import from branch_1_1:

[freeradius.git] / src / modules / rlm_eap / types / rlm_eap_psk / EAX.cpp

/*\r
 * EAX.cpp\r
 *\r
 * The EAX authenticated encryption mode of operation,\r
 * designed by M. Bellare, P. Rogaway and D. Wagner.\r
 *\r
 * @author Paulo S. L. M. Barreto\r
 *\r
 * @version 2.0\r
 *\r
 * This software is hereby placed in the public domain.\r
 *\r
 * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS\r
 * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED\r
 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE\r
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE\r
 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR\r
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF\r
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\r
 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\r
 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\r
 * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,\r
 * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\r
 */\r
\r
#include <freeradius-devel/ident.h>\r
RCSID("$Id$")\r
\r
#include <assert.h>\r
#include <string.h>\r
#include <stdlib.h>\r
\r
#include "EAX.h"\r
\r
EAX::EAX() {\r
        _E = 0; // block cipher context\r
        tag_size = 0;\r
        block_size = 0;\r
        t_n = 0;      // [t]_n\r
        _C = 0;       // CTR context\r
        nt = 0;\r
        ht = 0;\r
        mt = 0;\r
}\r
\r
/*********************************************************************\r
 * Calls common to incremental and non-incremental API\r
 ********************************************************************/\r
\r
void EAX::initialize(const byte* K, uint k, uint t, BlockCipher* E) {\r
        if (E == 0) {\r
                throw "Invalid cipher";\r
        }\r
    if (K == 0) {\r
        throw "Invalid key size";\r
    }\r
    if (t > E->blockSize()) {\r
        throw "Invalid tag size";\r
    }\r
    _E = E;\r
    _E->makeKey(K, k, DIR_ENCRYPT);\r
    _C = new CTR(_E);\r
    tag_size = t;\r
    block_size = _E->blockSize();\r
    t_n = (byte *)calloc(block_size, 1);\r
    nt = (byte *)calloc(block_size, 1);\r
    ht = (byte *)calloc(block_size, 1);\r
    mt = (byte *)calloc(block_size, 1);\r
}\r
\r
/**\r
 * Session is over; destroy all key material and cleanup!\r
 */\r
EAX::~EAX() {\r
        if (_E != 0) {\r
                t_n[block_size - 1] = 0;\r
                delete _C;\r
                memset(nt, (byte)0, block_size);\r
                memset(ht, (byte)0, block_size);\r
                memset(mt, (byte)0, block_size);\r
        }\r
}\r
\r
/**\r
 * Supply a message header. The header "grows" with each call\r
 * until a eax_provide_header() call is made that follows a\r
 * eax_encrypt(), eax_decrypt(), eax_provide_plaintext(),\r
 * eax_provide_ciphertext() or eax_compute_plaintext() call.\r
 * That starts reinitializes the header.\r
 */\r
void EAX::provideHeader(const byte* H, uint h) {\r
    if (H == 0 && h > 0) {\r
        throw "Invalid header";\r
    }\r
    _H.update(H, h);\r
}\r
\r
\r
/*********************************************************************\r
 * All-in-one, non-incremental interface\r
 ********************************************************************/\r
\r
/**\r
 * Encrypt the given message with the given key, nonce and header.\r
 * Specify the header (if nonempty) with eax_provide_header().\r
 */\r
void EAX::encrypt(\r
        const byte* N,  // the nonce and\r
        uint n,         // its length (in bytes), and\r
        const byte* M,  // the plaintext and\r
        uint m,         // its length (in bytes).\r
        byte* C,        // The m-byte ciphertext\r
        byte* T) {      // and the tag T are returned.\r
    provideNonce(N, n);\r
    computeCiphertext(M, m, C);\r
    if (T != 0) {\r
        computeTag(T);\r
    }\r
}\r
\r
/**\r
 * Decrypt the given ciphertext with the given key, nonce and header.\r
 * Specify the header (if nonempty) with eax_provide_header().\r
 * Returns 1 for a valid ciphertext, 0 for an invalid ciphertext and for invalid or missing parameters.\r
 */\r
bool EAX::decrypt(\r
        const byte* N,  // the nonce and\r
        uint n,         // its length (in bytes), and\r
        const byte* C,  // the ciphertext and\r
        uint c,         // its length (in bytes), and\r
        const byte* T,  // the tag.\r
        byte* P) {      // if valid, return the c-byte plaintext.\r
    provideNonce(N, n);\r
    provideCiphertext(C, c);\r
    if (checkTag(T)) {\r
        computePlaintext(C, c, P);\r
        return true;\r
    } else {\r
        return false;\r
    }\r
}\r
\r
\r
/*********************************************************************\r
 * Incremental interface\r
 ********************************************************************/\r
\r
/**\r
 * Provide a nonce. For encryption, do this before calling\r
 * eax_compute_ciphertext() and eax_compute_tag();\r
 * for decryption, do this before calling\r
 * eax_provide_ciphertext(), eax_check_tag, or eax_compute_plaintext().\r
 */\r
void EAX::provideNonce(const byte* N, uint n) {\r
    if (N == 0 && n > 0) {\r
        throw "Invalid nonce";\r
    }\r
    // nonce OMAC:\r
    t_n[block_size - 1] = 0;\r
    _N.init(_E);\r
    _N.update(t_n, block_size);\r
    _N.update(N, n);\r
    _N.final(nt);\r
    _C->init(nt); // N <- OMAC_K^0(N)\r
    memset(nt, (byte)0, block_size);\r
    // header OMAC:\r
    t_n[block_size - 1] = 1;\r
    _H.init(_E);\r
    _H.update(t_n, block_size);\r
    // message OMAC:\r
    t_n[block_size - 1] = 2;\r
    _M.init(_E);\r
    _M.update(t_n, block_size);\r
}\r
\r
/**\r
 * Encrypt a message or a part of a message.\r
 * The nonce needs already to have been\r
 * specified by a call to eax_provide_nonce().\r
 */\r
void EAX::computeCiphertext(const byte* M, uint m, byte* C) {\r
    if (M == 0 && m > 0 ||\r
        C == 0) {\r
        throw "Invalid buffer(s)";\r
    }\r
    _C->update(M, m, C);\r
    _M.update(C, m);\r
}\r
\r
/**\r
 * Message and header finished: compute the authentication tag that is a part\r
 * of the complete ciphertext.\r
 */\r
void EAX::computeTag(byte* T) {     // compute the tag T.\r
    if (T == 0 && tag_size > 0) {\r
        throw "Invalid tag";\r
    }\r
    //assert(M.t < block_size);   // at least [t]_n must have been provided\r
    _N.final(nt);\r
    _H.final(ht);\r
    _M.final(mt);\r
    for (uint i = 0; i < tag_size; i++) {\r
        T[i] = (byte)(nt[i] ^ ht[i] ^ mt[i]);\r
    }\r
}\r
\r
/**\r
 * Supply the ciphertext, or the next piece of ciphertext.\r
 * This is used to check for the subsequent authenticity check eax_check_tag().\r
 */\r
void EAX::provideCiphertext(const byte* C, uint c) {\r
    if (C == 0 && c > 0) {\r
        throw "Invalid ciphertext";\r
    }\r
    _M.update(C, c);\r
}\r
\r
/**\r
 * The nonce, ciphertext and header have all been fully provided; check if\r
 * they are valid for the given tag.\r
 * Returns true for a valid ciphertext, false for an invalid ciphertext\r
 * (in which case plaintext/ciphertext might be zeroized as well).\r
 */\r
bool EAX::checkTag(const byte* T) {\r
    if (T == 0 && tag_size > 0) {\r
        throw "Invalid tag";\r
    }\r
    //assert(M.t < block_size);   // at least [t]_n must have been provided\r
    _N.final(nt);\r
    _H.final(ht);\r
    _M.final(mt);\r
    for (uint i = 0; i < tag_size; i++) {\r
        if (T[i] != (byte)(nt[i] ^ ht[i] ^ mt[i])) {\r
            return false;\r
        }\r
    }\r
    return true;\r
}\r
\r
/**\r
 * Recover the plaintext from the provided ciphertext.\r
 * A call to eax_provide_nonce() needs to precede this call.\r
 * The caller is responsible for separately checking if the ciphertext is valid.\r
 * Normally this would be done before computing the plaintext with\r
 * eax_compute_plaintext().\r
 */\r
void EAX::computePlaintext(const byte* C, uint c, byte* P) {\r
    if (C == 0 && c > 0 ||\r
        P == 0) {\r
        throw "Invalid buffer(s)";\r
    }\r
    _C->update(C, c, P);\r
}\r
\r