In message <[EMAIL PROTECTED]> on Tue, 10 Jun 2003 01:56:28 +0200, "Y.W. Law" <[EMAIL PROTECTED]> said:

ywlaw> First, in file crypto/aes/aes_cbc.c, line 94--98:
ywlaw>      memcpy(tmp, in, sizeof tmp);
ywlaw>      AES_decrypt(in, out, key);
ywlaw>      for(n=0; n < AES_BLOCK_SIZE; ++n)
ywlaw>          out[n] ^= ivec[n];
ywlaw>      memcpy(ivec, tmp, AES_BLOCK_SIZE);
ywlaw> 
ywlaw> is equivalent to the shorter form (that saves several CPU cycles) below:
ywlaw>      AES_decrypt(in, out, key);
ywlaw>      for(n=0; n < AES_BLOCK_SIZE; ++n)
ywlaw>          out[n] ^= ivec[n];
ywlaw>      memcpy(ivec, in, AES_BLOCK_SIZE);
ywlaw> 
ywlaw> So, if the experts can verify this, i wonder if i should submit a patch?

Unfortunately, your change will break support for in == out.

ywlaw> Second, i don't think AES_cbc_encrypt currently handles partial blocks
ywlaw> correctly. The reason is line 88-89:
ywlaw> 
ywlaw>      AES_encrypt(tmp, tmp, key);
ywlaw>      memcpy(out, tmp, len);
ywlaw> 
ywlaw> truncates the ciphertext, but the decryption part tries to decrypt the
ywlaw> whole block (line 104-105):
ywlaw> 
ywlaw>      memcpy(tmp, in, sizeof tmp);
ywlaw>      AES_decrypt(tmp, tmp, key);
ywlaw> 
ywlaw> It is easy to verify this by writing a simple encrypt/decrypt program
ywlaw> (which I have written) -- multiple blocks work; partial don't.

That's because line 89 is incorrect.  The last argument should be
sizeof tmp, not len.  The output from encryption should always be an
exact multiple of the block size.

I've committed such a change.  Thank you.

ywlaw> As far as i can tell, it is also not implementing a technique
ywlaw> called ciphertext stealing. So, if the experts can verify this,
ywlaw> i wonder if i should submit a patch?

Someone else will have to say something about this.

-- 
Richard Levitte   \ Tunnlandsvägen 3  \ [EMAIL PROTECTED]
[EMAIL PROTECTED]  \ S-168 36  BROMMA  \ T: +46-8-26 52 47
                    \      SWEDEN       \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis                -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
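Added example (editor's illustration, not code from the thread or from OpenSSL) covering both points above: why the shortened decrypt loop fails when in == out, and why the encrypt side must write a whole block (sizeof tmp, not len) for a trailing partial block. AES_encrypt/AES_decrypt are replaced by a toy keyed-XOR-plus-rotate stand-in so the file builds without libcrypto; the zero-padding of the partial block and the function names are assumptions modelled on the fragments quoted from aes_cbc.c.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BLK 16 /* stands in for AES_BLOCK_SIZE */

/* Toy stand-in for AES_encrypt/AES_decrypt (assumption, NOT a cipher): keyed
 * XOR plus a one-byte rotation. It has the two properties the CBC wrapper
 * relies on: block-sized and invertible, and safe for in == out because it
 * works through a local copy. */
static const unsigned char KEY[BLK] = {
    0x74,0x6f,0x79,0x2d,0x6b,0x65,0x79,0x2d,0x6e,0x6f,0x74,0x2d,0x41,0x45,0x53,0x21 };

static void toy_encrypt(const unsigned char *in, unsigned char *out)
{
    unsigned char t[BLK];
    for (int i = 0; i < BLK; i++) t[(i + 1) % BLK] = in[i] ^ KEY[i];
    memcpy(out, t, BLK);
}

static void toy_decrypt(const unsigned char *in, unsigned char *out)
{
    unsigned char t[BLK];
    for (int i = 0; i < BLK; i++) t[i] = in[(i + 1) % BLK] ^ KEY[i];
    memcpy(out, t, BLK);
}

/* One CBC decrypt block in the shape quoted from aes_cbc.c lines 94-98: the
 * ciphertext is saved in tmp BEFORE the decrypt, so the chaining value is
 * still correct when in == out. */
static void cbc_dec_block_safe(const unsigned char *in, unsigned char *out,
                               unsigned char *ivec)
{
    unsigned char tmp[BLK];
    memcpy(tmp, in, sizeof tmp);
    toy_decrypt(in, out);
    for (int n = 0; n < BLK; ++n) out[n] ^= ivec[n];
    memcpy(ivec, tmp, BLK);
}

/* The proposed shorter form: reads in[] AFTER out[] has been written. Fine
 * for distinct buffers; with in == out it copies plaintext into ivec. */
static void cbc_dec_block_short(const unsigned char *in, unsigned char *out,
                                unsigned char *ivec)
{
    toy_decrypt(in, out);
    for (int n = 0; n < BLK; ++n) out[n] ^= ivec[n];
    memcpy(ivec, in, BLK);
}

/* CBC encryption modelled on the quoted encrypt path: full blocks chain
 * normally; a trailing partial block is zero-padded (tmp's tail is 0 ^ ivec),
 * encrypted, and written in FULL. Writing only len bytes (the bug discussed
 * above) would hand the decryptor a truncated block. Returns the ciphertext
 * length, always a multiple of BLK; out must have room for it. */
size_t cbc_encrypt(const unsigned char *in, unsigned char *out, size_t len,
                   unsigned char *ivec)
{
    unsigned char tmp[BLK];
    size_t n, written = 0;
    while (len >= BLK) {
        for (n = 0; n < BLK; ++n) tmp[n] = in[n] ^ ivec[n];
        toy_encrypt(tmp, out);
        memcpy(ivec, out, BLK);
        len -= BLK; in += BLK; out += BLK; written += BLK;
    }
    if (len) {
        for (n = 0; n < len; ++n) tmp[n] = in[n] ^ ivec[n];
        for (n = len; n < BLK; ++n) tmp[n] = ivec[n];
        toy_encrypt(tmp, tmp);
        memcpy(out, tmp, sizeof tmp); /* the fix: sizeof tmp, not len */
        memcpy(ivec, tmp, BLK);
        written += BLK;
    }
    return written;
}

/* Encrypt len bytes, decrypt the whole block-multiple ciphertext, and check
 * the first len plaintext bytes survive. Returns 1 on success. */
int cbc_roundtrip_ok(size_t len)
{
    unsigned char pt[64], ct[64], dec[64], iv0[BLK], iv[BLK];
    if (len > sizeof pt) return 0;
    for (size_t i = 0; i < len; i++) pt[i] = (unsigned char)(i * 7 + 3); /* constructed */
    for (int i = 0; i < BLK; i++) iv0[i] = (unsigned char)(0xA5 ^ i);    /* constructed IV */
    memcpy(iv, iv0, BLK);
    size_t clen = cbc_encrypt(pt, ct, len, iv);
    if (clen % BLK != 0 || clen < len) return 0;
    memcpy(iv, iv0, BLK);
    for (size_t off = 0; off < clen; off += BLK)
        cbc_dec_block_safe(ct + off, dec + off, iv);
    return memcmp(pt, dec, len) == 0;
}

/* Returns 1 if decrypting two blocks in place with the short form diverges
 * from the safe form (which is verified against the plaintext first). */
int short_form_breaks_inplace(void)
{
    unsigned char pt[2 * BLK], ct[2 * BLK], ref[2 * BLK], buf[2 * BLK], iv0[BLK], iv[BLK];
    for (int i = 0; i < 2 * BLK; i++) pt[i] = (unsigned char)i;       /* constructed */
    for (int i = 0; i < BLK; i++) iv0[i] = (unsigned char)(0xA5 ^ i);  /* constructed IV */
    memcpy(iv, iv0, BLK);
    cbc_encrypt(pt, ct, sizeof pt, iv);
    memcpy(iv, iv0, BLK);                  /* safe form, distinct buffers */
    cbc_dec_block_safe(ct, ref, iv);
    cbc_dec_block_safe(ct + BLK, ref + BLK, iv);
    memcpy(buf, ct, sizeof buf);           /* short form, in == out */
    memcpy(iv, iv0, BLK);
    cbc_dec_block_short(buf, buf, iv);
    cbc_dec_block_short(buf + BLK, buf + BLK, iv);
    return memcmp(ref, pt, sizeof pt) == 0 && memcmp(buf, pt, sizeof pt) != 0;
}

int main(void)
{
    printf("partial-block roundtrip ok: %d\n", cbc_roundtrip_ok(20));
    printf("short form breaks in-place decrypt: %d\n", short_form_breaks_inplace());
    return 0;
}
```

The first block of the in-place run decrypts correctly with either form; the divergence appears at the second block, because the short form has already overwritten the ciphertext it needs for chaining. The round trip of 20 bytes only works because cbc_encrypt emits 32 bytes, which is what the sizeof tmp fix guarantees.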