From fb3929aec7483fd5330939d22f1a2f094e4b115e Mon Sep 17 00:00:00 2001
From: AndrolGenhald
Date: Sat, 24 Feb 2018 17:18:23 -0600
Subject: [PATCH] GCM: Reset ghash in setIV instead of in setKey

---
 libraries/Crypto/GCM.cpp | 15 +++++----------
 1 file changed, 5 insertions(+), 10 deletions(-)

diff --git a/libraries/Crypto/GCM.cpp b/libraries/Crypto/GCM.cpp
index 9550d801..793c4c82 100644
--- a/libraries/Crypto/GCM.cpp
+++ b/libraries/Crypto/GCM.cpp
@@ -79,20 +79,11 @@ bool GCMCommon::setKey(const uint8_t *key, size_t len)
     // Set the encryption key for the block cipher.
     if (!blockCipher->setKey(key, len))
         return false;
-
-    // Construct the hashing key by encrypting a zero block.
-    memset(state.nonce, 0, 16);
-    blockCipher->encryptBlock(state.nonce, state.nonce);
-    ghash.reset(state.nonce);
     return true;
 }
 
 bool GCMCommon::setIV(const uint8_t *iv, size_t len)
 {
-    // Note: We assume that setKey() has already been called to
-    // set the hashing key in the "ghash" object and that the
-    // hashing key itself is still stored in "state.nonce".
-
     // Format the counter block from the IV.
     if (len == 12) {
         // IV's of exactly 96 bits are used directly as the counter block.
@@ -109,7 +100,6 @@ bool GCMCommon::setIV(const uint8_t *iv, size_t len)
     ghash.update(sizes, sizeof(sizes));
     clean(sizes);
     ghash.finalize(state.counter, 16);
-    ghash.reset(state.nonce);
 }
 
 // Reset the GCM object ready to process auth or payload data.
@@ -118,6 +108,11 @@ bool GCMCommon::setIV(const uint8_t *iv, size_t len)
     state.dataStarted = false;
     state.posn = 16;
 
+    // Construct the hashing key by encrypting a zero block.
+    memset(state.nonce, 0, 16);
+    blockCipher->encryptBlock(state.nonce, state.nonce);
+    ghash.reset(state.nonce);
+
     // Replace the hash key in "nonce" with the encrypted counter.
     // This value will be XOR'ed with the final authentication hash
     // value in computeTag().
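Review bot: In the non-96-bit IV path of setIV(), `ghash.update(sizes, sizeof(sizes))` and `ghash.finalize(state.counter, 16)` now run before the hash key is installed, because the `ghash.reset(state.nonce)` removed in the second hunk is replaced only by the reset added in the third hunk, which executes after the IV has already been hashed. On the first setIV() after setKey() the GHASH of such an IV is therefore computed with whatever key the ghash object held before (presumably stale or from the previous key), so the derived counter block, keystream and tag would be wrong for that call and would differ from what a later setIV() with the same key produces. The zero-block encryption should be moved to the top of setIV() ahead of the `if (len == 12)` test, and the `ghash.reset(state.nonce)` after `ghash.finalize` should be restored so the hash object is re-keyed for the AAD/payload once the IV hash has been finalized; the "Replace the hash key in nonce" comment further down then still holds. The 96-bit branch and the rest of setIV() lie outside the hunks, so the exact shape of the finalize branch is inferred from the closing brace in the second hunk.
```cpp
bool GCMCommon::setIV(const uint8_t *iv, size_t len)
{
    // Construct the hashing key by encrypting a zero block.  This must
    // precede the IV formatting below so that a non-96-bit IV is hashed
    // under the key that setKey() installed, not a stale ghash key.
    memset(state.nonce, 0, 16);
    blockCipher->encryptBlock(state.nonce, state.nonce);
    ghash.reset(state.nonce);

    // Format the counter block from the IV.
    if (len == 12) {
        // … unchanged: 96-bit IV used directly as the counter block …
    } else {
        // … unchanged: GHASH of the IV and its length …
        ghash.finalize(state.counter, 16);
        ghash.reset(state.nonce);   // re-key for the AAD/payload hash
    }
    // … unchanged: state reset; the four lines added after state.posn = 16 are dropped …
```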