Overview
Comment: | Improved key and iv storage to use zero padded buffer to ensure no buffer overrun in OpenSSL API if string pointer is used. Added cipher default option for encrypt and decrypt. Pass data as last arg without -data option. |
---|---|
Downloads: | Tarball | ZIP archive | SQL archive |
Timelines: | family | ancestors | descendants | both | crypto |
Files: | files | file ages | folders |
SHA3-256: |
191f8b29bcc65c287bbc1992f4af579d |
User & Date: | bohagan on 2023-12-04 00:30:53 |
Other Links: | branch diff | manifest | tags |
Context
2023-12-04
| ||
03:56 | Split list operations into separate functions to make it easier for OpenSSL 3.0 changes. Added pkey list function. Added mac info and pkey info placeholder functions. More checks for NULL pointers. Moved legacy load ciphers and digest to init routine. check-in: 9e6e94200c user: bohagan tags: crypto | |
00:30 | Improved key and iv storage to use zero padded buffer to ensure no buffer overrun in OpenSSL API if string pointer is used. Added cipher default option for encrypt and decrypt. Pass data as last arg without -data option. check-in: 191f8b29bc user: bohagan tags: crypto | |
2023-12-03
| ||
05:44 | Updated documentation for encrypt and decrypt commands check-in: 193afd38ea user: bohagan tags: crypto | |
Changes
Modified generic/tlsEncrypt.c from [ad8deb9393] to [2a45eea685].
︙ | ︙ | |||
134 135 136 137 138 139 140 | * No result or error message * *------------------------------------------------------------------- */ int EncryptInitialize(Tcl_Interp *interp, int type, EVP_CIPHER_CTX **ctx, Tcl_Obj *cipherObj, Tcl_Obj *keyObj, Tcl_Obj *ivObj) { const EVP_CIPHER *cipher; | | | > > > > > | | > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > | 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 | * No result or error message * *------------------------------------------------------------------- */ int EncryptInitialize(Tcl_Interp *interp, int type, EVP_CIPHER_CTX **ctx, Tcl_Obj *cipherObj, Tcl_Obj *keyObj, Tcl_Obj *ivObj) { const EVP_CIPHER *cipher; char *cipherName = NULL, *keyString = NULL, *ivString = NULL; int cipher_len = 0, key_len = 0, iv_len = 0, res, max; unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH]; dprintf("Called"); /* Init buffers */ memset(key, 0, EVP_MAX_KEY_LENGTH); memset(iv, 0, EVP_MAX_IV_LENGTH); /* Get encryption parameters */ if (cipherObj != NULL) { cipherName = Tcl_GetStringFromObj(cipherObj, &cipher_len); } if (keyObj != NULL) { keyString = Tcl_GetByteArrayFromObj(keyObj, &key_len); } if (ivObj != NULL) { ivString = Tcl_GetByteArrayFromObj(ivObj, &iv_len); } /* Get cipher name */ #if OPENSSL_VERSION_NUMBER < 0x30000000L cipher = EVP_get_cipherbyname(cipherName); #else cipher = EVP_CIPHER_fetch(NULL, cipherName, NULL); #endif if (cipher == NULL) { Tcl_AppendResult(interp, "Invalid cipher: \"", cipherName, "\"", NULL); return TCL_ERROR; } if (key_len > 0) { #if OPENSSL_VERSION_NUMBER < 0x30000000L max = EVP_CIPHER_key_length(cipher); #else max = EVP_CIPHER_get_key_length(cipher); #endif if (max == 0) { } else if (key_len <= max) { memcpy((void *) key, (const void *) keyString, (size_t) key_len); } else { Tcl_SetObjResult(interp, Tcl_ObjPrintf("Key too long. Must be <= %d bytes", max)); return TCL_ERROR; } } if (iv_len > 0) { #if OPENSSL_VERSION_NUMBER < 0x30000000L max = EVP_CIPHER_iv_length(cipher); #else max = EVP_CIPHER_get_iv_length(cipher); #endif if (max == 0) { } else if (iv_len <= max) { memcpy((void *) iv, (const void *) ivString, (size_t) iv_len); } else { Tcl_SetObjResult(interp, Tcl_ObjPrintf("IV too long. Must be <= %d bytes", max)); return TCL_ERROR; } } /* Create and initialize the context */ if((*ctx = EVP_CIPHER_CTX_new()) == NULL) { Tcl_AppendResult(interp, "Memory allocation error", (char *) NULL); return TCL_ERROR; } |
︙ | ︙ | |||
1175 1176 1177 1178 1179 1180 1181 | * *------------------------------------------------------------------- */ static int EncryptMain(int type, Tcl_Interp *interp, int objc, Tcl_Obj *const objv[]) { Tcl_Obj *cipherObj = NULL, *cmdObj = NULL, *dataObj = NULL, *digestObj = NULL; Tcl_Obj *inFileObj = NULL, *outFileObj = NULL, *keyObj = NULL, *ivObj = NULL, *macObj = NULL; const char *channel = NULL, *opt; | | > > > > > > > > > | | 1210 1211 1212 1213 1214 1215 1216 1217 1218 1219 1220 1221 1222 1223 1224 1225 1226 1227 1228 1229 1230 1231 1232 1233 1234 1235 1236 1237 1238 1239 1240 1241 1242 1243 1244 1245 1246 1247 | * *------------------------------------------------------------------- */ static int EncryptMain(int type, Tcl_Interp *interp, int objc, Tcl_Obj *const objv[]) { Tcl_Obj *cipherObj = NULL, *cmdObj = NULL, *dataObj = NULL, *digestObj = NULL; Tcl_Obj *inFileObj = NULL, *outFileObj = NULL, *keyObj = NULL, *ivObj = NULL, *macObj = NULL; const char *channel = NULL, *opt; int idx, res, start = 1; dprintf("Called"); /* Clear interp result */ Tcl_ResetResult(interp); /* Validate arg count */ if (objc < 3 || objc > 12) { Tcl_WrongNumArgs(interp, 1, objv, "-cipher name ?-digest name? -key key ?-iv string? ?-mac name? [-channel chan | -command cmdName | -infile filename -outfile filename | -data data]"); return TCL_ERROR; } /* Special case of first arg is cipher */ opt = Tcl_GetStringFromObj(objv[start], NULL); if (opt[0] != '-') { if (type == TYPE_ENCRYPT || type == TYPE_DECRYPT) { cipherObj = objv[start]; start++; } } /* Get options */ for (idx = start; idx < objc; idx++) { opt = Tcl_GetStringFromObj(objv[idx], NULL); if (opt[0] != '-') { break; } OPTSTR("-chan", channel); |
︙ | ︙ | |||
1211 1212 1213 1214 1215 1216 1217 1218 1219 1220 1221 1222 1223 1224 | OPTOBJ("-key", keyObj); OPTOBJ("-iv", ivObj); OPTOBJ("-mac", macObj); OPTBAD("option", "-chan, -channel, -cipher, -command, -data, -digest, -infile, -key, -iv, -mac, -outfile"); return TCL_ERROR; } /* Check for required options */ if (cipherObj == NULL) { Tcl_AppendResult(interp, "No cipher", NULL); } else if (keyObj == NULL) { Tcl_AppendResult(interp, "No key", NULL); return TCL_ERROR; | > > > > > | 1255 1256 1257 1258 1259 1260 1261 1262 1263 1264 1265 1266 1267 1268 1269 1270 1271 1272 1273 | OPTOBJ("-key", keyObj); OPTOBJ("-iv", ivObj); OPTOBJ("-mac", macObj); OPTBAD("option", "-chan, -channel, -cipher, -command, -data, -digest, -infile, -key, -iv, -mac, -outfile"); return TCL_ERROR; } /* If only 1 arg left, it's the data */ if (idx < objc && dataObj == NULL) { dataObj = objv[idx]; } /* Check for required options */ if (cipherObj == NULL) { Tcl_AppendResult(interp, "No cipher", NULL); } else if (keyObj == NULL) { Tcl_AppendResult(interp, "No key", NULL); return TCL_ERROR; |
︙ | ︙ |