Re: bug in JCEea2 with DES/CBC/NoPadding decryption in place

Jan Luehe (Jan.Luehe@Eng)
Wed, 1 Apr 1998 16:29:18 -0800 (PST)

To: java-security@javasoft.com, gchung@openhorizon.com

Hi George:

> I found this bug by plugging your crypto in an SSL package that allows 3rd
> party crypto to be plugged in, specifically IAIK SSL. Hey, I love your
> stuff, but I think it would be worth your while to examine the possibility
> of using their SSL framework to plug your crypto in, cycle through the
> various SSL ciphersuites and try to talk to commercial SSL web servers using
> their SSLClient sample. Hey, who can argue against too much QA! :-)
>
> Anyway, I've attached the source code that reproduces the bug to this email.
> Bug reproduces in ea in addition to ea2. Should be able to compile and run
> against ea2 and JDK 1.2beta3.

Thanks a lot for pointing this out!

It's fixed now. The fix will be made available in the upcoming
JCE 1.2 beta release.

Jan