1 /* ====================================================================
2 * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 *
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 *
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in
13 * the documentation and/or other materials provided with the
14 * distribution.
15 *
16 * 3. All advertising materials mentioning features or use of this
17 * software must display the following acknowledgment:
18 * "This product includes software developed by the OpenSSL Project
19 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
20 *
21 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
22 * endorse or promote products derived from this software without
23 * prior written permission. For written permission, please contact
24 * [email protected].
25 *
26 * 5. Products derived from this software may not be called "OpenSSL"
27 * nor may "OpenSSL" appear in their names without prior written
28 * permission of the OpenSSL Project.
29 *
30 * 6. Redistributions of any form whatsoever must retain the following
31 * acknowledgment:
32 * "This product includes software developed by the OpenSSL Project
33 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
34 *
35 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
36 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
37 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
38 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
39 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
40 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
41 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
42 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
43 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
44 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
45 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
46 * OF THE POSSIBILITY OF SUCH DAMAGE.
47 * ==================================================================== */
48
49 #include <openssl/evp.h>
50
51 #include <string.h>
52
53 #include <openssl/aes.h>
54 #include <openssl/cipher.h>
55
56 #include "../../crypto/fipsmodule/cipher/internal.h"
57 #include "../../crypto/fipsmodule/modes/internal.h"
58
59
60 typedef struct xts128_context {
61 AES_KEY *key1, *key2;
62 block128_f block1, block2;
63 } XTS128_CONTEXT;
64
CRYPTO_xts128_encrypt(const XTS128_CONTEXT * ctx,const uint8_t iv[16],const uint8_t * inp,uint8_t * out,size_t len,int enc)65 static size_t CRYPTO_xts128_encrypt(const XTS128_CONTEXT *ctx,
66 const uint8_t iv[16], const uint8_t *inp,
67 uint8_t *out, size_t len, int enc) {
68 union {
69 uint64_t u[2];
70 uint32_t d[4];
71 uint8_t c[16];
72 } tweak, scratch;
73 unsigned int i;
74
75 if (len < 16) return 0;
76
77 OPENSSL_memcpy(tweak.c, iv, 16);
78
79 (*ctx->block2)(tweak.c, tweak.c, ctx->key2);
80
81 if (!enc && (len % 16)) len -= 16;
82
83 while (len >= 16) {
84 OPENSSL_memcpy(scratch.c, inp, 16);
85 scratch.u[0] ^= tweak.u[0];
86 scratch.u[1] ^= tweak.u[1];
87 (*ctx->block1)(scratch.c, scratch.c, ctx->key1);
88 scratch.u[0] ^= tweak.u[0];
89 scratch.u[1] ^= tweak.u[1];
90 OPENSSL_memcpy(out, scratch.c, 16);
91 inp += 16;
92 out += 16;
93 len -= 16;
94
95 if (len == 0) return 1;
96
97 unsigned int carry, res;
98
99 res = 0x87 & (((int)tweak.d[3]) >> 31);
100 carry = (unsigned int)(tweak.u[0] >> 63);
101 tweak.u[0] = (tweak.u[0] << 1) ^ res;
102 tweak.u[1] = (tweak.u[1] << 1) | carry;
103 }
104 if (enc) {
105 for (i = 0; i < len; ++i) {
106 uint8_t c = inp[i];
107 out[i] = scratch.c[i];
108 scratch.c[i] = c;
109 }
110 scratch.u[0] ^= tweak.u[0];
111 scratch.u[1] ^= tweak.u[1];
112 (*ctx->block1)(scratch.c, scratch.c, ctx->key1);
113 scratch.u[0] ^= tweak.u[0];
114 scratch.u[1] ^= tweak.u[1];
115 OPENSSL_memcpy(out - 16, scratch.c, 16);
116 } else {
117 union {
118 uint64_t u[2];
119 uint8_t c[16];
120 } tweak1;
121
122 unsigned int carry, res;
123
124 res = 0x87 & (((int)tweak.d[3]) >> 31);
125 carry = (unsigned int)(tweak.u[0] >> 63);
126 tweak1.u[0] = (tweak.u[0] << 1) ^ res;
127 tweak1.u[1] = (tweak.u[1] << 1) | carry;
128 OPENSSL_memcpy(scratch.c, inp, 16);
129 scratch.u[0] ^= tweak1.u[0];
130 scratch.u[1] ^= tweak1.u[1];
131 (*ctx->block1)(scratch.c, scratch.c, ctx->key1);
132 scratch.u[0] ^= tweak1.u[0];
133 scratch.u[1] ^= tweak1.u[1];
134
135 for (i = 0; i < len; ++i) {
136 uint8_t c = inp[16 + i];
137 out[16 + i] = scratch.c[i];
138 scratch.c[i] = c;
139 }
140 scratch.u[0] ^= tweak.u[0];
141 scratch.u[1] ^= tweak.u[1];
142 (*ctx->block1)(scratch.c, scratch.c, ctx->key1);
143 scratch.u[0] ^= tweak.u[0];
144 scratch.u[1] ^= tweak.u[1];
145 OPENSSL_memcpy(out, scratch.c, 16);
146 }
147
148 return 1;
149 }
150
151 typedef struct {
152 union {
153 double align;
154 AES_KEY ks;
155 } ks1, ks2; // AES key schedules to use
156 XTS128_CONTEXT xts;
157 } EVP_AES_XTS_CTX;
158
aes_xts_init_key(EVP_CIPHER_CTX * ctx,const uint8_t * key,const uint8_t * iv,int enc)159 static int aes_xts_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key,
160 const uint8_t *iv, int enc) {
161 EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
162 if (!iv && !key) {
163 return 1;
164 }
165
166 if (key) {
167 // key_len is two AES keys
168 if (enc) {
169 AES_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
170 xctx->xts.block1 = AES_encrypt;
171 } else {
172 AES_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1.ks);
173 xctx->xts.block1 = AES_decrypt;
174 }
175
176 AES_set_encrypt_key(key + ctx->key_len / 2,
177 ctx->key_len * 4, &xctx->ks2.ks);
178 xctx->xts.block2 = AES_encrypt;
179 xctx->xts.key1 = &xctx->ks1.ks;
180 }
181
182 if (iv) {
183 xctx->xts.key2 = &xctx->ks2.ks;
184 OPENSSL_memcpy(ctx->iv, iv, 16);
185 }
186
187 return 1;
188 }
189
aes_xts_cipher(EVP_CIPHER_CTX * ctx,uint8_t * out,const uint8_t * in,size_t len)190 static int aes_xts_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out,
191 const uint8_t *in, size_t len) {
192 EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
193 if (!xctx->xts.key1 ||
194 !xctx->xts.key2 ||
195 !out ||
196 !in ||
197 len < AES_BLOCK_SIZE ||
198 !CRYPTO_xts128_encrypt(&xctx->xts, ctx->iv, in, out, len, ctx->encrypt)) {
199 return 0;
200 }
201 return 1;
202 }
203
aes_xts_ctrl(EVP_CIPHER_CTX * c,int type,int arg,void * ptr)204 static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) {
205 EVP_AES_XTS_CTX *xctx = c->cipher_data;
206 if (type == EVP_CTRL_COPY) {
207 EVP_CIPHER_CTX *out = ptr;
208 EVP_AES_XTS_CTX *xctx_out = out->cipher_data;
209 if (xctx->xts.key1) {
210 if (xctx->xts.key1 != &xctx->ks1.ks) {
211 return 0;
212 }
213 xctx_out->xts.key1 = &xctx_out->ks1.ks;
214 }
215 if (xctx->xts.key2) {
216 if (xctx->xts.key2 != &xctx->ks2.ks) {
217 return 0;
218 }
219 xctx_out->xts.key2 = &xctx_out->ks2.ks;
220 }
221 return 1;
222 } else if (type != EVP_CTRL_INIT) {
223 return -1;
224 }
225 // key1 and key2 are used as an indicator both key and IV are set
226 xctx->xts.key1 = NULL;
227 xctx->xts.key2 = NULL;
228 return 1;
229 }
230
231 static const EVP_CIPHER aes_256_xts = {
232 .nid = NID_aes_256_xts,
233 .block_size = 1,
234 .key_len = 64 /* 2 AES-256 keys */,
235 .iv_len = 16,
236 .ctx_size = sizeof(EVP_AES_XTS_CTX),
237 .flags = EVP_CIPH_XTS_MODE | EVP_CIPH_CUSTOM_IV |
238 EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT |
239 EVP_CIPH_CUSTOM_COPY,
240 .init = aes_xts_init_key,
241 .cipher = aes_xts_cipher,
242 .ctrl = aes_xts_ctrl};
243
EVP_aes_256_xts(void)244 const EVP_CIPHER *EVP_aes_256_xts(void) { return &aes_256_xts; }
245