On Fri, Jul 19, 2019 at 02:48:11PM -0700, Eric Biggers wrote: > > > > > So are you proposing that it be renamed? Or are you proposing that a multi > > > argument hashing API be added? Or are you proposing that universal functions > > > not be exposed through the crypto API? What specifically is your constructive > > > suggestion to improve things? > > > > > I guess my constructive suggestion *for the future* would be to be more careful > > with the naming. Don't give something a "known" name if it does not comply with > > the matching specification. Renaming stuff now is probably counter-productive, > > but putting some remarks somewhere (near the actual test vectors may work?) > > about implementation x not actually being known entity X would be nice. > > (Or even just some reference on where the test vectors came from!) > > > > I think a comment at the top of ghash-generic.c would be helpful, similar to the > one I wrote in nhpoly1305.c explaining that particular algorithm. > > I'm surprised that you spent "days" debugging this, though. Since the API gives > you a single data stream, surely you would have had to check at some point how > the two formal arguments (AAD, ciphertext) were encoded into it? Were you just > passing the whole thing as the AAD or something? Also to reiterate, it actually > does implement the GHASH algorithm correctly; the two formal parameters just > have to be encoded into the single data stream in a particular way. > Hmm, NIST SP 800-38D actually defines GHASH to take one argument, same as the Linux version. So even outside Linux, there is no consensus on whether "GHASH" refers to the one argument or two argument versions. I.e. even if we had an API where the AAD and ciphertext were passed in separately, which is apparently what you'd prefer, people would complain that it doesn't match the NIST standard version. Of course, in the end the actually important thing is that everyone agrees on GCM, not that they agree on GHASH. - Eric