/src/libgcrypt/cipher/cipher-xts.c

Source (jump to first uncovered line)
/* cipher-xts.c  - XTS mode implementation
 * Copyright (C) 2017 Jussi Kivilinna <jussi.kivilinna@iki.fi>
 *
 * This file is part of Libgcrypt.
 *
 * Libgcrypt is free software; you can redistribute it and/or modify
 * it under the terms of the GNU Lesser general Public License as
 * published by the Free Software Foundation; either version 2.1 of
 * the License, or (at your option) any later version.
 *
 * Libgcrypt is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this program; if not, see <http://www.gnu.org/licenses/>.
 */

#include <config.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

#include "g10lib.h"
#include "cipher.h"
#include "bufhelp.h"
#include "./cipher-internal.h"


static inline void xts_gfmul_byA (unsigned char *out, const unsigned char *in)
{
  u64 hi = buf_get_le64 (in + 8);
  u64 lo = buf_get_le64 (in + 0);
  u64 carry = -(hi >> 63) & 0x87;

  hi = (hi << 1) + (lo >> 63);
  lo = (lo << 1) ^ carry;

  buf_put_le64 (out + 8, hi);
  buf_put_le64 (out + 0, lo);
}


static inline void xts_inc128 (unsigned char *seqno)
{
  u64 lo = buf_get_le64 (seqno + 0);
  u64 hi = buf_get_le64 (seqno + 8);

  hi += !(++lo);

  buf_put_le64 (seqno + 0, lo);
  buf_put_le64 (seqno + 8, hi);
}


gcry_err_code_t
_gcry_cipher_xts_crypt (gcry_cipher_hd_t c,
      unsigned char *outbuf, size_t outbuflen,
      const unsigned char *inbuf, size_t inbuflen,
      int encrypt)
{
  gcry_cipher_encrypt_t tweak_fn = c->spec->encrypt;
  gcry_cipher_encrypt_t crypt_fn =
    encrypt ? c->spec->encrypt : c->spec->decrypt;
  union
  {
    cipher_context_alignment_t xcx;
    byte x1[GCRY_XTS_BLOCK_LEN];
    u64 x64[GCRY_XTS_BLOCK_LEN / sizeof(u64)];
  } tmp;
  unsigned int burn, nburn;
  size_t nblocks;

  if (c->spec->blocksize != GCRY_XTS_BLOCK_LEN)
    return GPG_ERR_CIPHER_ALGO;
  if (outbuflen < inbuflen)
    return GPG_ERR_BUFFER_TOO_SHORT;
  if (inbuflen < GCRY_XTS_BLOCK_LEN)
    return GPG_ERR_BUFFER_TOO_SHORT;

  /* Data-unit max length: 2^20 blocks. */
  if (inbuflen > GCRY_XTS_BLOCK_LEN << 20)
    return GPG_ERR_INV_LENGTH;

  nblocks = inbuflen / GCRY_XTS_BLOCK_LEN;
  nblocks -= !encrypt && (inbuflen % GCRY_XTS_BLOCK_LEN) != 0;

  /* Generate first tweak value.  */
  burn = tweak_fn (c->u_mode.xts.tweak_context, c->u_ctr.ctr, c->u_iv.iv);

  /* Use a bulk method if available.  */
  if (nblocks && c->bulk.xts_crypt)
    {
      c->bulk.xts_crypt (&c->context.c, c->u_ctr.ctr, outbuf, inbuf, nblocks,
       encrypt);
      inbuf  += nblocks * GCRY_XTS_BLOCK_LEN;
      outbuf += nblocks * GCRY_XTS_BLOCK_LEN;
      inbuflen -= nblocks * GCRY_XTS_BLOCK_LEN;
      nblocks = 0;
    }

  /* If we don't have a bulk method use the standard method.  We also
    use this method for the a remaining partial block.  */

  while (nblocks)
    {
      /* Xor-Encrypt/Decrypt-Xor block. */
      cipher_block_xor (tmp.x64, inbuf, c->u_ctr.ctr, GCRY_XTS_BLOCK_LEN);
      nburn = crypt_fn (&c->context.c, tmp.x1, tmp.x1);
      burn = nburn > burn ? nburn : burn;
      cipher_block_xor (outbuf, tmp.x64, c->u_ctr.ctr, GCRY_XTS_BLOCK_LEN);

      outbuf += GCRY_XTS_BLOCK_LEN;
      inbuf += GCRY_XTS_BLOCK_LEN;
      inbuflen -= GCRY_XTS_BLOCK_LEN;
      nblocks--;

      /* Generate next tweak. */
      xts_gfmul_byA (c->u_ctr.ctr, c->u_ctr.ctr);
    }

  /* Handle remaining data with ciphertext stealing. */
  if (inbuflen)
    {
      if (!encrypt)
  {
    gcry_assert (inbuflen > GCRY_XTS_BLOCK_LEN);
    gcry_assert (inbuflen < GCRY_XTS_BLOCK_LEN * 2);

    /* Generate last tweak. */
    xts_gfmul_byA (tmp.x1, c->u_ctr.ctr);

    /* Decrypt last block first. */
    cipher_block_xor (outbuf, inbuf, tmp.x64, GCRY_XTS_BLOCK_LEN);
    nburn = crypt_fn (&c->context.c, outbuf, outbuf);
    burn = nburn > burn ? nburn : burn;
    cipher_block_xor (outbuf, outbuf, tmp.x64, GCRY_XTS_BLOCK_LEN);

    inbuflen -= GCRY_XTS_BLOCK_LEN;
    inbuf += GCRY_XTS_BLOCK_LEN;
    outbuf += GCRY_XTS_BLOCK_LEN;
  }

      gcry_assert (inbuflen < GCRY_XTS_BLOCK_LEN);
      outbuf -= GCRY_XTS_BLOCK_LEN;

      /* Steal ciphertext from previous block. */
      cipher_block_cpy (tmp.x64, outbuf, GCRY_XTS_BLOCK_LEN);
      buf_cpy (tmp.x64, inbuf, inbuflen);
      buf_cpy (outbuf + GCRY_XTS_BLOCK_LEN, outbuf, inbuflen);

      /* Decrypt/Encrypt last block. */
      cipher_block_xor (tmp.x64, tmp.x64, c->u_ctr.ctr, GCRY_XTS_BLOCK_LEN);
      nburn = crypt_fn (&c->context.c, tmp.x1, tmp.x1);
      burn = nburn > burn ? nburn : burn;
      cipher_block_xor (outbuf, tmp.x64, c->u_ctr.ctr, GCRY_XTS_BLOCK_LEN);
    }

  /* Auto-increment data-unit sequence number */
  xts_inc128 (c->u_iv.iv);

  wipememory (&tmp, sizeof(tmp));
  wipememory (c->u_ctr.ctr, sizeof(c->u_ctr.ctr));

  if (burn > 0)
    _gcry_burn_stack (burn + 4 * sizeof(void *));

  return 0;
}


gcry_err_code_t
_gcry_cipher_xts_encrypt (gcry_cipher_hd_t c,
                          unsigned char *outbuf, size_t outbuflen,
                          const unsigned char *inbuf, size_t inbuflen)
{
  return _gcry_cipher_xts_crypt (c, outbuf, outbuflen, inbuf, inbuflen, 1);
}


gcry_err_code_t
_gcry_cipher_xts_decrypt (gcry_cipher_hd_t c,
                          unsigned char *outbuf, size_t outbuflen,
                          const unsigned char *inbuf, size_t inbuflen)
{
  return _gcry_cipher_xts_crypt (c, outbuf, outbuflen, inbuf, inbuflen, 0);
}

Line	Count	Source (jump to first uncovered line)
1		/* cipher-xts.c - XTS mode implementation
2		* Copyright (C) 2017 Jussi Kivilinna <jussi.kivilinna@iki.fi>
3		*
4		* This file is part of Libgcrypt.
5		*
6		* Libgcrypt is free software; you can redistribute it and/or modify
7		* it under the terms of the GNU Lesser general Public License as
8		* published by the Free Software Foundation; either version 2.1 of
9		* the License, or (at your option) any later version.
10		*
11		* Libgcrypt is distributed in the hope that it will be useful,
12		* but WITHOUT ANY WARRANTY; without even the implied warranty of
13		* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14		* GNU Lesser General Public License for more details.
15		*
16		* You should have received a copy of the GNU Lesser General Public
17		* License along with this program; if not, see <http://www.gnu.org/licenses/>.
18		*/
19
20		#include <config.h>
21		#include <stdio.h>
22		#include <stdlib.h>
23		#include <string.h>
24		#include <errno.h>
25
26		#include "g10lib.h"
27		#include "cipher.h"
28		#include "bufhelp.h"
29		#include "./cipher-internal.h"
30
31
32		static inline void xts_gfmul_byA (unsigned char out, const unsigned char in)
33	0	{
34	0	u64 hi = buf_get_le64 (in + 8);
35	0	u64 lo = buf_get_le64 (in + 0);
36	0	u64 carry = -(hi >> 63) & 0x87;
37
38	0	hi = (hi << 1) + (lo >> 63);
39	0	lo = (lo << 1) ^ carry;
40
41	0	buf_put_le64 (out + 8, hi);
42	0	buf_put_le64 (out + 0, lo);
43	0	}
44
45
46		static inline void xts_inc128 (unsigned char *seqno)
47	0	{
48	0	u64 lo = buf_get_le64 (seqno + 0);
49	0	u64 hi = buf_get_le64 (seqno + 8);
50
51	0	hi += !(++lo);
52
53	0	buf_put_le64 (seqno + 0, lo);
54	0	buf_put_le64 (seqno + 8, hi);
55	0	}
56
57
58		gcry_err_code_t
59		_gcry_cipher_xts_crypt (gcry_cipher_hd_t c,
60		unsigned char *outbuf, size_t outbuflen,
61		const unsigned char *inbuf, size_t inbuflen,
62		int encrypt)
63	0	{
64	0	gcry_cipher_encrypt_t tweak_fn = c->spec->encrypt;
65	0	gcry_cipher_encrypt_t crypt_fn =
66	0	encrypt ? c->spec->encrypt : c->spec->decrypt;
67	0	union
68	0	{
69	0	cipher_context_alignment_t xcx;
70	0	byte x1[GCRY_XTS_BLOCK_LEN];
71	0	u64 x64[GCRY_XTS_BLOCK_LEN / sizeof(u64)];
72	0	} tmp;
73	0	unsigned int burn, nburn;
74	0	size_t nblocks;
75
76	0	if (c->spec->blocksize != GCRY_XTS_BLOCK_LEN)
77	0	return GPG_ERR_CIPHER_ALGO;
78	0	if (outbuflen < inbuflen)
79	0	return GPG_ERR_BUFFER_TOO_SHORT;
80	0	if (inbuflen < GCRY_XTS_BLOCK_LEN)
81	0	return GPG_ERR_BUFFER_TOO_SHORT;
82
83		/* Data-unit max length: 2^20 blocks. */
84	0	if (inbuflen > GCRY_XTS_BLOCK_LEN << 20)
85	0	return GPG_ERR_INV_LENGTH;
86
87	0	nblocks = inbuflen / GCRY_XTS_BLOCK_LEN;
88	0	nblocks -= !encrypt && (inbuflen % GCRY_XTS_BLOCK_LEN) != 0;
89
90		/* Generate first tweak value. */
91	0	burn = tweak_fn (c->u_mode.xts.tweak_context, c->u_ctr.ctr, c->u_iv.iv);
92
93		/* Use a bulk method if available. */
94	0	if (nblocks && c->bulk.xts_crypt)
95	0	{
96	0	c->bulk.xts_crypt (&c->context.c, c->u_ctr.ctr, outbuf, inbuf, nblocks,
97	0	encrypt);
98	0	inbuf += nblocks * GCRY_XTS_BLOCK_LEN;
99	0	outbuf += nblocks * GCRY_XTS_BLOCK_LEN;
100	0	inbuflen -= nblocks * GCRY_XTS_BLOCK_LEN;
101	0	nblocks = 0;
102	0	}
103
104		/* If we don't have a bulk method use the standard method. We also
105		use this method for the a remaining partial block. */
106
107	0	while (nblocks)
108	0	{
109		/* Xor-Encrypt/Decrypt-Xor block. */
110	0	cipher_block_xor (tmp.x64, inbuf, c->u_ctr.ctr, GCRY_XTS_BLOCK_LEN);
111	0	nburn = crypt_fn (&c->context.c, tmp.x1, tmp.x1);
112	0	burn = nburn > burn ? nburn : burn;
113	0	cipher_block_xor (outbuf, tmp.x64, c->u_ctr.ctr, GCRY_XTS_BLOCK_LEN);
114
115	0	outbuf += GCRY_XTS_BLOCK_LEN;
116	0	inbuf += GCRY_XTS_BLOCK_LEN;
117	0	inbuflen -= GCRY_XTS_BLOCK_LEN;
118	0	nblocks--;
119
120		/* Generate next tweak. */
121	0	xts_gfmul_byA (c->u_ctr.ctr, c->u_ctr.ctr);
122	0	}
123
124		/* Handle remaining data with ciphertext stealing. */
125	0	if (inbuflen)
126	0	{
127	0	if (!encrypt)
128	0	{
129	0	gcry_assert (inbuflen > GCRY_XTS_BLOCK_LEN);
130	0	gcry_assert (inbuflen < GCRY_XTS_BLOCK_LEN * 2);
131
132		/* Generate last tweak. */
133	0	xts_gfmul_byA (tmp.x1, c->u_ctr.ctr);
134
135		/* Decrypt last block first. */
136	0	cipher_block_xor (outbuf, inbuf, tmp.x64, GCRY_XTS_BLOCK_LEN);
137	0	nburn = crypt_fn (&c->context.c, outbuf, outbuf);
138	0	burn = nburn > burn ? nburn : burn;
139	0	cipher_block_xor (outbuf, outbuf, tmp.x64, GCRY_XTS_BLOCK_LEN);
140
141	0	inbuflen -= GCRY_XTS_BLOCK_LEN;
142	0	inbuf += GCRY_XTS_BLOCK_LEN;
143	0	outbuf += GCRY_XTS_BLOCK_LEN;
144	0	}
145
146	0	gcry_assert (inbuflen < GCRY_XTS_BLOCK_LEN);
147	0	outbuf -= GCRY_XTS_BLOCK_LEN;
148
149		/* Steal ciphertext from previous block. */
150	0	cipher_block_cpy (tmp.x64, outbuf, GCRY_XTS_BLOCK_LEN);
151	0	buf_cpy (tmp.x64, inbuf, inbuflen);
152	0	buf_cpy (outbuf + GCRY_XTS_BLOCK_LEN, outbuf, inbuflen);
153
154		/* Decrypt/Encrypt last block. */
155	0	cipher_block_xor (tmp.x64, tmp.x64, c->u_ctr.ctr, GCRY_XTS_BLOCK_LEN);
156	0	nburn = crypt_fn (&c->context.c, tmp.x1, tmp.x1);
157	0	burn = nburn > burn ? nburn : burn;
158	0	cipher_block_xor (outbuf, tmp.x64, c->u_ctr.ctr, GCRY_XTS_BLOCK_LEN);
159	0	}
160
161		/* Auto-increment data-unit sequence number */
162	0	xts_inc128 (c->u_iv.iv);
163
164	0	wipememory (&tmp, sizeof(tmp));
165	0	wipememory (c->u_ctr.ctr, sizeof(c->u_ctr.ctr));
166
167	0	if (burn > 0)
168	0	_gcry_burn_stack (burn + 4 * sizeof(void *));
169
170	0	return 0;
171	0	}
172
173
174		gcry_err_code_t
175		_gcry_cipher_xts_encrypt (gcry_cipher_hd_t c,
176		unsigned char *outbuf, size_t outbuflen,
177		const unsigned char *inbuf, size_t inbuflen)
178	0	{
179	0	return _gcry_cipher_xts_crypt (c, outbuf, outbuflen, inbuf, inbuflen, 1);
180	0	}
181
182
183		gcry_err_code_t
184		_gcry_cipher_xts_decrypt (gcry_cipher_hd_t c,
185		unsigned char *outbuf, size_t outbuflen,
186		const unsigned char *inbuf, size_t inbuflen)
187	0	{
188	0	return _gcry_cipher_xts_crypt (c, outbuf, outbuflen, inbuf, inbuflen, 0);
189	0	}

Coverage Report

Created: 2022-12-08 06:10