diff options
author | Jack Lloyd <[email protected]> | 2016-05-23 11:40:11 -0400 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2016-05-23 11:40:11 -0400 |
commit | 4f04a39d104a65d55762b6d03cf7ec21aac02ffa (patch) | |
tree | 15d7e446b44c932c938c4367c6f2facb8a63a0af /src/lib/modes/aead | |
parent | e4829225d91fd712ad70bb61f291b268f8d0d0d0 (diff) |
Fix GCM counter increment
GCM is defined as having a 32-bit counter, but CTR_BE incremented the
counter across the entire block. This caused incorrect results if
a very large message (2**39 bits) was processed, or if the GHASH
derived nonce ended up having a counter field near to 2**32
Thanks to Juraj Somorovsky for the bug report and repro.
Diffstat (limited to 'src/lib/modes/aead')
-rw-r--r-- | src/lib/modes/aead/gcm/gcm.cpp | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/lib/modes/aead/gcm/gcm.cpp b/src/lib/modes/aead/gcm/gcm.cpp index 1dc5efe4f..e23551cb4 100644 --- a/src/lib/modes/aead/gcm/gcm.cpp +++ b/src/lib/modes/aead/gcm/gcm.cpp @@ -168,7 +168,7 @@ GCM_Mode::GCM_Mode(BlockCipher* cipher, size_t tag_size) : m_ghash.reset(new GHASH); - m_ctr.reset(new CTR_BE(cipher)); // CTR_BE takes ownership of cipher + m_ctr.reset(new CTR_BE(cipher, 4)); // CTR_BE takes ownership of cipher if(m_tag_size != 8 && m_tag_size != 16) throw Invalid_Argument(name() + ": Bad tag size " + std::to_string(m_tag_size)); |