Update SIV diagram, length pad AAD.

2025-06-05 20:13:44 +02:00 · 2020-03-25 15:09:49 -07:00 · 2020-03-25 15:09:49 -07:00 · f92fca03a0
commit f92fca03a0
parent b5c01999b8
2 changed files with 33 additions and 1 deletions
--- a/doc/AES-GMAC-SIV.png
+++ b/doc/AES-GMAC-SIV.png
--- a/node/AES.hpp
+++ b/node/AES.hpp
@ -251,7 +251,7 @@ public:
 			_gmac(k0),
 			_ctr(k1) {}

-		/*
+		/**
 		 * Initialize AES-GMAC-SIV
 		 *
 		 * @param iv IV in network byte order (byte order in which it will appear on the wire)
@ -265,6 +265,29 @@ public:
 			_gmac.init(reinterpret_cast<const uint8_t *>(_iv));
 		}

+		/**
+		 * Process AAD (additional authenticated data) that is not being encrypted
+		 *
+		 * This must be called prior to update1, finish1, etc. if there is AAD to include
+		 * in the MAC that is not included in the plaintext.
+		 *
+		 * @param aad Additional authenticated data
+		 * @param len Length of AAD in bytes
+		 */
+		ZT_INLINE void aad(const void *const aad,unsigned int len) noexcept
+		{
+			_gmac.update(aad,len);
+			len &= 0xfU;
+			if (len != 0)
+				_gmac.update(Utils::ZERO256,16 - len);
+		}
+
+		/**
+		 * First pass plaintext input function
+		 *
+		 * @param input Plaintext chunk
+		 * @param len Length of plaintext chunk
+		 */
 		ZT_INLINE void update1(const void *const input,const unsigned int len) noexcept
 		{
 			_gmac.update(input,len);
@ -282,6 +305,15 @@ public:
 			_ctr.init(reinterpret_cast<const uint8_t *>(_iv),_output);
 		}

+		/**
+		 * Second pass plaintext input function
+		 *
+		 * The same plaintext must be fed in the second time in the same order,
+		 * though chunk boundaries do not have to be the same.
+		 *
+		 * @param input Plaintext chunk
+		 * @param len Length of plaintext chunk
+		 */
 		ZT_INLINE void update2(const void *const input,const unsigned int len) noexcept
 		{
 			_ctr.crypt(input,len);