picky-krb 0.12.3

Encode/decode Kerberos ASN.1 DER structs
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160

//! [Encryption and Checksum Specifications for Kerberos 5](https://datatracker.ietf.org/doc/html/rfc3961)
//! This RFC contains key derivation algorithm for triple DES
//!
//! [DES-Based Encryption and Checksum Types](https://datatracker.ietf.org/doc/html/rfc3961#section-6.2)
//! This sections contains explanation and pseudo code of the implemented functions

use crate::crypto::nfold::n_fold;
use crate::crypto::{KERBEROS, KerberosCryptoError, KerberosCryptoResult};

use super::encrypt::encrypt_des;
use super::{DES3_BLOCK_SIZE, DES3_KEY_SIZE, DES3_SEED_LEN};

// weak keys from https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-67r1.pdf
const WEAK_KEYS: [[u8; 8]; 4] = [
    [0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01],
    [0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE],
    [0xE0, 0xE0, 0xE0, 0xE0, 0xF1, 0xF1, 0xF1, 0xF1],
    [0x1F, 0x1F, 0x1F, 0x1F, 0x0E, 0x0E, 0x0E, 0x0E],
];

const SEMI_WEAK_KEYS: [[u8; 8]; 12] = [
    [0x01, 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E],
    [0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E, 0x01],
    [0x01, 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1],
    [0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1, 0x01],
    [0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE],
    [0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01, 0xFE, 0x01],
    [0x1F, 0xE0, 0x1F, 0xE0, 0x0E, 0xF1, 0x0E, 0xF1],
    [0xE0, 0x1F, 0xE0, 0x1F, 0xF1, 0x0E, 0xF1, 0x0E],
    [0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E, 0xFE],
    [0xFE, 0x1F, 0xFE, 0x1F, 0xFE, 0x0E, 0xFE, 0x0E],
    [0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1, 0xFE],
    [0xFE, 0xE0, 0xFE, 0xE0, 0xFE, 0xF1, 0xFE, 0xF1],
];

pub fn derive_key(key: &[u8], well_known: &[u8]) -> KerberosCryptoResult<Vec<u8>> {
    if key.len() != DES3_KEY_SIZE {
        return Err(KerberosCryptoError::KeyLength(key.len(), DES3_KEY_SIZE));
    }

    let mut n_fold_usage = n_fold(well_known, DES3_BLOCK_SIZE * 8);

    let key_len = DES3_SEED_LEN;
    let mut out = Vec::with_capacity(key_len);

    while out.len() < key_len {
        n_fold_usage = encrypt_des(key, &n_fold_usage)?;
        out.extend_from_slice(&n_fold_usage);
    }

    Ok(random_to_key(&out))
}

fn fix_weak_key(mut key: Vec<u8>) -> Vec<u8> {
    if weak(&key) {
        key[7] ^= 0xF0;
    }

    key
}

fn weak(key: &[u8]) -> bool {
    for weak_key in WEAK_KEYS {
        if weak_key == key {
            return true;
        }
    }

    for weak_key in SEMI_WEAK_KEYS {
        if weak_key == key {
            return true;
        }
    }

    false
}

fn calc_even_parity(mut b: u8) -> (u8, u8) {
    let lowestbit = b & 0x01;
    let mut c = 0;

    for p in 1..8 {
        let v = b & (1 << p);
        if v != 0 {
            c += 1;
        }
    }

    if c % 2 == 0 {
        b |= 1;
    } else {
        b &= !1;
    }

    (lowestbit, b)
}

fn stretch_56_bits(key: &[u8]) -> Vec<u8> {
    let mut d = key.to_vec();

    let mut lb: u8 = 0;

    for (i, value) in d.iter_mut().enumerate() {
        let (bv, nb) = calc_even_parity(*value);
        *value = nb;
        if bv != 0 {
            lb |= 1 << (i + 1);
        } else {
            lb &= !(1 << (i + 1));
        }
    }

    let (_, lb) = calc_even_parity(lb);
    d.push(lb);

    d
}

pub fn random_to_key(key: &[u8]) -> Vec<u8> {
    let mut r = fix_weak_key(stretch_56_bits(&key[0..7]));

    let r2 = fix_weak_key(stretch_56_bits(&key[7..14]));
    r.extend_from_slice(&r2);

    let r3 = fix_weak_key(stretch_56_bits(&key[14..21]));
    r.extend_from_slice(&r3);

    r
}

//= [Triple DES Key Production](https://datatracker.ietf.org/doc/html/rfc3961#section-6.3.1) =//
pub fn derive_key_from_password<P: AsRef<[u8]>, S: AsRef<[u8]>>(password: P, salt: S) -> KerberosCryptoResult<Vec<u8>> {
    let mut secret = password.as_ref().to_vec();
    secret.extend_from_slice(salt.as_ref());

    let temp_key = random_to_key(&n_fold(&secret, DES3_SEED_LEN * 8));

    derive_key(&temp_key, KERBEROS)
}

#[cfg(test)]
mod tests {
    use crate::crypto::des::derive_key_from_password;

    #[test]
    fn test_derive_key_from_password() {
        let password = "5hYYSAfFJp";
        let salt = "EXAMPLE.COMtest1";

        let key = derive_key_from_password(password, salt).unwrap();

        assert_eq!(
            &[
                115, 248, 21, 32, 230, 42, 157, 138, 158, 254, 157, 145, 13, 110, 64, 107, 173, 206, 247, 93, 55, 146,
                167, 138
            ],
            key.as_slice()
        );
    }
}