Synss / python-mbedtls

Cryptographic library with an mbed TLS back end
MIT License

AES GCM 128 and 256 fails TAG test vector #77

Closed skelsec closed 1 year ago

skelsec commented 1 year ago

NOTE: Please use stackoverflow for support questions. This repository's issues are reserved for feature requests and bug reports.

I am submitting a …

Description

AES GCM 128 and 256 fails TAG test vector.

AES GCM 128 test vector:

key = '00000000000000000000000000000000'
nonce = '000000000000000000000000'
plaintext = ''
ciphertext = ''
adata = ''
mac = '58e2fccefa7e3061367f1d57a4e7455a'

AES256 GCM test vector:

key = '0000000000000000000000000000000000000000000000000000000000000000'
nonce = '000000000000000000000000'
plaintext = ''
ciphertext = ''
adata = ''
mac = '530f8afbc74536b9a963b4f1c4cb738b'

Current behavior

When trying to perform encryption with the above test vectors, the module produces the following error:

CIPHER - Decryption of block requires a full block

Also note that the error message specifies DECRYPTION but it's an encryption operation.

Expected behavior

Passing the test :)

Steps to reproduce

  1. pip install python-mbedtls
  2. Execute the sample script

Minimal demo of the problem

from mbedtls import cipher as mbedcipher

# AES-128 GCM test vector from above: empty plaintext, empty associated data
key = bytes.fromhex('00000000000000000000000000000000')
nonce = bytes.fromhex('000000000000000000000000')
plaintext = b''
ciphertext = b''
adata = b''
mac = bytes.fromhex('58e2fccefa7e3061367f1d57a4e7455a')  # expected tag for the 128-bit key

cipherobj = mbedcipher.AES.new(key, mbedcipher.MODE_GCM, nonce, adata)
cipherobj.encrypt(plaintext)  # raises the error shown under "Current behavior"

Other information

This test passes on the cryptography, pycryptodome, pycryptodomex, and pyaes modules.

Synss commented 1 year ago

Thank you for reporting! Looking at the code and my tests, I apparently thought it was dumb to encrypt nothing (0-length string) and strictly forbidding it would make my life with pointers slightly easier. Of course, that's not correct. 😅

Fix is coming.

Synss commented 1 year ago

Hi! The fix has just been released with 2.6.1.
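Why the two expected tags in the report have the values they do, as an added example that is not part of the issue thread or of python-mbedtls: with empty plaintext and empty associated data, GHASH runs over a single all-zero length block and yields zero, so the GCM tag is just the AES encryption of the pre-counter block `nonce || 00000001`. The pure-Python AES and the names `aes_encrypt_block` and `gcm_tag_empty` are constructed for this illustration; only 96-bit nonces and 16- or 32-byte keys are handled.

```python
def xtime(a):  # multiply by x in GF(2^8), reduced by the AES polynomial
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1

def gmul(a, b):  # full GF(2^8) product, needed only to build the S-box
    p = 0
    while b:
        p, a, b = p ^ (a if b & 1 else 0), xtime(a), b >> 1
    return p

def build_sbox():  # field inverse followed by the FIPS-197 affine map
    inv = [0] + [next(y for y in range(1, 256) if gmul(x, y) == 1) for x in range(1, 256)]
    rotl = lambda b, i: ((b << i) | (b >> (8 - i))) & 0xFF
    return [b ^ rotl(b, 1) ^ rotl(b, 2) ^ rotl(b, 3) ^ rotl(b, 4) ^ 0x63 for b in inv]
SBOX = build_sbox()

def expand_key(key):  # FIPS-197 key schedule, returned as a list of 4-byte words
    nk, rcon = len(key) // 4, 1
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    for i in range(nk, 4 * (nk + 7)):
        t = w[i - 1]
        if i % nk == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = xtime(rcon)
        elif nk > 6 and i % nk == 4:  # extra SubWord step for 256-bit keys
            t = [SBOX[b] for b in t]
        w.append([a ^ b for a, b in zip(w[i - nk], t)])
    return w

def aes_encrypt_block(key, block):
    w, nr = expand_key(key), len(key) // 4 + 6
    rk = lambda r: [b for word in w[4 * r:4 * r + 4] for b in word]
    s = [a ^ b for a, b in zip(block, rk(0))]
    for r in range(1, nr + 1):
        s = [SBOX[b] for b in s]  # SubBytes
        s = [s[4 * ((c + i) % 4) + i] for c in range(4) for i in range(4)]  # ShiftRows
        if r < nr:  # MixColumns, skipped in the final round
            s = [xtime(s[c + i]) ^ xtime(s[c + (i + 1) % 4]) ^ s[c + (i + 1) % 4]
                 ^ s[c + (i + 2) % 4] ^ s[c + (i + 3) % 4]
                 for c in (0, 4, 8, 12) for i in range(4)]
        s = [a ^ b for a, b in zip(s, rk(r))]  # AddRoundKey
    return bytes(s)

def gcm_tag_empty(key, nonce):
    # Empty P and A: GHASH sees only the zero length block, so S = 0 and
    # the tag is E_K(J0), where J0 = nonce || 0x00000001 for a 96-bit nonce.
    if len(nonce) != 12:
        raise ValueError("only 96-bit nonces are handled here")
    return aes_encrypt_block(key, nonce + b"\x00\x00\x00\x01")
```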