aes_rval aes_decrypt_key(const void *in_key, int key_len, aes_decrypt_ctx cx[1]) { switch(key_len) { #ifdef AES_ERR_CHK case 16: case 128: return aes_decrypt_key128(in_key, cx); case 24: case 192: return aes_decrypt_key192(in_key, cx); case 32: case 256: return aes_decrypt_key256(in_key, cx); default: return aes_error; #else case 16: case 128: aes_decrypt_key128(in_key, cx); return; case 24: case 192: aes_decrypt_key192(in_key, cx); return; case 32: case 256: aes_decrypt_key256(in_key, cx); return; #endif } }
aes_rval aes_decrypt_key(const unsigned char *key, int key_len, aes_decrypt_ctx cx[1]) { switch(key_len) { #if defined( AES_ERR_CHK ) case 16: case 128: return aes_decrypt_key128(key, cx); case 24: case 192: return aes_decrypt_key192(key, cx); case 32: case 256: return aes_decrypt_key256(key, cx); default: return aes_error; #else case 16: case 128: aes_decrypt_key128(key, cx); return; case 24: case 192: aes_decrypt_key192(key, cx); return; case 32: case 256: aes_decrypt_key256(key, cx); return; #endif } }
/* Return values: 0 = success, ERR_CIPHER_INIT_FAILURE (fatal), ERR_CIPHER_INIT_WEAK_KEY (non-fatal) */ int CipherInit (int cipher, unsigned char *key, unsigned __int8 *ks) { int retVal = ERR_SUCCESS; switch (cipher) { case AES: #ifndef TC_WINDOWS_BOOT if (aes_encrypt_key256 (key, (aes_encrypt_ctx *) ks) != EXIT_SUCCESS) return ERR_CIPHER_INIT_FAILURE; if (aes_decrypt_key256 (key, (aes_decrypt_ctx *) (ks + sizeof(aes_encrypt_ctx))) != EXIT_SUCCESS) return ERR_CIPHER_INIT_FAILURE; #else if (aes_set_key (key, (length_type) CipherGetKeySize(AES), (aes_context *) ks) != 0) return ERR_CIPHER_INIT_FAILURE; #endif break; case SERPENT: serpent_set_key (key, CipherGetKeySize(SERPENT) * 8, ks); break; case TWOFISH: twofish_set_key ((TwofishInstance *)ks, (const u4byte *)key, CipherGetKeySize(TWOFISH) * 8); break; #ifndef TC_WINDOWS_BOOT case BLOWFISH: /* Deprecated/legacy */ BlowfishSetKey ((BF_KEY *)ks, CipherGetKeySize(BLOWFISH), key); break; case CAST: /* Deprecated/legacy */ Cast5SetKey ((CAST_KEY *) ks, CipherGetKeySize(CAST), key); break; case TRIPLEDES: /* Deprecated/legacy */ TripleDesSetKey (key, CipherGetKeySize (TRIPLEDES), (TDES_KEY *) ks); // Verify whether all three DES keys are mutually different if (((*((__int64 *) key) ^ *((__int64 *) key+1)) & 0xFEFEFEFEFEFEFEFEULL) == 0 || ((*((__int64 *) key+1) ^ *((__int64 *) key+2)) & 0xFEFEFEFEFEFEFEFEULL) == 0 || ((*((__int64 *) key) ^ *((__int64 *) key+2)) & 0xFEFEFEFEFEFEFEFEULL) == 0) retVal = ERR_CIPHER_INIT_WEAK_KEY; // Non-fatal error break; #endif // TC_WINDOWS_BOOT default: // Unknown/wrong cipher ID return ERR_CIPHER_INIT_FAILURE; } return retVal; }
/* Return values: 0 = success, ERR_CIPHER_INIT_FAILURE (fatal), ERR_CIPHER_INIT_WEAK_KEY (non-fatal) */ int CipherInit (int cipher, unsigned char *key, unsigned __int8 *ks) { int retVal = ERR_SUCCESS; switch (cipher) { case AES: #ifndef TC_WINDOWS_BOOT if (aes_encrypt_key256 (key, (aes_encrypt_ctx *) ks) != EXIT_SUCCESS) return ERR_CIPHER_INIT_FAILURE; if (aes_decrypt_key256 (key, (aes_decrypt_ctx *) (ks + sizeof(aes_encrypt_ctx))) != EXIT_SUCCESS) return ERR_CIPHER_INIT_FAILURE; #else if (aes_set_key (key, (length_type) CipherGetKeySize(AES), (aes_context *) ks) != 0) return ERR_CIPHER_INIT_FAILURE; #endif break; case SERPENT: serpent_set_key (key, ks); break; case TWOFISH: twofish_set_key ((TwofishInstance *)ks, (const u4byte *)key); break; default: // Unknown/wrong cipher ID return ERR_CIPHER_INIT_FAILURE; } return retVal; }
void CipherAES::SetCipherKey (const byte *key) { if (aes_encrypt_key256 (key, (aes_encrypt_ctx *) ScheduledKey.Ptr()) != EXIT_SUCCESS) throw CipherInitError (SRC_POS); if (aes_decrypt_key256 (key, (aes_decrypt_ctx *) (ScheduledKey.Ptr() + sizeof (aes_encrypt_ctx))) != EXIT_SUCCESS) throw CipherInitError (SRC_POS); }
void fsm_msgCipherKeyValue(CipherKeyValue *msg) { if (!msg->has_key) { fsm_sendFailure(FailureType_Failure_SyntaxError, "No key provided"); return; } if (!msg->has_value) { fsm_sendFailure(FailureType_Failure_SyntaxError, "No value provided"); return; } if (msg->value.size % 16) { fsm_sendFailure(FailureType_Failure_SyntaxError, "Value length must be a multiple of 16"); return; } if (!protectPin(true)) { layoutHome(); return; } HDNode *node = fsm_getRootNode(); if (!node) return; fsm_deriveKey(node, msg->address_n, msg->address_n_count); bool encrypt = msg->has_encrypt && msg->encrypt; bool ask_on_encrypt = msg->has_ask_on_encrypt && msg->ask_on_encrypt; bool ask_on_decrypt = msg->has_ask_on_decrypt && msg->ask_on_decrypt; if ((encrypt && ask_on_encrypt) || (!encrypt && ask_on_decrypt)) { layoutCipherKeyValue(encrypt, msg->key); if (!protectButton(ButtonRequestType_ButtonRequest_Other, false)) { fsm_sendFailure(FailureType_Failure_ActionCancelled, "CipherKeyValue cancelled"); layoutHome(); return; } } uint8_t data[256 + 4]; strlcpy((char *)data, msg->key, sizeof(data)); strlcat((char *)data, ask_on_encrypt ? "E1" : "E0", sizeof(data)); strlcat((char *)data, ask_on_decrypt ? "D1" : "D0", sizeof(data)); hmac_sha512(node->private_key, 32, data, strlen((char *)data), data); RESP_INIT(Success); if (encrypt) { aes_encrypt_ctx ctx; aes_encrypt_key256(data, &ctx); aes_cbc_encrypt(msg->value.bytes, resp->payload.bytes, msg->value.size, data + 32, &ctx); } else { aes_decrypt_ctx ctx; aes_decrypt_key256(data, &ctx); aes_cbc_decrypt(msg->value.bytes, resp->payload.bytes, msg->value.size, data + 32, &ctx); } resp->has_payload = true; resp->payload.size = msg->value.size; msg_write(MessageType_MessageType_Success, resp); layoutHome(); }
AES_RETURN aes_decrypt_key(const unsigned char *key, int key_len, aes_decrypt_ctx cx[1]) { switch(key_len) { case 16: case 128: return aes_decrypt_key128(key, cx); case 24: case 192: return aes_decrypt_key192(key, cx); case 32: case 256: return aes_decrypt_key256(key, cx); default: return EXIT_FAILURE; } }
int EAInit (unsigned char *key, unsigned __int8 *ks) { aes_init(); if (aes_encrypt_key256 (key, (aes_encrypt_ctx *) ks) != EXIT_SUCCESS) return ERR_CIPHER_INIT_FAILURE; if (aes_decrypt_key256 (key, (aes_decrypt_ctx *) (ks + sizeof (aes_encrypt_ctx))) != EXIT_SUCCESS) return ERR_CIPHER_INIT_FAILURE; return ERR_SUCCESS; }
bool storage_getRootNode(HDNode *node) { // root node is properly cached if (sessionRootNodeCached) { memcpy(node, &sessionRootNode, sizeof(HDNode)); return true; } // if storage has node, decrypt and use it if (storage.has_node) { if (!protectPassphrase()) { return false; } if (hdnode_from_xprv(storage.node.depth, storage.node.fingerprint, storage.node.child_num, storage.node.chain_code.bytes, storage.node.private_key.bytes, &sessionRootNode) == 0) { return false; } if (storage.has_passphrase_protection && storage.passphrase_protection && strlen(sessionPassphrase)) { // decrypt hd node uint8_t secret[64]; uint8_t salt[12]; memcpy(salt, "TREZORHD", 8); layoutProgressSwipe("Waking up", 0); pbkdf2_hmac_sha512((const uint8_t *)sessionPassphrase, strlen(sessionPassphrase), salt, 8, BIP39_PBKDF2_ROUNDS, secret, 64, get_root_node_callback); aes_decrypt_ctx ctx; aes_decrypt_key256(secret, &ctx); aes_cbc_decrypt(sessionRootNode.chain_code, sessionRootNode.chain_code, 32, secret + 32, &ctx); aes_cbc_decrypt(sessionRootNode.private_key, sessionRootNode.private_key, 32, secret + 32, &ctx); } memcpy(node, &sessionRootNode, sizeof(HDNode)); sessionRootNodeCached = true; return true; } // if storage has mnemonic, convert it to node and use it if (storage.has_mnemonic) { if (!protectPassphrase()) { return false; } uint8_t seed[64]; layoutProgressSwipe("Waking up", 0); mnemonic_to_seed(storage.mnemonic, sessionPassphrase, seed, get_root_node_callback); // BIP-0039 if (hdnode_from_seed(seed, sizeof(seed), &sessionRootNode) == 0) { return false; } memcpy(node, &sessionRootNode, sizeof(HDNode)); sessionRootNodeCached = true; return true; } return false; }
int EAInit (int ea, unsigned char *key, unsigned __int8 *ks) { #ifdef GST_WINDOWS_BOOT_AES aes_init(); if (aes_encrypt_key256 (key, (aes_encrypt_ctx *) ks) != EXIT_SUCCESS) return ERR_CIPHER_INIT_FAILURE; if (aes_decrypt_key256 (key, (aes_decrypt_ctx *) (ks + sizeof (aes_encrypt_ctx))) != EXIT_SUCCESS) return ERR_CIPHER_INIT_FAILURE; #elif defined (GST_WINDOWS_BOOT_SERPENT) serpent_set_key (key, 32 * 8, ks); #elif defined (GST_WINDOWS_BOOT_TWOFISH) twofish_set_key ((TwofishInstance *)ks, (const u4byte *)key, 32 * 8); #endif return ERR_SUCCESS; }
/* * Expand the cipher key into the decryption key schedule. * * Return the number of rounds for the given cipher key size. * The size of the key schedule depends on the number of rounds * (which can be computed from the size of the key), i.e. 4 * (Nr + 1). * * Parameters: * rk AES key schedule 32-bit array to be initialized * cipherKey User key * keyBits AES key size (128, 192, or 256 bits) */ int rijndael_key_setup_dec_amd64(uint32_t rk[], const uint32_t cipherKey[], int keyBits) { switch (keyBits) { case 128: aes_decrypt_key128((unsigned char *)&cipherKey[0], rk); return (10); case 192: aes_decrypt_key192((unsigned char *)&cipherKey[0], rk); return (12); case 256: aes_decrypt_key256((unsigned char *)&cipherKey[0], rk); return (14); default: /* should never get here */ break; } return (0); }
static bool aes_operation(bool encrypt, const uint8_t *kek, size_t kek_len, uint8_t *block) { uint64_t iv[2] = { 0 }; if (encrypt) { aes_encrypt_ctx encrypt_ctx[1]; switch(kek_len) { #if AES128_KEK case 16: aes_encrypt_key128(kek, encrypt_ctx); break; #endif #if AES192_KEK case 24: aes_encrypt_key192(kek, encrypt_ctx); break; #endif #if AES256_KEK case 32: aes_encrypt_key256(kek, encrypt_ctx); break; #endif default: return false; } aes_encrypt_cbc(block, (uint8_t*)iv, 1, block, encrypt_ctx); } else { aes_decrypt_ctx decrypt_ctx[1]; switch(kek_len) { #if AES128_KEK case 16: aes_decrypt_key128(kek, decrypt_ctx); break; #endif #if AES192_KEK case 24: aes_decrypt_key192(kek, decrypt_ctx); break; #endif #if AES256_KEK case 32: aes_decrypt_key256(kek, decrypt_ctx); break; #endif default: return false; } aes_decrypt_cbc(block, (uint8_t*)iv, 1, block, decrypt_ctx); } return true; }
/* * storage_get_root_node() - Returns root node of device * * INPUT * - node: where to put the node that is found * OUTPUT * true/false whether root node was found */ bool storage_get_root_node(HDNode *node) { // root node is properly cached if(sessionRootNodeCached) { memcpy(node, &sessionRootNode, sizeof(HDNode)); return true; } // if storage has node, decrypt and use it if(shadow_config.storage.has_node) { if(!passphrase_protect()) { return false; } layout_loading(); if(hdnode_from_xprv(shadow_config.storage.node.depth, shadow_config.storage.node.fingerprint, shadow_config.storage.node.child_num, shadow_config.storage.node.chain_code.bytes, shadow_config.storage.node.private_key.bytes, &sessionRootNode) == 0) { return false; } if(shadow_config.storage.has_passphrase_protection && shadow_config.storage.passphrase_protection && strlen(sessionPassphrase)) { // decrypt hd node uint8_t secret[64]; /* Length of salt + 4 bytes are needed as workspace by pbkdf2_hmac_sha512 */ uint8_t salt[strlen(PBKDF2_HMAC_SHA512_SALT) + 4]; memcpy((char *)salt, PBKDF2_HMAC_SHA512_SALT, strlen(PBKDF2_HMAC_SHA512_SALT)); animating_progress_handler(); pbkdf2_hmac_sha512((const uint8_t *)sessionPassphrase, strlen(sessionPassphrase), salt, strlen(PBKDF2_HMAC_SHA512_SALT), BIP39_PBKDF2_ROUNDS, secret, 64, get_root_node_callback); aes_decrypt_ctx ctx; aes_decrypt_key256(secret, &ctx); aes_cbc_decrypt(sessionRootNode.chain_code, sessionRootNode.chain_code, 32, secret + 32, &ctx); aes_cbc_decrypt(sessionRootNode.private_key, sessionRootNode.private_key, 32, secret + 32, &ctx); } memcpy(node, &sessionRootNode, sizeof(HDNode)); sessionRootNodeCached = true; return true; } // if storage has mnemonic, convert it to node and use it if(shadow_config.storage.has_mnemonic) { if(!passphrase_protect()) { return false; } if(storage_get_root_node_cache(node)) { return true; } layout_loading(); uint8_t seed[64]; animating_progress_handler(); mnemonic_to_seed(shadow_config.storage.mnemonic, sessionPassphrase, seed, get_root_node_callback); // BIP-0039 if(hdnode_from_seed(seed, sizeof(seed), &sessionRootNode) == 0) { return false; } storage_set_root_node_cache(&sessionRootNode); memcpy(node, &sessionRootNode, sizeof(HDNode)); sessionRootNodeCached = true; return true; } return false; }
void fsm_msgCipherKeyValue(CipherKeyValue *msg) { if (!storage_is_initialized()) { fsm_sendFailure(FailureType_Failure_NotInitialized, "Device not initialized"); return; } if(!msg->has_key) { fsm_sendFailure(FailureType_Failure_SyntaxError, "No key provided"); return; } if(!msg->has_value) { fsm_sendFailure(FailureType_Failure_SyntaxError, "No value provided"); return; } if(msg->value.size % 16) { fsm_sendFailure(FailureType_Failure_SyntaxError, "Value length must be a multiple of 16"); return; } if(!pin_protect_cached()) { go_home(); return; } const HDNode *node = fsm_getDerivedNode(msg->address_n, msg->address_n_count); if(!node) { return; } bool encrypt = msg->has_encrypt && msg->encrypt; bool ask_on_encrypt = msg->has_ask_on_encrypt && msg->ask_on_encrypt; bool ask_on_decrypt = msg->has_ask_on_decrypt && msg->ask_on_decrypt; if((encrypt && ask_on_encrypt) || (!encrypt && ask_on_decrypt)) { if(!confirm_cipher(encrypt, msg->key)) { fsm_sendFailure(FailureType_Failure_ActionCancelled, "CipherKeyValue cancelled"); go_home(); return; } } uint8_t data[256 + 4]; strlcpy((char *)data, msg->key, sizeof(data)); strlcat((char *)data, ask_on_encrypt ? "E1" : "E0", sizeof(data)); strlcat((char *)data, ask_on_decrypt ? "D1" : "D0", sizeof(data)); hmac_sha512(node->private_key, 32, data, strlen((char *)data), data); RESP_INIT(CipheredKeyValue); if(encrypt) { aes_encrypt_ctx ctx; aes_encrypt_key256(data, &ctx); aes_cbc_encrypt(msg->value.bytes, resp->value.bytes, msg->value.size, ((msg->iv.size == 16) ? (msg->iv.bytes) : (data + 32)), &ctx); } else { aes_decrypt_ctx ctx; aes_decrypt_key256(data, &ctx); aes_cbc_decrypt(msg->value.bytes, resp->value.bytes, msg->value.size, ((msg->iv.size == 16) ? (msg->iv.bytes) : (data + 32)), &ctx); } resp->has_value = true; resp->value.size = msg->value.size; msg_write(MessageType_MessageType_CipheredKeyValue, resp); go_home(); }