How to implement aes{128,256}-gcm@openssh.com.

Stef Bon stefbon at gmail.com
Fri Jul 14 08:04:36 CEST 2023


Thanks a lot for answering,

The tag, can you compare it with the hmac integrity code?
And I cannot read this directly from the libssh code: is it
placed directly after the encrypted message, like the hmac code?

The iv, according to the libssh code is like:

4B   fixed iv
8B   packet counter
4B   block counter

The function gcry_cipher_authenticate adds the block counter after the
first 12 bytes.

I cannot see whether the iv is 12 bytes long (and libgcrypt copies it to
another buffer of 16 bytes) or whether it is 16 bytes already and libgcrypt
uses that without copying. Can someone shed some light here?

BTW, in the latest version of libgcrypt I see the function gcry_cipher_geniv(..)
but not in the version installed on my OS (Gentoo, libgcrypt
1.10.2-unknown). It's not a problem, I prefer creating this iv on a
higher level (in the code of my service).
The aes128-gcm@openssh.com cipher uses its own source file and I can
implement it there.

Stef
the Netherlands

On Thu, 13 Jul 2023 at 11:11, Jakub Jelen <jjelen at redhat.com> wrote:
>
> Hi,
> you can use the example from libssh, but note that it is using the
> "external counter" as at the time of implementing this, there was not
> the new API to allow "internal counter", which should be more
> straightforward using functions gcry_cipher_geniv() and
> gcry_cipher_setup_geniv() -- not sure if they are in any released
> versions yet.
>
> If you have any specific questions, please let me know.
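
The IV layout listed in the message above, as an added example (not code from libssh, libgcrypt or either poster): it advances the 8-byte packet counter with the caller-maintained "external counter" approach and splits a wire packet into AAD, ciphertext and tag. Assumptions: the 12-byte IV with the initial counter block IV || 0x00000001 follows NIST SP 800-38D for 96-bit IVs, the wire layout (4-byte cleartext length as AAD, ciphertext, 16-byte tag) follows RFC 5647, and all function and struct names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define GCM_IV_LEN  12  /* 4-byte fixed field + 8-byte packet counter */
#define GCM_TAG_LEN 16
#define GCM_BLOCK   16

/* Advance the IV for the next packet: bytes 4..11 are a big-endian
 * 64-bit counter; bytes 0..3 (the fixed field) are never touched. */
void ssh_gcm_iv_next(uint8_t iv[GCM_IV_LEN])
{
    for (int i = GCM_IV_LEN - 1; i >= 4; i--)
        if (++iv[i] != 0)   /* stop as soon as there is no carry */
            break;
}

/* Assumption (SP 800-38D): for a 96-bit IV the first 16-byte counter block
 * is IV || 0x00000001; the cipher maintains those last 4 bytes itself. */
void gcm_initial_counter_block(const uint8_t iv[GCM_IV_LEN], uint8_t j0[GCM_BLOCK])
{
    memcpy(j0, iv, GCM_IV_LEN);
    j0[12] = 0; j0[13] = 0; j0[14] = 0; j0[15] = 1;
}

struct gcm_packet_view {              /* hypothetical helper type */
    const uint8_t *aad; size_t aad_len;   /* cleartext packet_length field */
    const uint8_t *ct;  size_t ct_len;    /* encrypted packet body */
    const uint8_t *tag;                   /* GCM_TAG_LEN bytes */
};

/* Split one wire packet (assumed RFC 5647 layout). 0 on success, -1 if malformed. */
int ssh_gcm_split(const uint8_t *pkt, size_t len, struct gcm_packet_view *v)
{
    if (len < 4 + GCM_TAG_LEN)
        return -1;
    uint32_t plen = ((uint32_t)pkt[0] << 24) | ((uint32_t)pkt[1] << 16) |
                    ((uint32_t)pkt[2] << 8)  |  (uint32_t)pkt[3];
    if (plen != len - 4 - GCM_TAG_LEN)    /* length field must match the buffer */
        return -1;
    v->aad = pkt;      v->aad_len = 4;
    v->ct  = pkt + 4;  v->ct_len  = plen;
    v->tag = pkt + 4 + plen;
    return 0;
}

int main(void)
{   /* Constructed sample IV: fixed field 01 02 03 04, counter about to carry. */
    uint8_t iv[GCM_IV_LEN] = {1, 2, 3, 4, 0, 0, 0, 0, 0, 0, 0, 0xff};
    ssh_gcm_iv_next(iv);
    return (iv[10] == 1 && iv[11] == 0) ? 0 : 1;
}
```

The authentication tag is only meaningful after the whole ciphertext has been processed, so a receiver checks it before acting on any decrypted byte.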


