[strongSwan] AES-GCM-16: payload length is not multiple of a blocksize

Mike Belopuhov mkb at crypt.org.ru
Fri Aug 13 14:38:29 CEST 2010

On Fri, Aug 13, 2010 at 09:03 +0200, Andreas Steffen wrote:
> Hello Mike,
> according to GCM ESP RFC 4106
>   http://tools.ietf.org/html/rfc4106#section-3
> esp=aes128gcm16 packs an 8 octet IV in front of
> the ciphertext which has the same size as the plaintext
> padded to the next 4 octet boundary, followed by
> the 16 octet ICV. Since AES-GCM is a stream cipher
> the plaintext data does not have to be padded to
> a 16 octet block size. Therefore it is normal that the
> size of the ciphertext is not a multiple of 16 octets.
> Paragraph 3.2 of RFC 4106 explicitly states:
>    Implementations that do not seek to hide the length of the plaintext
>    SHOULD use the minimum amount of padding required, which will be less
>    than four octets.
> It might be that OpenBSD is padding up to the next 16 octet boundary,
> though.
> Best regards
> Andreas

Indeed, thank you.  Works fine without this check (and I pad
it with zeros when passing it to the decryptor).
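
Added example, not part of the original thread and not OpenBSD or strongSwan code: the length arithmetic Andreas describes for esp=aes128gcm16, next to the multiple-of-16 check that rejects such packets. All function names are hypothetical, the 84 octet inner packet is a constructed sample, and the two trailer octets (pad length, next header) are assumed from the ESP format in RFC 4303.

```c
#include <stddef.h>
#include <stdio.h>

#define ESP_GCM_IV_LEN    8   /* explicit IV in front of the ciphertext (RFC 4106) */
#define ESP_GCM16_ICV_LEN 16  /* ICV length for aes128gcm16 */
#define ESP_ALIGN         4   /* ciphertext ends on a 4 octet boundary */
#define AES_BLOCK_LEN     16

/* Minimum padding: plaintext + padding + pad-length octet + next-header
 * octet must end on a 4 octet boundary, so the result is always < 4. */
static size_t esp_gcm_min_pad(size_t plain_len)
{
    return (ESP_ALIGN - ((plain_len + 2) % ESP_ALIGN)) % ESP_ALIGN;
}

/* Octets that follow SPI and sequence number: IV | ciphertext | ICV. */
static size_t esp_gcm16_payload_len(size_t plain_len)
{
    size_t ct = plain_len + esp_gcm_min_pad(plain_len) + 2;
    return ESP_GCM_IV_LEN + ct + ESP_GCM16_ICV_LEN;
}

/* Receiver-side sanity check for AES-GCM-16.
 * Returns the ciphertext length, or -1 if the payload is malformed. */
static long esp_gcm16_check_len(size_t payload_len)
{
    size_t ct;

    if (payload_len < ESP_GCM_IV_LEN + ESP_GCM16_ICV_LEN + ESP_ALIGN)
        return -1;                       /* too short for IV, trailer and ICV */
    ct = payload_len - ESP_GCM_IV_LEN - ESP_GCM16_ICV_LEN;
    if (ct % ESP_ALIGN != 0)
        return -1;                       /* not 4 octet aligned */
    return (long)ct;
}

/* Block-cipher style check: valid for CBC, wrong for GCM. */
static int block_multiple_check(size_t ct_len)
{
    return ct_len % AES_BLOCK_LEN == 0;
}

int main(void)
{
    size_t payload = esp_gcm16_payload_len(84);   /* constructed sample size */
    long ct = esp_gcm16_check_len(payload);

    printf("payload=%zu ciphertext=%ld multiple-of-16=%d\n",
           payload, ct, block_multiple_check((size_t)ct));
    return 0;
}
```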
