Am Donnerstag, 16. August 2018, 09:14:59 CEST schrieb Jitendra Lulla: Hi Jitendra, > Hi Stephen, > > I could not spot in the kernel where we are computing GHASH when the > IV is bigger than 12 Bytes for GCM encryption. > > libkcapi and kernel appears to ignore the bytes beyond 12th byte in the IV. > SO the o/p is same with iv=12 bytes or iv=128 bytes as can be seen below: > > jlulla@ubuntu:~/libkcapi-1.0.3/bin$ ./kcapi -x 2 -e -c "gcm(aes)" -k > 88768354df414ce4097f4d357837116685beee0d93aab343576b893088256260 -i > f649d375e4e896397a8a96cbb847fbf45cb54132c76baf814f4e35e9f7737f16d5cd710370f1 > 43612b46724bbdded2a26264b90a91f5ed425d08d317f49a56828fcfeb9ebe1bc53117bb4156 > c2e99d70b238dd9166cc05906719818022c75957d25ad9c36c93ce2626248c783e0207c35db7 > 4996f47d096c3cafe701a38154ce -a "" -p "" -l 16 > > output (with 128 Byte IV): cb35642763e3a112857acc7aeab15720 > > jlulla@ubuntu:~/libkcapi-1.0.3/bin$ ./kcapi -x 2 -e -c "gcm(aes)" -k > 88768354df414ce4097f4d357837116685beee0d93aab343576b893088256260 -i > f649d375e4e896397a8a96cb -a "" -p "" -l 16 > > output (with 12 byte IV): cb35642763e3a112857acc7aeab15720 > > > The standard says something different as can be seen here Algorithm > 4's step 2 [page 15] > > https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pd > f > > > Freebsd's aes_gcm_prepare_j0() seems to be doing what is expected > https://github.com/lattera/freebsd/blob/master/contrib/wpa/src/crypto/aes-gc > m.c > > Does linux have any corresponding function? GCM implemented in the kernel only supports IVs with 12 bytes as defined by GCM_AES_IV_SIZE. There is no GHASH operation of the IV if it is larger. Most implementations simply copy only 12 bytes from the IV irrespective whether the IV is larger. Libkcapi will only consume the IV size specified by the kernel: uint32_t iv_msg_size = handle->cipher.iv ? CMSG_SPACE(sizeof(*alg_iv) + tfm->info.ivsize) : 0; Ciao Stephan
