Move lib into src

3 files changed, 291 insertions, 0 deletions

diff --git a/src/lib/modes/aead/eax/eax.cpp b/src/lib/modes/aead/eax/eax.cpp
new file mode 100644
index 000000000..249bf5f7e
--- /dev/null
+++ b/src/lib/modes/aead/eax/eax.cpp
@@ -0,0 +1,170 @@
+/*
+* EAX Mode Encryption
+* (C) 1999-2007 Jack Lloyd
+*
+* Distributed under the terms of the Botan license
+*/
+
+#include <botan/eax.h>
+#include <botan/cmac.h>
+#include <botan/ctr.h>
+#include <botan/parsing.h>
+#include <botan/internal/xor_buf.h>
+#include <algorithm>
+
+namespace Botan {
+
+namespace {
+
+/*
+* EAX MAC-based PRF
+*/
+secure_vector<byte> eax_prf(byte tag, size_t block_size,
+                           MessageAuthenticationCode& mac,
+                           const byte in[], size_t length)
+   {
+   for(size_t i = 0; i != block_size - 1; ++i)
+      mac.update(0);
+   mac.update(tag);
+   mac.update(in, length);
+   return mac.final();
+   }
+
+}
+
+/*
+* EAX_Mode Constructor
+*/
+EAX_Mode::EAX_Mode(BlockCipher* cipher, size_t tag_size) :
+   m_tag_size(tag_size ? tag_size : cipher->block_size()),
+   m_cipher(cipher),
+   m_ctr(new CTR_BE(m_cipher->clone())),
+   m_cmac(new CMAC(m_cipher->clone()))
+   {
+   if(m_tag_size < 8 || m_tag_size > m_cmac->output_length())
+      throw Invalid_Argument(name() + ": Bad tag size " + std::to_string(tag_size));
+   }
+
+void EAX_Mode::clear()
+   {
+   m_cipher.reset();
+   m_ctr.reset();
+   m_cmac.reset();
+   zeroise(m_ad_mac);
+   zeroise(m_nonce_mac);
+   }
+
+std::string EAX_Mode::name() const
+   {
+   return (m_cipher->name() + "/EAX");
+   }
+
+size_t EAX_Mode::update_granularity() const
+   {
+   return 8 * m_cipher->parallel_bytes();
+   }
+
+Key_Length_Specification EAX_Mode::key_spec() const
+   {
+   return m_cipher->key_spec();
+   }
+
+/*
+* Set the EAX key
+*/
+void EAX_Mode::key_schedule(const byte key[], size_t length)
+   {
+   /*
+   * These could share the key schedule, which is one nice part of EAX,
+   * but it's much easier to ignore that here...
+   */
+   m_ctr->set_key(key, length);
+   m_cmac->set_key(key, length);
+
+   m_ad_mac = eax_prf(1, block_size(), *m_cmac, nullptr, 0);
+   }
+
+/*
+* Set the EAX associated data
+*/
+void EAX_Mode::set_associated_data(const byte ad[], size_t length)
+   {
+   m_ad_mac = eax_prf(1, block_size(), *m_cmac, ad, length);
+   }
+
+secure_vector<byte> EAX_Mode::start(const byte nonce[], size_t nonce_len)
+   {
+   if(!valid_nonce_length(nonce_len))
+      throw Invalid_IV_Length(name(), nonce_len);
+
+   m_nonce_mac = eax_prf(0, block_size(), *m_cmac, nonce, nonce_len);
+
+   m_ctr->set_iv(&m_nonce_mac[0], m_nonce_mac.size());
+
+   for(size_t i = 0; i != block_size() - 1; ++i)
+      m_cmac->update(0);
+   m_cmac->update(2);
+
+   return secure_vector<byte>();
+   }
+
+void EAX_Encryption::update(secure_vector<byte>& buffer, size_t offset)
+   {
+   BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane");
+   const size_t sz = buffer.size() - offset;
+   byte* buf = &buffer[offset];
+
+   m_ctr->cipher(buf, buf, sz);
+   m_cmac->update(buf, sz);
+   }
+
+void EAX_Encryption::finish(secure_vector<byte>& buffer, size_t offset)
+   {
+   update(buffer, offset);
+
+   secure_vector<byte> data_mac = m_cmac->final();
+   xor_buf(data_mac, m_nonce_mac, data_mac.size());
+   xor_buf(data_mac, m_ad_mac, data_mac.size());
+
+   buffer += std::make_pair(&data_mac[0], tag_size());
+   }
+
+void EAX_Decryption::update(secure_vector<byte>& buffer, size_t offset)
+   {
+   BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane");
+   const size_t sz = buffer.size() - offset;
+   byte* buf = &buffer[offset];
+
+   m_cmac->update(buf, sz);
+   m_ctr->cipher(buf, buf, sz);
+   }
+
+void EAX_Decryption::finish(secure_vector<byte>& buffer, size_t offset)
+   {
+   BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane");
+   const size_t sz = buffer.size() - offset;
+   byte* buf = &buffer[offset];
+
+   BOTAN_ASSERT(sz >= tag_size(), "Have the tag as part of final input");
+
+   const size_t remaining = sz - tag_size();
+
+   if(remaining)
+      {
+      m_cmac->update(buf, remaining);
+      m_ctr->cipher(buf, buf, remaining);
+      }
+
+   const byte* included_tag = &buf[remaining];
+
+   secure_vector<byte> mac = m_cmac->final();
+   mac ^= m_nonce_mac;
+   mac ^= m_ad_mac;
+
+   if(!same_mem(&mac[0], included_tag, tag_size()))
+      throw Integrity_Failure("EAX tag check failed");
+
+   buffer.resize(offset + remaining);
+   }
+
+}
diff --git a/src/lib/modes/aead/eax/eax.h b/src/lib/modes/aead/eax/eax.h
new file mode 100644
index 000000000..224fb5298
--- /dev/null
+++ b/src/lib/modes/aead/eax/eax.h
@@ -0,0 +1,114 @@
+/*
+* EAX Mode
+* (C) 1999-2007,2013 Jack Lloyd
+*
+* Distributed under the terms of the Botan license
+*/
+
+#ifndef BOTAN_AEAD_EAX_H__
+#define BOTAN_AEAD_EAX_H__
+
+#include <botan/aead.h>
+#include <botan/block_cipher.h>
+#include <botan/stream_cipher.h>
+#include <botan/mac.h>
+#include <memory>
+
+namespace Botan {
+
+/**
+* EAX base class
+*/
+class BOTAN_DLL EAX_Mode : public AEAD_Mode
+   {
+   public:
+      secure_vector<byte> start(const byte nonce[], size_t nonce_len) override;
+
+      void set_associated_data(const byte ad[], size_t ad_len) override;
+
+      std::string name() const override;
+
+      size_t update_granularity() const;
+
+      Key_Length_Specification key_spec() const override;
+
+      // EAX supports arbitrary nonce lengths
+      bool valid_nonce_length(size_t) const override { return true; }
+
+      size_t tag_size() const { return m_tag_size; }
+
+      void clear();
+   protected:
+      void key_schedule(const byte key[], size_t length) override;
+
+      /**
+      * @param cipher the cipher to use
+      * @param tag_size is how big the auth tag will be
+      */
+      EAX_Mode(BlockCipher* cipher, size_t tag_size);
+
+      size_t block_size() const { return m_cipher->block_size(); }
+
+      size_t m_tag_size;
+
+      std::unique_ptr<BlockCipher> m_cipher;
+      std::unique_ptr<StreamCipher> m_ctr;
+      std::unique_ptr<MessageAuthenticationCode> m_cmac;
+
+      secure_vector<byte> m_ad_mac;
+
+      secure_vector<byte> m_nonce_mac;
+   };
+
+/**
+* EAX Encryption
+*/
+class BOTAN_DLL EAX_Encryption : public EAX_Mode
+   {
+   public:
+      /**
+      * @param cipher a 128-bit block cipher
+      * @param tag_size is how big the auth tag will be
+      */
+      EAX_Encryption(BlockCipher* cipher, size_t tag_size = 0) :
+         EAX_Mode(cipher, tag_size) {}
+
+      size_t output_length(size_t input_length) const override
+         { return input_length + tag_size(); }
+
+      size_t minimum_final_size() const override { return 0; }
+
+      void update(secure_vector<byte>& blocks, size_t offset = 0) override;
+
+      void finish(secure_vector<byte>& final_block, size_t offset = 0) override;
+   };
+
+/**
+* EAX Decryption
+*/
+class BOTAN_DLL EAX_Decryption : public EAX_Mode
+   {
+   public:
+      /**
+      * @param cipher a 128-bit block cipher
+      * @param tag_size is how big the auth tag will be
+      */
+      EAX_Decryption(BlockCipher* cipher, size_t tag_size = 0) :
+         EAX_Mode(cipher, tag_size) {}
+
+      size_t output_length(size_t input_length) const override
+         {
+         BOTAN_ASSERT(input_length > tag_size(), "Sufficient input");
+         return input_length - tag_size();
+         }
+
+      size_t minimum_final_size() const override { return tag_size(); }
+
+      void update(secure_vector<byte>& blocks, size_t offset = 0) override;
+
+      void finish(secure_vector<byte>& final_block, size_t offset = 0) override;
+   };
+
+}
+
+#endif
diff --git a/src/lib/modes/aead/eax/info.txt b/src/lib/modes/aead/eax/info.txt
new file mode 100644
index 000000000..75775fa16
--- /dev/null
+++ b/src/lib/modes/aead/eax/info.txt
@@ -0,0 +1,7 @@
+define AEAD_EAX 20131128
+
+<requires>
+block
+cmac
+ctr
+</requires>