Mojonation uses ciphertext stealing to encode its
messages; well and good, but for plaintexts that are
less than a block long, Mojonation tries to change the
IV in place, violating the strings-never-change
assumption of Python. (See file
evil/common/crypto/Python/desx_openssl.c, line 188.)
Later, when messages are encrypted (see, e.g.,
evil/common/mesgen.py, line 582) the IV is usually
packed before the encryption is done, making it
impossible to decrypt the output when messages smaller
than 8 bytes are sent.
Suggested solution 1: assert message length > 7
Suggested solution 2: make tripledescbc return a pair (iv, crypted_string)
Suggested solution 3: abandon ciphertext stealing and use padding or CFB mode.
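The failure mode described in the report above, as an added example that is not Mojonation's code and not part of the original report. It assumes the generic "steal from the IV" construction for sub-block plaintexts (not verified against desx_openssl.c), uses a small Feistel network as a stand-in for 3DES, and all function names are hypothetical; the encrypt routine returns the pair proposed in suggested solution 2.

```python
import hashlib

BLOCK = 8  # 3DES block size in bytes

def _f(key, rnd, half):
    # Round function of the stand-in Feistel cipher (NOT 3DES, not secure).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def enc_block(key, blk):
    l, r = blk[:4], blk[4:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def dec_block(key, blk):
    l, r = blk[:4], blk[4:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def cts_encrypt_short(key, iv, pt):
    """Sub-block CTS: returns (iv_to_send, ciphertext); the IV is replaced."""
    if not (0 < len(pt) < BLOCK and len(iv) == BLOCK):
        raise ValueError("expects a plaintext shorter than one block")
    padded = pt + bytes(BLOCK - len(pt))
    new_iv = enc_block(key, _xor(padded, iv))  # this is what must be transmitted
    return new_iv, iv[:len(pt)]                # ciphertext is stolen from the old IV

def cts_decrypt_short(key, iv, ct):
    d = dec_block(key, iv)         # (pt || zeros) XOR original IV
    orig_iv = ct + d[len(ct):]     # zero padding exposes the tail of the original IV
    return _xor(d, orig_iv)[:len(ct)]

def demo():
    # Constructed sample key, IV and message.
    key, iv, pt = b"constructed-key", bytes(range(BLOCK)), b"hello"
    sent_iv, ct = cts_encrypt_short(key, iv, pt)
    good = cts_decrypt_short(key, sent_iv, ct)  # receiver has the updated IV
    stale = cts_decrypt_short(key, iv, ct)      # IV was packed before encryption
    return good, stale, sent_iv != iv

if __name__ == "__main__":
    print(demo())
```
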
Logged In: YES
user_id=413
Hmm, without really looking into it I'd call that a good
observation! :)
Suggested solution 1 is the best course of action. The
overhead for messages makes it a no-brainer to simply
restrict the minimum message length to 8 bytes.
FYI - we don't use desx_openssl.c at the moment; it was user
contributed but doesn't make sense to use until the modval
and randsource modules are weaned away from Crypto++ as
well.
Logged In: YES
user_id=180731
Ah. I see. I didn't have the Crypto++ code in my
distribution, which is what misled me. What actually
happens is that the text just fails to decode correctly
(since Crypto++ "solves" the problem by padding the
plaintext with zeroes, leaving no way to determine its
length). I'll try to attach a file demonstrating the problem.
Test script for the problem
patch to raise an exception on short data