MODE_PGP seems broken
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Python-Crypto | Fix Released | High | Unassigned |
Bug Description
I choose the verb "seem" because I cannot find any test vector for this mode, and it's not totally clear to me what specification the code follows, and when the method sync() should be used.
If the intention was to implement the mode described in RFC2440 (Section 12.8), the actual code seems wrong.
The PGP chaining mode is basically CFB, where the first 10 bytes (for a cipher with 8-byte blocks) of the plaintext are random, the IV is all zeroes, and the CFB cipher is "synced" after encrypting those 10 bytes.
The main problem I see is that self->oldCipher (block_cipher.c) is used as input for all block encryptions but it is never updated: it remains zero. That means that the plaintext is always XOR-ed with the same value. Decryption will work fine though.
Instead, I think self->oldCipher should be loaded each time with the previous value of self->IV (like in MODE_CFB).
I could provide a patch, but another good option is to remove the mode altogether (who uses it?).
Changed in pycrypto: status: Confirmed → In Progress
And with "Decryption will work fine" I simply mean that the decryption combined with encryption (as done in this module) gives back the correct plaintext, not that decryption is implemented securely and as it should be.
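The failure described in this report, written out as an added example (not pycrypto's code, and not part of the original report): a mode whose feedback register stays zero next to plain full-block CFB, plus a regression check that tells them apart. All function names are hypothetical, `E` is a SHA-256-based stand-in for a real block cipher, and the RFC 2440 random prefix and resync step are left out.

```python
import hashlib

BLOCK = 8  # 8-byte blocks, as in the report's example

def E(key: bytes, block: bytes) -> bytes:
    # Stand-in for block encryption (assumption): keyed SHA-256, truncated.
    # CFB-style modes only use the forward direction, so a PRF is enough.
    return hashlib.sha256(key + block).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def encrypt_stuck(key: bytes, pt: bytes) -> bytes:
    # Behaviour the report describes: the register fed to the cipher is
    # never updated, so every block is XOR-ed with the same value E(0).
    reg = bytes(BLOCK)
    return b"".join(xor(p, E(key, reg)) for p in blocks(pt))

def decrypt_stuck(key: bytes, ct: bytes) -> bytes:
    # XOR with the same constant undoes it, which is why round trips pass.
    return encrypt_stuck(key, ct)

def encrypt_cfb(key: bytes, pt: bytes, iv: bytes = bytes(BLOCK)) -> bytes:
    # Full-block CFB: the register is reloaded with the previous ciphertext.
    reg, out = iv, []
    for p in blocks(pt):
        reg = xor(p, E(key, reg))
        out.append(reg)
    return b"".join(out)

def decrypt_cfb(key: bytes, ct: bytes, iv: bytes = bytes(BLOCK)) -> bytes:
    reg, out = iv, []
    for c in blocks(ct):
        out.append(xor(c, E(key, reg)))
        reg = c
    return b"".join(out)

def keystream_repeats(encrypt, key: bytes, nblocks: int = 4) -> bool:
    # Regression check: all-zero plaintext exposes the keystream blocks;
    # a repeated block means the feedback register is not advancing.
    ks = blocks(encrypt(key, bytes(BLOCK * nblocks)))
    return len(set(ks)) < len(ks)

KEY = b"constructed-test-key"          # constructed sample values
MSG = b"block-01block-02block-03"
```

A round-trip test alone passes for both modes, so a test suite for a chaining mode also needs a known-answer vector or a keystream check like `keystream_repeats`.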