Move remaining variants to the new MAC API and construction

src/aegis128x2/aegis128x2_common.h

@@ -407,8 +407,8 @@ typedef struct _aegis128x2_state {
 } _aegis128x2_state;
 
 typedef struct _aegis128x2_mac_state {
-    aegis_blocks blocks0;
     aegis_blocks blocks;
+    aegis_blocks blocks0;
     uint8_t      buf[RATE];
     uint64_t     adlen;
     size_t       pos;

src/aegis128x4/aegis128x4_common.h

@@ -422,8 +422,8 @@ typedef struct _aegis128x4_state {
 } _aegis128x4_state;
 
 typedef struct _aegis128x4_mac_state {
-    aegis_blocks blocks0;
     aegis_blocks blocks;
+    aegis_blocks blocks0;
     uint8_t      buf[RATE];
     uint64_t     adlen;
     size_t       pos;

src/aegis256/aegis256_common.h

@@ -289,8 +289,8 @@ typedef struct _aegis256_state {
 } _aegis256_state;
 
 typedef struct _aegis256_mac_state {
-    aegis_blocks blocks0;
     aegis_blocks blocks;
+    aegis_blocks blocks0;
     uint8_t      buf[RATE];
     uint64_t     adlen;
     size_t       pos;

src/aegis256x2/aegis256x2.c

@@ -176,19 +176,19 @@ aegis256x2_decrypt_unauthenticated(uint8_t *m, const uint8_t *c, size_t clen, co
 }
 
 void
-aegis256x2_mac_init(aegis256x2_state *st_, const uint8_t *k, const uint8_t *npub)
+aegis256x2_mac_init(aegis256x2_mac_state *st_, const uint8_t *k, const uint8_t *npub)
 {
-    implementation->state_init(st_, NULL, 0, npub, k);
+    implementation->state_mac_init(st_, npub, k);
 }
 
 int
-aegis256x2_mac_update(aegis256x2_state *st_, const uint8_t *m, size_t mlen)
+aegis256x2_mac_update(aegis256x2_mac_state *st_, const uint8_t *m, size_t mlen)
 {
     return implementation->state_mac_update(st_, m, mlen);
 }
 
 int
-aegis256x2_mac_final(aegis256x2_state *st_, uint8_t *mac, size_t maclen)
+aegis256x2_mac_final(aegis256x2_mac_state *st_, uint8_t *mac, size_t maclen)
 {
     if (maclen != 16 && maclen != 32) {
         errno = EINVAL;
@@ -198,7 +198,7 @@ aegis256x2_mac_final(aegis256x2_state *st_, uint8_t *mac, size_t maclen)
 }
 
 int
-aegis256x2_mac_verify(aegis256x2_state *st_, const uint8_t *mac, size_t maclen)
+aegis256x2_mac_verify(aegis256x2_mac_state *st_, const uint8_t *mac, size_t maclen)
 {
     uint8_t expected_mac[32];
 
@@ -216,9 +216,15 @@ aegis256x2_mac_verify(aegis256x2_state *st_, const uint8_t *mac, size_t maclen)
 }
 
 void
-aegis256x2_mac_state_clone(aegis256x2_state *dst, const aegis256x2_state *src)
+aegis256x2_mac_reset(aegis256x2_mac_state *st_)
 {
-    implementation->state_clone(dst, src);
+    implementation->state_mac_reset(st_);
+}
+
+void
+aegis256x2_mac_state_clone(aegis256x2_mac_state *dst, const aegis256x2_mac_state *src)
+{
+    implementation->state_mac_clone(dst, src);
 }
 
 int

src/aegis256x2/aegis256x2_aesni.c

@@ -93,9 +93,11 @@ struct aegis256x2_implementation aegis256x2_aesni_implementation = {
     .state_encrypt_final           = state_encrypt_final,
     .state_decrypt_detached_update = state_decrypt_detached_update,
     .state_decrypt_detached_final  = state_decrypt_detached_final,
+    .state_mac_init                = state_mac_init,
     .state_mac_update              = state_mac_update,
     .state_mac_final               = state_mac_final,
-    .state_clone                   = state_clone,
+    .state_mac_reset               = state_mac_reset,
+    .state_mac_clone               = state_mac_clone,
 };
 
 #    ifdef __clang__

src/aegis256x2/aegis256x2_altivec.c

@@ -91,9 +91,11 @@ struct aegis256x2_implementation aegis256x2_altivec_implementation = {
     .state_encrypt_final           = state_encrypt_final,
     .state_decrypt_detached_update = state_decrypt_detached_update,
     .state_decrypt_detached_final  = state_decrypt_detached_final,
+    .state_mac_init                = state_mac_init,
     .state_mac_update              = state_mac_update,
     .state_mac_final               = state_mac_final,
-    .state_clone                   = state_clone,
+    .state_mac_reset               = state_mac_reset,
+    .state_mac_clone               = state_mac_clone,
 };
 
 #    ifdef __clang__

src/aegis256x2/aegis256x2_armcrypto.c

@@ -99,9 +99,11 @@ struct aegis256x2_implementation aegis256x2_armcrypto_implementation = {
     .state_encrypt_final           = state_encrypt_final,
     .state_decrypt_detached_update = state_decrypt_detached_update,
     .state_decrypt_detached_final  = state_decrypt_detached_final,
+    .state_mac_init                = state_mac_init,
     .state_mac_update              = state_mac_update,
     .state_mac_final               = state_mac_final,
-    .state_clone                   = state_clone,
+    .state_mac_reset               = state_mac_reset,
+    .state_mac_clone               = state_mac_clone,
 };
 
 #    ifdef __clang__

src/aegis256x2/aegis256x2_avx2.c

@@ -61,9 +61,11 @@ struct aegis256x2_implementation aegis256x2_avx2_implementation = {
     .state_encrypt_final           = state_encrypt_final,
     .state_decrypt_detached_update = state_decrypt_detached_update,
     .state_decrypt_detached_final  = state_decrypt_detached_final,
+    .state_mac_init                = state_mac_init,
     .state_mac_update              = state_mac_update,
     .state_mac_final               = state_mac_final,
-    .state_clone                   = state_clone,
+    .state_mac_reset               = state_mac_reset,
+    .state_mac_clone               = state_mac_clone,
 };
 
 #        ifdef __clang__

src/aegis256x2/aegis256x2_common.h

@@ -178,6 +178,74 @@ aegis256x2_declast(uint8_t *const dst, const uint8_t *const src, size_t len,
     aegis256x2_update(state, msg);
 }
 
+static void
+aegis256x2_mac_nr(uint8_t *mac, size_t maclen, uint64_t adlen, aes_block_t *state)
+{
+    uint8_t     t[2 * AES_BLOCK_LENGTH];
+    uint8_t     r[RATE];
+    aes_block_t tmp;
+    int         i;
+    const int   d = AES_BLOCK_LENGTH / 16;
+
+    tmp = AES_BLOCK_LOAD_64x2(0, adlen << 3);
+    tmp = AES_BLOCK_XOR(tmp, state[3]);
+
+    for (i = 0; i < 7; i++) {
+        aegis256x2_update(state, tmp);
+    }
+
+    memset(r, 0, sizeof r);
+    if (maclen == 16) {
+#if AES_BLOCK_LENGTH > 16
+        tmp = AES_BLOCK_XOR(state[5], state[4]);
+        tmp = AES_BLOCK_XOR(tmp, AES_BLOCK_XOR(state[3], state[2]));
+        tmp = AES_BLOCK_XOR(tmp, AES_BLOCK_XOR(state[1], state[0]));
+        AES_BLOCK_STORE(t, tmp);
+
+        for (i = 1; i < d; i++) {
+            memcpy(r, t + i * 16, 16);
+            aegis256x2_absorb(r, state);
+        }
+        tmp = AES_BLOCK_LOAD_64x2(d, maclen);
+        tmp = AES_BLOCK_XOR(tmp, state[3]);
+        for (i = 0; i < 7; i++) {
+            aegis256x2_update(state, tmp);
+        }
+#endif
+        tmp = AES_BLOCK_XOR(state[5], state[4]);
+        tmp = AES_BLOCK_XOR(tmp, AES_BLOCK_XOR(state[3], state[2]));
+        tmp = AES_BLOCK_XOR(tmp, AES_BLOCK_XOR(state[1], state[0]));
+        AES_BLOCK_STORE(t, tmp);
+        memcpy(mac, t, 16);
+    } else if (maclen == 32) {
+#if AES_BLOCK_LENGTH > 16
+        tmp = AES_BLOCK_XOR(state[2], AES_BLOCK_XOR(state[1], state[0]));
+        AES_BLOCK_STORE(t, tmp);
+        tmp = AES_BLOCK_XOR(state[5], AES_BLOCK_XOR(state[4], state[3]));
+        AES_BLOCK_STORE(t + AES_BLOCK_LENGTH, tmp);
+        for (i = 1; i < d; i++) {
+            memcpy(r, t + i * 16, 16);
+            aegis256x2_absorb(r, state);
+            memcpy(r, t + AES_BLOCK_LENGTH + i * 16, 16);
+            aegis256x2_absorb(r, state);
+        }
+        tmp = AES_BLOCK_LOAD_64x2(d, maclen);
+        tmp = AES_BLOCK_XOR(tmp, state[3]);
+        for (i = 0; i < 7; i++) {
+            aegis256x2_update(state, tmp);
+        }
+#endif
+        tmp = AES_BLOCK_XOR(state[2], AES_BLOCK_XOR(state[1], state[0]));
+        AES_BLOCK_STORE(t, tmp);
+        memcpy(mac, t, 16);
+        tmp = AES_BLOCK_XOR(state[5], AES_BLOCK_XOR(state[4], state[3]));
+        AES_BLOCK_STORE(t, tmp);
+        memcpy(mac + 16, t, 16);
+    } else {
+        memset(mac, 0, maclen);
+    }
+}
+
 static int
 encrypt_detached(uint8_t *c, uint8_t *mac, size_t maclen, const uint8_t *m, size_t mlen,
                  const uint8_t *ad, size_t adlen, const uint8_t *npub, const uint8_t *k)
@@ -337,6 +405,14 @@ typedef struct _aegis256x2_state {
     size_t       pos;
 } _aegis256x2_state;
 
+typedef struct _aegis256x2_mac_state {
+    aegis_blocks blocks;
+    aegis_blocks blocks0;
+    uint8_t      buf[RATE];
+    uint64_t     adlen;
+    size_t       pos;
+} _aegis256x2_mac_state;
+
 static void
 state_init(aegis256x2_state *st_, const uint8_t *ad, size_t adlen, const uint8_t *npub,
            const uint8_t *k)
@@ -605,13 +681,33 @@ state_decrypt_detached_final(aegis256x2_state *st_, uint8_t *m, size_t mlen_max,
     return ret;
 }
 
+static void
+state_mac_init(aegis256x2_mac_state *st_, const uint8_t *npub, const uint8_t *k)
+{
+    aegis_blocks                 blocks;
+    _aegis256x2_mac_state *const st =
+        (_aegis256x2_mac_state *) ((((uintptr_t) &st_->opaque) + (ALIGNMENT - 1)) &
+                                   ~(uintptr_t) (ALIGNMENT - 1));
+
+    COMPILER_ASSERT((sizeof *st) + ALIGNMENT <= sizeof *st_);
+    st->pos = 0;
+
+    memcpy(blocks, st->blocks, sizeof blocks);
+
+    aegis256x2_init(k, npub, blocks);
+
+    memcpy(st->blocks0, blocks, sizeof blocks);
+    memcpy(st->blocks, blocks, sizeof blocks);
+    st->adlen = 0;
+}
+
 static int
-state_mac_update(aegis256x2_state *st_, const uint8_t *ad, size_t adlen)
+state_mac_update(aegis256x2_mac_state *st_, const uint8_t *ad, size_t adlen)
 {
-    aegis_blocks             blocks;
-    _aegis256x2_state *const st =
-        (_aegis256x2_state *) ((((uintptr_t) &st_->opaque) + (ALIGNMENT - 1)) &
-                               ~(uintptr_t) (ALIGNMENT - 1));
+    aegis_blocks                 blocks;
+    _aegis256x2_mac_state *const st =
+        (_aegis256x2_mac_state *) ((((uintptr_t) &st_->opaque) + (ALIGNMENT - 1)) &
+                                   ~(uintptr_t) (ALIGNMENT - 1));
     size_t i;
     size_t left;
 
@@ -653,12 +749,12 @@ state_mac_update(aegis256x2_state *st_, const uint8_t *ad, size_t adlen)
 }
 
 static int
-state_mac_final(aegis256x2_state *st_, uint8_t *mac, size_t maclen)
+state_mac_final(aegis256x2_mac_state *st_, uint8_t *mac, size_t maclen)
 {
-    aegis_blocks             blocks;
-    _aegis256x2_state *const st =
-        (_aegis256x2_state *) ((((uintptr_t) &st_->opaque) + (ALIGNMENT - 1)) &
-                               ~(uintptr_t) (ALIGNMENT - 1));
+    aegis_blocks                 blocks;
+    _aegis256x2_mac_state *const st =
+        (_aegis256x2_mac_state *) ((((uintptr_t) &st_->opaque) + (ALIGNMENT - 1)) &
+                                   ~(uintptr_t) (ALIGNMENT - 1));
     size_t left;
 
     memcpy(blocks, st->blocks, sizeof blocks);
@@ -668,21 +764,32 @@ state_mac_final(aegis256x2_state *st_, uint8_t *mac, size_t maclen)
         memset(st->buf + left, 0, RATE - left);
         aegis256x2_absorb(st->buf, blocks);
     }
-    aegis256x2_mac(mac, maclen, st->adlen, 0, blocks);
+    aegis256x2_mac_nr(mac, maclen, st->adlen, blocks);
 
     memcpy(st->blocks, blocks, sizeof blocks);
 
     return 0;
 }
 
 static void
-state_clone(aegis256x2_state *dst, const aegis256x2_state *src)
+state_mac_reset(aegis256x2_mac_state *st_)
 {
-    _aegis256x2_state *const dst_ =
-        (_aegis256x2_state *) ((((uintptr_t) &dst->opaque) + (ALIGNMENT - 1)) &
-                               ~(uintptr_t) (ALIGNMENT - 1));
-    const _aegis256x2_state *const src_ =
-        (const _aegis256x2_state *) ((((uintptr_t) &src->opaque) + (ALIGNMENT - 1)) &
-                                     ~(uintptr_t) (ALIGNMENT - 1));
+    _aegis256x2_mac_state *const st =
+        (_aegis256x2_mac_state *) ((((uintptr_t) &st_->opaque) + (ALIGNMENT - 1)) &
+                                   ~(uintptr_t) (ALIGNMENT - 1));
+    st->adlen = 0;
+    st->pos   = 0;
+    memcpy(st->blocks, st->blocks0, sizeof(aegis_blocks));
+}
+
+static void
+state_mac_clone(aegis256x2_mac_state *dst, const aegis256x2_mac_state *src)
+{
+    _aegis256x2_mac_state *const dst_ =
+        (_aegis256x2_mac_state *) ((((uintptr_t) &dst->opaque) + (ALIGNMENT - 1)) &
+                                   ~(uintptr_t) (ALIGNMENT - 1));
+    const _aegis256x2_mac_state *const src_ =
+        (const _aegis256x2_mac_state *) ((((uintptr_t) &src->opaque) + (ALIGNMENT - 1)) &
+                                         ~(uintptr_t) (ALIGNMENT - 1));
     *dst_ = *src_;
 }

src/aegis256x2/aegis256x2_soft.c

@@ -85,9 +85,11 @@ struct aegis256x2_implementation aegis256x2_soft_implementation = {
     .state_encrypt_final           = state_encrypt_final,
     .state_decrypt_detached_update = state_decrypt_detached_update,
     .state_decrypt_detached_final  = state_decrypt_detached_final,
+    .state_mac_init                = state_mac_init,
     .state_mac_update              = state_mac_update,
     .state_mac_final               = state_mac_final,
-    .state_clone                   = state_clone,
+    .state_mac_reset               = state_mac_reset,
+    .state_mac_clone               = state_mac_clone,
 };
 
 #endif

src/aegis256x2/implementations.h

@@ -29,9 +29,12 @@ typedef struct aegis256x2_implementation {
                                          size_t *written, const uint8_t *c, size_t clen);
     int (*state_decrypt_detached_final)(aegis256x2_state *st_, uint8_t *m, size_t mlen_max,
                                         size_t *written, const uint8_t *mac, size_t maclen);
-    int (*state_mac_update)(aegis256x2_state *st_, const uint8_t *ad, size_t adlen);
-    int (*state_mac_final)(aegis256x2_state *st_, uint8_t *mac, size_t maclen);
-    void (*state_clone)(aegis256x2_state *dst, const aegis256x2_state *src);
+    void (*state_mac_init)(aegis256x2_mac_state *st_, const uint8_t *npub, const uint8_t *k);
+    int (*state_mac_update)(aegis256x2_mac_state *st_, const uint8_t *ad, size_t adlen);
+    int (*state_mac_final)(aegis256x2_mac_state *st_, uint8_t *mac, size_t maclen);
+    void (*state_mac_reset)(aegis256x2_mac_state *st);
+    void (*state_mac_clone)(aegis256x2_mac_state *dst, const aegis256x2_mac_state *src);
+
 } aegis256x2_implementation;
 
 #endif