Re: ANNOUNCE: Nettle-3.9

2023-05-19 Thread Niels Möller
Jussi Kivilinna writes:

> On 15.5.2023 23.21, Niels Möller wrote:
>> Jussi Kivilinna writes:
>> 
>>> I ran into a memory corruption issue when benchmarking new OCB code.
>>>
>>> I think "dst -= size;" in ocb_crypt_n() should be "dst += size;" ...
>>>   https://git.lysator.liu.se/nettle/nettle/-/blob/master/ocb.c#L240
>> Ooops. I think you're right. How large input sizes did you need to
>> trigger problems?
>
> Input needs to be 272 bytes (16*17B) to trigger the problem. Here's
> what I get with valgrind (nettle and benchmarking tool compiled with -Og):
>
> I tried to add a test-vector (see at bottom) from libgcrypt for large input
> testing but could not get it working. Ciphertext generation works after
> fixing dst pointer increment and changing "ctx->message_count += n;" to
> "ctx->message_count += blocks;" in ocb_crypt_n(), but tag still does not
> match output from libgcrypt:

I've applied your patch (including the test fix from your other mail).
Thanks a lot!

>>> Also it would be nice if ocb_aes128 could be added to nettle_aeads
>>> array for easy access.
>> Which combination(s) of nonce size and tag size would it be useful to
>> advertise like that?
>
> Would the same values as for gcm_aes128 make sense (nonce=12, tag=16)?
>
> My use-case is pretty simply to find "ocb_" from nettle_aeads
> list for benchmark run and don't really care about which nonce/tag
> length gets used.

I'd like the choice to be guided by what actual applications need. Nonce
12, tag 16 sounds reasonable, but if I've understood it correctly, at
least openpgp uses something different.

For benchmarks, I hope it's not too cumbersome to define your own
struct nettle_aead, similar to what's in nettle-internal.c.

Regards,
/Niels

-- 
Niels Möller. PGP key CB4962D070D77D7FCB8BA36271D8F1FF368C6677.
Internet email is subject to wholesale government surveillance.
___
nettle-bugs mailing list -- nettle-bugs@lists.lysator.liu.se
To unsubscribe send an email to nettle-bugs-le...@lists.lysator.liu.se
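
The failure mode reported in this thread, as an added example (not Nettle's code and not written by either poster): a stand-in chunked loop whose destination pointer can step the wrong way after each pass, with a guard-region check showing why a 256-byte input passes and a 272-byte input does not. The 16-block pass limit is inferred from the 272-byte figure above; the XOR stand-in for the cipher and all names are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>
#define BLOCK 16                        /* OCB block size in bytes */
#define MAX_BLOCKS 16                   /* assumed blocks handled per loop pass */
#define SPAN (2 * MAX_BLOCKS * BLOCK)   /* largest test input; also guard size */
#define CANARY 0xA5

/* Stand-in for a chunked crypt loop: XOR with a block counter, not real OCB.
   step_back = 1 reproduces the reported "dst -= size" pointer step. */
static void crypt_chunked(unsigned char *dst, const unsigned char *src,
                          size_t n, int step_back)
{
  size_t count = 0, i;
  while (n > 0) {
    size_t blocks = n < MAX_BLOCKS ? n : MAX_BLOCKS;
    size_t size = blocks * BLOCK;
    for (i = 0; i < size; i++)
      dst[i] = src[i] ^ (unsigned char)(count + i / BLOCK + 1);
    count += blocks; n -= blocks;
    src += size;
    if (step_back) dst -= size; else dst += size;
  }
}

/* Returns 1 if n blocks come out right with both guard regions untouched,
   0 if not, -1 if n is outside the range this harness keeps in bounds. */
static int check_blocks(size_t n, int step_back)
{
  static unsigned char arena[3 * SPAN];  /* guard | output | guard */
  unsigned char src[SPAN], *out = arena + SPAN;
  size_t len = n * BLOCK, i;
  if (n < 1 || n > 2 * MAX_BLOCKS) return -1;
  memset(arena, CANARY, sizeof arena);
  for (i = 0; i < len; i++) src[i] = (unsigned char)(i * 7);
  crypt_chunked(out, src, n, step_back);
  for (i = 0; i < SPAN; i++)
    if (arena[i] != CANARY || out[len + i] != CANARY) return 0;
  for (i = 0; i < len; i++)
    if (out[i] != (src[i] ^ (unsigned char)(i / BLOCK + 1))) return 0;
  return 1;
}

int main(void)
{
  for (size_t n = MAX_BLOCKS; n <= MAX_BLOCKS + 1; n++)  /* 256 and 272 bytes */
    printf("%u bytes: buggy=%d fixed=%d\n", (unsigned)(n * BLOCK),
           check_blocks(n, 1), check_blocks(n, 0));
  return 0;
}
```

Test vectors that stop at one pass of the loop cannot see this class of bug; sizes on both sides of the pass limit, run under valgrind or a sanitizer, can.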


Re: ANNOUNCE: Nettle-3.9

2023-05-19 Thread Jussi Kivilinna

On 17.5.2023 20.07, Jussi Kivilinna wrote:


>> Which combination(s) of nonce size and tag size would it be useful to
>> advertise like that?
>
> Would the same values as for gcm_aes128 make sense (nonce=12, tag=16)?
>
> My use-case is pretty simply to find "ocb_" from nettle_aeads
> list for benchmark run and don't really care about which nonce/tag
> length gets used. See:
> https://github.com/jkivilin/bench-slopes/blob/master/src/bench-slope-nettle.c#L380


I decided to rewrite AEAD benchmarking to use each mode directly through
corresponding headers instead. So that link does not point to the correct
place anymore.

-Jussi
