1 /* ==================================================================== 2 * Copyright (c) 2011 The OpenSSL Project. All rights reserved. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in 13 * the documentation and/or other materials provided with the 14 * distribution. 15 * 16 * 3. All advertising materials mentioning features or use of this 17 * software must display the following acknowledgment: 18 * "This product includes software developed by the OpenSSL Project 19 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 20 * 21 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 22 * endorse or promote products derived from this software without 23 * prior written permission. For written permission, please contact 24 * openssl-core (at) openssl.org. 25 * 26 * 5. Products derived from this software may not be called "OpenSSL" 27 * nor may "OpenSSL" appear in their names without prior written 28 * permission of the OpenSSL Project. 29 * 30 * 6. Redistributions of any form whatsoever must retain the following 31 * acknowledgment: 32 * "This product includes software developed by the OpenSSL Project 33 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 34 * 35 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 36 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 37 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 38 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 39 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 40 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 41 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 42 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 43 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 44 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 45 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 46 * OF THE POSSIBILITY OF SUCH DAMAGE. 47 * ==================================================================== */ 48 49 #include <openssl/evp.h> 50 51 #include <string.h> 52 53 #include <openssl/aes.h> 54 #include <openssl/cipher.h> 55 56 #include "../crypto/modes/internal.h" 57 58 59 typedef struct xts128_context { 60 void *key1, *key2; 61 block128_f block1, block2; 62 } XTS128_CONTEXT; 63 64 static size_t CRYPTO_xts128_encrypt(const XTS128_CONTEXT *ctx, 65 const uint8_t iv[16], const uint8_t *inp, 66 uint8_t *out, size_t len, int enc) { 67 union { 68 uint64_t u[2]; 69 uint32_t d[4]; 70 uint8_t c[16]; 71 } tweak, scratch; 72 unsigned int i; 73 74 if (len < 16) return 0; 75 76 memcpy(tweak.c, iv, 16); 77 78 (*ctx->block2)(tweak.c, tweak.c, ctx->key2); 79 80 if (!enc && (len % 16)) len -= 16; 81 82 while (len >= 16) { 83 #if STRICT_ALIGNMENT 84 memcpy(scratch.c, inp, 16); 85 scratch.u[0] ^= tweak.u[0]; 86 scratch.u[1] ^= tweak.u[1]; 87 #else 88 scratch.u[0] = ((uint64_t *)inp)[0] ^ tweak.u[0]; 89 scratch.u[1] = ((uint64_t *)inp)[1] ^ tweak.u[1]; 90 #endif 91 (*ctx->block1)(scratch.c, scratch.c, ctx->key1); 92 #if STRICT_ALIGNMENT 93 scratch.u[0] ^= tweak.u[0]; 94 scratch.u[1] ^= tweak.u[1]; 95 memcpy(out, scratch.c, 16); 96 #else 97 ((uint64_t *)out)[0] = scratch.u[0] ^= tweak.u[0]; 98 ((uint64_t *)out)[1] = scratch.u[1] ^= tweak.u[1]; 99 #endif 100 inp += 16; 101 out += 16; 102 len -= 16; 103 104 if (len == 0) return 1; 105 106 unsigned int carry, res; 107 108 res = 0x87 & (((int)tweak.d[3]) >> 31); 109 carry = (unsigned int)(tweak.u[0] >> 63); 110 tweak.u[0] = (tweak.u[0] << 1) ^ res; 111 tweak.u[1] = (tweak.u[1] << 1) | carry; 112 } 113 if (enc) { 114 for (i = 0; i < len; ++i) { 115 uint8_t c = inp[i]; 116 out[i] = scratch.c[i]; 117 scratch.c[i] = c; 118 } 119 scratch.u[0] ^= tweak.u[0]; 120 scratch.u[1] ^= tweak.u[1]; 121 (*ctx->block1)(scratch.c, scratch.c, ctx->key1); 122 scratch.u[0] ^= tweak.u[0]; 123 scratch.u[1] ^= tweak.u[1]; 124 memcpy(out - 16, scratch.c, 16); 125 } else { 126 union { 127 uint64_t u[2]; 128 uint8_t c[16]; 129 } tweak1; 130 131 unsigned int carry, res; 132 133 res = 0x87 & (((int)tweak.d[3]) >> 31); 134 carry = (unsigned int)(tweak.u[0] >> 63); 135 tweak1.u[0] = (tweak.u[0] << 1) ^ res; 136 tweak1.u[1] = (tweak.u[1] << 1) | carry; 137 #if STRICT_ALIGNMENT 138 memcpy(scratch.c, inp, 16); 139 scratch.u[0] ^= tweak1.u[0]; 140 scratch.u[1] ^= tweak1.u[1]; 141 #else 142 scratch.u[0] = ((uint64_t *)inp)[0] ^ tweak1.u[0]; 143 scratch.u[1] = ((uint64_t *)inp)[1] ^ tweak1.u[1]; 144 #endif 145 (*ctx->block1)(scratch.c, scratch.c, ctx->key1); 146 scratch.u[0] ^= tweak1.u[0]; 147 scratch.u[1] ^= tweak1.u[1]; 148 149 for (i = 0; i < len; ++i) { 150 uint8_t c = inp[16 + i]; 151 out[16 + i] = scratch.c[i]; 152 scratch.c[i] = c; 153 } 154 scratch.u[0] ^= tweak.u[0]; 155 scratch.u[1] ^= tweak.u[1]; 156 (*ctx->block1)(scratch.c, scratch.c, ctx->key1); 157 #if STRICT_ALIGNMENT 158 scratch.u[0] ^= tweak.u[0]; 159 scratch.u[1] ^= tweak.u[1]; 160 memcpy(out, scratch.c, 16); 161 #else 162 ((uint64_t *)out)[0] = scratch.u[0] ^ tweak.u[0]; 163 ((uint64_t *)out)[1] = scratch.u[1] ^ tweak.u[1]; 164 #endif 165 } 166 167 return 1; 168 } 169 170 typedef struct { 171 union { 172 double align; 173 AES_KEY ks; 174 } ks1, ks2; /* AES key schedules to use */ 175 XTS128_CONTEXT xts; 176 } EVP_AES_XTS_CTX; 177 178 static int aes_xts_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key, 179 const uint8_t *iv, int enc) { 180 EVP_AES_XTS_CTX *xctx = ctx->cipher_data; 181 if (!iv && !key) { 182 return 1; 183 } 184 185 if (key) { 186 /* key_len is two AES keys */ 187 if (enc) { 188 AES_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks); 189 xctx->xts.block1 = (block128_f) AES_encrypt; 190 } else { 191 AES_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks); 192 xctx->xts.block1 = (block128_f) AES_decrypt; 193 } 194 195 AES_set_encrypt_key(key + ctx->key_len / 2, 196 ctx->key_len * 4, &xctx->ks2.ks); 197 xctx->xts.block2 = (block128_f) AES_encrypt; 198 xctx->xts.key1 = &xctx->ks1; 199 } 200 201 if (iv) { 202 xctx->xts.key2 = &xctx->ks2; 203 memcpy(ctx->iv, iv, 16); 204 } 205 206 return 1; 207 } 208 209 static int aes_xts_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, 210 const uint8_t *in, size_t len) { 211 EVP_AES_XTS_CTX *xctx = ctx->cipher_data; 212 if (!xctx->xts.key1 || 213 !xctx->xts.key2 || 214 !out || 215 !in || 216 len < AES_BLOCK_SIZE || 217 !CRYPTO_xts128_encrypt(&xctx->xts, ctx->iv, in, out, len, ctx->encrypt)) { 218 return 0; 219 } 220 return 1; 221 } 222 223 static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) { 224 EVP_AES_XTS_CTX *xctx = c->cipher_data; 225 if (type == EVP_CTRL_COPY) { 226 EVP_CIPHER_CTX *out = ptr; 227 EVP_AES_XTS_CTX *xctx_out = out->cipher_data; 228 if (xctx->xts.key1) { 229 if (xctx->xts.key1 != &xctx->ks1) { 230 return 0; 231 } 232 xctx_out->xts.key1 = &xctx_out->ks1; 233 } 234 if (xctx->xts.key2) { 235 if (xctx->xts.key2 != &xctx->ks2) { 236 return 0; 237 } 238 xctx_out->xts.key2 = &xctx_out->ks2; 239 } 240 return 1; 241 } else if (type != EVP_CTRL_INIT) { 242 return -1; 243 } 244 /* key1 and key2 are used as an indicator both key and IV are set */ 245 xctx->xts.key1 = NULL; 246 xctx->xts.key2 = NULL; 247 return 1; 248 } 249 250 static const EVP_CIPHER aes_256_xts = { 251 NID_aes_256_xts, 1 /* block_size */, 64 /* key_size (2 AES keys) */, 252 16 /* iv_len */, sizeof(EVP_AES_XTS_CTX), 253 EVP_CIPH_XTS_MODE | EVP_CIPH_CUSTOM_IV | EVP_CIPH_ALWAYS_CALL_INIT | 254 EVP_CIPH_CTRL_INIT | EVP_CIPH_CUSTOM_COPY, 255 NULL /* app_data */, aes_xts_init_key, aes_xts_cipher, 256 NULL /* cleanup */, aes_xts_ctrl}; 257 258 const EVP_CIPHER *EVP_aes_256_xts(void) { return &aes_256_xts; } 259