2 Unix SMB/CIFS implementation.
4 a partial implementation of DES designed for use in the
5 SMB authentication protocol
7 Copyright (C) Andrew Tridgell 1998
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 2 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program; if not, write to the Free Software
21 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
25 #include "lib/crypto/crypto.h"
29 This code makes no attempt to be fast! In fact, it is a very
32 This code is NOT a complete DES implementation. It implements only
33 the minimum necessary for SMB authentication, as used by all SMB
34 products (including every copy of Microsoft Windows95 ever sold)
36 In particular, it can only do a unchained forward DES pass. This
37 means it is not possible to use this code for encryption/decryption
38 of data, instead it is only useful as a "hash" algorithm.
40 There is no entry point into this code that allows normal DES operation.
42 I believe this means that this code does not come under ITAR
43 regulations but this is NOT a legal opinion. If you are concerned
44 about the applicability of ITAR regulations to this code then you
45 should confirm it for yourself (and maybe let me know if you come
46 up with a different answer to the one above)
50 static const uint8_t perm1[56] = {57, 49, 41, 33, 25, 17, 9,
51 1, 58, 50, 42, 34, 26, 18,
52 10, 2, 59, 51, 43, 35, 27,
53 19, 11, 3, 60, 52, 44, 36,
54 63, 55, 47, 39, 31, 23, 15,
55 7, 62, 54, 46, 38, 30, 22,
56 14, 6, 61, 53, 45, 37, 29,
57 21, 13, 5, 28, 20, 12, 4};
59 static const uint8_t perm2[48] = {14, 17, 11, 24, 1, 5,
63 41, 52, 31, 37, 47, 55,
64 30, 40, 51, 45, 33, 48,
65 44, 49, 39, 56, 34, 53,
66 46, 42, 50, 36, 29, 32};
68 static const uint8_t perm3[64] = {58, 50, 42, 34, 26, 18, 10, 2,
69 60, 52, 44, 36, 28, 20, 12, 4,
70 62, 54, 46, 38, 30, 22, 14, 6,
71 64, 56, 48, 40, 32, 24, 16, 8,
72 57, 49, 41, 33, 25, 17, 9, 1,
73 59, 51, 43, 35, 27, 19, 11, 3,
74 61, 53, 45, 37, 29, 21, 13, 5,
75 63, 55, 47, 39, 31, 23, 15, 7};
77 static const uint8_t perm4[48] = { 32, 1, 2, 3, 4, 5,
80 12, 13, 14, 15, 16, 17,
81 16, 17, 18, 19, 20, 21,
82 20, 21, 22, 23, 24, 25,
83 24, 25, 26, 27, 28, 29,
84 28, 29, 30, 31, 32, 1};
86 static const uint8_t perm5[32] = { 16, 7, 20, 21,
96 static const uint8_t perm6[64] ={ 40, 8, 48, 16, 56, 24, 64, 32,
97 39, 7, 47, 15, 55, 23, 63, 31,
98 38, 6, 46, 14, 54, 22, 62, 30,
99 37, 5, 45, 13, 53, 21, 61, 29,
100 36, 4, 44, 12, 52, 20, 60, 28,
101 35, 3, 43, 11, 51, 19, 59, 27,
102 34, 2, 42, 10, 50, 18, 58, 26,
103 33, 1, 41, 9, 49, 17, 57, 25};
106 static const uint8_t sc[16] = {1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1};
108 static const uint8_t sbox[8][4][16] = {
109 {{14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7},
110 {0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8},
111 {4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0},
112 {15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13}},
114 {{15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10},
115 {3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5},
116 {0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15},
117 {13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9}},
119 {{10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8},
120 {13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1},
121 {13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7},
122 {1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12}},
124 {{7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15},
125 {13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9},
126 {10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4},
127 {3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14}},
129 {{2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9},
130 {14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6},
131 {4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14},
132 {11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3}},
134 {{12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11},
135 {10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8},
136 {9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6},
137 {4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13}},
139 {{4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1},
140 {13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6},
141 {1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2},
142 {6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12}},
144 {{13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7},
145 {1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2},
146 {7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8},
147 {2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11}}};
149 static void permute(char *out, const char *in, const uint8_t *p, int n)
156 static void lshift(char *d, int count, int n)
161 out[i] = d[(i+count)%n];
166 static void concat(char *out, char *in1, char *in2, int l1, int l2)
174 static void xor(char *out, char *in1, char *in2, int n)
178 out[i] = in1[i] ^ in2[i];
181 static void dohash(char *out, char *in, char *key, int forw)
193 permute(pk1, key, perm1, 56);
201 lshift(c, sc[i], 28);
202 lshift(d, sc[i], 28);
204 concat(cd, c, d, 28, 28);
205 permute(ki[i], cd, perm2, 48);
208 permute(pd1, in, perm3, 64);
223 permute(er, r, perm4, 48);
225 xor(erk, er, ki[forw ? i : 15 - i], 48);
229 b[j][k] = erk[j*6 + k];
233 m = (b[j][0]<<1) | b[j][5];
235 n = (b[j][1]<<3) | (b[j][2]<<2) | (b[j][3]<<1) | b[j][4];
238 b[j][k] = (sbox[j][m][n] & (1<<(3-k)))?1:0;
244 permute(pcb, cb, perm5, 32);
255 concat(rl, r, l, 32, 32);
257 permute(out, rl, perm6, 64);
260 static void str_to_key(const uint8_t *str,uint8_t *key)
265 key[1] = ((str[0]&0x01)<<6) | (str[1]>>2);
266 key[2] = ((str[1]&0x03)<<5) | (str[2]>>3);
267 key[3] = ((str[2]&0x07)<<4) | (str[3]>>4);
268 key[4] = ((str[3]&0x0F)<<3) | (str[4]>>5);
269 key[5] = ((str[4]&0x1F)<<2) | (str[5]>>6);
270 key[6] = ((str[5]&0x3F)<<1) | (str[6]>>7);
271 key[7] = str[6]&0x7F;
273 key[i] = (key[i]<<1);
278 basic des crypt using a 56 bit (7 byte) key
280 void des_crypt56(uint8_t out[8], const uint8_t in[8], const uint8_t key[7], int forw)
288 str_to_key(key, key2);
291 inb[i] = (in[i/8] & (1<<(7-(i%8)))) ? 1 : 0;
292 keyb[i] = (key2[i/8] & (1<<(7-(i%8)))) ? 1 : 0;
296 dohash(outb, inb, keyb, forw);
304 out[i/8] |= (1<<(7-(i%8)));
308 void E_P16(const uint8_t *p14,uint8_t *p16)
310 const uint8_t sp8[8] = {0x4b, 0x47, 0x53, 0x21, 0x40, 0x23, 0x24, 0x25};
311 des_crypt56(p16, sp8, p14, 1);
312 des_crypt56(p16+8, sp8, p14+7, 1);
315 void E_P24(const uint8_t *p21, const uint8_t *c8, uint8_t *p24)
317 des_crypt56(p24, c8, p21, 1);
318 des_crypt56(p24+8, c8, p21+7, 1);
319 des_crypt56(p24+16, c8, p21+14, 1);
322 void D_P16(const uint8_t *p14, const uint8_t *in, uint8_t *out)
324 des_crypt56(out, in, p14, 0);
325 des_crypt56(out+8, in+8, p14+7, 0);
328 void E_old_pw_hash( uint8_t *p14, const uint8_t *in, uint8_t *out)
330 des_crypt56(out, in, p14, 1);
331 des_crypt56(out+8, in+8, p14+7, 1);
334 /* des encryption with a 128 bit key */
335 void des_crypt128(uint8_t out[8], const uint8_t in[8], const uint8_t key[16])
338 des_crypt56(buf, in, key, 1);
339 des_crypt56(out, buf, key+9, 1);
342 /* des encryption with a 64 bit key */
343 void des_crypt64(uint8_t out[8], const uint8_t in[8], const uint8_t key[8], int forw)
348 des_crypt56(buf, in, key, forw);
350 des_crypt56(out, buf, key2, forw);
353 /* des encryption with a 112 bit (14 byte) key */
354 void des_crypt112(uint8_t out[8], const uint8_t in[8], const uint8_t key[14], int forw)
357 des_crypt56(buf, in, key, forw);
358 des_crypt56(out, buf, key+7, forw);
361 /* des encryption of a 16 byte lump of data with a 112 bit key */
362 void des_crypt112_16(uint8_t out[16], uint8_t in[16], const uint8_t key[14], int forw)
364 des_crypt56(out, in, key, forw);
365 des_crypt56(out + 8, in + 8, key+7, forw);
368 /* Decode a sam password hash into a password. The password hash is the
369 same method used to store passwords in the NT registry. The DES key
370 used is based on the RID of the user. */
371 void sam_rid_crypt(uint_t rid, const uint8_t *in, uint8_t *out, int forw)
375 s[0] = s[4] = s[8] = s[12] = (uint8_t)(rid & 0xFF);
376 s[1] = s[5] = s[9] = s[13] = (uint8_t)((rid >> 8) & 0xFF);
377 s[2] = s[6] = s[10] = (uint8_t)((rid >> 16) & 0xFF);
378 s[3] = s[7] = s[11] = (uint8_t)((rid >> 24) & 0xFF);
380 des_crypt56(out, in, s, forw);
381 des_crypt56(out+8, in+8, s+7, forw);