aes: Add AES-XTS cipher block mode

Add XEX-based tweaked-codebook mode with ciphertext stealing (XTS) for
use with AES.
This commit is contained in:
Jaeden Amero 2018-04-28 15:02:45 +01:00
parent 49411ccd0d
commit 9d3eba4666
4 changed files with 434 additions and 0 deletions

View file

@ -88,6 +88,18 @@ typedef struct
} }
mbedtls_aes_context; mbedtls_aes_context;
#if defined(MBEDTLS_CIPHER_MODE_XTS)
/**
* \brief The AES XTS context-type definition.
*/
typedef struct
{
mbedtls_aes_context crypt; /*!< The AES context to use for AES block
encryption or decryption. */
mbedtls_aes_context tweak; /*!< The AES context used for tweak computation. */
} mbedtls_aes_xts_context;
#endif /* MBEDTLS_CIPHER_MODE_XTS */
#else /* MBEDTLS_AES_ALT */ #else /* MBEDTLS_AES_ALT */
#include "aes_alt.h" #include "aes_alt.h"
#endif /* MBEDTLS_AES_ALT */ #endif /* MBEDTLS_AES_ALT */
@ -109,6 +121,25 @@ void mbedtls_aes_init( mbedtls_aes_context *ctx );
*/ */
void mbedtls_aes_free( mbedtls_aes_context *ctx ); void mbedtls_aes_free( mbedtls_aes_context *ctx );
#if defined(MBEDTLS_CIPHER_MODE_XTS)
/**
* \brief This function initializes the specified AES XTS context.
*
* It must be the first API called before using
* the context.
*
* \param ctx The AES XTS context to initialize.
*/
void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx );
/**
* \brief This function releases and clears the specified AES XTS context.
*
* \param ctx The AES XTS context to clear.
*/
void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx );
#endif /* MBEDTLS_CIPHER_MODE_XTS */
/** /**
* \brief This function sets the encryption key. * \brief This function sets the encryption key.
* *
@ -141,6 +172,44 @@ int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key, int mbedtls_aes_setkey_dec( mbedtls_aes_context *ctx, const unsigned char *key,
unsigned int keybits ); unsigned int keybits );
#if defined(MBEDTLS_CIPHER_MODE_XTS)
/**
* \brief This function sets the encryption key.
*
* \param ctx The AES XTS context to which the key should be bound.
* \param key The encryption key. This is comprised of the XTS key1
* concatenated with the XTS key2.
* \param keybits The size of data passed in bits. Valid options are:
* <ul><li>256 bits</li>
* <li>384 bits</li>
* <li>512 bits</li></ul>
*
* \return \c 0 on success.
* \return #MBEDTLS_ERR_AES_INVALID_KEY_LENGTH on failure.
*/
int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
const unsigned char *key,
unsigned int keybits );
/**
* \brief This function sets the decryption key.
*
* \param ctx The AES XTS context to which the key should be bound.
* \param key The decryption key. This is comprised of the XTS key1
* concatenated with the XTS key2.
* \param keybits The size of data passed. Valid options are:
* <ul><li>256 bits</li>
* <li>384 bits</li>
* <li>512 bits</li></ul>
*
* \return \c 0 on success.
* \return #MBEDTLS_ERR_AES_INVALID_KEY_LENGTH on failure.
*/
int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
const unsigned char *key,
unsigned int keybits );
#endif /* MBEDTLS_CIPHER_MODE_XTS */
/** /**
* \brief This function performs an AES single-block encryption or * \brief This function performs an AES single-block encryption or
* decryption operation. * decryption operation.
@ -333,6 +402,44 @@ int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
unsigned char *output ); unsigned char *output );
#endif /* MBEDTLS_CIPHER_MODE_CTR */ #endif /* MBEDTLS_CIPHER_MODE_CTR */
#if defined(MBEDTLS_CIPHER_MODE_XTS)
/**
* \brief This function performs an AES-XTS encryption or decryption
* operation for an entire XTS sector.
*
* AES-XTS encrypts or decrypts blocks based on their location as
* defined by a sector number. These must be provided by \p sector.
*
* NIST SP 800-38E limits the maximum size of a data unit to 2**20
* AES blocks. If the data unit is larger than this, this function
* returns #MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH.
*
* \param ctx The AES XTS context to use for AES XTS operations.
* \param mode The AES operation: #MBEDTLS_AES_ENCRYPT or
* #MBEDTLS_AES_DECRYPT.
* \param length The length of both an entire sector and the input data
* in bytes. The length must be at least 16 bytes. The
* length does not need to be a multiple of 16 bytes.
* \param data_unit The data unit (commonly a block device sector) address
* in byte array form. The least significant byte must be
* at sector[0]. The most significant byte must be at
* sector[15]. Array must be 16 bytes in length.
* \param input The buffer holding the input data.
* \param output The buffer holding the output data.
*
* \return \c 0 on success.
* \return #MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH if length smaller
* than an AES block in size (16 bytes) or if the length is
* larger than 2**20 blocks.
*/
int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
int mode,
size_t length,
const unsigned char data_unit[16],
const unsigned char *input,
unsigned char *output );
#endif /* MBEDTLS_CIPHER_MODE_XTS */
/** /**
* \brief Internal AES block encryption function. This is only * \brief Internal AES block encryption function. This is only
* exposed to allow overriding it using * exposed to allow overriding it using

View file

@ -509,6 +509,14 @@
*/ */
#define MBEDTLS_CIPHER_MODE_CTR #define MBEDTLS_CIPHER_MODE_CTR
/**
* \def MBEDTLS_CIPHER_MODE_XTS
*
* Enable XEX-based tweaked-codebook mode with ciphertext stealing mode (XTS)
* for symmetric ciphers.
*/
#define MBEDTLS_CIPHER_MODE_XTS
/** /**
* \def MBEDTLS_CIPHER_NULL_CIPHER * \def MBEDTLS_CIPHER_NULL_CIPHER
* *

View file

@ -521,6 +521,20 @@ void mbedtls_aes_free( mbedtls_aes_context *ctx )
mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) ); mbedtls_platform_zeroize( ctx, sizeof( mbedtls_aes_context ) );
} }
#if defined(MBEDTLS_CIPHER_MODE_XTS)
void mbedtls_aes_xts_init( mbedtls_aes_xts_context *ctx )
{
mbedtls_aes_init( &ctx->crypt );
mbedtls_aes_init( &ctx->tweak );
}
void mbedtls_aes_xts_free( mbedtls_aes_xts_context *ctx )
{
mbedtls_aes_free( &ctx->crypt );
mbedtls_aes_free( &ctx->tweak );
}
#endif /* MBEDTLS_CIPHER_MODE_XTS */
/* /*
* AES key schedule (encryption) * AES key schedule (encryption)
*/ */
@ -702,6 +716,45 @@ exit:
return( ret ); return( ret );
} }
#if defined(MBEDTLS_CIPHER_MODE_XTS)
static int mbedtls_aes_xts_setkey( mbedtls_aes_xts_context *ctx,
const unsigned char *key,
unsigned int keybits,
int (*setkey1)( mbedtls_aes_context *ctx,
const unsigned char *key,
unsigned int keybits ) )
{
const unsigned int key1bits = keybits / 2;
const unsigned int key2bits = keybits / 2;
const unsigned int key1bytes = key1bits / 8;
const unsigned char *key1 = &key[0];
const unsigned char *key2 = &key[key1bytes];
int ret;
ret = mbedtls_aes_setkey_enc( &ctx->tweak, key2, key2bits );
if( ret )
return( ret );
return( setkey1( &ctx->crypt, key1, key1bits ) );
}
int mbedtls_aes_xts_setkey_enc( mbedtls_aes_xts_context *ctx,
const unsigned char *key,
unsigned int keybits)
{
return mbedtls_aes_xts_setkey( ctx, key, keybits, mbedtls_aes_setkey_enc );
}
int mbedtls_aes_xts_setkey_dec( mbedtls_aes_xts_context *ctx,
const unsigned char *key,
unsigned int keybits)
{
return mbedtls_aes_xts_setkey( ctx, key, keybits, mbedtls_aes_setkey_dec );
}
#endif /* MBEDTLS_CIPHER_MODE_XTS */
#endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */ #endif /* !MBEDTLS_AES_SETKEY_DEC_ALT */
#define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \ #define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \
@ -1099,6 +1152,132 @@ int mbedtls_aes_crypt_ctr( mbedtls_aes_context *ctx,
} }
#endif /* MBEDTLS_CIPHER_MODE_CTR */ #endif /* MBEDTLS_CIPHER_MODE_CTR */
#if defined(MBEDTLS_CIPHER_MODE_XTS)
/*
* AES-XTS buffer encryption/decryption
*/
/* Multiplication by x in the Galois field of GF(2^n) (aka 2, or left shift) */
static void multiply_by_x_gf128( const unsigned char *in, unsigned char *out )
{
size_t i;
const unsigned char overflow = in[15] >> 0x07;
/* XXX speed up multiplication by going 32-bit at a time instead of 8-bit
* */
/* Don't we already have functions that can multiply n-bit numbers
* efficiently? bignum... mpi... Maybe AES NI can do this multiplication
* (galois field 128 multiplication by x, or some sort of lfsr))?*/
/* Feedback polynomial: x**128 + x**7 + x**3 + x + 1 (0b10000111)*/
i = 16;
while( --i ) {
const unsigned char carry = in[i - 1] >> 0x07;
out[i] = (in[i] << 1) | carry;
}
out[0] = (in[0] << 1) ^ (overflow ? 0x87 : 0x00);
}
int mbedtls_aes_crypt_xts( mbedtls_aes_xts_context *ctx,
int mode,
size_t length,
const unsigned char data_unit[16],
const unsigned char *input,
unsigned char *output )
{
size_t blocks = length / 16;
size_t leftover = length % 16;
unsigned char tweak[16];
unsigned char tweak_tmp[16];
unsigned char tmp[16];
/* Sectors must be at least 16 bytes. */
if( length < 16)
return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
/* NIST SP 80-38E disallows data units larger than 2**20 blocks. */
if( (blocks > 0x100000) || (blocks == 0x100000 && leftover > 0))
return MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH;
/* Compute the tweak. */
memcpy( tweak, data_unit, sizeof(tweak) );
mbedtls_aes_crypt_ecb( &ctx->tweak, MBEDTLS_AES_ENCRYPT, tweak, tweak );
while( blocks-- ) {
size_t i;
/* XXX Code review: Sucks to have conditionals inside this loop.
* Suggestions as to whether its worth extracting this outside the toop
* are welcome. */
if( leftover && ( mode == MBEDTLS_AES_DECRYPT ) && blocks == 0 )
{
/* We are on the last block in a decrypt operation that has
* leftover bytes, so we need to use the next tweak for this block,
* and this tweak for the lefover bytes. Save the current tweak for
* the leftovers and then update the current tweak for use on this,
* the last full block. */
memcpy( tweak_tmp, tweak, sizeof(tweak));
multiply_by_x_gf128( tweak, tweak );
}
/* XXX Code review: Don't we have any functions to more efficiently xor
* big nums together than byte-by-byte? */
for( i = 0; i < 16; i++ )
tmp[i] = input[i] ^ tweak[i];
mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
for( i = 0; i < 16; i++ )
output[i] = tmp[i] ^ tweak[i];
/* Update the tweak for the next block */
multiply_by_x_gf128( tweak, tweak );
output += 16;
input += 16;
}
if( leftover )
{
/* If we are on the leftover bytes in a decrypt operation, we need to
* use the previous tweak for these bytes (as saved in tweak_tmp). */
unsigned char *t = mode == MBEDTLS_AES_DECRYPT ? tweak_tmp : tweak;
/* We are now on the final part of the data unit, which doesn't divide
* evenly by 16. It's time for ciphertext stealing. */
size_t i;
unsigned char *prev_output = output - 16;
/* Copy ciphertext bytes from previous block to our output for each
* byte of cyphertext we won't steal. At the same time, the remainder
* of input for this final round (since the loop bounds are the same).
* */
/* XXX if we use faster xor functions later here, we'll likely have to
* break apart the loop. we might not be able to use faster xor, since
* the leftovers could be any number of bytes (not multiples of
* 16) (our faster xor would need to support aligned and unaligned
* sizes) */
for( i = 0; i < leftover; i++ )
{
output[i] = prev_output[i];
tmp[i] = input[i] ^ t[i];
}
/* Copy ciphertext bytes from the previous block for input in this round. */
for( ; i < 16; i++)
tmp[i] = prev_output[i] ^ t[i];
mbedtls_aes_crypt_ecb( &ctx->crypt, mode, tmp, tmp );
/* Write the result back to the previous block, overriding the previous
* output we copied. */
for( i = 0; i < 16; i++ )
prev_output[i] = tmp[i] ^ t[i];
}
return( 0 );
}
#endif /* MBEDTLS_CIPHER_MODE_XTS */
#endif /* !MBEDTLS_AES_ALT */ #endif /* !MBEDTLS_AES_ALT */
#if defined(MBEDTLS_SELF_TEST) #if defined(MBEDTLS_SELF_TEST)
@ -1278,6 +1457,74 @@ static const int aes_test_ctr_len[3] =
{ 16, 32, 36 }; { 16, 32, 36 };
#endif /* MBEDTLS_CIPHER_MODE_CTR */ #endif /* MBEDTLS_CIPHER_MODE_CTR */
#if defined(MBEDTLS_CIPHER_MODE_XTS)
/*
* AES-XTS test vectors from:
*
* IEEE P1619/D16 Annex B
* https://web.archive.org/web/20150629024421/http://grouper.ieee.org/groups/1619/email/pdf00086.pdf
* (Archived from original at http://grouper.ieee.org/groups/1619/email/pdf00086.pdf)
*/
static const unsigned char aes_test_xts_key[][32] =
{
{ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
{ 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
{ 0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9, 0xf8,
0xf7, 0xf6, 0xf5, 0xf4, 0xf3, 0xf2, 0xf1, 0xf0,
0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22 },
};
static const unsigned char aes_test_xts_pt32[][32] =
{
{ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
{ 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
{ 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44,
0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44, 0x44 },
};
static const unsigned char aes_test_xts_ct32[][32] =
{
{ 0x91, 0x7c, 0xf6, 0x9e, 0xbd, 0x68, 0xb2, 0xec,
0x9b, 0x9f, 0xe9, 0xa3, 0xea, 0xdd, 0xa6, 0x92,
0xcd, 0x43, 0xd2, 0xf5, 0x95, 0x98, 0xed, 0x85,
0x8c, 0x02, 0xc2, 0x65, 0x2f, 0xbf, 0x92, 0x2e },
{ 0xc4, 0x54, 0x18, 0x5e, 0x6a, 0x16, 0x93, 0x6e,
0x39, 0x33, 0x40, 0x38, 0xac, 0xef, 0x83, 0x8b,
0xfb, 0x18, 0x6f, 0xff, 0x74, 0x80, 0xad, 0xc4,
0x28, 0x93, 0x82, 0xec, 0xd6, 0xd3, 0x94, 0xf0 },
{ 0xaf, 0x85, 0x33, 0x6b, 0x59, 0x7a, 0xfc, 0x1a,
0x90, 0x0b, 0x2e, 0xb2, 0x1e, 0xc9, 0x49, 0xd2,
0x92, 0xdf, 0x4c, 0x04, 0x7e, 0x0b, 0x21, 0x53,
0x21, 0x86, 0xa5, 0x97, 0x1a, 0x22, 0x7a, 0x89 },
};
static const unsigned char aes_test_xts_data_unit[][16] =
{
{ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
{ 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
{ 0x33, 0x33, 0x33, 0x33, 0x33, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
};
#endif /* MBEDTLS_CIPHER_MODE_XTS */
/* /*
* Checkup routine * Checkup routine
*/ */
@ -1301,6 +1548,9 @@ int mbedtls_aes_self_test( int verbose )
int len; int len;
unsigned char nonce_counter[16]; unsigned char nonce_counter[16];
unsigned char stream_block[16]; unsigned char stream_block[16];
#endif
#if defined(MBEDTLS_CIPHER_MODE_XTS)
mbedtls_aes_xts_context ctx_xts;
#endif #endif
mbedtls_aes_context ctx; mbedtls_aes_context ctx;
@ -1558,6 +1808,72 @@ int mbedtls_aes_self_test( int verbose )
mbedtls_printf( "\n" ); mbedtls_printf( "\n" );
#endif /* MBEDTLS_CIPHER_MODE_CTR */ #endif /* MBEDTLS_CIPHER_MODE_CTR */
#if defined(MBEDTLS_CIPHER_MODE_XTS)
{
static const int num_tests =
sizeof(aes_test_xts_key) / sizeof(*aes_test_xts_key);
/*
* XTS mode
*/
mbedtls_aes_xts_init( &ctx_xts );
for( i = 0; i < num_tests << 1; i++ )
{
const unsigned char *data_unit;
u = i >> 1;
mode = i & 1;
if( verbose != 0 )
mbedtls_printf( " AES-XTS-128 (%s): ",
( mode == MBEDTLS_AES_DECRYPT ) ? "dec" : "enc" );
memset( key, 0, sizeof( key ) );
memcpy( key, aes_test_xts_key[u], 32 );
data_unit = aes_test_xts_data_unit[u];
len = sizeof( *aes_test_xts_ct32 );
if( mode == MBEDTLS_AES_DECRYPT )
{
ret = mbedtls_aes_xts_setkey_dec( &ctx_xts, key, 256 );
if( ret )
goto exit;
memcpy( buf, aes_test_xts_ct32[u], len );
aes_tests = aes_test_xts_pt32[u];
}
else
{
ret = mbedtls_aes_xts_setkey_enc( &ctx_xts, key, 256 );
if( ret )
goto exit;
memcpy( buf, aes_test_xts_pt32[u], len );
aes_tests = aes_test_xts_ct32[u];
}
ret = mbedtls_aes_crypt_xts( &ctx_xts, mode, len, data_unit,
buf, buf );
if( ret != 0 )
goto exit;
if( memcmp( buf, aes_tests, len ) != 0 )
{
ret = 1;
goto exit;
}
if( verbose != 0 )
mbedtls_printf( "passed\n" );
}
if( verbose != 0 )
mbedtls_printf( "\n" );
mbedtls_aes_xts_free( &ctx_xts );
}
#endif /* MBEDTLS_CIPHER_MODE_XTS */
ret = 0; ret = 0;
exit: exit:

View file

@ -252,6 +252,9 @@ static const char *features[] = {
#if defined(MBEDTLS_CIPHER_MODE_CTR) #if defined(MBEDTLS_CIPHER_MODE_CTR)
"MBEDTLS_CIPHER_MODE_CTR", "MBEDTLS_CIPHER_MODE_CTR",
#endif /* MBEDTLS_CIPHER_MODE_CTR */ #endif /* MBEDTLS_CIPHER_MODE_CTR */
#if defined(MBEDTLS_CIPHER_MODE_XTS)
"MBEDTLS_CIPHER_MODE_XTS",
#endif /* MBEDTLS_CIPHER_MODE_XTS */
#if defined(MBEDTLS_CIPHER_NULL_CIPHER) #if defined(MBEDTLS_CIPHER_NULL_CIPHER)
"MBEDTLS_CIPHER_NULL_CIPHER", "MBEDTLS_CIPHER_NULL_CIPHER",
#endif /* MBEDTLS_CIPHER_NULL_CIPHER */ #endif /* MBEDTLS_CIPHER_NULL_CIPHER */