mina-dev mailing list archives

From GitBox <...@apache.org>
Subject [GitHub] [mina-sshd] jvz commented on a change in pull request #173: Fix incrementing the invocation_counter part of the IV.
Date Tue, 13 Oct 2020 15:30:53 GMT

jvz commented on a change in pull request #173:
URL: https://github.com/apache/mina-sshd/pull/173#discussion_r504049396

File path: sshd-common/src/main/java/org/apache/sshd/common/cipher/BaseGCMCipher.java
@@ -78,19 +78,25 @@ public void update(byte[] input, int inputOffset, int inputLen) throws
     protected static class CounterGCMParameterSpec extends GCMParameterSpec {
         protected final byte[] iv;
+        protected final long initialCounter;
         protected CounterGCMParameterSpec(int tLen, byte[] src) {
             super(tLen, src);
             if (src.length != 12) {
                 throw new IllegalArgumentException("GCM nonce must be 12 bytes, but given
len=" + src.length);
             iv = src.clone();
+            initialCounter = BufferUtils.getLong(iv, iv.length - Long.BYTES, Long.BYTES);
         protected void incrementCounter() {
             int off = iv.length - Long.BYTES;
             long counter = BufferUtils.getLong(iv, off, Long.BYTES);
-            BufferUtils.putLong(Math.addExact(counter, 1L), iv, off, Long.BYTES);
+            long newCounter = counter + 1L;
+            if (newCounter == initialCounter) {
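Review bot: in incrementCounter(), replacing Math.addExact with plain `counter + 1L` means the signed overflow at Long.MAX_VALUE now wraps silently, so the `newCounter == initialCounter` comparison is the only remaining guard against reusing a nonce. A short comment on `initialCounter` and on the comparison would help: say that the wrap is intentional and that reaching the initial value again means every counter value has been used under this key. The offset `iv.length - Long.BYTES` is also computed separately in the constructor and in incrementCounter(); a single named constant or field would keep the two in step.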

Review comment:
There doesn't seem to be any harm in adding this check, but the way that SSH works would force a rekey event well before this counter would ever loop back to where it started (rekey events happen far more often than every 2^64 packets).

This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
