Botan  2.0.1
Crypto and TLS for C++11
xts.cpp
Go to the documentation of this file.
1 /*
2 * XTS Mode
3 * (C) 2009,2013 Jack Lloyd
4 * (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity
5 *
6 * Botan is released under the Simplified BSD License (see license.txt)
7 */
8 
9 #include <botan/xts.h>
10 #include <botan/loadstor.h>
11 
12 namespace Botan {
13 
14 namespace {
15 
16 void poly_double_128(uint8_t out[], const uint8_t in[])
17  {
18  uint64_t X0 = load_le<uint64_t>(in, 0);
19  uint64_t X1 = load_le<uint64_t>(in, 1);
20 
21  const bool carry = static_cast<bool>((X1 >> 63) != 0);
22 
23  X1 = (X1 << 1) | (X0 >> 63);
24  X0 = (X0 << 1);
25 
26  if(carry)
27  X0 ^= 0x87;
28 
29  store_le(out, X0, X1);
30  }
31 
32 void poly_double_64(uint8_t out[], const uint8_t in[])
33  {
34  uint64_t X = load_le<uint64_t>(in, 0);
35  const bool carry = static_cast<bool>((X >> 63) != 0);
36  X <<= 1;
37  if(carry)
38  X ^= 0x1B;
39  store_le(X, out);
40  }
41 
42 inline void poly_double(uint8_t out[], const uint8_t in[], size_t size)
43  {
44  if(size == 8)
45  poly_double_64(out, in);
46  else
47  poly_double_128(out, in);
48  }
49 
50 }
51 
52 XTS_Mode::XTS_Mode(BlockCipher* cipher) : m_cipher(cipher)
53  {
54  if(m_cipher->block_size() != 8 && m_cipher->block_size() != 16)
55  throw Invalid_Argument("Bad cipher for XTS: " + cipher->name());
56 
57  m_tweak_cipher.reset(m_cipher->clone());
58  m_tweak.resize(update_granularity());
59  }
60 
61 void XTS_Mode::clear()
62  {
63  m_cipher->clear();
64  m_tweak_cipher->clear();
65  reset();
66  }
67 
68 void XTS_Mode::reset()
69  {
70  zeroise(m_tweak);
71  }
72 
73 std::string XTS_Mode::name() const
74  {
75  return cipher().name() + "/XTS";
76  }
77 
78 size_t XTS_Mode::update_granularity() const
79  {
80  return cipher().parallel_bytes();
81  }
82 
83 size_t XTS_Mode::minimum_final_size() const
84  {
85  return cipher().block_size() + 1;
86  }
87 
88 Key_Length_Specification XTS_Mode::key_spec() const
89  {
90  return cipher().key_spec().multiple(2);
91  }
92 
93 size_t XTS_Mode::default_nonce_length() const
94  {
95  return cipher().block_size();
96  }
97 
98 bool XTS_Mode::valid_nonce_length(size_t n) const
99  {
100  return cipher().block_size() == n;
101  }
102 
103 void XTS_Mode::key_schedule(const uint8_t key[], size_t length)
104  {
105  const size_t key_half = length / 2;
106 
107  if(length % 2 == 1 || !m_cipher->valid_keylength(key_half))
108  throw Invalid_Key_Length(name(), length);
109 
110  m_cipher->set_key(key, key_half);
111  m_tweak_cipher->set_key(&key[key_half], key_half);
112  }
113 
114 void XTS_Mode::start_msg(const uint8_t nonce[], size_t nonce_len)
115  {
116  if(!valid_nonce_length(nonce_len))
117  throw Invalid_IV_Length(name(), nonce_len);
118 
119  copy_mem(m_tweak.data(), nonce, nonce_len);
120  m_tweak_cipher->encrypt(m_tweak.data());
121 
122  update_tweak(0);
123  }
124 
125 void XTS_Mode::update_tweak(size_t which)
126  {
127  const size_t BS = m_tweak_cipher->block_size();
128 
129  if(which > 0)
130  poly_double(m_tweak.data(), &m_tweak[(which-1)*BS], BS);
131 
132  const size_t blocks_in_tweak = update_granularity() / BS;
133 
134  for(size_t i = 1; i < blocks_in_tweak; ++i)
135  poly_double(&m_tweak[i*BS], &m_tweak[(i-1)*BS], BS);
136  }
137 
138 size_t XTS_Encryption::output_length(size_t input_length) const
139  {
140  return input_length;
141  }
142 
143 size_t XTS_Encryption::process(uint8_t buf[], size_t sz)
144  {
145  const size_t BS = cipher().block_size();
146 
147  BOTAN_ASSERT(sz % BS == 0, "Input is full blocks");
148  size_t blocks = sz / BS;
149 
150  const size_t blocks_in_tweak = update_granularity() / BS;
151 
152  while(blocks)
153  {
154  const size_t to_proc = std::min(blocks, blocks_in_tweak);
155  const size_t to_proc_bytes = to_proc * BS;
156 
157  xor_buf(buf, tweak(), to_proc_bytes);
158  cipher().encrypt_n(buf, buf, to_proc);
159  xor_buf(buf, tweak(), to_proc_bytes);
160 
161  buf += to_proc * BS;
162  blocks -= to_proc;
163 
164  update_tweak(to_proc);
165  }
166 
167  return sz;
168  }
169 
170 void XTS_Encryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
171  {
172  BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane");
173  const size_t sz = buffer.size() - offset;
174  uint8_t* buf = buffer.data() + offset;
175 
176  BOTAN_ASSERT(sz >= minimum_final_size(), "Have sufficient final input");
177 
178  const size_t BS = cipher().block_size();
179 
180  if(sz % BS == 0)
181  {
182  update(buffer, offset);
183  }
184  else
185  {
186  // steal ciphertext
187  const size_t full_blocks = ((sz / BS) - 1) * BS;
188  const size_t final_bytes = sz - full_blocks;
189  BOTAN_ASSERT(final_bytes > BS && final_bytes < 2*BS, "Left over size in expected range");
190 
191  secure_vector<uint8_t> last(buf + full_blocks, buf + full_blocks + final_bytes);
192  buffer.resize(full_blocks + offset);
193  update(buffer, offset);
194 
195  xor_buf(last, tweak(), BS);
196  cipher().encrypt(last);
197  xor_buf(last, tweak(), BS);
198 
199  for(size_t i = 0; i != final_bytes - BS; ++i)
200  {
201  last[i] ^= last[i + BS];
202  last[i + BS] ^= last[i];
203  last[i] ^= last[i + BS];
204  }
205 
206  xor_buf(last, tweak() + BS, BS);
207  cipher().encrypt(last);
208  xor_buf(last, tweak() + BS, BS);
209 
210  buffer += last;
211  }
212  }
213 
214 size_t XTS_Decryption::output_length(size_t input_length) const
215  {
216  return input_length;
217  }
218 
219 size_t XTS_Decryption::process(uint8_t buf[], size_t sz)
220  {
221  const size_t BS = cipher().block_size();
222 
223  BOTAN_ASSERT(sz % BS == 0, "Input is full blocks");
224  size_t blocks = sz / BS;
225 
226  const size_t blocks_in_tweak = update_granularity() / BS;
227 
228  while(blocks)
229  {
230  const size_t to_proc = std::min(blocks, blocks_in_tweak);
231  const size_t to_proc_bytes = to_proc * BS;
232 
233  xor_buf(buf, tweak(), to_proc_bytes);
234  cipher().decrypt_n(buf, buf, to_proc);
235  xor_buf(buf, tweak(), to_proc_bytes);
236 
237  buf += to_proc * BS;
238  blocks -= to_proc;
239 
240  update_tweak(to_proc);
241  }
242 
243  return sz;
244  }
245 
246 void XTS_Decryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
247  {
248  BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane");
249  const size_t sz = buffer.size() - offset;
250  uint8_t* buf = buffer.data() + offset;
251 
252  BOTAN_ASSERT(sz >= minimum_final_size(), "Have sufficient final input");
253 
254  const size_t BS = cipher().block_size();
255 
256  if(sz % BS == 0)
257  {
258  update(buffer, offset);
259  }
260  else
261  {
262  // steal ciphertext
263  const size_t full_blocks = ((sz / BS) - 1) * BS;
264  const size_t final_bytes = sz - full_blocks;
265  BOTAN_ASSERT(final_bytes > BS && final_bytes < 2*BS, "Left over size in expected range");
266 
267  secure_vector<uint8_t> last(buf + full_blocks, buf + full_blocks + final_bytes);
268  buffer.resize(full_blocks + offset);
269  update(buffer, offset);
270 
271  xor_buf(last, tweak() + BS, BS);
272  cipher().decrypt(last);
273  xor_buf(last, tweak() + BS, BS);
274 
275  for(size_t i = 0; i != final_bytes - BS; ++i)
276  {
277  last[i] ^= last[i + BS];
278  last[i + BS] ^= last[i];
279  last[i] ^= last[i + BS];
280  }
281 
282  xor_buf(last, tweak(), BS);
283  cipher().decrypt(last);
284  xor_buf(last, tweak(), BS);
285 
286  buffer += last;
287  }
288  }
289 
290 }
Botan::xor_buf
void xor_buf(T out[], const T in[], size_t length)
Definition: mem_ops.h:115
Botan::XTS_Encryption::process
size_t process(uint8_t buf[], size_t size) override
Definition: xts.cpp:143
Botan::Invalid_Argument
Definition: exceptn.h:34
Botan::BlockCipher::parallel_bytes
size_t parallel_bytes() const
Definition: block_cipher.h:62
Botan::Invalid_Key_Length
Definition: exceptn.h:98
Botan::XTS_Mode::update_tweak
void update_tweak(size_t last_used)
Definition: xts.cpp:125
Botan::XTS_Mode::default_nonce_length
size_t default_nonce_length() const override
Definition: xts.cpp:93
Botan::BlockCipher::decrypt_n
virtual void decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const =0
Botan::Cipher_Mode::update
void update(secure_vector< uint8_t > &buffer, size_t offset=0)
Definition: cipher_mode.h:81
Botan::Key_Length_Specification
Definition: key_spec.h:18
Botan::XTS_Mode::cipher
const BlockCipher & cipher() const
Definition: xts.h:44
Botan::XTS_Mode::tweak
const uint8_t * tweak() const
Definition: xts.h:42
Botan::Invalid_IV_Length
Definition: exceptn.h:109
Botan::BlockCipher::decrypt
void decrypt(const uint8_t in[], uint8_t out[]) const
Definition: block_cipher.h:90
Botan::XTS_Decryption::output_length
size_t output_length(size_t input_length) const override
Definition: xts.cpp:214
Botan::XTS_Mode::name
std::string name() const override
Definition: xts.cpp:73
BOTAN_ASSERT
#define BOTAN_ASSERT(expr, assertion_made)
Definition: assert.h:27
Botan::XTS_Encryption::finish
void finish(secure_vector< uint8_t > &final_block, size_t offset=0) override
Definition: xts.cpp:170
Botan::XTS_Encryption::output_length
size_t output_length(size_t input_length) const override
Definition: xts.cpp:138
Botan::XTS_Mode::valid_nonce_length
bool valid_nonce_length(size_t n) const override
Definition: xts.cpp:98
Botan::XTS_Mode::XTS_Mode
XTS_Mode(BlockCipher *cipher)
Definition: xts.cpp:52
Botan::SymmetricAlgorithm::name
virtual std::string name() const =0
Botan::XTS_Decryption::finish
void finish(secure_vector< uint8_t > &final_block, size_t offset=0) override
Definition: xts.cpp:246
Botan::XTS_Mode::clear
void clear() override
Definition: xts.cpp:61
Botan::load_le< uint64_t >
uint64_t load_le< uint64_t >(const uint8_t in[], size_t off)
Definition: loadstor.h:243
Botan::copy_mem
void copy_mem(T *out, const T *in, size_t n)
Definition: mem_ops.h:68
Botan
Definition: alg_id.cpp:13
Botan::XTS_Mode::key_spec
Key_Length_Specification key_spec() const override
Definition: xts.cpp:88
Botan::BlockCipher::encrypt_n
virtual void encrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const =0
Botan::BlockCipher::encrypt
void encrypt(const uint8_t in[], uint8_t out[]) const
Definition: block_cipher.h:80
Botan::SymmetricAlgorithm::key_spec
virtual Key_Length_Specification key_spec() const =0
Botan::XTS_Mode::minimum_final_size
size_t minimum_final_size() const override
Definition: xts.cpp:83
Botan::CT::min
T min(T a, T b)
Definition: ct_utils.h:180
Botan::Key_Length_Specification::multiple
Key_Length_Specification multiple(size_t n) const
Definition: key_spec.h:87
Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition: secmem.h:121
Botan::XTS_Mode::update_granularity
size_t update_granularity() const override
Definition: xts.cpp:78
Botan::XTS_Decryption::process
size_t process(uint8_t buf[], size_t size) override
Definition: xts.cpp:219
Botan::XTS_Mode::reset
void reset() override
Definition: xts.cpp:68
Botan::BlockCipher::block_size
virtual size_t block_size() const =0
Botan::store_le
void store_le(uint16_t in, uint8_t out[2])
Definition: loadstor.h:457
Botan::zeroise
void zeroise(std::vector< T, Alloc > &vec)
Definition: secmem.h:211
Generated by   doxygen 1.8.13