Corrected GCM counter incrementation to use only 32-bits instead of 128-bits

Using 32-bits has the possibility to overwrite the IV in the first 12
bytes of the Y variable.

Found by Yawning Angel
Paul Bakker 2013-02-27 14:52:37 +01:00
parent e47b34bdc8
commit 3d2dc0f8e5
2 changed files with 3 additions and 1 deletions
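The difference between the two loops in this commit is easiest to see on a counter block whose low 32 bits are about to wrap. The C below is an added illustration, not PolarSSL's code: it reimplements both variants of the increment loop over a constructed 16-byte block (a hypothetical 12-byte nonce followed by a counter of 0xFFFFFFFF), counts how many bytes of the 12-byte prefix each variant modifies, and adds the length bound that a wrapping 32-bit counter makes necessary (NIST SP 800-38D caps GCM plaintext at 2^39 - 256 bits, i.e. 2^32 - 2 blocks). The block values and function names are assumptions for the demonstration only.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* inc32 as specified in NIST SP 800-38D: bytes 12..15 of the counter block
 * are a big-endian 32-bit counter. A carry out of byte 12 is discarded, so
 * bytes 0..11 (the IV when a 12-byte nonce is used) are never modified. */
static void gcm_inc32(unsigned char y[16])
{
    int i;
    for (i = 16; i > 12; i--)
        if (++y[i - 1] != 0)
            break;
}

/* The pre-fix loop: the carry propagates through all 16 bytes, so when the
 * low 32 bits wrap, byte 11 (part of the IV prefix) is incremented as well. */
static void gcm_inc128_prefix_clobbering(unsigned char y[16])
{
    int i;
    for (i = 16; i > 0; i--)
        if (++y[i - 1] != 0)
            break;
}

/* Constructed counter block (hypothetical values, not a test vector):
 * a 12-byte nonce followed by the counter 0xFFFFFFFF, one step from wrap. */
static const unsigned char kBlockAtWrap[16] = {
    0xA0, 0xA1, 0xA2, 0xA3, 0xA4, 0xA5, 0xA6, 0xA7, 0xA8, 0xA9, 0xAA, 0xAB,
    0xFF, 0xFF, 0xFF, 0xFF
};

/* Increment a copy of kBlockAtWrap with the chosen routine and return how
 * many of the 12 prefix bytes changed. The correct answer is 0. */
int prefix_bytes_changed(int use_128bit_carry)
{
    unsigned char y[16];
    int i, changed = 0;

    memcpy(y, kBlockAtWrap, sizeof y);
    if (use_128bit_carry)
        gcm_inc128_prefix_clobbering(y);
    else
        gcm_inc32(y);

    for (i = 0; i < 12; i++)
        if (y[i] != kBlockAtWrap[i])
            changed++;
    return changed;
}

/* The 32-bit counter field after one increment of kBlockAtWrap. Both
 * routines leave it at 0; the buggy one additionally damages byte 11. */
uint32_t counter_after_increment(int use_128bit_carry)
{
    unsigned char y[16];

    memcpy(y, kBlockAtWrap, sizeof y);
    if (use_128bit_carry)
        gcm_inc128_prefix_clobbering(y);
    else
        gcm_inc32(y);
    return ((uint32_t)y[12] << 24) | ((uint32_t)y[13] << 16) |
           ((uint32_t)y[14] << 8) | (uint32_t)y[15];
}

/* Because inc32 wraps rather than carries, a message longer than 2^32 - 2
 * blocks would reuse counter blocks (J0 and the tag block use two values).
 * SP 800-38D therefore limits plaintext to 2^39 - 256 bits = 2^36 - 32 bytes. */
int gcm_length_ok(uint64_t plaintext_bytes)
{
    const uint64_t max_bytes = ((uint64_t)1 << 36) - 32;
    return plaintext_bytes <= max_bytes;
}

int main(void)
{
    printf("inc32:         prefix bytes changed = %d\n", prefix_bytes_changed(0));
    printf("128-bit carry: prefix bytes changed = %d\n", prefix_bytes_changed(1));
    printf("2^36 - 32 bytes allowed: %d, one more byte: %d\n",
           gcm_length_ok(((uint64_t)1 << 36) - 32),
           gcm_length_ok(((uint64_t)1 << 36) - 31));
    return 0;
}
```

With a 12-byte nonce the counter starts at 1, so the wrap can only be reached by a message at the length limit; with any other IV length the initial block comes from GHASH and its low 32 bits can start anywhere, which is why the carry into byte 11 could appear on short messages and produce keystream that other GCM implementations do not reproduce.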


@ -3,6 +3,8 @@ PolarSSL ChangeLog
= Master = Master
Bugfix Bugfix
* Fixed memory leak in ssl_free() and ssl_reset() for active session * Fixed memory leak in ssl_free() and ssl_reset() for active session
* Corrected GCM counter incrementation to use only 32-bits instead of
128-bits (found by Yawning Angel)
Security Security
* Removed further timing differences during SSL message decryption in * Removed further timing differences during SSL message decryption in
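Review bot: the new entry is filed under Bugfix although this ChangeLog has a Security section directly below it, and it states only the mechanism ("use only 32-bits instead of 128-bits"), not the effect. Consider saying what a user sees: when the low 32 bits of the counter wrap, the old loop carried into the IV part of the counter block and produced keystream that other GCM implementations will not reproduce, whereas the new loop matches the inc32 function of NIST SP 800-38D. With a 12-byte IV the counter starts at 1 and the wrap is only reachable at the length limit; with other IV lengths the initial counter comes from GHASH and the wrap can occur on short messages, which is worth stating so readers know which inputs were affected.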


@ -263,7 +263,7 @@ int gcm_crypt_and_tag( gcm_context *ctx,
{ {
use_len = ( length < 16 ) ? length : 16; use_len = ( length < 16 ) ? length : 16;
for( i = 16; i > 0; i-- ) for( i = 16; i > 12; i-- )
if( ++y[i - 1] != 0 ) if( ++y[i - 1] != 0 )
break; break;
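Review bot: `i > 12` is a bare magic bound; a one-line comment that bytes 12..15 are the 32-bit counter (inc32 in NIST SP 800-38D) and that the carry out of byte 12 is intentionally discarded would stop the next reader from "fixing" it back to `i > 0`. Also, now that the counter wraps instead of carrying, a message longer than 2^32 - 2 blocks would reuse counter blocks and hence keystream; the hunk shows no bound on `length` before `use_len = ( length < 16 ) ? length : 16;`, so confirm that the 2^39 - 256 bit plaintext limit is enforced at the API boundary (or add a check and a test that exercises the wrap with a non-12-byte IV, where the starting counter comes from GHASH and can be close to 0xFFFFFFFF).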