I'm not sure the old code was wrong either.
It's unintuitive, but it is at least possible to pass the NIST compliance
tests with the old code - are you sure that's going to be possible with the
new code ?
Yes, I'm aware that there have been a lot of complaints about CFB in the
past - but it was at least functional for all the awkwardness.
Peter Waltenberg
From: "Kurt Roeckx via RT" <[email protected]>
To:
Cc: [email protected]
Date: 03/01/2010 06:44 PM
Subject: [openssl.org #2177] New CFB block length breaks old encrypted
data
Sent by: [email protected]
Hi,
With version 0.9.8m we're unable to read encrypted data written by
older versions. The commit that breaks it has this changelog:
The "block length" for CFB mode was incorrectly coded as 1 all the
time. It
should be the number of feedback bits expressed in bytes. For CFB1 mode
set
this to 1 by rounding up to the nearest multiple of 8.
And this diff:
--- crypto/evp/evp_locl.h
+++ crypto/evp/evp_locl.h
@@ -127,9 +127,9 @@ BLOCK_CIPHER_def1(cname, cbc, cbc, CBC, kstruct, nid,
block_size, key_len, \
#define BLOCK_CIPHER_def_cfb(cname, kstruct, nid, key_len, \
iv_len, cbits, flags, init_key,
cleanup, \
set_asn1, get_asn1, ctrl) \
-BLOCK_CIPHER_def1(cname, cfb##cbits, cfb##cbits, CFB, kstruct, nid, 1, \
- key_len, iv_len, flags, init_key, cleanup,
set_asn1, \
- get_asn1, ctrl)
+BLOCK_CIPHER_def1(cname, cfb##cbits, cfb##cbits, CFB, kstruct, nid, \
+ (cbits + 7)/8, key_len, iv_len, \
+ flags, init_key, cleanup, set_asn1, get_asn1,
ctrl)
#define BLOCK_CIPHER_def_ofb(cname, kstruct, nid, key_len, \
iv_len, cbits, flags, init_key,
cleanup, \
I'm not really sure what to do with this, but I will probably revert
that change for the Debian package.
Kurt
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]
