Fix s_ocb_done aliasing bug in decrypt path#723
Merged
sjaeckel merged 1 commit intolibtom:developfrom Apr 15, 2026
Merged
Conversation
In decrypt mode (mode==1), s_ocb_done was XORing `ct[x]` into the checksum before writing the output. The function's parameter names are misleading (the header comment notes pt/ct really mean in/out), so in decrypt mode `ct` is the not-yet-written *output* buffer and `pt` is the *input* ciphertext. Reading from `ct` only worked when callers aliased the input and output buffers (in-place decryption), as the self-test does. Callers passing distinct buffers got CRYPT_OK with stat=0 -- correct plaintext but failed tag verification. Fix by reading from `pt[x]` (the input). Add a separate-buffer regression case to ocb_test that runs against every existing test vector and was confirmed to fail without the fix. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
cyanogilvie
force-pushed
the
fix/ocb-decrypt-aliasing
branch
from
b4dc275 to
8c68d99
Compare
Member
|
TBH I'm not sure whether we should maybe retire OCB v1 after taking this patch? Apparently nobody's using it and it has been superseded by OCB v3 for over a decade. Then there's the question whether we accept code written by an ML? I'm not sure about it overall, but for trivial fixes like this I don't see a good reason to decline it. @karel-m what do you think? |
Member
|
I agree that OCBv1 is obsolete; I am fine with removing it. I prefer that we stick to standards and here the standard is RFC 7253 (= OCBv3). I see no issue with code produced using AI-assisted development tools such as Claude/Codex. A malicious developer can produce poor, unsafe or even stolen code with or without them. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
I'm preparing a new release of my Tcl wrapper of libtomcrypt and hit an ocb decrypt issue while having Claude write a skill file for the package, which it tracked back to libtomcrypt and fixed here. I don't know what this project's policy is on AI generated code, but I've reviewed it and the analysis appears correct (and boils down to a single character fix). The message below and the commit were authored by Claude:
In decrypt mode (mode==1), s_ocb_done was XORing
ct[x]into the checksum before writing the output. The function's parameter names are misleading (the header comment notes pt/ct really mean in/out), so in decrypt modectis the not-yet-written output buffer andptis the input ciphertext. Reading fromctonly worked when callers aliased the input and output buffers (in-place decryption), as the self-test does. Callers passing distinct buffers got CRYPT_OK with stat=0 — correct plaintext but failed tag verification.Fix by reading from
pt[x](the input). Add a separate-buffer regression case to ocb_test that runs against every existing test vector and was confirmed to fail without the fix.Checklist