A few days ago I put a question on SO, without getting any meaningful answer. Below it is, in short:
I have a client-server program in C that encrypts/decrypts data with the mcrypt C library. The client encrypts the string that it wants to send to the server, sends it, and after the server reads it, decrypts it. Below are my encrypt and decrypt functions:
encrypt function:

    void encrypt(char *es, char *key, char *civ, size_t length) {
        MCRYPT td;
        int n;

        td = mcrypt_module_open(MCRYPT_TWOFISH, NULL, MCRYPT_CFB, NULL);
        if (td == MCRYPT_FAILED) {
            log_err(log_opts, strerror(errno));
            exit(1);
        }

        /* Copy the first n bytes of the caller's IV, n being the cipher's IV size. */
        n = mcrypt_enc_get_iv_size(td);
        char iv[n + 1];
        strncpy(iv, civ, n);
        iv[n] = '\0';

        if ((mcrypt_generic_init(td, key, KEY_SIZE, iv)) < 0) {
            log_err(log_opts, "while trying to do mcrypt_generic_init.");
            exit(1);
        }

        /* Encrypts es in place; the result is binary data of the same length. */
        mcrypt_generic(td, es, length);

        if (mcrypt_module_close(td) < 0) {
            log_err(log_opts, "while trying to close module.");
            exit(1);
        }
    }
decrypt function:

    void decrypt(char *ds, char *key, char *civ, size_t length) {
        MCRYPT td;
        int n;

        td = mcrypt_module_open(MCRYPT_TWOFISH, NULL, MCRYPT_CFB, NULL);
        /* Same failure check as in encrypt(); it was missing here. */
        if (td == MCRYPT_FAILED) {
            log_err(log_opts, strerror(errno));
            exit(1);
        }

        n = mcrypt_enc_get_iv_size(td);
        char iv[n + 1];
        strncpy(iv, civ, n);
        iv[n] = '\0';

        if ((mcrypt_generic_init(td, key, KEY_SIZE, iv)) < 0) {
            log_err(log_opts, "trying to do mcrypt_generic_init.");
            exit(1);
        }

        /* Decrypts ds in place; length must be the ciphertext length in bytes. */
        mdecrypt_generic(td, ds, length);

        if (mcrypt_module_close(td) < 0) {
            log_err(log_opts, "while trying to close module.");
            exit(1);
        }
    }
My problem:
There are cases (1 to 10 rate) when a string decrypted on the server side but encrypted on the client side is not the same as the original. Can anyone suggest to me where the problem can come from?
Now, I managed to catch a scenario where I'm getting the bad behavior that I described above. Below is my main function:

    int main(void) {
        char *newKey = "P1adEfRuPX0AP2UDmSWHhgS6DaIrE4eb5EEJudC";
        char *iv = "asdfkSSDFAEGasld3G9dkDF0";
        char *s1 = "XZH9ZYKQC9*NYSR6UDUII";
        char *s2 = malloc(STRING_SIZE * sizeof(char));

        strcpy(s2, s1);
        printf("%s - %s\n", s1, s2);

        encrypt(s2, newKey, iv, strlen(s2));
        decrypt(s2, newKey, iv, strlen(s2));

        if (strncmp(s1, s2, STRING_SIZE) != 0)
            printf("wrong encrypt-decrypt: %s %s\n", s1, s2);

        exit(0);
    }

Below is the output from that main function:

    XZH9ZYKQC9*NYSR6UDUII - XZH9ZYKQC9*NYSR6UDUII
    wrong encrypt-decrypt: XZH9ZYKQC9*NYSR6UDUII XZH9ZYKQC

Question: Am I doing something wrong, or is that library problematic?
Finally, I figured out where the problem comes from.
In the main function, I have two lines:

    encrypt(s2, newKey, iv, strlen(s2));
    decrypt(s2, newKey, iv, strlen(s2));

The first line is OK, as long as s2 is a well-defined string of char. But in the second line, strlen(s2) can return an erroneous result if the resulting encrypted text contains '\0's in it.
I just want to say that @chrylis' comment gave me a hint about where to search for the problem.
In the end, as a rule of thumb, I would say: IN C, YOU MUST NOT USE STRING FUNCTIONS ON ENCRYPTED TEXT.
Thanks to all for assistance!
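
The failure described above, reproduced as an added example that is not part of the original post, next to the pattern that avoids it: measure the plaintext once, carry that length with the buffer, and compare with memcmp(). Assumptions: `toy_crypt` is a hypothetical repeating-key XOR standing in for mcrypt_generic()/mdecrypt_generic() so the code runs without libmcrypt (it is not real encryption), and the key is constructed so that ciphertext byte 9 is 0x00.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for mcrypt_generic()/mdecrypt_generic(): in-place, length-preserving
 * repeating-key XOR. NOT real encryption; assumed here to avoid libmcrypt. */
static void toy_crypt(unsigned char *buf, size_t len,
                      const unsigned char *key, size_t klen) {
    for (size_t i = 0; i < len; i++)
        buf[i] ^= key[i % klen];
}

/* Constructed inputs: KEY[9] == PLAINTEXT[9], so ciphertext[9] becomes 0x00. */
static const char PLAINTEXT[] = "XZH9ZYKQC9*NYSR6UDUII";
static const unsigned char KEY[] = "0123456789abcdef";
#define PLEN (sizeof PLAINTEXT - 1)
#define KLEN (sizeof KEY - 1)

/* What a str* function reports for the ciphertext (true length is PLEN). */
size_t ciphertext_strlen(void) {
    char buf[sizeof PLAINTEXT];
    memcpy(buf, PLAINTEXT, sizeof PLAINTEXT);
    toy_crypt((unsigned char *)buf, PLEN, KEY, KLEN);
    return strlen(buf);
}

/* Pattern from the question: length re-measured with strlen() on ciphertext.
 * Returns 1 if the round trip restored the plaintext, 0 otherwise. */
int roundtrip_strlen(char *out, size_t cap) {
    snprintf(out, cap, "%s", PLAINTEXT);
    toy_crypt((unsigned char *)out, strlen(out), KEY, KLEN);
    toy_crypt((unsigned char *)out, strlen(out), KEY, KLEN); /* stops at 0x00 */
    return strcmp(out, PLAINTEXT) == 0;
}

/* Corrected pattern: one strlen() on the plaintext, same length for both calls. */
int roundtrip_explicit_len(char *out, size_t cap) {
    size_t len = strlen(PLAINTEXT);   /* safe: plaintext is a real C string */
    if (len >= cap) return 0;
    memcpy(out, PLAINTEXT, len + 1);
    toy_crypt((unsigned char *)out, len, KEY, KLEN);
    toy_crypt((unsigned char *)out, len, KEY, KLEN);
    return memcmp(out, PLAINTEXT, len) == 0;
}

int main(void) {
    char a[64], b[64];
    printf("strlen(ciphertext) = %zu of %zu\n", ciphertext_strlen(), (size_t)PLEN);
    printf("strlen round trip: ok=%d \"%s\"\n", roundtrip_strlen(a, sizeof a), a);
    printf("explicit length:   ok=%d \"%s\"\n", roundtrip_explicit_len(b, sizeof b), b);
    return 0;
}
```

Between a client and a server the same rule means the ciphertext length has to travel with the message (for example as a length prefix), because the receiver cannot recover it with strlen().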