From nobody@www.freebsd.org  Thu May 23 12:13:33 2002
Return-Path: <nobody@www.freebsd.org>
Received: from nwww.freebsd.org (www.FreeBSD.org [216.136.204.117])
	by hub.freebsd.org (Postfix) with ESMTP id 951BB37B414
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 23 May 2002 12:13:31 -0700 (PDT)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by nwww.freebsd.org (8.12.2/8.12.2) with ESMTP id g4NJDVhG079059
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 23 May 2002 12:13:31 -0700 (PDT)
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.12.2/8.12.2/Submit) id g4NJDVWI079058;
	Thu, 23 May 2002 12:13:31 -0700 (PDT)
Message-Id: <200205231913.g4NJDVWI079058@www.freebsd.org>
Date: Thu, 23 May 2002 12:13:31 -0700 (PDT)
From: Ramana Yarlagadda <ramana.yarlagadda@analog.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: AES encryption algorithm output is wrong
X-Send-Pr-Version: www-1.0

>Number:         38465
>Category:       kern
>Synopsis:       AES encryption algorithm output is wrong
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    suz
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu May 23 12:20:02 PDT 2002
>Closed-Date:    Fri May 24 01:50:16 PDT 2002
>Last-Modified:  Fri May 24 01:50:16 PDT 2002
>Originator:     Ramana Yarlagadda
>Release:        4.5
>Organization:
Analog Devices
>Environment:
/usr/src/sys/compile/GENERIC i386
>Description:
     BSD 4.5 supports the AES cryptographic algorithm, and I am using
this algorithm in my application. Before I integrated it with my code,
I tried calling the algorithm with a known pattern (I have taken the
known pattern from the AES standard) to make sure that I am using it
properly.

I was getting the output correct for the first block and the rest of
the blocks differ from the expected output. 

As a second step, I just decrypted the output from the encryption
algorithm. The first block matches the expected output, and the
remaining blocks contain the same output value as the first block.

The reason was that although the pointer to the input data is moved
properly, the data is not copied from the new location, so only the
first block of the message ever gets encrypted.
>How-To-Repeat:
     
>Fix:
FILE: sys/crypto/rijndael/rijndael-api-fst.c.
FUNCTION:

I added one statement, marked with ******** in the following code:
        case MODE_CBC:
#if 1 /*STRICT_ALIGN*/
                bcopy(cipher->IV, block, 16);
                bcopy(input, iv, 16);
                ((word32*)block)[0] ^= ((word32*)iv)[0];
                ((word32*)block)[1] ^= ((word32*)iv)[1];
                ((word32*)block)[2] ^= ((word32*)iv)[2];
                ((word32*)block)[3] ^= ((word32*)iv)[3];
#else
                ((word32*)block)[0] = ((word32*)cipher->IV)[0] ^ ((word32*)input)[0];
                ((word32*)block)[1] = ((word32*)cipher->IV)[1] ^ ((word32*)input)[1];
                ((word32*)block)[2] = ((word32*)cipher->IV)[2] ^ ((word32*)input)[2];
                ((word32*)block)[3] = ((word32*)cipher->IV)[3] ^ ((word32*)input)[3];
#endif
                rijndaelEncrypt(block, outBuffer, key->keySched, key->ROUNDS);
                input += 16;
                for (i = numBlocks - 1; i > 0; i--) {
#if 1 /*STRICT_ALIGN*/
                        bcopy(outBuffer, block, 16);
                        bcopy(input, iv, 16); /* ******** added by ramana ******** */
                        /* basically without the above stmt the input is always the first block */
                        ((word32*)block)[0] ^= ((word32*)iv)[0];
                        ((word32*)block)[1] ^= ((word32*)iv)[1];
                        ((word32*)block)[2] ^= ((word32*)iv)[2];
                        ((word32*)block)[3] ^= ((word32*)iv)[3];
#else
                        ((word32*)block)[0] = ((word32*)outBuffer)[0] ^ ((word32*)input)[0];
                        ((word32*)block)[1] = ((word32*)outBuffer)[1] ^ ((word32*)input)[1];
                        ((word32*)block)[2] = ((word32*)outBuffer)[2] ^ ((word32*)input)[2];
                        ((word32*)block)[3] = ((word32*)outBuffer)[3] ^ ((word32*)input)[3];
#endif
                        outBuffer += 16;
                        rijndaelEncrypt(block, outBuffer, key->keySched, key->ROUNDS);
                        input += 16;
                }
                break;

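Added example, not part of the PR or of the FreeBSD/KAME source: a C model of the CBC loop from the Fix section that isolates the effect of the missing bcopy. A constructed, invertible 16-byte transform (toy_encrypt / toy_decrypt, not AES) stands in for rijndaelEncrypt so the chaining logic runs offline; the function names, the reload_input flag, the key byte and the sample plaintext are all assumptions made here. With reload_input = 0 the scratch buffer iv is filled once before the loop and never refreshed, so every block is chained against plaintext block 0; decrypting that ciphertext returns block 0 in every position, which is the symptom the report describes. With reload_input = 1 (the added bcopy) the ciphertext round-trips.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NBLOCKS 3
#define KEY 0x5C

/* Stand-in 16-byte block transform: NOT AES, only an invertible byte
 * rotation plus XOR so that the CBC chaining can be exercised offline. */
static void toy_encrypt(const uint8_t in[16], uint8_t out[16], uint8_t key)
{
    for (int i = 0; i < 16; i++)
        out[i] = (uint8_t)(in[(i + 1) % 16] ^ key ^ (uint8_t)i);
}

static void toy_decrypt(const uint8_t in[16], uint8_t out[16], uint8_t key)
{
    for (int j = 0; j < 16; j++) {
        int i = (j + 15) % 16;  /* output index that consumed plaintext byte j */
        out[j] = (uint8_t)(in[i] ^ key ^ (uint8_t)i);
    }
}

/* CBC encryption shaped like the STRICT_ALIGN path in the PR:
 * reload_input == 0 reproduces the bug (iv is copied once, before the loop,
 * and never refreshed); reload_input == 1 performs the bcopy the PR adds. */
static void cbc_encrypt(const uint8_t IV[16], const uint8_t *input,
                        uint8_t *outBuffer, size_t numBlocks, uint8_t key,
                        int reload_input)
{
    uint8_t block[16], iv[16];

    memcpy(block, IV, 16);
    memcpy(iv, input, 16);
    for (int i = 0; i < 16; i++) block[i] ^= iv[i];
    toy_encrypt(block, outBuffer, key);
    input += 16;
    for (size_t n = numBlocks - 1; n > 0; n--) {
        memcpy(block, outBuffer, 16);      /* chain the previous ciphertext */
        if (reload_input)
            memcpy(iv, input, 16);         /* the statement the PR adds */
        for (int i = 0; i < 16; i++) block[i] ^= iv[i];
        outBuffer += 16;
        toy_encrypt(block, outBuffer, key);
        input += 16;
    }
}

/* Straightforward CBC decryption: P_i = D(C_i) XOR C_(i-1), C_(-1) = IV. */
static void cbc_decrypt(const uint8_t IV[16], const uint8_t *input,
                        uint8_t *output, size_t numBlocks, uint8_t key)
{
    uint8_t prev[16], tmp[16];

    memcpy(prev, IV, 16);
    for (size_t n = 0; n < numBlocks; n++) {
        toy_decrypt(input, tmp, key);
        for (int i = 0; i < 16; i++) output[i] = tmp[i] ^ prev[i];
        memcpy(prev, input, 16);
        input += 16;
        output += 16;
    }
}

/* Constructed sample input: three plaintext blocks that all differ, plus an IV. */
static void sample_input(uint8_t pt[NBLOCKS * 16], uint8_t IV[16])
{
    for (int i = 0; i < NBLOCKS * 16; i++) pt[i] = (uint8_t)(0x10 + i);
    for (int i = 0; i < 16; i++) IV[i] = (uint8_t)(0xA0 + i);
}

/* Returns 1 when the buggy loop shows the PR's symptom: every decrypted block
 * equals plaintext block 0 even though the later plaintext blocks differ. */
int buggy_repeats_first_block(void)
{
    uint8_t pt[NBLOCKS * 16], IV[16], ct[NBLOCKS * 16], rt[NBLOCKS * 16];

    sample_input(pt, IV);
    cbc_encrypt(IV, pt, ct, NBLOCKS, KEY, 0);
    cbc_decrypt(IV, ct, rt, NBLOCKS, KEY);
    for (int b = 0; b < NBLOCKS; b++)
        if (memcmp(rt + 16 * b, pt, 16) != 0) return 0;
    return memcmp(rt + 16, pt + 16, 16) != 0;  /* block 1 really was lost */
}

/* Returns 1 when the loop with the added bcopy round-trips all blocks. */
int fixed_round_trips(void)
{
    uint8_t pt[NBLOCKS * 16], IV[16], ct[NBLOCKS * 16], rt[NBLOCKS * 16];

    sample_input(pt, IV);
    cbc_encrypt(IV, pt, ct, NBLOCKS, KEY, 1);
    cbc_decrypt(IV, ct, rt, NBLOCKS, KEY);
    return memcmp(rt, pt, NBLOCKS * 16) == 0;
}

int main(void)
{
    printf("buggy loop decrypts every block to block 0: %d\n",
           buggy_repeats_first_block());
    printf("fixed loop round-trips all blocks:          %d\n",
           fixed_round_trips());
    return 0;
}
```

The practical lesson is in the test shape: a single-block known-answer test passes against the buggy loop, because block 0 is handled before the loop, so a CBC known-answer check has to cover at least two blocks with differing plaintext to catch this class of defect.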
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: suz 
State-Changed-When: Fri May 24 01:43:56 PDT 2002 
State-Changed-Why:  
the proposed patch is committed 


Responsible-Changed-From-To: freebsd-bugs->suz 
Responsible-Changed-By: suz 
Responsible-Changed-When: Fri May 24 01:43:56 PDT 2002 
Responsible-Changed-Why:  


http://www.freebsd.org/cgi/query-pr.cgi?pr=38465 
>Unformatted:
the proposed patch is correct, so it is committed to 5-current and
fed back to KAME
