|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #60705 rijndael iv problem
Submitted: 2012-01-10 23:08 UTC Modified: 2014-03-04 15:45 UTC
Avg. Score:4.0 ± 1.5
Reproduced:5 of 5 (100.0%)
Same Version:4 (80.0%)
Same OS:4 (80.0%)
From: erno dot kovacs at freemail dot hu Assigned:
Status: Not a bug Package: mcrypt related
PHP Version: 5.3.8 OS: linux/windows
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: erno dot kovacs at freemail dot hu
New email:
PHP Version: OS:


 [2012-01-10 23:08 UTC] erno dot kovacs at freemail dot hu
Cryptography basics: IV is always the same as the block size, which is 16 bytes (128 bits) in case of AES(Rijndael). However, when you use RIJNDAEL_192 or RIJNDAEL_256 with an IV of 16 bytes in CBC mode, you got a warning "mcrypt_generic_init() [function.mcrypt-generic-init]: Iv size incorrect; supplied length: 16, needed: 32". This is bullshit.

This way if you try to decrypt data encrypted by a 32 byte (256 bit) key with 16 byte (128 bit) IV with RIJNDAEL_256 in CBC mode, the decrypted data is WRONG. Even worse, if you modify the constant to RIJNDAEL_128, it decrypts the ciphertext correctly. This is a major failure.

Tested with PHP 5.3.4 Win32 and 5.3.8 Linux.

Test script:

Expected result:
decrypted : hello world

decrypted : *garbage*

Actual result:
Warning: mcrypt_generic_init() [function.mcrypt-generic-init]: Iv size incorrect; supplied length: 16, needed: 32 in ...
decrypted : ц2‘в АЭ/(ѕвy7YЃƒ0z=/оч|µ8„0Г£

decrypted : hello world


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2012-02-26 20:11 UTC]
After looking at the mcrypt implementation it turns out, that the way you're doing 
that in perl is non standard. The init vector SHOULD have the same size the block 
does. In your case 32 bytes. Looking at some other libs, for instance
the stuff is handled the same way - vi size = block size.
 [2012-02-26 21:25 UTC] erno dot kovacs at freemail dot hu
you are absolutly wrong. the iv must have the same size as the ciphers block size.
 [2012-02-26 21:27 UTC] erno dot kovacs at freemail dot hu
it seems you dont recognize the difference between the cipher block size and the input plaintext data...
 [2012-02-26 21:30 UTC] erno dot kovacs at freemail dot hu
AES blocksize is constant 16 bytes, so is the IV.
 [2012-10-02 10:01 UTC] miha dot vrhovnik at domenca dot com
I have the same problem as the reporter of this bug.
However the library used to decode the data is openssl 1.0.1c and I'd really doubt that they messed this up.
 [2012-10-02 12:28 UTC] miha dot vrhovnik at domenca dot com
Or maybe just the docs are foobar.
 [2014-03-04 15:35 UTC] narf at devilix dot net
This is not a bug, just something that is often confused.

AES does indeed have a fixed block size of 16 bytes and it is based on Rijndael. However, it is only based on Rijndael-128, allowing different key sizes. Rijndael-192 and Rijndael-256 have different block sizes and are NOT AES-compatible. 

If you want to use AES-192, AES-256 with MCrypt, you just have to use Rijndael-128 with a 24 or 32-byte key respectively.
 [2014-03-04 15:45 UTC]
-Status: Open +Status: Not a bug
 [2014-03-04 15:45 UTC]
As the last comments pointed, there's no bug here. AES-128, AES-192 and AES-256 are all handled by Rijndael-128.
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Apr 20 19:01:28 2024 UTC