EAX.cpp

/*
 * Copyright (C) 2015 Southern Storm Software, Pty Ltd.
 *
 * Permission is hereby granted, free of charge, to any person obtaining a
 * copy of this software and associated documentation files (the "Software"),
 * to deal in the Software without restriction, including without limitation
 * the rights to use, copy, modify, merge, publish, distribute, sublicense,
 * and/or sell copies of the Software, and to permit persons to whom the
 * Software is furnished to do so, subject to the following conditions:
 *
 * The above copyright notice and this permission notice shall be included
 * in all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
 * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
 * DEALINGS IN THE SOFTWARE.
 */

#include "EAX.h"
#include "Crypto.h"
#include <string.h>

EAXCommon::EAXCommon()
    : blockCipher(0)
{
    state.encPosn = 0;
    state.authPosn = 0;
    state.authMode = 0;
}

EAXCommon::~EAXCommon()
{
    clean(state);
}

size_t EAXCommon::keySize() const
{
    return blockCipher->keySize();
}

size_t EAXCommon::ivSize() const
{
    // Can use any size but 16 is recommended.
    return 16;
}

size_t EAXCommon::tagSize() const
{
    // Tags can be up to 16 bytes in length.
    return 16;
}

bool EAXCommon::setKey(const uint8_t *key, size_t len)
{
    return blockCipher->setKey(key, len);
}

bool EAXCommon::setIV(const uint8_t *iv, size_t len)
{
    // Must have at least 1 byte for the IV.
    if (!len)
        return false;

    // Hash the IV to create the initial nonce for CTR mode.  Also creates B.
    omacInitFirst(state.counter);
    omacUpdate(state.counter, iv, len);
    omacFinal(state.counter);

    // The tag is initially the nonce value.  Will be XOR'ed with
    // the hash of the authenticated and encrypted data later.
    memcpy(state.tag, state.counter, 16);

    // Start the hashing context for the authenticated data.
    omacInit(state.hash, 1);
    state.encPosn = 16;
    state.authMode = 1;

    // The EAX context is ready to go.
    return true;
}

void EAXCommon::encrypt(uint8_t *output, const uint8_t *input, size_t len)
{
    if (state.authMode)
        closeAuthData();
    encryptCTR(output, input, len);
    omacUpdate(state.hash, output, len);
}

void EAXCommon::decrypt(uint8_t *output, const uint8_t *input, size_t len)
{
    if (state.authMode)
        closeAuthData();
    omacUpdate(state.hash, input, len);
    encryptCTR(output, input, len);
}

void EAXCommon::addAuthData(const void *data, size_t len)
{
    if (state.authMode)
        omacUpdate(state.hash, (const uint8_t *)data, len);
}

void EAXCommon::computeTag(void *tag, size_t len)
{
    closeTag();
    if (len > 16)
        len = 16;
    memcpy(tag, state.tag, len);
}

bool EAXCommon::checkTag(const void *tag, size_t len)
{
    // Can never match if the expected tag length is too long.
    if (len > 16)
        return false;

    // Compute the final tag and check it.
    closeTag();
    return secure_compare(state.tag, tag, len);
}

void EAXCommon::clear()
{
    clean(state);
}

// Doubles a 128-bit value in the GF(2^128) field.
static void gfDouble(uint8_t value[16])
{
    uint16_t temp = 0;
    for (uint8_t index = 16; index > 0; ) {
        --index;
        temp |= (((uint16_t)(value[index])) << 1);
        value[index] = (uint8_t)temp;
        temp >>= 8;
    }
    value[15] ^= (uint8_t)((-temp) & 0x87);
}

void EAXCommon::omacInitFirst(uint8_t omac[16])
{
    // Start the OMAC context for the nonce.  We assume that the
    // data that follows will be at least 1 byte in length so that
    // we can encrypt the zeroes now to derive the B value.
    memset(omac, 0, 16);
    blockCipher->encryptBlock(omac, omac);
    state.authPosn = 0;

    // Generate the B value from the encrypted block of zeroes.
    // We will need this later when finalising the OMAC hashes.
    memcpy(state.b, omac, 16);
    gfDouble(state.b);
}

void EAXCommon::omacInit(uint8_t omac[16], uint8_t t)
{
    memset(omac, 0, 15);
    omac[15] = t;
    state.authPosn = 16;
}

void EAXCommon::omacUpdate(uint8_t omac[16], const uint8_t *data, size_t len)
{
    while (len > 0) {
        // Encrypt the current block if it is already full.
        if (state.authPosn == 16) {
            blockCipher->encryptBlock(omac, omac);
            state.authPosn = 0;
        }

        // XOR the incoming data with the current block.
        uint8_t size = 16 - state.authPosn;
        if (size > len)
            size = (uint8_t)len;
        for (uint8_t index = 0; index < size; ++index)
            omac[(state.authPosn)++] ^= data[index];

        // Move onto the next block.
        len -= size;
        data += size;
    }
}

void EAXCommon::omacFinal(uint8_t omac[16])
{
    // Apply padding if necessary.
    if (state.authPosn != 16) {
        // Need padding: XOR with P = 2 * B.
        uint8_t p[16];
        memcpy(p, state.b, 16);
        gfDouble(p);
        omac[state.authPosn] ^= 0x80;
        for (uint8_t index = 0; index < 16; ++index)
            omac[index] ^= p[index];
        clean(p);
    } else {
        // No padding necessary: XOR with B.
        for (uint8_t index = 0; index < 16; ++index)
            omac[index] ^= state.b[index];
    }

    // Encrypt the hash to get the final OMAC value.
    blockCipher->encryptBlock(omac, omac);
}

void EAXCommon::closeAuthData()
{
    // Finalise the OMAC hash and XOR it with the final tag.
    omacFinal(state.hash);
    for (uint8_t index = 0; index < 16; ++index)
        state.tag[index] ^= state.hash[index];
    state.authMode = 0;

    // Initialise the hashing context for the ciphertext data.
    omacInit(state.hash, 2);
}

void EAXCommon::encryptCTR(uint8_t *output, const uint8_t *input, size_t len)
{
    while (len > 0) {
        // Do we need to start a new block?
        if (state.encPosn == 16) {
            // Encrypt the counter to create the next keystream block.
            blockCipher->encryptBlock(state.stream, state.counter);
            state.encPosn = 0;

            // Increment the counter, taking care not to reveal
            // any timing information about the starting value.
            // We iterate through the entire counter region even
            // if we could stop earlier because a byte is non-zero.
            uint16_t temp = 1;
            uint8_t index = 16;
            while (index > 0) {
                --index;
                temp += state.counter[index];
                state.counter[index] = (uint8_t)temp;
                temp >>= 8;
            }
        }

        // Encrypt/decrypt the current input block.
        uint8_t size = 16 - state.encPosn;
        if (size > len)
            size = (uint8_t)len;
        for (uint8_t index = 0; index < size; ++index)
            output[index] = input[index] ^ state.stream[(state.encPosn)++];

        // Move onto the next block.
        len -= size;
        input += size;
        output += size;
    }
}

void EAXCommon::closeTag()
{
    // If we were only authenticating, then close off auth mode.
    if (state.authMode)
        closeAuthData();

    // Finalise the hash over the ciphertext and XOR with the final tag.
    omacFinal(state.hash);
    for (uint8_t index = 0; index < 16; ++index)
        state.tag[index] ^= state.hash[index];
}