Hi,
I have a question (maybe bug report) about the openssl library that
comes with the current ubuntu
(Version 0.9.8g-10.1ubuntu2):
I tried to decrypt the encrypted objects in PDF documents. These are
encrypted using RC4 and,
as far as I can see at the moment, key of key length 16 byte derived
from a master file key of 5 byte length.
After calculation of that master file key and before decryption of these
encrypted objects a test is performed to verify whether the 5 byte file
master key is correct (e.g. if the given password was correct), which
looks in the C source of a PDF interpreter like
if (encRevision == 2) {
rc4InitKey(fileKey, keyLength, fState);
fx = fy = 0;
for (i = 0; i < 32; ++i) {
test[i] = rc4DecryptByte(fState, &fx, &fy, userKey->getChar(i));
}
ok = memcmp(test, passwordPad, 32) == 0;
}
where keyLength = 5 at this time. So the rc4 code this library uses
seems to be able to use 5 byte keys, which is plausible since RC4 is of
variable key length.
But with openssl I get an error message from the Ruby-openssl-lib when
trying to set a 5 byte key, because EVP_CIPHER_CTX_key_length(ctx)
returns a value of 16 (which means 16 bytes I assume). The
Ruby-openssl glue code compares with EVP_CIPHER_CTX_key_length(ctx) and
throws an exception if the key is too short.
Ruby example code:
require 'openssl'
c=OpenSSL::Cipher::Cipher.new("rc4")
c.encrypt
c.key="abcde"
Why does openssl's RC4 implemention require that key length? Is that a
restriction of SSL? Is that implementation meant to be a general cipher
library or is it just to fulfill the needs of SSL?
regards (and happy new year)
Hadmut
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]
