gcm.c question regarding the rfc4106 cipher suite

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi,

I recently watched some patches fly by fixing issues in other drivers regarding the checking
of supposedly illegal AAD sizes - i.e. to match the generic implementation there.
I followed that with some interest as I'm about to implement this for the inside-secure
driver.

And something puzzles me. These patches, as well as the generic driver, seem to expect
AAD lengths of 16 and 20. But to the best of my knowledge, and according to the actual
RFC, the AAD data for GCM for ESP is only 8 or 12 bytes, namely only SPI + sequence nr.

The IV is NOT part of the AAD according to the RFC. It's inserted in the encapsulated 
output but it's neither encrypted nor authenticated. (It doesn't need to be as it's 
already authenticated implicitly as its used to generate the ciphertext. Note that GMAC
(rfc4543) *does* have to authenticate the IV for this reason. But GCM doesn't ...)

So is this a bug or just some weird alternative way of providing the IV to the cipher?
(beyond the usual req->iv)

Regards,
Pascal van Leeuwen
Silicon IP Architect, Multi-Protocol Engines @ Verimatrix
www.insidesecure.com





[Index of Archives]     [Kernel]     [Gnu Classpath]     [Gnu Crypto]     [DM Crypt]     [Netfilter]     [Bugtraq]

  Powered by Linux