TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-crypto / 2682edf205177a9639d2126238d6f83e19fd5d71 / . / programs / aes / aescrypt2.c
blob: 36dabe9403a16bb9e636bd29281691b0774ab330 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * AES-256 file encryption program
3 *
Manuel Pégourié-Gonnard6fb81872015-07-27 11:11:48 +0200[diff] [blame]4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]18 *
Manuel Pégourié-Gonnardfe446432015-03-06 13:17:10 +0000[diff] [blame]19 * This file is part of mbed TLS (https://tls.mbed.org)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]20 */
21
Nicholas Wilson2682edf2017-12-05 12:08:15 +0000[diff] [blame^]22/* Enable definition of fileno() even when compiling with -std=c99. Must be
23 * set before config.h, which pulls in glibc's features.h indirectly.
24 * Harmless on other platforms. */
25#define _POSIX_C_SOURCE 1
26
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]27#if !defined(MBEDTLS_CONFIG_FILE)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]28#include "mbedtls/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]29#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]30#include MBEDTLS_CONFIG_FILE
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]31#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]32
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]33#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]34#include "mbedtls/platform.h"
Rich Evansf90016a2015-01-19 14:26:37 +0000[diff] [blame]35#else
Rich Evans18b78c72015-02-11 14:06:19 +0000[diff] [blame]36#include <stdio.h>
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]37#define mbedtls_fprintf fprintf
38#define mbedtls_printf printf
Rich Evans18b78c72015-02-11 14:06:19 +0000[diff] [blame]39#endif
40
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]41#include "mbedtls/aes.h"
Manuel Pégourié-Gonnard003b3b12015-03-24 18:22:59 +0100[diff] [blame]42#include "mbedtls/md.h"
Rich Evans18b78c72015-02-11 14:06:19 +0000[diff] [blame]43
44#include <stdio.h>
45#include <stdlib.h>
46#include <string.h>
Rich Evansf90016a2015-01-19 14:26:37 +0000[diff] [blame]47
Paul Bakker494c0b82011-04-24 15:30:07 +0000[diff] [blame]48#if defined(_WIN32)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]49#include <windows.h>
Paul Bakkercce9d772011-11-18 14:26:47 +0000[diff] [blame]50#if !defined(_WIN32_WCE)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]51#include <io.h>
Paul Bakkercce9d772011-11-18 14:26:47 +0000[diff] [blame]52#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]53#else
54#include <sys/types.h>
55#include <unistd.h>
56#endif
57
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]58#define MODE_ENCRYPT 0
59#define MODE_DECRYPT 1
60
61#define USAGE \
62 "\n aescrypt2 <mode> <input filename> <output filename> <key>\n" \
63 "\n <mode>: 0 = encrypt, 1 = decrypt\n" \
64 "\n example: aescrypt2 0 file file.aes hex:E76B2413958B00E193\n" \
65 "\n"
66
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]67#if !defined(MBEDTLS_AES_C) || !defined(MBEDTLS_SHA256_C) || \
68 !defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_MD_C)
Rich Evans85b05ec2015-02-12 11:37:29 +0000[diff] [blame]69int main( void )
Paul Bakker5690efc2011-05-26 13:16:06 +0000[diff] [blame]70{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]71 mbedtls_printf("MBEDTLS_AES_C and/or MBEDTLS_SHA256_C "
72 "and/or MBEDTLS_FS_IO and/or MBEDTLS_MD_C "
Manuel Pégourié-Gonnard003b3b12015-03-24 18:22:59 +0100[diff] [blame]73 "not defined.\n");
Paul Bakker5690efc2011-05-26 13:16:06 +0000[diff] [blame]74 return( 0 );
75}
76#else
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]77int main( int argc, char *argv[] )
78{
Paul Bakker5690efc2011-05-26 13:16:06 +0000[diff] [blame]79 int ret = 1;
80
Simon Butcher0e7d3872016-08-30 14:25:24 +0100[diff] [blame]81 unsigned int i, n;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]82 int mode, lastn;
83 size_t keylen;
Paul Bakker20a78082011-01-21 09:32:12 +0000[diff] [blame]84 FILE *fkey, *fin = NULL, *fout = NULL;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]85
86 char *p;
Hanno Beckerce37e622017-06-27 08:24:34 +0100[diff] [blame]87
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]88 unsigned char IV[16];
Hanno Beckerce37e622017-06-27 08:24:34 +0100[diff] [blame]89 unsigned char tmp[16];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]90 unsigned char key[512];
91 unsigned char digest[32];
92 unsigned char buffer[1024];
Manuel Pégourié-Gonnard291f9af2013-10-28 12:51:32 +0100[diff] [blame]93 unsigned char diff;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]94
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]95 mbedtls_aes_context aes_ctx;
96 mbedtls_md_context_t sha_ctx;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]97
Paul Bakkercce9d772011-11-18 14:26:47 +0000[diff] [blame]98#if defined(_WIN32_WCE)
99 long filesize, offset;
100#elif defined(_WIN32)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]101 LARGE_INTEGER li_size;
102 __int64 filesize, offset;
103#else
104 off_t filesize, offset;
105#endif
106
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]107 mbedtls_aes_init( &aes_ctx );
108 mbedtls_md_init( &sha_ctx );
Manuel Pégourié-Gonnard003b3b12015-03-24 18:22:59 +0100[diff] [blame]109
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]110 ret = mbedtls_md_setup( &sha_ctx, mbedtls_md_info_from_type( MBEDTLS_MD_SHA256 ), 1 );
Manuel Pégourié-Gonnard003b3b12015-03-24 18:22:59 +0100[diff] [blame]111 if( ret != 0 )
112 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]113 mbedtls_printf( " ! mbedtls_md_setup() returned -0x%04x\n", -ret );
Manuel Pégourié-Gonnard003b3b12015-03-24 18:22:59 +0100[diff] [blame]114 goto exit;
115 }
Paul Bakker8cfd9d82014-06-18 11:16:11 +0200[diff] [blame]116
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]117 /*
118 * Parse the command-line arguments.
119 */
120 if( argc != 5 )
121 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]122 mbedtls_printf( USAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]123
Paul Bakkercce9d772011-11-18 14:26:47 +0000[diff] [blame]124#if defined(_WIN32)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]125 mbedtls_printf( "\n Press Enter to exit this program.\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]126 fflush( stdout ); getchar();
127#endif
128
129 goto exit;
130 }
131
132 mode = atoi( argv[1] );
Hanno Beckerce37e622017-06-27 08:24:34 +0100[diff] [blame]133 memset( IV, 0, sizeof( IV ) );
134 memset( key, 0, sizeof( key ) );
135 memset( digest, 0, sizeof( digest ) );
136 memset( buffer, 0, sizeof( buffer ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]137
138 if( mode != MODE_ENCRYPT && mode != MODE_DECRYPT )
139 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]140 mbedtls_fprintf( stderr, "invalide operation mode\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]141 goto exit;
142 }
143
144 if( strcmp( argv[2], argv[3] ) == 0 )
145 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]146 mbedtls_fprintf( stderr, "input and output filenames must differ\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]147 goto exit;
148 }
149
150 if( ( fin = fopen( argv[2], "rb" ) ) == NULL )
151 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]152 mbedtls_fprintf( stderr, "fopen(%s,rb) failed\n", argv[2] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]153 goto exit;
154 }
155
156 if( ( fout = fopen( argv[3], "wb+" ) ) == NULL )
157 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]158 mbedtls_fprintf( stderr, "fopen(%s,wb+) failed\n", argv[3] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]159 goto exit;
160 }
161
162 /*
Hanno Becker840bace2017-06-27 11:36:21 +0100[diff] [blame]163 * Read the secret key from file or command line
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]164 */
165 if( ( fkey = fopen( argv[4], "rb" ) ) != NULL )
166 {
167 keylen = fread( key, 1, sizeof( key ), fkey );
168 fclose( fkey );
169 }
170 else
171 {
172 if( memcmp( argv[4], "hex:", 4 ) == 0 )
173 {
174 p = &argv[4][4];
175 keylen = 0;
176
177 while( sscanf( p, "%02X", &n ) > 0 &&
178 keylen < (int) sizeof( key ) )
179 {
180 key[keylen++] = (unsigned char) n;
181 p += 2;
182 }
183 }
184 else
185 {
186 keylen = strlen( argv[4] );
187
188 if( keylen > (int) sizeof( key ) )
189 keylen = (int) sizeof( key );
190
191 memcpy( key, argv[4], keylen );
192 }
193 }
194
Paul Bakkercce9d772011-11-18 14:26:47 +0000[diff] [blame]195#if defined(_WIN32_WCE)
196 filesize = fseek( fin, 0L, SEEK_END );
197#else
198#if defined(_WIN32)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]199 /*
200 * Support large files (> 2Gb) on Win32
201 */
202 li_size.QuadPart = 0;
203 li_size.LowPart =
204 SetFilePointer( (HANDLE) _get_osfhandle( _fileno( fin ) ),
205 li_size.LowPart, &li_size.HighPart, FILE_END );
206
207 if( li_size.LowPart == 0xFFFFFFFF && GetLastError() != NO_ERROR )
208 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]209 mbedtls_fprintf( stderr, "SetFilePointer(0,FILE_END) failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]210 goto exit;
211 }
212
213 filesize = li_size.QuadPart;
214#else
215 if( ( filesize = lseek( fileno( fin ), 0, SEEK_END ) ) < 0 )
216 {
217 perror( "lseek" );
218 goto exit;
219 }
220#endif
Paul Bakkercce9d772011-11-18 14:26:47 +0000[diff] [blame]221#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]222
223 if( fseek( fin, 0, SEEK_SET ) < 0 )
224 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]225 mbedtls_fprintf( stderr, "fseek(0,SEEK_SET) failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]226 goto exit;
227 }
228
229 if( mode == MODE_ENCRYPT )
230 {
231 /*
232 * Generate the initialization vector as:
233 * IV = SHA-256( filesize || filename )[0..15]
234 */
235 for( i = 0; i < 8; i++ )
236 buffer[i] = (unsigned char)( filesize >> ( i << 3 ) );
237
238 p = argv[2];
239
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]240 mbedtls_md_starts( &sha_ctx );
241 mbedtls_md_update( &sha_ctx, buffer, 8 );
242 mbedtls_md_update( &sha_ctx, (unsigned char *) p, strlen( p ) );
243 mbedtls_md_finish( &sha_ctx, digest );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]244
245 memcpy( IV, digest, 16 );
246
247 /*
248 * The last four bits in the IV are actually used
249 * to store the file size modulo the AES block size.
250 */
251 lastn = (int)( filesize & 0x0F );
252
253 IV[15] = (unsigned char)
254 ( ( IV[15] & 0xF0 ) | lastn );
255
256 /*
257 * Append the IV at the beginning of the output.
258 */
259 if( fwrite( IV, 1, 16, fout ) != 16 )
260 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]261 mbedtls_fprintf( stderr, "fwrite(%d bytes) failed\n", 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]262 goto exit;
263 }
264
265 /*
266 * Hash the IV and the secret key together 8192 times
267 * using the result to setup the AES context and HMAC.
268 */
269 memset( digest, 0, 32 );
270 memcpy( digest, IV, 16 );
271
272 for( i = 0; i < 8192; i++ )
273 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]274 mbedtls_md_starts( &sha_ctx );
275 mbedtls_md_update( &sha_ctx, digest, 32 );
276 mbedtls_md_update( &sha_ctx, key, keylen );
277 mbedtls_md_finish( &sha_ctx, digest );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]278 }
279
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]280 mbedtls_aes_setkey_enc( &aes_ctx, digest, 256 );
281 mbedtls_md_hmac_starts( &sha_ctx, digest, 32 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]282
283 /*
284 * Encrypt and write the ciphertext.
285 */
286 for( offset = 0; offset < filesize; offset += 16 )
287 {
288 n = ( filesize - offset > 16 ) ? 16 : (int)
289 ( filesize - offset );
290
291 if( fread( buffer, 1, n, fin ) != (size_t) n )
292 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]293 mbedtls_fprintf( stderr, "fread(%d bytes) failed\n", n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]294 goto exit;
295 }
296
297 for( i = 0; i < 16; i++ )
298 buffer[i] = (unsigned char)( buffer[i] ^ IV[i] );
299
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]300 mbedtls_aes_crypt_ecb( &aes_ctx, MBEDTLS_AES_ENCRYPT, buffer, buffer );
301 mbedtls_md_hmac_update( &sha_ctx, buffer, 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]302
303 if( fwrite( buffer, 1, 16, fout ) != 16 )
304 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]305 mbedtls_fprintf( stderr, "fwrite(%d bytes) failed\n", 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]306 goto exit;
307 }
308
309 memcpy( IV, buffer, 16 );
310 }
311
312 /*
313 * Finally write the HMAC.
314 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]315 mbedtls_md_hmac_finish( &sha_ctx, digest );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]316
317 if( fwrite( digest, 1, 32, fout ) != 32 )
318 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]319 mbedtls_fprintf( stderr, "fwrite(%d bytes) failed\n", 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]320 goto exit;
321 }
322 }
323
324 if( mode == MODE_DECRYPT )
325 {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]326 /*
327 * The encrypted file must be structured as follows:
328 *
329 * 00 .. 15 Initialization Vector
330 * 16 .. 31 AES Encrypted Block #1
331 * ..
332 * N*16 .. (N+1)*16 - 1 AES Encrypted Block #N
333 * (N+1)*16 .. (N+1)*16 + 32 HMAC-SHA-256(ciphertext)
334 */
335 if( filesize < 48 )
336 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]337 mbedtls_fprintf( stderr, "File too short to be encrypted.\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]338 goto exit;
339 }
340
341 if( ( filesize & 0x0F ) != 0 )
342 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]343 mbedtls_fprintf( stderr, "File size not a multiple of 16.\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]344 goto exit;
345 }
346
347 /*
Paul Bakker60b1d102013-10-29 10:02:51 +0100[diff] [blame]348 * Subtract the IV + HMAC length.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]349 */
350 filesize -= ( 16 + 32 );
351
352 /*
353 * Read the IV and original filesize modulo 16.
354 */
355 if( fread( buffer, 1, 16, fin ) != 16 )
356 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]357 mbedtls_fprintf( stderr, "fread(%d bytes) failed\n", 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]358 goto exit;
359 }
360
361 memcpy( IV, buffer, 16 );
362 lastn = IV[15] & 0x0F;
363
364 /*
365 * Hash the IV and the secret key together 8192 times
366 * using the result to setup the AES context and HMAC.
367 */
368 memset( digest, 0, 32 );
369 memcpy( digest, IV, 16 );
370
371 for( i = 0; i < 8192; i++ )
372 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]373 mbedtls_md_starts( &sha_ctx );
374 mbedtls_md_update( &sha_ctx, digest, 32 );
375 mbedtls_md_update( &sha_ctx, key, keylen );
376 mbedtls_md_finish( &sha_ctx, digest );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]377 }
378
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]379 mbedtls_aes_setkey_dec( &aes_ctx, digest, 256 );
380 mbedtls_md_hmac_starts( &sha_ctx, digest, 32 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]381
382 /*
383 * Decrypt and write the plaintext.
384 */
385 for( offset = 0; offset < filesize; offset += 16 )
386 {
387 if( fread( buffer, 1, 16, fin ) != 16 )
388 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]389 mbedtls_fprintf( stderr, "fread(%d bytes) failed\n", 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]390 goto exit;
391 }
392
393 memcpy( tmp, buffer, 16 );
Paul Bakker9e36f042013-06-30 14:34:05 +0200[diff] [blame]394
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]395 mbedtls_md_hmac_update( &sha_ctx, buffer, 16 );
396 mbedtls_aes_crypt_ecb( &aes_ctx, MBEDTLS_AES_DECRYPT, buffer, buffer );
Paul Bakker9e36f042013-06-30 14:34:05 +0200[diff] [blame]397
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]398 for( i = 0; i < 16; i++ )
399 buffer[i] = (unsigned char)( buffer[i] ^ IV[i] );
400
401 memcpy( IV, tmp, 16 );
402
403 n = ( lastn > 0 && offset == filesize - 16 )
404 ? lastn : 16;
405
406 if( fwrite( buffer, 1, n, fout ) != (size_t) n )
407 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]408 mbedtls_fprintf( stderr, "fwrite(%d bytes) failed\n", n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]409 goto exit;
410 }
411 }
412
413 /*
414 * Verify the message authentication code.
415 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]416 mbedtls_md_hmac_finish( &sha_ctx, digest );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]417
418 if( fread( buffer, 1, 32, fin ) != 32 )
419 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]420 mbedtls_fprintf( stderr, "fread(%d bytes) failed\n", 32 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]421 goto exit;
422 }
423
Manuel Pégourié-Gonnard291f9af2013-10-28 12:51:32 +0100[diff] [blame]424 /* Use constant-time buffer comparison */
425 diff = 0;
426 for( i = 0; i < 32; i++ )
427 diff |= digest[i] ^ buffer[i];
428
429 if( diff != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]430 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]431 mbedtls_fprintf( stderr, "HMAC check failed: wrong key, "
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]432 "or file corrupted.\n" );
433 goto exit;
434 }
435 }
436
437 ret = 0;
438
439exit:
Paul Bakker6d440322011-02-06 12:49:19 +0000[diff] [blame]440 if( fin )
441 fclose( fin );
442 if( fout )
443 fclose( fout );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]444
Hanno Beckerce37e622017-06-27 08:24:34 +0100[diff] [blame]445 /* Zeroize all command line arguments to also cover
446 the case when the user has missed or reordered some,
447 in which case the key might not be in argv[4]. */
448 for( i = 0; i < (unsigned int) argc; i++ )
449 memset( argv[i], 0, strlen( argv[i] ) );
450
451 memset( IV, 0, sizeof( IV ) );
452 memset( key, 0, sizeof( key ) );
453 memset( tmp, 0, sizeof( tmp ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]454 memset( buffer, 0, sizeof( buffer ) );
455 memset( digest, 0, sizeof( digest ) );
456
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]457 mbedtls_aes_free( &aes_ctx );
458 mbedtls_md_free( &sha_ctx );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]459
460 return( ret );
461}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]462#endif /* MBEDTLS_AES_C && MBEDTLS_SHA256_C && MBEDTLS_FS_IO */