1 /*        $NetBSD: salt-des.c,v 1.4 2023/06/19 21:41:44 christos Exp $          */
2 
3 /*
4  * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
5  * (Royal Institute of Technology, Stockholm, Sweden).
6  * All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer.
14  *
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in the
17  *    documentation and/or other materials provided with the distribution.
18  *
19  * 3. Neither the name of the Institute nor the names of its contributors
20  *    may be used to endorse or promote products derived from this software
21  *    without specific prior written permission.
22  *
23  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33  * SUCH DAMAGE.
34  */
35 
36 #include "krb5_locl.h"
37 
38 #ifdef HEIM_WEAK_CRYPTO
39 
40 #ifdef ENABLE_AFS_STRING_TO_KEY
41 
42 /* This defines the Andrew string_to_key function.  It accepts a password
43  * string as input and converts it via a one-way encryption algorithm to a DES
44  * encryption key.  It is compatible with the original Andrew authentication
45  * service password database.
46  */
47 
48 /*
49  * Short passwords, i.e 8 characters or less.
50  */
51 static void
krb5_DES_AFS3_CMU_string_to_key(krb5_data pw,krb5_data cell,DES_cblock * key)52 krb5_DES_AFS3_CMU_string_to_key (krb5_data pw,
53                                          krb5_data cell,
54                                          DES_cblock *key)
55 {
56     char  password[8+1];      /* crypt is limited to 8 chars anyway */
57     size_t   i;
58 
59     for(i = 0; i < 8; i++) {
60           char c = ((i < pw.length) ? ((char*)pw.data)[i] : 0) ^
61               ((i < cell.length) ?
62                tolower(((unsigned char*)cell.data)[i]) : 0);
63           password[i] = c ? c : 'X';
64     }
65     password[8] = '\0';
66 
67     memcpy(key, crypt(password, "p1") + 2, sizeof(DES_cblock));
68 
69     /* parity is inserted into the LSB so left shift each byte up one
70        bit. This allows ascii characters with a zero MSB to retain as
71        much significance as possible. */
72     for (i = 0; i < sizeof(DES_cblock); i++)
73           ((unsigned char*)key)[i] <<= 1;
74     DES_set_odd_parity (key);
75 }
76 
77 /*
78  * Long passwords, i.e 9 characters or more.
79  */
80 static void
krb5_DES_AFS3_Transarc_string_to_key(krb5_data pw,krb5_data cell,DES_cblock * key)81 krb5_DES_AFS3_Transarc_string_to_key (krb5_data pw,
82                                               krb5_data cell,
83                                               DES_cblock *key)
84 {
85     DES_key_schedule schedule;
86     DES_cblock temp_key;
87     DES_cblock ivec;
88     char password[512];
89     size_t passlen;
90 
91     memcpy(password, pw.data, min(pw.length, sizeof(password)));
92     if(pw.length < sizeof(password)) {
93           int len = min(cell.length, sizeof(password) - pw.length);
94           size_t i;
95 
96           memcpy(password + pw.length, cell.data, len);
97           for (i = pw.length; i < pw.length + len; ++i)
98               password[i] = tolower((unsigned char)password[i]);
99     }
100     passlen = min(sizeof(password), pw.length + cell.length);
101     memcpy(&ivec, "kerberos", 8);
102     memcpy(&temp_key, "kerberos", 8);
103     DES_set_odd_parity (&temp_key);
104     DES_set_key_unchecked (&temp_key, &schedule);
105     DES_cbc_cksum ((void*)password, &ivec, passlen, &schedule, &ivec);
106 
107     memcpy(&temp_key, &ivec, 8);
108     DES_set_odd_parity (&temp_key);
109     DES_set_key_unchecked (&temp_key, &schedule);
110     DES_cbc_cksum ((void*)password, key, passlen, &schedule, &ivec);
111     memset(&schedule, 0, sizeof(schedule));
112     memset(&temp_key, 0, sizeof(temp_key));
113     memset(&ivec, 0, sizeof(ivec));
114     memset_s(password, sizeof(password), 0, sizeof(password));
115 
116     DES_set_odd_parity (key);
117 }
118 
119 static krb5_error_code
DES_AFS3_string_to_key(krb5_context context,krb5_enctype enctype,krb5_data password,krb5_salt salt,krb5_data opaque,krb5_keyblock * key)120 DES_AFS3_string_to_key(krb5_context context,
121                            krb5_enctype enctype,
122                            krb5_data password,
123                            krb5_salt salt,
124                            krb5_data opaque,
125                            krb5_keyblock *key)
126 {
127     DES_cblock tmp;
128     if(password.length > 8)
129           krb5_DES_AFS3_Transarc_string_to_key(password, salt.saltvalue, &tmp);
130     else
131           krb5_DES_AFS3_CMU_string_to_key(password, salt.saltvalue, &tmp);
132     key->keytype = enctype;
133     krb5_data_copy(&key->keyvalue, tmp, sizeof(tmp));
134     memset(&key, 0, sizeof(key));
135     return 0;
136 }
137 #endif /* ENABLE_AFS_STRING_TO_KEY */
138 
139 static void
DES_string_to_key_int(unsigned char * data,size_t length,DES_cblock * key)140 DES_string_to_key_int(unsigned char *data, size_t length, DES_cblock *key)
141 {
142     DES_key_schedule schedule;
143     size_t i;
144     int reverse = 0;
145     unsigned char *p;
146 
147     unsigned char swap[] = { 0x0, 0x8, 0x4, 0xc, 0x2, 0xa, 0x6, 0xe,
148                                    0x1, 0x9, 0x5, 0xd, 0x3, 0xb, 0x7, 0xf };
149     memset(key, 0, 8);
150 
151     p = (unsigned char*)key;
152     for (i = 0; i < length; i++) {
153           unsigned char tmp = data[i];
154           if (!reverse)
155               *p++ ^= (tmp << 1);
156           else
157               *--p ^= (swap[tmp & 0xf] << 4) | swap[(tmp & 0xf0) >> 4];
158           if((i % 8) == 7)
159               reverse = !reverse;
160     }
161     DES_set_odd_parity(key);
162     if(DES_is_weak_key(key))
163           (*key)[7] ^= 0xF0;
164     DES_set_key_unchecked(key, &schedule);
165     DES_cbc_cksum((void*)data, key, length, &schedule, key);
166     memset(&schedule, 0, sizeof(schedule));
167     DES_set_odd_parity(key);
168     if(DES_is_weak_key(key))
169           (*key)[7] ^= 0xF0;
170 }
171 
172 static krb5_error_code
krb5_DES_string_to_key(krb5_context context,krb5_enctype enctype,krb5_data password,krb5_salt salt,krb5_data opaque,krb5_keyblock * key)173 krb5_DES_string_to_key(krb5_context context,
174                            krb5_enctype enctype,
175                            krb5_data password,
176                            krb5_salt salt,
177                            krb5_data opaque,
178                            krb5_keyblock *key)
179 {
180     unsigned char *s;
181     size_t len;
182     DES_cblock tmp;
183 
184 #ifdef ENABLE_AFS_STRING_TO_KEY
185     if (opaque.length == 1) {
186           unsigned long v;
187           _krb5_get_int(opaque.data, &v, 1);
188           if (v == 1)
189               return DES_AFS3_string_to_key(context, enctype, password,
190                                                     salt, opaque, key);
191     }
192 #endif
193 
194     len = password.length + salt.saltvalue.length;
195     s = malloc(len);
196     if (len > 0 && s == NULL)
197           return krb5_enomem(context);
198     memcpy(s, password.data, password.length);
199     if (salt.saltvalue.length)
200         memcpy(s + password.length, salt.saltvalue.data, salt.saltvalue.length);
201     DES_string_to_key_int(s, len, &tmp);
202     key->keytype = enctype;
203     krb5_data_copy(&key->keyvalue, tmp, sizeof(tmp));
204     memset(&tmp, 0, sizeof(tmp));
205     memset(s, 0, len);
206     free(s);
207     return 0;
208 }
209 
210 struct salt_type _krb5_des_salt[] = {
211     {
212           KRB5_PW_SALT,
213           "pw-salt",
214           krb5_DES_string_to_key
215     },
216 #ifdef ENABLE_AFS_STRING_TO_KEY
217     {
218           KRB5_AFS3_SALT,
219           "afs3-salt",
220           DES_AFS3_string_to_key
221     },
222 #endif
223     { 0, NULL, NULL }
224 };
225 #endif
226