On Wed, 2019-04-17 at 11:37 +0200, Nikos Mavrogiannopoulos wrote:
On Sun, 2019-04-14 at 09:33 +0200, Niels Möller wrote:
- assert(nc->context_size <= NETTLE_MAX_CIPHER16_CONTEXT_SIZE);
- /* ensure we have enough size of context plus any padding size
*/
- CMAC128_SET_KEY(&ctx, nc->set_encrypt_key, nc->encrypt, s2vk);
- if (nlength == 0 && alength == 0) {
- CMAC128_UPDATE(&ctx, nc->encrypt, 16, const_one);
- CMAC128_DIGEST(&ctx, nc->encrypt, 16, v);
- return;
- }
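Review bot: the early return in the `if (nlength == 0 && alength == 0)` branch tests only `nlength` and `alength`, then emits the tag computed over `const_one` alone. Any further input this function accepts is left out of the tag whenever those two lengths are zero, so the condition should require every input length to be zero before taking the zero-component path. Separately, the bound in `assert(nc->context_size <= NETTLE_MAX_CIPHER16_CONTEXT_SIZE)` is compiled out under NDEBUG; consider whether the size limit needs a check that survives release builds.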
Shouldn't the plaintext, plength, pdata, still be processed in this case?
Right, there should be an "and plength == 0" as well. I've added two additional test cases to check these cases, and the case where everything is zero doesn't seem to interoperate with two libs I tried.
Hopefully it is an issue of this code.
https://github.com/miscreant/miscreant/issues/194
https://github.com/dfoxfranke/libaes_siv/issues/14
Based on the discussions on these bugs, I think it makes sense to strictly restrict the implementation to the common interoperable conventions (AEAD). That is, always assume (aad, nonce, plaintext), even if empty. As such I've updated the test vectors to include non-empty nonce and tested them against libaes_siv.
The attached bugs update this implementation, and an additional patch adds a "make distcheck" check to CI. That ensures that any missing or incorrectly added in Makefile files are caught by the CI.
regards, Nikos
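
The following is an added example, not part of the e-mail or of the nettle patch. It sketches the RFC 5297 S2V construction to show why "no components" and "three empty components" yield different tags, which is the interoperability question discussed above. As an assumption of this example, HMAC-SHA256 truncated to 16 bytes stands in for AES-CMAC so the code runs with the standard library only; the function names and the key are constructed.

```python
import hashlib
import hmac

BLOCK = 16
KEY = bytes(range(16))  # constructed sample key


def prf(key, msg):
    # Stand-in for AES-CMAC (assumption of this example, not the real primitive).
    return hmac.new(key, msg, hashlib.sha256).digest()[:BLOCK]


def dbl(block):
    # Doubling in GF(2^128): shift left one bit, fold a carry back in with 0x87.
    n = int.from_bytes(block, "big") << 1
    if n >> 128:
        n = (n & ((1 << 128) - 1)) ^ 0x87
    return n.to_bytes(BLOCK, "big")


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def s2v(key, components):
    # RFC 5297 S2V over a vector of byte strings.
    if not components:
        # Zero-component case: PRF over the constant <one>.
        return prf(key, b"\x00" * 15 + b"\x01")
    d = prf(key, b"\x00" * BLOCK)
    for s in components[:-1]:
        d = xor(dbl(d), prf(key, s))
    last = components[-1]
    if len(last) >= BLOCK:
        t = last[:-BLOCK] + xor(last[-BLOCK:], d)  # xorend
    else:
        padded = last + b"\x80" + b"\x00" * (BLOCK - 1 - len(last))
        t = xor(dbl(d), padded)
    return prf(key, t)


def aead_tag(key, aad=b"", nonce=b"", plaintext=b""):
    # AEAD convention from the thread: always three components, even if empty.
    return s2v(key, [aad, nonce, plaintext])


def compare_empty_conventions(key=KEY):
    # Three ways a caller might encode "everything is empty".
    return {
        "no components": s2v(key, []).hex(),
        "one empty component": s2v(key, [b""]).hex(),
        "aead, all empty": aead_tag(key).hex(),
    }
```

Two implementations that disagree on which of these encodings "all inputs empty" means will never produce matching tags, regardless of the underlying MAC.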