Coverage Report

Created: 2024-11-29 06:10

/src/botan/src/lib/modes/aead/eax/eax.cpp
Line
Count
Source (jump to first uncovered line)
1
/*
2
* EAX Mode Encryption
3
* (C) 1999-2007 Jack Lloyd
4
* (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity
5
*
6
* Botan is released under the Simplified BSD License (see license.txt)
7
*/
8
9
#include <botan/internal/eax.h>
10
11
#include <botan/internal/cmac.h>
12
#include <botan/internal/ct_utils.h>
13
#include <botan/internal/ctr.h>
14
#include <botan/internal/fmt.h>
15
16
namespace Botan {
17
18
namespace {
19
20
/*
21
* EAX MAC-based PRF
22
*/
23
secure_vector<uint8_t> eax_prf(
24
0
   uint8_t tag, size_t block_size, MessageAuthenticationCode& mac, const uint8_t in[], size_t length) {
25
0
   for(size_t i = 0; i != block_size - 1; ++i) {
26
0
      mac.update(0);
27
0
   }
28
0
   mac.update(tag);
29
0
   mac.update(in, length);
30
0
   return mac.final();
31
0
}
32
33
}  // namespace
34
35
/*
36
* EAX_Mode Constructor
37
*/
38
EAX_Mode::EAX_Mode(std::unique_ptr<BlockCipher> cipher, size_t tag_size) :
39
0
      m_tag_size(tag_size),
40
0
      m_cipher(std::move(cipher)),
41
0
      m_ctr(std::make_unique<CTR_BE>(m_cipher->new_object())),
42
0
      m_cmac(std::make_unique<CMAC>(m_cipher->new_object())) {
43
0
   if(m_tag_size < 8 || m_tag_size > m_cmac->output_length()) {
44
0
      throw Invalid_Argument(fmt("Tag size {} is not allowed for {}", tag_size, name()));
45
0
   }
46
0
}
47
48
0
void EAX_Mode::clear() {
49
0
   m_cipher->clear();
50
0
   m_ctr->clear();
51
0
   m_cmac->clear();
52
0
   reset();
53
0
}
54
55
0
void EAX_Mode::reset() {
56
0
   m_ad_mac.clear();
57
0
   m_nonce_mac.clear();
58
59
   // Clear out any data added to the CMAC calculation
60
0
   try {
61
0
      m_cmac->final();
62
0
   } catch(Key_Not_Set&) {}
63
0
}
64
65
0
std::string EAX_Mode::name() const {
66
0
   return (m_cipher->name() + "/EAX");
67
0
}
68
69
0
size_t EAX_Mode::update_granularity() const {
70
0
   return 1;
71
0
}
72
73
0
size_t EAX_Mode::ideal_granularity() const {
74
0
   return m_cipher->parallel_bytes();
75
0
}
76
77
0
Key_Length_Specification EAX_Mode::key_spec() const {
78
0
   return m_ctr->key_spec();
79
0
}
80
81
0
bool EAX_Mode::has_keying_material() const {
82
0
   return m_ctr->has_keying_material() && m_cmac->has_keying_material();
83
0
}
84
85
/*
86
* Set the EAX key
87
*/
88
0
void EAX_Mode::key_schedule(std::span<const uint8_t> key) {
89
   /*
90
   * These could share the key schedule, which is one nice part of EAX,
91
   * but it's much easier to ignore that here...
92
   */
93
0
   m_ctr->set_key(key);
94
0
   m_cmac->set_key(key);
95
0
}
96
97
/*
98
* Set the EAX associated data
99
*/
100
0
void EAX_Mode::set_associated_data_n(size_t idx, std::span<const uint8_t> ad) {
101
0
   BOTAN_ARG_CHECK(idx == 0, "EAX: cannot handle non-zero index in set_associated_data_n");
102
0
   if(m_nonce_mac.empty() == false) {
103
0
      throw Invalid_State("Cannot set AD for EAX while processing a message");
104
0
   }
105
0
   m_ad_mac = eax_prf(1, block_size(), *m_cmac, ad.data(), ad.size());
106
0
}
107
108
0
void EAX_Mode::start_msg(const uint8_t nonce[], size_t nonce_len) {
109
0
   if(!valid_nonce_length(nonce_len)) {
110
0
      throw Invalid_IV_Length(name(), nonce_len);
111
0
   }
112
113
0
   m_nonce_mac = eax_prf(0, block_size(), *m_cmac, nonce, nonce_len);
114
115
0
   m_ctr->set_iv(m_nonce_mac.data(), m_nonce_mac.size());
116
117
0
   for(size_t i = 0; i != block_size() - 1; ++i) {
118
0
      m_cmac->update(0);
119
0
   }
120
0
   m_cmac->update(2);
121
0
}
122
123
0
size_t EAX_Encryption::process_msg(uint8_t buf[], size_t sz) {
124
0
   BOTAN_STATE_CHECK(!m_nonce_mac.empty());
125
0
   m_ctr->cipher(buf, buf, sz);
126
0
   m_cmac->update(buf, sz);
127
0
   return sz;
128
0
}
129
130
0
void EAX_Encryption::finish_msg(secure_vector<uint8_t>& buffer, size_t offset) {
131
0
   BOTAN_STATE_CHECK(!m_nonce_mac.empty());
132
0
   update(buffer, offset);
133
134
0
   secure_vector<uint8_t> data_mac = m_cmac->final();
135
0
   xor_buf(data_mac, m_nonce_mac, data_mac.size());
136
137
0
   if(m_ad_mac.empty()) {
138
0
      m_ad_mac = eax_prf(1, block_size(), *m_cmac, nullptr, 0);
139
0
   }
140
141
0
   xor_buf(data_mac, m_ad_mac, data_mac.size());
142
143
0
   buffer += std::make_pair(data_mac.data(), tag_size());
144
145
0
   m_nonce_mac.clear();
146
0
}
147
148
0
size_t EAX_Decryption::process_msg(uint8_t buf[], size_t sz) {
149
0
   BOTAN_STATE_CHECK(!m_nonce_mac.empty());
150
0
   m_cmac->update(buf, sz);
151
0
   m_ctr->cipher(buf, buf, sz);
152
0
   return sz;
153
0
}
154
155
0
void EAX_Decryption::finish_msg(secure_vector<uint8_t>& buffer, size_t offset) {
156
0
   BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is out of range");
157
0
   const size_t sz = buffer.size() - offset;
158
0
   uint8_t* buf = buffer.data() + offset;
159
160
0
   BOTAN_ARG_CHECK(sz >= tag_size(), "input did not include the tag");
161
162
0
   const size_t remaining = sz - tag_size();
163
164
0
   if(remaining) {
165
0
      m_cmac->update(buf, remaining);
166
0
      m_ctr->cipher(buf, buf, remaining);
167
0
   }
168
169
0
   const uint8_t* included_tag = &buf[remaining];
170
171
0
   secure_vector<uint8_t> mac = m_cmac->final();
172
0
   mac ^= m_nonce_mac;
173
174
0
   if(m_ad_mac.empty()) {
175
0
      m_ad_mac = eax_prf(1, block_size(), *m_cmac, nullptr, 0);
176
0
   }
177
178
0
   mac ^= m_ad_mac;
179
180
0
   const bool accept_mac = CT::is_equal(mac.data(), included_tag, tag_size()).as_bool();
181
182
0
   buffer.resize(offset + remaining);
183
184
0
   m_nonce_mac.clear();
185
186
0
   if(!accept_mac) {
187
0
      throw Invalid_Authentication_Tag("EAX tag check failed");
188
0
   }
189
0
}
190
191
}  // namespace Botan