Home Explore Help
Register Sign In
packages
/
crypto
0
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: a57398324d
Branches Tags
crypto
/
xts
/
xts.go

xts.go 4.8 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147 
  1. // Copyright 2012 The Go Authors. All rights reserved.
    2. 

  2. // Use of this source code is governed by a BSD-style
    3. 

  3. // license that can be found in the LICENSE file.
    4. 

  4. 

  5. // Package xts implements the XTS cipher mode as specified in IEEE P1619/D16.
    6. 

  6. //
    7. 

  7. // XTS mode is typically used for disk encryption, which presents a number of
    8. 

  8. // novel problems that make more common modes inapplicable. The disk is
    9. 

  9. // conceptually an array of sectors and we must be able to encrypt and decrypt
    10. 

  10. // a sector in isolation. However, an attacker must not be able to transpose
    11. 

  11. // two sectors of plaintext by transposing their ciphertext.
    12. 

  12. //
    13. 

  13. // XTS wraps a block cipher with Rogaway's XEX mode in order to build a
    14. 

  14. // tweakable block cipher. This allows each sector to have a unique tweak and
    15. 

  15. // effectively create a unique key for each sector.
    16. 

  16. //
    17. 

  17. // XTS does not provide any authentication. An attacker can manipulate the
    18. 

  18. // ciphertext and randomise a block (16 bytes) of the plaintext. This package
    19. 

  19. // does not implement ciphertext-stealing so sectors must be a multiple of 16
    20. 

  20. // bytes.
    21. 

  21. //
    22. 

  22. // Note that XTS is usually not appropriate for any use besides disk encryption.
    23. 

  23. // Most users should use an AEAD mode like GCM (from crypto/cipher.NewGCM) instead.
    24. 

  24. package xts // import "golang.org/x/crypto/xts"
    25. 

  25. 

  26. import (
    27. 

  27. 	"crypto/cipher"
    28. 

  28. 	"encoding/binary"
    29. 

  29. 	"errors"
    30. 

  30. 

  31. 	"golang.org/x/crypto/internal/subtle"
    32. 

  32. )
    33. 

  33. 

  34. // Cipher contains an expanded key structure. It doesn't contain mutable state
    35. 

  35. // and therefore can be used concurrently.
    36. 

  36. type Cipher struct {
    37. 

  37. 	k1, k2 cipher.Block
    38. 

  38. }
    39. 

  39. 

  40. // blockSize is the block size that the underlying cipher must have. XTS is
    41. 

  41. // only defined for 16-byte ciphers.
    42. 

  42. const blockSize = 16
    43. 

  43. 

  44. // NewCipher creates a Cipher given a function for creating the underlying
    45. 

  45. // block cipher (which must have a block size of 16 bytes). The key must be
    46. 

  46. // twice the length of the underlying cipher's key.
    47. 

  47. func NewCipher(cipherFunc func([]byte) (cipher.Block, error), key []byte) (c *Cipher, err error) {
    48. 

  48. 	c = new(Cipher)
    49. 

  49. 	if c.k1, err = cipherFunc(key[:len(key)/2]); err != nil {
    50. 

  50. 		return
    51. 

  51. 	}
    52. 

  52. 	c.k2, err = cipherFunc(key[len(key)/2:])
    53. 

  53. 

  54. 	if c.k1.BlockSize() != blockSize {
    55. 

  55. 		err = errors.New("xts: cipher does not have a block size of 16")
    56. 

  56. 	}
    57. 

  57. 

  58. 	return
    59. 

  59. }
    60. 

  60. 

  61. // Encrypt encrypts a sector of plaintext and puts the result into ciphertext.
    62. 

  62. // Plaintext and ciphertext must overlap entirely or not at all.
    63. 

  63. // Sectors must be a multiple of 16 bytes and less than 2²⁴ bytes.
    64. 

  64. func (c *Cipher) Encrypt(ciphertext, plaintext []byte, sectorNum uint64) {
    65. 

  65. 	if len(ciphertext) < len(plaintext) {
    66. 

  66. 		panic("xts: ciphertext is smaller than plaintext")
    67. 

  67. 	}
    68. 

  68. 	if len(plaintext)%blockSize != 0 {
    69. 

  69. 		panic("xts: plaintext is not a multiple of the block size")
    70. 

  70. 	}
    71. 

  71. 	if subtle.InexactOverlap(ciphertext[:len(plaintext)], plaintext) {
    72. 

  72. 		panic("xts: invalid buffer overlap")
    73. 

  73. 	}
    74. 

  74. 

  75. 	var tweak [blockSize]byte
    76. 

  76. 	binary.LittleEndian.PutUint64(tweak[:8], sectorNum)
    77. 

  77. 

  78. 	c.k2.Encrypt(tweak[:], tweak[:])
    79. 

  79. 

  80. 	for len(plaintext) > 0 {
    81. 

  81. 		for j := range tweak {
    82. 

  82. 			ciphertext[j] = plaintext[j] ^ tweak[j]
    83. 

  83. 		}
    84. 

  84. 		c.k1.Encrypt(ciphertext, ciphertext)
    85. 

  85. 		for j := range tweak {
    86. 

  86. 			ciphertext[j] ^= tweak[j]
    87. 

  87. 		}
    88. 

  88. 		plaintext = plaintext[blockSize:]
    89. 

  89. 		ciphertext = ciphertext[blockSize:]
    90. 

  90. 

  91. 		mul2(&tweak)
    92. 

  92. 	}
    93. 

  93. }
    94. 

  94. 

  95. // Decrypt decrypts a sector of ciphertext and puts the result into plaintext.
    96. 

  96. // Plaintext and ciphertext must overlap entirely or not at all.
    97. 

  97. // Sectors must be a multiple of 16 bytes and less than 2²⁴ bytes.
    98. 

  98. func (c *Cipher) Decrypt(plaintext, ciphertext []byte, sectorNum uint64) {
    99. 

  99. 	if len(plaintext) < len(ciphertext) {
    100. 

  100. 		panic("xts: plaintext is smaller than ciphertext")
    101. 

  101. 	}
    102. 

  102. 	if len(ciphertext)%blockSize != 0 {
    103. 

  103. 		panic("xts: ciphertext is not a multiple of the block size")
    104. 

  104. 	}
    105. 

  105. 	if subtle.InexactOverlap(plaintext[:len(ciphertext)], ciphertext) {
    106. 

  106. 		panic("xts: invalid buffer overlap")
    107. 

  107. 	}
    108. 

  108. 

  109. 	var tweak [blockSize]byte
    110. 

  110. 	binary.LittleEndian.PutUint64(tweak[:8], sectorNum)
    111. 

  111. 

  112. 	c.k2.Encrypt(tweak[:], tweak[:])
    113. 

  113. 

  114. 	for len(ciphertext) > 0 {
    115. 

  115. 		for j := range tweak {
    116. 

  116. 			plaintext[j] = ciphertext[j] ^ tweak[j]
    117. 

  117. 		}
    118. 

  118. 		c.k1.Decrypt(plaintext, plaintext)
    119. 

  119. 		for j := range tweak {
    120. 

  120. 			plaintext[j] ^= tweak[j]
    121. 

  121. 		}
    122. 

  122. 		plaintext = plaintext[blockSize:]
    123. 

  123. 		ciphertext = ciphertext[blockSize:]
    124. 

  124. 

  125. 		mul2(&tweak)
    126. 

  126. 	}
    127. 

  127. }
    128. 

  128. 

  129. // mul2 multiplies tweak by 2 in GF(2¹²⁸) with an irreducible polynomial of
    130. 

  130. // x¹²⁸ + x⁷ + x² + x + 1.
    131. 

  131. func mul2(tweak *[blockSize]byte) {
    132. 

  132. 	var carryIn byte
    133. 

  133. 	for j := range tweak {
    134. 

  134. 		carryOut := tweak[j] >> 7
    135. 

  135. 		tweak[j] = (tweak[j] << 1) + carryIn
    136. 

  136. 		carryIn = carryOut
    137. 

  137. 	}
    138. 

  138. 	if carryIn != 0 {
    139. 

  139. 		// If we have a carry bit then we need to subtract a multiple
    140. 

  140. 		// of the irreducible polynomial (x¹²⁸ + x⁷ + x² + x + 1).
    141. 

  141. 		// By dropping the carry bit, we're subtracting the x^128 term
    142. 

  142. 		// so all that remains is to subtract x⁷ + x² + x + 1.
    143. 

  143. 		// Subtraction (and addition) in this representation is just
    144. 

  144. 		// XOR.
    145. 

  145. 		tweak[0] ^= 1<<7 | 1<<2 | 1<<1 | 1
    146. 

  146. 	}
    147. 

  147. }
    148.