[openssl-dev] [openssl.org #2943] Bug Report: openssl enc -bf silently ignores key data after the first 128 bits

Richard Levitte via RT rt at openssl.org
Tue May 5 20:01:04 UTC 2015


This has been a long time coming. The issue at hand was really that the buffer for
the key was EVP_MAX_KEY_LENGTH (which is 64, or 128 hex characters) and that was
the size that the input was checked against, not the actual key length of the
cipher that's used.

This is now fixed:

in master (8920a7cd04f43b1a090d0b0a8c9e16b94c6898d4)
in the 1.0.2 branch (3cf40601b7d164ab48addbb0456d7aa59fa38c88)
in the 1.0.2 branch (4b771121f2b657f50e8c7a27e9fab0bb043f91bc)

Incidentally, I fixed the exact same issue with the IV length while I was at it.

On Sun Dec 23 14:08:40 2012, self at brendanlong.com wrote:
> If I do an openssl enc -bf with a > 128 bit key it just silently ignores
> everything over 128 bits:
> > ng at ubuntu:~$ openssl enc -bf -iv 0 -P -K 000000000000000000000000000000012345
> > salt=0700000000000000
> > key=00000000000000000000000000000001
> > iv =0000000000000000
> If you go over 128 characters you get an error:
> > blong at ubuntu:~/workspace/webkit$ openssl enc -bf -iv 0 -P -K 00000000000000000000000000000001234500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
> > salt=0700000000000000
> > key=00000000000000000000000000000001
> > iv =0000000000000000
> > blong at ubuntu:~/workspace/webkit$ openssl enc -bf -iv 0 -P -K 000000000000000000000000000000012345000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
> > hex string is too long
> > invalid hex key value
> I'm guessing this is a unit mix-up, where it should be complaining with
> > 128 /bits/, but instead it complains at > 128 /characters/.


--
Richard Levitte
levitte at openssl.org
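The bug described in this thread, reduced to a small standalone C program. This is an added example and not OpenSSL's own code: hex_to_bytes() is a simplified stand-in for the "-K <hex>" parsing in apps/enc.c, EVP_MAX_KEY_LENGTH is OpenSSL's real 64-byte constant, and BF_EVP_KEY_LENGTH is the 16-byte (128-bit) EVP default for Blowfish. The old path checks the hex string against the 64-byte scratch buffer and then hands the cipher only the first 16 bytes, so the trailing "2345" of the reporter's key vanishes; the fixed path checks against the cipher's actual key length and rejects the same input.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from OpenSSL: a simplified stand-in for the
 * "-K <hex>" key parsing in apps/enc.c. It shows the old length check
 * (against the EVP_MAX_KEY_LENGTH scratch buffer) next to the fixed
 * check (against the selected cipher's real key length). */

#define EVP_MAX_KEY_LENGTH 64   /* OpenSSL's constant: 64 bytes = 128 hex digits */
#define BF_EVP_KEY_LENGTH  16   /* EVP default key length for Blowfish: 16 bytes = 128 bits */

/* Decode hex into out[0..size-1], zero-padding short input.
 * Returns 1 on success, 0 if there are more hex digits than fit in
 * `size` bytes or a non-hex character is present. Simplified; this is
 * not OpenSSL's set_hex(). */
static int hex_to_bytes(const char *in, unsigned char *out, size_t size)
{
    size_t n = strlen(in), i;

    if (n > size * 2)
        return 0;               /* "hex string is too long" */
    memset(out, 0, size);
    for (i = 0; i < n; i++) {
        int c = (unsigned char)in[i], v;
        if (c >= '0' && c <= '9')      v = c - '0';
        else if (c >= 'a' && c <= 'f') v = c - 'a' + 10;
        else if (c >= 'A' && c <= 'F') v = c - 'A' + 10;
        else return 0;          /* invalid hex digit */
        /* two digits per byte, high nibble first */
        out[i / 2] |= (unsigned char)((i % 2 == 0) ? (v << 4) : v);
    }
    return 1;
}

/* Old behaviour: the length check used the 64-byte buffer, and only the
 * first key_len bytes were later handed to the cipher. Returns the number
 * of hex digits that were silently discarded, or -1 if the input was
 * rejected outright (more than 128 digits, or a bad character). */
int old_check_discarded_digits(const char *hexkey, size_t key_len)
{
    unsigned char buf[EVP_MAX_KEY_LENGTH];
    size_t n = strlen(hexkey);

    if (!hex_to_bytes(hexkey, buf, sizeof buf))
        return -1;
    return n > key_len * 2 ? (int)(n - key_len * 2) : 0;
}

/* Fixed behaviour: check the hex string against the cipher's own key
 * length, so excess key material is an error instead of being dropped.
 * Returns 1 if the key is accepted, 0 if it is rejected. */
int new_check_accepts(const char *hexkey, size_t key_len)
{
    unsigned char key[EVP_MAX_KEY_LENGTH];
    return hex_to_bytes(hexkey, key, key_len);
}

int main(void)
{
    /* constructed inputs: the 36-digit key from the report and a 32-digit one */
    const char *long_key = "000000000000000000000000000000012345";
    const char *ok_key   = "00000000000000000000000000000001";

    printf("old check, 36 digits: %d digits silently dropped\n",
           old_check_discarded_digits(long_key, BF_EVP_KEY_LENGTH));
    printf("new check, 36 digits: %s\n",
           new_check_accepts(long_key, BF_EVP_KEY_LENGTH) ? "accepted" : "rejected");
    printf("new check, 32 digits: %s\n",
           new_check_accepts(ok_key, BF_EVP_KEY_LENGTH) ? "accepted" : "rejected");
    return 0;
}
```

The general lesson for any tool that takes raw key or IV material on the command line: validate the supplied length against the primitive's real parameter size, not against whatever scratch buffer happens to hold it, so that a too-long key fails loudly rather than being quietly truncated to something weaker than the caller believes.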


