1 /* 2 * Copyright 2005 Sun Microsystems, Inc. All rights reserved. 3 * Use is subject to license terms. 4 */ 5 6 #pragma ident "%Z%%M% %I% %E% SMI" 7 8 /* 9 * lib/crypto/des/string2key.c 10 * 11 * based on lib/crypto/des/string2key.c from MIT V5 12 * and on lib/des/afs_string_to_key.c from UMD. 13 * constructed by Mark Eichin, Cygnus Support, 1995. 14 */ 15 16 #include <k5-int.h> 17 #include <des_int.h> 18 #include <ctype.h> 19 20 static char *afs_crypt PROTOTYPE((char*,char*)); 21 22 /*ARGSUSED*/ 23 krb5_error_code 24 mit_afs_string_to_key (context, keyblock, data, salt) 25 krb5_context context; 26 krb5_keyblock FAR * keyblock; 27 const krb5_data FAR * data; 28 const krb5_data FAR * salt; 29 { 30 krb5_error_code retval = KRB5_PROG_ETYPE_NOSUPP; 31 /* EXPORT DELETE START */ 32 /* totally different approach from MIT string2key. */ 33 /* much of the work has already been done by the only caller 34 which is mit_des_string_to_key; in particular, *keyblock is already 35 set up. */ 36 char *realm = salt->data; 37 int i; 38 krb5_octet *key = keyblock->contents; 39 krb5_keyblock usekey; 40 41 if (data->length <= 8) { 42 char password[9]; /* trailing null for crypt() */ 43 strncpy(password, realm, 8); 44 for (i=0; i<8; i++) 45 if (isupper(password[i])) 46 password[i] = tolower(password[i]); 47 for (i=0; i<data->length; i++) 48 password[i] ^= data->data[i]; 49 for (i=0; i<8; i++) 50 if (password[i] == '\0') 51 password[i] = 'X'; 52 password[8] = '\0'; 53 strncpy((char *)key, (char *) afs_crypt(password, "#~") + 2, 8); 54 for (i=0; i<8; i++) 55 key[i] <<= 1; 56 57 /* now fix up key parity again */ 58 mit_des_fixup_key_parity(key); 59 /* clean & free the input string */ 60 memset(password, 0, (size_t) sizeof(password)); 61 } else { 62 mit_des_cblock ikey, tkey; 63 64 int pw_len = strlen(realm)+data->length; 65 char *password = malloc(pw_len+1); 66 if (!password) return ENOMEM; 67 68 /* some bound checks from the original code are elided here as 69 the malloc above makes sure we have enough storage. */ 70 strcpy (password, data->data); 71 for (i=data->length; *realm; i++) { 72 password[i] = *realm++; 73 if (isupper(password[i])) 74 password[i] = tolower(password[i]); 75 } 76 77 memcpy (ikey, "kerberos", sizeof(ikey)); 78 memcpy (tkey, ikey, sizeof(tkey)); 79 mit_des_fixup_key_parity (tkey); 80 81 usekey.enctype = ENCTYPE_DES_CBC_CRC; 82 usekey.contents = tkey; 83 usekey.length = 8; 84 85 retval = mit_des_cbc_cksum (context, (unsigned char *)password, 86 tkey, i, &usekey, ikey); 87 88 memcpy (ikey, tkey, sizeof(ikey)); 89 mit_des_fixup_key_parity (tkey); 90 91 if (usekey.hKey != CK_INVALID_HANDLE) { 92 (void) C_DestroyObject(krb_ctx_hSession(context), usekey.hKey); 93 usekey.hKey = CK_INVALID_HANDLE; 94 } 95 usekey.contents = tkey; 96 usekey.length = 8; 97 98 retval = mit_des_cbc_cksum (context, (unsigned char *) password, 99 key, i, &usekey, ikey); 100 101 /* now fix up key parity again */ 102 mit_des_fixup_key_parity(key); 103 104 if (usekey.hKey != CK_INVALID_HANDLE) { 105 (void) C_DestroyObject(krb_ctx_hSession(context), usekey.hKey); 106 usekey.hKey = CK_INVALID_HANDLE; 107 } 108 /* clean & free the input string */ 109 memset(password, 0, (size_t) pw_len); 110 krb5_xfree(password); 111 } 112 #if 0 113 /* must free here because it was copied for this special case */ 114 krb5_xfree(salt->data); 115 #endif 116 117 retval = 0; 118 /* EXPORT DELETE END */ 119 return retval; 120 } 121 122 123 /* Portions of this code: 124 Copyright 1989 by the Massachusetts Institute of Technology 125 */ 126 127 /* 128 * Copyright (c) 1990 Regents of The University of Michigan. 129 * All Rights Reserved. 130 * 131 * Permission to use, copy, modify, and distribute this software 132 * and its documentation for any purpose and without fee is hereby 133 * granted, provided that the above copyright notice appears in all 134 * copies and that both that copyright notice and this permission 135 * notice appear in supporting documentation, and that the name of 136 * The University of Michigan not be used in advertising or 137 * publicity pertaining to distribution of the software without 138 * specific, written prior permission. This software is supplied as 139 * is without expressed or implied warranties of any kind. 140 * 141 * ITD Research Systems 142 * University of Michigan 143 * 535 W. William Street 144 * Ann Arbor, Michigan 145 * +1-313-936-2652 146 * netatalk@terminator.cc.umich.edu 147 */ 148 149 /* EXPORT DELETE START */ 150 static void krb5_afs_crypt_setkey PROTOTYPE((char*)); 151 static void krb5_afs_encrypt PROTOTYPE((char*,long)); 152 153 /* 154 * Initial permutation, 155 */ 156 static char IP[] = { 157 58,50,42,34,26,18,10, 2, 158 60,52,44,36,28,20,12, 4, 159 62,54,46,38,30,22,14, 6, 160 64,56,48,40,32,24,16, 8, 161 57,49,41,33,25,17, 9, 1, 162 59,51,43,35,27,19,11, 3, 163 61,53,45,37,29,21,13, 5, 164 63,55,47,39,31,23,15, 7, 165 }; 166 167 /* 168 * Final permutation, FP = IP^(-1) 169 */ 170 static char FP[] = { 171 40, 8,48,16,56,24,64,32, 172 39, 7,47,15,55,23,63,31, 173 38, 6,46,14,54,22,62,30, 174 37, 5,45,13,53,21,61,29, 175 36, 4,44,12,52,20,60,28, 176 35, 3,43,11,51,19,59,27, 177 34, 2,42,10,50,18,58,26, 178 33, 1,41, 9,49,17,57,25, 179 }; 180 181 /* 182 * Permuted-choice 1 from the key bits to yield C and D. 183 * Note that bits 8,16... are left out: They are intended for a parity check. 184 */ 185 static char PC1_C[] = { 186 57,49,41,33,25,17, 9, 187 1,58,50,42,34,26,18, 188 10, 2,59,51,43,35,27, 189 19,11, 3,60,52,44,36, 190 }; 191 192 static char PC1_D[] = { 193 63,55,47,39,31,23,15, 194 7,62,54,46,38,30,22, 195 14, 6,61,53,45,37,29, 196 21,13, 5,28,20,12, 4, 197 }; 198 199 /* 200 * Sequence of shifts used for the key schedule. 201 */ 202 static char shifts[] = { 203 1,1,2,2,2,2,2,2,1,2,2,2,2,2,2,1, 204 }; 205 206 /* 207 * Permuted-choice 2, to pick out the bits from 208 * the CD array that generate the key schedule. 209 */ 210 static char PC2_C[] = { 211 14,17,11,24, 1, 5, 212 3,28,15, 6,21,10, 213 23,19,12, 4,26, 8, 214 16, 7,27,20,13, 2, 215 }; 216 217 static char PC2_D[] = { 218 41,52,31,37,47,55, 219 30,40,51,45,33,48, 220 44,49,39,56,34,53, 221 46,42,50,36,29,32, 222 }; 223 224 /* 225 * The E bit-selection table. 226 */ 227 static char E[48]; 228 static char e[] = { 229 32, 1, 2, 3, 4, 5, 230 4, 5, 6, 7, 8, 9, 231 8, 9,10,11,12,13, 232 12,13,14,15,16,17, 233 16,17,18,19,20,21, 234 20,21,22,23,24,25, 235 24,25,26,27,28,29, 236 28,29,30,31,32, 1, 237 }; 238 239 /* 240 * P is a permutation on the selected combination 241 * of the current L and key. 242 */ 243 static char P[] = { 244 16, 7,20,21, 245 29,12,28,17, 246 1,15,23,26, 247 5,18,31,10, 248 2, 8,24,14, 249 32,27, 3, 9, 250 19,13,30, 6, 251 22,11, 4,25, 252 }; 253 254 /* 255 * The 8 selection functions. 256 * For some reason, they give a 0-origin 257 * index, unlike everything else. 258 */ 259 static char S[8][64] = { 260 14, 4,13, 1, 2,15,11, 8, 3,10, 6,12, 5, 9, 0, 7, 261 0,15, 7, 4,14, 2,13, 1,10, 6,12,11, 9, 5, 3, 8, 262 4, 1,14, 8,13, 6, 2,11,15,12, 9, 7, 3,10, 5, 0, 263 15,12, 8, 2, 4, 9, 1, 7, 5,11, 3,14,10, 0, 6,13, 264 265 15, 1, 8,14, 6,11, 3, 4, 9, 7, 2,13,12, 0, 5,10, 266 3,13, 4, 7,15, 2, 8,14,12, 0, 1,10, 6, 9,11, 5, 267 0,14, 7,11,10, 4,13, 1, 5, 8,12, 6, 9, 3, 2,15, 268 13, 8,10, 1, 3,15, 4, 2,11, 6, 7,12, 0, 5,14, 9, 269 270 10, 0, 9,14, 6, 3,15, 5, 1,13,12, 7,11, 4, 2, 8, 271 13, 7, 0, 9, 3, 4, 6,10, 2, 8, 5,14,12,11,15, 1, 272 13, 6, 4, 9, 8,15, 3, 0,11, 1, 2,12, 5,10,14, 7, 273 1,10,13, 0, 6, 9, 8, 7, 4,15,14, 3,11, 5, 2,12, 274 275 7,13,14, 3, 0, 6, 9,10, 1, 2, 8, 5,11,12, 4,15, 276 13, 8,11, 5, 6,15, 0, 3, 4, 7, 2,12, 1,10,14, 9, 277 10, 6, 9, 0,12,11, 7,13,15, 1, 3,14, 5, 2, 8, 4, 278 3,15, 0, 6,10, 1,13, 8, 9, 4, 5,11,12, 7, 2,14, 279 280 2,12, 4, 1, 7,10,11, 6, 8, 5, 3,15,13, 0,14, 9, 281 14,11, 2,12, 4, 7,13, 1, 5, 0,15,10, 3, 9, 8, 6, 282 4, 2, 1,11,10,13, 7, 8,15, 9,12, 5, 6, 3, 0,14, 283 11, 8,12, 7, 1,14, 2,13, 6,15, 0, 9,10, 4, 5, 3, 284 285 12, 1,10,15, 9, 2, 6, 8, 0,13, 3, 4,14, 7, 5,11, 286 10,15, 4, 2, 7,12, 9, 5, 6, 1,13,14, 0,11, 3, 8, 287 9,14,15, 5, 2, 8,12, 3, 7, 0, 4,10, 1,13,11, 6, 288 4, 3, 2,12, 9, 5,15,10,11,14, 1, 7, 6, 0, 8,13, 289 290 4,11, 2,14,15, 0, 8,13, 3,12, 9, 7, 5,10, 6, 1, 291 13, 0,11, 7, 4, 9, 1,10,14, 3, 5,12, 2,15, 8, 6, 292 1, 4,11,13,12, 3, 7,14,10,15, 6, 8, 0, 5, 9, 2, 293 6,11,13, 8, 1, 4,10, 7, 9, 5, 0,15,14, 2, 3,12, 294 295 13, 2, 8, 4, 6,15,11, 1,10, 9, 3,14, 5, 0,12, 7, 296 1,15,13, 8,10, 3, 7, 4,12, 5, 6,11, 0,14, 9, 2, 297 7,11, 4, 1, 9,12,14, 2, 0, 6,10,13,15, 3, 5, 8, 298 2, 1,14, 7, 4,10, 8,13,15,12, 9, 0, 3, 5, 6,11, 299 }; 300 301 /* 302 * The C and D arrays used to calculate the key schedule. 303 */ 304 305 static char C[28]; 306 static char D[28]; 307 /* 308 * The key schedule. 309 * Generated from the key. 310 */ 311 static char KS[16][48]; 312 313 /* 314 * The current block, divided into 2 halves. 315 */ 316 static char L[64]; 317 static char *R=&L[32]; 318 319 static char tempL[32]; 320 static char f[32]; 321 322 /* 323 * The combination of the key and the input, before selection. 324 */ 325 static char preS[48]; 326 327 static char *afs_crypt(pw, salt) 328 char *pw; 329 char *salt; 330 { 331 int i, j, c; 332 int temp; 333 static char block[66], iobuf[16]; 334 335 for(i=0; i<66; i++) 336 block[i] = 0; 337 for(i=0; ((c= *pw) != NULL) && i<64; pw++){ 338 for(j=0; j<7; j++, i++) 339 block[i] = (c>>(6-j)) & 01; 340 i++; 341 } 342 343 krb5_afs_crypt_setkey(block); 344 345 for(i=0; i<66; i++) 346 block[i] = 0; 347 348 for(i=0;i<2;i++){ 349 c = *salt++; 350 iobuf[i] = c; 351 if(c>'Z') c -= 6; 352 if(c>'9') c -= 7; 353 c -= '.'; 354 for(j=0;j<6;j++){ 355 if((c>>j) & 01){ 356 temp = E[6*i+j]; 357 E[6*i+j] = E[6*i+j+24]; 358 E[6*i+j+24] = temp; 359 } 360 } 361 } 362 363 for(i=0; i<25; i++) 364 krb5_afs_encrypt(block,0); 365 366 for(i=0; i<11; i++){ 367 c = 0; 368 for(j=0; j<6; j++){ 369 c <<= 1; 370 c |= block[6*i+j]; 371 } 372 c += '.'; 373 if(c>'9') c += 7; 374 if(c>'Z') c += 6; 375 iobuf[i+2] = c; 376 } 377 iobuf[i+2] = 0; 378 if(iobuf[1]==0) 379 iobuf[1] = iobuf[0]; 380 return(iobuf); 381 } 382 383 384 /* 385 * Set up the key schedule from the key. 386 */ 387 388 static void krb5_afs_crypt_setkey(key) 389 char *key; 390 { 391 int i, j, k; 392 int t; 393 394 /* 395 * First, generate C and D by permuting 396 * the key. The low order bit of each 397 * 8-bit char is not used, so C and D are only 28 398 * bits apiece. 399 */ 400 for (i=0; i<28; i++) { 401 C[i] = key[PC1_C[i]-1]; 402 D[i] = key[PC1_D[i]-1]; 403 } 404 /* 405 * To generate Ki, rotate C and D according 406 * to schedule and pick up a permutation 407 * using PC2. 408 */ 409 for (i=0; i<16; i++) { 410 /* 411 * rotate. 412 */ 413 for (k=0; k<shifts[i]; k++) { 414 t = C[0]; 415 for (j=0; j<28-1; j++) 416 C[j] = C[j+1]; 417 C[27] = t; 418 t = D[0]; 419 for (j=0; j<28-1; j++) 420 D[j] = D[j+1]; 421 D[27] = t; 422 } 423 /* 424 * get Ki. Note C and D are concatenated. 425 */ 426 for (j=0; j<24; j++) { 427 KS[i][j] = C[PC2_C[j]-1]; 428 KS[i][j+24] = D[PC2_D[j]-28-1]; 429 } 430 } 431 432 for(i=0;i<48;i++) { 433 E[i] = e[i]; 434 } 435 } 436 437 /* 438 * The payoff: encrypt a block. 439 */ 440 441 static void krb5_afs_encrypt(block, edflag) 442 char *block; 443 long edflag; 444 { 445 int i, ii; 446 int t, j, k; 447 448 /* 449 * First, permute the bits in the input 450 */ 451 for (j=0; j<64; j++) 452 L[j] = block[IP[j]-1]; 453 /* 454 * Perform an encryption operation 16 times. 455 */ 456 for (ii=0; ii<16; ii++) { 457 /* 458 * Set direction 459 */ 460 if (edflag) 461 i = 15-ii; 462 else 463 i = ii; 464 /* 465 * Save the R array, 466 * which will be the new L. 467 */ 468 for (j=0; j<32; j++) 469 tempL[j] = R[j]; 470 /* 471 * Expand R to 48 bits using the E selector; 472 * exclusive-or with the current key bits. 473 */ 474 for (j=0; j<48; j++) 475 preS[j] = R[E[j]-1] ^ KS[i][j]; 476 /* 477 * The pre-select bits are now considered 478 * in 8 groups of 6 bits each. 479 * The 8 selection functions map these 480 * 6-bit quantities into 4-bit quantities 481 * and the results permuted 482 * to make an f(R, K). 483 * The indexing into the selection functions 484 * is peculiar; it could be simplified by 485 * rewriting the tables. 486 */ 487 for (j=0; j<8; j++) { 488 t = 6*j; 489 k = S[j][(preS[t+0]<<5)+ 490 (preS[t+1]<<3)+ 491 (preS[t+2]<<2)+ 492 (preS[t+3]<<1)+ 493 (preS[t+4]<<0)+ 494 (preS[t+5]<<4)]; 495 t = 4*j; 496 f[t+0] = (k>>3)&01; 497 f[t+1] = (k>>2)&01; 498 f[t+2] = (k>>1)&01; 499 f[t+3] = (k>>0)&01; 500 } 501 /* 502 * The new R is L ^ f(R, K). 503 * The f here has to be permuted first, though. 504 */ 505 for (j=0; j<32; j++) 506 R[j] = L[j] ^ f[P[j]-1]; 507 /* 508 * Finally, the new L (the original R) 509 * is copied back. 510 */ 511 for (j=0; j<32; j++) 512 L[j] = tempL[j]; 513 } 514 /* 515 * The output L and R are reversed. 516 */ 517 for (j=0; j<32; j++) { 518 t = L[j]; 519 L[j] = R[j]; 520 R[j] = t; 521 } 522 /* 523 * The final output 524 * gets the inverse permutation of the very original. 525 */ 526 for (j=0; j<64; j++) 527 block[j] = L[FP[j]-1]; 528 } 529 530 /* EXPORT DELETE END */ 531