Bug #66949 Serpent produces result which can not be decrypted from other languages
Submitted: 2014-03-24 20:06 UTC Modified: 2016-12-14 18:00 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: pkorsukov at gmail dot com Assigned: leigh
Status: Closed Package: mcrypt related
PHP Version: 5.5.10 OS: Windows 7
Private report: No CVE-ID: None
 [2014-03-24 20:06 UTC] pkorsukov at gmail dot com
Description:
------------
The implementation of Serpent in PHP does not pass the tests from the Serpent AES submission. As a result, a string encrypted by PHP MCrypt cannot be decrypted in other programming languages (I tried C#, and Bouncy Castle support tried Java). If we use the same key and IV, then the PHP results for decrypt or encrypt differ from other programming languages.
More details: https://github.com/bcgit/bc-csharp/issues/13#issuecomment-38490830

Test script:
---------------
<?php
function crypt_test($algo, $mode, $key, $iv, $name, $plaintext, $expected) {
    $cipher = mcrypt_module_open($algo,'',$mode,'');
    mcrypt_generic_init($cipher, $key, $iv);
    $encrypted = mcrypt_generic($cipher, hex2bin($plaintext));

    printf("%s/%s %s:\n expected: %s\n   actual: %s\n", $algo, $mode, $name, bin2hex($encrypted), $expected);

    mcrypt_generic_deinit($cipher);
    mcrypt_module_close($cipher);
}

$key = hex2bin('00000000000000000000000000000000');
$iv = hex2bin('00000000000000000000000000000000');

crypt_test('serpent', 'ecb', $key, $iv, 'zeros', '00000000000000000000000000000000', 'e9ba668276b81896d093a9e67ab12036');
crypt_test('serpent', 'ecb', $key, $iv, 'I1', '80000000000000000000000000000000', '10b5ffb720b8cb9002a1142b0ba2e94a');
crypt_test('serpent', 'ecb', $key, $iv, 'I2', '40000000000000000000000000000000', '91a7847ef1cd87551b5b4bf6f8e96e2c');
crypt_test('serpent', 'ecb', $key, $iv, 'I3', '20000000000000000000000000000000', '5d32aece8383fb2ee22cb4a6061d1429');

?>

Expected result:
----------------
serpent/ecb zeros:
 expected: 3620b17ae6a993d09618b8768266bae9
   actual: 3620b17ae6a993d09618b8768266bae9
serpent/ecb I1:
 expected: a3b35de7c358ddd82644678c64b8bcbb
   actual: a3b35de7c358ddd82644678c64b8bcbb
serpent/ecb I2:
 expected: 04abcfe4e0af27ff92a2bb10949d7dd2
   actual: 04abcfe4e0af27ff92a2bb10949d7dd2
serpent/ecb I3:
 expected: 8f773194b78ef2b2740237ef12d08608
   actual: 8f773194b78ef2b2740237ef12d08608

Actual result:
--------------
serpent/ecb zeros:
 expected: 3620b17ae6a993d09618b8768266bae9
   actual: e9ba668276b81896d093a9e67ab12036
serpent/ecb I1:
 expected: a3b35de7c358ddd82644678c64b8bcbb
   actual: 10b5ffb720b8cb9002a1142b0ba2e94a
serpent/ecb I2:
 expected: 04abcfe4e0af27ff92a2bb10949d7dd2
   actual: 91a7847ef1cd87551b5b4bf6f8e96e2c
serpent/ecb I3:
 expected: 8f773194b78ef2b2740237ef12d08608
   actual: 5d32aece8383fb2ee22cb4a6061d1429

History

 [2016-12-14 18:00 UTC] leigh@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: leigh
 [2016-12-14 18:00 UTC] leigh@php.net
Closing this report as the bug is in the underlying mcrypt library, not PHP itself.
 