/* umac32.c
 */

/* nettle, low-level cryptographics library
 *
 * Copyright (C) 2013 Niels Möller
 *
 * The nettle library is free software; you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation; either version 2.1 of the License, or (at your
 * option) any later version.
 *
 * The nettle library is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public
 * License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with the nettle library; see the file COPYING.LIB.  If not, write to
 * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
 * MA 02111-1301, USA.
 */

#if HAVE_CONFIG_H
# include "config.h"
#endif

#include <assert.h>
#include <string.h>

#include "umac.h"

#include "macros.h"

/* Key the UMAC-32 context CTX from KEY and put it in its initial state.

   The key length is neither passed in nor checked here; KEY must point
   to as many bytes as _umac_set_key reads.  Besides deriving the keys,
   this resets the nonce to all zeros at full width and empties the
   message buffer.  Setting nonce_low to 0 also means the test on
   _UMAC_NONCE_CACHED in umac32_digest fails, so the pad is recomputed
   under the new key rather than taken from a stale cache. */
void
umac32_set_key (struct umac32_ctx *ctx, const uint8_t *key)
{
  /* Fills the layer-1/2/3 keys and the AES key used for pad derivation.
     NOTE(review): the trailing 1 is presumably the number of hash
     instances needed for a 32-bit tag -- confirm in _umac_set_key. */
  _umac_set_key (ctx->l1_key, ctx->l2_key, ctx->l3_key1, ctx->l3_key2,
                 &ctx->pdf_key, key, 1);

  /* Fresh key: start from a zero nonce occupying the whole nonce array. */
  ctx->nonce_length = sizeof(ctx->nonce);
  ctx->nonce_low = 0;
  memset (ctx->nonce, 0, sizeof(ctx->nonce));

  /* No blocks hashed yet and nothing buffered. */
  ctx->index = 0;
  ctx->count = 0;
}

/* Install a NONCE_LENGTH-byte nonce in CTX, zero-padded to
   AES_BLOCK_SIZE.

   The two low bits of the last nonce byte are moved into ctx->nonce_low
   and cleared in the stored copy; umac32_digest uses them to pick one
   32-bit word of the cached AES output.  Because nonce_low is assigned
   a value in 0..3, the _UMAC_NONCE_CACHED flag is left clear as well
   (assuming that flag lies above the two low bits -- confirm in
   umac.h), so the pad is recomputed for the new nonce.

   The length bounds are enforced only by assert.  In a build with
   NDEBUG the checks disappear: a zero length would then index before
   the start of ctx->nonce, and a length above AES_BLOCK_SIZE would make
   the memcpy write past the AES_BLOCK_SIZE bytes this function treats
   as the nonce buffer.  Callers handling untrusted lengths must
   validate them first.

   The pad is derived from the nonce alone under the context's pdf_key,
   so installing a nonce that was already used with the same key
   reproduces the same pad. */
void
umac32_set_nonce (struct umac32_ctx *ctx,
                  unsigned nonce_length, const uint8_t *nonce)
{
  unsigned last;

  assert (nonce_length > 0);
  assert (nonce_length <= AES_BLOCK_SIZE);

  /* Copy the caller's bytes, then zero whatever is left of the block. */
  memcpy (ctx->nonce, nonce, nonce_length);
  memset (ctx->nonce + nonce_length, 0, AES_BLOCK_SIZE - nonce_length);

  /* Split the low two bits of the final byte off into nonce_low. */
  last = nonce_length - 1;
  ctx->nonce_low = ctx->nonce[last] & 3;
  ctx->nonce[last] &= ~3;

  ctx->nonce_length = nonce_length;
}

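/* Process one complete UMAC_BLOCK_SIZE-byte block: hash it with
   _umac_nh under the layer-1 key, add the block length in bits
   (8 * UMAC_BLOCK_SIZE), and hand the 64-bit result to _umac_l2 together
   with the running block counter, which is post-incremented.

   Used as the per-block callback given to MD_UPDATE.  CTX is expanded
   several times, so it must be an expression without side effects; both
   arguments are parenthesized so that any expression can be passed.  The
   temporary deliberately avoids a double-underscore name, which C
   reserves for the implementation. */
#define UMAC32_BLOCK(ctx, block) do {					\
    uint64_t umac32_block_y						\
      = _umac_nh ((ctx)->l1_key, UMAC_BLOCK_SIZE, (block))		\
      + 8*UMAC_BLOCK_SIZE ;						\
    _umac_l2 ((ctx)->l2_key, (ctx)->l2_state, 1, (ctx)->count++,	\
	      &umac32_block_y);						\
  } while (0)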

/* Absorb LENGTH bytes of DATA into the running UMAC-32 computation.

   All of the work is done by MD_UPDATE from macros.h, whose expansion is
   not visible in this file.  Presumably it buffers partial input in
   ctx->block, tracks the fill level in ctx->index and runs UMAC32_BLOCK
   on every complete block -- confirm against macros.h.  The last
   argument, (void)0, is an expression that does nothing.

   No bound on LENGTH is checked here; DATA must be readable for LENGTH
   bytes. */
void
umac32_update (struct umac32_ctx *ctx,
	       unsigned length, const uint8_t *data)
{
  MD_UPDATE (ctx, length, data, UMAC32_BLOCK, (void)0);
}


/* Finish the current message and write the first LENGTH bytes of the
   32-bit tag to DIGEST.

   Steps, in order:
     1. If input is buffered, or no block was hashed at all, zero-pad
        the buffer to a multiple of 32 bytes and run it through
        _umac_nh / _umac_l2 with the unpadded length in bits added.
     2. Unless the pad for the current nonce is already cached, encrypt
        the nonce with pdf_key into pad_cache and mark it cached.
     3. Take the 32-bit pad word selected by the low two bits of
        nonce_low.
     4. Advance the nonce by one for the next message.
     5. Finalize layer 2, combine the layer-3 output with l3_key2[0]
        and the pad, and copy LENGTH bytes of the result out.
     6. Reset count and index so the context can take a new message.

   LENGTH must be 1..4, but that is enforced only by assert.  In a build
   with NDEBUG the check disappears, and a larger LENGTH makes the final
   memcpy read beyond the 4-byte tag variable and write that many bytes
   to DIGEST.  Callers passing an externally supplied length must
   validate it first.

   Since the nonce is advanced here, consecutive messages get distinct
   pads without a call to umac32_set_nonce. */
void
umac32_digest (struct umac32_ctx *ctx,
               unsigned length, uint8_t *digest)
{
  uint32_t tag;

  assert (length > 0);
  assert (length <= 4);

  if (ctx->index > 0 || ctx->count == 0)
    {
      /* Zero pad to multiple of 32.  A completely empty message is
         hashed as one all-zero 32-byte chunk of length 0. */
      uint64_t y;
      unsigned fill;

      if (ctx->index > 0)
        fill = 31 & - ctx->index;
      else
        fill = 32;

      memset (ctx->block + ctx->index, 0, fill);

      /* The length term counts only the real data, not the padding. */
      y = _umac_nh (ctx->l1_key, ctx->index + fill, ctx->block)
        + 8 * ctx->index;
      _umac_l2 (ctx->l2_key, ctx->l2_state, 1, ctx->count++, &y);
    }
  assert (ctx->count > 0);

  if ((ctx->nonce_low & _UMAC_NONCE_CACHED) == 0)
    {
      /* One AES call fills pad_cache; it is reused until the flag is
         cleared again. */
      aes_encrypt (&ctx->pdf_key, AES_BLOCK_SIZE,
                   (uint8_t *) ctx->pad_cache, ctx->nonce);
      ctx->nonce_low |= _UMAC_NONCE_CACHED;
    }

  /* Pick the pad word for this message before the nonce moves on. */
  tag = ctx->pad_cache[ctx->nonce_low & 3];

  /* Increment nonce */
  ctx->nonce_low++;
  if ((ctx->nonce_low & 3) == 0)
    {
      /* The two low bits wrapped: clear nonce_low (which also drops the
         cached flag) and carry into the stored nonce, whose last byte
         keeps its two low bits at zero. */
      unsigned last = ctx->nonce_length - 1;

      ctx->nonce_low = 0;
      ctx->nonce[last] += 4;

      if (ctx->nonce[last] == 0 && last > 0)
        INCREMENT (last, ctx->nonce);
    }

  _umac_l2_final (ctx->l2_key, ctx->l2_state, 1, ctx->count);
  tag ^= ctx->l3_key2[0] ^ _umac_l3 (ctx->l3_key1, ctx->l2_state);
  memcpy (digest, &tag, length);

  /* Reinitialize */
  ctx->index = 0;
  ctx->count = 0;
}