Hi,
I'm trying (without much success) to decrypt in-kernel
(2.6.18-194.el5PAE) a cipher that was created using openSSL
(0.9.8e-fips-rhel5) using blowfish with a 56-byte key/8-byte iv. Are the
implementations incompatible (i.e. can't encrypt in one and decrypt in
the other?) or am I doing something wrong?
Thanks,
Tzvi
Tzvi Chumash wrote:
> I'm trying (without much success) to decrypt in-kernel
> (2.6.18-194.el5PAE) a cipher that was created using openSSL
> (0.9.8e-fips-rhel5) using blowfish with a 56-byte key/8-byte iv. Are the
> implementations incompatible (i.e. can't encrypt in one and decrypt in
> the other?) or am I doing something wrong?
Check byte order of the two implementations. Many blowfish implementations
got byte order wrong. Does it help if you swap byte order from
0-1-2-3-4-5-6-7 to 7-6-5-4-3-2-1-0 of key/data/IV before and after crypto
operation?
--
Jari Ruusu 1024R/3A220F51 5B 4B F9 BB D3 3F 52 E9 DB 1D EB E3 24 0E A9 DD
Thanks for your response, Jari. I tried changing the byte ordering on
the key,iv and the data(before and after decrypt) and the result is
still wrong. Unless someone has another idea, I will have to change the
user-space part to also encrypt in-kernel instead of using openSSL...
I was assuming that given the same parameters (e.g. encryption
algorithm, CBC, key, iv), the cipher data would be equivalent between
different implementations (in this case openSSL/cryptoapi). Was that a
wrong assumption?
Thanks again,
Tzvi
On 5/3/2011 10:48 AM, Jari Ruusu wrote:
> Tzvi Chumash wrote:
>> I'm trying (without much success) to decrypt in-kernel
>> (2.6.18-194.el5PAE) a cipher that was created using openSSL
>> (0.9.8e-fips-rhel5) using blowfish with a 56-byte key/8-byte iv. Are the
>> implementations incompatible (i.e. can't encrypt in one and decrypt in
>> the other?) or am I doing something wrong?
>
> Check byte order of the two implementations. Many blowfish implementations
> got byte order wrong. Does it help if you swap byte order from
> 0-1-2-3-4-5-6-7 to 7-6-5-4-3-2-1-0 of key/data/IV before and after crypto
> operation?
>
On Tue, 2011-05-03 at 11:46 -0400, Tzvi Chumash wrote:
> I was assuming that given the same parameters (e.g. encryption
> algorithm, CBC, key, iv), the cipher data would be equivalent between
> different implementations (in this case openSSL/cryptoapi). Was that a
> wrong assumption?
>
It may be a stupid remark... anyway, OpenSSL uses key/iv "internally"
and exposes to the user passphrase and salt. Did you check that you have
not confused them?
Best,
--
Emanuele Cesena <[email protected]>
Il corpo non ha ideali
On 5/3/2011 12:19 PM, Emanuele Cesena wrote:
> It may be a stupid remark... anyway, OpenSSL uses key/iv "internally"
> and exposes to the user passphrase and salt. Did you check that you have
> not confused them?
I'm not using the command line openssl to produce the cipher.. the API
says nothing about a salt or a passphrase:
int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
ENGINE *impl, unsigned char *key, unsigned char *iv);
relevant parts of my openSSL code:
...
rc = EVP_EncryptInit_ex(&ctx, EVP_bf_cbc(), NULL, env_key, env_iv);
...
rc = EVP_EncryptUpdate(&ctx, out, &olen, in, ilen);
...
rc = EVP_EncryptFinal_ex(&ctx, out+olen, &olen);
where
EVP_CIPHER_CTX ctx;
unsigned char env_key[56];
unsigned char env_iv[8];
unsigned char *in, *out;
int rc, ilen, olen;
Thanks,
Tzvi
Tzvi Chumash <[email protected]> wrote:
>
> I'm not using the command line openssl to produce the cipher.. the API
> says nothing about a salt or a passphrase:
>
> int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
> ENGINE *impl, unsigned char *key, unsigned char *iv);
>
> relevant parts of my openSSL code:
> ...
> rc = EVP_EncryptInit_ex(&ctx, EVP_bf_cbc(), NULL, env_key, env_iv);
> ...
> rc = EVP_EncryptUpdate(&ctx, out, &olen, in, ilen);
> ...
> rc = EVP_EncryptFinal_ex(&ctx, out+olen, &olen);
>
> where
> EVP_CIPHER_CTX ctx;
> unsigned char env_key[56];
> unsigned char env_iv[8];
> unsigned char *in, *out;
> int rc, ilen, olen;
Please show us the user-space and kernel code you used for this
so we can check for ourselves.
Thanks!
--
Email: Herbert Xu <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt