Page MenuHome GnuPG

ntbtls: AEAD GCM nonce
Closed, ResolvedPublic


I read:

And it says The Counter fields of successive nonces form a monotonically increasing sequence, when those fields are regarded as unsigned integers in network byte order.

But our implementation is currently in host endian (in protocol.c), it only works well in big-endian platform, when counter is more than or equals to 1.

Event Timeline

gniibe triaged this task as Unbreak Now! priority.Feb 28 2022, 2:20 AM
gniibe created this task.

My reading was wrong; Indeed we use memcpy from out_ctr. But it increments in network byte order.
So, for AES-GCM, it works well.

Potentially, we would need a fix, though (for the semantics of out_ctr).

At least, we need to update this logic when we support TLS 1.3, which uses XORed counter and nonce.

gniibe lowered the priority of this task from Unbreak Now! to Normal.Feb 28 2022, 11:21 AM

In TLS 1.2, it refers RFC5116. In RFC5116, it says:

The Counter part SHOULD be equal to zero for the first nonce, and increment by one for each successive nonce that is generated.

So, current code is fine.