From: Eric Blake
Date: Fri, 11 Mar 2016 12:51:29 -0700
Subject: Re: [Qemu-devel] [PATCH v4 09/26] crypto: import an implementation of the XTS cipher mode
To: "Daniel P. Berrange", qemu-devel@nongnu.org
Cc: Fam Zheng, qemu-block@nongnu.org

On 02/29/2016 05:00 AM, Daniel P. Berrange wrote:
> The XTS (XEX with tweaked-codebook and ciphertext stealing)
> cipher mode is commonly used in full disk encryption. There
> is unfortunately no implementation of it in either libgcrypt
> or nettle, so we need to provide our own.
>
> The libtomcrypt project provides a repository of crypto
> algorithms under a choice of either "public domain" or
> the "what the fuck public license".
>
> So this impl is taken from the libtomcrypt GIT repo and
> adapted to be compatible with the way we need to call
> ciphers provided by nettle/gcrypt.
>
> Signed-off-by: Daniel P. Berrange
> ---
> +++ b/crypto/xts.c
> @@ -0,0 +1,256 @@ > +/* > + * QEMU Crypto XTS cipher mode > + * > + * Copyright (c) 2015 Red Hat, Inc.

Want to add 2016?

> + > +#include "qemu/osdep.h" > +#include "crypto/xts.h" > + > +static void xts_mult_x(uint8_t *I) > +{ > + int x; > + uint8_t t, tt; > + > + for (x =3D t =3D 0; x < 16; x++) { > + tt =3D I[x] >> 7; > + I[x] =3D ((I[x] << 1) | t) & 0xFF;

Why '& 0xff'? I[x] is already an 8-bit field. But since it is a direct copy from https://github.com/libtom/libtomcrypt/blob/develop/src/modes/xts/xts_mult_x.c, I won't reject it. (I could understand the mask if the original code were using uint_fast8_t for speed at the expense of worrying about potential padding bits, but no one does that in crypto...)

> +/** > + * xts_tweak_uncrypt: > + * @param ctxt: the cipher context > + * @param func: the cipher function > + * @src: buffer providing the cipher text of XTS_BLOCK_SIZE bytes > + * @dst: buffer to output the plain text of XTS_BLOCK_SIZE bytes > + * @iv: the initialization vector tweak of XTS_BLOCK_SIZE bytes > + * > + * Decrypt data with a tweak > + */ > +static void xts_tweak_decrypt(const void *ctx, > + xts_cipher_func *func, > + const uint8_t *src, > + uint8_t *dst, > + uint8_t *iv) > +{ > + unsigned long x; > + > + /* tweak encrypt block i */ > +#ifdef LTC_FAST > + for (x =3D 0; x < XTS_BLOCK_SIZE; x +=3D sizeof(LTC_FAST_TYPE)) { > + *((LTC_FAST_TYPE *)&dst[x]) =3D > + *((LTC_FAST_TYPE *)&src[x]) ^ *((LTC_FAST_TYPE *)&iv[x]); > + }

Nothing in our configure sets LTC_FAST and friends; should we just nuke these expressions as dead code? I see the point of what it is trying to do: if the data is aligned (or if the processor doesn't care about alignment), then vectorize it...

> +#else > + for (x =3D 0; x < XTS_BLOCK_SIZE; x++) { > + dst[x] =3D src[x] ^ iv[x]; > + }

...but we've already argued that the compiler should be able to auto-vectorize, or at least that hot-path tweaking can be done later.
> +void xts_decrypt(const void *datactx, > + const void *tweakctx, > + > + /* if length not divide XTS_BLOCK_SIZE then */ > + if (mo > 0) {

If length is not a multiple of XTS_BLOCK_SIZE, then

> +void xts_encrypt(const void *datactx, > + const void *tweakctx, > + > + /* if length not divide XTS_BLOCK_SIZE then */

and again

> +++ b/include/crypto/xts.h > @@ -0,0 +1,86 @@ > +/* > + * QEMU Crypto XTS cipher mode > + * > + * Copyright (c) 2015 Red Hat, Inc.

2016

> +++ b/tests/test-crypto-xts.c > @@ -0,0 +1,423 @@ > +/* > + * QEMU Crypto XTS cipher mode > + * > + * Copyright (c) 2015 Red Hat, Inc.

and again

Modulo comment tweaks and a decision about whether to nuke LTC_FAST,
Reviewed-by: Eric Blake

--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
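
Review bot: in xts_mult_x() in crypto/xts.c the loop bound is the literal 16 ("x < 16"), while xts_tweak_decrypt() further down in the same file uses XTS_BLOCK_SIZE for the same quantity. Use the constant here too, so the tweak length cannot drift from the block size. In the quoted lines the function also follows the includes with no comment at all; one line saying that it is the multiply-by-x step applied to the 16-byte tweak, and which byte order it assumes, would make it easier to check against the libtomcrypt original.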
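
Review bot: the LTC_FAST branch of xts_tweak_decrypt() in crypto/xts.c accesses the uint8_t buffers through LTC_FAST_TYPE pointers ("*((LTC_FAST_TYPE *)&dst[x]) = ..."), which assumes src, dst and iv are aligned for that type, is a strict-aliasing problem unless LTC_FAST_TYPE is a character type, and casts away the const on src. Nothing in the quoted lines establishes that alignment. The #else byte loop computes the same XOR, so dropping the #ifdef branch removes the hazard along with the dead code. In the same region, the doc comment is headed xts_tweak_uncrypt and documents a parameter ctxt, while the definition is xts_tweak_decrypt(const void *ctx, ...); it mixes "@param ctxt:" with "@src:" tag styles, and the inline comment in this decrypt helper reads "tweak encrypt block i". Aligning the names and picking one tag style would fix all three.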