Computing GHASH for GCM when IV > 12 Bytes

Hi Stephen,

I could not spot in the kernel where we are computing GHASH when the
IV is bigger than 12 Bytes for GCM encryption.

libkcapi and the kernel appear to ignore the bytes beyond the 12th byte in the IV.
So the output is the same with iv=12 bytes or iv=128 bytes, as can be seen below:

jlulla@ubuntu:~/libkcapi-1.0.3/bin$ ./kcapi -x 2 -e -c "gcm(aes)" -k
88768354df414ce4097f4d357837116685beee0d93aab343576b893088256260 -i
f649d375e4e896397a8a96cbb847fbf45cb54132c76baf814f4e35e9f7737f16d5cd710370f143612b46724bbdded2a26264b90a91f5ed425d08d317f49a56828fcfeb9ebe1bc53117bb4156c2e99d70b238dd9166cc05906719818022c75957d25ad9c36c93ce2626248c783e0207c35db74996f47d096c3cafe701a38154ce
-a "" -p "" -l 16

output (with 128 Byte IV): cb35642763e3a112857acc7aeab15720

jlulla@ubuntu:~/libkcapi-1.0.3/bin$ ./kcapi -x 2 -e -c "gcm(aes)" -k
88768354df414ce4097f4d357837116685beee0d93aab343576b893088256260 -i
f649d375e4e896397a8a96cb -a "" -p "" -l 16

output (with 12 byte IV): cb35642763e3a112857acc7aeab15720


The standard says something different, as can be seen in Algorithm
4's step 2 [page 15]:

https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf


FreeBSD's aes_gcm_prepare_j0() seems to be doing what is expected:
https://github.com/lattera/freebsd/blob/master/contrib/wpa/src/crypto/aes-gcm.c

Does Linux have any corresponding function?

thanks
Jitendra
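
The J0 derivation of SP 800-38D Algorithm 4 step 2 that the message above refers to, written out as an added example; it is not code from the kernel, libkcapi or FreeBSD. The names `gf128_mul`, `ghash_block` and `example_gcm_j0` are hypothetical, and the hash subkey H = E_K(0^128) is assumed to be computed by the caller with AES.

```c
#include <stdint.h>
#include <string.h>

/* z = x * y in GF(2^128), GCM bit order (SP 800-38D Algorithm 1). */
static void gf128_mul(const uint8_t x[16], const uint8_t y[16], uint8_t z[16])
{
    uint8_t v[16], r[16] = {0};
    memcpy(v, y, 16);
    for (int i = 0; i < 128; i++) {
        int lsb = v[15] & 1;
        if (x[i / 8] & (0x80 >> (i % 8)))      /* bit i of x, leftmost first */
            for (int j = 0; j < 16; j++) r[j] ^= v[j];
        for (int j = 15; j > 0; j--)           /* v >>= 1 over the 128-bit string */
            v[j] = (uint8_t)((v[j] >> 1) | (v[j - 1] << 7));
        v[0] = (uint8_t)((v[0] >> 1) ^ (lsb ? 0xe1 : 0)); /* R = 11100001 || 0^120 */
    }
    memcpy(z, r, 16);
}

/* One GHASH step: y = (y XOR blk) * H. */
static void ghash_block(uint8_t y[16], const uint8_t blk[16], const uint8_t h[16])
{
    for (int j = 0; j < 16; j++) y[j] ^= blk[j];
    gf128_mul(y, h, y);
}

/* Hypothetical helper: J0 per Algorithm 4 step 2; h = E_K(0^128) comes from the caller. */
int example_gcm_j0(const uint8_t h[16], const uint8_t *iv, size_t iv_len, uint8_t j0[16])
{
    uint8_t blk[16] = {0};
    size_t off = 0;
    if (iv_len == 0) return -1;                /* the standard requires a non-empty IV */
    if (iv_len == 12) {                        /* 96-bit IV: J0 = IV || 0^31 || 1 */
        memcpy(j0, iv, 12);
        memcpy(j0 + 12, "\0\0\0\1", 4);
        return 0;
    }
    memset(j0, 0, 16);      /* else J0 = GHASH_H(IV || 0^(s+64) || [len(IV)]_64) */
    for (; off + 16 <= iv_len; off += 16)
        ghash_block(j0, iv + off, h);
    if (off < iv_len) {                        /* zero-padded final partial block */
        memcpy(blk, iv + off, iv_len - off);
        ghash_block(j0, blk, h);
    }
    memset(blk, 0, 16);
    for (int j = 0; j < 8; j++)                /* 64-bit big-endian IV length in bits */
        blk[15 - j] = (uint8_t)(((uint64_t)iv_len * 8) >> (8 * j));
    ghash_block(j0, blk, h);
    return 0;
}
```

With empty AAD and empty plaintext, as in the two commands above, the GCM tag reduces to E_K(J0), so two identical tags mean the same J0 was used for both IVs.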


