2 Unix SMB/CIFS implementation.
4 a partial implementation of DES designed for use in the
5 SMB authentication protocol
7 Copyright (C) Andrew Tridgell 1998
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 2 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program; if not, write to the Free Software
21 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
25 #include "lib/crypto/crypto.h"
29 This code makes no attempt to be fast! In fact, it is a very
32 This code is NOT a complete DES implementation. It implements only
33 the minimum necessary for SMB authentication, as used by all SMB
34 products (including every copy of Microsoft Windows95 ever sold)
36 In particular, it can only do a unchained forward DES pass. This
37 means it is not possible to use this code for encryption/decryption
38 of data, instead it is only useful as a "hash" algorithm.
40 There is no entry point into this code that allows normal DES operation.
42 I believe this means that this code does not come under ITAR
43 regulations but this is NOT a legal opinion. If you are concerned
44 about the applicability of ITAR regulations to this code then you
45 should confirm it for yourself (and maybe let me know if you come
46 up with a different answer to the one above)
50 static const uint8_t perm1[56] = {57, 49, 41, 33, 25, 17, 9,
51 1, 58, 50, 42, 34, 26, 18,
52 10, 2, 59, 51, 43, 35, 27,
53 19, 11, 3, 60, 52, 44, 36,
54 63, 55, 47, 39, 31, 23, 15,
55 7, 62, 54, 46, 38, 30, 22,
56 14, 6, 61, 53, 45, 37, 29,
57 21, 13, 5, 28, 20, 12, 4};
59 static const uint8_t perm2[48] = {14, 17, 11, 24, 1, 5,
63 41, 52, 31, 37, 47, 55,
64 30, 40, 51, 45, 33, 48,
65 44, 49, 39, 56, 34, 53,
66 46, 42, 50, 36, 29, 32};
68 static const uint8_t perm3[64] = {58, 50, 42, 34, 26, 18, 10, 2,
69 60, 52, 44, 36, 28, 20, 12, 4,
70 62, 54, 46, 38, 30, 22, 14, 6,
71 64, 56, 48, 40, 32, 24, 16, 8,
72 57, 49, 41, 33, 25, 17, 9, 1,
73 59, 51, 43, 35, 27, 19, 11, 3,
74 61, 53, 45, 37, 29, 21, 13, 5,
75 63, 55, 47, 39, 31, 23, 15, 7};
77 static const uint8_t perm4[48] = { 32, 1, 2, 3, 4, 5,
80 12, 13, 14, 15, 16, 17,
81 16, 17, 18, 19, 20, 21,
82 20, 21, 22, 23, 24, 25,
83 24, 25, 26, 27, 28, 29,
84 28, 29, 30, 31, 32, 1};
86 static const uint8_t perm5[32] = { 16, 7, 20, 21,
96 static const uint8_t perm6[64] ={ 40, 8, 48, 16, 56, 24, 64, 32,
97 39, 7, 47, 15, 55, 23, 63, 31,
98 38, 6, 46, 14, 54, 22, 62, 30,
99 37, 5, 45, 13, 53, 21, 61, 29,
100 36, 4, 44, 12, 52, 20, 60, 28,
101 35, 3, 43, 11, 51, 19, 59, 27,
102 34, 2, 42, 10, 50, 18, 58, 26,
103 33, 1, 41, 9, 49, 17, 57, 25};
106 static const uint8_t sc[16] = {1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1};
108 static const uint8_t sbox[8][4][16] = {
109 {{14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7},
110 {0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8},
111 {4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0},
112 {15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13}},
114 {{15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10},
115 {3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5},
116 {0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15},
117 {13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9}},
119 {{10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8},
120 {13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1},
121 {13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7},
122 {1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12}},
124 {{7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15},
125 {13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9},
126 {10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4},
127 {3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14}},
129 {{2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9},
130 {14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6},
131 {4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14},
132 {11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3}},
134 {{12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11},
135 {10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8},
136 {9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6},
137 {4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13}},
139 {{4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1},
140 {13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6},
141 {1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2},
142 {6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12}},
144 {{13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7},
145 {1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2},
146 {7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8},
147 {2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11}}};
149 static void permute(char *out, const char *in, const uint8_t *p, int n)
156 static void lshift(char *d, int count, int n)
161 out[i] = d[(i+count)%n];
166 static void concat(char *out, char *in1, char *in2, int l1, int l2)
174 static void xor(char *out, char *in1, char *in2, int n)
178 out[i] = in1[i] ^ in2[i];
181 static void dohash(char *out, char *in, char *key, int forw)
193 permute(pk1, key, perm1, 56);
201 lshift(c, sc[i], 28);
202 lshift(d, sc[i], 28);
204 concat(cd, c, d, 28, 28);
205 permute(ki[i], cd, perm2, 48);
208 permute(pd1, in, perm3, 64);
223 permute(er, r, perm4, 48);
225 xor(erk, er, ki[forw ? i : 15 - i], 48);
229 b[j][k] = erk[j*6 + k];
233 m = (b[j][0]<<1) | b[j][5];
235 n = (b[j][1]<<3) | (b[j][2]<<2) | (b[j][3]<<1) | b[j][4];
238 b[j][k] = (sbox[j][m][n] & (1<<(3-k)))?1:0;
244 permute(pcb, cb, perm5, 32);
255 concat(rl, r, l, 32, 32);
257 permute(out, rl, perm6, 64);
260 static void str_to_key(const uint8_t *str,uint8_t *key)
265 key[1] = ((str[0]&0x01)<<6) | (str[1]>>2);
266 key[2] = ((str[1]&0x03)<<5) | (str[2]>>3);
267 key[3] = ((str[2]&0x07)<<4) | (str[3]>>4);
268 key[4] = ((str[3]&0x0F)<<3) | (str[4]>>5);
269 key[5] = ((str[4]&0x1F)<<2) | (str[5]>>6);
270 key[6] = ((str[5]&0x3F)<<1) | (str[6]>>7);
271 key[7] = str[6]&0x7F;
273 key[i] = (key[i]<<1);
278 basic des crypt using a 56 bit (7 byte) key
280 void des_crypt56(uint8_t out[8], const uint8_t in[8], const uint8_t key[7], int forw)
288 str_to_key(key, key2);
291 inb[i] = (in[i/8] & (1<<(7-(i%8)))) ? 1 : 0;
292 keyb[i] = (key2[i/8] & (1<<(7-(i%8)))) ? 1 : 0;
296 dohash(outb, inb, keyb, forw);
304 out[i/8] |= (1<<(7-(i%8)));
308 void E_P16(const uint8_t *p14,uint8_t *p16)
310 const uint8_t sp8[8] = {0x4b, 0x47, 0x53, 0x21, 0x40, 0x23, 0x24, 0x25};
311 des_crypt56(p16, sp8, p14, 1);
312 des_crypt56(p16+8, sp8, p14+7, 1);
315 void E_P24(const uint8_t *p21, const uint8_t *c8, uint8_t *p24)
317 des_crypt56(p24, c8, p21, 1);
318 des_crypt56(p24+8, c8, p21+7, 1);
319 des_crypt56(p24+16, c8, p21+14, 1);
322 void D_P16(const uint8_t *p14, const uint8_t *in, uint8_t *out)
324 des_crypt56(out, in, p14, 0);
325 des_crypt56(out+8, in+8, p14+7, 0);
328 void E_old_pw_hash( uint8_t *p14, const uint8_t *in, uint8_t *out)
330 des_crypt56(out, in, p14, 1);
331 des_crypt56(out+8, in+8, p14+7, 1);
334 /* des encryption with a 128 bit key */
335 void des_crypt128(uint8_t out[8], const uint8_t in[8], const uint8_t key[16])
338 des_crypt56(buf, in, key, 1);
339 des_crypt56(out, buf, key+9, 1);
342 /* des encryption with a 64 bit key */
343 void des_crypt64(uint8_t out[8], const uint8_t in[8], const uint8_t key[8], int forw)
348 des_crypt56(buf, in, key, forw);
350 des_crypt56(out, buf, key2, forw);
353 /* des encryption with a 112 bit (14 byte) key */
354 void des_crypt112(uint8_t out[8], const uint8_t in[8], const uint8_t key[14], int forw)
357 des_crypt56(buf, in, key, forw);
358 des_crypt56(out, buf, key+7, forw);
361 /* des encryption of a 16 byte lump of data with a 112 bit key */
362 void des_crypt112_16(uint8_t out[16], uint8_t in[16], const uint8_t key[14], int forw)
364 des_crypt56(out, in, key, forw);
365 des_crypt56(out + 8, in + 8, key+7, forw);
368 /* initialise the arcfour sbox with key */
369 void arcfour_init(struct arcfour_state *state, const DATA_BLOB *key)
373 for (ind = 0; ind < sizeof(state->sbox); ind++) {
374 state->sbox[ind] = (uint8_t)ind;
377 for (ind = 0; ind < sizeof(state->sbox); ind++) {
380 j += (state->sbox[ind] + key->data[ind%key->length]);
382 tc = state->sbox[ind];
383 state->sbox[ind] = state->sbox[j];
390 /* crypt the data with arcfour */
391 void arcfour_crypt_sbox(struct arcfour_state *state, uint8_t *data, int len)
395 for (ind = 0; ind < len; ind++) {
400 state->index_j += state->sbox[state->index_i];
402 tc = state->sbox[state->index_i];
403 state->sbox[state->index_i] = state->sbox[state->index_j];
404 state->sbox[state->index_j] = tc;
406 t = state->sbox[state->index_i] + state->sbox[state->index_j];
407 data[ind] = data[ind] ^ state->sbox[t];
412 arcfour encryption with a blob key
414 void arcfour_crypt_blob(uint8_t *data, int len, const DATA_BLOB *key)
416 struct arcfour_state state;
417 arcfour_init(&state, key);
418 arcfour_crypt_sbox(&state, data, len);
422 a variant that assumes a 16 byte key. This should be removed
423 when the last user is gone
425 void arcfour_crypt(uint8_t *data, const uint8_t keystr[16], int len)
427 DATA_BLOB key = data_blob(keystr, 16);
429 arcfour_crypt_blob(data, len, &key);
431 data_blob_free(&key);
435 /* Decode a sam password hash into a password. The password hash is the
436 same method used to store passwords in the NT registry. The DES key
437 used is based on the RID of the user. */
438 void sam_rid_crypt(uint_t rid, const uint8_t *in, uint8_t *out, int forw)
442 s[0] = s[4] = s[8] = s[12] = (uint8_t)(rid & 0xFF);
443 s[1] = s[5] = s[9] = s[13] = (uint8_t)((rid >> 8) & 0xFF);
444 s[2] = s[6] = s[10] = (uint8_t)((rid >> 16) & 0xFF);
445 s[3] = s[7] = s[11] = (uint8_t)((rid >> 24) & 0xFF);
447 des_crypt56(out, in, s, forw);
448 des_crypt56(out+8, in+8, s+7, forw);