[gnutls-devel] GnuTLS | Prohibit "duplexing the sponge" (#1592)
Read-only notification of GnuTLS library development activities
gnutls-devel at lists.gnutls.org
Tue Oct 15 14:29:43 CEST 2024
Alexander Sosedkin created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1592
A caller might alternate calls to `gnutls_hash_squeeze` with calls to `gnutls_hash` and expect that to work.
#include <gnutls/crypto.h>

gnutls_hash_hd_t h;
unsigned char digest[256];
gnutls_hash_init(&h, GNUTLS_DIG_SHAKE_128);
gnutls_hash(h, "aaa", 3); // definitely legal and repeatable
gnutls_hash_squeeze(h, digest, 128); // definitely legal and repeatable
gnutls_hash(h, "bbbb", 4); // <- sha3.c:76: _nettle_sha3_update: Assertion `pos < block_size' failed. (4294967167 < 168)
gnutls_hash_squeeze(h, digest + 128, 128); // <- if alternating is well-defined, what would the result be?
But I couldn't find either test vectors or well-defined explanations of what must happen for SHAKE in that case.
Calling `gnutls_hash` after `gnutls_hash_squeeze` has been called at least once should be prohibited with a flag or something, and it should survive copying the handle.
Additionally, the documentation for `gnutls_hash_squeeze` could benefit from a sentence telling API users to refrain from absorbing after squeezing.
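The guard proposed in the issue (a "squeezed" flag that rejects further absorbing and travels with a copied handle), as an added example that is not GnuTLS code: it wraps Python's hashlib.shake_128, which, unlike the GnuTLS handle above, silently accepts update() after digest(), and emulates incremental squeezing by tracking an output offset, since hashlib only exposes digest(n) as the first n bytes. The class and function names are my own.

```python
import hashlib


class ShakeHandle:
    """SHAKE128 sponge handle that forbids absorbing after the first squeeze."""

    def __init__(self, state=None, offset=0, squeezed=False):
        self._xof = state if state is not None else hashlib.shake_128()
        self._offset = offset       # bytes of XOF output already handed out
        self._squeezed = squeezed   # once True, absorb() is an error

    def absorb(self, data: bytes) -> None:
        if self._squeezed:
            raise RuntimeError("absorb after squeeze is undefined; refusing")
        self._xof.update(data)

    def squeeze(self, length: int) -> bytes:
        # Consecutive squeezes return successive slices of one long output.
        self._squeezed = True
        end = self._offset + length
        out = self._xof.digest(end)[self._offset:end]
        self._offset = end
        return out

    def copy(self) -> "ShakeHandle":
        # The flag and the output offset travel with the copied handle.
        return ShakeHandle(self._xof.copy(), self._offset, self._squeezed)


def demo() -> dict:
    """Replay the sequence from the issue against the guarded handle."""
    h = ShakeHandle()
    h.absorb(b"aaa")
    first = h.squeeze(128)
    clone = h.copy()             # copy taken after squeezing
    second = h.squeeze(128)
    # Two 128-byte squeezes must equal one 256-byte squeeze of the same input.
    ref = hashlib.shake_128(b"aaa").digest(256)
    try:
        clone.absorb(b"bbbb")    # must be rejected: the flag survived copy()
        rejected = False
    except RuntimeError:
        rejected = True
    return {"consistent": first + second == ref,
            "rejected": rejected,
            "clone_squeeze": clone.squeeze(128) == second}


if __name__ == "__main__":
    print(demo())
```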