From owner-freebsd-hackers@FreeBSD.ORG  Wed Sep 17 00:42:56 2003
Return-Path: <owner-freebsd-hackers@FreeBSD.ORG>
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id B21C416A4B3
	for <hackers@freebsd.org>; Wed, 17 Sep 2003 00:42:56 -0700 (PDT)
Received: from smtp.netli.com (ip2-pal-focal.netli.com [66.243.52.2])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 3DC6A43F85
	for <hackers@freebsd.org>; Wed, 17 Sep 2003 00:42:53 -0700 (PDT)
	(envelope-from vlm@netli.com)
Received: (qmail 8188 invoked by uid 84); 17 Sep 2003 07:42:52 -0000
Received: from vlm@netli.com by l3-1 with qmail-scanner-0.96 (uvscan:
	v4.1.40/v4121. . Clean. Processed in 0.151563 secs); 17 Sep 2003 07:42:52
	-0000
Received: from unknown (HELO netli.com) (172.17.1.12)
  by mx01-pal-lan.netli.lan with SMTP; 17 Sep 2003 07:42:52 -0000
Message-ID: <3F6810B7.4050205@netli.com>
Date: Wed, 17 Sep 2003 00:43:51 -0700
From: Lev Walkin <vlm@netli.com>
Organization: Netli, Inc.
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.4) Gecko/20030820
X-Accept-Language: ru, en-us, en
MIME-Version: 1.0
To: zevlg@yandex.ru
References: <3F680C78.000003.13537@tide.yandex.ru>
In-Reply-To: <3F680C78.000003.13537@tide.yandex.ru>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
cc: hackers@freebsd.org
Subject: Re: possible rijndael bug
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
	<freebsd-hackers.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>,
	<mailto:freebsd-hackers-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-hackers>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Help: <mailto:freebsd-hackers-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>,
	<mailto:freebsd-hackers-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Sep 2003 07:42:56 -0000

lg wrote:
> Hello hackers.
> 
> I recently examined rijndael implementation, which ships in sys/crypto/rijndael and there
> is code in function rijndael_padEncrypt()(from rijndael-api-fst.c):
> 
> numBlocks = inputOctets/16;
> ...
> ...
> padLen = 16 - (inputOctets - 16*numBlocks);
> if (padLen > 0 && padLen <= 16)
>         panic("...");
> bcopy(input, block, 16 - padLen);
> for (cp = block + 16 - padLen; cp < block + 16; cp++)
> 	*cp = padLen;
> rijndaelEncrypt(block, outBuffer, key->keySched, key->ROUNDS);
> ...
> 
> so padLen check will always success and it surely will panic, or even if we admit that 
> padLen check is bypassed(what is impossible i think) then bcopy() will be called with 
> larger size argument then size of block array or with negative size. Isn't this padLen 
> check is unneeded? or maybe it should look like 'if (padLen <= 0 || padLen > 16)'?
> 
> In RFC2040 there is a description about how to process last block and there is not such 
> checks.

Thanks God ECB mode isn't in much use nowadays.


 From KAME sources:


http://orange.kame.net/dev/cvsweb.cgi/kame/kame/sys/crypto/rijndael/rijndael-api-fst.c.diff?r1=1.15&r2=1.16


=== cut cvs diff ===
  		padLen = 16 - (inputOctets - 16*numBlocks);
-		if (padLen <= 0 || padLen > 16)
-			panic("rijndael_padEncrypt(ECB)");
-		bcopy(input, block, 16 - padLen);
-		for (cp = block + 16 - padLen; cp < block + 16; cp++)
-			*cp = padLen;
-		rijndaelEncrypt(block, outBuffer, key->keySched, key->ROUNDS);
+		assert(padLen > 0 && padLen <= 16);
+		memcpy(block, input, 16 - padLen);
+		memset(block + 16 - padLen, padLen, padLen);
+		rijndaelEncrypt(key->rk, key->Nr, block, outBuffer);
  		break;
=== cut cvs diff ===

And then somebody changed assert() into a direct if()!

-- 
Lev Walkin
vlm@netli.com