| author | Niels Möller <nisse@lysator.liu.se> | 2019-05-15 10:11:22 +0200 |
|---|---|---|
| committer | Niels Möller <nisse@lysator.liu.se> | 2019-05-15 10:11:22 +0200 |
| commit | 2b5dcfed94d66a3207f8bbd6d043e17532a88db8 (patch) | |
| tree | 6a098be22eafdbf9658c1cc6c5a55fa4bdbc3011 | |
| parent | ef82f2281f7c2459cd8fafa1e50598069c6a3732 (diff) | |
| download | nettle-2b5dcfed94d66a3207f8bbd6d043e17532a88db8.tar.gz | |
Require non-empty nonce for SIV mode.
| -rw-r--r-- | ChangeLog | 6 |
| -rw-r--r-- | nettle.texinfo | 26 |
| -rw-r--r-- | siv-cmac.c | 2 |
| -rw-r--r-- | siv-cmac.h | 1 |
4 files changed, 19 insertions, 16 deletions
@@ -1,3 +1,9 @@ +2019-05-15 Niels Möller <nisse@lysator.liu.se> + + * siv-cmac.h (SIV_MIN_NONCE_SIZE): New constant, 1. + * siv-cmac.c (_siv_s2v): Require non-empty nonce. + * nettle.texinfo (SIV-CMAC): Update documentation. + 2019-05-06 Niels Möller <nisse@lysator.liu.se> SIV-CMAC mode, based on patch by Nikos Mavrogiannopoulos: diff --git a/nettle.texinfo b/nettle.texinfo index bda807db..6d31f231 100644 --- a/nettle.texinfo +++ b/nettle.texinfo 
@@ -3326,22 +3326,12 @@ Note also, that the @acronym{SIV-CMAC} algorithm, as specified in consist of multiple components. For example with @acronym{SIV-CMAC} the authentication tag of data @code{X} followed by @code{Y}, is different than the concatenated data @code{X || Y}. The interfaces described below -follow the @acronym{AEAD} paradigm and uses a fix structure with single -string of authenticated data, a nonce, and the plaintext message itself. -In the terminology of the RFC, the input to the S2V function is always a -vector of three elements, where S1 is the authenticated data, S2 is the -nonce, and S3 is the plaintext. - -@emph{Empty nonce should be considered experimental:} The specification -also discusses nonce-less mode of operation, where the nonce is omitted -in the S2V input vector; this leads to some confusion on how to do -SIV-CMAC when the nonce is an empty string: Should S2 be an empty -string, or should this mean nonce-less mode? Nettle's implementation -currently uses an empty S2, but this may have interoperability issues. -If standards emerge, Nettle's implementation may be changed to follow. -In principle, we have the same ambiguity with empty associated data, but -at the time of writing, Nettle authors are not aware of any -interoperability problems with this. +follow the @acronym{AEAD} paradigm and do not allow access to this +feature and also require the use of a non-empty nonce. In the +terminology of the RFC, the input to the S2V function is always a vector +of three elements, where S1 is the authenticated data, S2 is the nonce, +and S3 is the plaintext. + @subsubsection General interface 
@@ -3353,6 +3343,10 @@ interoperability problems with this. Size of the @acronym{SIV-CMAC} digest or initialization vector, 16. @end defvr +@defvr Constant SIV_MIN_NONCE_SIZE +The the minimum size for an @acronym{SIV-CMAC} nonce, 1. +@end defvr + @subsubsection @acronym{SIV-CMAC}-@acronym{AES} interface The @acronym{AES} @acronym{SIV-CMAC} functions provide an API for using @@ -60,6 +60,8 @@ _siv_s2v (const struct nettle_cipher *nc, union nettle_block16 D, S, T; static const union nettle_block16 const_zero = {.b = 0 }; + assert (nlength >= SIV_MIN_NONCE_SIZE); + cmac128_update (siv_cmac_ctx, cmac_cipher_ctx, nc->encrypt, 16, const_zero.b); cmac128_digest (siv_cmac_ctx, cmac_cipher_ctx, nc->encrypt, 16, D.b); @@ -57,6 +57,7 @@ extern "C" { /* For SIV, the block size of the underlying cipher shall be 128 bits. */ #define SIV_BLOCK_SIZE 16 #define SIV_DIGEST_SIZE 16 +#define SIV_MIN_NONCE_SIZE 1 void siv_cmac_set_key(struct cmac128_ctx *siv_cmac_ctx, void *cmac_cipher_ctx, void *cipher_ctx, |
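Review bot: "The the minimum size" in the new @defvr for SIV_MIN_NONCE_SIZE doubles the article and should read "The minimum size for an @acronym{SIV-CMAC} nonce, 1." The rewritten paragraph in the same file also drops the reason the removed text gave for the change (the RFC's nonce-less S2V mode makes an empty nonce ambiguous between an empty S2 element and no S2 at all); keeping one sentence of that rationale would tell readers why a non-empty nonce is required, not only that it is. "do not allow access to this feature" leans on the multi-component S2V vector mentioned two sentences earlier; naming it ("the multi-component vector input of S2V") avoids the dangling reference.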
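Review bot: the new `assert (nlength >= SIV_MIN_NONCE_SIZE);` in _siv_s2v is compiled out when NDEBUG is defined, so a release build handed an empty nonce will silently proceed with the empty-S2 behaviour that the documentation change removes. Either state in the texinfo text that the minimum is enforced by assertion (a violation is a caller bug, not a reported error), or check it unconditionally if callers are meant to get a defined failure. The hunk does not show an include of <assert.h> in siv-cmac.c; confirm it is already present.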
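Review bot: `#define SIV_MIN_NONCE_SIZE 1` in siv-cmac.h carries no comment, while the neighbouring SIV_BLOCK_SIZE definition explains its value; a one-line comment saying that shorter nonces are rejected (by assertion in _siv_s2v) would make the contract visible to users who only read the header.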