xref: /freebsd/crypto/heimdal/lib/krb5/salt-des.c (revision 6a068746777241722b2b32c5d0bc443a2a64d80b) 
1*ae771770SStanislav Sedov /*
2*ae771770SStanislav Sedov  * Copyright (c) 1997 - 2008 Kungliga Tekniska Högskolan
3*ae771770SStanislav Sedov  * (Royal Institute of Technology, Stockholm, Sweden).
4*ae771770SStanislav Sedov  * All rights reserved.
5*ae771770SStanislav Sedov  *
6*ae771770SStanislav Sedov  * Redistribution and use in source and binary forms, with or without
7*ae771770SStanislav Sedov  * modification, are permitted provided that the following conditions
8*ae771770SStanislav Sedov  * are met:
9*ae771770SStanislav Sedov  *
10*ae771770SStanislav Sedov  * 1. Redistributions of source code must retain the above copyright
11*ae771770SStanislav Sedov  *    notice, this list of conditions and the following disclaimer.
12*ae771770SStanislav Sedov  *
13*ae771770SStanislav Sedov  * 2. Redistributions in binary form must reproduce the above copyright
14*ae771770SStanislav Sedov  *    notice, this list of conditions and the following disclaimer in the
15*ae771770SStanislav Sedov  *    documentation and/or other materials provided with the distribution.
16*ae771770SStanislav Sedov  *
17*ae771770SStanislav Sedov  * 3. Neither the name of the Institute nor the names of its contributors
18*ae771770SStanislav Sedov  *    may be used to endorse or promote products derived from this software
19*ae771770SStanislav Sedov  *    without specific prior written permission.
20*ae771770SStanislav Sedov  *
21*ae771770SStanislav Sedov  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22*ae771770SStanislav Sedov  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23*ae771770SStanislav Sedov  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24*ae771770SStanislav Sedov  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25*ae771770SStanislav Sedov  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26*ae771770SStanislav Sedov  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27*ae771770SStanislav Sedov  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28*ae771770SStanislav Sedov  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29*ae771770SStanislav Sedov  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30*ae771770SStanislav Sedov  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31*ae771770SStanislav Sedov  * SUCH DAMAGE.
32*ae771770SStanislav Sedov  */
33*ae771770SStanislav Sedov 
34*ae771770SStanislav Sedov #include "krb5_locl.h"
35*ae771770SStanislav Sedov 
36*ae771770SStanislav Sedov #ifdef HEIM_WEAK_CRYPTO
37*ae771770SStanislav Sedov 
38*ae771770SStanislav Sedov #ifdef ENABLE_AFS_STRING_TO_KEY
39*ae771770SStanislav Sedov 
40*ae771770SStanislav Sedov /* This defines the Andrew string_to_key function.  It accepts a password
41*ae771770SStanislav Sedov  * string as input and converts it via a one-way encryption algorithm to a DES
42*ae771770SStanislav Sedov  * encryption key.  It is compatible with the original Andrew authentication
43*ae771770SStanislav Sedov  * service password database.
44*ae771770SStanislav Sedov  */
45*ae771770SStanislav Sedov 
46*ae771770SStanislav Sedov /*
47*ae771770SStanislav Sedov  * Short passwords, i.e 8 characters or less.
48*ae771770SStanislav Sedov  */
49*ae771770SStanislav Sedov static void
krb5_DES_AFS3_CMU_string_to_key(krb5_data pw,krb5_data cell,DES_cblock * key)50*ae771770SStanislav Sedov krb5_DES_AFS3_CMU_string_to_key (krb5_data pw,
51*ae771770SStanislav Sedov 				 krb5_data cell,
52*ae771770SStanislav Sedov 				 DES_cblock *key)
53*ae771770SStanislav Sedov {
54*ae771770SStanislav Sedov     char  password[8+1];	/* crypt is limited to 8 chars anyway */
55*ae771770SStanislav Sedov     size_t   i;
56*ae771770SStanislav Sedov 
57*ae771770SStanislav Sedov     for(i = 0; i < 8; i++) {
58*ae771770SStanislav Sedov 	char c = ((i < pw.length) ? ((char*)pw.data)[i] : 0) ^
59*ae771770SStanislav Sedov 	    ((i < cell.length) ?
60*ae771770SStanislav Sedov 	     tolower(((unsigned char*)cell.data)[i]) : 0);
61*ae771770SStanislav Sedov 	password[i] = c ? c : 'X';
62*ae771770SStanislav Sedov     }
63*ae771770SStanislav Sedov     password[8] = '\0';
64*ae771770SStanislav Sedov 
65*ae771770SStanislav Sedov     memcpy(key, crypt(password, "p1") + 2, sizeof(DES_cblock));
66*ae771770SStanislav Sedov 
67*ae771770SStanislav Sedov     /* parity is inserted into the LSB so left shift each byte up one
68*ae771770SStanislav Sedov        bit. This allows ascii characters with a zero MSB to retain as
69*ae771770SStanislav Sedov        much significance as possible. */
70*ae771770SStanislav Sedov     for (i = 0; i < sizeof(DES_cblock); i++)
71*ae771770SStanislav Sedov 	((unsigned char*)key)[i] <<= 1;
72*ae771770SStanislav Sedov     DES_set_odd_parity (key);
73*ae771770SStanislav Sedov }
74*ae771770SStanislav Sedov 
75*ae771770SStanislav Sedov /*
76*ae771770SStanislav Sedov  * Long passwords, i.e 9 characters or more.
77*ae771770SStanislav Sedov  */
78*ae771770SStanislav Sedov static void
krb5_DES_AFS3_Transarc_string_to_key(krb5_data pw,krb5_data cell,DES_cblock * key)79*ae771770SStanislav Sedov krb5_DES_AFS3_Transarc_string_to_key (krb5_data pw,
80*ae771770SStanislav Sedov 				      krb5_data cell,
81*ae771770SStanislav Sedov 				      DES_cblock *key)
82*ae771770SStanislav Sedov {
83*ae771770SStanislav Sedov     DES_key_schedule schedule;
84*ae771770SStanislav Sedov     DES_cblock temp_key;
85*ae771770SStanislav Sedov     DES_cblock ivec;
86*ae771770SStanislav Sedov     char password[512];
87*ae771770SStanislav Sedov     size_t passlen;
88*ae771770SStanislav Sedov 
89*ae771770SStanislav Sedov     memcpy(password, pw.data, min(pw.length, sizeof(password)));
90*ae771770SStanislav Sedov     if(pw.length < sizeof(password)) {
91*ae771770SStanislav Sedov 	int len = min(cell.length, sizeof(password) - pw.length);
92*ae771770SStanislav Sedov 	size_t i;
93*ae771770SStanislav Sedov 
94*ae771770SStanislav Sedov 	memcpy(password + pw.length, cell.data, len);
95*ae771770SStanislav Sedov 	for (i = pw.length; i < pw.length + len; ++i)
96*ae771770SStanislav Sedov 	    password[i] = tolower((unsigned char)password[i]);
97*ae771770SStanislav Sedov     }
98*ae771770SStanislav Sedov     passlen = min(sizeof(password), pw.length + cell.length);
99*ae771770SStanislav Sedov     memcpy(&ivec, "kerberos", 8);
100*ae771770SStanislav Sedov     memcpy(&temp_key, "kerberos", 8);
101*ae771770SStanislav Sedov     DES_set_odd_parity (&temp_key);
102*ae771770SStanislav Sedov     DES_set_key_unchecked (&temp_key, &schedule);
103*ae771770SStanislav Sedov     DES_cbc_cksum ((void*)password, &ivec, passlen, &schedule, &ivec);
104*ae771770SStanislav Sedov 
105*ae771770SStanislav Sedov     memcpy(&temp_key, &ivec, 8);
106*ae771770SStanislav Sedov     DES_set_odd_parity (&temp_key);
107*ae771770SStanislav Sedov     DES_set_key_unchecked (&temp_key, &schedule);
108*ae771770SStanislav Sedov     DES_cbc_cksum ((void*)password, key, passlen, &schedule, &ivec);
109*ae771770SStanislav Sedov     memset(&schedule, 0, sizeof(schedule));
110*ae771770SStanislav Sedov     memset(&temp_key, 0, sizeof(temp_key));
111*ae771770SStanislav Sedov     memset(&ivec, 0, sizeof(ivec));
112*ae771770SStanislav Sedov     memset(password, 0, sizeof(password));
113*ae771770SStanislav Sedov 
114*ae771770SStanislav Sedov     DES_set_odd_parity (key);
115*ae771770SStanislav Sedov }
116*ae771770SStanislav Sedov 
117*ae771770SStanislav Sedov static krb5_error_code
DES_AFS3_string_to_key(krb5_context context,krb5_enctype enctype,krb5_data password,krb5_salt salt,krb5_data opaque,krb5_keyblock * key)118*ae771770SStanislav Sedov DES_AFS3_string_to_key(krb5_context context,
119*ae771770SStanislav Sedov 		       krb5_enctype enctype,
120*ae771770SStanislav Sedov 		       krb5_data password,
121*ae771770SStanislav Sedov 		       krb5_salt salt,
122*ae771770SStanislav Sedov 		       krb5_data opaque,
123*ae771770SStanislav Sedov 		       krb5_keyblock *key)
124*ae771770SStanislav Sedov {
125*ae771770SStanislav Sedov     DES_cblock tmp;
126*ae771770SStanislav Sedov     if(password.length > 8)
127*ae771770SStanislav Sedov 	krb5_DES_AFS3_Transarc_string_to_key(password, salt.saltvalue, &tmp);
128*ae771770SStanislav Sedov     else
129*ae771770SStanislav Sedov 	krb5_DES_AFS3_CMU_string_to_key(password, salt.saltvalue, &tmp);
130*ae771770SStanislav Sedov     key->keytype = enctype;
131*ae771770SStanislav Sedov     krb5_data_copy(&key->keyvalue, tmp, sizeof(tmp));
132*ae771770SStanislav Sedov     memset(&key, 0, sizeof(key));
133*ae771770SStanislav Sedov     return 0;
134*ae771770SStanislav Sedov }
135*ae771770SStanislav Sedov #endif /* ENABLE_AFS_STRING_TO_KEY */
136*ae771770SStanislav Sedov 
137*ae771770SStanislav Sedov static void
DES_string_to_key_int(unsigned char * data,size_t length,DES_cblock * key)138*ae771770SStanislav Sedov DES_string_to_key_int(unsigned char *data, size_t length, DES_cblock *key)
139*ae771770SStanislav Sedov {
140*ae771770SStanislav Sedov     DES_key_schedule schedule;
141*ae771770SStanislav Sedov     size_t i;
142*ae771770SStanislav Sedov     int reverse = 0;
143*ae771770SStanislav Sedov     unsigned char *p;
144*ae771770SStanislav Sedov 
145*ae771770SStanislav Sedov     unsigned char swap[] = { 0x0, 0x8, 0x4, 0xc, 0x2, 0xa, 0x6, 0xe,
146*ae771770SStanislav Sedov 			     0x1, 0x9, 0x5, 0xd, 0x3, 0xb, 0x7, 0xf };
147*ae771770SStanislav Sedov     memset(key, 0, 8);
148*ae771770SStanislav Sedov 
149*ae771770SStanislav Sedov     p = (unsigned char*)key;
150*ae771770SStanislav Sedov     for (i = 0; i < length; i++) {
151*ae771770SStanislav Sedov 	unsigned char tmp = data[i];
152*ae771770SStanislav Sedov 	if (!reverse)
153*ae771770SStanislav Sedov 	    *p++ ^= (tmp << 1);
154*ae771770SStanislav Sedov 	else
155*ae771770SStanislav Sedov 	    *--p ^= (swap[tmp & 0xf] << 4) | swap[(tmp & 0xf0) >> 4];
156*ae771770SStanislav Sedov 	if((i % 8) == 7)
157*ae771770SStanislav Sedov 	    reverse = !reverse;
158*ae771770SStanislav Sedov     }
159*ae771770SStanislav Sedov     DES_set_odd_parity(key);
160*ae771770SStanislav Sedov     if(DES_is_weak_key(key))
161*ae771770SStanislav Sedov 	(*key)[7] ^= 0xF0;
162*ae771770SStanislav Sedov     DES_set_key_unchecked(key, &schedule);
163*ae771770SStanislav Sedov     DES_cbc_cksum((void*)data, key, length, &schedule, key);
164*ae771770SStanislav Sedov     memset(&schedule, 0, sizeof(schedule));
165*ae771770SStanislav Sedov     DES_set_odd_parity(key);
166*ae771770SStanislav Sedov     if(DES_is_weak_key(key))
167*ae771770SStanislav Sedov 	(*key)[7] ^= 0xF0;
168*ae771770SStanislav Sedov }
169*ae771770SStanislav Sedov 
170*ae771770SStanislav Sedov static krb5_error_code
krb5_DES_string_to_key(krb5_context context,krb5_enctype enctype,krb5_data password,krb5_salt salt,krb5_data opaque,krb5_keyblock * key)171*ae771770SStanislav Sedov krb5_DES_string_to_key(krb5_context context,
172*ae771770SStanislav Sedov 		       krb5_enctype enctype,
173*ae771770SStanislav Sedov 		       krb5_data password,
174*ae771770SStanislav Sedov 		       krb5_salt salt,
175*ae771770SStanislav Sedov 		       krb5_data opaque,
176*ae771770SStanislav Sedov 		       krb5_keyblock *key)
177*ae771770SStanislav Sedov {
178*ae771770SStanislav Sedov     unsigned char *s;
179*ae771770SStanislav Sedov     size_t len;
180*ae771770SStanislav Sedov     DES_cblock tmp;
181*ae771770SStanislav Sedov 
182*ae771770SStanislav Sedov #ifdef ENABLE_AFS_STRING_TO_KEY
183*ae771770SStanislav Sedov     if (opaque.length == 1) {
184*ae771770SStanislav Sedov 	unsigned long v;
185*ae771770SStanislav Sedov 	_krb5_get_int(opaque.data, &v, 1);
186*ae771770SStanislav Sedov 	if (v == 1)
187*ae771770SStanislav Sedov 	    return DES_AFS3_string_to_key(context, enctype, password,
188*ae771770SStanislav Sedov 					  salt, opaque, key);
189*ae771770SStanislav Sedov     }
190*ae771770SStanislav Sedov #endif
191*ae771770SStanislav Sedov 
192*ae771770SStanislav Sedov     len = password.length + salt.saltvalue.length;
193*ae771770SStanislav Sedov     s = malloc(len);
194*ae771770SStanislav Sedov     if(len > 0 && s == NULL) {
195*ae771770SStanislav Sedov 	krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
196*ae771770SStanislav Sedov 	return ENOMEM;
197*ae771770SStanislav Sedov     }
198*ae771770SStanislav Sedov     memcpy(s, password.data, password.length);
199*ae771770SStanislav Sedov     memcpy(s + password.length, salt.saltvalue.data, salt.saltvalue.length);
200*ae771770SStanislav Sedov     DES_string_to_key_int(s, len, &tmp);
201*ae771770SStanislav Sedov     key->keytype = enctype;
202*ae771770SStanislav Sedov     krb5_data_copy(&key->keyvalue, tmp, sizeof(tmp));
203*ae771770SStanislav Sedov     memset(&tmp, 0, sizeof(tmp));
204*ae771770SStanislav Sedov     memset(s, 0, len);
205*ae771770SStanislav Sedov     free(s);
206*ae771770SStanislav Sedov     return 0;
207*ae771770SStanislav Sedov }
208*ae771770SStanislav Sedov 
209*ae771770SStanislav Sedov struct salt_type _krb5_des_salt[] = {
210*ae771770SStanislav Sedov     {
211*ae771770SStanislav Sedov 	KRB5_PW_SALT,
212*ae771770SStanislav Sedov 	"pw-salt",
213*ae771770SStanislav Sedov 	krb5_DES_string_to_key
214*ae771770SStanislav Sedov     },
215*ae771770SStanislav Sedov #ifdef ENABLE_AFS_STRING_TO_KEY
216*ae771770SStanislav Sedov     {
217*ae771770SStanislav Sedov 	KRB5_AFS3_SALT,
218*ae771770SStanislav Sedov 	"afs3-salt",
219*ae771770SStanislav Sedov 	DES_AFS3_string_to_key
220*ae771770SStanislav Sedov     },
221*ae771770SStanislav Sedov #endif
222*ae771770SStanislav Sedov     { 0 }
223*ae771770SStanislav Sedov };
224*ae771770SStanislav Sedov #endif
225