Botan 3.3.0
Crypto and TLS for C&
xts.cpp
Go to the documentation of this file.
1/*
2* XTS Mode
3* (C) 2009,2013 Jack Lloyd
4* (C) 2016 Daniel Neus, Rohde & Schwarz Cybersecurity
5*
6* Botan is released under the Simplified BSD License (see license.txt)
7*/
8
9#include <botan/internal/xts.h>
10
11#include <botan/internal/fmt.h>
12#include <botan/internal/poly_dbl.h>
13
14namespace Botan {
15
16XTS_Mode::XTS_Mode(std::unique_ptr<BlockCipher> cipher) :
17 m_cipher(std::move(cipher)),
18 m_cipher_block_size(m_cipher->block_size()),
19 m_cipher_parallelism(m_cipher->parallel_bytes()),
20 m_tweak_blocks(m_cipher_parallelism / m_cipher_block_size) {
21 if(poly_double_supported_size(m_cipher_block_size) == false) {
22 throw Invalid_Argument(fmt("Cannot use {} with XTS", m_cipher->name()));
23 }
24
25 m_tweak_cipher = m_cipher->new_object();
26}
27
29 m_cipher->clear();
30 m_tweak_cipher->clear();
31 reset();
32}
33
35 return m_cipher_block_size;
36}
37
39 return m_cipher_parallelism;
40}
41
43 m_tweak.clear();
44}
45
46std::string XTS_Mode::name() const {
47 return cipher().name() + "/XTS";
48}
49
51 return cipher_block_size();
52}
53
57
59 return cipher_block_size();
60}
61
62bool XTS_Mode::valid_nonce_length(size_t n) const {
63 return n <= cipher_block_size();
64}
65
67 return m_cipher->has_keying_material() && m_tweak_cipher->has_keying_material();
68}
69
70void XTS_Mode::key_schedule(std::span<const uint8_t> key) {
71 const size_t key_half = key.size() / 2;
72
73 if(key.size() % 2 == 1 || !m_cipher->valid_keylength(key_half)) {
74 throw Invalid_Key_Length(name(), key.size());
75 }
76
77 m_cipher->set_key(key.first(key_half));
78 m_tweak_cipher->set_key(key.last(key_half));
79}
80
81void XTS_Mode::start_msg(const uint8_t nonce[], size_t nonce_len) {
82 if(!valid_nonce_length(nonce_len)) {
83 throw Invalid_IV_Length(name(), nonce_len);
84 }
85
86 m_tweak.resize(m_cipher_parallelism);
87 clear_mem(m_tweak.data(), m_tweak.size());
88 copy_mem(m_tweak.data(), nonce, nonce_len);
89 m_tweak_cipher->encrypt(m_tweak.data());
90
91 update_tweak(0);
92}
93
94void XTS_Mode::update_tweak(size_t which) {
95 const size_t BS = m_tweak_cipher->block_size();
96
97 if(which > 0) {
98 poly_double_n_le(m_tweak.data(), &m_tweak[(which - 1) * BS], BS);
99 }
100
101 const size_t blocks_in_tweak = tweak_blocks();
102
103 for(size_t i = 1; i < blocks_in_tweak; ++i) {
104 poly_double_n_le(&m_tweak[i * BS], &m_tweak[(i - 1) * BS], BS);
105 }
106}
107
108size_t XTS_Encryption::output_length(size_t input_length) const {
109 return input_length;
110}
111
112size_t XTS_Encryption::process_msg(uint8_t buf[], size_t sz) {
114 const size_t BS = cipher_block_size();
115
116 BOTAN_ARG_CHECK(sz % BS == 0, "Input is not full blocks");
117 size_t blocks = sz / BS;
118
119 const size_t blocks_in_tweak = tweak_blocks();
120
121 while(blocks) {
122 const size_t to_proc = std::min(blocks, blocks_in_tweak);
123
124 cipher().encrypt_n_xex(buf, tweak(), to_proc);
125
126 buf += to_proc * BS;
127 blocks -= to_proc;
128
129 update_tweak(to_proc);
130 }
131
132 return sz;
133}
134
135void XTS_Encryption::finish_msg(secure_vector<uint8_t>& buffer, size_t offset) {
136 BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is out of range");
137 const size_t sz = buffer.size() - offset;
138 uint8_t* buf = buffer.data() + offset;
139
140 BOTAN_ARG_CHECK(sz >= minimum_final_size(), "missing sufficient final input in XTS encrypt");
141
142 const size_t BS = cipher_block_size();
143
144 if(sz % BS == 0) {
145 update(buffer, offset);
146 } else {
147 // steal ciphertext
148 const size_t full_blocks = ((sz / BS) - 1) * BS;
149 const size_t final_bytes = sz - full_blocks;
150 BOTAN_ASSERT(final_bytes > BS && final_bytes < 2 * BS, "Left over size in expected range");
151
152 secure_vector<uint8_t> last(buf + full_blocks, buf + full_blocks + final_bytes);
153 buffer.resize(full_blocks + offset);
154 update(buffer, offset);
155
156 xor_buf(last, tweak(), BS);
157 cipher().encrypt(last);
158 xor_buf(last, tweak(), BS);
159
160 for(size_t i = 0; i != final_bytes - BS; ++i) {
161 last[i] ^= last[i + BS];
162 last[i + BS] ^= last[i];
163 last[i] ^= last[i + BS];
164 }
165
166 xor_buf(last, tweak() + BS, BS);
167 cipher().encrypt(last);
168 xor_buf(last, tweak() + BS, BS);
169
170 buffer += last;
171 }
172}
173
174size_t XTS_Decryption::output_length(size_t input_length) const {
175 return input_length;
176}
177
178size_t XTS_Decryption::process_msg(uint8_t buf[], size_t sz) {
180 const size_t BS = cipher_block_size();
181
182 BOTAN_ARG_CHECK(sz % BS == 0, "Input is not full blocks");
183 size_t blocks = sz / BS;
184
185 const size_t blocks_in_tweak = tweak_blocks();
186
187 while(blocks) {
188 const size_t to_proc = std::min(blocks, blocks_in_tweak);
189
190 cipher().decrypt_n_xex(buf, tweak(), to_proc);
191
192 buf += to_proc * BS;
193 blocks -= to_proc;
194
195 update_tweak(to_proc);
196 }
197
198 return sz;
199}
200
201void XTS_Decryption::finish_msg(secure_vector<uint8_t>& buffer, size_t offset) {
202 BOTAN_ARG_CHECK(buffer.size() >= offset, "Offset is out of range");
203 const size_t sz = buffer.size() - offset;
204 uint8_t* buf = buffer.data() + offset;
205
206 BOTAN_ARG_CHECK(sz >= minimum_final_size(), "missing sufficient final input in XTS decrypt");
207
208 const size_t BS = cipher_block_size();
209
210 if(sz % BS == 0) {
211 update(buffer, offset);
212 } else {
213 // steal ciphertext
214 const size_t full_blocks = ((sz / BS) - 1) * BS;
215 const size_t final_bytes = sz - full_blocks;
216 BOTAN_ASSERT(final_bytes > BS && final_bytes < 2 * BS, "Left over size in expected range");
217
218 secure_vector<uint8_t> last(buf + full_blocks, buf + full_blocks + final_bytes);
219 buffer.resize(full_blocks + offset);
220 update(buffer, offset);
221
222 xor_buf(last, tweak() + BS, BS);
223 cipher().decrypt(last);
224 xor_buf(last, tweak() + BS, BS);
225
226 for(size_t i = 0; i != final_bytes - BS; ++i) {
227 last[i] ^= last[i + BS];
228 last[i + BS] ^= last[i];
229 last[i] ^= last[i + BS];
230 }
231
232 xor_buf(last, tweak(), BS);
233 cipher().decrypt(last);
234 xor_buf(last, tweak(), BS);
235
236 buffer += last;
237 }
238}
239
240} // namespace Botan
#define BOTAN_STATE_CHECK(expr)
Definition assert.h:41
#define BOTAN_ARG_CHECK(expr, msg)
Definition assert.h:29
#define BOTAN_ASSERT(expr, assertion_made)
Definition assert.h:50
void encrypt(const uint8_t in[], uint8_t out[]) const
void decrypt(const uint8_t in[], uint8_t out[]) const
virtual void encrypt_n_xex(uint8_t data[], const uint8_t mask[], size_t blocks) const
virtual void decrypt_n_xex(uint8_t data[], const uint8_t mask[], size_t blocks) const
Key_Length_Specification multiple(size_t n) const
Definition sym_algo.h:66
virtual std::string name() const =0
virtual Key_Length_Specification key_spec() const =0
size_t output_length(size_t input_length) const override
Definition xts.cpp:174
size_t output_length(size_t input_length) const override
Definition xts.cpp:108
void reset() final
Definition xts.cpp:42
const uint8_t * tweak() const
Definition xts.h:45
size_t ideal_granularity() const final
Definition xts.cpp:38
std::string name() const final
Definition xts.cpp:46
size_t default_nonce_length() const final
Definition xts.cpp:58
size_t cipher_block_size() const
Definition xts.h:55
size_t update_granularity() const final
Definition xts.cpp:34
bool has_keying_material() const final
Definition xts.cpp:66
void clear() final
Definition xts.cpp:28
XTS_Mode(std::unique_ptr< BlockCipher > cipher)
Definition xts.cpp:16
const BlockCipher & cipher() const
Definition xts.h:51
size_t tweak_blocks() const
Definition xts.h:49
Key_Length_Specification key_spec() const final
Definition xts.cpp:54
void update_tweak(size_t last_used)
Definition xts.cpp:94
bool tweak_set() const
Definition xts.h:47
bool valid_nonce_length(size_t n) const final
Definition xts.cpp:62
size_t minimum_final_size() const final
Definition xts.cpp:50
int(* update)(CTX *, const void *, CC_LONG len)
std::string fmt(std::string_view format, const T &... args)
Definition fmt.h:53
void poly_double_n_le(uint8_t out[], const uint8_t in[], size_t n)
Definition poly_dbl.cpp:93
constexpr void xor_buf(ranges::contiguous_output_range< uint8_t > auto &&out, ranges::contiguous_range< uint8_t > auto &&in)
Definition mem_ops.h:340
bool poly_double_supported_size(size_t n)
Definition poly_dbl.h:22
constexpr void copy_mem(T *out, const T *in, size_t n)
Definition mem_ops.h:146
constexpr void clear_mem(T *ptr, size_t n)
Definition mem_ops.h:120