From nobody@FreeBSD.org  Fri Mar  6 02:16:42 2009
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id B9B601065675
	for <freebsd-gnats-submit@FreeBSD.org>; Fri,  6 Mar 2009 02:16:42 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id A7E8C8FC15
	for <freebsd-gnats-submit@FreeBSD.org>; Fri,  6 Mar 2009 02:16:42 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.3/8.14.3) with ESMTP id n262GgYj092008
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 6 Mar 2009 02:16:42 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.3/8.14.3/Submit) id n262GgWo092007;
	Fri, 6 Mar 2009 02:16:42 GMT
	(envelope-from nobody)
Message-Id: <200903060216.n262GgWo092007@www.freebsd.org>
Date: Fri, 6 Mar 2009 02:16:42 GMT
From: Rajesh Patel <RajeshMPatel@yahoo.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: rijndael CBC mode encryption incorrect
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         132351
>Category:       kern
>Synopsis:       [crypto] [patch] rijndael CBC mode encryption incorrect
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    gavin
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Mar 06 02:20:01 UTC 2009
>Closed-Date:    Wed May 27 06:31:04 UTC 2009
>Last-Modified:  Wed May 27 06:31:04 UTC 2009
>Originator:     Rajesh Patel
>Release:        5.0
>Organization:
>Environment:
Windows XP professional - 32 bit
>Description:
The function has a bug in CBC mode encryption
int rijndael_blockEncrypt(cipherInstance *cipher, keyInstance *key,
		BYTE *input, int inputLen, BYTE *outBuffer) {

Original code

		for (i = numBlocks - 1; i > 0; i--) {
#if 1 /*STRICT_ALIGN*/
			AF_BCOPY(outBuffer, block, 16);
========>
			((word32*)block)[0] ^= ((word32*)iv)[0];
			((word32*)block)[1] ^= ((word32*)iv)[1];
			((word32*)block)[2] ^= ((word32*)iv)[2];
			((word32*)block)[3] ^= ((word32*)iv)[3];
#else
			((word32*)block)[0] = ((word32*)outBuffer)[0] ^ ((word32*)input)[0];
			((word32*)block)[1] = ((word32*)outBuffer)[1] ^ ((word32*)input)[1];
			((word32*)block)[2] = ((word32*)outBuffer)[2] ^ ((word32*)input)[2];
			((word32*)block)[3] = ((word32*)outBuffer)[3] ^ ((word32*)input)[3];
#endif
			outBuffer += 16;
			rijndaelEncrypt(block, outBuffer, key->keySched, key->ROUNDS);
			input += 16;
		}

This keeps using the same iv. As a result, the initial block is encrypted multiple times. input should be copied over iv inside the for loop.
>How-To-Repeat:

>Fix:

Code with Fix

		for (i = numBlocks - 1; i > 0; i--) {
#if 1 /*STRICT_ALIGN*/
			AF_BCOPY(outBuffer, block, 16);
/*needs this =======>*/	AF_BCOPY(input, iv, 16); /* Added by Rajesh */
			((word32*)block)[0] ^= ((word32*)iv)[0];
			((word32*)block)[1] ^= ((word32*)iv)[1];
			((word32*)block)[2] ^= ((word32*)iv)[2];
			((word32*)block)[3] ^= ((word32*)iv)[3];
#else
			((word32*)block)[0] = ((word32*)outBuffer)[0] ^ ((word32*)input)[0];
			((word32*)block)[1] = ((word32*)outBuffer)[1] ^ ((word32*)input)[1];
			((word32*)block)[2] = ((word32*)outBuffer)[2] ^ ((word32*)input)[2];
			((word32*)block)[3] = ((word32*)outBuffer)[3] ^ ((word32*)input)[3];
#endif
			outBuffer += 16;
			rijndaelEncrypt(block, outBuffer, key->keySched, key->ROUNDS);
			input += 16;
		}


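The report above quotes only the inner loop, so it is easy to miss what `iv` is at that point. The following C program is an added example, not code from the PR, from FreeBSD, or from the submitter: it reproduces the loop shape from the report with and without the `AF_BCOPY(input, iv, 16)` line, and checks both against a textbook CBC definition. Inside the loop `iv` serves as the aligned scratch copy of the current plaintext block (the `memcpy(iv, input, 16)` that the follow-up quotes from FreeBSD's `rijndael-api-fst.c`); the chaining value is the previous ciphertext block copied into `block`. Without the refresh, the loop XORs each previous ciphertext block with the original IV and never reads the remaining plaintext, so any two messages that agree in their first block encrypt to identical ciphertext. The block cipher here is a stand-in permutation, not AES/Rijndael, and the first-block handling before the loop is an assumption about code the PR does not quote.

```c
/* Added example (not FreeBSD's code): the CBC chaining loop from the PR,
 * with and without the memcpy(iv, input, 16) that the report adds, run
 * against a textbook CBC reference. The block cipher is a stand-in
 * permutation, not AES/Rijndael; only determinism matters here. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLK  16
#define NBLK 3

/* Stand-in block cipher: rotate bytes, then XOR with the key. */
static void toy_block_encrypt(const uint8_t in[BLK], uint8_t out[BLK],
                              const uint8_t key[BLK])
{
    for (int i = 0; i < BLK; i++)
        out[i] = in[(i + 3) % BLK] ^ key[i];
}

/* Textbook CBC: C_i = E(P_i XOR C_{i-1}), with C_{-1} = IV. */
static void cbc_encrypt_ref(const uint8_t *pt, int nblk, uint8_t *ct,
                            const uint8_t key[BLK], const uint8_t iv0[BLK])
{
    uint8_t chain[BLK], x[BLK];
    memcpy(chain, iv0, BLK);
    for (int i = 0; i < nblk; i++) {
        for (int j = 0; j < BLK; j++)
            x[j] = pt[i * BLK + j] ^ chain[j];
        toy_block_encrypt(x, ct + i * BLK, key);
        memcpy(chain, ct + i * BLK, BLK);
    }
}

/* Loop shape from the PR. Inside the loop 'iv' is the aligned scratch copy
 * of the current plaintext block, not the chaining value; the chaining value
 * is the previous ciphertext copied into 'block'. The first-block handling
 * before the loop is an assumption (the PR does not quote it). With
 * refresh_iv == 0 the copy is skipped, reproducing the reported bug. */
static void cbc_encrypt_pr(const uint8_t *input, int numBlocks,
                           uint8_t *outBuffer, const uint8_t key[BLK],
                           const uint8_t iv0[BLK], int refresh_iv)
{
    uint8_t block[BLK], iv[BLK];
    int i, j;

    memcpy(block, input, BLK);          /* first block: P_0 XOR IV */
    memcpy(iv, iv0, BLK);
    for (j = 0; j < BLK; j++)
        block[j] ^= iv[j];
    toy_block_encrypt(block, outBuffer, key);
    input += BLK;

    for (i = numBlocks - 1; i > 0; i--) {
        memcpy(block, outBuffer, BLK);  /* C_{i-1} */
        if (refresh_iv)
            memcpy(iv, input, BLK);     /* P_i: the line the PR adds */
        for (j = 0; j < BLK; j++)       /* without it: C_{i-1} XOR IV */
            block[j] ^= iv[j];
        outBuffer += BLK;
        toy_block_encrypt(block, outBuffer, key);
        input += BLK;
    }
}

/* Constructed test vectors: two messages that agree only in block 0. */
static void make_inputs(uint8_t key[BLK], uint8_t iv0[BLK],
                        uint8_t pa[BLK * NBLK], uint8_t pb[BLK * NBLK])
{
    for (int i = 0; i < BLK; i++) {
        key[i] = (uint8_t)(0xA0 + i);
        iv0[i] = (uint8_t)(0x30 + i);
    }
    for (int i = 0; i < BLK * NBLK; i++) {
        pa[i] = (uint8_t)i;
        pb[i] = (i < BLK) ? (uint8_t)i : (uint8_t)(0xFF - i);
    }
}

/* 1 if the fixed loop produces the same ciphertext as the reference. */
int fixed_loop_matches_reference(void)
{
    uint8_t key[BLK], iv0[BLK], pa[BLK * NBLK], pb[BLK * NBLK];
    uint8_t c1[BLK * NBLK], c2[BLK * NBLK];
    make_inputs(key, iv0, pa, pb);
    cbc_encrypt_ref(pa, NBLK, c1, key, iv0);
    cbc_encrypt_pr(pa, NBLK, c2, key, iv0, 1);
    return memcmp(c1, c2, sizeof c1) == 0;
}

/* 1 if the buggy loop emits identical ciphertext for both messages, i.e.
 * every plaintext block after the first is ignored. */
int buggy_loop_ignores_later_blocks(void)
{
    uint8_t key[BLK], iv0[BLK], pa[BLK * NBLK], pb[BLK * NBLK];
    uint8_t c1[BLK * NBLK], c2[BLK * NBLK];
    make_inputs(key, iv0, pa, pb);
    cbc_encrypt_pr(pa, NBLK, c1, key, iv0, 0);
    cbc_encrypt_pr(pb, NBLK, c2, key, iv0, 0);
    return memcmp(c1, c2, sizeof c1) == 0;
}

int main(void)
{
    printf("fixed loop == reference CBC: %d\n", fixed_loop_matches_reference());
    printf("buggy loop ignores later blocks: %d\n", buggy_loop_ignores_later_blocks());
    return 0;
}
```

The second check is the practical consequence of the bug: ciphertext beyond the first block carries no information about the plaintext beyond the first block, so data written through the buggy path cannot be recovered by decryption at all. A regression test of this shape (two inputs differing only after block 0 must encrypt differently, and the result must match a reference implementation) catches the defect regardless of which cipher sits behind the loop.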
>Release-Note:
>Audit-Trail:

From: Patrick Lamaizière <patfbsd@davenulle.org>
To: bug-followup@FreeBSD.org
Cc: Rajesh Patel <RajeshMPatel@yahoo.com>
Subject: Re: kern/132351: rijndael CBC mode encryption incorrect
Date: Sun, 8 Mar 2009 12:23:01 +0100

 Le Fri, 6 Mar 2009 02:16:42 GMT,
 Rajesh Patel <RajeshMPatel@yahoo.com>:
 
 > >Environment:
 > Windows XP professional - 32 bit
 
 ?
 
 > >Description:
 > The function has bug in CBC mode encryption
 > int rijndael_blockEncrypt(cipherInstance *cipher, keyInstance *key,
 > 		BYTE *input, int inputLen, BYTE *outBuffer) {
 
 > 
 > Original code
 > 
 > 		for (i = numBlocks - 1; i > 0; i--) {
 > #if 1 /*STRICT_ALIGN*/
 > 			AF_BCOPY(outBuffer, block, 16);
 > ========>
 > 			((word32*)block)[0] ^= ((word32*)iv)[0];
 > 			((word32*)block)[1] ^= ((word32*)iv)[1];
 > 			((word32*)block)[2] ^= ((word32*)iv)[2];
 > 			((word32*)block)[3] ^= ((word32*)iv)[3];
 > #else
 > 			((word32*)block)[0] = ((word32*)outBuffer)[0] ^ ((word32*)input)[0];
 > 			((word32*)block)[1] = ((word32*)outBuffer)[1] ^ ((word32*)input)[1];
 > 			((word32*)block)[2] = ((word32*)outBuffer)[2] ^ ((word32*)input)[2];
 > 			((word32*)block)[3] = ((word32*)outBuffer)[3] ^ ((word32*)input)[3];
 > #endif
 > 			outBuffer += 16;
 > 			rijndaelEncrypt(block, outBuffer, key->keySched, key->ROUNDS);
 > 			input += 16;
 > 		}
 > 
 > This keeps using the same iv. As a result, the initial block is
 > encrypted multiple times. input should be copied over iv inside the
 > for loop.
 
 You are right, but this code is not a part of the FreeBSD operating
 system.
 
 > >Fix:
 > 
 > Code with Fix
 > 
 > 		for (i = numBlocks - 1; i > 0; i--) {
 > #if 1 /*STRICT_ALIGN*/
 > 			AF_BCOPY(outBuffer, block, 16);
 > /*needs this =======>*/	AF_BCOPY(input, iv, 16); /* Added by Rajesh */
 
 The implementation of rijndael_blockEncrypt()
 [sys/crypto/rijndael/rijndael-api-fst.c] in FreeBSD already contains
 this:
 
                 for (i = numBlocks - 1; i > 0; i--) {
 #if 1 /*STRICT_ALIGN*/
                         memcpy(block, outBuffer, 16);
                         memcpy(iv, input, 16);
 
 ----------
 
 I think we should close this PR. Why: not the good operating system!
 
 Thanks.
State-Changed-From-To: open->closed 
State-Changed-By: gavin 
State-Changed-When: Wed May 27 06:20:43 UTC 2009 
State-Changed-Why:  
As pointed out already in the PR trail, this does not appear 
to be code found within any recent version of FreeBSD.  This 
bug existed in the 4.x timeframe, but was fixed in May 2002. 
This PR is also a duplicate of kern/38465. 


Responsible-Changed-From-To: freebsd-bugs->gavin 
Responsible-Changed-By: gavin 
Responsible-Changed-When: Wed May 27 06:20:43 UTC 2009 
Responsible-Changed-Why:  
Track 

http://www.freebsd.org/cgi/query-pr.cgi?pr=132351 
>Unformatted:
