Niels Möller nisse@lysator.liu.se writes:
Changes to drop the digest size are now on branch delete-digest_func-size (https://git.lysator.liu.se/nettle/nettle/-/tree/delete-digest_func-size). Unsurprisingly breaks the gnutls build, see https://gitlab.com/gnutls/nettle/-/jobs/9379366785.
I've now merged this branch. I think I will have to disable the gnutls ci job, or mark as "allow_failure", for the time being, but it will be nice when there's a gnutls update (or development branch) that works with these changes; then I'll be happy to reenable that job test.
I haven't yet updated ccm and ocb; they are defined such that digest size also needs to be passed when setting the nonce, and not entirely sure how to deal with that. From a quick look, it appears both tls (RFC 6655) and ipsec (RFC 4309) specify use of ccm with shorter authentication tags, so at least it's not very obscure.
I see a few different approaches:
1. Keep the tag size argument as is for ccm_set_nonce and ocb_set_nonce, drop it from ccm_digest and ocb_digest, and leave it to the application to copy a truncated version of the digest when needed.
2. Change both the _set_nonce and _digest functions to always use the full tag size (16 octets), for consistency with other nettle functions. And add a separate _set_nonce_something function (and maybe _digest_something too) for supporting a truncated tag. I have no great idea on naming, though.
3. Like 2, but only add public functions for specific reasonable tag sizes. Could be named like ccm64 and ccm96 for the ones in RFC 6655.
4. Leave interface as is, with _digest functions different from all others.
And then we also have the _encrypt_message / _decrypt_message functions. They could either be left as is, or have separate functions for default (full 16 octet) tag size, and for truncated tags.
Opinions? Are you aware of applications actually using ccm and/or ocb with short tags?
Regards, /Niels
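
Added example, not part of the original message and not nettle's code: a sketch of the first CBC-MAC block (B0) from RFC 3610, showing why CCM needs the tag size when the nonce is set. The tag size is encoded in the flags octet of B0, so an 8-octet CCM tag is not a prefix of the 16-octet tag computed over the same input. The function names `ccm_b0_flags` and `ccm_build_b0` are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CCM_BLOCK_SIZE 16

/* Flags octet of B0 (RFC 3610, section 2.2): bit 6 = Adata,
   bits 5..3 = (M-2)/2 where M is the tag size, bits 2..0 = L-1
   where L = 15 - nonce_len. Returns -1 on invalid parameters. */
int
ccm_b0_flags(size_t nonce_len, int have_adata, size_t tag_len)
{
  if (nonce_len < 7 || nonce_len > 13)
    return -1;
  if (tag_len < 4 || tag_len > 16 || (tag_len & 1))
    return -1;
  return (have_adata ? 0x40 : 0)
    | (int) (((tag_len - 2) / 2) << 3)
    | (int) (15 - nonce_len - 1);
}

/* Build B0 = flags || nonce || message length (L octets, big-endian).
   B0 is the first block fed to the CBC-MAC. Returns 0 on success. */
int
ccm_build_b0(uint8_t b0[CCM_BLOCK_SIZE],
             const uint8_t *nonce, size_t nonce_len,
             size_t msg_len, int have_adata, size_t tag_len)
{
  int flags = ccm_b0_flags(nonce_len, have_adata, tag_len);
  size_t L, i;

  if (flags < 0)
    return -1;
  L = 15 - nonce_len;
  /* The message length must fit in the L-octet length field. */
  if (L < sizeof(msg_len) && (msg_len >> (8 * L)) != 0)
    return -1;

  b0[0] = (uint8_t) flags;
  memcpy(b0 + 1, nonce, nonce_len);
  for (i = 0; i < L; i++)
    b0[15 - i] = i < sizeof(msg_len) ? (uint8_t) (msg_len >> (8 * i)) : 0;
  return 0;
}
```

With a 13-octet nonce and associated data present, the flags octet is 0x59 for an 8-octet tag and 0x79 for a 16-octet tag; the rest of B0 is identical.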