Am Freitag, 7. Februar 2020, 12:50:51 CET schrieb Gilad Ben-Yossef: Hi Gilad, > > It is correct, but is it smart? > > Either we require the same IV to be passed twice as we do today, in which > case passing different IV should fail in a predictable manner OR we should > define the operation is taking two IV like structures - one as the IV and > one as bytes in the associated data and have the IPsec code use it in a > specific way of happen to pass the same IV in both places. > > I don't care either way - but right now the tests basically relies on > undefined behaviour > which is always a bad thing, I think. I am not sure about the motivation of this discussion: we have exactly one user of the RFC4106 implementation: IPSec. Providing the IV/AAD is efficient as the rfc4106 template intents to require the data in a format that requires minimal processing on the IPSec side to bring it in the right format. On the other hand, the cipher implementation should just do the operation regardless of where the data comes from or whether the AAD buffer overlaps with the IV buffer. I.e. the cipher should try to interpret the data but just do the work. So, where is it inefficient? Maybe the API for RFC4106 could be a bit nicer, but it needs to fit into the overall AEAD API as a specific RFC4106-API seems to be overkill. Ciao Stephan
