提交 32a2d8dd 编写于 作者: D Dr. Stephen Henson

Provisional AES XTS support.

上级 4bd1e895
...@@ -4,6 +4,11 @@ ...@@ -4,6 +4,11 @@
Changes between 1.0.1 and 1.1.0 [xx XXX xxxx] Changes between 1.0.1 and 1.1.0 [xx XXX xxxx]
*) Provisional XTS support. Note: this does increase the maximum key
length from 32 to 64 bytes but there should be no binary compatibility
issues as existing applications will never use XTS mode.
[Steve Henson]
*) Extensive reorganisation of FIPS PRNG behaviour. Remove all dependencies *) Extensive reorganisation of FIPS PRNG behaviour. Remove all dependencies
to OpenSSL RAND code and replace with a tiny FIPS RAND API which also to OpenSSL RAND code and replace with a tiny FIPS RAND API which also
performs algorithm blocking for unapproved PRNG types. Also do not performs algorithm blocking for unapproved PRNG types. Also do not
......
...@@ -459,4 +459,103 @@ static const EVP_CIPHER aes_256_gcm_cipher= ...@@ -459,4 +459,103 @@ static const EVP_CIPHER aes_256_gcm_cipher=
const EVP_CIPHER *EVP_aes_256_gcm (void) const EVP_CIPHER *EVP_aes_256_gcm (void)
{ return &aes_256_gcm_cipher; } { return &aes_256_gcm_cipher; }
typedef struct
{
/* AES key schedules to use */
AES_KEY ks1, ks2;
XTS128_CONTEXT xts;
} EVP_AES_XTS_CTX;
static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
{
EVP_AES_XTS_CTX *xctx = c->cipher_data;
if (type != EVP_CTRL_INIT)
return -1;
/* key1 and key2 are used as an indicator both key and IV are set */
xctx->xts.key1 = NULL;
xctx->xts.key2 = NULL;
xctx->xts.block1 = (block128_f)AES_encrypt;
xctx->xts.block2 = (block128_f)AES_encrypt;
return 1;
}
static int aes_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
const unsigned char *iv, int enc)
{
EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
if (!iv && !key)
return 1;
if (key)
{
AES_set_encrypt_key(key, ctx->key_len * 8, &xctx->ks1);
AES_set_encrypt_key(key + ctx->key_len, ctx->key_len * 8,
&xctx->ks2);
xctx->xts.key1 = &xctx->ks1;
xctx->xts.block1 = (block128_f)AES_encrypt;
xctx->xts.block2 = (block128_f)AES_encrypt;
}
if (iv)
{
xctx->xts.key2 = &xctx->ks2;
memcpy(ctx->iv, iv, 16);
}
return 1;
}
static int aes_xts(EVP_CIPHER_CTX *ctx, unsigned char *out,
const unsigned char *in, size_t len)
{
EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
if (!xctx->xts.key1 || !xctx->xts.key2)
return -1;
if (!out || !in)
return -1;
if (CRYPTO_xts128_encrypt(&xctx->xts, ctx->iv, in, out, len,
ctx->encrypt))
return -1;
return len;
}
static const EVP_CIPHER aes_128_xts_cipher=
{
NID_aes_128_xts,16,32,16,
EVP_CIPH_XTS_MODE|EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1
| EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER
| EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT,
aes_xts_init_key,
aes_xts,
0,
sizeof(EVP_AES_XTS_CTX),
NULL,
NULL,
aes_xts_ctrl,
NULL
};
const EVP_CIPHER *EVP_aes_128_xts (void)
{ return &aes_128_xts_cipher; }
static const EVP_CIPHER aes_256_xts_cipher=
{
NID_aes_256_xts,16,64,16,
EVP_CIPH_XTS_MODE|EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1
| EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER
| EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT,
aes_xts_init_key,
aes_xts,
0,
sizeof(EVP_AES_XTS_CTX),
NULL,
NULL,
aes_xts_ctrl,
NULL
};
const EVP_CIPHER *EVP_aes_256_xts (void)
{ return &aes_256_xts_cipher; }
#endif #endif
...@@ -83,7 +83,7 @@ ...@@ -83,7 +83,7 @@
#define EVP_RC5_32_12_16_KEY_SIZE 16 #define EVP_RC5_32_12_16_KEY_SIZE 16
*/ */
#define EVP_MAX_MD_SIZE 64 /* longest known is SHA512 */ #define EVP_MAX_MD_SIZE 64 /* longest known is SHA512 */
#define EVP_MAX_KEY_LENGTH 32 #define EVP_MAX_KEY_LENGTH 64
#define EVP_MAX_IV_LENGTH 16 #define EVP_MAX_IV_LENGTH 16
#define EVP_MAX_BLOCK_LENGTH 32 #define EVP_MAX_BLOCK_LENGTH 32
...@@ -330,6 +330,8 @@ struct evp_cipher_st ...@@ -330,6 +330,8 @@ struct evp_cipher_st
#define EVP_CIPH_OFB_MODE 0x4 #define EVP_CIPH_OFB_MODE 0x4
#define EVP_CIPH_CTR_MODE 0x5 #define EVP_CIPH_CTR_MODE 0x5
#define EVP_CIPH_GCM_MODE 0x6 #define EVP_CIPH_GCM_MODE 0x6
#define EVP_CIPH_CCM_MODE 0x7
#define EVP_CIPH_XTS_MODE 0x10001
#define EVP_CIPH_MODE 0xF0007 #define EVP_CIPH_MODE 0xF0007
/* Set if variable length cipher */ /* Set if variable length cipher */
#define EVP_CIPH_VARIABLE_LENGTH 0x8 #define EVP_CIPH_VARIABLE_LENGTH 0x8
...@@ -788,6 +790,7 @@ const EVP_CIPHER *EVP_aes_128_cfb128(void); ...@@ -788,6 +790,7 @@ const EVP_CIPHER *EVP_aes_128_cfb128(void);
const EVP_CIPHER *EVP_aes_128_ofb(void); const EVP_CIPHER *EVP_aes_128_ofb(void);
const EVP_CIPHER *EVP_aes_128_ctr(void); const EVP_CIPHER *EVP_aes_128_ctr(void);
const EVP_CIPHER *EVP_aes_128_gcm(void); const EVP_CIPHER *EVP_aes_128_gcm(void);
const EVP_CIPHER *EVP_aes_128_xts(void);
const EVP_CIPHER *EVP_aes_192_ecb(void); const EVP_CIPHER *EVP_aes_192_ecb(void);
const EVP_CIPHER *EVP_aes_192_cbc(void); const EVP_CIPHER *EVP_aes_192_cbc(void);
const EVP_CIPHER *EVP_aes_192_cfb1(void); const EVP_CIPHER *EVP_aes_192_cfb1(void);
...@@ -806,6 +809,7 @@ const EVP_CIPHER *EVP_aes_256_cfb128(void); ...@@ -806,6 +809,7 @@ const EVP_CIPHER *EVP_aes_256_cfb128(void);
const EVP_CIPHER *EVP_aes_256_ofb(void); const EVP_CIPHER *EVP_aes_256_ofb(void);
const EVP_CIPHER *EVP_aes_256_ctr(void); const EVP_CIPHER *EVP_aes_256_ctr(void);
const EVP_CIPHER *EVP_aes_256_gcm(void); const EVP_CIPHER *EVP_aes_256_gcm(void);
const EVP_CIPHER *EVP_aes_256_xts(void);
#endif #endif
#ifndef OPENSSL_NO_CAMELLIA #ifndef OPENSSL_NO_CAMELLIA
const EVP_CIPHER *EVP_camellia_128_ecb(void); const EVP_CIPHER *EVP_camellia_128_ecb(void);
......
...@@ -21,9 +21,9 @@ TEST= ...@@ -21,9 +21,9 @@ TEST=
APPS= APPS=
LIB=$(TOP)/libcrypto.a LIB=$(TOP)/libcrypto.a
LIBSRC= cbc128.c ctr128.c cts128.c cfb128.c ofb128.c gcm128.c LIBSRC= cbc128.c ctr128.c cts128.c cfb128.c ofb128.c gcm128.c xts128.c
LIBOBJ= cbc128.o ctr128.o cts128.o cfb128.o ofb128.o gcm128.o \ LIBOBJ= cbc128.o ctr128.o cts128.o cfb128.o ofb128.o gcm128.o \
$(MODES_ASM_OBJ) xts128.o $(MODES_ASM_OBJ)
SRC= $(LIBSRC) SRC= $(LIBSRC)
......
...@@ -104,3 +104,9 @@ int CRYPTO_gcm128_finish(GCM128_CONTEXT *ctx,const unsigned char *tag, ...@@ -104,3 +104,9 @@ int CRYPTO_gcm128_finish(GCM128_CONTEXT *ctx,const unsigned char *tag,
size_t len); size_t len);
void CRYPTO_gcm128_tag(GCM128_CONTEXT *ctx, unsigned char *tag, size_t len); void CRYPTO_gcm128_tag(GCM128_CONTEXT *ctx, unsigned char *tag, size_t len);
void CRYPTO_gcm128_release(GCM128_CONTEXT *ctx); void CRYPTO_gcm128_release(GCM128_CONTEXT *ctx);
typedef struct xts128_context XTS128_CONTEXT;
int CRYPTO_xts128_encrypt(const XTS128_CONTEXT *ctx, const unsigned char *iv,
const unsigned char *inp, unsigned char *out,
size_t len, int enc);
...@@ -116,3 +116,9 @@ struct gcm128_context { ...@@ -116,3 +116,9 @@ struct gcm128_context {
block128_f block; block128_f block;
void *key; void *key;
}; };
struct xts128_context {
void *key1, *key2;
block128_f block1,block2;
};
...@@ -58,12 +58,7 @@ ...@@ -58,12 +58,7 @@
#endif #endif
#include <assert.h> #include <assert.h>
typedef struct { int CRYPTO_xts128_encrypt(const XTS128_CONTEXT *ctx, const unsigned char *iv,
void *key1, *key2;
block128_f block1,block2;
} XTS128_CONTEXT;
int CRYPTO_xts128_encrypt(const XTS128_CONTEXT *ctx, u64 secno,
const unsigned char *inp, unsigned char *out, const unsigned char *inp, unsigned char *out,
size_t len, int enc) size_t len, int enc)
{ {
...@@ -73,15 +68,7 @@ int CRYPTO_xts128_encrypt(const XTS128_CONTEXT *ctx, u64 secno, ...@@ -73,15 +68,7 @@ int CRYPTO_xts128_encrypt(const XTS128_CONTEXT *ctx, u64 secno,
if (len<16) return -1; if (len<16) return -1;
if (is_endian.little) { memcpy(tweak.c, iv, 16);
tweak.u[0] = secno;
tweak.u[1] = 0;
}
else {
PUTU32(tweak.c,secno);
PUTU32(tweak.c+4,secno>>32);
tweak.u[1] = 0;
}
(*ctx->block2)(tweak.c,tweak.c,ctx->key2); (*ctx->block2)(tweak.c,tweak.c,ctx->key2);
......
...@@ -62,9 +62,9 @@ ...@@ -62,9 +62,9 @@
* [including the GNU Public Licence.] * [including the GNU Public Licence.]
*/ */
#define NUM_NID 913 #define NUM_NID 915
#define NUM_SN 906 #define NUM_SN 908
#define NUM_LN 906 #define NUM_LN 908
#define NUM_OBJ 856 #define NUM_OBJ 856
static const unsigned char lvalues[5971]={ static const unsigned char lvalues[5971]={
...@@ -2395,6 +2395,8 @@ static const ASN1_OBJECT nid_objs[NUM_NID]={ ...@@ -2395,6 +2395,8 @@ static const ASN1_OBJECT nid_objs[NUM_NID]={
NID_anyExtendedKeyUsage,4,&(lvalues[5948]),0}, NID_anyExtendedKeyUsage,4,&(lvalues[5948]),0},
{"MGF1","mgf1",NID_mgf1,9,&(lvalues[5952]),0}, {"MGF1","mgf1",NID_mgf1,9,&(lvalues[5952]),0},
{"RSASSA-PSS","rsassaPss",NID_rsassaPss,9,&(lvalues[5961]),0}, {"RSASSA-PSS","rsassaPss",NID_rsassaPss,9,&(lvalues[5961]),0},
{"AES-128-XTS","aes-128-xts",NID_aes_128_xts,0,NULL,0},
{"AES-256-XTS","aes-256-xts",NID_aes_256_xts,0,NULL,0},
}; };
static const unsigned int sn_objs[NUM_SN]={ static const unsigned int sn_objs[NUM_SN]={
...@@ -2406,6 +2408,7 @@ static const unsigned int sn_objs[NUM_SN]={ ...@@ -2406,6 +2408,7 @@ static const unsigned int sn_objs[NUM_SN]={
904, /* "AES-128-CTR" */ 904, /* "AES-128-CTR" */
418, /* "AES-128-ECB" */ 418, /* "AES-128-ECB" */
420, /* "AES-128-OFB" */ 420, /* "AES-128-OFB" */
913, /* "AES-128-XTS" */
423, /* "AES-192-CBC" */ 423, /* "AES-192-CBC" */
425, /* "AES-192-CFB" */ 425, /* "AES-192-CFB" */
651, /* "AES-192-CFB1" */ 651, /* "AES-192-CFB1" */
...@@ -2420,6 +2423,7 @@ static const unsigned int sn_objs[NUM_SN]={ ...@@ -2420,6 +2423,7 @@ static const unsigned int sn_objs[NUM_SN]={
906, /* "AES-256-CTR" */ 906, /* "AES-256-CTR" */
426, /* "AES-256-ECB" */ 426, /* "AES-256-ECB" */
428, /* "AES-256-OFB" */ 428, /* "AES-256-OFB" */
914, /* "AES-256-XTS" */
91, /* "BF-CBC" */ 91, /* "BF-CBC" */
93, /* "BF-CFB" */ 93, /* "BF-CFB" */
92, /* "BF-ECB" */ 92, /* "BF-ECB" */
...@@ -3459,6 +3463,7 @@ static const unsigned int ln_objs[NUM_LN]={ ...@@ -3459,6 +3463,7 @@ static const unsigned int ln_objs[NUM_LN]={
418, /* "aes-128-ecb" */ 418, /* "aes-128-ecb" */
895, /* "aes-128-gcm" */ 895, /* "aes-128-gcm" */
420, /* "aes-128-ofb" */ 420, /* "aes-128-ofb" */
913, /* "aes-128-xts" */
423, /* "aes-192-cbc" */ 423, /* "aes-192-cbc" */
899, /* "aes-192-ccm" */ 899, /* "aes-192-ccm" */
425, /* "aes-192-cfb" */ 425, /* "aes-192-cfb" */
...@@ -3477,6 +3482,7 @@ static const unsigned int ln_objs[NUM_LN]={ ...@@ -3477,6 +3482,7 @@ static const unsigned int ln_objs[NUM_LN]={
426, /* "aes-256-ecb" */ 426, /* "aes-256-ecb" */
901, /* "aes-256-gcm" */ 901, /* "aes-256-gcm" */
428, /* "aes-256-ofb" */ 428, /* "aes-256-ofb" */
914, /* "aes-256-xts" */
376, /* "algorithm" */ 376, /* "algorithm" */
484, /* "associatedDomain" */ 484, /* "associatedDomain" */
485, /* "associatedName" */ 485, /* "associatedName" */
......
...@@ -2735,6 +2735,14 @@ ...@@ -2735,6 +2735,14 @@
#define LN_aes_256_ctr "aes-256-ctr" #define LN_aes_256_ctr "aes-256-ctr"
#define NID_aes_256_ctr 906 #define NID_aes_256_ctr 906
#define SN_aes_128_xts "AES-128-XTS"
#define LN_aes_128_xts "aes-128-xts"
#define NID_aes_128_xts 913
#define SN_aes_256_xts "AES-256-XTS"
#define LN_aes_256_xts "aes-256-xts"
#define NID_aes_256_xts 914
#define SN_des_cfb1 "DES-CFB1" #define SN_des_cfb1 "DES-CFB1"
#define LN_des_cfb1 "des-cfb1" #define LN_des_cfb1 "des-cfb1"
#define NID_des_cfb1 656 #define NID_des_cfb1 656
......
...@@ -910,3 +910,5 @@ id_camellia256_wrap 909 ...@@ -910,3 +910,5 @@ id_camellia256_wrap 909
anyExtendedKeyUsage 910 anyExtendedKeyUsage 910
mgf1 911 mgf1 911
rsassaPss 912 rsassaPss 912
aes_128_xts 913
aes_256_xts 914
...@@ -892,6 +892,8 @@ aes 48 : id-aes256-wrap-pad ...@@ -892,6 +892,8 @@ aes 48 : id-aes256-wrap-pad
: AES-128-CTR : aes-128-ctr : AES-128-CTR : aes-128-ctr
: AES-192-CTR : aes-192-ctr : AES-192-CTR : aes-192-ctr
: AES-256-CTR : aes-256-ctr : AES-256-CTR : aes-256-ctr
: AES-128-XTS : aes-128-xts
: AES-256-XTS : aes-256-xts
: DES-CFB1 : des-cfb1 : DES-CFB1 : des-cfb1
: DES-CFB8 : des-cfb8 : DES-CFB8 : des-cfb8
: DES-EDE3-CFB1 : des-ede3-cfb1 : DES-EDE3-CFB1 : des-ede3-cfb1
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册