From 5a2a9781534370bc3060ae58cc6b89d4a262bfcf Mon Sep 17 00:00:00 2001
From: Kévin Le Gouguec <kevin.legouguec@airbus.com>
Date: Mon, 26 Nov 2018 10:59:54 +0100
Subject: Implémentation du mode ΘCB3 : chiffrement - message
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Reste le tweak.

Au passage, 2-3 nettoyages (const-correctness, renommages de variables
et suppressions  de constantes pour  essayer d'être plus proche  de la
spec visuellement).
---
 crypto_aead/lilliputaei128v1/ref/lilliput-ae-i.c | 79 ++++++++++++++++++------
 crypto_aead/lilliputaei128v1/ref/lilliput-ae.h   |  1 +
 2 files changed, 61 insertions(+), 19 deletions(-)

diff --git a/crypto_aead/lilliputaei128v1/ref/lilliput-ae-i.c b/crypto_aead/lilliputaei128v1/ref/lilliput-ae-i.c
index a464196..96b0505 100644
--- a/crypto_aead/lilliputaei128v1/ref/lilliput-ae-i.c
+++ b/crypto_aead/lilliputaei128v1/ref/lilliput-ae-i.c
@@ -6,14 +6,6 @@
 #include "lilliput-ae.h"
 
 
-/* Most-significant nibbles for tweak values */
-#define TWEAK_AD                 0x2
-#define TWEAK_AD_PADDING         0x6
-#define TWEAK_MESSAGE            0x0
-#define TWEAK_MESSAGE_NO_PADDING 0x1
-#define TWEAK_MESSAGE_PADDING    0x5
-
-
 static void _lilliput_tbc(const uint8_t key[KEY_BYTES],
                           const uint8_t tweak[TWEAK_BYTES],
                           const uint8_t message[BLOCK_BYTES],
@@ -22,12 +14,18 @@ static void _lilliput_tbc(const uint8_t key[KEY_BYTES],
     lilliput_tbc_encrypt(key, tweak, message, ciphertext, NULL);
 }
 
-static void _xor_into(uint8_t dest[BLOCK_BYTES], uint8_t src[BLOCK_BYTES])
+static void _xor_into(uint8_t dest[BLOCK_BYTES], const uint8_t src[BLOCK_BYTES])
 {
     for (size_t i=0; i<BLOCK_BYTES; i++)
         dest[i] ^= src[i];
 }
 
+static void _xor_arrays(size_t len, uint8_t out[len], const uint8_t a[len], const uint8_t b[len])
+{
+    for (size_t i=0; i<len; i++)
+        out[i] = a[i] ^ b[i];
+}
+
 static void _pad10(size_t len, const uint8_t buf[len], uint8_t padded[BLOCK_BYTES])
 {
     /* Assume that len<BLOCK_BYTES. */
@@ -63,6 +61,11 @@ static void _fill_ad_tweak(uint8_t prefix, uint64_t block_nb, uint8_t tweak[TWEA
     tweak[TWEAK_BYTES-1] ^= prefix << 4;
 }
 
+static void _fill_msg_tweak(uint8_t prefix, const uint8_t N[NONCE_BYTES],
+                            uint64_t block_nb, uint8_t tweak[TWEAK_BYTES])
+{
+}
+
 static void _process_associated_data(
     const uint8_t key[KEY_BYTES],
     size_t A_len, const uint8_t A[A_len],
@@ -80,7 +83,7 @@ static void _process_associated_data(
 
     for (size_t i=0; i<l_a; i++)
     {
-        _fill_ad_tweak(TWEAK_AD, i, tweak);
+        _fill_ad_tweak(0x2, i, tweak);
         _lilliput_tbc(key, tweak, &A[i*BLOCK_BYTES], Ek_Ai);
         _xor_into(Auth, Ek_Ai);
     }
@@ -89,7 +92,7 @@ static void _process_associated_data(
     {
         uint8_t A_rest[BLOCK_BYTES];
         _pad10(rest, &A[l_a*BLOCK_BYTES], A_rest);
-        _fill_ad_tweak(TWEAK_AD_PADDING, l_a, tweak);
+        _fill_ad_tweak(0x6, l_a, tweak);
         _lilliput_tbc(key, tweak, A_rest, Ek_Ai);
         _xor_into(Auth, Ek_Ai);
     }
@@ -97,22 +100,60 @@ static void _process_associated_data(
 
 static void _encrypt_message(
     const uint8_t key[KEY_BYTES],
-    size_t message_len, const uint8_t message[message_len],
-    const uint8_t nonce[NONCE_BYTES],
+    size_t M_len, const uint8_t M[M_len],
+    const uint8_t N[NONCE_BYTES],
 
-    size_t *ciphertext_len, uint8_t ciphertext[message_len+BLOCK_BYTES],
-    uint8_t final[BLOCK_BYTES]
+    size_t *C_len, uint8_t C[M_len+BLOCK_BYTES],
+    uint8_t Final[BLOCK_BYTES]
 )
 {
+    size_t l = M_len / BLOCK_BYTES;
+    size_t rest = M_len % BLOCK_BYTES;
+
+    uint8_t tweak[TWEAK_BYTES];
+    uint8_t checksum[BLOCK_BYTES];
+
+    memset(tweak, 0, TWEAK_BYTES);
+    memset(checksum, 0, BLOCK_BYTES);
+
+    for (size_t j=0; j<l; j++)
+    {
+        _xor_into(checksum, &M[j*BLOCK_BYTES]);
+        _fill_msg_tweak(0x0, N, j, tweak);
+        _lilliput_tbc(key, tweak, &M[j*BLOCK_BYTES], &C[j*BLOCK_BYTES]);
+    }
+
+    if (rest == 0)
+    {
+        _fill_msg_tweak(0x1, N, l-1, tweak);
+        _lilliput_tbc(key, tweak, checksum, Final);
+    }
+    else
+    {
+        uint8_t M_rest[BLOCK_BYTES];
+        uint8_t Pad[BLOCK_BYTES];
+        uint8_t _0n[BLOCK_BYTES] = {
+            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+        };
+
+        _pad10(rest, &M[l*BLOCK_BYTES], M_rest);
+        _fill_msg_tweak(0x4, N, l, tweak);
+        _lilliput_tbc(key, tweak, _0n, Pad);
+        _xor_arrays(rest, &C[l*BLOCK_BYTES], &M[l*BLOCK_BYTES], Pad);
+
+        _fill_msg_tweak(0x5, N, l, tweak);
+        _lilliput_tbc(key, tweak, checksum, Final);
+    }
 }
 
 static void _decrypt_message(
     const uint8_t key[KEY_BYTES],
-    size_t ciphertext_len, const uint8_t ciphertext[ciphertext_len],
-    const uint8_t nonce[NONCE_BYTES],
+    size_t C_len, const uint8_t C[C_len],
+    const uint8_t N[NONCE_BYTES],
 
-    size_t *message_len, uint8_t message[ciphertext_len],
-    uint8_t final[BLOCK_BYTES]
+    size_t *M_len, uint8_t M[C_len],
+    uint8_t Final[BLOCK_BYTES]
 )
 {
 }
diff --git a/crypto_aead/lilliputaei128v1/ref/lilliput-ae.h b/crypto_aead/lilliputaei128v1/ref/lilliput-ae.h
index d5c19b3..6e9d735 100644
--- a/crypto_aead/lilliputaei128v1/ref/lilliput-ae.h
+++ b/crypto_aead/lilliputaei128v1/ref/lilliput-ae.h
@@ -8,6 +8,7 @@
 #include "parameters.h"
 
 
+/* TODO: replace c_len with m_len */
 void lilliput_ae_encrypt(
     size_t message_len,   const uint8_t message[message_len],
     size_t auth_data_len, const uint8_t auth_data[auth_data_len],
-- 
cgit v1.2.3