From owner-freebsd-bugs@FreeBSD.ORG Sun Mar 8 11:30:16 2009
Date: Sun, 8 Mar 2009 11:30:15 GMT
Message-Id: <200903081130.n28BUF1F085687@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Patrick Lamaizière
Subject: Re: kern/132351: rijndael CBC mode encryption incorrect
List-Id: Bug reports

The following reply was made to PR kern/132351; it has been noted by GNATS.

From: Patrick Lamaizière
To: bug-followup@FreeBSD.org
Cc: Rajesh Patel
Subject: Re: kern/132351: rijndael CBC mode encryption incorrect
Date: Sun, 8 Mar 2009 12:23:01 +0100

On Fri, 6 Mar 2009 02:16:42 GMT, Rajesh Patel wrote:

> >Environment:
> Windows XP professional - 32 bit

?

> >Description:
> The function has a bug in CBC mode encryption
> int rijndael_blockEncrypt(cipherInstance *cipher, keyInstance *key,
>     BYTE *input, int inputLen, BYTE *outBuffer) {
>
> Original code
>
>     for (i = numBlocks - 1; i > 0; i--) {
> #if 1 /*STRICT_ALIGN*/
>         AF_BCOPY(outBuffer, block, 16);
> ========>
>         ((word32*)block)[0] ^= ((word32*)iv)[0];
>         ((word32*)block)[1] ^= ((word32*)iv)[1];
>         ((word32*)block)[2] ^= ((word32*)iv)[2];
>         ((word32*)block)[3] ^= ((word32*)iv)[3];
> #else
>         ((word32*)block)[0] = ((word32*)outBuffer)[0] ^ ((word32*)input)[0];
>         ((word32*)block)[1] = ((word32*)outBuffer)[1] ^ ((word32*)input)[1];
>         ((word32*)block)[2] = ((word32*)outBuffer)[2] ^ ((word32*)input)[2];
>         ((word32*)block)[3] = ((word32*)outBuffer)[3] ^ ((word32*)input)[3];
> #endif
>         outBuffer += 16;
>         rijndaelEncrypt(block, outBuffer, key->keySched, key->ROUNDS);
>         input += 16;
>     }
>
> This keeps using the same iv. As a result, the initial block is
> encrypted multiple times. input should be copied over iv inside the
> for loop.

You are right, but this code is not part of the FreeBSD operating system.

> >Fix:
>
> Code with Fix
>
>     for (i = numBlocks - 1; i > 0; i--) {
> #if 1 /*STRICT_ALIGN*/
>         AF_BCOPY(outBuffer, block, 16);
>         /*needs this =======>*/ AF_BCOPY(input, iv, 16); /* Added by Rajesh */

The implementation of rijndael_blockEncrypt() [sys/crypto/rijndael/rijndael-api-fst.c]
in FreeBSD already contains this:

    for (i = numBlocks - 1; i > 0; i--) {
#if 1 /*STRICT_ALIGN*/
        memcpy(block, outBuffer, 16);
        memcpy(iv, input, 16);
        ----------

I think we should close this PR. Why: not the right operating system!

Thanks.
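Added example, not part of the PR, of Rajesh's code, or of FreeBSD's rijndael-api-fst.c: it reproduces the chaining loop quoted above both without and with the copy of the input block into `iv`, so the effect of the missing line can be checked directly. The block cipher is a deliberately trivial stand-in (`toy_block_encrypt`, an XOR with the key followed by a byte rotation), not Rijndael, because only the CBC chaining around it matters here; the key, IV and the two three-block messages are constructed test vectors. `cbc_encrypt` assumes at least one input block.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLK  16   /* block size in bytes, as in the quoted code */
#define NBLK 3    /* blocks per constructed test message */

/* Toy invertible 16-byte block function standing in for rijndaelEncrypt():
 * XOR with the key, then rotate the bytes left by one. No cryptographic value. */
static void toy_block_encrypt(const uint8_t in[BLK], uint8_t out[BLK],
                              const uint8_t key[BLK])
{
    for (int j = 0; j < BLK; j++)
        out[j] = in[(j + 1) % BLK] ^ key[(j + 1) % BLK];
}

/* Exact inverse of toy_block_encrypt(). */
static void toy_block_decrypt(const uint8_t in[BLK], uint8_t out[BLK],
                              const uint8_t key[BLK])
{
    for (int j = 0; j < BLK; j++)
        out[j] = in[(j + BLK - 1) % BLK] ^ key[j];
}

/* CBC encryption with the loop structure quoted in the PR.
 * refresh_iv == 0: "iv" is never reloaded inside the loop (the reported bug),
 *   so every block after the first is E(C_{i-1} XOR IV) and P_i is never read.
 * refresh_iv == 1: the loop first copies P_i into "iv" (the memcpy(iv, input, 16)
 *   that the FreeBSD source already has), giving C_i = E(C_{i-1} XOR P_i). */
static void cbc_encrypt(const uint8_t *input, size_t num_blocks,
                        const uint8_t iv_in[BLK], const uint8_t key[BLK],
                        uint8_t *out, int refresh_iv)
{
    uint8_t block[BLK], iv[BLK];

    memcpy(block, input, BLK);          /* first block: P_0 XOR IV */
    memcpy(iv, iv_in, BLK);
    for (int j = 0; j < BLK; j++)
        block[j] ^= iv[j];
    toy_block_encrypt(block, out, key);
    input += BLK;

    for (size_t i = num_blocks - 1; i > 0; i--) {
        memcpy(block, out, BLK);        /* previous ciphertext block C_{i-1} */
        if (refresh_iv)
            memcpy(iv, input, BLK);     /* the missing copy: iv := P_i */
        for (int j = 0; j < BLK; j++)
            block[j] ^= iv[j];
        out += BLK;
        toy_block_encrypt(block, out, key);
        input += BLK;
    }
}

/* Standard CBC decryption: P_i = D(C_i) XOR C_{i-1}, with C_{-1} = IV. */
static void cbc_decrypt(const uint8_t *ct, size_t num_blocks,
                        const uint8_t iv[BLK], const uint8_t key[BLK],
                        uint8_t *out)
{
    const uint8_t *prev = iv;
    for (size_t i = 0; i < num_blocks; i++) {
        toy_block_decrypt(ct + i * BLK, out + i * BLK, key);
        for (int j = 0; j < BLK; j++)
            out[i * BLK + j] ^= prev[j];
        prev = ct + i * BLK;
    }
}

/* Constructed vectors: messages a and b share block 0 and differ afterwards. */
static void make_vectors(uint8_t key[BLK], uint8_t iv[BLK],
                         uint8_t a[NBLK * BLK], uint8_t b[NBLK * BLK])
{
    for (int j = 0; j < BLK; j++) {
        key[j] = (uint8_t)(0x10 + j);
        iv[j]  = (uint8_t)(0xA0 ^ j);
    }
    memset(a, 'A', NBLK * BLK);
    memcpy(b, a, NBLK * BLK);
    memset(b + BLK, 'B', (NBLK - 1) * BLK);
}

/* Returns 1 if the unpatched loop yields identical ciphertext for a and b,
 * i.e. everything after the first plaintext block is silently ignored. */
int buggy_loop_ignores_plaintext(void)
{
    uint8_t key[BLK], iv[BLK], a[NBLK * BLK], b[NBLK * BLK];
    uint8_t ca[NBLK * BLK], cb[NBLK * BLK];
    make_vectors(key, iv, a, b);
    cbc_encrypt(a, NBLK, iv, key, ca, 0);
    cbc_encrypt(b, NBLK, iv, key, cb, 0);
    return memcmp(ca, cb, NBLK * BLK) == 0;
}

/* Returns 1 if the corrected loop keeps block 0 equal (same P_0, same IV),
 * diverges from block 1 on, and decrypts back to the original plaintext. */
int fixed_loop_chains_and_roundtrips(void)
{
    uint8_t key[BLK], iv[BLK], a[NBLK * BLK], b[NBLK * BLK];
    uint8_t ca[NBLK * BLK], cb[NBLK * BLK], pb[NBLK * BLK];
    make_vectors(key, iv, a, b);
    cbc_encrypt(a, NBLK, iv, key, ca, 1);
    cbc_encrypt(b, NBLK, iv, key, cb, 1);
    if (memcmp(ca, cb, BLK) != 0 || memcmp(ca, cb, NBLK * BLK) == 0)
        return 0;
    cbc_decrypt(cb, NBLK, iv, key, pb);
    return memcmp(pb, b, NBLK * BLK) == 0;
}

int main(void)
{
    printf("buggy loop ignores later plaintext: %d\n", buggy_loop_ignores_plaintext());
    printf("fixed loop chains and round-trips:  %d\n", fixed_loop_chains_and_roundtrips());
    return 0;
}
```

The first check is the practical symptom of the bug: two messages that differ from the second block onward produce byte-identical ciphertext, because the loop XORs each previous ciphertext block with the original IV instead of with the next plaintext block. The second check is what a regression test for the FreeBSD version of the loop would assert: identical first blocks, divergence afterwards, and a clean decrypt.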