Account request + libgcrypt security finding

Bert van der Weerd opalraava at riseup.net
Tue Apr 14 23:03:21 CEST 2026


> On Mon, Apr 13, 2026 at 05:12:09PM +0200, Werner Koch wrote:
> > On Sat, 11 Apr 2026 18:41, Bert van der Weerd said:
> > 
> > > The first patch is the first high severity issue: GCM silent zero-IV
> > > fallback — patch and demonstration program made by Claude Code.
> > 
> > Please explain the issue here.

Hi Werner, all,

This is an issue with the IV/nonce in the (ChaCha20 stream cipher and) GCM encryption mode. The IV/nonce remains zero if set_iv() is not properly called before: _gcry_cipher_gcm_encrypt(), _gcry_cipher_gcm_decrypt(), _gcry_cipher_gcm_authenticate(). This is a known failure mode of these algorithms, and the proper thing to do is return GPG_ERR_INV_STATE.

I attached some AI slop:

 * cipher-gcm-zero-iv-fallback.readme.md - The full report of the bug; we did some digging in the code and found FIPS-related code, and a function that was marked TODO.
 * cipher-gcm-zero-iv-fallback.patch - The actual patch. In many ways the clearest, I guess. Handcrafted (yay).
 * cipher-gcm-zero-iv-fallback.demo.md - The run results of the GCM issue: one patched, one unpatched.

I'm not sending the cipher-gcm-zero-iv-fallback.demo.c file to the list, but I guess one can craft one conceptually. Will send it to wk at gnupg.org if you want?
I'm not ready with the ChaCha20 patch yet, sorry. I do have two other patches that I can also just mail to this list: one is a typo in a function name and another is a forgotten wipememory().

This AI stuff is something I want to talk about. There are new (unreleased) AI models, from Anthropic and OpenAI. They actually, eh... 'hack the planet', so to speak :)
I just wanted to start off with the most pressing ones this generation of AI can already find.

I can create a markdown file of all the bugs, but rather not. Well to be honest this is a lot of extra issues probably for a (short) while and then it cools down.

Short version: I basically did a:

   for i in crypto/*.c;
   do
     foreach (fallacy in the Wikipedia 'fallacies' page) { check_the_c_file_for_it };
   done;

and a heap of markdown came out.

I distrust AI professionally in code like this, so I just wanted to do the most critical then, and it did actually find something here, if I'm correct.
I saw in the code that, yes, that ChaCha20 thing might also be a positive. This patch is only about GCM. But I don't know what to do now, really.

There were also two other pressing issues, both harder for me to grasp. One is about a missing point in an ECC implementation. The other one is simply not clear to me yet.


I hope this helps,
--Bert


P.S. Sorry about not signing this email. This is just an email for this list.
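An added example, not part of this email, the attached patch, or libgcrypt: a small pure-Python model of the behaviour described above, using a from-scratch ChaCha20 keystream (the email names ChaCha20 alongside GCM; the block function is checked against the RFC 8439 test vector). The StreamHandle class, its require_iv flag and the error strings are constructed stand-ins, not libgcrypt's API; the point is to show why a silent zero-IV fallback is a high-severity defect (two messages under one key end up sharing a keystream) and what refusing with GPG_ERR_INV_STATE looks like instead.

```python
import struct

MASK = 0xffffffff

def _qr(s, a, b, c, d):
    """One ChaCha quarter round (RFC 8439) on state words a, b, c, d."""
    for rot, (x, y, z) in ((16, (a, b, d)), (12, (c, d, b)), (8, (a, b, d)), (7, (c, d, b))):
        s[x] = (s[x] + s[y]) & MASK
        s[z] = ((s[z] ^ s[x]) << rot | (s[z] ^ s[x]) >> (32 - rot)) & MASK

def chacha20_block(key, counter, nonce):
    """64-byte ChaCha20 keystream block for a 32-byte key and 12-byte nonce."""
    init = list(struct.unpack("<16I", b"expand 32-byte k" + key + struct.pack("<I", counter) + nonce))
    w = init[:]
    for _ in range(10):  # 10 double rounds = 20 rounds
        for q in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                  (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            _qr(w, *q)
    return struct.pack("<16I", *[(x + y) & MASK for x, y in zip(w, init)])

class StreamHandle:
    """Constructed model of a cipher handle (not libgcrypt's gcry_cipher_hd_t).
    require_iv=False reproduces the reported behaviour: encrypt() before setiv()
    silently uses an all-zero nonce.  require_iv=True is the proposed fix."""

    def __init__(self, key, require_iv=True):
        self.key, self.nonce, self.require_iv = key, None, require_iv

    def setiv(self, nonce):
        assert len(nonce) == 12, "nonce must be 12 bytes"
        self.nonce = nonce

    def encrypt(self, data):
        if self.nonce is None:
            if self.require_iv:
                raise RuntimeError("GPG_ERR_INV_STATE: IV not set")  # proposed fix
            self.nonce = bytes(12)  # silent zero-IV fallback (the reported bug)
        out = bytearray()
        for off in range(0, len(data), 64):
            ks = chacha20_block(self.key, off // 64 + 1, self.nonce)
            out += bytes(p ^ k for p, k in zip(data[off:off + 64], ks))
        return bytes(out)

def keystream_reused(key, p1, p2):
    """Risk check: two fallback handles under one key share the zero nonce, so
    the keystream cancels out and c1 XOR c2 == p1 XOR p2 (a two-time pad)."""
    c1 = StreamHandle(key, require_iv=False).encrypt(p1)
    c2 = StreamHandle(key, require_iv=False).encrypt(p2)
    n = min(len(p1), len(p2))
    return bytes(a ^ b for a, b in zip(c1, c2)) == bytes(a ^ b for a, b in zip(p1[:n], p2[:n]))
```

With require_iv=True the same two calls never produce ciphertext at all; the caller gets the invalid-state error the email argues for and has to call setiv() with a fresh nonce first.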

-------------- next part --------------
A non-text attachment was scrubbed...
Name: cipher-gcm-zero-iv-fallback.demo.md
Type: text/markdown
Size: 2501 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gcrypt-devel/attachments/20260414/8ae32caf/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cipher-gcm-zero-iv-fallback.readme.md
Type: text/markdown
Size: 5310 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gcrypt-devel/attachments/20260414/8ae32caf/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cipher-gcm-zero-iv-fallback.patch
Type: text/x-diff
Size: 4353 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gcrypt-devel/attachments/20260414/8ae32caf/attachment.patch>

