mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-25 16:05:43 +01:00
Implement AES-XTS mode
XTS mode is fully known as "xor-encrypt-xor with ciphertext-stealing". This is the generalization of the XEX mode. This implementation is limited to an 8-bits (1 byte) boundary, which doesn't seem to be what was thought considering some test vectors [1]. This commit comes with tests, extracted from [1], and benchmarks. Although, benchmarks aren't really nice here, as they work with a buffer of a multiple of 16 bytes, which isn't a challenge for XTS compared to XEX. [1] http://csrc.nist.gov/groups/STM/cavp/documents/aes/XTSTestVectors.zip
This commit is contained in:
parent
380162c34c
commit
5f77801ac3
@ -237,6 +237,34 @@ int mbedtls_aes_crypt_xex( mbedtls_aes_context *crypt_ctx,
|
||||
unsigned char *output );
|
||||
#endif /* MBEDTLS_CIPHER_MODE_XEX */
|
||||
|
||||
#if defined(MBEDTLS_CIPHER_MODE_XTS)
|
||||
/**
|
||||
* \brief AES-XTS buffer encryption/decryption
|
||||
* Length should be greater or equal than the block size (16
|
||||
* bytes, 128 bits)
|
||||
*
|
||||
* Warning: The bits_length parameter must given be in bits, not bytes like the
|
||||
* other modes
|
||||
*
|
||||
* \param crypt_ctx AES context for encrypting data
|
||||
* \param tweak_ctx AES context for xor-ing with data
|
||||
* \param mode MBEDTLS_AES_ENCRYPT or MBEDTLS_AES_DECRYPT
|
||||
* \param bits_length length of the input data (in bits)
|
||||
* \param iv initialization vector
|
||||
* \param input buffer holding the input data
|
||||
* \param output buffer holding the output data
|
||||
*
|
||||
* \return 0 if successful, or MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH
|
||||
*/
|
||||
int mbedtls_aes_crypt_xts( mbedtls_aes_context *crypt_ctx,
|
||||
mbedtls_aes_context *tweak_ctx,
|
||||
int mode,
|
||||
size_t bits_length,
|
||||
unsigned char iv[16],
|
||||
const unsigned char *input,
|
||||
unsigned char *output );
|
||||
#endif /* MBEDTLS_CIPHER_MODE_XTS */
|
||||
|
||||
#if defined(MBEDTLS_CIPHER_MODE_CFB)
|
||||
/**
|
||||
* \brief This function performs an AES-CFB128 encryption or decryption
|
||||
|
@ -508,6 +508,14 @@
|
||||
*/
|
||||
#define MBEDTLS_CIPHER_MODE_XEX
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_CIPHER_MODE_XTS
|
||||
*
|
||||
* Enable Xor-encrypt-xor with ciphertext stealing mode (XTS) for symmetric
|
||||
* ciphers.
|
||||
*/
|
||||
#define MBEDTLS_CIPHER_MODE_XTS
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_CIPHER_MODE_OFB
|
||||
*
|
||||
|
141
library/aes.c
141
library/aes.c
@ -44,7 +44,7 @@
|
||||
#include "mbedtls/aesni.h"
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_CIPHER_MODE_XEX)
|
||||
#if defined(MBEDTLS_CIPHER_MODE_XEX) || defined(MBEDTLS_CIPHER_MODE_XTS)
|
||||
#include "mbedtls/gf128mul.h"
|
||||
#endif
|
||||
|
||||
@ -1045,6 +1045,145 @@ first:
|
||||
}
|
||||
#endif /* MBEDTLS_CIPHER_MODE_XEX */
|
||||
|
||||
#if defined(MBEDTLS_CIPHER_MODE_XTS)
|
||||
/*
|
||||
* AES-XTS buffer encryption/decryption
|
||||
*/
|
||||
int mbedtls_aes_crypt_xts( mbedtls_aes_context *crypt_ctx,
|
||||
mbedtls_aes_context *tweak_ctx,
|
||||
int mode,
|
||||
size_t bits_length,
|
||||
unsigned char iv[16],
|
||||
const unsigned char *input,
|
||||
unsigned char *output )
|
||||
{
|
||||
union xts_buf128 {
|
||||
uint8_t u8[16];
|
||||
uint64_t u64[2];
|
||||
};
|
||||
|
||||
union xts_buf128 scratch;
|
||||
union xts_buf128 cts_scratch;
|
||||
union xts_buf128 t_buf;
|
||||
union xts_buf128 cts_t_buf;
|
||||
union xts_buf128 *inbuf;
|
||||
union xts_buf128 *outbuf;
|
||||
|
||||
size_t length = bits_length / 8;
|
||||
size_t nblk = length / 16;
|
||||
size_t remn = length % 16;
|
||||
|
||||
inbuf = (union xts_buf128*)input;
|
||||
outbuf = (union xts_buf128*)output;
|
||||
|
||||
/* For performing the ciphertext-stealing operation, we have to get at least
|
||||
* one complete block */
|
||||
if( length < 16 )
|
||||
return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
|
||||
|
||||
|
||||
mbedtls_aes_crypt_ecb( tweak_ctx, MBEDTLS_AES_ENCRYPT, iv, t_buf.u8 );
|
||||
|
||||
if( mode == MBEDTLS_AES_DECRYPT && remn )
|
||||
{
|
||||
if( nblk == 1 )
|
||||
goto decrypt_only_one_full_block;
|
||||
nblk--;
|
||||
}
|
||||
|
||||
goto first;
|
||||
|
||||
do
|
||||
{
|
||||
mbedtls_gf128mul_x_ble( t_buf.u8, t_buf.u8 );
|
||||
|
||||
first:
|
||||
/* PP <- T xor P */
|
||||
scratch.u64[0] = (uint64_t)( inbuf->u64[0] ^ t_buf.u64[0] );
|
||||
scratch.u64[1] = (uint64_t)( inbuf->u64[1] ^ t_buf.u64[1] );
|
||||
|
||||
/* CC <- E(Key2,PP) */
|
||||
mbedtls_aes_crypt_ecb( crypt_ctx, mode, scratch.u8, outbuf->u8 );
|
||||
|
||||
/* C <- T xor CC */
|
||||
outbuf->u64[0] = (uint64_t)( outbuf->u64[0] ^ t_buf.u64[0] );
|
||||
outbuf->u64[1] = (uint64_t)( outbuf->u64[1] ^ t_buf.u64[1] );
|
||||
|
||||
inbuf += 1;
|
||||
outbuf += 1;
|
||||
nblk -= 1;
|
||||
} while( nblk > 0 );
|
||||
|
||||
/* Ciphertext stealing, if necessary */
|
||||
if( remn != 0 )
|
||||
{
|
||||
outbuf = (union xts_buf128*)output;
|
||||
inbuf = (union xts_buf128*)input;
|
||||
nblk = length / 16;
|
||||
|
||||
if( mode == MBEDTLS_AES_ENCRYPT )
|
||||
{
|
||||
memcpy( cts_scratch.u8, (uint8_t*)&inbuf[nblk], remn );
|
||||
memcpy( cts_scratch.u8 + remn, ((uint8_t*)&outbuf[nblk - 1]) + remn, 16 - remn );
|
||||
memcpy( (uint8_t*)&outbuf[nblk], (uint8_t*)&outbuf[nblk - 1], remn );
|
||||
|
||||
mbedtls_gf128mul_x_ble( t_buf.u8, t_buf.u8 );
|
||||
|
||||
/* PP <- T xor P */
|
||||
scratch.u64[0] = (uint64_t)( cts_scratch.u64[0] ^ t_buf.u64[0] );
|
||||
scratch.u64[1] = (uint64_t)( cts_scratch.u64[1] ^ t_buf.u64[1] );
|
||||
|
||||
/* CC <- E(Key2,PP) */
|
||||
mbedtls_aes_crypt_ecb( crypt_ctx, mode, scratch.u8, scratch.u8 );
|
||||
|
||||
/* C <- T xor CC */
|
||||
outbuf[nblk - 1].u64[0] = (uint64_t)( scratch.u64[0] ^ t_buf.u64[0] );
|
||||
outbuf[nblk - 1].u64[1] = (uint64_t)( scratch.u64[1] ^ t_buf.u64[1] );
|
||||
}
|
||||
else /* AES_DECRYPT */
|
||||
{
|
||||
mbedtls_gf128mul_x_ble( t_buf.u8, t_buf.u8 );
|
||||
|
||||
decrypt_only_one_full_block:
|
||||
cts_t_buf.u64[0] = t_buf.u64[0];
|
||||
cts_t_buf.u64[1] = t_buf.u64[1];
|
||||
|
||||
mbedtls_gf128mul_x_ble( t_buf.u8, t_buf.u8 );
|
||||
|
||||
/* PP <- T xor P */
|
||||
scratch.u64[0] = (uint64_t)( inbuf[nblk - 1].u64[0] ^ t_buf.u64[0] );
|
||||
scratch.u64[1] = (uint64_t)( inbuf[nblk - 1].u64[1] ^ t_buf.u64[1] );
|
||||
|
||||
/* CC <- E(Key2,PP) */
|
||||
mbedtls_aes_crypt_ecb( crypt_ctx, mode, scratch.u8, scratch.u8 );
|
||||
|
||||
/* C <- T xor CC */
|
||||
cts_scratch.u64[0] = (uint64_t)( scratch.u64[0] ^ t_buf.u64[0] );
|
||||
cts_scratch.u64[1] = (uint64_t)( scratch.u64[1] ^ t_buf.u64[1] );
|
||||
|
||||
|
||||
memcpy( (uint8_t*)&inbuf[nblk - 1], (uint8_t*)&inbuf[nblk], remn );
|
||||
memcpy( (uint8_t*)&inbuf[nblk - 1] + remn, cts_scratch.u8 + remn, 16 - remn );
|
||||
memcpy( (uint8_t*)&outbuf[nblk], cts_scratch.u8, remn );
|
||||
|
||||
|
||||
/* PP <- T xor P */
|
||||
scratch.u64[0] = (uint64_t)( inbuf[nblk - 1].u64[0] ^ cts_t_buf.u64[0] );
|
||||
scratch.u64[1] = (uint64_t)( inbuf[nblk - 1].u64[1] ^ cts_t_buf.u64[1] );
|
||||
|
||||
/* CC <- E(Key2,PP) */
|
||||
mbedtls_aes_crypt_ecb( crypt_ctx, mode, scratch.u8, scratch.u8 );
|
||||
|
||||
/* C <- T xor CC */
|
||||
outbuf[nblk - 1].u64[0] = (uint64_t)( scratch.u64[0] ^ cts_t_buf.u64[0] );
|
||||
outbuf[nblk - 1].u64[1] = (uint64_t)( scratch.u64[1] ^ cts_t_buf.u64[1] );
|
||||
}
|
||||
}
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
#endif /* MBEDTLS_CIPHER_MODE_XTS */
|
||||
|
||||
#if defined(MBEDTLS_CIPHER_MODE_CFB)
|
||||
/*
|
||||
* AES-CFB128 buffer encryption/decryption
|
||||
|
@ -252,6 +252,9 @@ static const char *features[] = {
|
||||
#if defined(MBEDTLS_CIPHER_MODE_XEX)
|
||||
"MBEDTLS_CIPHER_MODE_XEX",
|
||||
#endif /* MBEDTLS_CIPHER_MODE_XEX */
|
||||
#if defined(MBEDTLS_CIPHER_MODE_XTS)
|
||||
"MBEDTLS_CIPHER_MODE_XTS",
|
||||
#endif /* MBEDTLS_CIPHER_MODE_XTS */
|
||||
#if defined(MBEDTLS_CIPHER_MODE_OFB)
|
||||
"MBEDTLS_CIPHER_MODE_OFB",
|
||||
#endif /* MBEDTLS_CIPHER_MODE_OFB */
|
||||
|
@ -99,8 +99,8 @@ int main( void )
|
||||
#define OPTIONS \
|
||||
"md4, md5, ripemd160, sha1, sha256, sha512,\n" \
|
||||
"arc4, des3, des, camellia, blowfish,\n" \
|
||||
"aes_cbc, aes_gcm, aes_ccm, aes_cmac, aes_xex, des3_cmac,\n" \
|
||||
"havege, ctr_drbg, hmac_drbg\n" \
|
||||
"aes_cbc, aes_gcm, aes_ccm, aes_cmac, aes_xex, aes_xts,\n" \
|
||||
"des3_cmac, havege, ctr_drbg, hmac_drbg\n" \
|
||||
"rsa, dhm, ecdsa, ecdh.\n"
|
||||
|
||||
#if defined(MBEDTLS_ERROR_C)
|
||||
@ -233,8 +233,8 @@ unsigned char buf[BUFSIZE];
|
||||
typedef struct {
|
||||
char md4, md5, ripemd160, sha1, sha256, sha512,
|
||||
arc4, des3, des,
|
||||
aes_cbc, aes_gcm, aes_ccm, aes_cmac, aes_xex, des3_cmac,
|
||||
aria, camellia, blowfish,
|
||||
aes_cbc, aes_gcm, aes_ccm, aes_cmac, aes_xex, aes_xts,
|
||||
des3_cmac, aria, camellia, blowfish,
|
||||
havege, ctr_drbg, hmac_drbg,
|
||||
rsa, dhm, ecdsa, ecdh;
|
||||
} todo_list;
|
||||
@ -281,6 +281,8 @@ int main( int argc, char *argv[] )
|
||||
todo.aes_cbc = 1;
|
||||
else if( strcmp( argv[i], "aes_xex" ) == 0 )
|
||||
todo.aes_xex = 1;
|
||||
else if( strcmp( argv[i], "aes_xts" ) == 0 )
|
||||
todo.aes_xts = 1;
|
||||
else if( strcmp( argv[i], "aes_gcm" ) == 0 )
|
||||
todo.aes_gcm = 1;
|
||||
else if( strcmp( argv[i], "aes_ccm" ) == 0 )
|
||||
@ -451,6 +453,29 @@ int main( int argc, char *argv[] )
|
||||
mbedtls_aes_free( &tweak_ctx );
|
||||
}
|
||||
#endif
|
||||
#if defined(MBEDTLS_CIPHER_MODE_XTS)
|
||||
if( todo.aes_xts )
|
||||
{
|
||||
int keysize;
|
||||
mbedtls_aes_context crypt_ctx, tweak_ctx;
|
||||
mbedtls_aes_init( &crypt_ctx );
|
||||
mbedtls_aes_init( &tweak_ctx );
|
||||
for( keysize = 128; keysize <= 256; keysize += 64 )
|
||||
{
|
||||
mbedtls_snprintf( title, sizeof( title ), "AES-XTS-%d", keysize );
|
||||
|
||||
memset( buf, 0, sizeof( buf ) );
|
||||
memset( tmp, 0, sizeof( tmp ) );
|
||||
mbedtls_aes_setkey_enc( &crypt_ctx, tmp, keysize );
|
||||
mbedtls_aes_setkey_enc( &tweak_ctx, tmp, keysize );
|
||||
|
||||
TIME_AND_TSC( title,
|
||||
mbedtls_aes_crypt_xts( &crypt_ctx, &tweak_ctx, MBEDTLS_AES_ENCRYPT, BUFSIZE * 8, tmp, buf, buf ) );
|
||||
}
|
||||
mbedtls_aes_free( &crypt_ctx );
|
||||
mbedtls_aes_free( &tweak_ctx );
|
||||
}
|
||||
#endif
|
||||
#if defined(MBEDTLS_GCM_C)
|
||||
if( todo.aes_gcm )
|
||||
{
|
||||
|
@ -49,6 +49,7 @@ add_test_suite(aes aes.cbc)
|
||||
add_test_suite(aes aes.cfb)
|
||||
add_test_suite(aes aes.rest)
|
||||
add_test_suite(aes aes.xex)
|
||||
add_test_suite(aes aes.xts)
|
||||
add_test_suite(arc4)
|
||||
add_test_suite(aria)
|
||||
add_test_suite(asn1write)
|
||||
|
@ -225,6 +225,80 @@ exit:
|
||||
}
|
||||
/* END_CASE */
|
||||
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_XTS */
|
||||
void aes_encrypt_xts( char *hex_key_string, char *hex_iv_string,
|
||||
char *hex_src_string, char *hex_dst_string,
|
||||
int data_unit_len, int xts_result )
|
||||
{
|
||||
unsigned char key_str[100] = { 0, };
|
||||
unsigned char iv_str[100] = { 0, };
|
||||
unsigned char src_str[100] = { 0, };
|
||||
unsigned char dst_str[100] = { 0, };
|
||||
unsigned char output[100] = { 0, };
|
||||
mbedtls_aes_context crypt_ctx, tweak_ctx;
|
||||
int key_len, data_len;
|
||||
|
||||
mbedtls_aes_init( &crypt_ctx );
|
||||
mbedtls_aes_init( &tweak_ctx );
|
||||
|
||||
key_len = unhexify( key_str, hex_key_string );
|
||||
unhexify( iv_str, hex_iv_string );
|
||||
data_len = unhexify( src_str, hex_src_string );
|
||||
|
||||
mbedtls_aes_setkey_enc( &crypt_ctx, key_str, ( key_len * 8 ) / 2 );
|
||||
mbedtls_aes_setkey_enc( &tweak_ctx, key_str + key_len / 2, ( key_len * 8 ) / 2 );
|
||||
|
||||
TEST_ASSERT( mbedtls_aes_crypt_xts( &crypt_ctx, &tweak_ctx, MBEDTLS_AES_ENCRYPT, data_unit_len, iv_str, src_str, output ) == xts_result );
|
||||
if( xts_result == 0 )
|
||||
{
|
||||
hexify( dst_str, output, data_len );
|
||||
|
||||
TEST_ASSERT( strcmp( (char *) dst_str, hex_dst_string ) == 0 );
|
||||
}
|
||||
|
||||
exit:
|
||||
mbedtls_aes_free( &crypt_ctx );
|
||||
mbedtls_aes_free( &tweak_ctx );
|
||||
}
|
||||
/* END_CASE */
|
||||
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_XTS */
|
||||
void aes_decrypt_xts( char *hex_key_string, char *hex_iv_string,
|
||||
char *hex_src_string, char *hex_dst_string,
|
||||
int data_unit_len, int xts_result )
|
||||
{
|
||||
unsigned char key_str[100] = { 0, };
|
||||
unsigned char iv_str[100] = { 0, };
|
||||
unsigned char src_str[100] = { 0, };
|
||||
unsigned char dst_str[100] = { 0, };
|
||||
unsigned char output[100] = { 0, };
|
||||
mbedtls_aes_context crypt_ctx, tweak_ctx;
|
||||
int key_len, data_len;
|
||||
|
||||
mbedtls_aes_init( &crypt_ctx );
|
||||
mbedtls_aes_init( &tweak_ctx );
|
||||
|
||||
key_len = unhexify( key_str, hex_key_string );
|
||||
unhexify( iv_str, hex_iv_string );
|
||||
data_len = unhexify( src_str, hex_src_string );
|
||||
|
||||
mbedtls_aes_setkey_dec( &crypt_ctx, key_str, ( key_len * 8 ) / 2 );
|
||||
mbedtls_aes_setkey_enc( &tweak_ctx, key_str + key_len / 2, ( key_len * 8 ) / 2 );
|
||||
|
||||
TEST_ASSERT( mbedtls_aes_crypt_xts( &crypt_ctx, &tweak_ctx, MBEDTLS_AES_DECRYPT, data_unit_len, iv_str, src_str, output ) == xts_result );
|
||||
if( xts_result == 0 )
|
||||
{
|
||||
hexify( dst_str, output, data_len );
|
||||
|
||||
TEST_ASSERT( strcmp( (char *) dst_str, hex_dst_string ) == 0 );
|
||||
}
|
||||
|
||||
exit:
|
||||
mbedtls_aes_free( &crypt_ctx );
|
||||
mbedtls_aes_free( &tweak_ctx );
|
||||
}
|
||||
/* END_CASE */
|
||||
|
||||
/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CFB */
|
||||
void aes_encrypt_cfb128( char *hex_key_string, char *hex_iv_string,
|
||||
char *hex_src_string, char *hex_dst_string )
|
||||
|
4200
tests/suites/test_suite_aes.xts.data
Normal file
4200
tests/suites/test_suite_aes.xts.data
Normal file
File diff suppressed because it is too large
Load Diff
Loading…
Reference in New Issue
Block a user