[strongSwan] AES-GCM-16: payload length is not multiple of a blocksize
Mike Belopuhov
mkb at crypt.org.ru
Fri Aug 13 14:38:29 CEST 2010
On Fri, Aug 13, 2010 at 09:03 +0200, Andreas Steffen wrote:
> Hello Mike,
>
> according to GCM ESP RFC 4106
>
> http://tools.ietf.org/html/rfc4106#section-3
>
> esp=aes128gcm16 packs an 8 octet IV in front of
> the ciphertext which has the same size as the plaintext
> padded to the next 4 octet boundary, followed by
> the 16 octet ICV. Since AES-GCM is a stream cipher
> the plaintext data does not have to be padded to
> a 16 octet block size. Therefore it is normal that the
> size of the ciphertext is not a multiple of 16 octets.
>
> Paragraph 3.2 of RFC 4106 explicitly states:
>
> Implementations that do not seek to hide the length of the plaintext
> SHOULD use the minimum amount of padding required, which will be less
> than four octets.
>
> It might be that OpenBSD is padding up to the next 16 octet boundary,
> though.
>
> Best regards
>
> Andreas
>
Indeed, thank you. Works fine without this check (and I pad
it with zeros when I pass it to the decryptor).
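The layout the thread settles on (8-octet IV, ciphertext the same length as the 4-octet-aligned plaintext, 16-octet ICV) is easy to get wrong on the receive side if an AES block-size check is carried over from CBC. The following is an added example, not code from the thread or from strongSwan or OpenBSD: it builds an RFC 4106 payload around a constructed inner packet, applies the correct 4-octet alignment check beside the 16-octet check that rejected valid packets, and validates the RFC 4303 trailer after decryption. The ciphertext is a length-preserving stand-in (XOR with a constant), not real AES-GCM output; the next-header value 4 and the inner packet contents are constructed sample values.

```python
from __future__ import annotations
from dataclasses import dataclass

IV_LEN = 8        # RFC 4106 section 3.1: explicit 8-octet IV precedes the ciphertext
ICV_LEN = 16      # aes128gcm16: 16-octet ICV follows the ciphertext
ESP_ALIGN = 4     # RFC 4303: plaintext incl. Pad Length and Next Header is 4-octet aligned
AES_BLOCK = 16    # AES block size; irrelevant to GCM payload length (GCM is a stream mode)


def esp_pad_len(inner_len: int) -> int:
    """Minimum padding (0..3) so that inner data + Pad Length + Next Header is 4-octet
    aligned; this is the "minimum amount of padding" RFC 4106 section 3.2 recommends."""
    return (-(inner_len + 2)) % ESP_ALIGN


def build_plaintext(inner: bytes, next_header: int) -> bytes:
    """Inner packet + padding + Pad Length + Next Header (the RFC 4303 ESP trailer)."""
    pad_len = esp_pad_len(len(inner))
    padding = bytes(range(1, pad_len + 1))  # RFC 4303 default padding: 1, 2, 3, ...
    return inner + padding + bytes([pad_len, next_header])


def build_payload(iv: bytes, ciphertext: bytes, icv: bytes) -> bytes:
    """ESP Payload Data as laid out in RFC 4106 section 3: IV || ciphertext || ICV."""
    if len(iv) != IV_LEN or len(icv) != ICV_LEN:
        raise ValueError("bad IV or ICV length")
    return iv + ciphertext + icv


@dataclass
class Parsed:
    iv: bytes
    ciphertext: bytes
    icv: bytes


def split_payload(payload: bytes) -> Parsed:
    """Receiver side: split into IV, ciphertext and ICV and apply the correct length check.
    The ciphertext (same length as the plaintext) must be 4-octet aligned; alignment to the
    AES block size is not required for GCM."""
    if len(payload) < IV_LEN + ICV_LEN:
        raise ValueError("payload too short for IV and ICV")
    ct = payload[IV_LEN:len(payload) - ICV_LEN]
    if len(ct) % ESP_ALIGN != 0:
        raise ValueError("ciphertext length not a multiple of 4 octets")
    return Parsed(payload[:IV_LEN], ct, payload[len(payload) - ICV_LEN:])


def wrong_blocksize_check(payload: bytes) -> bool:
    """The kind of check the poster removed: accepts only ciphertext whose length is a
    multiple of the AES block size. Wrong for GCM, kept here to show what it rejects."""
    return (len(payload) - IV_LEN - ICV_LEN) % AES_BLOCK == 0


def strip_trailer(plaintext: bytes) -> tuple[bytes, int]:
    """After decryption: validate and remove the trailer, return (inner packet, next_header)."""
    if len(plaintext) < 2:
        raise ValueError("plaintext too short for ESP trailer")
    pad_len, next_header = plaintext[-2], plaintext[-1]
    if pad_len > len(plaintext) - 2:
        raise ValueError("Pad Length exceeds plaintext")
    body, padding = plaintext[:-2 - pad_len], plaintext[-2 - pad_len:-2]
    if padding != bytes(range(1, pad_len + 1)):
        raise ValueError("padding bytes do not match RFC 4303 default")
    return body, next_header


def demo(inner_len: int) -> dict:
    """Build a payload for a constructed inner packet of inner_len octets and run both checks.
    The ciphertext is a same-length stand-in (XOR with a constant), NOT real AES-GCM output;
    only the lengths matter for the point under discussion."""
    inner = bytes([0x41]) * inner_len                     # constructed inner packet
    pt = build_plaintext(inner, next_header=4)            # 4 = IP-in-IP, a sample value
    ct = bytes(b ^ 0x5A for b in pt)                      # length-preserving stand-in
    payload = build_payload(bytes(IV_LEN), ct, bytes(ICV_LEN))
    parsed = split_payload(payload)                       # correct 4-octet check passes
    body, nh = strip_trailer(bytes(b ^ 0x5A for b in parsed.ciphertext))
    return {
        "plaintext_len": len(pt),
        "ciphertext_len": len(parsed.ciphertext),
        "payload_len": len(payload),
        "multiple_of_16": wrong_blocksize_check(payload),
        "roundtrip_ok": body == inner and nh == 4,
    }


if __name__ == "__main__":
    for n in (40, 42, 43, 62):
        print(n, demo(n))
```

For an inner packet of 40 octets the plaintext becomes 44 octets (two padding bytes plus the two trailer fields), so the 16-octet check fails even though the packet is perfectly valid; only inner lengths that happen to pad out to a multiple of 16 (such as 62 or 43) pass it, which is why the check appeared to work intermittently.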