Permalink
Browse files

Merge #7689: Replace OpenSSL AES with ctaes-based version

723779c build: Enumerate ctaes rather than globbing (Cory Fields)
34ed64a crypter: add tests for crypter (Cory Fields)
0a36b9a crypter: shuffle Makefile so that crypto can be used by the wallet (Cory Fields)
976f9ec crypter: add a BytesToKey clone to replace the use of openssl (Cory Fields)
9049cde crypter: hook up the new aes cbc classes (Cory Fields)
fb96831 crypter: constify encrypt/decrypt (Cory Fields)
1c391a5 crypter: fix the stored initialization vector size (Cory Fields)
daa3841 crypto: add aes cbc tests (Cory Fields)
27a212d crypto: add AES 128/256 CBC classes (Cory Fields)
6bec172 Add ctaes-based constant time AES implementation (Pieter Wuille)
a545127 Squashed 'src/crypto/ctaes/' content from commit cd3c3ac (Pieter Wuille)
  • Loading branch information...
sipa committed Jun 1, 2016
2 parents 01d8359 + 723779c commit b89ef131147f71a96152a7b5c4374266cdf539b2
View
@@ -15,13 +15,12 @@ LIBUNIVALUE = $(UNIVALUE_LIBS)
endif
BITCOIN_CONFIG_INCLUDES=-I$(builddir)/config
BITCOIN_INCLUDES=-I$(builddir) -I$(builddir)/obj $(BOOST_CPPFLAGS) $(LEVELDB_CPPFLAGS) $(CRYPTO_CFLAGS) $(SSL_CFLAGS)
BITCOIN_INCLUDES=-I$(builddir) -I$(builddir)/obj $(BDB_CPPFLAGS) $(BOOST_CPPFLAGS) $(LEVELDB_CPPFLAGS) $(CRYPTO_CFLAGS) $(SSL_CFLAGS)
BITCOIN_INCLUDES += -I$(srcdir)/secp256k1/include
BITCOIN_INCLUDES += $(UNIVALUE_CFLAGS)
LIBBITCOIN_SERVER=libbitcoin_server.a
LIBBITCOIN_WALLET=libbitcoin_wallet.a
LIBBITCOIN_COMMON=libbitcoin_common.a
LIBBITCOIN_CONSENSUS=libbitcoin_consensus.a
LIBBITCOIN_CLI=libbitcoin_cli.a
@@ -30,32 +29,32 @@ LIBBITCOIN_CRYPTO=crypto/libbitcoin_crypto.a
LIBBITCOINQT=qt/libbitcoinqt.a
LIBSECP256K1=secp256k1/libsecp256k1.la
if ENABLE_ZMQ
LIBBITCOIN_ZMQ=libbitcoin_zmq.a
endif
if BUILD_BITCOIN_LIBS
LIBBITCOINCONSENSUS=libbitcoinconsensus.la
endif
if ENABLE_WALLET
LIBBITCOIN_WALLET=libbitcoin_wallet.a
endif
$(LIBSECP256K1): $(wildcard secp256k1/src/*) $(wildcard secp256k1/include/*)
$(AM_V_at)$(MAKE) $(AM_MAKEFLAGS) -C $(@D) $(@F)
# Make is not made aware of per-object dependencies to avoid limiting building parallelization
# But to build the less dependent modules first, we manually select their order here:
EXTRA_LIBRARIES += \
crypto/libbitcoin_crypto.a \
libbitcoin_util.a \
libbitcoin_common.a \
libbitcoin_consensus.a \
libbitcoin_server.a \
libbitcoin_cli.a
if ENABLE_WALLET
BITCOIN_INCLUDES += $(BDB_CPPFLAGS)
EXTRA_LIBRARIES += libbitcoin_wallet.a
endif
if ENABLE_ZMQ
EXTRA_LIBRARIES += libbitcoin_zmq.a
endif
$(LIBBITCOIN_CRYPTO) \
$(LIBBITCOIN_UTIL) \
$(LIBBITCOIN_COMMON) \
$(LIBBITCOIN_CONSENSUS) \
$(LIBBITCOIN_SERVER) \
$(LIBBITCOIN_CLI) \
$(LIBBITCOIN_WALLET) \
$(LIBBITCOIN_ZMQ)
if BUILD_BITCOIN_LIBS
lib_LTLIBRARIES = libbitcoinconsensus.la
LIBBITCOINCONSENSUS=libbitcoinconsensus.la
else
LIBBITCOINCONSENSUS=
endif
lib_LTLIBRARIES = $(LIBBITCOINCONSENSUS)
bin_PROGRAMS =
TESTS =
@@ -196,8 +195,6 @@ libbitcoin_server_a_SOURCES = \
$(BITCOIN_CORE_H)
if ENABLE_ZMQ
LIBBITCOIN_ZMQ=libbitcoin_zmq.a
libbitcoin_zmq_a_CPPFLAGS = $(BITCOIN_INCLUDES) $(ZMQ_CFLAGS)
libbitcoin_zmq_a_CXXFLAGS = $(AM_CXXFLAGS) $(PIE_FLAGS)
libbitcoin_zmq_a_SOURCES = \
@@ -225,6 +222,8 @@ libbitcoin_wallet_a_SOURCES = \
crypto_libbitcoin_crypto_a_CPPFLAGS = $(AM_CPPFLAGS) $(BITCOIN_CONFIG_INCLUDES)
crypto_libbitcoin_crypto_a_CXXFLAGS = $(AM_CXXFLAGS) $(PIE_FLAGS)
crypto_libbitcoin_crypto_a_SOURCES = \
crypto/aes.cpp \
crypto/aes.h \
crypto/common.h \
crypto/hmac_sha256.cpp \
crypto/hmac_sha256.h \
@@ -345,21 +344,15 @@ bitcoind_LDADD = \
$(LIBBITCOIN_COMMON) \
$(LIBUNIVALUE) \
$(LIBBITCOIN_UTIL) \
$(LIBBITCOIN_WALLET) \
$(LIBBITCOIN_ZMQ) \
$(LIBBITCOIN_CONSENSUS) \
$(LIBBITCOIN_CRYPTO) \
$(LIBLEVELDB) \
$(LIBMEMENV) \
$(LIBSECP256K1)
if ENABLE_ZMQ
bitcoind_LDADD += $(LIBBITCOIN_ZMQ) $(ZMQ_LIBS)
endif
if ENABLE_WALLET
bitcoind_LDADD += libbitcoin_wallet.a
endif
bitcoind_LDADD += $(BOOST_LIBS) $(BDB_LIBS) $(SSL_LIBS) $(CRYPTO_LIBS) $(MINIUPNPC_LIBS) $(EVENT_PTHREADS_LIBS) $(EVENT_LIBS)
bitcoind_LDADD += $(BOOST_LIBS) $(BDB_LIBS) $(SSL_LIBS) $(CRYPTO_LIBS) $(MINIUPNPC_LIBS) $(EVENT_PTHREADS_LIBS) $(EVENT_LIBS) $(ZMQ_LIBS)
# bitcoin-cli binary #
bitcoin_cli_SOURCES = bitcoin-cli.cpp
@@ -418,6 +411,12 @@ libbitcoinconsensus_la_CXXFLAGS = $(AM_CXXFLAGS) $(PIE_FLAGS)
endif
#
CTAES_DIST = crypto/ctaes/bench.c
CTAES_DIST += crypto/ctaes/ctaes.c
CTAES_DIST += crypto/ctaes/ctaes.h
CTAES_DIST += crypto/ctaes/README.md
CTAES_DIST += crypto/ctaes/test.c
CLEANFILES = leveldb/libleveldb.a leveldb/libmemenv.a
CLEANFILES += $(EXTRA_LIBRARIES)
CLEANFILES += *.gcda *.gcno
@@ -435,7 +434,7 @@ CLEANFILES += zmq/*.gcda zmq/*.gcno
DISTCLEANFILES = obj/build.h
EXTRA_DIST = leveldb
EXTRA_DIST = leveldb $(CTAES_DIST)
clean-local:
-$(MAKE) -C leveldb clean
@@ -95,6 +95,7 @@ BITCOIN_TESTS += \
wallet/test/wallet_test_fixture.h \
wallet/test/accounting_tests.cpp \
wallet/test/wallet_tests.cpp \
wallet/test/crypto_tests.cpp \
wallet/test/rpc_wallet_tests.cpp
endif
View
@@ -0,0 +1,217 @@
// Copyright (c) 2016 The Bitcoin Core developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
#include "aes.h"
#include "crypto/common.h"
#include <assert.h>
#include <string.h>
extern "C" {
#include "crypto/ctaes/ctaes.c"
}
AES128Encrypt::AES128Encrypt(const unsigned char key[16])
{
AES128_init(&ctx, key);
}
AES128Encrypt::~AES128Encrypt()
{
memset(&ctx, 0, sizeof(ctx));
}
void AES128Encrypt::Encrypt(unsigned char ciphertext[16], const unsigned char plaintext[16]) const
{
AES128_encrypt(&ctx, 1, ciphertext, plaintext);
}
AES128Decrypt::AES128Decrypt(const unsigned char key[16])
{
AES128_init(&ctx, key);
}
AES128Decrypt::~AES128Decrypt()
{
memset(&ctx, 0, sizeof(ctx));
}
void AES128Decrypt::Decrypt(unsigned char plaintext[16], const unsigned char ciphertext[16]) const
{
AES128_decrypt(&ctx, 1, plaintext, ciphertext);
}
AES256Encrypt::AES256Encrypt(const unsigned char key[32])
{
AES256_init(&ctx, key);
}
AES256Encrypt::~AES256Encrypt()
{
memset(&ctx, 0, sizeof(ctx));
}
void AES256Encrypt::Encrypt(unsigned char ciphertext[16], const unsigned char plaintext[16]) const
{
AES256_encrypt(&ctx, 1, ciphertext, plaintext);
}
AES256Decrypt::AES256Decrypt(const unsigned char key[32])
{
AES256_init(&ctx, key);
}
AES256Decrypt::~AES256Decrypt()
{
memset(&ctx, 0, sizeof(ctx));
}
void AES256Decrypt::Decrypt(unsigned char plaintext[16], const unsigned char ciphertext[16]) const
{
AES256_decrypt(&ctx, 1, plaintext, ciphertext);
}
template <typename T>
static int CBCEncrypt(const T& enc, const unsigned char iv[AES_BLOCKSIZE], const unsigned char* data, int size, bool pad, unsigned char* out)
{
int written = 0;
int padsize = size % AES_BLOCKSIZE;
unsigned char mixed[AES_BLOCKSIZE];
if (!data || !size || !out)
return 0;
if (!pad && padsize != 0)
return 0;
memcpy(mixed, iv, AES_BLOCKSIZE);
// Write all but the last block
while (written + AES_BLOCKSIZE <= size) {
for (int i = 0; i != AES_BLOCKSIZE; i++)
mixed[i] ^= *data++;
enc.Encrypt(out + written, mixed);
memcpy(mixed, out + written, AES_BLOCKSIZE);
written += AES_BLOCKSIZE;
}
if (pad) {
// For all that remains, pad each byte with the value of the remaining
// space. If there is none, pad by a full block.
for (int i = 0; i != padsize; i++)
mixed[i] ^= *data++;
for (int i = padsize; i != AES_BLOCKSIZE; i++)
mixed[i] ^= AES_BLOCKSIZE - padsize;
enc.Encrypt(out + written, mixed);
written += AES_BLOCKSIZE;
}
return written;
}
template <typename T>
static int CBCDecrypt(const T& dec, const unsigned char iv[AES_BLOCKSIZE], const unsigned char* data, int size, bool pad, unsigned char* out)
{
unsigned char padsize = 0;
int written = 0;
bool fail = false;
const unsigned char* prev = iv;
if (!data || !size || !out)
return 0;
if (size % AES_BLOCKSIZE != 0)
return 0;
// Decrypt all data. Padding will be checked in the output.
while (written != size) {
dec.Decrypt(out, data + written);
for (int i = 0; i != AES_BLOCKSIZE; i++)
*out++ ^= prev[i];
prev = data + written;
written += AES_BLOCKSIZE;
}
// When decrypting padding, attempt to run in constant-time
if (pad) {
// If used, padding size is the value of the last decrypted byte. For
// it to be valid, It must be between 1 and AES_BLOCKSIZE.
padsize = *--out;
fail = !padsize | (padsize > AES_BLOCKSIZE);
// If not well-formed, treat it as though there's no padding.
padsize *= !fail;
// All padding must equal the last byte otherwise it's not well-formed
for (int i = AES_BLOCKSIZE; i != 0; i--)
fail |= ((i > AES_BLOCKSIZE - padsize) & (*out-- != padsize));
written -= padsize;
}
return written * !fail;
}
AES256CBCEncrypt::AES256CBCEncrypt(const unsigned char key[AES256_KEYSIZE], const unsigned char ivIn[AES_BLOCKSIZE], bool padIn)
: enc(key), pad(padIn)
{
memcpy(iv, ivIn, AES_BLOCKSIZE);
}
int AES256CBCEncrypt::Encrypt(const unsigned char* data, int size, unsigned char* out) const
{
return CBCEncrypt(enc, iv, data, size, pad, out);
}
AES256CBCEncrypt::~AES256CBCEncrypt()
{
memset(iv, 0, sizeof(iv));
}
AES256CBCDecrypt::AES256CBCDecrypt(const unsigned char key[AES256_KEYSIZE], const unsigned char ivIn[AES_BLOCKSIZE], bool padIn)
: dec(key), pad(padIn)
{
memcpy(iv, ivIn, AES_BLOCKSIZE);
}
int AES256CBCDecrypt::Decrypt(const unsigned char* data, int size, unsigned char* out) const
{
return CBCDecrypt(dec, iv, data, size, pad, out);
}
AES256CBCDecrypt::~AES256CBCDecrypt()
{
memset(iv, 0, sizeof(iv));
}
AES128CBCEncrypt::AES128CBCEncrypt(const unsigned char key[AES128_KEYSIZE], const unsigned char ivIn[AES_BLOCKSIZE], bool padIn)
: enc(key), pad(padIn)
{
memcpy(iv, ivIn, AES_BLOCKSIZE);
}
AES128CBCEncrypt::~AES128CBCEncrypt()
{
memset(iv, 0, AES_BLOCKSIZE);
}
int AES128CBCEncrypt::Encrypt(const unsigned char* data, int size, unsigned char* out) const
{
return CBCEncrypt(enc, iv, data, size, pad, out);
}
AES128CBCDecrypt::AES128CBCDecrypt(const unsigned char key[AES128_KEYSIZE], const unsigned char ivIn[AES_BLOCKSIZE], bool padIn)
: dec(key), pad(padIn)
{
memcpy(iv, ivIn, AES_BLOCKSIZE);
}
AES128CBCDecrypt::~AES128CBCDecrypt()
{
memset(iv, 0, AES_BLOCKSIZE);
}
int AES128CBCDecrypt::Decrypt(const unsigned char* data, int size, unsigned char* out) const
{
return CBCDecrypt(dec, iv, data, size, pad, out);
}
Oops, something went wrong.

0 comments on commit b89ef13

Please sign in to comment.