On Fri, Jul 19, 2019 at 02:05:01PM +0000, Pascal Van Leeuwen wrote:
> Hi,
>
> While implementing GHASH support for the inside-secure driver and wondering why I couldn't get
> the test vectors to pass I have come to the conclusion that ghash-generic.c actually does *not*
> implement GHASH at all. It merely implements the underlying chained GF multiplication, which,
> I understand, is convenient as a building block for e.g. aes-gcm but is NOT the full GHASH.
> Most importantly, it does NOT actually close the hash, so you can trivially add more data to the
> authenticated block (i.e. the resulting output cannot be used directly without external closing).
>
> GHASH is defined as GHASH(H,A,C) whereby you do this chained GF multiply on a block of AAD
> data padded to 16 byte alignment with zeroes, followed by a block of ciphertext padded to 16
> byte alignment with zeroes, followed by a block that contains both AAD and cipher length.
>
> See also https://en.wikipedia.org/wiki/Galois/Counter_Mode
>
> Regards,
> Pascal van Leeuwen
> Silicon IP Architect, Multi-Protocol Engines @ Verimatrix
> www.insidesecure.com
>

Yes that's correct. The hash APIs don't support multi-argument hashes, so
there's no natural way for it to be "full GHASH". So it relies on the caller
to format the AAD and ciphertext into a single stream. IMO it really should
be called something like "ghash_core".

Do you have some question or suggestion, or was this just an observation?

- Eric
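The distinction discussed in this thread, as an added reference implementation that is not code from the kernel or from either poster: `ghash_core` is the bare chained GF(2^128) multiply (what ghash-generic.c exposes), and `ghash_full` is GHASH(H,A,C) with the zero padding and the closing length block the caller has to supply. The check values are the H, C and GHASH(H,A,C) intermediates from test case 2 of the McGrew/Viega GCM specification (K = 0, IV = 0, P = 0^128); the helper names are this example's own.

```python
# GCM's GF(2^128): bit 0 is the MSB of byte 0, and the reduction
# constant R = 11100001 || 0^120 is the bit-reflected form of
# x^128 + x^7 + x^2 + x + 1.
R = 0xE1 << 120

def gf_mul(x: int, y: int) -> int:
    """Multiply two field elements held as 128-bit ints, GCM bit order."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:   # bit i of X, MSB first
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z

def ghash_core(h: bytes, data: bytes, state: bytes = bytes(16)) -> bytes:
    """Chained multiply over whole 16-byte blocks: Y_i = (Y_{i-1} ^ X_i) * H.
    No padding, no length block. 'state' resumes from an earlier output,
    which is exactly why the bare core is not a finished MAC."""
    assert len(data) % 16 == 0, "core only consumes whole blocks"
    hi = int.from_bytes(h, "big")
    y = int.from_bytes(state, "big")
    for off in range(0, len(data), 16):
        y = gf_mul(y ^ int.from_bytes(data[off:off + 16], "big"), hi)
    return y.to_bytes(16, "big")

def pad16(b: bytes) -> bytes:
    """Zero-pad to a multiple of 16 bytes (no-op if already aligned)."""
    return b + bytes(-len(b) % 16)

def ghash_full(h: bytes, aad: bytes, ct: bytes) -> bytes:
    """GHASH(H, A, C): pad A, pad C, then close with len(A) || len(C) in bits."""
    lengths = (len(aad) * 8).to_bytes(8, "big") + (len(ct) * 8).to_bytes(8, "big")
    return ghash_core(h, pad16(aad) + pad16(ct) + lengths)

def core_is_resumable(h: bytes, data: bytes, more: bytes) -> bool:
    """The core's output over 'data' can simply be continued over 'more'."""
    return ghash_core(h, data + more) == ghash_core(h, more, ghash_core(h, data))

def length_block_matters(h: bytes, blk: bytes) -> bool:
    """One block passed as AAD or as ciphertext feeds the core the same stream;
    only the closing length block tells the two apart."""
    same_core = ghash_core(h, pad16(blk) + pad16(b"")) == ghash_core(h, pad16(b"") + pad16(blk))
    return same_core and ghash_full(h, blk, b"") != ghash_full(h, b"", blk)

# GCM spec test case 2 intermediates (not page values): H = E_K(0^128), C, GHASH(H, {}, C).
H = bytes.fromhex("66e94bd4ef8a2c3b884cfa59ca342b2e")
C = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")
EXPECTED_GHASH = "f38cbb1ad69223dcc3457ae5b6b0f885"
```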