1 /*
2 * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
3 * Use is subject to license terms.
4 */
5
6
7 /*
8 * lib/crypto/des/string2key.c
9 *
10 * based on lib/crypto/des/string2key.c from MIT V5
11 * and on lib/des/afs_string_to_key.c from UMD.
12 * constructed by Mark Eichin, Cygnus Support, 1995.
13 * made thread-safe by Ken Raeburn, MIT, 2001.
14 */
15
16 /*
17 * Copyright 2001 by the Massachusetts Institute of Technology.
18 * All Rights Reserved.
19 *
20 * Export of this software from the United States of America may
21 * require a specific license from the United States Government.
22 * It is the responsibility of any person or organization contemplating
23 * export to obtain such a license before exporting.
24 *
25 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
26 * distribute this software and its documentation for any purpose and
27 * without fee is hereby granted, provided that the above copyright
28 * notice appear in all copies and that both that copyright notice and
29 * this permission notice appear in supporting documentation, and that
30 * the name of M.I.T. not be used in advertising or publicity pertaining
31 * to distribution of the software without specific, written prior
32 * permission. Furthermore if you modify this software you must label
33 * your software as modified software and not distribute it in such a
34 * fashion that it might be confused with the original M.I.T. software.
35 * M.I.T. makes no representations about the suitability of
36 * this software for any purpose. It is provided "as is" without express
37 * or implied warranty.
38 */
39
40 /*
41 * Copyright (C) 1998 by the FundsXpress, INC.
42 *
43 * All rights reserved.
44 *
45 * Export of this software from the United States of America may require
46 * a specific license from the United States Government. It is the
47 * responsibility of any person or organization contemplating export to
48 * obtain such a license before exporting.
49 *
50 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
51 * distribute this software and its documentation for any purpose and
52 * without fee is hereby granted, provided that the above copyright
53 * notice appear in all copies and that both that copyright notice and
54 * this permission notice appear in supporting documentation, and that
55 * the name of FundsXpress. not be used in advertising or publicity pertaining
56 * to distribution of the software without specific, written prior
57 * permission. FundsXpress makes no representations about the suitability of
58 * this software for any purpose. It is provided "as is" without express
59 * or implied warranty.
60 *
61 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
62 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
63 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
64 */
65
66 #include "k5-int.h"
67 #include "des_int.h"
68 #include <ctype.h>
69
70 #define afs_crypt mit_afs_crypt
71 char *afs_crypt (const char *, const char *, char *);
72
73 #undef min
74 #define min(a,b) ((a)>(b)?(b):(a))
75
76 /*ARGSUSED*/
77 krb5_error_code
mit_afs_string_to_key(krb5_context context,krb5_keyblock * keyblock,const krb5_data * data,const krb5_data * salt)78 mit_afs_string_to_key (krb5_context context,
79 krb5_keyblock *keyblock, const krb5_data *data,
80 const krb5_data *salt)
81 {
82 /* Solaris Kerberos */
83 krb5_error_code retval = KRB5_PROG_ETYPE_NOSUPP;
84 /* totally different approach from MIT string2key. */
85 /* much of the work has already been done by the only caller
86 which is mit_des_string_to_key; in particular, *keyblock is already
87 set up. */
88
89 char *realm = salt->data;
90 unsigned int i, j;
91 krb5_octet *key = keyblock->contents;
92 /* Solaris Kerberos */
93 krb5_keyblock usekey;
94
95 if (data->length <= 8) {
96 /* One block only. Run afs_crypt and use the first eight
97 returned bytes after the copy of the (fixed) salt.
98
99 Since the returned bytes are alphanumeric, the output is
100 limited to 2**48 possibilities; for each byte, only 64
101 possible values can be used. */
102 unsigned char password[9]; /* trailing nul for crypt() */
103 char afs_crypt_buf[16];
104
105 memset (password, 0, sizeof (password));
106 memcpy (password, realm, min (salt->length, 8));
107 for (i=0; i<8; i++)
108 if (isupper(password[i]))
109 password[i] = tolower(password[i]);
110 for (i=0; i<data->length; i++)
111 password[i] ^= data->data[i];
112 for (i=0; i<8; i++)
113 if (password[i] == '\0')
114 password[i] = 'X';
115 password[8] = '\0';
116 /* Out-of-bounds salt characters are equivalent to a salt string
117 of "p1". */
118 strncpy((char *) key,
119 (char *) afs_crypt((char *) password, "#~", afs_crypt_buf) + 2,
120 8);
121 for (i=0; i<8; i++)
122 key[i] <<= 1;
123 /* now fix up key parity again */
124 mit_des_fixup_key_parity(key);
125 /* clean & free the input string */
126 memset(password, 0, (size_t) sizeof(password));
127
128 /* Solaris Kerberos: Success */
129 retval = 0;
130 } else {
131 /* Multiple blocks. Do a CBC checksum, twice, and use the
132 result as the new key. */
133 mit_des_cblock ikey, tkey;
134 unsigned int pw_len = salt->length+data->length;
135 unsigned char *password = malloc(pw_len+1);
136 if (!password) return ENOMEM;
137
138 /* Some bound checks from the original code are elided here as
139 the malloc above makes sure we have enough storage. */
140 memcpy (password, data->data, data->length);
141 for (i=data->length, j = 0; j < salt->length; i++, j++) {
142 password[i] = realm[j];
143 if (isupper(password[i]))
144 password[i] = tolower(password[i]);
145 }
146
147 memcpy (ikey, "kerberos", sizeof(ikey));
148 memcpy (tkey, ikey, sizeof(tkey));
149 mit_des_fixup_key_parity (tkey);
150
151 /* Solaris Kerberos */
152 usekey.enctype = ENCTYPE_DES_CBC_CRC;
153 usekey.contents = tkey;
154 usekey.length = 8;
155 retval = mit_des_cbc_cksum (context, (unsigned char *)password,
156 tkey, i, &usekey, ikey);
157
158 memcpy (ikey, tkey, sizeof(ikey));
159 mit_des_fixup_key_parity (tkey);
160 /* Solaris Kerberos */
161 if (usekey.hKey != CK_INVALID_HANDLE) {
162 (void) C_DestroyObject(krb_ctx_hSession(context), usekey.hKey);
163 usekey.hKey = CK_INVALID_HANDLE;
164 }
165 usekey.contents = tkey;
166 usekey.length = 8;
167 retval = mit_des_cbc_cksum (context, (unsigned char *) password,
168 key, i, &usekey, ikey);
169
170 /* now fix up key parity again */
171 mit_des_fixup_key_parity(key);
172
173 /* Solaris Kerberos */
174 if (usekey.hKey != CK_INVALID_HANDLE) {
175 (void) C_DestroyObject(krb_ctx_hSession(context), usekey.hKey);
176 usekey.hKey = CK_INVALID_HANDLE;
177 }
178 /* clean & free the input string */
179 memset(password, 0, (size_t) pw_len);
180 krb5_xfree(password);
181 }
182 #if 0
183 /* must free here because it was copied for this special case */
184 krb5_xfree(salt->data);
185 #endif
186
187 return retval;
188 }
189
190
191 /* Portions of this code:
192 Copyright 1989 by the Massachusetts Institute of Technology
193 */
194
195 /*
196 * Copyright (c) 1990 Regents of The University of Michigan.
197 * All Rights Reserved.
198 *
199 * Permission to use, copy, modify, and distribute this software
200 * and its documentation for any purpose and without fee is hereby
201 * granted, provided that the above copyright notice appears in all
202 * copies and that both that copyright notice and this permission
203 * notice appear in supporting documentation, and that the name of
204 * The University of Michigan not be used in advertising or
205 * publicity pertaining to distribution of the software without
206 * specific, written prior permission. This software is supplied as
207 * is without expressed or implied warranties of any kind.
208 *
209 * ITD Research Systems
210 * University of Michigan
211 * 535 W. William Street
212 * Ann Arbor, Michigan
213 * +1-313-936-2652
214 * netatalk@terminator.cc.umich.edu
215 */
216
217 static void krb5_afs_crypt_setkey (char*, char*, char(*)[48]);
218 static void krb5_afs_encrypt (char*,char*,char (*)[48]);
219
220 /*
221 * Initial permutation,
222 */
223 static const char IP[] = {
224 58,50,42,34,26,18,10, 2,
225 60,52,44,36,28,20,12, 4,
226 62,54,46,38,30,22,14, 6,
227 64,56,48,40,32,24,16, 8,
228 57,49,41,33,25,17, 9, 1,
229 59,51,43,35,27,19,11, 3,
230 61,53,45,37,29,21,13, 5,
231 63,55,47,39,31,23,15, 7,
232 };
233
234 /*
235 * Final permutation, FP = IP^(-1)
236 */
237 static const char FP[] = {
238 40, 8,48,16,56,24,64,32,
239 39, 7,47,15,55,23,63,31,
240 38, 6,46,14,54,22,62,30,
241 37, 5,45,13,53,21,61,29,
242 36, 4,44,12,52,20,60,28,
243 35, 3,43,11,51,19,59,27,
244 34, 2,42,10,50,18,58,26,
245 33, 1,41, 9,49,17,57,25,
246 };
247
248 /*
249 * Permuted-choice 1 from the key bits to yield C and D.
250 * Note that bits 8,16... are left out: They are intended for a parity check.
251 */
252 static const char PC1_C[] = {
253 57,49,41,33,25,17, 9,
254 1,58,50,42,34,26,18,
255 10, 2,59,51,43,35,27,
256 19,11, 3,60,52,44,36,
257 };
258
259 static const char PC1_D[] = {
260 63,55,47,39,31,23,15,
261 7,62,54,46,38,30,22,
262 14, 6,61,53,45,37,29,
263 21,13, 5,28,20,12, 4,
264 };
265
266 /*
267 * Sequence of shifts used for the key schedule.
268 */
269 static const char shifts[] = {
270 1,1,2,2,2,2,2,2,1,2,2,2,2,2,2,1,
271 };
272
273 /*
274 * Permuted-choice 2, to pick out the bits from
275 * the CD array that generate the key schedule.
276 */
277 static const char PC2_C[] = {
278 14,17,11,24, 1, 5,
279 3,28,15, 6,21,10,
280 23,19,12, 4,26, 8,
281 16, 7,27,20,13, 2,
282 };
283
284 static const char PC2_D[] = {
285 41,52,31,37,47,55,
286 30,40,51,45,33,48,
287 44,49,39,56,34,53,
288 46,42,50,36,29,32,
289 };
290
291 /*
292 * The E bit-selection table.
293 */
294 static const char e[] = {
295 32, 1, 2, 3, 4, 5,
296 4, 5, 6, 7, 8, 9,
297 8, 9,10,11,12,13,
298 12,13,14,15,16,17,
299 16,17,18,19,20,21,
300 20,21,22,23,24,25,
301 24,25,26,27,28,29,
302 28,29,30,31,32, 1,
303 };
304
305 /*
306 * P is a permutation on the selected combination
307 * of the current L and key.
308 */
309 static const char P[] = {
310 16, 7,20,21,
311 29,12,28,17,
312 1,15,23,26,
313 5,18,31,10,
314 2, 8,24,14,
315 32,27, 3, 9,
316 19,13,30, 6,
317 22,11, 4,25,
318 };
319
320 /*
321 * The 8 selection functions.
322 * For some reason, they give a 0-origin
323 * index, unlike everything else.
324 */
325 static const char S[8][64] = {
326 {14, 4,13, 1, 2,15,11, 8, 3,10, 6,12, 5, 9, 0, 7,
327 0,15, 7, 4,14, 2,13, 1,10, 6,12,11, 9, 5, 3, 8,
328 4, 1,14, 8,13, 6, 2,11,15,12, 9, 7, 3,10, 5, 0,
329 15,12, 8, 2, 4, 9, 1, 7, 5,11, 3,14,10, 0, 6,13},
330
331 {15, 1, 8,14, 6,11, 3, 4, 9, 7, 2,13,12, 0, 5,10,
332 3,13, 4, 7,15, 2, 8,14,12, 0, 1,10, 6, 9,11, 5,
333 0,14, 7,11,10, 4,13, 1, 5, 8,12, 6, 9, 3, 2,15,
334 13, 8,10, 1, 3,15, 4, 2,11, 6, 7,12, 0, 5,14, 9},
335
336 {10, 0, 9,14, 6, 3,15, 5, 1,13,12, 7,11, 4, 2, 8,
337 13, 7, 0, 9, 3, 4, 6,10, 2, 8, 5,14,12,11,15, 1,
338 13, 6, 4, 9, 8,15, 3, 0,11, 1, 2,12, 5,10,14, 7,
339 1,10,13, 0, 6, 9, 8, 7, 4,15,14, 3,11, 5, 2,12},
340
341 { 7,13,14, 3, 0, 6, 9,10, 1, 2, 8, 5,11,12, 4,15,
342 13, 8,11, 5, 6,15, 0, 3, 4, 7, 2,12, 1,10,14, 9,
343 10, 6, 9, 0,12,11, 7,13,15, 1, 3,14, 5, 2, 8, 4,
344 3,15, 0, 6,10, 1,13, 8, 9, 4, 5,11,12, 7, 2,14},
345
346 { 2,12, 4, 1, 7,10,11, 6, 8, 5, 3,15,13, 0,14, 9,
347 14,11, 2,12, 4, 7,13, 1, 5, 0,15,10, 3, 9, 8, 6,
348 4, 2, 1,11,10,13, 7, 8,15, 9,12, 5, 6, 3, 0,14,
349 11, 8,12, 7, 1,14, 2,13, 6,15, 0, 9,10, 4, 5, 3},
350
351 {12, 1,10,15, 9, 2, 6, 8, 0,13, 3, 4,14, 7, 5,11,
352 10,15, 4, 2, 7,12, 9, 5, 6, 1,13,14, 0,11, 3, 8,
353 9,14,15, 5, 2, 8,12, 3, 7, 0, 4,10, 1,13,11, 6,
354 4, 3, 2,12, 9, 5,15,10,11,14, 1, 7, 6, 0, 8,13},
355
356 { 4,11, 2,14,15, 0, 8,13, 3,12, 9, 7, 5,10, 6, 1,
357 13, 0,11, 7, 4, 9, 1,10,14, 3, 5,12, 2,15, 8, 6,
358 1, 4,11,13,12, 3, 7,14,10,15, 6, 8, 0, 5, 9, 2,
359 6,11,13, 8, 1, 4,10, 7, 9, 5, 0,15,14, 2, 3,12},
360
361 {13, 2, 8, 4, 6,15,11, 1,10, 9, 3,14, 5, 0,12, 7,
362 1,15,13, 8,10, 3, 7, 4,12, 5, 6,11, 0,14, 9, 2,
363 7,11, 4, 1, 9,12,14, 2, 0, 6,10,13,15, 3, 5, 8,
364 2, 1,14, 7, 4,10, 8,13,15,12, 9, 0, 3, 5, 6,11},
365 };
366
367
afs_crypt(const char * pw,const char * salt,char * iobuf)368 char *afs_crypt(const char *pw, const char *salt,
369 /* must be at least 16 bytes */
370 char *iobuf)
371 {
372 int i, j, c;
373 int temp;
374 char block[66];
375 char E[48];
376 /*
377 * The key schedule.
378 * Generated from the key.
379 */
380 char KS[16][48];
381
382 for(i=0; i<66; i++)
383 block[i] = 0;
384 /* Solaris Kerberos */
385 for(i=0; ((c= *pw) != NULL) && i<64; pw++){
386 for(j=0; j<7; j++, i++)
387 block[i] = (c>>(6-j)) & 01;
388 i++;
389 }
390
391 krb5_afs_crypt_setkey(block, E, KS);
392
393 for(i=0; i<66; i++)
394 block[i] = 0;
395
396 for(i=0;i<2;i++){
397 c = *salt++;
398 iobuf[i] = c;
399 if(c>'Z') c -= 6;
400 if(c>'9') c -= 7;
401 c -= '.';
402 for(j=0;j<6;j++){
403 if((c>>j) & 01){
404 temp = E[6*i+j];
405 E[6*i+j] = E[6*i+j+24];
406 E[6*i+j+24] = temp;
407 }
408 }
409 }
410
411 for(i=0; i<25; i++)
412 krb5_afs_encrypt(block,E,KS);
413
414 for(i=0; i<11; i++){
415 c = 0;
416 for(j=0; j<6; j++){
417 c <<= 1;
418 c |= block[6*i+j];
419 }
420 c += '.';
421 if(c>'9') c += 7;
422 if(c>'Z') c += 6;
423 iobuf[i+2] = c;
424 }
425 iobuf[i+2] = 0;
426 if(iobuf[1]==0)
427 iobuf[1] = iobuf[0];
428 return(iobuf);
429 }
430
431 /*
432 * Set up the key schedule from the key.
433 */
434
krb5_afs_crypt_setkey(char * key,char * E,char (* KS)[48])435 static void krb5_afs_crypt_setkey(char *key, char *E, char (*KS)[48])
436 {
437 register int i, j, k;
438 int t;
439 /*
440 * The C and D arrays used to calculate the key schedule.
441 */
442 char C[28], D[28];
443
444 /*
445 * First, generate C and D by permuting
446 * the key. The low order bit of each
447 * 8-bit char is not used, so C and D are only 28
448 * bits apiece.
449 */
450 for (i=0; i<28; i++) {
451 C[i] = key[PC1_C[i]-1];
452 D[i] = key[PC1_D[i]-1];
453 }
454 /*
455 * To generate Ki, rotate C and D according
456 * to schedule and pick up a permutation
457 * using PC2.
458 */
459 for (i=0; i<16; i++) {
460 /*
461 * rotate.
462 */
463 for (k=0; k<shifts[i]; k++) {
464 t = C[0];
465 for (j=0; j<28-1; j++)
466 C[j] = C[j+1];
467 C[27] = t;
468 t = D[0];
469 for (j=0; j<28-1; j++)
470 D[j] = D[j+1];
471 D[27] = t;
472 }
473 /*
474 * get Ki. Note C and D are concatenated.
475 */
476 for (j=0; j<24; j++) {
477 KS[i][j] = C[PC2_C[j]-1];
478 KS[i][j+24] = D[PC2_D[j]-28-1];
479 }
480 }
481
482 #if 0
483 for(i=0;i<48;i++) {
484 E[i] = e[i];
485 }
486 #else
487 memcpy(E, e, 48);
488 #endif
489 }
490
491 /*
492 * The payoff: encrypt a block.
493 */
494
krb5_afs_encrypt(char * block,char * E,char (* KS)[48])495 static void krb5_afs_encrypt(char *block, char *E, char (*KS)[48])
496 {
497 const long edflag = 0;
498 int i, ii;
499 int t, j, k;
500 char tempL[32];
501 char f[32];
502 /*
503 * The current block, divided into 2 halves.
504 */
505 char L[64];
506 char *const R = &L[32];
507 /*
508 * The combination of the key and the input, before selection.
509 */
510 char preS[48];
511
512 /*
513 * First, permute the bits in the input
514 */
515 for (j=0; j<64; j++)
516 L[j] = block[IP[j]-1];
517 /*
518 * Perform an encryption operation 16 times.
519 */
520 for (ii=0; ii<16; ii++) {
521 /*
522 * Set direction
523 */
524 if (edflag)
525 i = 15-ii;
526 else
527 i = ii;
528 /*
529 * Save the R array,
530 * which will be the new L.
531 */
532 #if 0
533 for (j=0; j<32; j++)
534 tempL[j] = R[j];
535 #else
536 memcpy(tempL, R, 32);
537 #endif
538 /*
539 * Expand R to 48 bits using the E selector;
540 * exclusive-or with the current key bits.
541 */
542 for (j=0; j<48; j++)
543 preS[j] = R[E[j]-1] ^ KS[i][j];
544 /*
545 * The pre-select bits are now considered
546 * in 8 groups of 6 bits each.
547 * The 8 selection functions map these
548 * 6-bit quantities into 4-bit quantities
549 * and the results permuted
550 * to make an f(R, K).
551 * The indexing into the selection functions
552 * is peculiar; it could be simplified by
553 * rewriting the tables.
554 */
555 for (j=0; j<8; j++) {
556 t = 6*j;
557 k = S[j][(preS[t+0]<<5)+
558 (preS[t+1]<<3)+
559 (preS[t+2]<<2)+
560 (preS[t+3]<<1)+
561 (preS[t+4]<<0)+
562 (preS[t+5]<<4)];
563 t = 4*j;
564 f[t+0] = (k>>3)&01;
565 f[t+1] = (k>>2)&01;
566 f[t+2] = (k>>1)&01;
567 f[t+3] = (k>>0)&01;
568 }
569 /*
570 * The new R is L ^ f(R, K).
571 * The f here has to be permuted first, though.
572 */
573 for (j=0; j<32; j++)
574 R[j] = L[j] ^ f[P[j]-1];
575 /*
576 * Finally, the new L (the original R)
577 * is copied back.
578 */
579 #if 0
580 for (j=0; j<32; j++)
581 L[j] = tempL[j];
582 #else
583 memcpy(L, tempL, 32);
584 #endif
585 }
586 /*
587 * The output L and R are reversed.
588 */
589 for (j=0; j<32; j++) {
590 t = L[j];
591 L[j] = R[j];
592 R[j] = t;
593 }
594 /*
595 * The final output
596 * gets the inverse permutation of the very original.
597 */
598 for (j=0; j<64; j++)
599 block[j] = L[FP[j]-1];
600 }
601