1 /*
2 * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
3 * Use is subject to license terms.
4 */
5
6
7 /*
8 * lib/crypto/des/string2key.c
9 *
10 * based on lib/crypto/des/string2key.c from MIT V5
11 * and on lib/des/afs_string_to_key.c from UMD.
12 * constructed by Mark Eichin, Cygnus Support, 1995.
13 * made thread-safe by Ken Raeburn, MIT, 2001.
14 */
15
16 /*
17 * Copyright 2001 by the Massachusetts Institute of Technology.
18 * All Rights Reserved.
19 *
20 * Export of this software from the United States of America may
21 * require a specific license from the United States Government.
22 * It is the responsibility of any person or organization contemplating
23 * export to obtain such a license before exporting.
24 *
25 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
26 * distribute this software and its documentation for any purpose and
27 * without fee is hereby granted, provided that the above copyright
28 * notice appear in all copies and that both that copyright notice and
29 * this permission notice appear in supporting documentation, and that
30 * the name of M.I.T. not be used in advertising or publicity pertaining
31 * to distribution of the software without specific, written prior
32 * permission. Furthermore if you modify this software you must label
33 * your software as modified software and not distribute it in such a
34 * fashion that it might be confused with the original M.I.T. software.
35 * M.I.T. makes no representations about the suitability of
36 * this software for any purpose. It is provided "as is" without express
37 * or implied warranty.
38 */
39
40 /*
41 * Copyright (C) 1998 by the FundsXpress, INC.
42 *
43 * All rights reserved.
44 *
45 * Export of this software from the United States of America may require
46 * a specific license from the United States Government. It is the
47 * responsibility of any person or organization contemplating export to
48 * obtain such a license before exporting.
49 *
50 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
51 * distribute this software and its documentation for any purpose and
52 * without fee is hereby granted, provided that the above copyright
53 * notice appear in all copies and that both that copyright notice and
54 * this permission notice appear in supporting documentation, and that
55 * the name of FundsXpress. not be used in advertising or publicity pertaining
56 * to distribution of the software without specific, written prior
57 * permission. FundsXpress makes no representations about the suitability of
58 * this software for any purpose. It is provided "as is" without express
59 * or implied warranty.
60 *
61 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
62 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
63 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
64 */
65
66 #include "k5-int.h"
67 #include "des_int.h"
68 #include <ctype.h>
69
70 #define afs_crypt mit_afs_crypt
71 char *afs_crypt (const char *, const char *, char *);
72
73 #undef min
74 #define min(a,b) ((a)>(b)?(b):(a))
75
76 /*ARGSUSED*/
77 krb5_error_code
mit_afs_string_to_key(krb5_context context,krb5_keyblock * keyblock,const krb5_data * data,const krb5_data * salt)78 mit_afs_string_to_key (krb5_context context,
79 krb5_keyblock *keyblock, const krb5_data *data,
80 const krb5_data *salt)
81 {
82 /* Solaris Kerberos */
83 krb5_error_code retval = KRB5_PROG_ETYPE_NOSUPP;
84 /* EXPORT DELETE START */
85 /* totally different approach from MIT string2key. */
86 /* much of the work has already been done by the only caller
87 which is mit_des_string_to_key; in particular, *keyblock is already
88 set up. */
89
90 char *realm = salt->data;
91 unsigned int i, j;
92 krb5_octet *key = keyblock->contents;
93 /* Solaris Kerberos */
94 krb5_keyblock usekey;
95
96 if (data->length <= 8) {
97 /* One block only. Run afs_crypt and use the first eight
98 returned bytes after the copy of the (fixed) salt.
99
100 Since the returned bytes are alphanumeric, the output is
101 limited to 2**48 possibilities; for each byte, only 64
102 possible values can be used. */
103 unsigned char password[9]; /* trailing nul for crypt() */
104 char afs_crypt_buf[16];
105
106 memset (password, 0, sizeof (password));
107 memcpy (password, realm, min (salt->length, 8));
108 for (i=0; i<8; i++)
109 if (isupper(password[i]))
110 password[i] = tolower(password[i]);
111 for (i=0; i<data->length; i++)
112 password[i] ^= data->data[i];
113 for (i=0; i<8; i++)
114 if (password[i] == '\0')
115 password[i] = 'X';
116 password[8] = '\0';
117 /* Out-of-bounds salt characters are equivalent to a salt string
118 of "p1". */
119 strncpy((char *) key,
120 (char *) afs_crypt((char *) password, "#~", afs_crypt_buf) + 2,
121 8);
122 for (i=0; i<8; i++)
123 key[i] <<= 1;
124 /* now fix up key parity again */
125 mit_des_fixup_key_parity(key);
126 /* clean & free the input string */
127 memset(password, 0, (size_t) sizeof(password));
128
129 /* Solaris Kerberos: Success */
130 retval = 0;
131 } else {
132 /* Multiple blocks. Do a CBC checksum, twice, and use the
133 result as the new key. */
134 mit_des_cblock ikey, tkey;
135 unsigned int pw_len = salt->length+data->length;
136 unsigned char *password = malloc(pw_len+1);
137 if (!password) return ENOMEM;
138
139 /* Some bound checks from the original code are elided here as
140 the malloc above makes sure we have enough storage. */
141 memcpy (password, data->data, data->length);
142 for (i=data->length, j = 0; j < salt->length; i++, j++) {
143 password[i] = realm[j];
144 if (isupper(password[i]))
145 password[i] = tolower(password[i]);
146 }
147
148 memcpy (ikey, "kerberos", sizeof(ikey));
149 memcpy (tkey, ikey, sizeof(tkey));
150 mit_des_fixup_key_parity (tkey);
151
152 /* Solaris Kerberos */
153 usekey.enctype = ENCTYPE_DES_CBC_CRC;
154 usekey.contents = tkey;
155 usekey.length = 8;
156 retval = mit_des_cbc_cksum (context, (unsigned char *)password,
157 tkey, i, &usekey, ikey);
158
159 memcpy (ikey, tkey, sizeof(ikey));
160 mit_des_fixup_key_parity (tkey);
161 /* Solaris Kerberos */
162 if (usekey.hKey != CK_INVALID_HANDLE) {
163 (void) C_DestroyObject(krb_ctx_hSession(context), usekey.hKey);
164 usekey.hKey = CK_INVALID_HANDLE;
165 }
166 usekey.contents = tkey;
167 usekey.length = 8;
168 retval = mit_des_cbc_cksum (context, (unsigned char *) password,
169 key, i, &usekey, ikey);
170
171 /* now fix up key parity again */
172 mit_des_fixup_key_parity(key);
173
174 /* Solaris Kerberos */
175 if (usekey.hKey != CK_INVALID_HANDLE) {
176 (void) C_DestroyObject(krb_ctx_hSession(context), usekey.hKey);
177 usekey.hKey = CK_INVALID_HANDLE;
178 }
179 /* clean & free the input string */
180 memset(password, 0, (size_t) pw_len);
181 krb5_xfree(password);
182 }
183 #if 0
184 /* must free here because it was copied for this special case */
185 krb5_xfree(salt->data);
186 #endif
187
188 /* EXPORT DELETE END */
189 return retval;
190 }
191
192
193 /* Portions of this code:
194 Copyright 1989 by the Massachusetts Institute of Technology
195 */
196
197 /*
198 * Copyright (c) 1990 Regents of The University of Michigan.
199 * All Rights Reserved.
200 *
201 * Permission to use, copy, modify, and distribute this software
202 * and its documentation for any purpose and without fee is hereby
203 * granted, provided that the above copyright notice appears in all
204 * copies and that both that copyright notice and this permission
205 * notice appear in supporting documentation, and that the name of
206 * The University of Michigan not be used in advertising or
207 * publicity pertaining to distribution of the software without
208 * specific, written prior permission. This software is supplied as
209 * is without expressed or implied warranties of any kind.
210 *
211 * ITD Research Systems
212 * University of Michigan
213 * 535 W. William Street
214 * Ann Arbor, Michigan
215 * +1-313-936-2652
216 * netatalk@terminator.cc.umich.edu
217 */
218
219 /* EXPORT DELETE START */
220
221 static void krb5_afs_crypt_setkey (char*, char*, char(*)[48]);
222 static void krb5_afs_encrypt (char*,char*,char (*)[48]);
223
224 /*
225 * Initial permutation,
226 */
227 static const char IP[] = {
228 58,50,42,34,26,18,10, 2,
229 60,52,44,36,28,20,12, 4,
230 62,54,46,38,30,22,14, 6,
231 64,56,48,40,32,24,16, 8,
232 57,49,41,33,25,17, 9, 1,
233 59,51,43,35,27,19,11, 3,
234 61,53,45,37,29,21,13, 5,
235 63,55,47,39,31,23,15, 7,
236 };
237
238 /*
239 * Final permutation, FP = IP^(-1)
240 */
241 static const char FP[] = {
242 40, 8,48,16,56,24,64,32,
243 39, 7,47,15,55,23,63,31,
244 38, 6,46,14,54,22,62,30,
245 37, 5,45,13,53,21,61,29,
246 36, 4,44,12,52,20,60,28,
247 35, 3,43,11,51,19,59,27,
248 34, 2,42,10,50,18,58,26,
249 33, 1,41, 9,49,17,57,25,
250 };
251
252 /*
253 * Permuted-choice 1 from the key bits to yield C and D.
254 * Note that bits 8,16... are left out: They are intended for a parity check.
255 */
256 static const char PC1_C[] = {
257 57,49,41,33,25,17, 9,
258 1,58,50,42,34,26,18,
259 10, 2,59,51,43,35,27,
260 19,11, 3,60,52,44,36,
261 };
262
263 static const char PC1_D[] = {
264 63,55,47,39,31,23,15,
265 7,62,54,46,38,30,22,
266 14, 6,61,53,45,37,29,
267 21,13, 5,28,20,12, 4,
268 };
269
270 /*
271 * Sequence of shifts used for the key schedule.
272 */
273 static const char shifts[] = {
274 1,1,2,2,2,2,2,2,1,2,2,2,2,2,2,1,
275 };
276
277 /*
278 * Permuted-choice 2, to pick out the bits from
279 * the CD array that generate the key schedule.
280 */
281 static const char PC2_C[] = {
282 14,17,11,24, 1, 5,
283 3,28,15, 6,21,10,
284 23,19,12, 4,26, 8,
285 16, 7,27,20,13, 2,
286 };
287
288 static const char PC2_D[] = {
289 41,52,31,37,47,55,
290 30,40,51,45,33,48,
291 44,49,39,56,34,53,
292 46,42,50,36,29,32,
293 };
294
295 /*
296 * The E bit-selection table.
297 */
298 static const char e[] = {
299 32, 1, 2, 3, 4, 5,
300 4, 5, 6, 7, 8, 9,
301 8, 9,10,11,12,13,
302 12,13,14,15,16,17,
303 16,17,18,19,20,21,
304 20,21,22,23,24,25,
305 24,25,26,27,28,29,
306 28,29,30,31,32, 1,
307 };
308
309 /*
310 * P is a permutation on the selected combination
311 * of the current L and key.
312 */
313 static const char P[] = {
314 16, 7,20,21,
315 29,12,28,17,
316 1,15,23,26,
317 5,18,31,10,
318 2, 8,24,14,
319 32,27, 3, 9,
320 19,13,30, 6,
321 22,11, 4,25,
322 };
323
324 /*
325 * The 8 selection functions.
326 * For some reason, they give a 0-origin
327 * index, unlike everything else.
328 */
329 static const char S[8][64] = {
330 {14, 4,13, 1, 2,15,11, 8, 3,10, 6,12, 5, 9, 0, 7,
331 0,15, 7, 4,14, 2,13, 1,10, 6,12,11, 9, 5, 3, 8,
332 4, 1,14, 8,13, 6, 2,11,15,12, 9, 7, 3,10, 5, 0,
333 15,12, 8, 2, 4, 9, 1, 7, 5,11, 3,14,10, 0, 6,13},
334
335 {15, 1, 8,14, 6,11, 3, 4, 9, 7, 2,13,12, 0, 5,10,
336 3,13, 4, 7,15, 2, 8,14,12, 0, 1,10, 6, 9,11, 5,
337 0,14, 7,11,10, 4,13, 1, 5, 8,12, 6, 9, 3, 2,15,
338 13, 8,10, 1, 3,15, 4, 2,11, 6, 7,12, 0, 5,14, 9},
339
340 {10, 0, 9,14, 6, 3,15, 5, 1,13,12, 7,11, 4, 2, 8,
341 13, 7, 0, 9, 3, 4, 6,10, 2, 8, 5,14,12,11,15, 1,
342 13, 6, 4, 9, 8,15, 3, 0,11, 1, 2,12, 5,10,14, 7,
343 1,10,13, 0, 6, 9, 8, 7, 4,15,14, 3,11, 5, 2,12},
344
345 { 7,13,14, 3, 0, 6, 9,10, 1, 2, 8, 5,11,12, 4,15,
346 13, 8,11, 5, 6,15, 0, 3, 4, 7, 2,12, 1,10,14, 9,
347 10, 6, 9, 0,12,11, 7,13,15, 1, 3,14, 5, 2, 8, 4,
348 3,15, 0, 6,10, 1,13, 8, 9, 4, 5,11,12, 7, 2,14},
349
350 { 2,12, 4, 1, 7,10,11, 6, 8, 5, 3,15,13, 0,14, 9,
351 14,11, 2,12, 4, 7,13, 1, 5, 0,15,10, 3, 9, 8, 6,
352 4, 2, 1,11,10,13, 7, 8,15, 9,12, 5, 6, 3, 0,14,
353 11, 8,12, 7, 1,14, 2,13, 6,15, 0, 9,10, 4, 5, 3},
354
355 {12, 1,10,15, 9, 2, 6, 8, 0,13, 3, 4,14, 7, 5,11,
356 10,15, 4, 2, 7,12, 9, 5, 6, 1,13,14, 0,11, 3, 8,
357 9,14,15, 5, 2, 8,12, 3, 7, 0, 4,10, 1,13,11, 6,
358 4, 3, 2,12, 9, 5,15,10,11,14, 1, 7, 6, 0, 8,13},
359
360 { 4,11, 2,14,15, 0, 8,13, 3,12, 9, 7, 5,10, 6, 1,
361 13, 0,11, 7, 4, 9, 1,10,14, 3, 5,12, 2,15, 8, 6,
362 1, 4,11,13,12, 3, 7,14,10,15, 6, 8, 0, 5, 9, 2,
363 6,11,13, 8, 1, 4,10, 7, 9, 5, 0,15,14, 2, 3,12},
364
365 {13, 2, 8, 4, 6,15,11, 1,10, 9, 3,14, 5, 0,12, 7,
366 1,15,13, 8,10, 3, 7, 4,12, 5, 6,11, 0,14, 9, 2,
367 7,11, 4, 1, 9,12,14, 2, 0, 6,10,13,15, 3, 5, 8,
368 2, 1,14, 7, 4,10, 8,13,15,12, 9, 0, 3, 5, 6,11},
369 };
370
371
afs_crypt(const char * pw,const char * salt,char * iobuf)372 char *afs_crypt(const char *pw, const char *salt,
373 /* must be at least 16 bytes */
374 char *iobuf)
375 {
376 int i, j, c;
377 int temp;
378 char block[66];
379 char E[48];
380 /*
381 * The key schedule.
382 * Generated from the key.
383 */
384 char KS[16][48];
385
386 for(i=0; i<66; i++)
387 block[i] = 0;
388 /* Solaris Kerberos */
389 for(i=0; ((c= *pw) != NULL) && i<64; pw++){
390 for(j=0; j<7; j++, i++)
391 block[i] = (c>>(6-j)) & 01;
392 i++;
393 }
394
395 krb5_afs_crypt_setkey(block, E, KS);
396
397 for(i=0; i<66; i++)
398 block[i] = 0;
399
400 for(i=0;i<2;i++){
401 c = *salt++;
402 iobuf[i] = c;
403 if(c>'Z') c -= 6;
404 if(c>'9') c -= 7;
405 c -= '.';
406 for(j=0;j<6;j++){
407 if((c>>j) & 01){
408 temp = E[6*i+j];
409 E[6*i+j] = E[6*i+j+24];
410 E[6*i+j+24] = temp;
411 }
412 }
413 }
414
415 for(i=0; i<25; i++)
416 krb5_afs_encrypt(block,E,KS);
417
418 for(i=0; i<11; i++){
419 c = 0;
420 for(j=0; j<6; j++){
421 c <<= 1;
422 c |= block[6*i+j];
423 }
424 c += '.';
425 if(c>'9') c += 7;
426 if(c>'Z') c += 6;
427 iobuf[i+2] = c;
428 }
429 iobuf[i+2] = 0;
430 if(iobuf[1]==0)
431 iobuf[1] = iobuf[0];
432 return(iobuf);
433 }
434
435 /*
436 * Set up the key schedule from the key.
437 */
438
krb5_afs_crypt_setkey(char * key,char * E,char (* KS)[48])439 static void krb5_afs_crypt_setkey(char *key, char *E, char (*KS)[48])
440 {
441 register int i, j, k;
442 int t;
443 /*
444 * The C and D arrays used to calculate the key schedule.
445 */
446 char C[28], D[28];
447
448 /*
449 * First, generate C and D by permuting
450 * the key. The low order bit of each
451 * 8-bit char is not used, so C and D are only 28
452 * bits apiece.
453 */
454 for (i=0; i<28; i++) {
455 C[i] = key[PC1_C[i]-1];
456 D[i] = key[PC1_D[i]-1];
457 }
458 /*
459 * To generate Ki, rotate C and D according
460 * to schedule and pick up a permutation
461 * using PC2.
462 */
463 for (i=0; i<16; i++) {
464 /*
465 * rotate.
466 */
467 for (k=0; k<shifts[i]; k++) {
468 t = C[0];
469 for (j=0; j<28-1; j++)
470 C[j] = C[j+1];
471 C[27] = t;
472 t = D[0];
473 for (j=0; j<28-1; j++)
474 D[j] = D[j+1];
475 D[27] = t;
476 }
477 /*
478 * get Ki. Note C and D are concatenated.
479 */
480 for (j=0; j<24; j++) {
481 KS[i][j] = C[PC2_C[j]-1];
482 KS[i][j+24] = D[PC2_D[j]-28-1];
483 }
484 }
485
486 #if 0
487 for(i=0;i<48;i++) {
488 E[i] = e[i];
489 }
490 #else
491 memcpy(E, e, 48);
492 #endif
493 }
494
495 /*
496 * The payoff: encrypt a block.
497 */
498
krb5_afs_encrypt(char * block,char * E,char (* KS)[48])499 static void krb5_afs_encrypt(char *block, char *E, char (*KS)[48])
500 {
501 const long edflag = 0;
502 int i, ii;
503 int t, j, k;
504 char tempL[32];
505 char f[32];
506 /*
507 * The current block, divided into 2 halves.
508 */
509 char L[64];
510 char *const R = &L[32];
511 /*
512 * The combination of the key and the input, before selection.
513 */
514 char preS[48];
515
516 /*
517 * First, permute the bits in the input
518 */
519 for (j=0; j<64; j++)
520 L[j] = block[IP[j]-1];
521 /*
522 * Perform an encryption operation 16 times.
523 */
524 for (ii=0; ii<16; ii++) {
525 /*
526 * Set direction
527 */
528 if (edflag)
529 i = 15-ii;
530 else
531 i = ii;
532 /*
533 * Save the R array,
534 * which will be the new L.
535 */
536 #if 0
537 for (j=0; j<32; j++)
538 tempL[j] = R[j];
539 #else
540 memcpy(tempL, R, 32);
541 #endif
542 /*
543 * Expand R to 48 bits using the E selector;
544 * exclusive-or with the current key bits.
545 */
546 for (j=0; j<48; j++)
547 preS[j] = R[E[j]-1] ^ KS[i][j];
548 /*
549 * The pre-select bits are now considered
550 * in 8 groups of 6 bits each.
551 * The 8 selection functions map these
552 * 6-bit quantities into 4-bit quantities
553 * and the results permuted
554 * to make an f(R, K).
555 * The indexing into the selection functions
556 * is peculiar; it could be simplified by
557 * rewriting the tables.
558 */
559 for (j=0; j<8; j++) {
560 t = 6*j;
561 k = S[j][(preS[t+0]<<5)+
562 (preS[t+1]<<3)+
563 (preS[t+2]<<2)+
564 (preS[t+3]<<1)+
565 (preS[t+4]<<0)+
566 (preS[t+5]<<4)];
567 t = 4*j;
568 f[t+0] = (k>>3)&01;
569 f[t+1] = (k>>2)&01;
570 f[t+2] = (k>>1)&01;
571 f[t+3] = (k>>0)&01;
572 }
573 /*
574 * The new R is L ^ f(R, K).
575 * The f here has to be permuted first, though.
576 */
577 for (j=0; j<32; j++)
578 R[j] = L[j] ^ f[P[j]-1];
579 /*
580 * Finally, the new L (the original R)
581 * is copied back.
582 */
583 #if 0
584 for (j=0; j<32; j++)
585 L[j] = tempL[j];
586 #else
587 memcpy(L, tempL, 32);
588 #endif
589 }
590 /*
591 * The output L and R are reversed.
592 */
593 for (j=0; j<32; j++) {
594 t = L[j];
595 L[j] = R[j];
596 R[j] = t;
597 }
598 /*
599 * The final output
600 * gets the inverse permutation of the very original.
601 */
602 for (j=0; j<64; j++)
603 block[j] = L[FP[j]-1];
604 }
605 /* EXPORT DELETE END */
606