From fe904e50a463aa0765df687a146d698e041b4103 Mon Sep 17 00:00:00 2001 From: Kévin Le Gouguec Date: Mon, 26 Nov 2018 10:04:57 +0100 Subject: Implémentation du mode ΘCB3 : chiffrement - données authentifiées MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- crypto_aead/lilliputaei128v1/ref/lilliput-ae-i.c | 73 +++++++++++++++++++++--- 1 file changed, 64 insertions(+), 9 deletions(-) diff --git a/crypto_aead/lilliputaei128v1/ref/lilliput-ae-i.c b/crypto_aead/lilliputaei128v1/ref/lilliput-ae-i.c index f67be07..e5b27e5 100644 --- a/crypto_aead/lilliputaei128v1/ref/lilliput-ae-i.c +++ b/crypto_aead/lilliputaei128v1/ref/lilliput-ae-i.c @@ -6,6 +6,14 @@ #include "lilliput-ae.h" +/* Most-significant nibbles for tweak values */ +#define TWEAK_AD 0x2 +#define TWEAK_AD_PADDING 0x6 +#define TWEAK_MESSAGE 0x0 +#define TWEAK_MESSAGE_NO_PADDING 0x1 +#define TWEAK_MESSAGE_PADDING 0x5 + + static void _lilliput_tbc(const uint8_t key[KEY_BYTES], const uint8_t tweak[TWEAK_BYTES], const uint8_t message[BLOCK_BYTES], @@ -20,23 +28,70 @@ static void _xor_into(size_t len, uint8_t dest[len], uint8_t src[len]) dest[i] ^= src[i]; } +static void _pad10(size_t len, const uint8_t buf[len], uint8_t padded[BLOCK_BYTES]) +{ + /* Assume that len> 8*i; + + tweak[0] = b; + } + + /* Assume bytes 8 to 15 have already been memset to 0. */ + + tweak[TWEAK_BYTES-1] ^= prefix << 4; +} + static void _process_associated_data( const uint8_t key[KEY_BYTES], - size_t auth_data_len, const uint8_t auth_data[auth_data_len], - uint8_t auth[BLOCK_BYTES] + size_t A_len, const uint8_t A[A_len], + uint8_t Auth[BLOCK_BYTES] ) { - size_t l_a = auth_data_len / BLOCK_BYTES; + uint8_t Ek_Ai[BLOCK_BYTES]; + uint8_t tweak[TWEAK_BYTES]; + + memset(tweak, 0, BLOCK_BYTES); + memset(Auth, 0, BLOCK_BYTES); - memset(auth, 0, BLOCK_BYTES); + size_t l_a = A_len / BLOCK_BYTES; + size_t rest = A_len % BLOCK_BYTES; for (size_t i=0; i
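Review bot: The comment above the five `TWEAK_*` macros in the first hunk does not state the constraint that makes them safe to use: each value has to fit in four bits and be distinct from the others. The later hunk, only partly visible here, applies them with `tweak[TWEAK_BYTES-1] ^= prefix << 4;`, so a value above 0xF would lose its high bits when stored into the byte and could presumably coincide with another prefix. I would expand the comment to `/* 4-bit domain-separation prefixes, placed in the top nibble of the last tweak byte; values must be distinct and <= 0xF */`. As a style point, an `enum` would group these constants better than separate `#define`s and keep the names visible in a debugger.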