More info on AEAD decryption handling

author: lloyd <[email protected]> 2014-12-31 12:58:24 +0000
committer: lloyd <[email protected]> 2014-12-31 12:58:24 +0000
commit: c25cd2bf6058d92a09a38c27252cec74158f23e4 (patch)
tree: 4a7561298143ea42dbab38ac14cef348e0c5a70b /doc
parent: b5b92a8a3847e2f3ad5ea2b429c4c6129ed6cb53 (diff)
1 files changed, 10 insertions, 0 deletions
diff --git a/doc/manual/aead.rst b/doc/manual/aead.rst
index a5c60c14b..9798cac3b 100644
--- a/doc/manual/aead.rst
+++ b/doc/manual/aead.rst
@@ -65,6 +65,16 @@ AEAD modes currently available include GCM, OCB, and EAX. All three use a
        Note that if you have the entire message in hand, calling finish without
        ever calling update is both efficient and convenient.
 
+       .. note::
+          During decryption, finish will throw an instance of Integrity_Failure
+          if the MAC does not validate. If this occurs, all plaintext previously
+          output via calls to update must be destroyed and not used in any
+          way that an attacker could observe the effects of.
+
+          One simply way to assure this could never happen is to never
+          call update, and instead always marshall the entire message
+          into a single buffer and call finish on it when decrypting.
+
   .. cpp:function:: size_t update_granularity() const
 
        The AEAD interface requires :cpp:func:`update` be called with blocks of
author	lloyd <[email protected]>	2014-12-31 12:58:24 +0000
committer	lloyd <[email protected]>	2014-12-31 12:58:24 +0000
commit	c25cd2bf6058d92a09a38c27252cec74158f23e4 (patch)
tree	4a7561298143ea42dbab38ac14cef348e0c5a70b /doc
parent	b5b92a8a3847e2f3ad5ea2b429c4c6129ed6cb53 (diff)