Implement AES-XTS mode

XTS mode is fully known as "xor-encrypt-xor with ciphertext-stealing". This is the generalization of the XEX mode. This implementation is limited to an 8-bits (1 byte) boundary, which doesn't seem to be what was thought considering some test vectors [1]. This commit comes with tests, extracted from [1], and benchmarks. Although, benchmarks aren't really nice here, as they work with a buffer of a multiple of 16 bytes, which isn't a challenge for XTS compared to XEX. [1] http://csrc.nist.gov/groups/STM/cavp/documents/aes/XTSTestVectors.zip
2025-11-04 04:32:24 -05:00 · 2016-06-09 23:22:58 +02:00 · 2016-06-09 23:22:58 +02:00 · 5f77801ac3
commit 5f77801ac3
parent 380162c34c
8 changed files with 4483 additions and 5 deletions
--- a/include/mbedtls/aes.h
+++ b/include/mbedtls/aes.h
@ -237,6 +237,34 @@ int mbedtls_aes_crypt_xex( mbedtls_aes_context *crypt_ctx,
                    unsigned char *output );
 #endif /* MBEDTLS_CIPHER_MODE_XEX */
 #if defined(MBEDTLS_CIPHER_MODE_XTS)
 /**
 * \brief           AES-XTS buffer encryption/decryption
 *                  Length should be greater or equal than the block size (16
 *                  bytes, 128 bits)
 *
 * Warning: The bits_length parameter must given be in bits, not bytes like the
 * other modes
 *
 * \param crypt_ctx AES context for encrypting data
 * \param tweak_ctx AES context for xor-ing with data
 * \param mode      MBEDTLS_AES_ENCRYPT or MBEDTLS_AES_DECRYPT
 * \param bits_length length of the input data (in bits)
 * \param iv        initialization vector
 * \param input     buffer holding the input data
 * \param output    buffer holding the output data
 *
 * \return         0 if successful, or MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH
 */
 int mbedtls_aes_crypt_xts( mbedtls_aes_context *crypt_ctx,
                    mbedtls_aes_context *tweak_ctx,
                    int mode,
                    size_t bits_length,
                    unsigned char iv[16],
                    const unsigned char *input,
                    unsigned char *output );
 #endif /* MBEDTLS_CIPHER_MODE_XTS */
 #if defined(MBEDTLS_CIPHER_MODE_CFB)
 /**
 * \brief This function performs an AES-CFB128 encryption or decryption
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@ -508,6 +508,14 @@
 */
 #define MBEDTLS_CIPHER_MODE_XEX
 /**
 * \def MBEDTLS_CIPHER_MODE_XTS
 *
 * Enable Xor-encrypt-xor with ciphertext stealing mode (XTS) for symmetric
 * ciphers.
 */
 #define MBEDTLS_CIPHER_MODE_XTS
 /**
 * \def MBEDTLS_CIPHER_MODE_OFB
 *
--- a/library/aes.c
+++ b/library/aes.c
@ -44,7 +44,7 @@
 #include "mbedtls/aesni.h"
 #endif
-#if defined(MBEDTLS_CIPHER_MODE_XEX)
+#if defined(MBEDTLS_CIPHER_MODE_XEX) || defined(MBEDTLS_CIPHER_MODE_XTS)
 #include "mbedtls/gf128mul.h"
 #endif
@ -1045,6 +1045,145 @@ first:
 }
 #endif /* MBEDTLS_CIPHER_MODE_XEX */
 #if defined(MBEDTLS_CIPHER_MODE_XTS)
 /*
 * AES-XTS buffer encryption/decryption
 */
 int mbedtls_aes_crypt_xts( mbedtls_aes_context *crypt_ctx,
                    mbedtls_aes_context *tweak_ctx,
                    int mode,
                    size_t bits_length,
                    unsigned char iv[16],
                    const unsigned char *input,
                    unsigned char *output )
 {
    union xts_buf128 {
        uint8_t  u8[16];
        uint64_t u64[2];
    };
    union xts_buf128 scratch;
    union xts_buf128 cts_scratch;
    union xts_buf128 t_buf;
    union xts_buf128 cts_t_buf;
    union xts_buf128 *inbuf;
    union xts_buf128 *outbuf;
    size_t length = bits_length / 8;
    size_t nblk   = length / 16;
    size_t remn   = length % 16;
    inbuf = (union xts_buf128*)input;
    outbuf = (union xts_buf128*)output;
    /* For performing the ciphertext-stealing operation, we have to get at least
     * one complete block */
    if( length < 16 )
        return( MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH );
    mbedtls_aes_crypt_ecb( tweak_ctx, MBEDTLS_AES_ENCRYPT, iv, t_buf.u8 );
    if( mode == MBEDTLS_AES_DECRYPT && remn )
    {
        if( nblk == 1 )
            goto decrypt_only_one_full_block;
        nblk--;
    }
    goto first;
    do
    {
        mbedtls_gf128mul_x_ble( t_buf.u8, t_buf.u8 );
 first:
        /* PP <- T xor P */
        scratch.u64[0] = (uint64_t)( inbuf->u64[0] ^ t_buf.u64[0] );
        scratch.u64[1] = (uint64_t)( inbuf->u64[1] ^ t_buf.u64[1] );
        /* CC <- E(Key2,PP) */
        mbedtls_aes_crypt_ecb( crypt_ctx, mode, scratch.u8, outbuf->u8 );
        /* C <- T xor CC */
        outbuf->u64[0] = (uint64_t)( outbuf->u64[0] ^ t_buf.u64[0] );
        outbuf->u64[1] = (uint64_t)( outbuf->u64[1] ^ t_buf.u64[1] );
        inbuf  += 1;
        outbuf += 1;
        nblk   -= 1;
    } while( nblk > 0 );
    /* Ciphertext stealing, if necessary */
    if( remn != 0 )
    {
        outbuf = (union xts_buf128*)output;
        inbuf =  (union xts_buf128*)input;
        nblk = length / 16;
        if( mode == MBEDTLS_AES_ENCRYPT )
        {
            memcpy( cts_scratch.u8,          (uint8_t*)&inbuf[nblk],              remn );
            memcpy( cts_scratch.u8 + remn,  ((uint8_t*)&outbuf[nblk - 1]) + remn, 16 - remn );
            memcpy( (uint8_t*)&outbuf[nblk], (uint8_t*)&outbuf[nblk - 1],         remn );
            mbedtls_gf128mul_x_ble( t_buf.u8, t_buf.u8 );
            /* PP <- T xor P */
            scratch.u64[0] = (uint64_t)( cts_scratch.u64[0] ^ t_buf.u64[0] );
            scratch.u64[1] = (uint64_t)( cts_scratch.u64[1] ^ t_buf.u64[1] );
            /* CC <- E(Key2,PP) */
            mbedtls_aes_crypt_ecb( crypt_ctx, mode, scratch.u8, scratch.u8 );
            /* C <- T xor CC */
            outbuf[nblk - 1].u64[0] = (uint64_t)( scratch.u64[0] ^ t_buf.u64[0] );
            outbuf[nblk - 1].u64[1] = (uint64_t)( scratch.u64[1] ^ t_buf.u64[1] );
        }
        else /* AES_DECRYPT */
        {
            mbedtls_gf128mul_x_ble( t_buf.u8, t_buf.u8 );
 decrypt_only_one_full_block:
            cts_t_buf.u64[0] = t_buf.u64[0];
            cts_t_buf.u64[1] = t_buf.u64[1];
            mbedtls_gf128mul_x_ble( t_buf.u8, t_buf.u8 );
            /* PP <- T xor P */
            scratch.u64[0] = (uint64_t)( inbuf[nblk - 1].u64[0] ^ t_buf.u64[0] );
            scratch.u64[1] = (uint64_t)( inbuf[nblk - 1].u64[1] ^ t_buf.u64[1] );
            /* CC <- E(Key2,PP) */
            mbedtls_aes_crypt_ecb( crypt_ctx, mode, scratch.u8, scratch.u8 );
            /* C <- T xor CC */
            cts_scratch.u64[0] = (uint64_t)( scratch.u64[0] ^ t_buf.u64[0] );
            cts_scratch.u64[1] = (uint64_t)( scratch.u64[1] ^ t_buf.u64[1] );
            memcpy( (uint8_t*)&inbuf[nblk - 1], (uint8_t*)&inbuf[nblk], remn );
            memcpy( (uint8_t*)&inbuf[nblk - 1] + remn, cts_scratch.u8 + remn, 16 - remn );
            memcpy( (uint8_t*)&outbuf[nblk], cts_scratch.u8, remn );
            /* PP <- T xor P */
            scratch.u64[0] = (uint64_t)( inbuf[nblk - 1].u64[0] ^ cts_t_buf.u64[0] );
            scratch.u64[1] = (uint64_t)( inbuf[nblk - 1].u64[1] ^ cts_t_buf.u64[1] );
            /* CC <- E(Key2,PP) */
            mbedtls_aes_crypt_ecb( crypt_ctx, mode, scratch.u8, scratch.u8 );
            /* C <- T xor CC */
            outbuf[nblk - 1].u64[0] = (uint64_t)( scratch.u64[0] ^ cts_t_buf.u64[0] );
            outbuf[nblk - 1].u64[1] = (uint64_t)( scratch.u64[1] ^ cts_t_buf.u64[1] );
        }
    }
    return( 0 );
 }
 #endif /* MBEDTLS_CIPHER_MODE_XTS */
 #if defined(MBEDTLS_CIPHER_MODE_CFB)
 /*
 * AES-CFB128 buffer encryption/decryption
--- a/library/version_features.c
+++ b/library/version_features.c
@ -252,6 +252,9 @@ static const char *features[] = {
 #if defined(MBEDTLS_CIPHER_MODE_XEX)
    "MBEDTLS_CIPHER_MODE_XEX",
 #endif /* MBEDTLS_CIPHER_MODE_XEX */
 #if defined(MBEDTLS_CIPHER_MODE_XTS)
    "MBEDTLS_CIPHER_MODE_XTS",
 #endif /* MBEDTLS_CIPHER_MODE_XTS */
 #if defined(MBEDTLS_CIPHER_MODE_OFB)
    "MBEDTLS_CIPHER_MODE_OFB",
 #endif /* MBEDTLS_CIPHER_MODE_OFB */
--- a/programs/test/benchmark.c
+++ b/programs/test/benchmark.c
@ -99,8 +99,8 @@ int main( void )
 #define OPTIONS                                                         \
    "md4, md5, ripemd160, sha1, sha256, sha512,\n"                      \
    "arc4, des3, des, camellia, blowfish,\n"                            \
-    "aes_cbc, aes_gcm, aes_ccm, aes_cmac, aes_xex, des3_cmac,\n"        \
+    "aes_cbc, aes_gcm, aes_ccm, aes_cmac, aes_xex, aes_xts,\n"          \
-    "havege, ctr_drbg, hmac_drbg\n"                                     \
+    "des3_cmac, havege, ctr_drbg, hmac_drbg\n"                          \
    "rsa, dhm, ecdsa, ecdh.\n"
 #if defined(MBEDTLS_ERROR_C)
@ -233,8 +233,8 @@ unsigned char buf[BUFSIZE];
 typedef struct {
    char md4, md5, ripemd160, sha1, sha256, sha512,
         arc4, des3, des,
-         aes_cbc, aes_gcm, aes_ccm, aes_cmac, aes_xex, des3_cmac,
+         aes_cbc, aes_gcm, aes_ccm, aes_cmac, aes_xex, aes_xts,
-         aria, camellia, blowfish,
+         des3_cmac, aria, camellia, blowfish,
         havege, ctr_drbg, hmac_drbg,
         rsa, dhm, ecdsa, ecdh;
 } todo_list;
@ -281,6 +281,8 @@ int main( int argc, char *argv[] )
                todo.aes_cbc = 1;
            else if( strcmp( argv[i], "aes_xex" ) == 0 )
                todo.aes_xex = 1;
            else if( strcmp( argv[i], "aes_xts" ) == 0 )
                todo.aes_xts = 1;
            else if( strcmp( argv[i], "aes_gcm" ) == 0 )
                todo.aes_gcm = 1;
            else if( strcmp( argv[i], "aes_ccm" ) == 0 )
@ -451,6 +453,29 @@ int main( int argc, char *argv[] )
        mbedtls_aes_free( &tweak_ctx );
    }
 #endif
 #if defined(MBEDTLS_CIPHER_MODE_XTS)
    if( todo.aes_xts )
    {
        int keysize;
        mbedtls_aes_context crypt_ctx, tweak_ctx;
        mbedtls_aes_init( &crypt_ctx );
        mbedtls_aes_init( &tweak_ctx );
        for( keysize = 128; keysize <= 256; keysize += 64 )
        {
            mbedtls_snprintf( title, sizeof( title ), "AES-XTS-%d", keysize );
            memset( buf, 0, sizeof( buf ) );
            memset( tmp, 0, sizeof( tmp ) );
            mbedtls_aes_setkey_enc( &crypt_ctx, tmp, keysize );
            mbedtls_aes_setkey_enc( &tweak_ctx, tmp, keysize );
            TIME_AND_TSC( title,
                mbedtls_aes_crypt_xts( &crypt_ctx, &tweak_ctx, MBEDTLS_AES_ENCRYPT, BUFSIZE * 8, tmp, buf, buf ) );
        }
        mbedtls_aes_free( &crypt_ctx );
        mbedtls_aes_free( &tweak_ctx );
    }
 #endif
 #if defined(MBEDTLS_GCM_C)
    if( todo.aes_gcm )
    {
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@ -49,6 +49,7 @@ add_test_suite(aes aes.cbc)
 add_test_suite(aes aes.cfb)
 add_test_suite(aes aes.rest)
 add_test_suite(aes aes.xex)
 add_test_suite(aes aes.xts)
 add_test_suite(arc4)
 add_test_suite(aria)
 add_test_suite(asn1write)
--- a/tests/suites/test_suite_aes.function
+++ b/tests/suites/test_suite_aes.function
@ -225,6 +225,80 @@ exit:
 }
 /* END_CASE */
 /* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_XTS */
 void aes_encrypt_xts( char *hex_key_string, char *hex_iv_string,
                      char *hex_src_string, char *hex_dst_string,
                      int data_unit_len, int xts_result )
 {
    unsigned char key_str[100] = { 0, };
    unsigned char iv_str[100]  = { 0, };
    unsigned char src_str[100] = { 0, };
    unsigned char dst_str[100] = { 0, };
    unsigned char output[100]  = { 0, };
    mbedtls_aes_context crypt_ctx, tweak_ctx;
    int key_len, data_len;
    mbedtls_aes_init( &crypt_ctx );
    mbedtls_aes_init( &tweak_ctx );
    key_len = unhexify( key_str, hex_key_string );
    unhexify( iv_str, hex_iv_string );
    data_len = unhexify( src_str, hex_src_string );
    mbedtls_aes_setkey_enc( &crypt_ctx, key_str,               ( key_len * 8 ) / 2 );
    mbedtls_aes_setkey_enc( &tweak_ctx, key_str + key_len / 2, ( key_len * 8 ) / 2 );
    TEST_ASSERT( mbedtls_aes_crypt_xts( &crypt_ctx, &tweak_ctx, MBEDTLS_AES_ENCRYPT, data_unit_len, iv_str, src_str, output ) == xts_result );
    if( xts_result == 0 )
    {
        hexify( dst_str, output, data_len );
        TEST_ASSERT( strcmp( (char *) dst_str, hex_dst_string ) == 0 );
    }
 exit:
    mbedtls_aes_free( &crypt_ctx );
    mbedtls_aes_free( &tweak_ctx );
 }
 /* END_CASE */
 /* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_XTS */
 void aes_decrypt_xts( char *hex_key_string, char *hex_iv_string,
                      char *hex_src_string, char *hex_dst_string,
                      int data_unit_len, int xts_result )
 {
    unsigned char key_str[100] = { 0, };
    unsigned char iv_str[100]  = { 0, };
    unsigned char src_str[100] = { 0, };
    unsigned char dst_str[100] = { 0, };
    unsigned char output[100]  = { 0, };
    mbedtls_aes_context crypt_ctx, tweak_ctx;
    int key_len, data_len;
    mbedtls_aes_init( &crypt_ctx );
    mbedtls_aes_init( &tweak_ctx );
    key_len = unhexify( key_str, hex_key_string );
    unhexify( iv_str, hex_iv_string );
    data_len = unhexify( src_str, hex_src_string );
    mbedtls_aes_setkey_dec( &crypt_ctx, key_str,               ( key_len * 8 ) / 2 );
    mbedtls_aes_setkey_enc( &tweak_ctx, key_str + key_len / 2, ( key_len * 8 ) / 2 );
 	TEST_ASSERT( mbedtls_aes_crypt_xts( &crypt_ctx, &tweak_ctx, MBEDTLS_AES_DECRYPT, data_unit_len, iv_str, src_str, output ) == xts_result );
    if( xts_result == 0 )
    {
        hexify( dst_str, output, data_len );
        TEST_ASSERT( strcmp( (char *) dst_str, hex_dst_string ) == 0 );
    }
 exit:
    mbedtls_aes_free( &crypt_ctx );
    mbedtls_aes_free( &tweak_ctx );
 }
 /* END_CASE */
 /* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CFB */
 void aes_encrypt_cfb128( char *hex_key_string, char *hex_iv_string,
                         char *hex_src_string, char *hex_dst_string )
--- a/tests/suites/test_suite_aes.xts.data
+++ b/tests/suites/test_suite_aes.xts.data