brsmith@cs.umn.edu (Brian R. Smith) (07/27/90)
What does it take to get XDM-AUTHENTICATION-1 up and running?

As far as I can tell, the big problem is getting "encryptBits" and
"decryptBits" set up in lib/Xdmcp/*crypt.c.  They just need to be
interface routines to the DES library functions - but I can't figure
out the right way to convert the arguments to the strange form
required by the DES stuff.

Anyone done it?

Brian
brsmith@cs.umn.edu

john@acorn.co.uk (John Bowler) (08/07/90)
In article <1990Jul26.201627.188@cs.umn.edu> brsmith@cs.umn.edu (Brian R. Smith) writes:
>What does it take to get XDM-AUTHENTICATION-1 up and running?
>
>As far as I can tell, the big problem is getting "encryptBits" and
>"decryptBits" set up in lib/Xdmcp/*crypt.c.  They just need to be
>interface routines to the DES library functions - but I can't figure
>out the right way to convert the arguments to the strange form
>required by the DES stuff.
>

You don't say which DES library you have, but assuming that you have
something like the SUN one it is sufficient to treat the ``data''
argument as a block of 64 bits to encrypt (8 bytes) and the ``key''
argument as a (standard) 64 bit key.  You may have to set the parity on
the key first to make things work.  In other words:-

    static void
    encryptBits(data, key)
        unsigned char *data;
        unsigned char *key;
    {
        /* give each key byte odd parity (modifies the caller's key) */
        des_setparity(key);
        /* encrypt the single 8-byte block in place, ECB mode */
        ecb_crypt(key, data, 8, DES_ENCRYPT);
    }

(Well, slightly inefficient, and it doesn't check the result of
ecb_crypt...).

The only problem with this is that the KERBEROS stuff seems to have
decided to treat the format of the key data (and possibly the data
itself) differently to the usual UN*X implementation :-(.  Technically
it may be necessary to reverse the bit sex of the bytes, rotate the bits
in the keys and so on :-((.  The only to this is Keith Packard's
comments in Encrypt.c (notice that the XDMCP protocol might suggest
packing the 56 bits of the key into the first 7 bytes...).  What we have
done is just to use the standard (traditional UN*X) mapping of DES 64 bit
quantities to bytes - this works, so long as both ends of the system
(xdm and server) do the same thing.

John Bowler (jbowler@acorn.co.uk)

[PS - if you want to use MIT-MAGIC-COOKIE-1 with XDM-AUTHENTICATION-1
you also need to fix up the part of xdm which does the key data
encryption so that it matches what the server will do at the other end.]
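
Added example, not part of either post and not code from the X distribution: it shows why xdm and the server must agree on how key bytes map to a DES key, by deriving the key once from 8 bytes taken as-is and once from 56 bits packed into the first 7 bytes. All function names, the sample key and the bit order used for the packed mapping are assumptions made for illustration, not the layout XDMCP specifies.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample key data (not taken from the thread). */
static const uint8_t SAMPLE_KEY[8] = {0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF};

/* DES convention: the low bit of each key byte gives that byte odd parity. */
static void set_odd_parity(uint8_t key[8])
{
    for (int i = 0; i < 8; i++) {
        uint8_t b = key[i] & 0xFE, ones = 0;
        for (int j = 1; j < 8; j++)
            ones += (b >> j) & 1;
        key[i] = b | ((ones & 1) ^ 1);   /* low bit makes the count odd */
    }
}

/* Mapping A: 8 bytes as-is; the top 7 bits of each byte are key bits. */
void key_from_8_bytes(const uint8_t in[8], uint8_t out[8])
{
    memcpy(out, in, 8);
    set_odd_parity(out);
}

/* Mapping B (assumed bit order): 56 key bits packed MSB-first in 7 bytes. */
void key_from_7_bytes(const uint8_t in[7], uint8_t out[8])
{
    uint64_t bits = 0;
    for (int i = 0; i < 7; i++)
        bits = (bits << 8) | in[i];
    for (int i = 0; i < 8; i++)          /* 7 key bits per output byte */
        out[i] = (uint8_t)(((bits >> (49 - 7 * i)) & 0x7F) << 1);
    set_odd_parity(out);
}

/* Returns 1 when both mappings derive the same DES key from keydata. */
int mappings_agree(const uint8_t keydata[8])
{
    uint8_t a[8], b[8];
    key_from_8_bytes(keydata, a);
    key_from_7_bytes(keydata, b);
    return memcmp(a, b, 8) == 0;
}
int main(void)
{
    printf("same DES key: %s\n", mappings_agree(SAMPLE_KEY) ? "yes" : "no");
    return 0;
}
```

An all-zero key gives the same DES key under both mappings, so an interoperability check between xdm and the server needs non-trivial key data to expose a mismatch.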