> Subject: [openssl.org &3182] Bug in OpenSSL 1.0.1e 586 assembly optimized 
> AES_cbc_encrypt 
> From: r...@openssl.org
> To: cosborn...@hotmail.com
> CC: openssl-dev@openssl.org
> Date: Wed, 27 Nov 2013 15:33:08 +0100
> 
> On Tue Nov 26 22:30:34 2013, cosborn...@hotmail.com wrote:
>> I've noticed what appears to be a bug in the 586 assembly-optimized
>> AES_cbc_encrypt function of OpenSSL 1.0.1e, (compiled on Windows)
>> when encrypting data that is> 1 block in length, but not an
>> integral multiple of the block size.
> 
> Well the low level cbc routines behaviour when the input is not a multiple of
> the block size is undefined. The higher level EVP routines pad the input data
> to a multiple of the blocks size if block padding is not disabled. If block
> padding is disabled then attempting to encrypt data whose total length is not 
> a
> multiple of the block size returns an error.
> 
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
>

I don't seem to be able to find any documentation indicating that this is 
undefined behavior, however documentation for the near identical method 
DES_ncbc_encrypt states: "If the length argument is not an integral multiple of 
<block size> bytes, the last block is copied to a temporary area and zero 
filled. The output is always an integral multiple of <block size> bytes."
It seems reasonable to assume a consistent API, and any ambiguity should be 
resolved by referring to the C source, which appears to confirm that partial 
blocks are indeed zero-padded.

CO                                        

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org

Reply via email to