Project

General

Profile

Actions

Bug #14265

closed

Possible bug in OpenSSL library

Added by careta (Dumb Thomas) almost 4 years ago. Updated almost 4 years ago.

Status:
Third Party's Issue
Priority:
Normal
Assignee:
-
Target version:
-
ruby -v:
ruby 2.3.3p222 (2016-11-21) [x86_64-linux-gnu] (Debian Stable)
[ruby-core:84579]

Description

Hi,

I'm not sure if this is a bug or not, but there is a difference between Ruby and
Python when using Blowfish encryption in ECB mode. Using the same algorithm parameters, and the same input, the encrypted output is completely different.

Behold these two code samples:

RUBY==================
require 'digest'
require 'openssl'

cleartext = 'whatevs'

md5 = Digest::MD5.new
md5.update(cleartext)

payload = (md5.digest + cleartext).ljust(0x80, "\x00")

puts "plaintext: " + payload.unpack('H*')[0]

secret_key = "supersecretsupersecret"

cipher = OpenSSL::Cipher::Cipher.new("bf-ecb").send :encrypt
cipher.key = secret_key
cipher.padding = 0
binary_data = (cipher.update(payload) << cipher.final)

puts "ciphertext: " + binary_data.unpack('H*')[0]

cipher = OpenSSL::Cipher::Cipher.new("bf-ecb").send :decrypt
cipher.key = secret_key
cipher.padding = 0
str = (cipher.update(binary_data) << cipher.final)

puts "decrypted: " + str.unpack('H*')[0]
RUBY==================

PYTHON================
from Crypto.Cipher import Blowfish
from Crypto.Hash import MD5
import binascii

cleartext = 'whatevs'
md5_key = MD5.new(cleartext).digest()
payload = (md5_key + cleartext).ljust(0x80, "\x00")
print "plaintext: " + binascii.hexlify(payload)
secret_key = "supersecretsupersecret"

ciphertext = Blowfish.new(secret_key, Blowfish.MODE_ECB).encrypt(payload)

print "ciphertext: " + binascii.hexlify(ciphertext)

print "decrypted: " + binascii.hexlify(Blowfish.new(secret_key,
1).decrypt(ciphertext))
PYTHON================

It seems that the Ruby OpenSSL makes some assumptions with regards to
key length - I'm not sure if this is a bug or not. The fix for the code
I pasted before was very simple: when initializing the cipher, I have to
specify the key_len before setting the key:

cipher = OpenSSL::Cipher::Cipher.new("bf-ecb").send :encrypt
cipher.key_len = secret_key.length
cipher.key = secret_key
cipher.padding = 0
binary_data = (cipher.update(payload) << cipher.final)

This makes it work correctly and match the Python output.


Related issues

Is duplicate of Ruby master - Bug #12561: OpenSSL::Cipher#key= silently truncates key strings.ClosedActions
Actions #1

Updated by rhenium (Kazuki Yamaguchi) almost 4 years ago

  • Is duplicate of Bug #12561: OpenSSL::Cipher#key= silently truncates key strings. added

Updated by rhenium (Kazuki Yamaguchi) almost 4 years ago

  • Status changed from Open to Third Party's Issue

Duplicate of [Bug #12561]. Current versions of Ruby/OpenSSL raise an exception:

$ ruby a.rb
plaintext: 030fa889aa00fc6554023a9aad8c9ca177686174657673000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
a.rb:15: warning: constant OpenSSL::Cipher::Cipher is deprecated
Traceback (most recent call last):
    1: from a.rb:16:in `<main>'
a.rb:16:in `key=': key must be 16 bytes (ArgumentError)
Actions

Also available in: Atom PDF