From:
Operating system: linux/windows
PHP version: 5.3.8
Package: mcrypt related
Bug Type: Bug
Bug description: rijndael iv problem

Description:
------------
Cryptography basics: IV is always the same as the block size, which is 16 bytes (128 bits) in case of AES (Rijndael).

However, when you use RIJNDAEL_192 or RIJNDAEL_256 with an IV of 16 bytes in CBC mode, you got a warning "mcrypt_generic_init() [function.mcrypt-generic-init]: Iv size incorrect; supplied length: 16, needed: 32". This is bullshit.

This way if you try to decrypt data encrypted by a 32 byte (256 bit) key with 16 byte (128 bit) IV with RIJNDAEL_256 in CBC mode, the decrypted data is WRONG. Even worse, if you modify the constant to RIJNDAEL_128, it decrypts the ciphertext correctly. This is a major failure.

Tested with PHP 5.3.4 Win32 and 5.3.8 Linux.

Test script:
---------------
http://pastebin.com/X1S7bUXV

Expected result:
----------------
decrypted : hello world
decrypted : *garbage*

Actual result:
--------------
Warning: mcrypt_generic_init() [function.mcrypt-generic-init]: Iv size incorrect; supplied length: 16, needed: 32 in ...
decrypted : Ñ2âв ÐÐ/(Ñвy7YÐÆ0z=/оÑ|µ8â0У
decrypted : hello world

--
Edit bug report at https://bugs.php.net/bug.php?id=60705&edit=1
--
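
The relationship between cipher name, key length and IV length in the report above, as an added example that is not part of the original report or of PHP's own code: in mcrypt the number in MCRYPT_RIJNDAEL_128/192/256 is the Rijndael block size in bits, which is what CBC sizes the IV from, while the key length is set separately by the key passed in. The helper names, key and IV are hypothetical values constructed for illustration; the `openssl_*` calls are the real functions of PHP's openssl extension.

```php
<?php
// Added example. Key, IV and plaintext below are constructed sample values.

// Block size in bytes selected by each mcrypt Rijndael cipher name.
// The key length (16, 24 or 32 bytes) is an independent parameter.
const RIJNDAEL_BLOCK_BYTES = [
    'rijndael-128' => 16, // the only block size standardized as AES
    'rijndael-192' => 24,
    'rijndael-256' => 32,
];

// CBC needs an IV exactly one block long, so the IV length is the block size.
function cbc_iv_length(string $cipher): int
{
    if (!isset(RIJNDAEL_BLOCK_BYTES[$cipher])) {
        throw new InvalidArgumentException("unknown cipher: $cipher");
    }
    return RIJNDAEL_BLOCK_BYTES[$cipher];
}

// OpenSSL AES-CBC name for a Rijndael configuration, or null if it is not AES.
function aes_cbc_name(string $cipher, int $keyBytes): ?string
{
    if (cbc_iv_length($cipher) !== 16 || !in_array($keyBytes, [16, 24, 32], true)) {
        return null;
    }
    return 'aes-' . ($keyBytes * 8) . '-cbc';
}

$key = str_repeat("\x11", 32); // constructed 32-byte (256-bit) key
$iv  = str_repeat("\x22", 16); // constructed 16-byte (128-bit) IV

foreach (array_keys(RIJNDAEL_BLOCK_BYTES) as $cipher) {
    $name = aes_cbc_name($cipher, strlen($key));
    printf("%s: IV needs %d bytes, supplied %d, %s\n",
        $cipher, cbc_iv_length($cipher), strlen($iv),
        $name === null ? 'not an AES configuration' : "equivalent to $name");
}

// Round trip as AES-256-CBC: 32-byte key, 16-byte block, 16-byte IV.
$method = aes_cbc_name('rijndael-128', strlen($key));
if (openssl_cipher_iv_length($method) !== strlen($iv)) {
    throw new RuntimeException('IV length does not match the cipher block size');
}
$ct = openssl_encrypt('hello world', $method, $key, OPENSSL_RAW_DATA, $iv);
$pt = openssl_decrypt($ct, $method, $key, OPENSSL_RAW_DATA, $iv);
echo "decrypted : $pt\n";
```

mcrypt pads the final block with zero bytes while OpenSSL defaults to PKCS#7, so decrypting ciphertext produced by mcrypt with `openssl_decrypt` additionally needs the `OPENSSL_ZERO_PADDING` option and trimming of the trailing zero bytes.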