/* ecrypt-sync-ae.h *//*  * Header file for synchronous stream ciphers with authentication * mechanism.  *  * *** Please only edit parts marked with "[edit]". *** */#ifndef ECRYPT_SYNC_AE#define ECRYPT_SYNC_AE#include "ecrypt-portable.h"/* ------------------------------------------------------------------------- *//* Cipher parameters *//*  * The name of your cipher. */#define ECRYPT_NAME "Phelix"    /* [edit] */ #define ECRYPT_PROFILE "SW"/* * Specify which key, IV, and MAC sizes are supported by your * cipher. A user should be able to enumerate the supported sizes by * running the following code: * * for (i = 0; ECRYPT_KEYSIZE(i) <= ECRYPT_MAXKEYSIZE; ++i) *   { *     keysize = ECRYPT_KEYSIZE(i); * *     ... *   } * * All sizes are in bits. */#define ECRYPT_MAXKEYSIZE 256                 /* [edit] */#define ECRYPT_KEYSIZE(i) (128 + (i)*64)      /* [edit] */#define ECRYPT_MAXIVSIZE  128                 /* [edit] */#define ECRYPT_IVSIZE(i)  (128 + (i)*32)      /* [edit] */#define ECRYPT_MAXMACSIZE 128                 /* [edit] */#define ECRYPT_MACSIZE(i) (64 + (i)*16)       /* [edit] *//* ------------------------------------------------------------------------- *//* Data structures *//*  * ECRYPT_AE_ctx is the structure containing the representation of the * internal state of your cipher.  * * If your cipher also supports unauthenticated encryption, and you * want to allow the user to call the unauthenticated functions * declared in "ecrypt-sync.h" as well, you might want to set the * ECRYPT_SUPPORTS_UAE flag and define the ECRYPT_AE_ctx context as an * extension of the ECRYPT_ctx structure defined in "ecrypt-sync.h". */#undef ECRYPT_SUPPORTS_UAE                    /* [edit] */#ifndef ECRYPT_SUPPORTS_UAEtypedef struct{  /*    * [edit]   *   * In case your implementation does NOT support unauthenticated   * encryption, put here all state variable needed during the   * authenticated encryption process. If it does, use the structure   * below.   */    struct          /* key schedule (no change after SetupNonce)    */        {        u32 keySize;        /* initial key size, in bits: 0..256    */        u32 macSize;        /* mac tag     size, in bits: 0..128    */        u32 X_1_bump;       /* 4*(keySize/8)+256*(macSize mod 128)  */        u32 X_0[8];         /* processed working key material       */        u32 X_1[8];        } ks;               /* ks --> "key schedule" */    struct          /* internal cipher state (varies during block) */        {        u32 oldZ[4];        /* previous four Z_4 values for output  */        u32 Z[5];           /* 5 internal state words (160 bits)    */        u32 i;              /* block number                         */        u32 aadLen[2];      /* 64-bit aadLen counter (LSW first)    */        u32 msgLen;         /* low 32 bits of msgLen                */        u32 aadXor;         /* aadXor constant                      */        } cs;               /* cs --> "cipher state"                */} ECRYPT_AE_ctx;#else#include "ecrypt-sync.h"typedef struct{  /*   * [edit]   *   * In case your implementation does support unauthenticated   * encryption, put here all additional state variables (if any)   * needed to generate the MAC.   */} ECRYPT_macctx;typedef struct{  ECRYPT_ctx ctx;  ECRYPT_macctx macctx;} ECRYPT_AE_ctx;#endif/* ------------------------------------------------------------------------- *//* Mandatory functions *//* * Key and message independent initialization. This function will be * called once when the program starts (e.g., to build expanded S-box * tables). */void ECRYPT_init(void);/* * Key setup. It is the user's responsibility to select the values of * keysize, ivsize, and macsize from the set of supported values * specified above. */void ECRYPT_AE_keysetup(  ECRYPT_AE_ctx* ctx,   const u8* key,   u32 keysize,                /* Key size in bits. */   u32 ivsize,                 /* IV size in bits. */   u32 macsize);               /* MAC size in bits. */ /* * IV setup. After having called ECRYPT_AE_keysetup(), the user is * allowed to call ECRYPT_AE_ivsetup() different times in order to * encrypt/decrypt different messages with the same key but different * IV's. */void ECRYPT_AE_ivsetup(  ECRYPT_AE_ctx* ctx,   const u8* iv);/* * Authenticated encryption/decryption of arbitrary length messages. * * For efficiency reasons, the API provides two types of authenticated * encrypt/decrypt functions. The ECRYPT_AE_encrypt_bytes() function * (declared here) encrypts byte strings of arbitrary length, while * the ECRYPT_AE_encrypt_blocks() function (defined later) only * accepts lengths which are multiples of ECRYPT_BLOCKLENGTH. *  * The user is allowed to make multiple calls to * ECRYPT_AE_encrypt_blocks() to incrementally encrypt a long message, * but he is NOT allowed to make additional encryption calls once he * has called ECRYPT_AE_encrypt_bytes() (unless he starts a new * message of course). For example, this sequence of calls is * acceptable: * * ECRYPT_AE_keysetup(); * * ECRYPT_AE_ivsetup(); * ECRYPT_AE_encrypt_blocks(); * ECRYPT_AE_encrypt_blocks(); * ECRYPT_AE_encrypt_bytes(); * ECRYPT_AE_finalize(); * * ECRYPT_AE_ivsetup(); * ECRYPT_AE_encrypt_blocks(); * ECRYPT_AE_encrypt_blocks(); * ECRYPT_AE_finalize(); * * ECRYPT_AE_ivsetup(); * ECRYPT_AE_encrypt_bytes(); * ECRYPT_AE_finalize(); *  * The following sequence is not: * * ECRYPT_AE_keysetup(); * ECRYPT_AE_ivsetup(); * ECRYPT_AE_encrypt_blocks(); * ECRYPT_AE_encrypt_bytes(); * ECRYPT_AE_encrypt_blocks(); * ECRYPT_AE_finalize(); *//* * By default ECRYPT_AE_encrypt_bytes() and ECRYPT_AE_decrypt_bytes() * are defined as macros which redirect the call to a single function * ECRYPT_AE_process_bytes(). If you want to provide separate * encryption and decryption functions, please undef * ECRYPT_HAS_SINGLE_BYTE_FUNCTION. */#undef ECRYPT_HAS_SINGLE_BYTE_FUNCTION       /* [edit] */#ifdef ECRYPT_HAS_SINGLE_BYTE_FUNCTION#define ECRYPT_AE_encrypt_bytes(ctx, plaintext, ciphertext, msglen)   \  ECRYPT_AE_process_bytes(0, ctx, plaintext, ciphertext, msglen)#define ECRYPT_AE_decrypt_bytes(ctx, ciphertext, plaintext, msglen)   \  ECRYPT_AE_process_bytes(1, ctx, ciphertext, plaintext, msglen)void ECRYPT_AE_process_bytes(  int action,                 /* 0 = encrypt; 1 = decrypt; */  ECRYPT_AE_ctx* ctx,   const u8* input,   u8* output,   u32 msglen);                /* Message length in bytes. */ #elsevoid ECRYPT_AE_encrypt_bytes(  ECRYPT_AE_ctx* ctx,   const u8* plaintext,   u8* ciphertext,   u32 msglen);                /* Message length in bytes. */ void ECRYPT_AE_decrypt_bytes(  ECRYPT_AE_ctx* ctx,   const u8* ciphertext,   u8* plaintext,   u32 msglen);                /* Message length in bytes. */ #endif/* * MAC output. The ECRYPT_AE_finalize() function produces a MAC, and * is to be called both after the encryption and the decryption of a * message. The user is supposed to check whether both MAC's are * identical and to delete all decrypted text if they are not. */void ECRYPT_AE_finalize(  ECRYPT_AE_ctx* ctx,  u8* mac);/* ------------------------------------------------------------------------- *//* Optional features *//*  * Please set the ECRYPT_SUPPORTS_AAD flag if your cipher can * authenticate associated data (without encrypting it). The function * ECRYPT_AE_authenticate_x() will be called (possibly multiple times) * before any call to ECRYPT_AE_encrypt_x(). The function has both a * byte and a block version (defined later), which are intended to be * used in the same way as the encryption function above. */#define ECRYPT_SUPPORTS_AAD                    /* [edit] */#ifdef ECRYPT_SUPPORTS_AAD/* * If ECRYPT_SUPPORTS_INCREMENTAL_AAD flag is NOT set, the user is * only allowed to call ECRYPT_AE_authenticate_x() once. This * restriction is important for schemes which need to know the length * of the complete AAD in advance. */#define ECRYPT_SUPPORTS_INCREMENTAL_AAD       /* [edit] */void ECRYPT_AE_authenticate_bytes(  ECRYPT_AE_ctx* ctx,  const u8* aad,  u32 aadlen);                /* Length of associated data in bytes. */#endif/* ------------------------------------------------------------------------- *//* Optional optimizations *//*  * By default, the functions in this section are implemented using * calls to functions declared above. However, you might want to * implement them differently for performance reasons. *//* * All-in-one authenticated encryption/decryption of (short) packets. * * The default definitions of these functions can be found in * "ecrypt-sync-ae.c". If you want to implement them differently, * please undef the ECRYPT_USES_DEFAULT_ALL_IN_ONE flag. */#undef ECRYPT_USES_DEFAULT_ALL_IN_ONE        /* [edit] *//* * Undef ECRYPT_HAS_SINGLE_PACKET_FUNCTION if you want to provide * separate packet encryption and decryption functions. */#undef ECRYPT_HAS_SINGLE_PACKET_FUNCTION     /* [edit] */#ifdef ECRYPT_HAS_SINGLE_PACKET_FUNCTION#define ECRYPT_AE_encrypt_packet(                                     \    ctx, iv, aad, aadlen, plaintext, ciphertext, mglen, mac)          \  ECRYPT_AE_process_packet(0,                                         \    ctx, iv, aad, aadlen, plaintext, ciphertext, mglen, mac)#define ECRYPT_AE_decrypt_packet(                                     \    ctx, iv, aad, aadlen, ciphertext, plaintext, mglen, mac)          \  ECRYPT_AE_process_packet(1,                                         \    ctx, iv, aad, aadlen, ciphertext, plaintext, mglen, mac)void ECRYPT_AE_process_packet(  int action,                 /* 0 = encrypt; 1 = decrypt; */  ECRYPT_AE_ctx* ctx,   const u8* iv,  const u8* aad,  u32 aadlen,  const u8* input,   u8* output,   u32 msglen,  u8* mac);#elsevoid ECRYPT_AE_encrypt_packet(  ECRYPT_AE_ctx* ctx,   const u8* iv,  const u8* aad,  u32 aadlen,  const u8* plaintext,   u8* ciphertext,   u32 msglen,  u8* mac);void ECRYPT_AE_decrypt_packet(  ECRYPT_AE_ctx* ctx,   const u8* iv,  const u8* aad,  u32 aadlen,  const u8* ciphertext,   u8* plaintext,   u32 msglen,  u8* mac);#endif/* * Authenticated encryption/decryption of blocks. *  * By default, these functions are defined as macros. If you want to * provide a different implementation, please undef the * ECRYPT_USES_DEFAULT_BLOCK_MACROS flag and implement the functions * declared below. */#define ECRYPT_BLOCKLENGTH 4                  /* [edit] */#define ECRYPT_USES_DEFAULT_BLOCK_MACROS      /* [edit] */#ifdef ECRYPT_USES_DEFAULT_BLOCK_MACROS#define ECRYPT_AE_encrypt_blocks(ctx, plaintext, ciphertext, blocks)  \  ECRYPT_AE_encrypt_bytes(ctx, plaintext, ciphertext,                 \    (blocks) * ECRYPT_BLOCKLENGTH)#define ECRYPT_AE_decrypt_blocks(ctx, ciphertext, plaintext, blocks)  \  ECRYPT_AE_decrypt_bytes(ctx, ciphertext, plaintext,                 \    (blocks) * ECRYPT_BLOCKLENGTH)#ifdef ECRYPT_SUPPORTS_AAD#define ECRYPT_AE_authenticate_blocks(ctx, aad, blocks)               \  ECRYPT_AE_authenticate_bytes(ctx, aad,                              \    (blocks) * ECRYPT_BLOCKLENGTH)#endif#else/* * Undef ECRYPT_HAS_SINGLE_BLOCK_FUNCTION if you want to provide * separate block encryption and decryption functions. */#define ECRYPT_HAS_SINGLE_BLOCK_FUNCTION      /* [edit] */#ifdef ECRYPT_HAS_SINGLE_BLOCK_FUNCTION#define ECRYPT_AE_encrypt_blocks(ctx, plaintext, ciphertext, blocks)  \  ECRYPT_AE_process_blocks(0, ctx, plaintext, ciphertext, blocks)#define ECRYPT_AE_decrypt_blocks(ctx, ciphertext, plaintext, blocks)  \  ECRYPT_AE_process_blocks(1, ctx, ciphertext, plaintext, blocks)void ECRYPT_AE_process_blocks(  int action,                 /* 0 = encrypt; 1 = decrypt; */  ECRYPT_AE_ctx* ctx,   const u8* input,   u8* output,   u32 blocks);                /* Message length in blocks. */#elsevoid ECRYPT_AE_encrypt_blocks(  ECRYPT_AE_ctx* ctx,   const u8* plaintext,   u8* ciphertext,   u32 blocks);                /* Message length in blocks. */ void ECRYPT_AE_decrypt_blocks(  ECRYPT_AE_ctx* ctx,   const u8* ciphertext,   u8* plaintext,   u32 blocks);                /* Message length in blocks. */ #endif#ifdef ECRYPT_SUPPORTS_AADvoid ECRYPT_AE_authenticate_blocks(  ECRYPT_AE_ctx* ctx,  const u8* aad,  u32 blocks);                /* Message length in blocks. */ #endif#endif/* * If your cipher can be implemented in different ways, you can use * the ECRYPT_VARIANT parameter to allow the user to choose between * them at compile time (e.g., gcc -DECRYPT_VARIANT=3 ...). Please * only use this possibility if you really think it could make a * significant difference and keep the number of variants * (ECRYPT_MAXVARIANT) as small as possible (definitely not more than * 10). Note also that all variants should have exactly the same * external interface (i.e., the same ECRYPT_BLOCKLENGTH, etc.).  */#define ECRYPT_MAXVARIANT 1                   /* [edit] */#ifndef ECRYPT_VARIANT#define ECRYPT_VARIANT 1#endif#if (ECRYPT_VARIANT > ECRYPT_MAXVARIANT)#error this variant does not exist#endif/* ------------------------------------------------------------------------- */#endif