From: Niels Möller Date: Thu, 6 Jun 2019 07:25:59 +0000 (+0200) Subject: Merge branch 'master' into siv-mode X-Git-Tag: nettle_3.6rc1~109^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=83296eb6a45f7dba125372a2ce3c8f4d6c8b9934;p=thirdparty%2Fnettle.git Merge branch 'master' into siv-mode The cmac changes on master breaks the previous version of the siv code. Now updated, and improved to use const context arguments for the _message functions. --- 83296eb6a45f7dba125372a2ce3c8f4d6c8b9934 diff --cc ChangeLog index 3f210b25,900a7e83..436ee556 --- a/ChangeLog +++ b/ChangeLog @@@ -1,43 -1,38 +1,96 @@@ ++2019-06-06 Niels Möller ++ ++ Update for cmac changes, enabling const for the _message fucntions. ++ * siv-cmac.c (_siv_s2v): Take a const struct cmac128_key as argument, ++ and use a local struct cmac128_ctx for message-specific state. ++ (siv_cmac_set_key): Take a struct cmac128_key as argument. Updated ++ callers. ++ (siv_cmac_encrypt_message, siv_cmac_decrypt_message): Take a const ++ struct cmac128_key as argument. Updated callers. ++ ++ * siv-cmac.h (SIV_CMAC_CTX): Changed to use struct cmac128_key ++ rather than struct cmac128_ctx. ++ ++ * siv-cmac-aes256.c (siv_cmac_aes256_encrypt_message) ++ (siv_cmac_aes256_decrypt_message): Likewise. ++ * siv-cmac-aes128.c (siv_cmac_aes128_encrypt_message) ++ (siv_cmac_aes128_decrypt_message): The ctx argument made const. ++ +2019-05-15 Niels Möller + + * siv-cmac.h (SIV_CMAC_AES128_KEY_SIZE, SIV_CMAC_AES256_KEY_SIZE): + New constants. + * testsuite/siv-test.c: Simplify tests a little. + + * siv-cmac.h (SIV_MIN_NONCE_SIZE): New constant, 1. + * siv-cmac.c (_siv_s2v): Require non-empty nonce. + * nettle.texinfo (SIV-CMAC): Update documentation. + +2019-05-06 Niels Möller + + SIV-CMAC mode, based on patch by Nikos Mavrogiannopoulos: + * siv-cmac.h (SIV_BLOCK_SIZE, SIV_DIGEST_SIZE): New constants. + (SIV_CMAC_CTX): New macro. + (struct siv_cmac_aes128_ctx, struct siv_cmac_aes256_ctx): New + context structs. + * siv-cmac.c (_siv_s2v, siv_cmac_set_key) + (siv_cmac_encrypt_message) + (siv_cmac_decrypt_message): New file, new functions. + * siv-cmac-aes128.c (siv_cmac_aes128_set_key) + (siv_cmac_aes128_encrypt_message) + (siv_cmac_aes128_decrypt_message): New file, new functions. + * siv-cmac-aes256.c (siv_cmac_aes256_set_key) + (siv_cmac_aes256_encrypt_message) + (siv_cmac_aes256_decrypt_message): New file, new functions. + * Makefile.in (nettle_SOURCES): Add siv-cmac source files. + (HEADERS): Add siv-cmac.h. + * testsuite/siv-test.c: New file. + * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added siv-test.c + * nettle.texinfo (SIV-CMAC): Documentation. + +2019-04-30 Niels Möller + + Based on a patch contributed by Nikos Mavrogiannopoulos. + * cmac.c (_cmac128_block_mulx): Renamed function... + (block_mulx): ... from old name. + * cmac-internal.h (_cmac128_block_mulx): New file, declare function. + * Makefile.in (DISTFILES): Added cmac-internal.h. + + 2019-06-05 Niels Möller + + Further separation of CMAC per-message state from the + message-independent subkeys, analogous to the gcm implementation. + * cmac.h (struct cmac128_ctx): Remove key, instead a struct + cmac128_key should be passed separately to functions that need it. + (CMAC128_CTX): Include both a struct cmac128_key and a struct + cmac128_ctx. + (CMAC128_SET_KEY, CMAC128_DIGEST): Updated accordingly. + + * cmac.c (cmac128_set_key): Change argument type from cmac128_ctx + to cmac128_key. Use a nettle_block16 for the constant zero block. + (cmac128_init): New function, to initialize a cmac128_ctx. + (cmac128_digest): Add cmac128_key argument. Move padding memset + into the block handling a partial block. Call cmac128_init to + reset state. + + 2019-06-01 Niels Möller + + * cmac.h (struct cmac128_key): New struct. + * cmac.h (struct cmac128_ctx): Use struct cmac128_key. + * cmac.c (cmac128_set_key, cmac128_digest): Update accordingly. + + 2019-05-12 Niels Möller + + Delete old libdes/openssl compatibility interface. + * des-compat.c: Delete file. + * des-compat.h: Delete file. + * testsuite/des-compat-test.c: Delete file. + * nettle.texinfo (Compatibility functions): Delete mention in documentation. + + 2019-05-11 Niels Möller + + * NEWS: More updates for Nettle-3.5. + 2019-04-27 Niels Möller From Simo Sorce: diff --cc cmac.c index 2f15a74d,c5a59b18..70ce8132 --- a/cmac.c +++ b/cmac.c @@@ -71,21 -70,24 +71,24 @@@ _cmac128_block_mulx(union nettle_block1 #endif /* !WORDS_BIGENDIAN */ void - cmac128_set_key(struct cmac128_ctx *ctx, const void *cipher, + cmac128_set_key(struct cmac128_key *key, const void *cipher, nettle_cipher_func *encrypt) { - static const uint8_t const_zero[] = { - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 - }; - union nettle_block16 *L = &ctx->block; - memset(ctx, 0, sizeof(*ctx)); + static const union nettle_block16 zero_block; + union nettle_block16 L; /* step 1 - generate subkeys k1 and k2 */ - encrypt(cipher, 16, L->b, const_zero); + encrypt(cipher, 16, L.b, zero_block.b); - _cmac128_block_mulx(&ctx->K1, L); - _cmac128_block_mulx(&ctx->K2, &ctx->K1); - block_mulx(&key->K1, &L); - block_mulx(&key->K2, &key->K1); ++ _cmac128_block_mulx(&key->K1, &L); ++ _cmac128_block_mulx(&key->K2, &key->K1); + } + + void + cmac128_init(struct cmac128_ctx *ctx) + { + memset(&ctx->X, 0, sizeof(ctx->X)); + ctx->index = 0; } #define MIN(x,y) ((x)<(y)?(x):(y)) diff --cc siv-cmac-aes128.c index 91dbd036,00000000..82ac16e9 mode 100644,000000..100644 --- a/siv-cmac-aes128.c +++ b/siv-cmac-aes128.c @@@ -1,77 -1,0 +1,77 @@@ +/* siv-cmac-aes128.c + + AES-SIV, RFC5297 + + Copyright (C) 2017 Nikos Mavrogiannopoulos + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include +#include + +#include "aes.h" +#include "siv-cmac.h" +#include "cmac.h" +#include "ctr.h" +#include "memxor.h" +#include "memops.h" +#include "cmac-internal.h" + +void +siv_cmac_aes128_set_key(struct siv_cmac_aes128_ctx *ctx, const uint8_t *key) +{ - siv_cmac_set_key(&ctx->siv_cmac.ctx, &ctx->siv_cmac.cipher, &ctx->siv_cipher, &nettle_aes128, key); ++ siv_cmac_set_key(&ctx->cmac_key, &ctx->cmac_cipher, &ctx->ctr_cipher, &nettle_aes128, key); +} + +void - siv_cmac_aes128_encrypt_message(struct siv_cmac_aes128_ctx *ctx, ++siv_cmac_aes128_encrypt_message(const struct siv_cmac_aes128_ctx *ctx, + size_t nlength, const uint8_t *nonce, + size_t alength, const uint8_t *adata, + size_t clength, uint8_t *dst, const uint8_t *src) +{ - siv_cmac_encrypt_message(&ctx->siv_cmac.ctx, &ctx->siv_cmac.cipher, - &nettle_aes128, &ctx->siv_cipher, ++ siv_cmac_encrypt_message(&ctx->cmac_key, &ctx->cmac_cipher, ++ &nettle_aes128, &ctx->ctr_cipher, + nlength, nonce, alength, adata, + clength, dst, src); +} + +int - siv_cmac_aes128_decrypt_message(struct siv_cmac_aes128_ctx *ctx, ++siv_cmac_aes128_decrypt_message(const struct siv_cmac_aes128_ctx *ctx, + size_t nlength, const uint8_t *nonce, + size_t alength, const uint8_t *adata, + size_t mlength, uint8_t *dst, const uint8_t *src) +{ - return siv_cmac_decrypt_message(&ctx->siv_cmac.ctx, &ctx->siv_cmac.cipher, - &nettle_aes128, &ctx->siv_cipher, ++ return siv_cmac_decrypt_message(&ctx->cmac_key, &ctx->cmac_cipher, ++ &nettle_aes128, &ctx->ctr_cipher, + nlength, nonce, alength, adata, + mlength, dst, src); +} diff --cc siv-cmac-aes256.c index 1fb11ab2,00000000..9401bbf1 mode 100644,000000..100644 --- a/siv-cmac-aes256.c +++ b/siv-cmac-aes256.c @@@ -1,77 -1,0 +1,77 @@@ +/* siv-cmac-aes256.c + + AES-SIV, RFC5297 + + Copyright (C) 2017 Nikos Mavrogiannopoulos + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +# include "config.h" +#endif + +#include +#include + +#include "aes.h" +#include "siv-cmac.h" +#include "cmac.h" +#include "ctr.h" +#include "memxor.h" +#include "memops.h" +#include "cmac-internal.h" + +void +siv_cmac_aes256_set_key(struct siv_cmac_aes256_ctx *ctx, const uint8_t *key) +{ - siv_cmac_set_key(&ctx->siv_cmac.ctx, &ctx->siv_cmac.cipher, &ctx->siv_cipher, &nettle_aes256, key); ++ siv_cmac_set_key(&ctx->cmac_key, &ctx->cmac_cipher, &ctx->ctr_cipher, &nettle_aes256, key); +} + +void - siv_cmac_aes256_encrypt_message(struct siv_cmac_aes256_ctx *ctx, ++siv_cmac_aes256_encrypt_message(const struct siv_cmac_aes256_ctx *ctx, + size_t nlength, const uint8_t *nonce, + size_t alength, const uint8_t *adata, + size_t clength, uint8_t *dst, const uint8_t *src) +{ - siv_cmac_encrypt_message(&ctx->siv_cmac.ctx, &ctx->siv_cmac.cipher, - &nettle_aes256, &ctx->siv_cipher, ++ siv_cmac_encrypt_message(&ctx->cmac_key, &ctx->cmac_cipher, ++ &nettle_aes256, &ctx->ctr_cipher, + nlength, nonce, alength, adata, + clength, dst, src); +} + +int - siv_cmac_aes256_decrypt_message(struct siv_cmac_aes256_ctx *ctx, - size_t nlength, const uint8_t *nonce, - size_t alength, const uint8_t *adata, - size_t mlength, uint8_t *dst, const uint8_t *src) ++siv_cmac_aes256_decrypt_message(const struct siv_cmac_aes256_ctx *ctx, ++ size_t nlength, const uint8_t *nonce, ++ size_t alength, const uint8_t *adata, ++ size_t mlength, uint8_t *dst, const uint8_t *src) +{ - return siv_cmac_decrypt_message(&ctx->siv_cmac.ctx, &ctx->siv_cmac.cipher, - &nettle_aes256, &ctx->siv_cipher, ++ return siv_cmac_decrypt_message(&ctx->cmac_key, &ctx->cmac_cipher, ++ &nettle_aes256, &ctx->ctr_cipher, + nlength, nonce, alength, adata, + mlength, dst, src); +} diff --cc siv-cmac.c index 1debdc4b,00000000..f498cb86 mode 100644,000000..100644 --- a/siv-cmac.c +++ b/siv-cmac.c @@@ -1,164 -1,0 +1,165 @@@ +/* siv-cmac.c + + SIV-CMAC, RFC5297 + + Copyright (C) 2017 Nikos Mavrogiannopoulos + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#if HAVE_CONFIG_H +#include "config.h" +#endif + +#include +#include + +#include "aes.h" +#include "siv-cmac.h" +#include "cmac.h" +#include "ctr.h" +#include "memxor.h" +#include "memops.h" +#include "cmac-internal.h" +#include "nettle-internal.h" + +/* This is an implementation of S2V for the AEAD case where + * vectors if zero, are considered as S empty components */ +static void +_siv_s2v (const struct nettle_cipher *nc, - struct cmac128_ctx *siv_cmac_ctx, - const void *cmac_cipher_ctx, ++ const struct cmac128_key *cmac_key, ++ const void *cmac_cipher, + size_t alength, const uint8_t * adata, + size_t nlength, const uint8_t * nonce, + size_t plength, const uint8_t * pdata, uint8_t * v) +{ + union nettle_block16 D, S, T; + static const union nettle_block16 const_zero = {.b = 0 }; - ++ struct cmac128_ctx cmac_ctx; + assert (nlength >= SIV_MIN_NONCE_SIZE); + - cmac128_update (siv_cmac_ctx, cmac_cipher_ctx, nc->encrypt, 16, const_zero.b); - cmac128_digest (siv_cmac_ctx, cmac_cipher_ctx, nc->encrypt, 16, D.b); ++ cmac128_init(&cmac_ctx); ++ cmac128_update (&cmac_ctx, cmac_cipher, nc->encrypt, 16, const_zero.b); ++ cmac128_digest (&cmac_ctx, cmac_key, cmac_cipher, nc->encrypt, 16, D.b); + + _cmac128_block_mulx (&D, &D); - cmac128_update (siv_cmac_ctx, cmac_cipher_ctx, nc->encrypt, alength, adata); - cmac128_digest (siv_cmac_ctx, cmac_cipher_ctx, nc->encrypt, 16, S.b); ++ cmac128_update (&cmac_ctx, cmac_cipher, nc->encrypt, alength, adata); ++ cmac128_digest (&cmac_ctx, cmac_key, cmac_cipher, nc->encrypt, 16, S.b); + memxor (D.b, S.b, 16); + + _cmac128_block_mulx (&D, &D); - cmac128_update (siv_cmac_ctx, cmac_cipher_ctx, nc->encrypt, nlength, nonce); - cmac128_digest (siv_cmac_ctx, cmac_cipher_ctx, nc->encrypt, 16, S.b); ++ cmac128_update (&cmac_ctx, cmac_cipher, nc->encrypt, nlength, nonce); ++ cmac128_digest (&cmac_ctx, cmac_key, cmac_cipher, nc->encrypt, 16, S.b); + memxor (D.b, S.b, 16); + + /* Sn */ + if (plength >= 16) + { - cmac128_update (siv_cmac_ctx, cmac_cipher_ctx, nc->encrypt, plength - 16, pdata); ++ cmac128_update (&cmac_ctx, cmac_cipher, nc->encrypt, plength - 16, pdata); + + pdata += plength - 16; + + memxor3 (T.b, pdata, D.b, 16); + } + else + { + union nettle_block16 pad; + + _cmac128_block_mulx (&T, &D); + memcpy (pad.b, pdata, plength); + pad.b[plength] = 0x80; + if (plength + 1 < 16) + memset (&pad.b[plength + 1], 0, 16 - plength - 1); + + memxor (T.b, pad.b, 16); + } + - cmac128_update (siv_cmac_ctx, cmac_cipher_ctx, nc->encrypt, 16, T.b); - cmac128_digest (siv_cmac_ctx, cmac_cipher_ctx, nc->encrypt, 16, v); ++ cmac128_update (&cmac_ctx, cmac_cipher, nc->encrypt, 16, T.b); ++ cmac128_digest (&cmac_ctx, cmac_key, cmac_cipher, nc->encrypt, 16, v); +} + +void - siv_cmac_set_key (struct cmac128_ctx *siv_cmac_ctx, void *cmac_cipher_ctx, void *cipher_ctx, ++siv_cmac_set_key (struct cmac128_key *cmac_key, void *cmac_cipher, void *siv_cipher, + const struct nettle_cipher *nc, const uint8_t * key) +{ - nc->set_encrypt_key (cmac_cipher_ctx, key); - cmac128_set_key (siv_cmac_ctx, cmac_cipher_ctx, nc->encrypt); - nc->set_encrypt_key (cipher_ctx, key + nc->key_size); ++ nc->set_encrypt_key (cmac_cipher, key); ++ cmac128_set_key (cmac_key, cmac_cipher, nc->encrypt); ++ nc->set_encrypt_key (siv_cipher, key + nc->key_size); +} + +void - siv_cmac_encrypt_message (struct cmac128_ctx *siv_cmac_ctx, - const void *cmac_cipher_ctx, ++siv_cmac_encrypt_message (const struct cmac128_key *cmac_key, ++ const void *cmac_cipher, + const struct nettle_cipher *nc, - const void *cipher_ctx, ++ const void *ctr_cipher, + size_t nlength, const uint8_t * nonce, + size_t alength, const uint8_t * adata, + size_t clength, uint8_t * dst, const uint8_t * src) +{ + union nettle_block16 siv; + size_t slength; + + assert (clength >= SIV_DIGEST_SIZE); + slength = clength - SIV_DIGEST_SIZE; + + /* create CTR nonce */ - _siv_s2v (nc, siv_cmac_ctx, cmac_cipher_ctx, alength, adata, nlength, nonce, slength, src, siv.b); ++ _siv_s2v (nc, cmac_key, cmac_cipher, alength, adata, nlength, nonce, slength, src, siv.b); + + memcpy (dst, siv.b, SIV_DIGEST_SIZE); + siv.b[8] &= ~0x80; + siv.b[12] &= ~0x80; + - ctr_crypt (cipher_ctx, nc->encrypt, AES_BLOCK_SIZE, siv.b, slength, ++ ctr_crypt (ctr_cipher, nc->encrypt, AES_BLOCK_SIZE, siv.b, slength, + dst + SIV_DIGEST_SIZE, src); +} + +int - siv_cmac_decrypt_message (struct cmac128_ctx *siv_cmac_ctx, - const void *cmac_cipher_ctx, ++siv_cmac_decrypt_message (const struct cmac128_key *cmac_key, ++ const void *cmac_cipher, + const struct nettle_cipher *nc, - const void *cipher_ctx, ++ const void *ctr_cipher, + size_t nlength, const uint8_t * nonce, + size_t alength, const uint8_t * adata, + size_t mlength, uint8_t * dst, const uint8_t * src) +{ + union nettle_block16 siv; + union nettle_block16 ctr; + + memcpy (ctr.b, src, SIV_DIGEST_SIZE); + ctr.b[8] &= ~0x80; + ctr.b[12] &= ~0x80; + - ctr_crypt (cipher_ctx, nc->encrypt, AES_BLOCK_SIZE, ctr.b, ++ ctr_crypt (ctr_cipher, nc->encrypt, AES_BLOCK_SIZE, ctr.b, + mlength, dst, src + SIV_DIGEST_SIZE); + + /* create CTR nonce */ + _siv_s2v (nc, - siv_cmac_ctx, cmac_cipher_ctx, alength, adata, ++ cmac_key, cmac_cipher, alength, adata, + nlength, nonce, mlength, dst, siv.b); + + return memeql_sec (siv.b, src, SIV_DIGEST_SIZE); +} diff --cc siv-cmac.h index 881a59ba,00000000..c631a41e mode 100644,000000..100644 --- a/siv-cmac.h +++ b/siv-cmac.h @@@ -1,134 -1,0 +1,134 @@@ +/* siv-cmac.h + + AES-SIV, RFC5297 + + Copyright (C) 2017 Nikos Mavrogiannopoulos + + This file is part of GNU Nettle. + + GNU Nettle is free software: you can redistribute it and/or + modify it under the terms of either: + + * the GNU Lesser General Public License as published by the Free + Software Foundation; either version 3 of the License, or (at your + option) any later version. + + or + + * the GNU General Public License as published by the Free + Software Foundation; either version 2 of the License, or (at your + option) any later version. + + or both in parallel, as here. + + GNU Nettle is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received copies of the GNU General Public License and + the GNU Lesser General Public License along with this program. If + not, see http://www.gnu.org/licenses/. +*/ + +#ifndef NETTLE_SIV_H_INCLUDED +#define NETTLE_SIV_H_INCLUDED + +#include "nettle-types.h" +#include "nettle-meta.h" +#include "cmac.h" +#include "aes.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/* Name mangling */ +#define siv_cmac_set_key nettle_siv_cmac_set_key +#define siv_cmac_encrypt_message nettle_siv_cmac_encrypt_message +#define siv_cmac_decrypt_message nettle_siv_cmac_decrypt_message +#define siv_cmac_aes128_set_key nettle_siv_cmac_aes128_set_key +#define siv_cmac_aes128_encrypt_message nettle_siv_cmac_aes128_encrypt_message +#define siv_cmac_aes128_decrypt_message nettle_siv_cmac_aes128_decrypt_message +#define siv_cmac_aes256_set_key nettle_siv_cmac_aes256_set_key +#define siv_cmac_aes256_encrypt_message nettle_siv_cmac_aes256_encrypt_message +#define siv_cmac_aes256_decrypt_message nettle_siv_cmac_aes256_decrypt_message + +/* For SIV, the block size of the underlying cipher shall be 128 bits. */ +#define SIV_BLOCK_SIZE 16 +#define SIV_DIGEST_SIZE 16 +#define SIV_MIN_NONCE_SIZE 1 + +void - siv_cmac_set_key(struct cmac128_ctx *siv_cmac_ctx, void *cmac_cipher_ctx, void *cipher_ctx, ++siv_cmac_set_key(struct cmac128_key *cmac_key, void *cmac_cipher, void *ctr_cipher, + const struct nettle_cipher *nc, + const uint8_t *key); + +void - siv_cmac_encrypt_message(struct cmac128_ctx *siv_cmac_ctx, const void *cmac_cipher_ctx, ++siv_cmac_encrypt_message(const struct cmac128_key *cmac_key, const void *cmac_cipher_ctx, + const struct nettle_cipher *nc, - const void *cipher_ctx, ++ const void *ctr_ctx, + size_t nlength, const uint8_t *nonce, + size_t alength, const uint8_t *adata, + size_t clength, uint8_t *dst, const uint8_t *src); + +int - siv_cmac_decrypt_message(struct cmac128_ctx *siv_cmac_ctx, const void *cmac_cipher_ctx, ++siv_cmac_decrypt_message(const struct cmac128_key *cmac_key, const void *cmac_cipher, + const struct nettle_cipher *nc, - const void *cipher_ctx, ++ const void *ctr_cipher, + size_t nlength, const uint8_t *nonce, + size_t alength, const uint8_t *adata, + size_t mlength, uint8_t *dst, const uint8_t *src); + +/* + * SIV mode requires the aad and plaintext when building the IV, which + * prevents streaming processing and it incompatible with the AEAD API. + */ + - #define SIV_CMAC_CTX(type) { struct CMAC128_CTX(type) siv_cmac; type siv_cipher; } ++#define SIV_CMAC_CTX(type) { struct cmac128_key cmac_key; type cmac_cipher; type ctr_cipher; } + +/* SIV_CMAC_AES128 */ +#define SIV_CMAC_AES128_KEY_SIZE 32 + +struct siv_cmac_aes128_ctx SIV_CMAC_CTX(struct aes128_ctx); + +void +siv_cmac_aes128_set_key(struct siv_cmac_aes128_ctx *ctx, const uint8_t *key); + +void - siv_cmac_aes128_encrypt_message(struct siv_cmac_aes128_ctx *ctx, ++siv_cmac_aes128_encrypt_message(const struct siv_cmac_aes128_ctx *ctx, + size_t nlength, const uint8_t *nonce, + size_t alength, const uint8_t *adata, + size_t clength, uint8_t *dst, const uint8_t *src); + +int - siv_cmac_aes128_decrypt_message(struct siv_cmac_aes128_ctx *ctx, ++siv_cmac_aes128_decrypt_message(const struct siv_cmac_aes128_ctx *ctx, + size_t nlength, const uint8_t *nonce, + size_t alength, const uint8_t *adata, + size_t mlength, uint8_t *dst, const uint8_t *src); + +/* SIV_CMAC_AES256 */ +#define SIV_CMAC_AES256_KEY_SIZE 64 + +struct siv_cmac_aes256_ctx SIV_CMAC_CTX(struct aes256_ctx); + +void +siv_cmac_aes256_set_key(struct siv_cmac_aes256_ctx *ctx, const uint8_t *key); + +void - siv_cmac_aes256_encrypt_message(struct siv_cmac_aes256_ctx *ctx, ++siv_cmac_aes256_encrypt_message(const struct siv_cmac_aes256_ctx *ctx, + size_t nlength, const uint8_t *nonce, + size_t alength, const uint8_t *adata, + size_t clength, uint8_t *dst, const uint8_t *src); + +int - siv_cmac_aes256_decrypt_message(struct siv_cmac_aes256_ctx *ctx, ++siv_cmac_aes256_decrypt_message(const struct siv_cmac_aes256_ctx *ctx, + size_t nlength, const uint8_t *nonce, + size_t alength, const uint8_t *adata, + size_t mlength, uint8_t *dst, const uint8_t *src); + +#ifdef __cplusplus +} +#endif + +#endif /* NETTLE_SIV_H_INCLUDED */