Fix DES CFB-r.

crypto/des/cfb_enc.c

@@ -64,33 +64,22 @@
  * the second.  The second 12 bits will come from the 3rd and half the 4th
  * byte.
  */
+/* WARNING WARNING: this uses in and out in 8-byte chunks regardless of
+ * length */
+/* Until Aug 1 2003 this function did not correctly implement CFB-r, so it
+ * will not be compatible with any encryption prior to that date. Ben. */
 void DES_cfb_encrypt(const unsigned char *in, unsigned char *out, int numbits,
 		     long length, DES_key_schedule *schedule, DES_cblock *ivec,
 		     int enc)
 	{
 	register DES_LONG d0,d1,v0,v1,n=(numbits+7)/8;
-	register DES_LONG mask0,mask1;
 	register unsigned long l=length;
 	register int num=numbits;
 	DES_LONG ti[2];
 	unsigned char *iv;
+	unsigned char ovec[16];
 
 	if (num > 64) return;
-	if (num > 32)
-		{
-		mask0=0xffffffffL;
-		if (num == 64)
-			mask1=mask0;
-		else	mask1=(1L<<(num-32))-1;
-		}
-	else
-		{
-		if (num == 32)
-			mask0=0xffffffffL;
-		else	mask0=(1L<<num)-1;
-		mask1=0x00000000L;
-		}
-
 	iv = &(*ivec)[0];
 	c2l(iv,v0);
 	c2l(iv,v1);
@@ -104,8 +93,8 @@ void DES_cfb_encrypt(const unsigned char *in, unsigned char *out, int numbits,
 			DES_encrypt1((DES_LONG *)ti,schedule,DES_ENCRYPT);
 			c2ln(in,d0,d1,n);
 			in+=n;
-			d0=(d0^ti[0])&mask0;
+			d0^=ti[0];
-			d1=(d1^ti[1])&mask1;
+			d1^=ti[1];
 			l2cn(d0,d1,out,n);
 			out+=n;
 			/* 30-08-94 - eay - changed because l>>32 and
@@ -114,15 +103,25 @@ void DES_cfb_encrypt(const unsigned char *in, unsigned char *out, int numbits,
 				{ v0=v1; v1=d0; }
 			else if (num == 64)
 				{ v0=d0; v1=d1; }
-			else if (num > 32) /* && num != 64 */
+			else
 				{
-				v0=((v1>>(num-32))|(d0<<(64-num)))&0xffffffffL;
+				iv=&ovec[0];
-				v1=((d0>>(num-32))|(d1<<(64-num)))&0xffffffffL;
+				l2c(v0,iv);
+				l2c(v1,iv);
+				l2c(d0,iv);
+				l2c(d1,iv);
+				/* shift ovec left most of the bits... */
+				memmove(ovec,ovec+num/8,8+(num%8 ? 1 : 0));
+				/* now the remaining bits */
+				if(num%8 != 0)
+					for(n=0 ; n < 8 ; ++n)
+						{
+						ovec[n]<<=num%8;
+						ovec[n]|=ovec[n+1]>>(8-num%8);
 						}
-			else /* num < 32 */
+				iv=&ovec[0];
-				{
+				c2l(iv,v0);
-				v0=((v0>>num)|(v1<<(32-num)))&0xffffffffL;
+				c2l(iv,v1);
-				v1=((v1>>num)|(d0<<(32-num)))&0xffffffffL;
 				}
 			}
 		}
@@ -142,18 +141,28 @@ void DES_cfb_encrypt(const unsigned char *in, unsigned char *out, int numbits,
 				{ v0=v1; v1=d0; }
 			else if (num == 64)
 				{ v0=d0; v1=d1; }
-			else if (num > 32) /* && num != 64 */
+			else
 				{
-				v0=((v1>>(num-32))|(d0<<(64-num)))&0xffffffffL;
+				iv=&ovec[0];
-				v1=((d0>>(num-32))|(d1<<(64-num)))&0xffffffffL;
+				l2c(v0,iv);
-				}
+				l2c(v1,iv);
-			else /* num < 32 */
+				l2c(d0,iv);
+				l2c(d1,iv);
+				/* shift ovec left most of the bits... */
+				memmove(ovec,ovec+num/8,8+(num%8 ? 1 : 0));
+				/* now the remaining bits */
+				if(num%8 != 0)
+					for(n=0 ; n < 8 ; ++n)
 						{
-				v0=((v0>>num)|(v1<<(32-num)))&0xffffffffL;
+						ovec[n]<<=num%8;
-				v1=((v1>>num)|(d0<<(32-num)))&0xffffffffL;
+						ovec[n]|=ovec[n+1]>>(8-num%8);
 						}
-			d0=(d0^ti[0])&mask0;
+				iv=&ovec[0];
-			d1=(d1^ti[1])&mask1;
+				c2l(iv,v0);
+				c2l(iv,v1);
+				}
+			d0^=ti[0];
+			d1^=ti[1];
 			l2cn(d0,d1,out,n);
 			out+=n;
 			}

crypto/evp/c_allc.c

@@ -67,6 +67,8 @@ void OpenSSL_add_all_ciphers(void)
 
 #ifndef OPENSSL_NO_DES
 	EVP_add_cipher(EVP_des_cfb());
+	EVP_add_cipher(EVP_des_cfb1());
+	EVP_add_cipher(EVP_des_cfb8());
 	EVP_add_cipher(EVP_des_ede_cfb());
 	EVP_add_cipher(EVP_des_ede3_cfb());
 

crypto/evp/e_des.c

@@ -106,7 +106,7 @@ static int des_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 			   const unsigned char *in, unsigned int inl)
     {
     unsigned int n;
-    unsigned char c[1],d[1];
+    unsigned char c[8],d[8]; /* DES_cfb_encrypt rudely overwrites the whole buffer*/
 
     memset(out,0,(inl+7)/8);
     for(n=0 ; n < inl ; ++n)
@@ -114,7 +114,7 @@ static int des_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 	c[0]=(in[n/8]&(1 << (7-n%8))) ? 0x80 : 0;
 	DES_cfb_encrypt(c,d,1,1,ctx->cipher_data,(DES_cblock *)ctx->iv,
 			ctx->encrypt);
-	out[n/8]=(out[n/8]&~(1 << (7-n%8)))|((d[0]&0x80) >> (n%8));
+	out[n/8]=(out[n/8]&~(0x80 >> (n%8)))|((d[0]&0x80) >> (n%8));
 	}
 
     return 1;
@@ -123,8 +123,13 @@ static int des_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 static int des_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 			   const unsigned char *in, unsigned int inl)
     {
-    DES_cfb_encrypt(in,out,8,inl,ctx->cipher_data,(DES_cblock *)ctx->iv,
+    unsigned char *tmp; /* DES_cfb_encrypt rudely overwrites the whole buffer*/
+
+    tmp=alloca(inl);
+    memcpy(tmp,in,inl);
+    DES_cfb_encrypt(tmp,tmp,8,inl,ctx->cipher_data,(DES_cblock *)ctx->iv,
 		    ctx->encrypt);
+    memcpy(out,tmp,inl);
 
     return 1;
     }

crypto/evp/evptests.txt

@@ -269,6 +269,12 @@ DESX-CBC:0123456789abcdeff1e0d3c2b5a49786fedcba9876543210:fedcba9876543210:37363
 # DES EDE3 CBC tests (from destest)
 DES-EDE3-CBC:0123456789abcdeff1e0d3c2b5a49786fedcba9876543210:fedcba9876543210:37363534333231204E6F77206973207468652074696D6520666F722000000000:3FE301C962AC01D02213763C1CBD4CDC799657C064ECF5D41C673812CFDE9675
 
+# DES CFB1 from FIPS 81
+# plaintext: 0100 1110 0110 1111 0111 0111 = 4e6f77
+# ciphertext: 1100 1101 0001 1110 1100 1001 = cd1ec9
+
+DES-CFB1*8:0123456789abcdef:1234567890abcdef:4e6f77:cd1ec9
+
 # RC4 tests (from rc4test)
 RC4:0123456789abcdef0123456789abcdef::0123456789abcdef:75b7878099e0c596
 RC4:0123456789abcdef0123456789abcdef::0000000000000000:7494c2e7104b0879