1/* $OpenBSD: umac.c,v 1.2 2007/09/12 19:39:19 stevesk Exp $ */
2/* -----------------------------------------------------------------------
3 *
4 * umac.c -- C Implementation UMAC Message Authentication
5 *
6 * Version 0.93b of rfc4418.txt -- 2006 July 18
7 *
8 * For a full description of UMAC message authentication see the UMAC
9 * world-wide-web page at http://www.cs.ucdavis.edu/~rogaway/umac
--- 121 unchanged lines hidden (view full) ---
131static UINT32 LOAD_UINT32_REVERSED(void *ptr)
132{
133 UINT32 temp = *(UINT32 *)ptr;
134 temp = (temp >> 24) | ((temp & 0x00FF0000) >> 8 )
135 | ((temp & 0x0000FF00) << 8 ) | (temp << 24);
136 return (UINT32)temp;
137}
138
139static void STORE_UINT32_REVERSED(void *ptr, UINT32 x)
140{
141 UINT32 i = (UINT32)x;
142 *(UINT32 *)ptr = (i >> 24) | ((i & 0x00FF0000) >> 8 )
143 | ((i & 0x0000FF00) << 8 ) | (i << 24);
144}
145#endif /* HAVE_SWAP32 */
146
147/* The following definitions use the above reversal-primitives to do the right
148 * thing on endian specific load and stores.
149 */
150
151#if (__LITTLE_ENDIAN__)
152#define LOAD_UINT32_LITTLE(ptr) (*(UINT32 *)(ptr))
--- 21 unchanged lines hidden (view full) ---
174#define aes_encryption(in,out,int_key) \
175 AES_encrypt((u_char *)(in),(u_char *)(out),(AES_KEY *)int_key)
176#define aes_key_setup(key,int_key) \
177 AES_set_encrypt_key((u_char *)(key),UMAC_KEY_LEN*8,int_key)
178
179/* The user-supplied UMAC key is stretched using AES in a counter
180 * mode to supply all random bits needed by UMAC. The kdf function takes
181 * an AES internal key representation 'key' and writes a stream of
182 * 'nbytes' bytes to the memory pointed at by 'buffer_ptr'. Each distinct
183 * 'ndx' causes a distinct byte stream.
184 */
185static void kdf(void *buffer_ptr, aes_int_key key, UINT8 ndx, int nbytes)
186{
187 UINT8 in_buf[AES_BLOCK_LEN] = {0};
188 UINT8 out_buf[AES_BLOCK_LEN];
189 UINT8 *dst_buf = (UINT8 *)buffer_ptr;
190 int i;
191
192 /* Setup the initial value */
193 in_buf[AES_BLOCK_LEN-9] = ndx;
194 in_buf[AES_BLOCK_LEN-1] = i = 1;
195
196 while (nbytes >= AES_BLOCK_LEN) {
197 aes_encryption(in_buf, out_buf, key);
--- 341 unchanged lines hidden (view full) ---
539 UINT8 *key;
540
541 key = hc->nh_key + hc->bytes_hashed;
542 nh_aux(key, buf, hc->state, nbytes);
543}
544
545/* ---------------------------------------------------------------------- */
546
547static void endian_convert(void *buf, UWORD bpw, UINT32 num_bytes)
548/* We endian convert the keys on little-endian computers to */
549/* compensate for the lack of big-endian memory reads during hashing. */
550{
551 UWORD iters = num_bytes / bpw;
552 if (bpw == 4) {
553 UINT32 *p = (UINT32 *)buf;
554 do {
--- 6 unchanged lines hidden (view full) ---
561 do {
562 t = LOAD_UINT32_REVERSED(p+1);
563 p[1] = LOAD_UINT32_REVERSED(p);
564 p[0] = t;
565 p += 2;
566 } while (--iters);
567 }
568}
569#if (__LITTLE_ENDIAN__)
570#define endian_convert_if_le(x,y,z) endian_convert((x),(y),(z))
571#else
572#define endian_convert_if_le(x,y,z) do{}while(0) /* Do nothing */
573#endif
574
575/* ---------------------------------------------------------------------- */
576
577static void nh_reset(nh_ctx *hc)
--- 460 unchanged lines hidden (view full) ---
1038/* ---------------------------------------------------------------------- */
1039
1040static int uhash_update(uhash_ctx_t ctx, u_char *input, long len)
1041/* Given len bytes of data, we parse it into L1_KEY_LEN chunks and
1042 * hash each one with NH, calling the polyhash on each NH output.
1043 */
1044{
1045 UWORD bytes_hashed, bytes_remaining;
1046 UINT8 nh_result[STREAMS*sizeof(UINT64)];
1047
1048 if (ctx->msg_len + len <= L1_KEY_LEN) {
1049 nh_update(&ctx->hash, (UINT8 *)input, len);
1050 ctx->msg_len += len;
1051 } else {
1052
1053 bytes_hashed = ctx->msg_len % L1_KEY_LEN;
1054 if (ctx->msg_len == L1_KEY_LEN)
--- 35 unchanged lines hidden (view full) ---
1090 return (1);
1091}
1092
1093/* ---------------------------------------------------------------------- */
1094
1095static int uhash_final(uhash_ctx_t ctx, u_char *res)
1096/* Incorporate any pending data, pad, and generate tag */
1097{
1098 UINT8 nh_result[STREAMS*sizeof(UINT64)];
1099
1100 if (ctx->msg_len > L1_KEY_LEN) {
1101 if (ctx->msg_len % L1_KEY_LEN) {
1102 nh_final(&ctx->hash, nh_result);
1103 poly_hash(ctx,(UINT32 *)nh_result);
1104 }
1105 ip_long(ctx, res);
1106 } else {
--- 167 unchanged lines hidden ---
2/* -----------------------------------------------------------------------
3 *
4 * umac.c -- C Implementation UMAC Message Authentication
5 *
6 * Version 0.93b of rfc4418.txt -- 2006 July 18
7 *
8 * For a full description of UMAC message authentication see the UMAC
9 * world-wide-web page at http://www.cs.ucdavis.edu/~rogaway/umac
--- 121 unchanged lines hidden (view full) ---
131static UINT32 LOAD_UINT32_REVERSED(void *ptr)
132{
133 UINT32 temp = *(UINT32 *)ptr;
134 temp = (temp >> 24) | ((temp & 0x00FF0000) >> 8 )
135 | ((temp & 0x0000FF00) << 8 ) | (temp << 24);
136 return (UINT32)temp;
137}
138
139static void STORE_UINT32_REVERSED(void *ptr, UINT32 x)
140{
141 UINT32 i = (UINT32)x;
142 *(UINT32 *)ptr = (i >> 24) | ((i & 0x00FF0000) >> 8 )
143 | ((i & 0x0000FF00) << 8 ) | (i << 24);
144}
145#endif /* HAVE_SWAP32 */
146
147/* The following definitions use the above reversal-primitives to do the right
148 * thing on endian specific load and stores.
149 */
150
151#if (__LITTLE_ENDIAN__)
152#define LOAD_UINT32_LITTLE(ptr) (*(UINT32 *)(ptr))
--- 21 unchanged lines hidden (view full) ---
174#define aes_encryption(in,out,int_key) \
175 AES_encrypt((u_char *)(in),(u_char *)(out),(AES_KEY *)int_key)
176#define aes_key_setup(key,int_key) \
177 AES_set_encrypt_key((u_char *)(key),UMAC_KEY_LEN*8,int_key)
178
179/* The user-supplied UMAC key is stretched using AES in a counter
180 * mode to supply all random bits needed by UMAC. The kdf function takes
181 * an AES internal key representation 'key' and writes a stream of
182 * 'nbytes' bytes to the memory pointed at by 'buffer_ptr'. Each distinct
183 * 'ndx' causes a distinct byte stream.
184 */
185static void kdf(void *buffer_ptr, aes_int_key key, UINT8 ndx, int nbytes)
186{
187 UINT8 in_buf[AES_BLOCK_LEN] = {0};
188 UINT8 out_buf[AES_BLOCK_LEN];
189 UINT8 *dst_buf = (UINT8 *)buffer_ptr;
190 int i;
191
192 /* Setup the initial value */
193 in_buf[AES_BLOCK_LEN-9] = ndx;
194 in_buf[AES_BLOCK_LEN-1] = i = 1;
195
196 while (nbytes >= AES_BLOCK_LEN) {
197 aes_encryption(in_buf, out_buf, key);
--- 341 unchanged lines hidden (view full) ---
539 UINT8 *key;
540
541 key = hc->nh_key + hc->bytes_hashed;
542 nh_aux(key, buf, hc->state, nbytes);
543}
544
545/* ---------------------------------------------------------------------- */
546
547static void endian_convert(void *buf, UWORD bpw, UINT32 num_bytes)
548/* We endian convert the keys on little-endian computers to */
549/* compensate for the lack of big-endian memory reads during hashing. */
550{
551 UWORD iters = num_bytes / bpw;
552 if (bpw == 4) {
553 UINT32 *p = (UINT32 *)buf;
554 do {
--- 6 unchanged lines hidden (view full) ---
561 do {
562 t = LOAD_UINT32_REVERSED(p+1);
563 p[1] = LOAD_UINT32_REVERSED(p);
564 p[0] = t;
565 p += 2;
566 } while (--iters);
567 }
568}
569#if (__LITTLE_ENDIAN__)
570#define endian_convert_if_le(x,y,z) endian_convert((x),(y),(z))
571#else
572#define endian_convert_if_le(x,y,z) do{}while(0) /* Do nothing */
573#endif
574
575/* ---------------------------------------------------------------------- */
576
577static void nh_reset(nh_ctx *hc)
--- 460 unchanged lines hidden (view full) ---
1038/* ---------------------------------------------------------------------- */
1039
1040static int uhash_update(uhash_ctx_t ctx, u_char *input, long len)
1041/* Given len bytes of data, we parse it into L1_KEY_LEN chunks and
1042 * hash each one with NH, calling the polyhash on each NH output.
1043 */
1044{
1045 UWORD bytes_hashed, bytes_remaining;
1046 UINT8 nh_result[STREAMS*sizeof(UINT64)];
1047
1048 if (ctx->msg_len + len <= L1_KEY_LEN) {
1049 nh_update(&ctx->hash, (UINT8 *)input, len);
1050 ctx->msg_len += len;
1051 } else {
1052
1053 bytes_hashed = ctx->msg_len % L1_KEY_LEN;
1054 if (ctx->msg_len == L1_KEY_LEN)
--- 35 unchanged lines hidden (view full) ---
1090 return (1);
1091}
1092
1093/* ---------------------------------------------------------------------- */
1094
1095static int uhash_final(uhash_ctx_t ctx, u_char *res)
1096/* Incorporate any pending data, pad, and generate tag */
1097{
1098 UINT8 nh_result[STREAMS*sizeof(UINT64)];
1099
1100 if (ctx->msg_len > L1_KEY_LEN) {
1101 if (ctx->msg_len % L1_KEY_LEN) {
1102 nh_final(&ctx->hash, nh_result);
1103 poly_hash(ctx,(UINT32 *)nh_result);
1104 }
1105 ip_long(ctx, res);
1106 } else {
--- 167 unchanged lines hidden ---