summaryrefslogtreecommitdiff
path: root/umac.c
diff options
context:
space:
mode:
Diffstat (limited to 'umac.c')
-rw-r--r--umac.c194
1 files changed, 97 insertions, 97 deletions
diff --git a/umac.c b/umac.c
index 9f2187c9a..eab831072 100644
--- a/umac.c
+++ b/umac.c
@@ -1,6 +1,6 @@
1/* $OpenBSD: umac.c,v 1.12 2017/05/31 08:09:45 markus Exp $ */ 1/* $OpenBSD: umac.c,v 1.16 2017/12/12 15:06:12 naddy Exp $ */
2/* ----------------------------------------------------------------------- 2/* -----------------------------------------------------------------------
3 * 3 *
4 * umac.c -- C Implementation UMAC Message Authentication 4 * umac.c -- C Implementation UMAC Message Authentication
5 * 5 *
6 * Version 0.93b of rfc4418.txt -- 2006 July 18 6 * Version 0.93b of rfc4418.txt -- 2006 July 18
@@ -10,7 +10,7 @@
10 * Please report bugs and suggestions to the UMAC webpage. 10 * Please report bugs and suggestions to the UMAC webpage.
11 * 11 *
12 * Copyright (c) 1999-2006 Ted Krovetz 12 * Copyright (c) 1999-2006 Ted Krovetz
13 * 13 *
14 * Permission to use, copy, modify, and distribute this software and 14 * Permission to use, copy, modify, and distribute this software and
15 * its documentation for any purpose and with or without fee, is hereby 15 * its documentation for any purpose and with or without fee, is hereby
16 * granted provided that the above copyright notice appears in all copies 16 * granted provided that the above copyright notice appears in all copies
@@ -18,10 +18,10 @@
18 * holder not be used in advertising or publicity pertaining to 18 * holder not be used in advertising or publicity pertaining to
19 * distribution of the software without specific, written prior permission. 19 * distribution of the software without specific, written prior permission.
20 * 20 *
21 * Comments should be directed to Ted Krovetz (tdk@acm.org) 21 * Comments should be directed to Ted Krovetz (tdk@acm.org)
22 * 22 *
23 * ---------------------------------------------------------------------- */ 23 * ---------------------------------------------------------------------- */
24 24
25 /* ////////////////////// IMPORTANT NOTES ///////////////////////////////// 25 /* ////////////////////// IMPORTANT NOTES /////////////////////////////////
26 * 26 *
27 * 1) This version does not work properly on messages larger than 16MB 27 * 1) This version does not work properly on messages larger than 16MB
@@ -47,7 +47,7 @@
47 * produced under gcc with optimizations set -O3 or higher. Dunno why. 47 * produced under gcc with optimizations set -O3 or higher. Dunno why.
48 * 48 *
49 /////////////////////////////////////////////////////////////////////// */ 49 /////////////////////////////////////////////////////////////////////// */
50 50
51/* ---------------------------------------------------------------------- */ 51/* ---------------------------------------------------------------------- */
52/* --- User Switches ---------------------------------------------------- */ 52/* --- User Switches ---------------------------------------------------- */
53/* ---------------------------------------------------------------------- */ 53/* ---------------------------------------------------------------------- */
@@ -187,11 +187,11 @@ static void kdf(void *bufp, aes_int_key key, UINT8 ndx, int nbytes)
187 UINT8 out_buf[AES_BLOCK_LEN]; 187 UINT8 out_buf[AES_BLOCK_LEN];
188 UINT8 *dst_buf = (UINT8 *)bufp; 188 UINT8 *dst_buf = (UINT8 *)bufp;
189 int i; 189 int i;
190 190
191 /* Setup the initial value */ 191 /* Setup the initial value */
192 in_buf[AES_BLOCK_LEN-9] = ndx; 192 in_buf[AES_BLOCK_LEN-9] = ndx;
193 in_buf[AES_BLOCK_LEN-1] = i = 1; 193 in_buf[AES_BLOCK_LEN-1] = i = 1;
194 194
195 while (nbytes >= AES_BLOCK_LEN) { 195 while (nbytes >= AES_BLOCK_LEN) {
196 aes_encryption(in_buf, out_buf, key); 196 aes_encryption(in_buf, out_buf, key);
197 memcpy(dst_buf,out_buf,AES_BLOCK_LEN); 197 memcpy(dst_buf,out_buf,AES_BLOCK_LEN);
@@ -208,7 +208,7 @@ static void kdf(void *bufp, aes_int_key key, UINT8 ndx, int nbytes)
208} 208}
209 209
210/* The final UHASH result is XOR'd with the output of a pseudorandom 210/* The final UHASH result is XOR'd with the output of a pseudorandom
211 * function. Here, we use AES to generate random output and 211 * function. Here, we use AES to generate random output and
212 * xor the appropriate bytes depending on the last bits of nonce. 212 * xor the appropriate bytes depending on the last bits of nonce.
213 * This scheme is optimized for sequential, increasing big-endian nonces. 213 * This scheme is optimized for sequential, increasing big-endian nonces.
214 */ 214 */
@@ -222,10 +222,10 @@ typedef struct {
222static void pdf_init(pdf_ctx *pc, aes_int_key prf_key) 222static void pdf_init(pdf_ctx *pc, aes_int_key prf_key)
223{ 223{
224 UINT8 buf[UMAC_KEY_LEN]; 224 UINT8 buf[UMAC_KEY_LEN];
225 225
226 kdf(buf, prf_key, 0, UMAC_KEY_LEN); 226 kdf(buf, prf_key, 0, UMAC_KEY_LEN);
227 aes_key_setup(buf, pc->prf_key); 227 aes_key_setup(buf, pc->prf_key);
228 228
229 /* Initialize pdf and cache */ 229 /* Initialize pdf and cache */
230 memset(pc->nonce, 0, sizeof(pc->nonce)); 230 memset(pc->nonce, 0, sizeof(pc->nonce));
231 aes_encryption(pc->nonce, pc->cache, pc->prf_key); 231 aes_encryption(pc->nonce, pc->cache, pc->prf_key);
@@ -238,7 +238,7 @@ static void pdf_gen_xor(pdf_ctx *pc, const UINT8 nonce[8], UINT8 buf[8])
238 * of the AES output. If last time around we returned the ndx-1st 238 * of the AES output. If last time around we returned the ndx-1st
239 * element, then we may have the result in the cache already. 239 * element, then we may have the result in the cache already.
240 */ 240 */
241 241
242#if (UMAC_OUTPUT_LEN == 4) 242#if (UMAC_OUTPUT_LEN == 4)
243#define LOW_BIT_MASK 3 243#define LOW_BIT_MASK 3
244#elif (UMAC_OUTPUT_LEN == 8) 244#elif (UMAC_OUTPUT_LEN == 8)
@@ -255,7 +255,7 @@ static void pdf_gen_xor(pdf_ctx *pc, const UINT8 nonce[8], UINT8 buf[8])
255#endif 255#endif
256 *(UINT32 *)t.tmp_nonce_lo = ((const UINT32 *)nonce)[1]; 256 *(UINT32 *)t.tmp_nonce_lo = ((const UINT32 *)nonce)[1];
257 t.tmp_nonce_lo[3] &= ~LOW_BIT_MASK; /* zero last bit */ 257 t.tmp_nonce_lo[3] &= ~LOW_BIT_MASK; /* zero last bit */
258 258
259 if ( (((UINT32 *)t.tmp_nonce_lo)[0] != ((UINT32 *)pc->nonce)[1]) || 259 if ( (((UINT32 *)t.tmp_nonce_lo)[0] != ((UINT32 *)pc->nonce)[1]) ||
260 (((const UINT32 *)nonce)[0] != ((UINT32 *)pc->nonce)[0]) ) 260 (((const UINT32 *)nonce)[0] != ((UINT32 *)pc->nonce)[0]) )
261 { 261 {
@@ -263,7 +263,7 @@ static void pdf_gen_xor(pdf_ctx *pc, const UINT8 nonce[8], UINT8 buf[8])
263 ((UINT32 *)pc->nonce)[1] = ((UINT32 *)t.tmp_nonce_lo)[0]; 263 ((UINT32 *)pc->nonce)[1] = ((UINT32 *)t.tmp_nonce_lo)[0];
264 aes_encryption(pc->nonce, pc->cache, pc->prf_key); 264 aes_encryption(pc->nonce, pc->cache, pc->prf_key);
265 } 265 }
266 266
267#if (UMAC_OUTPUT_LEN == 4) 267#if (UMAC_OUTPUT_LEN == 4)
268 *((UINT32 *)buf) ^= ((UINT32 *)pc->cache)[ndx]; 268 *((UINT32 *)buf) ^= ((UINT32 *)pc->cache)[ndx];
269#elif (UMAC_OUTPUT_LEN == 8) 269#elif (UMAC_OUTPUT_LEN == 8)
@@ -284,28 +284,28 @@ static void pdf_gen_xor(pdf_ctx *pc, const UINT8 nonce[8], UINT8 buf[8])
284/* ---------------------------------------------------------------------- */ 284/* ---------------------------------------------------------------------- */
285 285
286/* The NH-based hash functions used in UMAC are described in the UMAC paper 286/* The NH-based hash functions used in UMAC are described in the UMAC paper
287 * and specification, both of which can be found at the UMAC website. 287 * and specification, both of which can be found at the UMAC website.
288 * The interface to this implementation has two 288 * The interface to this implementation has two
289 * versions, one expects the entire message being hashed to be passed 289 * versions, one expects the entire message being hashed to be passed
290 * in a single buffer and returns the hash result immediately. The second 290 * in a single buffer and returns the hash result immediately. The second
291 * allows the message to be passed in a sequence of buffers. In the 291 * allows the message to be passed in a sequence of buffers. In the
292 * muliple-buffer interface, the client calls the routine nh_update() as 292 * muliple-buffer interface, the client calls the routine nh_update() as
293 * many times as necessary. When there is no more data to be fed to the 293 * many times as necessary. When there is no more data to be fed to the
294 * hash, the client calls nh_final() which calculates the hash output. 294 * hash, the client calls nh_final() which calculates the hash output.
295 * Before beginning another hash calculation the nh_reset() routine 295 * Before beginning another hash calculation the nh_reset() routine
296 * must be called. The single-buffer routine, nh(), is equivalent to 296 * must be called. The single-buffer routine, nh(), is equivalent to
297 * the sequence of calls nh_update() and nh_final(); however it is 297 * the sequence of calls nh_update() and nh_final(); however it is
298 * optimized and should be prefered whenever the multiple-buffer interface 298 * optimized and should be prefered whenever the multiple-buffer interface
299 * is not necessary. When using either interface, it is the client's 299 * is not necessary. When using either interface, it is the client's
300 * responsability to pass no more than L1_KEY_LEN bytes per hash result. 300 * responsability to pass no more than L1_KEY_LEN bytes per hash result.
301 * 301 *
302 * The routine nh_init() initializes the nh_ctx data structure and 302 * The routine nh_init() initializes the nh_ctx data structure and
303 * must be called once, before any other PDF routine. 303 * must be called once, before any other PDF routine.
304 */ 304 */
305 305
306 /* The "nh_aux" routines do the actual NH hashing work. They 306 /* The "nh_aux" routines do the actual NH hashing work. They
307 * expect buffers to be multiples of L1_PAD_BOUNDARY. These routines 307 * expect buffers to be multiples of L1_PAD_BOUNDARY. These routines
308 * produce output for all STREAMS NH iterations in one call, 308 * produce output for all STREAMS NH iterations in one call,
309 * allowing the parallel implementation of the streams. 309 * allowing the parallel implementation of the streams.
310 */ 310 */
311 311
@@ -328,10 +328,10 @@ typedef struct {
328#if (UMAC_OUTPUT_LEN == 4) 328#if (UMAC_OUTPUT_LEN == 4)
329 329
330static void nh_aux(void *kp, const void *dp, void *hp, UINT32 dlen) 330static void nh_aux(void *kp, const void *dp, void *hp, UINT32 dlen)
331/* NH hashing primitive. Previous (partial) hash result is loaded and 331/* NH hashing primitive. Previous (partial) hash result is loaded and
332* then stored via hp pointer. The length of the data pointed at by "dp", 332* then stored via hp pointer. The length of the data pointed at by "dp",
333* "dlen", is guaranteed to be divisible by L1_PAD_BOUNDARY (32). Key 333* "dlen", is guaranteed to be divisible by L1_PAD_BOUNDARY (32). Key
334* is expected to be endian compensated in memory at key setup. 334* is expected to be endian compensated in memory at key setup.
335*/ 335*/
336{ 336{
337 UINT64 h; 337 UINT64 h;
@@ -340,7 +340,7 @@ static void nh_aux(void *kp, const void *dp, void *hp, UINT32 dlen)
340 const UINT32 *d = (const UINT32 *)dp; 340 const UINT32 *d = (const UINT32 *)dp;
341 UINT32 d0,d1,d2,d3,d4,d5,d6,d7; 341 UINT32 d0,d1,d2,d3,d4,d5,d6,d7;
342 UINT32 k0,k1,k2,k3,k4,k5,k6,k7; 342 UINT32 k0,k1,k2,k3,k4,k5,k6,k7;
343 343
344 h = *((UINT64 *)hp); 344 h = *((UINT64 *)hp);
345 do { 345 do {
346 d0 = LOAD_UINT32_LITTLE(d+0); d1 = LOAD_UINT32_LITTLE(d+1); 346 d0 = LOAD_UINT32_LITTLE(d+0); d1 = LOAD_UINT32_LITTLE(d+1);
@@ -353,7 +353,7 @@ static void nh_aux(void *kp, const void *dp, void *hp, UINT32 dlen)
353 h += MUL64((k1 + d1), (k5 + d5)); 353 h += MUL64((k1 + d1), (k5 + d5));
354 h += MUL64((k2 + d2), (k6 + d6)); 354 h += MUL64((k2 + d2), (k6 + d6));
355 h += MUL64((k3 + d3), (k7 + d7)); 355 h += MUL64((k3 + d3), (k7 + d7));
356 356
357 d += 8; 357 d += 8;
358 k += 8; 358 k += 8;
359 } while (--c); 359 } while (--c);
@@ -421,7 +421,7 @@ static void nh_aux(void *kp, const void *dp, void *hp, UINT32 dlen)
421 UINT32 d0,d1,d2,d3,d4,d5,d6,d7; 421 UINT32 d0,d1,d2,d3,d4,d5,d6,d7;
422 UINT32 k0,k1,k2,k3,k4,k5,k6,k7, 422 UINT32 k0,k1,k2,k3,k4,k5,k6,k7,
423 k8,k9,k10,k11,k12,k13,k14,k15; 423 k8,k9,k10,k11,k12,k13,k14,k15;
424 424
425 h1 = *((UINT64 *)hp); 425 h1 = *((UINT64 *)hp);
426 h2 = *((UINT64 *)hp + 1); 426 h2 = *((UINT64 *)hp + 1);
427 h3 = *((UINT64 *)hp + 2); 427 h3 = *((UINT64 *)hp + 2);
@@ -434,26 +434,26 @@ static void nh_aux(void *kp, const void *dp, void *hp, UINT32 dlen)
434 d6 = LOAD_UINT32_LITTLE(d+6); d7 = LOAD_UINT32_LITTLE(d+7); 434 d6 = LOAD_UINT32_LITTLE(d+6); d7 = LOAD_UINT32_LITTLE(d+7);
435 k8 = *(k+8); k9 = *(k+9); k10 = *(k+10); k11 = *(k+11); 435 k8 = *(k+8); k9 = *(k+9); k10 = *(k+10); k11 = *(k+11);
436 k12 = *(k+12); k13 = *(k+13); k14 = *(k+14); k15 = *(k+15); 436 k12 = *(k+12); k13 = *(k+13); k14 = *(k+14); k15 = *(k+15);
437 437
438 h1 += MUL64((k0 + d0), (k4 + d4)); 438 h1 += MUL64((k0 + d0), (k4 + d4));
439 h2 += MUL64((k4 + d0), (k8 + d4)); 439 h2 += MUL64((k4 + d0), (k8 + d4));
440 h3 += MUL64((k8 + d0), (k12 + d4)); 440 h3 += MUL64((k8 + d0), (k12 + d4));
441 441
442 h1 += MUL64((k1 + d1), (k5 + d5)); 442 h1 += MUL64((k1 + d1), (k5 + d5));
443 h2 += MUL64((k5 + d1), (k9 + d5)); 443 h2 += MUL64((k5 + d1), (k9 + d5));
444 h3 += MUL64((k9 + d1), (k13 + d5)); 444 h3 += MUL64((k9 + d1), (k13 + d5));
445 445
446 h1 += MUL64((k2 + d2), (k6 + d6)); 446 h1 += MUL64((k2 + d2), (k6 + d6));
447 h2 += MUL64((k6 + d2), (k10 + d6)); 447 h2 += MUL64((k6 + d2), (k10 + d6));
448 h3 += MUL64((k10 + d2), (k14 + d6)); 448 h3 += MUL64((k10 + d2), (k14 + d6));
449 449
450 h1 += MUL64((k3 + d3), (k7 + d7)); 450 h1 += MUL64((k3 + d3), (k7 + d7));
451 h2 += MUL64((k7 + d3), (k11 + d7)); 451 h2 += MUL64((k7 + d3), (k11 + d7));
452 h3 += MUL64((k11 + d3), (k15 + d7)); 452 h3 += MUL64((k11 + d3), (k15 + d7));
453 453
454 k0 = k8; k1 = k9; k2 = k10; k3 = k11; 454 k0 = k8; k1 = k9; k2 = k10; k3 = k11;
455 k4 = k12; k5 = k13; k6 = k14; k7 = k15; 455 k4 = k12; k5 = k13; k6 = k14; k7 = k15;
456 456
457 d += 8; 457 d += 8;
458 k += 8; 458 k += 8;
459 } while (--c); 459 } while (--c);
@@ -477,7 +477,7 @@ static void nh_aux(void *kp, const void *dp, void *hp, UINT32 dlen)
477 UINT32 k0,k1,k2,k3,k4,k5,k6,k7, 477 UINT32 k0,k1,k2,k3,k4,k5,k6,k7,
478 k8,k9,k10,k11,k12,k13,k14,k15, 478 k8,k9,k10,k11,k12,k13,k14,k15,
479 k16,k17,k18,k19; 479 k16,k17,k18,k19;
480 480
481 h1 = *((UINT64 *)hp); 481 h1 = *((UINT64 *)hp);
482 h2 = *((UINT64 *)hp + 1); 482 h2 = *((UINT64 *)hp + 1);
483 h3 = *((UINT64 *)hp + 2); 483 h3 = *((UINT64 *)hp + 2);
@@ -492,31 +492,31 @@ static void nh_aux(void *kp, const void *dp, void *hp, UINT32 dlen)
492 k8 = *(k+8); k9 = *(k+9); k10 = *(k+10); k11 = *(k+11); 492 k8 = *(k+8); k9 = *(k+9); k10 = *(k+10); k11 = *(k+11);
493 k12 = *(k+12); k13 = *(k+13); k14 = *(k+14); k15 = *(k+15); 493 k12 = *(k+12); k13 = *(k+13); k14 = *(k+14); k15 = *(k+15);
494 k16 = *(k+16); k17 = *(k+17); k18 = *(k+18); k19 = *(k+19); 494 k16 = *(k+16); k17 = *(k+17); k18 = *(k+18); k19 = *(k+19);
495 495
496 h1 += MUL64((k0 + d0), (k4 + d4)); 496 h1 += MUL64((k0 + d0), (k4 + d4));
497 h2 += MUL64((k4 + d0), (k8 + d4)); 497 h2 += MUL64((k4 + d0), (k8 + d4));
498 h3 += MUL64((k8 + d0), (k12 + d4)); 498 h3 += MUL64((k8 + d0), (k12 + d4));
499 h4 += MUL64((k12 + d0), (k16 + d4)); 499 h4 += MUL64((k12 + d0), (k16 + d4));
500 500
501 h1 += MUL64((k1 + d1), (k5 + d5)); 501 h1 += MUL64((k1 + d1), (k5 + d5));
502 h2 += MUL64((k5 + d1), (k9 + d5)); 502 h2 += MUL64((k5 + d1), (k9 + d5));
503 h3 += MUL64((k9 + d1), (k13 + d5)); 503 h3 += MUL64((k9 + d1), (k13 + d5));
504 h4 += MUL64((k13 + d1), (k17 + d5)); 504 h4 += MUL64((k13 + d1), (k17 + d5));
505 505
506 h1 += MUL64((k2 + d2), (k6 + d6)); 506 h1 += MUL64((k2 + d2), (k6 + d6));
507 h2 += MUL64((k6 + d2), (k10 + d6)); 507 h2 += MUL64((k6 + d2), (k10 + d6));
508 h3 += MUL64((k10 + d2), (k14 + d6)); 508 h3 += MUL64((k10 + d2), (k14 + d6));
509 h4 += MUL64((k14 + d2), (k18 + d6)); 509 h4 += MUL64((k14 + d2), (k18 + d6));
510 510
511 h1 += MUL64((k3 + d3), (k7 + d7)); 511 h1 += MUL64((k3 + d3), (k7 + d7));
512 h2 += MUL64((k7 + d3), (k11 + d7)); 512 h2 += MUL64((k7 + d3), (k11 + d7));
513 h3 += MUL64((k11 + d3), (k15 + d7)); 513 h3 += MUL64((k11 + d3), (k15 + d7));
514 h4 += MUL64((k15 + d3), (k19 + d7)); 514 h4 += MUL64((k15 + d3), (k19 + d7));
515 515
516 k0 = k8; k1 = k9; k2 = k10; k3 = k11; 516 k0 = k8; k1 = k9; k2 = k10; k3 = k11;
517 k4 = k12; k5 = k13; k6 = k14; k7 = k15; 517 k4 = k12; k5 = k13; k6 = k14; k7 = k15;
518 k8 = k16; k9 = k17; k10 = k18; k11 = k19; 518 k8 = k16; k9 = k17; k10 = k18; k11 = k19;
519 519
520 d += 8; 520 d += 8;
521 k += 8; 521 k += 8;
522 } while (--c); 522 } while (--c);
@@ -541,7 +541,7 @@ static void nh_transform(nh_ctx *hc, const UINT8 *buf, UINT32 nbytes)
541 */ 541 */
542{ 542{
543 UINT8 *key; 543 UINT8 *key;
544 544
545 key = hc->nh_key + hc->bytes_hashed; 545 key = hc->nh_key + hc->bytes_hashed;
546 nh_aux(key, buf, hc->state, nbytes); 546 nh_aux(key, buf, hc->state, nbytes);
547} 547}
@@ -613,7 +613,7 @@ static void nh_update(nh_ctx *hc, const UINT8 *buf, UINT32 nbytes)
613/* even multiple of HASH_BUF_BYTES. */ 613/* even multiple of HASH_BUF_BYTES. */
614{ 614{
615 UINT32 i,j; 615 UINT32 i,j;
616 616
617 j = hc->next_data_empty; 617 j = hc->next_data_empty;
618 if ((j + nbytes) >= HASH_BUF_BYTES) { 618 if ((j + nbytes) >= HASH_BUF_BYTES) {
619 if (j) { 619 if (j) {
@@ -677,12 +677,12 @@ static void nh_final(nh_ctx *hc, UINT8 *result)
677 if (hc->next_data_empty != 0) { 677 if (hc->next_data_empty != 0) {
678 nh_len = ((hc->next_data_empty + (L1_PAD_BOUNDARY - 1)) & 678 nh_len = ((hc->next_data_empty + (L1_PAD_BOUNDARY - 1)) &
679 ~(L1_PAD_BOUNDARY - 1)); 679 ~(L1_PAD_BOUNDARY - 1));
680 zero_pad(hc->data + hc->next_data_empty, 680 zero_pad(hc->data + hc->next_data_empty,
681 nh_len - hc->next_data_empty); 681 nh_len - hc->next_data_empty);
682 nh_transform(hc, hc->data, nh_len); 682 nh_transform(hc, hc->data, nh_len);
683 hc->bytes_hashed += hc->next_data_empty; 683 hc->bytes_hashed += hc->next_data_empty;
684 } else if (hc->bytes_hashed == 0) { 684 } else if (hc->bytes_hashed == 0) {
685 nh_len = L1_PAD_BOUNDARY; 685 nh_len = L1_PAD_BOUNDARY;
686 zero_pad(hc->data, L1_PAD_BOUNDARY); 686 zero_pad(hc->data, L1_PAD_BOUNDARY);
687 nh_transform(hc, hc->data, nh_len); 687 nh_transform(hc, hc->data, nh_len);
688 } 688 }
@@ -711,10 +711,10 @@ static void nh(nh_ctx *hc, const UINT8 *buf, UINT32 padded_len,
711 */ 711 */
712{ 712{
713 UINT32 nbits; 713 UINT32 nbits;
714 714
715 /* Initialize the hash state */ 715 /* Initialize the hash state */
716 nbits = (unpadded_len << 3); 716 nbits = (unpadded_len << 3);
717 717
718 ((UINT64 *)result)[0] = nbits; 718 ((UINT64 *)result)[0] = nbits;
719#if (UMAC_OUTPUT_LEN >= 8) 719#if (UMAC_OUTPUT_LEN >= 8)
720 ((UINT64 *)result)[1] = nbits; 720 ((UINT64 *)result)[1] = nbits;
@@ -725,7 +725,7 @@ static void nh(nh_ctx *hc, const UINT8 *buf, UINT32 padded_len,
725#if (UMAC_OUTPUT_LEN == 16) 725#if (UMAC_OUTPUT_LEN == 16)
726 ((UINT64 *)result)[3] = nbits; 726 ((UINT64 *)result)[3] = nbits;
727#endif 727#endif
728 728
729 nh_aux(hc->nh_key, buf, result, padded_len); 729 nh_aux(hc->nh_key, buf, result, padded_len);
730} 730}
731 731
@@ -744,16 +744,16 @@ static void nh(nh_ctx *hc, const UINT8 *buf, UINT32 padded_len,
744 * buffers are presented sequentially. In the sequential interface, the 744 * buffers are presented sequentially. In the sequential interface, the
745 * UHASH client calls the routine uhash_update() as many times as necessary. 745 * UHASH client calls the routine uhash_update() as many times as necessary.
746 * When there is no more data to be fed to UHASH, the client calls 746 * When there is no more data to be fed to UHASH, the client calls
747 * uhash_final() which 747 * uhash_final() which
748 * calculates the UHASH output. Before beginning another UHASH calculation 748 * calculates the UHASH output. Before beginning another UHASH calculation
749 * the uhash_reset() routine must be called. The all-at-once UHASH routine, 749 * the uhash_reset() routine must be called. The all-at-once UHASH routine,
750 * uhash(), is equivalent to the sequence of calls uhash_update() and 750 * uhash(), is equivalent to the sequence of calls uhash_update() and
751 * uhash_final(); however it is optimized and should be 751 * uhash_final(); however it is optimized and should be
752 * used whenever the sequential interface is not necessary. 752 * used whenever the sequential interface is not necessary.
753 * 753 *
754 * The routine uhash_init() initializes the uhash_ctx data structure and 754 * The routine uhash_init() initializes the uhash_ctx data structure and
755 * must be called once, before any other UHASH routine. 755 * must be called once, before any other UHASH routine.
756 */ 756 */
757 757
758/* ---------------------------------------------------------------------- */ 758/* ---------------------------------------------------------------------- */
759/* ----- Constants and uhash_ctx ---------------------------------------- */ 759/* ----- Constants and uhash_ctx ---------------------------------------- */
@@ -802,13 +802,13 @@ static UINT64 poly64(UINT64 cur, UINT64 key, UINT64 data)
802 x_lo, 802 x_lo,
803 x_hi; 803 x_hi;
804 UINT64 X,T,res; 804 UINT64 X,T,res;
805 805
806 X = MUL64(key_hi, cur_lo) + MUL64(cur_hi, key_lo); 806 X = MUL64(key_hi, cur_lo) + MUL64(cur_hi, key_lo);
807 x_lo = (UINT32)X; 807 x_lo = (UINT32)X;
808 x_hi = (UINT32)(X >> 32); 808 x_hi = (UINT32)(X >> 32);
809 809
810 res = (MUL64(key_hi, cur_hi) + x_hi) * 59 + MUL64(key_lo, cur_lo); 810 res = (MUL64(key_hi, cur_hi) + x_hi) * 59 + MUL64(key_lo, cur_lo);
811 811
812 T = ((UINT64)x_lo << 32); 812 T = ((UINT64)x_lo << 32);
813 res += T; 813 res += T;
814 if (res < T) 814 if (res < T)
@@ -832,10 +832,10 @@ static void poly_hash(uhash_ctx_t hc, UINT32 data_in[])
832{ 832{
833 int i; 833 int i;
834 UINT64 *data=(UINT64*)data_in; 834 UINT64 *data=(UINT64*)data_in;
835 835
836 for (i = 0; i < STREAMS; i++) { 836 for (i = 0; i < STREAMS; i++) {
837 if ((UINT32)(data[i] >> 32) == 0xfffffffful) { 837 if ((UINT32)(data[i] >> 32) == 0xfffffffful) {
838 hc->poly_accum[i] = poly64(hc->poly_accum[i], 838 hc->poly_accum[i] = poly64(hc->poly_accum[i],
839 hc->poly_key_8[i], p64 - 1); 839 hc->poly_key_8[i], p64 - 1);
840 hc->poly_accum[i] = poly64(hc->poly_accum[i], 840 hc->poly_accum[i] = poly64(hc->poly_accum[i],
841 hc->poly_key_8[i], (data[i] - 59)); 841 hc->poly_key_8[i], (data[i] - 59));
@@ -862,7 +862,7 @@ static UINT64 ip_aux(UINT64 t, UINT64 *ipkp, UINT64 data)
862 t = t + ipkp[1] * (UINT64)(UINT16)(data >> 32); 862 t = t + ipkp[1] * (UINT64)(UINT16)(data >> 32);
863 t = t + ipkp[2] * (UINT64)(UINT16)(data >> 16); 863 t = t + ipkp[2] * (UINT64)(UINT16)(data >> 16);
864 t = t + ipkp[3] * (UINT64)(UINT16)(data); 864 t = t + ipkp[3] * (UINT64)(UINT16)(data);
865 865
866 return t; 866 return t;
867} 867}
868 868
@@ -870,7 +870,7 @@ static UINT32 ip_reduce_p36(UINT64 t)
870{ 870{
871/* Divisionless modular reduction */ 871/* Divisionless modular reduction */
872 UINT64 ret; 872 UINT64 ret;
873 873
874 ret = (t & m36) + 5 * (t >> 36); 874 ret = (t & m36) + 5 * (t >> 36);
875 if (ret >= p36) 875 if (ret >= p36)
876 ret -= p36; 876 ret -= p36;
@@ -888,7 +888,7 @@ static void ip_short(uhash_ctx_t ahc, UINT8 *nh_res, u_char *res)
888{ 888{
889 UINT64 t; 889 UINT64 t;
890 UINT64 *nhp = (UINT64 *)nh_res; 890 UINT64 *nhp = (UINT64 *)nh_res;
891 891
892 t = ip_aux(0,ahc->ip_keys, nhp[0]); 892 t = ip_aux(0,ahc->ip_keys, nhp[0]);
893 STORE_UINT32_BIG((UINT32 *)res+0, ip_reduce_p36(t) ^ ahc->ip_trans[0]); 893 STORE_UINT32_BIG((UINT32 *)res+0, ip_reduce_p36(t) ^ ahc->ip_trans[0]);
894#if (UMAC_OUTPUT_LEN >= 8) 894#if (UMAC_OUTPUT_LEN >= 8)
@@ -919,7 +919,7 @@ static void ip_long(uhash_ctx_t ahc, u_char *res)
919 if (ahc->poly_accum[i] >= p64) 919 if (ahc->poly_accum[i] >= p64)
920 ahc->poly_accum[i] -= p64; 920 ahc->poly_accum[i] -= p64;
921 t = ip_aux(0,ahc->ip_keys+(i*4), ahc->poly_accum[i]); 921 t = ip_aux(0,ahc->ip_keys+(i*4), ahc->poly_accum[i]);
922 STORE_UINT32_BIG((UINT32 *)res+i, 922 STORE_UINT32_BIG((UINT32 *)res+i,
923 ip_reduce_p36(t) ^ ahc->ip_trans[i]); 923 ip_reduce_p36(t) ^ ahc->ip_trans[i]);
924 } 924 }
925} 925}
@@ -958,13 +958,13 @@ static void uhash_init(uhash_ctx_t ahc, aes_int_key prf_key)
958{ 958{
959 int i; 959 int i;
960 UINT8 buf[(8*STREAMS+4)*sizeof(UINT64)]; 960 UINT8 buf[(8*STREAMS+4)*sizeof(UINT64)];
961 961
962 /* Zero the entire uhash context */ 962 /* Zero the entire uhash context */
963 memset(ahc, 0, sizeof(uhash_ctx)); 963 memset(ahc, 0, sizeof(uhash_ctx));
964 964
965 /* Initialize the L1 hash */ 965 /* Initialize the L1 hash */
966 nh_init(&ahc->hash, prf_key); 966 nh_init(&ahc->hash, prf_key);
967 967
968 /* Setup L2 hash variables */ 968 /* Setup L2 hash variables */
969 kdf(buf, prf_key, 2, sizeof(buf)); /* Fill buffer with index 1 key */ 969 kdf(buf, prf_key, 2, sizeof(buf)); /* Fill buffer with index 1 key */
970 for (i = 0; i < STREAMS; i++) { 970 for (i = 0; i < STREAMS; i++) {
@@ -978,17 +978,17 @@ static void uhash_init(uhash_ctx_t ahc, aes_int_key prf_key)
978 ahc->poly_key_8[i] &= ((UINT64)0x01ffffffu << 32) + 0x01ffffffu; 978 ahc->poly_key_8[i] &= ((UINT64)0x01ffffffu << 32) + 0x01ffffffu;
979 ahc->poly_accum[i] = 1; /* Our polyhash prepends a non-zero word */ 979 ahc->poly_accum[i] = 1; /* Our polyhash prepends a non-zero word */
980 } 980 }
981 981
982 /* Setup L3-1 hash variables */ 982 /* Setup L3-1 hash variables */
983 kdf(buf, prf_key, 3, sizeof(buf)); /* Fill buffer with index 2 key */ 983 kdf(buf, prf_key, 3, sizeof(buf)); /* Fill buffer with index 2 key */
984 for (i = 0; i < STREAMS; i++) 984 for (i = 0; i < STREAMS; i++)
985 memcpy(ahc->ip_keys+4*i, buf+(8*i+4)*sizeof(UINT64), 985 memcpy(ahc->ip_keys+4*i, buf+(8*i+4)*sizeof(UINT64),
986 4*sizeof(UINT64)); 986 4*sizeof(UINT64));
987 endian_convert_if_le(ahc->ip_keys, sizeof(UINT64), 987 endian_convert_if_le(ahc->ip_keys, sizeof(UINT64),
988 sizeof(ahc->ip_keys)); 988 sizeof(ahc->ip_keys));
989 for (i = 0; i < STREAMS*4; i++) 989 for (i = 0; i < STREAMS*4; i++)
990 ahc->ip_keys[i] %= p36; /* Bring into Z_p36 */ 990 ahc->ip_keys[i] %= p36; /* Bring into Z_p36 */
991 991
992 /* Setup L3-2 hash variables */ 992 /* Setup L3-2 hash variables */
993 /* Fill buffer with index 4 key */ 993 /* Fill buffer with index 4 key */
994 kdf(ahc->ip_trans, prf_key, 4, STREAMS * sizeof(UINT32)); 994 kdf(ahc->ip_trans, prf_key, 4, STREAMS * sizeof(UINT32));
@@ -1006,7 +1006,7 @@ static uhash_ctx_t uhash_alloc(u_char key[])
1006 uhash_ctx_t ctx; 1006 uhash_ctx_t ctx;
1007 u_char bytes_to_add; 1007 u_char bytes_to_add;
1008 aes_int_key prf_key; 1008 aes_int_key prf_key;
1009 1009
1010 ctx = (uhash_ctx_t)malloc(sizeof(uhash_ctx)+ALLOC_BOUNDARY); 1010 ctx = (uhash_ctx_t)malloc(sizeof(uhash_ctx)+ALLOC_BOUNDARY);
1011 if (ctx) { 1011 if (ctx) {
1012 if (ALLOC_BOUNDARY) { 1012 if (ALLOC_BOUNDARY) {
@@ -1029,7 +1029,7 @@ static int uhash_free(uhash_ctx_t ctx)
1029{ 1029{
1030/* Free memory allocated by uhash_alloc */ 1030/* Free memory allocated by uhash_alloc */
1031 u_char bytes_to_sub; 1031 u_char bytes_to_sub;
1032 1032
1033 if (ctx) { 1033 if (ctx) {
1034 if (ALLOC_BOUNDARY) { 1034 if (ALLOC_BOUNDARY) {
1035 bytes_to_sub = *((u_char *)ctx - 1); 1035 bytes_to_sub = *((u_char *)ctx - 1);
@@ -1050,12 +1050,12 @@ static int uhash_update(uhash_ctx_t ctx, const u_char *input, long len)
1050 UWORD bytes_hashed, bytes_remaining; 1050 UWORD bytes_hashed, bytes_remaining;
1051 UINT64 result_buf[STREAMS]; 1051 UINT64 result_buf[STREAMS];
1052 UINT8 *nh_result = (UINT8 *)&result_buf; 1052 UINT8 *nh_result = (UINT8 *)&result_buf;
1053 1053
1054 if (ctx->msg_len + len <= L1_KEY_LEN) { 1054 if (ctx->msg_len + len <= L1_KEY_LEN) {
1055 nh_update(&ctx->hash, (const UINT8 *)input, len); 1055 nh_update(&ctx->hash, (const UINT8 *)input, len);
1056 ctx->msg_len += len; 1056 ctx->msg_len += len;
1057 } else { 1057 } else {
1058 1058
1059 bytes_hashed = ctx->msg_len % L1_KEY_LEN; 1059 bytes_hashed = ctx->msg_len % L1_KEY_LEN;
1060 if (ctx->msg_len == L1_KEY_LEN) 1060 if (ctx->msg_len == L1_KEY_LEN)
1061 bytes_hashed = L1_KEY_LEN; 1061 bytes_hashed = L1_KEY_LEN;
@@ -1128,15 +1128,15 @@ static int uhash(uhash_ctx_t ahc, u_char *msg, long len, u_char *res)
1128 UINT8 nh_result[STREAMS*sizeof(UINT64)]; 1128 UINT8 nh_result[STREAMS*sizeof(UINT64)];
1129 UINT32 nh_len; 1129 UINT32 nh_len;
1130 int extra_zeroes_needed; 1130 int extra_zeroes_needed;
1131 1131
1132 /* If the message to be hashed is no longer than L1_HASH_LEN, we skip 1132 /* If the message to be hashed is no longer than L1_HASH_LEN, we skip
1133 * the polyhash. 1133 * the polyhash.
1134 */ 1134 */
1135 if (len <= L1_KEY_LEN) { 1135 if (len <= L1_KEY_LEN) {
1136 if (len == 0) /* If zero length messages will not */ 1136 if (len == 0) /* If zero length messages will not */
1137 nh_len = L1_PAD_BOUNDARY; /* be seen, comment out this case */ 1137 nh_len = L1_PAD_BOUNDARY; /* be seen, comment out this case */
1138 else 1138 else
1139 nh_len = ((len + (L1_PAD_BOUNDARY - 1)) & ~(L1_PAD_BOUNDARY - 1)); 1139 nh_len = ((len + (L1_PAD_BOUNDARY - 1)) & ~(L1_PAD_BOUNDARY - 1));
1140 extra_zeroes_needed = nh_len - len; 1140 extra_zeroes_needed = nh_len - len;
1141 zero_pad((UINT8 *)msg + len, extra_zeroes_needed); 1141 zero_pad((UINT8 *)msg + len, extra_zeroes_needed);
1142 nh(&ahc->hash, (UINT8 *)msg, nh_len, len, nh_result); 1142 nh(&ahc->hash, (UINT8 *)msg, nh_len, len, nh_result);
@@ -1161,7 +1161,7 @@ static int uhash(uhash_ctx_t ahc, u_char *msg, long len, u_char *res)
1161 1161
1162 ip_long(ahc, res); 1162 ip_long(ahc, res);
1163 } 1163 }
1164 1164
1165 uhash_reset(ahc); 1165 uhash_reset(ahc);
1166 return 1; 1166 return 1;
1167} 1167}
@@ -1175,9 +1175,9 @@ static int uhash(uhash_ctx_t ahc, u_char *msg, long len, u_char *res)
1175 1175
1176/* The UMAC interface has two interfaces, an all-at-once interface where 1176/* The UMAC interface has two interfaces, an all-at-once interface where
1177 * the entire message to be authenticated is passed to UMAC in one buffer, 1177 * the entire message to be authenticated is passed to UMAC in one buffer,
1178 * and a sequential interface where the message is presented a little at a 1178 * and a sequential interface where the message is presented a little at a
1179 * time. The all-at-once is more optimaized than the sequential version and 1179 * time. The all-at-once is more optimaized than the sequential version and
1180 * should be preferred when the sequential interface is not required. 1180 * should be preferred when the sequential interface is not required.
1181 */ 1181 */
1182struct umac_ctx { 1182struct umac_ctx {
1183 uhash_ctx hash; /* Hash function for message compression */ 1183 uhash_ctx hash; /* Hash function for message compression */
@@ -1213,14 +1213,14 @@ int umac_delete(struct umac_ctx *ctx)
1213/* ---------------------------------------------------------------------- */ 1213/* ---------------------------------------------------------------------- */
1214 1214
1215struct umac_ctx *umac_new(const u_char key[]) 1215struct umac_ctx *umac_new(const u_char key[])
1216/* Dynamically allocate a umac_ctx struct, initialize variables, 1216/* Dynamically allocate a umac_ctx struct, initialize variables,
1217 * generate subkeys from key. Align to 16-byte boundary. 1217 * generate subkeys from key. Align to 16-byte boundary.
1218 */ 1218 */
1219{ 1219{
1220 struct umac_ctx *ctx, *octx; 1220 struct umac_ctx *ctx, *octx;
1221 size_t bytes_to_add; 1221 size_t bytes_to_add;
1222 aes_int_key prf_key; 1222 aes_int_key prf_key;
1223 1223
1224 octx = ctx = xcalloc(1, sizeof(*ctx) + ALLOC_BOUNDARY); 1224 octx = ctx = xcalloc(1, sizeof(*ctx) + ALLOC_BOUNDARY);
1225 if (ctx) { 1225 if (ctx) {
1226 if (ALLOC_BOUNDARY) { 1226 if (ALLOC_BOUNDARY) {
@@ -1234,7 +1234,7 @@ struct umac_ctx *umac_new(const u_char key[])
1234 uhash_init(&ctx->hash, prf_key); 1234 uhash_init(&ctx->hash, prf_key);
1235 explicit_bzero(prf_key, sizeof(prf_key)); 1235 explicit_bzero(prf_key, sizeof(prf_key));
1236 } 1236 }
1237 1237
1238 return (ctx); 1238 return (ctx);
1239} 1239}
1240 1240
@@ -1245,7 +1245,7 @@ int umac_final(struct umac_ctx *ctx, u_char tag[], const u_char nonce[8])
1245{ 1245{
1246 uhash_final(&ctx->hash, (u_char *)tag); 1246 uhash_final(&ctx->hash, (u_char *)tag);
1247 pdf_gen_xor(&ctx->pdf, (const UINT8 *)nonce, (UINT8 *)tag); 1247 pdf_gen_xor(&ctx->pdf, (const UINT8 *)nonce, (UINT8 *)tag);
1248 1248
1249 return (1); 1249 return (1);
1250} 1250}
1251 1251
@@ -1263,14 +1263,14 @@ int umac_update(struct umac_ctx *ctx, const u_char *input, long len)
1263/* ---------------------------------------------------------------------- */ 1263/* ---------------------------------------------------------------------- */
1264 1264
1265#if 0 1265#if 0
1266int umac(struct umac_ctx *ctx, u_char *input, 1266int umac(struct umac_ctx *ctx, u_char *input,
1267 long len, u_char tag[], 1267 long len, u_char tag[],
1268 u_char nonce[8]) 1268 u_char nonce[8])
1269/* All-in-one version simply calls umac_update() and umac_final(). */ 1269/* All-in-one version simply calls umac_update() and umac_final(). */
1270{ 1270{
1271 uhash(&ctx->hash, input, len, (u_char *)tag); 1271 uhash(&ctx->hash, input, len, (u_char *)tag);
1272 pdf_gen_xor(&ctx->pdf, (UINT8 *)nonce, (UINT8 *)tag); 1272 pdf_gen_xor(&ctx->pdf, (UINT8 *)nonce, (UINT8 *)tag);
1273 1273
1274 return (1); 1274 return (1);
1275} 1275}
1276#endif 1276#endif