This patch add supports for SIV, an AEAD block cipher
mode defined in RFC5297. SIV is only valid for AES.
The PRF of SIV (S2V) is factored out in the Protocol.KDF module.
See the following example to get a feeling of the API (slightly
different than other AEAD mode, during decryption).
Encryption (Python 2):
>>> from Crypto.Cipher import AES
>>> key = b'0'*32
>>> siv = AES.new(key, AES.MODE_SIV)
>>> ct = siv.encrypt(b'Message')
>>> mac = siv.digest()
Decryption (Python 2):
>>> from Crypto.Cipher import AES, MacMismatchError
>>> key = b'0'*32
>>> siv = AES.new(key, AES.MODE_SIV)
>>> pt = siv.decrypt(ct + mac)
>>> try:
>>> siv.verify(mac)
>>> print "Plaintext", pt
>>> except MacMismatchError:
>>> print "Error"
This change also fixes the description/design of AEAD API.
With SIV (RFC5297), decryption can only start when the MAC is known.
The original AEAD API did not support that.
For SIV the MAC is now exceptionally passed together with the ciphertext
to the decrypt() method.
[dlitz@dlitz.net: Included changes from the following commits from the author's pull request:]
- [9c13f9c] Rename 'IV' parameter to 'nonce' for AEAD modes.
- [d7727fb] Fix description/design of AEAD API.
- [fb62fae] ApiUsageError becomes TypeError [whitespace]
- [4ec64d8] Removed last references to ApiUsageError [whitespace]
- [ee46922] Removed most 'import *' statements
- [ca460a7] Made blockalgo.py more PEP-8 compliant;
The second parameter of the _GHASH constructor
is now the length of the block (block_size)
and not the full module.
[dlitz@dlitz.net: A conflict that was not resolved in the previous
commit was originally resolved here. Moved the
resolution to the previous commit.]
[dlitz@dlitz.net: Replaced MacMismatchError with ValueError]
[dlitz@dlitz.net: Replaced ApiUsageError with TypeError]
[dlitz@dlitz.net: Whitespace fixed with "git rebase --whitespace=fix"]
These algorithm names were confusing, because there are actually
algorithms called "SHA" (a.k.a. SHA-0) and "RIPEMD" (the original
version).
This commit just renames the modules, with no backward-compatibility
support.
Objects used by PKCS#1 modules were treated as private,
and therefore ignored by epydoc.
Replaced SHA module with None as PBKDF1 default parameter value, because it was
not displayed nicely by epydoc. Default value is assigned in the body.
