Start revamping the MAC API

aegis-aead · Dec 4, 2024 · f9cf01d · f9cf01d
1 parent 91e4817
commit f9cf01d
Show file tree

Hide file tree

Showing 9 changed files with 104 additions and 40 deletions.
diff --git a/src/aegis128l/aegis128l.c b/src/aegis128l/aegis128l.c
@@ -175,20 +175,20 @@ aegis128l_decrypt_unauthenticated(uint8_t *m, const uint8_t *c, size_t clen, con
 }
 
 void
-aegis128l_mac_init(aegis128l_state *st_, const uint8_t *k, const uint8_t *npub)
+aegis128l_mac_init(aegis128l_mac_state *st_, const uint8_t *k, const uint8_t *npub)
 {
     memset(st_, 0, sizeof *st_);
-    implementation->state_init(st_, NULL, 0, npub, k);
+    implementation->state_mac_init(st_, npub, k);
 }
 
 int
-aegis128l_mac_update(aegis128l_state *st_, const uint8_t *m, size_t mlen)
+aegis128l_mac_update(aegis128l_mac_state *st_, const uint8_t *m, size_t mlen)
 {
     return implementation->state_mac_update(st_, m, mlen);
 }
 
 int
-aegis128l_mac_final(aegis128l_state *st_, uint8_t *mac, size_t maclen)
+aegis128l_mac_final(aegis128l_mac_state *st_, uint8_t *mac, size_t maclen)
 {
     if (maclen != 16 && maclen != 32) {
         errno = EINVAL;
@@ -198,7 +198,7 @@ aegis128l_mac_final(aegis128l_state *st_, uint8_t *mac, size_t maclen)
 }
 
 int
-aegis128l_mac_verify(aegis128l_state *st_, const uint8_t *mac, size_t maclen)
+aegis128l_mac_verify(aegis128l_mac_state *st_, const uint8_t *mac, size_t maclen)
 {
     uint8_t expected_mac[32];
 
@@ -216,9 +216,15 @@ aegis128l_mac_verify(aegis128l_state *st_, const uint8_t *mac, size_t maclen)
 }
 
 void
-aegis128l_mac_state_clone(aegis128l_state *dst, const aegis128l_state *src)
+aegis128l_mac_reset(aegis128l_mac_state *st_)
 {
-    implementation->state_clone(dst, src);
+    implementation->state_mac_reset(st_);
+}
+
+void
+aegis128l_mac_state_clone(aegis128l_mac_state *dst, const aegis128l_mac_state *src)
+{
+    implementation->state_mac_state_clone(dst, src);
 }
 
 int

diff --git a/src/aegis128l/aegis128l_aesni.c b/src/aegis128l/aegis128l_aesni.c
@@ -63,9 +63,11 @@ struct aegis128l_implementation aegis128l_aesni_implementation = {
     .state_encrypt_final           = state_encrypt_final,
     .state_decrypt_detached_update = state_decrypt_detached_update,
     .state_decrypt_detached_final  = state_decrypt_detached_final,
+    .state_mac_init                = state_mac_init,
     .state_mac_update              = state_mac_update,
     .state_mac_final               = state_mac_final,
-    .state_clone                   = state_clone,
+    .state_mac_reset               = state_mac_reset,
+    .state_mac_state_clone         = state_mac_state_clone,
 };
 
 #    ifdef __clang__

diff --git a/src/aegis128l/aegis128l_altivec.c b/src/aegis128l/aegis128l_altivec.c
@@ -60,9 +60,11 @@ struct aegis128l_implementation aegis128l_altivec_implementation = {
     .state_encrypt_final           = state_encrypt_final,
     .state_decrypt_detached_update = state_decrypt_detached_update,
     .state_decrypt_detached_final  = state_decrypt_detached_final,
+    .state_mac_init                = state_mac_init,
     .state_mac_update              = state_mac_update,
     .state_mac_final               = state_mac_final,
-    .state_clone                   = state_clone,
+    .state_mac_reset               = state_mac_reset,
+    .state_mac_state_clone         = state_mac_state_clone,
 };
 
 #    ifdef __clang__

diff --git a/src/aegis128l/aegis128l_armcrypto.c b/src/aegis128l/aegis128l_armcrypto.c
@@ -67,9 +67,11 @@ struct aegis128l_implementation aegis128l_armcrypto_implementation = {
     .state_encrypt_final           = state_encrypt_final,
     .state_decrypt_detached_update = state_decrypt_detached_update,
     .state_decrypt_detached_final  = state_decrypt_detached_final,
+    .state_mac_init                = state_mac_init,
     .state_mac_update              = state_mac_update,
     .state_mac_final               = state_mac_final,
-    .state_clone                   = state_clone,
+    .state_mac_reset               = state_mac_reset,
+    .state_mac_state_clone         = state_mac_state_clone,
 };
 
 #    ifdef __clang__

diff --git a/src/aegis128l/aegis128l_common.h b/src/aegis128l/aegis128l_common.h
@@ -303,6 +303,14 @@ typedef struct _aegis128l_state {
     size_t       pos;
 } _aegis128l_state;
 
+typedef struct _aegis128l_mac_state {
+    aegis_blocks blocks0;
+    aegis_blocks blocks;
+    uint8_t      buf[RATE];
+    uint64_t     adlen;
+    size_t       pos;
+} _aegis128l_mac_state;
+
 static void
 state_init(aegis128l_state *st_, const uint8_t *ad, size_t adlen, const uint8_t *npub,
            const uint8_t *k)
@@ -570,13 +578,34 @@ state_decrypt_detached_final(aegis128l_state *st_, uint8_t *m, size_t mlen_max,
     return ret;
 }
 
+static void
+state_mac_init(aegis128l_mac_state *st_, const uint8_t *npub, const uint8_t *k)
+{
+    aegis_blocks                blocks;
+    _aegis128l_mac_state *const st =
+        (_aegis128l_mac_state *) ((((uintptr_t) &st_->opaque) + (ALIGNMENT - 1)) &
+                                  ~(uintptr_t) (ALIGNMENT - 1));
+    size_t i;
+
+    COMPILER_ASSERT((sizeof *st) + ALIGNMENT <= sizeof *st_);
+    st->pos = 0;
+
+    memcpy(blocks, st->blocks, sizeof blocks);
+
+    aegis128l_init(k, npub, blocks);
+
+    memcpy(st->blocks0, blocks, sizeof blocks);
+    memcpy(st->blocks, blocks, sizeof blocks);
+    st->adlen = 0;
+}
+
 static int
-state_mac_update(aegis128l_state *st_, const uint8_t *ad, size_t adlen)
+state_mac_update(aegis128l_mac_state *st_, const uint8_t *ad, size_t adlen)
 {
-    aegis_blocks            blocks;
-    _aegis128l_state *const st =
-        (_aegis128l_state *) ((((uintptr_t) &st_->opaque) + (ALIGNMENT - 1)) &
-                              ~(uintptr_t) (ALIGNMENT - 1));
+    aegis_blocks                blocks;
+    _aegis128l_mac_state *const st =
+        (_aegis128l_mac_state *) ((((uintptr_t) &st_->opaque) + (ALIGNMENT - 1)) &
+                                  ~(uintptr_t) (ALIGNMENT - 1));
     size_t i;
     size_t left;
 
@@ -620,12 +649,12 @@ state_mac_update(aegis128l_state *st_, const uint8_t *ad, size_t adlen)
 }
 
 static int
-state_mac_final(aegis128l_state *st_, uint8_t *mac, size_t maclen)
+state_mac_final(aegis128l_mac_state *st_, uint8_t *mac, size_t maclen)
 {
-    aegis_blocks            blocks;
-    _aegis128l_state *const st =
-        (_aegis128l_state *) ((((uintptr_t) &st_->opaque) + (ALIGNMENT - 1)) &
-                              ~(uintptr_t) (ALIGNMENT - 1));
+    aegis_blocks                blocks;
+    _aegis128l_mac_state *const st =
+        (_aegis128l_mac_state *) ((((uintptr_t) &st_->opaque) + (ALIGNMENT - 1)) &
+                                  ~(uintptr_t) (ALIGNMENT - 1));
     size_t left;
 
     memcpy(blocks, st->blocks, sizeof blocks);
@@ -643,13 +672,24 @@ state_mac_final(aegis128l_state *st_, uint8_t *mac, size_t maclen)
 }
 
 static void
-state_clone(aegis128l_state *dst, const aegis128l_state *src)
+state_mac_reset(aegis128l_mac_state *st_)
 {
-    _aegis128l_state *const dst_ =
-        (_aegis128l_state *) ((((uintptr_t) &dst->opaque) + (ALIGNMENT - 1)) &
-                              ~(uintptr_t) (ALIGNMENT - 1));
-    const _aegis128l_state *const src_ =
-        (const _aegis128l_state *) ((((uintptr_t) &src->opaque) + (ALIGNMENT - 1)) &
-                                    ~(uintptr_t) (ALIGNMENT - 1));
+    _aegis128l_mac_state *const st =
+        (_aegis128l_mac_state *) ((((uintptr_t) &st_->opaque) + (ALIGNMENT - 1)) &
+                                  ~(uintptr_t) (ALIGNMENT - 1));
+    st->adlen = 0;
+    st->pos   = 0;
+    memcpy(st->blocks, st->blocks0, sizeof(aegis_blocks));
+}
+
+static void
+state_mac_state_clone(aegis128l_mac_state *dst, const aegis128l_mac_state *src)
+{
+    _aegis128l_mac_state *const dst_ =
+        (_aegis128l_mac_state *) ((((uintptr_t) &dst->opaque) + (ALIGNMENT - 1)) &
+                                  ~(uintptr_t) (ALIGNMENT - 1));
+    const _aegis128l_mac_state *const src_ =
+        (const _aegis128l_mac_state *) ((((uintptr_t) &src->opaque) + (ALIGNMENT - 1)) &
+                                        ~(uintptr_t) (ALIGNMENT - 1));
     *dst_ = *src_;
-}
+}
diff --git a/src/aegis128l/implementations.h b/src/aegis128l/implementations.h
@@ -29,9 +29,11 @@ typedef struct aegis128l_implementation {
                                          size_t *written, const uint8_t *c, size_t clen);
     int (*state_decrypt_detached_final)(aegis128l_state *st_, uint8_t *m, size_t mlen_max,
                                         size_t *written, const uint8_t *mac, size_t maclen);
-    int (*state_mac_update)(aegis128l_state *st_, const uint8_t *ad, size_t adlen);
-    int (*state_mac_final)(aegis128l_state *st_, uint8_t *mac, size_t maclen);
-    void (*state_clone)(aegis128l_state *dst, const aegis128l_state *src);
+    void (*state_mac_init)(aegis128l_mac_state *st_, const uint8_t *npub, const uint8_t *k);
+    int (*state_mac_update)(aegis128l_mac_state *st_, const uint8_t *ad, size_t adlen);
+    int (*state_mac_final)(aegis128l_mac_state *st_, uint8_t *mac, size_t maclen);
+    void (*state_mac_reset)(aegis128l_mac_state *st);
+    void (*state_mac_state_clone)(aegis128l_mac_state *dst, const aegis128l_mac_state *src);
 } aegis128l_implementation;
 
 #endif
diff --git a/src/include/aegis128l.h b/src/include/aegis128l.h
@@ -31,6 +31,11 @@ typedef struct aegis128l_state {
     CRYPTO_ALIGN(32) uint8_t opaque[256];
 } aegis128l_state;
 
+/* An AEGIS state, only for MAC updates */
+typedef struct aegis128l_mac_state {
+    CRYPTO_ALIGN(32) uint8_t opaque[512];
+} aegis128l_mac_state;
+
 /* The length of an AEGIS key, in bytes */
 size_t aegis128l_keybytes(void);
 
@@ -267,7 +272,7 @@ void aegis128l_decrypt_unauthenticated(uint8_t *m, const uint8_t *c, size_t clen
  * with `aegis128l_mac_state_clone()`. It is only safe to copy a state directly without using
  * the clone function if the state is guaranteed to be properly aligned.
  */
-void aegis128l_mac_init(aegis128l_state *st_, const uint8_t *k, const uint8_t *npub);
+void aegis128l_mac_init(aegis128l_mac_state *st_, const uint8_t *k, const uint8_t *npub);
 
 /*
  * Update the MAC state with input data.
@@ -280,7 +285,7 @@ void aegis128l_mac_init(aegis128l_state *st_, const uint8_t *k, const uint8_t *n
  *
  * Once the full input has been absorb, call either `_mac_final` or `_mac_verify`.
  */
-int aegis128l_mac_update(aegis128l_state *st_, const uint8_t *m, size_t mlen);
+int aegis128l_mac_update(aegis128l_mac_state *st_, const uint8_t *m, size_t mlen);
 
 /*
  * Finalize the MAC and generate the authentication tag.
@@ -289,7 +294,7 @@ int aegis128l_mac_update(aegis128l_state *st_, const uint8_t *m, size_t mlen);
  * mac: authentication tag output buffer
  * maclen: length of the authentication tag to generate (16 or 32. 32 is recommended).
  */
-int aegis128l_mac_final(aegis128l_state *st_, uint8_t *mac, size_t maclen);
+int aegis128l_mac_final(aegis128l_mac_state *st_, uint8_t *mac, size_t maclen);
 
 /*
  * Verify a MAC in constant time.
@@ -300,7 +305,12 @@ int aegis128l_mac_final(aegis128l_state *st_, uint8_t *mac, size_t maclen);
  *
  * Returns 0 if the tag is authentic, -1 otherwise.
  */
-int aegis128l_mac_verify(aegis128l_state *st_, const uint8_t *mac, size_t maclen);
+int aegis128l_mac_verify(aegis128l_mac_state *st_, const uint8_t *mac, size_t maclen);
+
+/*
+ * Reset an AEGIS_MAC state.
+ */
+void aegis128l_mac_reset(aegis128l_mac_state *st_);
 
 /*
  * Clone an AEGIS-MAC state.
@@ -310,7 +320,7 @@ int aegis128l_mac_verify(aegis128l_state *st_, const uint8_t *mac, size_t maclen
  *
  * This function MUST be used in order to clone states.
  */
-void aegis128l_mac_state_clone(aegis128l_state *dst, const aegis128l_state *src);
+void aegis128l_mac_state_clone(aegis128l_mac_state *dst, const aegis128l_mac_state *src);
 
 #ifdef __cplusplus
 }

diff --git a/src/test/benchmark.zig b/src/test/benchmark.zig
@@ -204,7 +204,7 @@ fn bench_aegis128l_mac() !void {
     var key: [aegis.aegis128l_KEYBYTES]u8 = undefined;
     var nonce: [aegis.aegis128l_NPUBBYTES]u8 = undefined;
     var buf: [msg_len]u8 = undefined;
-    var st0: aegis.aegis128l_state = undefined;
+    var st0: aegis.aegis128l_mac_state = undefined;
 
     random.bytes(&key);
     random.bytes(&nonce);
@@ -214,7 +214,7 @@ fn bench_aegis128l_mac() !void {
     var timer = try Timer.start();
     const start = timer.lap();
     for (0..iterations) |_| {
-        var st: aegis.aegis128l_state = undefined;
+        var st: aegis.aegis128l_mac_state = undefined;
         aegis.aegis128l_mac_state_clone(&st, &st0);
         _ = aegis.aegis128l_mac_update(&st, &buf, msg_len);
         _ = aegis.aegis128l_mac_final(&st, &buf, aegis.aegis128l_ABYTES_MAX);

diff --git a/src/test/main.zig b/src/test/main.zig
@@ -630,10 +630,10 @@ test "aegis128l - MAC" {
     const nonce = [_]u8{0} ** 16;
     const msg = [_]u8{ 1, 2, 3 } ** 100;
     const msg2 = [_]u8{ 4, 5, 6, 7, 8 } ** 100 ++ [_]u8{0};
-    var st0: aegis.aegis128l_state = undefined;
+    var st0: aegis.aegis128l_mac_state = undefined;
     aegis.aegis128l_mac_init(&st0, &key, &nonce);
 
-    var st: aegis.aegis128l_state = undefined;
+    var st: aegis.aegis128l_mac_state = undefined;
     aegis.aegis128l_mac_state_clone(&st, &st0);
     var ret = aegis.aegis128l_mac_update(&st, &msg, msg.len);
     try testing.expectEqual(ret, 0);