The main loop from AES_ctr128_encrypt seems superficially incorrect. If
any non-zero initial value is provided for "*num", the first 16-*num
bytes are not necessarily encrypted.

Also, the value for *counter is never used as provided, but is always
incremented before use.

For your reference, the current implementation is:

        while (l--) {
                if (n == 0) {
                        AES_ctr128_inc(counter);
                        AES_encrypt(counter, tmp, key);
                }
                *(out++) = *(in++) ^ tmp[n];
                n = (n+1) % AES_BLOCK_SIZE;
        }

A more reasonable implementation might be:

        AES_encrypt(counter, tmp, key);

        while (l--) {
                *(out++) = *(in++) ^ tmp[n];
                n = (n+1) % AES_BLOCK_SIZE;
                if (n == 0 && l) {
                        AES_ctr128_inc(counter);
                        AES_encrypt(counter, tmp, key);
                }
        }

I have tested this change myself, and it seems to be superficially
correct.

Please let me know if I can provide more information.

Yours,
-- 
Nick Mathewson
<[EMAIL PROTECTED]>
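
The two behaviours reported above can be reproduced without OpenSSL. This is an added example, not code from the message or from the OpenSSL project: `toy_encrypt` and `ctr_inc` are hypothetical stand-ins for `AES_encrypt` and `AES_ctr128_inc`, and `tmp` is passed in zeroed as an assumption, to model a keystream buffer that was never filled before entry.

```c
#include <stdio.h>
#include <string.h>
#define BLK 16  /* stands in for AES_BLOCK_SIZE */

/* Stand-in for AES_encrypt: a keyed byte mix, NOT a cipher (constructed). */
static void toy_encrypt(const unsigned char *in, unsigned char *out, unsigned char key) {
    for (int i = 0; i < BLK; i++)
        out[i] = (unsigned char)((in[i] ^ key) * 167u + i + 1);
}

/* Stand-in for AES_ctr128_inc: big-endian increment (assumption). */
static void ctr_inc(unsigned char *c) {
    for (int i = BLK - 1; i >= 0 && ++c[i] == 0; i--) { }
}

/* The loop quoted in the message; tmp and n are parameters so their entry values are explicit. */
static unsigned old_loop(const unsigned char *in, unsigned char *out, size_t l, unsigned char key,
                         unsigned char *counter, unsigned char *tmp, unsigned n) {
    while (l--) {
        if (n == 0) { ctr_inc(counter); toy_encrypt(counter, tmp, key); }
        *(out++) = *(in++) ^ tmp[n];
        n = (n + 1) % BLK;
    }
    return n;
}

/* Enter with n != 0 and an all-zero tmp: count leading output bytes identical to the input. */
static int leading_plain_bytes(unsigned n) {
    unsigned char ctr[BLK] = {0}, tmp[BLK] = {0}, in[32], out[32];
    int k = 0;
    memset(in, 'A', sizeof in);               /* constructed plaintext */
    old_loop(in, out, sizeof in, 0x5a, ctr, tmp, n);
    while (k < 32 && out[k] == in[k]) k++;
    return k;
}

/* With n == 0, is the first keystream block E(counter) for the counter as supplied? */
static int first_block_uses_given_counter(void) {
    unsigned char iv[BLK] = {0}, ctr[BLK] = {0}, tmp[BLK], zero[BLK] = {0}, ks[BLK], expect[BLK];
    old_loop(zero, ks, BLK, 0x5a, ctr, tmp, 0);   /* zero plaintext: output is the keystream */
    toy_encrypt(iv, expect, 0x5a);
    return memcmp(ks, expect, BLK) == 0;
}

int main(void) {
    printf("n=5: %d leading bytes unchanged\n", leading_plain_bytes(5));
    printf("first block uses given counter: %d\n", first_block_uses_given_counter());
    return 0;
}
```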
