umac96.c 3.19 KB
Newer Older
Niels Möller's avatar
Niels Möller committed
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
/* umac96.c
 */

/* nettle, low-level cryptographics library
 *
 * Copyright (C) 2013 Niels Möller
 *
 * The nettle library is free software; you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation; either version 2.1 of the License, or (at your
 * option) any later version.
 *
 * The nettle library is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public
 * License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with the nettle library; see the file COPYING.LIB.  If not, write to
 * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
 * MA 02111-1301, USA.
 */

#if HAVE_CONFIG_H
# include "config.h"
#endif

#include <assert.h>
#include <string.h>

#include "umac.h"

#include "macros.h"

void
umac96_set_key (struct umac96_ctx *ctx, const uint8_t *key)
{
  _umac_set_key (ctx->l1_key, ctx->l2_key, ctx->l3_key1, ctx->l3_key2,
		 &ctx->pdf_key, key, 3);

  /* Clear nonce */
  memset (ctx->nonce, 0, sizeof(ctx->nonce));
  ctx->nonce_length = sizeof(ctx->nonce);

  /* Initialize buffer */
  ctx->count = ctx->index = 0;
}

void
umac96_set_nonce (struct umac96_ctx *ctx,
		  unsigned nonce_length, const uint8_t *nonce)
{
  assert (nonce_length > 0);
  assert (nonce_length <= AES_BLOCK_SIZE);

  memcpy (ctx->nonce, nonce, nonce_length);
  memset (ctx->nonce + nonce_length, 0, AES_BLOCK_SIZE - nonce_length);

  ctx->nonce_length = nonce_length;
}

#define UMAC96_BLOCK(ctx, block) do {					\
    uint64_t __umac96_y[3];						\
    _umac_nh_n (__umac96_y, 3, ctx->l1_key, UMAC_BLOCK_SIZE, block);	\
    __umac96_y[0] += 8*UMAC_BLOCK_SIZE;					\
    __umac96_y[1] += 8*UMAC_BLOCK_SIZE;					\
    __umac96_y[2] += 8*UMAC_BLOCK_SIZE;					\
68
    _umac_l2 (ctx->l2_key, ctx->l2_state, 3, ctx->count++, __umac96_y);	\
Niels Möller's avatar
Niels Möller committed
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
  } while (0)

void
umac96_update (struct umac96_ctx *ctx,
	       unsigned length, const uint8_t *data)
{
  MD_UPDATE (ctx, length, data, UMAC96_BLOCK, (void)0);
}


void
umac96_digest (struct umac96_ctx *ctx,
	       unsigned length, uint8_t *digest)
{
  uint32_t tag[4];
  unsigned i;

  assert (length > 0);
  assert (length <= 12);

  if (ctx->index > 0 || ctx->count == 0)
    {
      /* Zero pad to multiple of 32 */
      uint64_t y[3];
      unsigned pad = (ctx->index > 0) ? 31 & - ctx->index : 32;
      memset (ctx->block + ctx->index, 0, pad);

      _umac_nh_n (y, 3, ctx->l1_key, ctx->index + pad, ctx->block);
      y[0] += 8 * ctx->index;
      y[1] += 8 * ctx->index;
      y[2] += 8 * ctx->index;
100
      _umac_l2 (ctx->l2_key, ctx->l2_state, 3, ctx->count++, y);
Niels Möller's avatar
Niels Möller committed
101
102
103
104
105
106
    }
  assert (ctx->count > 0);

  aes_encrypt (&ctx->pdf_key, AES_BLOCK_SIZE,
	       (uint8_t *) tag, ctx->nonce);

Niels Möller's avatar
Niels Möller committed
107
  INCREMENT (ctx->nonce_length, ctx->nonce);
Niels Möller's avatar
Niels Möller committed
108

109
  _umac_l2_final (ctx->l2_key, ctx->l2_state, 3, ctx->count);
Niels Möller's avatar
Niels Möller committed
110
  for (i = 0; i < 3; i++)
111
112
    tag[i] ^= ctx->l3_key2[i] ^ _umac_l3 (ctx->l3_key1 + 8*i,
					  ctx->l2_state + 2*i);
Niels Möller's avatar
Niels Möller committed
113
114
115
116
117
118

  memcpy (digest, tag, length);

  /* Reinitialize */
  ctx->count = ctx->index = 0;
}