/tmp/bitcoin/src/wallet/crypter.cpp

Source
// Copyright (c) 2009-present The Bitcoin Core developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.

#include <wallet/crypter.h>

#include <common/system.h>
#include <crypto/aes.h>
#include <crypto/sha512.h>

#include <type_traits>
#include <vector>

namespace wallet {
int CCrypter::BytesToKeySHA512AES(const std::span<const unsigned char> salt, const SecureString& key_data, int count, unsigned char* key, unsigned char* iv) const
{
    // This mimics the behavior of openssl's EVP_BytesToKey with an aes256cbc
    // cipher and sha512 message digest. Because sha512's output size (64b) is
    // greater than the aes256 block size (16b) + aes256 key size (32b),
    // there's no need to process more than once (D_0).

    if(!count || !key || !iv)
        return 0;

    unsigned char buf[CSHA512::OUTPUT_SIZE];
    CSHA512 di;

    di.Write(UCharCast(key_data.data()), key_data.size());
    di.Write(salt.data(), salt.size());
    di.Finalize(buf);

    for(int i = 0; i != count - 1; i++)
        di.Reset().Write(buf, sizeof(buf)).Finalize(buf);

    memcpy(key, buf, WALLET_CRYPTO_KEY_SIZE);
    memcpy(iv, buf + WALLET_CRYPTO_KEY_SIZE, WALLET_CRYPTO_IV_SIZE);
    memory_cleanse(buf, sizeof(buf));
    return WALLET_CRYPTO_KEY_SIZE;
}

bool CCrypter::SetKeyFromPassphrase(const SecureString& key_data, const std::span<const unsigned char> salt, const unsigned int rounds, const unsigned int derivation_method)
{
    if (rounds < 1 || salt.size() != WALLET_CRYPTO_SALT_SIZE) {
        return false;
    }

    int i = 0;
    if (derivation_method == 0) {
        i = BytesToKeySHA512AES(salt, key_data, rounds, vchKey.data(), vchIV.data());
    }

    if (i != (int)WALLET_CRYPTO_KEY_SIZE)
    {
        memory_cleanse(vchKey.data(), vchKey.size());
        memory_cleanse(vchIV.data(), vchIV.size());
        return false;
    }

    fKeySet = true;
    return true;
}

bool CCrypter::SetKey(const CKeyingMaterial& new_key, const std::span<const unsigned char> new_iv)
{
    if (new_key.size() != WALLET_CRYPTO_KEY_SIZE || new_iv.size() != WALLET_CRYPTO_IV_SIZE) {
        return false;
    }

    memcpy(vchKey.data(), new_key.data(), new_key.size());
    memcpy(vchIV.data(), new_iv.data(), new_iv.size());

    fKeySet = true;
    return true;
}

bool CCrypter::Encrypt(const CKeyingMaterial& vchPlaintext, std::vector<unsigned char> &vchCiphertext) const
{
    if (!fKeySet)
        return false;

    // max ciphertext len for a n bytes of plaintext is
    // n + AES_BLOCKSIZE bytes
    vchCiphertext.resize(vchPlaintext.size() + AES_BLOCKSIZE);

    AES256CBCEncrypt enc(vchKey.data(), vchIV.data(), true);
    size_t nLen = enc.Encrypt(vchPlaintext.data(), vchPlaintext.size(), vchCiphertext.data());
    if(nLen < vchPlaintext.size())
        return false;
    vchCiphertext.resize(nLen);

    return true;
}

bool CCrypter::Decrypt(const std::span<const unsigned char> ciphertext, CKeyingMaterial& plaintext) const
{
    if (!fKeySet)
        return false;

    // plaintext will always be equal to or lesser than length of ciphertext
    plaintext.resize(ciphertext.size());

    AES256CBCDecrypt dec(vchKey.data(), vchIV.data(), true);
    int len = dec.Decrypt(ciphertext.data(), ciphertext.size(), plaintext.data());
    if (len == 0) {
        return false;
    }
    plaintext.resize(len);
    return true;
}

bool EncryptSecret(const CKeyingMaterial& vMasterKey, const CKeyingMaterial &vchPlaintext, const uint256& nIV, std::vector<unsigned char> &vchCiphertext)
{
    CCrypter cKeyCrypter;
    std::vector<unsigned char> chIV(WALLET_CRYPTO_IV_SIZE);
    memcpy(chIV.data(), &nIV, WALLET_CRYPTO_IV_SIZE);
    if(!cKeyCrypter.SetKey(vMasterKey, chIV))
        return false;
    return cKeyCrypter.Encrypt(vchPlaintext, vchCiphertext);
}

bool DecryptSecret(const CKeyingMaterial& master_key, const std::span<const unsigned char> ciphertext, const uint256& iv, CKeyingMaterial& plaintext)
{
    CCrypter key_crypter;
    static_assert(WALLET_CRYPTO_IV_SIZE <= std::remove_reference_t<decltype(iv)>::size());
    const std::span iv_prefix{iv.data(), WALLET_CRYPTO_IV_SIZE};
    if (!key_crypter.SetKey(master_key, iv_prefix)) {
        return false;
    }
    return key_crypter.Decrypt(ciphertext, plaintext);
}

bool DecryptKey(const CKeyingMaterial& master_key, const std::span<const unsigned char> crypted_secret, const CPubKey& pub_key, CKey& key)
{
    CKeyingMaterial secret;
    if (!DecryptSecret(master_key, crypted_secret, pub_key.GetHash(), secret)) {
        return false;
    }

    if (secret.size() != 32) {
        return false;
    }

    key.Set(secret.begin(), secret.end(), pub_key.IsCompressed());
    return key.VerifyPubKey(pub_key);
}
} // namespace wallet

Line	Count	Source
1		// Copyright (c) 2009-present The Bitcoin Core developers
2		// Distributed under the MIT software license, see the accompanying
3		// file COPYING or http://www.opensource.org/licenses/mit-license.php.
4
5		#include <wallet/crypter.h>
6
7		#include <common/system.h>
8		#include <crypto/aes.h>
9		#include <crypto/sha512.h>
10
11		#include <type_traits>
12		#include <vector>
13
14		namespace wallet {
15		int CCrypter::BytesToKeySHA512AES(const std::span<const unsigned char> salt, const SecureString& key_data, int count, unsigned char* key, unsigned char* iv) const
16	231	{
17		// This mimics the behavior of openssl's EVP_BytesToKey with an aes256cbc
18		// cipher and sha512 message digest. Because sha512's output size (64b) is
19		// greater than the aes256 block size (16b) + aes256 key size (32b),
20		// there's no need to process more than once (D_0).
21
22	231	if(!count \|\| !key \|\| !iv)
23	0	return 0;
24
25	231	unsigned char buf[CSHA512::OUTPUT_SIZE];
26	231	CSHA512 di;
27
28	231	di.Write(UCharCast(key_data.data()), key_data.size());
29	231	di.Write(salt.data(), salt.size());
30	231	di.Finalize(buf);
31
32	7.30M	for(int i = 0; i != count - 1; i++)
33	7.30M	di.Reset().Write(buf, sizeof(buf)).Finalize(buf);
34
35	231	memcpy(key, buf, WALLET_CRYPTO_KEY_SIZE);
36	231	memcpy(iv, buf + WALLET_CRYPTO_KEY_SIZE, WALLET_CRYPTO_IV_SIZE);
37	231	memory_cleanse(buf, sizeof(buf));
38	231	return WALLET_CRYPTO_KEY_SIZE;
39	231	}
40
41		bool CCrypter::SetKeyFromPassphrase(const SecureString& key_data, const std::span<const unsigned char> salt, const unsigned int rounds, const unsigned int derivation_method)
42	231	{
43	231	if (rounds < 1 \|\| salt.size() != WALLET_CRYPTO_SALT_SIZE) {
44	0	return false;
45	0	}
46
47	231	int i = 0;
48	231	if (derivation_method == 0) {
49	231	i = BytesToKeySHA512AES(salt, key_data, rounds, vchKey.data(), vchIV.data());
50	231	}
51
52	231	if (i != (int)WALLET_CRYPTO_KEY_SIZE)
53	0	{
54	0	memory_cleanse(vchKey.data(), vchKey.size());
55	0	memory_cleanse(vchIV.data(), vchIV.size());
56	0	return false;
57	0	}
58
59	231	fKeySet = true;
60	231	return true;
61	231	}
62
63		bool CCrypter::SetKey(const CKeyingMaterial& new_key, const std::span<const unsigned char> new_iv)
64	3.27k	{
65	3.27k	if (new_key.size() != WALLET_CRYPTO_KEY_SIZE \|\| new_iv.size() != WALLET_CRYPTO_IV_SIZE) {
66	0	return false;
67	0	}
68
69	3.27k	memcpy(vchKey.data(), new_key.data(), new_key.size());
70	3.27k	memcpy(vchIV.data(), new_iv.data(), new_iv.size());
71
72	3.27k	fKeySet = true;
73	3.27k	return true;
74	3.27k	}
75
76		bool CCrypter::Encrypt(const CKeyingMaterial& vchPlaintext, std::vector<unsigned char> &vchCiphertext) const
77	3.62k	{
78	3.62k	if (!fKeySet)
79	0	return false;
80
81		// max ciphertext len for a n bytes of plaintext is
82		// n + AES_BLOCKSIZE bytes
83	3.62k	vchCiphertext.resize(vchPlaintext.size() + AES_BLOCKSIZE);
84
85	3.62k	AES256CBCEncrypt enc(vchKey.data(), vchIV.data(), true);
86	3.62k	size_t nLen = enc.Encrypt(vchPlaintext.data(), vchPlaintext.size(), vchCiphertext.data());
87	3.62k	if(nLen < vchPlaintext.size())
88	0	return false;
89	3.62k	vchCiphertext.resize(nLen);
90
91	3.62k	return true;
92	3.62k	}
93
94		bool CCrypter::Decrypt(const std::span<const unsigned char> ciphertext, CKeyingMaterial& plaintext) const
95	6.52k	{
96	6.52k	if (!fKeySet)
97	0	return false;
98
99		// plaintext will always be equal to or lesser than length of ciphertext
100	6.52k	plaintext.resize(ciphertext.size());
101
102	6.52k	AES256CBCDecrypt dec(vchKey.data(), vchIV.data(), true);
103	6.52k	int len = dec.Decrypt(ciphertext.data(), ciphertext.size(), plaintext.data());
104	6.52k	if (len == 0) {
105	114	return false;
106	114	}
107	6.41k	plaintext.resize(len);
108	6.41k	return true;
109	6.52k	}
110
111		bool EncryptSecret(const CKeyingMaterial& vMasterKey, const CKeyingMaterial &vchPlaintext, const uint256& nIV, std::vector<unsigned char> &vchCiphertext)
112	265	{
113	265	CCrypter cKeyCrypter;
114	265	std::vector<unsigned char> chIV(WALLET_CRYPTO_IV_SIZE);
115	265	memcpy(chIV.data(), &nIV, WALLET_CRYPTO_IV_SIZE);
116	265	if(!cKeyCrypter.SetKey(vMasterKey, chIV))
117	0	return false;
118	265	return cKeyCrypter.Encrypt(vchPlaintext, vchCiphertext);
119	265	}
120
121		bool DecryptSecret(const CKeyingMaterial& master_key, const std::span<const unsigned char> ciphertext, const uint256& iv, CKeyingMaterial& plaintext)
122	3.00k	{
123	3.00k	CCrypter key_crypter;
124	3.00k	static_assert(WALLET_CRYPTO_IV_SIZE <= std::remove_reference_t<decltype(iv)>::size());
125	3.00k	const std::span iv_prefix{iv.data(), WALLET_CRYPTO_IV_SIZE};
126	3.00k	if (!key_crypter.SetKey(master_key, iv_prefix)) {
127	0	return false;
128	0	}
129	3.00k	return key_crypter.Decrypt(ciphertext, plaintext);
130	3.00k	}
131
132		bool DecryptKey(const CKeyingMaterial& master_key, const std::span<const unsigned char> crypted_secret, const CPubKey& pub_key, CKey& key)
133	3.00k	{
134	3.00k	CKeyingMaterial secret;
135	3.00k	if (!DecryptSecret(master_key, crypted_secret, pub_key.GetHash(), secret)) {
136	0	return false;
137	0	}
138
139	3.00k	if (secret.size() != 32) {
140	0	return false;
141	0	}
142
143	3.00k	key.Set(secret.begin(), secret.end(), pub_key.IsCompressed());
144	3.00k	return key.VerifyPubKey(pub_key);
145	3.00k	}
146		} // namespace wallet

Coverage Report

Created: 2026-04-29 19:21