author | Jack Lloyd <[email protected]> | 2019-08-26 11:24:04 -0400 |
committer | Jack Lloyd <[email protected]> | 2019-08-26 11:24:04 -0400 |
commit | 14ba8584069e927210bc5a1707f865746f6f93c6 (patch) | |
tree | c191d8e8c97c45f1a3506e11e0552b8eb6bccd99 | |
parent | 8a77591b2dccef8e5849fcefd214f3ae2f48ba6a (diff) |
Fix a bug in CAST-128 affecting 11, 13, 14, or 15 byte keys
With keys whose length is not a multiple of 4 bytes, the zero padding
bytes ended up in the wrong place. In the unlikely event anyone was
affected by this, they could just use the equivalent 16 byte key.
Closes #2081
-rw-r--r-- | news.rst | 3 | ||||
-rw-r--r-- | src/lib/block/cast128/cast128.cpp | 7 | ||||
-rw-r--r-- | src/tests/data/block/cast128.vec | 24 | ||||
-rw-r--r-- | src/tests/data/modes/cbc.vec | 6 |
4 files changed, 38 insertions, 2 deletions
@@ -10,6 +10,9 @@ Version 2.12.0, Not Yet Released * Support Argon2 outputs longer than 64 bytes (GH #2079 #2078) +* Correct a bug in CAST-128 which caused incorrect computation using + 11, 13, 14, or 15 byte keys. (GH #2081) + * In DTLS server, support a client crashing and then reconnecting from the same source port, as described in RFC 6347 sec 4.2.8 (GH #2029) diff --git a/src/lib/block/cast128/cast128.cpp b/src/lib/block/cast128/cast128.cpp index 7ed7aa5e7..c5b66992b 100644 --- a/src/lib/block/cast128/cast128.cpp +++ b/src/lib/block/cast128/cast128.cpp @@ -210,9 +210,12 @@ void CAST_128::key_schedule(const uint8_t key[], size_t length) m_MK.resize(48); m_RK.resize(48); + secure_vector<uint8_t> key16(16); + copy_mem(key16.data(), key, length); + secure_vector<uint32_t> X(4); - for(size_t i = 0; i != length; ++i) - X[i/4] = (X[i/4] << 8) + key[i]; + for(size_t i = 0; i != 4; ++i) + X[i] = load_be<uint32_t>(key16.data(), i); cast_ks(m_MK, X); diff --git a/src/tests/data/block/cast128.vec b/src/tests/data/block/cast128.vec index c10ebacc1..981f95f64 100644 --- a/src/tests/data/block/cast128.vec +++ b/src/tests/data/block/cast128.vec @@ -167,3 +167,27 @@ Key = 9F79CA83F4FDCCACA166BF18BF1B0CC2 In = 8420D1986EBBABFC Out = EAACBF83A093CB44 +# Generated by OpenSSL +Key = 4A2E8263369E38719BA401 +In = 5E22303EE1F763BF +Out = F5040CA81941BC73 + +Key = 4A2E8263369E38719BA401E5 +In = 5E22303EE1F763BF +Out = 789965F2DD2A0A36 + +Key = 4A2E8263369E38719BA401E5D4 +In = 5E22303EE1F763BF +Out = 94D97218D38611DA + +Key = 4A2E8263369E38719BA401E5D460 +In = 5E22303EE1F763BF +Out = AAB10DA344EC7D93 + +Key = 4A2E8263369E38719BA401E5D46099 +In = 5E22303EE1F763BF +Out = 0E8FB9776CEBE257 + +Key = 4A2E8263369E38719BA401E5D46099FE +In = 5E22303EE1F763BF +Out = B4DD9FBFCEC7EFDD diff --git a/src/tests/data/modes/cbc.vec b/src/tests/data/modes/cbc.vec index 0089d6170..9e8d3f5ce 100644 --- a/src/tests/data/modes/cbc.vec +++ b/src/tests/data/modes/cbc.vec 
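Review bot: In the cast128.cpp hunk, `copy_mem(key16.data(), key, length)` copies a caller-supplied number of bytes into a fixed 16-byte buffer, and nothing in the hunk bounds `length`; this is presumably safe only because the length has already been checked against the cipher's key specification before key_schedule is reached, which is outside this hunk. Stating that invariant locally would keep a future caller from turning it into an overflow, e.g. `BOTAN_ASSERT(length <= key16.size(), "CAST-128 key fits the padded buffer");` directly before the copy. As a point of style, the four-iteration loop that follows can be the single bulk call `load_be(X.data(), key16.data(), 4);`, which also makes the big-endian word layout of the padded key obvious at a glance. The opening and closing lines of key_schedule lie outside the hunk.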
@@ -5,6 +5,12 @@ Nonce = 1234567890ABCDEF In = 4E6F77206973207468652074696D6520666F7220616C6C20 Out = E5C7CDDE872BF27C43E934008C389C0F683788499A7C05F6 +[CAST-128/CBC/PKCS7] +Nonce = 38c269b1cd42dd27 +Key = 0ab0aabb24ff0105b6aa6d2820 +In = 2b2b2e511700010000000080ce0040d9 +Out = 93f6ffd533004f1daf352beba06817fcf26d99b910733321 + [DES/CBC/PKCS7] Key = 0123456789ABCDEF Nonce = 1234567890ABCDEF |