Merge branch 'mbedtls'

Replace Crypto++ 5.6.2 with Mbed TLS 3.6.0 Newer compilers are starting to show the age of the crypto library we've been using, as it is sometimes a pain to recompile compass lately. So, the tracked version of Crypto++ was at least due for an upgrade. However, I plan to soon begin reimplementing compass in C. So, I'm taking this opportunity to first just migrate the cryptography library to a newer C alternative. This branch does so, and integrates its use into the current C++ version of compass. * mbedtls: Remove unnecessary exception handler catch block Refactor random password generation to use mbedtls entropy source Refactor SHA256 function to use mbedtls Refactor AES functions to use mbedtls Add Mbedtls library Remove Crypto++ library
author: Malfurious <m@lfurio.us> 2024-10-24 06:44:24 -0400
committer: Malfurious <m@lfurio.us> 2024-10-24 06:44:24 -0400
commit: 512aa4c77b3dc0d72db713a9215ff65a98a99ec3 (patch)
tree: 6db82e0109dc987b5b021f81d4e8a0926eb75ff7 /Cryptor.cpp
parent: 428471d39fb8c205a9fad899c88c30a2cb7df685 (diff)
parent: 10affea371406c0ae4c080e5a19390a8e9bd154b (diff)
download: compass-512aa4c77b3dc0d72db713a9215ff65a98a99ec3.tar.gz
compass-512aa4c77b3dc0d72db713a9215ff65a98a99ec3.zip
1 files changed, 110 insertions, 45 deletions
diff --git a/Cryptor.cpp b/Cryptor.cpp
index 57ded9a..9db2bdc 100644
--- a/Cryptor.cpp
+++ b/Cryptor.cpp
@@ -1,54 +1,98 @@
 #include "Cryptor.h"
 
 bool Cryptor::haveKey = false;
-unsigned char Cryptor::key[CryptoPP::AES::DEFAULT_KEYLENGTH];
+unsigned char Cryptor::key[AES_BLOCK_LENGTH];
+
+static void toHex(char *output, const void *input, size_t size) {
+	const unsigned char *_input = (const unsigned char *)input;
+	for (size_t i = 0; i < size; i++) {
+		sprintf(output+(i*2), "%02hhX", _input[i]);
+	}
+}
+
+static void fromHex(void *output, const char *input) {
+	unsigned char *_output = (unsigned char *)output;
+	size_t size = strlen(input);
+	if (size & 1) {
+		throw 1;
+	} else {
+		size /= 2;
+	}
+	for (size_t i = 0; i < size; i++) {
+		if (sscanf(input+(i*2), "%02hhx", &_output[i]) != 1) {
+			throw 1;
+		}
+	}
+}
 
 void Cryptor::encryptAndSave(std::string remoteHost, std::string port, std::string directory, std::string payload) {
 	// Key
-	if (!haveKey)
+	if (!haveKey) {
 		assembleKey(true);
+	}
 
 	// IV
-	unsigned char iv[CryptoPP::AES::BLOCKSIZE];
-	CryptoPP::AutoSeededRandomPool randl;
-	randl.GenerateBlock(iv, sizeof(iv));
+	unsigned char iv[AES_BLOCK_LENGTH];
+	generateRandom(iv, sizeof(iv));
 
 	// Encrypt
-	std::string cipher;
-	CryptoPP::CBC_Mode<CryptoPP::AES>::Encryption enc(key, sizeof(key), iv);
-	CryptoPP::StringSource(payload, true, new CryptoPP::StreamTransformationFilter(enc, new CryptoPP::StringSink(cipher)));
+	size_t ciphertextLen = 0;
+	unsigned char *ciphertext = new unsigned char[payload.size() + 64];
+	const mbedtls_cipher_info_t *cipherInfo = mbedtls_cipher_info_from_type(MBEDTLS_CIPHER_AES_128_CBC);
+	mbedtls_cipher_context_t cipher;
+
+	mbedtls_cipher_init(&cipher);
+	mbedtls_cipher_setup(&cipher, cipherInfo);
+	mbedtls_cipher_setkey(&cipher, key, sizeof(key)*8, MBEDTLS_ENCRYPT);
+	mbedtls_cipher_set_padding_mode(&cipher, MBEDTLS_PADDING_PKCS7);
+	mbedtls_cipher_crypt(&cipher, iv, sizeof(iv),
+			(const unsigned char *)payload.c_str(), payload.size(),
+			ciphertext, &ciphertextLen);
+	mbedtls_cipher_free(&cipher);
 
 	// Save Data
-	std::string encIV, encCipher;
-	CryptoPP::StringSource(iv, sizeof(iv), true, new CryptoPP::HexEncoder(new CryptoPP::StringSink(encIV)));
-	CryptoPP::StringSource(cipher, true, new CryptoPP::HexEncoder(new CryptoPP::StringSink(encCipher)));
+	char encIV[(AES_BLOCK_LENGTH * 2) + 1];
+	char *encCipher = new char[(ciphertextLen * 2) + 1];
+	toHex(encIV, iv, sizeof(iv));
+	toHex(encCipher, ciphertext, ciphertextLen);
+	std::string _encIV(encIV);
+	std::string _encCipher(encCipher);
+
+	delete[] encCipher;
+	delete[] ciphertext;
+
 	if (remoteHost == "") {
-		if (directory[directory.size() - 1] != '/') directory += "/";
+		if (directory[directory.size() - 1] != '/') {
+			directory += "/";
+		}
 		directory += KEYCHAIN_FILE;
 		std::ofstream f(directory.c_str());
-		f << encIV << std::endl;
-		f << encCipher << std::endl;
+		f << _encIV << std::endl;
+		f << _encCipher << std::endl;
 		f.close();
-	}
-	else {
+	} else {
 		Socket s;
 		std::string err = "";
 		s.conn(remoteHost, port);
 		s.sendline("store");
 		s.sendline(directory);
-		s.sendline(encIV);
-		s.sendline(encCipher);
+		s.sendline(_encIV);
+		s.sendline(_encCipher);
 		err = s.readline();
 		s.clo();
-		if (err != "OK") throw 1;
+		if (err != "OK") {
+			throw 1;
+		}
 	}
 }
 
 std::string Cryptor::loadAndDecrypt(std::string remoteHost, std::string port, std::string directory) {
 	// Load Data
-	std::string encIV, encCipher, ivstr, cipher;
+	std::string encIV, encCipher;
 	if (remoteHost == "") {
-		if (directory[directory.size() - 1] != '/') directory += "/";
+		if (directory[directory.size() - 1] != '/') {
+			directory += "/";
+		}
 		directory += KEYCHAIN_FILE;
 		std::ifstream f(directory.c_str());
 		if (!f.good()) {
@@ -58,8 +102,7 @@ std::string Cryptor::loadAndDecrypt(std::string remoteHost, std::string port, st
 		f >> encIV;
 		f >> encCipher;
 		f.close();
-	}
-	else {
+	} else {
 		Socket s;
 		std::string err = "";
 		s.conn(remoteHost, port);
@@ -74,29 +117,43 @@ std::string Cryptor::loadAndDecrypt(std::string remoteHost, std::string port, st
 		encCipher = s.readline();
 		s.clo();
 	}
-	CryptoPP::StringSource(encIV, true, new CryptoPP::HexDecoder(new CryptoPP::StringSink(ivstr)));
-	CryptoPP::StringSource(encCipher, true, new CryptoPP::HexDecoder(new CryptoPP::StringSink(cipher)));
+
+	// Decode data
+	unsigned char *ciphertext = new unsigned char[encCipher.size() / 2];
+	unsigned char iv[AES_BLOCK_LENGTH];
+	fromHex(ciphertext, encCipher.c_str());
+	fromHex(iv, encIV.c_str());
 
 	// Key
-	if (!haveKey)
+	if (!haveKey) {
 		assembleKey();
-
-	// IV
-	unsigned char iv[CryptoPP::AES::BLOCKSIZE];
-	memcpy(iv, ivstr.c_str(), ivstr.size());
+	}
 
 	// Decrypt
-	std::string payload;
-	CryptoPP::CBC_Mode<CryptoPP::AES>::Decryption dec(key, sizeof(key), iv);
-	CryptoPP::StringSource(cipher, true, new CryptoPP::StreamTransformationFilter(dec, new CryptoPP::StringSink(payload)));
+	size_t plaintextLen = 0;
+	char *plaintext = new char[(encCipher.size() / 2) + 64];
+	const mbedtls_cipher_info_t *cipherInfo = mbedtls_cipher_info_from_type(MBEDTLS_CIPHER_AES_128_CBC);
+	mbedtls_cipher_context_t cipher;
+
+	mbedtls_cipher_init(&cipher);
+	mbedtls_cipher_setup(&cipher, cipherInfo);
+	mbedtls_cipher_setkey(&cipher, key, sizeof(key)*8, MBEDTLS_DECRYPT);
+	mbedtls_cipher_set_padding_mode(&cipher, MBEDTLS_PADDING_PKCS7);
+	mbedtls_cipher_crypt(&cipher, iv, sizeof(iv),
+			ciphertext, (encCipher.size() / 2),
+			(unsigned char *)plaintext, &plaintextLen);
+	mbedtls_cipher_free(&cipher);
+
+	std::string payload(plaintext, plaintextLen);
+
+	delete[] plaintext;
+	delete[] ciphertext;
 
 	return payload;
 }
 
 std::string Cryptor::createRandomPassword(PasswordSpec spec) {
-	CryptoPP::AutoSeededRandomPool randl;
 	std::string password;
-
 	std::vector<char> validChars;
 
 	// Always allow lower-case alphabetic characters
@@ -149,14 +206,11 @@ std::string Cryptor::createRandomPassword(PasswordSpec spec) {
 			validChars.push_back('0' + i);
 	}
 
-
 	// Build string
 	for (int i = 0; i < spec.ml; i++) {
-		unsigned char r[1];
-		char c;
-		randl.GenerateBlock(r, sizeof(r));
-		c = validChars[r[0] % validChars.size()];
-		password += c;
+		unsigned char c;
+		generateRandom(&c, sizeof(c));
+		password += validChars[c % validChars.size()];
 	}
 
 	return password;
@@ -167,13 +221,24 @@ void Cryptor::rekey() {
 }
 
 void Cryptor::sha256(std::string str) {
-	CryptoPP::SHA256 hash;
-	std::string rtr;
-	CryptoPP::StringSource(str, true, new CryptoPP::HashFilter(hash, new CryptoPP::StringSink(rtr), false, CryptoPP::AES::DEFAULT_KEYLENGTH));
-	memcpy(key, rtr.c_str(), rtr.size());
+	unsigned char hashbuf[32];
+	mbedtls_sha256((const unsigned char *)str.c_str(), str.size(), hashbuf, 0);
+	memcpy(key, hashbuf, sizeof(key));
 	haveKey = true;
 }
 
+void Cryptor::generateRandom(void *output, size_t size) {
+	mbedtls_entropy_context entropy;
+	mbedtls_ctr_drbg_context random;
+
+	mbedtls_entropy_init(&entropy);
+	mbedtls_ctr_drbg_init(&random);
+	mbedtls_ctr_drbg_seed(&random, mbedtls_entropy_func, &entropy, NULL, 0);
+	mbedtls_ctr_drbg_random(&random, (unsigned char *)output, size);
+	mbedtls_ctr_drbg_free(&random);
+	mbedtls_entropy_free(&entropy);
+}
+
 std::string Cryptor::readPassword(bool confirm) {
 	std::string password;
author	Malfurious <m@lfurio.us>	2024-10-24 06:44:24 -0400
committer	Malfurious <m@lfurio.us>	2024-10-24 06:44:24 -0400
commit	512aa4c77b3dc0d72db713a9215ff65a98a99ec3 (patch)
tree	6db82e0109dc987b5b021f81d4e8a0926eb75ff7 /Cryptor.cpp
parent	428471d39fb8c205a9fad899c88c30a2cb7df685 (diff)
parent	10affea371406c0ae4c080e5a19390a8e9bd154b (diff)
download	compass-512aa4c77b3dc0d72db713a9215ff65a98a99ec3.tar.gz compass-512aa4c77b3dc0d72db713a9215ff65a98a99ec3.zip