#if !BESTHTTP_DISABLE_ALTERNATE_SSL && (!UNITY_WEBGL || UNITY_EDITOR)
using System;
using Org.BouncyCastle.Crypto.Macs;
using Org.BouncyCastle.Crypto.Parameters;
using Org.BouncyCastle.Utilities;
namespace Org.BouncyCastle.Crypto.Modes
{
/**
* A Two-Pass Authenticated-Encryption Scheme Optimized for Simplicity and
* Efficiency - by M. Bellare, P. Rogaway, D. Wagner.
*
* http://www.cs.ucdavis.edu/~rogaway/papers/eax.pdf
*
* EAX is an AEAD scheme based on CTR and OMAC1/CMAC, that uses a single block
* cipher to encrypt and authenticate data. It's on-line (the length of a
* message isn't needed to begin processing it), has good performances, it's
* simple and provably secure (provided the underlying block cipher is secure).
*
* Of course, this implementations is NOT thread-safe.
*/
public class EaxBlockCipher
: IAeadBlockCipher
{
private enum Tag : byte { N, H, C };
private SicBlockCipher cipher;
private bool forEncryption;
private int blockSize;
private IMac mac;
private byte[] nonceMac;
private byte[] associatedTextMac;
private byte[] macBlock;
private int macSize;
private byte[] bufBlock;
private int bufOff;
private bool cipherInitialized;
private byte[] initialAssociatedText;
/**
* Constructor that accepts an instance of a block cipher engine.
*
* @param cipher the engine to use
*/
public EaxBlockCipher(
IBlockCipher cipher)
{
blockSize = cipher.GetBlockSize();
mac = new CMac(cipher);
macBlock = new byte[blockSize];
associatedTextMac = new byte[mac.GetMacSize()];
nonceMac = new byte[mac.GetMacSize()];
this.cipher = new SicBlockCipher(cipher);
}
public virtual string AlgorithmName
{
get { return cipher.GetUnderlyingCipher().AlgorithmName + "/EAX"; }
}
public virtual IBlockCipher GetUnderlyingCipher()
{
return cipher;
}
public virtual int GetBlockSize()
{
return cipher.GetBlockSize();
}
public virtual void Init(
bool forEncryption,
ICipherParameters parameters)
{
this.forEncryption = forEncryption;
byte[] nonce;
ICipherParameters keyParam;
if (parameters is AeadParameters)
{
AeadParameters param = (AeadParameters) parameters;
nonce = param.GetNonce();
initialAssociatedText = param.GetAssociatedText();
macSize = param.MacSize / 8;
keyParam = param.Key;
}
else if (parameters is ParametersWithIV)
{
ParametersWithIV param = (ParametersWithIV) parameters;
nonce = param.GetIV();
initialAssociatedText = null;
macSize = mac.GetMacSize() / 2;
keyParam = param.Parameters;
}
else
{
throw new ArgumentException("invalid parameters passed to EAX");
}
bufBlock = new byte[forEncryption ? blockSize : (blockSize + macSize)];
byte[] tag = new byte[blockSize];
// Key reuse implemented in CBC mode of underlying CMac
mac.Init(keyParam);
tag[blockSize - 1] = (byte)Tag.N;
mac.BlockUpdate(tag, 0, blockSize);
mac.BlockUpdate(nonce, 0, nonce.Length);
mac.DoFinal(nonceMac, 0);
// Same BlockCipher underlies this and the mac, so reuse last key on cipher
cipher.Init(true, new ParametersWithIV(null, nonceMac));
Reset();
}
private void InitCipher()
{
if (cipherInitialized)
{
return;
}
cipherInitialized = true;
mac.DoFinal(associatedTextMac, 0);
byte[] tag = new byte[blockSize];
tag[blockSize - 1] = (byte)Tag.C;
mac.BlockUpdate(tag, 0, blockSize);
}
private void CalculateMac()
{
byte[] outC = new byte[blockSize];
mac.DoFinal(outC, 0);
for (int i = 0; i < macBlock.Length; i++)
{
macBlock[i] = (byte)(nonceMac[i] ^ associatedTextMac[i] ^ outC[i]);
}
}
public virtual void Reset()
{
Reset(true);
}
private void Reset(
bool clearMac)
{
cipher.Reset(); // TODO Redundant since the mac will reset it?
mac.Reset();
bufOff = 0;
Array.Clear(bufBlock, 0, bufBlock.Length);
if (clearMac)
{
Array.Clear(macBlock, 0, macBlock.Length);
}
byte[] tag = new byte[blockSize];
tag[blockSize - 1] = (byte)Tag.H;
mac.BlockUpdate(tag, 0, blockSize);
cipherInitialized = false;
if (initialAssociatedText != null)
{
ProcessAadBytes(initialAssociatedText, 0, initialAssociatedText.Length);
}
}
public virtual void ProcessAadByte(byte input)
{
if (cipherInitialized)
{
throw new InvalidOperationException("AAD data cannot be added after encryption/decryption processing has begun.");
}
mac.Update(input);
}
public virtual void ProcessAadBytes(byte[] inBytes, int inOff, int len)
{
if (cipherInitialized)
{
throw new InvalidOperationException("AAD data cannot be added after encryption/decryption processing has begun.");
}
mac.BlockUpdate(inBytes, inOff, len);
}
public virtual int ProcessByte(
byte input,
byte[] outBytes,
int outOff)
{
InitCipher();
return Process(input, outBytes, outOff);
}
public virtual int ProcessBytes(
byte[] inBytes,
int inOff,
int len,
byte[] outBytes,
int outOff)
{
InitCipher();
int resultLen = 0;
for (int i = 0; i != len; i++)
{
resultLen += Process(inBytes[inOff + i], outBytes, outOff + resultLen);
}
return resultLen;
}
public virtual int DoFinal(
byte[] outBytes,
int outOff)
{
InitCipher();
int extra = bufOff;
byte[] tmp = new byte[bufBlock.Length];
bufOff = 0;
if (forEncryption)
{
Check.OutputLength(outBytes, outOff, extra + macSize, "Output buffer too short");
cipher.ProcessBlock(bufBlock, 0, tmp, 0);
Array.Copy(tmp, 0, outBytes, outOff, extra);
mac.BlockUpdate(tmp, 0, extra);
CalculateMac();
Array.Copy(macBlock, 0, outBytes, outOff + extra, macSize);
Reset(false);
return extra + macSize;
}
else
{
if (extra < macSize)
throw new InvalidCipherTextException("data too short");
Check.OutputLength(outBytes, outOff, extra - macSize, "Output buffer too short");
if (extra > macSize)
{
mac.BlockUpdate(bufBlock, 0, extra - macSize);
cipher.ProcessBlock(bufBlock, 0, tmp, 0);
Array.Copy(tmp, 0, outBytes, outOff, extra - macSize);
}
CalculateMac();
if (!VerifyMac(bufBlock, extra - macSize))
throw new InvalidCipherTextException("mac check in EAX failed");
Reset(false);
return extra - macSize;
}
}
public virtual byte[] GetMac()
{
byte[] mac = new byte[macSize];
Array.Copy(macBlock, 0, mac, 0, macSize);
return mac;
}
public virtual int GetUpdateOutputSize(
int len)
{
int totalData = len + bufOff;
if (!forEncryption)
{
if (totalData < macSize)
{
return 0;
}
totalData -= macSize;
}
return totalData - totalData % blockSize;
}
public virtual int GetOutputSize(
int len)
{
int totalData = len + bufOff;
if (forEncryption)
{
return totalData + macSize;
}
return totalData < macSize ? 0 : totalData - macSize;
}
private int Process(
byte b,
byte[] outBytes,
int outOff)
{
bufBlock[bufOff++] = b;
if (bufOff == bufBlock.Length)
{
Check.OutputLength(outBytes, outOff, blockSize, "Output buffer is too short");
// TODO Could move the ProcessByte(s) calls to here
// InitCipher();
int size;
if (forEncryption)
{
size = cipher.ProcessBlock(bufBlock, 0, outBytes, outOff);
mac.BlockUpdate(outBytes, outOff, blockSize);
}
else
{
mac.BlockUpdate(bufBlock, 0, blockSize);
size = cipher.ProcessBlock(bufBlock, 0, outBytes, outOff);
}
bufOff = 0;
if (!forEncryption)
{
Array.Copy(bufBlock, blockSize, bufBlock, 0, macSize);
bufOff = macSize;
}
return size;
}
return 0;
}
private bool VerifyMac(byte[] mac, int off)
{
int nonEqual = 0;
for (int i = 0; i < macSize; i++)
{
nonEqual |= (macBlock[i] ^ mac[off + i]);
}
return nonEqual == 0;
}
}
}
#endif