simplified by 553 * rewriting the tables. 554 */ 555 for (j=0; j<8; j++) { 556 t = 6*j; 557 k = S[j][(preS[t+0]<<5)+ 558 (preS[t+1]<<3)+ 559 (preS[t+2]<<2)+ 560 (preS[t+3]<<1)+ 561 (preS[t+4]<<0)+ 562 (preS[t+5]<<4)]; 563 t = 4*j; 564 f[t+0] = (k>>3)&01; 565 f[t+1] = (k>>2)&01; 566 f[t+2] = (k>>1)&01; 567 f[t+3] = (k>>0)&01; 568 } 569 /* 570 * The new R is L ^ f(R, K). 571 * The f here has to be permuted first, though. 572 */ 573 for (j=0; j<32; j++) 574 R[j] = L[j] ^ f[P[j]-1]; 575 /* 576 * Finally, the new L (the original R) 577 * is copied back. 578 */ 579 #if 0 580 for (j=0; j<32; j++) 581 L[j] = tempL[j]; 582 #else 583 memcpy(L, tempL, 32); 584 #endif 585 } 586 /* 587 * The output L and R are reversed. 588 */ 589 for (j=0; j<32; j++) { 590 t = L[j]; 591 L[j] = R[j]; 592 R[j] = t; 593 } 594 /* 595 * The final output 596 * gets the inverse permutation of the very original. 597 */ 598 for (j=0; j<64; j++) 599 block[j] = L[FP[j]-1]; 600 } 601