1 /*
2 * AES-256 file encryption program
3 *
4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 *
19 * This file is part of mbed TLS (https://tls.mbed.org)
20 */
21
22 /* Enable definition of fileno() even when compiling with -std=c99. Must be
23 * set before config.h, which pulls in glibc's features.h indirectly.
24 * Harmless on other platforms. */
25 #define _POSIX_C_SOURCE 1
26
27 #if !defined(MBEDTLS_CONFIG_FILE)
28 #include "mbedtls/config.h"
29 #else
30 #include MBEDTLS_CONFIG_FILE
31 #endif
32
33 #if defined(MBEDTLS_PLATFORM_C)
34 #include "mbedtls/platform.h"
35 #else
36 #include <stdio.h>
37 #include <stdlib.h>
38 #define mbedtls_fprintf fprintf
39 #define mbedtls_printf printf
40 #define mbedtls_exit exit
41 #define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
42 #define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
43 #endif /* MBEDTLS_PLATFORM_C */
44
45 #include "mbedtls/aes.h"
46 #include "mbedtls/md.h"
47 #include "mbedtls/platform_util.h"
48
49 #include <stdio.h>
50 #include <stdlib.h>
51 #include <string.h>
52
53 #if defined(_WIN32)
54 #include <windows.h>
55 #if !defined(_WIN32_WCE)
56 #include <io.h>
57 #endif
58 #else
59 #include <sys/types.h>
60 #include <unistd.h>
61 #endif
62
63 #define MODE_ENCRYPT 0
64 #define MODE_DECRYPT 1
65
66 #define USAGE \
67 "\n aescrypt2 <mode> <input filename> <output filename> <key>\n" \
68 "\n <mode>: 0 = encrypt, 1 = decrypt\n" \
69 "\n example: aescrypt2 0 file file.aes hex:E76B2413958B00E193\n" \
70 "\n"
71
72 #if !defined(MBEDTLS_AES_C) || !defined(MBEDTLS_SHA256_C) || \
73 !defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_MD_C)
main(void)74 int main( void )
75 {
76 mbedtls_printf("MBEDTLS_AES_C and/or MBEDTLS_SHA256_C "
77 "and/or MBEDTLS_FS_IO and/or MBEDTLS_MD_C "
78 "not defined.\n");
79 return( 0 );
80 }
81 #else
82
83 #if defined(MBEDTLS_CHECK_PARAMS)
84 #include "mbedtls/platform_util.h"
mbedtls_param_failed(const char * failure_condition,const char * file,int line)85 void mbedtls_param_failed( const char *failure_condition,
86 const char *file,
87 int line )
88 {
89 mbedtls_printf( "%s:%i: Input param failed - %s\n",
90 file, line, failure_condition );
91 mbedtls_exit( MBEDTLS_EXIT_FAILURE );
92 }
93 #endif
94
main(int argc,char * argv[])95 int main( int argc, char *argv[] )
96 {
97 int ret = 0;
98 int exit_code = MBEDTLS_EXIT_FAILURE;
99
100 unsigned int i, n;
101 int mode, lastn;
102 size_t keylen;
103 FILE *fkey, *fin = NULL, *fout = NULL;
104
105 char *p;
106
107 unsigned char IV[16];
108 unsigned char tmp[16];
109 unsigned char key[512];
110 unsigned char digest[32];
111 unsigned char buffer[1024];
112 unsigned char diff;
113
114 mbedtls_aes_context aes_ctx;
115 mbedtls_md_context_t sha_ctx;
116
117 #if defined(_WIN32_WCE)
118 long filesize, offset;
119 #elif defined(_WIN32)
120 LARGE_INTEGER li_size;
121 __int64 filesize, offset;
122 #else
123 off_t filesize, offset;
124 #endif
125
126 mbedtls_aes_init( &aes_ctx );
127 mbedtls_md_init( &sha_ctx );
128
129 ret = mbedtls_md_setup( &sha_ctx, mbedtls_md_info_from_type( MBEDTLS_MD_SHA256 ), 1 );
130 if( ret != 0 )
131 {
132 mbedtls_printf( " ! mbedtls_md_setup() returned -0x%04x\n", -ret );
133 goto exit;
134 }
135
136 /*
137 * Parse the command-line arguments.
138 */
139 if( argc != 5 )
140 {
141 mbedtls_printf( USAGE );
142
143 #if defined(_WIN32)
144 mbedtls_printf( "\n Press Enter to exit this program.\n" );
145 fflush( stdout ); getchar();
146 #endif
147
148 goto exit;
149 }
150
151 mode = atoi( argv[1] );
152 memset( IV, 0, sizeof( IV ) );
153 memset( key, 0, sizeof( key ) );
154 memset( digest, 0, sizeof( digest ) );
155 memset( buffer, 0, sizeof( buffer ) );
156
157 if( mode != MODE_ENCRYPT && mode != MODE_DECRYPT )
158 {
159 mbedtls_fprintf( stderr, "invalide operation mode\n" );
160 goto exit;
161 }
162
163 if( strcmp( argv[2], argv[3] ) == 0 )
164 {
165 mbedtls_fprintf( stderr, "input and output filenames must differ\n" );
166 goto exit;
167 }
168
169 if( ( fin = fopen( argv[2], "rb" ) ) == NULL )
170 {
171 mbedtls_fprintf( stderr, "fopen(%s,rb) failed\n", argv[2] );
172 goto exit;
173 }
174
175 if( ( fout = fopen( argv[3], "wb+" ) ) == NULL )
176 {
177 mbedtls_fprintf( stderr, "fopen(%s,wb+) failed\n", argv[3] );
178 goto exit;
179 }
180
181 /*
182 * Read the secret key from file or command line
183 */
184 if( ( fkey = fopen( argv[4], "rb" ) ) != NULL )
185 {
186 keylen = fread( key, 1, sizeof( key ), fkey );
187 fclose( fkey );
188 }
189 else
190 {
191 if( memcmp( argv[4], "hex:", 4 ) == 0 )
192 {
193 p = &argv[4][4];
194 keylen = 0;
195
196 while( sscanf( p, "%02X", &n ) > 0 &&
197 keylen < (int) sizeof( key ) )
198 {
199 key[keylen++] = (unsigned char) n;
200 p += 2;
201 }
202 }
203 else
204 {
205 keylen = strlen( argv[4] );
206
207 if( keylen > (int) sizeof( key ) )
208 keylen = (int) sizeof( key );
209
210 memcpy( key, argv[4], keylen );
211 }
212 }
213
214 #if defined(_WIN32_WCE)
215 filesize = fseek( fin, 0L, SEEK_END );
216 #else
217 #if defined(_WIN32)
218 /*
219 * Support large files (> 2Gb) on Win32
220 */
221 li_size.QuadPart = 0;
222 li_size.LowPart =
223 SetFilePointer( (HANDLE) _get_osfhandle( _fileno( fin ) ),
224 li_size.LowPart, &li_size.HighPart, FILE_END );
225
226 if( li_size.LowPart == 0xFFFFFFFF && GetLastError() != NO_ERROR )
227 {
228 mbedtls_fprintf( stderr, "SetFilePointer(0,FILE_END) failed\n" );
229 goto exit;
230 }
231
232 filesize = li_size.QuadPart;
233 #else
234 if( ( filesize = lseek( fileno( fin ), 0, SEEK_END ) ) < 0 )
235 {
236 perror( "lseek" );
237 goto exit;
238 }
239 #endif
240 #endif
241
242 if( fseek( fin, 0, SEEK_SET ) < 0 )
243 {
244 mbedtls_fprintf( stderr, "fseek(0,SEEK_SET) failed\n" );
245 goto exit;
246 }
247
248 if( mode == MODE_ENCRYPT )
249 {
250 /*
251 * Generate the initialization vector as:
252 * IV = SHA-256( filesize || filename )[0..15]
253 */
254 for( i = 0; i < 8; i++ )
255 buffer[i] = (unsigned char)( filesize >> ( i << 3 ) );
256
257 p = argv[2];
258
259 mbedtls_md_starts( &sha_ctx );
260 mbedtls_md_update( &sha_ctx, buffer, 8 );
261 mbedtls_md_update( &sha_ctx, (unsigned char *) p, strlen( p ) );
262 mbedtls_md_finish( &sha_ctx, digest );
263
264 memcpy( IV, digest, 16 );
265
266 /*
267 * The last four bits in the IV are actually used
268 * to store the file size modulo the AES block size.
269 */
270 lastn = (int)( filesize & 0x0F );
271
272 IV[15] = (unsigned char)
273 ( ( IV[15] & 0xF0 ) | lastn );
274
275 /*
276 * Append the IV at the beginning of the output.
277 */
278 if( fwrite( IV, 1, 16, fout ) != 16 )
279 {
280 mbedtls_fprintf( stderr, "fwrite(%d bytes) failed\n", 16 );
281 goto exit;
282 }
283
284 /*
285 * Hash the IV and the secret key together 8192 times
286 * using the result to setup the AES context and HMAC.
287 */
288 memset( digest, 0, 32 );
289 memcpy( digest, IV, 16 );
290
291 for( i = 0; i < 8192; i++ )
292 {
293 mbedtls_md_starts( &sha_ctx );
294 mbedtls_md_update( &sha_ctx, digest, 32 );
295 mbedtls_md_update( &sha_ctx, key, keylen );
296 mbedtls_md_finish( &sha_ctx, digest );
297 }
298
299 mbedtls_aes_setkey_enc( &aes_ctx, digest, 256 );
300 mbedtls_md_hmac_starts( &sha_ctx, digest, 32 );
301
302 /*
303 * Encrypt and write the ciphertext.
304 */
305 for( offset = 0; offset < filesize; offset += 16 )
306 {
307 n = ( filesize - offset > 16 ) ? 16 : (int)
308 ( filesize - offset );
309
310 if( fread( buffer, 1, n, fin ) != (size_t) n )
311 {
312 mbedtls_fprintf( stderr, "fread(%d bytes) failed\n", n );
313 goto exit;
314 }
315
316 for( i = 0; i < 16; i++ )
317 buffer[i] = (unsigned char)( buffer[i] ^ IV[i] );
318
319 mbedtls_aes_crypt_ecb( &aes_ctx, MBEDTLS_AES_ENCRYPT, buffer, buffer );
320 mbedtls_md_hmac_update( &sha_ctx, buffer, 16 );
321
322 if( fwrite( buffer, 1, 16, fout ) != 16 )
323 {
324 mbedtls_fprintf( stderr, "fwrite(%d bytes) failed\n", 16 );
325 goto exit;
326 }
327
328 memcpy( IV, buffer, 16 );
329 }
330
331 /*
332 * Finally write the HMAC.
333 */
334 mbedtls_md_hmac_finish( &sha_ctx, digest );
335
336 if( fwrite( digest, 1, 32, fout ) != 32 )
337 {
338 mbedtls_fprintf( stderr, "fwrite(%d bytes) failed\n", 16 );
339 goto exit;
340 }
341 }
342
343 if( mode == MODE_DECRYPT )
344 {
345 /*
346 * The encrypted file must be structured as follows:
347 *
348 * 00 .. 15 Initialization Vector
349 * 16 .. 31 AES Encrypted Block #1
350 * ..
351 * N*16 .. (N+1)*16 - 1 AES Encrypted Block #N
352 * (N+1)*16 .. (N+1)*16 + 32 HMAC-SHA-256(ciphertext)
353 */
354 if( filesize < 48 )
355 {
356 mbedtls_fprintf( stderr, "File too short to be encrypted.\n" );
357 goto exit;
358 }
359
360 if( ( filesize & 0x0F ) != 0 )
361 {
362 mbedtls_fprintf( stderr, "File size not a multiple of 16.\n" );
363 goto exit;
364 }
365
366 /*
367 * Subtract the IV + HMAC length.
368 */
369 filesize -= ( 16 + 32 );
370
371 /*
372 * Read the IV and original filesize modulo 16.
373 */
374 if( fread( buffer, 1, 16, fin ) != 16 )
375 {
376 mbedtls_fprintf( stderr, "fread(%d bytes) failed\n", 16 );
377 goto exit;
378 }
379
380 memcpy( IV, buffer, 16 );
381 lastn = IV[15] & 0x0F;
382
383 /*
384 * Hash the IV and the secret key together 8192 times
385 * using the result to setup the AES context and HMAC.
386 */
387 memset( digest, 0, 32 );
388 memcpy( digest, IV, 16 );
389
390 for( i = 0; i < 8192; i++ )
391 {
392 mbedtls_md_starts( &sha_ctx );
393 mbedtls_md_update( &sha_ctx, digest, 32 );
394 mbedtls_md_update( &sha_ctx, key, keylen );
395 mbedtls_md_finish( &sha_ctx, digest );
396 }
397
398 mbedtls_aes_setkey_dec( &aes_ctx, digest, 256 );
399 mbedtls_md_hmac_starts( &sha_ctx, digest, 32 );
400
401 /*
402 * Decrypt and write the plaintext.
403 */
404 for( offset = 0; offset < filesize; offset += 16 )
405 {
406 if( fread( buffer, 1, 16, fin ) != 16 )
407 {
408 mbedtls_fprintf( stderr, "fread(%d bytes) failed\n", 16 );
409 goto exit;
410 }
411
412 memcpy( tmp, buffer, 16 );
413
414 mbedtls_md_hmac_update( &sha_ctx, buffer, 16 );
415 mbedtls_aes_crypt_ecb( &aes_ctx, MBEDTLS_AES_DECRYPT, buffer, buffer );
416
417 for( i = 0; i < 16; i++ )
418 buffer[i] = (unsigned char)( buffer[i] ^ IV[i] );
419
420 memcpy( IV, tmp, 16 );
421
422 n = ( lastn > 0 && offset == filesize - 16 )
423 ? lastn : 16;
424
425 if( fwrite( buffer, 1, n, fout ) != (size_t) n )
426 {
427 mbedtls_fprintf( stderr, "fwrite(%d bytes) failed\n", n );
428 goto exit;
429 }
430 }
431
432 /*
433 * Verify the message authentication code.
434 */
435 mbedtls_md_hmac_finish( &sha_ctx, digest );
436
437 if( fread( buffer, 1, 32, fin ) != 32 )
438 {
439 mbedtls_fprintf( stderr, "fread(%d bytes) failed\n", 32 );
440 goto exit;
441 }
442
443 /* Use constant-time buffer comparison */
444 diff = 0;
445 for( i = 0; i < 32; i++ )
446 diff |= digest[i] ^ buffer[i];
447
448 if( diff != 0 )
449 {
450 mbedtls_fprintf( stderr, "HMAC check failed: wrong key, "
451 "or file corrupted.\n" );
452 goto exit;
453 }
454 }
455
456 exit_code = MBEDTLS_EXIT_SUCCESS;
457
458 exit:
459 if( fin )
460 fclose( fin );
461 if( fout )
462 fclose( fout );
463
464 /* Zeroize all command line arguments to also cover
465 the case when the user has missed or reordered some,
466 in which case the key might not be in argv[4]. */
467 for( i = 0; i < (unsigned int) argc; i++ )
468 mbedtls_platform_zeroize( argv[i], strlen( argv[i] ) );
469
470 mbedtls_platform_zeroize( IV, sizeof( IV ) );
471 mbedtls_platform_zeroize( key, sizeof( key ) );
472 mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
473 mbedtls_platform_zeroize( buffer, sizeof( buffer ) );
474 mbedtls_platform_zeroize( digest, sizeof( digest ) );
475
476 mbedtls_aes_free( &aes_ctx );
477 mbedtls_md_free( &sha_ctx );
478
479 return( exit_code );
480 }
481 #endif /* MBEDTLS_AES_C && MBEDTLS_SHA256_C && MBEDTLS_FS_IO */
482