Commit 2b5dcfed authored by Niels Möller

Require non-empty nonce for SIV mode.

parent ef82f228
2019-05-15 Niels Möller <nisse@lysator.liu.se>
* siv-cmac.h (SIV_MIN_NONCE_SIZE): New constant, 1.
* siv-cmac.c (_siv_s2v): Require non-empty nonce.
* nettle.texinfo (SIV-CMAC): Update documentation.
2019-05-06 Niels Möller <nisse@lysator.liu.se>
SIV-CMAC mode, based on patch by Nikos Mavrogiannopoulos:
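Review bot: The ChangeLog entry lists siv-cmac.h, siv-cmac.c and nettle.texinfo but no testsuite file, so nothing shown here exercises the new minimum. If any existing SIV-CMAC test vector uses a zero-length nonce it will now hit the new assert in _siv_s2v; worth confirming the test vectors all use a nonce of at least SIV_MIN_NONCE_SIZE and noting the test change here if one is needed.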
......
......@@ -3326,22 +3326,12 @@ Note also, that the @acronym{SIV-CMAC} algorithm, as specified in
consist of multiple components. For example with @acronym{SIV-CMAC} the
authentication tag of data @code{X} followed by @code{Y}, is different
than the concatenated data @code{X || Y}. The interfaces described below
follow the @acronym{AEAD} paradigm and uses a fix structure with single
string of authenticated data, a nonce, and the plaintext message itself.
In the terminology of the RFC, the input to the S2V function is always a
vector of three elements, where S1 is the authenticated data, S2 is the
nonce, and S3 is the plaintext.
@emph{Empty nonce should be considered experimental:} The specification
also discusses nonce-less mode of operation, where the nonce is omitted
in the S2V input vector; this leads to some confusion on how to do
SIV-CMAC when the nonce is an empty string: Should S2 be an empty
string, or should this mean nonce-less mode? Nettle's implementation
currently uses an empty S2, but this may have interoperability issues.
If standards emerge, Nettle's implementation may be changed to follow.
In principle, we have the same ambiguity with empty associated data, but
at the time of writing, Nettle authors are not aware of any
interoperability problems with this.
follow the @acronym{AEAD} paradigm and do not allow access to this
feature and also require the use of a non-empty nonce. In the
terminology of the RFC, the input to the S2V function is always a vector
of three elements, where S1 is the authenticated data, S2 is the nonce,
and S3 is the plaintext.
@subsubsection General interface
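Review bot: The replacement paragraph says the interfaces "require the use of a non-empty nonce" but does not say what happens when a caller passes one of length zero. Per the siv-cmac.c change in this commit that case is an assert failure, so the manual should state that the requirement is a precondition enforced by assertion, and point at SIV_MIN_NONCE_SIZE so callers can check against it. The removed text also explained why the empty nonce is a problem (ambiguity between an empty S2 and the RFC's nonce-less mode); keeping one sentence of that rationale would tell readers why the restriction exists. Minor wording: "do not allow access to this feature and also require" reads better split into two sentences.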
......@@ -3353,6 +3343,10 @@ interoperability problems with this.
Size of the @acronym{SIV-CMAC} digest or initialization vector, 16.
@end defvr
@defvr Constant SIV_MIN_NONCE_SIZE
The the minimum size for an @acronym{SIV-CMAC} nonce, 1.
@end defvr
@subsubsection @acronym{SIV-CMAC}-@acronym{AES} interface
The @acronym{AES} @acronym{SIV-CMAC} functions provide an API for using
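Review bot: Typo in the new @defvr text: "The the minimum size" has a doubled article. Suggest "The minimum size for an @acronym{SIV-CMAC} nonce, 1." It would also help to say the unit (octets), since the neighbouring SIV_DIGEST_SIZE entry gives a bare number as well.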
......
......@@ -60,6 +60,8 @@ _siv_s2v (const struct nettle_cipher *nc,
union nettle_block16 D, S, T;
static const union nettle_block16 const_zero = {.b = 0 };
assert (nlength >= SIV_MIN_NONCE_SIZE);
cmac128_update (siv_cmac_ctx, cmac_cipher_ctx, nc->encrypt, 16, const_zero.b);
cmac128_digest (siv_cmac_ctx, cmac_cipher_ctx, nc->encrypt, 16, D.b);
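Review bot: The new check "assert (nlength >= SIV_MIN_NONCE_SIZE);" in _siv_s2v only enforces the requirement in builds where assertions are enabled. When compiled with NDEBUG the assert disappears and a zero-length nonce is processed as an empty S2 again, which is the behaviour the documentation change in this commit says is no longer offered. If the restriction is meant to hold in all builds, use an unconditional check. Also, _siv_s2v is an internal helper, so the failure surfaces deep below the public entry points; if the nonce length can come from parsed or otherwise untrusted input on any calling path, aborting the process is a harsh outcome, and a check at the public API boundary with the precondition stated in the header would be easier for callers to reason about.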
......
......@@ -57,6 +57,7 @@ extern "C" {
/* For SIV, the block size of the underlying cipher shall be 128 bits. */
#define SIV_BLOCK_SIZE 16
#define SIV_DIGEST_SIZE 16
#define SIV_MIN_NONCE_SIZE 1
void
siv_cmac_set_key(struct cmac128_ctx *siv_cmac_ctx, void *cmac_cipher_ctx, void *cipher_ctx,
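Review bot: SIV_MIN_NONCE_SIZE is added without a comment, while the block of defines it joins opens with one explaining the 128-bit block size. A short comment above "#define SIV_MIN_NONCE_SIZE 1" stating that the nonce must be non-empty, and that violating this trips an assertion, would make the precondition visible to people who read the header rather than the manual.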
......