Implement AES-XTS mode

XTS mode is fully known as "xor-encrypt-xor with ciphertext-stealing". This is the generalization of the XEX mode. This implementation is limited to an 8-bits (1 byte) boundary, which doesn't seem to be what was thought considering some test vectors [1]. This commit comes with tests, extracted from [1], and benchmarks. Although, benchmarks aren't really nice here, as they work with a buffer of a multiple of 16 bytes, which isn't a challenge for XTS compared to XEX. [1] http://csrc.nist.gov/groups/STM/cavp/documents/aes/XTSTestVectors.zip
2025-12-27 01:36:59 +01:00 · 2016-06-09 23:22:58 +02:00 · 2016-06-09 23:22:58 +02:00 · 5f77801ac3
commit 5f77801ac3
parent 380162c34c
8 changed files with 4483 additions and 5 deletions
--- a/tests/suites/test_suite_aes.function
+++ b/tests/suites/test_suite_aes.function
@ -225,6 +225,80 @@ exit:
 }
 /* END_CASE */

+/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_XTS */
+void aes_encrypt_xts( char *hex_key_string, char *hex_iv_string,
+                      char *hex_src_string, char *hex_dst_string,
+                      int data_unit_len, int xts_result )
+{
+    unsigned char key_str[100] = { 0, };
+    unsigned char iv_str[100]  = { 0, };
+    unsigned char src_str[100] = { 0, };
+    unsigned char dst_str[100] = { 0, };
+    unsigned char output[100]  = { 0, };
+    mbedtls_aes_context crypt_ctx, tweak_ctx;
+    int key_len, data_len;
+
+    mbedtls_aes_init( &crypt_ctx );
+    mbedtls_aes_init( &tweak_ctx );
+
+    key_len = unhexify( key_str, hex_key_string );
+    unhexify( iv_str, hex_iv_string );
+    data_len = unhexify( src_str, hex_src_string );
+
+    mbedtls_aes_setkey_enc( &crypt_ctx, key_str,               ( key_len * 8 ) / 2 );
+    mbedtls_aes_setkey_enc( &tweak_ctx, key_str + key_len / 2, ( key_len * 8 ) / 2 );
+
+    TEST_ASSERT( mbedtls_aes_crypt_xts( &crypt_ctx, &tweak_ctx, MBEDTLS_AES_ENCRYPT, data_unit_len, iv_str, src_str, output ) == xts_result );
+    if( xts_result == 0 )
+    {
+        hexify( dst_str, output, data_len );
+
+        TEST_ASSERT( strcmp( (char *) dst_str, hex_dst_string ) == 0 );
+    }
+
+exit:
+    mbedtls_aes_free( &crypt_ctx );
+    mbedtls_aes_free( &tweak_ctx );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_XTS */
+void aes_decrypt_xts( char *hex_key_string, char *hex_iv_string,
+                      char *hex_src_string, char *hex_dst_string,
+                      int data_unit_len, int xts_result )
+{
+    unsigned char key_str[100] = { 0, };
+    unsigned char iv_str[100]  = { 0, };
+    unsigned char src_str[100] = { 0, };
+    unsigned char dst_str[100] = { 0, };
+    unsigned char output[100]  = { 0, };
+    mbedtls_aes_context crypt_ctx, tweak_ctx;
+    int key_len, data_len;
+
+    mbedtls_aes_init( &crypt_ctx );
+    mbedtls_aes_init( &tweak_ctx );
+
+    key_len = unhexify( key_str, hex_key_string );
+    unhexify( iv_str, hex_iv_string );
+    data_len = unhexify( src_str, hex_src_string );
+
+    mbedtls_aes_setkey_dec( &crypt_ctx, key_str,               ( key_len * 8 ) / 2 );
+    mbedtls_aes_setkey_enc( &tweak_ctx, key_str + key_len / 2, ( key_len * 8 ) / 2 );
+
+	TEST_ASSERT( mbedtls_aes_crypt_xts( &crypt_ctx, &tweak_ctx, MBEDTLS_AES_DECRYPT, data_unit_len, iv_str, src_str, output ) == xts_result );
+    if( xts_result == 0 )
+    {
+        hexify( dst_str, output, data_len );
+
+        TEST_ASSERT( strcmp( (char *) dst_str, hex_dst_string ) == 0 );
+    }
+
+exit:
+    mbedtls_aes_free( &crypt_ctx );
+    mbedtls_aes_free( &tweak_ctx );
+}
+/* END_CASE */
+
 /* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CFB */
 void aes_encrypt_cfb128( char *hex_key_string, char *hex_iv_string,
                         char *hex_src_string, char *hex_dst_string )