From owner-freebsd-hackers@FreeBSD.ORG Wed Sep 17 00:25:58 2003
Date: Wed, 17 Sep 2003 11:25:44 +0400 (MSD)
From: "lg"
Sender: zevlg@yandex.ru
Reply-To: zevlg@yandex.ru
To: hackers@freebsd.org
Message-Id: <3F680C78.000003.13537@tide.yandex.ru>
Subject: possible rijndael bug
List-Id: Technical Discussions relating to FreeBSD

Hello hackers.

I recently examined the rijndael implementation which ships in sys/crypto/rijndael, and there is this code in the function rijndael_padEncrypt() (from rijndael-api-fst.c):

    numBlocks = inputOctets/16;
    ...
    ...
    padLen = 16 - (inputOctets - 16*numBlocks);
    if (padLen > 0 && padLen <= 16)
        panic("...");
    bcopy(input, block, 16 - padLen);
    for (cp = block + 16 - padLen; cp < block + 16; cp++)
        *cp = padLen;
    rijndaelEncrypt(block, outBuffer, key->keySched, key->ROUNDS);
    ...

so the padLen check will always succeed and it will surely panic; or, even if we admit that the padLen check is bypassed (which is impossible, I think), then bcopy() will be called with a size argument larger than the size of the block array, or with a negative size. Isn't this padLen check unneeded?
Or maybe it should look like 'if (padLen <= 0 || padLen > 16)'? In RFC2040 there is a description of how to process the last block, and there are no such checks.
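Added example (not the poster's code and not the FreeBSD sources): a stand-alone model of the final-block padding arithmetic quoted above, placing the range check as posted beside the form proposed in the mail so the two can be compared over every input length. Names follow the quoted fragment; the handling of the input pointer (taking the tail of the whole input rather than an already-advanced pointer) is an assumption.

```c
/* Models rijndael_padEncrypt()'s final-block padding as quoted in the mail.
 * Added example; the input-pointer handling is an assumption, not the
 * original code's behaviour. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define BLOCK_LEN 16

/* Pad length for the final block: always 1..16 (a full block of padding
 * when the input length is a multiple of 16, as in the quoted formula). */
static int compute_pad_len(size_t inputOctets)
{
    size_t numBlocks = inputOctets / BLOCK_LEN;
    return BLOCK_LEN - (int)(inputOctets - BLOCK_LEN * numBlocks);
}

/* The check exactly as quoted: true (would panic) whenever padLen is in
 * range, which compute_pad_len() guarantees for every input length. */
static int check_as_posted_would_panic(int padLen)
{
    return padLen > 0 && padLen <= BLOCK_LEN;
}

/* The check in the form the mail proposes: only out-of-range values panic. */
static int check_corrected_would_panic(int padLen)
{
    return padLen <= 0 || padLen > BLOCK_LEN;
}

/* Builds the padded final block the way the quoted loop does: copy the
 * partial tail of the input, then fill the remainder with the pad length.
 * Returns the pad length, or -1 if padLen is out of range, so the copy can
 * never run with a size larger than the block or a negative one. */
static int pad_final_block(const uint8_t *input, size_t inputOctets,
                           uint8_t block[BLOCK_LEN])
{
    int padLen = compute_pad_len(inputOctets);
    if (check_corrected_would_panic(padLen))
        return -1;
    size_t tail = (size_t)(BLOCK_LEN - padLen);   /* bytes of real data */
    memcpy(block, input + inputOctets - tail, tail);
    for (uint8_t *cp = block + tail; cp < block + BLOCK_LEN; cp++)
        *cp = (uint8_t)padLen;
    return padLen;
}
```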