Make all the AEGIS-MAC tests pass in pure-rust

Author: jedisct1

src/c/libaegis

@@ -152,7 +152,7 @@ mod basic_tests {
         assert_eq!(m2, m);
     }
 
-    #[cfg(not(feature = "pure-rust"))]
+    #[cfg(feature = "std")]
     #[test]
     fn test_aegis128l_mac() {
         use crate::aegis128l::Aegis128LMac;

src/lib.rs

@@ -156,6 +156,52 @@ impl State {
         }
         tag
     }
+
+    #[inline(always)]
+    fn mac_finalize<const TAG_BYTES: usize>(&mut self, data_len: usize) -> Tag<TAG_BYTES> {
+        let tmp = {
+            let blocks = &self.blocks;
+            let mut sizes = [0u8; 16];
+            sizes[..8].copy_from_slice(&(data_len as u64 * 8).to_le_bytes());
+            sizes[8..16].copy_from_slice(&(TAG_BYTES as u64 * 8).to_le_bytes());
+            AesBlock::from_bytes(&sizes).xor(blocks[2])
+        };
+        for _ in 0..7 {
+            self.update(tmp, tmp);
+        }
+        let blocks = &self.blocks;
+        let mut tag = [0u8; TAG_BYTES];
+        match TAG_BYTES {
+            16 => tag.copy_from_slice(
+                &blocks[0]
+                    .xor(blocks[1])
+                    .xor(blocks[2])
+                    .xor(blocks[3])
+                    .xor(blocks[4])
+                    .xor(blocks[5])
+                    .xor(blocks[6])
+                    .to_bytes(),
+            ),
+            32 => {
+                tag[..16].copy_from_slice(
+                    &blocks[0]
+                        .xor(blocks[1])
+                        .xor(blocks[2])
+                        .xor(blocks[3])
+                        .to_bytes(),
+                );
+                tag[16..].copy_from_slice(
+                    &blocks[4]
+                        .xor(blocks[5])
+                        .xor(blocks[6])
+                        .xor(blocks[7])
+                        .to_bytes(),
+                );
+            }
+            _ => unreachable!(),
+        }
+        tag
+    }
 }
 
 /// Tag length in bits must be 128 or 256
@@ -357,3 +403,103 @@ impl<const TAG_BYTES: usize> Aegis128L<TAG_BYTES> {
         Ok(())
     }
 }
+
+/// AEGIS-128L MAC with incremental update support.
+///
+/// The state can be cloned to authenticate multiple messages with the same key.
+///
+/// 256-bit output tags are recommended for security.
+///
+/// Note that AEGIS is not a hash function. It is a MAC that requires a secret key.
+/// Inputs leading to a state collision can be efficiently computed if the key is known.
+#[derive(Clone)]
+pub struct Aegis128LMac<const TAG_BYTES: usize> {
+    state: State,
+    buf: [u8; 32],
+    buf_len: usize,
+    msg_len: usize,
+}
+
+impl<const TAG_BYTES: usize> Aegis128LMac<TAG_BYTES> {
+    /// Initializes the MAC state with a key.
+    ///
+    /// The state can be cloned to authenticate multiple messages with the same key.
+    pub fn new(key: &Key) -> Self {
+        let nonce = [0u8; 16];
+        Self::new_with_nonce(key, &nonce)
+    }
+
+    /// Initializes the MAC state with a key and a nonce.
+    ///
+    /// The state can be cloned to authenticate multiple messages with the same key.
+    pub fn new_with_nonce(key: &Key, nonce: &Nonce) -> Self {
+        assert!(
+            TAG_BYTES == 16 || TAG_BYTES == 32,
+            "Invalid tag length, must be 16 or 32"
+        );
+        Aegis128LMac {
+            state: State::new(key, nonce),
+            buf: [0u8; 32],
+            buf_len: 0,
+            msg_len: 0,
+        }
+    }
+
+    /// Updates the MAC state with a message.
+    ///
+    /// This function can be called multiple times to update the MAC state with additional data.
+    pub fn update(&mut self, data: &[u8]) {
+        self.msg_len += data.len();
+        let mut offset = 0;
+
+        // Process buffered data first
+        if self.buf_len > 0 {
+            let needed = 32 - self.buf_len;
+            if data.len() < needed {
+                self.buf[self.buf_len..self.buf_len + data.len()].copy_from_slice(data);
+                self.buf_len += data.len();
+                return;
+            }
+            self.buf[self.buf_len..].copy_from_slice(&data[..needed]);
+            self.state.absorb(&self.buf);
+            self.buf_len = 0;
+            offset = needed;
+        }
+
+        // Process full blocks
+        while offset + 32 <= data.len() {
+            let mut block = [0u8; 32];
+            block.copy_from_slice(&data[offset..offset + 32]);
+            self.state.absorb(&block);
+            offset += 32;
+        }
+
+        // Buffer remaining
+        if offset < data.len() {
+            self.buf_len = data.len() - offset;
+            self.buf[..self.buf_len].copy_from_slice(&data[offset..]);
+        }
+    }
+
+    /// Finalizes the MAC and returns the authentication tag.
+    pub fn finalize(mut self) -> Tag<TAG_BYTES> {
+        if self.buf_len > 0 || self.msg_len == 0 {
+            self.buf[self.buf_len..].fill(0);
+            self.state.absorb(&self.buf);
+        }
+        self.state.mac_finalize::<TAG_BYTES>(self.msg_len)
+    }
+
+    /// Verifies the authentication tag.
+    pub fn verify(self, expected: &Tag<TAG_BYTES>) -> Result<(), Error> {
+        let tag = self.finalize();
+        let mut acc = 0u8;
+        for (a, b) in tag.iter().zip(expected.iter()) {
+            acc |= a ^ b;
+        }
+        if acc != 0 {
+            return Err(Error::InvalidTag);
+        }
+        Ok(())
+    }
+}

src/pure_rust/aegis128l.rs

@@ -235,6 +235,79 @@ impl State {
         }
         tag
     }
+
+    #[inline(always)]
+    fn mac_finalize<const TAG_BYTES: usize>(&mut self, data_len: usize) -> Tag<TAG_BYTES> {
+        let mut sizes = [0u8; 16];
+        sizes[..8].copy_from_slice(&(data_len as u64 * 8).to_le_bytes());
+        sizes[8..16].copy_from_slice(&(TAG_BYTES as u64 * 8).to_le_bytes());
+        let u = AesBlock::from_bytes(&sizes);
+
+        let (s20, s21) = self.s2.as_blocks();
+        let t0 = s20.xor(u);
+        let t1 = s21.xor(u);
+        let t = AesBlock2::from_blocks(t0, t1);
+
+        for _ in 0..7 {
+            self.update(t, t);
+        }
+
+        let (s00, s01) = self.s0.as_blocks();
+        let (s10, s11) = self.s1.as_blocks();
+        let (s20, s21) = self.s2.as_blocks();
+        let (s30, s31) = self.s3.as_blocks();
+        let (s40, s41) = self.s4.as_blocks();
+        let (s50, s51) = self.s5.as_blocks();
+        let (s60, s61) = self.s6.as_blocks();
+        let (_s70, s71) = self.s7.as_blocks();
+        let zeros = AesBlock::from_bytes(&[0u8; 16]);
+
+        if TAG_BYTES == 16 {
+            let tag0 = s00.xor(s10).xor(s20).xor(s30).xor(s40).xor(s50).xor(s60);
+            let tag1 = s01.xor(s11).xor(s21).xor(s31).xor(s41).xor(s51).xor(s61);
+            let m0 = AesBlock2::from_blocks(tag0, zeros);
+            let m1 = AesBlock2::from_blocks(tag1, zeros);
+            self.update(m0, m1);
+        } else {
+            let tag1_lo = s01.xor(s11).xor(s21).xor(s31);
+            let tag1_hi = s41.xor(s51).xor(s61).xor(s71);
+            let m0 = AesBlock2::from_blocks(tag1_lo, zeros);
+            let m1 = AesBlock2::from_blocks(tag1_hi, zeros);
+            self.update(m0, m1);
+        }
+
+        let (s20, _) = self.s2.as_blocks();
+        let mut extra_sizes = [0u8; 16];
+        extra_sizes[..8].copy_from_slice(&2u64.to_le_bytes());
+        extra_sizes[8..16].copy_from_slice(&(TAG_BYTES as u64 * 8).to_le_bytes());
+        let extra_block = s20.xor(AesBlock::from_bytes(&extra_sizes));
+        let extra = AesBlock2::from_blocks(extra_block, zeros);
+
+        for _ in 0..7 {
+            self.update(extra, extra);
+        }
+
+        let (s00, _) = self.s0.as_blocks();
+        let (s10, _) = self.s1.as_blocks();
+        let (s20, _) = self.s2.as_blocks();
+        let (s30, _) = self.s3.as_blocks();
+        let (s40, _) = self.s4.as_blocks();
+        let (s50, _) = self.s5.as_blocks();
+        let (s60, _) = self.s6.as_blocks();
+        let (s70, _) = self.s7.as_blocks();
+
+        let mut tag = [0u8; TAG_BYTES];
+        if TAG_BYTES == 16 {
+            let final_tag = s00.xor(s10).xor(s20).xor(s30).xor(s40).xor(s50).xor(s60);
+            tag.copy_from_slice(&final_tag.to_bytes());
+        } else {
+            let final_lo = s00.xor(s10).xor(s20).xor(s30);
+            let final_hi = s40.xor(s50).xor(s60).xor(s70);
+            tag[..16].copy_from_slice(&final_lo.to_bytes());
+            tag[16..].copy_from_slice(&final_hi.to_bytes());
+        }
+        tag
+    }
 }
 
 /// AEGIS-128X2 authenticated encryption
@@ -503,7 +576,7 @@ impl<const TAG_BYTES: usize> Aegis128X2Mac<TAG_BYTES> {
             self.buf[self.buf_len..].fill(0);
             self.state.absorb(&self.buf);
         }
-        self.state.mac::<TAG_BYTES>(0, self.msg_len)
+        self.state.mac_finalize::<TAG_BYTES>(self.msg_len)
     }
 
     pub fn verify(self, expected: &Tag<TAG_BYTES>) -> Result<(), Error> {

src/pure_rust/aegis128x2.rs

@@ -277,6 +277,102 @@ impl State {
         }
         tag
     }
+
+    #[inline(always)]
+    fn mac_finalize<const TAG_BYTES: usize>(&mut self, data_len: usize) -> Tag<TAG_BYTES> {
+        let mut sizes = [0u8; 16];
+        sizes[..8].copy_from_slice(&(data_len as u64 * 8).to_le_bytes());
+        sizes[8..16].copy_from_slice(&(TAG_BYTES as u64 * 8).to_le_bytes());
+        let u = AesBlock::from_bytes(&sizes);
+
+        let (s20, s21, s22, s23) = self.s2.as_blocks();
+        let t0 = s20.xor(u);
+        let t1 = s21.xor(u);
+        let t2 = s22.xor(u);
+        let t3 = s23.xor(u);
+        let t = AesBlock4::from_blocks(t0, t1, t2, t3);
+
+        for _ in 0..7 {
+            self.update(t, t);
+        }
+
+        let (s00, s01, s02, s03) = self.s0.as_blocks();
+        let (s10, s11, s12, s13) = self.s1.as_blocks();
+        let (s20, s21, s22, s23) = self.s2.as_blocks();
+        let (s30, s31, s32, s33) = self.s3.as_blocks();
+        let (s40, s41, s42, s43) = self.s4.as_blocks();
+        let (s50, s51, s52, s53) = self.s5.as_blocks();
+        let (s60, s61, s62, s63) = self.s6.as_blocks();
+        let (_s70, s71, s72, s73) = self.s7.as_blocks();
+
+        let zeros = AesBlock::from_bytes(&[0u8; 16]);
+
+        if TAG_BYTES == 16 {
+            let tag0 = s00.xor(s10).xor(s20).xor(s30).xor(s40).xor(s50).xor(s60);
+            let tag1 = s01.xor(s11).xor(s21).xor(s31).xor(s41).xor(s51).xor(s61);
+            let tag2 = s02.xor(s12).xor(s22).xor(s32).xor(s42).xor(s52).xor(s62);
+            let tag3 = s03.xor(s13).xor(s23).xor(s33).xor(s43).xor(s53).xor(s63);
+
+            let m0 = AesBlock4::from_blocks(tag0, zeros, zeros, zeros);
+            let m1 = AesBlock4::from_blocks(tag1, zeros, zeros, zeros);
+            self.update(m0, m1);
+
+            let m0 = AesBlock4::from_blocks(tag2, zeros, zeros, zeros);
+            let m1 = AesBlock4::from_blocks(tag3, zeros, zeros, zeros);
+            self.update(m0, m1);
+        } else {
+            let tag1_lo = s01.xor(s11).xor(s21).xor(s31);
+            let tag1_hi = s41.xor(s51).xor(s61).xor(s71);
+            let tag2_lo = s02.xor(s12).xor(s22).xor(s32);
+            let tag2_hi = s42.xor(s52).xor(s62).xor(s72);
+            let tag3_lo = s03.xor(s13).xor(s23).xor(s33);
+            let tag3_hi = s43.xor(s53).xor(s63).xor(s73);
+
+            let m0 = AesBlock4::from_blocks(tag1_lo, zeros, zeros, zeros);
+            let m1 = AesBlock4::from_blocks(tag1_hi, zeros, zeros, zeros);
+            self.update(m0, m1);
+
+            let m0 = AesBlock4::from_blocks(tag2_lo, zeros, zeros, zeros);
+            let m1 = AesBlock4::from_blocks(tag2_hi, zeros, zeros, zeros);
+            self.update(m0, m1);
+
+            let m0 = AesBlock4::from_blocks(tag3_lo, zeros, zeros, zeros);
+            let m1 = AesBlock4::from_blocks(tag3_hi, zeros, zeros, zeros);
+            self.update(m0, m1);
+        }
+
+        let (s20, _, _, _) = self.s2.as_blocks();
+        let mut extra_sizes = [0u8; 16];
+        extra_sizes[..8].copy_from_slice(&4u64.to_le_bytes());
+        extra_sizes[8..16].copy_from_slice(&(TAG_BYTES as u64 * 8).to_le_bytes());
+        let extra_block = s20.xor(AesBlock::from_bytes(&extra_sizes));
+        let extra = AesBlock4::from_blocks(extra_block, zeros, zeros, zeros);
+
+        for _ in 0..7 {
+            self.update(extra, extra);
+        }
+
+        let (s00, _, _, _) = self.s0.as_blocks();
+        let (s10, _, _, _) = self.s1.as_blocks();
+        let (s20, _, _, _) = self.s2.as_blocks();
+        let (s30, _, _, _) = self.s3.as_blocks();
+        let (s40, _, _, _) = self.s4.as_blocks();
+        let (s50, _, _, _) = self.s5.as_blocks();
+        let (s60, _, _, _) = self.s6.as_blocks();
+        let (s70, _, _, _) = self.s7.as_blocks();
+
+        let mut tag = [0u8; TAG_BYTES];
+        if TAG_BYTES == 16 {
+            let final_tag = s00.xor(s10).xor(s20).xor(s30).xor(s40).xor(s50).xor(s60);
+            tag.copy_from_slice(&final_tag.to_bytes());
+        } else {
+            let final_lo = s00.xor(s10).xor(s20).xor(s30);
+            let final_hi = s40.xor(s50).xor(s60).xor(s70);
+            tag[..16].copy_from_slice(&final_lo.to_bytes());
+            tag[16..].copy_from_slice(&final_hi.to_bytes());
+        }
+        tag
+    }
 }
 
 /// AEGIS-128X4 authenticated encryption
@@ -545,7 +641,7 @@ impl<const TAG_BYTES: usize> Aegis128X4Mac<TAG_BYTES> {
             self.buf[self.buf_len..].fill(0);
             self.state.absorb(&self.buf);
         }
-        self.state.mac::<TAG_BYTES>(0, self.msg_len)
+        self.state.mac_finalize::<TAG_BYTES>(self.msg_len)
     }
 
     pub fn verify(self, expected: &Tag<TAG_BYTES>) -> Result<(), Error> {