aboutsummaryrefslogtreecommitdiffstats
path: root/src/lib/modes/aead
diff options
context:
space:
mode:
authorJack Lloyd <[email protected]>2016-05-23 11:40:11 -0400
committerJack Lloyd <[email protected]>2016-05-23 11:40:11 -0400
commit4f04a39d104a65d55762b6d03cf7ec21aac02ffa (patch)
tree15d7e446b44c932c938c4367c6f2facb8a63a0af /src/lib/modes/aead
parente4829225d91fd712ad70bb61f291b268f8d0d0d0 (diff)
Fix GCM counter increment
GCM is defined as having a 32-bit counter, but CTR_BE incremented the counter across the entire block. This caused incorrect results if a very large message (2**39 bits) was processed, or if the GHASH derived nonce ended up having a counter field near to 2**32 Thanks to Juraj Somorovsky for the bug report and repro.
Diffstat (limited to 'src/lib/modes/aead')
-rw-r--r--src/lib/modes/aead/gcm/gcm.cpp2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/lib/modes/aead/gcm/gcm.cpp b/src/lib/modes/aead/gcm/gcm.cpp
index 1dc5efe4f..e23551cb4 100644
--- a/src/lib/modes/aead/gcm/gcm.cpp
+++ b/src/lib/modes/aead/gcm/gcm.cpp
@@ -168,7 +168,7 @@ GCM_Mode::GCM_Mode(BlockCipher* cipher, size_t tag_size) :
m_ghash.reset(new GHASH);
- m_ctr.reset(new CTR_BE(cipher)); // CTR_BE takes ownership of cipher
+ m_ctr.reset(new CTR_BE(cipher, 4)); // CTR_BE takes ownership of cipher
if(m_tag_size != 8 && m_tag_size != 16)
throw Invalid_Argument(name() + ": Bad tag size " + std::to_string(m_tag_size));