From owner-freebsd-bugs  Thu May 23 12:21: 6 2002
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id 64ACF37B423
	for <freebsd-bugs@hub.freebsd.org>; Thu, 23 May 2002 12:20:02 -0700 (PDT)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.11.6/8.11.6) id g4NJK2O82285;
	Thu, 23 May 2002 12:20:02 -0700 (PDT)
	(envelope-from gnats)
Received: from nwww.freebsd.org (www.FreeBSD.org [216.136.204.117])
	by hub.freebsd.org (Postfix) with ESMTP id 951BB37B414
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 23 May 2002 12:13:31 -0700 (PDT)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by nwww.freebsd.org (8.12.2/8.12.2) with ESMTP id g4NJDVhG079059
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 23 May 2002 12:13:31 -0700 (PDT)
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.12.2/8.12.2/Submit) id g4NJDVWI079058;
	Thu, 23 May 2002 12:13:31 -0700 (PDT)
Message-Id: <200205231913.g4NJDVWI079058@www.freebsd.org>
Date: Thu, 23 May 2002 12:13:31 -0700 (PDT)
From: Ramana Yarlagadda <ramana.yarlagadda@analog.com>
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-1.0
Subject: kern/38465: AES encryption algorithm output is wrong
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-bugs.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-bugs>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-bugs>
X-Loop: FreeBSD.org


>Number:         38465
>Category:       kern
>Synopsis:       AES encryption algorithm output is wrong
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu May 23 12:20:02 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Ramana Yarlagadda
>Release:        4.5
>Organization:
Analog Devices
>Environment:
/usr/src/sys/compile/GENERIC i386
>Description:
     The BSD4.5 supports AES cryptographic algorithms. And i am using 
this algorithm in my application. Before i integrated this with my code 
 tried the algorithm calling with a known pattern ( i have taken
known pattern from AES standard) to make sure that i am using it 
properly. 

I was getting the output correct for the first block and the rest of
the blocks differ from the expected output. 

And as a second step , i just decrypted the output from the Encry-
ption algorithms.The first block matches with the expected output.
And in the remaining blocks contains the output value same as the
first block.

The reason was though the pointer to input data is moved properly,
the data is not copied from the new location. So always only the
first block of the message gets encrypted.
>How-To-Repeat:
     
>Fix:
FILE: sys/crypto/rijndael/rijndael-api-fst.c.
FUNCTION:

I added one statement which marked with ******** in the following code
        case MODE_CBC:
#if 1 /*STRICT_ALIGN*/
                bcopy(cipher->IV, block, 16);
                bcopy(input, iv, 16);
                ((word32*)block)[0] ^= ((word32*)iv)[0];
                ((word32*)block)[1] ^= ((word32*)iv)[1];
                ((word32*)block)[2] ^= ((word32*)iv)[2];
                ((word32*)block)[3] ^= ((word32*)iv)[3];
#else
                ((word32*)block)[0] = ((word32*)cipher->IV)[0] ^ ((word32*)inp
ut)[0];
                ((word32*)block)[1] = ((word32*)cipher->IV)[1] ^ ((word32*)inp
ut)[1];
                ((word32*)block)[2] = ((word32*)cipher->IV)[2] ^ ((word32*)inp
ut)[2];
                ((word32*)block)[3] = ((word32*)cipher->IV)[3] ^ ((word32*)inp
ut)[3];
#endif
                rijndaelEncrypt(block, outBuffer, key->keySched, key->ROUNDS);
                input += 16;
                for (i = numBlocks - 1; i > 0; i--) {
#if 1 /*STRICT_ALIGN*/
                        bcopy(outBuffer, block, 16);
   *********     bcopy(input, iv, 16); // ramana **************
/* basically with out the above stmt the input is always theh first block */
                        ((word32*)block)[0] ^= ((word32*)iv)[0];
                        ((word32*)block)[1] ^= ((word32*)iv)[1];
                        ((word32*)block)[2] ^= ((word32*)iv)[2];
                        ((word32*)block)[3] ^= ((word32*)iv)[3];
#else
                        ((word32*)block)[0] = ((word32*)outBuffer)[0] ^ ((word
32*)input)[0];
                        ((word32*)block)[1] = ((word32*)outBuffer)[1] ^ ((word
32*)input)[1];
                        ((word32*)block)[2] = ((word32*)outBuffer)[2] ^ ((word
32*)input)[2];
                        ((word32*)block)[3] = ((word32*)outBuffer)[3] ^ ((word
32*)input)[3];
#endif
                        outBuffer += 16;
                        rijndaelEncrypt(block, outBuffer, key->keySched, key->
ROUNDS);
                        input += 16;
                }
                break;

>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message