Fix for DES_cfb_encrypt corrupting output buffer. This renders certain

code in corresponding EVP modules obsolete, which I remove at once.

crypto/des/cfb64ede.c

@@ -150,9 +150,9 @@ void DES_ede3_cfb_encrypt(const unsigned char *in,unsigned char *out,
 			  DES_key_schedule *ks2,DES_key_schedule *ks3,
 			  DES_cblock *ivec,int enc)
 	{
-	register DES_LONG d0,d1,v0,v1,n=(numbits+7)/8;
+	register DES_LONG d0,d1,v0,v1;
 	register unsigned long l=length;
-	register int num=numbits;
+	register int num=numbits,n=(numbits+7)/8,i;
 	DES_LONG ti[2];
 	unsigned char *iv;
 	unsigned char ovec[16];
@@ -192,10 +192,10 @@ void DES_ede3_cfb_encrypt(const unsigned char *in,unsigned char *out,
 				memmove(ovec,ovec+num/8,8+(num%8 ? 1 : 0));
 				/* now the remaining bits */
 				if(num%8 != 0)
-					for(n=0 ; n < 8 ; ++n)
+					for(i=0 ; i < 8 ; ++i)
 						{
-						ovec[n]<<=num%8;
-						ovec[n]|=ovec[n+1]>>(8-num%8);
+						ovec[i]<<=num%8;
+						ovec[i]|=ovec[i+1]>>(8-num%8);
 						}
 				iv=&ovec[0];
 				c2l(iv,v0);
@@ -230,10 +230,10 @@ void DES_ede3_cfb_encrypt(const unsigned char *in,unsigned char *out,
 				memmove(ovec,ovec+num/8,8+(num%8 ? 1 : 0));
 				/* now the remaining bits */
 				if(num%8 != 0)
-					for(n=0 ; n < 8 ; ++n)
+					for(i=0 ; i < 8 ; ++i)
 						{
-						ovec[n]<<=num%8;
-						ovec[n]|=ovec[n+1]>>(8-num%8);
+						ovec[i]<<=num%8;
+						ovec[i]|=ovec[i+1]>>(8-num%8);
 						}
 				iv=&ovec[0];
 				c2l(iv,v0);

crypto/des/cfb_enc.c

@@ -65,17 +65,15 @@
  * the second.  The second 12 bits will come from the 3rd and half the 4th
  * byte.
  */
-/* WARNING WARNING: this uses in and out in 8-byte chunks regardless of
- * length */
 /* Until Aug 1 2003 this function did not correctly implement CFB-r, so it
  * will not be compatible with any encryption prior to that date. Ben. */
 void DES_cfb_encrypt(const unsigned char *in, unsigned char *out, int numbits,
 		     long length, DES_key_schedule *schedule, DES_cblock *ivec,
 		     int enc)
 	{
-	register DES_LONG d0,d1,v0,v1,n=(numbits+7)/8;
+	register DES_LONG d0,d1,v0,v1;
 	register unsigned long l=length;
-	register int num=numbits;
+	register int num=numbits,n=(numbits+7)/8,i;
 	DES_LONG ti[2];
 	unsigned char *iv;
 	unsigned char ovec[16];
@@ -115,10 +113,10 @@ void DES_cfb_encrypt(const unsigned char *in, unsigned char *out, int numbits,
 				memmove(ovec,ovec+num/8,8+(num%8 ? 1 : 0));
 				/* now the remaining bits */
 				if(num%8 != 0)
-					for(n=0 ; n < 8 ; ++n)
+					for(i=0 ; i < 8 ; ++i)
 						{
-						ovec[n]<<=num%8;
-						ovec[n]|=ovec[n+1]>>(8-num%8);
+						ovec[i]<<=num%8;
+						ovec[i]|=ovec[i+1]>>(8-num%8);
 						}
 				iv=&ovec[0];
 				c2l(iv,v0);
@@ -153,10 +151,10 @@ void DES_cfb_encrypt(const unsigned char *in, unsigned char *out, int numbits,
 				memmove(ovec,ovec+num/8,8+(num%8 ? 1 : 0));
 				/* now the remaining bits */
 				if(num%8 != 0)
-					for(n=0 ; n < 8 ; ++n)
+					for(i=0 ; i < 8 ; ++i)
 						{
-						ovec[n]<<=num%8;
-						ovec[n]|=ovec[n+1]>>(8-num%8);
+						ovec[i]<<=num%8;
+						ovec[i]|=ovec[i+1]>>(8-num%8);
 						}
 				iv=&ovec[0];
 				c2l(iv,v0);

crypto/evp/e_des.c

@@ -56,9 +56,9 @@
  * [including the GNU Public Licence.]
  */
 
-#ifndef OPENSSL_NO_DES
 #include <stdio.h>
 #include "cryptlib.h"
+#ifndef OPENSSL_NO_DES
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include "evp_locl.h"
@@ -106,9 +106,8 @@ static int des_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 			   const unsigned char *in, unsigned int inl)
     {
     unsigned int n;
-    unsigned char c[8],d[8]; /* DES_cfb_encrypt rudely overwrites the whole buffer*/
+    unsigned char c[1],d[1];
 
-    memset(out,0,(inl+7)/8);
     for(n=0 ; n < inl ; ++n)
 	{
 	c[0]=(in[n/8]&(1 << (7-n%8))) ? 0x80 : 0;
@@ -116,21 +115,14 @@ static int des_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 			ctx->encrypt);
 	out[n/8]=(out[n/8]&~(0x80 >> (n%8)))|((d[0]&0x80) >> (n%8));
 	}
-
     return 1;
     }
 
 static int des_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 			   const unsigned char *in, unsigned int inl)
     {
-    unsigned char *tmp; /* DES_cfb_encrypt rudely overwrites the whole buffer*/
-
-    tmp=alloca(inl+7);
-    memcpy(tmp,in,inl);
-    DES_cfb_encrypt(tmp,tmp,8,inl,ctx->cipher_data,(DES_cblock *)ctx->iv,
+    DES_cfb_encrypt(in,out,8,inl,ctx->cipher_data,(DES_cblock *)ctx->iv,
 		    ctx->encrypt);
-    memcpy(out,tmp,inl);
-
     return 1;
     }
 

crypto/evp/e_des3.c

@@ -56,9 +56,9 @@
  * [including the GNU Public Licence.]
  */
 
-#ifndef OPENSSL_NO_DES
 #include <stdio.h>
 #include "cryptlib.h"
+#ifndef OPENSSL_NO_DES
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include "evp_locl.h"
@@ -136,9 +136,8 @@ static int des_ede3_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 				const unsigned char *in, unsigned int inl)
     {
     unsigned int n;
-    unsigned char c[8],d[8]; /* DES_cfb_encrypt rudely overwrites the whole buffer*/
+    unsigned char c[1],d[1];
 
-    memset(out,0,(inl+7)/8);
     for(n=0 ; n < inl ; ++n)
 	{
 	c[0]=(in[n/8]&(1 << (7-n%8))) ? 0x80 : 0;
@@ -154,15 +153,9 @@ static int des_ede3_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 static int des_ede3_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 				const unsigned char *in, unsigned int inl)
     {
-    unsigned char *tmp; /* DES_cfb_encrypt rudely overwrites the whole buffer*/
-
-    tmp=alloca(inl+7);
-    memcpy(tmp,in,inl);
-    DES_ede3_cfb_encrypt(tmp,tmp,8,inl,
+    DES_ede3_cfb_encrypt(in,out,8,inl,
 			 &data(ctx)->ks1,&data(ctx)->ks2,&data(ctx)->ks3,
 			 (DES_cblock *)ctx->iv,ctx->encrypt);
-    memcpy(out,tmp,inl);
-
     return 1;
     }