Commit 649cdb7b authored by Ben Laurie's avatar Ben Laurie

Fix major cockup with short keys in CAST-128.

parent fdd3b642
+10 −0
@@ -5,6 +5,16 @@

 Changes between 0.9.1c and 0.9.2

  *) CAST-128 was incorrectly implemented for short keys. The C version has
     been fixed, but is untested. The assembler versions are also fixed, but
     new assembler HAS NOT BEEN GENERATED FOR WIN32 - the Makefile needs fixing
     to regenerate it if needed.
     [Ben Laurie, reported (with fix for C version) by Jun-ichiro itojun
      Hagino <itojun@kame.net>]

  *) File was opened incorrectly in randfile.c.
     [Ulf Möller <ulf@fitug.de>]

  *) Beginning of support for GeneralizedTime. d2i, i2d, check and print
     functions. Also ASN1_TIME suite which is a CHOICE of UTCTime or
     GeneralizedTime. ASN1_TIME is the proper type used in certificates et
+1 −1
@@ -66,7 +66,7 @@ asm/cx86-out.o: asm/cx86unix.cpp
asm/cx86bsdi.o: asm/cx86unix.cpp
	$(CPP) -DBSDI asm/cx86unix.cpp | sed 's/ :/:/' | as -o asm/cx86bsdi.o

asm/cx86unix.cpp:
asm/cx86unix.cpp: asm/cast-586.pl
	(cd asm; perl cast-586.pl cpp >cx86unix.cpp)

files:
+135 −127
@@ -32,8 +32,7 @@ $S4="CAST_S_table3";

&asm_finish();

sub CAST_encrypt
	{
sub CAST_encrypt {
    local($name,$enc)=@_;

    local($win_ex)=<<"EOF";
@@ -42,7 +41,7 @@ EXTERN _CAST_S_table1:DWORD
EXTERN	_CAST_S_table2:DWORD
EXTERN	_CAST_S_table3:DWORD
EOF
	&main'external_label(
    &main::external_label(
			  "CAST_S_table0",
			  "CAST_S_table1",
			  "CAST_S_table2",
@@ -64,12 +63,20 @@ EOF
    &mov($L,&DWP(0,$tmp2,"",0));
    &mov($R,&DWP(4,$tmp2,"",0));

    &comment('Get short key flag');
    &mov($tmp3,&DWP(128,$K,"",0));
    if($enc) {
	&push($tmp3);
    } else {
	&or($tmp3,$tmp3);
	&jnz(&label('cast_dec_skip'));
    }

    &xor($tmp3,	$tmp3);

    # encrypting part

	if ($enc)
		{
    if ($enc) {
	&E_CAST( 0,$S,$L,$R,$K,@F1,$tmp1,$tmp2,$tmp3,$tmp4);
	&E_CAST( 1,$S,$R,$L,$K,@F2,$tmp1,$tmp2,$tmp3,$tmp4);
	&E_CAST( 2,$S,$L,$R,$K,@F3,$tmp1,$tmp2,$tmp3,$tmp4);
@@ -82,17 +89,20 @@ EOF
	&E_CAST( 9,$S,$R,$L,$K,@F1,$tmp1,$tmp2,$tmp3,$tmp4);
	&E_CAST(10,$S,$L,$R,$K,@F2,$tmp1,$tmp2,$tmp3,$tmp4);
	&E_CAST(11,$S,$R,$L,$K,@F3,$tmp1,$tmp2,$tmp3,$tmp4);
	&comment('test short key flag');
	&pop($tmp4);
	&or($tmp4,$tmp4);
	&jnz(&label('cast_enc_done'));
	&E_CAST(12,$S,$L,$R,$K,@F1,$tmp1,$tmp2,$tmp3,$tmp4);
	&E_CAST(13,$S,$R,$L,$K,@F2,$tmp1,$tmp2,$tmp3,$tmp4);
	&E_CAST(14,$S,$L,$R,$K,@F3,$tmp1,$tmp2,$tmp3,$tmp4);
		&E_CAST(15,$S,$R,$L,$K,@F1,$tmp1,$tmp2,$tmp3,$tmp4,1);
		}
	else
		{
	&E_CAST(15,$S,$R,$L,$K,@F1,$tmp1,$tmp2,$tmp3,$tmp4);
    } else {
	&E_CAST(15,$S,$L,$R,$K,@F1,$tmp1,$tmp2,$tmp3,$tmp4);
	&E_CAST(14,$S,$R,$L,$K,@F3,$tmp1,$tmp2,$tmp3,$tmp4);
	&E_CAST(13,$S,$L,$R,$K,@F2,$tmp1,$tmp2,$tmp3,$tmp4);
	&E_CAST(12,$S,$R,$L,$K,@F1,$tmp1,$tmp2,$tmp3,$tmp4);
	&set_label('cast_dec_skip');
	&E_CAST(11,$S,$L,$R,$K,@F3,$tmp1,$tmp2,$tmp3,$tmp4);
	&E_CAST(10,$S,$R,$L,$K,@F2,$tmp1,$tmp2,$tmp3,$tmp4);
	&E_CAST( 9,$S,$L,$R,$K,@F1,$tmp1,$tmp2,$tmp3,$tmp4);
@@ -104,30 +114,31 @@ EOF
	&E_CAST( 3,$S,$L,$R,$K,@F1,$tmp1,$tmp2,$tmp3,$tmp4);
	&E_CAST( 2,$S,$R,$L,$K,@F3,$tmp1,$tmp2,$tmp3,$tmp4);
	&E_CAST( 1,$S,$L,$R,$K,@F2,$tmp1,$tmp2,$tmp3,$tmp4);
		&E_CAST( 0,$S,$R,$L,$K,@F1,$tmp1,$tmp2,$tmp3,$tmp4,1);
	&E_CAST( 0,$S,$R,$L,$K,@F1,$tmp1,$tmp2,$tmp3,$tmp4);
    }

    &set_label('cast_enc_done') if $enc;
# Why the nop? - Ben 17/1/99
    &nop();
    &mov($tmp3,&wparam(0));
    &mov(&DWP(4,$tmp3,"",0),$L);
    &mov(&DWP(0,$tmp3,"",0),$R);
    &function_end($name);
}

sub E_CAST
	{
	local($i,$S,$L,$R,$K,$OP1,$OP2,$OP3,$tmp1,$tmp2,$tmp3,$tmp4,$lst)=@_;
sub E_CAST {
    local($i,$S,$L,$R,$K,$OP1,$OP2,$OP3,$tmp1,$tmp2,$tmp3,$tmp4)=@_;
    # Ri needs to have 16 pre added.

    &comment("round $i");
    &mov(	$tmp4,		&DWP($i*8,$K,"",1));

	&mov(	$tmp1,		&DWP($i*8+4,$K,"",1));# must be word
    &mov(	$tmp1,		&DWP($i*8+4,$K,"",1));
    &$OP1(	$tmp4,		$R);

    &rotl(	$tmp4,		&LB($tmp1));

	if ($ppro)
		{
    if ($ppro) {
	&mov(	$tmp2,		$tmp4);		# B
	&xor(	$tmp1,		$tmp1);
	
@@ -136,9 +147,7 @@ sub E_CAST

	&shr(	$tmp4,		16); 		#
	&xor(	$tmp3,		$tmp3);
		}
	else
		{
    } else {
	&mov(	$tmp2,		$tmp4);		# B
	&movb(	&LB($tmp1),	&HB($tmp4));	# A	# BAD BAD BAD
	
@@ -159,7 +168,6 @@ sub E_CAST
    &mov(	$tmp2,		&DWP($S4,"",$tmp4,4));

    &$OP1(	$tmp1,		$tmp2);
	 &mov($tmp3,&wparam(0)) if $lst;
    # XXX

    &xor(	$L,		$tmp1);
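Review bot: The short-key flag is fetched with a bare literal offset, `&mov($tmp3,&DWP(128,$K,"",0));`, so the generated assembler depends on `short_key` lying exactly 128 bytes into `CAST_KEY`, and nothing on this page ties that number to the C structure. A comment on that line, for example `# 128 = byte offset of short_key in CAST_KEY; must track the C struct`, would make the coupling visible to whoever next changes the key layout. In the decrypt branch the `&jnz(&label('cast_dec_skip'))` also jumps past `&xor($tmp3,$tmp3)`, so round 11 is entered with the flag still in `$tmp3`; the `$ppro` branch of E_CAST clears the register itself, but the `else` branch is only partly shown, so it is worth confirming that path does not rely on a zeroed `$tmp3`. The encrypt branch keeps the flag on the stack across rounds 0–11, which works in the visible hunks because `&wparam(0)` is read only after the `&pop`, but that ordering constraint deserves a comment as well.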
+14 −8
@@ -81,10 +81,13 @@ CAST_KEY *key;
	E_CAST( 9,k,r,l,+,^,-);
	E_CAST(10,k,l,r,^,-,+);
	E_CAST(11,k,r,l,-,+,^);
	if(!k->short_key)
	    {
	    E_CAST(12,k,l,r,+,^,-);
	    E_CAST(13,k,r,l,^,-,+);
	    E_CAST(14,k,l,r,-,+,^);
	    E_CAST(15,k,r,l,+,^,-);
	    }

	data[1]=l&0xffffffffL;
	data[0]=r&0xffffffffL;
@@ -100,10 +103,13 @@ CAST_KEY *key;
	l=data[0];
	r=data[1];

	if(!k->short_key)
	    {
	    E_CAST(15,k,l,r,+,^,-);
	    E_CAST(14,k,r,l,-,+,^);
	    E_CAST(13,k,l,r,^,-,+);
	    E_CAST(12,k,r,l,+,^,-);
	    }
	E_CAST(11,k,l,r,-,+,^);
	E_CAST(10,k,r,l,^,-,+);
	E_CAST( 9,k,l,r,+,^,-);
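Review bot: Both new guards read `k->short_key`, yet the hunk headers show the function parameter as `CAST_KEY *key` and the same `k` is handed to every `E_CAST(...)` round as the subkey pointer; if `k` points at the subkey words rather than at the `CAST_KEY`, these lines will not compile and should read `if(!key->short_key)`. The declaration of `k` is outside both hunks, so this needs checking against the full file; the key-setup change in this same commit does use `key->short_key`. Since the changelog entry in this commit describes the C version as untested, a known-answer check with an 80-bit and a 40-bit key (RFC 2144 Appendix B lists both) would exercise exactly these two branches. Both function bodies begin and end outside the hunks.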
+4 −0
@@ -88,6 +88,10 @@ unsigned char *data;
	if (len > 16) len=16;
	for (i=0; i<len; i++)
		x[i]=data[i];
	if(len <= 10)
	    key->short_key=1;
	else
	    key->short_key=0;

	K= &k[0];
	X[0]=((x[ 0]<<24)|(x[ 1]<<16)|(x[ 2]<<8)|x[ 3])&0xffffffffL;
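Review bot: The literal in `if(len <= 10)` decides between 12 and 16 rounds but is unexplained; a comment such as `/* RFC 2144: keys of 80 bits (10 bytes) or less use 12 rounds */` would record where the threshold comes from, and the four-line if/else could be the single assignment `key->short_key=(len <= 10);`. Only the upper bound is clamped in the visible lines (`if (len > 16) len=16;`), so a length of zero, or one below the RFC's 40-bit minimum, is accepted and marked short; whether the function should reject such lengths is a design question, but the behaviour is worth documenting for callers. The function body starts and ends outside the hunk.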