[gnutls-devel] GnuTLS | AEAD output difference on Mac (#1494)

Tue Jul 18 21:27:19 CEST 2023

Vivien Kraus Would Rather Not Be On Gitlab_com commented: https://gitlab.com/gnutls/gnutls/-/issues/1494#note_1475454426

The issue here turns out to be that the nonce length is not 12. The macos version of gnutls seems to be doing what this equivalent code in Nettle is doing:

```c
#include <nettle/gcm.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

int
main ()
{
  static const char *key = "the secret key is 32 bytes long.";
  static const char *auth = "Additional secret data";
  static const char *nonce = "Never encrypt more data with this nonce";
  static const char *data = "Confidential data.";
  struct gcm_aes256_ctx context;
  gcm_aes256_set_key (&context, key);
  gcm_aes256_set_iv (&context, strlen (nonce), nonce);
  static const size_t tag_size = 16;
  size_t used_size = tag_size + strlen (data);
  char output[used_size];
  gcm_aes256_update (&context, strlen (auth), auth);
  gcm_aes256_encrypt (&context, strlen (data), output, data);
  gcm_aes256_digest (&context, tag_size, & (output[strlen (data)]));
  for (int i= 0; i < used_size; i++)
    fprintf (stderr, "%x ", 0xFF & output[i]);
  if (output[0] != (char) 165)
    {
      return EXIT_FAILURE;
    }
  fprintf (stderr, "OK\n");
  return EXIT_SUCCESS;
}
```

While the other versions are doing something different. The question is thus about decryption: why can’t the macos version of gnutls decrypt the encrypted data with the non-standard nonce length, while the other versions can? I guess it is safer to refuse to decrypt, but it is surprising.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1494#note_1475454426
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20230718/e13c660e/attachment-0001.html>