possible rijndael bug
lg
zevlg at yandex.ru
Wed Sep 17 00:25:58 PDT 2003
Hello hackers.
I recently examined rijndael implementation, which ships in sys/crypto/rijndael and there
is code in function rijndael_padEncrypt()(from rijndael-api-fst.c):
numBlocks = inputOctets/16;
...
...
padLen = 16 - (inputOctets - 16*numBlocks);
if (padLen > 0 && padLen <= 16)
panic("...");
bcopy(input, block, 16 - padLen);
for (cp = block + 16 - padLen; cp < block + 16; cp++)
*cp = padLen;
rijndaelEncrypt(block, outBuffer, key->keySched, key->ROUNDS);
...
so padLen check will always success and it surely will panic, or even if we admit that
padLen check is bypassed(what is impossible i think) then bcopy() will be called with
larger size argument then size of block array or with negative size. Isn't this padLen
check is unneeded? or maybe it should look like 'if (padLen <= 0 || padLen > 16)'?
In RFC2040 there is a description about how to process last block and there is not such
checks.
More information about the freebsd-hackers
mailing list