Botan  2.8.0
Crypto and TLS for C++11
xts.cpp
Go to the documentation of this file.
1 /*
2 * XTS Mode
3 * (C) 2009,2013 Jack Lloyd
4 * (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity
5 *
6 * Botan is released under the Simplified BSD License (see license.txt)
7 */
8 
9 #include <botan/xts.h>
10 #include <botan/internal/poly_dbl.h>
11 
12 namespace Botan {
13 
14 XTS_Mode::XTS_Mode(BlockCipher* cipher) : m_cipher(cipher)
15  {
16  if(poly_double_supported_size(m_cipher->block_size()) == false)
17  {
18  throw Invalid_Argument("Cannot use " + cipher->name() + " with XTS");
19  }
20 
21  m_tweak_cipher.reset(m_cipher->clone());
22  }
23 
25  {
26  m_cipher->clear();
27  m_tweak_cipher->clear();
28  reset();
29  }
30 
32  {
33  m_tweak.clear();
34  }
35 
36 std::string XTS_Mode::name() const
37  {
38  return cipher().name() + "/XTS";
39  }
40 
42  {
43  return cipher().parallel_bytes();
44  }
45 
47  {
48  return cipher().block_size() + 1;
49  }
50 
52  {
53  return cipher().key_spec().multiple(2);
54  }
55 
57  {
58  return cipher().block_size();
59  }
60 
61 bool XTS_Mode::valid_nonce_length(size_t n) const
62  {
63  return cipher().block_size() == n;
64  }
65 
66 void XTS_Mode::key_schedule(const uint8_t key[], size_t length)
67  {
68  const size_t key_half = length / 2;
69 
70  if(length % 2 == 1 || !m_cipher->valid_keylength(key_half))
71  throw Invalid_Key_Length(name(), length);
72 
73  m_cipher->set_key(key, key_half);
74  m_tweak_cipher->set_key(&key[key_half], key_half);
75  }
76 
77 void XTS_Mode::start_msg(const uint8_t nonce[], size_t nonce_len)
78  {
79  if(!valid_nonce_length(nonce_len))
80  throw Invalid_IV_Length(name(), nonce_len);
81 
82  m_tweak.resize(update_granularity());
83  copy_mem(m_tweak.data(), nonce, nonce_len);
84  m_tweak_cipher->encrypt(m_tweak.data());
85 
86  update_tweak(0);
87  }
88 
89 void XTS_Mode::update_tweak(size_t which)
90  {
91  const size_t BS = m_tweak_cipher->block_size();
92 
93  if(which > 0)
94  poly_double_n_le(m_tweak.data(), &m_tweak[(which-1)*BS], BS);
95 
96  const size_t blocks_in_tweak = update_granularity() / BS;
97 
98  for(size_t i = 1; i < blocks_in_tweak; ++i)
99  poly_double_n_le(&m_tweak[i*BS], &m_tweak[(i-1)*BS], BS);
100  }
101 
102 size_t XTS_Encryption::output_length(size_t input_length) const
103  {
104  return input_length;
105  }
106 
107 size_t XTS_Encryption::process(uint8_t buf[], size_t sz)
108  {
110  const size_t BS = cipher().block_size();
111 
112  BOTAN_ASSERT(sz % BS == 0, "Input is full blocks");
113  size_t blocks = sz / BS;
114 
115  const size_t blocks_in_tweak = update_granularity() / BS;
116 
117  while(blocks)
118  {
119  const size_t to_proc = std::min(blocks, blocks_in_tweak);
120 
121  cipher().encrypt_n_xex(buf, tweak(), to_proc);
122 
123  buf += to_proc * BS;
124  blocks -= to_proc;
125 
126  update_tweak(to_proc);
127  }
128 
129  return sz;
130  }
131 
132 void XTS_Encryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
133  {
134  BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane");
135  const size_t sz = buffer.size() - offset;
136  uint8_t* buf = buffer.data() + offset;
137 
138  BOTAN_ASSERT(sz >= minimum_final_size(), "Have sufficient final input in XTS encrypt");
139 
140  const size_t BS = cipher().block_size();
141 
142  if(sz % BS == 0)
143  {
144  update(buffer, offset);
145  }
146  else
147  {
148  // steal ciphertext
149  const size_t full_blocks = ((sz / BS) - 1) * BS;
150  const size_t final_bytes = sz - full_blocks;
151  BOTAN_ASSERT(final_bytes > BS && final_bytes < 2*BS, "Left over size in expected range");
152 
153  secure_vector<uint8_t> last(buf + full_blocks, buf + full_blocks + final_bytes);
154  buffer.resize(full_blocks + offset);
155  update(buffer, offset);
156 
157  xor_buf(last, tweak(), BS);
158  cipher().encrypt(last);
159  xor_buf(last, tweak(), BS);
160 
161  for(size_t i = 0; i != final_bytes - BS; ++i)
162  {
163  last[i] ^= last[i + BS];
164  last[i + BS] ^= last[i];
165  last[i] ^= last[i + BS];
166  }
167 
168  xor_buf(last, tweak() + BS, BS);
169  cipher().encrypt(last);
170  xor_buf(last, tweak() + BS, BS);
171 
172  buffer += last;
173  }
174  }
175 
176 size_t XTS_Decryption::output_length(size_t input_length) const
177  {
178  return input_length;
179  }
180 
181 size_t XTS_Decryption::process(uint8_t buf[], size_t sz)
182  {
184  const size_t BS = cipher().block_size();
185 
186  BOTAN_ASSERT(sz % BS == 0, "Input is full blocks");
187  size_t blocks = sz / BS;
188 
189  const size_t blocks_in_tweak = update_granularity() / BS;
190 
191  while(blocks)
192  {
193  const size_t to_proc = std::min(blocks, blocks_in_tweak);
194 
195  cipher().decrypt_n_xex(buf, tweak(), to_proc);
196 
197  buf += to_proc * BS;
198  blocks -= to_proc;
199 
200  update_tweak(to_proc);
201  }
202 
203  return sz;
204  }
205 
206 void XTS_Decryption::finish(secure_vector<uint8_t>& buffer, size_t offset)
207  {
208  BOTAN_ASSERT(buffer.size() >= offset, "Offset is sane");
209  const size_t sz = buffer.size() - offset;
210  uint8_t* buf = buffer.data() + offset;
211 
212  BOTAN_ASSERT(sz >= minimum_final_size(), "Have sufficient final input in XTS decrypt");
213 
214  const size_t BS = cipher().block_size();
215 
216  if(sz % BS == 0)
217  {
218  update(buffer, offset);
219  }
220  else
221  {
222  // steal ciphertext
223  const size_t full_blocks = ((sz / BS) - 1) * BS;
224  const size_t final_bytes = sz - full_blocks;
225  BOTAN_ASSERT(final_bytes > BS && final_bytes < 2*BS, "Left over size in expected range");
226 
227  secure_vector<uint8_t> last(buf + full_blocks, buf + full_blocks + final_bytes);
228  buffer.resize(full_blocks + offset);
229  update(buffer, offset);
230 
231  xor_buf(last, tweak() + BS, BS);
232  cipher().decrypt(last);
233  xor_buf(last, tweak() + BS, BS);
234 
235  for(size_t i = 0; i != final_bytes - BS; ++i)
236  {
237  last[i] ^= last[i + BS];
238  last[i + BS] ^= last[i];
239  last[i] ^= last[i + BS];
240  }
241 
242  xor_buf(last, tweak(), BS);
243  cipher().decrypt(last);
244  xor_buf(last, tweak(), BS);
245 
246  buffer += last;
247  }
248  }
249 
250 }
size_t process(uint8_t buf[], size_t size) override
Definition: xts.cpp:107
size_t parallel_bytes() const
Definition: block_cipher.h:63
void update_tweak(size_t last_used)
Definition: xts.cpp:89
size_t default_nonce_length() const override
Definition: xts.cpp:56
void update(secure_vector< uint8_t > &buffer, size_t offset=0)
Definition: cipher_mode.h:112
const BlockCipher & cipher() const
Definition: xts.h:46
#define BOTAN_STATE_CHECK(expr)
Definition: assert.h:49
const uint8_t * tweak() const
Definition: xts.h:42
void decrypt(const uint8_t in[], uint8_t out[]) const
Definition: block_cipher.h:91
size_t output_length(size_t input_length) const override
Definition: xts.cpp:176
std::string name() const override
Definition: xts.cpp:36
#define BOTAN_ASSERT(expr, assertion_made)
Definition: assert.h:55
void finish(secure_vector< uint8_t > &final_block, size_t offset=0) override
Definition: xts.cpp:132
size_t output_length(size_t input_length) const override
Definition: xts.cpp:102
bool valid_nonce_length(size_t n) const override
Definition: xts.cpp:61
XTS_Mode(BlockCipher *cipher)
Definition: xts.cpp:14
void xor_buf(uint8_t out[], const uint8_t in[], size_t length)
Definition: mem_ops.h:174
virtual std::string name() const =0
void finish(secure_vector< uint8_t > &final_block, size_t offset=0) override
Definition: xts.cpp:206
virtual void encrypt_n_xex(uint8_t data[], const uint8_t mask[], size_t blocks) const
Definition: block_cipher.h:172
void clear() override
Definition: xts.cpp:24
void poly_double_n_le(uint8_t out[], const uint8_t in[], size_t n)
Definition: poly_dbl.cpp:84
void copy_mem(T *out, const T *in, size_t n)
Definition: mem_ops.h:108
Definition: alg_id.cpp:13
Key_Length_Specification key_spec() const override
Definition: xts.cpp:51
void encrypt(const uint8_t in[], uint8_t out[]) const
Definition: block_cipher.h:81
virtual Key_Length_Specification key_spec() const =0
bool tweak_set() const
Definition: xts.h:44
size_t minimum_final_size() const override
Definition: xts.cpp:46
Key_Length_Specification multiple(size_t n) const
Definition: key_spec.h:87
std::vector< T, secure_allocator< T > > secure_vector
Definition: secmem.h:88
size_t update_granularity() const override
Definition: xts.cpp:41
size_t process(uint8_t buf[], size_t size) override
Definition: xts.cpp:181
void reset() override
Definition: xts.cpp:31
virtual size_t block_size() const =0
bool poly_double_supported_size(size_t n)
Definition: poly_dbl.h:22
virtual void decrypt_n_xex(uint8_t data[], const uint8_t mask[], size_t blocks) const
Definition: block_cipher.h:182