Return-Path: 
 <security-dev-return-4586-apmail-xml-security-dev-archive=xml.apache.org@xml.apache.org>
Delivered-To: apmail-xml-security-dev-archive@www.apache.org
Received: (qmail 55530 invoked from network); 29 Aug 2005 08:28:57 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199)
  by minotaur.apache.org with SMTP; 29 Aug 2005 08:28:57 -0000
Received: (qmail 63396 invoked by uid 500); 29 Aug 2005 08:28:53 -0000
Delivered-To: apmail-xml-security-dev-archive@xml.apache.org
Received: (qmail 63368 invoked by uid 500); 29 Aug 2005 08:28:52 -0000
Mailing-List: contact security-dev-help@xml.apache.org; run by ezmlm
Precedence: bulk
List-Post: <mailto:security-dev@xml.apache.org>
List-Help: <mailto:security-dev-help@xml.apache.org>
List-Unsubscribe: <mailto:security-dev-unsubscribe@xml.apache.org>
Reply-To: security-dev@xml.apache.org
List-Id: <security-dev.xml.apache.org>
Delivered-To: mailing list security-dev@xml.apache.org
Received: (qmail 63353 invoked by uid 99); 29 Aug 2005 08:28:52 -0000
Received: from asf.osuosl.org (HELO asf.osuosl.org) (140.211.166.49)
    by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 29 Aug 2005 01:28:52 -0700
X-ASF-Spam-Status: No, hits=0.5 required=10.0
	tests=HTML_40_50,HTML_MESSAGE,SPF_HELO_FAIL
X-Spam-Check-By: apache.org
Received-SPF: pass (asf.osuosl.org: local policy)
Received: from [193.138.1.2] (HELO e5.ijs.si) (193.138.1.2)
    by apache.org (qpsmtpd/0.29) with SMTP; Mon, 29 Aug 2005 01:29:05 -0700
Received: (qmail 5808 invoked from network); 29 Aug 2005 08:28:43 -0000
Received: from localhost (127.0.0.1)
  by e5.ijs.si with SMTP; 29 Aug 2005 08:28:43 -0000
Received: from e5.ijs.si ([127.0.0.1])
 by localhost (kekec.e5.ijs.si [127.0.0.1]) (amavisd-new, port 10024)
 with SMTP id 05317-04 for <security-dev@xml.apache.org>;
 Mon, 29 Aug 2005 10:28:42 +0200 (CEST)
Received: (qmail 5804 invoked from network); 29 Aug 2005 08:28:42 -0000
Received: from unknown (HELO Majestix) (193.138.1.206)
  by e5.ijs.si with SMTP; 29 Aug 2005 08:28:42 -0000
From: "Milan Tomic" <milan@setcce.org>
To: <security-dev@xml.apache.org>
Subject: [c++] WinCAPICryptoSymmetricKey::encrypt()
Date: Mon, 29 Aug 2005 10:28:48 +0200
Message-ID: <002d01c5ac73$adee2890$ce018ac1@Majestix>
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_002E_01C5AC84.7176F890"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2616
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
Importance: Normal
X-Virus-Scanned: amavisd-new at e5.ijs.si
X-Virus-Checked: Checked by ClamAV on apache.org
X-Spam-Rating: minotaur.apache.org 1.6.2 0/1000/N

This is a multi-part message in MIME format.

------=_NextPart_000_002E_01C5AC84.7176F890
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit

Berin,

I have found very interesting bug inside
WinCAPICryptoSymmetricKey::encrypt(). I've been encrypting an XML file
and used encrypt content (not whole element) option (
cipher->encryptElementContent() func ). The bug occur when there are
i.e. less then 12 (in my case only 4) characters inside XML element to
encrypt. In the case of 4 characters values are:

//unsigned int rounding = (m_bytesInLastBlock + inLength) % m_blockSize;
unsigned int rounding = (0 + 4) % 8; // rounding == 8 now

//rounding += m_blockSize;
rounding += 8; // rounding == 12 now

//memcpy(m_lastBlock, &inBuf[inLength - rounding], rounding);
memcpy(m_lastBlock, &inBuf[4 - 12], 12); // 4 - 12 ??? buffer
"underflow"

//memcpy(bufPtr, inBuf, inLength - rounding);
memcpy(bufPtr, inBuf, 4 - 12); // again 4 - 12 :(

Best regards,
Milan

------=_NextPart_000_002E_01C5AC84.7176F890
Content-Type: text/html;
	charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Dus-ascii">
<META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version =
6.0.4630.0">
<TITLE>[c++] WinCAPICryptoSymmetricKey::encrypt()</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/rtf format -->

<P><FONT SIZE=3D2 FACE=3D"Arial CE">Berin,</FONT>
</P>

<P><FONT SIZE=3D2 FACE=3D"Arial CE">I have found very interesting bug =
inside WinCAPICryptoSymmetricKey::encrypt(). I've been encrypting an XML =
file and used encrypt content (not whole element) option ( =
cipher-&gt;encryptElementContent() func ). The bug occur when there are =
i.e. less then 12 (in my case only 4) characters inside XML element to =
encrypt. In the case of 4 characters values are:</FONT></P>

<P><FONT SIZE=3D2 FACE=3D"Arial CE">//unsigned int rounding =3D =
(m_bytesInLastBlock + inLength) % m_blockSize;</FONT>

<BR><FONT SIZE=3D2 FACE=3D"Arial CE">unsigned int rounding =3D (0 + 4) % =
8; // rounding =3D=3D 8 now</FONT>
</P>

<P><FONT SIZE=3D2 FACE=3D"Arial CE">//rounding +=3D m_blockSize;</FONT>

<BR><FONT SIZE=3D2 FACE=3D"Arial CE">rounding +=3D 8; // rounding =3D=3D =
12 now</FONT>
</P>

<P><FONT SIZE=3D2 FACE=3D"Arial CE">//memcpy(m_lastBlock, =
&amp;inBuf[inLength - rounding], rounding);</FONT>

<BR><FONT SIZE=3D2 FACE=3D"Arial CE">memcpy(m_lastBlock, &amp;inBuf[4 - =
12], 12); // 4 - 12 ??? buffer &quot;underflow&quot;</FONT>
</P>

<P><FONT SIZE=3D2 FACE=3D"Arial CE">//memcpy(bufPtr, inBuf, inLength - =
rounding);</FONT>

<BR><FONT SIZE=3D2 FACE=3D"Arial CE">memcpy(bufPtr, inBuf, 4 - 12); // =
again 4 - 12 :(</FONT>
</P>

<P><FONT SIZE=3D2 FACE=3D"Arial CE">Best regards,</FONT>

<BR><FONT SIZE=3D2 FACE=3D"Arial CE">Milan</FONT>
</P>

</BODY>
</HTML>
------=_NextPart_000_002E_01C5AC84.7176F890--