I've noticed what appears to be a bug in the OpenSSL 1.0.1e 586 
assembly-optimized AES_cbc_encrypt function when encrypting data that is > 1 
block in length, but not an integral multiple of the block size. Specifically 
it appears that when encrypting the partial-block "tail", the block is XOR-ed 
with the *original* IV passed to AES_cbc_encrypt, rather than the previous 
ciphertext block. This results in incorrect output when decrypting.

To test this, I encrypted 40 bytes (2 full blocks plus a half-block "tail") of 
zeros with a 128-bit all-zeros key (key-size does not appear to be a factor but 
provided for reproducibility), and all-zeros initial IV. The output is as 
follows:

66 E9 4B D4 EF 8A 2C 3B 88 4C FA 59 CA 34 2B 2E
F7 95 BD 4A 52 E2 9E D7 13 D3 13 FA 20 E9 8D BC
66 E9 4B D4 EF 8A 2C 3B 88 4C FA 59 CA 34 2B 2E

Note that the last ciphertext block is identical to the first ciphertext block, 
which since the plaintext is the same (after the internal zero-padding that 
occurs before encrypting final partial-block) further indicates that it was 
encrypted using the same IV as the first block.

When decrypting this, the final block is corrupt:

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
F7 95 BD 4A 52 E2 9E D7 13 D3 13 FA 20 E9 8D BC

If instead the partial-block "tail" is encrypted separately to the full blocks, 
the ciphertext is:

66 E9 4B D4 EF 8A 2C 3B 88 4C FA 59 CA 34 2B 2E
F7 95 BD 4A 52 E2 9E D7 13 D3 13 FA 20 E9 8D BC
A1 0C F6 6D 0F DD F3 40 53 70 B4 BF 8D F5 BF B3

This decrypts to 3 blocks of zeros as expected.

Recompiling without assembly-optimized AES results in the expected 
functionality in both cases.

I've searched the request tracker and performed other general searches to see 
if this has already been raised/debunked but couldn't find anything. Can anyone 
confirm whether this is a bug, or am I missing something? I can provide code 
used for the above if required.
Thanks,

CO                                        
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
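As an added regression check (not the original poster's code), the following loads the system libcrypto through ctypes and drives AES_cbc_encrypt with exactly the inputs from the post, then compares the one-shot result against encrypting the full blocks and the tail separately. It assumes a libcrypto shared object is present and still exports the deprecated AES_set_encrypt_key/AES_cbc_encrypt symbols; on a build with the reported bug tail_uses_original_iv() returns True, on a correct build the third block is the A1 0C ... value quoted above.

```python
"""Check whether AES_cbc_encrypt chains a partial-block tail from the previous
ciphertext block (correct) or from the original IV (the reported bug)."""
import ctypes
import ctypes.util

BLOCK = 16


def _load_libcrypto():
    # Assumption: one of these library names resolves on the host.
    names = [ctypes.util.find_library("crypto"), "libcrypto.so.3",
             "libcrypto.so.1.1", "libcrypto.so", "libcrypto.dylib"]
    for name in names:
        if name:
            try:
                return ctypes.CDLL(name)
            except OSError:
                continue
    raise OSError("libcrypto shared library not found")


def aes_cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """One-shot AES_cbc_encrypt of `data`. A length that is not a multiple of
    16 is zero-padded by libcrypto, as described in the post. The IV is copied
    into its own buffer because AES_cbc_encrypt updates it in place."""
    lib = _load_libcrypto()
    aes_key = ctypes.create_string_buffer(256)  # larger than sizeof(AES_KEY)
    if lib.AES_set_encrypt_key(key, len(key) * 8, aes_key) != 0:
        raise ValueError("unsupported key length")
    out_len = -(-len(data) // BLOCK) * BLOCK     # round up to whole blocks
    out = ctypes.create_string_buffer(out_len)
    ivec = ctypes.create_string_buffer(iv, BLOCK)
    lib.AES_cbc_encrypt(data, out, ctypes.c_size_t(len(data)), aes_key, ivec, 1)
    return out.raw


def tail_uses_original_iv(key: bytes, iv: bytes, data: bytes) -> bool:
    """True if one-shot encryption differs from encrypting the full blocks and
    then the tail chained from the last full ciphertext block, i.e. the tail
    was not chained correctly (the behaviour reported in the post)."""
    one_shot = aes_cbc_encrypt(key, iv, data)
    full_len = len(data) - len(data) % BLOCK
    head = aes_cbc_encrypt(key, iv, data[:full_len]) if full_len else b""
    chain_iv = head[-BLOCK:] if head else iv
    rest = data[full_len:]
    tail = aes_cbc_encrypt(key, chain_iv, rest) if rest else b""
    return one_shot != head + tail
```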