wrong gcm computation when iv length is big enough in main branch #4884
Labels: bug; component-crypto (Crypto primitives and low-level interfaces); help-wanted (This issue is not being actively worked on, but PRs welcome.)
Summary
In the GCM cipher mode, the computation of Y0 may be wrong when the bit length of the IV is not smaller than 2^32.
System information
Mbed TLS version (number or commit id):
Operating system and version:
Configuration (if not default, please attach mbedtls_config.h):
Compiler and options (if you used a pre-built binary, please indicate how you obtained it):
Additional environment information:
Expected behavior
`X_i = (X_{m+n} ⊕ (len(A) || len(C))) · H`

Since the bit length of C (here, the IV) can be up to 2^64, it should be something like

```c
PUT_UINT32_BE( iv_len * 8, work_buf, 8 )
```
Actual behavior
```c
PUT_UINT32_BE( iv_len * 8, work_buf, 12 )
```
Steps to reproduce
Additional information
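The following is an added example, not code from the issue or from Mbed TLS. It derives the GCM pre-counter block Y0 for a non-96-bit IV with GHASH, once with the 64-bit big-endian length field the GCM specification defines (`0^64 || [len(IV)]_64`) and once with an encoding that writes only the low 32 bits of the bit length at bytes 12..15, which models the behaviour the report describes (the function names `length_block_spec`, `length_block_truncated` and `gcm_y0` are this example's own). The known-answer values are H and Y0 from test case 5 of McGrew and Viega's GCM specification (64-bit IV); the IV lengths used in the demonstration are constructed inputs.

```python
# Added example (not Mbed TLS code): GHASH-based derivation of the GCM
# pre-counter block Y0 for an IV whose length is not 96 bits, comparing the
# 64-bit length encoding required by the GCM specification with an encoding
# that keeps only the low 32 bits of the IV bit length.

# R = x^128 + x^7 + x^2 + x + 1 in GCM's reflected bit ordering.
_R = 0xE1000000000000000000000000000000


def gf128_mul(x: int, y: int) -> int:
    """Multiply two GF(2^128) elements (128-bit ints from big-endian blocks)
    with the bit-serial algorithm given in the GCM specification."""
    z = 0
    v = x
    for i in range(128):
        if (y >> (127 - i)) & 1:   # bit i of y, bit 0 being the leftmost
            z ^= v
        if v & 1:                   # rightmost bit set: reduce after the shift
            v = (v >> 1) ^ _R
        else:
            v >>= 1
    return z


def ghash(h: bytes, data: bytes) -> bytes:
    """GHASH_H over data, which must be a whole number of 16-byte blocks."""
    assert len(data) % 16 == 0
    hk = int.from_bytes(h, "big")
    x = 0
    for off in range(0, len(data), 16):
        x = gf128_mul(x ^ int.from_bytes(data[off:off + 16], "big"), hk)
    return x.to_bytes(16, "big")


def length_block_spec(iv_len_bytes: int) -> bytes:
    """0^64 || [len(IV)]_64: the final GHASH block the GCM spec defines."""
    return bytes(8) + (iv_len_bytes * 8).to_bytes(8, "big")


def length_block_truncated(iv_len_bytes: int) -> bytes:
    """Same block, but only the low 32 bits of the bit length land in bytes
    12..15 while bytes 8..11 stay zero (models the behaviour the issue
    describes; assumption of this example, not copied from Mbed TLS)."""
    bits = iv_len_bytes * 8
    return bytes(12) + (bits & 0xFFFFFFFF).to_bytes(4, "big")


def gcm_y0(h: bytes, iv: bytes, length_block=length_block_spec) -> bytes:
    """Y0 = GHASH_H(IV || 0^s || length block) for len(IV) != 96 bits."""
    assert len(iv) != 12, "a 96-bit IV is used directly as IV || 0^31 || 1"
    padded = iv + bytes((-len(iv)) % 16)      # zero-pad to a block boundary
    return ghash(h, padded + length_block(len(iv)))


# Known answer: H and Y0 from GCM specification test case 5 (64-bit IV).
H_TC5 = bytes.fromhex("b83b533708bf535d0aa6e52980d53b78")
IV_TC5 = bytes.fromhex("cafebabefacedbad")
Y0_TC5 = bytes.fromhex("c43a83c4c4badec4354ca984db252f7d")


def known_answer_ok() -> bool:
    return gcm_y0(H_TC5, IV_TC5) == Y0_TC5


def encodings_agree(iv_len_bytes: int) -> bool:
    """True when both encodings of len(IV) produce the same final block."""
    return length_block_spec(iv_len_bytes) == length_block_truncated(iv_len_bytes)


if __name__ == "__main__":
    print("known answer:", known_answer_ok())
    # 2^29 bytes is the smallest IV whose bit length (2^32) needs more than 32 bits.
    for n in (8, 60, 2**29 - 1, 2**29, 2**40):
        print(f"len(IV)={n} bytes: encodings agree = {encodings_agree(n)}")
```

For short IVs the two encodings coincide, so the truncated variant still reproduces the specification's Y0; from 2^29 bytes (2^32 bits) on, the final GHASH blocks differ. Hashing a 512 MiB IV is not needed to conclude that Y0 differs: Y0 is `(X ⊕ L) · H` for the last block L, and in a field a nonzero H times two different L values gives two different results.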