CTR mode broken in libgcrypt 1.2.1

Werner Koch wk at gnupg.org
Fri Jun 17 19:46:19 CEST 2005

On Tue, 14 Jun 2005 17:50:32 +0100, Adam Langley said:

> With libgcrypt 1.2.1 there is a message boundary bug. In short,
> E('abc') will cause E(ctr) to be calculated and the last 13 bytes to
> be discarded. E('def') will use another, fresh, E(ctr+1) and will
> discard another 13 bytes. This is incorrect (by [1] above, and by
> OpenSSL's implementation)

Thanks for reporting and for the patch.  However, to apply this patch
we need to get a copyright assignment for the FSF from you. That is a
bit of a lengthly process so maybe we better fix it for ourself.  If
you are willing to sign a such an assignment (or a disclaimer) anyway
and save us some work, please contact me by private mail.



More information about the Gcrypt-devel mailing list