weidai11 / cryptopp

free C++ class library of cryptographic schemes
https://cryptopp.com

ARIA/CTR mode self test failures #1235

Closed noloader closed 9 months ago

noloader commented 9 months ago

Rabbit, RabbitWithIV, HC128 and HC256 were producing incorrect results when inString == outString as reported in GH #1231. We added self tests to detect the failures, and cleared the failures.

The new tests also revealed ARIA/CTR mode also has problems. The failure can be duplicated with ./cryptest.exe tv aria.

This bug will track ARIA/CTR.

noloader commented 9 months ago

This was cleared in two steps. The 2nd step, which fixed the issue, is Commit dde8e9fa23bc. The dde8e9fa23bc commit removed this block, and folded the XOR into building outBlock.

-   if (xorBlock != NULLPTR)
-       for (unsigned int n=0; n<ARIA::BLOCKSIZE; ++n)
-           outBlock[n] ^= xorBlock[n];
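Review bot: the removed loop is interchangeable with folding the XOR into the construction of outBlock only when xorBlock does not overlap outBlock; since outBlock has already been fully written by the time the loop runs, outBlock[n] ^= xorBlock[n] under aliasing XORs each byte with itself. The folded replacement should carry a comment stating that it reads xorBlock[n] before storing outBlock[n], so the inString == outString path that the new self tests exercise stays covered on purpose rather than by accident.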

The 1st commit, Commit 5250ab2bf2b0, removed the SIMD code since it was no longer needed due to the second commit.

I do not know why this fixed ARIA. The two codes should have been equivalent.
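The self test pattern this issue relies on (run the transform with inString != outString, run it again with inString == outString, compare) is easy to carry into any cipher wrapper. The block below is an added example written for this page, not Crypto++ code: it drives a small CTR loop with a hypothetical toy block function (`toy_block`, not ARIA and not secure) through two ProcessAndXorBlock-style routines, one that writes outBlock and XORs xorBlock in a second pass, and one that folds the XOR into the store. It shows that the two agree out of place and that only the folded form survives the in-place test. The toy's failure is a property of the toy's aliasing, not a claim about the ARIA root cause, which the thread attributes to an undersized work area.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Hypothetical block size for the toy cipher (example only, not ARIA).
constexpr size_t BLOCKSIZE = 16;

// Toy keyed block function for the example: deterministic byte mixing, NOT a
// real cipher. It copies through a local so it is alias-safe on its own.
static void toy_block(const uint8_t key[BLOCKSIZE], const uint8_t in[BLOCKSIZE],
                      uint8_t out[BLOCKSIZE]) {
    uint8_t t[BLOCKSIZE];
    for (size_t i = 0; i < BLOCKSIZE; ++i) t[i] = in[i] ^ key[i];
    for (int r = 0; r < 8; ++r) {
        for (size_t i = 0; i < BLOCKSIZE; ++i) {
            uint8_t a = t[i], b = t[(i + 3) % BLOCKSIZE], c = t[(i + 11) % BLOCKSIZE];
            t[i] = static_cast<uint8_t>(((a + b) * 167) ^ (c >> 2) ^ (c << 5) ^ (r * 29));
        }
    }
    std::memcpy(out, t, BLOCKSIZE);
}

// Style A (two pass): fill outBlock with the block output, then XOR xorBlock in.
// If xorBlock aliases outBlock, the second pass XORs every byte with itself.
static void process_and_xor_two_pass(const uint8_t* key, const uint8_t* inBlock,
                                     const uint8_t* xorBlock, uint8_t* outBlock) {
    toy_block(key, inBlock, outBlock);
    if (xorBlock != nullptr)
        for (size_t n = 0; n < BLOCKSIZE; ++n)
            outBlock[n] ^= xorBlock[n];
}

// Style B (folded): keep the block output in a local and read xorBlock[n]
// before outBlock[n] is stored, so aliasing xorBlock with outBlock is harmless.
static void process_and_xor_folded(const uint8_t* key, const uint8_t* inBlock,
                                   const uint8_t* xorBlock, uint8_t* outBlock) {
    uint8_t ks[BLOCKSIZE];
    toy_block(key, inBlock, ks);
    for (size_t n = 0; n < BLOCKSIZE; ++n)
        outBlock[n] = xorBlock ? static_cast<uint8_t>(ks[n] ^ xorBlock[n]) : ks[n];
}

using ProcessFn = void (*)(const uint8_t*, const uint8_t*, const uint8_t*, uint8_t*);

// Minimal CTR driver: the counter is inBlock, the data is xorBlock. len must be
// a multiple of BLOCKSIZE in this example.
static void ctr_xor(ProcessFn fn, const uint8_t* key, uint8_t ctr[BLOCKSIZE],
                    const uint8_t* in, uint8_t* out, size_t len) {
    for (size_t off = 0; off < len; off += BLOCKSIZE) {
        fn(key, ctr, in + off, out + off);
        for (int i = BLOCKSIZE - 1; i >= 0 && ++ctr[i] == 0; --i) {}   // big-endian increment
    }
}

static const uint8_t kKey[BLOCKSIZE] = {  // constructed sample key
    0x13, 0x57, 0x9b, 0xdf, 0x24, 0x68, 0xac, 0xe0, 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef};

static std::vector<uint8_t> sample_plaintext() {  // constructed sample input, 4 blocks
    std::vector<uint8_t> pt(4 * BLOCKSIZE);
    for (size_t i = 0; i < pt.size(); ++i) pt[i] = static_cast<uint8_t>(i * 37 + 11);
    return pt;
}

// The check from this issue: out-of-place result must equal in-place result.
static bool in_place_self_test(ProcessFn fn) {
    std::vector<uint8_t> pt = sample_plaintext();
    uint8_t ctr1[BLOCKSIZE] = {0}, ctr2[BLOCKSIZE] = {0};
    std::vector<uint8_t> out(pt.size());
    ctr_xor(fn, kKey, ctr1, pt.data(), out.data(), pt.size());   // inString != outString
    std::vector<uint8_t> buf = pt;
    ctr_xor(fn, kKey, ctr2, buf.data(), buf.data(), buf.size()); // inString == outString
    return out == buf;
}

// Both styles really are equivalent when the buffers do not overlap.
static bool out_of_place_agree() {
    std::vector<uint8_t> pt = sample_plaintext();
    uint8_t ctr1[BLOCKSIZE] = {0}, ctr2[BLOCKSIZE] = {0};
    std::vector<uint8_t> a(pt.size()), b(pt.size());
    ctr_xor(process_and_xor_two_pass, kKey, ctr1, pt.data(), a.data(), pt.size());
    ctr_xor(process_and_xor_folded, kKey, ctr2, pt.data(), b.data(), pt.size());
    return a == b;
}

int main() {
    std::printf("out-of-place agree: %s\n", out_of_place_agree() ? "yes" : "no");
    std::printf("two-pass XOR in place: %s\n", in_place_self_test(process_and_xor_two_pass) ? "pass" : "FAIL");
    std::printf("folded XOR in place  : %s\n", in_place_self_test(process_and_xor_folded) ? "pass" : "FAIL");
    return 0;
}
```

A self test like in_place_self_test belongs next to the known-answer vectors for every mode wrapper, because the out-of-place path alone never exercises the aliasing that callers hit in practice.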

noloader commented 9 months ago

> I do not know why this fixed ARIA. The two codes should have been equivalent.

ARIA had undefined behavior. Ugh!

The working area - m_w - was too small. It should have been a SecWordBlock with room for 28 word-sized elements. Instead it only had room for 17 elements. Arg!!!

Even more baffling, Valgrind never alerted to the problem.

Also see Commit d3d23002f607.