Hi,

I noticed in the following snippet from cipher_crypt() that the requested value to increment the invocation field by is one octet while section 7.1 in RFC5647 states that it should be eight. Under the covers in OpenSSL's aes_gcm_ctrl, I see that the value passed in of 1 is ignored and is substituted by a hard-coded 8. If the value of arg is ever honored by the underlying OpenSSL code, the way this is coded may cause failures when using AES-GCM ciphers.

Should cipher_crypt be updated to increment the value by 8 instead of 1?

    if (authlen) {
        u_char lastiv[1];

        if (authlen != cipher_authlen(cc->cipher))
            return SSH_ERR_INVALID_ARGUMENT;
        /* increment IV */
        if (!EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_IV_GEN,
            1, lastiv))
            return SSH_ERR_LIBCRYPTO_ERROR;
        *snip*

Thanks,
Peter
My understanding of the API is that the 1 means: copy out 1 byte of the IV before incrementing.

Peter P. <p.pan48711 at gmail.com> wrote on Mon. 7 Nov. 2016 at 23:46:
> Hi,
>
> I noticed in the following snippet from cipher_crypt() that the requested
> value to increment the invocation field by is one octet while section
> 7.1 in RFC5647 states that it should be eight. Under the covers in
> OpenSSL's aes_gcm_ctrl, I see that the value passed in of 1 is ignored and
> is substituted by a hard-coded 8. If the value of arg is ever honored by
> the underlying OpenSSL code, the way this is coded may cause failures when
> using AES-GCM ciphers.
>
> Should cipher_crypt be updated to increment the value by 8 instead of 1?
>
>     if (authlen) {
>         u_char lastiv[1];
>
>         if (authlen != cipher_authlen(cc->cipher))
>             return SSH_ERR_INVALID_ARGUMENT;
>         /* increment IV */
>         if (!EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_IV_GEN,
>             1, lastiv))
>             return SSH_ERR_LIBCRYPTO_ERROR;
>         *snip*
>
> Thanks,
> Peter
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
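To make the reply's reading of the control concrete, the following is an added C model (not OpenSSH's or OpenSSL's code; the function names and the constructed nonce values are mine) of an EVP_CTRL_GCM_IV_GEN-style operation on the RFC 5647 nonce: the arg only selects how many trailing IV bytes are copied out to the caller, while the increment is always applied to the 64-bit big-endian invocation counter in the last 8 bytes, with carries stopping before the 4-byte fixed field.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 5647 section 7.1: 12-byte nonce = 4-byte fixed field || 8-byte invocation counter. */
#define GCM_IVLEN 12

/* Increment the 64-bit big-endian invocation counter held in the last 8 bytes of iv.
 * The carry chain stops at the counter boundary, so the fixed field is never
 * touched and the counter wraps mod 2^64. */
static void invocation_counter_inc(uint8_t *iv, size_t ivlen)
{
    size_t i = ivlen;
    do {
        i--;
        if (++iv[i] != 0)
            return;            /* no carry out of this byte */
    } while (i > ivlen - 8);
}

/* Model (an assumption about the control's semantics, not OpenSSL source) of
 * EVP_CTRL_GCM_IV_GEN: copy the last `arg` bytes of the nonce about to be used
 * into out, then advance the counter. arg governs only the copy; the
 * increment width is fixed at 8 bytes. Returns 1 on success, 0 on bad input. */
static int gcm_iv_gen(uint8_t *iv, size_t ivlen, int arg, uint8_t *out)
{
    if (ivlen < 8 || arg < 1 || (size_t)arg > ivlen)
        return 0;
    memcpy(out, iv + ivlen - (size_t)arg, (size_t)arg);
    invocation_counter_inc(iv, ivlen);
    return 1;
}

/* Read the invocation counter back as an integer, for checks and display. */
static uint64_t invocation_counter_get(const uint8_t *iv, size_t ivlen)
{
    uint64_t v = 0;
    for (size_t i = ivlen - 8; i < ivlen; i++)
        v = (v << 8) | iv[i];
    return v;
}

int main(void)
{
    /* constructed nonce: fixed field 00000001, counter one step below wrap */
    uint8_t iv[GCM_IVLEN] = {0, 0, 0, 1, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
    uint8_t last[GCM_IVLEN];
    gcm_iv_gen(iv, GCM_IVLEN, 1, last);   /* arg = 1: one byte (0xff) copied out */
    printf("copied 0x%02x, counter now %llu, fixed field byte 3 = %u\n",
           last[0], (unsigned long long)invocation_counter_get(iv, GCM_IVLEN), iv[3]);
    return 0;
}
```

Running it shows the counter wrapping to 0 while the fixed field stays 00000001, which is the property the arg value of 1 in cipher_crypt() does not affect.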