Re: [openssl.org #3195] [bug] aes-cbc encryption on x86 is not working

2013-12-11 Thread Johannes Bauer
On 11.12.2013 17:14, Yanchuan Nian via RT wrote:
> hi guys,
> There is a bug in the implementation of AES_cbc_encrypt() on x86 architecture.
> If the length of plaintext is not multiple of 16 bytes (must greater than 16),
> the decoded message is different from the original. I tested it with a testcase
> in the bottom of this letter, and the result is as follows:
>
> in = abcdefghijklmnopqrstuvwxyz
> in [hex] = 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 77 78 79 7a 00 00 00 00 00 00
> result = abcdefghijklmnop���o��ʡ
> result [hex] = 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 e1 d5 d3 6f 03 e5 3e dc ca a1 00 00 00 00 00 00
>
> The data in the last block is wrong. I also tested it in a x86_64 machine,
> and the result is OK. My test is based on the master branch of openssl.

Cannot confirm. x86_64, gcc 4.6.3, tested with 1.0.1e and with latest
git (e3bc1f495522aac84dc7ebdd7da2dc503110394b). Both show

in = abcdefghijklmnopqrstuvwxyz
in [hex] = 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74
75 76 77 78 79 7a 00 00 00 00 00 00
result = abcdefghijklmnopqrstuvwxyz
result [hex] = 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73
74 75 76 77 78 79 7a 00 00 00 00 00 00

Valgrind also reports nothing.

I'm not sure, but is calling AES_cbc_encrypt() with a blocksize not a
multiple of 16 even allowed by the API? Wouldn't be surprised if that
were undefined behavior.

Best regards,
Johannes
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org


Re: [openssl.org #3195] [bug] aes-cbc encryption on x86 is not working

2013-12-11 Thread Matt Caswell
On 11 December 2013 16:14, Yanchuan Nian via RT r...@openssl.org wrote:
> hi guys,
> There is a bug in the implementation of AES_cbc_encrypt() on x86 architecture.
> If the length of plaintext is not multiple of 16 bytes (must greater than 16),
> the decoded message is different from the original.

If you are going to use the low level AES routines rather than the
high level EVP interface then you must also handle all padding issues
yourself. It is undefined behaviour to call AES_cbc_encrypt when the
input is not a multiple of the block size.

This has been previously discussed here:
https://rt.openssl.org/Ticket/Display.html?id=3182&user=guest&pass=guest

Unless there's a really good reason to use the low level routines I
would suggest EVP is what you should be using.

Matt
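
What "handle all padding issues yourself" means for the 26-byte input in this thread, as an added example that is not code from the thread or from OpenSSL: PKCS#7 padding, the scheme the EVP interface applies by default for CBC, brings the buffer to 32 bytes before it is handed to a low-level routine such as AES_cbc_encrypt(). The helper names pkcs7_padded_len, pkcs7_pad and pkcs7_unpad are hypothetical.

```c
#include <stddef.h>
#include <string.h>

#define AES_BLOCK 16  /* AES block size in bytes */

/* Hypothetical helper: size of `len` bytes once PKCS#7-padded.
 * Input that is already a multiple of 16 still gains one full block. */
size_t pkcs7_padded_len(size_t len)
{
    return (len / AES_BLOCK + 1) * AES_BLOCK;
}

/* Hypothetical helper: copy in[0..len) to out and append PKCS#7 padding.
 * Returns the padded length, or 0 if out is too small. */
size_t pkcs7_pad(const unsigned char *in, size_t len,
                 unsigned char *out, size_t out_cap)
{
    size_t total = pkcs7_padded_len(len);
    unsigned char pad = (unsigned char)(total - len);   /* 1..16 */

    if (out_cap < total)
        return 0;
    memcpy(out, in, len);
    memset(out + len, pad, pad);   /* each pad byte holds the pad count */
    return total;
}

/* Hypothetical helper: validate the padding of a decrypted buffer.
 * Returns 0 and sets *plain_len on success, -1 if the padding is malformed. */
int pkcs7_unpad(const unsigned char *buf, size_t len, size_t *plain_len)
{
    unsigned char pad;
    size_t i;

    if (len == 0 || len % AES_BLOCK != 0)
        return -1;                 /* not a whole number of blocks */
    pad = buf[len - 1];
    if (pad == 0 || pad > AES_BLOCK)
        return -1;
    for (i = 0; i < pad; i++)
        if (buf[len - 1 - i] != pad)
            return -1;
    *plain_len = len - pad;
    return 0;
}
```
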