Merge pull request #2038 from s3inlc/pkzip-fix-4

Fix uncompressed hash attack when being longer than MAX_LOCAL
pull/2040/head
Jens Steube 5 years ago committed by GitHub
commit a2dee17fc5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -409,13 +409,45 @@ KERNEL_FQ void m17210_sxx (KERN_ATTR_RULES_ESALT (pkzip_t))
// global memory from here
for (u32 i = MAX_LOCAL * 4; i < data_length; i++)
for (u32 j = MAX_LOCAL, i = MAX_LOCAL * 4; i < data_length; j++, i += 4)
{
update_key3 (key2, key3);
plain = esalt_bufs[digests_offset].hash.data[i] ^ key3;
update_key012 (key0, key1, key2, plain, l_crc32tab);
next = esalt_bufs[digests_offset].hash.data[j];
crc = CRC32 (crc, plain, l_crc32tab);
if (data_length >= (i + 1))
{
update_key3 (key2, key3);
plain = unpack_v8a_from_v32_S (next) ^ key3;
update_key012 (key0, key1, key2, plain, l_crc32tab);
crc = CRC32 (crc, plain, l_crc32tab);
}
if (data_length >= (i + 2))
{
update_key3 (key2, key3);
plain = unpack_v8b_from_v32_S (next) ^ key3;
update_key012 (key0, key1, key2, plain, l_crc32tab);
crc = CRC32 (crc, plain, l_crc32tab);
}
if (data_length >= (i + 3))
{
update_key3 (key2, key3);
plain = unpack_v8c_from_v32_S (next) ^ key3;
update_key012 (key0, key1, key2, plain, l_crc32tab);
crc = CRC32 (crc, plain, l_crc32tab);
}
if (data_length >= (i + 4))
{
update_key3 (key2, key3);
plain = unpack_v8d_from_v32_S (next) ^ key3;
update_key012 (key0, key1, key2, plain, l_crc32tab);
crc = CRC32 (crc, plain, l_crc32tab);
}
}
const u32 r0 = ~crc;
@ -604,13 +636,45 @@ KERNEL_FQ void m17210_mxx (KERN_ATTR_RULES_ESALT (pkzip_t))
// global memory from here
for (u32 i = MAX_LOCAL * 4; i < data_length; i++)
for (u32 j = MAX_LOCAL, i = MAX_LOCAL * 4; i < data_length; j++, i += 4)
{
update_key3 (key2, key3);
plain = esalt_bufs[digests_offset].hash.data[i] ^ key3;
update_key012 (key0, key1, key2, plain, l_crc32tab);
next = esalt_bufs[digests_offset].hash.data[j];
crc = CRC32 (crc, plain, l_crc32tab);
if (data_length >= (i + 1))
{
update_key3 (key2, key3);
plain = unpack_v8a_from_v32_S (next) ^ key3;
update_key012 (key0, key1, key2, plain, l_crc32tab);
crc = CRC32 (crc, plain, l_crc32tab);
}
if (data_length >= (i + 2))
{
update_key3 (key2, key3);
plain = unpack_v8b_from_v32_S (next) ^ key3;
update_key012 (key0, key1, key2, plain, l_crc32tab);
crc = CRC32 (crc, plain, l_crc32tab);
}
if (data_length >= (i + 3))
{
update_key3 (key2, key3);
plain = unpack_v8c_from_v32_S (next) ^ key3;
update_key012 (key0, key1, key2, plain, l_crc32tab);
crc = CRC32 (crc, plain, l_crc32tab);
}
if (data_length >= (i + 4))
{
update_key3 (key2, key3);
plain = unpack_v8d_from_v32_S (next) ^ key3;
update_key012 (key0, key1, key2, plain, l_crc32tab);
crc = CRC32 (crc, plain, l_crc32tab);
}
}
const u32 r0 = ~crc;
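Review bot: The word read `next = esalt_bufs[digests_offset].hash.data[j]` is bounded only by `data_length`, and nothing in the hunk ties that length to the capacity of `hash.data`. `data_length` is set outside the hunk, so if it is taken from the parsed hash line, the host-side parser has to reject lengths above the buffer size; otherwise the last iterations read past the array in global memory. The first guard, `if (data_length >= (i + 1))`, repeats the loop condition `i < data_length` and is always true, so it can be dropped. A comment such as `// i: byte offset, j: u32 word index into hash.data (4 bytes per word)` above the loop would make the two counters clear. The same loop appears in the m17210_mxx hunk of this section and in both hunks of the KERN_ATTR_ESALT and KERN_ATTR_VECTOR_ESALT sections below, so a shared helper would keep the six copies from drifting; the enclosing kernels start and end outside the hunks.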

@ -409,13 +409,45 @@ KERNEL_FQ void m17210_sxx (KERN_ATTR_ESALT (pkzip_t))
// global memory from here
for (u32 i = MAX_LOCAL * 4; i < data_length; i++)
for (u32 j = MAX_LOCAL, i = MAX_LOCAL * 4; i < data_length; j++, i += 4)
{
update_key3 (key2, key3);
plain = esalt_bufs[digests_offset].hash.data[i] ^ key3;
update_key012 (key0, key1, key2, plain, l_crc32tab);
next = esalt_bufs[digests_offset].hash.data[j];
crc = CRC32 (crc, plain, l_crc32tab);
if (data_length >= (i + 1))
{
update_key3 (key2, key3);
plain = unpack_v8a_from_v32_S (next) ^ key3;
update_key012 (key0, key1, key2, plain, l_crc32tab);
crc = CRC32 (crc, plain, l_crc32tab);
}
if (data_length >= (i + 2))
{
update_key3 (key2, key3);
plain = unpack_v8b_from_v32_S (next) ^ key3;
update_key012 (key0, key1, key2, plain, l_crc32tab);
crc = CRC32 (crc, plain, l_crc32tab);
}
if (data_length >= (i + 3))
{
update_key3 (key2, key3);
plain = unpack_v8c_from_v32_S (next) ^ key3;
update_key012 (key0, key1, key2, plain, l_crc32tab);
crc = CRC32 (crc, plain, l_crc32tab);
}
if (data_length >= (i + 4))
{
update_key3 (key2, key3);
plain = unpack_v8d_from_v32_S (next) ^ key3;
update_key012 (key0, key1, key2, plain, l_crc32tab);
crc = CRC32 (crc, plain, l_crc32tab);
}
}
const u32 r0 = ~crc;
@ -606,13 +638,45 @@ KERNEL_FQ void m17210_mxx (KERN_ATTR_ESALT (pkzip_t))
// global memory from here
for (u32 i = MAX_LOCAL * 4; i < data_length; i++)
for (u32 j = MAX_LOCAL, i = MAX_LOCAL * 4; i < data_length; j++, i += 4)
{
update_key3 (key2, key3);
plain = esalt_bufs[digests_offset].hash.data[i] ^ key3;
update_key012 (key0, key1, key2, plain, l_crc32tab);
next = esalt_bufs[digests_offset].hash.data[j];
crc = CRC32 (crc, plain, l_crc32tab);
if (data_length >= (i + 1))
{
update_key3 (key2, key3);
plain = unpack_v8a_from_v32_S (next) ^ key3;
update_key012 (key0, key1, key2, plain, l_crc32tab);
crc = CRC32 (crc, plain, l_crc32tab);
}
if (data_length >= (i + 2))
{
update_key3 (key2, key3);
plain = unpack_v8b_from_v32_S (next) ^ key3;
update_key012 (key0, key1, key2, plain, l_crc32tab);
crc = CRC32 (crc, plain, l_crc32tab);
}
if (data_length >= (i + 3))
{
update_key3 (key2, key3);
plain = unpack_v8c_from_v32_S (next) ^ key3;
update_key012 (key0, key1, key2, plain, l_crc32tab);
crc = CRC32 (crc, plain, l_crc32tab);
}
if (data_length >= (i + 4))
{
update_key3 (key2, key3);
plain = unpack_v8d_from_v32_S (next) ^ key3;
update_key012 (key0, key1, key2, plain, l_crc32tab);
crc = CRC32 (crc, plain, l_crc32tab);
}
}
const u32 r0 = ~crc;

@ -421,13 +421,45 @@ KERNEL_FQ void m17210_sxx (KERN_ATTR_VECTOR_ESALT (pkzip_t))
// global memory from here
for (u32 i = MAX_LOCAL * 4; i < data_length; i++)
for (u32 j = MAX_LOCAL, i = MAX_LOCAL * 4; i < data_length; j++, i += 4)
{
update_key3 (key2, key3);
plain = esalt_bufs[digests_offset].hash.data[i] ^ key3;
update_key012 (key0, key1, key2, plain, l_crc32tab);
next = esalt_bufs[digests_offset].hash.data[j];
crc = CRC32 (crc, plain, l_crc32tab);
if (data_length >= (i + 1))
{
update_key3 (key2, key3);
plain = unpack_v8a_from_v32_S (next) ^ key3;
update_key012 (key0, key1, key2, plain, l_crc32tab);
crc = CRC32 (crc, plain, l_crc32tab);
}
if (data_length >= (i + 2))
{
update_key3 (key2, key3);
plain = unpack_v8b_from_v32_S (next) ^ key3;
update_key012 (key0, key1, key2, plain, l_crc32tab);
crc = CRC32 (crc, plain, l_crc32tab);
}
if (data_length >= (i + 3))
{
update_key3 (key2, key3);
plain = unpack_v8c_from_v32_S (next) ^ key3;
update_key012 (key0, key1, key2, plain, l_crc32tab);
crc = CRC32 (crc, plain, l_crc32tab);
}
if (data_length >= (i + 4))
{
update_key3 (key2, key3);
plain = unpack_v8d_from_v32_S (next) ^ key3;
update_key012 (key0, key1, key2, plain, l_crc32tab);
crc = CRC32 (crc, plain, l_crc32tab);
}
}
const u32 r0 = ~crc;
@ -630,13 +662,45 @@ KERNEL_FQ void m17210_mxx (KERN_ATTR_VECTOR_ESALT (pkzip_t))
// global memory from here
for (u32 i = MAX_LOCAL * 4; i < data_length; i++)
for (u32 j = MAX_LOCAL, i = MAX_LOCAL * 4; i < data_length; j++, i += 4)
{
update_key3 (key2, key3);
plain = esalt_bufs[digests_offset].hash.data[i] ^ key3;
update_key012 (key0, key1, key2, plain, l_crc32tab);
next = esalt_bufs[digests_offset].hash.data[j];
crc = CRC32 (crc, plain, l_crc32tab);
if (data_length >= (i + 1))
{
update_key3 (key2, key3);
plain = unpack_v8a_from_v32_S (next) ^ key3;
update_key012 (key0, key1, key2, plain, l_crc32tab);
crc = CRC32 (crc, plain, l_crc32tab);
}
if (data_length >= (i + 2))
{
update_key3 (key2, key3);
plain = unpack_v8b_from_v32_S (next) ^ key3;
update_key012 (key0, key1, key2, plain, l_crc32tab);
crc = CRC32 (crc, plain, l_crc32tab);
}
if (data_length >= (i + 3))
{
update_key3 (key2, key3);
plain = unpack_v8c_from_v32_S (next) ^ key3;
update_key012 (key0, key1, key2, plain, l_crc32tab);
crc = CRC32 (crc, plain, l_crc32tab);
}
if (data_length >= (i + 4))
{
update_key3 (key2, key3);
plain = unpack_v8d_from_v32_S (next) ^ key3;
update_key012 (key0, key1, key2, plain, l_crc32tab);
crc = CRC32 (crc, plain, l_crc32tab);
}
}
const u32 r0 = ~crc;
