eax: Authenticate before decrypting in lib.rs, as before

Brings back the old behavior - it's harder to misuse but separates the
implementations of online and offline variants.

eax/src/lib.rs

@@ -148,18 +148,31 @@ where
         associated_data: &[u8],
         buffer: &mut [u8],
     ) -> Result<Tag, Error> {
-        use online::{EaxOnline, Encrypt};
-
         if buffer.len() as u64 > P_MAX || associated_data.len() as u64 > A_MAX {
             return Err(Error);
         }
 
-        let mut eax = EaxOnline::<Cipher, Encrypt>::with_key_and_nonce(&self.key, nonce);
+        // https://crypto.stackexchange.com/questions/26948/eax-cipher-mode-with-nonce-equal-header
+        // has an explanation of eax.
+
+        // l = block cipher size = 128 (for AES-128) = 16 byte
+        // 1. n ← OMAC(0 || Nonce)
+        // (the 0 means the number zero in l bits)
+        let n = Self::cmac_with_iv(&self.key, 0, nonce);
+
+        // 2. h ← OMAC(1 || associated data)
+        let h = Self::cmac_with_iv(&self.key, 1, associated_data);
+
+        // 3. enc ← CTR(M) using n as iv
+        let mut cipher = ctr::Ctr128::<Cipher>::from_block_cipher(Cipher::new(&self.key), &n);
+        cipher.apply_keystream(buffer);
 
-        eax.update_assoc(associated_data);
-        eax.encrypt(buffer);
+        // 4. c ← OMAC(2 || enc)
+        let c = Self::cmac_with_iv(&self.key, 2, buffer);
 
-        Ok(eax.finish())
+        // 5. tag ← n ^ h ^ c
+        // (^ means xor)
+        Ok(n.zip(h, |a, b| a ^ b).zip(c, |a, b| a ^ b))
     }
 
     fn decrypt_in_place_detached(
@@ -169,17 +182,57 @@ where
         buffer: &mut [u8],
         tag: &Tag,
     ) -> Result<(), Error> {
-        use online::{Decrypt, EaxOnline};
-
         if buffer.len() as u64 > C_MAX || associated_data.len() as u64 > A_MAX {
             return Err(Error);
         }
 
-        let mut eax = EaxOnline::<Cipher, Decrypt>::with_key_and_nonce(&self.key, nonce);
+        // 1. n ← OMAC(0 || Nonce)
+        let n = Self::cmac_with_iv(&self.key, 0, nonce);
+
+        // 2. h ← OMAC(1 || associated data)
+        let h = Self::cmac_with_iv(&self.key, 1, associated_data);
+
+        // 4. c ← OMAC(2 || enc)
+        let c = Self::cmac_with_iv(&self.key, 2, buffer);
+
+        // 5. tag ← n ^ h ^ c
+        // (^ means xor)
+        let expected_tag = n.zip(h, |a, b| a ^ b).zip(c, |a, b| a ^ b);
 
-        eax.update_assoc(associated_data);
-        eax.decrypt(buffer);
+        let expected_tag = &expected_tag[..tag.len()];
 
-        eax.finish(tag)
+        // Check mac using secure comparison
+        use subtle::ConstantTimeEq;
+        if expected_tag.ct_eq(tag).unwrap_u8() == 1 {
+            // Decrypt
+            let mut cipher = ctr::Ctr128::<Cipher>::from_block_cipher(Cipher::new(&self.key), &n);
+            cipher.apply_keystream(buffer);
+            Ok(())
+        } else {
+            Err(Error)
+        }
+    }
+}
+
+impl<Cipher> Eax<Cipher>
+where
+    Cipher: BlockCipher<BlockSize = U16> + NewBlockCipher + Clone,
+    Cipher::ParBlocks: ArrayLength<Block<Cipher>>,
+{
+    /// CMAC/OMAC1
+    ///
+    /// To avoid constructing new buffers on the heap, an iv encoded into 16
+    /// bytes is prepended inside this function.
+    fn cmac_with_iv(
+        key: &GenericArray<u8, Cipher::KeySize>,
+        iv: u8,
+        data: &[u8],
+    ) -> GenericArray<u8, <Cmac<Cipher> as Mac>::OutputSize> {
+        let mut mac = Cmac::<Cipher>::new(key);
+        mac.update(&[0; 15]);
+        mac.update(&[iv]);
+        mac.update(data);
+
+        mac.finalize().into_bytes()
     }
 }