diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..c97d6fe --- /dev/null +++ b/Makefile @@ -0,0 +1,33 @@ +# +# makefile for cram-md5 checkpassword +# + +TARGET=cmd5apoppw +SRCS=main.c md5c.c hmac_md5.c base64.c +MAKEFILE=Makefile +OBJS=${SRCS:.c=.o} +PREFIX = /usr/local +CGROUP = nofiles + + +CC=gcc +CFLAGS=-c -g -Wall -O3 +LD=gcc +LDFLAGS=-g -o ${TARGET} + +all: cmd5apoppw + +cmd5apoppw: ${OBJS} + ${LD} ${LDFLAGS} ${OBJS} + +ht: ht.c hmac_md5.o base64.o + gcc -o ht ht.c hmac_md5.o base64.o + +clean: + rm -f ${OBJS} ${CODEOBJS} ${GENOBJS} ${TARGET} *~ core cmd5apoppw + +install: + install -m 4750 -u root -g ${CGROUP} cmd5apoppw ${PREFIX}/bin + cp apoppasswd ${PREFIX}/bin + cp cmd5apoppw.8 ${PREFIX}/share/man/man8/ + cp deapop ${PREFIX}/sbin diff --git a/README b/README new file mode 100644 index 0000000..14f941a --- /dev/null +++ b/README @@ -0,0 +1,21 @@ +cmd5apoppw 20060922 +by HIROSE, Yuuji +http://www.gentei.org/~yuuji/software/qmapop-smtp-auth/ + +Based on these programs; +cmd5checkpw 0.20, beta. +20000130 +Krzysztof Dabrowski aka Brush/Elysium +http://www.elysium.pl/members/brush/cmd5checkpw/ + +Based on checkpassword by D. J. Bernstein, djb@pobox.com +http://pobox.com/~djb/checkpwd.html + +cmd5checkpw provides a simple, uniform authorization solution for all +application that use CRAM-MD5 auth type. It tries to conform with +checkpassword's interface as much as possible. + +Read included man page to learn how does it work. + +The cmd5apoppw code is in the public domain except for files with different +license inside them. diff --git a/apoppasswd b/apoppasswd new file mode 100755 index 0000000..c3975d6 --- /dev/null +++ b/apoppasswd @@ -0,0 +1,201 @@ +#!/usr/local/bin/perl +# Customize these variables. +# If you change APOPFILEBASE, change the same variable in apopcall.c too. +# See http://www.gentei.org/~yuuji/software/imapext/ + +$HOME=$ENV{"HOME"}; + +$APOPFILEBASE = ".apop"; # "$HOME/$APOPFILEBASE" is the password file +# $APOPFILEBASE = "maildir/apop"; +# $APOPFILEBASE = "Mail/apop"; + +# $ENCODER = "cat"; +$ENCODER = "gzip"; +# $ENCODER = "uuencode $$|gzip"; + +# $DECODER = "cat"; +$DECODER = "gzip -dc"; +# $DECODER = "gzip -dc | uudecode"; + + +$EXT = ""; +$force = 0; +$base = 0; + +$APOPFILE = "$HOME/$APOPFILEBASE"; + +sub handler { + system "stty echo"; + print STDERR "Abort:\n"; + exit 1; +} + +$SIG{'INT'} = $SIG{'KILL'} = $SIG{'QUIT'} = $SIG{'HUP'} = 'handler'; + +while ($_=$ARGV[0], /^-.+/ && shift) { + if (/^-e/) { + $APOPFILE .= "-" . ($EXT=shift); + } elsif (/^-b/) { + $base++; + } elsif (/^-c/) { + $create++; + } elsif (/^-s/) { + $stream++; + # and exit; + } elsif (/^-f/) { + $force++; + } elsif (/^-h/) { + &usage; # and exit + } +} + +sub checkmaildir { + local($dotqmail) = ("$HOME/.qmail"); + local($maildir) = ("maildir"); # default + $dotqmail .= "-$EXT" if $EXT; + $maildir .= "-$EXT" if $EXT; + unless (-f "$dotqmail") { + if ($create) { + if (open(DQMAIL, "> $dotqmail")) { + print DQMAIL "./$maildir/\n"; + print "File [$dotqmail] created\n"; + close(DQMAIL); + } + } else { + print "$dotqmail file does not exist.\n"; # shoud go to stdout + print "Your shoud create maildir first!\n"; + print "(-c option automatically makes it)\n"; + exit 1; + } + } + if (-s $dotqmail) { + $maildir=''; + if (open(DQMAIL, "< $dotqmail")) { + while () { + s/[\r\n \t]*$//g; + next if /#/; + next unless m,\./.*/,; + chop; # strip trailing "/" + $maildir = $_; + last; + } + close(DQMAIL); + unless (-d "$HOME/$maildir" + && -d "$HOME/$maildir/new" + && -d "$HOME/$maildir/cur" + && -d "$HOME/$maildir/tmp") { + if ($create) { + mkdir "$HOME/$maildir", 0700; + mkdir "$HOME/$maildir/new", 0700; + mkdir "$HOME/$maildir/cur", 0700; + mkdir "$HOME/$maildir/tmp", 0700; + print "Maildir [$maildir/] created\n"; + } else { + print "Maildir($maildir) does not exist\n"; + print "Your shoud do maildirmake $maildir first!\n"; + print "(-c option automatically makes it)\n"; + exit 1; + } + } + } + } +} + +sub usage { + local($mydir, $myname) = ($0 =~ m,(.*)/(.*),); + print<<_EOU_; +$myname Change Mail password for imap-4.7+qmailapop +Usage: $myname [options] +Options are... + -e EXT Set target email address to "user-EXT" + -c If no .qmail file and maildir, create them + +_EOU_ + exit 0; +} + +if ($stream) { + &stream; + exit; # not reached +} +$OK=0; +until ($OK) { + system "stty -echo"; + print STDERR "Enter APOP Password: "; + $new1 = <>; + print STDERR "\n"; + if (length($new1) == 1) { + print STDERR "Canceled\n"; + exit 1; + } elsif (length($new1) < 9) { + print STDERR "Password is too short! Please use more than 8 chars.\n"; + next; + } + print STDERR "Again APOP Password: "; + $new2 = <>; + if ($new1 eq $new2) { + $OK=1; + } else { + print STDERR "\nPassword mismatch! Try again.\n"; + } +} +#OK +$force || &checkmaildir; +system "stty echo"; +open(NP, "| $ENCODER > $APOPFILE") || die "Cannot write on $APOPFILE\n"; +print NP "$new1"; +close(NP); +chmod 0600, $APOPFILE; +print STDERR "\nUpdated APOP password successfully.\n"; + +sub stream { # Must match with old password + local($PASS, $old, $new1, $new2, $master) = (0); + local($masterfile) = ($APOPFILE); + $masterfile = "$HOME/$APOPFILEBASE" if $base; + exit 1 if ($> == 0); + while (<>) { + chop; + if (/^PASS (.*)$/i) { + $old = $1; + } elsif (/^NEW (.*)/i) { + $new1 = $1; + } elsif (/^NEW2 (.*)/i) { + $new2 = $1; + } + last if ("$new1" ne "" && "$new2" ne ""); + } + if (-s $APOPFILE || ($base && -f $masterfile)) { # Already exist + if (open(OLD, "$DECODER $masterfile |")) { + ($master = ) =~ s/[\n\r]$//g; + close(OLD); + } else { + print "Old password file corrupted.\n"; + print "Please ask to administrator.\n"; + exit 1; + } + if ($master ne $old) { + print "Illegal password\nBye\n"; + exit 1; + } + } + if ($new1 ne $new2) { + print "Password(new) mismatch\nBye\n"; + exit 1; + } + # OK, now begin to create! + $force || &checkmaildir; + if (open(P, "| $ENCODER > $APOPFILE")) { + # open success + print P "$new1"; + close(P); + chmod 0600, $APOPFILE; + if (-s $APOPFILE) { + print "Success!\n"; + exit 0; + } + } else { + print "Cannot output to $APOPFILE\nBye\n"; + exit 1; + } + exit 0; +} diff --git a/archive/CHANGES b/archive/CHANGES new file mode 100644 index 0000000..1b9f101 --- /dev/null +++ b/archive/CHANGES @@ -0,0 +1,11 @@ +0.20 +- initial public release + +0.21 +- accidentaly a debug version left my computer. It reads descriptor 0 +instead of 3. It's fixed now. + +0.22 +- fix for a crash when user is not found in the passwd database. +- Support for PLAIN/LOGIN auth (so you can use cmd5checkpw for both CRAM-MD5 +and PLAIN/LOGIN). Changes contributed by Javier Kohen . diff --git a/archive/CREDITS b/archive/CREDITS new file mode 100644 index 0000000..ddf34b5 --- /dev/null +++ b/archive/CREDITS @@ -0,0 +1,5 @@ +Dan Bernstein - did the original checkpassword +Jedi/Sector One - did a plain text version of checkpassword. I borrowed few +line of code from him. +RSA Labs. - did the md5c.c and hold copyrights over it (read the source) +RFC 2104 authors - provided sample implementation of HMAC which i have used. diff --git a/archive/INSTALL b/archive/INSTALL new file mode 100644 index 0000000..e068ed4 --- /dev/null +++ b/archive/INSTALL @@ -0,0 +1,17 @@ +Like any other piece of software (and information generally), +cmd5checkpw comes with NO WARRANTY. + +How to install: + + 1. Compile the program. + % make + + 2. Install the programs and man page: + # make install + +Now you should have an example poppasswd copied to your /etc directory and +cmd5checkpw binary in your /bin directory. +Now select a free user id in your system. Create that user in /etc/passwd +do "chown thatuser /etc/poppasswd" , "chmod 400 /etc/poppasswd", +"chown thatuser /bin/cmd5checkpw" and "chmod a+s /etc/cmd5checkpw". +Of course replace "thatuser" with username of the user you have created. diff --git a/archive/README b/archive/README new file mode 100644 index 0000000..8401303 --- /dev/null +++ b/archive/README @@ -0,0 +1,20 @@ +cmd5checkpw 0.20, beta. +20000130 +Krzysztof Dabrowski aka Brush/Elysium +http://www.elysium.pl/members/brush/cmd5checkpw/ + +Based on checkpassword by D. J. Bernstein, djb@pobox.com +http://pobox.com/~djb/checkpwd.html + +cmd5checkpw provides a simple, uniform authorization solution for all +application that use CRAM-MD5 auth type. It tries to conform with +checkpassword's interface as much as possible. + +Read included man page to learn how does it work. + +INSTALL says how to set it up. + +CREDITS contains information about who did what. + +The cmd5checpw code is in the public domain except for files with different +license inside them. diff --git a/archive/poppasswd b/archive/poppasswd new file mode 100644 index 0000000..04bdd8e --- /dev/null +++ b/archive/poppasswd @@ -0,0 +1 @@ +brush:dupa98 diff --git a/archive/rfc1321.txt b/archive/rfc1321.txt new file mode 100644 index 0000000..1596217 --- /dev/null +++ b/archive/rfc1321.txt @@ -0,0 +1,1179 @@ + + + + + + +Network Working Group R. Rivest +Request for Comments: 1321 MIT Laboratory for Computer Science + and RSA Data Security, Inc. + April 1992 + + + The MD5 Message-Digest Algorithm + +Status of this Memo + + This memo provides information for the Internet community. It does + not specify an Internet standard. Distribution of this memo is + unlimited. + +Acknowlegements + + We would like to thank Don Coppersmith, Burt Kaliski, Ralph Merkle, + David Chaum, and Noam Nisan for numerous helpful comments and + suggestions. + +Table of Contents + + 1. Executive Summary 1 + 2. Terminology and Notation 2 + 3. MD5 Algorithm Description 3 + 4. Summary 6 + 5. Differences Between MD4 and MD5 6 + References 7 + APPENDIX A - Reference Implementation 7 + Security Considerations 21 + Author's Address 21 + +1. Executive Summary + + This document describes the MD5 message-digest algorithm. The + algorithm takes as input a message of arbitrary length and produces + as output a 128-bit "fingerprint" or "message digest" of the input. + It is conjectured that it is computationally infeasible to produce + two messages having the same message digest, or to produce any + message having a given prespecified target message digest. The MD5 + algorithm is intended for digital signature applications, where a + large file must be "compressed" in a secure manner before being + encrypted with a private (secret) key under a public-key cryptosystem + such as RSA. + + + + + + + +Rivest [Page 1] + +RFC 1321 MD5 Message-Digest Algorithm April 1992 + + + The MD5 algorithm is designed to be quite fast on 32-bit machines. In + addition, the MD5 algorithm does not require any large substitution + tables; the algorithm can be coded quite compactly. + + The MD5 algorithm is an extension of the MD4 message-digest algorithm + 1,2]. MD5 is slightly slower than MD4, but is more "conservative" in + design. MD5 was designed because it was felt that MD4 was perhaps + being adopted for use more quickly than justified by the existing + critical review; because MD4 was designed to be exceptionally fast, + it is "at the edge" in terms of risking successful cryptanalytic + attack. MD5 backs off a bit, giving up a little in speed for a much + greater likelihood of ultimate security. It incorporates some + suggestions made by various reviewers, and contains additional + optimizations. The MD5 algorithm is being placed in the public domain + for review and possible adoption as a standard. + + For OSI-based applications, MD5's object identifier is + + md5 OBJECT IDENTIFIER ::= + iso(1) member-body(2) US(840) rsadsi(113549) digestAlgorithm(2) 5} + + In the X.509 type AlgorithmIdentifier [3], the parameters for MD5 + should have type NULL. + +2. Terminology and Notation + + In this document a "word" is a 32-bit quantity and a "byte" is an + eight-bit quantity. A sequence of bits can be interpreted in a + natural manner as a sequence of bytes, where each consecutive group + of eight bits is interpreted as a byte with the high-order (most + significant) bit of each byte listed first. Similarly, a sequence of + bytes can be interpreted as a sequence of 32-bit words, where each + consecutive group of four bytes is interpreted as a word with the + low-order (least significant) byte given first. + + Let x_i denote "x sub i". If the subscript is an expression, we + surround it in braces, as in x_{i+1}. Similarly, we use ^ for + superscripts (exponentiation), so that x^i denotes x to the i-th + power. + + Let the symbol "+" denote addition of words (i.e., modulo-2^32 + addition). Let X <<< s denote the 32-bit value obtained by circularly + shifting (rotating) X left by s bit positions. Let not(X) denote the + bit-wise complement of X, and let X v Y denote the bit-wise OR of X + and Y. Let X xor Y denote the bit-wise XOR of X and Y, and let XY + denote the bit-wise AND of X and Y. + + + + + +Rivest [Page 2] + +RFC 1321 MD5 Message-Digest Algorithm April 1992 + + +3. MD5 Algorithm Description + + We begin by supposing that we have a b-bit message as input, and that + we wish to find its message digest. Here b is an arbitrary + nonnegative integer; b may be zero, it need not be a multiple of + eight, and it may be arbitrarily large. We imagine the bits of the + message written down as follows: + + m_0 m_1 ... m_{b-1} + + The following five steps are performed to compute the message digest + of the message. + +3.1 Step 1. Append Padding Bits + + The message is "padded" (extended) so that its length (in bits) is + congruent to 448, modulo 512. That is, the message is extended so + that it is just 64 bits shy of being a multiple of 512 bits long. + Padding is always performed, even if the length of the message is + already congruent to 448, modulo 512. + + Padding is performed as follows: a single "1" bit is appended to the + message, and then "0" bits are appended so that the length in bits of + the padded message becomes congruent to 448, modulo 512. In all, at + least one bit and at most 512 bits are appended. + +3.2 Step 2. Append Length + + A 64-bit representation of b (the length of the message before the + padding bits were added) is appended to the result of the previous + step. In the unlikely event that b is greater than 2^64, then only + the low-order 64 bits of b are used. (These bits are appended as two + 32-bit words and appended low-order word first in accordance with the + previous conventions.) + + At this point the resulting message (after padding with bits and with + b) has a length that is an exact multiple of 512 bits. Equivalently, + this message has a length that is an exact multiple of 16 (32-bit) + words. Let M[0 ... N-1] denote the words of the resulting message, + where N is a multiple of 16. + +3.3 Step 3. Initialize MD Buffer + + A four-word buffer (A,B,C,D) is used to compute the message digest. + Here each of A, B, C, D is a 32-bit register. These registers are + initialized to the following values in hexadecimal, low-order bytes + first): + + + + +Rivest [Page 3] + +RFC 1321 MD5 Message-Digest Algorithm April 1992 + + + word A: 01 23 45 67 + word B: 89 ab cd ef + word C: fe dc ba 98 + word D: 76 54 32 10 + +3.4 Step 4. Process Message in 16-Word Blocks + + We first define four auxiliary functions that each take as input + three 32-bit words and produce as output one 32-bit word. + + F(X,Y,Z) = XY v not(X) Z + G(X,Y,Z) = XZ v Y not(Z) + H(X,Y,Z) = X xor Y xor Z + I(X,Y,Z) = Y xor (X v not(Z)) + + In each bit position F acts as a conditional: if X then Y else Z. + The function F could have been defined using + instead of v since XY + and not(X)Z will never have 1's in the same bit position.) It is + interesting to note that if the bits of X, Y, and Z are independent + and unbiased, the each bit of F(X,Y,Z) will be independent and + unbiased. + + The functions G, H, and I are similar to the function F, in that they + act in "bitwise parallel" to produce their output from the bits of X, + Y, and Z, in such a manner that if the corresponding bits of X, Y, + and Z are independent and unbiased, then each bit of G(X,Y,Z), + H(X,Y,Z), and I(X,Y,Z) will be independent and unbiased. Note that + the function H is the bit-wise "xor" or "parity" function of its + inputs. + + This step uses a 64-element table T[1 ... 64] constructed from the + sine function. Let T[i] denote the i-th element of the table, which + is equal to the integer part of 4294967296 times abs(sin(i)), where i + is in radians. The elements of the table are given in the appendix. + + Do the following: + + /* Process each 16-word block. */ + For i = 0 to N/16-1 do + + /* Copy block i into X. */ + For j = 0 to 15 do + Set X[j] to M[i*16+j]. + end /* of loop on j */ + + /* Save A as AA, B as BB, C as CC, and D as DD. */ + AA = A + BB = B + + + +Rivest [Page 4] + +RFC 1321 MD5 Message-Digest Algorithm April 1992 + + + CC = C + DD = D + + /* Round 1. */ + /* Let [abcd k s i] denote the operation + a = b + ((a + F(b,c,d) + X[k] + T[i]) <<< s). */ + /* Do the following 16 operations. */ + [ABCD 0 7 1] [DABC 1 12 2] [CDAB 2 17 3] [BCDA 3 22 4] + [ABCD 4 7 5] [DABC 5 12 6] [CDAB 6 17 7] [BCDA 7 22 8] + [ABCD 8 7 9] [DABC 9 12 10] [CDAB 10 17 11] [BCDA 11 22 12] + [ABCD 12 7 13] [DABC 13 12 14] [CDAB 14 17 15] [BCDA 15 22 16] + + /* Round 2. */ + /* Let [abcd k s i] denote the operation + a = b + ((a + G(b,c,d) + X[k] + T[i]) <<< s). */ + /* Do the following 16 operations. */ + [ABCD 1 5 17] [DABC 6 9 18] [CDAB 11 14 19] [BCDA 0 20 20] + [ABCD 5 5 21] [DABC 10 9 22] [CDAB 15 14 23] [BCDA 4 20 24] + [ABCD 9 5 25] [DABC 14 9 26] [CDAB 3 14 27] [BCDA 8 20 28] + [ABCD 13 5 29] [DABC 2 9 30] [CDAB 7 14 31] [BCDA 12 20 32] + + /* Round 3. */ + /* Let [abcd k s t] denote the operation + a = b + ((a + H(b,c,d) + X[k] + T[i]) <<< s). */ + /* Do the following 16 operations. */ + [ABCD 5 4 33] [DABC 8 11 34] [CDAB 11 16 35] [BCDA 14 23 36] + [ABCD 1 4 37] [DABC 4 11 38] [CDAB 7 16 39] [BCDA 10 23 40] + [ABCD 13 4 41] [DABC 0 11 42] [CDAB 3 16 43] [BCDA 6 23 44] + [ABCD 9 4 45] [DABC 12 11 46] [CDAB 15 16 47] [BCDA 2 23 48] + + /* Round 4. */ + /* Let [abcd k s t] denote the operation + a = b + ((a + I(b,c,d) + X[k] + T[i]) <<< s). */ + /* Do the following 16 operations. */ + [ABCD 0 6 49] [DABC 7 10 50] [CDAB 14 15 51] [BCDA 5 21 52] + [ABCD 12 6 53] [DABC 3 10 54] [CDAB 10 15 55] [BCDA 1 21 56] + [ABCD 8 6 57] [DABC 15 10 58] [CDAB 6 15 59] [BCDA 13 21 60] + [ABCD 4 6 61] [DABC 11 10 62] [CDAB 2 15 63] [BCDA 9 21 64] + + /* Then perform the following additions. (That is increment each + of the four registers by the value it had before this block + was started.) */ + A = A + AA + B = B + BB + C = C + CC + D = D + DD + + end /* of loop on i */ + + + +Rivest [Page 5] + +RFC 1321 MD5 Message-Digest Algorithm April 1992 + + +3.5 Step 5. Output + + The message digest produced as output is A, B, C, D. That is, we + begin with the low-order byte of A, and end with the high-order byte + of D. + + This completes the description of MD5. A reference implementation in + C is given in the appendix. + +4. Summary + + The MD5 message-digest algorithm is simple to implement, and provides + a "fingerprint" or message digest of a message of arbitrary length. + It is conjectured that the difficulty of coming up with two messages + having the same message digest is on the order of 2^64 operations, + and that the difficulty of coming up with any message having a given + message digest is on the order of 2^128 operations. The MD5 algorithm + has been carefully scrutinized for weaknesses. It is, however, a + relatively new algorithm and further security analysis is of course + justified, as is the case with any new proposal of this sort. + +5. Differences Between MD4 and MD5 + + The following are the differences between MD4 and MD5: + + 1. A fourth round has been added. + + 2. Each step now has a unique additive constant. + + 3. The function g in round 2 was changed from (XY v XZ v YZ) to + (XZ v Y not(Z)) to make g less symmetric. + + 4. Each step now adds in the result of the previous step. This + promotes a faster "avalanche effect". + + 5. The order in which input words are accessed in rounds 2 and + 3 is changed, to make these patterns less like each other. + + 6. The shift amounts in each round have been approximately + optimized, to yield a faster "avalanche effect." The shifts in + different rounds are distinct. + + + + + + + + + + +Rivest [Page 6] + +RFC 1321 MD5 Message-Digest Algorithm April 1992 + + +References + + [1] Rivest, R., "The MD4 Message Digest Algorithm", RFC 1320, MIT and + RSA Data Security, Inc., April 1992. + + [2] Rivest, R., "The MD4 message digest algorithm", in A.J. Menezes + and S.A. Vanstone, editors, Advances in Cryptology - CRYPTO '90 + Proceedings, pages 303-311, Springer-Verlag, 1991. + + [3] CCITT Recommendation X.509 (1988), "The Directory - + Authentication Framework." + +APPENDIX A - Reference Implementation + + This appendix contains the following files taken from RSAREF: A + Cryptographic Toolkit for Privacy-Enhanced Mail: + + global.h -- global header file + + md5.h -- header file for MD5 + + md5c.c -- source code for MD5 + + For more information on RSAREF, send email to . + + The appendix also includes the following file: + + mddriver.c -- test driver for MD2, MD4 and MD5 + + The driver compiles for MD5 by default but can compile for MD2 or MD4 + if the symbol MD is defined on the C compiler command line as 2 or 4. + + The implementation is portable and should work on many different + plaforms. However, it is not difficult to optimize the implementation + on particular platforms, an exercise left to the reader. For example, + on "little-endian" platforms where the lowest-addressed byte in a 32- + bit word is the least significant and there are no alignment + restrictions, the call to Decode in MD5Transform can be replaced with + a typecast. + +A.1 global.h + +/* GLOBAL.H - RSAREF types and constants + */ + +/* PROTOTYPES should be set to one if and only if the compiler supports + function argument prototyping. +The following makes PROTOTYPES default to 0 if it has not already + + + +Rivest [Page 7] + +RFC 1321 MD5 Message-Digest Algorithm April 1992 + + + been defined with C compiler flags. + */ +#ifndef PROTOTYPES +#define PROTOTYPES 0 +#endif + +/* POINTER defines a generic pointer type */ +typedef unsigned char *POINTER; + +/* UINT2 defines a two byte word */ +typedef unsigned short int UINT2; + +/* UINT4 defines a four byte word */ +typedef unsigned long int UINT4; + +/* PROTO_LIST is defined depending on how PROTOTYPES is defined above. +If using PROTOTYPES, then PROTO_LIST returns the list, otherwise it + returns an empty list. + */ +#if PROTOTYPES +#define PROTO_LIST(list) list +#else +#define PROTO_LIST(list) () +#endif + +A.2 md5.h + +/* MD5.H - header file for MD5C.C + */ + +/* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All +rights reserved. + +License to copy and use this software is granted provided that it +is identified as the "RSA Data Security, Inc. MD5 Message-Digest +Algorithm" in all material mentioning or referencing this software +or this function. + +License is also granted to make and use derivative works provided +that such works are identified as "derived from the RSA Data +Security, Inc. MD5 Message-Digest Algorithm" in all material +mentioning or referencing the derived work. + +RSA Data Security, Inc. makes no representations concerning either +the merchantability of this software or the suitability of this +software for any particular purpose. It is provided "as is" +without express or implied warranty of any kind. + + + + +Rivest [Page 8] + +RFC 1321 MD5 Message-Digest Algorithm April 1992 + + +These notices must be retained in any copies of any part of this +documentation and/or software. + */ + +/* MD5 context. */ +typedef struct { + UINT4 state[4]; /* state (ABCD) */ + UINT4 count[2]; /* number of bits, modulo 2^64 (lsb first) */ + unsigned char buffer[64]; /* input buffer */ +} MD5_CTX; + +void MD5Init PROTO_LIST ((MD5_CTX *)); +void MD5Update PROTO_LIST + ((MD5_CTX *, unsigned char *, unsigned int)); +void MD5Final PROTO_LIST ((unsigned char [16], MD5_CTX *)); + +A.3 md5c.c + +/* MD5C.C - RSA Data Security, Inc., MD5 message-digest algorithm + */ + +/* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All +rights reserved. + +License to copy and use this software is granted provided that it +is identified as the "RSA Data Security, Inc. MD5 Message-Digest +Algorithm" in all material mentioning or referencing this software +or this function. + +License is also granted to make and use derivative works provided +that such works are identified as "derived from the RSA Data +Security, Inc. MD5 Message-Digest Algorithm" in all material +mentioning or referencing the derived work. + +RSA Data Security, Inc. makes no representations concerning either +the merchantability of this software or the suitability of this +software for any particular purpose. It is provided "as is" +without express or implied warranty of any kind. + +These notices must be retained in any copies of any part of this +documentation and/or software. + */ + +#include "global.h" +#include "md5.h" + +/* Constants for MD5Transform routine. + */ + + + +Rivest [Page 9] + +RFC 1321 MD5 Message-Digest Algorithm April 1992 + + +#define S11 7 +#define S12 12 +#define S13 17 +#define S14 22 +#define S21 5 +#define S22 9 +#define S23 14 +#define S24 20 +#define S31 4 +#define S32 11 +#define S33 16 +#define S34 23 +#define S41 6 +#define S42 10 +#define S43 15 +#define S44 21 + +static void MD5Transform PROTO_LIST ((UINT4 [4], unsigned char [64])); +static void Encode PROTO_LIST + ((unsigned char *, UINT4 *, unsigned int)); +static void Decode PROTO_LIST + ((UINT4 *, unsigned char *, unsigned int)); +static void MD5_memcpy PROTO_LIST ((POINTER, POINTER, unsigned int)); +static void MD5_memset PROTO_LIST ((POINTER, int, unsigned int)); + +static unsigned char PADDING[64] = { + 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 +}; + +/* F, G, H and I are basic MD5 functions. + */ +#define F(x, y, z) (((x) & (y)) | ((~x) & (z))) +#define G(x, y, z) (((x) & (z)) | ((y) & (~z))) +#define H(x, y, z) ((x) ^ (y) ^ (z)) +#define I(x, y, z) ((y) ^ ((x) | (~z))) + +/* ROTATE_LEFT rotates x left n bits. + */ +#define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32-(n)))) + +/* FF, GG, HH, and II transformations for rounds 1, 2, 3, and 4. +Rotation is separate from addition to prevent recomputation. + */ +#define FF(a, b, c, d, x, s, ac) { \ + (a) += F ((b), (c), (d)) + (x) + (UINT4)(ac); \ + (a) = ROTATE_LEFT ((a), (s)); \ + + + +Rivest [Page 10] + +RFC 1321 MD5 Message-Digest Algorithm April 1992 + + + (a) += (b); \ + } +#define GG(a, b, c, d, x, s, ac) { \ + (a) += G ((b), (c), (d)) + (x) + (UINT4)(ac); \ + (a) = ROTATE_LEFT ((a), (s)); \ + (a) += (b); \ + } +#define HH(a, b, c, d, x, s, ac) { \ + (a) += H ((b), (c), (d)) + (x) + (UINT4)(ac); \ + (a) = ROTATE_LEFT ((a), (s)); \ + (a) += (b); \ + } +#define II(a, b, c, d, x, s, ac) { \ + (a) += I ((b), (c), (d)) + (x) + (UINT4)(ac); \ + (a) = ROTATE_LEFT ((a), (s)); \ + (a) += (b); \ + } + +/* MD5 initialization. Begins an MD5 operation, writing a new context. + */ +void MD5Init (context) +MD5_CTX *context; /* context */ +{ + context->count[0] = context->count[1] = 0; + /* Load magic initialization constants. +*/ + context->state[0] = 0x67452301; + context->state[1] = 0xefcdab89; + context->state[2] = 0x98badcfe; + context->state[3] = 0x10325476; +} + +/* MD5 block update operation. Continues an MD5 message-digest + operation, processing another message block, and updating the + context. + */ +void MD5Update (context, input, inputLen) +MD5_CTX *context; /* context */ +unsigned char *input; /* input block */ +unsigned int inputLen; /* length of input block */ +{ + unsigned int i, index, partLen; + + /* Compute number of bytes mod 64 */ + index = (unsigned int)((context->count[0] >> 3) & 0x3F); + + /* Update number of bits */ + if ((context->count[0] += ((UINT4)inputLen << 3)) + + + +Rivest [Page 11] + +RFC 1321 MD5 Message-Digest Algorithm April 1992 + + + < ((UINT4)inputLen << 3)) + context->count[1]++; + context->count[1] += ((UINT4)inputLen >> 29); + + partLen = 64 - index; + + /* Transform as many times as possible. +*/ + if (inputLen >= partLen) { + MD5_memcpy + ((POINTER)&context->buffer[index], (POINTER)input, partLen); + MD5Transform (context->state, context->buffer); + + for (i = partLen; i + 63 < inputLen; i += 64) + MD5Transform (context->state, &input[i]); + + index = 0; + } + else + i = 0; + + /* Buffer remaining input */ + MD5_memcpy + ((POINTER)&context->buffer[index], (POINTER)&input[i], + inputLen-i); +} + +/* MD5 finalization. Ends an MD5 message-digest operation, writing the + the message digest and zeroizing the context. + */ +void MD5Final (digest, context) +unsigned char digest[16]; /* message digest */ +MD5_CTX *context; /* context */ +{ + unsigned char bits[8]; + unsigned int index, padLen; + + /* Save number of bits */ + Encode (bits, context->count, 8); + + /* Pad out to 56 mod 64. +*/ + index = (unsigned int)((context->count[0] >> 3) & 0x3f); + padLen = (index < 56) ? (56 - index) : (120 - index); + MD5Update (context, PADDING, padLen); + + /* Append length (before padding) */ + MD5Update (context, bits, 8); + + + +Rivest [Page 12] + +RFC 1321 MD5 Message-Digest Algorithm April 1992 + + + /* Store state in digest */ + Encode (digest, context->state, 16); + + /* Zeroize sensitive information. +*/ + MD5_memset ((POINTER)context, 0, sizeof (*context)); +} + +/* MD5 basic transformation. Transforms state based on block. + */ +static void MD5Transform (state, block) +UINT4 state[4]; +unsigned char block[64]; +{ + UINT4 a = state[0], b = state[1], c = state[2], d = state[3], x[16]; + + Decode (x, block, 64); + + /* Round 1 */ + FF (a, b, c, d, x[ 0], S11, 0xd76aa478); /* 1 */ + FF (d, a, b, c, x[ 1], S12, 0xe8c7b756); /* 2 */ + FF (c, d, a, b, x[ 2], S13, 0x242070db); /* 3 */ + FF (b, c, d, a, x[ 3], S14, 0xc1bdceee); /* 4 */ + FF (a, b, c, d, x[ 4], S11, 0xf57c0faf); /* 5 */ + FF (d, a, b, c, x[ 5], S12, 0x4787c62a); /* 6 */ + FF (c, d, a, b, x[ 6], S13, 0xa8304613); /* 7 */ + FF (b, c, d, a, x[ 7], S14, 0xfd469501); /* 8 */ + FF (a, b, c, d, x[ 8], S11, 0x698098d8); /* 9 */ + FF (d, a, b, c, x[ 9], S12, 0x8b44f7af); /* 10 */ + FF (c, d, a, b, x[10], S13, 0xffff5bb1); /* 11 */ + FF (b, c, d, a, x[11], S14, 0x895cd7be); /* 12 */ + FF (a, b, c, d, x[12], S11, 0x6b901122); /* 13 */ + FF (d, a, b, c, x[13], S12, 0xfd987193); /* 14 */ + FF (c, d, a, b, x[14], S13, 0xa679438e); /* 15 */ + FF (b, c, d, a, x[15], S14, 0x49b40821); /* 16 */ + + /* Round 2 */ + GG (a, b, c, d, x[ 1], S21, 0xf61e2562); /* 17 */ + GG (d, a, b, c, x[ 6], S22, 0xc040b340); /* 18 */ + GG (c, d, a, b, x[11], S23, 0x265e5a51); /* 19 */ + GG (b, c, d, a, x[ 0], S24, 0xe9b6c7aa); /* 20 */ + GG (a, b, c, d, x[ 5], S21, 0xd62f105d); /* 21 */ + GG (d, a, b, c, x[10], S22, 0x2441453); /* 22 */ + GG (c, d, a, b, x[15], S23, 0xd8a1e681); /* 23 */ + GG (b, c, d, a, x[ 4], S24, 0xe7d3fbc8); /* 24 */ + GG (a, b, c, d, x[ 9], S21, 0x21e1cde6); /* 25 */ + GG (d, a, b, c, x[14], S22, 0xc33707d6); /* 26 */ + GG (c, d, a, b, x[ 3], S23, 0xf4d50d87); /* 27 */ + + + +Rivest [Page 13] + +RFC 1321 MD5 Message-Digest Algorithm April 1992 + + + GG (b, c, d, a, x[ 8], S24, 0x455a14ed); /* 28 */ + GG (a, b, c, d, x[13], S21, 0xa9e3e905); /* 29 */ + GG (d, a, b, c, x[ 2], S22, 0xfcefa3f8); /* 30 */ + GG (c, d, a, b, x[ 7], S23, 0x676f02d9); /* 31 */ + GG (b, c, d, a, x[12], S24, 0x8d2a4c8a); /* 32 */ + + /* Round 3 */ + HH (a, b, c, d, x[ 5], S31, 0xfffa3942); /* 33 */ + HH (d, a, b, c, x[ 8], S32, 0x8771f681); /* 34 */ + HH (c, d, a, b, x[11], S33, 0x6d9d6122); /* 35 */ + HH (b, c, d, a, x[14], S34, 0xfde5380c); /* 36 */ + HH (a, b, c, d, x[ 1], S31, 0xa4beea44); /* 37 */ + HH (d, a, b, c, x[ 4], S32, 0x4bdecfa9); /* 38 */ + HH (c, d, a, b, x[ 7], S33, 0xf6bb4b60); /* 39 */ + HH (b, c, d, a, x[10], S34, 0xbebfbc70); /* 40 */ + HH (a, b, c, d, x[13], S31, 0x289b7ec6); /* 41 */ + HH (d, a, b, c, x[ 0], S32, 0xeaa127fa); /* 42 */ + HH (c, d, a, b, x[ 3], S33, 0xd4ef3085); /* 43 */ + HH (b, c, d, a, x[ 6], S34, 0x4881d05); /* 44 */ + HH (a, b, c, d, x[ 9], S31, 0xd9d4d039); /* 45 */ + HH (d, a, b, c, x[12], S32, 0xe6db99e5); /* 46 */ + HH (c, d, a, b, x[15], S33, 0x1fa27cf8); /* 47 */ + HH (b, c, d, a, x[ 2], S34, 0xc4ac5665); /* 48 */ + + /* Round 4 */ + II (a, b, c, d, x[ 0], S41, 0xf4292244); /* 49 */ + II (d, a, b, c, x[ 7], S42, 0x432aff97); /* 50 */ + II (c, d, a, b, x[14], S43, 0xab9423a7); /* 51 */ + II (b, c, d, a, x[ 5], S44, 0xfc93a039); /* 52 */ + II (a, b, c, d, x[12], S41, 0x655b59c3); /* 53 */ + II (d, a, b, c, x[ 3], S42, 0x8f0ccc92); /* 54 */ + II (c, d, a, b, x[10], S43, 0xffeff47d); /* 55 */ + II (b, c, d, a, x[ 1], S44, 0x85845dd1); /* 56 */ + II (a, b, c, d, x[ 8], S41, 0x6fa87e4f); /* 57 */ + II (d, a, b, c, x[15], S42, 0xfe2ce6e0); /* 58 */ + II (c, d, a, b, x[ 6], S43, 0xa3014314); /* 59 */ + II (b, c, d, a, x[13], S44, 0x4e0811a1); /* 60 */ + II (a, b, c, d, x[ 4], S41, 0xf7537e82); /* 61 */ + II (d, a, b, c, x[11], S42, 0xbd3af235); /* 62 */ + II (c, d, a, b, x[ 2], S43, 0x2ad7d2bb); /* 63 */ + II (b, c, d, a, x[ 9], S44, 0xeb86d391); /* 64 */ + + state[0] += a; + state[1] += b; + state[2] += c; + state[3] += d; + + /* Zeroize sensitive information. + + + +Rivest [Page 14] + +RFC 1321 MD5 Message-Digest Algorithm April 1992 + + +*/ + MD5_memset ((POINTER)x, 0, sizeof (x)); +} + +/* Encodes input (UINT4) into output (unsigned char). Assumes len is + a multiple of 4. + */ +static void Encode (output, input, len) +unsigned char *output; +UINT4 *input; +unsigned int len; +{ + unsigned int i, j; + + for (i = 0, j = 0; j < len; i++, j += 4) { + output[j] = (unsigned char)(input[i] & 0xff); + output[j+1] = (unsigned char)((input[i] >> 8) & 0xff); + output[j+2] = (unsigned char)((input[i] >> 16) & 0xff); + output[j+3] = (unsigned char)((input[i] >> 24) & 0xff); + } +} + +/* Decodes input (unsigned char) into output (UINT4). Assumes len is + a multiple of 4. + */ +static void Decode (output, input, len) +UINT4 *output; +unsigned char *input; +unsigned int len; +{ + unsigned int i, j; + + for (i = 0, j = 0; j < len; i++, j += 4) + output[i] = ((UINT4)input[j]) | (((UINT4)input[j+1]) << 8) | + (((UINT4)input[j+2]) << 16) | (((UINT4)input[j+3]) << 24); +} + +/* Note: Replace "for loop" with standard memcpy if possible. + */ + +static void MD5_memcpy (output, input, len) +POINTER output; +POINTER input; +unsigned int len; +{ + unsigned int i; + + for (i = 0; i < len; i++) + + + +Rivest [Page 15] + +RFC 1321 MD5 Message-Digest Algorithm April 1992 + + + output[i] = input[i]; +} + +/* Note: Replace "for loop" with standard memset if possible. + */ +static void MD5_memset (output, value, len) +POINTER output; +int value; +unsigned int len; +{ + unsigned int i; + + for (i = 0; i < len; i++) + ((char *)output)[i] = (char)value; +} + +A.4 mddriver.c + +/* MDDRIVER.C - test driver for MD2, MD4 and MD5 + */ + +/* Copyright (C) 1990-2, RSA Data Security, Inc. Created 1990. All +rights reserved. + +RSA Data Security, Inc. makes no representations concerning either +the merchantability of this software or the suitability of this +software for any particular purpose. It is provided "as is" +without express or implied warranty of any kind. + +These notices must be retained in any copies of any part of this +documentation and/or software. + */ + +/* The following makes MD default to MD5 if it has not already been + defined with C compiler flags. + */ +#ifndef MD +#define MD MD5 +#endif + +#include +#include +#include +#include "global.h" +#if MD == 2 +#include "md2.h" +#endif +#if MD == 4 + + + +Rivest [Page 16] + +RFC 1321 MD5 Message-Digest Algorithm April 1992 + + +#include "md4.h" +#endif +#if MD == 5 +#include "md5.h" +#endif + +/* Length of test block, number of test blocks. + */ +#define TEST_BLOCK_LEN 1000 +#define TEST_BLOCK_COUNT 1000 + +static void MDString PROTO_LIST ((char *)); +static void MDTimeTrial PROTO_LIST ((void)); +static void MDTestSuite PROTO_LIST ((void)); +static void MDFile PROTO_LIST ((char *)); +static void MDFilter PROTO_LIST ((void)); +static void MDPrint PROTO_LIST ((unsigned char [16])); + +#if MD == 2 +#define MD_CTX MD2_CTX +#define MDInit MD2Init +#define MDUpdate MD2Update +#define MDFinal MD2Final +#endif +#if MD == 4 +#define MD_CTX MD4_CTX +#define MDInit MD4Init +#define MDUpdate MD4Update +#define MDFinal MD4Final +#endif +#if MD == 5 +#define MD_CTX MD5_CTX +#define MDInit MD5Init +#define MDUpdate MD5Update +#define MDFinal MD5Final +#endif + +/* Main driver. + +Arguments (may be any combination): + -sstring - digests string + -t - runs time trial + -x - runs test script + filename - digests file + (none) - digests standard input + */ +int main (argc, argv) +int argc; + + + +Rivest [Page 17] + +RFC 1321 MD5 Message-Digest Algorithm April 1992 + + +char *argv[]; +{ + int i; + + if (argc > 1) + for (i = 1; i < argc; i++) + if (argv[i][0] == '-' && argv[i][1] == 's') + MDString (argv[i] + 2); + else if (strcmp (argv[i], "-t") == 0) + MDTimeTrial (); + else if (strcmp (argv[i], "-x") == 0) + MDTestSuite (); + else + MDFile (argv[i]); + else + MDFilter (); + + return (0); +} + +/* Digests a string and prints the result. + */ +static void MDString (string) +char *string; +{ + MD_CTX context; + unsigned char digest[16]; + unsigned int len = strlen (string); + + MDInit (&context); + MDUpdate (&context, string, len); + MDFinal (digest, &context); + + printf ("MD%d (\"%s\") = ", MD, string); + MDPrint (digest); + printf ("\n"); +} + +/* Measures the time to digest TEST_BLOCK_COUNT TEST_BLOCK_LEN-byte + blocks. + */ +static void MDTimeTrial () +{ + MD_CTX context; + time_t endTime, startTime; + unsigned char block[TEST_BLOCK_LEN], digest[16]; + unsigned int i; + + + + +Rivest [Page 18] + +RFC 1321 MD5 Message-Digest Algorithm April 1992 + + + printf + ("MD%d time trial. Digesting %d %d-byte blocks ...", MD, + TEST_BLOCK_LEN, TEST_BLOCK_COUNT); + + /* Initialize block */ + for (i = 0; i < TEST_BLOCK_LEN; i++) + block[i] = (unsigned char)(i & 0xff); + + /* Start timer */ + time (&startTime); + + /* Digest blocks */ + MDInit (&context); + for (i = 0; i < TEST_BLOCK_COUNT; i++) + MDUpdate (&context, block, TEST_BLOCK_LEN); + MDFinal (digest, &context); + + /* Stop timer */ + time (&endTime); + + printf (" done\n"); + printf ("Digest = "); + MDPrint (digest); + printf ("\nTime = %ld seconds\n", (long)(endTime-startTime)); + printf + ("Speed = %ld bytes/second\n", + (long)TEST_BLOCK_LEN * (long)TEST_BLOCK_COUNT/(endTime-startTime)); +} + +/* Digests a reference suite of strings and prints the results. + */ +static void MDTestSuite () +{ + printf ("MD%d test suite:\n", MD); + + MDString (""); + MDString ("a"); + MDString ("abc"); + MDString ("message digest"); + MDString ("abcdefghijklmnopqrstuvwxyz"); + MDString + ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"); + MDString + ("1234567890123456789012345678901234567890\ +1234567890123456789012345678901234567890"); +} + +/* Digests a file and prints the result. + + + +Rivest [Page 19] + +RFC 1321 MD5 Message-Digest Algorithm April 1992 + + + */ +static void MDFile (filename) +char *filename; +{ + FILE *file; + MD_CTX context; + int len; + unsigned char buffer[1024], digest[16]; + + if ((file = fopen (filename, "rb")) == NULL) + printf ("%s can't be opened\n", filename); + + else { + MDInit (&context); + while (len = fread (buffer, 1, 1024, file)) + MDUpdate (&context, buffer, len); + MDFinal (digest, &context); + + fclose (file); + + printf ("MD%d (%s) = ", MD, filename); + MDPrint (digest); + printf ("\n"); + } +} + +/* Digests the standard input and prints the result. + */ +static void MDFilter () +{ + MD_CTX context; + int len; + unsigned char buffer[16], digest[16]; + + MDInit (&context); + while (len = fread (buffer, 1, 16, stdin)) + MDUpdate (&context, buffer, len); + MDFinal (digest, &context); + + MDPrint (digest); + printf ("\n"); +} + +/* Prints a message digest in hexadecimal. + */ +static void MDPrint (digest) +unsigned char digest[16]; +{ + + + +Rivest [Page 20] + +RFC 1321 MD5 Message-Digest Algorithm April 1992 + + + unsigned int i; + + for (i = 0; i < 16; i++) + printf ("%02x", digest[i]); +} + +A.5 Test suite + + The MD5 test suite (driver option "-x") should print the following + results: + +MD5 test suite: +MD5 ("") = d41d8cd98f00b204e9800998ecf8427e +MD5 ("a") = 0cc175b9c0f1b6a831c399e269772661 +MD5 ("abc") = 900150983cd24fb0d6963f7d28e17f72 +MD5 ("message digest") = f96b697d7cb7938d525a2f31aaf161d0 +MD5 ("abcdefghijklmnopqrstuvwxyz") = c3fcd3d76192e4007dfb496cca67e13b +MD5 ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789") = +d174ab98d277d9f5a5611c2c9f419d9f +MD5 ("123456789012345678901234567890123456789012345678901234567890123456 +78901234567890") = 57edf4a22be3c955ac49da2e2107b67a + +Security Considerations + + The level of security discussed in this memo is considered to be + sufficient for implementing very high security hybrid digital- + signature schemes based on MD5 and a public-key cryptosystem. + +Author's Address + + Ronald L. Rivest + Massachusetts Institute of Technology + Laboratory for Computer Science + NE43-324 + 545 Technology Square + Cambridge, MA 02139-1986 + + Phone: (617) 253-5880 + EMail: rivest@theory.lcs.mit.edu + + + + + + + + + + + + +Rivest [Page 21] + \ No newline at end of file diff --git a/archive/rfc2104.txt b/archive/rfc2104.txt new file mode 100644 index 0000000..16a6461 --- /dev/null +++ b/archive/rfc2104.txt @@ -0,0 +1,619 @@ + + + + + + +Network Working Group H. Krawczyk +Request for Comments: 2104 IBM +Category: Informational M. Bellare + UCSD + R. Canetti + IBM + February 1997 + + + HMAC: Keyed-Hashing for Message Authentication + +Status of This Memo + + This memo provides information for the Internet community. This memo + does not specify an Internet standard of any kind. Distribution of + this memo is unlimited. + +Abstract + + This document describes HMAC, a mechanism for message authentication + using cryptographic hash functions. HMAC can be used with any + iterative cryptographic hash function, e.g., MD5, SHA-1, in + combination with a secret shared key. The cryptographic strength of + HMAC depends on the properties of the underlying hash function. + +1. Introduction + + Providing a way to check the integrity of information transmitted + over or stored in an unreliable medium is a prime necessity in the + world of open computing and communications. Mechanisms that provide + such integrity check based on a secret key are usually called + "message authentication codes" (MAC). Typically, message + authentication codes are used between two parties that share a secret + key in order to validate information transmitted between these + parties. In this document we present such a MAC mechanism based on + cryptographic hash functions. This mechanism, called HMAC, is based + on work by the authors [BCK1] where the construction is presented and + cryptographically analyzed. We refer to that work for the details on + the rationale and security analysis of HMAC, and its comparison to + other keyed-hash methods. + + + + + + + + + + + +Krawczyk, et. al. Informational [Page 1] + +RFC 2104 HMAC February 1997 + + + HMAC can be used in combination with any iterated cryptographic hash + function. MD5 and SHA-1 are examples of such hash functions. HMAC + also uses a secret key for calculation and verification of the + message authentication values. The main goals behind this + construction are + + * To use, without modifications, available hash functions. + In particular, hash functions that perform well in software, + and for which code is freely and widely available. + + * To preserve the original performance of the hash function without + incurring a significant degradation. + + * To use and handle keys in a simple way. + + * To have a well understood cryptographic analysis of the strength of + the authentication mechanism based on reasonable assumptions on the + underlying hash function. + + * To allow for easy replaceability of the underlying hash function in + case that faster or more secure hash functions are found or + required. + + This document specifies HMAC using a generic cryptographic hash + function (denoted by H). Specific instantiations of HMAC need to + define a particular hash function. Current candidates for such hash + functions include SHA-1 [SHA], MD5 [MD5], RIPEMD-128/160 [RIPEMD]. + These different realizations of HMAC will be denoted by HMAC-SHA1, + HMAC-MD5, HMAC-RIPEMD, etc. + + Note: To the date of writing of this document MD5 and SHA-1 are the + most widely used cryptographic hash functions. MD5 has been recently + shown to be vulnerable to collision search attacks [Dobb]. This + attack and other currently known weaknesses of MD5 do not compromise + the use of MD5 within HMAC as specified in this document (see + [Dobb]); however, SHA-1 appears to be a cryptographically stronger + function. To this date, MD5 can be considered for use in HMAC for + applications where the superior performance of MD5 is critical. In + any case, implementers and users need to be aware of possible + cryptanalytic developments regarding any of these cryptographic hash + functions, and the eventual need to replace the underlying hash + function. (See section 6 for more information on the security of + HMAC.) + + + + + + + + +Krawczyk, et. al. Informational [Page 2] + +RFC 2104 HMAC February 1997 + + +2. Definition of HMAC + + The definition of HMAC requires a cryptographic hash function, which + we denote by H, and a secret key K. We assume H to be a cryptographic + hash function where data is hashed by iterating a basic compression + function on blocks of data. We denote by B the byte-length of such + blocks (B=64 for all the above mentioned examples of hash functions), + and by L the byte-length of hash outputs (L=16 for MD5, L=20 for + SHA-1). The authentication key K can be of any length up to B, the + block length of the hash function. Applications that use keys longer + than B bytes will first hash the key using H and then use the + resultant L byte string as the actual key to HMAC. In any case the + minimal recommended length for K is L bytes (as the hash output + length). See section 3 for more information on keys. + + We define two fixed and different strings ipad and opad as follows + (the 'i' and 'o' are mnemonics for inner and outer): + + ipad = the byte 0x36 repeated B times + opad = the byte 0x5C repeated B times. + + To compute HMAC over the data `text' we perform + + H(K XOR opad, H(K XOR ipad, text)) + + Namely, + + (1) append zeros to the end of K to create a B byte string + (e.g., if K is of length 20 bytes and B=64, then K will be + appended with 44 zero bytes 0x00) + (2) XOR (bitwise exclusive-OR) the B byte string computed in step + (1) with ipad + (3) append the stream of data 'text' to the B byte string resulting + from step (2) + (4) apply H to the stream generated in step (3) + (5) XOR (bitwise exclusive-OR) the B byte string computed in + step (1) with opad + (6) append the H result from step (4) to the B byte string + resulting from step (5) + (7) apply H to the stream generated in step (6) and output + the result + + For illustration purposes, sample code based on MD5 is provided as an + appendix. + + + + + + + +Krawczyk, et. al. Informational [Page 3] + +RFC 2104 HMAC February 1997 + + +3. Keys + + The key for HMAC can be of any length (keys longer than B bytes are + first hashed using H). However, less than L bytes is strongly + discouraged as it would decrease the security strength of the + function. Keys longer than L bytes are acceptable but the extra + length would not significantly increase the function strength. (A + longer key may be advisable if the randomness of the key is + considered weak.) + + Keys need to be chosen at random (or using a cryptographically strong + pseudo-random generator seeded with a random seed), and periodically + refreshed. (Current attacks do not indicate a specific recommended + frequency for key changes as these attacks are practically + infeasible. However, periodic key refreshment is a fundamental + security practice that helps against potential weaknesses of the + function and keys, and limits the damage of an exposed key.) + +4. Implementation Note + + HMAC is defined in such a way that the underlying hash function H can + be used with no modification to its code. In particular, it uses the + function H with the pre-defined initial value IV (a fixed value + specified by each iterative hash function to initialize its + compression function). However, if desired, a performance + improvement can be achieved at the cost of (possibly) modifying the + code of H to support variable IVs. + + The idea is that the intermediate results of the compression function + on the B-byte blocks (K XOR ipad) and (K XOR opad) can be precomputed + only once at the time of generation of the key K, or before its first + use. These intermediate results are stored and then used to + initialize the IV of H each time that a message needs to be + authenticated. This method saves, for each authenticated message, + the application of the compression function of H on two B-byte blocks + (i.e., on (K XOR ipad) and (K XOR opad)). Such a savings may be + significant when authenticating short streams of data. We stress + that the stored intermediate values need to be treated and protected + the same as secret keys. + + Choosing to implement HMAC in the above way is a decision of the + local implementation and has no effect on inter-operability. + + + + + + + + + +Krawczyk, et. al. Informational [Page 4] + +RFC 2104 HMAC February 1997 + + +5. Truncated output + + A well-known practice with message authentication codes is to + truncate the output of the MAC and output only part of the bits + (e.g., [MM, ANSI]). Preneel and van Oorschot [PV] show some + analytical advantages of truncating the output of hash-based MAC + functions. The results in this area are not absolute as for the + overall security advantages of truncation. It has advantages (less + information on the hash result available to an attacker) and + disadvantages (less bits to predict for the attacker). Applications + of HMAC can choose to truncate the output of HMAC by outputting the t + leftmost bits of the HMAC computation for some parameter t (namely, + the computation is carried in the normal way as defined in section 2 + above but the end result is truncated to t bits). We recommend that + the output length t be not less than half the length of the hash + output (to match the birthday attack bound) and not less than 80 bits + (a suitable lower bound on the number of bits that need to be + predicted by an attacker). We propose denoting a realization of HMAC + that uses a hash function H with t bits of output as HMAC-H-t. For + example, HMAC-SHA1-80 denotes HMAC computed using the SHA-1 function + and with the output truncated to 80 bits. (If the parameter t is not + specified, e.g. HMAC-MD5, then it is assumed that all the bits of the + hash are output.) + +6. Security + + The security of the message authentication mechanism presented here + depends on cryptographic properties of the hash function H: the + resistance to collision finding (limited to the case where the + initial value is secret and random, and where the output of the + function is not explicitly available to the attacker), and the + message authentication property of the compression function of H when + applied to single blocks (in HMAC these blocks are partially unknown + to an attacker as they contain the result of the inner H computation + and, in particular, cannot be fully chosen by the attacker). + + These properties, and actually stronger ones, are commonly assumed + for hash functions of the kind used with HMAC. In particular, a hash + function for which the above properties do not hold would become + unsuitable for most (probably, all) cryptographic applications, + including alternative message authentication schemes based on such + functions. (For a complete analysis and rationale of the HMAC + function the reader is referred to [BCK1].) + + + + + + + + +Krawczyk, et. al. Informational [Page 5] + +RFC 2104 HMAC February 1997 + + + Given the limited confidence gained so far as for the cryptographic + strength of candidate hash functions, it is important to observe the + following two properties of the HMAC construction and its secure use + for message authentication: + + 1. The construction is independent of the details of the particular + hash function H in use and then the latter can be replaced by any + other secure (iterative) cryptographic hash function. + + 2. Message authentication, as opposed to encryption, has a + "transient" effect. A published breaking of a message authentication + scheme would lead to the replacement of that scheme, but would have + no adversarial effect on information authenticated in the past. This + is in sharp contrast with encryption, where information encrypted + today may suffer from exposure in the future if, and when, the + encryption algorithm is broken. + + The strongest attack known against HMAC is based on the frequency of + collisions for the hash function H ("birthday attack") [PV,BCK2], and + is totally impractical for minimally reasonable hash functions. + + As an example, if we consider a hash function like MD5 where the + output length equals L=16 bytes (128 bits) the attacker needs to + acquire the correct message authentication tags computed (with the + _same_ secret key K!) on about 2**64 known plaintexts. This would + require the processing of at least 2**64 blocks under H, an + impossible task in any realistic scenario (for a block length of 64 + bytes this would take 250,000 years in a continuous 1Gbps link, and + without changing the secret key K during all this time). This attack + could become realistic only if serious flaws in the collision + behavior of the function H are discovered (e.g. collisions found + after 2**30 messages). Such a discovery would determine the immediate + replacement of the function H (the effects of such failure would be + far more severe for the traditional uses of H in the context of + digital signatures, public key certificates, etc.). + + Note: this attack needs to be strongly contrasted with regular + collision attacks on cryptographic hash functions where no secret key + is involved and where 2**64 off-line parallelizable (!) operations + suffice to find collisions. The latter attack is approaching + feasibility [VW] while the birthday attack on HMAC is totally + impractical. (In the above examples, if one uses a hash function + with, say, 160 bit of output then 2**64 should be replaced by 2**80.) + + + + + + + + +Krawczyk, et. al. Informational [Page 6] + +RFC 2104 HMAC February 1997 + + + A correct implementation of the above construction, the choice of + random (or cryptographically pseudorandom) keys, a secure key + exchange mechanism, frequent key refreshments, and good secrecy + protection of keys are all essential ingredients for the security of + the integrity verification mechanism provided by HMAC. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Krawczyk, et. al. Informational [Page 7] + +RFC 2104 HMAC February 1997 + + +Appendix -- Sample Code + + For the sake of illustration we provide the following sample code for + the implementation of HMAC-MD5 as well as some corresponding test + vectors (the code is based on MD5 code as described in [MD5]). + +/* +** Function: hmac_md5 +*/ + +void +hmac_md5(text, text_len, key, key_len, digest) +unsigned char* text; /* pointer to data stream */ +int text_len; /* length of data stream */ +unsigned char* key; /* pointer to authentication key */ +int key_len; /* length of authentication key */ +caddr_t digest; /* caller digest to be filled in */ + +{ + MD5_CTX context; + unsigned char k_ipad[65]; /* inner padding - + * key XORd with ipad + */ + unsigned char k_opad[65]; /* outer padding - + * key XORd with opad + */ + unsigned char tk[16]; + int i; + /* if key is longer than 64 bytes reset it to key=MD5(key) */ + if (key_len > 64) { + + MD5_CTX tctx; + + MD5Init(&tctx); + MD5Update(&tctx, key, key_len); + MD5Final(tk, &tctx); + + key = tk; + key_len = 16; + } + + /* + * the HMAC_MD5 transform looks like: + * + * MD5(K XOR opad, MD5(K XOR ipad, text)) + * + * where K is an n byte key + * ipad is the byte 0x36 repeated 64 times + + + +Krawczyk, et. al. Informational [Page 8] + +RFC 2104 HMAC February 1997 + + + * opad is the byte 0x5c repeated 64 times + * and text is the data being protected + */ + + /* start out by storing key in pads */ + bzero( k_ipad, sizeof k_ipad); + bzero( k_opad, sizeof k_opad); + bcopy( key, k_ipad, key_len); + bcopy( key, k_opad, key_len); + + /* XOR key with ipad and opad values */ + for (i=0; i<64; i++) { + k_ipad[i] ^= 0x36; + k_opad[i] ^= 0x5c; + } + /* + * perform inner MD5 + */ + MD5Init(&context); /* init context for 1st + * pass */ + MD5Update(&context, k_ipad, 64) /* start with inner pad */ + MD5Update(&context, text, text_len); /* then text of datagram */ + MD5Final(digest, &context); /* finish up 1st pass */ + /* + * perform outer MD5 + */ + MD5Init(&context); /* init context for 2nd + * pass */ + MD5Update(&context, k_opad, 64); /* start with outer pad */ + MD5Update(&context, digest, 16); /* then results of 1st + * hash */ + MD5Final(digest, &context); /* finish up 2nd pass */ +} + +Test Vectors (Trailing '\0' of a character string not included in test): + + key = 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b + key_len = 16 bytes + data = "Hi There" + data_len = 8 bytes + digest = 0x9294727a3638bb1c13f48ef8158bfc9d + + key = "Jefe" + data = "what do ya want for nothing?" + data_len = 28 bytes + digest = 0x750c783e6ab0b503eaa86e310a5db738 + + key = 0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + + + +Krawczyk, et. al. Informational [Page 9] + +RFC 2104 HMAC February 1997 + + + key_len 16 bytes + data = 0xDDDDDDDDDDDDDDDDDDDD... + ..DDDDDDDDDDDDDDDDDDDD... + ..DDDDDDDDDDDDDDDDDDDD... + ..DDDDDDDDDDDDDDDDDDDD... + ..DDDDDDDDDDDDDDDDDDDD + data_len = 50 bytes + digest = 0x56be34521d144c88dbb8c733f0e8b3f6 + +Acknowledgments + + Pau-Chen Cheng, Jeff Kraemer, and Michael Oehler, have provided + useful comments on early drafts, and ran the first interoperability + tests of this specification. Jeff and Pau-Chen kindly provided the + sample code and test vectors that appear in the appendix. Burt + Kaliski, Bart Preneel, Matt Robshaw, Adi Shamir, and Paul van + Oorschot have provided useful comments and suggestions during the + investigation of the HMAC construction. + +References + + [ANSI] ANSI X9.9, "American National Standard for Financial + Institution Message Authentication (Wholesale)," American + Bankers Association, 1981. Revised 1986. + + [Atk] Atkinson, R., "IP Authentication Header", RFC 1826, August + 1995. + + [BCK1] M. Bellare, R. Canetti, and H. Krawczyk, + "Keyed Hash Functions and Message Authentication", + Proceedings of Crypto'96, LNCS 1109, pp. 1-15. + (http://www.research.ibm.com/security/keyed-md5.html) + + [BCK2] M. Bellare, R. Canetti, and H. Krawczyk, + "Pseudorandom Functions Revisited: The Cascade Construction", + Proceedings of FOCS'96. + + [Dobb] H. Dobbertin, "The Status of MD5 After a Recent Attack", + RSA Labs' CryptoBytes, Vol. 2 No. 2, Summer 1996. + http://www.rsa.com/rsalabs/pubs/cryptobytes.html + + [PV] B. Preneel and P. van Oorschot, "Building fast MACs from hash + functions", Advances in Cryptology -- CRYPTO'95 Proceedings, + Lecture Notes in Computer Science, Springer-Verlag Vol.963, + 1995, pp. 1-14. + + [MD5] Rivest, R., "The MD5 Message-Digest Algorithm", + RFC 1321, April 1992. + + + +Krawczyk, et. al. Informational [Page 10] + +RFC 2104 HMAC February 1997 + + + [MM] Meyer, S. and Matyas, S.M., Cryptography, New York Wiley, + 1982. + + [RIPEMD] H. Dobbertin, A. Bosselaers, and B. Preneel, "RIPEMD-160: A + strengthened version of RIPEMD", Fast Software Encryption, + LNCS Vol 1039, pp. 71-82. + ftp://ftp.esat.kuleuven.ac.be/pub/COSIC/bosselae/ripemd/. + + [SHA] NIST, FIPS PUB 180-1: Secure Hash Standard, April 1995. + + [Tsu] G. Tsudik, "Message authentication with one-way hash + functions", In Proceedings of Infocom'92, May 1992. + (Also in "Access Control and Policy Enforcement in + Internetworks", Ph.D. Dissertation, Computer Science + Department, University of Southern California, April 1991.) + + [VW] P. van Oorschot and M. Wiener, "Parallel Collision + Search with Applications to Hash Functions and Discrete + Logarithms", Proceedings of the 2nd ACM Conf. Computer and + Communications Security, Fairfax, VA, November 1994. + +Authors' Addresses + + Hugo Krawczyk + IBM T.J. Watson Research Center + P.O.Box 704 + Yorktown Heights, NY 10598 + + EMail: hugo@watson.ibm.com + + Mihir Bellare + Dept of Computer Science and Engineering + Mail Code 0114 + University of California at San Diego + 9500 Gilman Drive + La Jolla, CA 92093 + + EMail: mihir@cs.ucsd.edu + + Ran Canetti + IBM T.J. Watson Research Center + P.O.Box 704 + Yorktown Heights, NY 10598 + + EMail: canetti@watson.ibm.com + + + + + + +Krawczyk, et. al. Informational [Page 11] + diff --git a/base64.c b/base64.c new file mode 100644 index 0000000..c05624d --- /dev/null +++ b/base64.c @@ -0,0 +1,324 @@ +/* OPENBSD ORIGINAL: lib/libc/net/base64.c */ + +/* $OpenBSD: base64.c,v 1.4 2002/01/02 23:00:10 deraadt Exp $ */ + +/* + * Copyright (c) 1996 by Internet Software Consortium. + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS + * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE + * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL + * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR + * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS + * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS + * SOFTWARE. + */ + +/* + * Portions Copyright (c) 1995 by International Business Machines, Inc. + * + * International Business Machines, Inc. (hereinafter called IBM) grants + * permission under its copyrights to use, copy, modify, and distribute this + * Software with or without fee, provided that the above copyright notice and + * all paragraphs of this notice appear in all copies, and that the name of IBM + * not be used in connection with the marketing of any product incorporating + * the Software or modifications thereof, without specific, written prior + * permission. + * + * To the extent it has a right to do so, IBM grants an immunity from suit + * under its patents, if any, for the use, sale or manufacture of products to + * the extent that such products are used for performing Domain Name System + * dynamic updates in TCP/IP networks by means of the Software. No immunity is + * granted for any product per se or for any other function of any product. + * + * THE SOFTWARE IS PROVIDED "AS IS", AND IBM DISCLAIMS ALL WARRANTIES, + * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A + * PARTICULAR PURPOSE. IN NO EVENT SHALL IBM BE LIABLE FOR ANY SPECIAL, + * DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER ARISING + * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE, EVEN + * IF IBM IS APPRISED OF THE POSSIBILITY OF SUCH DAMAGES. + */ + +/* #include "includes.h" */ + +#if (!defined(HAVE_B64_NTOP) && !defined(HAVE___B64_NTOP)) || (!defined(HAVE_B64_PTON) && !defined(HAVE___B64_PTON)) + +#include +#include +#include +#include +#include + +#include +#include + +#include +#include + +#include "base64.h" + +/* XXX abort illegal in library */ +#define Assert(Cond) if (!(Cond)) abort() + +static const char Base64[] = + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; +static const char Pad64 = '='; + +/* (From RFC1521 and draft-ietf-dnssec-secext-03.txt) + The following encoding technique is taken from RFC 1521 by Borenstein + and Freed. It is reproduced here in a slightly edited form for + convenience. + + A 65-character subset of US-ASCII is used, enabling 6 bits to be + represented per printable character. (The extra 65th character, "=", + is used to signify a special processing function.) + + The encoding process represents 24-bit groups of input bits as output + strings of 4 encoded characters. Proceeding from left to right, a + 24-bit input group is formed by concatenating 3 8-bit input groups. + These 24 bits are then treated as 4 concatenated 6-bit groups, each + of which is translated into a single digit in the base64 alphabet. + + Each 6-bit group is used as an index into an array of 64 printable + characters. The character referenced by the index is placed in the + output string. + + Table 1: The Base64 Alphabet + + Value Encoding Value Encoding Value Encoding Value Encoding + 0 A 17 R 34 i 51 z + 1 B 18 S 35 j 52 0 + 2 C 19 T 36 k 53 1 + 3 D 20 U 37 l 54 2 + 4 E 21 V 38 m 55 3 + 5 F 22 W 39 n 56 4 + 6 G 23 X 40 o 57 5 + 7 H 24 Y 41 p 58 6 + 8 I 25 Z 42 q 59 7 + 9 J 26 a 43 r 60 8 + 10 K 27 b 44 s 61 9 + 11 L 28 c 45 t 62 + + 12 M 29 d 46 u 63 / + 13 N 30 e 47 v + 14 O 31 f 48 w (pad) = + 15 P 32 g 49 x + 16 Q 33 h 50 y + + Special processing is performed if fewer than 24 bits are available + at the end of the data being encoded. A full encoding quantum is + always completed at the end of a quantity. When fewer than 24 input + bits are available in an input group, zero bits are added (on the + right) to form an integral number of 6-bit groups. Padding at the + end of the data is performed using the '=' character. + + Since all base64 input is an integral number of octets, only the + ------------------------------------------------- + following cases can arise: + + (1) the final quantum of encoding input is an integral + multiple of 24 bits; here, the final unit of encoded + output will be an integral multiple of 4 characters + with no "=" padding, + (2) the final quantum of encoding input is exactly 8 bits; + here, the final unit of encoded output will be two + characters followed by two "=" padding characters, or + (3) the final quantum of encoding input is exactly 16 bits; + here, the final unit of encoded output will be three + characters followed by one "=" padding character. + */ + +#if !defined(HAVE_B64_NTOP) && !defined(HAVE___B64_NTOP) +int +b64_ntop(u_char const *src, size_t srclength, char *target, size_t targsize) +{ + size_t datalength = 0; + u_char input[3]; + u_char output[4]; + int i; + + while (2 < srclength) { + input[0] = *src++; + input[1] = *src++; + input[2] = *src++; + srclength -= 3; + + output[0] = input[0] >> 2; + output[1] = ((input[0] & 0x03) << 4) + (input[1] >> 4); + output[2] = ((input[1] & 0x0f) << 2) + (input[2] >> 6); + output[3] = input[2] & 0x3f; + Assert(output[0] < 64); + Assert(output[1] < 64); + Assert(output[2] < 64); + Assert(output[3] < 64); + + if (datalength + 4 > targsize) + return (-1); + target[datalength++] = Base64[output[0]]; + target[datalength++] = Base64[output[1]]; + target[datalength++] = Base64[output[2]]; + target[datalength++] = Base64[output[3]]; + } + + /* Now we worry about padding. */ + if (0 != srclength) { + /* Get what's left. */ + input[0] = input[1] = input[2] = '\0'; + for (i = 0; i < srclength; i++) + input[i] = *src++; + + output[0] = input[0] >> 2; + output[1] = ((input[0] & 0x03) << 4) + (input[1] >> 4); + output[2] = ((input[1] & 0x0f) << 2) + (input[2] >> 6); + Assert(output[0] < 64); + Assert(output[1] < 64); + Assert(output[2] < 64); + + if (datalength + 4 > targsize) + return (-1); + target[datalength++] = Base64[output[0]]; + target[datalength++] = Base64[output[1]]; + if (srclength == 1) + target[datalength++] = Pad64; + else + target[datalength++] = Base64[output[2]]; + target[datalength++] = Pad64; + } + if (datalength >= targsize) + return (-1); + target[datalength] = '\0'; /* Returned value doesn't count \0. */ + return (datalength); +} +#endif /* !defined(HAVE_B64_NTOP) && !defined(HAVE___B64_NTOP) */ + +#if !defined(HAVE_B64_PTON) && !defined(HAVE___B64_PTON) + +/* skips all whitespace anywhere. + converts characters, four at a time, starting at (or after) + src from base - 64 numbers into three 8 bit bytes in the target area. + it returns the number of data bytes stored at the target, or -1 on error. + */ + +int +b64_pton(char const *src, u_char *target, size_t targsize) +{ + int tarindex, state, ch; + char *pos; + + state = 0; + tarindex = 0; + + while ((ch = *src++) != '\0') { + if (isspace(ch)) /* Skip whitespace anywhere. */ + continue; + + if (ch == Pad64) + break; + + pos = strchr(Base64, ch); + if (pos == 0) /* A non-base64 character. */ + return (-1); + + switch (state) { + case 0: + if (target) { + if (tarindex >= targsize) + return (-1); + target[tarindex] = (pos - Base64) << 2; + } + state = 1; + break; + case 1: + if (target) { + if (tarindex + 1 >= targsize) + return (-1); + target[tarindex] |= (pos - Base64) >> 4; + target[tarindex+1] = ((pos - Base64) & 0x0f) + << 4 ; + } + tarindex++; + state = 2; + break; + case 2: + if (target) { + if (tarindex + 1 >= targsize) + return (-1); + target[tarindex] |= (pos - Base64) >> 2; + target[tarindex+1] = ((pos - Base64) & 0x03) + << 6; + } + tarindex++; + state = 3; + break; + case 3: + if (target) { + if (tarindex >= targsize) + return (-1); + target[tarindex] |= (pos - Base64); + } + tarindex++; + state = 0; + break; + } + } + + /* + * We are done decoding Base-64 chars. Let's see if we ended + * on a byte boundary, and/or with erroneous trailing characters. + */ + + if (ch == Pad64) { /* We got a pad char. */ + ch = *src++; /* Skip it, get next. */ + switch (state) { + case 0: /* Invalid = in first position */ + case 1: /* Invalid = in second position */ + return (-1); + + case 2: /* Valid, means one byte of info */ + /* Skip any number of spaces. */ + for (; ch != '\0'; ch = *src++) + if (!isspace(ch)) + break; + /* Make sure there is another trailing = sign. */ + if (ch != Pad64) + return (-1); + ch = *src++; /* Skip the = */ + /* Fall through to "single trailing =" case. */ + /* FALLTHROUGH */ + + case 3: /* Valid, means two bytes of info */ + /* + * We know this char is an =. Is there anything but + * whitespace after it? + */ + for (; ch != '\0'; ch = *src++) + if (!isspace(ch)) + return (-1); + + /* + * Now make sure for cases 2 and 3 that the "extra" + * bits that slopped past the last full byte were + * zeros. If we don't check them, they become a + * subliminal channel. + */ + if (target && target[tarindex] != 0) + return (-1); + } + } else { + /* + * We ended by seeing the end of the string. Make sure we + * have no partial bytes lying around. + */ + if (state != 0) + return (-1); + } + + return (tarindex); +} + +#endif /* !defined(HAVE_B64_PTON) && !defined(HAVE___B64_PTON) */ +#endif diff --git a/base64.h b/base64.h new file mode 100644 index 0000000..8f6c11c --- /dev/null +++ b/base64.h @@ -0,0 +1,65 @@ +/* $Id$ */ + +/* + * Copyright (c) 1996 by Internet Software Consortium. + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS + * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE + * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL + * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR + * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS + * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS + * SOFTWARE. + */ + +/* + * Portions Copyright (c) 1995 by International Business Machines, Inc. + * + * International Business Machines, Inc. (hereinafter called IBM) grants + * permission under its copyrights to use, copy, modify, and distribute this + * Software with or without fee, provided that the above copyright notice and + * all paragraphs of this notice appear in all copies, and that the name of IBM + * not be used in connection with the marketing of any product incorporating + * the Software or modifications thereof, without specific, written prior + * permission. + * + * To the extent it has a right to do so, IBM grants an immunity from suit + * under its patents, if any, for the use, sale or manufacture of products to + * the extent that such products are used for performing Domain Name System + * dynamic updates in TCP/IP networks by means of the Software. No immunity is + * granted for any product per se or for any other function of any product. + * + * THE SOFTWARE IS PROVIDED "AS IS", AND IBM DISCLAIMS ALL WARRANTIES, + * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A + * PARTICULAR PURPOSE. IN NO EVENT SHALL IBM BE LIABLE FOR ANY SPECIAL, + * DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER ARISING + * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE, EVEN + * IF IBM IS APPRISED OF THE POSSIBILITY OF SUCH DAMAGES. + */ + +#ifndef _BSD_BASE64_H +#define _BSD_BASE64_H + +/* #include "includes.h" */ + +#ifndef HAVE___B64_NTOP +# ifndef HAVE_B64_NTOP +int b64_ntop(u_char const *src, size_t srclength, char *target, + size_t targsize); +# endif /* !HAVE_B64_NTOP */ +# define __b64_ntop(a,b,c,d) b64_ntop(a,b,c,d) +#endif /* HAVE___B64_NTOP */ + +#ifndef HAVE___B64_PTON +# ifndef HAVE_B64_PTON +int b64_pton(char const *src, u_char *target, size_t targsize); +# endif /* !HAVE_B64_PTON */ +# define __b64_pton(a,b,c) b64_pton(a,b,c) +#endif /* HAVE___B64_PTON */ + +#endif /* _BSD_BASE64_H */ diff --git a/cmd5apoppw.8 b/cmd5apoppw.8 new file mode 100644 index 0000000..1053e5b --- /dev/null +++ b/cmd5apoppw.8 @@ -0,0 +1,106 @@ +.TH cmd5apoppw 8 +.SH NAME +cmd5apoppw \- check a cram-md5 authentication +.SH SYNOPSIS +.B cmd5apoppw +.I subprogram +[ +.I args ... +] +.SH DESCRIPTION +.B cmd5apoppw +reads descriptor 3 through end of file +and then closes descriptor 3. +There must be at most 512 bytes of data before end of file. + +The information supplied on descriptor 3 +is a login name terminated by \e0, +a cram-md5 challenge terminated by \e0, +and a cram-md5 response terminated by \e0. + +.B cmd5apoppw +encrypts the challenge with keyed MD5 using passwords from +.BR ~/.apop . +It's compared with response (3rd parameter) and if they are the same +then +.B cmd5apoppw +uses +.B execvp +to run +.B subprogram +with the given arguments. +If they differ then it returns -1. + +If challenge and response differ, +.B cmd5apoppw +exits 1. +If +.B cmd5apoppw +is misused, +it may instead exit 2. +If there is a temporary problem checking the password, +.B cmd5apoppw +exits 111. + +.B cmd5apoppw +does not provide PLAIN nor LOGIN authtype. + +.SH "CHECKPASSWORD-COMPATIBLE TOOLS" +.B cmd5apoppw +tries to conform to the +.B checkpassword +interface. +There are other tools that offer the same interface as +.BR checkpassword . +Applications that use +.B checkpassword +are encouraged to take the +.B checkpassword +name as an argument, +so that they can be used with different +.BR checkpassword -compatible +tools. + +Note that these tools do not follow the +.B getopt +interface. +Optional features are controlled through +(1) the tool name and +(2) environment variables. +.SH "FILES" +~/.apop - this file contains user's APOP and SMTP-AUTH password in +any encoded format. The text will be extracted via +.B deapop +command, whose default location is /usr/local/sbin. +Note that text in ~/.apop is NOT encrypted. The reason for +saving in encoded format is because it won't be exposed by user's +misoperation or filesystem trouble. + +User have to make it unreadable by others. + +.SH "EXTENDED MAIL ACCOUNT" +We can use extra mail address by creating ~/.qmail-suffix in qmail world. +Also we can create many mail accounts in virtualdomain with or without +creating real user in /etc/passwd. +.B cmdapoppw +will take appropriate password file other than default ~/.apop when +that mail account is controled by another dot-qmail file. The file +name will be decided by the same manner as dot-qmail. + +If you are using +.B foo@vdom.example.co.jp, +which is controled by +.B /some/dir/.qmail-foo, +just put its password in +.B /some/dir/.apop-foo . +In this case, smtp-auth user name for mail user agent should be +.B "foo@vdom.example.co.jp" . +.SH "VERSION" +This documentation describes +.B cmd5apoppw +version 1. +See +.B http://www.gentei.org/software/qmapop-smtp-auth/ +for updates. +.SH "SEE ALSO" +checkpassword(8) diff --git a/deapop b/deapop new file mode 100755 index 0000000..2e1cb64 --- /dev/null +++ b/deapop @@ -0,0 +1,6 @@ +#!/bin/sh +# This is sample decoding script. +case `file $1` in + *ASCII*) cat $1 ;; + *gzip*) gzcat $1 ;; +esac diff --git a/global.h b/global.h new file mode 100644 index 0000000..e990ee0 --- /dev/null +++ b/global.h @@ -0,0 +1,48 @@ +/* GLOBAL.H - RSAREF types and constants */ + +#include + +/* Copyright (C) RSA Laboratories, a division of RSA Data Security, + Inc., created 1991. All rights reserved. + */ + +#ifndef _GLOBAL_H_ +#define _GLOBAL_H_ 1 + +/* PROTOTYPES should be set to one if and only if the compiler supports + function argument prototyping. + The following makes PROTOTYPES default to 1 if it has not already been + defined as 0 with C compiler flags. + */ +#ifndef PROTOTYPES +#define PROTOTYPES 1 +#endif + +/* POINTER defines a generic pointer type */ +typedef unsigned char *POINTER; + +/* UINT2 defines a two byte word */ +typedef unsigned short int UINT2; + +/* UINT4 defines a four byte word */ +typedef unsigned long int UINT4; + +#ifndef NULL_PTR +#define NULL_PTR ((POINTER)0) +#endif + +#ifndef UNUSED_ARG +#define UNUSED_ARG(x) x = *(&x); +#endif + +/* PROTO_LIST is defined depending on how PROTOTYPES is defined above. + If using PROTOTYPES, then PROTO_LIST returns the list, otherwise it + returns an empty list. + */ +#if PROTOTYPES +#define PROTO_LIST(list) list +#else +#define PROTO_LIST(list) () +#endif + +#endif /* end _GLOBAL_H_ */ diff --git a/hmac_md5.c b/hmac_md5.c new file mode 100644 index 0000000..606979d --- /dev/null +++ b/hmac_md5.c @@ -0,0 +1,76 @@ +#include "global.h" +#include "md5.h" + +/* +** Function: hmac_md5 +*/ + +void hmac_md5(text, text_len, key, key_len, digest) +unsigned char* text; /* pointer to data stream */ +int text_len; /* length of data stream */ +unsigned char* key; /* pointer to authentication key */ +int key_len; /* length of authentication key */ +unsigned char *digest; /* caller digest to be filled in */ + +{ + MD5_CTX context; + unsigned char k_ipad[65]; /* inner padding - + * key XORd with ipad + */ + unsigned char k_opad[65]; /* outer padding - + * key XORd with opad + */ + unsigned char tk[16]; + int i; + /* if key is longer than 64 bytes reset it to key=MD5(key) */ + if (key_len > 64) { + + MD5_CTX tctx; + + MD5Init(&tctx); + MD5Update(&tctx, key, key_len); + MD5Final(tk, &tctx); + + key = tk; + key_len = 16; + } + + /* + * the HMAC_MD5 transform looks like: + * + * MD5(K XOR opad, MD5(K XOR ipad, text)) + * + * where K is an n byte key + * ipad is the byte 0x36 repeated 64 times + * opad is the byte 0x5c repeated 64 times + * and text is the data being protected + */ + + /* start out by storing key in pads */ + bzero( k_ipad, sizeof k_ipad); + bzero( k_opad, sizeof k_opad); + bcopy( key, k_ipad, key_len); + bcopy( key, k_opad, key_len); + + /* XOR key with ipad and opad values */ + for (i=0; i<64; i++) { + k_ipad[i] ^= 0x36; + k_opad[i] ^= 0x5c; + } + /* + * perform inner MD5 + */ + MD5Init(&context); /* init context for 1st pass */ + MD5Update(&context, k_ipad, 64); /* start with inner pad */ + MD5Update(&context, text, text_len); /* then text of datagram */ + MD5Final(digest, &context); /* finish up 1st pass */ + /* + * perform outer MD5 + */ + MD5Init(&context); /* init context for 2nd + * pass */ + MD5Update(&context, k_opad, 64); /* start with outer pad */ + MD5Update(&context, digest, 16); /* then results of 1st + * hash */ + MD5Final(digest, &context); /* finish up 2nd pass */ +} diff --git a/hmac_md5.h b/hmac_md5.h new file mode 100644 index 0000000..8c1d835 --- /dev/null +++ b/hmac_md5.h @@ -0,0 +1,11 @@ + +/* prototypes */ + +void hmac_md5( unsigned char* text, int text_len, unsigned char* key, int key_len, unsigned char* digest); + +/* pointer to data stream */ +/* length of data stream */ +/* pointer to authentication key */ +/* length of authentication key */ +/* caller digest to be filled in */ + diff --git a/ht b/ht new file mode 100755 index 0000000..03c8c96 --- /dev/null +++ b/ht Binary files differ diff --git a/ht.c b/ht.c new file mode 100644 index 0000000..72b63be --- /dev/null +++ b/ht.c @@ -0,0 +1,33 @@ +#include +#include +#include +#include +#include +#include "hmac_md5.h" +#include "base64.h" + +#define L (_PASSWORD_LEN+256) +int main(int argc, char *argv[]) +{ + unsigned char digest[16]; + char d_str[L]; + char b6[L*2]; + char *pw, *p; + int i; + if (argc != 3) { + printf("Usage: ht UserName ChallengeInBase64\n"); + exit(1); + } + pw = getpass("SMTP-AUTH Password: "); + b64_pton(argv[2], b6, L*2); + hmac_md5(b6, strlen(b6), pw, strlen(pw), digest); + memset(pw, 0, strlen(pw)); + snprintf(d_str, sizeof d_str, "%s ", argv[1]); + p = d_str+strlen(d_str); + for (i=0; i<16 && p +#include +#include +#include +#include +#include +#include +#include +#include + +#define LINE_MAX 256 +char up[513]; +int uplen; +static char hextab[]="0123456789abcdef"; + +#ifndef USERAPOPFILE +# define USERAPOPFILE ".apop" +#endif +#ifndef APOPOPEN +# define APOPOPEN "/usr/local/sbin/deapop" +#endif +#ifndef DASH +# define DASH "-" +#endif +#define PATHSIZ MAXPATHLEN +#ifndef QMAILCONTROL +# define QMAILCONTROL "/var/qmail/control" +#endif +static char pathname[MAXPATHLEN]; +static char *qmailcontrol = QMAILCONTROL; + + +void abortwithmsg(char *msg) +{ + fprintf(stderr, "%s\n", msg); + _exit(3); +} +void nomem() +{ + abortwithmsg("Out of memory"); +} + + +/* memo: + \0 can be dropped by strncpy. + \0 never be dropped by snprintf. + */ + +char* conv_virtualdomain(char *mailname) +{ + char *dom = strchr(mailname, '@'), *p; + char vd[PATHSIZ+1], previous[PATHSIZ+1]; + static char rewrite[PATHSIZ+1]; + FILE *vdfd; + int match=0; + if (!dom) return mailname; + + snprintf(vd, PATHSIZ, "%s/%s", qmailcontrol, "virtualdomains"); + dom++; /* set position of domain part beginning */ + if (dom && NULL != (vdfd = fopen (vd, "r"))) { + char buf[PATHSIZ+1], *s; + int l = strlen(dom); + int L = strlen(mailname); + while ((s=fgets(buf, PATHSIZ, vdfd))) { + if ((p=strchr(s, '#'))) + *p = '\0'; /* zap comments */ + if (!strchr(buf, ':')) + continue; + while (s && (strrchr(s, '\n') || strrchr(s, '\r') || strrchr(s, ' '))) + s[strlen(s)-1] = '\0'; + if (!strncmp(mailname, s, L) && s[L] == ':' && s[L+1]) { /* user matches */ + match = 3; + snprintf(rewrite, PATHSIZ, "%s%s%s", s+L+1, DASH, mailname); + break; + } + if (!strncmp(dom, s, l) && s[l] == ':' && s[l+1]) { /* domain matches */ + match = 2; + snprintf(rewrite, PATHSIZ, "%s%s%s", s+l+1, DASH, mailname); + continue; + } + if (match < 2 && s[0] == '.') { /* if domain described in wildcard */ + if ((p=strchr(s, ':'))) { + *p = '\0'; + if (!strcmp(dom+(strlen(dom)-strlen(s)), s)) { + if (match == 0 || strlen(previous) < strlen(s)) { + match = 1; + strncpy(previous, s, PATHSIZ); + snprintf(rewrite, PATHSIZ, "%s%s%s", p+1, DASH, mailname); + } + } + } + } + } + fclose(vdfd); + if (match) { + p = strchr(rewrite, '@'); + if (p) { + *p = '\0'; + } + memset(vd, 0, sizeof(vd)); + memset(previous, 0, sizeof(previous)); + return rewrite; + } + } + return mailname; /* no @ marks, return itself */ +} + +typedef union mixval { + int i; + char c; + char* cp; + FILE* fp; +} mix; + +mix* assign(char* job, mix arg) +{ + static mix rval; + return &rval; +} + +typedef struct { + int n; + char **line; +} Assign; + +static Assign ag[2] = {{0, 0}, {0, 0}}; +/* ag[0][] is for users/assign '=' type, + * ag[1][] is for users/assign '+' type. + */ +void init_assign() +{ + char assign[MAXPATHLEN]; + char *buf, *p; + FILE *fp; + struct stat st; + int i; + if (ag[0].line && ag[1].line) return; + snprintf(pathname, sizeof pathname, "%s", dirname(qmailcontrol)); + snprintf(assign, sizeof assign, "%s/%s", pathname, "users/assign"); + if (stat(assign, &st) < 0) + return; + if (NULL == (buf=(char*)malloc(st.st_size))) nomem(); + if (NULL == (fp=fopen(assign, "r"))) + return; + + for (i=0; i<2; i++) { + if (NULL == (ag[i].line = (char**)malloc(sizeof(char**)))) nomem(); + ag[i].line[0] = NULL; + } + + while (fgets(buf, st.st_size, fp)) { + int atype, n; + for (p=buf; strchr(" \t", *p); p++) ; + if (*p == '#') continue; + atype = *p=='+' ? 1 : -(*p!='='); /* '='=0, '+'=1, other=-1 */ + if (atype==-1) continue; + n = ag[atype].n; + if (NULL == (ag[atype].line[n]=(char*)malloc(strlen(p)+1))) nomem(); + strncpy(ag[atype].line[n], p, strlen(p)); + ag[atype].line = (char**)realloc(ag[atype].line, (++n+1)*sizeof(char**)); + if (NULL == ag[atype].line) + _exit(3); + ag[atype].n = n; + ag[atype].line[n] = NULL; + } +#if 1 + int j; + for (i=0; i<2; i++) { + for (j=0; jpw_uid = (uid_t)atoi(p); + free(p); + } + if ((p=getfieldn(line, 4, delim))) { + pw->pw_gid = (uid_t)atoi(p); + free(p); + } + if ((p=getfieldn(line, 5, delim))) { + pw->pw_dir = p; /* Don't free here */ + } +} + +static char* substr(char *s, char *e) +{ + char *news; + int len = e-s+1; + if (NULL == (news=(char*)malloc(len))) nomem(); + strncpy(news, s, len); + return news; +} + +typedef struct { + struct passwd *p; + char *dotapop; +} pwapop; + +static pwapop* lookupassign(char *user) +{ + int type, j, len, maxlen; + char *l, *r, *dash, *ext, *pre, *field; + static pwapop pa; + static struct passwd p; + init_assign(); + pa.p = &p; + type=0; /* check against strict assignment */ + for (j=0; j 0 && p.pw_dir && pa.dotapop) + return &pa; + return NULL; +} + +FILE* getapopfd(char *user) +{ + FILE *fp; + struct passwd *pw; + struct stat stbuf; + char apopfile[PATHSIZ], aprog[PATHSIZ*2]; + char *suffix = NULL; + pwapop *pa; + int dashlen = strlen(DASH); + uid_t uid; + + //fprintf(stderr, "%s\n", user); + user=conv_virtualdomain(user); + //fprintf(stderr, "%s\n", user); + if (!user) _exit(2); + /* First, lookup users/assign */ + if ((pa=lookupassign(user))) { + strncpy(apopfile, pa->dotapop, PATHSIZ); + free(pa->dotapop); + pa->dotapop = NULL; + uid = pa->p->pw_uid; + } else { + /* Then, try to get real user from passwd entries */ + pw = getpwnam(user); + if (!pw && strstr(user, DASH)) { + /* Try again after removing extension - Check qmail alias name */ + char tmp[PATHSIZ]; + char *s = user; + memset(tmp, 0, PATHSIZ); + while (*s && s && !pw) { + s = strstr(s, DASH); /* Search from left. */ + if (!s) break; + strncpy(tmp, user, s-user); /* copy upto '-' */ + s += dashlen; + pw = getpwnam(tmp); + } + if (pw) { + /* s points to the next of DASH */ + if (NULL == (suffix=(char*)malloc(strlen(s)+dashlen+1))) nomem(); + memcpy(suffix, s-dashlen, strlen(s)+dashlen+1); /* including \0 */ + user[strlen(tmp)] = '\0'; /* zap suffix */ + } + } + if (!pw) _exit(2); /* If no user entry here, abort. */ + uid = pw->pw_uid; + snprintf(apopfile, sizeof apopfile, "%s/%s", pw->pw_dir, USERAPOPFILE); + + if (suffix) + strncat(apopfile, suffix, (sizeof apopfile)-strlen(apopfile)-1); + /* Do not care if path name truncated. Just skip it. */ + + } + // fprintf(stderr, "a=%s\n", apopfile); + if (setuid(uid) != 0) _exit(2); + if (stat(apopfile, &stbuf) < 0) + return (FILE*)-2; /* no password file, exit with error */ + if (stbuf.st_mode & ~(S_IFREG | S_IREAD | S_IWRITE)) + return (FILE*)-3; /* if readable by others, exit with error */ + if (stat(APOPOPEN, &stbuf) >= 0) { + snprintf(aprog, sizeof aprog, "%s %s", APOPOPEN, apopfile); + fp = popen(aprog, "r"); + } else { + fp = fopen(apopfile, "r"); + } + return fp; +} + +int doit(unsigned char *testlogin, unsigned char *challenge, unsigned char *response) +{ + static char line[LINE_MAX + 1]; + int found_user= 0; + unsigned char *password = NULL; + unsigned char digest[16]; + unsigned char digascii[33]; + unsigned char h; + FILE *fp; + int j; + // char *linepnt; + + if (0 >= (fp=getapopfd(testlogin))) + _exit(2); + + if (fp) { + fgets(line, sizeof line, fp); + fclose(fp); + if (line[0]) { + int p = strlen(line); + while (p > 0 && (line[p-1] == '\n' || line[p-1] == '\r')) { + line[--p] = '\0'; /* zap trailing newlines */ + } + password = line; + found_user=1; + } + } + + if (!found_user) { + memset(line, 0, sizeof line); + return(1); + } + + hmac_md5(challenge, strlen(challenge), password, strlen(password), digest); + memset(line, 0, sizeof line); + + digascii[32]=0; + + for (j=0; j<16; j++) + { + h=digest[j] >> 4; + digascii[2*j]=hextab[h]; + h=digest[j] & 0x0f; + digascii[(2*j)+1]=hextab[h]; + } + return (strcmp(digascii,response) && strcmp(password,challenge)); +} + +int main(int argc,char **argv) +{ + char *login; + char *response; + char *challenge; + int r; + int i; + int accepted; + + if (!argv[1]) _exit(2); + if (getenv("QMAILCONTROL")) + qmailcontrol = getenv("QMAILCONTROL"); + + uplen = 0; + for (;;) { + do + r = read(3,up + uplen,sizeof(up) - uplen); + while ((r == -1) && (errno == EINTR)); + if (r == -1) _exit(111); + if (r == 0) break; + uplen += r; + if (uplen >= sizeof(up)) _exit(1); + } + + close(3); + + i = 0; + login = up + i; + while (up[i++]) if (i == uplen) _exit(2); + challenge = up + i; + if (i == uplen) _exit(2); + while (up[i++]) if (i == uplen) _exit(2); + response = up + i; + + accepted=doit(login, challenge, response); + + for (i = 0;i < sizeof(up);++i) up[i] = 0; + + if (accepted) _exit(1); + execvp(argv[1], argv + 1); + _exit(111); +} diff --git a/md5.h b/md5.h new file mode 100644 index 0000000..94774ba --- /dev/null +++ b/md5.h @@ -0,0 +1,49 @@ +/* MD5.H - header file for MD5C.C + */ + +/* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All + rights reserved. + + License to copy and use this software is granted provided that it + is identified as the "RSA Data Security, Inc. MD5 Message-Digest + Algorithm" in all material mentioning or referencing this software + or this function. + + License is also granted to make and use derivative works provided + that such works are identified as "derived from the RSA Data + Security, Inc. MD5 Message-Digest Algorithm" in all material + mentioning or referencing the derived work. + + RSA Data Security, Inc. makes no representations concerning either + the merchantability of this software or the suitability of this + software for any particular purpose. It is provided "as is" + without express or implied warranty of any kind. + + These notices must be retained in any copies of any part of this + documentation and/or software. + */ + +#ifndef _MD5_H_ +#define _MD5_H_ 1 + +#ifdef __cplusplus +extern "C" { +#endif + +/* MD5 context. */ +typedef struct { + UINT4 state[4]; /* state (ABCD) */ + UINT4 count[2]; /* number of bits, modulo 2^64 (lsb first) */ + unsigned char buffer[64]; /* input buffer */ +} MD5_CTX; + +void MD5Init PROTO_LIST ((MD5_CTX *)); +void MD5Update PROTO_LIST + ((MD5_CTX *, unsigned char *, unsigned int)); +void MD5Final PROTO_LIST ((unsigned char [16], MD5_CTX *)); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/md5c.c b/md5c.c new file mode 100644 index 0000000..8b0c856 --- /dev/null +++ b/md5c.c @@ -0,0 +1,334 @@ +/* MD5C.C - RSA Data Security, Inc., MD5 message-digest algorithm + */ + +/* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All + rights reserved. + + License to copy and use this software is granted provided that it + is identified as the "RSA Data Security, Inc. MD5 Message-Digest + Algorithm" in all material mentioning or referencing this software + or this function. + + License is also granted to make and use derivative works provided + that such works are identified as "derived from the RSA Data + Security, Inc. MD5 Message-Digest Algorithm" in all material + mentioning or referencing the derived work. + + RSA Data Security, Inc. makes no representations concerning either + the merchantability of this software or the suitability of this + software for any particular purpose. It is provided "as is" + without express or implied warranty of any kind. + + These notices must be retained in any copies of any part of this + documentation and/or software. + */ + +#include "global.h" +#include "md5.h" + +/* Constants for MD5Transform routine. + */ +#define S11 7 +#define S12 12 +#define S13 17 +#define S14 22 +#define S21 5 +#define S22 9 +#define S23 14 +#define S24 20 +#define S31 4 +#define S32 11 +#define S33 16 +#define S34 23 +#define S41 6 +#define S42 10 +#define S43 15 +#define S44 21 + +static void MD5Transform PROTO_LIST ((UINT4 [4], unsigned char [64])); +static void Encode PROTO_LIST + ((unsigned char *, UINT4 *, unsigned int)); +static void Decode PROTO_LIST + ((UINT4 *, unsigned char *, unsigned int)); +static void MD5_memcpy PROTO_LIST ((POINTER, POINTER, unsigned int)); +static void MD5_memset PROTO_LIST ((POINTER, int, unsigned int)); + +static unsigned char PADDING[64] = { + 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 +}; + +/* F, G, H and I are basic MD5 functions. + */ +#define F(x, y, z) (((x) & (y)) | ((~x) & (z))) +#define G(x, y, z) (((x) & (z)) | ((y) & (~z))) +#define H(x, y, z) ((x) ^ (y) ^ (z)) +#define I(x, y, z) ((y) ^ ((x) | (~z))) + +/* ROTATE_LEFT rotates x left n bits. + */ +#define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32-(n)))) + +/* FF, GG, HH, and II transformations for rounds 1, 2, 3, and 4. + Rotation is separate from addition to prevent recomputation. + */ +#define FF(a, b, c, d, x, s, ac) { \ + (a) += F ((b), (c), (d)) + (x) + (UINT4)(ac); \ + (a) = ROTATE_LEFT ((a), (s)); \ + (a) += (b); \ + } +#define GG(a, b, c, d, x, s, ac) { \ + (a) += G ((b), (c), (d)) + (x) + (UINT4)(ac); \ + (a) = ROTATE_LEFT ((a), (s)); \ + (a) += (b); \ + } +#define HH(a, b, c, d, x, s, ac) { \ + (a) += H ((b), (c), (d)) + (x) + (UINT4)(ac); \ + (a) = ROTATE_LEFT ((a), (s)); \ + (a) += (b); \ + } +#define II(a, b, c, d, x, s, ac) { \ + (a) += I ((b), (c), (d)) + (x) + (UINT4)(ac); \ + (a) = ROTATE_LEFT ((a), (s)); \ + (a) += (b); \ + } + +/* MD5 initialization. Begins an MD5 operation, writing a new context. + */ +void MD5Init (context) +MD5_CTX *context; /* context */ +{ + context->count[0] = context->count[1] = 0; + + /* Load magic initialization constants. + */ + context->state[0] = 0x67452301; + context->state[1] = 0xefcdab89; + context->state[2] = 0x98badcfe; + context->state[3] = 0x10325476; +} + +/* MD5 block update operation. Continues an MD5 message-digest + operation, processing another message block, and updating the + context. + */ +void MD5Update (context, input, inputLen) +MD5_CTX *context; /* context */ +unsigned char *input; /* input block */ +unsigned int inputLen; /* length of input block */ +{ + unsigned int i, index, partLen; + + /* Compute number of bytes mod 64 */ + index = (unsigned int)((context->count[0] >> 3) & 0x3F); + + /* Update number of bits */ + if ((context->count[0] += ((UINT4)inputLen << 3)) + < ((UINT4)inputLen << 3)) + context->count[1]++; + context->count[1] += ((UINT4)inputLen >> 29); + + partLen = 64 - index; + + /* Transform as many times as possible. + */ + if (inputLen >= partLen) { + MD5_memcpy + ((POINTER)&context->buffer[index], (POINTER)input, partLen); + MD5Transform (context->state, context->buffer); + + for (i = partLen; i + 63 < inputLen; i += 64) + MD5Transform (context->state, &input[i]); + + index = 0; + } + else + i = 0; + + /* Buffer remaining input */ + MD5_memcpy + ((POINTER)&context->buffer[index], (POINTER)&input[i], + inputLen-i); +} + +/* MD5 finalization. Ends an MD5 message-digest operation, writing the + the message digest and zeroizing the context. + */ +void MD5Final (digest, context) +unsigned char digest[16]; /* message digest */ +MD5_CTX *context; /* context */ +{ + unsigned char bits[8]; + unsigned int index, padLen; + + /* Save number of bits */ + Encode (bits, context->count, 8); + + /* Pad out to 56 mod 64. + */ + index = (unsigned int)((context->count[0] >> 3) & 0x3f); + padLen = (index < 56) ? (56 - index) : (120 - index); + MD5Update (context, PADDING, padLen); + + /* Append length (before padding) */ + MD5Update (context, bits, 8); + + /* Store state in digest */ + Encode (digest, context->state, 16); + + /* Zeroize sensitive information. + */ + MD5_memset ((POINTER)context, 0, sizeof (*context)); +} + +/* MD5 basic transformation. Transforms state based on block. + */ +static void MD5Transform (state, block) +UINT4 state[4]; +unsigned char block[64]; +{ + UINT4 a = state[0], b = state[1], c = state[2], d = state[3], x[16]; + + Decode (x, block, 64); + + /* Round 1 */ + FF (a, b, c, d, x[ 0], S11, 0xd76aa478); /* 1 */ + FF (d, a, b, c, x[ 1], S12, 0xe8c7b756); /* 2 */ + FF (c, d, a, b, x[ 2], S13, 0x242070db); /* 3 */ + FF (b, c, d, a, x[ 3], S14, 0xc1bdceee); /* 4 */ + FF (a, b, c, d, x[ 4], S11, 0xf57c0faf); /* 5 */ + FF (d, a, b, c, x[ 5], S12, 0x4787c62a); /* 6 */ + FF (c, d, a, b, x[ 6], S13, 0xa8304613); /* 7 */ + FF (b, c, d, a, x[ 7], S14, 0xfd469501); /* 8 */ + FF (a, b, c, d, x[ 8], S11, 0x698098d8); /* 9 */ + FF (d, a, b, c, x[ 9], S12, 0x8b44f7af); /* 10 */ + FF (c, d, a, b, x[10], S13, 0xffff5bb1); /* 11 */ + FF (b, c, d, a, x[11], S14, 0x895cd7be); /* 12 */ + FF (a, b, c, d, x[12], S11, 0x6b901122); /* 13 */ + FF (d, a, b, c, x[13], S12, 0xfd987193); /* 14 */ + FF (c, d, a, b, x[14], S13, 0xa679438e); /* 15 */ + FF (b, c, d, a, x[15], S14, 0x49b40821); /* 16 */ + + /* Round 2 */ + GG (a, b, c, d, x[ 1], S21, 0xf61e2562); /* 17 */ + GG (d, a, b, c, x[ 6], S22, 0xc040b340); /* 18 */ + GG (c, d, a, b, x[11], S23, 0x265e5a51); /* 19 */ + GG (b, c, d, a, x[ 0], S24, 0xe9b6c7aa); /* 20 */ + GG (a, b, c, d, x[ 5], S21, 0xd62f105d); /* 21 */ + GG (d, a, b, c, x[10], S22, 0x2441453); /* 22 */ + GG (c, d, a, b, x[15], S23, 0xd8a1e681); /* 23 */ + GG (b, c, d, a, x[ 4], S24, 0xe7d3fbc8); /* 24 */ + GG (a, b, c, d, x[ 9], S21, 0x21e1cde6); /* 25 */ + GG (d, a, b, c, x[14], S22, 0xc33707d6); /* 26 */ + GG (c, d, a, b, x[ 3], S23, 0xf4d50d87); /* 27 */ + GG (b, c, d, a, x[ 8], S24, 0x455a14ed); /* 28 */ + GG (a, b, c, d, x[13], S21, 0xa9e3e905); /* 29 */ + GG (d, a, b, c, x[ 2], S22, 0xfcefa3f8); /* 30 */ + GG (c, d, a, b, x[ 7], S23, 0x676f02d9); /* 31 */ + GG (b, c, d, a, x[12], S24, 0x8d2a4c8a); /* 32 */ + + /* Round 3 */ + HH (a, b, c, d, x[ 5], S31, 0xfffa3942); /* 33 */ + HH (d, a, b, c, x[ 8], S32, 0x8771f681); /* 34 */ + HH (c, d, a, b, x[11], S33, 0x6d9d6122); /* 35 */ + HH (b, c, d, a, x[14], S34, 0xfde5380c); /* 36 */ + HH (a, b, c, d, x[ 1], S31, 0xa4beea44); /* 37 */ + HH (d, a, b, c, x[ 4], S32, 0x4bdecfa9); /* 38 */ + HH (c, d, a, b, x[ 7], S33, 0xf6bb4b60); /* 39 */ + HH (b, c, d, a, x[10], S34, 0xbebfbc70); /* 40 */ + HH (a, b, c, d, x[13], S31, 0x289b7ec6); /* 41 */ + HH (d, a, b, c, x[ 0], S32, 0xeaa127fa); /* 42 */ + HH (c, d, a, b, x[ 3], S33, 0xd4ef3085); /* 43 */ + HH (b, c, d, a, x[ 6], S34, 0x4881d05); /* 44 */ + HH (a, b, c, d, x[ 9], S31, 0xd9d4d039); /* 45 */ + HH (d, a, b, c, x[12], S32, 0xe6db99e5); /* 46 */ + HH (c, d, a, b, x[15], S33, 0x1fa27cf8); /* 47 */ + HH (b, c, d, a, x[ 2], S34, 0xc4ac5665); /* 48 */ + + /* Round 4 */ + II (a, b, c, d, x[ 0], S41, 0xf4292244); /* 49 */ + II (d, a, b, c, x[ 7], S42, 0x432aff97); /* 50 */ + II (c, d, a, b, x[14], S43, 0xab9423a7); /* 51 */ + II (b, c, d, a, x[ 5], S44, 0xfc93a039); /* 52 */ + II (a, b, c, d, x[12], S41, 0x655b59c3); /* 53 */ + II (d, a, b, c, x[ 3], S42, 0x8f0ccc92); /* 54 */ + II (c, d, a, b, x[10], S43, 0xffeff47d); /* 55 */ + II (b, c, d, a, x[ 1], S44, 0x85845dd1); /* 56 */ + II (a, b, c, d, x[ 8], S41, 0x6fa87e4f); /* 57 */ + II (d, a, b, c, x[15], S42, 0xfe2ce6e0); /* 58 */ + II (c, d, a, b, x[ 6], S43, 0xa3014314); /* 59 */ + II (b, c, d, a, x[13], S44, 0x4e0811a1); /* 60 */ + II (a, b, c, d, x[ 4], S41, 0xf7537e82); /* 61 */ + II (d, a, b, c, x[11], S42, 0xbd3af235); /* 62 */ + II (c, d, a, b, x[ 2], S43, 0x2ad7d2bb); /* 63 */ + II (b, c, d, a, x[ 9], S44, 0xeb86d391); /* 64 */ + + state[0] += a; + state[1] += b; + state[2] += c; + state[3] += d; + + /* Zeroize sensitive information. + */ + MD5_memset ((POINTER)x, 0, sizeof (x)); +} + +/* Encodes input (UINT4) into output (unsigned char). Assumes len is + a multiple of 4. + */ +static void Encode (output, input, len) +unsigned char *output; +UINT4 *input; +unsigned int len; +{ + unsigned int i, j; + + for (i = 0, j = 0; j < len; i++, j += 4) { + output[j] = (unsigned char)(input[i] & 0xff); + output[j+1] = (unsigned char)((input[i] >> 8) & 0xff); + output[j+2] = (unsigned char)((input[i] >> 16) & 0xff); + output[j+3] = (unsigned char)((input[i] >> 24) & 0xff); + } +} + +/* Decodes input (unsigned char) into output (UINT4). Assumes len is + a multiple of 4. + */ +static void Decode (output, input, len) +UINT4 *output; +unsigned char *input; +unsigned int len; +{ + unsigned int i, j; + + for (i = 0, j = 0; j < len; i++, j += 4) + output[i] = ((UINT4)input[j]) | (((UINT4)input[j+1]) << 8) | + (((UINT4)input[j+2]) << 16) | (((UINT4)input[j+3]) << 24); +} + +/* Note: Replace "for loop" with standard memcpy if possible. + */ +static void MD5_memcpy (output, input, len) +POINTER output; +POINTER input; +unsigned int len; +{ + unsigned int i; + + for (i = 0; i < len; i++) + output[i] = input[i]; +} + +/* Note: Replace "for loop" with standard memset if possible. + */ +static void MD5_memset (output, value, len) +POINTER output; +int value; +unsigned int len; +{ + unsigned int i; + + for (i = 0; i < len; i++) + ((char *)output)[i] = (char)value; +}