Russtopia/xs
2
1
Fork 0
mirror of https://gogs.blitter.com/RLabs/xs synced 2024-08-14 10:26:42 +00:00
Code Issues Projects Releases Wiki Activity

Comment re: AtE vs. EtA

Browse source
This commit is contained in:
Russ Magee 2020-12-15 21:15:15 -08:00
parent 6890f3e5eb
commit 279f20d10b
1 changed files with 29 additions and 16 deletions
Download patch file Download diff file Expand all files Collapse all files

13
xsnet/net.go
View file

@ -1501,6 +1501,19 @@ func (hc *Conn) WritePacket(b []byte, ctrlStatOp byte) (n int, err error) {
log.Printf(" :>ptext:\r\n%s\r\n", hex.Dump(b[0:payloadLen])) log.Printf(" :>ptext:\r\n%s\r\n", hex.Dump(b[0:payloadLen]))
} }
// NOTE the code currently uses Authenticate-then-Encrypt, which in block modes
// is insecure; however
// 1) we are using exclusively XOR-stream modes with random padding,
// 2) are padding randomly either before or after the real payload, and
// 3) the padding side indicator value itself is part of the ciphertext
// ... thus are not subject to oracle attacks of the type used on SSL
// (see https://link.springer.com/content/pdf/10.1007%2F3-540-44647-8_19.pdf)
//
// Nevertheless, to address any future concerns this code may switch to
// Encrypt-then-Auth and offer the current scheme as a legacy mode
// (or just issue a breaking release since this is very pre-1.0.)
// -rlm 2020-12-15
// Calculate hmac on payload // Calculate hmac on payload
hc.wm.Write(b[0:payloadLen]) hc.wm.Write(b[0:payloadLen])
hmacOut = hc.wm.Sum(nil)[0:HMAC_CHK_SZ] hmacOut = hc.wm.Sum(nil)[0:HMAC_CHK_SZ]