--- /dev/null
+/* -*-c-*-
+ *
+ * The PMAC1 message authentication mode
+ *
+ * (c) 2018 Straylight/Edgeware
+ */
+
+/*----- Licensing notice --------------------------------------------------*
+ *
+ * This file is part of Catacomb.
+ *
+ * Catacomb is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU Library General Public License as published
+ * by the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * Catacomb is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Library General Public License for more details.
+ *
+ * You should have received a copy of the GNU Library General Public
+ * License along with Catacomb. If not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
+ * USA.
+ */
+
+#ifndef CATACOMB_PMAC1_DEF_H
+#define CATACOMB_PMAC1_DEF_H
+
+#ifdef __cplusplus
+ extern "C" {
+#endif
+
+/*----- Header files ------------------------------------------------------*/
+
+#include <stddef.h>
+
+#include <mLib/bits.h>
+#include <mLib/sub.h>
+
+#ifndef CATACOMB_ARENA_H
+# include "arena.h"
+#endif
+
+#ifndef CATACOMB_BLKC_H
+# include "blkc.h"
+#endif
+
+#ifndef CATACOMB_PARANOIA_H
+# include "paranoia.h"
+#endif
+
+#ifndef CATACOMB_RSVR_H
+# include "rsvr.h"
+#endif
+
+/*----- Macros ------------------------------------------------------------*/
+
+/* --- @PMAC1_DEF@ --- *
+ *
+ * Arguments: @PRE@, @pre@ = prefixes for the underlying block cipher
+ *
+ * Use: Creates an implementation for the PMAC1 message-
+ * authentication mode.
+ */
+
+#define PMAC1_DEF(PRE, pre) PMAC1_DEFX(PRE, pre, #pre, #pre)
+
+#define PMAC1_DEFX(PRE, pre, name, fname) \
+ \
+OCB1_DECL(PRE, pre) \
+ \
+const rsvr_policy pre##_ocb1policy = \
+ { RSVRF_FULL, PRE##_BLKSZ, PRE##_BLKSZ }; \
+ \
+/* --- @pre_ocb1setkey@, @pre_pmac1setkey@ --- * \
+ * \
+ * Arguments: @pre_ocb1key *key@ = pointer to OCB1/PMAC1 key block \
+ * @ocnst void *k@ = pointer to key material \
+ * @size_t ksz@ = size of key material \
+ * \
+ * Returns: --- \
+ * \
+ * Use: Initializes a OCB1/PMAC1 key. This can be used for \
+ * several encryption and/or MAC operations. \
+ */ \
+ \
+void pre##_ocb1setkey(pre##_ocb1key *key, const void *k, size_t ksz) \
+{ \
+ unsigned i; \
+ \
+ pre##_init(&key->ctx, k, ksz); \
+ BLKC_ZERO(PRE, key->lmask[0]); \
+ pre##_eblk(&key->ctx, key->lmask[0], key->lmask[0]); \
+ BLKC_BRSHIFT(PRE, IRRED, key->lxinv, key->lmask[0]); \
+ for (i = 1; i < OCB_NCALC; i++) \
+ BLKC_BLSHIFT(PRE, IRRED, key->lmask[i], key->lmask[i - 1]); \
+} \
+void pre##_pmac1setkey(pre##_pmac1key *key, const void *k, size_t ksz) \
+ { pre##_ocb1setkey((pre##_ocb1key *)key, k, ksz); } \
+ \
+/* --- @pre_ocb1aadinit@, @pre_pmac1init --- * \
+ * \
+ * Arguments: @pre_ocb1aadctx *aad@ = pointer to context block \
+ * @pre_ocb1key *k@ = key block \
+ * \
+ * Returns: --- \
+ * \
+ * Use: Initializes an OCB1 AAD (`additional authenticated \
+ * data') or PMAC1 context associated witha a given key. \
+ * AAD contexts can be copied and/or reused, saving time \
+ * if the AAD for a number of messages has a common \
+ * prefix. \
+ * \
+ * The @key@ doesn't need to be kept around. \
+ */ \
+ \
+void pre##_ocb1aadinit(pre##_ocb1aadctx *aad, const pre##_ocb1key *k) \
+{ \
+ aad->k = *k; \
+ aad->off = 0; aad->i = 1; \
+ BLKC_ZERO(PRE, aad->a); \
+ BLKC_ZERO(PRE, aad->o); \
+} \
+void pre##_pmac1init(pre##_pmac1ctx *ctx, const pre##_pmac1key *k) \
+ { pre##_ocb1aadinit((pre##_ocb1aadctx *)ctx, (pre##_ocb1key *)k); } \
+ \
+/* --- @pre_ocb1aadhash@, @pre_pmac1hash@ --- * \
+ * \
+ * Arguments: @pre_ocb1aadctx *aad@ = pointer to context block \
+ * @ocnst void *p@ = pointer to message buffer \
+ * @size_t sz@ = size of message buffer \
+ * \
+ * Returns: --- \
+ * \
+ * Use: Hashes some AAD input data. \
+ */ \
+ \
+void pre##_ocb1aadhash(pre##_ocb1aadctx *aad, const void *p, size_t sz) \
+{ \
+ rsvr_state st; \
+ uint32 t[PRE##_BLKSZ/4]; \
+ const octet *q; \
+ \
+ rsvr_setup(&st, &pre##_ocb1policy, aad->b, &aad->off, p, sz); \
+ RSVR_DO(&st) while ((q = RSVR_NEXT(&st, PRE##_BLKSZ)) != 0) { \
+ OCB_OFFSET(PRE, aad->o, aad->k.lmask, aad->i++); \
+ BLKC_LOAD(PRE, t, q); BLKC_XMOVE(PRE, t, aad->o); \
+ pre##_eblk(&aad->k.ctx, t, t); \
+ BLKC_XMOVE(PRE, aad->a, t); \
+ } \
+} \
+void pre##_pmac1hash(pre##_pmac1ctx *ctx, const void *p, size_t sz) \
+ { pre##_ocb1aadhash((pre##_ocb1aadctx *)ctx, p, sz); } \
+ \
+/* --- @pre_ocb1aadtag@ --- * \
+ * \
+ * Arguments: @const pre_ocb1aadctx *aad@ = pointer to context block \
+ * @uint32 *u@ = where to write the tag \
+ * \
+ * Returns: --- \
+ * \
+ * Use: Finishes processing AAD and produces a tag which can be \
+ * mixed with an OCB1 checksum. This function is exposed \
+ * for internal reasons and is not expected to be \
+ * generally useful. \
+ */ \
+ \
+void pre##_ocb1aadtag(const pre##_ocb1aadctx *aad, uint32 *t) \
+{ \
+ octet b[PRE##_BLKSZ]; \
+ \
+ BLKC_MOVE(PRE, t, aad->a); \
+ if (aad->off == PRE##_BLKSZ) { \
+ BLKC_XLOAD(PRE, t, aad->b); \
+ BLKC_XMOVE(PRE, t, aad->k.lxinv); \
+ } else { \
+ memcpy(b, aad->b, aad->off); b[aad->off] = 0x80; \
+ memset(b + aad->off + 1, 0, PRE##_BLKSZ - aad->off - 1); \
+ BLKC_XLOAD(PRE, t, b); \
+ } \
+ pre##_eblk(&aad->k.ctx, t, t); \
+} \
+ \
+/* --- @pre_pmac1done@ --- * \
+ * \
+ * Arguments: @pre_pmac1ctx *ctx@ = pointer to context block \
+ * @void *t@ = where to write the tag \
+ * \
+ * Returns: --- \
+ * \
+ * Use: Finishes a MAC operation and produces the tag. The \
+ * context is clobbered and can't be used for anything \
+ * useful any more. \
+ */ \
+ \
+void pre##_pmac1done(pre##_pmac1ctx *ctx, void *t) \
+{ \
+ uint32 u[PRE##_BLKSZ]; \
+ pre##_ocb1aadtag((pre##_ocb1aadctx *)ctx, u); BLKC_STORE(PRE, t, u); \
+} \
+ \
+/* --- Generic MAC interface --- */ \
+ \
+static const gmac_ops gkops; \
+static const ghash_ops gops; \
+ \
+typedef struct gkctx { \
+ gmac m; \
+ pre##_pmac1key k; \
+} gkctx; \
+ \
+typedef struct gctx { \
+ ghash h; \
+ pre##_pmac1ctx c; \
+ octet buf[PRE##_BLKSZ]; \
+} gctx; \
+ \
+static ghash *gkinit(gmac *m) \
+{ \
+ gkctx *gk = (gkctx *)m; \
+ gctx *g = S_CREATE(gctx); \
+ g->h.ops = &gops; \
+ pre##_pmac1init(&g->c, &gk->k); \
+ return (&g->h); \
+} \
+ \
+static gmac *gkey(const void *k, size_t sz) \
+{ \
+ gkctx *gk = S_CREATE(gkctx); \
+ gk->m.ops = &gkops; \
+ pre##_pmac1setkey(&gk->k, k, sz); \
+ return (&gk->m); \
+} \
+ \
+static void ghhash(ghash *h, const void *p, size_t sz) \
+ { gctx *g = (gctx *)h; pre##_pmac1hash(&g->c, p, sz); } \
+ \
+static octet *ghdone(ghash *h, void *buf) \
+{ \
+ gctx *g = (gctx *)h; \
+ if (!buf) buf = g->buf; \
+ pre##_pmac1done(&g->c, buf); \
+ return (buf); \
+} \
+ \
+static ghash *ghcopy(ghash *h) \
+{ \
+ gctx *g = (gctx *)h; \
+ gctx *gg = S_CREATE(gctx); \
+ memcpy(gg, g, sizeof(gctx)); \
+ return (&gg->h); \
+} \
+ \
+static void ghdestroy(ghash *h) \
+ { gctx *g = (gctx *)h; BURN(*g); S_DESTROY(g); } \
+ \
+static void gkdestroy(gmac *m) \
+ { gkctx *gk = (gkctx *)m; BURN(*gk); S_DESTROY(gk); } \
+ \
+static ghash *ghinit(void) \
+{ \
+ assert(((void)"Attempt to instantiate an unkeyed MAC", 0)); \
+ return (0); \
+} \
+ \
+const gcmac pre##_pmac1 = \
+ { name "-pmac1", PRE##_BLKSZ, pre##_keysz, gkey }; \
+static const gmac_ops gkops = { &pre##_pmac1, gkinit, gkdestroy }; \
+static const gchash gch = { name "-pmac1", PRE##_BLKSZ, ghinit }; \
+static const ghash_ops gops = \
+ { &gch, ghhash, ghdone, ghdestroy, ghcopy }; \
+ \
+PMAC1_TESTX(PRE, pre, name, fname)
+
+#define PMAC1_TEST(PRE, pre) HMAC_TESTX(PRE, pre, #pre, #pre)
+
+/* --- @PMAC1_TEST@ --- *
+ *
+ * Arguments: @PRE@, @pre@ = prefixes for the underlying block cipher
+ *
+ * Use: Standard test rig for PMAC1 functions.
+ */
+
+#ifdef TEST_RIG
+
+#include <stdio.h>
+
+#include <mLib/dstr.h>
+#include <mLib/quis.h>
+#include <mLib/testrig.h>
+
+#define PMAC1_TESTX(PRE, pre, name, fname) \
+ \
+static int macverify(dstr *v) \
+{ \
+ pre##_pmac1ctx cctx; \
+ pre##_pmac1key ckey; \
+ int ok = 1; \
+ int i; \
+ octet *p; \
+ int szs[] = { 1, 7, 192, -1, 0 }, *ip; \
+ size_t csz; \
+ dstr d; \
+ \
+ dstr_create(&d); \
+ dstr_ensure(&d, PRE##_BLKSZ); \
+ d.len = PRE##_BLKSZ; \
+ \
+ pre##_pmac1setkey(&ckey, v[0].buf, v[0].len); \
+ \
+ for (ip = szs; *ip; ip++) { \
+ i = *ip; \
+ csz = v[1].len; \
+ if (i == -1) \
+ i = csz; \
+ if (i > csz) \
+ continue; \
+ p = (octet *)v[1].buf; \
+ pre##_pmac1init(&cctx, &ckey); \
+ while (csz) { \
+ if (i > csz) \
+ i = csz; \
+ pre##_pmac1hash(&cctx, p, i); \
+ p += i; \
+ csz -= i; \
+ } \
+ pre##_pmac1done(&cctx, d.buf); \
+ if (memcmp(d.buf, v[2].buf, PRE##_BLKSZ) != 0) { \
+ printf("\nfail:\n\tstep = %i\n\tkey = ", *ip); \
+ type_hex.dump(&v[0], stdout); \
+ fputs("\n\tinput = ", stdout); \
+ type_hex.dump(&v[1], stdout); \
+ fputs("\n\texpected = ", stdout); \
+ type_hex.dump(&v[2], stdout); \
+ fputs("\n\tcomputed = ", stdout); \
+ type_hex.dump(&d, stdout); \
+ putchar('\n'); \
+ ok = 0; \
+ } \
+ } \
+ \
+ dstr_destroy(&d); \
+ return (ok); \
+} \
+ \
+static test_chunk macdefs[] = { \
+ { name "-pmac1", macverify, \
+ { &type_hex, &type_hex, &type_hex, 0 } }, \
+ { 0, 0, { 0 } } \
+}; \
+ \
+int main(int argc, char *argv[]) \
+{ \
+ ego(argv[0]); \
+ test_run(argc, argv, macdefs, SRCDIR"/t/" fname); \
+ return (0); \
+}
+
+#else
+# define PMAC1_TESTX(PRE, pre, name, fname)
+#endif
+
+/*----- That's all, folks -------------------------------------------------*/
+
+#ifdef __cplusplus
+ }
+#endif
+
+#endif