1 /* 2 * Copyright (c) 1996 3 * Bill Paul <wpaul@ctr.columbia.edu>. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. All advertising materials mentioning features or use of this software 14 * must display the following acknowledgement: 15 * This product includes software developed by Bill Paul. 16 * 4. Neither the name of the author nor the names of any co-contributors 17 * may be used to endorse or promote products derived from this software 18 * without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY Bill Paul AND CONTRIBUTORS ``AS IS'' AND 21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 * ARE DISCLAIMED. IN NO EVENT SHALL Bill Paul OR CONTRIBUTORS BE LIABLE 24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30 * SUCH DAMAGE. 31 */ 32 33 #include <sys/types.h> 34 #include <sys/param.h> 35 #include <dirent.h> 36 #include <dlfcn.h> 37 #include <err.h> 38 #include <stdio.h> 39 #include <stdlib.h> 40 #include <string.h> 41 #include <rpc/des_crypt.h> 42 #include <rpc/des.h> 43 #include "crypt.h" 44 45 /* 46 * The U.S. government stupidly believes that a) it can keep strong 47 * crypto code a secret and b) that doing so somehow protects national 48 * interests. It's wrong on both counts, but until it listens to reason 49 * we have to make certain compromises so it doesn't have an excuse to 50 * throw us in federal prison. 51 * 52 * Consequently, the core OS ships without DES support, and keyserv 53 * defaults to using ARCFOUR with only a 40 bit key, just like nutscrape. 54 * This breaks compatibility with Secure RPC on other systems, but it 55 * allows Secure RPC to work between FreeBSD systems that don't have the 56 * DES package installed without throwing security totally out the window. 57 * 58 * In order to avoid having to supply two versions of keyserv (one with 59 * DES and one without), we use dlopen() and friends to load libdes.so 60 * into our address space at runtime. We check for the presence of 61 * /usr/lib/libdes.so.3.0 at startup and load it if we find it. If we 62 * can't find it, or the __des_crypt symbol doesn't exist, we fall back 63 * to the ARCFOUR encryption code. The user can specify another path using 64 * the -p flag. 65 */ 66 67 /* arcfour.h */ 68 typedef struct arcfour_key 69 { 70 unsigned char state[256]; 71 unsigned char x; 72 unsigned char y; 73 } arcfour_key; 74 75 static void prepare_key(unsigned char *key_data_ptr,int key_data_len, 76 arcfour_key *key); 77 static void arcfour(unsigned char *buffer_ptr,int buffer_len,arcfour_key * key); 78 static void swap_byte(unsigned char *a, unsigned char *b); 79 80 static void prepare_key(unsigned char *key_data_ptr, int key_data_len, 81 arcfour_key *key) 82 { 83 unsigned char index1; 84 unsigned char index2; 85 unsigned char* state; 86 short counter; 87 88 state = &key->state[0]; 89 for(counter = 0; counter < 256; counter++) 90 state[counter] = counter; 91 key->x = 0; 92 key->y = 0; 93 index1 = 0; 94 index2 = 0; 95 for(counter = 0; counter < 256; counter++) 96 { 97 index2 = (key_data_ptr[index1] + state[counter] + 98 index2) % 256; 99 swap_byte(&state[counter], &state[index2]); 100 101 index1 = (index1 + 1) % key_data_len; 102 } 103 } 104 105 static void arcfour(unsigned char *buffer_ptr, int buffer_len, arcfour_key *key) 106 { 107 unsigned char x; 108 unsigned char y; 109 unsigned char* state; 110 unsigned char xorIndex; 111 short counter; 112 113 x = key->x; 114 y = key->y; 115 116 state = &key->state[0]; 117 for(counter = 0; counter < buffer_len; counter ++) 118 { 119 x = (x + 1) % 256; 120 y = (state[x] + y) % 256; 121 swap_byte(&state[x], &state[y]); 122 123 xorIndex = (state[x] + state[y]) % 256; 124 125 buffer_ptr[counter] ^= state[xorIndex]; 126 } 127 key->x = x; 128 key->y = y; 129 } 130 131 static void swap_byte(unsigned char *a, unsigned char *b) 132 { 133 unsigned char swapByte; 134 135 swapByte = *a; 136 *a = *b; 137 *b = swapByte; 138 } 139 140 /* Dummy _des_crypt function that uses ARCFOUR with a 40 bit key */ 141 int _arcfour_crypt(char *buf, int len, struct desparams *desp) 142 { 143 struct arcfour_key arcfourk; 144 145 /* 146 * U.S. government anti-crypto weasels take 147 * note: although we are supplied with a 64 bit 148 * key, we're only passing 40 bits to the ARCFOUR 149 * encryption code. So there. 150 */ 151 prepare_key(desp->des_key, 5, &arcfourk); 152 arcfour(buf, len, &arcfourk); 153 154 return(DESERR_NOHWDEVICE); 155 } 156 157 int (*_my_crypt)(char *, int, struct desparams *) = NULL; 158 159 static void *dlhandle; 160 161 #ifndef _PATH_USRLIB 162 #define _PATH_USRLIB "/usr/lib" 163 #endif 164 165 #ifndef LIBCRYPTO 166 #define LIBCRYPTO "libcrypto.so.2" 167 #endif 168 169 void load_des(int warn, char *libpath) 170 { 171 char dlpath[MAXPATHLEN]; 172 173 if (libpath == NULL) 174 snprintf(dlpath, sizeof(dlpath), "%s/%s", _PATH_USRLIB, 175 LIBCRYPTO); 176 else 177 snprintf(dlpath, sizeof(dlpath), "%s", libpath); 178 179 if ((dlhandle = dlopen(dlpath, 0444)) != NULL) 180 _my_crypt = (int (*)())dlsym(dlhandle, "_des_crypt"); 181 182 if (_my_crypt == NULL) { 183 if (dlhandle != NULL) 184 dlclose(dlhandle); 185 _my_crypt = &_arcfour_crypt; 186 if (warn) { 187 printf ("DES support disabled -- using ARCFOUR instead.\n"); 188 printf ("Warning: ARCFOUR cipher is not compatible with "); 189 printf ("other Secure RPC implementations.\nInstall "); 190 printf ("the FreeBSD 'des' distribution to enable"); 191 printf (" DES encryption.\n"); 192 } 193 } else { 194 if (warn) { 195 printf ("DES support enabled\n"); 196 printf ("Using %s shared object.\n", dlpath); 197 } 198 } 199 200 return; 201 } 202 203 desresp * 204 des_crypt_1_svc(desargs *argp, struct svc_req *rqstp) 205 { 206 static desresp result; 207 struct desparams dparm; 208 209 if (argp->desbuf.desbuf_len > DES_MAXDATA) { 210 result.stat = DESERR_BADPARAM; 211 return(&result); 212 } 213 214 215 bcopy(argp->des_key, dparm.des_key, 8); 216 bcopy(argp->des_ivec, dparm.des_ivec, 8); 217 dparm.des_mode = (argp->des_mode == CBC_DES) ? CBC : ECB; 218 dparm.des_dir = (argp->des_dir == ENCRYPT_DES) ? ENCRYPT : DECRYPT; 219 #ifdef BROKEN_DES 220 dparm.UDES.UDES_buf = argp->desbuf.desbuf_val; 221 #endif 222 223 /* 224 * XXX This compensates for a bug in the libdes Secure RPC 225 * compat interface. (Actually, there are a couple.) The 226 * des_ecb_encrypt() routine in libdes only encrypts 8 bytes 227 * (64 bits) at a time. However, the Sun Secure RPC ecb_crypt() 228 * routine is supposed to be able to handle buffers up to 8Kbytes. 229 * The rpc_enc module in libdes ignores this fact and just drops 230 * the length parameter on the floor, encrypting only the 231 * first 64 bits of whatever buffer you feed it. We deal with 232 * this here: if we're using DES encryption, and we're using 233 * ECB mode, then we make a pass over the entire buffer 234 * ourselves. Note: the rpc_enc module incorrectly transposes 235 * the mode flags, so when you ask for CBC mode, you're really 236 * getting ECB mode. 237 */ 238 #ifdef BROKEN_DES 239 if (_my_crypt != &_arcfour_crypt && argp->des_mode == CBC) { 240 #else 241 if (_my_crypt != &_arcfour_crypt && argp->des_mode == ECB) { 242 #endif 243 int i; 244 char *dptr; 245 246 for (i = 0; i < argp->desbuf.desbuf_len / 8; i++) { 247 dptr = argp->desbuf.desbuf_val; 248 dptr += (i * 8); 249 #ifdef BROKEN_DES 250 dparm.UDES.UDES_buf = dptr; 251 #endif 252 result.stat = _my_crypt(dptr, 8, &dparm); 253 } 254 } else { 255 result.stat = _my_crypt(argp->desbuf.desbuf_val, 256 argp->desbuf.desbuf_len, 257 &dparm); 258 } 259 260 if (result.stat == DESERR_NONE || result.stat == DESERR_NOHWDEVICE) { 261 bcopy(dparm.des_ivec, result.des_ivec, 8); 262 result.desbuf.desbuf_len = argp->desbuf.desbuf_len; 263 result.desbuf.desbuf_val = argp->desbuf.desbuf_val; 264 } 265 266 return (&result); 267 } 268