[thirdparty/nettle.git] / umac128.c

/* umac128.c

   Copyright (C) 2013 Niels Möller

   This file is part of GNU Nettle.

   GNU Nettle is free software: you can redistribute it and/or
   modify it under the terms of either:

     * the GNU Lesser General Public License as published by the Free
       Software Foundation; either version 3 of the License, or (at your
       option) any later version.

   or

     * the GNU General Public License as published by the Free
       Software Foundation; either version 2 of the License, or (at your
       option) any later version.

   or both in parallel, as here.

   GNU Nettle is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
   General Public License for more details.

   You should have received copies of the GNU General Public License and
   the GNU Lesser General Public License along with this program.  If
   not, see http://www.gnu.org/licenses/.
*/

#if HAVE_CONFIG_H
# include "config.h"
#endif

#include <assert.h>
#include <string.h>

#include "umac.h"
#include "umac-internal.h"

#include "macros.h"

void
umac128_set_key (struct umac128_ctx *ctx, const uint8_t *key)
{
  _nettle_umac_set_key (ctx->l1_key, ctx->l2_key, ctx->l3_key1, ctx->l3_key2,
			&ctx->pdf_key, key, 4);

  /* Clear nonce */
  memset (ctx->nonce, 0, sizeof(ctx->nonce));
  ctx->nonce_length = sizeof(ctx->nonce);

  /* Initialize buffer */
  ctx->count = ctx->index = 0;
}

void
umac128_set_nonce (struct umac128_ctx *ctx,
		   size_t nonce_length, const uint8_t *nonce)
{
  assert (nonce_length > 0);
  assert (nonce_length <= AES_BLOCK_SIZE);

  memcpy (ctx->nonce, nonce, nonce_length);
  memset (ctx->nonce + nonce_length, 0, AES_BLOCK_SIZE - nonce_length);

  ctx->nonce_length = nonce_length;
}

#define UMAC128_BLOCK(ctx, block) do {					\
    uint64_t __umac128_y[4];						\
    _nettle_umac_nh_n (__umac128_y, 4, ctx->l1_key, UMAC_BLOCK_SIZE, block); \
    __umac128_y[0] += 8*UMAC_BLOCK_SIZE;				\
    __umac128_y[1] += 8*UMAC_BLOCK_SIZE;				\
    __umac128_y[2] += 8*UMAC_BLOCK_SIZE;				\
    __umac128_y[3] += 8*UMAC_BLOCK_SIZE;				\
    _nettle_umac_l2 (ctx->l2_key, ctx->l2_state, 4, ctx->count++, __umac128_y); \
  } while (0)

void
umac128_update (struct umac128_ctx *ctx,
		size_t length, const uint8_t *data)
{
  MD_UPDATE (ctx, length, data, UMAC128_BLOCK, (void)0);
}


void
umac128_digest (struct umac128_ctx *ctx,
		size_t length, uint8_t *digest)
{
  uint32_t tag[4];
  unsigned i;

  assert (length > 0);
  assert (length <= 16);

  if (ctx->index > 0 || ctx->count == 0)
    {
      /* Zero pad to multiple of 32 */
      uint64_t y[4];
      unsigned pad = (ctx->index > 0) ? 31 & - ctx->index : 32;
      memset (ctx->block + ctx->index, 0, pad);

      _nettle_umac_nh_n (y, 4, ctx->l1_key, ctx->index + pad, ctx->block);
      y[0] += 8 * ctx->index;
      y[1] += 8 * ctx->index;
      y[2] += 8 * ctx->index;
      y[3] += 8 * ctx->index;
      _nettle_umac_l2 (ctx->l2_key, ctx->l2_state, 4, ctx->count++, y);
    }
  assert (ctx->count > 0);

  aes128_encrypt (&ctx->pdf_key, AES_BLOCK_SIZE,
		  (uint8_t *) tag, ctx->nonce);

  INCREMENT (ctx->nonce_length, ctx->nonce);

  _nettle_umac_l2_final (ctx->l2_key, ctx->l2_state, 4, ctx->count);
  for (i = 0; i < 4; i++)
    tag[i] ^= ctx->l3_key2[i] ^ _nettle_umac_l3 (ctx->l3_key1 + 8*i,
						 ctx->l2_state + 2*i);

  memcpy (digest, tag, length);

  /* Reinitialize */
  ctx->count = ctx->index = 0;
}
Commit	Line	Data
34aef19b	1	/* umac128.c
90112edb NM	2
	3	Copyright (C) 2013 Niels Möller
	4
	5	This file is part of GNU Nettle.
	6
	7	GNU Nettle is free software: you can redistribute it and/or
	8	modify it under the terms of either:
	9
	10	* the GNU Lesser General Public License as published by the Free
	11	Software Foundation; either version 3 of the License, or (at your
	12	option) any later version.
	13
	14	or
	15
	16	* the GNU General Public License as published by the Free
	17	Software Foundation; either version 2 of the License, or (at your
	18	option) any later version.
	19
	20	or both in parallel, as here.
	21
	22	GNU Nettle is distributed in the hope that it will be useful,
	23	but WITHOUT ANY WARRANTY; without even the implied warranty of
	24	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	25	General Public License for more details.
	26
	27	You should have received copies of the GNU General Public License and
	28	the GNU Lesser General Public License along with this program. If
	29	not, see http://www.gnu.org/licenses/.
	30	*/
34aef19b NM	31
	32	#if HAVE_CONFIG_H
	33	# include "config.h"
	34	#endif
	35
	36	#include <assert.h>
	37	#include <string.h>
	38
	39	#include "umac.h"
da81c86a	40	#include "umac-internal.h"
34aef19b NM	41
	42	#include "macros.h"
	43
	44	void
	45	umac128_set_key (struct umac128_ctx ctx, const uint8_t key)
	46	{
54a9be1e NM	47	_nettle_umac_set_key (ctx->l1_key, ctx->l2_key, ctx->l3_key1, ctx->l3_key2,
54a9be1e NM	48	&ctx->pdf_key, key, 4);
34aef19b NM	49
	50	/* Clear nonce */
	51	memset (ctx->nonce, 0, sizeof(ctx->nonce));
	52	ctx->nonce_length = sizeof(ctx->nonce);
	53
	54	/* Initialize buffer */
	55	ctx->count = ctx->index = 0;
	56	}
	57
	58	void
	59	umac128_set_nonce (struct umac128_ctx *ctx,
b8bfc32f	60	size_t nonce_length, const uint8_t *nonce)
34aef19b NM	61	{
	62	assert (nonce_length > 0);
	63	assert (nonce_length <= AES_BLOCK_SIZE);
	64
	65	memcpy (ctx->nonce, nonce, nonce_length);
	66	memset (ctx->nonce + nonce_length, 0, AES_BLOCK_SIZE - nonce_length);
	67
	68	ctx->nonce_length = nonce_length;
	69	}
	70
	71	#define UMAC128_BLOCK(ctx, block) do { \
	72	uint64_t __umac128_y[4]; \
54a9be1e	73	_nettle_umac_nh_n (__umac128_y, 4, ctx->l1_key, UMAC_BLOCK_SIZE, block); \
d22bac82 NM	74	__umac128_y[0] += 8*UMAC_BLOCK_SIZE; \
	75	__umac128_y[1] += 8*UMAC_BLOCK_SIZE; \
	76	__umac128_y[2] += 8*UMAC_BLOCK_SIZE; \
	77	__umac128_y[3] += 8*UMAC_BLOCK_SIZE; \
54a9be1e	78	_nettle_umac_l2 (ctx->l2_key, ctx->l2_state, 4, ctx->count++, __umac128_y); \
34aef19b NM	79	} while (0)
	80
	81	void
	82	umac128_update (struct umac128_ctx *ctx,
b8bfc32f	83	size_t length, const uint8_t *data)
34aef19b NM	84	{
	85	MD_UPDATE (ctx, length, data, UMAC128_BLOCK, (void)0);
	86	}
	87
	88
	89	void
	90	umac128_digest (struct umac128_ctx *ctx,
b8bfc32f	91	size_t length, uint8_t *digest)
34aef19b NM	92	{
	93	uint32_t tag[4];
	94	unsigned i;
	95
	96	assert (length > 0);
	97	assert (length <= 16);
	98
	99	if (ctx->index > 0 \|\| ctx->count == 0)
	100	{
	101	/* Zero pad to multiple of 32 */
	102	uint64_t y[4];
	103	unsigned pad = (ctx->index > 0) ? 31 & - ctx->index : 32;
	104	memset (ctx->block + ctx->index, 0, pad);
	105
54a9be1e	106	_nettle_umac_nh_n (y, 4, ctx->l1_key, ctx->index + pad, ctx->block);
34aef19b NM	107	y[0] += 8 * ctx->index;
	108	y[1] += 8 * ctx->index;
	109	y[2] += 8 * ctx->index;
	110	y[3] += 8 * ctx->index;
54a9be1e	111	_nettle_umac_l2 (ctx->l2_key, ctx->l2_state, 4, ctx->count++, y);
34aef19b NM	112	}
	113	assert (ctx->count > 0);
	114
31a51477 NM	115	aes128_encrypt (&ctx->pdf_key, AES_BLOCK_SIZE,
31a51477 NM	116	(uint8_t *) tag, ctx->nonce);
34aef19b	117
1d4c756c	118	INCREMENT (ctx->nonce_length, ctx->nonce);
34aef19b	119
54a9be1e	120	_nettle_umac_l2_final (ctx->l2_key, ctx->l2_state, 4, ctx->count);
34aef19b	121	for (i = 0; i < 4; i++)
54a9be1e NM	122	tag[i] ^= ctx->l3_key2[i] ^ _nettle_umac_l3 (ctx->l3_key1 + 8*i,
54a9be1e NM	123	ctx->l2_state + 2*i);
34aef19b NM	124
	125	memcpy (digest, tag, length);
	126
	127	/* Reinitialize */
	128	ctx->count = ctx->index = 0;
	129	}