/src/botan/src/lib/modes/aead/eax/eax.cpp
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * EAX Mode Encryption |
3 | | * (C) 1999-2007 Jack Lloyd |
4 | | * (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity |
5 | | * |
6 | | * Botan is released under the Simplified BSD License (see license.txt) |
7 | | */ |
8 | | |
9 | | #include <botan/internal/eax.h> |
10 | | |
11 | | #include <botan/internal/cmac.h> |
12 | | #include <botan/internal/ct_utils.h> |
13 | | #include <botan/internal/ctr.h> |
14 | | #include <botan/internal/fmt.h> |
15 | | |
16 | | namespace Botan { |
17 | | |
18 | | namespace { |
19 | | |
20 | | /* |
21 | | * EAX MAC-based PRF |
22 | | */ |
23 | | secure_vector<uint8_t> eax_prf( |
24 | 0 | uint8_t tag, size_t block_size, MessageAuthenticationCode& mac, const uint8_t in[], size_t length) { |
25 | 0 | for(size_t i = 0; i != block_size - 1; ++i) { |
26 | 0 | mac.update(0); |
27 | 0 | } |
28 | 0 | mac.update(tag); |
29 | 0 | mac.update(in, length); |
30 | 0 | return mac.final(); |
31 | 0 | } |
32 | | |
33 | | } // namespace |
34 | | |
35 | | /* |
36 | | * EAX_Mode Constructor |
37 | | */ |
38 | | EAX_Mode::EAX_Mode(std::unique_ptr<BlockCipher> cipher, size_t tag_size) : |
39 | 0 | m_tag_size(tag_size), |
40 | 0 | m_cipher(std::move(cipher)), |
41 | 0 | m_ctr(std::make_unique<CTR_BE>(m_cipher->new_object())), |
42 | 0 | m_cmac(std::make_unique<CMAC>(m_cipher->new_object())) { |
43 | 0 | if(m_tag_size < 8 || m_tag_size > m_cmac->output_length()) { |
44 | 0 | throw Invalid_Argument(fmt("Tag size {} is not allowed for {}", tag_size, name())); |
45 | 0 | } |
46 | 0 | } |
47 | | |
48 | 0 | void EAX_Mode::clear() { |
49 | 0 | m_cipher->clear(); |
50 | 0 | m_ctr->clear(); |
51 | 0 | m_cmac->clear(); |
52 | 0 | reset(); |
53 | 0 | } |
54 | | |
55 | 0 | void EAX_Mode::reset() { |
56 | 0 | m_ad_mac.clear(); |
57 | 0 | m_nonce_mac.clear(); |
58 | | |
59 | | // Clear out any data added to the CMAC calculation |
60 | 0 | try { |
61 | 0 | m_cmac->final(); |
62 | 0 | } catch(Key_Not_Set&) {} |
63 | 0 | } |
64 | | |
65 | 0 | std::string EAX_Mode::name() const { |
66 | 0 | return (m_cipher->name() + "/EAX"); |
67 | 0 | } |
68 | | |
69 | 0 | size_t EAX_Mode::update_granularity() const { |
70 | 0 | return 1; |
71 | 0 | } |
72 | | |
73 | 0 | size_t EAX_Mode::ideal_granularity() const { |
74 | 0 | return m_cipher->parallel_bytes(); |
75 | 0 | } |
76 | | |
77 | 0 | Key_Length_Specification EAX_Mode::key_spec() const { |
78 | 0 | return m_ctr->key_spec(); |
79 | 0 | } |
80 | | |
81 | 0 | bool EAX_Mode::has_keying_material() const { |
82 | 0 | return m_ctr->has_keying_material() && m_cmac->has_keying_material(); |
83 | 0 | } |
84 | | |
85 | | /* |
86 | | * Set the EAX key |
87 | | */ |
88 | 0 | void EAX_Mode::key_schedule(std::span<const uint8_t> key) { |
89 | | /* |
90 | | * These could share the key schedule, which is one nice part of EAX, |
91 | | * but it's much easier to ignore that here... |
92 | | */ |
93 | 0 | m_ctr->set_key(key); |
94 | 0 | m_cmac->set_key(key); |
95 | 0 | } |
96 | | |
97 | | /* |
98 | | * Set the EAX associated data |
99 | | */ |
100 | 0 | void EAX_Mode::set_associated_data_n(size_t idx, std::span<const uint8_t> ad) { |
101 | 0 | BOTAN_ARG_CHECK(idx == 0, "EAX: cannot handle non-zero index in set_associated_data_n"); |
102 | 0 | if(m_nonce_mac.empty() == false) { |
103 | 0 | throw Invalid_State("Cannot set AD for EAX while processing a message"); |
104 | 0 | } |
105 | 0 | m_ad_mac = eax_prf(1, block_size(), *m_cmac, ad.data(), ad.size()); |
106 | 0 | } |
107 | | |
108 | 0 | void EAX_Mode::start_msg(const uint8_t nonce[], size_t nonce_len) { |
109 | 0 | if(!valid_nonce_length(nonce_len)) { |
110 | 0 | throw Invalid_IV_Length(name(), nonce_len); |
111 | 0 | } |
112 | | |
113 | 0 | m_nonce_mac = eax_prf(0, block_size(), *m_cmac, nonce, nonce_len); |
114 | |
|
115 | 0 | m_ctr->set_iv(m_nonce_mac.data(), m_nonce_mac.size()); |
116 | |
|
117 | 0 | for(size_t i = 0; i != block_size() - 1; ++i) { |
118 | 0 | m_cmac->update(0); |
119 | 0 | } |
120 | 0 | m_cmac->update(2); |
121 | 0 | } |
122 | | |
123 | 0 | size_t EAX_Encryption::process_msg(uint8_t buf[], size_t sz) { |
124 | 0 | BOTAN_STATE_CHECK(!m_nonce_mac.empty()); |
125 | 0 | m_ctr->cipher(buf, buf, sz); |
126 | 0 | m_cmac->update(buf, sz); |
127 | 0 | return sz; |
128 | 0 | } |
129 | | |
130 | 0 | void EAX_Encryption::finish_msg(secure_vector<uint8_t>& buffer, size_t offset) { |
131 | 0 | BOTAN_STATE_CHECK(!m_nonce_mac.empty()); |
132 | 0 | update(buffer, offset); |
133 | |
|
134 | 0 | secure_vector<uint8_t> data_mac = m_cmac->final(); |
135 | 0 | xor_buf(data_mac, m_nonce_mac, data_mac.size()); |
136 | |
|
137 | 0 | if(m_ad_mac.empty()) { |
138 | 0 | m_ad_mac = eax_prf(1, block_size(), *m_cmac, nullptr, 0); |
139 | 0 | } |
140 | |
|
141 | 0 | xor_buf(data_mac, m_ad_mac, data_mac.size()); |
142 | |
|
143 | 0 | buffer += std::make_pair(data_mac.data(), tag_size()); |
144 | |
|
145 | 0 | m_nonce_mac.clear(); |
146 | 0 | } |
147 | | |
148 | 0 | size_t EAX_Decryption::process_msg(uint8_t buf[], size_t sz) { |
149 | 0 | BOTAN_STATE_CHECK(!m_nonce_mac.empty()); |
150 | 0 | m_cmac->update(buf, sz); |
151 | 0 | m_ctr->cipher(buf, buf, sz); |
152 | 0 | return sz; |
153 | 0 | } |
154 | | |
155 | 0 | void EAX_Decryption::finish_msg(secure_vector<uint8_t>& buffer, size_t offset) { |
156 | 0 | BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is out of range"); |
157 | 0 | const size_t sz = buffer.size() - offset; |
158 | 0 | uint8_t* buf = buffer.data() + offset; |
159 | |
|
160 | 0 | BOTAN_ARG_CHECK(sz >= tag_size(), "input did not include the tag"); |
161 | |
|
162 | 0 | const size_t remaining = sz - tag_size(); |
163 | |
|
164 | 0 | if(remaining) { |
165 | 0 | m_cmac->update(buf, remaining); |
166 | 0 | m_ctr->cipher(buf, buf, remaining); |
167 | 0 | } |
168 | |
|
169 | 0 | const uint8_t* included_tag = &buf[remaining]; |
170 | |
|
171 | 0 | secure_vector<uint8_t> mac = m_cmac->final(); |
172 | 0 | mac ^= m_nonce_mac; |
173 | |
|
174 | 0 | if(m_ad_mac.empty()) { |
175 | 0 | m_ad_mac = eax_prf(1, block_size(), *m_cmac, nullptr, 0); |
176 | 0 | } |
177 | |
|
178 | 0 | mac ^= m_ad_mac; |
179 | |
|
180 | 0 | const bool accept_mac = CT::is_equal(mac.data(), included_tag, tag_size()).as_bool(); |
181 | |
|
182 | 0 | buffer.resize(offset + remaining); |
183 | |
|
184 | 0 | m_nonce_mac.clear(); |
185 | |
|
186 | 0 | if(!accept_mac) { |
187 | 0 | throw Invalid_Authentication_Tag("EAX tag check failed"); |
188 | 0 | } |
189 | 0 | } |
190 | | |
191 | | } // namespace Botan |