Remove internal AES implementation and replace it with use of libcrypto

Author: TomasKorbar

CMakeLists.txt

@@ -24,6 +24,11 @@ if(BUILD_DOCS OR BUILD_DOCSONLY)
     add_subdirectory(docs)
 endif()
 
+find_library(CRYPTO_LIB crypto)
+if(NOT CRYPTO_LIB)
+  message(FATAL_ERROR "crypto library not found")
+endif()
+
 if(NOT BUILD_DOCSONLY)
     include(CMake/_Include.cmake)
 

include/libhashkit-1.0/hashkit.h

@@ -35,6 +35,8 @@
 #include <libhashkit-1.0/strerror.h>
 #include <libhashkit-1.0/string.h>
 
+#include <openssl/evp.h>
+
 struct hashkit_st {
   struct hashkit_function_st {
     hashkit_hash_fn function;
@@ -49,7 +51,9 @@ struct hashkit_st {
     bool is_allocated : 1;
   } options;
 
-  void *_key;
+  bool use_encryption;
+  EVP_CIPHER_CTX *encryption_context;
+  EVP_CIPHER_CTX *decryption_context;
 };
 
 #ifdef __cplusplus
@@ -75,7 +79,7 @@ HASHKIT_API
 hashkit_string_st *hashkit_decrypt(hashkit_st *, const char *source, size_t source_length);
 
 HASHKIT_API
-bool hashkit_key(hashkit_st *, const char *key, const size_t key_length);
+bool hashkit_initialize_encryption(hashkit_st *kit, const char *key, const size_t key_length);
 
 #ifdef __cplusplus
 } // extern "C"

src/libhashkit/CMakeLists.txt

@@ -17,7 +17,6 @@ set(libhashkit_sources
         murmur3.cc
         murmur3_api.cc
         one_at_a_time.cc
-        rijndael.cc
         str_algorithm.cc
         strerror.cc
         string.cc
@@ -39,6 +38,8 @@ target_include_directories(libhashkit PUBLIC
         $<BUILD_INTERFACE:${CMAKE_SOURCE_DIR}/include>
         $<BUILD_INTERFACE:${CMAKE_BINARY_DIR}/include>
         $<INSTALL_INTERFACE:include>)
+target_link_libraries(libhashkit PUBLIC -lcrypto)
+
 configure_file(hashkitcon.h.in hashkitcon.h @ONLY)
 
 install(TARGETS libhashkit EXPORT libhashkit-targets

src/libhashkit/aes.cc

@@ -15,128 +15,95 @@
 
 #include "libhashkit/common.h"
 
-#include "libhashkit/rijndael.hpp"
-
 #include <cstring>
 
-#define AES_KEY_LENGTH 256 /* 128, 192, 256 */
-#define AES_BLOCK_SIZE 16
-
-enum encrypt_t { AES_ENCRYPT, AES_DECRYPT };
-
-struct _key_t {
-  int nr;
-  uint32_t rk[4 * (AES_MAXNR + 1)];
-};
-
-struct aes_key_t {
-  _key_t encode_key;
-  _key_t decode_key;
-};
+#define DIGEST_ROUNDS 5
 
-aes_key_t *aes_create_key(const char *key, const size_t key_length) {
-  aes_key_t *_aes_key = (aes_key_t *) (calloc(1, sizeof(aes_key_t)));
-  if (_aes_key) {
-    uint8_t rkey[AES_KEY_LENGTH / 8];
-    uint8_t *rkey_end = rkey + AES_KEY_LENGTH / 8;
-    const char *key_end = key + key_length;
+#define AES_KEY_NBYTES 32
+#define AES_IV_NBYTES 32
 
-    memset(rkey, 0, sizeof(rkey)); /* Set initial key  */
-
-    uint8_t *ptr = rkey;
-    const char *sptr = key;
-    for (; sptr < key_end; ptr++, sptr++) {
-      if (ptr == rkey_end) {
-        ptr = rkey; /*  Just loop over tmp_key until we used all key */
-      }
-      *ptr ^= (uint8_t)(*sptr);
-    }
-
-    _aes_key->decode_key.nr = rijndaelKeySetupDec(_aes_key->decode_key.rk, rkey, AES_KEY_LENGTH);
-    _aes_key->encode_key.nr = rijndaelKeySetupEnc(_aes_key->encode_key.rk, rkey, AES_KEY_LENGTH);
+bool aes_initialize(const unsigned char *key, const size_t key_length,
+                    EVP_CIPHER_CTX *encryption_context,
+                    EVP_CIPHER_CTX *decryption_context) {
+  unsigned char aes_key[AES_KEY_NBYTES];
+  unsigned char aes_iv[AES_IV_NBYTES];
+  if (aes_key == NULL || aes_iv == NULL) {
+    return false;
   }
 
-  return _aes_key;
-}
-
-aes_key_t *aes_clone_key(aes_key_t *_aes_key) {
-  if (_aes_key == NULL) {
-    return NULL;
+  int i = EVP_BytesToKey(EVP_aes_256_cbc(), EVP_sha256(), NULL, key, key_length,
+                         DIGEST_ROUNDS, aes_key, aes_iv);
+  if (i != AES_KEY_NBYTES) {
+    return false;
   }
 
-  aes_key_t *_aes_clone_key = (aes_key_t *) (calloc(1, sizeof(aes_key_t)));
-  if (_aes_clone_key) {
-    memcpy(_aes_clone_key, _aes_key, sizeof(aes_key_t));
+  if (EVP_CIPHER_CTX_init(encryption_context) != 1 ||
+      EVP_EncryptInit_ex(encryption_context, EVP_aes_256_cbc(), NULL, key,
+                         aes_iv) != 1 ||
+      EVP_CIPHER_CTX_init(decryption_context) != 1 ||
+      EVP_DecryptInit_ex(decryption_context, EVP_aes_256_cbc(), NULL, key,
+                         aes_iv) != 1) {
+    return false;
   }
-
-  return _aes_clone_key;
+  return true;
 }
 
-hashkit_string_st *aes_encrypt(aes_key_t *_aes_key, const char *source, size_t source_length) {
-  if (_aes_key == NULL) {
+hashkit_string_st *aes_encrypt(EVP_CIPHER_CTX *encryption_context,
+                               const unsigned char *source,
+                               size_t source_length) {
+  int cipher_length =
+      source_length + EVP_CIPHER_CTX_block_size(encryption_context);
+  int final_length = 0;
+  unsigned char *cipher_text = (unsigned char *)malloc(cipher_length);
+  if (cipher_text == NULL) {
     return NULL;
   }
-
-  size_t num_blocks = source_length / AES_BLOCK_SIZE;
-
-  hashkit_string_st *destination = hashkit_string_create(source_length);
-  if (destination) {
-    char *dest = hashkit_string_c_str_mutable(destination);
-
-    for (size_t x = num_blocks; x > 0; x--) /* Encode complete blocks */ {
-      rijndaelEncrypt(_aes_key->encode_key.rk, _aes_key->encode_key.nr, (const uint8_t *) (source),
-                      (uint8_t *) (dest));
-      source += AES_BLOCK_SIZE;
-      dest += AES_BLOCK_SIZE;
-    }
-
-    uint8_t block[AES_BLOCK_SIZE];
-    char pad_len = AES_BLOCK_SIZE - (source_length - AES_BLOCK_SIZE * num_blocks);
-    memcpy(block, source, 16 - pad_len);
-    memset(block + AES_BLOCK_SIZE - pad_len, pad_len, pad_len);
-    rijndaelEncrypt(_aes_key->encode_key.rk, _aes_key->encode_key.nr, block, (uint8_t *) (dest));
-    hashkit_string_set_length(destination, AES_BLOCK_SIZE * (num_blocks + 1));
+  if (EVP_EncryptInit_ex(encryption_context, NULL, NULL, NULL, NULL) != 1 ||
+      EVP_EncryptUpdate(encryption_context, cipher_text, &cipher_length, source,
+                        source_length) != 1 ||
+      EVP_EncryptFinal_ex(encryption_context, cipher_text + cipher_length,
+                          &final_length) != 1) {
+    free(cipher_text);
+    return NULL;
   }
 
+  hashkit_string_st *destination =
+      hashkit_string_create(cipher_length + final_length);
+  if (destination == NULL) {
+    return NULL;
+  }
+  char *dest = hashkit_string_c_str_mutable(destination);
+  memcpy(dest, cipher_text, cipher_length + final_length);
+  hashkit_string_set_length(destination, cipher_length + final_length);
   return destination;
 }
 
-hashkit_string_st *aes_decrypt(aes_key_t *_aes_key, const char *source, size_t source_length) {
-  if (_aes_key == NULL) {
+hashkit_string_st *aes_decrypt(EVP_CIPHER_CTX *decryption_context,
+                               const unsigned char *source,
+                               size_t source_length) {
+  int plain_text_length = source_length;
+  int final_length = 0;
+  unsigned char *plain_text = (unsigned char *)malloc(plain_text_length);
+  if (plain_text == NULL) {
     return NULL;
   }
-
-  size_t num_blocks = source_length / AES_BLOCK_SIZE;
-  if ((source_length != num_blocks * AES_BLOCK_SIZE) or num_blocks == 0) {
+  if (EVP_DecryptInit_ex(decryption_context, NULL, NULL, NULL, NULL) != 1 ||
+      EVP_DecryptUpdate(decryption_context, plain_text, &plain_text_length,
+                        source, source_length) != 1 ||
+      EVP_DecryptFinal_ex(decryption_context, plain_text + plain_text_length,
+                          &final_length) != 1) {
+    free(plain_text);
     return NULL;
   }
 
-  hashkit_string_st *destination = hashkit_string_create(source_length);
-  if (destination) {
-    char *dest = hashkit_string_c_str_mutable(destination);
-
-    for (size_t x = num_blocks - 1; x > 0; x--) {
-      rijndaelDecrypt(_aes_key->decode_key.rk, _aes_key->decode_key.nr, (const uint8_t *) (source),
-                      (uint8_t *) (dest));
-      source += AES_BLOCK_SIZE;
-      dest += AES_BLOCK_SIZE;
-    }
-
-    uint8_t block[AES_BLOCK_SIZE];
-    rijndaelDecrypt(_aes_key->decode_key.rk, _aes_key->decode_key.nr, (const uint8_t *) (source),
-                    block);
-    /* Use last char in the block as size */
-    unsigned int pad_len = (unsigned int) (unsigned char) (block[AES_BLOCK_SIZE - 1]);
-    if (pad_len > AES_BLOCK_SIZE) {
-      hashkit_string_free(destination);
-      return NULL;
-    }
-
-    /* We could also check whole padding but we do not really need this */
-
-    memcpy(dest, block, AES_BLOCK_SIZE - pad_len);
-    hashkit_string_set_length(destination, AES_BLOCK_SIZE * num_blocks - pad_len);
+  hashkit_string_st *destination =
+      hashkit_string_create(plain_text_length + final_length);
+  if (destination == NULL) {
+    return NULL;
   }
-
+  char *dest = hashkit_string_c_str_mutable(destination);
+  memcpy(dest, plain_text, plain_text_length + final_length);
+  hashkit_string_set_length(destination, plain_text_length + final_length);
   return destination;
 }
+

src/libhashkit/aes.h

@@ -15,12 +15,14 @@
 
 #pragma once
 
-struct aes_key_t;
+hashkit_string_st *aes_encrypt(EVP_CIPHER_CTX *encryption_context,
+                               const unsigned char *source,
+                               size_t source_length);
 
-hashkit_string_st *aes_encrypt(aes_key_t *_aes_key, const char *source, size_t source_length);
+hashkit_string_st *aes_decrypt(EVP_CIPHER_CTX *decryption_context,
+                               const unsigned char *source,
+                               size_t source_length);
 
-hashkit_string_st *aes_decrypt(aes_key_t *_aes_key, const char *source, size_t source_length);
-
-aes_key_t *aes_create_key(const char *key, const size_t key_length);
-
-aes_key_t *aes_clone_key(aes_key_t *_aes_key);
+bool aes_initialize(const unsigned char *key, const size_t key_length,
+                    EVP_CIPHER_CTX *encryption_context,
+                    EVP_CIPHER_CTX *decryption_context);

src/libhashkit/encrypt.cc

@@ -15,20 +15,26 @@
 
 #include "libhashkit/common.h"
 
-hashkit_string_st *hashkit_encrypt(hashkit_st *kit, const char *source, size_t source_length) {
-  return aes_encrypt(static_cast<aes_key_t *>(kit->_key), source, source_length);
+hashkit_string_st *hashkit_encrypt(hashkit_st *kit, const char *source,
+                                   size_t source_length) {
+  return aes_encrypt(kit->encryption_context, (const unsigned char *)source,
+                     source_length);
 }
 
-hashkit_string_st *hashkit_decrypt(hashkit_st *kit, const char *source, size_t source_length) {
-  return aes_decrypt(static_cast<aes_key_t *>(kit->_key), source, source_length);
+hashkit_string_st *hashkit_decrypt(hashkit_st *kit, const char *source,
+                                   size_t source_length) {
+  return aes_decrypt(kit->decryption_context, (const unsigned char *)source,
+                     source_length);
 }
 
-bool hashkit_key(hashkit_st *kit, const char *key, const size_t key_length) {
-  if (kit->_key) {
-    free(kit->_key);
+bool hashkit_initialize_encryption(hashkit_st *kit, const char *key,
+                                   const size_t key_length) {
+  kit->encryption_context = EVP_CIPHER_CTX_new();
+  kit->decryption_context = EVP_CIPHER_CTX_new();
+  if (kit->encryption_context == NULL || kit->decryption_context == NULL) {
+    return false;
   }
-
-  kit->_key = aes_create_key(key, key_length);
-
-  return bool(kit->_key);
-}
+  return kit->use_encryption =
+             aes_initialize((const unsigned char *)key, key_length,
+                            kit->encryption_context, kit->decryption_context);
+}

src/libhashkit/hashkit.cc

@@ -15,6 +15,8 @@
 
 #include "libhashkit/common.h"
 
+#include <openssl/evp.h>
+
 static inline void _hashkit_init(hashkit_st *self) {
   self->base_hash.function = hashkit_one_at_a_time;
   self->base_hash.context = NULL;
@@ -23,7 +25,7 @@ static inline void _hashkit_init(hashkit_st *self) {
   self->distribution_hash.context = NULL;
 
   self->flags.is_base_same_distributed = true;
-  self->_key = NULL;
+  self->use_encryption = false;
 }
 
 static inline hashkit_st *_hashkit_create(hashkit_st *self) {
@@ -53,9 +55,10 @@ hashkit_st *hashkit_create(hashkit_st *self) {
 }
 
 void hashkit_free(hashkit_st *self) {
-  if (self and self->_key) {
-    free(self->_key);
-    self->_key = NULL;
+  if (self and self->use_encryption) {
+    EVP_CIPHER_CTX_free(self->encryption_context);
+    EVP_CIPHER_CTX_free(self->decryption_context);
+    self->use_encryption = false;
   }
 
   if (hashkit_is_allocated(self)) {
@@ -79,7 +82,18 @@ hashkit_st *hashkit_clone(hashkit_st *destination, const hashkit_st *source) {
   destination->base_hash = source->base_hash;
   destination->distribution_hash = source->distribution_hash;
   destination->flags = source->flags;
-  destination->_key = aes_clone_key(static_cast<aes_key_t *>(source->_key));
+  destination->use_encryption = source->use_encryption;
+  if (destination->use_encryption) {
+    destination->encryption_context = EVP_CIPHER_CTX_new();
+    destination->decryption_context = EVP_CIPHER_CTX_new();
+    if (destination->encryption_context == NULL ||
+        destination->decryption_context == NULL)
+      return NULL;
+    EVP_CIPHER_CTX_copy(destination->encryption_context,
+                        source->encryption_context);
+    EVP_CIPHER_CTX_copy(destination->decryption_context,
+                        source->decryption_context);
+  }
 
   return destination;
 }