| author | Kévin Le Gouguec <kevin.legouguec@airbus.com> | 2018-11-27 16:47:59 +0100 |
|---|---|---|
| committer | Kévin Le Gouguec <kevin.legouguec@airbus.com> | 2018-11-27 16:47:59 +0100 |
| commit | a6246a810859c09d12c928d5f95a897ecca18cb9 (patch) | |
| tree | d743a12b684f5102e49bb9672f0d90af0348d260 /src | |
| parent | 1f359c1cdbb7a9bd41f3cb9717187e8aeacce43b (diff) | |
| download | lilliput-ae-implem-a6246a810859c09d12c928d5f95a897ecca18cb9.tar.xz | |
Correction de la génération du tag SCT-2
C'est pour *ça* que j'avais mis le nonce dans la signature de la
fonction…
🤦
Diffstat (limited to 'src')
| -rw-r--r-- | src/lilliput-ae-ii.c | 29 |
1 files changed, 23 insertions, 6 deletions
diff --git a/src/lilliput-ae-ii.c b/src/lilliput-ae-ii.c
index e0e268e..26885e5 100644
--- a/src/lilliput-ae-ii.c
+++ b/src/lilliput-ae-ii.c
@@ -31,19 +31,33 @@ static void _fill_msg_tweak(const uint8_t tag[TAG_BYTES], uint64_t block_index,
 }
 }
+static void _fill_tag_tweak(const uint8_t N[NONCE_BYTES], uint8_t tweak[TWEAK_BYTES])
+{
+ /* The t-bit tweak is filled as follows:
+ *
+ * - bits [ 1, t-7]: N
+ * - bits [t-7, t]: 0001||0^4
+ */
+
+ memcpy(tweak, N, TWEAK_BYTES-1);
+ tweak[TWEAK_BYTES-1] = 0x10;
+}
+
 static void _generate_tag(
 const uint8_t key[KEY_BYTES],
 size_t M_len,
 const uint8_t M[M_len],
+ const uint8_t N[NONCE_BYTES],
 const uint8_t Auth[BLOCK_BYTES],
 uint8_t tag[TAG_BYTES]
 )
 {
 uint8_t Ek_Mj[BLOCK_BYTES];
+ uint8_t tag_tmp[TAG_BYTES];
 uint8_t tweak[TWEAK_BYTES];
- memset(tweak, 0, TWEAK_BYTES);
- memcpy(tag, Auth, TAG_BYTES);
+ memset(tweak, 0, TWEAK_BYTES);
+ memcpy(tag_tmp, Auth, TAG_BYTES);
 size_t l = M_len / BLOCK_BYTES;
 size_t rest = M_len % BLOCK_BYTES;
@@ -52,7 +66,7 @@ static void _generate_tag(
 {
 fill_index_tweak(0x0, j, tweak);
 encrypt(key, tweak, &M[j*BLOCK_BYTES], Ek_Mj);
- xor_into(tag, Ek_Mj);
+ xor_into(tag_tmp, Ek_Mj);
 }
 if (rest != 0)
@@ -61,8 +75,11 @@ static void _generate_tag(
 pad10(rest, &M[l*BLOCK_BYTES], M_rest);
 fill_index_tweak(0x4, l, tweak);
 encrypt(key, tweak, M_rest, Ek_Mj);
- xor_into(tag, Ek_Mj);
+ xor_into(tag_tmp, Ek_Mj);
 }
+
+ _fill_tag_tweak(N, tweak);
+ encrypt(key, tweak, tag_tmp, tag);
 }
 static void _encrypt_message(
@@ -115,7 +132,7 @@ void lilliput_ae_encrypt(
 uint8_t auth[BLOCK_BYTES];
 process_associated_data(key, auth_data_len, auth_data, auth);
- _generate_tag(key, message_len, message, auth, tag);
+ _generate_tag(key, message_len, message, nonce, auth, tag);
 _encrypt_message(key, message_len, message, nonce, tag, ciphertext);
 }
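Review bot: `memcpy(tweak, N, TWEAK_BYTES-1)` in the new `_fill_tag_tweak` reads TWEAK_BYTES-1 bytes out of a parameter declared `N[NONCE_BYTES]`, and nothing in the hunk ties those two constants together; if NONCE_BYTES is ever smaller than TWEAK_BYTES-1 this is an out-of-bounds read of the nonce, and if larger the nonce is silently truncated. The comment above it already pins the layout (N occupies every byte but the last), so let the compiler enforce it with `_Static_assert(NONCE_BYTES == TWEAK_BYTES - 1, "nonce must fill all but the last tweak byte");` ahead of the memcpy. The comment's bit ranges also overlap at t-7: N is bits [1, t-8] and the domain byte 0001||0^4 (the 0x10 written below) is bits [t-7, t]. `_Static_assert` needs C11 while the file uses C99 VLA parameters, so confirm the build's -std before adding it.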
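Review bot: The new `encrypt(key, tweak, tag_tmp, tag)` at the end of `_generate_tag` reads one cipher block from `tag_tmp[TAG_BYTES]` and writes one into `tag[TAG_BYTES]`, while every other block buffer in the function is sized with BLOCK_BYTES (`Ek_Mj[BLOCK_BYTES]`, `Auth[BLOCK_BYTES]`); the function already assumed TAG_BYTES == BLOCK_BYTES through `xor_into(tag_tmp, Ek_Mj)`, but this call turns the assumption into a write past the caller's tag buffer if the two ever differ. State it once next to the declaration of `tag_tmp`: `_Static_assert(TAG_BYTES == BLOCK_BYTES, "tag is one cipher block");`. If a shorter tag is ever intended, declare `tag_tmp` with BLOCK_BYTES instead, encrypt into the spare `Ek_Mj`, and `memcpy(tag, Ek_Mj, TAG_BYTES)` so the tag truncates rather than overflows. The body of `_generate_tag` starts in an earlier hunk.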
@@ -137,7 +154,7 @@ bool lilliput_ae_decrypt(
 process_associated_data(key, auth_data_len, auth_data, auth);
 uint8_t effective_tag[TAG_BYTES];
- _generate_tag(key, ciphertext_len, message, auth, effective_tag);
+ _generate_tag(key, ciphertext_len, message, nonce, auth, effective_tag);
 return memcmp(tag, effective_tag, TAG_BYTES) == 0;
 } |
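Review bot: `return memcmp(tag, effective_tag, TAG_BYTES) == 0;` verifies the tag with a compare that stops at the first differing byte, so anyone who can time `lilliput_ae_decrypt` learns how many leading tag bytes were right and can forge a tag byte by byte; the line is context rather than new, but this commit is what makes the tag nonce-dependent and is the natural place to harden verification too. Replace it with a fixed-time compare: `uint8_t d = 0; for (size_t i = 0; i < TAG_BYTES; i++) d |= tag[i] ^ effective_tag[i]; return d == 0;`. The rest of `lilliput_ae_decrypt` is outside the hunk; if decryption into `message` happens before this check, as passing `message` to `_generate_tag` suggests, the caller also holds unauthenticated plaintext on failure and the function should either wipe the buffer on mismatch or document that the output must be discarded.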
