Possibly incorrect counter overflow handling for AES-GCM
gniibe at fsij.org
Tue Jan 30 03:43:47 CET 2018
Thanks for your report. I tried to test your example program with 20MB
(not MiB, but MB) payload. Given the IV, it works correctly for me. I
use libgcrypt version 1.8.1.
Clemens.Lang at bmw.de wrote:
> I believe we have found what seems to be a bug in counter overflow
> handling in AES-GCM in libgcrypt's implementation.
No, it's your example program which must be wrong.
libgcrypt does the increment correctly by the function gcm_add32_be128
in cipher/cipher-gcm.c. Well, I admit that the function name is
misleading, but it _does_ inc_32, indeed.
I think that your line:
std::size_t ciphertextsize = ((plaintext.size() - 1) | (kBlockSize - 1)) + 1 + kAuthTagSize;
... it doesn't work well for plaintext size not multiple of 16.
if ((err = gcry_cipher_encrypt(hd, ciphertext.data(), ciphertext.size() - kAuthTagSize, plaintext.data(), plaintext.size())))
This doesn't work either for plaintext size not multiple of 16.
More information about the Gcrypt-devel