Bug #11966

closed

CTR mode tries to be both a stream and block cipher and fails at both

Added by Jason King over 2 years ago. Updated over 2 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: lib - userland libraries
Start date:
Due date:
% Done: 100%
Estimated time:
Difficulty: Medium
Tags:
Gerrit CR:

Description

Upstream of Joyent OS-7964:

While testing multi-part AES CTR mode with inputs that aren't a multiple of AES_BLOCK_LEN, it was discovered that it yields the wrong results.
Looking closer, the implementation tries to handle CTR mode like a block cipher, collecting input data until it has at least AES_BLOCK_LEN bytes of input available to operate on. It then calls ctr_mode_final() after every operation. Unfortunately, this only works when the input is a multiple of AES_BLOCK_LEN. We also should not be collecting and buffering input – the whole point of a stream cipher is to not have to operate on blocks of data.
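The stream-cipher treatment the description asks for, as an added example that is not the illumos code and not the change in the commit below: the context keeps the partially consumed keystream block between calls, so there is no input buffering and no per-call finalisation, and splitting the input across update calls at arbitrary (non-block-aligned) boundaries gives the same bytes as a single call. The block cipher here is a constructed ARX stand-in (toy_block_encrypt), not AES, and the key, IV and message are constructed values; ctr_chunked_matches_oneshot(0) is a generic illustration of the failure class (discarding the partial keystream block at each call boundary), not a reproduction of the original defect.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BLOCK_LEN 16

static uint32_t load32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void store32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static uint32_t rotl32(uint32_t x, int n) { return (x << n) | (x >> (32 - n)); }

/* Constructed stand-in for the block cipher (NOT AES, not secure): a keyed ARX
 * mixer.  CTR mode only needs some keyed 16-byte block function. */
static void toy_block_encrypt(const uint8_t key[BLOCK_LEN], const uint8_t in[BLOCK_LEN],
                              uint8_t out[BLOCK_LEN]) {
    uint32_t s[4];
    for (int i = 0; i < 4; i++) s[i] = load32(in + 4 * i) ^ load32(key + 4 * i);
    for (int r = 0; r < 8; r++) {
        s[0] += s[1]; s[3] ^= s[0]; s[3] = rotl32(s[3], 16);
        s[2] += s[3]; s[1] ^= s[2]; s[1] = rotl32(s[1], 12);
        s[0] += s[1]; s[3] ^= s[0]; s[3] = rotl32(s[3], 8);
        s[2] += s[3]; s[1] ^= s[2]; s[1] = rotl32(s[1], 7);
        s[0] ^= 0x9e3779b9u * (uint32_t)(r + 1);
    }
    for (int i = 0; i < 4; i++) store32(out + 4 * i, s[i] ^ load32(key + 4 * i));
}

/* Big-endian increment of the 128-bit counter block. */
static void ctr_increment(uint8_t ctr[BLOCK_LEN]) {
    for (int i = BLOCK_LEN - 1; i >= 0; i--)
        if (++ctr[i] != 0) break;
}

typedef struct {
    uint8_t key[BLOCK_LEN];
    uint8_t counter[BLOCK_LEN];
    uint8_t keystream[BLOCK_LEN];
    size_t  ks_used;        /* keystream bytes consumed so far; BLOCK_LEN == none left */
} ctr_ctx_t;

void ctr_init(ctr_ctx_t *ctx, const uint8_t key[BLOCK_LEN], const uint8_t iv[BLOCK_LEN]) {
    memcpy(ctx->key, key, BLOCK_LEN);
    memcpy(ctx->counter, iv, BLOCK_LEN);
    ctx->ks_used = BLOCK_LEN;
}

/* Stream-cipher update: every input byte is XORed with the next keystream byte.
 * A new keystream block is generated only when the previous one is exhausted,
 * and the leftover keystream stays in the context across calls. */
void ctr_update(ctr_ctx_t *ctx, const uint8_t *in, uint8_t *out, size_t len) {
    for (size_t i = 0; i < len; i++) {
        if (ctx->ks_used == BLOCK_LEN) {
            toy_block_encrypt(ctx->key, ctx->counter, ctx->keystream);
            ctr_increment(ctx->counter);
            ctx->ks_used = 0;
        }
        out[i] = in[i] ^ ctx->keystream[ctx->ks_used++];
    }
}

/* Constructed key, IV and a 39-byte message (not a multiple of BLOCK_LEN). */
static const uint8_t k_key[BLOCK_LEN] = { 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 };
static const uint8_t k_iv[BLOCK_LEN]  = { 0xf0,0xf1,0xf2,0xf3,0xf4,0xf5,0xf6,0xf7,
                                          0xf8,0xf9,0xfa,0xfb,0xfc,0xfd,0xfe,0xff };
static const char *k_msg = "CTR is a stream cipher, not a block one";

/* Encrypt k_msg in one call and as chunks of 5, 16, 7 and the remainder.
 * With carry_keystream == 0 the partial keystream block is discarded at each
 * call boundary (generic illustration of per-call finalisation).  Returns 1 if
 * the chunked output equals the one-shot output. */
int ctr_chunked_matches_oneshot(int carry_keystream) {
    size_t n = strlen(k_msg), off = 0;
    uint8_t one[64], split[64];
    const size_t chunks[] = { 5, 16, 7 };
    ctr_ctx_t ctx;

    ctr_init(&ctx, k_key, k_iv);
    ctr_update(&ctx, (const uint8_t *)k_msg, one, n);

    ctr_init(&ctx, k_key, k_iv);
    for (size_t c = 0; c < 3 && off + chunks[c] < n; c++) {
        ctr_update(&ctx, (const uint8_t *)k_msg + off, split + off, chunks[c]);
        off += chunks[c];
        if (!carry_keystream) ctx.ks_used = BLOCK_LEN;   /* throw away leftover keystream */
    }
    ctr_update(&ctx, (const uint8_t *)k_msg + off, split + off, n - off);
    return memcmp(one, split, n) == 0;
}

/* CTR is symmetric: the same key/IV stream decrypts. */
int ctr_roundtrip_ok(void) {
    size_t n = strlen(k_msg);
    uint8_t ct[64], pt[64];
    ctr_ctx_t ctx;
    ctr_init(&ctx, k_key, k_iv);
    ctr_update(&ctx, (const uint8_t *)k_msg, ct, n);
    ctr_init(&ctx, k_key, k_iv);
    ctr_update(&ctx, ct, pt, n);
    return memcmp(pt, k_msg, n) == 0 && memcmp(ct, k_msg, n) != 0;
}

int main(void) {
    printf("keystream carried across calls: %s\n", ctr_chunked_matches_oneshot(1) ? "match" : "MISMATCH");
    printf("keystream discarded per call:   %s\n", ctr_chunked_matches_oneshot(0) ? "match" : "MISMATCH");
    printf("round trip: %s\n", ctr_roundtrip_ok() ? "ok" : "FAIL");
    return 0;
}
```

The check mirrors the test described in comment #1: the same message encrypted through a single call and through non-block-aligned chunks must agree byte for byte, and a correct implementation needs no final step at all for CTR because no padding or leftover input ever exists.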

Actions #1

Updated by Jason King over 2 years ago

To test, the crypto test suite was run, which completes successfully.

(Some additional detail) This change adds additional input sizes for the CTR test that aren't multiples of AES_BLOCK_LEN (16). When the updated test was run on an otherwise unmodified BE (i.e. without the actual CTR code changes), the new cases fail as described in the ticket. With the changes in this ticket, they pass.

Actions #2

Updated by Electric Monk over 2 years ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100

git commit 2f9f8a9bcff03868ad346b312981e5d198aafd63

commit  2f9f8a9bcff03868ad346b312981e5d198aafd63
Author: Jason King <jason.king@joyent.com>
Date:   2020-01-21T16:42:28.000Z

    11966 CTR mode tries to be both a stream and block cipher and fails at both
    Reviewed by: Dan McDonald <danmcd@joyent.com>
    Reviewed by: Robert Mustacchi <rm@fingolfin.org>
    Approved by: Gordon Ross <gordon.w.ross@gmail.com>
