doxygen/xts_8cpp_source.html

/*

* XTS Mode

* (C) 2009,2013 Jack Lloyd

* (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity

*

* Botan is released under the Simplified BSD License (see license.txt)

*/


#include <botan/internal/xts.h>


#include <botan/internal/fmt.h>

#include <botan/internal/poly_dbl.h>


namespace Botan {


XTS_Mode::XTS_Mode(std::unique_ptr<BlockCipher> cipher) :

      m_cipher(std::move(cipher)),

      m_cipher_block_size(m_cipher->block_size()),

      m_cipher_parallelism(m_cipher->parallel_bytes()),

      m_tweak_blocks(m_cipher_parallelism / m_cipher_block_size) {

   if(poly_double_supported_size(m_cipher_block_size) == false) {

      throw Invalid_Argument(fmt("Cannot use {} with XTS", m_cipher->name()));

   }


   m_tweak_cipher = m_cipher->new_object();

}


void XTS_Mode::clear() {

   m_cipher->clear();

   m_tweak_cipher->clear();

   reset();

}


size_t XTS_Mode::update_granularity() const {

   return m_cipher_block_size;

}


size_t XTS_Mode::ideal_granularity() const {

   return m_cipher_parallelism;

}


void XTS_Mode::reset() {

   m_tweak.clear();

}


std::string XTS_Mode::name() const {

   return cipher().name() + "/XTS";

}


size_t XTS_Mode::minimum_final_size() const {

   return cipher_block_size();

}


Key_Length_Specification XTS_Mode::key_spec() const {

   return cipher().key_spec().multiple(2);

}


size_t XTS_Mode::default_nonce_length() const {

   return cipher_block_size();

}


bool XTS_Mode::valid_nonce_length(size_t n) const {

   return n <= cipher_block_size();

}


bool XTS_Mode::has_keying_material() const {

   return m_cipher->has_keying_material() && m_tweak_cipher->has_keying_material();

}


void XTS_Mode::key_schedule(std::span<const uint8_t> key) {

   const size_t key_half = key.size() / 2;


   if(key.size() % 2 == 1 || !m_cipher->valid_keylength(key_half)) {

      throw Invalid_Key_Length(name(), key.size());

   }


   m_cipher->set_key(key.first(key_half));

   m_tweak_cipher->set_key(key.last(key_half));

}


void XTS_Mode::start_msg(const uint8_t nonce[], size_t nonce_len) {

   if(!valid_nonce_length(nonce_len)) {

      throw Invalid_IV_Length(name(), nonce_len);

   }


   m_tweak.resize(m_cipher_parallelism);

   clear_mem(m_tweak.data(), m_tweak.size());

   copy_mem(m_tweak.data(), nonce, nonce_len);

   m_tweak_cipher->encrypt(m_tweak.data());


   update_tweak(0);

}


void XTS_Mode::update_tweak(size_t which) {

   const size_t BS = m_tweak_cipher->block_size();


   if(which > 0) {

      poly_double_n_le(m_tweak.data(), &m_tweak[(which - 1) * BS], BS);

   }


   const size_t blocks_in_tweak = tweak_blocks();


   xts_update_tweak_block(m_tweak.data(), BS, blocks_in_tweak);

}


size_t XTS_Encryption::output_length(size_t input_length) const {

   return input_length;

}


size_t XTS_Encryption::process_msg(uint8_t buf[], size_t sz) {

   BOTAN_STATE_CHECK(tweak_set());

   const size_t BS = cipher_block_size();


   BOTAN_ARG_CHECK(sz % BS == 0, "Input is not full blocks");

   size_t blocks = sz / BS;


   const size_t blocks_in_tweak = tweak_blocks();


   while(blocks) {

      const size_t to_proc = std::min(blocks, blocks_in_tweak);


      cipher().encrypt_n_xex(buf, tweak(), to_proc);


      buf += to_proc * BS;

      blocks -= to_proc;


      update_tweak(to_proc);

   }


   return sz;

}


void XTS_Encryption::finish_msg(secure_vector<uint8_t>& buffer, size_t offset) {

   BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is out of range");

   const size_t sz = buffer.size() - offset;

   uint8_t* buf = buffer.data() + offset;


   BOTAN_ARG_CHECK(sz >= minimum_final_size(), "missing sufficient final input in XTS encrypt");


   const size_t BS = cipher_block_size();


   if(sz % BS == 0) {

      update(buffer, offset);

   } else {

      // steal ciphertext

      const size_t full_blocks = ((sz / BS) - 1) * BS;

      const size_t final_bytes = sz - full_blocks;

      BOTAN_ASSERT(final_bytes > BS && final_bytes < 2 * BS, "Left over size in expected range");


      secure_vector<uint8_t> last(buf + full_blocks, buf + full_blocks + final_bytes);

      buffer.resize(full_blocks + offset);

      update(buffer, offset);


      xor_buf(last, tweak(), BS);

      cipher().encrypt(last);

      xor_buf(last, tweak(), BS);


      for(size_t i = 0; i != final_bytes - BS; ++i) {

         last[i] ^= last[i + BS];

         last[i + BS] ^= last[i];

         last[i] ^= last[i + BS];

      }


      xor_buf(last, tweak() + BS, BS);

      cipher().encrypt(last);

      xor_buf(last, tweak() + BS, BS);


      buffer += last;

   }

}


size_t XTS_Decryption::output_length(size_t input_length) const {

   return input_length;

}


size_t XTS_Decryption::process_msg(uint8_t buf[], size_t sz) {

   BOTAN_STATE_CHECK(tweak_set());

   const size_t BS = cipher_block_size();


   BOTAN_ARG_CHECK(sz % BS == 0, "Input is not full blocks");

   size_t blocks = sz / BS;


   const size_t blocks_in_tweak = tweak_blocks();


   while(blocks) {

      const size_t to_proc = std::min(blocks, blocks_in_tweak);


      cipher().decrypt_n_xex(buf, tweak(), to_proc);


      buf += to_proc * BS;

      blocks -= to_proc;


      update_tweak(to_proc);

   }


   return sz;

}


void XTS_Decryption::finish_msg(secure_vector<uint8_t>& buffer, size_t offset) {

   BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is out of range");

   const size_t sz = buffer.size() - offset;

   uint8_t* buf = buffer.data() + offset;


   BOTAN_ARG_CHECK(sz >= minimum_final_size(), "missing sufficient final input in XTS decrypt");


   const size_t BS = cipher_block_size();


   if(sz % BS == 0) {

      update(buffer, offset);

   } else {

      // steal ciphertext

      const size_t full_blocks = ((sz / BS) - 1) * BS;

      const size_t final_bytes = sz - full_blocks;

      BOTAN_ASSERT(final_bytes > BS && final_bytes < 2 * BS, "Left over size in expected range");


      secure_vector<uint8_t> last(buf + full_blocks, buf + full_blocks + final_bytes);

      buffer.resize(full_blocks + offset);

      update(buffer, offset);


      xor_buf(last, tweak() + BS, BS);

      cipher().decrypt(last);

      xor_buf(last, tweak() + BS, BS);


      for(size_t i = 0; i != final_bytes - BS; ++i) {

         last[i] ^= last[i + BS];

         last[i + BS] ^= last[i];

         last[i] ^= last[i + BS];

      }


      xor_buf(last, tweak(), BS);

      cipher().decrypt(last);

      xor_buf(last, tweak(), BS);


      buffer += last;

   }

}


}  // namespace Botan

BOTAN_STATE_CHECK
#define BOTAN_STATE_CHECK(expr)
Definition assert.h:41

BOTAN_ARG_CHECK
#define BOTAN_ARG_CHECK(expr, msg)
Definition assert.h:29

BOTAN_ASSERT
#define BOTAN_ASSERT(expr, assertion_made)
Definition assert.h:50

Botan::BlockCipher::encrypt
void encrypt(const uint8_t in[], uint8_t out[]) const
Definition block_cipher.h:75

Botan::BlockCipher::decrypt
void decrypt(const uint8_t in[], uint8_t out[]) const
Definition block_cipher.h:84

Botan::BlockCipher::encrypt_n_xex
virtual void encrypt_n_xex(uint8_t data[], const uint8_t mask[], size_t blocks) const
Definition block_cipher.h:152

Botan::BlockCipher::decrypt_n_xex
virtual void decrypt_n_xex(uint8_t data[], const uint8_t mask[], size_t blocks) const
Definition block_cipher.h:159

Botan::Invalid_Argument
Definition exceptn.h:131

Botan::Invalid_Key_Length
Definition exceptn.h:153

Botan::Key_Length_Specification
Definition sym_algo.h:21

Botan::Key_Length_Specification::multiple
Key_Length_Specification multiple(size_t n) const
Definition sym_algo.h:66

Botan::SymmetricAlgorithm::name
virtual std::string name() const =0

Botan::SymmetricAlgorithm::key_spec
virtual Key_Length_Specification key_spec() const =0

Botan::XTS_Decryption::output_length
size_t output_length(size_t input_length) const override
Definition xts.cpp:172

Botan::XTS_Encryption::output_length
size_t output_length(size_t input_length) const override
Definition xts.cpp:106

Botan::XTS_Mode::reset
void reset() final
Definition xts.cpp:42

Botan::XTS_Mode::tweak
const uint8_t * tweak() const
Definition xts.h:45

Botan::XTS_Mode::ideal_granularity
size_t ideal_granularity() const final
Definition xts.cpp:38

Botan::XTS_Mode::name
std::string name() const final
Definition xts.cpp:46

Botan::XTS_Mode::default_nonce_length
size_t default_nonce_length() const final
Definition xts.cpp:58

Botan::XTS_Mode::cipher_block_size
size_t cipher_block_size() const
Definition xts.h:55

Botan::XTS_Mode::update_granularity
size_t update_granularity() const final
Definition xts.cpp:34

Botan::XTS_Mode::has_keying_material
bool has_keying_material() const final
Definition xts.cpp:66

Botan::XTS_Mode::clear
void clear() final
Definition xts.cpp:28

Botan::XTS_Mode::XTS_Mode
XTS_Mode(std::unique_ptr< BlockCipher > cipher)
Definition xts.cpp:16

Botan::XTS_Mode::cipher
const BlockCipher & cipher() const
Definition xts.h:51

Botan::XTS_Mode::tweak_blocks
size_t tweak_blocks() const
Definition xts.h:49

Botan::XTS_Mode::key_spec
Key_Length_Specification key_spec() const final
Definition xts.cpp:54

Botan::XTS_Mode::update_tweak
void update_tweak(size_t last_used)
Definition xts.cpp:94

Botan::XTS_Mode::tweak_set
bool tweak_set() const
Definition xts.h:47

Botan::XTS_Mode::valid_nonce_length
bool valid_nonce_length(size_t n) const final
Definition xts.cpp:62

Botan::XTS_Mode::minimum_final_size
size_t minimum_final_size() const final
Definition xts.cpp:50

update
int(* update)(CTX *, const void *, CC_LONG len)
Definition commoncrypto_hash.cpp:28

Botan
Definition alg_id.cpp:13

Botan::xts_update_tweak_block
void xts_update_tweak_block(uint8_t tweak[], size_t BS, size_t blocks_in_tweak)
Definition poly_dbl.cpp:119

Botan::fmt
std::string fmt(std::string_view format, const T &... args)
Definition fmt.h:53

Botan::poly_double_n_le
void poly_double_n_le(uint8_t out[], const uint8_t in[], size_t n)
Definition poly_dbl.cpp:100

Botan::xor_buf
constexpr void xor_buf(ranges::contiguous_output_range< uint8_t > auto &&out, ranges::contiguous_range< uint8_t > auto &&in)
Definition mem_ops.h:341

Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:61

Botan::poly_double_supported_size
bool poly_double_supported_size(size_t n)
Definition poly_dbl.h:22

Botan::copy_mem
constexpr void copy_mem(T *out, const T *in, size_t n)
Definition mem_ops.h:146

Botan::clear_mem
constexpr void clear_mem(T *ptr, size_t n)
Definition mem_ops.h:120