1 /* ====================================================================
2 * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 *
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 *
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in
13 * the documentation and/or other materials provided with the
14 * distribution.
15 *
16 * 3. All advertising materials mentioning features or use of this
17 * software must display the following acknowledgment:
18 * "This product includes software developed by the OpenSSL Project
19 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
20 *
21 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
22 * endorse or promote products derived from this software without
23 * prior written permission. For written permission, please contact
24 * openssl-core@openssl.org.
25 *
26 * 5. Products derived from this software may not be called "OpenSSL"
27 * nor may "OpenSSL" appear in their names without prior written
28 * permission of the OpenSSL Project.
29 *
30 * 6. Redistributions of any form whatsoever must retain the following
31 * acknowledgment:
32 * "This product includes software developed by the OpenSSL Project
33 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
34 *
35 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
36 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
37 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
38 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
39 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
40 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
41 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
42 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
43 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
44 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
45 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
46 * OF THE POSSIBILITY OF SUCH DAMAGE.
47 * ==================================================================== */
48
49 #include <openssl/evp.h>
50
51 #include <string.h>
52
53 #include <openssl/aes.h>
54 #include <openssl/cipher.h>
55
56 #include "../crypto/fipsmodule/modes/internal.h"
57
58
59 typedef struct xts128_context {
60 AES_KEY *key1, *key2;
61 block128_f block1, block2;
62 } XTS128_CONTEXT;
63
CRYPTO_xts128_encrypt(const XTS128_CONTEXT * ctx,const uint8_t iv[16],const uint8_t * inp,uint8_t * out,size_t len,int enc)64 static size_t CRYPTO_xts128_encrypt(const XTS128_CONTEXT *ctx,
65 const uint8_t iv[16], const uint8_t *inp,
66 uint8_t *out, size_t len, int enc) {
67 union {
68 uint64_t u[2];
69 uint32_t d[4];
70 uint8_t c[16];
71 } tweak, scratch;
72 unsigned int i;
73
74 if (len < 16) return 0;
75
76 OPENSSL_memcpy(tweak.c, iv, 16);
77
78 (*ctx->block2)(tweak.c, tweak.c, ctx->key2);
79
80 if (!enc && (len % 16)) len -= 16;
81
82 while (len >= 16) {
83 OPENSSL_memcpy(scratch.c, inp, 16);
84 scratch.u[0] ^= tweak.u[0];
85 scratch.u[1] ^= tweak.u[1];
86 (*ctx->block1)(scratch.c, scratch.c, ctx->key1);
87 scratch.u[0] ^= tweak.u[0];
88 scratch.u[1] ^= tweak.u[1];
89 OPENSSL_memcpy(out, scratch.c, 16);
90 inp += 16;
91 out += 16;
92 len -= 16;
93
94 if (len == 0) return 1;
95
96 unsigned int carry, res;
97
98 res = 0x87 & (((int)tweak.d[3]) >> 31);
99 carry = (unsigned int)(tweak.u[0] >> 63);
100 tweak.u[0] = (tweak.u[0] << 1) ^ res;
101 tweak.u[1] = (tweak.u[1] << 1) | carry;
102 }
103 if (enc) {
104 for (i = 0; i < len; ++i) {
105 uint8_t c = inp[i];
106 out[i] = scratch.c[i];
107 scratch.c[i] = c;
108 }
109 scratch.u[0] ^= tweak.u[0];
110 scratch.u[1] ^= tweak.u[1];
111 (*ctx->block1)(scratch.c, scratch.c, ctx->key1);
112 scratch.u[0] ^= tweak.u[0];
113 scratch.u[1] ^= tweak.u[1];
114 OPENSSL_memcpy(out - 16, scratch.c, 16);
115 } else {
116 union {
117 uint64_t u[2];
118 uint8_t c[16];
119 } tweak1;
120
121 unsigned int carry, res;
122
123 res = 0x87 & (((int)tweak.d[3]) >> 31);
124 carry = (unsigned int)(tweak.u[0] >> 63);
125 tweak1.u[0] = (tweak.u[0] << 1) ^ res;
126 tweak1.u[1] = (tweak.u[1] << 1) | carry;
127 OPENSSL_memcpy(scratch.c, inp, 16);
128 scratch.u[0] ^= tweak1.u[0];
129 scratch.u[1] ^= tweak1.u[1];
130 (*ctx->block1)(scratch.c, scratch.c, ctx->key1);
131 scratch.u[0] ^= tweak1.u[0];
132 scratch.u[1] ^= tweak1.u[1];
133
134 for (i = 0; i < len; ++i) {
135 uint8_t c = inp[16 + i];
136 out[16 + i] = scratch.c[i];
137 scratch.c[i] = c;
138 }
139 scratch.u[0] ^= tweak.u[0];
140 scratch.u[1] ^= tweak.u[1];
141 (*ctx->block1)(scratch.c, scratch.c, ctx->key1);
142 scratch.u[0] ^= tweak.u[0];
143 scratch.u[1] ^= tweak.u[1];
144 OPENSSL_memcpy(out, scratch.c, 16);
145 }
146
147 return 1;
148 }
149
150 typedef struct {
151 union {
152 double align;
153 AES_KEY ks;
154 } ks1, ks2; // AES key schedules to use
155 XTS128_CONTEXT xts;
156 } EVP_AES_XTS_CTX;
157
aes_xts_init_key(EVP_CIPHER_CTX * ctx,const uint8_t * key,const uint8_t * iv,int enc)158 static int aes_xts_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key,
159 const uint8_t *iv, int enc) {
160 EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
161 if (!iv && !key) {
162 return 1;
163 }
164
165 if (key) {
166 // key_len is two AES keys
167 if (enc) {
168 AES_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
169 xctx->xts.block1 = AES_encrypt;
170 } else {
171 AES_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
172 xctx->xts.block1 = AES_decrypt;
173 }
174
175 AES_set_encrypt_key(key + ctx->key_len / 2,
176 ctx->key_len * 4, &xctx->ks2.ks);
177 xctx->xts.block2 = AES_encrypt;
178 xctx->xts.key1 = &xctx->ks1.ks;
179 }
180
181 if (iv) {
182 xctx->xts.key2 = &xctx->ks2.ks;
183 OPENSSL_memcpy(ctx->iv, iv, 16);
184 }
185
186 return 1;
187 }
188
aes_xts_cipher(EVP_CIPHER_CTX * ctx,uint8_t * out,const uint8_t * in,size_t len)189 static int aes_xts_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out,
190 const uint8_t *in, size_t len) {
191 EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
192 if (!xctx->xts.key1 ||
193 !xctx->xts.key2 ||
194 !out ||
195 !in ||
196 len < AES_BLOCK_SIZE ||
197 !CRYPTO_xts128_encrypt(&xctx->xts, ctx->iv, in, out, len, ctx->encrypt)) {
198 return 0;
199 }
200 return 1;
201 }
202
aes_xts_ctrl(EVP_CIPHER_CTX * c,int type,int arg,void * ptr)203 static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) {
204 EVP_AES_XTS_CTX *xctx = c->cipher_data;
205 if (type == EVP_CTRL_COPY) {
206 EVP_CIPHER_CTX *out = ptr;
207 EVP_AES_XTS_CTX *xctx_out = out->cipher_data;
208 if (xctx->xts.key1) {
209 if (xctx->xts.key1 != &xctx->ks1.ks) {
210 return 0;
211 }
212 xctx_out->xts.key1 = &xctx_out->ks1.ks;
213 }
214 if (xctx->xts.key2) {
215 if (xctx->xts.key2 != &xctx->ks2.ks) {
216 return 0;
217 }
218 xctx_out->xts.key2 = &xctx_out->ks2.ks;
219 }
220 return 1;
221 } else if (type != EVP_CTRL_INIT) {
222 return -1;
223 }
224 // key1 and key2 are used as an indicator both key and IV are set
225 xctx->xts.key1 = NULL;
226 xctx->xts.key2 = NULL;
227 return 1;
228 }
229
230 static const EVP_CIPHER aes_256_xts = {
231 NID_aes_256_xts, 1 /* block_size */, 64 /* key_size (2 AES keys) */,
232 16 /* iv_len */, sizeof(EVP_AES_XTS_CTX),
233 EVP_CIPH_XTS_MODE | EVP_CIPH_CUSTOM_IV | EVP_CIPH_ALWAYS_CALL_INIT |
234 EVP_CIPH_CTRL_INIT | EVP_CIPH_CUSTOM_COPY,
235 NULL /* app_data */, aes_xts_init_key, aes_xts_cipher,
236 NULL /* cleanup */, aes_xts_ctrl};
237
EVP_aes_256_xts(void)238 const EVP_CIPHER *EVP_aes_256_xts(void) { return &aes_256_xts; }
239