Possibly incorrect counter overflow handling for AES-GCM

NIIBE Yutaka gniibe at fsij.org
Tue Jan 30 03:43:47 CET 2018


Thanks for your report.  I tried to test your example program with a 20MB
(not MiB, but MB) payload.  Given the IV, it works correctly for me.  I
use libgcrypt version 1.8.1.

Clemens.Lang at bmw.de wrote:
> I believe we have found what seems to be a bug in counter overflow
> handling in AES-GCM in libgcrypt's implementation.

No, it's your example program which must be wrong.

libgcrypt does the increment correctly by the function gcm_add32_be128
in cipher/cipher-gcm.c.  Well, I admit that the function name is
misleading, but it _does_ inc_32, indeed.

I think that your line:

    std::size_t ciphertextsize = ((plaintext.size() - 1) | (kBlockSize - 1)) + 1 + kAuthTagSize;

... it doesn't work well for a plaintext size that is not a multiple of 16.

Another line:

    if ((err = gcry_cipher_encrypt(hd, ciphertext.data(), ciphertext.size() - kAuthTagSize, plaintext.data(), plaintext.size())))

This doesn't work either for a plaintext size that is not a multiple of 16.

More information about the Gcrypt-devel mailing list
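
Added example (not part of the original message and not libgcrypt's source): the inc_32 counter step that NIST SP 800-38D defines for GCM, next to a full 128-bit big-endian increment, to show where the two diverge once the low 32 bits wrap. The function names and the sample counter block are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* inc_32 from NIST SP 800-38D: increment only the last 32 bits of the
   16-byte counter block, big-endian, modulo 2^32.  The leading 96 bits
   are never touched, so a wrap does not carry into them. */
void gcm_inc32(uint8_t ctr[16])
{
    for (int i = 15; i >= 12; i--)
        if (++ctr[i] != 0)
            break;
}

/* Full 128-bit big-endian increment, shown only for contrast: the carry
   propagates past byte 12, which is NOT what GCM specifies. */
void be128_inc(uint8_t ctr[16])
{
    for (int i = 15; i >= 0; i--)
        if (++ctr[i] != 0)
            break;
}

/* Returns 1 if both increments give the same block after n steps. */
int increments_agree(const uint8_t start[16], unsigned n)
{
    uint8_t a[16], b[16];
    memcpy(a, start, 16);
    memcpy(b, start, 16);
    for (unsigned k = 0; k < n; k++) {
        gcm_inc32(a);
        be128_inc(b);
    }
    return memcmp(a, b, 16) == 0;
}

int main(void)
{
    /* Constructed counter block: low 32 bits are two steps from wrapping,
       as can happen when J0 is derived by GHASH from a non-96-bit IV. */
    uint8_t j0[16] = {0,1,2,3,4,5,6,7,8,9,10,11, 0xff,0xff,0xff,0xfe};
    printf("agree after 1 step:  %d\n", increments_agree(j0, 1));
    printf("agree after 2 steps: %d\n", increments_agree(j0, 2));
    return 0;
}
```

An implementation that carries into byte 11 at the wrap produces a different keystream from that block onward, so decryption by a conforming implementation yields garbage after that point.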