[Openvas-commits] r466 - in trunk/openvas-libnasl: . nasl test

scm-commit@wald.intevation.org scm-commit at wald.intevation.org
Mon Oct 29 12:04:21 CET 2007


Author: bh
Date: 2007-10-29 12:04:20 +0100 (Mon, 29 Oct 2007)
New Revision: 466

Modified:
   trunk/openvas-libnasl/ChangeLog
   trunk/openvas-libnasl/nasl/nasl_crypto2.c
   trunk/openvas-libnasl/test/test_blowfish.nasl
Log:
* test/test_blowfish.nasl (test_bf_cbc_encrypt): New parameter
variant so that multiple calls can be distinguished in the output.
There's a new test now for keys longer than 16 bytes and ivs
longer than 8 bytes.

* nasl/nasl_crypto2.c (nasl_bf_cbc): Make it behave more like the
original OpenSSL based implementation.  Now it's OK to pass in a
key longer than 16 bytes and an iv longer than 8 bytes.  However
only the first 16 bytes of the key and the first 8 bytes of the iv are
actually used.  Using shorter keys/ivs is still an error.


Modified: trunk/openvas-libnasl/ChangeLog
===================================================================
--- trunk/openvas-libnasl/ChangeLog	2007-10-29 09:25:04 UTC (rev 465)
+++ trunk/openvas-libnasl/ChangeLog	2007-10-29 11:04:20 UTC (rev 466)
@@ -1,3 +1,16 @@
+2007-10-29  Bernhard Herzog  <bh at intevation.de>
+
+	* test/test_blowfish.nasl (test_bf_cbc_encrypt): New parameter
+	variant so that multiple calls can be distinguished in the output.
+	There's a new test now for keys longer than 16 bytes and ivs
+	longer 8 bytes.
+
+	* nasl/nasl_crypto2.c (nasl_bf_cbc): Make if behave more like the
+	original OpenSSL based implementation.  Now it's OK to pass in a
+	key longer than 16 bytes and an iv longer than 8 bytes.  However
+	only first 16 bytes of the key and first 8 bytes of the iv are
+	actually used.  Using shorter keys/ivs is still an error.
+
 2007-10-26  Bernhard Herzog  <bh at intevation.de>
 
 	* nasl/nasl_crypto2.c (nasl_rsa_public_decrypt): Pass the

Modified: trunk/openvas-libnasl/nasl/nasl_crypto2.c
===================================================================
--- trunk/openvas-libnasl/nasl/nasl_crypto2.c	2007-10-29 09:25:04 UTC (rev 465)
+++ trunk/openvas-libnasl/nasl/nasl_crypto2.c	2007-10-29 11:04:20 UTC (rev 466)
@@ -1081,14 +1081,28 @@
 
   if ( enckey == NULL || data == NULL || iv == NULL )
 	goto fail;
-  if (enckeylen != 16)
+  if (enckeylen < 16)
     {
-      /* key length must be 16 for compatibility with libnasl code from
-       * before the OpenSSL -> GnuTLS migration */
-      nasl_perror(lexic, "nasl_bf_cbc: unexpected enckeylen = %d; must be 16\n",
+      /* key length must be at least 16 for compatibility with libnasl
+       * code from before the OpenSSL -> GnuTLS migration */
+      nasl_perror(lexic,
+		  "nasl_bf_cbc: unexpected enckeylen = %d; must be >= 16\n",
 		  enckeylen);
       goto fail;
     }
+#if 0
+  else if (enckeylen > 16)
+    {
+      /* Ideally we would warn about this.  However, the old OpenSSL
+       * based code also silently used only the first 16 bytes and this
+       * function is actually called from ssh_funcs.inc with keys longer
+       * than 16 bytes for some reason */
+      nasl_perror(lexic,
+		  "nasl_bf_cbc: unexpected enckeylen = %d;"
+		  " will only use the first 16 bytes\n",
+		  enckeylen);
+    }
+#endif
   if (ivlen < 8)
     {
       nasl_perror(lexic, "nasl_bf_cbc: unexpected ivlen = %d; must >= 8\n",
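Review bot: The `#if 0` block added after the `enckeylen < 16` guard is dead code that will drift from the live check as the function evolves; its rationale belongs in the comment on the guard and the block itself should be dropped. With the warning disabled, a caller that passes a longer key gets only its first 16 bytes used with no diagnostic at all, so that contract should be stated where script authors and maintainers will see it, e.g. at the top of nasl_bf_cbc: `/* Only the first 16 bytes of enckey and the first 8 bytes of iv are used; longer values are accepted for compatibility with the pre-GnuTLS OpenSSL implementation and with the callers in ssh_funcs.inc. */`. If the warning is wanted later, a build-time option or a debug-level log line would serve better than code under `#if 0`. The enclosing function begins before this hunk and continues after it.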
@@ -1109,13 +1123,19 @@
       goto fail;
     }
 
-  err = gcry_cipher_setkey(hd, enckey, enckeylen);
+  /* Always pass 16 as the length of enckey.  The old OpenSSL based code
+   * did this explicitly.  The length cannot be < 16 at this point
+   * because we checked for this case above. */
+  err = gcry_cipher_setkey(hd, enckey, 16);
   if (err)
     {
       print_gcrypt_error(lexic, "gcry_cipher_setkey", err);
       goto fail;
     }
-  err = gcry_cipher_setiv(hd, iv, ivlen);
+  /* Always pass 8 as the length of iv.  The old OpenSSL based code did
+   * this implicitly.  The length cannot be < 8 at this point because we
+   * checked for this case above. */
+  err = gcry_cipher_setiv(hd, iv, 8);
   if (err)
     {
       print_gcrypt_error(lexic, "gcry_cipher_setiv", err);
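Review bot: The lengths 16 and 8 now appear as bare literals both in the guards in the previous hunk and in the `gcry_cipher_setkey` / `gcry_cipher_setiv` calls here, with the new comments serving only to tie those occurrences together; naming them once keeps the check and the call from drifting apart. Suggest `enum { NASL_BF_KEY_LEN = 16, NASL_BF_IV_LEN = 8 };` at file scope or the top of the function, then `err = gcry_cipher_setkey(hd, enckey, NASL_BF_KEY_LEN);` and `err = gcry_cipher_setiv(hd, iv, NASL_BF_IV_LEN);`, with the `< 16` / `< 8` guards and their messages using the same names. The enclosing function starts and ends outside this hunk.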

Modified: trunk/openvas-libnasl/test/test_blowfish.nasl
===================================================================
--- trunk/openvas-libnasl/test/test_blowfish.nasl	2007-10-29 09:25:04 UTC (rev 465)
+++ trunk/openvas-libnasl/test/test_blowfish.nasl	2007-10-29 11:04:20 UTC (rev 466)
@@ -1,8 +1,9 @@
-function test_bf_cbc_encrypt(key, iv, data, expected_enc, expected_iv)
+function test_bf_cbc_encrypt(key, iv, data, expected_enc, expected_iv,
+			     variant)
 {
   local_var enc;
 
-  testcase_start("test_bf_cbc_encrypt");
+  testcase_start("test_bf_cbc_encrypt " + variant);
 
   enc = bf_cbc_encrypt(key:key, iv:iv, data:data);
   if (enc[0] == expected_enc && hexstr(enc[1]) == expected_iv)
@@ -41,7 +42,8 @@
 			 0x1c, 0xe0, 0x1f, 0x0b, 0x0d, 0x7d, 0x68, 0x31,
 			 0x09, 0x44, 0xab, 0x3b, 0x17, 0x9d, 0x18, 0x15);
 
-test_bf_cbc_encrypt(key:"0123456789abcdef", iv:"00000000",
+test_bf_cbc_encrypt(variant:"standard lengths",
+		    key:"0123456789abcdef", iv:"00000000",
 		    data:clear_text,
 		    expected_enc:cipher_text,
 		    expected_iv:"0944ab3b179d1815");
@@ -49,3 +51,22 @@
 		    data:cipher_text,
 		    expected_dec:clear_text,
 		    expected_iv:"0944ab3b179d1815");
+test_bf_cbc_encrypt(variant:"long key and iv",
+		    key:raw_string(0x74, 0x39, 0xbf, 0x6a, 0x61, 0x99, 0xe2,
+				   0x1b, 0xd4, 0xa3, 0x53, 0xcc, 0x55, 0x11,
+				   0x26, 0x55, 0xc5, 0x80, 0x03, 0xbb),
+		    iv:raw_string(0x28, 0x42, 0x42, 0x36, 0xfb, 0x93, 0xa2,
+				  0x4a, 0x59, 0x67, 0x74, 0xfc, 0x78, 0xf7,
+				  0xb6, 0xcf, 0xad, 0x3e, 0xb7, 0x60),
+		    data:raw_string(0x00, 0x00, 0x00, 0x1c, 0x0a, 0x05, 0x00,
+				    0x00, 0x00, 0x0c, 0x73, 0x73, 0x68, 0x2d,
+				    0x75, 0x73, 0x65, 0x72, 0x61, 0x75, 0x74,
+				    0x68, 0x29, 0xf8, 0xaa, 0x18, 0xcf, 0x29,
+				    0xa3, 0x39, 0x10, 0x65),
+		    expected_enc:raw_string(0x56, 0x0e, 0x45, 0x31, 0x14, 0x5c,
+					    0xfe, 0x93, 0x66, 0x3a, 0xcd, 0x3a,
+					    0x5f, 0x2b, 0xc9, 0xac, 0x22, 0xa0,
+					    0x52, 0xb3, 0xec, 0xc6, 0x90, 0x6e,
+					    0xb0, 0x8b, 0xeb, 0x69, 0xcf, 0xaa,
+					    0x78, 0x42),
+		    expected_iv:"b08beb69cfaa7842");
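Review bot: The new "long key and iv" case exercises only bf_cbc_encrypt; the decrypt call just above this hunk (the one with `expected_dec`) still uses standard-length inputs, so the truncation behaviour on the decrypt path is untested. If bf_cbc_decrypt goes through the same nasl_bf_cbc code — which the ChangeLog entry suggests but this hunk cannot confirm — add a matching decrypt case that feeds the 32-byte `expected_enc` above back in with the same 20-byte key and iv and expects the original `data` and `expected_iv:"b08beb69cfaa7842"`. The decrypt test helper does not appear to have received the `variant` parameter that this file's first hunk adds to test_bf_cbc_encrypt; giving it the same parameter would keep its output distinguishable once it has more than one case.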


