xref: /freebsd/usr.sbin/keyserv/crypt_server.c (revision f4b37ed0f8b307b1f3f0f630ca725d68f1dff30d)
1 /*
2  * Copyright (c) 1996
3  *	Bill Paul <wpaul@ctr.columbia.edu>.  All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  * 3. All advertising materials mentioning features or use of this software
14  *    must display the following acknowledgement:
15  *	This product includes software developed by Bill Paul.
16  * 4. Neither the name of the author nor the names of any co-contributors
17  *    may be used to endorse or promote products derived from this software
18  *    without specific prior written permission.
19  *
20  * THIS SOFTWARE IS PROVIDED BY Bill Paul AND CONTRIBUTORS ``AS IS'' AND
21  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23  * ARE DISCLAIMED.  IN NO EVENT SHALL Bill Paul OR CONTRIBUTORS BE LIABLE
24  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30  * SUCH DAMAGE.
31  */
32 
33 #include <sys/types.h>
34 #include <sys/param.h>
35 #include <dirent.h>
36 #include <dlfcn.h>
37 #include <err.h>
38 #include <stdio.h>
39 #include <stdlib.h>
40 #include <string.h>
41 #include <rpc/des_crypt.h>
42 #include <rpc/des.h>
43 #include "crypt.h"
44 
45 #ifndef lint
46 static const char rcsid[] =
47   "$FreeBSD$";
48 #endif /* not lint */
49 
50 /*
51  * The U.S. government stupidly believes that a) it can keep strong
52  * crypto code a secret and b) that doing so somehow protects national
53  * interests. It's wrong on both counts, but until it listens to reason
54  * we have to make certain compromises so it doesn't have an excuse to
55  * throw us in federal prison.
56  *
57  * Consequently, the core OS ships without DES support, and keyserv
58  * defaults to using ARCFOUR with only a 40 bit key, just like nutscrape.
59  * This breaks compatibility with Secure RPC on other systems, but it
60  * allows Secure RPC to work between FreeBSD systems that don't have the
61  * DES package installed without throwing security totally out the window.
62  *
63  * In order to avoid having to supply two versions of keyserv (one with
64  * DES and one without), we use dlopen() and friends to load libdes.so
65  * into our address space at runtime. We check for the presence of
66  * /usr/lib/libdes.so.3.0 at startup and load it if we find it. If we
67  * can't find it, or the __des_crypt symbol doesn't exist, we fall back
68  * to the ARCFOUR encryption code. The user can specify another path using
69  * the -p flag.
70  */
71 
72  /* arcfour.h */
73 typedef struct arcfour_key
74 {
75    unsigned char state[256];
76    unsigned char x;
77    unsigned char y;
78 } arcfour_key;
79 
80 static void prepare_key(unsigned char *key_data_ptr,int key_data_len,
81 		 arcfour_key *key);
82 static void arcfour(unsigned char *buffer_ptr,int buffer_len,arcfour_key * key);
83 static void swap_byte(unsigned char *a, unsigned char *b);
84 
85 static void prepare_key(unsigned char *key_data_ptr, int key_data_len,
86 		 arcfour_key *key)
87 {
88    unsigned char index1;
89    unsigned char index2;
90    unsigned char* state;
91    short counter;
92 
93    state = &key->state[0];
94    for(counter = 0; counter < 256; counter++)
95    state[counter] = counter;
96    key->x = 0;
97    key->y = 0;
98    index1 = 0;
99    index2 = 0;
100    for(counter = 0; counter < 256; counter++)
101    {
102       index2 = (key_data_ptr[index1] + state[counter] +
103                 index2) % 256;
104       swap_byte(&state[counter], &state[index2]);
105 
106       index1 = (index1 + 1) % key_data_len;
107    }
108 }
109 
110 static void arcfour(unsigned char *buffer_ptr, int buffer_len, arcfour_key *key)
111 {
112    unsigned char x;
113    unsigned char y;
114    unsigned char* state;
115    unsigned char xorIndex;
116    short counter;
117 
118    x = key->x;
119    y = key->y;
120 
121    state = &key->state[0];
122    for(counter = 0; counter < buffer_len; counter ++)
123    {
124       x = (x + 1) % 256;
125       y = (state[x] + y) % 256;
126       swap_byte(&state[x], &state[y]);
127 
128       xorIndex = (state[x] + state[y]) % 256;
129 
130       buffer_ptr[counter] ^= state[xorIndex];
131    }
132    key->x = x;
133    key->y = y;
134 }
135 
136 static void swap_byte(unsigned char *a, unsigned char *b)
137 {
138    unsigned char swapByte;
139 
140    swapByte = *a;
141    *a = *b;
142    *b = swapByte;
143 }
144 
145 /* Dummy _des_crypt function that uses ARCFOUR with a 40 bit key */
146 int _arcfour_crypt(buf, len, desp)
147 	char *buf;
148 	int len;
149 	struct desparams *desp;
150 {
151 	struct arcfour_key arcfourk;
152 
153 	/*
154 	 * U.S. government anti-crypto weasels take
155 	 * note: although we are supplied with a 64 bit
156 	 * key, we're only passing 40 bits to the ARCFOUR
157 	 * encryption code. So there.
158 	 */
159 	prepare_key(desp->des_key, 5, &arcfourk);
160 	arcfour(buf, len, &arcfourk);
161 
162 	return(DESERR_NOHWDEVICE);
163 }
164 
165 int (*_my_crypt)(char *, int, struct desparams *) = NULL;
166 
167 static void *dlhandle;
168 
169 #ifndef _PATH_USRLIB
170 #define _PATH_USRLIB "/usr/lib"
171 #endif
172 
173 #ifndef LIBCRYPTO
174 #define LIBCRYPTO "libcrypto.so.2"
175 #endif
176 
177 void load_des(warn, libpath)
178 	int warn;
179 	char *libpath;
180 {
181 	char dlpath[MAXPATHLEN];
182 
183 	if (libpath == NULL) {
184 		snprintf(dlpath, sizeof(dlpath), "%s/%s", _PATH_USRLIB, LIBCRYPTO);
185 	} else
186 		snprintf(dlpath, sizeof(dlpath), "%s", libpath);
187 
188 	if (dlpath != NULL && (dlhandle = dlopen(dlpath, 0444)) != NULL)
189 		_my_crypt = (int (*)())dlsym(dlhandle, "_des_crypt");
190 
191 	if (_my_crypt == NULL) {
192 		if (dlhandle != NULL)
193 			dlclose(dlhandle);
194 		_my_crypt = &_arcfour_crypt;
195 		if (warn) {
196 			printf ("DES support disabled -- using ARCFOUR instead.\n");
197 			printf ("Warning: ARCFOUR cipher is not compatible with ");
198 			printf ("other Secure RPC implementations.\nInstall ");
199 			printf ("the FreeBSD 'des' distribution to enable");
200 			printf (" DES encryption.\n");
201 		}
202 	} else {
203 		if (warn) {
204 			printf ("DES support enabled\n");
205 			printf ("Using %s shared object.\n", dlpath);
206 		}
207 	}
208 
209 	return;
210 }
211 
212 desresp *
213 des_crypt_1_svc(desargs *argp, struct svc_req *rqstp)
214 {
215 	static desresp  result;
216 	struct desparams dparm;
217 
218 	if (argp->desbuf.desbuf_len > DES_MAXDATA) {
219 		result.stat = DESERR_BADPARAM;
220 		return(&result);
221 	}
222 
223 
224 	bcopy(argp->des_key, dparm.des_key, 8);
225 	bcopy(argp->des_ivec, dparm.des_ivec, 8);
226 	dparm.des_mode = (argp->des_mode == CBC_DES) ? CBC : ECB;
227 	dparm.des_dir = (argp->des_dir == ENCRYPT_DES) ? ENCRYPT : DECRYPT;
228 #ifdef BROKEN_DES
229 	dparm.UDES.UDES_buf = argp->desbuf.desbuf_val;
230 #endif
231 
232 	/*
233 	 * XXX This compensates for a bug in the libdes Secure RPC
234 	 * compat interface. (Actually, there are a couple.) The
235 	 * des_ecb_encrypt() routine in libdes only encrypts 8 bytes
236 	 * (64 bits) at a time. However, the Sun Secure RPC ecb_crypt()
237 	 * routine is supposed to be able to handle buffers up to 8Kbytes.
238 	 * The rpc_enc module in libdes ignores this fact and just drops
239 	 * the length parameter on the floor, encrypting only the
240 	 * first 64 bits of whatever buffer you feed it. We deal with
241 	 * this here: if we're using DES encryption, and we're using
242 	 * ECB mode, then we make a pass over the entire buffer
243 	 * ourselves. Note: the rpc_enc module incorrectly transposes
244 	 * the mode flags, so when you ask for CBC mode, you're really
245 	 * getting ECB mode.
246 	 */
247 #ifdef BROKEN_DES
248 	if (_my_crypt != &_arcfour_crypt && argp->des_mode == CBC) {
249 #else
250 	if (_my_crypt != &_arcfour_crypt && argp->des_mode == ECB) {
251 #endif
252 		int			i;
253 		char			*dptr;
254 
255 		for (i = 0; i < argp->desbuf.desbuf_len / 8; i++) {
256 			dptr = argp->desbuf.desbuf_val;
257 			dptr += (i * 8);
258 #ifdef BROKEN_DES
259 			dparm.UDES.UDES_buf = dptr;
260 #endif
261 			result.stat = _my_crypt(dptr, 8, &dparm);
262 		}
263 	} else {
264 		result.stat = _my_crypt(argp->desbuf.desbuf_val,
265 					argp->desbuf.desbuf_len,
266 					&dparm);
267 	}
268 
269 	if (result.stat == DESERR_NONE || result.stat == DESERR_NOHWDEVICE) {
270 		bcopy(dparm.des_ivec, result.des_ivec, 8);
271 		result.desbuf.desbuf_len = argp->desbuf.desbuf_len;
272 		result.desbuf.desbuf_val = argp->desbuf.desbuf_val;
273 	}
274 
275 	return (&result);
276 }
277