Hi Niels :)
Niels Möller nisse@lysator.liu.se writes:
While looking at extended tests of the aead update function (for the associated data), I stumbled on a restriction of gcm_update that is different from most (all?) other update functions in Nettle. According to the docs,
-- Function: void gcm_update (struct gcm_ctx *CTX, const struct gcm_key *KEY, size_t LENGTH, const uint8_t *DATA) Provides associated data to be authenticated. If used, must be called before ‘gcm_encrypt’ or ‘gcm_decrypt’. All but the last call for each message _must_ use a length that is a multiple of the block size.
What happens if that restriction is violated? As the function cannot signal an error, does it lead to silent corruption of the data stream? Or does it assert that restriction?
Would it be worthwhile to drop the restriction of the last sentence, and allow all calls to gcm_update to use any size? This requirement may be particularly surprising when using nettle_aead; then gcm has different requirements for the update function than all other aead algorithms.
In the Rust bindings, we don't check for this, and we also didn't make the function fallible (likely because at the time we bound GCM we were not aware of the limitation), so we're not able to communicate any failures to the user. As such, dropping the requirement would be most welcome for us, because then we wouldn't need to change our interface.
Best, Justus