Possibly incorrect counter overflow handling for AES-GCM
gniibe at fsij.org
Tue Jan 30 12:21:04 CET 2018
Clemens.Lang at bmw.de wrote:
> Note that you will also have to use the same key K to trigger the behavior. This is because the initial counter value J_0 is calculated from the given IV using the GHASH function, which uses the hash subkey H = CIPH_K(0^128).
> Just for the record, I tested this with 1.8.2 and 1.7.6.
Ah, I see. I created a ticket:
I was naively read your previous message which addressed section 7.1,
algorithm 4, step 3 of the document. It is actually section 6.5,
algorithm 3, step 5, which matters.
I'll create a test case in libgcrypt/tests/ and fix.
Since I'm going to travel, it will be next week.
More information about the Gcrypt-devel