I've searched the archives, don't find a mention of this, and the Jan 15 snapshot has 
the same apparent bug.   I'm not absolutely sure, and even if I'm right it's a 
one-line fix so I'm hoping one of the active members would be willing to patch it.


[[By the way, the webpage form to submit to MajorDomo seems broken: though it reports 
success, no email ever arrives; when I sent the subscription request manually it 
worked immediately.]]


The problem is that EVP_DecryptInit() calls EVP_CipherInit_ex() rather than 
EVP_CipherInit().

The reasons I believe this is a problem:

(1) Parallelism: EVP_EncryptInit() calls EVP_CipherInit(), not the _ex() form.

(2) In v0.9.6, both EVP_DecryptInit() and EVP_EncryptInit() called EVP_CipherInit(). 
[there was no _ex()].  In v0.9.7, there is no comment to indicate why these two now 
differ, so it may be a typo.

(3) The PTPTL v0.2 code I'm building (Peer-to-peer Trusted Library from Intel, don't 
ask me why) was built to SSL v0.9.6, and it calls EVP_DecryptInit() immediately after 
declaring the EVP_CIPHER_CTX variable -- this worked fine with v0.9.6, because in that 
version, EVP_DecryptInit() calls EVP_CipherInit() which, in both 0.9.6 and 0.9.7, 
initializes the ctx (given that the cipher param is non-null).

[This code crashes because of the lack of initialization of the ctx: at the testing of 
ctx->cipher->nid on line 99 of evp_enc.c -- ctx->cipher being initialized to 
0xcccccccc in the debugging version.]

(4) It could be the case that users are now required to call EVP_CIPHER_CTX_init() 
manually for the decryption phase (only), but the lack of symmetry here strikes me as 
very unlikely.


So, assuming I've got this right, my one line fix would be to change line 239 of 
crypto\evp\evp_enc.c (in EVP_DecryptInit())

from:

        return EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, 0);

to:
        return EVP_CipherInit(ctx, cipher, key, iv, 0);


Needless to say, if I've misunderstood anything here, I'd appreciate a brief note to 
that effect.

Thanks very much!

Oh, not that it matters but: MSVC6 on Windows 2000.  Also using on RedHat Linux, but 
not this function.

// Larry West
// Entropia, Inc.
// 858-623-5362
// mailto:[EMAIL PROTECTED]
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
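
The failure mode described in the message above, as an added example that is not part of the original post and is not OpenSSL code: a simplified C model of the three caller patterns (the `_ex` path on an uninitialised ctx, the non-`_ex` path, and a manual init followed by `_ex`). All `model_*` names and `MODEL_CIPHER` are hypothetical stand-ins, and the 0xCC fill imitates the debug-build stack pattern the post mentions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for EVP_CIPHER / EVP_CIPHER_CTX (a model, not OpenSSL). */
typedef struct { int nid; } model_cipher;
typedef struct { const model_cipher *cipher; int encrypt; } model_ctx;
static const model_cipher MODEL_CIPHER = { 42 };  /* constructed sample cipher */

/* Imitate the debug-build fill (0xCC) of a freshly declared stack variable. */
void model_poison(model_ctx *ctx) { memset(ctx, 0xCC, sizeof *ctx); }

/* Counterpart of EVP_CIPHER_CTX_init(): put the ctx into a known-empty state. */
void model_ctx_init(model_ctx *ctx) { memset(ctx, 0, sizeof *ctx); }

/* Counterpart of EVP_CipherInit_ex(): trusts that the ctx was initialised.
 * Returns 1 on success, -1 where real code would read ctx->cipher->nid
 * through a garbage pointer (the crash described in the post). */
int model_cipher_init_ex(model_ctx *ctx, const model_cipher *cipher, int enc)
{
    uintptr_t raw = 0;
    memcpy(&raw, &ctx->cipher, sizeof ctx->cipher);  /* inspect, never dereference */
    if (raw != 0 && raw != (uintptr_t)&MODEL_CIPHER)
        return -1;
    ctx->cipher = cipher;
    ctx->encrypt = enc;
    return 1;
}

/* Counterpart of EVP_CipherInit(): initialises the ctx when a cipher is given. */
int model_cipher_init(model_ctx *ctx, const model_cipher *cipher, int enc)
{
    if (cipher) model_ctx_init(ctx);
    return model_cipher_init_ex(ctx, cipher, enc);
}

/* The three caller patterns, each starting from a poisoned stack ctx. */
int decrypt_ex_without_init(void)
{ model_ctx c; model_poison(&c); return model_cipher_init_ex(&c, &MODEL_CIPHER, 0); }
int decrypt_via_init(void)
{ model_ctx c; model_poison(&c); return model_cipher_init(&c, &MODEL_CIPHER, 0); }
int decrypt_ex_after_manual_init(void)
{ model_ctx c; model_poison(&c); model_ctx_init(&c); return model_cipher_init_ex(&c, &MODEL_CIPHER, 0); }

int main(void)
{
    printf("_ex on uninitialised ctx: %d\n", decrypt_ex_without_init());
    printf("non-_ex init:             %d\n", decrypt_via_init());
    printf("manual init, then _ex:    %d\n", decrypt_ex_after_manual_init());
    return 0;
}
```
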
