Hi Stephen, I could not spot in the kernel where we are computing GHASH when the IV is bigger than 12 Bytes for GCM encryption. libkcapi and kernel appears to ignore the bytes beyond 12th byte in the IV. SO the o/p is same with iv=12 bytes or iv=128 bytes as can be seen below: jlulla@ubuntu:~/libkcapi-1.0.3/bin$ ./kcapi -x 2 -e -c "gcm(aes)" -k 88768354df414ce4097f4d357837116685beee0d93aab343576b893088256260 -i f649d375e4e896397a8a96cbb847fbf45cb54132c76baf814f4e35e9f7737f16d5cd710370f143612b46724bbdded2a26264b90a91f5ed425d08d317f49a56828fcfeb9ebe1bc53117bb4156c2e99d70b238dd9166cc05906719818022c75957d25ad9c36c93ce2626248c783e0207c35db74996f47d096c3cafe701a38154ce -a "" -p "" -l 16 output (with 128 Byte IV): cb35642763e3a112857acc7aeab15720 jlulla@ubuntu:~/libkcapi-1.0.3/bin$ ./kcapi -x 2 -e -c "gcm(aes)" -k 88768354df414ce4097f4d357837116685beee0d93aab343576b893088256260 -i f649d375e4e896397a8a96cb -a "" -p "" -l 16 output (with 12 byte IV): cb35642763e3a112857acc7aeab15720 The standard says something different as can be seen here Algorithm 4's step 2 [page 15] https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf Freebsd's aes_gcm_prepare_j0() seems to be doing what is expected https://github.com/lattera/freebsd/blob/master/contrib/wpa/src/crypto/aes-gcm.c Does linux have any corresponding function? thanks Jitendra
