diff --git a/src/include/aegis128l.h b/src/include/aegis128l.h
index 3dc1f7f..7ceaa8f 100644
--- a/src/include/aegis128l.h
+++ b/src/include/aegis128l.h
@@ -265,7 +265,8 @@ void aegis128l_decrypt_unauthenticated(uint8_t *m, const uint8_t *c, size_t clen
 * The recommended way to use the MAC mode is to generate a random key and keep it secret.
 *
 * After initialization, the state can be reused to generate multiple MACs by cloning it
- * with `aegis128l_mac_state_clone()`.
+ * with `aegis128l_mac_state_clone()`. It is only safe to copy a state directly without using
+ * the clone function if the state is guaranteed to be properly aligned.
 */
 void aegis128l_mac_init(aegis128l_state *st_, const uint8_t *k);
diff --git a/src/include/aegis128x2.h b/src/include/aegis128x2.h
index 919f8b7..8ff0f17 100644
--- a/src/include/aegis128x2.h
+++ b/src/include/aegis128x2.h
@@ -265,7 +265,8 @@ void aegis128x2_decrypt_unauthenticated(uint8_t *m, const uint8_t *c, size_t cle
 * The recommended way to use the MAC mode is to generate a random key and keep it secret.
 *
 * After initialization, the state can be reused to generate multiple MACs by cloning it
- * with `aegis128x2_mac_state_clone()`.
+ * with `aegis128x2_mac_state_clone()`. It is only safe to copy a state directly without using
+ * the clone function if the state is guaranteed to be properly aligned.
 */
 void aegis128x2_mac_init(aegis128x2_state *st_, const uint8_t *k);
diff --git a/src/include/aegis128x4.h b/src/include/aegis128x4.h
index 9c97b01..5e5fb70 100644
--- a/src/include/aegis128x4.h
+++ b/src/include/aegis128x4.h
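Review bot: The sentence added to the `aegis128l_mac_init` comment makes a direct copy conditional on the state being "properly aligned" without saying what alignment is required or whether it concerns the source, the destination, or both, so a caller has nothing concrete to check against. Consider stating it explicitly, e.g. `Copying a state directly is only safe if it is aligned to <REQUIRED_ALIGNMENT> bytes; otherwise use the clone function.`, with the real value and the side it applies to filled in. The same wording is added in aegis128x2.h, aegis128x4.h, aegis256.h, aegis256x2.h and aegis256x4.h. This commit also deletes the "MAC with unaligned state" test from src/test/main.zig, so the clone path on an unaligned state appears to lose its visible coverage, which is worth confirming. The comment block starts above the hunk.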
@@ -265,7 +265,8 @@ void aegis128x4_decrypt_unauthenticated(uint8_t *m, const uint8_t *c, size_t cle
 * The recommended way to use the MAC mode is to generate a random key and keep it secret.
 *
 * After initialization, the state can be reused to generate multiple MACs by cloning it
- * with `aegis128x4_mac_state_clone()`.
+ * with `aegis128x4_mac_state_clone()`. It is only safe to copy a state directly without using
+ * the clone function if the state is guaranteed to be properly aligned.
 */
 void aegis128x4_mac_init(aegis128x4_state *st_, const uint8_t *k);
diff --git a/src/include/aegis256.h b/src/include/aegis256.h
index 07a2da6..309a244 100644
--- a/src/include/aegis256.h
+++ b/src/include/aegis256.h
@@ -265,7 +265,8 @@ void aegis256_decrypt_unauthenticated(uint8_t *m, const uint8_t *c, size_t clen,
 * The recommended way to use the MAC mode is to generate a random key and keep it secret.
 *
 * After initialization, the state can be reused to generate multiple MACs by cloning it
- * with `aegis256_mac_state_clone()`.
+ * with `aegis256_mac_state_clone()`. It is only safe to copy a state directly without using
+ * the clone function if the state is guaranteed to be properly aligned.
 */
 void aegis256_mac_init(aegis256_state *st_, const uint8_t *k);
diff --git a/src/include/aegis256x2.h b/src/include/aegis256x2.h
index 58e7162..419c989 100644
--- a/src/include/aegis256x2.h
+++ b/src/include/aegis256x2.h
@@ -265,7 +265,8 @@ void aegis256x2_decrypt_unauthenticated(uint8_t *m, const uint8_t *c, size_t cle
 * The recommended way to use the MAC mode is to generate a random key and keep it secret.
 *
 * After initialization, the state can be reused to generate multiple MACs by cloning it
- * with `aegis256x2_mac_state_clone()`.
+ * with `aegis256x2_mac_state_clone()`. It is only safe to copy a state directly without using
+ * the clone function if the state is guaranteed to be properly aligned.
 */
 void aegis256x2_mac_init(aegis256x2_state *st_, const uint8_t *k);
diff --git a/src/include/aegis256x4.h b/src/include/aegis256x4.h
index 352af65..a04b761 100644
--- a/src/include/aegis256x4.h
+++ b/src/include/aegis256x4.h
@@ -265,7 +265,8 @@ void aegis256x4_decrypt_unauthenticated(uint8_t *m, const uint8_t *c, size_t cle
 * The recommended way to use the MAC mode is to generate a random key and keep it secret.
 *
 * After initialization, the state can be reused to generate multiple MACs by cloning it
- * with `aegis256_mac_state_clone()`.
+ * with `aegis256_mac_state_clone()`. It is only safe to copy a state directly without using
+ * the clone function if the state is guaranteed to be properly aligned.
 */
 void aegis256x4_mac_init(aegis256x4_state *st_, const uint8_t *k);
diff --git a/src/test/main.zig b/src/test/main.zig
index 110f868..6a85e06 100644
--- a/src/test/main.zig
+++ b/src/test/main.zig
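Review bot: The aegis256x4.h comment still refers to `aegis256_mac_state_clone()`, on both the removed and the added line, while every other header touched by this commit names its own variant's clone function. Since the documented initializer takes an `aegis256x4_state`, this looks like a copy-paste slip and the added line should presumably name `aegis256x4_mac_state_clone()` instead. A reader following the comment literally would reach for a clone function belonging to a different state type, which matters more now that the same sentence warns against copying the state by other means. The exact function name should be confirmed against the declarations in this header, which lie outside the hunk.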
@@ -741,52 +741,3 @@ test "aegis128x4 - MAC" {
 try testing.expectEqual(ret, 0);
 try testing.expectEqualSlices(u8, &mac, &mac2);
 }
-
-test "aegis128l - MAC with unaligned state" {
- const key = [16]u8{ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 };
- const msg = [_]u8{ 1, 2, 3 } ** 100;
- const msg2 = [_]u8{ 4, 5, 6, 7, 8 } ** 100 ++ [_]u8{0};
-
- const UnalignedState1 = struct {
- pad: u8 = 0xd0,
- x: aegis.aegis128l_state,
- };
- const UnalignedState2 = struct {
- pad: u16 = 0xd0,
- x: aegis.aegis128l_state,
- };
-
- var st0: UnalignedState1 = undefined;
- aegis.aegis128l_mac_init(&st0.x, &key);
-
- var st: UnalignedState2 = undefined;
- aegis.aegis128l_mac_state_clone(&st.x, &st0.x);
- var ret = aegis.aegis128l_mac_update(&st.x, &msg, msg.len);
- try testing.expectEqual(ret, 0);
- ret = aegis.aegis128l_mac_update(&st.x, &msg2, msg2.len);
- try testing.expectEqual(ret, 0);
- var mac: [32]u8 = undefined;
- ret = aegis.aegis128l_mac_final(&st.x, &mac, mac.len);
- try testing.expectEqual(ret, 0);
-
- aegis.aegis128l_mac_state_clone(&st.x, &st0.x);
- ret = aegis.aegis128l_mac_update(&st.x, &msg, msg.len);
- try testing.expectEqual(ret, 0);
- ret = aegis.aegis128l_mac_update(&st.x, &msg2, msg2.len);
- try testing.expectEqual(ret, 0);
- ret = aegis.aegis128l_mac_verify(&st.x, &mac, mac.len);
- try testing.expectEqual(ret, 0);
-
- aegis.aegis128l_mac_state_clone(&st.x, &st0.x);
- const msg3 = msg ++ msg2;
- ret = aegis.aegis128l_mac_update(&st.x, &msg3, msg3.len);
- try testing.expectEqual(ret, 0);
- ret = aegis.aegis128l_mac_verify(&st.x, &mac, mac.len);
- try testing.expectEqual(ret, 0);
-
- const nonce = [_]u8{0} ** 16;
- var mac2: [mac.len]u8 = undefined;
- ret = aegis.aegis128l_encrypt_detached(&mac2, &mac2, mac2.len, "", 0, &msg3, msg3.len, &nonce, &key);
- try testing.expectEqual(ret, 0);
- try testing.expectEqualSlices(u8, &mac, &mac2);
-}