nettle: commit 2b5dcfed, authored May 15, 2019 by Niels Möller
Require non-empty nonce for SIV mode.
parent ef82f228
Showing 4 changed files with 19 additions and 16 deletions:
ChangeLog (+6 -0)
nettle.texinfo (+10 -16)
siv-cmac.c (+2 -0)
siv-cmac.h (+1 -0)
ChangeLog
View file @
2b5dcfed
2019-05-15 Niels Möller <nisse@lysator.liu.se>
* siv-cmac.h (SIV_MIN_NONCE_SIZE): New constant, 1.
* siv-cmac.c (_siv_s2v): Require non-empty nonce.
* nettle.texinfo (SIV-CMAC): Update documentation.
2019-05-06 Niels Möller <nisse@lysator.liu.se>
SIV-CMAC mode, based on patch by Nikos Mavrogiannopoulos:
...
...
nettle.texinfo
View file @
2b5dcfed
...
...
@@ -3326,22 +3326,12 @@ Note also, that the @acronym{SIV-CMAC} algorithm, as specified in
consist of multiple components. For example with @acronym
{
SIV-CMAC
}
the
authentication tag of data @code
{
X
}
followed by @code
{
Y
}
, is different
than the concatenated data @code
{
X || Y
}
. The interfaces described below
follow the @acronym
{
AEAD
}
paradigm and uses a fix structure with single
string of authenticated data, a nonce, and the plaintext message itself.
In the terminology of the RFC, the input to the S2V function is always a
vector of three elements, where S1 is the authenticated data, S2 is the
nonce, and S3 is the plaintext.
@emph
{
Empty nonce should be considered experimental:
}
The specification
also discusses nonce-less mode of operation, where the nonce is omitted
in the S2V input vector; this leads to some confusion on how to do
SIV-CMAC when the nonce is an empty string: Should S2 be an empty
string, or should this mean nonce-less mode? Nettle's implementation
currently uses an empty S2, but this may have interoperability issues.
If standards emerge, Nettle's implementation may be changed to follow.
In principle, we have the same ambiguity with empty associated data, but
at the time of writing, Nettle authors are not aware of any
interoperability problems with this.
follow the @acronym
{
AEAD
}
paradigm and do not allow access to this
feature and also require the use of a non-empty nonce. In the
terminology of the RFC, the input to the S2V function is always a vector
of three elements, where S1 is the authenticated data, S2 is the nonce,
and S3 is the plaintext.
@subsubsection General interface
...
...
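Review bot: The replacement paragraph states that the interfaces "require the use of a non-empty nonce" but does not say what happens when a caller passes an empty one. This commit enforces the requirement with assert (nlength >= SIV_MIN_NONCE_SIZE) in _siv_s2v, so the manual should say that a zero-length nonce is a caller error that triggers an assertion failure, and refer to SIV_MIN_NONCE_SIZE. Separately, "this feature" in the same sentence is some distance from its antecedent; naming the feature explicitly would make the sentence stand on its own.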
@@ -3353,6 +3343,10 @@ interoperability problems with this.
Size of the @acronym
{
SIV-CMAC
}
digest or initialization vector, 16.
@end defvr
@defvr Constant SIV
_
MIN
_
NONCE
_
SIZE
The the minimum size for an @acronym
{
SIV-CMAC
}
nonce, 1.
@end defvr
@subsubsection @acronym
{
SIV-CMAC
}
-@acronym
{
AES
}
interface
The @acronym
{
AES
}
@acronym
{
SIV-CMAC
}
functions provide an API for using
...
...
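Review bot: Typo in the new @defvr entry for SIV_MIN_NONCE_SIZE: "The the minimum size" should read "The minimum size". The entry could also note that the SIV-CMAC functions do not accept a shorter nonce, so the constant ties back to the requirement stated earlier in the section.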
siv-cmac.c
View file @
2b5dcfed
...
...
@@ -60,6 +60,8 @@ _siv_s2v (const struct nettle_cipher *nc,
union
nettle_block16
D
,
S
,
T
;
static
const
union
nettle_block16
const_zero
=
{.
b
=
0
};
assert
(
nlength
>=
SIV_MIN_NONCE_SIZE
);
cmac128_update
(
siv_cmac_ctx
,
cmac_cipher_ctx
,
nc
->
encrypt
,
16
,
const_zero
.
b
);
cmac128_digest
(
siv_cmac_ctx
,
cmac_cipher_ctx
,
nc
->
encrypt
,
16
,
D
.
b
);
...
...
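Review bot: The non-empty-nonce requirement in _siv_s2v rests solely on assert (nlength >= SIV_MIN_NONCE_SIZE), which disappears when the library is compiled with NDEBUG; such a build would accept nlength == 0 and fall back to the empty-S2 behaviour that the documentation change in this commit removes. If the requirement is meant to hold in all builds, use a check that survives NDEBUG, or state in the manual that the condition is only verified in assert-enabled builds and that callers must guarantee it themselves.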
siv-cmac.h
View file @
2b5dcfed
...
...
@@ -57,6 +57,7 @@ extern "C" {
/* For SIV, the block size of the underlying cipher shall be 128 bits. */
#define SIV_BLOCK_SIZE 16
#define SIV_DIGEST_SIZE 16
#define SIV_MIN_NONCE_SIZE 1
void
siv_cmac_set_key
(
struct
cmac128_ctx
*
siv_cmac_ctx
,
void
*
cmac_cipher_ctx
,
void
*
cipher_ctx
,
...
...
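Review bot: SIV_MIN_NONCE_SIZE is introduced without a comment, while the context line above the defines explains the 128-bit block size. A one-line comment saying that these interfaces do not support an empty nonce would explain the value 1 to anyone reading the header without the manual at hand.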