Account request + libgcrypt security finding
NIIBE Yutaka
gniibe at fsij.org
Wed Apr 15 07:27:33 CEST 2026
Hello,
Bert van der Weerd wrote:
> This is an issue with the IV/nonce in the (Chacha20 stream cipher and)
> GCM encryption mode. The IV/nonce remains zero if set_iv() is not
> properly called before: _gcry_cipher_gcm_encrypt(),
> _gcry_cipher_gcm_decrypt(), _gcry_cipher_gcm_authenticate(). This is a
> known failure mode of these algorithms, and the proper thing to do is
> return GPG_ERR_INV_STATE;
Thank you for your argument. I could understand the last point of yours
(returning GPG_ERR_INV_STATE). But I, for myself, don't think it's a
severe issue in our implementation. Your patch is not good,
unfortunately; it removes important parts under FIPS mode.
I know that it's hard to use the crypto API of libgcrypt. Problems
around here are a bit larger. If interested, please have a look at:
https://dev.gnupg.org/T5870
https://dev.gnupg.org/T4873
and a not-yet-applied patch for ntbtls:
https://dev.gnupg.org/rTf550b3323c8efd38c79b1daa26821a35ad486cf7
Direct use of the set-IV API for GCM is considered bad. We tried
GCRY_CIPHER_GENIV_METHOD_CONCAT for now.
> I attached some AI slop:
I'd like to ask you, please, please don't do that. It's too noisy.
If possible, please keep it in your blog post or elsewhere.
--
More information about the Gcrypt-devel mailing list
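As an added illustration (not code from this thread and not libgcrypt's own), a pure-Python model of the failure mode Bert reports: a ChaCha20 context whose nonce stays all-zero unless set_iv() is called, next to the GPG_ERR_INV_STATE-style refusal he proposes. The Chacha20Ctx class, InvalidState, and the sample key and messages are assumptions of this example; the block function follows RFC 8439.

```python
import struct
MASK = 0xFFFFFFFF
_rotl = lambda v, n: ((v << n) | (v >> (32 - n))) & MASK  # 32-bit rotate left
xor = lambda a, b: bytes(x ^ y for x, y in zip(a, b))

def _qr(s, a, b, c, d):  # ChaCha quarter round (RFC 8439 section 2.1), in place
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)

def chacha20_block(key, nonce, counter):
    # RFC 8439 block function: 64 keystream bytes for (32-byte key, 12-byte nonce, counter)
    st = list(struct.unpack("<4I", b"expand 32-byte k"))
    st += struct.unpack("<8I", key) + (counter,) + struct.unpack("<3I", nonce)
    w = st[:]
    for _ in range(10):  # 10 double rounds = 20 rounds
        _qr(w, 0, 4, 8, 12); _qr(w, 1, 5, 9, 13); _qr(w, 2, 6, 10, 14); _qr(w, 3, 7, 11, 15)
        _qr(w, 0, 5, 10, 15); _qr(w, 1, 6, 11, 12); _qr(w, 2, 7, 8, 13); _qr(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & MASK for x, y in zip(st, w)])

class InvalidState(Exception): pass  # stand-in for GPG_ERR_INV_STATE; toy context, not libgcrypt
class Chacha20Ctx:
    # Models the reported failure mode: the nonce starts all-zero, so skipping set_iv() encrypts under nonce 0.
    def __init__(self, key, require_iv):
        self.key, self.nonce, self.iv_set, self.require_iv = key, bytes(12), False, require_iv
    def set_iv(self, nonce):
        self.nonce, self.iv_set = nonce, True
    def encrypt(self, plaintext):
        if self.require_iv and not self.iv_set:
            raise InvalidState("IV/nonce never set")  # the check the report asks for
        nblocks = (len(plaintext) + 63) // 64
        return xor(plaintext, b"".join(chacha20_block(self.key, self.nonce, i) for i in range(nblocks)))

def zero_nonce_leak(nonce1=None, nonce2=None):
    # Two messages, one key; None = caller skipped set_iv(). Both unset -> same keystream, c1^c2 == p1^p2.
    key = bytes(range(32))  # constructed sample key and messages
    p1, p2 = b"pay 100 EUR to account A", b"pay 900 EUR to account B"
    ctx1, ctx2 = Chacha20Ctx(key, require_iv=False), Chacha20Ctx(key, require_iv=False)
    for ctx, nonce in ((ctx1, nonce1), (ctx2, nonce2)):
        if nonce is not None:
            ctx.set_iv(nonce)
    return xor(ctx1.encrypt(p1), ctx2.encrypt(p2)) == xor(p1, p2)

def rejects_unset_iv():
    try:
        Chacha20Ctx(bytes(32), require_iv=True).encrypt(b"x"); return False
    except InvalidState:
        return True
```

With both callers forgetting set_iv() the XOR of the two ciphertexts equals the XOR of the plaintexts, which is exactly what a distinct nonce per message prevents and what the INV_STATE check makes impossible to reach silently.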