Thanks for confirming and providing the work-around. Do you see any problems with the proposed patch, which could still be applied to the 1.0.1 trunk to avoid the work-around for non-FIPS users?
On 08/03/2012 09:10 AM, Stephen Henson via RT wrote: >> [fol...@cisco.com - Fri Aug 03 10:51:37 2012]: >> >> Under these conditions, the remaining AAD bytes beyond the last 16 byte >> block are never hashed. This results in a TAG mismatch when finalizing >> the decrypt operation. The problem can be easily reproduced by running >> the following command using the attached test vector file: >> > I can confirm the results. There is an alternative which doesn't involve > any changes to the validated algorithm code though. > > If you make a call to EVP_Cipher with non-NULL input and output buffers > and the length set to zero this case should then be handled correctly. I > made a small modification to fips_gcmtest.c to confirm this. > > Steve.
<<inline: foleyj.vcf>>