Diffstat (limited to 'src/lib/modes/aead/eax')
-rw-r--r-- | src/lib/modes/aead/eax/eax.cpp | 170 | ||||
-rw-r--r-- | src/lib/modes/aead/eax/eax.h | 114 | ||||
-rw-r--r-- | src/lib/modes/aead/eax/info.txt | 7 |
3 files changed, 291 insertions, 0 deletions
diff --git a/src/lib/modes/aead/eax/eax.cpp b/src/lib/modes/aead/eax/eax.cpp
new file mode 100644
index 000000000..249bf5f7e
--- /dev/null
+++ b/src/lib/modes/aead/eax/eax.cpp
@@ -0,0 +1,170 @@
+/*
+* EAX Mode Encryption
+* (C) 1999-2007 Jack Lloyd
+*
+* Distributed under the terms of the Botan license
+*/
+
+#include <botan/eax.h>
+#include <botan/cmac.h>
+#include <botan/ctr.h>
+#include <botan/parsing.h>
+#include <botan/internal/xor_buf.h>
+#include <algorithm>
+
+namespace Botan {
+
+namespace {
+
+/*
+* EAX MAC-based PRF
+*/
+secure_vector<byte> eax_prf(byte tag, size_t block_size,
+ MessageAuthenticationCode& mac,
+ const byte in[], size_t length)
+ {
+ for(size_t i = 0; i != block_size - 1; ++i)
+ mac.update(0);
+ mac.update(tag);
+ mac.update(in, length);
+ return mac.final();
+ }
+
+}
+
+/*
+* EAX_Mode Constructor
+*/
+EAX_Mode::EAX_Mode(BlockCipher* cipher, size_t tag_size) :
+ m_tag_size(tag_size ? tag_size : cipher->block_size()),
+ m_cipher(cipher),
+ m_ctr(new CTR_BE(m_cipher->clone())),
+ m_cmac(new CMAC(m_cipher->clone()))
+ {
+ if(m_tag_size < 8 || m_tag_size > m_cmac->output_length())
+ throw Invalid_Argument(name() + ": Bad tag size " + std::to_string(tag_size));
+ }
+
+void EAX_Mode::clear()
+ {
+ m_cipher.reset();
+ m_ctr.reset();
+ m_cmac.reset();
+ zeroise(m_ad_mac);
+ zeroise(m_nonce_mac);
+ }
+
+std::string EAX_Mode::name() const
+ {
+ return (m_cipher->name() + "/EAX");
+ }
+
+size_t EAX_Mode::update_granularity() const
+ {
+ return 8 * m_cipher->parallel_bytes();
+ }
+
+Key_Length_Specification EAX_Mode::key_spec() const
+ {
+ return m_cipher->key_spec();
+ }
+
+/*
+* Set the EAX key
+*/
+void EAX_Mode::key_schedule(const byte key[], size_t length)
+ {
+ /*
+ * These could share the key schedule, which is one nice part of EAX,
+ * but it's much easier to ignore that here...
+ */
+ m_ctr->set_key(key, length);
+ m_cmac->set_key(key, length);
+
+ m_ad_mac = eax_prf(1, block_size(), *m_cmac, nullptr, 0);
+ }
+
+/*
+* Set the EAX associated data
+*/
+void EAX_Mode::set_associated_data(const byte ad[], size_t length)
+ {
+ m_ad_mac = eax_prf(1, block_size(), *m_cmac, ad, length);
+ }
+
+secure_vector<byte> EAX_Mode::start(const byte nonce[], size_t nonce_len)
+ {
+ if(!valid_nonce_length(nonce_len))
+ throw Invalid_IV_Length(name(), nonce_len);
+
+ m_nonce_mac = eax_prf(0, block_size(), *m_cmac, nonce, nonce_len);
+
+ m_ctr->set_iv(&m_nonce_mac[0], m_nonce_mac.size());
+
+ for(size_t i = 0; i != block_size() - 1; ++i)
+ m_cmac->update(0);
+ m_cmac->update(2);
+
+ return secure_vector<byte>();
+ }
+
+void EAX_Encryption::update(secure_vector<byte>& buffer, size_t offset)
+ {
+ BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane");
+ const size_t sz = buffer.size() - offset;
+ byte* buf = &buffer[offset];
+
+ m_ctr->cipher(buf, buf, sz);
+ m_cmac->update(buf, sz);
+ }
+
+void EAX_Encryption::finish(secure_vector<byte>& buffer, size_t offset)
+ {
+ update(buffer, offset);
+
+ secure_vector<byte> data_mac = m_cmac->final();
+ xor_buf(data_mac, m_nonce_mac, data_mac.size());
+ xor_buf(data_mac, m_ad_mac, data_mac.size());
+
+ buffer += std::make_pair(&data_mac[0], tag_size());
+ }
+
+void EAX_Decryption::update(secure_vector<byte>& buffer, size_t offset)
+ {
+ BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane");
+ const size_t sz = buffer.size() - offset;
+ byte* buf = &buffer[offset];
+
+ m_cmac->update(buf, sz);
+ m_ctr->cipher(buf, buf, sz);
+ }
+
+void EAX_Decryption::finish(secure_vector<byte>& buffer, size_t offset)
+ {
+ BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane");
+ const size_t sz = buffer.size() - offset;
+ byte* buf = &buffer[offset];
+
+ BOTAN_ASSERT(sz >= tag_size(), "Have the tag as part of final input");
+
+ const size_t remaining = sz - tag_size();
+
+ if(remaining)
+ {
+ m_cmac->update(buf, remaining);
+ m_ctr->cipher(buf, buf, remaining);
+ }
+
+ const byte* included_tag = &buf[remaining];
+
+ secure_vector<byte> mac = m_cmac->final();
+ mac ^= m_nonce_mac;
+ mac ^= m_ad_mac;
+
+ if(!same_mem(&mac[0], included_tag, tag_size()))
+ throw Integrity_Failure("EAX tag check failed");
+
+ buffer.resize(offset + remaining);
+ }
+
+}
diff --git a/src/lib/modes/aead/eax/eax.h b/src/lib/modes/aead/eax/eax.h
new file mode 100644
index 000000000..224fb5298
--- /dev/null
+++ b/src/lib/modes/aead/eax/eax.h
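Review bot: In `EAX_Mode::clear()` the calls `m_cipher.reset(); m_ctr.reset(); m_cmac.reset();` resolve to `std::unique_ptr::reset()`, which destroys the owned objects and leaves the pointers null instead of resetting them for reuse. Any later call on the mode (`name()`, `key_spec()`, `key_schedule()`, `start()`) then dereferences a null pointer, so the object cannot be cleared and re-keyed. Since eax.h declares the three members as `std::unique_ptr`, the intended calls are presumably `m_cipher->clear(); m_ctr->clear(); m_cmac->clear();`. Separately, `EAX_Decryption::finish()` decrypts in place before comparing the tag and throws `Integrity_Failure` with the unauthenticated plaintext still in `buffer`; a comment such as `// on tag failure the contents of buffer are unauthenticated and must be discarded` (or zeroising before the throw) would make that contract explicit.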
@@ -0,0 +1,114 @@
+/*
+* EAX Mode
+* (C) 1999-2007,2013 Jack Lloyd
+*
+* Distributed under the terms of the Botan license
+*/
+
+#ifndef BOTAN_AEAD_EAX_H__
+#define BOTAN_AEAD_EAX_H__
+
+#include <botan/aead.h>
+#include <botan/block_cipher.h>
+#include <botan/stream_cipher.h>
+#include <botan/mac.h>
+#include <memory>
+
+namespace Botan {
+
+/**
+* EAX base class
+*/
+class BOTAN_DLL EAX_Mode : public AEAD_Mode
+ {
+ public:
+ secure_vector<byte> start(const byte nonce[], size_t nonce_len) override;
+
+ void set_associated_data(const byte ad[], size_t ad_len) override;
+
+ std::string name() const override;
+
+ size_t update_granularity() const;
+
+ Key_Length_Specification key_spec() const override;
+
+ // EAX supports arbitrary nonce lengths
+ bool valid_nonce_length(size_t) const override { return true; }
+
+ size_t tag_size() const { return m_tag_size; }
+
+ void clear();
+ protected:
+ void key_schedule(const byte key[], size_t length) override;
+
+ /**
+ * @param cipher the cipher to use
+ * @param tag_size is how big the auth tag will be
+ */
+ EAX_Mode(BlockCipher* cipher, size_t tag_size);
+
+ size_t block_size() const { return m_cipher->block_size(); }
+
+ size_t m_tag_size;
+
+ std::unique_ptr<BlockCipher> m_cipher;
+ std::unique_ptr<StreamCipher> m_ctr;
+ std::unique_ptr<MessageAuthenticationCode> m_cmac;
+
+ secure_vector<byte> m_ad_mac;
+
+ secure_vector<byte> m_nonce_mac;
+ };
+
+/**
+* EAX Encryption
+*/
+class BOTAN_DLL EAX_Encryption : public EAX_Mode
+ {
+ public:
+ /**
+ * @param cipher a 128-bit block cipher
+ * @param tag_size is how big the auth tag will be
+ */
+ EAX_Encryption(BlockCipher* cipher, size_t tag_size = 0) :
+ EAX_Mode(cipher, tag_size) {}
+
+ size_t output_length(size_t input_length) const override
+ { return input_length + tag_size(); }
+
+ size_t minimum_final_size() const override { return 0; }
+
+ void update(secure_vector<byte>& blocks, size_t offset = 0) override;
+
+ void finish(secure_vector<byte>& final_block, size_t offset = 0) override;
+ };
+
+/**
+* EAX Decryption
+*/
+class BOTAN_DLL EAX_Decryption : public EAX_Mode
+ {
+ public:
+ /**
+ * @param cipher a 128-bit block cipher
+ * @param tag_size is how big the auth tag will be
+ */
+ EAX_Decryption(BlockCipher* cipher, size_t tag_size = 0) :
+ EAX_Mode(cipher, tag_size) {}
+
+ size_t output_length(size_t input_length) const override
+ {
+ BOTAN_ASSERT(input_length > tag_size(), "Sufficient input");
+ return input_length - tag_size();
+ }
+
+ size_t minimum_final_size() const override { return tag_size(); }
+
+ void update(secure_vector<byte>& blocks, size_t offset = 0) override;
+
+ void finish(secure_vector<byte>& final_block, size_t offset = 0) override;
+ };
+
+}
+
+#endif
diff --git a/src/lib/modes/aead/eax/info.txt b/src/lib/modes/aead/eax/info.txt
new file mode 100644
index 000000000..75775fa16
--- /dev/null
+++ b/src/lib/modes/aead/eax/info.txt
@@ -0,0 +1,7 @@
+define AEAD_EAX 20131128
+
+<requires>
+block
+cmac
+ctr
+</requires> |
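Review bot: `EAX_Decryption::output_length()` asserts `input_length > tag_size()`, while `EAX_Decryption::finish()` in eax.cpp accepts `sz >= tag_size()`, so a valid message with empty plaintext (ciphertext consisting of the tag only) fails the assertion here yet is accepted there; the check should read `BOTAN_ASSERT(input_length >= tag_size(), "Sufficient input");`. `update_granularity()` and `clear()` in `EAX_Mode` are declared without `override`, unlike the neighbouring virtuals, so a signature drift in the base class would go unnoticed at compile time; this assumes both are virtual in `AEAD_Mode`, which this diff does not show. The constructor comments say "a 128-bit block cipher" but nothing visible in `EAX_Mode` checks the block size, so either document that other block sizes are accepted or state where the requirement is enforced.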