
Possible bug in GCM/GMAC with (just) AAD of size unequal to block size


Maarten Bodewes

Nov 19, 2014, 8:12:54 PM
Hi all,

I would be very grateful if somebody could explain why the following problem occurs:

a test vector with an AAD of 20 bytes created an authentication tag that is not correct,
this could for instance be a padding bug in OpenSSL's GCM implementation.

The Bouncy Castle implementation does seem to generate the correct value for the same test vector.

I'll try and execute the code, but currently my openssl development environment is not up.

Regards,
Maarten

William McGovern

Nov 19, 2014, 9:22:15 PM
I built your code against 1.0.1j and got the expected result for the authtag on your test vector:

should be: c75b7832b2a2d9bd827412b6ef5769db
result is: c75b7832b2a2d9bd827412b6ef5769db

$ openssl version
OpenSSL 1.0.1j 15 Oct 2014

William McGovern

Nov 19, 2014, 9:27:06 PM
If I build against the native OpenSSL library in Ubuntu 12.04 that matches your version I get the same failure you are seeing:

should be: c75b7832b2a2d9bd827412b6ef5769db
result is: e5fb99cb5b9658aa5d2caa3308e0ce6c

$ /usr/bin/openssl version
OpenSSL 1.0.1 14 Mar 2012

It does seem to work correctly and give expected output when built on Ubuntu 14.04.

William McGovern

Nov 19, 2014, 10:16:02 PM
Looks like the version that is failing still has this bug:


There is also a workaround detailed in the ticket that you might be able to utilize if you don’t want to build a newer library version.

William McGovern

Nov 19, 2014, 10:27:02 PM

And one last reply… I implemented the workaround in your code and verified that it is now working as expected.

Add this to load zero length data after you load the AAD with EVP_EncryptUpdate and before EVP_EncryptFinal_ex:

    rc = EVP_EncryptUpdate(ctx, empty, &unused, empty, 0);
    assert(rc == 1);

The “empty” reference is just a dummy array (i.e. not a NULL pointer):

    u_char empty[] = {};

With this change you get the correct result for the authtag for your test vector:

should be: c75b7832b2a2d9bd827412b6ef5769db
result is: c75b7832b2a2d9bd827412b6ef5769db
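
The thread settles which build is wrong by comparing against a second implementation (Bouncy Castle). As an added example, not code from the thread or from OpenSSL, here is a dependency-free AES-128-GMAC reference for cross-checking an AAD-only tag when the AAD length is not a multiple of 16. The function names are this example's own, and it assumes a 16-byte key and a 12-byte IV, since the page does not give the test vector's key, IV or AAD.

```python
def _xt(a):  # multiply by x in GF(2^8), AES polynomial 0x11B
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1
def _gmul(a, b):  # GF(2^8) product, used only to build the S-box
    r = 0
    while b:
        r, a, b = r ^ (a if b & 1 else 0), _xt(a), b >> 1
    return r
SBOX = [0x63] * 256  # S(0) = 0x63; entries 1..255 are filled in below
for _x in range(1, 256):
    _inv = next(y for y in range(1, 256) if _gmul(_x, y) == 1)
    _rot = [((_inv << i) | (_inv >> (8 - i))) & 0xFF for i in range(5)]
    SBOX[_x] = _rot[0] ^ _rot[1] ^ _rot[2] ^ _rot[3] ^ _rot[4] ^ 0x63

def aes128_encrypt_block(key, block):
    w, rc = [list(key[i:i + 4]) for i in range(0, 16, 4)], 1
    for i in range(4, 44):  # key schedule: 44 words = 11 round keys
        t = w[i - 1]
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0], rc = t[0] ^ rc, _xt(rc)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    rk = [sum(w[4 * r:4 * r + 4], []) for r in range(11)]
    s = [a ^ b for a, b in zip(block, rk[0])]
    for r in range(1, 11):
        s = [SBOX[b] for b in s]
        s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]  # ShiftRows
        if r < 10:  # MixColumns (skipped in the last round)
            s = [_xt(s[c + j]) ^ _xt(s[c + (j + 1) % 4]) ^ s[c + (j + 1) % 4]
                 ^ s[c + (j + 2) % 4] ^ s[c + (j + 3) % 4]
                 for c in (0, 4, 8, 12) for j in range(4)]
        s = [a ^ b for a, b in zip(s, rk[r])]
    return bytes(s)

def _gf128_mul(x, y):  # GCM's bit-reflected GF(2^128) product
    z = 0
    for i in range(127, -1, -1):
        z ^= x if (y >> i) & 1 else 0
        x = (x >> 1) ^ (0xE1 << 120 if x & 1 else 0)
    return z
def ghash(h, aad, ct=b""):
    x = 0
    for data in (aad, ct):  # each input is zero-padded to 16 bytes on its own
        for off in range(0, len(data), 16):
            blk = data[off:off + 16].ljust(16, b"\0")
            x = _gf128_mul(x ^ int.from_bytes(blk, "big"), h)
    return _gf128_mul(x ^ (len(aad) * 8 << 64 | len(ct) * 8), h)
def gmac(key, iv, aad):  # AAD-only tag; assumes AES-128, 96-bit IV (example API)
    h = int.from_bytes(aes128_encrypt_block(key, bytes(16)), "big")
    ek_j0 = aes128_encrypt_block(key, iv + b"\x00\x00\x00\x01")
    return (ghash(h, aad) ^ int.from_bytes(ek_j0, "big")).to_bytes(16, "big")
```

Compare `gmac(key, iv, aad).hex()` for the vector under test with the library's "result is" line; the code is table-free and slow, so it suits known-answer checks rather than production use.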
