[5691] in Kerberos
cns/krb4: suspicious code in des_cbc_encrypt()
daemon@ATHENA.MIT.EDU (Dieter Dworkin Muller)
Sat Aug 12 18:20:03 1995
To: kerberos@MIT.EDU
Date: 12 Aug 1995 15:58:20 -0600
From: dworkin@village.org (Dieter Dworkin Muller)
-----BEGIN PGP SIGNED MESSAGE-----
I'm in the process of trying to get the Cygnus Kerb4 package to pass
lint and gcc -Wall, as part of trying to get it to work on DEC Alpha
systems. As a result, I've run across a suspicious bit of code and
commentary in cbc_noop.c:des_cbc_encrypt():
[...]
#ifdef notdef
/* do the xor for cbc into the temp */
t_input[0] ^= t_output[0] ;
t_input[1] ^= t_output[1] ;
/* encrypt */
#endif
/* NO xor for debugging */
/* encrypt */
des_ecb_encrypt(t_input,t_output,key,encrypt);
/* copy temp output and save it for cbc */
[...]
This looks to me like someone was doing some debugging, and
didn't remember to put things back when they were done. (Putting
back, in this case, would be removing the #ifdef, #endif, and
`NO xor' lines).
My question is: is my reading of the code and commentary correct?
If so, what is broken by not doing the xor? What will break if it
is enabled again? As an inference, this means that when you ask
for cbc encryption, you really only get ecb encryption.
Constructive comments and suggestions would be most welcome. If
there's already a version of the Cygnus Kerberos4 that's been cleaned
up, or if there's a cleaned up Kerberos5 with the same functionality,
I'd love to hear about that, too.
Thanks!
Dworkin
***dworkin@village.org -- finger for public PGP key
***Cthulhu for President -- when you're tired of the LESSER of two evils.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQDUAwUBMC0jmfnQrJ/jCeehAQHI+gXyAtZQALCttyyQfLPAg4GqqkHOfVlA3ZCO
XGR9OG8Htcn9zjPmpN7zCGhFruSM8CRDbCwlYylhYd0Wq9YPVYPlm7w1DKi/ZzYn
ZAAPApLrZc8CrW+ApngkafueEEAhmCuCaY1zYm3g9YnElFcM4/hIq3vZu3i0BPjo
kAQYxXFwXcp7PqJxdZRYRvnANjZGScojAFXFjd/RkwAfYlrel6AfNLsXjcaHlj93
OU3IHjt7SlVFswHRPFbUslksOwLkrB0=
=0mx1
-----END PGP SIGNATURE-----
