author: Niels Möller <nisse@lysator.liu.se> 2019-05-15 10:11:22 +0200
committer: Niels Möller <nisse@lysator.liu.se> 2019-05-15 10:11:22 +0200
commit: 2b5dcfed94d66a3207f8bbd6d043e17532a88db8
tree: 6a098be22eafdbf9658c1cc6c5a55fa4bdbc3011
parent: ef82f2281f7c2459cd8fafa1e50598069c6a3732
download: nettle-2b5dcfed94d66a3207f8bbd6d043e17532a88db8.tar.gz
Require non-empty nonce for SIV mode.
 ChangeLog      |  6
 nettle.texinfo | 26
 siv-cmac.c     |  2
 siv-cmac.h     |  1
 4 files changed, 19 insertions, 16 deletions
diff --git a/ChangeLog b/ChangeLog
index 013b6753..d1336130 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2019-05-15 Niels Möller <nisse@lysator.liu.se>
+
+ * siv-cmac.h (SIV_MIN_NONCE_SIZE): New constant, 1.
+ * siv-cmac.c (_siv_s2v): Require non-empty nonce.
+ * nettle.texinfo (SIV-CMAC): Update documentation.
+
2019-05-06 Niels Möller <nisse@lysator.liu.se>
SIV-CMAC mode, based on patch by Nikos Mavrogiannopoulos:
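Review bot: the entry for _siv_s2v says "Require non-empty nonce", but the corresponding change in siv-cmac.c is an assert, which is a debug-build precondition rather than an enforced requirement; say so in the ChangeLog (e.g. "Assert non-empty nonce") so readers do not expect an error path in release builds.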
diff --git a/nettle.texinfo b/nettle.texinfo
index bda807db..6d31f231 100644
--- a/nettle.texinfo
+++ b/nettle.texinfo
@@ -3326,22 +3326,12 @@ Note also, that the @acronym{SIV-CMAC} algorithm, as specified in
consist of multiple components. For example with @acronym{SIV-CMAC} the
authentication tag of data @code{X} followed by @code{Y}, is different
than the concatenated data @code{X || Y}. The interfaces described below
-follow the @acronym{AEAD} paradigm and uses a fix structure with single
-string of authenticated data, a nonce, and the plaintext message itself.
-In the terminology of the RFC, the input to the S2V function is always a
-vector of three elements, where S1 is the authenticated data, S2 is the
-nonce, and S3 is the plaintext.
-
-@emph{Empty nonce should be considered experimental:} The specification
-also discusses nonce-less mode of operation, where the nonce is omitted
-in the S2V input vector; this leads to some confusion on how to do
-SIV-CMAC when the nonce is an empty string: Should S2 be an empty
-string, or should this mean nonce-less mode? Nettle's implementation
-currently uses an empty S2, but this may have interoperability issues.
-If standards emerge, Nettle's implementation may be changed to follow.
-In principle, we have the same ambiguity with empty associated data, but
-at the time of writing, Nettle authors are not aware of any
-interoperability problems with this.
+follow the @acronym{AEAD} paradigm and do not allow access to this
+feature and also require the use of a non-empty nonce. In the
+terminology of the RFC, the input to the S2V function is always a vector
+of three elements, where S1 is the authenticated data, S2 is the nonce,
+and S3 is the plaintext.
+
@subsubsection General interface
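Review bot: in the added paragraph, "do not allow access to this feature" has no clear antecedent; the preceding sentence is about the tag of X followed by Y differing from the tag of X || Y, so name what is not exposed, e.g. "do not expose the general multi-component S2V input vector, and also require a non-empty nonce." The removed text also raised the same empty-string ambiguity for associated data; the replacement says nothing about it, so state explicitly whether empty associated data is still accepted.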
@@ -3353,6 +3343,10 @@ interoperability problems with this.
Size of the @acronym{SIV-CMAC} digest or initialization vector, 16.
@end defvr
+@defvr Constant SIV_MIN_NONCE_SIZE
+The the minimum size for an @acronym{SIV-CMAC} nonce, 1.
+@end defvr
+
@subsubsection @acronym{SIV-CMAC}-@acronym{AES} interface
The @acronym{AES} @acronym{SIV-CMAC} functions provide an API for using
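Review bot: typo in the new @defvr body, "The the minimum size for an @acronym{SIV-CMAC} nonce, 1."; drop the duplicated article. Since the library only asserts on this value (siv-cmac.c hunk), it would also help to say that callers are responsible for respecting the minimum, rather than leaving the reader to assume a runtime error.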
diff --git a/siv-cmac.c b/siv-cmac.c
index 13bdbff4..1debdc4b 100644
--- a/siv-cmac.c
+++ b/siv-cmac.c
@@ -60,6 +60,8 @@ _siv_s2v (const struct nettle_cipher *nc,
union nettle_block16 D, S, T;
static const union nettle_block16 const_zero = {.b = 0 };
+ assert (nlength >= SIV_MIN_NONCE_SIZE);
+
cmac128_update (siv_cmac_ctx, cmac_cipher_ctx, nc->encrypt, 16, const_zero.b);
cmac128_digest (siv_cmac_ctx, cmac_cipher_ctx, nc->encrypt, 16, D.b);
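Review bot: assert (nlength >= SIV_MIN_NONCE_SIZE) is compiled out when NDEBUG is defined, so a release build of _siv_s2v still accepts an empty nonce and silently computes the empty-S2 variant that the removed documentation described as ambiguous and interoperability-sensitive. If the contract is "non-empty nonce required", either document the assert as a precondition in nettle.texinfo or validate the nonce length at the public API boundary. The hunk context also does not show an #include <assert.h>; confirm siv-cmac.c includes it.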
diff --git a/siv-cmac.h b/siv-cmac.h
index 199e1402..a56dfd79 100644
--- a/siv-cmac.h
+++ b/siv-cmac.h
@@ -57,6 +57,7 @@ extern "C" {
/* For SIV, the block size of the underlying cipher shall be 128 bits. */
#define SIV_BLOCK_SIZE 16
#define SIV_DIGEST_SIZE 16
+#define SIV_MIN_NONCE_SIZE 1
void
siv_cmac_set_key(struct cmac128_ctx *siv_cmac_ctx, void *cmac_cipher_ctx, void *cipher_ctx,
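Review bot: SIV_MIN_NONCE_SIZE is added with no comment, while the neighbouring constants are introduced by "/* For SIV, the block size of the underlying cipher shall be 128 bits. */"; add a one-line comment stating why the minimum is 1 (the S2V input with an empty S2 is ambiguous between an empty nonce and nonce-less mode, as the removed texinfo text explained) so the rationale survives in the header.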