Date:      Wed, 17 Sep 2003 11:25:44 +0400 (MSD)
From:      "lg" <zevlg@yandex.ru>
To:        hackers@freebsd.org
Subject:   possible rijndael bug
Message-ID:  <3F680C78.000003.13537@tide.yandex.ru>

Hello hackers.

I recently examined the rijndael implementation which ships in sys/crypto/rijndael, and there
is this code in the function rijndael_padEncrypt() (from rijndael-api-fst.c):

numBlocks = inputOctets/16;
...
...
padLen = 16 - (inputOctets - 16*numBlocks);   /* always in the range 1..16 */
if (padLen > 0 && padLen <= 16)               /* so this condition is always true */
        panic("...");
bcopy(input, block, 16 - padLen);
for (cp = block + 16 - padLen; cp < block + 16; cp++)
        *cp = padLen;
rijndaelEncrypt(block, outBuffer, key->keySched, key->ROUNDS);
...

so the padLen check will always succeed and it will surely panic; or even if we admit that
the padLen check is bypassed (which is impossible, I think), then bcopy() will be called with
a larger size argument than the size of the block array, or with a negative size. Isn't this
padLen check unneeded? Or maybe it should look like 'if (padLen <= 0 || padLen > 16)'?

In RFC2040 there is a description of how to process the last block, and there are no such
checks.
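The following is an added example, not code from the mail or from the FreeBSD source: it reproduces the posted padLen computation to show that the original condition holds for every input length, and beside it a version of the final-block padding with the inverted check the mail proposes (returning an error instead of calling panic), plus the matching unpad check a decryptor should run. The function names are assumptions; the snippet's `input` is taken to already point at the trailing partial block, so the example indexes it explicitly.

```c
#include <stddef.h>
#include <string.h>

#define BLOCK 16

/* Same arithmetic as the posted snippet: padLen is always 1..16, so the
 * condition "padLen > 0 && padLen <= 16" is true for every inputOctets.
 * Returns 1 when the original check would have fired (i.e. panicked). */
int original_check_would_panic(size_t inputOctets)
{
    size_t numBlocks = inputOctets / BLOCK;
    int padLen = BLOCK - (int)(inputOctets - BLOCK * numBlocks);
    return (padLen > 0 && padLen <= BLOCK);
}

/* Builds the final padded block with the corrected (inverted) range check.
 * Copies the trailing partial block of 'input' into 'block' and fills the
 * remainder with padLen copies of padLen (the RFC 2040 / PKCS#5 scheme).
 * Returns padLen (1..16), or -1 if the computed pad length is out of range. */
int pad_last_block(const unsigned char *input, size_t inputOctets,
                   unsigned char block[BLOCK])
{
    size_t numBlocks = inputOctets / BLOCK;
    int padLen = BLOCK - (int)(inputOctets - BLOCK * numBlocks);
    unsigned char *cp;

    if (padLen <= 0 || padLen > BLOCK)   /* the check as the mail suggests */
        return -1;                       /* never copies more than 16 bytes */

    memcpy(block, input + BLOCK * numBlocks, BLOCK - padLen);
    for (cp = block + BLOCK - padLen; cp < block + BLOCK; cp++)
        *cp = (unsigned char)padLen;
    return padLen;
}

/* Validates and strips the padding of a decrypted final block.
 * Returns the number of payload bytes (0..15), or -1 if the pad is malformed. */
int unpad_last_block(const unsigned char block[BLOCK])
{
    int padLen = block[BLOCK - 1], i;

    if (padLen < 1 || padLen > BLOCK)
        return -1;
    for (i = BLOCK - padLen; i < BLOCK; i++)
        if (block[i] != padLen)
            return -1;
    return BLOCK - padLen;
}
```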