数据加密与安全专题《mbedtls工具篇，实用教程4@对称加密算法，AES128算法应用》

什么是对称加密

对称加密算法是一种使用相同的密钥加密明文和解密密文的密码算法，通信双方持有相同的密钥，该密钥被称为共享密钥或对称密钥。第三方窃听到密文后，由于没有密钥，没法解密得到原文。对称加密算法单次只能处理一个固定长度得分组数据，例如AES算法单次只能加密或加密128位数据。当然实际场景中被AES加密或解密得消息长度往往不是128位或者128位的整倍，于是AES算法制定了分组密码模式和消息填充方法。

如上电脑A向电脑B的密文传输过程：

• 电脑A使用共享密钥先对明文进行加密，得到密文
• 电脑A向电脑B发送密文
• 电脑B接收到密文后，使用共享密钥对密文进行解密，得到明文
• 第三方窃听者截获到密文，但是由于没有共享密钥，解密失败，得到一堆加密后的乱码，没有任何参考意义

分组密码模式

• ECB（电子密码本）模式，需要填充

电子密码本（Electronic Codebook）模式是最简单的分组加密模式，将明文进行分组加密，加密结果为密码分组，ECB模式过于简单，存在明显确点，在安全性要求较高的场合一般不使用。

• CBC（密码分组链接）模式，需要填充和IV 

密码分组链接（Cipher Block Chaining）模式中，每一组明文在加密前都与前面的密文分组进行异或操作。由于第一个明文分组前面没有密文分组，所以需要准备一个与密文分组长度相等的比特序列来代替密文分组，这个比特序列被称为初始化向量（Initialization Vector），简称IV。（注意：需要加密、解密双方都是用同样的IV值，否则解密失败）

• CTR（计数器）模式，不需要填充

计数器模式使用与分组长度相同的计数值参与运算，典型的实现方法是通过对逐次累加的计数器进行加密来生成密钥流，通过加密计数器得到的密钥流与明文分组进行异或运算，得到密文分组

与ECB模式和CRC模式相比，CTR模式具有几个优点：

• 软件效率：支持并行计算，提高效率，节省时间
• 随机访问特性：部分密文分组受到破坏也不会影响到其他密文分组的解密过程
• 简单性：CTR模式仅需要加密算法，不需要解密算法，不需要对明文进行填充处理（若明文长度不是分组长度的整数倍，假设最后一个明文分组的长度为L位，那么最后一个明文分组只需与计数器加密结果的左侧L位异或，获得的密文分组长度也就是L位，这种算法结构使得CRT模式不需要对明文进行填充）

消息填充方法

上面说到ECB和CBC模式需要进行消息填充，常用的填充方案有几种，这里介绍下PKCS7填充方法，简记，缺多少填多少，缺什么填什么。

• 例如AES128算法中，分组长度为16字节，若待加密明文为28字节，则需要在明文末尾填充4字节04，使其达到分组长度的整数倍（128bit整数倍）
• 若待加密数据刚好是16字节，需要在明文后面额外填充16字节，并将其全部填充为16（注意，解密需要使用对应的填充方案还原原数据长度，剔除解密内容里面的填充字节，得到原文）

mbedtls工具对称加密算法，AES128算法的实现

AES128算法，参照路径mbedtls/programs/aes/aescrypt2.c

/*
 *  AES-256 file encryption program
 *
 *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
 *  SPDX-License-Identifier: Apache-2.0
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
 *  not use this file except in compliance with the License.
 *  You may obtain a copy of the License at
 *
 *  http://www.apache.org/licenses/LICENSE-2.0
 *
 *  Unless required by applicable law or agreed to in writing, software
 *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
 *  This file is part of mbed TLS (https://tls.mbed.org)
 */
/* Enable definition of fileno() even when compiling with -std=c99. Must be
 * set before config.h, which pulls in glibc's features.h indirectly.
 * Harmless on other platforms. */
#define _POSIX_C_SOURCE 1
 
#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
 
#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
#else
#include <stdio.h>
#include <stdlib.h>
#define mbedtls_fprintf         fprintf
#define mbedtls_printf          printf
#define MBEDTLS_EXIT_SUCCESS    EXIT_SUCCESS
#define MBEDTLS_EXIT_FAILURE    EXIT_FAILURE
#endif /* MBEDTLS_PLATFORM_C */
 
#include "mbedtls/aes.h"
#include "mbedtls/md.h"
 
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
 
#if defined(_WIN32)
#include <windows.h>
#if !defined(_WIN32_WCE)
#include <io.h>
#endif
#else
#include <sys/types.h>
#include <unistd.h>
#endif
 
#define MODE_ENCRYPT    0
#define MODE_DECRYPT    1
 
#define USAGE   \
    "\n  aescrypt2 <mode> <input filename> <output filename> <key>\n" \
    "\n   <mode>: 0 = encrypt, 1 = decrypt\n" \
    "\n  example: aescrypt2 0 file file.aes hex:E76B2413958B00E193\n" \
    "\n"
 
#if !defined(MBEDTLS_AES_C) || !defined(MBEDTLS_SHA256_C) || \
    !defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_MD_C)
int main( void )
{
    mbedtls_printf("MBEDTLS_AES_C and/or MBEDTLS_SHA256_C "
                    "and/or MBEDTLS_FS_IO and/or MBEDTLS_MD_C "
                    "not defined.\n");
    return( 0 );
}
#else
int main( int argc, char *argv[] )
{
    int ret = 0;
    int exit_code = MBEDTLS_EXIT_FAILURE;
 
    unsigned int i, n;
    int mode, lastn;
    size_t keylen;
    FILE *fkey, *fin = NULL, *fout = NULL;
 
    char *p;
 
    unsigned char IV[16];
    unsigned char tmp[16];
    unsigned char key[512];
    unsigned char digest[32];
    unsigned char buffer[1024];
    unsigned char diff;
 
    mbedtls_aes_context aes_ctx;
    mbedtls_md_context_t sha_ctx;
 
#if defined(_WIN32_WCE)
    long filesize, offset;
#elif defined(_WIN32)
       LARGE_INTEGER li_size;
    __int64 filesize, offset;
#else
      off_t filesize, offset;
#endif
 
    mbedtls_aes_init( &aes_ctx );
    mbedtls_md_init( &sha_ctx );
 
    ret = mbedtls_md_setup( &sha_ctx, mbedtls_md_info_from_type( MBEDTLS_MD_SHA256 ), 1 );
    if( ret != 0 )
    {
        mbedtls_printf( "  ! mbedtls_md_setup() returned -0x%04x\n", -ret );
        goto exit;
    }
 
    /*
     * Parse the command-line arguments.
     */
    if( argc != 5 )
    {
        mbedtls_printf( USAGE );
 
#if defined(_WIN32)
        mbedtls_printf( "\n  Press Enter to exit this program.\n" );
        fflush( stdout ); getchar();
#endif
 
        goto exit;
    }
 
    mode = atoi( argv[1] );
    memset( IV,     0, sizeof( IV ) );
    memset( key,    0, sizeof( key ) );
    memset( digest, 0, sizeof( digest ) );
    memset( buffer, 0, sizeof( buffer ) );
 
    if( mode != MODE_ENCRYPT && mode != MODE_DECRYPT )
    {
        mbedtls_fprintf( stderr, "invalide operation mode\n" );
        goto exit;
    }
 
    if( strcmp( argv[2], argv[3] ) == 0 )
    {
        mbedtls_fprintf( stderr, "input and output filenames must differ\n" );
        goto exit;
    }
 
    if( ( fin = fopen( argv[2], "rb" ) ) == NULL )
    {
        mbedtls_fprintf( stderr, "fopen(%s,rb) failed\n", argv[2] );
        goto exit;
    }
 
    if( ( fout = fopen( argv[3], "wb+" ) ) == NULL )
    {
        mbedtls_fprintf( stderr, "fopen(%s,wb+) failed\n", argv[3] );
        goto exit;
    }
 
    /*
     * Read the secret key from file or command line
     */
    if( ( fkey = fopen( argv[4], "rb" ) ) != NULL )
    {
        keylen = fread( key, 1, sizeof( key ), fkey );
        fclose( fkey );
    }
    else
    {
        if( memcmp( argv[4], "hex:", 4 ) == 0 )
        {
            p = &argv[4][4];
            keylen = 0;
 
            while( sscanf( p, "%02X", &n ) > 0 &&
                   keylen < (int) sizeof( key ) )
            {
                key[keylen++] = (unsigned char) n;
                p += 2;
            }
        }
        else
        {
            keylen = strlen( argv[4] );
 
            if( keylen > (int) sizeof( key ) )
                keylen = (int) sizeof( key );
 
            memcpy( key, argv[4], keylen );
        }
    }
 
#if defined(_WIN32_WCE)
    filesize = fseek( fin, 0L, SEEK_END );
#else
#if defined(_WIN32)
    /*
     * Support large files (> 2Gb) on Win32
     */
    li_size.QuadPart = 0;
    li_size.LowPart  =
        SetFilePointer( (HANDLE) _get_osfhandle( _fileno( fin ) ),
                        li_size.LowPart, &li_size.HighPart, FILE_END );
 
    if( li_size.LowPart == 0xFFFFFFFF && GetLastError() != NO_ERROR )
    {
        mbedtls_fprintf( stderr, "SetFilePointer(0,FILE_END) failed\n" );
        goto exit;
    }
 
    filesize = li_size.QuadPart;
#else
    if( ( filesize = lseek( fileno( fin ), 0, SEEK_END ) ) < 0 )
    {
        perror( "lseek" );
        goto exit;
    }
#endif
#endif
 
    if( fseek( fin, 0, SEEK_SET ) < 0 )
    {
        mbedtls_fprintf( stderr, "fseek(0,SEEK_SET) failed\n" );
        goto exit;
    }
 
    if( mode == MODE_ENCRYPT )
    {
        /*
         * Generate the initialization vector as:
         * IV = SHA-256( filesize || filename )[0..15]
         */
        for( i = 0; i < 8; i++ )
            buffer[i] = (unsigned char)( filesize >> ( i << 3 ) );
        p = argv[2];
 
        mbedtls_md_starts( &sha_ctx );
        mbedtls_md_update( &sha_ctx, buffer, 8 );
        mbedtls_md_update( &sha_ctx, (unsigned char *) p, strlen( p ) );
        mbedtls_md_finish( &sha_ctx, digest );
 
        memcpy( IV, digest, 16 );
 
        /*
         * The last four bits in the IV are actually used
         * to store the file size modulo the AES block size.
         */
        lastn = (int)( filesize & 0x0F );
 
        IV[15] = (unsigned char)
            ( ( IV[15] & 0xF0 ) | lastn );
 
        /*
         * Append the IV at the beginning of the output.
         */
        if( fwrite( IV, 1, 16, fout ) != 16 )
        {
            mbedtls_fprintf( stderr, "fwrite(%d bytes) failed\n", 16 );
            goto exit;
        }
 
        /*
         * Hash the IV and the secret key together 8192 times
         * using the result to setup the AES context and HMAC.
         */
        memset( digest, 0,  32 );
        memcpy( digest, IV, 16 );
 
        for( i = 0; i < 8192; i++ )
        {
            mbedtls_md_starts( &sha_ctx );
            mbedtls_md_update( &sha_ctx, digest, 32 );
            mbedtls_md_update( &sha_ctx, key, keylen );
            mbedtls_md_finish( &sha_ctx, digest );
        }
 
        mbedtls_aes_setkey_enc( &aes_ctx, digest, 256 );
        mbedtls_md_hmac_starts( &sha_ctx, digest, 32 );
 
        /*
         * Encrypt and write the ciphertext.
         */
        for( offset = 0; offset < filesize; offset += 16 )
        {
            n = ( filesize - offset > 16 ) ? 16 : (int)
                ( filesize - offset );
 
            if( fread( buffer, 1, n, fin ) != (size_t) n )
            {
                mbedtls_fprintf( stderr, "fread(%d bytes) failed\n", n );
                goto exit;
            }
 
            for( i = 0; i < 16; i++ )
                buffer[i] = (unsigned char)( buffer[i] ^ IV[i] );
 
            mbedtls_aes_crypt_ecb( &aes_ctx, MBEDTLS_AES_ENCRYPT, buffer, buffer );
            mbedtls_md_hmac_update( &sha_ctx, buffer, 16 );
 
            if( fwrite( buffer, 1, 16, fout ) != 16 )
            {
                mbedtls_fprintf( stderr, "fwrite(%d bytes) failed\n", 16 );
                goto exit;
            }
 
            memcpy( IV, buffer, 16 );
        }
 
        /*
         * Finally write the HMAC.
         */
        mbedtls_md_hmac_finish( &sha_ctx, digest );
 
        if( fwrite( digest, 1, 32, fout ) != 32 )
        {
            mbedtls_fprintf( stderr, "fwrite(%d bytes) failed\n", 16 );
            goto exit;
        }
    }
 
    if( mode == MODE_DECRYPT )
    {
        /*
         *  The encrypted file must be structured as follows:
         *
         *        00 .. 15              Initialization Vector
         *        16 .. 31              AES Encrypted Block #1
         *           ..
         *      N*16 .. (N+1)*16 - 1    AES Encrypted Block #N
         *  (N+1)*16 .. (N+1)*16 + 32   HMAC-SHA-256(ciphertext)
         */
        if( filesize < 48 )
        {
            mbedtls_fprintf( stderr, "File too short to be encrypted.\n" );
            goto exit;
        }
 
        if( ( filesize & 0x0F ) != 0 )
        {
            mbedtls_fprintf( stderr, "File size not a multiple of 16.\n" );
            goto exit;
        }
 
        /*
         * Subtract the IV + HMAC length.
         */
        filesize -= ( 16 + 32 );
 
        /*
         * Read the IV and original filesize modulo 16.
         */
        if( fread( buffer, 1, 16, fin ) != 16 )
        {
            mbedtls_fprintf( stderr, "fread(%d bytes) failed\n", 16 );
            goto exit;
        }
 
        memcpy( IV, buffer, 16 );
        lastn = IV[15] & 0x0F;
 
        /*
         * Hash the IV and the secret key together 8192 times
         * using the result to setup the AES context and HMAC.
         */
        memset( digest, 0,  32 );
        memcpy( digest, IV, 16 );
 
        for( i = 0; i < 8192; i++ )
        {
            mbedtls_md_starts( &sha_ctx );
            mbedtls_md_update( &sha_ctx, digest, 32 );
            mbedtls_md_update( &sha_ctx, key, keylen );
            mbedtls_md_finish( &sha_ctx, digest );
        }
 
        mbedtls_aes_setkey_dec( &aes_ctx, digest, 256 );
        mbedtls_md_hmac_starts( &sha_ctx, digest, 32 );
 
        /*
         * Decrypt and write the plaintext.
         */
        for( offset = 0; offset < filesize; offset += 16 )
        {
            if( fread( buffer, 1, 16, fin ) != 16 )
            {
                mbedtls_fprintf( stderr, "fread(%d bytes) failed\n", 16 );
                goto exit;
            }
 
            memcpy( tmp, buffer, 16 );
 
            mbedtls_md_hmac_update( &sha_ctx, buffer, 16 );
            mbedtls_aes_crypt_ecb( &aes_ctx, MBEDTLS_AES_DECRYPT, buffer, buffer );
 
            for( i = 0; i < 16; i++ )
                buffer[i] = (unsigned char)( buffer[i] ^ IV[i] );
 
            memcpy( IV, tmp, 16 );
 
            n = ( lastn > 0 && offset == filesize - 16 )
                ? lastn : 16;
 
            if( fwrite( buffer, 1, n, fout ) != (size_t) n )
            {
                mbedtls_fprintf( stderr, "fwrite(%d bytes) failed\n", n );
                goto exit;
            }
        }
 
        /*
         * Verify the message authentication code.
         */
        mbedtls_md_hmac_finish( &sha_ctx, digest );
 
        if( fread( buffer, 1, 32, fin ) != 32 )
        {
            mbedtls_fprintf( stderr, "fread(%d bytes) failed\n", 32 );
            goto exit;
        }
 
        /* Use constant-time buffer comparison */
        diff = 0;
        for( i = 0; i < 32; i++ )
            diff |= digest[i] ^ buffer[i];
 
        if( diff != 0 )
        {
            mbedtls_fprintf( stderr, "HMAC check failed: wrong key, "
                             "or file corrupted.\n" );
            goto exit;
        }
    }
 
    exit_code = MBEDTLS_EXIT_SUCCESS;
 
exit:
    if( fin )
        fclose( fin );
    if( fout )
        fclose( fout );
 
    /* Zeroize all command line arguments to also cover
       the case when the user has missed or reordered some,
       in which case the key might not be in argv[4]. */
    for( i = 0; i < (unsigned int) argc; i++ )
        memset( argv[i], 0, strlen( argv[i] ) );
 
    memset( IV,     0, sizeof( IV ) );
    memset( key,    0, sizeof( key ) );
    memset( tmp,    0, sizeof( tmp ) );
    memset( buffer, 0, sizeof( buffer ) );
    memset( digest, 0, sizeof( digest ) );
 
    mbedtls_aes_free( &aes_ctx );
    mbedtls_md_free( &sha_ctx );
 
    return( exit_code );
}
#endif /* MBEDTLS_AES_C && MBEDTLS_SHA256_C && MBEDTLS_FS_IO */

使用示例：（注意模式与填充方法，新人经常在这里犯错）

开发过程中的排错方法：

• 确认双方都是使用AES128对称解密算法
• 确认双方密钥的正确性，建议统一转化成二进制数据来排查，注意大端/小端问题
• 确认使用的分组模式一致，使用ECB、CBC模式注意填充方法一致，使用CBC同时要求IV一致