commit 5f77801ac3f6212f66547df93c11d8add3261878
author Aorimn <aorimn@gmail.com> Thu Jun 09 23:22:58 2016 +0200
committer Jaeden Amero <jaeden.amero@arm.com> Wed Jun 13 12:03:27 2018 +0100
tree a42c6e51668e99272ff6709d05fea958eb5ec9ce
parent 380162c34c7a43818968b718a151717350ae7bef

Implement AES-XTS mode

XTS mode is fully known as "xor-encrypt-xor with ciphertext-stealing".
This is the generalization of the XEX mode.
This implementation is limited to an 8-bits (1 byte) boundary, which
doesn't seem to be what was thought considering some test vectors [1].

This commit comes with tests, extracted from [1], and benchmarks.
Although, benchmarks aren't really nice here, as they work with a buffer
of a multiple of 16 bytes, which isn't a challenge for XTS compared to
XEX.

[1] http://csrc.nist.gov/groups/STM/cavp/documents/aes/XTSTestVectors.zip

tests/suites/test_suite_aes.function

diff --git a/tests/suites/test_suite_aes.function b/tests/suites/test_suite_aes.function
index 947976a..71633dd 100644
--- a/tests/suites/test_suite_aes.function
+++ b/tests/suites/test_suite_aes.function
@@ -225,6 +225,80 @@
 }
 /* END_CASE */
 
+/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_XTS */
+void aes_encrypt_xts( char *hex_key_string, char *hex_iv_string,
+                      char *hex_src_string, char *hex_dst_string,
+                      int data_unit_len, int xts_result )
+{
+    unsigned char key_str[100] = { 0, };
+    unsigned char iv_str[100]  = { 0, };
+    unsigned char src_str[100] = { 0, };
+    unsigned char dst_str[100] = { 0, };
+    unsigned char output[100]  = { 0, };
+    mbedtls_aes_context crypt_ctx, tweak_ctx;
+    int key_len, data_len;
+
+    mbedtls_aes_init( &crypt_ctx );
+    mbedtls_aes_init( &tweak_ctx );
+
+    key_len = unhexify( key_str, hex_key_string );
+    unhexify( iv_str, hex_iv_string );
+    data_len = unhexify( src_str, hex_src_string );
+
+    mbedtls_aes_setkey_enc( &crypt_ctx, key_str,               ( key_len * 8 ) / 2 );
+    mbedtls_aes_setkey_enc( &tweak_ctx, key_str + key_len / 2, ( key_len * 8 ) / 2 );
+
+    TEST_ASSERT( mbedtls_aes_crypt_xts( &crypt_ctx, &tweak_ctx, MBEDTLS_AES_ENCRYPT, data_unit_len, iv_str, src_str, output ) == xts_result );
+    if( xts_result == 0 )
+    {
+        hexify( dst_str, output, data_len );
+
+        TEST_ASSERT( strcmp( (char *) dst_str, hex_dst_string ) == 0 );
+    }
+
+exit:
+    mbedtls_aes_free( &crypt_ctx );
+    mbedtls_aes_free( &tweak_ctx );
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_XTS */
+void aes_decrypt_xts( char *hex_key_string, char *hex_iv_string,
+                      char *hex_src_string, char *hex_dst_string,
+                      int data_unit_len, int xts_result )
+{
+    unsigned char key_str[100] = { 0, };
+    unsigned char iv_str[100]  = { 0, };
+    unsigned char src_str[100] = { 0, };
+    unsigned char dst_str[100] = { 0, };
+    unsigned char output[100]  = { 0, };
+    mbedtls_aes_context crypt_ctx, tweak_ctx;
+    int key_len, data_len;
+
+    mbedtls_aes_init( &crypt_ctx );
+    mbedtls_aes_init( &tweak_ctx );
+
+    key_len = unhexify( key_str, hex_key_string );
+    unhexify( iv_str, hex_iv_string );
+    data_len = unhexify( src_str, hex_src_string );
+
+    mbedtls_aes_setkey_dec( &crypt_ctx, key_str,               ( key_len * 8 ) / 2 );
+    mbedtls_aes_setkey_enc( &tweak_ctx, key_str + key_len / 2, ( key_len * 8 ) / 2 );
+
+	TEST_ASSERT( mbedtls_aes_crypt_xts( &crypt_ctx, &tweak_ctx, MBEDTLS_AES_DECRYPT, data_unit_len, iv_str, src_str, output ) == xts_result );
+    if( xts_result == 0 )
+    {
+        hexify( dst_str, output, data_len );
+
+        TEST_ASSERT( strcmp( (char *) dst_str, hex_dst_string ) == 0 );
+    }
+
+exit:
+    mbedtls_aes_free( &crypt_ctx );
+    mbedtls_aes_free( &tweak_ctx );
+}
+/* END_CASE */
+
 /* BEGIN_CASE depends_on:MBEDTLS_CIPHER_MODE_CFB */
 void aes_encrypt_cfb128( char *hex_key_string, char *hex_iv_string,
                          char *hex_src_string, char *hex_dst_string )