commit 5f77801ac3f6212f66547df93c11d8add3261878
author Aorimn <aorimn@gmail.com> Thu Jun 09 23:22:58 2016 +0200
committer Jaeden Amero <jaeden.amero@arm.com> Wed Jun 13 12:03:27 2018 +0100
tree a42c6e51668e99272ff6709d05fea958eb5ec9ce
parent 380162c34c7a43818968b718a151717350ae7bef

Implement AES-XTS mode

XTS mode is fully known as "xor-encrypt-xor with ciphertext-stealing".
This is the generalization of the XEX mode.
This implementation is limited to an 8-bits (1 byte) boundary, which
doesn't seem to be what was thought considering some test vectors [1].

This commit comes with tests, extracted from [1], and benchmarks.
Although, benchmarks aren't really nice here, as they work with a buffer
of a multiple of 16 bytes, which isn't a challenge for XTS compared to
XEX.

[1] http://csrc.nist.gov/groups/STM/cavp/documents/aes/XTSTestVectors.zip

programs/test/benchmark.c

diff --git a/programs/test/benchmark.c b/programs/test/benchmark.c
index ec5794e..c9241cb 100644
--- a/programs/test/benchmark.c
+++ b/programs/test/benchmark.c
@@ -99,8 +99,8 @@
 #define OPTIONS                                                         \
     "md4, md5, ripemd160, sha1, sha256, sha512,\n"                      \
     "arc4, des3, des, camellia, blowfish,\n"                            \
-    "aes_cbc, aes_gcm, aes_ccm, aes_cmac, aes_xex, des3_cmac,\n"        \
-    "havege, ctr_drbg, hmac_drbg\n"                                     \
+    "aes_cbc, aes_gcm, aes_ccm, aes_cmac, aes_xex, aes_xts,\n"          \
+    "des3_cmac, havege, ctr_drbg, hmac_drbg\n"                          \
     "rsa, dhm, ecdsa, ecdh.\n"
 
 #if defined(MBEDTLS_ERROR_C)
@@ -233,8 +233,8 @@
 typedef struct {
     char md4, md5, ripemd160, sha1, sha256, sha512,
          arc4, des3, des,
-         aes_cbc, aes_gcm, aes_ccm, aes_cmac, aes_xex, des3_cmac,
-         aria, camellia, blowfish,
+         aes_cbc, aes_gcm, aes_ccm, aes_cmac, aes_xex, aes_xts,
+         des3_cmac, aria, camellia, blowfish,
          havege, ctr_drbg, hmac_drbg,
          rsa, dhm, ecdsa, ecdh;
 } todo_list;
@@ -281,6 +281,8 @@
                 todo.aes_cbc = 1;
             else if( strcmp( argv[i], "aes_xex" ) == 0 )
                 todo.aes_xex = 1;
+            else if( strcmp( argv[i], "aes_xts" ) == 0 )
+                todo.aes_xts = 1;
             else if( strcmp( argv[i], "aes_gcm" ) == 0 )
                 todo.aes_gcm = 1;
             else if( strcmp( argv[i], "aes_ccm" ) == 0 )
@@ -451,6 +453,29 @@
         mbedtls_aes_free( &tweak_ctx );
     }
 #endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+    if( todo.aes_xts )
+    {
+        int keysize;
+        mbedtls_aes_context crypt_ctx, tweak_ctx;
+        mbedtls_aes_init( &crypt_ctx );
+        mbedtls_aes_init( &tweak_ctx );
+        for( keysize = 128; keysize <= 256; keysize += 64 )
+        {
+            mbedtls_snprintf( title, sizeof( title ), "AES-XTS-%d", keysize );
+
+            memset( buf, 0, sizeof( buf ) );
+            memset( tmp, 0, sizeof( tmp ) );
+            mbedtls_aes_setkey_enc( &crypt_ctx, tmp, keysize );
+            mbedtls_aes_setkey_enc( &tweak_ctx, tmp, keysize );
+
+            TIME_AND_TSC( title,
+                mbedtls_aes_crypt_xts( &crypt_ctx, &tweak_ctx, MBEDTLS_AES_ENCRYPT, BUFSIZE * 8, tmp, buf, buf ) );
+        }
+        mbedtls_aes_free( &crypt_ctx );
+        mbedtls_aes_free( &tweak_ctx );
+    }
+#endif
 #if defined(MBEDTLS_GCM_C)
     if( todo.aes_gcm )
     {