1/*	$NetBSD: salt-des.c,v 1.4 2023/06/19 21:41:44 christos Exp $	*/
2
3/*
4 * Copyright (c) 1997 - 2008 Kungliga Tekniska H��gskolan
5 * (Royal Institute of Technology, Stockholm, Sweden).
6 * All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 *    notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 *    notice, this list of conditions and the following disclaimer in the
17 *    documentation and/or other materials provided with the distribution.
18 *
19 * 3. Neither the name of the Institute nor the names of its contributors
20 *    may be used to endorse or promote products derived from this software
21 *    without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
34 */
35
36#include "krb5_locl.h"
37
38#ifdef HEIM_WEAK_CRYPTO
39
40#ifdef ENABLE_AFS_STRING_TO_KEY
41
42/* This defines the Andrew string_to_key function.  It accepts a password
43 * string as input and converts it via a one-way encryption algorithm to a DES
44 * encryption key.  It is compatible with the original Andrew authentication
45 * service password database.
46 */
47
48/*
49 * Short passwords, i.e 8 characters or less.
50 */
51static void
52krb5_DES_AFS3_CMU_string_to_key (krb5_data pw,
53				 krb5_data cell,
54				 DES_cblock *key)
55{
56    char  password[8+1];	/* crypt is limited to 8 chars anyway */
57    size_t   i;
58
59    for(i = 0; i < 8; i++) {
60	char c = ((i < pw.length) ? ((char*)pw.data)[i] : 0) ^
61	    ((i < cell.length) ?
62	     tolower(((unsigned char*)cell.data)[i]) : 0);
63	password[i] = c ? c : 'X';
64    }
65    password[8] = '\0';
66
67    memcpy(key, crypt(password, "p1") + 2, sizeof(DES_cblock));
68
69    /* parity is inserted into the LSB so left shift each byte up one
70       bit. This allows ascii characters with a zero MSB to retain as
71       much significance as possible. */
72    for (i = 0; i < sizeof(DES_cblock); i++)
73	((unsigned char*)key)[i] <<= 1;
74    DES_set_odd_parity (key);
75}
76
77/*
78 * Long passwords, i.e 9 characters or more.
79 */
80static void
81krb5_DES_AFS3_Transarc_string_to_key (krb5_data pw,
82				      krb5_data cell,
83				      DES_cblock *key)
84{
85    DES_key_schedule schedule;
86    DES_cblock temp_key;
87    DES_cblock ivec;
88    char password[512];
89    size_t passlen;
90
91    memcpy(password, pw.data, min(pw.length, sizeof(password)));
92    if(pw.length < sizeof(password)) {
93	int len = min(cell.length, sizeof(password) - pw.length);
94	size_t i;
95
96	memcpy(password + pw.length, cell.data, len);
97	for (i = pw.length; i < pw.length + len; ++i)
98	    password[i] = tolower((unsigned char)password[i]);
99    }
100    passlen = min(sizeof(password), pw.length + cell.length);
101    memcpy(&ivec, "kerberos", 8);
102    memcpy(&temp_key, "kerberos", 8);
103    DES_set_odd_parity (&temp_key);
104    DES_set_key_unchecked (&temp_key, &schedule);
105    DES_cbc_cksum ((void*)password, &ivec, passlen, &schedule, &ivec);
106
107    memcpy(&temp_key, &ivec, 8);
108    DES_set_odd_parity (&temp_key);
109    DES_set_key_unchecked (&temp_key, &schedule);
110    DES_cbc_cksum ((void*)password, key, passlen, &schedule, &ivec);
111    memset(&schedule, 0, sizeof(schedule));
112    memset(&temp_key, 0, sizeof(temp_key));
113    memset(&ivec, 0, sizeof(ivec));
114    memset_s(password, sizeof(password), 0, sizeof(password));
115
116    DES_set_odd_parity (key);
117}
118
119static krb5_error_code
120DES_AFS3_string_to_key(krb5_context context,
121		       krb5_enctype enctype,
122		       krb5_data password,
123		       krb5_salt salt,
124		       krb5_data opaque,
125		       krb5_keyblock *key)
126{
127    DES_cblock tmp;
128    if(password.length > 8)
129	krb5_DES_AFS3_Transarc_string_to_key(password, salt.saltvalue, &tmp);
130    else
131	krb5_DES_AFS3_CMU_string_to_key(password, salt.saltvalue, &tmp);
132    key->keytype = enctype;
133    krb5_data_copy(&key->keyvalue, tmp, sizeof(tmp));
134    memset(&key, 0, sizeof(key));
135    return 0;
136}
137#endif /* ENABLE_AFS_STRING_TO_KEY */
138
139static void
140DES_string_to_key_int(unsigned char *data, size_t length, DES_cblock *key)
141{
142    DES_key_schedule schedule;
143    size_t i;
144    int reverse = 0;
145    unsigned char *p;
146
147    unsigned char swap[] = { 0x0, 0x8, 0x4, 0xc, 0x2, 0xa, 0x6, 0xe,
148			     0x1, 0x9, 0x5, 0xd, 0x3, 0xb, 0x7, 0xf };
149    memset(key, 0, 8);
150
151    p = (unsigned char*)key;
152    for (i = 0; i < length; i++) {
153	unsigned char tmp = data[i];
154	if (!reverse)
155	    *p++ ^= (tmp << 1);
156	else
157	    *--p ^= (swap[tmp & 0xf] << 4) | swap[(tmp & 0xf0) >> 4];
158	if((i % 8) == 7)
159	    reverse = !reverse;
160    }
161    DES_set_odd_parity(key);
162    if(DES_is_weak_key(key))
163	(*key)[7] ^= 0xF0;
164    DES_set_key_unchecked(key, &schedule);
165    DES_cbc_cksum((void*)data, key, length, &schedule, key);
166    memset(&schedule, 0, sizeof(schedule));
167    DES_set_odd_parity(key);
168    if(DES_is_weak_key(key))
169	(*key)[7] ^= 0xF0;
170}
171
172static krb5_error_code
173krb5_DES_string_to_key(krb5_context context,
174		       krb5_enctype enctype,
175		       krb5_data password,
176		       krb5_salt salt,
177		       krb5_data opaque,
178		       krb5_keyblock *key)
179{
180    unsigned char *s;
181    size_t len;
182    DES_cblock tmp;
183
184#ifdef ENABLE_AFS_STRING_TO_KEY
185    if (opaque.length == 1) {
186	unsigned long v;
187	_krb5_get_int(opaque.data, &v, 1);
188	if (v == 1)
189	    return DES_AFS3_string_to_key(context, enctype, password,
190					  salt, opaque, key);
191    }
192#endif
193
194    len = password.length + salt.saltvalue.length;
195    s = malloc(len);
196    if (len > 0 && s == NULL)
197	return krb5_enomem(context);
198    memcpy(s, password.data, password.length);
199    if (salt.saltvalue.length)
200        memcpy(s + password.length, salt.saltvalue.data, salt.saltvalue.length);
201    DES_string_to_key_int(s, len, &tmp);
202    key->keytype = enctype;
203    krb5_data_copy(&key->keyvalue, tmp, sizeof(tmp));
204    memset(&tmp, 0, sizeof(tmp));
205    memset(s, 0, len);
206    free(s);
207    return 0;
208}
209
210struct salt_type _krb5_des_salt[] = {
211    {
212	KRB5_PW_SALT,
213	"pw-salt",
214	krb5_DES_string_to_key
215    },
216#ifdef ENABLE_AFS_STRING_TO_KEY
217    {
218	KRB5_AFS3_SALT,
219	"afs3-salt",
220	DES_AFS3_string_to_key
221    },
222#endif
223    { 0, NULL, NULL }
224};
225#endif
226