Re: Possible bug in GCM/GMAC with (just) AAD of size unequal to block size

Wed, 19 Nov 2014 19:27:49 -0800 

> On Nov 19, 2014, at 6:26 PM, William McGovern <w...@thaiglish.com> wrote:
> 
> 
>> On Nov 19, 2014, at 6:09 PM, William McGovern <w...@thaiglish.com 
>> <mailto:w...@thaiglish.com>> wrote:
>> 
>> 
>>> On Nov 19, 2014, at 5:03 PM, Maarten Bodewes <maarten.bode...@gmail.com 
>>> <mailto:maarten.bode...@gmail.com>> wrote:
>>> 
>>> Hi all,
>>> 
>>> I would be very grateful if somebody could explain why the following 
>>> problem occurs:
>>> 
>>> a test vector with an AAD of 20 bytes created an authentication tag that is 
>>> not correct,
>>> this could for instance be a padding bug in OpenSSL's GCM implementation.
>>> 
>>> Ref: http://stackoverflow.com/q/27023287/589259 
>>> <http://stackoverflow.com/q/27023287/589259>
>>> 
>>> The Bouncy Castle implementation does seem to generate the correct value 
>>> for the same test vector.
>>> 
>>> I'll try and execute the code, but currently my openssl development 
>>> environment is not up.
>>> 
>>> Regards,
>>> Maarten
>> 
>> I built your code against 1.0.1j and got the expected result for the authtag 
>> on your test vector:
>> 
>> should be: c75b7832b2a2d9bd827412b6ef5769db
>> result is: c75b7832b2a2d9bd827412b6ef5769db
>> 
>> $ openssl version
>> OpenSSL 1.0.1j 15 Oct 2014
>> 
> 
> If I build against the native OpenSSL library in Ubuntu 12.04 that matches 
> your version I get the same failure you are seeing:
> 
> should be: c75b7832b2a2d9bd827412b6ef5769db
> result is: e5fb99cb5b9658aa5d2caa3308e0ce6c
> 
> $ /usr/bin/openssl version
> OpenSSL 1.0.1 14 Mar 2012
> 
> It does seem to work correctly and give expected output when built on Ubuntu 
> 14.04.
> 

And one last reply… I implemented the workaround in your code and verified that 
it now working as expected.

Add this to load zero length data after you load the AAD with EVP_EncryptUpdate 
and before EVP_Encrypt_Final_ex:

    rc = EVP_EncryptUpdate(ctx, empty, &unused, empty, 0);
    assert(rc == 1);

The “empty” reference is just a dummy array (i.e. not a NULL pointer):

u_char empty[] = {};

With this change you get the correct result for the authtag for your test 
vector:

should be: c75b7832b2a2d9bd827412b6ef5769db
result is: c75b7832b2a2d9bd827412b6ef5769db

$ /usr/bin/openssl version
OpenSSL 1.0.1 14 Mar 2012

Reply via email to