Check-in [191f8b29bc]
Overview
Comment:Improved key and iv storage to use zero padded buffer to ensure no buffer overrun in OpenSSL API if string pointer is used. Added cipher default option for encrypt and decrypt. Pass data as last arg without -data option.
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | crypto
Files: files | file ages | folders
SHA3-256: 191f8b29bcc65c287bbc1992f4af579dbde3afbbb5872866fda2e77fd1f1c0dd
User & Date: bohagan on 2023-12-04 00:30:53
Other Links: branch diff | manifest | tags
Context
2023-12-04
03:56
Split list operations into separate functions to make it easier for OpenSSL 3.0 changes. Added pkey list function. Added mac info and pkey info placeholder functions. More checks for NULL pointers. Moved legacy load ciphers and digest to init routine. check-in: 9e6e94200c user: bohagan tags: crypto
00:30
Improved key and iv storage to use zero padded buffer to ensure no buffer overrun in OpenSSL API if string pointer is used. Added cipher default option for encrypt and decrypt. Pass data as last arg without -data option. check-in: 191f8b29bc user: bohagan tags: crypto
2023-12-03
05:44
Updated documentation for encrypt and decrypt commands check-in: 193afd38ea user: bohagan tags: crypto
Changes
134
135
136
137
138
139
140
141
142



143
144
145




146
147
148
149
150
151

152
153
154

155
156
157
158
159
160
161
162
163
164
165
166






























167
168
169
170
171
172
173
134
135
136
137
138
139
140


141
142
143
144
145
146
147
148
149
150
151
152
153
154
155

156
157
158

159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208







-
-
+
+
+



+
+
+
+





-
+


-
+












+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+







 *	No result or error message
 *
 *-------------------------------------------------------------------
 */
int EncryptInitialize(Tcl_Interp *interp, int type, EVP_CIPHER_CTX **ctx,
	Tcl_Obj *cipherObj, Tcl_Obj *keyObj, Tcl_Obj *ivObj) {
    const EVP_CIPHER *cipher;
    char *cipherName =  NULL, *key = NULL, *iv = NULL;
    int cipher_len = 0, key_len = 0, iv_len = 0, res;
    char *cipherName =  NULL, *keyString = NULL, *ivString = NULL;
    int cipher_len = 0, key_len = 0, iv_len = 0, res, max;
    unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH];

    dprintf("Called");

    /* Init buffers */
    memset(key, 0, EVP_MAX_KEY_LENGTH);
    memset(iv, 0, EVP_MAX_IV_LENGTH);

    /* Get encryption parameters */
    if (cipherObj != NULL) {
	cipherName = Tcl_GetStringFromObj(cipherObj, &cipher_len);
    }
    if (keyObj != NULL) {
	key = Tcl_GetStringFromObj(keyObj, &key_len);
	keyString = Tcl_GetByteArrayFromObj(keyObj, &key_len);
    }
    if (ivObj != NULL) {
	iv = Tcl_GetStringFromObj(ivObj, &iv_len);
	ivString = Tcl_GetByteArrayFromObj(ivObj, &iv_len);
    }

    /* Get cipher name */
#if OPENSSL_VERSION_NUMBER < 0x30000000L
    cipher = EVP_get_cipherbyname(cipherName);
#else
    cipher = EVP_CIPHER_fetch(NULL, cipherName, NULL);
#endif
    if (cipher == NULL) {
	Tcl_AppendResult(interp, "Invalid cipher: \"", cipherName, "\"", NULL);
	return TCL_ERROR;
    }

    if (key_len > 0) {
#if OPENSSL_VERSION_NUMBER < 0x30000000L
	max = EVP_CIPHER_key_length(cipher);
#else
	max = EVP_CIPHER_get_key_length(cipher);
#endif
	if (max == 0) {
	} else if (key_len <= max) {
	    memcpy((void *) key, (const void *) keyString, (size_t) key_len);
	} else {
	    Tcl_SetObjResult(interp, Tcl_ObjPrintf("Key too long. Must be <= %d bytes", max));
	    return TCL_ERROR;
	}
    }

    if (iv_len > 0) {
#if OPENSSL_VERSION_NUMBER < 0x30000000L
	max = EVP_CIPHER_iv_length(cipher);
#else
	max = EVP_CIPHER_get_iv_length(cipher);
#endif
	if (max == 0) {
	} else if (iv_len <= max) {
	    memcpy((void *) iv, (const void *) ivString, (size_t) iv_len);
	} else {
	    Tcl_SetObjResult(interp, Tcl_ObjPrintf("IV too long. Must be <= %d bytes", max));
	    return TCL_ERROR;
	}
    }

    /* Create and initialize the context */
    if((*ctx = EVP_CIPHER_CTX_new()) == NULL) {
	Tcl_AppendResult(interp, "Memory allocation error", (char *) NULL);
	return TCL_ERROR;
    }

1175
1176
1177
1178
1179
1180
1181
1182

1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194









1195
1196

1197
1198
1199
1200
1201
1202
1203
1210
1211
1212
1213
1214
1215
1216

1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239

1240
1241
1242
1243
1244
1245
1246
1247







-
+












+
+
+
+
+
+
+
+
+

-
+







 *
 *-------------------------------------------------------------------
 */
static int EncryptMain(int type, Tcl_Interp *interp, int objc, Tcl_Obj *const objv[]) {
    Tcl_Obj *cipherObj = NULL, *cmdObj = NULL, *dataObj = NULL, *digestObj = NULL;
    Tcl_Obj *inFileObj = NULL, *outFileObj = NULL, *keyObj = NULL, *ivObj = NULL, *macObj = NULL;
    const char *channel = NULL, *opt;
    int res;
    int idx, res, start = 1;

    dprintf("Called");

    /* Clear interp result */
    Tcl_ResetResult(interp);

    /* Validate arg count */
    if (objc < 3 || objc > 12) {
	Tcl_WrongNumArgs(interp, 1, objv, "-cipher name ?-digest name? -key key ?-iv string? ?-mac name? [-channel chan | -command cmdName | -infile filename -outfile filename | -data data]");
	return TCL_ERROR;
    }

    /* Special case of first arg is cipher */
    opt = Tcl_GetStringFromObj(objv[start], NULL);
    if (opt[0] != '-') {
	if (type == TYPE_ENCRYPT || type == TYPE_DECRYPT) {
	    cipherObj = objv[start];
	    start++;
	}
    }

    /* Get options */
    for (int idx = 1; idx < objc; idx++) {
    for (idx = start; idx < objc; idx++) {
	opt = Tcl_GetStringFromObj(objv[idx], NULL);

	if (opt[0] != '-') {
	    break;
	}

	OPTSTR("-chan", channel);
1211
1212
1213
1214
1215
1216
1217





1218
1219
1220
1221
1222
1223
1224
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273







+
+
+
+
+







	OPTOBJ("-key", keyObj);
	OPTOBJ("-iv", ivObj);
	OPTOBJ("-mac", macObj);

	OPTBAD("option", "-chan, -channel, -cipher, -command, -data, -digest, -infile, -key, -iv, -mac, -outfile");
	return TCL_ERROR;
    }

    /* If only 1 arg left, it's the data */
    if (idx < objc && dataObj == NULL) {
	dataObj = objv[idx];
    }

    /* Check for required options */
    if (cipherObj == NULL) {
	Tcl_AppendResult(interp, "No cipher", NULL);
    } else if (keyObj == NULL) {
	Tcl_AppendResult(interp, "No key", NULL);
	return TCL_ERROR;