Hello,
We realized that cfb8_decrypt doesn't update the IV correctly when the input is shorter than AES block size. The attached patches should fix it.
Samba is also affected by this and there are similar fixes: https://git.samba.org/?p=gd/nettle;a=commit;h=c9926d319a44858d9bde5c28e37f37... https://git.samba.org/?p=gd/nettle;a=commit;h=a2aa783012ab874eebe79d61500271...
Regards,
Daiki Ueno <ueno@gnu.org> writes:
> We realized that cfb8_decrypt doesn't update the IV correctly when the input is shorter than AES block size. The attached patches should fix it.
For testing, I think it would be good to take the test vectors for cfb8, and split into multiple calls to cfb8_*crypt, in several ways. And check they all give the same result. A bit like it's done in arcfour-test.c, or the test_cipher_stream (#if:ed out, not sure if it's worth reviving).
What do you think?
Regards, /Niels
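The chaining property behind the bug report and the split-call check Niels proposes, as an added example that is not Nettle's code or the thread's patches. It substitutes a constructed toy block cipher for AES so it runs without libnettle; cfb8_crypt, cfb8_split_check, toy_encrypt and the sample key, IV and message are all assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define BLOCK_SIZE 16
/* Block-cipher encryption callback; ctx is the raw 16-byte key for the toy cipher below. */
typedef void (*block_fn)(const void *ctx, uint8_t *dst, const uint8_t *src);
/* Toy stand-in for AES so this runs without libnettle (constructed, NOT secure). */
static void toy_encrypt(const void *ctx, uint8_t *dst, const uint8_t *src) {
  const uint8_t *k = ctx; uint8_t t = 0;
  for (size_t i = 0; i < BLOCK_SIZE; i++) t = (uint8_t)(t * 31 + (src[i] ^ k[i]));
  for (size_t i = 0; i < BLOCK_SIZE; i++) dst[i] = (uint8_t)((src[(i + 5) % BLOCK_SIZE] ^ k[i]) + t + i);
}
/* CFB8, both directions: byte i is XORed with the first byte of E(iv); the shift
   register then drops its oldest byte and appends the ciphertext byte (dst when
   encrypting, src when decrypting). Because iv advances per byte, a call shorter than
   BLOCK_SIZE leaves exactly the state a one-shot call would leave. Safe for dst == src. */
static void cfb8_crypt(const void *ctx, block_fn f, uint8_t *iv, int decrypt,
                       size_t length, uint8_t *dst, const uint8_t *src) {
  uint8_t ks[BLOCK_SIZE];
  for (size_t i = 0; i < length; i++) {
    uint8_t in = src[i], out;
    f(ctx, ks, iv);
    dst[i] = out = in ^ ks[0];
    memmove(iv, iv + 1, BLOCK_SIZE - 1);
    iv[BLOCK_SIZE - 1] = decrypt ? in : out;
  }
}
/* The check Niels suggests: push the same data through every chunking 1..len in
   both directions and require identical output and identical final IV state;
   the chunk == len pass is the one-shot reference. Returns 1 on success. */
static int cfb8_split_check(const uint8_t *key, const uint8_t *iv0, const uint8_t *msg, size_t len) {
  uint8_t ref[64], out[64], iv[BLOCK_SIZE], ivref[BLOCK_SIZE];
  if (len == 0 || len > sizeof ref) return 0;
  for (size_t chunk = len; chunk >= 1; chunk--) {
    for (int dec = 0; dec < 2; dec++) {   /* encrypt msg -> out, then decrypt out in place */
      memcpy(iv, iv0, BLOCK_SIZE);
      for (size_t off = 0; off < len; off += chunk)
        cfb8_crypt(key, toy_encrypt, iv, dec, len - off < chunk ? len - off : chunk, out + off, (dec ? out : msg) + off);
      if (chunk == len && !dec) { memcpy(ref, out, len); memcpy(ivref, iv, BLOCK_SIZE); }
      if (memcmp(out, dec ? msg : ref, len) || memcmp(iv, ivref, BLOCK_SIZE)) return 0;
    }
  }
  return 1;
}
/* Constructed sample key, IV and message (not Nettle's own test vectors). */
static int run_split_check(void) {
  const char *m = "cfb8 must chain across short calls too!";
  return cfb8_split_check((const uint8_t *)"0123456789abcdef", (const uint8_t *)"fedcba9876543210", (const uint8_t *)m, strlen(m));
}
```

An implementation that fails to carry the IV forward on a call shorter than the block size makes the chunked passes diverge from the one-shot pass, so the check returns 0.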
nisse@lysator.liu.se (Niels Möller) writes:
> Daiki Ueno <ueno@gnu.org> writes:
>> We realized that cfb8_decrypt doesn't update the IV correctly when the input is shorter than AES block size. The attached patches should fix it.
> For testing, I think it would be good to take the test vectors for cfb8, and split into multiple calls to cfb8_*crypt, in several ways. And check they all give the same result. A bit like it's done in arcfour-test.c, or the test_cipher_stream (#if:ed out, not sure if it's worth reviving).
Indeed, thank you for the suggestion. I'm attaching updated patches.
Regards,
Daiki Ueno <ueno@gnu.org> writes:
>> For testing, I think it would be good to take the test vectors for cfb8, and split into multiple calls to cfb8_*crypt, in several ways. And check they all give the same result. A bit like it's done in arcfour-test.c, or the test_cipher_stream (#if:ed out, not sure if it's worth reviving).
> Indeed, thank you for the suggestion. I'm attaching updated patches.
Pushed now, with a few additional fixes for the test.
Thanks! /Niels Möller
nettle-bugs@lists.lysator.liu.se