Home Explore Help
Sign In
baoxu
/
frp
1
0
Fork 0
Files
Branch: new
Branches Tags
frp
/
vendor
/
golang.org
/
x
/
crypto
/
xts
/
xts.go

xts.go 4.4 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137 
  1. // Copyright 2012 The Go Authors. All rights reserved.
    2. 

  2. // Use of this source code is governed by a BSD-style
    3. 

  3. // license that can be found in the LICENSE file.
    4. 

  4. 

  5. // Package xts implements the XTS cipher mode as specified in IEEE P1619/D16.
    6. 

  6. //
    7. 

  7. // XTS mode is typically used for disk encryption, which presents a number of
    8. 

  8. // novel problems that make more common modes inapplicable. The disk is
    9. 

  9. // conceptually an array of sectors and we must be able to encrypt and decrypt
    10. 

  10. // a sector in isolation. However, an attacker must not be able to transpose
    11. 

  11. // two sectors of plaintext by transposing their ciphertext.
    12. 

  12. //
    13. 

  13. // XTS wraps a block cipher with Rogaway's XEX mode in order to build a
    14. 

  14. // tweakable block cipher. This allows each sector to have a unique tweak and
    15. 

  15. // effectively create a unique key for each sector.
    16. 

  16. //
    17. 

  17. // XTS does not provide any authentication. An attacker can manipulate the
    18. 

  18. // ciphertext and randomise a block (16 bytes) of the plaintext.
    19. 

  19. //
    20. 

  20. // (Note: this package does not implement ciphertext-stealing so sectors must
    21. 

  21. // be a multiple of 16 bytes.)
    22. 

  22. package xts // import "golang.org/x/crypto/xts"
    23. 

  23. 

  24. import (
    25. 

  25. 	"crypto/cipher"
    26. 

  26. 	"encoding/binary"
    27. 

  27. 	"errors"
    28. 

  28. )
    29. 

  29. 

  30. // Cipher contains an expanded key structure. It doesn't contain mutable state
    31. 

  31. // and therefore can be used concurrently.
    32. 

  32. type Cipher struct {
    33. 

  33. 	k1, k2 cipher.Block
    34. 

  34. }
    35. 

  35. 

  36. // blockSize is the block size that the underlying cipher must have. XTS is
    37. 

  37. // only defined for 16-byte ciphers.
    38. 

  38. const blockSize = 16
    39. 

  39. 

  40. // NewCipher creates a Cipher given a function for creating the underlying
    41. 

  41. // block cipher (which must have a block size of 16 bytes). The key must be
    42. 

  42. // twice the length of the underlying cipher's key.
    43. 

  43. func NewCipher(cipherFunc func([]byte) (cipher.Block, error), key []byte) (c *Cipher, err error) {
    44. 

  44. 	c = new(Cipher)
    45. 

  45. 	if c.k1, err = cipherFunc(key[:len(key)/2]); err != nil {
    46. 

  46. 		return
    47. 

  47. 	}
    48. 

  48. 	c.k2, err = cipherFunc(key[len(key)/2:])
    49. 

  49. 

  50. 	if c.k1.BlockSize() != blockSize {
    51. 

  51. 		err = errors.New("xts: cipher does not have a block size of 16")
    52. 

  52. 	}
    53. 

  53. 

  54. 	return
    55. 

  55. }
    56. 

  56. 

  57. // Encrypt encrypts a sector of plaintext and puts the result into ciphertext.
    58. 

  58. // Plaintext and ciphertext may be the same slice but should not overlap.
    59. 

  59. // Sectors must be a multiple of 16 bytes and less than 2²⁴ bytes.
    60. 

  60. func (c *Cipher) Encrypt(ciphertext, plaintext []byte, sectorNum uint64) {
    61. 

  61. 	if len(ciphertext) < len(plaintext) {
    62. 

  62. 		panic("xts: ciphertext is smaller than plaintext")
    63. 

  63. 	}
    64. 

  64. 	if len(plaintext)%blockSize != 0 {
    65. 

  65. 		panic("xts: plaintext is not a multiple of the block size")
    66. 

  66. 	}
    67. 

  67. 

  68. 	var tweak [blockSize]byte
    69. 

  69. 	binary.LittleEndian.PutUint64(tweak[:8], sectorNum)
    70. 

  70. 

  71. 	c.k2.Encrypt(tweak[:], tweak[:])
    72. 

  72. 

  73. 	for len(plaintext) > 0 {
    74. 

  74. 		for j := range tweak {
    75. 

  75. 			ciphertext[j] = plaintext[j] ^ tweak[j]
    76. 

  76. 		}
    77. 

  77. 		c.k1.Encrypt(ciphertext, ciphertext)
    78. 

  78. 		for j := range tweak {
    79. 

  79. 			ciphertext[j] ^= tweak[j]
    80. 

  80. 		}
    81. 

  81. 		plaintext = plaintext[blockSize:]
    82. 

  82. 		ciphertext = ciphertext[blockSize:]
    83. 

  83. 

  84. 		mul2(&tweak)
    85. 

  85. 	}
    86. 

  86. }
    87. 

  87. 

  88. // Decrypt decrypts a sector of ciphertext and puts the result into plaintext.
    89. 

  89. // Plaintext and ciphertext may be the same slice but should not overlap.
    90. 

  90. // Sectors must be a multiple of 16 bytes and less than 2²⁴ bytes.
    91. 

  91. func (c *Cipher) Decrypt(plaintext, ciphertext []byte, sectorNum uint64) {
    92. 

  92. 	if len(plaintext) < len(ciphertext) {
    93. 

  93. 		panic("xts: plaintext is smaller than ciphertext")
    94. 

  94. 	}
    95. 

  95. 	if len(ciphertext)%blockSize != 0 {
    96. 

  96. 		panic("xts: ciphertext is not a multiple of the block size")
    97. 

  97. 	}
    98. 

  98. 

  99. 	var tweak [blockSize]byte
    100. 

  100. 	binary.LittleEndian.PutUint64(tweak[:8], sectorNum)
    101. 

  101. 

  102. 	c.k2.Encrypt(tweak[:], tweak[:])
    103. 

  103. 

  104. 	for len(ciphertext) > 0 {
    105. 

  105. 		for j := range tweak {
    106. 

  106. 			plaintext[j] = ciphertext[j] ^ tweak[j]
    107. 

  107. 		}
    108. 

  108. 		c.k1.Decrypt(plaintext, plaintext)
    109. 

  109. 		for j := range tweak {
    110. 

  110. 			plaintext[j] ^= tweak[j]
    111. 

  111. 		}
    112. 

  112. 		plaintext = plaintext[blockSize:]
    113. 

  113. 		ciphertext = ciphertext[blockSize:]
    114. 

  114. 

  115. 		mul2(&tweak)
    116. 

  116. 	}
    117. 

  117. }
    118. 

  118. 

  119. // mul2 multiplies tweak by 2 in GF(2¹²⁸) with an irreducible polynomial of
    120. 

  120. // x¹²⁸ + x⁷ + x² + x + 1.
    121. 

  121. func mul2(tweak *[blockSize]byte) {
    122. 

  122. 	var carryIn byte
    123. 

  123. 	for j := range tweak {
    124. 

  124. 		carryOut := tweak[j] >> 7
    125. 

  125. 		tweak[j] = (tweak[j] << 1) + carryIn
    126. 

  126. 		carryIn = carryOut
    127. 

  127. 	}
    128. 

  128. 	if carryIn != 0 {
    129. 

  129. 		// If we have a carry bit then we need to subtract a multiple
    130. 

  130. 		// of the irreducible polynomial (x¹²⁸ + x⁷ + x² + x + 1).
    131. 

  131. 		// By dropping the carry bit, we're subtracting the x^128 term
    132. 

  132. 		// so all that remains is to subtract x⁷ + x² + x + 1.
    133. 

  133. 		// Subtraction (and addition) in this representation is just
    134. 

  134. 		// XOR.
    135. 

  135. 		tweak[0] ^= 1<<7 | 1<<2 | 1<<1 | 1
    136. 

  136. 	}
    137. 

  137. }
    138.