Implement AES-XTS mode

XTS mode is fully known as "xor-encrypt-xor with ciphertext-stealing". This is the generalization of the XEX mode. This implementation is limited to an 8-bits (1 byte) boundary, which doesn't seem to be what was thought considering some test vectors [1]. This commit comes with tests, extracted from [1], and benchmarks. Although, benchmarks aren't really nice here, as they work with a buffer of a multiple of 16 bytes, which isn't a challenge for XTS compared to XEX. [1] http://csrc.nist.gov/groups/STM/cavp/documents/aes/XTSTestVectors.zip
2016-06-09 23:22:58 +02:00 · 2016-06-09 23:22:58 +02:00 · 5f77801ac3
commit 5f77801ac3
parent 380162c34c
8 changed files with 4483 additions and 5 deletions
--- a/include/mbedtls/aes.h
+++ b/include/mbedtls/aes.h
@ -237,6 +237,34 @@ int mbedtls_aes_crypt_xex( mbedtls_aes_context *crypt_ctx,
                    unsigned char *output );
 #endif /* MBEDTLS_CIPHER_MODE_XEX */

+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+/**
+ * \brief           AES-XTS buffer encryption/decryption
+ *                  Length should be greater or equal than the block size (16
+ *                  bytes, 128 bits)
+ *
+ * Warning: The bits_length parameter must given be in bits, not bytes like the
+ * other modes
+ *
+ * \param crypt_ctx AES context for encrypting data
+ * \param tweak_ctx AES context for xor-ing with data
+ * \param mode      MBEDTLS_AES_ENCRYPT or MBEDTLS_AES_DECRYPT
+ * \param bits_length length of the input data (in bits)
+ * \param iv        initialization vector
+ * \param input     buffer holding the input data
+ * \param output    buffer holding the output data
+ *
+ * \return         0 if successful, or MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH
+ */
+int mbedtls_aes_crypt_xts( mbedtls_aes_context *crypt_ctx,
+                    mbedtls_aes_context *tweak_ctx,
+                    int mode,
+                    size_t bits_length,
+                    unsigned char iv[16],
+                    const unsigned char *input,
+                    unsigned char *output );
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
 #if defined(MBEDTLS_CIPHER_MODE_CFB)
 /**
 * \brief This function performs an AES-CFB128 encryption or decryption
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@ -508,6 +508,14 @@
 */
 #define MBEDTLS_CIPHER_MODE_XEX

+/**
+ * \def MBEDTLS_CIPHER_MODE_XTS
+ *
+ * Enable Xor-encrypt-xor with ciphertext stealing mode (XTS) for symmetric
+ * ciphers.
+ */
+#define MBEDTLS_CIPHER_MODE_XTS
+
 /**
 * \def MBEDTLS_CIPHER_MODE_OFB
 *
--- a/library/aes.c
+++ b/library/aes.c
@ -44,7 +44,7 @@
 #include "mbedtls/aesni.h"
 #endif

-#if defined(MBEDTLS_CIPHER_MODE_XEX)
+#if defined(MBEDTLS_CIPHER_MODE_XEX) || defined(MBEDTLS_CIPHER_MODE_XTS)
 #include "mbedtls/gf128mul.h"
 #endif

@ -1045,6 +1045,145 @@ first:
 }
 #endif /* MBEDTLS_CIPHER_MODE_XEX */

+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+/*
+ * AES-XTS buffer encryption/decryption
+ */
+int mbedtls_aes_crypt_xts( mbedtls_aes_context *crypt_ctx,
+                    mbedtls_aes_context *tweak_ctx,
+                    int mode,
+                    size_t bits_length,
+                    unsigned char iv[16],
+                    const unsigned char *input,
+                    unsigned char *output )
+{
+    union xts_buf128 {
+        uint8_t  u8[16];
+        uint64_t u64[2];
+    };
+
+    union xts_buf128 scratch;
+    union xts_buf128 cts_scratch;
+    union xts_buf128 t_buf;
+    union xts_buf128 cts_t_buf;
+    union xts_buf128 *inbuf;
+    union xts_buf128 *outbuf;
+
+    size_t length = bits_length / 8;
+    size_t nblk   = length / 16;
+    size_t remn   = length % 16;
+
+    inbuf = (union xts_buf128*)input;
+    outbuf = (union xts_buf128*)output;
+
+    /* For performing the ciphertext-stealing operation, we have to get at least
+     * one complete block */
+    if( length < 16 )
+        return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
+
+
+    mbedtls_aes_crypt_ecb( tweak_ctx, MBEDTLS_AES_ENCRYPT, iv, t_buf.u8 );
+
+    if( mode == MBEDTLS_AES_DECRYPT && remn )
+    {
+        if( nblk == 1 )
+            goto decrypt_only_one_full_block;
+        nblk--;
+    }
+
+    goto first;
+
+    do
+    {
+        mbedtls_gf128mul_x_ble( t_buf.u8, t_buf.u8 );
+
+first:
+        /* PP <- T xor P */
+        scratch.u64[0] = (uint64_t)( inbuf->u64[0] ^ t_buf.u64[0] );
+        scratch.u64[1] = (uint64_t)( inbuf->u64[1] ^ t_buf.u64[1] );
+
+        /* CC <- E(Key2,PP) */
+        mbedtls_aes_crypt_ecb( crypt_ctx, mode, scratch.u8, outbuf->u8 );
+
+        /* C <- T xor CC */
+        outbuf->u64[0] = (uint64_t)( outbuf->u64[0] ^ t_buf.u64[0] );
+        outbuf->u64[1] = (uint64_t)( outbuf->u64[1] ^ t_buf.u64[1] );
+
+        inbuf  += 1;
+        outbuf += 1;
+        nblk   -= 1;
+    } while( nblk > 0 );
+
+    /* Ciphertext stealing, if necessary */
+    if( remn != 0 )
+    {
+        outbuf = (union xts_buf128*)output;
+        inbuf =  (union xts_buf128*)input;
+        nblk = length / 16;
+
+        if( mode == MBEDTLS_AES_ENCRYPT )
+        {
+            memcpy( cts_scratch.u8,          (uint8_t*)&inbuf[nblk],              remn );
+            memcpy( cts_scratch.u8 + remn,  ((uint8_t*)&outbuf[nblk - 1]) + remn, 16 - remn );
+            memcpy( (uint8_t*)&outbuf[nblk], (uint8_t*)&outbuf[nblk - 1],         remn );
+
+            mbedtls_gf128mul_x_ble( t_buf.u8, t_buf.u8 );
+
+            /* PP <- T xor P */
+            scratch.u64[0] = (uint64_t)( cts_scratch.u64[0] ^ t_buf.u64[0] );
+            scratch.u64[1] = (uint64_t)( cts_scratch.u64[1] ^ t_buf.u64[1] );
+
+            /* CC <- E(Key2,PP) */
+            mbedtls_aes_crypt_ecb( crypt_ctx, mode, scratch.u8, scratch.u8 );
+
+            /* C <- T xor CC */
+            outbuf[nblk - 1].u64[0] = (uint64_t)( scratch.u64[0] ^ t_buf.u64[0] );
+            outbuf[nblk - 1].u64[1] = (uint64_t)( scratch.u64[1] ^ t_buf.u64[1] );
+        }
+        else /* AES_DECRYPT */
+        {
+            mbedtls_gf128mul_x_ble( t_buf.u8, t_buf.u8 );
+
+decrypt_only_one_full_block:
+            cts_t_buf.u64[0] = t_buf.u64[0];
+            cts_t_buf.u64[1] = t_buf.u64[1];
+
+            mbedtls_gf128mul_x_ble( t_buf.u8, t_buf.u8 );
+
+            /* PP <- T xor P */
+            scratch.u64[0] = (uint64_t)( inbuf[nblk - 1].u64[0] ^ t_buf.u64[0] );
+            scratch.u64[1] = (uint64_t)( inbuf[nblk - 1].u64[1] ^ t_buf.u64[1] );
+
+            /* CC <- E(Key2,PP) */
+            mbedtls_aes_crypt_ecb( crypt_ctx, mode, scratch.u8, scratch.u8 );
+
+            /* C <- T xor CC */
+            cts_scratch.u64[0] = (uint64_t)( scratch.u64[0] ^ t_buf.u64[0] );
+            cts_scratch.u64[1] = (uint64_t)( scratch.u64[1] ^ t_buf.u64[1] );
+
+
+            memcpy( (uint8_t*)&inbuf[nblk - 1], (uint8_t*)&inbuf[nblk], remn );
+            memcpy( (uint8_t*)&inbuf[nblk - 1] + remn, cts_scratch.u8 + remn, 16 - remn );
+            memcpy( (uint8_t*)&outbuf[nblk], cts_scratch.u8, remn );
+
+
+            /* PP <- T xor P */
+            scratch.u64[0] = (uint64_t)( inbuf[nblk - 1].u64[0] ^ cts_t_buf.u64[0] );
+            scratch.u64[1] = (uint64_t)( inbuf[nblk - 1].u64[1] ^ cts_t_buf.u64[1] );
+
+            /* CC <- E(Key2,PP) */
+            mbedtls_aes_crypt_ecb( crypt_ctx, mode, scratch.u8, scratch.u8 );
+
+            /* C <- T xor CC */
+            outbuf[nblk - 1].u64[0] = (uint64_t)( scratch.u64[0] ^ cts_t_buf.u64[0] );
+            outbuf[nblk - 1].u64[1] = (uint64_t)( scratch.u64[1] ^ cts_t_buf.u64[1] );
+        }
+    }
+
+    return( 0 );
+}
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
+
 #if defined(MBEDTLS_CIPHER_MODE_CFB)
 /*
 * AES-CFB128 buffer encryption/decryption
--- a/library/version_features.c
+++ b/library/version_features.c
@ -252,6 +252,9 @@ static const char *features[] = {
 #if defined(MBEDTLS_CIPHER_MODE_XEX)
    "MBEDTLS_CIPHER_MODE_XEX",
 #endif /* MBEDTLS_CIPHER_MODE_XEX */
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    "MBEDTLS_CIPHER_MODE_XTS",
+#endif /* MBEDTLS_CIPHER_MODE_XTS */
 #if defined(MBEDTLS_CIPHER_MODE_OFB)
    "MBEDTLS_CIPHER_MODE_OFB",
 #endif /* MBEDTLS_CIPHER_MODE_OFB */
--- a/programs/test/benchmark.c
+++ b/programs/test/benchmark.c
@ -99,8 +99,8 @@ int main( void )
 #define OPTIONS                                                         \
    "md4, md5, ripemd160, sha1, sha256, sha512,\n"                      \
    "arc4, des3, des, camellia, blowfish,\n"                            \
-    "aes_cbc, aes_gcm, aes_ccm, aes_cmac, aes_xex, des3_cmac,\n"        \
-    "havege, ctr_drbg, hmac_drbg\n"                                     \
+    "aes_cbc, aes_gcm, aes_ccm, aes_cmac, aes_xex, aes_xts,\n"          \
+    "des3_cmac, havege, ctr_drbg, hmac_drbg\n"                          \
    "rsa, dhm, ecdsa, ecdh.\n"

 #if defined(MBEDTLS_ERROR_C)
@ -233,8 +233,8 @@ unsigned char buf[BUFSIZE];
 typedef struct {
    char md4, md5, ripemd160, sha1, sha256, sha512,
         arc4, des3, des,
-         aes_cbc, aes_gcm, aes_ccm, aes_cmac, aes_xex, des3_cmac,
-         aria, camellia, blowfish,
+         aes_cbc, aes_gcm, aes_ccm, aes_cmac, aes_xex, aes_xts,
+         des3_cmac, aria, camellia, blowfish,
         havege, ctr_drbg, hmac_drbg,
         rsa, dhm, ecdsa, ecdh;
 } todo_list;
@ -281,6 +281,8 @@ int main( int argc, char *argv[] )
                todo.aes_cbc = 1;
            else if( strcmp( argv[i], "aes_xex" ) == 0 )
                todo.aes_xex = 1;
+            else if( strcmp( argv[i], "aes_xts" ) == 0 )
+                todo.aes_xts = 1;
            else if( strcmp( argv[i], "aes_gcm" ) == 0 )
                todo.aes_gcm = 1;
            else if( strcmp( argv[i], "aes_ccm" ) == 0 )
@ -451,6 +453,29 @@ int main( int argc, char *argv[] )
        mbedtls_aes_free( &tweak_ctx );
    }
 #endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    if( todo.aes_xts )
+    {
+        int keysize;
+        mbedtls_aes_context crypt_ctx, tweak_ctx;
+        mbedtls_aes_init( &crypt_ctx );
+        mbedtls_aes_init( &tweak_ctx );
+        for( keysize = 128; keysize <= 256; keysize += 64 )
+        {
+            mbedtls_snprintf( title, sizeof( title ), "AES-XTS-%d", keysize );
+
+            memset( buf, 0, sizeof( buf ) );
+            memset( tmp, 0, sizeof( tmp ) );
+            mbedtls_aes_setkey_enc( &crypt_ctx, tmp, keysize );
+            mbedtls_aes_setkey_enc( &tweak_ctx, tmp, keysize );
+
+            TIME_AND_TSC( title,
+                mbedtls_aes_crypt_xts( &crypt_ctx, &tweak_ctx, MBEDTLS_AES_ENCRYPT, BUFSIZE * 8, tmp, buf, buf ) );
+        }
+        mbedtls_aes_free( &crypt_ctx );
+        mbedtls_aes_free( &tweak_ctx );
+    }
+#endif
 #if defined(MBEDTLS_GCM_C)
    if( todo.aes_gcm )
    {
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@ -49,6 +49,7 @@ add_test_suite(aes aes.cbc)
 add_test_suite(aes aes.cfb)
 add_test_suite(aes aes.rest)
 add_test_suite(aes aes.xex)
+add_test_suite(aes aes.xts)
 add_test_suite(arc4)
 add_test_suite(aria)
 add_test_suite(asn1write)
--- a/tests/suites/test_suite_aes.function
+++ b/tests/suites/test_suite_aes.function
@ -225,6 +225,80 @@ exit:
 }
 /* END_CASE */

+/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_XTS */
+void aes_encrypt_xts( char *hex_key_string, char *hex_iv_string,
+                      char *hex_src_string, char *hex_dst_string,
+                      int data_unit_len, int xts_result )
+{
+    unsigned char key_str[100] = { 0, };
+    unsigned char iv_str[100]  = { 0, };
+    unsigned char src_str[100] = { 0, };
+    unsigned char dst_str[100] = { 0, };
+    unsigned char output[100]  = { 0, };
+    mbedtls_aes_context crypt_ctx, tweak_ctx;
+    int key_len, data_len;
+
+    mbedtls_aes_init( &crypt_ctx );
+    mbedtls_aes_init( &tweak_ctx );
+
+    key_len = unhexify( key_str, hex_key_string );
+    unhexify( iv_str, hex_iv_string );
+    data_len = unhexify( src_str, hex_src_string );
+
+    mbedtls_aes_setkey_enc( &crypt_ctx, key_str,               ( key_len * 8 ) / 2 );
+    mbedtls_aes_setkey_enc( &tweak_ctx, key_str + key_len / 2, ( key_len * 8 ) / 2 );
+
+    TEST_ASSERT( mbedtls_aes_crypt_xts( &crypt_ctx, &tweak_ctx, MBEDTLS_AES_ENCRYPT, data_unit_len, iv_str, src_str, output ) == xts_result );
+    if( xts_result == 0 )
+    {
+        hexify( dst_str, output, data_len );
+
+        TEST_ASSERT( strcmp( (char *) dst_str, hex_dst_string ) == 0 );
+    }
+
+exit:
+    mbedtls_aes_free( &crypt_ctx );
+    mbedtls_aes_free( &tweak_ctx );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_XTS */
+void aes_decrypt_xts( char *hex_key_string, char *hex_iv_string,
+                      char *hex_src_string, char *hex_dst_string,
+                      int data_unit_len, int xts_result )
+{
+    unsigned char key_str[100] = { 0, };
+    unsigned char iv_str[100]  = { 0, };
+    unsigned char src_str[100] = { 0, };
+    unsigned char dst_str[100] = { 0, };
+    unsigned char output[100]  = { 0, };
+    mbedtls_aes_context crypt_ctx, tweak_ctx;
+    int key_len, data_len;
+
+    mbedtls_aes_init( &crypt_ctx );
+    mbedtls_aes_init( &tweak_ctx );
+
+    key_len = unhexify( key_str, hex_key_string );
+    unhexify( iv_str, hex_iv_string );
+    data_len = unhexify( src_str, hex_src_string );
+
+    mbedtls_aes_setkey_dec( &crypt_ctx, key_str,               ( key_len * 8 ) / 2 );
+    mbedtls_aes_setkey_enc( &tweak_ctx, key_str + key_len / 2, ( key_len * 8 ) / 2 );
+
+	TEST_ASSERT( mbedtls_aes_crypt_xts( &crypt_ctx, &tweak_ctx, MBEDTLS_AES_DECRYPT, data_unit_len, iv_str, src_str, output ) == xts_result );
+    if( xts_result == 0 )
+    {
+        hexify( dst_str, output, data_len );
+
+        TEST_ASSERT( strcmp( (char *) dst_str, hex_dst_string ) == 0 );
+    }
+
+exit:
+    mbedtls_aes_free( &crypt_ctx );
+    mbedtls_aes_free( &tweak_ctx );
+}
+/* END_CASE */
+
 /* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CFB */
 void aes_encrypt_cfb128( char *hex_key_string, char *hex_iv_string,
                         char *hex_src_string, char *hex_dst_string )
--- a/tests/suites/test_suite_aes.xts.data
+++ b/tests/suites/test_suite_aes.xts.data