1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147

#![no_std]

//! This eax implementation uses a block cipher in counter mode for encryption
//! and the block cipher in CBC mode to generate the OMAC/CMAC/CBCMAC.
//!
//! EAX is an AEAD (Authenticated Encryption with Associated Data) encryption
//! scheme.

#[cfg(test)]
#[macro_use]
extern crate std;

use block_cipher_trait::generic_array::functional::FunctionalSequence;
use block_cipher_trait::generic_array::typenum::U16;
use block_cipher_trait::generic_array::{ArrayLength, GenericArray};
use block_cipher_trait::BlockCipher;
use cmac::crypto_mac::MacResult;
use cmac::{Cmac, Mac};
use ctr::stream_cipher::{NewStreamCipher, SyncStreamCipher};
use subtle::ConstantTimeEq;

pub struct Eax<C: BlockCipher<BlockSize = U16> + Clone>
where C::ParBlocks: ArrayLength<GenericArray<u8, U16>>
{
	phantom: core::marker::PhantomData<C>,
}

impl<C: BlockCipher<BlockSize = U16> + Clone> Eax<C>
where C::ParBlocks: ArrayLength<GenericArray<u8, U16>>
{
	/// Encrypt and authenticate data.
	///
	/// # Arguments
	/// - `key`: The key to use for encryption.
	/// - `nonce`: The nonce to use for encryption.
	/// - `header`: Associated data, which will also be authenticated.
	/// - `data`: The data which will be encrypted in-place.
	///
	/// # Return value
	/// tag/mac
	pub fn encrypt(
		key: &GenericArray<u8, C::KeySize>,
		nonce: &GenericArray<u8, C::KeySize>,
		header: &[u8],
		data: &mut [u8],
	) -> GenericArray<u8, <Cmac<C> as Mac>::OutputSize>
	{
		// https://crypto.stackexchange.com/questions/26948/eax-cipher-mode-with-nonce-equal-header
		// has an explanation of eax.

		// l = block cipher size = 128 (for AES-128) = 16 byte
		// 1. n ← OMAC(0 || Nonce)
		// (the 0 means the number zero in l bits)
		let n = Self::cmac_with_iv(key, 0, nonce).code();

		// 2. h ← OMAC(1 || associated data)
		let h = Self::cmac_with_iv(key, 1, header).code();

		// 3. enc ← CTR(M) using n as iv
		let mut cipher = ctr::Ctr128::<C>::new(key, &n);
		cipher.apply_keystream(data);

		// 4. c ← OMAC(2 || enc)
		let c = Self::cmac_with_iv(key, 2, data).code();

		// 5. tag ← n ^ h ^ c
		// (^ means xor)
		n.zip(h, |a, b| a ^ b).zip(c, |a, b| a ^ b)
	}

	/// Check authentication and decrypt data.
	pub fn decrypt(
		key: &GenericArray<u8, C::KeySize>,
		nonce: &GenericArray<u8, C::KeySize>,
		header: &[u8],
		data: &mut [u8],
		mac: &[u8],
	) -> Result<(), cmac::crypto_mac::MacError>
	{
		// 2. n ← OMAC(0 || Nonce)
		let n = Self::cmac_with_iv(key, 0, nonce).code();

		// 2. h ← OMAC(1 || associated data)
		let h = Self::cmac_with_iv(key, 1, header).code();

		// 4. c ← OMAC(2 || enc)
		let c = Self::cmac_with_iv(key, 2, data).code();

		let mac2 = n.zip(h, |a, b| a ^ b).zip(c, |a, b| a ^ b);

		// Take only the needed length
		let mac2 = &mac2[..mac.len()];

		// Check mac using secure comparison
		if mac.ct_eq(mac2).unwrap_u8() != 1 {
			return Err(cmac::crypto_mac::MacError);
		}

		// Decrypt
		let mut cipher = ctr::Ctr128::<C>::new(key, &n);
		cipher.apply_keystream(data);
		Ok(())
	}

	/// CMAC/OMAC1
	///
	/// To avoid constructing new buffers on the heap, an iv encoded into 16
	/// bytes is prepended inside this function.
	fn cmac_with_iv(
		key: &GenericArray<u8, C::KeySize>,
		iv: u8,
		data: &[u8],
	) -> MacResult<<Cmac<C> as Mac>::OutputSize>
	{
		let mut mac = Cmac::<C>::new(key);
		mac.input(&[0; 15]);
		mac.input(&[iv]);
		mac.input(data);

		mac.result()
	}
}

#[cfg(test)]
mod test {
	use super::*;

	use std::prelude::v1::*;
	use quickcheck::quickcheck;

	#[test]
	fn known_data() {
		let mut data = [1, 2, 3, 4, 5];
		let mac = Eax::<aes::Aes128>::encrypt(&[0; 16].into(), &[0; 16].into(), &[1, 2, 3, 4], &mut data);
		assert_eq!(mac.as_slice(), &[232, 88, 147, 206, 130, 126, 14, 121, 62, 127, 33, 233, 239, 81, 51, 177]);
		assert_eq!(&data, &[182, 81, 68, 170, 62]);
	}

	quickcheck! {
		fn roundtrip(data: Vec<u8>) -> bool {
			let mut enc = data.clone();
			let mac = Eax::<aes::Aes128>::encrypt(&[0; 16].into(), &[0; 16].into(), &[1, 2, 3, 4], &mut enc);
			Eax::<aes::Aes128>::decrypt(&[0; 16].into(), &[0; 16].into(), &[1, 2, 3, 4], &mut enc, &mac).unwrap();
			data == enc
		}
	}
}