TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / refs/heads/mbedtls-2.1 / . / programs / aes / aescrypt2.c
blob: 939c927a9e9d1bb6573dce0142af94fc9e4a5536 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * AES-256 file encryption program
3 *
Manuel Pégourié-Gonnard6fb81872015-07-27 11:11:48 +0200[diff] [blame]4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +0200[diff] [blame]5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
Paul Bakkerb96f1542010-07-18 20:36:00 +0000[diff] [blame]18 *
Manuel Pégourié-Gonnardfe446432015-03-06 13:17:10 +0000[diff] [blame]19 * This file is part of mbed TLS (https://tls.mbed.org)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]20 */
21
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]22#if !defined(MBEDTLS_CONFIG_FILE)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]23#include "mbedtls/config.h"
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]24#else
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]25#include MBEDTLS_CONFIG_FILE
Manuel Pégourié-Gonnardcef4ad22014-04-29 12:39:06 +0200[diff] [blame]26#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]27
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]28#if defined(MBEDTLS_PLATFORM_C)
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]29#include "mbedtls/platform.h"
Rich Evansf90016a2015-01-19 14:26:37 +0000[diff] [blame]30#else
Rich Evans18b78c72015-02-11 14:06:19 +0000[diff] [blame]31#include <stdio.h>
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]32#define mbedtls_fprintf fprintf
33#define mbedtls_printf printf
Rich Evans18b78c72015-02-11 14:06:19 +0000[diff] [blame]34#endif
35
Manuel Pégourié-Gonnard7f809972015-03-09 17:05:11 +0000[diff] [blame]36#include "mbedtls/aes.h"
Manuel Pégourié-Gonnard003b3b12015-03-24 18:22:59 +0100[diff] [blame]37#include "mbedtls/md.h"
Rich Evans18b78c72015-02-11 14:06:19 +0000[diff] [blame]38
39#include <stdio.h>
40#include <stdlib.h>
41#include <string.h>
Rich Evansf90016a2015-01-19 14:26:37 +0000[diff] [blame]42
Paul Bakker494c0b82011-04-24 15:30:07 +0000[diff] [blame]43#if defined(_WIN32)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]44#include <windows.h>
Paul Bakkercce9d772011-11-18 14:26:47 +0000[diff] [blame]45#if !defined(_WIN32_WCE)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]46#include <io.h>
Paul Bakkercce9d772011-11-18 14:26:47 +0000[diff] [blame]47#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]48#else
49#include <sys/types.h>
50#include <unistd.h>
51#endif
52
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]53#define MODE_ENCRYPT 0
54#define MODE_DECRYPT 1
55
56#define USAGE \
57 "\n aescrypt2 <mode> <input filename> <output filename> <key>\n" \
58 "\n <mode>: 0 = encrypt, 1 = decrypt\n" \
59 "\n example: aescrypt2 0 file file.aes hex:E76B2413958B00E193\n" \
60 "\n"
61
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]62#if !defined(MBEDTLS_AES_C) || !defined(MBEDTLS_SHA256_C) || \
63 !defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_MD_C)
Rich Evans85b05ec2015-02-12 11:37:29 +0000[diff] [blame]64int main( void )
Paul Bakker5690efc2011-05-26 13:16:06 +0000[diff] [blame]65{
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]66 mbedtls_printf("MBEDTLS_AES_C and/or MBEDTLS_SHA256_C "
67 "and/or MBEDTLS_FS_IO and/or MBEDTLS_MD_C "
Manuel Pégourié-Gonnard003b3b12015-03-24 18:22:59 +0100[diff] [blame]68 "not defined.\n");
Paul Bakker5690efc2011-05-26 13:16:06 +0000[diff] [blame]69 return( 0 );
70}
71#else
Hanno Becker6a74b2f2018-10-12 16:46:37 +0100[diff] [blame]72
73/* Implementation that should never be optimized out by the compiler */
74static void mbedtls_zeroize( void *v, size_t n ) {
75 volatile unsigned char *p = v; while( n-- ) *p++ = 0;
76}
77
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]78int main( int argc, char *argv[] )
79{
Paul Bakker5690efc2011-05-26 13:16:06 +0000[diff] [blame]80 int ret = 1;
81
82 int i, n;
Paul Bakker23986e52011-04-24 08:57:21 +0000[diff] [blame]83 int mode, lastn;
84 size_t keylen;
Paul Bakker20a78082011-01-21 09:32:12 +0000[diff] [blame]85 FILE *fkey, *fin = NULL, *fout = NULL;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]86
87 char *p;
Hanno Becker66daa682017-06-27 08:24:34 +0100[diff] [blame]88
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]89 unsigned char IV[16];
Hanno Becker66daa682017-06-27 08:24:34 +0100[diff] [blame]90 unsigned char tmp[16];
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]91 unsigned char key[512];
92 unsigned char digest[32];
93 unsigned char buffer[1024];
Manuel Pégourié-Gonnard291f9af2013-10-28 12:51:32 +0100[diff] [blame]94 unsigned char diff;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]95
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]96 mbedtls_aes_context aes_ctx;
97 mbedtls_md_context_t sha_ctx;
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]98
Paul Bakkercce9d772011-11-18 14:26:47 +0000[diff] [blame]99#if defined(_WIN32_WCE)
100 long filesize, offset;
101#elif defined(_WIN32)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]102 LARGE_INTEGER li_size;
103 __int64 filesize, offset;
104#else
105 off_t filesize, offset;
106#endif
107
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]108 mbedtls_aes_init( &aes_ctx );
109 mbedtls_md_init( &sha_ctx );
Manuel Pégourié-Gonnard003b3b12015-03-24 18:22:59 +0100[diff] [blame]110
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]111 ret = mbedtls_md_setup( &sha_ctx, mbedtls_md_info_from_type( MBEDTLS_MD_SHA256 ), 1 );
Manuel Pégourié-Gonnard003b3b12015-03-24 18:22:59 +0100[diff] [blame]112 if( ret != 0 )
113 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]114 mbedtls_printf( " ! mbedtls_md_setup() returned -0x%04x\n", -ret );
Manuel Pégourié-Gonnard003b3b12015-03-24 18:22:59 +0100[diff] [blame]115 goto exit;
116 }
Paul Bakker8cfd9d82014-06-18 11:16:11 +0200[diff] [blame]117
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]118 /*
119 * Parse the command-line arguments.
120 */
121 if( argc != 5 )
122 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]123 mbedtls_printf( USAGE );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]124
Paul Bakkercce9d772011-11-18 14:26:47 +0000[diff] [blame]125#if defined(_WIN32)
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]126 mbedtls_printf( "\n Press Enter to exit this program.\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]127 fflush( stdout ); getchar();
128#endif
129
130 goto exit;
131 }
132
133 mode = atoi( argv[1] );
Hanno Becker66daa682017-06-27 08:24:34 +0100[diff] [blame]134 memset( IV, 0, sizeof( IV ) );
135 memset( key, 0, sizeof( key ) );
136 memset( digest, 0, sizeof( digest ) );
137 memset( buffer, 0, sizeof( buffer ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]138
139 if( mode != MODE_ENCRYPT && mode != MODE_DECRYPT )
140 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]141 mbedtls_fprintf( stderr, "invalide operation mode\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]142 goto exit;
143 }
144
145 if( strcmp( argv[2], argv[3] ) == 0 )
146 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]147 mbedtls_fprintf( stderr, "input and output filenames must differ\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]148 goto exit;
149 }
150
151 if( ( fin = fopen( argv[2], "rb" ) ) == NULL )
152 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]153 mbedtls_fprintf( stderr, "fopen(%s,rb) failed\n", argv[2] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]154 goto exit;
155 }
156
157 if( ( fout = fopen( argv[3], "wb+" ) ) == NULL )
158 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]159 mbedtls_fprintf( stderr, "fopen(%s,wb+) failed\n", argv[3] );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]160 goto exit;
161 }
162
163 /*
Hanno Becker09362012017-06-27 11:40:30 +0100[diff] [blame]164 * Read the secret key from file or command line
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]165 */
166 if( ( fkey = fopen( argv[4], "rb" ) ) != NULL )
167 {
168 keylen = fread( key, 1, sizeof( key ), fkey );
169 fclose( fkey );
170 }
171 else
172 {
173 if( memcmp( argv[4], "hex:", 4 ) == 0 )
174 {
175 p = &argv[4][4];
176 keylen = 0;
177
178 while( sscanf( p, "%02X", &n ) > 0 &&
179 keylen < (int) sizeof( key ) )
180 {
181 key[keylen++] = (unsigned char) n;
182 p += 2;
183 }
184 }
185 else
186 {
187 keylen = strlen( argv[4] );
188
189 if( keylen > (int) sizeof( key ) )
190 keylen = (int) sizeof( key );
191
192 memcpy( key, argv[4], keylen );
193 }
194 }
195
Paul Bakkercce9d772011-11-18 14:26:47 +0000[diff] [blame]196#if defined(_WIN32_WCE)
197 filesize = fseek( fin, 0L, SEEK_END );
198#else
199#if defined(_WIN32)
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]200 /*
201 * Support large files (> 2Gb) on Win32
202 */
203 li_size.QuadPart = 0;
204 li_size.LowPart =
205 SetFilePointer( (HANDLE) _get_osfhandle( _fileno( fin ) ),
206 li_size.LowPart, &li_size.HighPart, FILE_END );
207
208 if( li_size.LowPart == 0xFFFFFFFF && GetLastError() != NO_ERROR )
209 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]210 mbedtls_fprintf( stderr, "SetFilePointer(0,FILE_END) failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]211 goto exit;
212 }
213
214 filesize = li_size.QuadPart;
215#else
216 if( ( filesize = lseek( fileno( fin ), 0, SEEK_END ) ) < 0 )
217 {
218 perror( "lseek" );
219 goto exit;
220 }
221#endif
Paul Bakkercce9d772011-11-18 14:26:47 +0000[diff] [blame]222#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]223
224 if( fseek( fin, 0, SEEK_SET ) < 0 )
225 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]226 mbedtls_fprintf( stderr, "fseek(0,SEEK_SET) failed\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]227 goto exit;
228 }
229
230 if( mode == MODE_ENCRYPT )
231 {
232 /*
233 * Generate the initialization vector as:
234 * IV = SHA-256( filesize || filename )[0..15]
235 */
236 for( i = 0; i < 8; i++ )
237 buffer[i] = (unsigned char)( filesize >> ( i << 3 ) );
238
239 p = argv[2];
240
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]241 mbedtls_md_starts( &sha_ctx );
242 mbedtls_md_update( &sha_ctx, buffer, 8 );
243 mbedtls_md_update( &sha_ctx, (unsigned char *) p, strlen( p ) );
244 mbedtls_md_finish( &sha_ctx, digest );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]245
246 memcpy( IV, digest, 16 );
247
248 /*
249 * The last four bits in the IV are actually used
250 * to store the file size modulo the AES block size.
251 */
252 lastn = (int)( filesize & 0x0F );
253
254 IV[15] = (unsigned char)
255 ( ( IV[15] & 0xF0 ) | lastn );
256
257 /*
258 * Append the IV at the beginning of the output.
259 */
260 if( fwrite( IV, 1, 16, fout ) != 16 )
261 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]262 mbedtls_fprintf( stderr, "fwrite(%d bytes) failed\n", 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]263 goto exit;
264 }
265
266 /*
267 * Hash the IV and the secret key together 8192 times
268 * using the result to setup the AES context and HMAC.
269 */
270 memset( digest, 0, 32 );
271 memcpy( digest, IV, 16 );
272
273 for( i = 0; i < 8192; i++ )
274 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]275 mbedtls_md_starts( &sha_ctx );
276 mbedtls_md_update( &sha_ctx, digest, 32 );
277 mbedtls_md_update( &sha_ctx, key, keylen );
278 mbedtls_md_finish( &sha_ctx, digest );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]279 }
280
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]281 mbedtls_aes_setkey_enc( &aes_ctx, digest, 256 );
282 mbedtls_md_hmac_starts( &sha_ctx, digest, 32 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]283
284 /*
285 * Encrypt and write the ciphertext.
286 */
287 for( offset = 0; offset < filesize; offset += 16 )
288 {
289 n = ( filesize - offset > 16 ) ? 16 : (int)
290 ( filesize - offset );
291
292 if( fread( buffer, 1, n, fin ) != (size_t) n )
293 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]294 mbedtls_fprintf( stderr, "fread(%d bytes) failed\n", n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]295 goto exit;
296 }
297
298 for( i = 0; i < 16; i++ )
299 buffer[i] = (unsigned char)( buffer[i] ^ IV[i] );
300
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]301 mbedtls_aes_crypt_ecb( &aes_ctx, MBEDTLS_AES_ENCRYPT, buffer, buffer );
302 mbedtls_md_hmac_update( &sha_ctx, buffer, 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]303
304 if( fwrite( buffer, 1, 16, fout ) != 16 )
305 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]306 mbedtls_fprintf( stderr, "fwrite(%d bytes) failed\n", 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]307 goto exit;
308 }
309
310 memcpy( IV, buffer, 16 );
311 }
312
313 /*
314 * Finally write the HMAC.
315 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]316 mbedtls_md_hmac_finish( &sha_ctx, digest );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]317
318 if( fwrite( digest, 1, 32, fout ) != 32 )
319 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]320 mbedtls_fprintf( stderr, "fwrite(%d bytes) failed\n", 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]321 goto exit;
322 }
323 }
324
325 if( mode == MODE_DECRYPT )
326 {
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]327 /*
328 * The encrypted file must be structured as follows:
329 *
330 * 00 .. 15 Initialization Vector
331 * 16 .. 31 AES Encrypted Block #1
332 * ..
333 * N*16 .. (N+1)*16 - 1 AES Encrypted Block #N
334 * (N+1)*16 .. (N+1)*16 + 32 HMAC-SHA-256(ciphertext)
335 */
336 if( filesize < 48 )
337 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]338 mbedtls_fprintf( stderr, "File too short to be encrypted.\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]339 goto exit;
340 }
341
342 if( ( filesize & 0x0F ) != 0 )
343 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]344 mbedtls_fprintf( stderr, "File size not a multiple of 16.\n" );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]345 goto exit;
346 }
347
348 /*
Paul Bakker60b1d102013-10-29 10:02:51 +0100[diff] [blame]349 * Subtract the IV + HMAC length.
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]350 */
351 filesize -= ( 16 + 32 );
352
353 /*
354 * Read the IV and original filesize modulo 16.
355 */
356 if( fread( buffer, 1, 16, fin ) != 16 )
357 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]358 mbedtls_fprintf( stderr, "fread(%d bytes) failed\n", 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]359 goto exit;
360 }
361
362 memcpy( IV, buffer, 16 );
363 lastn = IV[15] & 0x0F;
364
365 /*
366 * Hash the IV and the secret key together 8192 times
367 * using the result to setup the AES context and HMAC.
368 */
369 memset( digest, 0, 32 );
370 memcpy( digest, IV, 16 );
371
372 for( i = 0; i < 8192; i++ )
373 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]374 mbedtls_md_starts( &sha_ctx );
375 mbedtls_md_update( &sha_ctx, digest, 32 );
376 mbedtls_md_update( &sha_ctx, key, keylen );
377 mbedtls_md_finish( &sha_ctx, digest );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]378 }
379
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]380 mbedtls_aes_setkey_dec( &aes_ctx, digest, 256 );
381 mbedtls_md_hmac_starts( &sha_ctx, digest, 32 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]382
383 /*
384 * Decrypt and write the plaintext.
385 */
386 for( offset = 0; offset < filesize; offset += 16 )
387 {
388 if( fread( buffer, 1, 16, fin ) != 16 )
389 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]390 mbedtls_fprintf( stderr, "fread(%d bytes) failed\n", 16 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]391 goto exit;
392 }
393
394 memcpy( tmp, buffer, 16 );
Paul Bakker9e36f042013-06-30 14:34:05 +0200[diff] [blame]395
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]396 mbedtls_md_hmac_update( &sha_ctx, buffer, 16 );
397 mbedtls_aes_crypt_ecb( &aes_ctx, MBEDTLS_AES_DECRYPT, buffer, buffer );
Paul Bakker9e36f042013-06-30 14:34:05 +0200[diff] [blame]398
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]399 for( i = 0; i < 16; i++ )
400 buffer[i] = (unsigned char)( buffer[i] ^ IV[i] );
401
402 memcpy( IV, tmp, 16 );
403
404 n = ( lastn > 0 && offset == filesize - 16 )
405 ? lastn : 16;
406
407 if( fwrite( buffer, 1, n, fout ) != (size_t) n )
408 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]409 mbedtls_fprintf( stderr, "fwrite(%d bytes) failed\n", n );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]410 goto exit;
411 }
412 }
413
414 /*
415 * Verify the message authentication code.
416 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]417 mbedtls_md_hmac_finish( &sha_ctx, digest );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]418
419 if( fread( buffer, 1, 32, fin ) != 32 )
420 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]421 mbedtls_fprintf( stderr, "fread(%d bytes) failed\n", 32 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]422 goto exit;
423 }
424
Manuel Pégourié-Gonnard291f9af2013-10-28 12:51:32 +0100[diff] [blame]425 /* Use constant-time buffer comparison */
426 diff = 0;
427 for( i = 0; i < 32; i++ )
428 diff |= digest[i] ^ buffer[i];
429
430 if( diff != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]431 {
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]432 mbedtls_fprintf( stderr, "HMAC check failed: wrong key, "
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]433 "or file corrupted.\n" );
434 goto exit;
435 }
436 }
437
438 ret = 0;
439
440exit:
Paul Bakker6d440322011-02-06 12:49:19 +0000[diff] [blame]441 if( fin )
442 fclose( fin );
443 if( fout )
444 fclose( fout );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]445
Hanno Becker66daa682017-06-27 08:24:34 +0100[diff] [blame]446 /* Zeroize all command line arguments to also cover
447 the case when the user has missed or reordered some,
448 in which case the key might not be in argv[4]. */
449 for( i = 0; i < argc; i++ )
Hanno Becker6a74b2f2018-10-12 16:46:37 +0100[diff] [blame]450 mbedtls_zeroize( argv[i], strlen( argv[i] ) );
Hanno Becker66daa682017-06-27 08:24:34 +0100[diff] [blame]451
Hanno Becker6a74b2f2018-10-12 16:46:37 +0100[diff] [blame]452 mbedtls_zeroize( IV, sizeof( IV ) );
453 mbedtls_zeroize( key, sizeof( key ) );
454 mbedtls_zeroize( tmp, sizeof( tmp ) );
455 mbedtls_zeroize( buffer, sizeof( buffer ) );
456 mbedtls_zeroize( digest, sizeof( digest ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]457
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]458 mbedtls_aes_free( &aes_ctx );
459 mbedtls_md_free( &sha_ctx );
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]460
461 return( ret );
462}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200[diff] [blame]463#endif /* MBEDTLS_AES_C && MBEDTLS_SHA256_C && MBEDTLS_FS_IO */