1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26#include "qemu/osdep.h"
27#include "crypto/xts.h"
28
29static void xts_mult_x(uint8_t *I)
30{
31 int x;
32 uint8_t t, tt;
33
34 for (x = t = 0; x < 16; x++) {
35 tt = I[x] >> 7;
36 I[x] = ((I[x] << 1) | t) & 0xFF;
37 t = tt;
38 }
39 if (tt) {
40 I[0] ^= 0x87;
41 }
42}
43
44
45
46
47
48
49
50
51
52
53
54
55static void xts_tweak_decrypt(const void *ctx,
56 xts_cipher_func *func,
57 const uint8_t *src,
58 uint8_t *dst,
59 uint8_t *iv)
60{
61 unsigned long x;
62
63
64 for (x = 0; x < XTS_BLOCK_SIZE; x++) {
65 dst[x] = src[x] ^ iv[x];
66 }
67
68 func(ctx, XTS_BLOCK_SIZE, dst, dst);
69
70 for (x = 0; x < XTS_BLOCK_SIZE; x++) {
71 dst[x] = dst[x] ^ iv[x];
72 }
73
74
75 xts_mult_x(iv);
76}
77
78
79void xts_decrypt(const void *datactx,
80 const void *tweakctx,
81 xts_cipher_func *encfunc,
82 xts_cipher_func *decfunc,
83 uint8_t *iv,
84 size_t length,
85 uint8_t *dst,
86 const uint8_t *src)
87{
88 uint8_t PP[XTS_BLOCK_SIZE], CC[XTS_BLOCK_SIZE], T[XTS_BLOCK_SIZE];
89 unsigned long i, m, mo, lim;
90
91
92 m = length >> 4;
93 mo = length & 15;
94
95
96 g_assert(m != 0);
97
98 if (mo == 0) {
99 lim = m;
100 } else {
101 lim = m - 1;
102 }
103
104
105 encfunc(tweakctx, XTS_BLOCK_SIZE, T, iv);
106
107 for (i = 0; i < lim; i++) {
108 xts_tweak_decrypt(datactx, decfunc, src, dst, T);
109
110 src += XTS_BLOCK_SIZE;
111 dst += XTS_BLOCK_SIZE;
112 }
113
114
115 if (mo > 0) {
116 memcpy(CC, T, XTS_BLOCK_SIZE);
117 xts_mult_x(CC);
118
119
120 xts_tweak_decrypt(datactx, decfunc, src, PP, CC);
121
122
123 for (i = 0; i < mo; i++) {
124 CC[i] = src[XTS_BLOCK_SIZE + i];
125 dst[XTS_BLOCK_SIZE + i] = PP[i];
126 }
127 for (; i < XTS_BLOCK_SIZE; i++) {
128 CC[i] = PP[i];
129 }
130
131
132 xts_tweak_decrypt(datactx, decfunc, CC, dst, T);
133 }
134
135
136 decfunc(tweakctx, XTS_BLOCK_SIZE, iv, T);
137}
138
139
140
141
142
143
144
145
146
147
148
149
150static void xts_tweak_encrypt(const void *ctx,
151 xts_cipher_func *func,
152 const uint8_t *src,
153 uint8_t *dst,
154 uint8_t *iv)
155{
156 unsigned long x;
157
158
159 for (x = 0; x < XTS_BLOCK_SIZE; x++) {
160 dst[x] = src[x] ^ iv[x];
161 }
162
163 func(ctx, XTS_BLOCK_SIZE, dst, dst);
164
165 for (x = 0; x < XTS_BLOCK_SIZE; x++) {
166 dst[x] = dst[x] ^ iv[x];
167 }
168
169
170 xts_mult_x(iv);
171}
172
173
174void xts_encrypt(const void *datactx,
175 const void *tweakctx,
176 xts_cipher_func *encfunc,
177 xts_cipher_func *decfunc,
178 uint8_t *iv,
179 size_t length,
180 uint8_t *dst,
181 const uint8_t *src)
182{
183 uint8_t PP[XTS_BLOCK_SIZE], CC[XTS_BLOCK_SIZE], T[XTS_BLOCK_SIZE];
184 unsigned long i, m, mo, lim;
185
186
187 m = length >> 4;
188 mo = length & 15;
189
190
191 g_assert(m != 0);
192
193 if (mo == 0) {
194 lim = m;
195 } else {
196 lim = m - 1;
197 }
198
199
200 encfunc(tweakctx, XTS_BLOCK_SIZE, T, iv);
201
202 for (i = 0; i < lim; i++) {
203 xts_tweak_encrypt(datactx, encfunc, src, dst, T);
204
205 dst += XTS_BLOCK_SIZE;
206 src += XTS_BLOCK_SIZE;
207 }
208
209
210 if (mo > 0) {
211
212 xts_tweak_encrypt(datactx, encfunc, src, CC, T);
213
214
215 for (i = 0; i < mo; i++) {
216 PP[i] = src[XTS_BLOCK_SIZE + i];
217 dst[XTS_BLOCK_SIZE + i] = CC[i];
218 }
219
220 for (; i < XTS_BLOCK_SIZE; i++) {
221 PP[i] = CC[i];
222 }
223
224
225 xts_tweak_encrypt(datactx, encfunc, PP, dst, T);
226 }
227
228
229 decfunc(tweakctx, XTS_BLOCK_SIZE, iv, T);
230}
231