
Check on IV length of GCM


Nov 16, 2016 14:10
roberto

Good morning. I read in the GCM specification that the Initialization Vector "can have any number of bits between 1 and 2^64", but in the code I didn't find a check like if(iv_len != 0), and the check:

if( ( (uint64_t) iv_len  ) >> 61 != 0 ||
    ( (uint64_t) add_len ) >> 61 != 0 )
{
    return( NSUN_ERR_GCM_BAD_INPUT );
}

makes the end value of the range (2^64 bits) invalid. Is this a bug?

Thanks in advance.

 
Dec 8, 2016 09:35
Janos Follath

Hi Roberto,

The standard that defines GCM over TLS that we implement, RFC5288, references a NIST standard for GCM which defines the highest valid value as 2^64-1, so I don’t see a problem there (see subsection 5.2.1.1 on page 8).

On the other hand, as you said, the function mbedtls_gcm_starts() doesn’t seem to check if iv_len is zero and since the lowest valid value is 1, we have a minor bug here.

I have raised an issue on github for you, to track this. (We are going to give you credit for finding the bug in the Changelog, so if you want us to mention you by a different name or alias, please tell)

Kind regards,
Janos
mbed TLS Team Member
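The two bounds discussed in this thread, written out as an added example that is not code from the Mbed TLS library itself. The byte-count check is the one Roberto quoted (a byte length of 2^61 or more means a bit length of 2^64 or more, which NIST SP 800-38D does not allow); the zero-length guard is the one Janos agreed is missing. The function name, the error value and the uint64_t parameters are assumptions made for this example; the real mbedtls_gcm_starts() takes size_t lengths and casts them to uint64_t before shifting. A zero-length IV is worth rejecting for more than spec compliance: with an empty IV the GHASH-based derivation of the initial counter block is a GHASH over a single all-zero block, which is the zero block for every key.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical error code for this example only; the real library defines
 * its own MBEDTLS_ERR_GCM_BAD_INPUT value. */
#define GCM_EXAMPLE_BAD_INPUT (-0x0014)

/* Largest IV/AAD length in BYTES that the GCM spec permits: the bit length
 * must stay below 2^64, so the byte length must stay below 2^61. */
#define GCM_MAX_LEN_BYTES (((uint64_t)1) << 61)

/* Return 0 if (iv_len, add_len), both in bytes, are acceptable GCM inputs,
 * otherwise GCM_EXAMPLE_BAD_INPUT. Hypothetical helper, not a library API. */
int gcm_check_lengths(uint64_t iv_len, uint64_t add_len)
{
    /* Upper bound, as in the snippet quoted in the thread: shifting a byte
     * count right by 61 is non-zero exactly when the count is >= 2^61 bytes,
     * i.e. when the corresponding bit length would reach 2^64. The largest
     * accepted value is therefore 2^61 - 1 bytes, within the spec's limit of
     * 2^64 - 1 bits. */
    if ((iv_len >> 61) != 0 || (add_len >> 61) != 0)
        return GCM_EXAMPLE_BAD_INPUT;

    /* Lower bound that the thread found missing: the IV must be at least one
     * bit long, so a zero byte length is rejected. The AAD may be empty. */
    if (iv_len == 0)
        return GCM_EXAMPLE_BAD_INPUT;

    return 0;
}

int main(void)
{
    /* Constructed boundary cases: the recommended 96-bit IV, an empty IV,
     * and the byte counts on either side of the 2^61 limit. */
    printf("iv=12, aad=0        -> %d\n", gcm_check_lengths(12, 0));
    printf("iv=0,  aad=0        -> %d\n", gcm_check_lengths(0, 0));
    printf("iv=2^61-1, aad=0    -> %d\n", gcm_check_lengths(GCM_MAX_LEN_BYTES - 1, 0));
    printf("iv=2^61,   aad=0    -> %d\n", gcm_check_lengths(GCM_MAX_LEN_BYTES, 0));
    printf("iv=12, aad=2^61     -> %d\n", gcm_check_lengths(12, GCM_MAX_LEN_BYTES));
    return 0;
}
```

The order of the two checks does not matter for correctness; the upper-bound test is kept first so the code mirrors the library snippet quoted above, with the zero-length guard added immediately after it.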