account for a nuanced difference between phpseclib / mcrypt w.r.t. AES

Author: terrafrost

lib/mcrypt.php

@@ -108,6 +108,55 @@
 }
 
 if (!function_exists('phpseclib_mcrypt_list_algorithms')) {
+    /**
+     * mcrypt-compatible Rijndael wrapper
+     *
+     * With mcrypt you have algorithms like rijndael-128, rijndael-192 and rijndael-256.
+     * The numbers at the end refer to the block size. In Rijndael you can have a variable block size.
+     * In AES you cannot. So, technically, rijndael-128 is AES, the rest are not.
+     * Now, in both AES and Rijndael, you can have a variable key size. Rijndael supports
+     * 128, 160, 192, 224 and 256 bit keys but mcrypt only supports 128, 192 and 256 bit keys.
+     * Those are the same key sizes that AES supports but AES doesn't support variable block sizes so
+     * we need a wrapper that restricts the key lengths as AES restricts them but doesn't restrict
+     * the block size as AES restricts it.
+     *
+     * @package mcrypt_compat
+     * @author  Jim Wigginton <terrafrost@php.net>
+     * @access  public
+     */
+    class phpseclib_mcrypt_rijndael extends Rijndael
+    {
+        /**
+         * Sets the key.
+         *
+         * Rijndael supports five different key lengths, AES only supports three.
+         *
+         * @see Crypt_Rijndael:setKey()
+         * @see setKeyLength()
+         * @access public
+         * @param string $key
+         */
+        function setKey($key)
+        {
+            parent::setKey($key);
+
+            if (!$this->explicit_key_length) {
+                $length = strlen($key);
+                switch (true) {
+                    case $length <= 16:
+                        $this->key_length = 16;
+                        break;
+                    case $length <= 24:
+                        $this->key_length = 24;
+                        break;
+                    default:
+                        $this->key_length = 32;
+                }
+                $this->_setEngine();
+            }
+        }
+    }
+
     /**
      * Gets an array of all supported ciphers.
      *
@@ -206,14 +255,14 @@ function phpseclib_mcrypt_module_open($algorithm, $algorithm_directory, $mode, $
         }
         switch ($algorithm) {
             case 'rijndael-128':
-                $cipher = new Rijndael($modeMap[$mode]);
+                $cipher = new phpseclib_mcrypt_rijndael($modeMap[$mode]);
                 $cipher->setBlockLength(128);
                 break;
             case 'twofish':
                 $cipher = new Twofish($modeMap[$mode]);
                 break;
             case 'rijndael-192':
-                $cipher = new Rijndael($modeMap[$mode]);
+                $cipher = new phpseclib_mcrypt_rijndael($modeMap[$mode]);
                 $cipher->setBlockLength(192);
                 break;
             case 'blowfish-compat':
@@ -223,7 +272,7 @@ function phpseclib_mcrypt_module_open($algorithm, $algorithm_directory, $mode, $
                 $cipher = new DES($modeMap[$mode]);
                 break;
             case 'rijndael-256':
-                $cipher = new Rijndael($modeMap[$mode]);
+                $cipher = new phpseclib_mcrypt_rijndael($modeMap[$mode]);
                 $cipher->setBlockLength(256);
                 break;
             case 'blowfish':

tests/MCryptCompatTest.php

@@ -33,6 +33,19 @@ public function testAESBasicSuccess()
         $this->assertEquals($plaintext, $decrypted);
     }
 
+    public function testAESDiffKeyLength()
+    {
+        $key = str_repeat('z', 24);
+        $iv = str_repeat('z', 16);
+
+        // a plaintext / ciphertext of length 1 is of an insufficient length for cbc mode
+        $plaintext = str_repeat('a', 16);
+
+        $mcrypt = mcrypt_encrypt('rijndael-128', $key, $plaintext, 'cbc', $iv);
+        $compat = phpseclib_mcrypt_encrypt('rijndael-128', $key, $plaintext, 'cbc', $iv);
+        $this->assertEquals(bin2hex($mcrypt), bin2hex($compat));
+    }
+
     /**
      * @expectedException PHPUnit_Framework_Error_Warning
      */
@@ -106,6 +119,59 @@ public function testNullPadding()
         $this->assertEquals($mcrypt, $compat);
     }
 
+    /**
+     * valid AES key lengths are 128, 192 and 256-bit. if you pass in, say, a 160-bit key (20 bytes)
+     * both phpseclib 1.0/2.0 and mcrypt will null pad 192-bits. at least with mcrypt_generic().
+     */
+    public function testMiddleKey()
+    {
+        $key = str_repeat('z', 20);
+        $iv = str_repeat('z', 16);
+
+        $plaintext = 'a';
+
+        $td = mcrypt_module_open('rijndael-128', '', 'cbc', '');
+        mcrypt_generic_init($td, $key, $iv);
+        $mcrypt = bin2hex(mcrypt_generic($td, 'This is very important data'));
+
+        $td = phpseclib_mcrypt_module_open('rijndael-128', '', 'cbc', '');
+        phpseclib_mcrypt_generic_init($td, $key, $iv);
+        $phpseclib = bin2hex(phpseclib_mcrypt_generic($td, 'This is very important data'));
+
+        $this->assertEquals($mcrypt, $phpseclib);
+    }
+
+    /**
+     * although mcrypt_generic() null pads keys mcrypt_encrypt() does not
+     *
+     * @requires PHP 5.6
+     * @expectedException PHPUnit_Framework_Error_Warning
+     */
+    public function testMiddleKey2()
+    {
+        $key = str_repeat('z', 20);
+        $iv = str_repeat('z', 16);
+
+        $plaintext = 'a';
+
+        mcrypt_encrypt('rijndael-128', $key, $plaintext, 'cbc', $iv);
+    }
+
+    /**
+     * phpseclib_mcrypt_generic() behaves in the same way
+     *
+     * @expectedException PHPUnit_Framework_Error_Warning
+     */
+    public function testMiddleKey3()
+    {
+        $key = str_repeat('z', 20);
+        $iv = str_repeat('z', 16);
+
+        $plaintext = 'a';
+
+        phpseclib_mcrypt_encrypt('rijndael-128', $key, $plaintext, 'cbc', $iv);
+    }
+
     /**
      * adapted from the example at http://php.net/manual/en/filters.encryption.php
      */