126234Swpaul/*
226234Swpaul * Copyright (c) 1996
326234Swpaul *	Bill Paul <wpaul@ctr.columbia.edu>.  All rights reserved.
426234Swpaul *
526234Swpaul * Redistribution and use in source and binary forms, with or without
626234Swpaul * modification, are permitted provided that the following conditions
726234Swpaul * are met:
826234Swpaul * 1. Redistributions of source code must retain the above copyright
926234Swpaul *    notice, this list of conditions and the following disclaimer.
1026234Swpaul * 2. Redistributions in binary form must reproduce the above copyright
1126234Swpaul *    notice, this list of conditions and the following disclaimer in the
1226234Swpaul *    documentation and/or other materials provided with the distribution.
1326234Swpaul * 3. All advertising materials mentioning features or use of this software
1426234Swpaul *    must display the following acknowledgement:
1526234Swpaul *	This product includes software developed by Bill Paul.
1626234Swpaul * 4. Neither the name of the author nor the names of any co-contributors
1726234Swpaul *    may be used to endorse or promote products derived from this software
1826234Swpaul *    without specific prior written permission.
1926234Swpaul *
2026234Swpaul * THIS SOFTWARE IS PROVIDED BY Bill Paul AND CONTRIBUTORS ``AS IS'' AND
2126234Swpaul * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
2226234Swpaul * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
2326234Swpaul * ARE DISCLAIMED.  IN NO EVENT SHALL Bill Paul OR CONTRIBUTORS BE LIABLE
2426234Swpaul * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
2526234Swpaul * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
2626234Swpaul * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
2726234Swpaul * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
2826234Swpaul * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
2926234Swpaul * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
3026234Swpaul * SUCH DAMAGE.
3126234Swpaul */
3226234Swpaul
3326234Swpaul#include <sys/types.h>
3426234Swpaul#include <sys/param.h>
3526234Swpaul#include <dirent.h>
3629735Scharnier#include <dlfcn.h>
3726234Swpaul#include <err.h>
3829735Scharnier#include <stdio.h>
3929735Scharnier#include <stdlib.h>
4029735Scharnier#include <string.h>
4126234Swpaul#include <rpc/des_crypt.h>
4226234Swpaul#include <rpc/des.h>
4326234Swpaul#include "crypt.h"
4426234Swpaul
4526234Swpaul#ifndef lint
4629735Scharnierstatic const char rcsid[] =
4750479Speter  "$FreeBSD$";
4829735Scharnier#endif /* not lint */
4926234Swpaul
5026234Swpaul/*
5126234Swpaul * The U.S. government stupidly believes that a) it can keep strong
5226234Swpaul * crypto code a secret and b) that doing so somehow protects national
5326234Swpaul * interests. It's wrong on both counts, but until it listens to reason
5426234Swpaul * we have to make certain compromises so it doesn't have an excuse to
5526234Swpaul * throw us in federal prison.
5626234Swpaul *
5726234Swpaul * Consequently, the core OS ships without DES support, and keyserv
5826703Swpaul * defaults to using ARCFOUR with only a 40 bit key, just like nutscrape.
5926234Swpaul * This breaks compatibility with Secure RPC on other systems, but it
6026234Swpaul * allows Secure RPC to work between FreeBSD systems that don't have the
6126234Swpaul * DES package installed without throwing security totally out the window.
6226234Swpaul *
6326234Swpaul * In order to avoid having to supply two versions of keyserv (one with
6426234Swpaul * DES and one without), we use dlopen() and friends to load libdes.so
6526234Swpaul * into our address space at runtime. We check for the presence of
6626234Swpaul * /usr/lib/libdes.so.3.0 at startup and load it if we find it. If we
6726234Swpaul * can't find it, or the __des_crypt symbol doesn't exist, we fall back
6826703Swpaul * to the ARCFOUR encryption code. The user can specify another path using
6926234Swpaul * the -p flag.
7026234Swpaul */
7126234Swpaul
7226703Swpaul /* arcfour.h */
7326703Swpaultypedef struct arcfour_key
7426234Swpaul{
7526234Swpaul   unsigned char state[256];
7626234Swpaul   unsigned char x;
7726234Swpaul   unsigned char y;
7826703Swpaul} arcfour_key;
7926234Swpaul
8026234Swpaulstatic void prepare_key(unsigned char *key_data_ptr,int key_data_len,
8126703Swpaul		 arcfour_key *key);
8226703Swpaulstatic void arcfour(unsigned char *buffer_ptr,int buffer_len,arcfour_key * key);
8326234Swpaulstatic void swap_byte(unsigned char *a, unsigned char *b);
8426234Swpaul
8526234Swpaulstatic void prepare_key(unsigned char *key_data_ptr, int key_data_len,
8626703Swpaul		 arcfour_key *key)
8726234Swpaul{
8826234Swpaul   unsigned char index1;
8926234Swpaul   unsigned char index2;
9026234Swpaul   unsigned char* state;
9126234Swpaul   short counter;
9226234Swpaul
9326234Swpaul   state = &key->state[0];
9426234Swpaul   for(counter = 0; counter < 256; counter++)
9526234Swpaul   state[counter] = counter;
9626234Swpaul   key->x = 0;
9726234Swpaul   key->y = 0;
9826234Swpaul   index1 = 0;
9926234Swpaul   index2 = 0;
10026234Swpaul   for(counter = 0; counter < 256; counter++)
10126234Swpaul   {
10226234Swpaul      index2 = (key_data_ptr[index1] + state[counter] +
10326234Swpaul                index2) % 256;
10426234Swpaul      swap_byte(&state[counter], &state[index2]);
10526234Swpaul
10626234Swpaul      index1 = (index1 + 1) % key_data_len;
10726234Swpaul   }
10826234Swpaul}
10926234Swpaul
11026703Swpaulstatic void arcfour(unsigned char *buffer_ptr, int buffer_len, arcfour_key *key)
11126234Swpaul{
11226234Swpaul   unsigned char x;
11326234Swpaul   unsigned char y;
11426234Swpaul   unsigned char* state;
11526234Swpaul   unsigned char xorIndex;
11626234Swpaul   short counter;
11726234Swpaul
11826234Swpaul   x = key->x;
11926234Swpaul   y = key->y;
12026234Swpaul
12126234Swpaul   state = &key->state[0];
12226234Swpaul   for(counter = 0; counter < buffer_len; counter ++)
12326234Swpaul   {
12426234Swpaul      x = (x + 1) % 256;
12526234Swpaul      y = (state[x] + y) % 256;
12626234Swpaul      swap_byte(&state[x], &state[y]);
12726234Swpaul
12826234Swpaul      xorIndex = (state[x] + state[y]) % 256;
12926234Swpaul
13026234Swpaul      buffer_ptr[counter] ^= state[xorIndex];
13126234Swpaul   }
13226234Swpaul   key->x = x;
13326234Swpaul   key->y = y;
13426234Swpaul}
13526234Swpaul
13626234Swpaulstatic void swap_byte(unsigned char *a, unsigned char *b)
13726234Swpaul{
13826234Swpaul   unsigned char swapByte;
13926234Swpaul
14026234Swpaul   swapByte = *a;
14126234Swpaul   *a = *b;
14226234Swpaul   *b = swapByte;
14326234Swpaul}
14426234Swpaul
14526703Swpaul/* Dummy _des_crypt function that uses ARCFOUR with a 40 bit key */
14626703Swpaulint _arcfour_crypt(buf, len, desp)
14726234Swpaul	char *buf;
14826234Swpaul	int len;
14926234Swpaul	struct desparams *desp;
15026234Swpaul{
15126703Swpaul	struct arcfour_key arcfourk;
15226234Swpaul
15326234Swpaul	/*
15426234Swpaul	 * U.S. government anti-crypto weasels take
15526234Swpaul	 * note: although we are supplied with a 64 bit
15626703Swpaul	 * key, we're only passing 40 bits to the ARCFOUR
15726234Swpaul	 * encryption code. So there.
15826234Swpaul	 */
15926703Swpaul	prepare_key(desp->des_key, 5, &arcfourk);
16026703Swpaul	arcfour(buf, len, &arcfourk);
16126234Swpaul
16226234Swpaul	return(DESERR_NOHWDEVICE);
16326234Swpaul}
16426234Swpaul
16599693Sjmallettint (*_my_crypt)(char *, int, struct desparams *) = NULL;
16626234Swpaul
16726234Swpaulstatic void *dlhandle;
16826234Swpaul
16926234Swpaul#ifndef _PATH_USRLIB
17026234Swpaul#define _PATH_USRLIB "/usr/lib"
17126234Swpaul#endif
17226234Swpaul
17357451Smarkm#ifndef LIBCRYPTO
17499693Sjmallett#define LIBCRYPTO "libcrypto.so.2"
17526234Swpaul#endif
17626234Swpaul
17726234Swpaulvoid load_des(warn, libpath)
17826234Swpaul	int warn;
17926234Swpaul	char *libpath;
18026234Swpaul{
18126234Swpaul	char dlpath[MAXPATHLEN];
18226234Swpaul
18326234Swpaul	if (libpath == NULL) {
18457451Smarkm		snprintf(dlpath, sizeof(dlpath), "%s/%s", _PATH_USRLIB, LIBCRYPTO);
18526234Swpaul	} else
18626234Swpaul		snprintf(dlpath, sizeof(dlpath), "%s", libpath);
18726234Swpaul
18826234Swpaul	if (dlpath != NULL && (dlhandle = dlopen(dlpath, 0444)) != NULL)
18939319Swpaul		_my_crypt = (int (*)())dlsym(dlhandle, "_des_crypt");
19026234Swpaul
19126234Swpaul	if (_my_crypt == NULL) {
19226234Swpaul		if (dlhandle != NULL)
19326234Swpaul			dlclose(dlhandle);
19426703Swpaul		_my_crypt = &_arcfour_crypt;
19526234Swpaul		if (warn) {
19626703Swpaul			printf ("DES support disabled -- using ARCFOUR instead.\n");
19726703Swpaul			printf ("Warning: ARCFOUR cipher is not compatible with ");
19826234Swpaul			printf ("other Secure RPC implementations.\nInstall ");
19926234Swpaul			printf ("the FreeBSD 'des' distribution to enable");
20026234Swpaul			printf (" DES encryption.\n");
20126234Swpaul		}
20226234Swpaul	} else {
20326234Swpaul		if (warn) {
20426234Swpaul			printf ("DES support enabled\n");
20526234Swpaul			printf ("Using %s shared object.\n", dlpath);
20626234Swpaul		}
20726234Swpaul	}
20826234Swpaul
20926234Swpaul	return;
21026234Swpaul}
21126234Swpaul
21226234Swpauldesresp *
21326234Swpauldes_crypt_1_svc(desargs *argp, struct svc_req *rqstp)
21426234Swpaul{
21526234Swpaul	static desresp  result;
21626234Swpaul	struct desparams dparm;
21726234Swpaul
21826234Swpaul	if (argp->desbuf.desbuf_len > DES_MAXDATA) {
21926234Swpaul		result.stat = DESERR_BADPARAM;
22026234Swpaul		return(&result);
22126234Swpaul	}
22226234Swpaul
22326703Swpaul
22426234Swpaul	bcopy(argp->des_key, dparm.des_key, 8);
22526234Swpaul	bcopy(argp->des_ivec, dparm.des_ivec, 8);
226228662Sdim	dparm.des_mode = (argp->des_mode == CBC_DES) ? CBC : ECB;
227228662Sdim	dparm.des_dir = (argp->des_dir == ENCRYPT_DES) ? ENCRYPT : DECRYPT;
22826234Swpaul#ifdef BROKEN_DES
22926234Swpaul	dparm.UDES.UDES_buf = argp->desbuf.desbuf_val;
23026234Swpaul#endif
23126234Swpaul
23226703Swpaul	/*
23326703Swpaul	 * XXX This compensates for a bug in the libdes Secure RPC
23426703Swpaul	 * compat interface. (Actually, there are a couple.) The
23526703Swpaul	 * des_ecb_encrypt() routine in libdes only encrypts 8 bytes
23626703Swpaul	 * (64 bits) at a time. However, the Sun Secure RPC ecb_crypt()
23726703Swpaul	 * routine is supposed to be able to handle buffers up to 8Kbytes.
23826703Swpaul	 * The rpc_enc module in libdes ignores this fact and just drops
23926703Swpaul	 * the length parameter on the floor, encrypting only the
24026703Swpaul	 * first 64 bits of whatever buffer you feed it. We deal with
24126703Swpaul	 * this here: if we're using DES encryption, and we're using
24226703Swpaul	 * ECB mode, then we make a pass over the entire buffer
24326703Swpaul	 * ourselves. Note: the rpc_enc module incorrectly transposes
24426703Swpaul	 * the mode flags, so when you ask for CBC mode, you're really
24526703Swpaul	 * getting ECB mode.
24626703Swpaul	 */
24726703Swpaul#ifdef BROKEN_DES
24826703Swpaul	if (_my_crypt != &_arcfour_crypt && argp->des_mode == CBC) {
24926703Swpaul#else
25026703Swpaul	if (_my_crypt != &_arcfour_crypt && argp->des_mode == ECB) {
25126703Swpaul#endif
25226703Swpaul		int			i;
25326703Swpaul		char			*dptr;
25426703Swpaul
25526703Swpaul		for (i = 0; i < argp->desbuf.desbuf_len / 8; i++) {
25626703Swpaul			dptr = argp->desbuf.desbuf_val;
25726703Swpaul			dptr += (i * 8);
25826703Swpaul#ifdef BROKEN_DES
25926703Swpaul			dparm.UDES.UDES_buf = dptr;
26026703Swpaul#endif
26126703Swpaul			result.stat = _my_crypt(dptr, 8, &dparm);
26226703Swpaul		}
26326703Swpaul	} else {
26426703Swpaul		result.stat = _my_crypt(argp->desbuf.desbuf_val,
26526703Swpaul					argp->desbuf.desbuf_len,
26626703Swpaul					&dparm);
26726703Swpaul	}
26826703Swpaul
26926234Swpaul	if (result.stat == DESERR_NONE || result.stat == DESERR_NOHWDEVICE) {
27026234Swpaul		bcopy(dparm.des_ivec, result.des_ivec, 8);
27126234Swpaul		result.desbuf.desbuf_len = argp->desbuf.desbuf_len;
27226234Swpaul		result.desbuf.desbuf_val = argp->desbuf.desbuf_val;
27326234Swpaul	}
27426234Swpaul
27526234Swpaul	return (&result);
27626234Swpaul}
277