
check on IV length of GCM

Nov 16, 2016 14:10

Good morning, I read in the GCM specification that the Initialization Vector "can have any number of bits between 1 and 2^64", but in the code I didn't find a control like if(iv_len != 0), and the control:

/* IV and AD are limited to 2^64 bits, i.e. 2^61 bytes */
if( ( (uint64_t) iv_len  ) >> 61 != 0 ||
    ( (uint64_t) add_len ) >> 61 != 0 )
    return( NSUN_ERR_GCM_BAD_INPUT );

makes the end value of the range (2^64 bits) not valid. Is it a bug?

Thanks in advance.

Dec 8, 2016 09:35
Janos Follath

Hi Roberto,

The standard that defines GCM over TLS that we implement, RFC5288, references a NIST standard for GCM which defines the highest valid value as 2^64-1, so I don’t see a problem there (see subsection on page 8).

On the other hand, as you said, the function mbedtls_gcm_starts() doesn’t seem to check if iv_len is zero and since the lowest valid value is 1, we have a minor bug here.

I have raised an issue on github for you, to track this. (We are going to give you credit for finding the bug in the Changelog, so if you want us to mention you by a different name or alias, please tell)

Kind regards,
mbed TLS Team Member
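The two checks discussed in this thread, written out as an added, self-contained example (not mbed TLS code): the existing upper bound, which rejects IV or AD lengths of 2^61 bytes or more (2^64 bits), and the missing lower bound, which rejects an empty IV. The error value is a constructed placeholder, not the library's MBEDTLS_ERR_GCM_BAD_INPUT constant.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed placeholder error code for this example only. */
#define EXAMPLE_ERR_GCM_BAD_INPUT (-0x0014)

/* Validate GCM input lengths given in bytes.
 * The spec allows an IV of 1 .. 2^64-1 bits and AD of 0 .. 2^64-1 bits.
 * In whole bytes that is 1 <= iv_len < 2^61 and add_len < 2^61.
 * Returns 0 when both lengths are acceptable, the error code otherwise. */
int gcm_check_lengths(uint64_t iv_len, uint64_t add_len)
{
    /* Upper bound from the thread: any value with bit 61 or above set
     * is >= 2^61 bytes, i.e. >= 2^64 bits, which cannot be encoded. */
    if( ( iv_len >> 61 ) != 0 || ( add_len >> 61 ) != 0 )
        return( EXAMPLE_ERR_GCM_BAD_INPUT );

    /* Lower bound that the reply identifies as missing: an empty IV is
     * not a valid GCM IV (minimum length is 1 bit). */
    if( iv_len == 0 )
        return( EXAMPLE_ERR_GCM_BAD_INPUT );

    return( 0 );
}

/* Convert a byte count to a bit count without wrapping. Returns 1 and
 * stores the bit length if it fits in 64 bits, 0 otherwise. This is why
 * the check above uses ">> 61" rather than comparing "len * 8": the
 * multiplication itself would overflow for len >= 2^61. */
int gcm_bytes_to_bits(uint64_t nbytes, uint64_t *nbits)
{
    if( ( nbytes >> 61 ) != 0 )
        return( 0 );
    *nbits = nbytes * 8;
    return( 1 );
}

int main(void)
{
    uint64_t bits = 0;
    printf("12-byte IV:   %d\n", gcm_check_lengths(12, 0));                   /* 0 */
    printf("empty IV:     %d\n", gcm_check_lengths(0, 0));                    /* error */
    printf("2^61-byte IV: %d\n", gcm_check_lengths((uint64_t) 1 << 61, 0));  /* error */
    if( gcm_bytes_to_bits(12, &bits) )
        printf("12 bytes = %llu bits\n", (unsigned long long) bits);
    return 0;
}
```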