Hi, I recently watched some patches fly by fixing issues in other drivers regarding the checking of supposedly illegal AAD sizes - i.e. to match the generic implementation there. I followed that with some interest as I'm about to implement this for the inside-secure driver.
And something puzzles me. These patches, as well as the generic driver, seem to expect AAD lengths of 16 and 20. But to the best of my knowledge, and according to the actual RFC, the AAD data for GCM for ESP is only 8 or 12 bytes, namely only SPI + sequence nr. The IV is NOT part of the AAD according to the RFC. It's inserted in the encapsulated output but it's neither encrypted nor authenticated. (It doesn't need to be as it's already authenticated implicitly as its used to generate the ciphertext. Note that GMAC (rfc4543) *does* have to authenticate the IV for this reason. But GCM doesn't ...) So is this a bug or just some weird alternative way of providing the IV to the cipher? (beyond the usual req->iv) Regards, Pascal van Leeuwen Silicon IP Architect, Multi-Protocol Engines @ Verimatrix www.insidesecure.com
