The following patch makes sure that string2key does not use weak DES keys; a weak key is made non-weak by XORing it with 0xF0.
/assar
Index: str2key.c
===================================================================
RCS file: /scratch/openssl-box/repo/openssl/crypto/des/str2key.c,v
retrieving revision 1.11
diff -u -w -u -w -r1.11 str2key.c
--- str2key.c 2001/10/24 21:20:28 1.11
+++ str2key.c 2002/02/04 21:54:31
@@ -86,7 +86,9 @@
 }
 #endif
 DES_set_odd_parity(key);
- DES_set_key_unchecked(key,&ks);
+ if(DES_is_weak_key(key))
+ (*key)[7] ^= 0xF0;
+ DES_set_key(key,&ks);
 DES_cbc_cksum((const unsigned char*)str,key,length,&ks,key);
 memset(&ks,0,sizeof(ks));
 DES_set_odd_parity(key);
@@ -145,9 +147,13 @@
 #endif
 DES_set_odd_parity(key1);
 DES_set_odd_parity(key2);
- DES_set_key_unchecked(key1,&ks);
+ if(DES_is_weak_key(key1))
+ (*key1)[7] ^= 0xF0;
+ DES_set_key(key1,&ks);
 DES_cbc_cksum((const unsigned char*)str,key1,length,&ks,key1);
- DES_set_key_unchecked(key2,&ks);
+ if(DES_is_weak_key(key2))
+ (*key2)[7] ^= 0xF0;
+ DES_set_key(key2,&ks);
 DES_cbc_cksum((const unsigned char*)str,key2,length,&ks,key2);
 memset(&ks,0,sizeof(ks));
 DES_set_odd_parity(key1);
______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
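Review bot: The weak-key correction covers only the intermediate key that feeds the schedule; the key handed back to the caller, which `DES_cbc_cksum` writes into `key`, gets just `DES_set_odd_parity(key);` in the visible lines and is not screened for weakness. Unless code after the hunk handles that, the stated goal is met only for the checksum step; consider repeating `if(DES_is_weak_key(key)) (*key)[7] ^= 0xF0;` after the final parity fix. The same shape holds for `key1` and `key2` in the second hunk. Correcting the intermediate key also changes the derived output for the affected inputs, so keys derived by older builds will no longer match, which the commit message should state. The function body starts and ends outside the hunk.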
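Review bot: The results of `DES_set_key(key1,&ks);` and `DES_set_key(key2,&ks);` are discarded, as is the call on `key` in the first hunk, so if the checked variant ever rejects a key (its behaviour is not visible here), `DES_cbc_cksum` would run with whatever `ks` held before. Parity and weakness are already handled explicitly on the preceding lines, so either keep `DES_set_key_unchecked(key1,&ks);` to make the result independent of the library's key-checking setting, or test the return value and stop on failure. A short comment on the `^= 0xF0` lines, such as `/* weak key: flip the high nibble of the last byte; odd parity is preserved */`, would explain the constant. The enclosing function starts and ends outside the hunk.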