Re: Blowfish with different compilers

Thu, 26 Oct 2000 18:17:48 -0700 

Bill Klein wrote:
> 
> Hi all,
> 
> I'm having what seems to be a strange problem. I have code to encrypt some text 
>using blowfish, and corresponding code to decrypt it. This works on compiler A: I can 
>encrypt some text, and then decrypt the encrypted data correctly. This also works on 
>compiler B: again I can have compiler B encrypt the text (using the same key) and 
>have it decrypt the resulting data. The problem is that if I have compiler A encrypt 
>the text, compiler B can't decrypt it (or vice versa)!
> 
> In other words, they are each producing different encrypted data based on the same 
>text and same key. Is this expected? I would like my application (and it's data 
>files) to be used across multiple platforms which is how I'm running into this. My 
>current test is just using VC++6 (with the latest OpenSSL) and the latest version of 
>Cygwin (with whatever version of OpenSSL it comes with).
> 
> The code I'm using to encrypt in my test is below. Is there something wrong with it 
>(I stole most of it from some OpenSSL example I seem to recall). This routine 
>produces different encrypted data on the two compliers. Any ideas?
....

> 
> 
>   EVP_BytesToKey( EVP_bf_cbc(), EVP_md5(), (unsigned char*)"quik",
>                   (unsigned char*)keystr.c_str(), keystr.size(), 1, key, iv );
> 

One problem is the line above. You are passing the string "quik" which
along with the null terminator is 5 characters in length as the 'salt'.
The salt length the function uses is PKCS5_SALT_LEN which is 8. As a
result it is reading past the end of the buffer and could be seeing
anything there.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]

Reply via email to