CTR mode broken in libgcrypt 1.2.1

Adam Langley alangley at gmail.com
Tue Jun 14 18:50:32 CEST 2005

CTR mode is defined as [1]:
  Let C be the XOR (exclusive-or) of M and the first |M| bits of the
  pad E(ctr) | E(ctr+1) | ...

With libgcrypt 1.2.1 there is a message boundary bug. In short,
E('abc') will cause E(ctr) to be calculated and the last 13 bytes to
be discarded. E('def') will use another, fresh, E(ctr+1) and will
discard another 13 bytes. This is incorrect (by [1] above, and by
OpenSSL's implementation).

The attached patch fixes this. This patch has been tested against code
which uses OpenSSL for AES128 CTR.

[1] http://csrc.nist.gov/CryptoToolkit/modes/workshop1/papers/lipmaa-ctr.pdf


Adam Langley                                      agl at imperialviolet.org
http://www.imperialviolet.org                       (+44) (0)7906 332512
PGP: 9113   256A   CC0F   71A6   4C84   5087   CDA5   52DF   2CB6   3D60
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ctr-mode.agl.patch
Type: application/octet-stream
Size: 2373 bytes
Desc: not available
Url : /pipermail/attachments/20050614/21ed1262/ctr-mode.agl-0001.obj
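The following is an added illustration of the message-boundary problem described above; it is not the libgcrypt code, the attached patch, or anything by the poster. Because the issue is about how keystream is consumed across calls rather than about AES itself, the block cipher is replaced by a constructed stand-in (a SHA-256-derived 16-byte pad keyed on key and counter); the class names, the key and the sample messages are all invented for the example. CtrCorrect keeps the unused tail of E(ctr) for the next update() call, as the cited definition requires; CtrBoundaryBug throws that tail away at the end of every call, which is the behaviour the post attributes to libgcrypt 1.2.1. The check function shows that the buggy variant only agrees with a one-shot encryption when every chunk is a whole number of 16-byte blocks, which is why the defect is easy to miss in tests and only surfaces when talking to another implementation (OpenSSL, in the post) that splits the data differently.

```python
import hashlib

BLOCK = 16          # block size in bytes (AES-sized)
KEY = b"example-key-16by"  # constructed 16-byte key for the demo, not a real secret


def toy_block_encrypt(key: bytes, counter: int) -> bytes:
    """Stand-in for E(ctr): a 16-byte pad derived from key and counter.
    This is a constructed PRF for illustration only, NOT AES."""
    return hashlib.sha256(key + counter.to_bytes(BLOCK, "big")).digest()[:BLOCK]


class CtrCorrect:
    """CTR as defined in the cited paper: one continuous pad
    E(ctr) | E(ctr+1) | ... consumed across update() calls."""

    def __init__(self, key: bytes, ctr: int) -> None:
        self.key = key
        self.ctr = ctr
        self.leftover = b""  # unused keystream bytes carried to the next call

    def update(self, data: bytes) -> bytes:
        out = bytearray()
        for b in data:
            if not self.leftover:
                self.leftover = toy_block_encrypt(self.key, self.ctr)
                self.ctr = (self.ctr + 1) % (1 << (8 * BLOCK))
            out.append(b ^ self.leftover[0])
            self.leftover = self.leftover[1:]
        return bytes(out)


class CtrBoundaryBug:
    """Mimics the behaviour the post describes: every call starts from a
    fresh E(ctr) and the unused tail of that block is discarded."""

    def __init__(self, key: bytes, ctr: int) -> None:
        self.key = key
        self.ctr = ctr

    def update(self, data: bytes) -> bytes:
        out = bytearray()
        pad = b""  # local, so whatever is left is dropped when we return
        for b in data:
            if not pad:
                pad = toy_block_encrypt(self.key, self.ctr)
                self.ctr = (self.ctr + 1) % (1 << (8 * BLOCK))
            out.append(b ^ pad[0])
            pad = pad[1:]
        return bytes(out)  # the leftover pad dies here: that is the bug


def encrypt_chunked(cls, key: bytes, ctr: int, chunks) -> bytes:
    """Feed the message to the given CTR implementation chunk by chunk."""
    c = cls(key, ctr)
    return b"".join(c.update(chunk) for chunk in chunks)


def chunked_matches_whole(cls, key: bytes, ctr: int, msg: bytes, chunks) -> bool:
    """True if encrypting msg in the given chunks yields the same ciphertext
    as encrypting it in a single call. Any correct CTR implementation must
    return True for every way of splitting msg."""
    assert b"".join(chunks) == msg
    return encrypt_chunked(cls, key, ctr, chunks) == encrypt_chunked(cls, key, ctr, [msg])


if __name__ == "__main__":
    msg = b"attack at dawn!"            # 15 bytes: shorter than one block
    split = [b"attack ", b"at dawn!"]   # a boundary in the middle of a block
    for cls in (CtrCorrect, CtrBoundaryBug):
        ok = chunked_matches_whole(cls, KEY, 1, msg, split)
        print(f"{cls.__name__:15s} chunked == whole: {ok}")
    # With block-aligned chunks the buggy variant looks fine, which is why
    # a test that only feeds whole blocks never notices the defect.
    aligned = [b"x" * BLOCK, b"x" * BLOCK]
    print("CtrBoundaryBug aligned chunks:",
          chunked_matches_whole(CtrBoundaryBug, KEY, 1, b"x" * 2 * BLOCK, aligned))
```

Decryption in CTR is the same operation as encryption, so the check function doubles as an interoperability test: a peer that encrypted `msg` in one call produces `encrypt_chunked(CtrCorrect, KEY, 1, [msg])`, and only the implementation that carries keystream across calls will recover the plaintext from it regardless of how the receiver chunks the ciphertext.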

More information about the Gcrypt-devel mailing list