|
|
@@ -0,0 +1,138 @@
|
|
|
+// Copyright 2012 The Go Authors. All rights reserved.
|
|
|
+// Use of this source code is governed by a BSD-style
|
|
|
+// license that can be found in the LICENSE file.
|
|
|
+
|
|
|
+// Package xts implements the XTS cipher mode as specified in IEEE P1619/D16.
|
|
|
+//
|
|
|
+// XTS mode is typically used for disk encryption, which presents a number of
|
|
|
+// novel problems that make more common modes inapplicable. The disk is
|
|
|
+// conceptually an array of sectors and we must be able to encrypt and decrypt
|
|
|
+// a sector in isolation. However, an attacker must not be able to transpose
|
|
|
+// two sectors of plaintext by transposing their ciphertext.
|
|
|
+//
|
|
|
+// XTS wraps a block cipher with Rogaway's XEX mode in order to build a
|
|
|
+// tweakable block cipher. This allows each sector to have a unique tweak and
|
|
|
+// effectively create a unique key for each sector.
|
|
|
+//
|
|
|
+// XTS does not provide any authentication. An attacker can manipulate the
|
|
|
+// ciphertext and randomise a block (16 bytes) of the plaintext.
|
|
|
+//
|
|
|
+// (Note: this package does not implement ciphertext-stealing so sectors must
|
|
|
+// be a multiple of 16 bytes.)
|
|
|
+package xts
|
|
|
+
|
|
|
+import (
|
|
|
+ "crypto/cipher"
|
|
|
+ "errors"
|
|
|
+)
|
|
|
+
|
|
|
+// Cipher contains an expanded key structure. It doesn't contain mutable state
|
|
|
+// and therefore can be used concurrently.
|
|
|
+type Cipher struct {
|
|
|
+ k1, k2 cipher.Block
|
|
|
+}
|
|
|
+
|
|
|
+// blockSize is the block size that the underlying cipher must have. XTS is
|
|
|
+// only defined for 16-byte ciphers.
|
|
|
+const blockSize = 16
|
|
|
+
|
|
|
+// NewCipher creates a Cipher given a function for creating the underlying
|
|
|
+// block cipher (which must have a block size of 16 bytes). The key must be
|
|
|
+// twice the length of the underlying cipher's key.
|
|
|
+func NewCipher(cipherFunc func([]byte) (cipher.Block, error), key []byte) (c *Cipher, err error) {
|
|
|
+ c = new(Cipher)
|
|
|
+ if c.k1, err = cipherFunc(key[:len(key)/2]); err != nil {
|
|
|
+ return
|
|
|
+ }
|
|
|
+ c.k2, err = cipherFunc(key[len(key)/2:])
|
|
|
+
|
|
|
+ if c.k1.BlockSize() != blockSize {
|
|
|
+ err = errors.New("xts: cipher does not have a block size of 16")
|
|
|
+ }
|
|
|
+
|
|
|
+ return
|
|
|
+}
|
|
|
+
|
|
|
+// Encrypt encrypts a sector of plaintext and puts the result into ciphertext.
|
|
|
+// Plaintext and ciphertext may be the same slice but should not overlap.
|
|
|
+// Sectors must be a multiple of 16 bytes and less than 2²⁴ bytes.
|
|
|
+func (c *Cipher) Encrypt(ciphertext, plaintext []byte, sectorNum uint64) {
|
|
|
+ if len(ciphertext) < len(plaintext) {
|
|
|
+ panic("xts: ciphertext is smaller than plaintext")
|
|
|
+ }
|
|
|
+ if len(plaintext)%blockSize != 0 {
|
|
|
+ panic("xts: plaintext is not a multiple of the block size")
|
|
|
+ }
|
|
|
+
|
|
|
+ var tweak [blockSize]byte
|
|
|
+ for i := 0; i < 8; i++ {
|
|
|
+ tweak[i] = byte(sectorNum)
|
|
|
+ sectorNum >>= 8
|
|
|
+ }
|
|
|
+
|
|
|
+ c.k2.Encrypt(tweak[:], tweak[:])
|
|
|
+
|
|
|
+ for i := 0; i < len(plaintext); i += blockSize {
|
|
|
+ for j := 0; j < blockSize; j++ {
|
|
|
+ ciphertext[i+j] = plaintext[i+j] ^ tweak[j]
|
|
|
+ }
|
|
|
+ c.k1.Encrypt(ciphertext[i:], ciphertext[i:])
|
|
|
+ for j := 0; j < blockSize; j++ {
|
|
|
+ ciphertext[i+j] ^= tweak[j]
|
|
|
+ }
|
|
|
+
|
|
|
+ mul2(&tweak)
|
|
|
+ }
|
|
|
+}
|
|
|
+
|
|
|
+// Decrypt decrypts a sector of ciphertext and puts the result into plaintext.
|
|
|
+// Plaintext and ciphertext may be the same slice but should not overlap.
|
|
|
+// Sectors must be a multiple of 16 bytes and less than 2²⁴ bytes.
|
|
|
+func (c *Cipher) Decrypt(plaintext, ciphertext []byte, sectorNum uint64) {
|
|
|
+ if len(plaintext) < len(ciphertext) {
|
|
|
+ panic("xts: plaintext is smaller than ciphertext")
|
|
|
+ }
|
|
|
+ if len(ciphertext)%blockSize != 0 {
|
|
|
+ panic("xts: ciphertext is not a multiple of the block size")
|
|
|
+ }
|
|
|
+
|
|
|
+ var tweak [blockSize]byte
|
|
|
+ for i := 0; i < 8; i++ {
|
|
|
+ tweak[i] = byte(sectorNum)
|
|
|
+ sectorNum >>= 8
|
|
|
+ }
|
|
|
+
|
|
|
+ c.k2.Encrypt(tweak[:], tweak[:])
|
|
|
+
|
|
|
+ for i := 0; i < len(plaintext); i += blockSize {
|
|
|
+ for j := 0; j < blockSize; j++ {
|
|
|
+ plaintext[i+j] = ciphertext[i+j] ^ tweak[j]
|
|
|
+ }
|
|
|
+ c.k1.Decrypt(plaintext[i:], plaintext[i:])
|
|
|
+ for j := 0; j < blockSize; j++ {
|
|
|
+ plaintext[i+j] ^= tweak[j]
|
|
|
+ }
|
|
|
+
|
|
|
+ mul2(&tweak)
|
|
|
+ }
|
|
|
+}
|
|
|
+
|
|
|
+// mul2 multiplies tweak by 2 in GF(2¹²⁸) with an irreducible polynomial of
|
|
|
+// x¹²⁸ + x⁷ + x² + x + 1.
|
|
|
+func mul2(tweak *[blockSize]byte) {
|
|
|
+ var carryIn byte
|
|
|
+ for j := range tweak {
|
|
|
+ carryOut := tweak[j] >> 7
|
|
|
+ tweak[j] = (tweak[j] << 1) + carryIn
|
|
|
+ carryIn = carryOut
|
|
|
+ }
|
|
|
+ if carryIn != 0 {
|
|
|
+ // If we have a carry bit then we need to subtract a multiple
|
|
|
+ // of the irreducible polynomial (x¹²⁸ + x⁷ + x² + x + 1).
|
|
|
+ // By dropping the carry bit, we're subtracting the x^128 term
|
|
|
+ // so all that remains is to subtract x⁷ + x² + x + 1.
|
|
|
+ // Subtraction (and addition) in this representation is just
|
|
|
+ // XOR.
|
|
|
+ tweak[0] ^= 1<<7 | 1<<2 | 1<<1 | 1
|
|
|
+ }
|
|
|
+}
|
Adam Langley