CTR mode broken in libgcrypt 1.2.1
alangley at gmail.com
Tue Jun 14 18:50:32 CEST 2005
CTR mode is defined as:
Let C be the XOR (exclusive-or) of M and the first |M| bits of the
pad E(ctr) | E(ctr+1) | ...
With libgcrypt 1.2.1 there is a message boundary bug. In short,
E('abc') will cause E(ctr) to be calculated and the last 13 bytes to
be discarded. E('def') will use another, fresh, E(ctr+1) and will
discard another 13 bytes. This is incorrect (by  above, and by
The attached patch fixes this. This patch has been tested against code
which uses OpenSSL for AES128 CTR.
Adam Langley agl at imperialviolet.org
http://www.imperialviolet.org (+44) (0)7906 332512
PGP: 9113 256A CC0F 71A6 4C84 5087 CDA5 52DF 2CB6 3D60
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 2373 bytes
Desc: not available
Url : /pipermail/attachments/20050614/21ed1262/ctr-mode.agl-0001.obj
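The message-boundary bug described in the mail, as an added example written for this page (Go code, not Adam Langley's patch and not libgcrypt's or OpenSSL's code): a streaming AES-128 CTR that keeps the unused tail of E(ctr) across calls, beside a variant that throws that tail away at every call as the mail says 1.2.1 does. Both are checked against a one-shot encryption with Go's crypto/cipher CTR, which stands in here for the OpenSSL reference the patch was tested against. The key, IV and the 'abc' / 'def' chunking are constructed test values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// ctrStream encrypts a sequence of messages in CTR mode with one continuous
// pad E(ctr) | E(ctr+1) | ..., as the definition quoted in the mail requires:
// keystream bytes not consumed by one Encrypt call are used by the next.
type ctrStream struct {
	block   cipher.Block
	counter []byte // current counter block, incremented big-endian after each E(ctr)
	pad     []byte // keystream bytes left over from the last block
}

func newCTRStream(key, iv []byte) (*ctrStream, error) {
	b, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return &ctrStream{block: b, counter: append([]byte(nil), iv...)}, nil
}

// nextBlock returns E(ctr) and advances ctr by one (big-endian, with carry).
func (s *ctrStream) nextBlock() []byte {
	out := make([]byte, s.block.BlockSize())
	s.block.Encrypt(out, s.counter)
	for i := len(s.counter) - 1; i >= 0; i-- {
		s.counter[i]++
		if s.counter[i] != 0 {
			break
		}
	}
	return out
}

// Encrypt XORs msg with the next |msg| bytes of the pad; since CTR is
// symmetric the same call decrypts. Leftover pad bytes are kept for the
// next call, which is the correct behaviour.
func (s *ctrStream) Encrypt(msg []byte) []byte {
	out := make([]byte, len(msg))
	for i := range msg {
		if len(s.pad) == 0 {
			s.pad = s.nextBlock()
		}
		out[i] = msg[i] ^ s.pad[0]
		s.pad = s.pad[1:]
	}
	return out
}

// EncryptDiscarding models the bug described in the mail: each call drops
// the unused tail of the previous E(ctr) and starts on a fresh block, so
// 'abc' then 'def' burns two blocks (13 bytes wasted each) instead of six
// bytes of one block.
func (s *ctrStream) EncryptDiscarding(msg []byte) []byte {
	s.pad = nil
	return s.Encrypt(msg)
}

// referenceCTR encrypts msg in one shot with Go's standard CTR mode, standing
// in for the OpenSSL AES-128 CTR code the patch was tested against.
func referenceCTR(key, iv, msg []byte) ([]byte, error) {
	b, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(msg))
	cipher.NewCTR(b, iv).XORKeyStream(out, msg)
	return out, nil
}

// chunkedCTR encrypts the chunks one call at a time and concatenates the
// results, carrying the pad across calls (discard=false) or discarding it at
// every message boundary (discard=true).
func chunkedCTR(key, iv []byte, chunks [][]byte, discard bool) ([]byte, error) {
	s, err := newCTRStream(key, iv)
	if err != nil {
		return nil, err
	}
	var out []byte
	for _, c := range chunks {
		if discard {
			out = append(out, s.EncryptDiscarding(c)...)
		} else {
			out = append(out, s.Encrypt(c)...)
		}
	}
	return out, nil
}

// Constructed test values, not taken from the mail or from libgcrypt.
var (
	testKey = []byte("0123456789abcdef") // 16 bytes: AES-128
	testIV  = []byte("fedcba9876543210") // 16-byte initial counter block
)

func main() {
	chunks := [][]byte{[]byte("abc"), []byte("def")}
	ref, _ := referenceCTR(testKey, testIV, []byte("abcdef"))
	good, _ := chunkedCTR(testKey, testIV, chunks, false)
	bad, _ := chunkedCTR(testKey, testIV, chunks, true)
	fmt.Printf("one-shot:   %x\n", ref)
	fmt.Printf("carry pad:  %x  matches=%v\n", good, bytes.Equal(good, ref))
	fmt.Printf("discarding: %x  matches=%v\n", bad, bytes.Equal(bad, ref))
	// A correct decryptor applied to the buggy stream recovers 'abc' but
	// not 'def'; that is how the interop failure against OpenSSL shows up.
	dec, _ := newCTRStream(testKey, testIV)
	fmt.Printf("buggy stream decrypted by correct CTR: %q\n", dec.Encrypt(bad))
}
```

The first chunk is identical in both variants; only from the second message onward does the discarding variant diverge, because its 'def' is XORed with the first three bytes of E(ctr+1) rather than bytes 3..5 of E(ctr). A peer that implements CTR correctly therefore decrypts the first message and garbles every one after it.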