lbrycrd/src/crypto/aes.cpp

// Copyright (c) 2016-2017 The Bitcoin Core developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.

#include <crypto/aes.h>
#include <crypto/common.h>

#include <assert.h>
#include <string.h>

extern "C" {
#include <crypto/ctaes/ctaes.c>
}

AES128Encrypt::AES128Encrypt(const unsigned char key[16])
{
    AES128_init(&ctx, key);
}

AES128Encrypt::~AES128Encrypt()
{
    memset(&ctx, 0, sizeof(ctx));
}

void AES128Encrypt::Encrypt(unsigned char ciphertext[16], const unsigned char plaintext[16]) const
{
    AES128_encrypt(&ctx, 1, ciphertext, plaintext);
}

AES128Decrypt::AES128Decrypt(const unsigned char key[16])
{
    AES128_init(&ctx, key);
}

AES128Decrypt::~AES128Decrypt()
{
    memset(&ctx, 0, sizeof(ctx));
}

void AES128Decrypt::Decrypt(unsigned char plaintext[16], const unsigned char ciphertext[16]) const
{
    AES128_decrypt(&ctx, 1, plaintext, ciphertext);
}

AES256Encrypt::AES256Encrypt(const unsigned char key[32])
{
    AES256_init(&ctx, key);
}

AES256Encrypt::~AES256Encrypt()
{
    memset(&ctx, 0, sizeof(ctx));
}

void AES256Encrypt::Encrypt(unsigned char ciphertext[16], const unsigned char plaintext[16]) const
{
    AES256_encrypt(&ctx, 1, ciphertext, plaintext);
}

AES256Decrypt::AES256Decrypt(const unsigned char key[32])
{
    AES256_init(&ctx, key);
}

AES256Decrypt::~AES256Decrypt()
{
    memset(&ctx, 0, sizeof(ctx));
}

void AES256Decrypt::Decrypt(unsigned char plaintext[16], const unsigned char ciphertext[16]) const
{
    AES256_decrypt(&ctx, 1, plaintext, ciphertext);
}


template <typename T>
static int CBCEncrypt(const T& enc, const unsigned char iv[AES_BLOCKSIZE], const unsigned char* data, int size, bool pad, unsigned char* out)
{
    int written = 0;
    int padsize = size % AES_BLOCKSIZE;
    unsigned char mixed[AES_BLOCKSIZE];

    if (!data || !size || !out)
        return 0;

    if (!pad && padsize != 0)
        return 0;

    memcpy(mixed, iv, AES_BLOCKSIZE);

    // Write all but the last block
    while (written + AES_BLOCKSIZE <= size) {
        for (int i = 0; i != AES_BLOCKSIZE; i++)
            mixed[i] ^= *data++;
        enc.Encrypt(out + written, mixed);
        memcpy(mixed, out + written, AES_BLOCKSIZE);
        written += AES_BLOCKSIZE;
    }
    if (pad) {
        // For all that remains, pad each byte with the value of the remaining
        // space. If there is none, pad by a full block.
        for (int i = 0; i != padsize; i++)
            mixed[i] ^= *data++;
        for (int i = padsize; i != AES_BLOCKSIZE; i++)
            mixed[i] ^= AES_BLOCKSIZE - padsize;
        enc.Encrypt(out + written, mixed);
        written += AES_BLOCKSIZE;
    }
    return written;
}

template <typename T>
static int CBCDecrypt(const T& dec, const unsigned char iv[AES_BLOCKSIZE], const unsigned char* data, int size, bool pad, unsigned char* out)
{
    int written = 0;
    bool fail = false;
    const unsigned char* prev = iv;

    if (!data || !size || !out)
        return 0;

    if (size % AES_BLOCKSIZE != 0)
        return 0;

    // Decrypt all data. Padding will be checked in the output.
    while (written != size) {
        dec.Decrypt(out, data + written);
        for (int i = 0; i != AES_BLOCKSIZE; i++)
            *out++ ^= prev[i];
        prev = data + written;
        written += AES_BLOCKSIZE;
    }

    // When decrypting padding, attempt to run in constant-time
    if (pad) {
        // If used, padding size is the value of the last decrypted byte. For
        // it to be valid, It must be between 1 and AES_BLOCKSIZE.
        unsigned char padsize = *--out;
        fail = !padsize | (padsize > AES_BLOCKSIZE);

        // If not well-formed, treat it as though there's no padding.
        padsize *= !fail;

        // All padding must equal the last byte otherwise it's not well-formed
        for (int i = AES_BLOCKSIZE; i != 0; i--)
            fail |= ((i > AES_BLOCKSIZE - padsize) & (*out-- != padsize));

        written -= padsize;
    }
    return written * !fail;
}

AES256CBCEncrypt::AES256CBCEncrypt(const unsigned char key[AES256_KEYSIZE], const unsigned char ivIn[AES_BLOCKSIZE], bool padIn)
    : enc(key), pad(padIn)
{
    memcpy(iv, ivIn, AES_BLOCKSIZE);
}

int AES256CBCEncrypt::Encrypt(const unsigned char* data, int size, unsigned char* out) const
{
    return CBCEncrypt(enc, iv, data, size, pad, out);
}

AES256CBCEncrypt::~AES256CBCEncrypt()
{
    memset(iv, 0, sizeof(iv));
}

AES256CBCDecrypt::AES256CBCDecrypt(const unsigned char key[AES256_KEYSIZE], const unsigned char ivIn[AES_BLOCKSIZE], bool padIn)
    : dec(key), pad(padIn)
{
    memcpy(iv, ivIn, AES_BLOCKSIZE);
}


int AES256CBCDecrypt::Decrypt(const unsigned char* data, int size, unsigned char* out) const
{
    return CBCDecrypt(dec, iv, data, size, pad, out);
}

AES256CBCDecrypt::~AES256CBCDecrypt()
{
    memset(iv, 0, sizeof(iv));
}

AES128CBCEncrypt::AES128CBCEncrypt(const unsigned char key[AES128_KEYSIZE], const unsigned char ivIn[AES_BLOCKSIZE], bool padIn)
    : enc(key), pad(padIn)
{
    memcpy(iv, ivIn, AES_BLOCKSIZE);
}

AES128CBCEncrypt::~AES128CBCEncrypt()
{
    memset(iv, 0, AES_BLOCKSIZE);
}

int AES128CBCEncrypt::Encrypt(const unsigned char* data, int size, unsigned char* out) const
{
    return CBCEncrypt(enc, iv, data, size, pad, out);
}

AES128CBCDecrypt::AES128CBCDecrypt(const unsigned char key[AES128_KEYSIZE], const unsigned char ivIn[AES_BLOCKSIZE], bool padIn)
    : dec(key), pad(padIn)
{
    memcpy(iv, ivIn, AES_BLOCKSIZE);
}

AES128CBCDecrypt::~AES128CBCDecrypt()
{
    memset(iv, 0, AES_BLOCKSIZE);
}

int AES128CBCDecrypt::Decrypt(const unsigned char* data, int size, unsigned char* out) const
{
    return CBCDecrypt(dec, iv, data, size, pad, out);
}
Increment MIT Licence copyright header year on files modified in 2017 2018-01-02 18:12:05 +01:00			`// Copyright (c) 2016-2017 The Bitcoin Core developers`
Add ctaes-based constant time AES implementation 2016-03-30 15:37:41 +02:00			`// Distributed under the MIT software license, see the accompanying`
			`// file COPYING or http://www.opensource.org/licenses/mit-license.php.`

scripted-diff: Replace #include "" with #include <> (ryanofsky) -BEGIN VERIFY SCRIPT- for f in \ src/.cpp \ src/.h \ src/bench/.cpp \ src/bench/.h \ src/compat/.cpp \ src/compat/.h \ src/consensus/.cpp \ src/consensus/.h \ src/crypto/.cpp \ src/crypto/.h \ src/crypto/ctaes/.h \ src/policy/.cpp \ src/policy/.h \ src/primitives/.cpp \ src/primitives/.h \ src/qt/.cpp \ src/qt/.h \ src/qt/test/.cpp \ src/qt/test/.h \ src/rpc/.cpp \ src/rpc/.h \ src/script/.cpp \ src/script/.h \ src/support/.cpp \ src/support/.h \ src/support/allocators/.h \ src/test/.cpp \ src/test/.h \ src/wallet/.cpp \ src/wallet/.h \ src/wallet/test/.cpp \ src/wallet/test/.h \ src/zmq/.cpp \ src/zmq/.h do base=${f%/}/ relbase=${base#src/} sed -i "s:#include \"\(.\)\"\(.*\):if test -e \$base'\\1'; then echo \"#include <\"\$relbase\"\\1>\\2\"; else echo \"#include <\\1>\\2\"; fi:e" $f done -END VERIFY SCRIPT- 2017-11-10 01:57:53 +01:00			`#include <crypto/aes.h>`
			`#include <crypto/common.h>`
Add ctaes-based constant time AES implementation 2016-03-30 15:37:41 +02:00
			`#include <assert.h>`
			`#include <string.h>`

			`extern "C" {`
scripted-diff: Replace #include "" with #include <> (ryanofsky) -BEGIN VERIFY SCRIPT- for f in \ src/.cpp \ src/.h \ src/bench/.cpp \ src/bench/.h \ src/compat/.cpp \ src/compat/.h \ src/consensus/.cpp \ src/consensus/.h \ src/crypto/.cpp \ src/crypto/.h \ src/crypto/ctaes/.h \ src/policy/.cpp \ src/policy/.h \ src/primitives/.cpp \ src/primitives/.h \ src/qt/.cpp \ src/qt/.h \ src/qt/test/.cpp \ src/qt/test/.h \ src/rpc/.cpp \ src/rpc/.h \ src/script/.cpp \ src/script/.h \ src/support/.cpp \ src/support/.h \ src/support/allocators/.h \ src/test/.cpp \ src/test/.h \ src/wallet/.cpp \ src/wallet/.h \ src/wallet/test/.cpp \ src/wallet/test/.h \ src/zmq/.cpp \ src/zmq/.h do base=${f%/}/ relbase=${base#src/} sed -i "s:#include \"\(.\)\"\(.*\):if test -e \$base'\\1'; then echo \"#include <\"\$relbase\"\\1>\\2\"; else echo \"#include <\\1>\\2\"; fi:e" $f done -END VERIFY SCRIPT- 2017-11-10 01:57:53 +01:00			`#include <crypto/ctaes/ctaes.c>`
Add ctaes-based constant time AES implementation 2016-03-30 15:37:41 +02:00			`}`

			`AES128Encrypt::AES128Encrypt(const unsigned char key[16])`
			`{`
			`AES128_init(&ctx, key);`
			`}`

			`AES128Encrypt::~AES128Encrypt()`
			`{`
			`memset(&ctx, 0, sizeof(ctx));`
			`}`

			`void AES128Encrypt::Encrypt(unsigned char ciphertext[16], const unsigned char plaintext[16]) const`
			`{`
			`AES128_encrypt(&ctx, 1, ciphertext, plaintext);`
			`}`

			`AES128Decrypt::AES128Decrypt(const unsigned char key[16])`
			`{`
			`AES128_init(&ctx, key);`
			`}`

			`AES128Decrypt::~AES128Decrypt()`
			`{`
			`memset(&ctx, 0, sizeof(ctx));`
			`}`

			`void AES128Decrypt::Decrypt(unsigned char plaintext[16], const unsigned char ciphertext[16]) const`
			`{`
			`AES128_decrypt(&ctx, 1, plaintext, ciphertext);`
			`}`

			`AES256Encrypt::AES256Encrypt(const unsigned char key[32])`
			`{`
			`AES256_init(&ctx, key);`
			`}`

			`AES256Encrypt::~AES256Encrypt()`
			`{`
			`memset(&ctx, 0, sizeof(ctx));`
			`}`

			`void AES256Encrypt::Encrypt(unsigned char ciphertext[16], const unsigned char plaintext[16]) const`
			`{`
			`AES256_encrypt(&ctx, 1, ciphertext, plaintext);`
			`}`

			`AES256Decrypt::AES256Decrypt(const unsigned char key[32])`
			`{`
			`AES256_init(&ctx, key);`
			`}`

			`AES256Decrypt::~AES256Decrypt()`
			`{`
			`memset(&ctx, 0, sizeof(ctx));`
			`}`

			`void AES256Decrypt::Decrypt(unsigned char plaintext[16], const unsigned char ciphertext[16]) const`
			`{`
			`AES256_decrypt(&ctx, 1, plaintext, ciphertext);`
			`}`
crypto: add AES 128/256 CBC classes The output should always match openssl's, even for failed operations. Even for a decrypt with broken padding, the output is always deterministic (and attemtps to be constant-time). 2015-03-20 05:49:13 +01:00

			`template <typename T>`
			`static int CBCEncrypt(const T& enc, const unsigned char iv[AES_BLOCKSIZE], const unsigned char* data, int size, bool pad, unsigned char* out)`
			`{`
			`int written = 0;`
			`int padsize = size % AES_BLOCKSIZE;`
			`unsigned char mixed[AES_BLOCKSIZE];`

			`if (!data \|\| !size \|\| !out)`
			`return 0;`

			`if (!pad && padsize != 0)`
			`return 0;`

			`memcpy(mixed, iv, AES_BLOCKSIZE);`

			`// Write all but the last block`
			`while (written + AES_BLOCKSIZE <= size) {`
			`for (int i = 0; i != AES_BLOCKSIZE; i++)`
			`mixed[i] ^= *data++;`
			`enc.Encrypt(out + written, mixed);`
			`memcpy(mixed, out + written, AES_BLOCKSIZE);`
			`written += AES_BLOCKSIZE;`
			`}`
			`if (pad) {`
			`// For all that remains, pad each byte with the value of the remaining`
			`// space. If there is none, pad by a full block.`
			`for (int i = 0; i != padsize; i++)`
			`mixed[i] ^= *data++;`
			`for (int i = padsize; i != AES_BLOCKSIZE; i++)`
			`mixed[i] ^= AES_BLOCKSIZE - padsize;`
			`enc.Encrypt(out + written, mixed);`
			`written += AES_BLOCKSIZE;`
			`}`
			`return written;`
			`}`

			`template <typename T>`
			`static int CBCDecrypt(const T& dec, const unsigned char iv[AES_BLOCKSIZE], const unsigned char* data, int size, bool pad, unsigned char* out)`
			`{`
			`int written = 0;`
			`bool fail = false;`
			`const unsigned char* prev = iv;`

			`if (!data \|\| !size \|\| !out)`
			`return 0;`

			`if (size % AES_BLOCKSIZE != 0)`
			`return 0;`

			`// Decrypt all data. Padding will be checked in the output.`
			`while (written != size) {`
			`dec.Decrypt(out, data + written);`
			`for (int i = 0; i != AES_BLOCKSIZE; i++)`
			`*out++ ^= prev[i];`
			`prev = data + written;`
			`written += AES_BLOCKSIZE;`
			`}`

			`// When decrypting padding, attempt to run in constant-time`
			`if (pad) {`
			`// If used, padding size is the value of the last decrypted byte. For`
			`// it to be valid, It must be between 1 and AES_BLOCKSIZE.`
Limit variable scope 2017-06-04 22:45:22 +02:00			`unsigned char padsize = *--out;`
crypto: add AES 128/256 CBC classes The output should always match openssl's, even for failed operations. Even for a decrypt with broken padding, the output is always deterministic (and attemtps to be constant-time). 2015-03-20 05:49:13 +01:00			`fail = !padsize \| (padsize > AES_BLOCKSIZE);`

			`// If not well-formed, treat it as though there's no padding.`
			`padsize *= !fail;`

			`// All padding must equal the last byte otherwise it's not well-formed`
			`for (int i = AES_BLOCKSIZE; i != 0; i--)`
			`fail \|= ((i > AES_BLOCKSIZE - padsize) & (*out-- != padsize));`

			`written -= padsize;`
			`}`
			`return written * !fail;`
			`}`

			`AES256CBCEncrypt::AES256CBCEncrypt(const unsigned char key[AES256_KEYSIZE], const unsigned char ivIn[AES_BLOCKSIZE], bool padIn)`
			`: enc(key), pad(padIn)`
			`{`
			`memcpy(iv, ivIn, AES_BLOCKSIZE);`
			`}`

			`int AES256CBCEncrypt::Encrypt(const unsigned char* data, int size, unsigned char* out) const`
			`{`
			`return CBCEncrypt(enc, iv, data, size, pad, out);`
			`}`

			`AES256CBCEncrypt::~AES256CBCEncrypt()`
			`{`
			`memset(iv, 0, sizeof(iv));`
			`}`

			`AES256CBCDecrypt::AES256CBCDecrypt(const unsigned char key[AES256_KEYSIZE], const unsigned char ivIn[AES_BLOCKSIZE], bool padIn)`
			`: dec(key), pad(padIn)`
			`{`
			`memcpy(iv, ivIn, AES_BLOCKSIZE);`
			`}`


			`int AES256CBCDecrypt::Decrypt(const unsigned char* data, int size, unsigned char* out) const`
			`{`
			`return CBCDecrypt(dec, iv, data, size, pad, out);`
			`}`

			`AES256CBCDecrypt::~AES256CBCDecrypt()`
			`{`
			`memset(iv, 0, sizeof(iv));`
			`}`

			`AES128CBCEncrypt::AES128CBCEncrypt(const unsigned char key[AES128_KEYSIZE], const unsigned char ivIn[AES_BLOCKSIZE], bool padIn)`
			`: enc(key), pad(padIn)`
			`{`
			`memcpy(iv, ivIn, AES_BLOCKSIZE);`
			`}`

			`AES128CBCEncrypt::~AES128CBCEncrypt()`
			`{`
			`memset(iv, 0, AES_BLOCKSIZE);`
			`}`

			`int AES128CBCEncrypt::Encrypt(const unsigned char* data, int size, unsigned char* out) const`
			`{`
			`return CBCEncrypt(enc, iv, data, size, pad, out);`
			`}`

			`AES128CBCDecrypt::AES128CBCDecrypt(const unsigned char key[AES128_KEYSIZE], const unsigned char ivIn[AES_BLOCKSIZE], bool padIn)`
			`: dec(key), pad(padIn)`
			`{`
			`memcpy(iv, ivIn, AES_BLOCKSIZE);`
			`}`

			`AES128CBCDecrypt::~AES128CBCDecrypt()`
			`{`
			`memset(iv, 0, AES_BLOCKSIZE);`
			`}`

			`int AES128CBCDecrypt::Decrypt(const unsigned char* data, int size, unsigned char* out) const`
			`{`
			`return CBCDecrypt(dec, iv, data, size, pad, out);`
			`}`