AES-XTS on AArch64: Set w19 earlier before cipher-stealing of 1 block + tail. (#2785)

nebeid · web-flow · commit 3f282aa6fd16 · 2025-10-30T17:52:46.000-04:00
w19 was set to its fixed value 0x87 after the code jumps to the case of cipher stealing of 1 block and a tail. - This bug was introduced in [v1.62](https://github.com/aws/aws-lc/releases/tag/v1.62.0) in "Move udiv and sencond tweak calculations to when needed" by [@nebeid](https://github.com/nebeid) in [#2726](#2726) where the setting of w19 was moved past the branch to `.Lxts_enc_tail1x`. - Also the 3 test vectors that tested 1 block + tail were not lucky enough to exercise this issue which happens when the encrypted tweak, when shifted left by 1, results in a bit of 1, which, in turn, results in XORing the value 0x87 with the tweak. Testing: Added test vectors that failed with this bug (exercise the key/iv combination causing the failure) and now pass with the fix. By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.
diff --git a/crypto/fipsmodule/modes/xts_test.cc b/crypto/fipsmodule/modes/xts_test.cc
@@ -34,6 +34,7 @@ struct XTSTestCase {
 };
 
 static const XTSTestCase kXTSTestCases[] = {
+
     // Test vectors from OpenSSL 1.1.1d.
     // plaintext length = 32 blocks = 512 bytes
     {
@@ -238,6 +239,17 @@ static const XTSTestCase kXTSTestCases[] = {
         "000102030405060708090a0b0c0d0e0f101112131415",
         "75e8188bcce59ada939f57de2cb9a489c30ca8f2ed57",
     },
+    // ACCP test vector
+    // https://github.com/corretto/amazon-corretto-crypto-provider/blob/a4c4876cceb6b3b8209b2a5cb57a2f38622146b9/tst/com/amazon/corretto/crypto/provider/test/AesXtsTest.java#L415
+    // len = 24 bytes = 1 block + 8 bytes
+    {
+        "000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F"
+        "202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F",
+        "000102030405060708090A0B0C0D0E0F",
+        "000102030405060708090A0B0C0D0E0F1011121314151617",
+        "770407bac58070c22a0d2b1c8b0ad644b82298441f93d2a0",
+    },
+
     // https://github.com/BrianGladman/modes/blob/master/testvals/xts.6#L433
     // VEC 45, len = 31 bytes = 1 block + 15 bytes
     {
@@ -290,6 +302,18 @@ static const XTSTestCase kXTSTestCases[] = {
         "6f229c1b60833e2a50a041b360d991814c6ec7f3199d8b2482f5b19b64c32013"
         "a679f1361a011bf37b2e1565"
     },
+    // Same key and tweak as ACCP test vectore above for
+    // len = 40 bytes = 2 blocks + 8 bytes
+    {
+        "000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F"
+        "202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F",
+        "000102030405060708090A0B0C0D0E0F",
+        "000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F"
+        "202122232425262F",
+        "b82298441f93d2a0ad34668c7df66e4c8544720992ae2ecc0462c41fa816109f"
+        "9ce4d6a936a41f0f",
+    },
+
     // len = 51 bytes = 3 blocks + 3 bytes
     {
         "fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0"
diff --git a/third_party/s2n-bignum/s2n-bignum-to-be-imported/arm/aes/aes-xts-enc.S b/third_party/s2n-bignum/s2n-bignum-to-be-imported/arm/aes/aes-xts-enc.S
@@ -104,6 +104,7 @@ S2N_BN_SYMBOL(aes_hw_xts_encrypt):
 
 // Encryption
 .Lxts_enc:
+        mov   w19, #0x87
         cmp x2, #0x20
         b.lo .Lxts_enc_tail1x   // when input = 1 with tail
 
@@ -112,7 +113,6 @@ S2N_BN_SYMBOL(aes_hw_xts_encrypt):
         // the five ivs stored into, v6.16b,v8.16b,v9.16b,v10.16b,v11.16b
         fmov  x9, d6
         fmov  x10, v6.d[1]
-        mov   w19, #0x87
         tweak(d8, v8.d[1])
 
         cmp x2, #0x30
