From 6cf83aa33073da3d009079e89b820984cefea7f8 Mon Sep 17 00:00:00 2001
From: Kévin Le Gouguec <kevin.legouguec@airbus.com>
Date: Mon, 26 Nov 2018 15:00:07 +0100
Subject: Implémentation du mode ΘCB3 : déchiffrement
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Avec une suite de test qui passe.
---
 crypto_aead/lilliputaei128v1/ref/lilliput-ae-i.c | 83 +++++++++++++++++++-----
 1 file changed, 66 insertions(+), 17 deletions(-)

(limited to 'crypto_aead')

diff --git a/crypto_aead/lilliputaei128v1/ref/lilliput-ae-i.c b/crypto_aead/lilliputaei128v1/ref/lilliput-ae-i.c
index 8ec8295..3226be3 100644
--- a/crypto_aead/lilliputaei128v1/ref/lilliput-ae-i.c
+++ b/crypto_aead/lilliputaei128v1/ref/lilliput-ae-i.c
@@ -6,6 +6,12 @@
 #include "lilliput-ae.h"
 
 
+static const uint8_t _0n[BLOCK_BYTES] = {
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+};
+
+
 static uint8_t _upper_nibble(uint8_t i)
 {
     return i >> 4;
@@ -16,12 +22,20 @@ static uint8_t _lower_nibble(uint8_t i)
     return i & 0x0f;
 }
 
-static void _lilliput_tbc(const uint8_t key[KEY_BYTES],
-                          const uint8_t tweak[TWEAK_BYTES],
-                          const uint8_t message[BLOCK_BYTES],
-                          uint8_t ciphertext[BLOCK_BYTES])
+static void _encrypt(const uint8_t K[KEY_BYTES],
+                     const uint8_t T[TWEAK_BYTES],
+                     const uint8_t M[BLOCK_BYTES],
+                     uint8_t C[BLOCK_BYTES])
+{
+    lilliput_tbc_encrypt(K, T, M, C, NULL);
+}
+
+static void _decrypt(const uint8_t K[KEY_BYTES],
+                     const uint8_t T[TWEAK_BYTES],
+                     const uint8_t C[BLOCK_BYTES],
+                     uint8_t M[BLOCK_BYTES])
 {
-    lilliput_tbc_encrypt(key, tweak, message, ciphertext, NULL);
+    lilliput_tbc_decrypt(K, T, C, M, NULL);
 }
 
 static void _xor_into(uint8_t dest[BLOCK_BYTES], const uint8_t src[BLOCK_BYTES])
@@ -128,7 +142,7 @@ static void _process_associated_data(
     for (size_t i=0; i<l_a; i++)
     {
         _fill_ad_tweak(0x2, i, tweak);
-        _lilliput_tbc(key, tweak, &A[i*BLOCK_BYTES], Ek_Ai);
+        _encrypt(key, tweak, &A[i*BLOCK_BYTES], Ek_Ai);
         _xor_into(Auth, Ek_Ai);
     }
 
@@ -137,7 +151,7 @@ static void _process_associated_data(
         uint8_t A_rest[BLOCK_BYTES];
         _pad10(rest, &A[l_a*BLOCK_BYTES], A_rest);
         _fill_ad_tweak(0x6, l_a, tweak);
-        _lilliput_tbc(key, tweak, A_rest, Ek_Ai);
+        _encrypt(key, tweak, A_rest, Ek_Ai);
         _xor_into(Auth, Ek_Ai);
     }
 }
@@ -164,30 +178,28 @@ static void _encrypt_message(
     {
         _xor_into(checksum, &M[j*BLOCK_BYTES]);
         _fill_msg_tweak(0x0, N, j, tweak);
-        _lilliput_tbc(key, tweak, &M[j*BLOCK_BYTES], &C[j*BLOCK_BYTES]);
+        _encrypt(key, tweak, &M[j*BLOCK_BYTES], &C[j*BLOCK_BYTES]);
     }
 
     if (rest == 0)
     {
         _fill_msg_tweak(0x1, N, l-1, tweak);
-        _lilliput_tbc(key, tweak, checksum, Final);
+        _encrypt(key, tweak, checksum, Final);
     }
     else
     {
         uint8_t M_rest[BLOCK_BYTES];
         uint8_t Pad[BLOCK_BYTES];
-        uint8_t _0n[BLOCK_BYTES] = {
-            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
-        };
 
         _pad10(rest, &M[l*BLOCK_BYTES], M_rest);
+        _xor_into(checksum, M_rest);
+
         _fill_msg_tweak(0x4, N, l, tweak);
-        _lilliput_tbc(key, tweak, _0n, Pad);
+        _encrypt(key, tweak, _0n, Pad);
         _xor_arrays(rest, &C[l*BLOCK_BYTES], &M[l*BLOCK_BYTES], Pad);
 
         _fill_msg_tweak(0x5, N, l, tweak);
-        _lilliput_tbc(key, tweak, checksum, Final);
+        _encrypt(key, tweak, checksum, Final);
     }
 }
 
@@ -200,14 +212,51 @@ static void _decrypt_message(
     uint8_t       Final[BLOCK_BYTES]
 )
 {
+    size_t l = C_len / BLOCK_BYTES;
+    size_t rest = C_len % BLOCK_BYTES;
+
+    uint8_t tweak[TWEAK_BYTES];
+    uint8_t checksum[BLOCK_BYTES];
+
+    memset(tweak, 0, TWEAK_BYTES);
+    memset(checksum, 0, BLOCK_BYTES);
+
+    for (size_t j=0; j<l; j++)
+    {
+        _fill_msg_tweak(0x0, N, j, tweak);
+        _decrypt(key, tweak, &C[j*BLOCK_BYTES], &M[j*BLOCK_BYTES]);
+        _xor_into(checksum, &M[j*BLOCK_BYTES]);
+    }
+
+    if (rest == 0)
+    {
+        _fill_msg_tweak(0x1, N, l-1, tweak);
+        _encrypt(key, tweak, checksum, Final);
+    }
+    else
+    {
+        uint8_t M_rest[BLOCK_BYTES];
+        uint8_t Pad[BLOCK_BYTES];
+
+        _fill_msg_tweak(0x4, N, l, tweak);
+        _encrypt(key, tweak, _0n, Pad);
+        _xor_arrays(rest, &M[l*BLOCK_BYTES], &C[l*BLOCK_BYTES], Pad);
+
+        _pad10(rest, &M[l*BLOCK_BYTES], M_rest);
+        _xor_into(checksum, M_rest);
+
+        _fill_msg_tweak(0x5, N, l, tweak);
+        _encrypt(key, tweak, checksum, Final);
+    }
 }
 
 static void _generate_tag(
-    const uint8_t final[BLOCK_BYTES],
-    const uint8_t auth[BLOCK_BYTES],
+    const uint8_t Final[BLOCK_BYTES],
+    const uint8_t Auth[BLOCK_BYTES],
     uint8_t       tag[TAG_BYTES]
 )
 {
+    _xor_arrays(TAG_BYTES, tag, Final, Auth);
 }
 
 
-- 
cgit v1.2.3