1 /* ====================================================================
2 * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 *
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 *
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in
13 * the documentation and/or other materials provided with the
14 * distribution.
15 *
16 * 3. All advertising materials mentioning features or use of this
17 * software must display the following acknowledgment:
18 * "This product includes software developed by the OpenSSL Project
19 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
20 *
21 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
22 * endorse or promote products derived from this software without
23 * prior written permission. For written permission, please contact
24 * openssl-core@openssl.org.
25 *
26 * 5. Products derived from this software may not be called "OpenSSL"
27 * nor may "OpenSSL" appear in their names without prior written
28 * permission of the OpenSSL Project.
29 *
30 * 6. Redistributions of any form whatsoever must retain the following
31 * acknowledgment:
32 * "This product includes software developed by the OpenSSL Project
33 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
34 *
35 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
36 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
37 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
38 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
39 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
40 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
41 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
42 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
43 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
44 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
45 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
46 * OF THE POSSIBILITY OF SUCH DAMAGE.
47 * ==================================================================== */
48
49 #include <openssl/evp.h>
50
51 #include <string.h>
52
53 #include <openssl/aes.h>
54 #include <openssl/cipher.h>
55
56 #include "../../crypto/fipsmodule/cipher/internal.h"
57 #include "../../crypto/fipsmodule/modes/internal.h"
58
59
60 typedef struct xts128_context {
61 AES_KEY *key1, *key2;
62 block128_f block1, block2;
63 } XTS128_CONTEXT;
64
CRYPTO_xts128_encrypt(const XTS128_CONTEXT * ctx,const uint8_t iv[16],const uint8_t * inp,uint8_t * out,size_t len,int enc)65 static size_t CRYPTO_xts128_encrypt(const XTS128_CONTEXT *ctx,
66 const uint8_t iv[16], const uint8_t *inp,
67 uint8_t *out, size_t len, int enc) {
68 union {
69 uint64_t u[2];
70 uint32_t d[4];
71 uint8_t c[16];
72 } tweak, scratch;
73 unsigned int i;
74
75 if (len < 16) {
76 return 0;
77 }
78
79 OPENSSL_memcpy(tweak.c, iv, 16);
80
81 (*ctx->block2)(tweak.c, tweak.c, ctx->key2);
82
83 if (!enc && (len % 16)) {
84 len -= 16;
85 }
86
87 while (len >= 16) {
88 OPENSSL_memcpy(scratch.c, inp, 16);
89 scratch.u[0] ^= tweak.u[0];
90 scratch.u[1] ^= tweak.u[1];
91 (*ctx->block1)(scratch.c, scratch.c, ctx->key1);
92 scratch.u[0] ^= tweak.u[0];
93 scratch.u[1] ^= tweak.u[1];
94 OPENSSL_memcpy(out, scratch.c, 16);
95 inp += 16;
96 out += 16;
97 len -= 16;
98
99 if (len == 0) {
100 return 1;
101 }
102
103 unsigned int carry, res;
104
105 res = 0x87 & (((int)tweak.d[3]) >> 31);
106 carry = (unsigned int)(tweak.u[0] >> 63);
107 tweak.u[0] = (tweak.u[0] << 1) ^ res;
108 tweak.u[1] = (tweak.u[1] << 1) | carry;
109 }
110 if (enc) {
111 for (i = 0; i < len; ++i) {
112 uint8_t c = inp[i];
113 out[i] = scratch.c[i];
114 scratch.c[i] = c;
115 }
116 scratch.u[0] ^= tweak.u[0];
117 scratch.u[1] ^= tweak.u[1];
118 (*ctx->block1)(scratch.c, scratch.c, ctx->key1);
119 scratch.u[0] ^= tweak.u[0];
120 scratch.u[1] ^= tweak.u[1];
121 OPENSSL_memcpy(out - 16, scratch.c, 16);
122 } else {
123 union {
124 uint64_t u[2];
125 uint8_t c[16];
126 } tweak1;
127
128 unsigned int carry, res;
129
130 res = 0x87 & (((int)tweak.d[3]) >> 31);
131 carry = (unsigned int)(tweak.u[0] >> 63);
132 tweak1.u[0] = (tweak.u[0] << 1) ^ res;
133 tweak1.u[1] = (tweak.u[1] << 1) | carry;
134 OPENSSL_memcpy(scratch.c, inp, 16);
135 scratch.u[0] ^= tweak1.u[0];
136 scratch.u[1] ^= tweak1.u[1];
137 (*ctx->block1)(scratch.c, scratch.c, ctx->key1);
138 scratch.u[0] ^= tweak1.u[0];
139 scratch.u[1] ^= tweak1.u[1];
140
141 for (i = 0; i < len; ++i) {
142 uint8_t c = inp[16 + i];
143 out[16 + i] = scratch.c[i];
144 scratch.c[i] = c;
145 }
146 scratch.u[0] ^= tweak.u[0];
147 scratch.u[1] ^= tweak.u[1];
148 (*ctx->block1)(scratch.c, scratch.c, ctx->key1);
149 scratch.u[0] ^= tweak.u[0];
150 scratch.u[1] ^= tweak.u[1];
151 OPENSSL_memcpy(out, scratch.c, 16);
152 }
153
154 return 1;
155 }
156
157 typedef struct {
158 union {
159 double align;
160 AES_KEY ks;
161 } ks1, ks2; // AES key schedules to use
162 XTS128_CONTEXT xts;
163 } EVP_AES_XTS_CTX;
164
aes_xts_init_key(EVP_CIPHER_CTX * ctx,const uint8_t * key,const uint8_t * iv,int enc)165 static int aes_xts_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key,
166 const uint8_t *iv, int enc) {
167 EVP_AES_XTS_CTX *xctx = reinterpret_cast<EVP_AES_XTS_CTX *>(ctx->cipher_data);
168 if (!iv && !key) {
169 return 1;
170 }
171
172 if (key) {
173 // key_len is two AES keys
174 if (enc) {
175 AES_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
176 xctx->xts.block1 = AES_encrypt;
177 } else {
178 AES_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
179 xctx->xts.block1 = AES_decrypt;
180 }
181
182 AES_set_encrypt_key(key + ctx->key_len / 2, ctx->key_len * 4,
183 &xctx->ks2.ks);
184 xctx->xts.block2 = AES_encrypt;
185 xctx->xts.key1 = &xctx->ks1.ks;
186 }
187
188 if (iv) {
189 xctx->xts.key2 = &xctx->ks2.ks;
190 OPENSSL_memcpy(ctx->iv, iv, 16);
191 }
192
193 return 1;
194 }
195
aes_xts_cipher(EVP_CIPHER_CTX * ctx,uint8_t * out,const uint8_t * in,size_t len)196 static int aes_xts_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,
197 size_t len) {
198 EVP_AES_XTS_CTX *xctx = reinterpret_cast<EVP_AES_XTS_CTX *>(ctx->cipher_data);
199 if (!xctx->xts.key1 || !xctx->xts.key2 || !out || !in ||
200 len < AES_BLOCK_SIZE ||
201 !CRYPTO_xts128_encrypt(&xctx->xts, ctx->iv, in, out, len, ctx->encrypt)) {
202 return 0;
203 }
204 return 1;
205 }
206
aes_xts_ctrl(EVP_CIPHER_CTX * c,int type,int arg,void * ptr)207 static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) {
208 EVP_AES_XTS_CTX *xctx = reinterpret_cast<EVP_AES_XTS_CTX *>(c->cipher_data);
209 if (type == EVP_CTRL_COPY) {
210 EVP_CIPHER_CTX *out = reinterpret_cast<EVP_CIPHER_CTX *>(ptr);
211 EVP_AES_XTS_CTX *xctx_out =
212 reinterpret_cast<EVP_AES_XTS_CTX *>(out->cipher_data);
213 if (xctx->xts.key1) {
214 if (xctx->xts.key1 != &xctx->ks1.ks) {
215 return 0;
216 }
217 xctx_out->xts.key1 = &xctx_out->ks1.ks;
218 }
219 if (xctx->xts.key2) {
220 if (xctx->xts.key2 != &xctx->ks2.ks) {
221 return 0;
222 }
223 xctx_out->xts.key2 = &xctx_out->ks2.ks;
224 }
225 return 1;
226 } else if (type != EVP_CTRL_INIT) {
227 return -1;
228 }
229 // key1 and key2 are used as an indicator both key and IV are set
230 xctx->xts.key1 = NULL;
231 xctx->xts.key2 = NULL;
232 return 1;
233 }
234
235 static const EVP_CIPHER aes_256_xts = {
236 /* nid= */ NID_aes_256_xts,
237 /* block_size= */ 1,
238 /* key_len= */ 64 /* 2 AES-256 keys */,
239 /* iv_len= */ 16,
240 /* ctx_size= */ sizeof(EVP_AES_XTS_CTX),
241 /* flags= */ EVP_CIPH_XTS_MODE | EVP_CIPH_CUSTOM_IV |
242 EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT |
243 EVP_CIPH_CUSTOM_COPY,
244 /* init= */ aes_xts_init_key,
245 /* cipher= */ aes_xts_cipher,
246 /* cleanup= */ nullptr,
247 /* ctrl= */ aes_xts_ctrl,
248 };
249
EVP_aes_256_xts(void)250 const EVP_CIPHER *EVP_aes_256_xts(void) { return &aes_256_xts; }
251