ID: 10538
User Update by: [EMAIL PROTECTED]
Old-Status: Assigned
Status: Closed
Bug Type: mcrypt related
Description: mcrypt_generic_init truncates key/iv upon first '\0'

Seems to be a duplicate of Bug #8839 and it is already fixed in CVS.

Previous Comments:

[2001-04-28 12:50:42] [EMAIL PROTECTED]
Same happens in mcrypt_ecb, mcrypt_cbc, mcrypt_cfb and mcrypt_ofb too.

Script showing the bug:

$key1  = pack("H*", "FF00FF00000000000000000000000000000000000000000000000000000
$key2  = pack("H*", "FF000000000000000000000000000000000000000000000000000000000
$iv    = pack("H*", "00000000000000000000000000000000");
$plain = pack("H*", "0000000000000000");

$handle = mcrypt_module_open(MCRYPT_TWOFISH, "", MCRYPT_MODE_CFB, "");
mcrypt_generic_init($handle, $key1, $iv);
$crypted1 = mcrypt_generic($handle, $plain);

$handle = mcrypt_module_open(MCRYPT_TWOFISH, "", MCRYPT_MODE_CFB, "");
mcrypt_generic_init($handle, $key2, $iv);
$crypted2 = mcrypt_generic($handle, $plain);

print bin2hex($plain)."\n\n";
print bin2hex($crypted1)."\n\n";
print bin2hex($crypted2)."\n\n";

The two ciphertexts should NOT be the same as the key is different.

Proposed patch (also fixes a possible memory access problem, but only for the 
mcrypt_generic_init function; I didn't fully understand php_mcrypt_do_crypt yet, 
when I do I will update the patch, see also Bug #10518):

--- php-4.0.4pl1/ext/mcrypt/mcrypt.c    Wed Nov 22 22:40:15 2000
+++ php-4.0.4pl1-sk/ext/mcrypt/mcrypt.c Sat Apr 28 18:53:07 2001
@@ -463,14 +463,22 @@
                        Z_STRLEN_PP(key), key_size);
                php_error (E_NOTICE, dummy);
-       strncpy (key_s, Z_STRVAL_PP(key), key_size);
+       if (Z_STRLEN_PP(key) > key_size) {
+               memcpy (key_s, Z_STRVAL_PP(key), key_size);
+       } else {
+               memcpy (key_s, Z_STRVAL_PP(key), Z_STRLEN_PP(key));
+       }
        if (Z_STRLEN_PP(iv) != iv_size) {
                sprintf (dummy, "iv size incorrect; supplied length: %d, needed: %d", 
                        Z_STRLEN_PP(iv), iv_size);
                php_error (E_WARNING, dummy);
-       strncpy (iv_s, Z_STRVAL_PP(iv), iv_size);
+       if (Z_STRLEN_PP(iv) > iv_size) {
+               memcpy (iv_s, Z_STRVAL_PP(iv), iv_size);
+       } else {
+               memcpy (iv_s, Z_STRVAL_PP(iv), Z_STRLEN_PP(iv));
+       }
        RETVAL_LONG (mcrypt_generic_init (td, key_s, key_size, iv_s));
        efree (iv_s);
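Review bot: in the else arms for both key and iv, memcpy copies only Z_STRLEN_PP(...) bytes, so a value shorter than key_size or iv_size leaves the tail of key_s or iv_s untouched, whereas the strncpy being removed zero-filled up to the limit. The visible lines do not show the buffers being cleared, so either memset them to 0 before the copy or confirm the allocation already does; otherwise a short key is padded with stale heap contents and the result is not reproducible. Note also that mcrypt_generic_init is still passed key_size rather than the supplied length, so a short key is silently extended, and a wrong-length iv only raises a warning before being used. The two if/else pairs could each be a single memcpy with the smaller of the two lengths.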


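An added example, not part of the original report or of PHP's source: a C sketch of why a NUL-terminated copy makes the two keys from the script equivalent, while a length-based copy keeps them distinct. The 32-byte key size, the key bytes beyond the first four, and all function names are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define KEY_SIZE 32 /* assumed: largest Twofish key, in bytes */

/* Constructed sample keys: they differ only after the first 0x00 byte. */
static const unsigned char KEY1[KEY_SIZE] = {0xFF, 0x00, 0xFF, 0x00};
static const unsigned char KEY2[KEY_SIZE] = {0xFF, 0x00, 0x00, 0x00};

/* Behaviour reported in the bug: the key is treated as a C string,
 * so everything after the first '\0' is dropped and replaced by zeros. */
static void load_key_cstring(unsigned char *dst, const unsigned char *src,
                             size_t len)
{
    (void)len; /* the real length is ignored, which is the defect */
    strncpy((char *)dst, (const char *)src, KEY_SIZE);
}

/* Length-aware copy: take min(len, KEY_SIZE) bytes and zero-pad the rest,
 * so short keys never pick up leftover buffer contents. */
static void load_key_binary(unsigned char *dst, const unsigned char *src,
                            size_t len)
{
    memset(dst, 0, KEY_SIZE);
    memcpy(dst, src, len > KEY_SIZE ? KEY_SIZE : len);
}

typedef void (*key_loader)(unsigned char *, const unsigned char *, size_t);

/* Returns 1 when both inputs end up as the same cipher key. */
static int keys_collide(key_loader load, const unsigned char *k1,
                        const unsigned char *k2, size_t len)
{
    unsigned char a[KEY_SIZE], b[KEY_SIZE];
    load(a, k1, len);
    load(b, k2, len);
    return memcmp(a, b, KEY_SIZE) == 0;
}

int main(void)
{
    printf("C-string copy collides: %d\n",
           keys_collide(load_key_cstring, KEY1, KEY2, KEY_SIZE));
    printf("binary copy collides:   %d\n",
           keys_collide(load_key_binary, KEY1, KEY2, KEY_SIZE));
    return 0;
}
```

With the C-string copy, only the bytes before the first zero contribute to the key, so any binary key containing an early 0x00 loses most of its entropy.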