Corrected GCM counter incrementation to use only 32-bits instead of 128-bits
Using 32-bits has the possibility to overwrite the IV in the first 12 bytes of the Y variable. Found by Yawning Angel
This commit is contained in:
Paul Bakker
parent
e47b34bdc8
commit
3d2dc0f8e5
2 changed files with 3 additions and 1 deletions
|
|
@ -3,6 +3,8 @@ PolarSSL ChangeLog
|
|||
= Master
|
||||
Bugfix
|
||||
* Fixed memory leak in ssl_free() and ssl_reset() for active session
|
||||
* Corrected GCM counter incrementation to use only 32-bits instead of
|
||||
128-bits (found by Yawning Angel)
|
||||
|
||||
Security
|
||||
* Removed further timing differences during SSL message decryption in
|
||||
|
|
|
|||
|
|
@ -263,7 +263,7 @@ int gcm_crypt_and_tag( gcm_context *ctx,
|
|||
{
|
||||
use_len = ( length < 16 ) ? length : 16;
|
||||
|
||||
for( i = 16; i > 0; i-- )
|
||||
for( i = 16; i > 12; i-- )
|
||||
if( ++y[i - 1] != 0 )
|
||||
break;
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue