Undefined offset when using Rijndael with block sizes > 128

[vizvayu]

Hi! I'm getting a NOTICE when using Rijndael with a block size greater than 128bits. This is a quick example:

$cipher = new phpseclib3\Crypt\Rijndael('cbc');
$cipher->setIV(random_bytes(16));
$cipher->setKey(random_bytes(32));
$cipher->setBlockLength(256);
$e = $cipher->encrypt('test123');

This throws:
AH01071: Got error 'PHP message: PHP Notice: Undefined offset: 5 in /var/www/external/phpseclib/Crypt/Common/SymmetricKey.php(3092) : eval()'d code on line 24

I'm using PHP 7.3.19-1~deb10u1 and phpseclib 3.0.4.

It works fine with a block size of 128bit, but anything bigger than that (160, 192, 224 or 256) throws that notice.

Am I doing something wrong or is this a bug?

Thanks!

[terrafrost]

I'm able to reproduce this. It looks like a bug. I have to get ready for work soon but I'll try to take a look at this evening!

[terrafrost]

Actually, it's an error in your code (altho phpseclib ought to fail "better").

$cipher = new phpseclib3\Crypt\Rijndael('cbc');
$cipher->setIV(random_bytes(16));
$cipher->setKey(random_bytes(32));
$cipher->setBlockLength(256);
$e = $cipher->encrypt('test123');

The IV should be equal to the block length BUT you're setting the IV to a 128-bit value. Simply replacing $cipher->setIV(random_bytes(16)); with $cipher->setIV(random_bytes(32)); won't work because you're trying to set the IV before you're setting the block size.

Here's what does work:

$cipher = new phpseclib3\Crypt\Rijndael('cbc');
$cipher->setKey(random_bytes(32));
$cipher->setBlockLength(256);
$cipher->setIV(random_bytes(32));
$e = $cipher->encrypt('test123');

I'll work on making phpseclib fail more gracefully!

[vizvayu]

Awesome, thank you so much!

[terrafrost]

An exception should now be thrown that makes things more clear when this situation arises henceforth!:

d096769