3 EAX mode, see http://www.cs.ucdavis.edu/~rogaway/papers/eax.pdf
5 Copyright (C) 2013 Niels Möller
7 This file is part of GNU Nettle.
9 GNU Nettle is free software: you can redistribute it and/or
10 modify it under the terms of either:
12 * the GNU Lesser General Public License as published by the Free
13 Software Foundation; either version 3 of the License, or (at your
14 option) any later version.
18 * the GNU General Public License as published by the Free
19 Software Foundation; either version 2 of the License, or (at your
20 option) any later version.
22 or both in parallel, as here.
24 GNU Nettle is distributed in the hope that it will be useful,
25 but WITHOUT ANY WARRANTY; without even the implied warranty of
26 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
27 General Public License for more details.
29 You should have received copies of the GNU General Public License and
30 the GNU Lesser General Public License along with this program. If
31 not, see http://www.gnu.org/licenses/.
43 #include "block-internal.h"
48 omac_init (union nettle_block16 *state, unsigned t)
50 memset (state->b, 0, EAX_BLOCK_SIZE - 1);
51 state->b[EAX_BLOCK_SIZE - 1] = t;
55 omac_update (union nettle_block16 *state, const struct eax_key *key,
56 const void *cipher, nettle_cipher_func *f,
57 size_t length, const uint8_t *data)
59 for (; length >= EAX_BLOCK_SIZE;
60 length -= EAX_BLOCK_SIZE, data += EAX_BLOCK_SIZE)
62 f (cipher, EAX_BLOCK_SIZE, state->b, state->b);
63 memxor (state->b, data, EAX_BLOCK_SIZE);
67 /* Allowed only for the last call */
68 f (cipher, EAX_BLOCK_SIZE, state->b, state->b);
69 memxor (state->b, data, length);
70 state->b[length] ^= 0x80;
71 /* XOR with (P ^ B), since the digest processing
72 * unconditionally XORs with B */
73 block16_xor (state, &key->pad_partial);
78 omac_final (union nettle_block16 *state, const struct eax_key *key,
79 const void *cipher, nettle_cipher_func *f)
81 block16_xor (state, &key->pad_block);
82 f (cipher, EAX_BLOCK_SIZE, state->b, state->b);
86 eax_set_key (struct eax_key *key, const void *cipher, nettle_cipher_func *f)
88 static const union nettle_block16 zero_block;
89 f (cipher, EAX_BLOCK_SIZE, key->pad_block.b, zero_block.b);
90 block16_mulx_be (&key->pad_block, &key->pad_block);
91 block16_mulx_be (&key->pad_partial, &key->pad_block);
92 block16_xor (&key->pad_partial, &key->pad_block);
96 eax_set_nonce (struct eax_ctx *eax, const struct eax_key *key,
97 const void *cipher, nettle_cipher_func *f,
98 size_t nonce_length, const uint8_t *nonce)
100 omac_init (&eax->omac_nonce, 0);
101 omac_update (&eax->omac_nonce, key, cipher, f, nonce_length, nonce);
102 omac_final (&eax->omac_nonce, key, cipher, f);
103 memcpy (eax->ctr.b, eax->omac_nonce.b, EAX_BLOCK_SIZE);
105 omac_init (&eax->omac_data, 1);
106 omac_init (&eax->omac_message, 2);
110 eax_update (struct eax_ctx *eax, const struct eax_key *key,
111 const void *cipher, nettle_cipher_func *f,
112 size_t data_length, const uint8_t *data)
114 omac_update (&eax->omac_data, key, cipher, f, data_length, data);
118 eax_encrypt (struct eax_ctx *eax, const struct eax_key *key,
119 const void *cipher, nettle_cipher_func *f,
120 size_t length, uint8_t *dst, const uint8_t *src)
122 ctr_crypt (cipher, f, EAX_BLOCK_SIZE, eax->ctr.b, length, dst, src);
123 omac_update (&eax->omac_message, key, cipher, f, length, dst);
127 eax_decrypt (struct eax_ctx *eax, const struct eax_key *key,
128 const void *cipher, nettle_cipher_func *f,
129 size_t length, uint8_t *dst, const uint8_t *src)
131 omac_update (&eax->omac_message, key, cipher, f, length, src);
132 ctr_crypt (cipher, f, EAX_BLOCK_SIZE, eax->ctr.b, length, dst, src);
136 eax_digest (struct eax_ctx *eax, const struct eax_key *key,
137 const void *cipher, nettle_cipher_func *f,
138 size_t length, uint8_t *digest)
141 assert (length <= EAX_BLOCK_SIZE);
142 omac_final (&eax->omac_data, key, cipher, f);
143 omac_final (&eax->omac_message, key, cipher, f);
145 block16_xor (&eax->omac_nonce, &eax->omac_data);
146 memxor3 (digest, eax->omac_nonce.b, eax->omac_message.b, length);