1 /* encrypt file by writing
3 16byte initialization vector,
4 AES-CBC(key, random | file),
5 HMAC_SHA1(md5(key), AES-CBC(random | file))
13 extern char* getpassm(char*);
15 enum{ CHK = 16, BUF = 4096 };
17 uchar v2hdr[AESbsize+1] = "AES CBC SHA1 2\n";
22 safewrite(uchar *buf, int n)
24 int i = Bwrite(&bout, buf, n);
28 fprint(2, "write error\n");
33 saferead(uchar *buf, int n)
35 int i = Bread(&bin, buf, n);
39 fprint(2, "read error\n");
44 main(int argc, char **argv)
46 int encrypt = 0; /* 0=decrypt, 1=encrypt */
47 int n, nkey, pass_stdin = 0;
49 uchar key[AESmaxkey], key2[SHA1dlen];
50 uchar buf[BUF+SHA1dlen]; /* assumption: CHK <= SHA1dlen */
63 fprint(2,"usage: %s -d < cipher.aes > clear.txt\n", argv0);
64 fprint(2," or: %s -e < clear.txt > cipher.aes\n", argv0);
67 Binit(&bin, 0, OREAD);
68 Binit(&bout, 1, OWRITE);
71 n = readn(3, buf, (sizeof buf)-1);
73 exits("usage: echo password |[3=1] auth/aescbc -i ...");
75 while(buf[n-1] == '\n')
78 pass = getpassm("aescbc key:");
81 exits("key too long");
82 strcpy((char*)buf, pass);
90 dstate = sha1((uchar*)"aescbc file", 11, nil, nil);
91 sha1(buf, n, key2, dstate);
92 memcpy(key, key2, 16);
94 md5(key, nkey, key2, 0); /* so even if HMAC_SHA1 is broken, encryption key is protected */
97 safewrite(v2hdr, AESbsize);
98 genrandom(buf,2*AESbsize); /* CBC is semantically secure if IV is unpredictable. */
99 setupAESstate(&aes, key, nkey, buf); /* use first AESbsize bytes as IV */
100 aesCBCencrypt(buf+AESbsize, AESbsize, &aes); /* use second AESbsize bytes as initial plaintext */
101 safewrite(buf, 2*AESbsize);
102 dstate = hmac_sha1(buf+AESbsize, AESbsize, key2, MD5dlen, 0, 0);
104 n = Bread(&bin, buf, BUF);
106 fprint(2,"read error\n");
109 aesCBCencrypt(buf, n, &aes);
111 dstate = hmac_sha1(buf, n, key2, MD5dlen, 0, dstate);
115 hmac_sha1(0, 0, key2, MD5dlen, buf, dstate);
116 safewrite(buf, SHA1dlen);
118 saferead(buf, AESbsize);
119 if(memcmp(buf, v2hdr, AESbsize) == 0){
120 saferead(buf, 2*AESbsize); /* read IV and random initial plaintext */
121 setupAESstate(&aes, key, nkey, buf);
122 dstate = hmac_sha1(buf+AESbsize, AESbsize, key2, MD5dlen, 0, 0);
123 aesCBCdecrypt(buf+AESbsize, AESbsize, &aes);
124 saferead(buf, SHA1dlen);
125 while((n = Bread(&bin, buf+SHA1dlen, BUF)) > 0){
126 dstate = hmac_sha1(buf, n, key2, MD5dlen, 0, dstate);
127 aesCBCdecrypt(buf, n, &aes);
129 memmove(buf, buf+n, SHA1dlen); /* these bytes are not yet decrypted */
131 hmac_sha1(0, 0, key2, MD5dlen, buf+SHA1dlen, dstate);
132 if(memcmp(buf, buf+SHA1dlen, SHA1dlen) != 0){
133 fprint(2,"decrypted file failed to authenticate\n");
134 exits("decrypted file failed to authenticate");
136 }else{ /* compatibility with past mistake */
137 // if file was encrypted with bad aescbc use this:
138 // memset(key, 0, AESmaxkey);
139 // else assume we're decrypting secstore files
140 setupAESstate(&aes, key, AESbsize, buf);
142 aesCBCdecrypt(buf, CHK, &aes);
143 while((n = Bread(&bin, buf+CHK, BUF)) > 0){
144 aesCBCdecrypt(buf+CHK, n, &aes);
146 memmove(buf, buf+n, CHK);
148 if(memcmp(buf, "XXXXXXXXXXXXXXXX", CHK) != 0){
149 fprint(2,"decrypted file failed to authenticate\n");
150 exits("decrypted file failed to authenticate");