commit b2c2b4d0630716fa6a61ec27df26c5253f2de5b0 (tree)
parent 1311880eea5e80b5a50eb6360d183b21ec66f0c7
Author: Frank Denis <jedisct1@noreply.codeberg.org>
Date: Mon, 23 Mar 2026 03:11:13 +0100
Merge pull request 'crypto: correct aes-siv s2v' (#31623) from sinon/zig:fix-aes-siv into master
Reviewed-on: https://codeberg.org/ziglang/zig/pulls/31623
Reviewed-by: Frank Denis <jedisct1@noreply.codeberg.org>
Diffstat:
1 file changed, 53 insertions(+), 8 deletions(-)
diff --git a/lib/std/crypto/aes_siv.zig b/lib/std/crypto/aes_siv.zig
@@ -88,16 +88,19 @@ fn AesSiv(comptime Aes: anytype) type {
// Process the final string
const sn = strings[strings.len - 1];
if (sn.len >= 16) {
- // XOR d with the first 16 bytes of Sn
- var xored_msg_buf: [4096]u8 = undefined;
- const xored_len = @min(sn.len, xored_msg_buf.len);
- @memcpy(xored_msg_buf[0..xored_len], sn[0..xored_len]);
-
- for (d, 0..) |b, j| {
- xored_msg_buf[j] ^= b;
+ // XOR d with the last 16 bytes of Sn,
+ // and give the entire Sn to CMAC incrementally.
+ var cmac = CmacImpl.init(&key);
+ const prefix = sn.len - 16;
+ cmac.update(sn[0..prefix]);
+
+ var tail: [16]u8 = undefined;
+ for (&tail, sn[prefix..][0..16], d) |*out, s, db| {
+ out.* = s ^ db;
}
+ cmac.update(&tail);
- CmacImpl.create(iv, xored_msg_buf[0..xored_len], &key);
+ cmac.final(iv);
} else {
// Pad and XOR
d = dbl(d);
@@ -355,6 +358,48 @@ test "Aes128Siv - RFC 5297 Test Vector A.1" {
try testing.expectEqualSlices(u8, &plaintext, &decrypted);
}
+test "Aes128Siv - RFC 5297 Test Vector A.2" {
+ // Test vector from RFC 5297 Appendix A.2
+ const key: [32]u8 = .{
+ 0x7f, 0x7e, 0x7d, 0x7c, 0x7b, 0x7a, 0x79, 0x78,
+ 0x77, 0x76, 0x75, 0x74, 0x73, 0x72, 0x71, 0x70,
+ 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
+ 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f,
+ };
+ const ad1 = [_]u8{
+ 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
+ 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
+ 0xde, 0xad, 0xda, 0xda, 0xde, 0xad, 0xda, 0xda,
+ 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99, 0x88,
+ 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11, 0x00,
+ };
+ const ad2 = [_]u8{
+ 0x10, 0x20, 0x30, 0x40, 0x50, 0x60, 0x70, 0x80,
+ 0x90, 0xa0,
+ };
+ const nonce: [16]u8 = .{
+ 0x09, 0xf9, 0x11, 0x02, 0x9d, 0x74, 0xe3, 0x5b,
+ 0xd8, 0x41, 0x56, 0xc5, 0x63, 0x56, 0x88, 0xc0,
+ };
+ const plaintext = [_]u8{
+ 0x74, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20,
+ 0x73, 0x6f, 0x6d, 0x65, 0x20, 0x70, 0x6c, 0x61,
+ 0x69, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x20, 0x74,
+ 0x6f, 0x20, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70,
+ 0x74, 0x20, 0x75, 0x73, 0x69, 0x6e, 0x67, 0x20,
+ 0x53, 0x49, 0x56, 0x2d, 0x41, 0x45, 0x53,
+ };
+
+ var ciphertext: [plaintext.len]u8 = undefined;
+ var tag: [16]u8 = undefined;
+
+ Aes128Siv.encryptWithAdVector(&ciphertext, &tag, &plaintext, &.{ &ad1, &ad2, &nonce }, key);
+
+ // Expected values from RFC 5297
+ try htest.assertEqual("7bdb6e3b432667eb06f4d14bff2fbd0f", &tag);
+ try htest.assertEqual("cb900f2fddbe404326601965c889bf17dba77ceb094fa663b7a3f748ba8af829ea64ad544a272e9c485b62a3fd5c0d", &ciphertext);
+}
+
test "Aes128Siv - empty plaintext" {
const key: [32]u8 = @splat(0x42);
const plaintext = "";