From 2e655d63410012ec68036df7735f0bd30fc46e54 Mon Sep 17 00:00:00 2001
From: Pol Henarejos
Date: Tue, 29 Mar 2022 18:25:47 +0200
Subject: [PATCH] Fixes with AES encryption
Signed-off-by: Pol Henarejos
---
 src/hsm/dkek.c | 2 +-
 src/hsm/hash_utils.c | 5 +++--
 src/hsm/sc_hsm.c | 8 --------
 3 files changed, 4 insertions(+), 11 deletions(-)
diff --git a/src/hsm/dkek.c b/src/hsm/dkek.c
index 08f3b98..3126e42 100644
--- a/src/hsm/dkek.c
+++ b/src/hsm/dkek.c
@@ -238,7 +238,7 @@ int dkek_encode_key(void *key_ctx, int key_type, uint8_t *out, size_t *out_len)
 if (kb_len < kb_len_pad) {
 kb[kb_len] = 0x80;
 }
- int r = aes_encrypt(kenc, NULL, 32, HSM_AES_MODE_CBC, kb, kb_len_pad);
+ int r = aes_encrypt(kenc, NULL, 256, HSM_AES_MODE_CBC, kb, kb_len_pad);
 if (r != HSM_OK)
 return r;
diff --git a/src/hsm/hash_utils.c b/src/hsm/hash_utils.c
index e7e81eb..f9ff93a 100644
--- a/src/hsm/hash_utils.c
+++ b/src/hsm/hash_utils.c
@@ -103,12 +103,13 @@ int aes_decrypt(const uint8_t *key, const uint8_t *iv, int key_size, int mode, u
 return HSM_EXEC_ERROR;
 if (mode == HSM_AES_MODE_CBC)
 return mbedtls_aes_crypt_cbc(&aes, MBEDTLS_AES_DECRYPT, len, tmp_iv, data, data);
+ r = mbedtls_aes_setkey_enc(&aes, key, key_size); //CFB requires set_enc instead set_dec
 return mbedtls_aes_crypt_cfb128(&aes, MBEDTLS_AES_DECRYPT, len, &iv_offset, tmp_iv, data, data);
 }
 int aes_encrypt_cfb_256(const uint8_t *key, const uint8_t *iv, uint8_t *data, int len) {
- return aes_encrypt(key, iv, 32, HSM_AES_MODE_CFB, data, len);
+ return aes_encrypt(key, iv, 256, HSM_AES_MODE_CFB, data, len);
 }
 int aes_decrypt_cfb_256(const uint8_t *key, const uint8_t *iv, uint8_t *data, int len) {
- return aes_decrypt(key, iv, 32, HSM_AES_MODE_CFB, data, len);
+ return aes_decrypt(key, iv, 256, HSM_AES_MODE_CFB, data, len);
 }
\ No newline at end of file
diff --git a/src/hsm/sc_hsm.c b/src/hsm/sc_hsm.c
index 98484e2..6ecbad3 100644
--- a/src/hsm/sc_hsm.c
+++ b/src/hsm/sc_hsm.c
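Review bot: The added line in dkek_encode_key passes the bare literal 256 through a parameter that the aes_encrypt/aes_decrypt prototypes in hash_utils.c call `key_size`, and the fact that this commit has to change 32 to 256 here and again in the aes_encrypt_cfb_256/aes_decrypt_cfb_256 hunk shows the unit (bits, as the mbedtls_aes_setkey_* calls expect) was already misread as bytes once. A single named constant, e.g. `enum { AES_KEY_BITS_256 = 256 }; /* key_size for aes_encrypt/aes_decrypt is in bits */`, used at all three call sites would make the unit explicit and keep the wrappers in hash_utils.c and this caller from drifting apart again. The same comment belongs on the `int key_size` parameter of aes_encrypt and aes_decrypt in hash_utils.c, where it is not visible in this patch. dkek_encode_key starts and ends outside the hunk.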
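Review bot: The return value of the added `mbedtls_aes_setkey_enc` call in aes_decrypt is stored in `r` but never tested before `mbedtls_aes_crypt_cfb128` runs, whereas the earlier key-schedule call in the same function evidently is checked (the `return HSM_EXEC_ERROR;` context line). If the encrypt schedule fails, for example on a key_size mbedtls rejects, the CFB path now decrypts with a context whose schedule was never set; add `if (r != 0) return HSM_EXEC_ERROR;` directly after the new line. Since the decrypt schedule computed before the mode check is discarded on the CFB path, it would also be clearer to choose `mbedtls_aes_setkey_enc` or `mbedtls_aes_setkey_dec` once, based on `mode`, before any crypt call. aes_decrypt begins outside the hunk, so the earlier setkey call and any context cleanup are not visible here.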
@@ -1130,8 +1130,6 @@ static int cmd_key_gen() {
 int load_private_key_rsa(mbedtls_rsa_context *ctx, file_t *fkey) {
 int key_size = file_read_uint16(fkey->data);
- if (load_dkek() != HSM_OK)
- return SW_EXEC_ERROR();
 uint8_t *kdata = (uint8_t *)calloc(1,key_size);
 memcpy(kdata, file_read(fkey->data+2), key_size);
 if (dkek_decrypt(kdata, key_size) != 0) {
@@ -1170,8 +1168,6 @@ int load_private_key_rsa(mbedtls_rsa_context *ctx, file_t *fkey) {
 int load_private_key_ecdsa(mbedtls_ecdsa_context *ctx, file_t *fkey) {
 int key_size = file_read_uint16(fkey->data);
- if (load_dkek() != HSM_OK)
- return HSM_EXEC_ERROR;
 uint8_t *kdata = (uint8_t *)calloc(1,key_size);
 memcpy(kdata, file_read(fkey->data+2), key_size);
 if (dkek_decrypt(kdata, key_size) != 0) {
@@ -1384,8 +1380,6 @@ static int cmd_decrypt_asym() {
 else if (P2(apdu) == ALGO_EC_DH) {
 mbedtls_ecdh_context ctx;
 int key_size = file_read_uint16(ef->data);
- if (load_dkek() != HSM_OK)
- return SW_EXEC_ERROR();
 uint8_t *kdata = (uint8_t *)calloc(1,key_size);
 memcpy(kdata, file_read(ef->data+2), key_size);
 if (dkek_decrypt(kdata, key_size) != 0) {
@@ -1440,8 +1434,6 @@ static int cmd_cipher_sym() {
 return SW_WRONG_LENGTH();
 }
 int key_size = file_read_uint16(ef->data);
- if (load_dkek() != HSM_OK)
- return SW_EXEC_ERROR();
 uint8_t kdata[32]; //maximum AES key size
 memcpy(kdata, file_read(ef->data+2), key_size);
 if (dkek_decrypt(kdata, key_size) != 0) {
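Review bot: Dropping the `load_dkek()` guard in load_private_key_rsa (and in the same way in load_private_key_ecdsa, cmd_decrypt_asym and cmd_cipher_sym in the three following hunks) makes every caller depend on the DKEK already being available when `dkek_decrypt` runs, and nothing in these hunks shows that dkek_decrypt loads it or reports its absence. If dkek_decrypt does enforce that (not visible here), its definition should say so, e.g. `/* Unwraps kdata in place with the loaded DKEK; returns non-zero if no DKEK is loaded. */`, so the next reader does not reinstate or further remove these checks by guesswork; if it does not, the only thing left between a missing DKEK and the use of mis-decrypted key material is the `!= 0` check that follows. Independently, in this hunk and the next two the `calloc(1,key_size)` result goes straight into `memcpy` without a NULL check; `if (!kdata) return SW_EXEC_ERROR();` (or `HSM_EXEC_ERROR` in load_private_key_ecdsa, which uses that convention) keeps an allocation failure from becoming a null dereference. load_private_key_rsa starts in the hunk and continues past its end.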
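Review bot: In the cmd_cipher_sym hunk `key_size` is read from `ef->data` and copied with `memcpy` into the fixed `uint8_t kdata[32]` without being bounded, so a stored length above 32 overruns the stack buffer before `dkek_decrypt` is ever reached. Add `if (key_size > (int)sizeof kdata) return SW_WRONG_LENGTH();` before the memcpy, reusing the status the function already returns a few lines earlier. The same unvalidated `key_size` also sizes the calloc and memcpy in the other three hunks, where an upper bound matching the largest supported key would be the equivalent check. cmd_cipher_sym starts and ends outside the hunk.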