Problem solved - NetBSD kernel's DES implementation broken

VaX#n8 vax at carolina.rr.com
Mon May 17 06:49:05 EDT 2004 

Nevermind my previous message.  The NetBSD kernel's des_set_key is hosed.
The key schedule is not correctly written to, and subkeys are left
uninitialized.  It appears that someone changed the key schedule
organization and didn't change the code that rights to it.
(They added the weak_key field but forgot to account for that in des_set_key).

This code proves it (compile with -I/sys):

#include <stdio.h>
#include <stdlib.h>
#include <err.h>
#include <strings.h>
#include <sys/malloc.h>
#include <crypto/des/des.h>

int main() {
	des_key_schedule ks;
	int i, j;
	const char *kptr = calloc(1, sizeof(des_cblock));
    unsigned char *p;


	des_set_key_unchecked ((des_cblock *)kptr, ks);

for (j = 0; j<(sizeof(des_key_schedule)/sizeof(struct des_ks_struct)); j++) {
	for (i = 0; i < sizeof(des_cblock); i++) printf("%02x", ks[j].ks.cblock[i]);
	printf(", ");
    p = (char *) &ks[j].weak_key;
	for (i = 0; i < sizeof(int); i++) printf("%02x", p[i]);
	printf("\n");
}

	printf("\n");
	bzero(ks, sizeof(des_key_schedule));

	des_set_key_unchecked ((des_cblock *)kptr, ks);

for (j = 0; j<(sizeof(des_key_schedule)/sizeof(struct des_ks_struct)); j++) {
	for (i = 0; i < sizeof(des_cblock); i++) printf("%02x", ks[j].ks.cblock[i]);
	printf(", ");
    p = (char *) &ks[j].weak_key;
	for (i = 0; i < sizeof(int); i++) printf("%02x", p[i]);
	printf("\n");
}

    exit(0);
}

Sample output:

0000000000000000, 00000000
0000000000000000, 00000000
0000000000000000, 00000000
0000000000000000, 00000000
0000000000000000, 00000000
0000000000000000, 00000000
0000000000000000, 00000000
0000000000000000, 00000000
0000000000000000, 00000000
0000000000000000, 00000000
0000000000000000, 1f000000
1f000000ecb8bfbf, 00720548
7c85040870aa0408, 07090000
000000002e850408, 58aa0408
40a90408ecb8bfbf, 1f000000
1f000000ecb8bfbf, 98b8bfbf

0000000000000000, 00000000
0000000000000000, 00000000
0000000000000000, 00000000
0000000000000000, 00000000
0000000000000000, 00000000
0000000000000000, 00000000
0000000000000000, 00000000
0000000000000000, 00000000
0000000000000000, 00000000
0000000000000000, 00000000
0000000000000000, 00000000
0000000000000000, 00000000
0000000000000000, 00000000
0000000000000000, 00000000
0000000000000000, 00000000
0000000000000000, 00000000

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list