/root/bitcoin/src/crypto/aes.cpp
Line | Count | Source |
1 | | // Copyright (c) 2016-present The Bitcoin Core developers |
2 | | // Distributed under the MIT software license, see the accompanying |
3 | | // file COPYING or http://www.opensource.org/licenses/mit-license.php. |
4 | | |
5 | | #include <crypto/aes.h> |
6 | | #include <support/allocators/secure.h> |
7 | | |
8 | | #include <cstring> |
9 | | |
10 | | extern "C" { |
11 | | #include <crypto/ctaes/ctaes.c> |
12 | | } |
13 | | |
14 | | AES256Encrypt::AES256Encrypt(const unsigned char key[32]) |
15 | 0 | { |
16 | 0 | ctx = allocator.allocate(1); |
17 | 0 | AES256_init(ctx, key); |
18 | 0 | } |
19 | | |
20 | | AES256Encrypt::~AES256Encrypt() |
21 | 0 | { |
22 | 0 | allocator.deallocate(ctx, 1); |
23 | 0 | } |
24 | | |
25 | | void AES256Encrypt::Encrypt(unsigned char ciphertext[16], const unsigned char plaintext[16]) const |
26 | 0 | { |
27 | 0 | AES256_encrypt(ctx, 1, ciphertext, plaintext); |
28 | 0 | } |
29 | | |
30 | | AES256Decrypt::AES256Decrypt(const unsigned char key[32]) |
31 | 0 | { |
32 | 0 | ctx = allocator.allocate(1); |
33 | 0 | AES256_init(ctx, key); |
34 | 0 | } |
35 | | |
36 | | AES256Decrypt::~AES256Decrypt() |
37 | 0 | { |
38 | 0 | allocator.deallocate(ctx, 1); |
39 | 0 | } |
40 | | |
41 | | void AES256Decrypt::Decrypt(unsigned char plaintext[16], const unsigned char ciphertext[16]) const |
42 | 0 | { |
43 | 0 | AES256_decrypt(ctx, 1, plaintext, ciphertext); |
44 | 0 | } |
45 | | |
46 | | |
47 | | template <typename T> |
48 | | static int CBCEncrypt(const T& enc, const unsigned char iv[AES_BLOCKSIZE], const unsigned char* data, int size, bool pad, unsigned char* out) |
49 | 0 | { |
50 | 0 | int written = 0; |
51 | 0 | int padsize = size % AES_BLOCKSIZE; |
52 | 0 | unsigned char mixed[AES_BLOCKSIZE]; |
53 | |
|
54 | 0 | if (!data || !size || !out) |
55 | 0 | return 0; |
56 | | |
57 | 0 | if (!pad && padsize != 0) |
58 | 0 | return 0; |
59 | | |
60 | 0 | memcpy(mixed, iv, AES_BLOCKSIZE); |
61 | | |
62 | | // Write all but the last block |
63 | 0 | while (written + AES_BLOCKSIZE <= size) { |
64 | 0 | for (int i = 0; i != AES_BLOCKSIZE; i++) |
65 | 0 | mixed[i] ^= *data++; |
66 | 0 | enc.Encrypt(out + written, mixed); |
67 | 0 | memcpy(mixed, out + written, AES_BLOCKSIZE); |
68 | 0 | written += AES_BLOCKSIZE; |
69 | 0 | } |
70 | 0 | if (pad) { |
71 | | // For all that remains, pad each byte with the value of the remaining |
72 | | // space. If there is none, pad by a full block. |
73 | 0 | for (int i = 0; i != padsize; i++) |
74 | 0 | mixed[i] ^= *data++; |
75 | 0 | for (int i = padsize; i != AES_BLOCKSIZE; i++) |
76 | 0 | mixed[i] ^= AES_BLOCKSIZE - padsize; |
77 | 0 | enc.Encrypt(out + written, mixed); |
78 | 0 | written += AES_BLOCKSIZE; |
79 | 0 | } |
80 | 0 | return written; |
81 | 0 | } |
82 | | |
83 | | template <typename T> |
84 | | static int CBCDecrypt(const T& dec, const unsigned char iv[AES_BLOCKSIZE], const unsigned char* data, int size, bool pad, unsigned char* out) |
85 | 0 | { |
86 | 0 | int written = 0; |
87 | 0 | bool fail = false; |
88 | 0 | const unsigned char* prev = iv; |
89 | |
|
90 | 0 | if (!data || !size || !out) |
91 | 0 | return 0; |
92 | | |
93 | 0 | if (size % AES_BLOCKSIZE != 0) |
94 | 0 | return 0; |
95 | | |
96 | | // Decrypt all data. Padding will be checked in the output. |
97 | 0 | while (written != size) { |
98 | 0 | dec.Decrypt(out, data + written); |
99 | 0 | for (int i = 0; i != AES_BLOCKSIZE; i++) |
100 | 0 | *out++ ^= prev[i]; |
101 | 0 | prev = data + written; |
102 | 0 | written += AES_BLOCKSIZE; |
103 | 0 | } |
104 | | |
105 | | // When decrypting padding, attempt to run in constant-time |
106 | 0 | if (pad) { |
107 | | // If used, padding size is the value of the last decrypted byte. For |
108 | | // it to be valid, It must be between 1 and AES_BLOCKSIZE. |
109 | 0 | unsigned char padsize = *--out; |
110 | 0 | fail = !padsize | (padsize > AES_BLOCKSIZE); |
111 | | |
112 | | // If not well-formed, treat it as though there's no padding. |
113 | 0 | padsize *= !fail; |
114 | | |
115 | | // All padding must equal the last byte otherwise it's not well-formed |
116 | 0 | for (int i = AES_BLOCKSIZE; i != 0; i--) |
117 | 0 | fail |= ((i > AES_BLOCKSIZE - padsize) & (*out-- != padsize)); |
118 | |
|
119 | 0 | written -= padsize; |
120 | 0 | } |
121 | 0 | return written * !fail; |
122 | 0 | } |
123 | | |
124 | | AES256CBCEncrypt::AES256CBCEncrypt(const unsigned char key[AES256_KEYSIZE], const unsigned char ivIn[AES_BLOCKSIZE], bool padIn) |
125 | 0 | : enc(key), pad(padIn) |
126 | 0 | { |
127 | 0 | iv = allocator.allocate(AES_BLOCKSIZE); |
128 | 0 | memcpy(iv, ivIn, AES_BLOCKSIZE); |
129 | 0 | } |
130 | | |
131 | | int AES256CBCEncrypt::Encrypt(const unsigned char* data, int size, unsigned char* out) const |
132 | 0 | { |
133 | 0 | return CBCEncrypt(enc, iv, data, size, pad, out); |
134 | 0 | } |
135 | | |
136 | | AES256CBCEncrypt::~AES256CBCEncrypt() |
137 | 0 | { |
138 | 0 | allocator.deallocate(iv, AES_BLOCKSIZE); |
139 | 0 | } |
140 | | |
141 | | AES256CBCDecrypt::AES256CBCDecrypt(const unsigned char key[AES256_KEYSIZE], const unsigned char ivIn[AES_BLOCKSIZE], bool padIn) |
142 | 0 | : dec(key), pad(padIn) |
143 | 0 | { |
144 | 0 | iv = allocator.allocate(AES_BLOCKSIZE); |
145 | 0 | memcpy(iv, ivIn, AES_BLOCKSIZE); |
146 | 0 | } |
147 | | |
148 | | |
149 | | int AES256CBCDecrypt::Decrypt(const unsigned char* data, int size, unsigned char* out) const |
150 | 0 | { |
151 | 0 | return CBCDecrypt(dec, iv, data, size, pad, out); |
152 | 0 | } |
153 | | |
154 | | AES256CBCDecrypt::~AES256CBCDecrypt() |
155 | 0 | { |
156 | 0 | allocator.deallocate(iv, AES_BLOCKSIZE); |
157 | 0 | } |