Implement DES ECB encrypt via EVP_CIPHER api

author Arne Schwabe <arne@rfc2549.org>

Fri, 29 Oct 2021 11:11:08 +0000 (13:11 +0200)

committer Gert Doering <gert@greenie.muc.de>

Fri, 5 Nov 2021 14:47:09 +0000 (15:47 +0100)
author Arne Schwabe <arne@rfc2549.org>
Fri, 29 Oct 2021 11:11:08 +0000 (13:11 +0200)
committer Gert Doering <gert@greenie.muc.de>
Fri, 5 Nov 2021 14:47:09 +0000 (15:47 +0100)
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c

index f4b209228cf3aacde0b3f14fa82bf7d0a469eadb..c43d18b9c1fe71fe0f7c91305e09b2e9a94b3463 100644 (file)
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -867,10 +867,44 @@ cipher_des_encrypt_ecb(const unsigned char key[DES_KEY_LENGTH],
                         unsigned char src[DES_KEY_LENGTH],
                         unsigned char dst[DES_KEY_LENGTH])
  {
-    DES_key_schedule sched;
+    /* We are using 3DES here with three times the same key to cheat
+     * and emulate DES as 3DES is better supported than DES */
+    EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
+    if (!ctx)
+    {
+        crypto_msg(M_FATAL, "%s: EVP_CIPHER_CTX_new() failed", __func__);
+    }
+
+    unsigned char key3[DES_KEY_LENGTH*3];
+    for (int i = 0;i < 3;i++)
+    {
+        memcpy(key3 + (i * DES_KEY_LENGTH), key, DES_KEY_LENGTH);
+    }
  
-    DES_set_key_unchecked((DES_cblock *)key, &sched);
-    DES_ecb_encrypt((DES_cblock *)src, (DES_cblock *)dst, &sched, DES_ENCRYPT);
+    if (!EVP_EncryptInit_ex(ctx, EVP_des_ede3_ecb(), NULL, key3, NULL))
+    {
+        crypto_msg(M_FATAL, "%s: EVP_EncryptInit_ex() failed", __func__);
+    }
+
+    int len;
+
+    /* The EVP_EncryptFinal method will write to the dst+len pointer even
+     * though there is nothing to encrypt anymore, provide space for that to
+     * not overflow the stack */
+    unsigned char dst2[DES_KEY_LENGTH * 2];
+    if(!EVP_EncryptUpdate(ctx, dst2, &len, src, DES_KEY_LENGTH))
+    {
+        crypto_msg(M_FATAL, "%s: EVP_EncryptUpdate() failed", __func__);
+    }
+
+    if (!EVP_EncryptFinal(ctx, dst2 + len, &len))
+    {
+        crypto_msg(M_FATAL, "%s: EVP_EncryptFinal() failed", __func__);
+    }
+
+    memcpy(dst, dst2, DES_KEY_LENGTH);
+
+    EVP_CIPHER_CTX_free(ctx);
  }
  
  /*
diff --git a/tests/unit_tests/openvpn/test_crypto.c b/tests/unit_tests/openvpn/test_crypto.c

index 66f53a02020b249e17be80bb09c7d5bd8ba8d186..d3ce2d6f59e4522d2326ea25cc5b8b2f09ec86de 100644 (file)
--- a/tests/unit_tests/openvpn/test_crypto.c
+++ b/tests/unit_tests/openvpn/test_crypto.c
@@ -212,6 +212,30 @@ crypto_test_hmac(void **state)
      hmac_ctx_free(hmac);
  }
  
+void
+test_des_encrypt(void **state)
+{
+    /* We have a small des encrypt method that is only for NTLMv1. This unit
+     * test ensures that it is not accidentally broken */
+
+    const unsigned char des_key[DES_KEY_LENGTH] = {0x42, 0x23};
+
+    const char *src = "MoinWelt";
+
+    /* cipher_des_encrypt_ecb wants a non const */
+    unsigned char *src2 = (unsigned char *) strdup(src);
+
+    unsigned char dst[DES_KEY_LENGTH];
+    cipher_des_encrypt_ecb(des_key, src2, dst);
+
+    const unsigned char dst_good[DES_KEY_LENGTH] = {0xd3, 0x8f, 0x61, 0xf7, 0xbe, 0x27, 0xb6, 0xa2};
+
+    assert_memory_equal(dst, dst_good, DES_KEY_LENGTH);
+
+    free(src2);
+}
+
+
  int
  main(void)
  {
@@ -219,7 +243,8 @@ main(void)
          cmocka_unit_test(crypto_pem_encode_decode_loopback),
          cmocka_unit_test(crypto_translate_cipher_names),
          cmocka_unit_test(crypto_test_tls_prf),
-        cmocka_unit_test(crypto_test_hmac)
+        cmocka_unit_test(crypto_test_hmac),
+        cmocka_unit_test(test_des_encrypt)
      };
  
  #if defined(ENABLE_CRYPTO_OPENSSL)
author	Arne Schwabe <arne@rfc2549.org>
	Fri, 29 Oct 2021 11:11:08 +0000 (13:11 +0200)
committer	Gert Doering <gert@greenie.muc.de>
	Fri, 5 Nov 2021 14:47:09 +0000 (15:47 +0100)
src/openvpn/crypto_openssl.c		patch \| blob \| blame \| history
tests/unit_tests/openvpn/test_crypto.c		patch \| blob \| blame \| history