Merge remote-tracking branch 'benma/rust-ctaes'

Author: benma

.gitmodules

@@ -1,9 +1,6 @@
 [submodule "external/cryptoauthlib"]
 	path = external/cryptoauthlib
 	url = https://github.com/BitBoxSwiss/cryptoauthlib.git
-[submodule "external/ctaes"]
-	path = external/ctaes
-	url = https://github.com/BitBoxSwiss/ctaes.git
 [submodule "external/libwally-core"]
 	path = external/libwally-core
 	url = https://github.com/BitBoxSwiss/libwally-core.git

external/CMakeLists.txt

@@ -253,11 +253,6 @@ set_property(TARGET fatfs PROPERTY INTERFACE_LINK_LIBRARIES "")
 target_include_directories(fatfs SYSTEM PUBLIC fatfs/source)
 target_compile_options(fatfs PRIVATE -Wno-switch-default)
 
-add_library(ctaes
-  ctaes/ctaes.c
-)
-target_include_directories(ctaes SYSTEM PUBLIC ctaes)
-
 add_library(rtt
   SEGGER_RTT_V796b/RTT/SEGGER_RTT.c
 )

external/ctaes

@@ -485,7 +485,6 @@ if(CMAKE_CROSSCOMPILING)
         optiga
         cryptoauthlib
         fatfs
-        ctaes
         c
         samd51a-ds
         asf4-drivers-min

src/CMakeLists.txt

@@ -13,154 +13,34 @@
 // limitations under the License.
 
 #include "cipher.h"
-#include <ctaes.h>
-
-#include <stdlib.h>
-#include <string.h>
 
 #include <random.h>
-#include <util.h>
-#include <wally_crypto.h>
+#include <rust/rust.h>
 
 #ifdef TESTING
 #include <mock_cipher.h>
 #endif
 
-#define N_BLOCK (16U)
-// Used to sanity-check input to avoid large stack allocations
-#define CIPHER_MAX_ALLOC (200U)
-
-static bool _derive_hmac_keys(
-    const uint8_t* secret,
-    uint8_t* encryption_key_out,
-    uint8_t* authentication_key_out)
-{
-    uint8_t hash[64];
-    UTIL_CLEANUP_64(hash);
-    if (wally_sha512(secret, 32, hash, sizeof(hash)) != WALLY_OK) {
-        return false;
-    }
-    memcpy(encryption_key_out, hash, 32);
-    memcpy(authentication_key_out, hash + 32, 32);
-    return true;
-}
-
-// out_len must be at least in_len + N_BLOCK + N_BLOCK
-// necessary in_len/out_len range checks are done in cipher_aes_hmac_encrypt().
-static bool _aes_encrypt(
-    const uint8_t* in,
+bool cipher_aes_hmac_encrypt(
+    const unsigned char* in,
     size_t in_len,
     uint8_t* out,
     size_t* out_len,
-    const uint8_t* key)
+    const uint8_t* secret)
 {
-    if (in_len > CIPHER_MAX_ALLOC) {
-        return false;
-    }
-    size_t padlen = N_BLOCK - in_len % N_BLOCK;
-    size_t inpadlen = in_len + padlen;
-    uint8_t inpad[inpadlen];
-    *out_len = inpadlen + N_BLOCK;
-
-    // PKCS7 padding
-    memcpy(inpad, in, in_len);
-    for (size_t i = 0; i < padlen; i++) {
-        inpad[in_len + i] = padlen;
-    }
-
     uint8_t iv[32] = {0}; // only 16 bytes needed for IV.
 #ifdef TESTING
     cipher_mock_iv(iv);
 #else
     random_32_bytes(iv);
 #endif
-    memcpy(out, iv, N_BLOCK);
-
-    AES256_CBC_ctx ctx = {0};
-    AES256_CBC_init(&ctx, key, iv);
-    AES256_CBC_encrypt(&ctx, inpadlen / N_BLOCK, out + N_BLOCK, inpad);
-    *out_len = inpadlen + N_BLOCK;
-
-    util_zero(inpad, inpadlen);
-    util_zero(&ctx, sizeof(ctx));
-    return true;
-}
-
-bool cipher_aes_hmac_encrypt(
-    const unsigned char* in,
-    size_t in_len,
-    uint8_t* out,
-    size_t* out_len,
-    const uint8_t* secret)
-{
-    // in_len + iv + pad + hmac
-    if (*out_len != in_len + N_BLOCK + N_BLOCK + 32) {
-        return false;
-    }
-    uint8_t encryption_key[32];
-    UTIL_CLEANUP_32(encryption_key);
-    uint8_t authentication_key[32];
-    UTIL_CLEANUP_32(authentication_key);
-    if (!_derive_hmac_keys(secret, encryption_key, authentication_key)) {
-        return false;
-    }
-
-    size_t encrypt_len = in_len + 32;
-    if (!_aes_encrypt(in, in_len, out, &encrypt_len, encryption_key)) {
-        return false;
-    }
-
-    *out_len = encrypt_len + 32;
-
-    return wally_hmac_sha256(
-               authentication_key,
-               sizeof(authentication_key),
-               out,
-               encrypt_len,
-               out + encrypt_len,
-               32) == WALLY_OK;
-}
-
-// necessary in_len/out_len range checks are done in cipher_aes_hmac_decrypt().
-static bool _aes_decrypt(
-    const uint8_t* in,
-    size_t in_len,
-    uint8_t* out,
-    size_t* out_len,
-    const uint8_t* key)
-{
-    if (in_len > CIPHER_MAX_ALLOC) {
-        return false;
-    }
-    uint8_t dec_pad[in_len - N_BLOCK];
-    const uint8_t* iv = in; // first 16 bytes
-
-    AES256_CBC_ctx ctx = {0};
-    AES256_CBC_init(&ctx, key, iv);
-    AES256_CBC_decrypt(&ctx, in_len / N_BLOCK - 1, dec_pad, in + N_BLOCK);
-
-    // Strip PKCS7 padding
-    uint8_t padlen = dec_pad[in_len - N_BLOCK - 1];
-    if (padlen > N_BLOCK) {
-        goto error;
-    }
-    if (in_len < N_BLOCK + padlen) {
-        goto error;
-    }
-    for (size_t i = 0; i < padlen; i++) {
-        if (dec_pad[in_len - N_BLOCK - 1 - i] != padlen) {
-            goto error;
-        }
-    }
-    memcpy(out, dec_pad, in_len - N_BLOCK - padlen);
-    *out_len = in_len - N_BLOCK - padlen;
-    util_zero(dec_pad, sizeof(dec_pad));
-    util_zero(&ctx, sizeof(ctx));
+    rust_cipher_encrypt(
+        rust_util_bytes(iv, 16),
+        rust_util_bytes(secret, 32),
+        rust_util_bytes(in, in_len),
+        rust_util_bytes_mut(out, *out_len),
+        out_len);
     return true;
-error:
-    util_zero(dec_pad, sizeof(dec_pad));
-    util_zero(&ctx, sizeof(ctx));
-    return false;
 }
 
 bool cipher_aes_hmac_decrypt(
@@ -170,38 +50,9 @@ bool cipher_aes_hmac_decrypt(
     size_t* out_len,
     const uint8_t* key)
 {
-    // iv + pad + hmac
-    if (in_len < N_BLOCK + N_BLOCK + 32) {
-        return false;
-    }
-    // have space for at least in_len - iv - hmac
-    if (*out_len != in_len - N_BLOCK - 32) {
-        return false;
-    }
-
-    uint8_t encryption_key[32];
-    UTIL_CLEANUP_32(encryption_key);
-    uint8_t authentication_key[32];
-    UTIL_CLEANUP_32(authentication_key);
-
-    if (!_derive_hmac_keys(key, encryption_key, authentication_key)) {
-        return false;
-    }
-
-    uint8_t hmac[32];
-    UTIL_CLEANUP_32(hmac);
-    if (wally_hmac_sha256(
-            authentication_key,
-            sizeof(authentication_key),
-            in,
-            in_len - sizeof(hmac),
-            hmac,
-            sizeof(hmac)) != WALLY_OK) {
-        return false;
-    }
-
-    if (!MEMEQ(hmac, in + in_len - sizeof(hmac), sizeof(hmac))) {
-        return false;
-    }
-    return _aes_decrypt(in, in_len - sizeof(hmac), out, out_len, encryption_key);
+    return rust_cipher_decrypt(
+        rust_util_bytes(key, 32),
+        rust_util_bytes(in, in_len),
+        rust_util_bytes_mut(out, *out_len),
+        out_len);
 }

src/cipher/cipher.c

@@ -23,6 +23,7 @@ members = [
     "bitbox02-sys",
     "erc20_params",
     "streaming-silent-payments",
+    "bitbox-aes",
 ]
 
 resolver = "2"
@@ -73,3 +74,7 @@ codegen-units = 1
 panic = 'unwind'
 # Set to false to potentially reduce binary size
 incremental = true
+
+[profile.test]
+debug-assertions = true
+overflow-checks = true

src/rust/Cargo.lock

@@ -0,0 +1 @@
+target

src/rust/Cargo.toml

@@ -0,0 +1,35 @@
+# Copyright 2025 Shift Cryptos AG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+[package]
+name = "bitbox-aes"
+version = "0.1.0"
+authors = ["Shift Crypto AG <[email protected]>"]
+edition = "2024"
+license = "Apache-2.0"
+
+[dependencies]
+bitbox02 = { path = "../bitbox02", optional = true }
+sha2 = { workspace = true }
+hmac = { version = "0.12", default-features = false, features = ["reset"] }
+ctaes = { version = "0.1.0" }
+zeroize = { workspace = true }
+
+[features]
+# We use wally_sha512 over `sha2::Sha512`, which bloats the binary by an additional ~12.7kB (at the
+# time of writing).  This should be enabled for production builds until we can get rid of
+# wally_sha512 completely.  This feature exists so `cargo test` works.
+use-wally-sha512 = [
+  "dep:bitbox02",
+]