shithub: riscv

Download patch

ref: c021390e218066ca01828917dd940dff26ceff3b
parent: 77757dbdb197f09454c73e285439b810030b9414
author: cinap_lenrek <[email protected]>
date: Sun Oct 29 17:49:24 EDT 2017

libsec: rewrite aex_xts_encrypt()/aes_xts_decrypt()

the previous implementation was not portable at all, assuming
little endian in gf_mulx() and that one can cast unaligned
pointers to ulong in xor128(). also the error code is likely
to be ignored, so better abort() when the length is not a
multiple of the AES block size.

we also pass in full AESstate structures now instead of
the expanded key longs, so that we do not need to hardcode
the number of rounds. this allows each indiviaul keys to
be bigger than 128 bit.

--- a/sys/include/ape/libsec.h
+++ b/sys/include/ape/libsec.h
@@ -509,8 +509,8 @@
 PEMChain*readcertchain(char *filename);
 
 /* aes_xts.c */
-int aes_xts_encrypt(ulong tweak[], ulong ecb[], uvlong sectorNumber, uchar *input, uchar *output, ulong len) ;
-int aes_xts_decrypt(ulong tweak[], ulong ecb[], uvlong sectorNumber, uchar *input, uchar *output, ulong len);
+void aes_xts_encrypt(AESstate *tweak, AESstate *ecb, uvlong sectorNumber, uchar *input, uchar *output, ulong len);
+void aes_xts_decrypt(AESstate *tweak, AESstate *ecb, uvlong sectorNumber, uchar *input, uchar *output, ulong len);
 
 typedef struct ECpoint{
 	int inf;
--- a/sys/include/libsec.h
+++ b/sys/include/libsec.h
@@ -502,8 +502,8 @@
 PEMChain*readcertchain(char *filename);
 
 /* aes_xts.c */
-int aes_xts_encrypt(ulong tweak[], ulong ecb[], uvlong sectorNumber, uchar *input, uchar *output, ulong len) ;
-int aes_xts_decrypt(ulong tweak[], ulong ecb[], uvlong sectorNumber, uchar *input, uchar *output, ulong len);
+void aes_xts_encrypt(AESstate *tweak, AESstate *ecb, uvlong sectorNumber, uchar *input, uchar *output, ulong len);
+void aes_xts_decrypt(AESstate *tweak, AESstate *ecb, uvlong sectorNumber, uchar *input, uchar *output, ulong len);
 
 typedef struct ECpoint{
 	int inf;
--- a/sys/src/libsec/port/aes_xts.c
+++ b/sys/src/libsec/port/aes_xts.c
@@ -1,70 +1,83 @@
-// Author Taru Karttunen <[email protected]>
-// This file can be used as both Public Domain or Creative Commons CC0.
 #include "os.h"
 #include <libsec.h>
 
+/* little-endian data order */
+#define	GET4(p)		((p)[0]|((p)[1]<<8)|((p)[2]<<16)|((p)[3]<<24))
+#define	PUT4(p,v)	(p)[0]=(v);(p)[1]=(v)>>8;(p)[2]=(v)>>16;(p)[3]=(v)>>24
+
 static void
-xor128(uchar *o, uchar *i1, uchar *i2) {
-	((ulong*)o)[0] = ((ulong*)i1)[0] ^ ((ulong*)i2)[0];
-	((ulong*)o)[1] = ((ulong*)i1)[1] ^ ((ulong*)i2)[1];
-	((ulong*)o)[2] = ((ulong*)i1)[2] ^ ((ulong*)i2)[2];
-	((ulong*)o)[3] = ((ulong*)i1)[3] ^ ((ulong*)i2)[3];
+gf_mulx(uchar *x)
+{
+	ulong t0, t1, t2, t3, t4;
+
+	t0 = GET4(x);
+	t1 = GET4(x+4);
+	t2 = GET4(x+8);
+	t3 = GET4(x+12);
+
+	t4 =             (t3 >> 31);
+	t3 = (t3 << 1) | (t2 >> 31);
+	t2 = (t2 << 1) | (t1 >> 31);
+	t1 = (t1 << 1) | (t0 >> 31);
+	t0 = (t0 << 1) ^ (t4*135);
+
+	PUT4(x, t0);
+	PUT4(x+4, t1);
+	PUT4(x+8, t2);
+	PUT4(x+12, t3);
 }
 
 static void
-gf_mulx(uchar *x) {
-    ulong t = ((((ulong*)(x))[3] & 0x80000000u) ? 0x00000087u : 0);;
-    ((ulong*)(x))[3] = (((ulong*)(x))[3] << 1) | (((ulong*)(x))[2] & 0x80000000u ? 1 : 0);
-    ((ulong*)(x))[2] = (((ulong*)(x))[2] << 1) | (((ulong*)(x))[1] & 0x80000000u ? 1 : 0);
-    ((ulong*)(x))[1] = (((ulong*)(x))[1] << 1) | (((ulong*)(x))[0] & 0x80000000u ? 1 : 0);
-    ((ulong*)(x))[0] = (((ulong*)(x))[0] << 1) ^ t;
+xor128(uchar *o, uchar *i1, uchar *i2)
+{
+	int i;
 
+	for(i=0; i<16; i++)
+		o[i] = i1[i] ^ i2[i];
 }
 
-int
-aes_xts_encrypt(ulong tweak[], ulong ecb[], uvlong sectorNumber, uchar *input, uchar *output, ulong len) {
-	uchar T[16], x[16];
-	int i;
-	
-	if(len % 16 != 0)
-		return -1;
+static void
+setupT(AESstate *tweak, uvlong sectorNumber, uchar T[AESbsize])
+{
+	PUT4(T+0, (ulong)sectorNumber), sectorNumber >>= 32;
+	PUT4(T+4, (ulong)sectorNumber);
+	PUT4(T+8, 0);
+	PUT4(T+12, 0);
+	aes_encrypt(tweak->ekey, tweak->rounds, T, T);
+}
 
-	for(i=0; i<AESbsize; i++) {
-		T[i] = (uchar)(sectorNumber & 0xFF);
-		sectorNumber = sectorNumber >> 8;
-	}
+void
+aes_xts_encrypt(AESstate *tweak, AESstate *ecb,
+	uvlong sectorNumber, uchar *input, uchar *output, ulong len)
+{
+	uchar T[AESbsize], x[AESbsize];
 	
-	aes_encrypt(tweak, 10, T, T);
+	if(len % AESbsize)
+		abort();
 
-	for (i=0; i<len; i+=AESbsize) {
-		xor128(&x[0], &input[i], &T[0]);
-		aes_encrypt(ecb, 10, x, x);
-		xor128(&output[i], &x[0], &T[0]);
-		gf_mulx(&T[0]);
+	setupT(tweak, sectorNumber, T);
+	for (; len > 0; len -= AESbsize, input += AESbsize, output += AESbsize) {
+		xor128(x, input, T);
+		aes_encrypt(ecb->ekey, ecb->rounds, x, x);
+		xor128(output, x, T);
+		gf_mulx(T);
 	}
-	return 0;
 }
 
-int
-aes_xts_decrypt(ulong tweak[], ulong ecb[], uvlong sectorNumber, uchar *input, uchar *output, ulong len) {
-	uchar T[16], x[16];
-	int i;
+void
+aes_xts_decrypt(AESstate *tweak, AESstate *ecb,
+	uvlong sectorNumber, uchar *input, uchar *output, ulong len)
+{
+	uchar T[AESbsize], x[AESbsize];
 	
-	if(len % 16 != 0)
-		return -1;
+	if(len % AESbsize)
+		abort();
 
-	for(i=0; i<AESbsize; i++) {
-		T[i] = (uchar)(sectorNumber & 0xFF);
-		sectorNumber = sectorNumber >> 8;
+	setupT(tweak, sectorNumber, T);
+	for (; len > 0; len -= AESbsize, input += AESbsize, output += AESbsize) {
+		xor128(x, input, T);
+		aes_decrypt(ecb->dkey, ecb->rounds, x, x);
+		xor128(output, x, T);
+		gf_mulx(T);
 	}
-	
-	aes_encrypt(tweak, 10, T, T);
-
-	for (i=0; i<len; i+=AESbsize) {
-		xor128(&x[0], &input[i], &T[0]);
-		aes_decrypt(ecb, 10, x, x);
-		xor128(&output[i], &x[0], &T[0]);
-		gf_mulx(&T[0]);
-	}
-	return 0;
 }