Continuing with: Account request + libgcrypt security finding
Werner Koch
wk at gnupg.org
Thu Apr 16 10:36:27 CEST 2026
Hi!
On Wed, 15 Apr 2026 13:54, Bert van der Weerd said:
> In non-FIPS mode, _if_ the caller never invokes set_iv() before
> calling gcm_encrypt(), gcm_decrypt(), or gcm_authenticate(), the
> library does not return an error.
GCM as well as all other counter modes are pretty fragile and there are
a lot of conditions which lead to catastrophic failures. So better
avoid GCM and use a robust mode like OCB.
I do not consider this a bug because it is improper use of the
algorithms. Right, we may check whether set_iv has been used but it
won't be possible to check for nonce re-use - that is the caller's duty.
Let us open a feature request to return a GPG_ERR_MISSING_ACTION error
if set_iv has not been used.
Salam-Shalom,
Werner
--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
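Added example (not libgcrypt code, not part of the original thread): a toy Python model of the set_iv/encrypt call pattern under discussion. It models the proposed behaviour of returning an error when encrypt() or decrypt() runs before set_iv(), adds the caller-side nonce bookkeeping that Werner says the library cannot do for you, and includes a check that shows why a repeated nonce in a counter mode is catastrophic (ciphertext XOR equals plaintext XOR). The class and exception names, and the HMAC-SHA256-based keystream, are constructed for illustration and do not correspond to libgcrypt's real API or cipher internals.

```python
import hashlib
import hmac


class MissingActionError(Exception):
    """Stand-in for the proposed GPG_ERR_MISSING_ACTION: encrypt/decrypt before set_iv."""


class NonceReuseError(Exception):
    """Caller-side check: a (key, nonce) pair must never be used for two messages."""


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream (constructed): block i = HMAC-SHA256(key, nonce || i).
    This is only a model of 'keystream derived from key and nonce'; it is not GCM/CTR."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class CounterModeHandle:
    """Mimics the open-handle / set_iv / encrypt call sequence of a counter-mode cipher.

    Hypothetical API modelled on the discussion; not libgcrypt's gcry_cipher_* functions.
    """

    def __init__(self, key: bytes):
        self._key = key
        self._nonce = None          # no IV set yet: encrypt/decrypt must refuse
        self._used_nonces = set()   # caller's duty: remember nonces used with this key

    def set_iv(self, nonce: bytes) -> None:
        # Reject a nonce already used with this key (sending side: two-time keystream;
        # receiving side: a repeated nonce is a replay, so rejecting it is also sound).
        if nonce in self._used_nonces:
            raise NonceReuseError("nonce already used with this key")
        self._used_nonces.add(nonce)
        self._nonce = nonce

    def _process(self, data: bytes) -> bytes:
        if self._nonce is None:
            raise MissingActionError("set_iv() must be called before encrypt()/decrypt()")
        out = _xor(data, _keystream(self._key, self._nonce, len(data)))
        self._nonce = None          # one message per nonce; caller must set_iv again
        return out

    def encrypt(self, plaintext: bytes) -> bytes:
        return self._process(plaintext)

    def decrypt(self, ciphertext: bytes) -> bytes:
        return self._process(ciphertext)


def roundtrip(key: bytes, nonce: bytes, message: bytes) -> bytes:
    """Sender and receiver each hold their own handle; same key and nonce on both sides."""
    sender = CounterModeHandle(key)
    sender.set_iv(nonce)
    ciphertext = sender.encrypt(message)
    receiver = CounterModeHandle(key)
    receiver.set_iv(nonce)
    return receiver.decrypt(ciphertext)


def nonce_reuse_leaks_plaintext_xor(key: bytes, nonce: bytes, m1: bytes, m2: bytes) -> bool:
    """Why the bookkeeping matters: with a repeated nonce the keystream repeats, so
    ct1 XOR ct2 == m1 XOR m2 and the ciphertexts no longer hide how the messages relate."""
    ks = _keystream(key, nonce, len(m1))
    c1, c2 = _xor(m1, ks), _xor(m2, ks)
    return _xor(c1, c2) == _xor(m1, m2)


if __name__ == "__main__":
    key = b"\x01" * 32                 # constructed sample key
    print(roundtrip(key, b"nonce-0001", b"hello"))
    h = CounterModeHandle(key)
    try:
        h.encrypt(b"no iv set")
    except MissingActionError as e:
        print("rejected:", e)
```

The handle clears its nonce after every message, so a caller that forgets to call set_iv() again gets MissingActionError instead of silently reusing the old nonce; that is the library-side check the thread proposes. The used-nonce set is the part Werner says must stay with the caller: the library cannot know which nonces were used by other handles or in earlier process runs, so in real code that state has to live wherever the key lives.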