Bug 38451 - [regression] Decrypting AES that was encrypted with Mono 4.0 (C5) throws an exception in 4.2 (C6)
Alias: None
Product: Class Libraries
Classification: Mono
Component: mscorlib ()
Version: 4.2.0 (C6)
Hardware: PC Mac OS
: High major
Target Milestone: (C7)
Assignee: Bugzilla
Reported: 2016-02-04 12:53 UTC by Adam Hartley [MSFT]
Modified: 2016-02-10 23:10 UTC (History)

Samples (64.30 KB, application/zip)
2016-02-04 12:53 UTC, Adam Hartley [MSFT]


Description Adam Hartley [MSFT] 2016-02-04 12:53:05 UTC
Created attachment 14892

## Steps to reproduce

1. Install Xamarin.iOS
2. Build and run sample
3. Enter a value, such as 6, and tap "Update"
4. Close the app
5. Install Xamarin.iOS
6. Clean, re-build and run
7. App will crash

## Expected result

No crash, data should be decrypted

## Actual result

System.Security.Cryptography.CryptographicException: Bad PKCS7 padding. Error found at position 14.
  at Crimson.CommonCrypto.FastCryptorTransform.ThrowBadPaddingException (PaddingMode padding, Int32 length, Int32 position) [0x0004d] in /Users/builder/data/lanes/2689/962a0506/source/maccore/src/CommonCrypto/FastCryptorTransform.cs:198
  at Crimson.CommonCrypto.FastCryptorTransform.FinalDecrypt (System.Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount) [0x00177] in /Users/builder/data/lanes/2689/962a0506/source/maccore/src/CommonCrypto/FastCryptorTransform.cs:317
  at Crimson.CommonCrypto.FastCryptorTransform.TransformFinalBlock (System.Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount) [0x0001e] in /Users/builder/data/lanes/2689/962a0506/source/maccore/src/CommonCrypto/FastCryptorTransform.cs:345
  at System.Security.Cryptography.CryptoStream.Read (System.Byte[] buffer, Int32 offset, Int32 count) [0x00318] in /Users/builder/data/lanes/2689/962a0506/source/maccore/_build/Library/Frameworks/Xamarin.iOS.framework/Versions/git/src/mono/external/referencesource/mscorlib/system/security/cryptography/cryptostream.cs:278
  at System.IO.StreamReader.ReadBuffer () [0x0002b] in /Users/builder/data/lanes/2689/962a0506/source/maccore/_build/Library/Frameworks/Xamarin.iOS.framework/Versions/git/src/mono/external/referencesource/mscorlib/system/io/streamreader.cs:601
  at System.IO.StreamReader.ReadToEnd () [0x00055] in /Users/builder/data/lanes/2689/962a0506/source/maccore/_build/Library/Frameworks/Xamarin.iOS.framework/Versions/git/src/mono/external/referencesource/mscorlib/system/io/streamreader.cs:466
  at TestAppForXamarin.Crypto.DecryptStringFromBytes_Aes (System.Byte[] cipherText) [0x000b8] in /Users/Adam/Downloads/TestAppForXamarin/TestAppForXamarin/Crypto.cs:123
  at TestAppForXamarin.Crypto.Decrypt (System.String cipherBytes) [0x00009] in /Users/Adam/Downloads/TestAppForXamarin/TestAppForXamarin/Crypto.cs:41
  at TestAppForXamarin.ViewController.ViewDidLoad () [0x0003d] in /Users/Adam/Downloads/TestAppForXamarin/TestAppForXamarin/ViewController.cs:24
  at at (wrapper managed-to-native) UIKit.UIApplication:UIApplicationMain (int,string[],intptr,intptr)
  at UIKit.UIApplication.Main (System.String[] args, IntPtr principal, IntPtr delegate) [0x00005] in /Users/builder/data/lanes/2689/962a0506/source/maccore/src/UIKit/UIApplication.cs:77
  at UIKit.UIApplication.Main (System.String[] args, System.String principalClassName, System.String delegateClassName) [0x00038] in /Users/builder/data/lanes/2689/962a0506/source/maccore/src/UIKit/UIApplication.cs:61
  at TestAppForXamarin.Application.Main (System.String[] args) [0x00008] in /Users/Adam/Downloads/TestAppForXamarin/TestAppForXamarin/Main.cs:12

## Notes

Verified in the iOS Simulator.

Encrypting and decrypting while using the same version of Xamarin.iOS appears to work - the issue occurs when previously encrypted data is decrypted on a newer version of Xamarin.iOS.
Comment 1 Rodrigo Kumpera 2016-02-08 20:24:00 UTC
Hey Sebastien,

This is hitting the common crypto code, could you guys take a look?
Comment 2 Sebastien Pouliot 2016-02-08 21:35:27 UTC
That's weird as CommonCrypto code did not change between those versions. The fact that it fails in common crypto code is "normal" since it's the only part that will do validation (which can only be done on the decrypted data).

A lot of other things (like CryptoStream) are now coming from MS RS code and might influence the process. I'll have a look to figure out where the issue is coming from.
Comment 3 Sebastien Pouliot 2016-02-09 03:12:50 UTC
As I thought this is an issue in Mono/BCL, nothing to do with XI.

If you encrypt with mono 4.0 (C5) and try to decrypt with 4.2.2 (C6) or master you'll get the exception. E.g.


I strongly suspect the CryptoStream from MS RS not playing well with other parts of mono (not updated to use MS RS).
Comment 5 Andi McClure 2016-02-09 18:43:59 UTC
Did some testing. The current (master) behavior is compatible with the behavior of Microsoft .NET. The 4.0 behavior is not.
Comment 6 Andi McClure 2016-02-10 18:44:59 UTC

After investigation, we have found that the problem is with PasswordDeriveBytes, and is the same root cause as an issue previously seen at https://bugzilla.xamarin.com/show_bug.cgi?id=37370

We have added a section to the 4.2.1 release notes documenting the problem:


Please see that note but, short version:

- Pre-4.2 versions are incompatible with Microsoft.NET; 4.2 and following are compatible with .NET but incompatible with pre-4.2. Because compatibility with Microsoft.NET is what we consider "correct", we will not be reverting this.

- If you need compatibility with pre-4.2, there is a small source package for an alternate version of PasswordDeriveBytes linked in the 4.2.1 release notes. If you embed the alternate PasswordDeriveBytes in your application and use it instead of the corlib version, it will encode and decode your files created with 4.0. This should solve your problem.

- If possible you should migrate off of PasswordDeriveBytes and onto Rfc2898DeriveBytes, which is compatible across all versions of Mono and MS.NET
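
Added example (not code from the bug's attachment or from Mono): one way to carry out the migration recommended in Comment 6, re-wrapping data from the old PasswordDeriveBytes-based format under a key derived with Rfc2898DeriveBytes. The class name, blob layout, iteration count and the `legacyDecrypt` hook are assumptions. Old blobs are assumed to be bare AES-CBC ciphertext, so their length is a multiple of 16 and they can be told apart from the new format without trial decryption.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;

// Assumed layout: [version=2][salt:16][iv:16][AES-CBC ciphertext]; assumed work factor.
static class KdfMigration
{
    const int SaltLen = 16, IvLen = 16, Header = 1 + SaltLen + IvLen, Iterations = 100000;

    static Aes NewAes(string password, byte[] salt, byte[] iv)
    {
        var aes = Aes.Create();                // defaults: CBC, PKCS7
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            aes.Key = kdf.GetBytes(32);        // PBKDF2-HMAC-SHA1, AES-256 key
        if (iv != null) aes.IV = iv;           // null: keep the fresh random IV
        return aes;
    }

    public static byte[] Encrypt(string password, string plaintext)
    {
        var salt = new byte[SaltLen];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        using (var aes = NewAes(password, salt, null))
        using (var ms = new MemoryStream())
        {
            ms.WriteByte(2); ms.Write(salt, 0, SaltLen); ms.Write(aes.IV, 0, IvLen);
            using (var cs = new CryptoStream(ms, aes.CreateEncryptor(), CryptoStreamMode.Write))
            using (var w = new StreamWriter(cs)) w.Write(plaintext);
            return ms.ToArray();
        }
    }

    // legacyDecrypt is a hypothetical hook around the app's old routine (alternate
    // PasswordDeriveBytes). Old blobs: length 0 mod 16; new blobs: length 1 mod 16.
    public static byte[] Migrate(string password, byte[] blob, Func<byte[], string> legacyDecrypt)
        => blob.Length % 16 == 0 ? Encrypt(password, legacyDecrypt(blob)) : blob;

    public static string Decrypt(string password, byte[] blob)
    {
        if (blob.Length < Header + 16 || blob.Length % 16 != 1 || blob[0] != 2)
            throw new CryptographicException("Unknown blob format.");
        var salt = new byte[SaltLen]; var iv = new byte[IvLen];
        Buffer.BlockCopy(blob, 1, salt, 0, SaltLen);
        Buffer.BlockCopy(blob, 1 + SaltLen, iv, 0, IvLen);
        using (var aes = NewAes(password, salt, iv))
        using (var ms = new MemoryStream(blob, Header, blob.Length - Header))
        using (var cs = new CryptoStream(ms, aes.CreateDecryptor(), CryptoStreamMode.Read))
        using (var r = new StreamReader(cs)) return r.ReadToEnd();
    }
}
```

Call `Migrate` once on each stored blob at load time, persist the result, then use `Decrypt`. Telling the formats apart by length avoids using the padding exception as a format probe, which a wrong key passes by chance roughly once in 256 tries.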

Comment 7 Kevin 2016-02-10 23:10:25 UTC
Thanks for the clear explanation. The workaround in the release notes is working.