1 /* 2 * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <stdio.h> 11 #include <stdlib.h> 12 #include <string.h> 13 #include <limits.h> 14 #include "apps.h" 15 #include "progs.h" 16 #include <openssl/bio.h> 17 #include <openssl/err.h> 18 #include <openssl/evp.h> 19 #include <openssl/objects.h> 20 #include <openssl/x509.h> 21 #include <openssl/rand.h> 22 #include <openssl/pem.h> 23 #ifndef OPENSSL_NO_COMP 24 # include <openssl/comp.h> 25 #endif 26 #include <ctype.h> 27 28 #undef SIZE 29 #undef BSIZE 30 #define SIZE (512) 31 #define BSIZE (8*1024) 32 33 static int set_hex(const char *in, unsigned char *out, int size); 34 static void show_ciphers(const OBJ_NAME *name, void *bio_); 35 36 struct doall_enc_ciphers { 37 BIO *bio; 38 int n; 39 }; 40 41 typedef enum OPTION_choice { 42 OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, 43 OPT_LIST, 44 OPT_E, OPT_IN, OPT_OUT, OPT_PASS, OPT_ENGINE, OPT_D, OPT_P, OPT_V, 45 OPT_NOPAD, OPT_SALT, OPT_NOSALT, OPT_DEBUG, OPT_UPPER_P, OPT_UPPER_A, 46 OPT_A, OPT_Z, OPT_BUFSIZE, OPT_K, OPT_KFILE, OPT_UPPER_K, OPT_NONE, 47 OPT_UPPER_S, OPT_IV, OPT_MD, OPT_ITER, OPT_PBKDF2, OPT_CIPHER, 48 OPT_R_ENUM 49 } OPTION_CHOICE; 50 51 const OPTIONS enc_options[] = { 52 {"help", OPT_HELP, '-', "Display this summary"}, 53 {"ciphers", OPT_LIST, '-', "List ciphers"}, 54 {"in", OPT_IN, '<', "Input file"}, 55 {"out", OPT_OUT, '>', "Output file"}, 56 {"pass", OPT_PASS, 's', "Passphrase source"}, 57 {"e", OPT_E, '-', "Encrypt"}, 58 {"d", OPT_D, '-', "Decrypt"}, 59 {"p", OPT_P, '-', "Print the iv/key"}, 60 {"P", OPT_UPPER_P, '-', "Print the iv/key and exit"}, 61 {"v", OPT_V, '-', "Verbose output"}, 62 {"nopad", OPT_NOPAD, '-', "Disable standard block padding"}, 63 {"salt", OPT_SALT, '-', "Use salt in the KDF (default)"}, 64 {"nosalt", OPT_NOSALT, '-', "Do not use salt in the KDF"}, 65 {"debug", OPT_DEBUG, '-', "Print debug info"}, 66 {"a", OPT_A, '-', "Base64 encode/decode, depending on encryption flag"}, 67 {"base64", OPT_A, '-', "Same as option -a"}, 68 {"A", OPT_UPPER_A, '-', 69 "Used with -[base64|a] to specify base64 buffer as a single line"}, 70 {"bufsize", OPT_BUFSIZE, 's', "Buffer size"}, 71 {"k", OPT_K, 's', "Passphrase"}, 72 {"kfile", OPT_KFILE, '<', "Read passphrase from file"}, 73 {"K", OPT_UPPER_K, 's', "Raw key, in hex"}, 74 {"S", OPT_UPPER_S, 's', "Salt, in hex"}, 75 {"iv", OPT_IV, 's', "IV in hex"}, 76 {"md", OPT_MD, 's', "Use specified digest to create a key from the passphrase"}, 77 {"iter", OPT_ITER, 'p', "Specify the iteration count and force use of PBKDF2"}, 78 {"pbkdf2", OPT_PBKDF2, '-', "Use password-based key derivation function 2"}, 79 {"none", OPT_NONE, '-', "Don't encrypt"}, 80 {"", OPT_CIPHER, '-', "Any supported cipher"}, 81 OPT_R_OPTIONS, 82 #ifdef ZLIB 83 {"z", OPT_Z, '-', "Use zlib as the 'encryption'"}, 84 #endif 85 #ifndef OPENSSL_NO_ENGINE 86 {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, 87 #endif 88 {NULL} 89 }; 90 91 int enc_main(int argc, char **argv) 92 { 93 static char buf[128]; 94 static const char magic[] = "Salted__"; 95 ENGINE *e = NULL; 96 BIO *in = NULL, *out = NULL, *b64 = NULL, *benc = NULL, *rbio = 97 NULL, *wbio = NULL; 98 EVP_CIPHER_CTX *ctx = NULL; 99 const EVP_CIPHER *cipher = NULL, *c; 100 const EVP_MD *dgst = NULL; 101 char *hkey = NULL, *hiv = NULL, *hsalt = NULL, *p; 102 char *infile = NULL, *outfile = NULL, *prog; 103 char *str = NULL, *passarg = NULL, *pass = NULL, *strbuf = NULL; 104 char mbuf[sizeof(magic) - 1]; 105 OPTION_CHOICE o; 106 int bsize = BSIZE, verbose = 0, debug = 0, olb64 = 0, nosalt = 0; 107 int enc = 1, printkey = 0, i, k; 108 int base64 = 0, informat = FORMAT_BINARY, outformat = FORMAT_BINARY; 109 int ret = 1, inl, nopad = 0; 110 unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH]; 111 unsigned char *buff = NULL, salt[PKCS5_SALT_LEN]; 112 int pbkdf2 = 0; 113 int iter = 0; 114 long n; 115 struct doall_enc_ciphers dec; 116 #ifdef ZLIB 117 int do_zlib = 0; 118 BIO *bzl = NULL; 119 #endif 120 121 /* first check the program name */ 122 prog = opt_progname(argv[0]); 123 if (strcmp(prog, "base64") == 0) { 124 base64 = 1; 125 #ifdef ZLIB 126 } else if (strcmp(prog, "zlib") == 0) { 127 do_zlib = 1; 128 #endif 129 } else { 130 cipher = EVP_get_cipherbyname(prog); 131 if (cipher == NULL && strcmp(prog, "enc") != 0) { 132 BIO_printf(bio_err, "%s is not a known cipher\n", prog); 133 goto end; 134 } 135 } 136 137 prog = opt_init(argc, argv, enc_options); 138 while ((o = opt_next()) != OPT_EOF) { 139 switch (o) { 140 case OPT_EOF: 141 case OPT_ERR: 142 opthelp: 143 BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); 144 goto end; 145 case OPT_HELP: 146 opt_help(enc_options); 147 ret = 0; 148 goto end; 149 case OPT_LIST: 150 BIO_printf(bio_out, "Supported ciphers:\n"); 151 dec.bio = bio_out; 152 dec.n = 0; 153 OBJ_NAME_do_all_sorted(OBJ_NAME_TYPE_CIPHER_METH, 154 show_ciphers, &dec); 155 BIO_printf(bio_out, "\n"); 156 ret = 0; 157 goto end; 158 case OPT_E: 159 enc = 1; 160 break; 161 case OPT_IN: 162 infile = opt_arg(); 163 break; 164 case OPT_OUT: 165 outfile = opt_arg(); 166 break; 167 case OPT_PASS: 168 passarg = opt_arg(); 169 break; 170 case OPT_ENGINE: 171 e = setup_engine(opt_arg(), 0); 172 break; 173 case OPT_D: 174 enc = 0; 175 break; 176 case OPT_P: 177 printkey = 1; 178 break; 179 case OPT_V: 180 verbose = 1; 181 break; 182 case OPT_NOPAD: 183 nopad = 1; 184 break; 185 case OPT_SALT: 186 nosalt = 0; 187 break; 188 case OPT_NOSALT: 189 nosalt = 1; 190 break; 191 case OPT_DEBUG: 192 debug = 1; 193 break; 194 case OPT_UPPER_P: 195 printkey = 2; 196 break; 197 case OPT_UPPER_A: 198 olb64 = 1; 199 break; 200 case OPT_A: 201 base64 = 1; 202 break; 203 case OPT_Z: 204 #ifdef ZLIB 205 do_zlib = 1; 206 #endif 207 break; 208 case OPT_BUFSIZE: 209 p = opt_arg(); 210 i = (int)strlen(p) - 1; 211 k = i >= 1 && p[i] == 'k'; 212 if (k) 213 p[i] = '\0'; 214 if (!opt_long(opt_arg(), &n) 215 || n < 0 || (k && n >= LONG_MAX / 1024)) 216 goto opthelp; 217 if (k) 218 n *= 1024; 219 bsize = (int)n; 220 break; 221 case OPT_K: 222 str = opt_arg(); 223 break; 224 case OPT_KFILE: 225 in = bio_open_default(opt_arg(), 'r', FORMAT_TEXT); 226 if (in == NULL) 227 goto opthelp; 228 i = BIO_gets(in, buf, sizeof(buf)); 229 BIO_free(in); 230 in = NULL; 231 if (i <= 0) { 232 BIO_printf(bio_err, 233 "%s Can't read key from %s\n", prog, opt_arg()); 234 goto opthelp; 235 } 236 while (--i > 0 && (buf[i] == '\r' || buf[i] == '\n')) 237 buf[i] = '\0'; 238 if (i <= 0) { 239 BIO_printf(bio_err, "%s: zero length password\n", prog); 240 goto opthelp; 241 } 242 str = buf; 243 break; 244 case OPT_UPPER_K: 245 hkey = opt_arg(); 246 break; 247 case OPT_UPPER_S: 248 hsalt = opt_arg(); 249 break; 250 case OPT_IV: 251 hiv = opt_arg(); 252 break; 253 case OPT_MD: 254 if (!opt_md(opt_arg(), &dgst)) 255 goto opthelp; 256 break; 257 case OPT_CIPHER: 258 if (!opt_cipher(opt_unknown(), &c)) 259 goto opthelp; 260 cipher = c; 261 break; 262 case OPT_ITER: 263 if (!opt_int(opt_arg(), &iter)) 264 goto opthelp; 265 pbkdf2 = 1; 266 break; 267 case OPT_PBKDF2: 268 pbkdf2 = 1; 269 if (iter == 0) /* do not overwrite a chosen value */ 270 iter = 10000; 271 break; 272 case OPT_NONE: 273 cipher = NULL; 274 break; 275 case OPT_R_CASES: 276 if (!opt_rand(o)) 277 goto end; 278 break; 279 } 280 } 281 if (opt_num_rest() != 0) { 282 BIO_printf(bio_err, "Extra arguments given.\n"); 283 goto opthelp; 284 } 285 286 if (cipher && EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) { 287 BIO_printf(bio_err, "%s: AEAD ciphers not supported\n", prog); 288 goto end; 289 } 290 291 if (cipher && (EVP_CIPHER_mode(cipher) == EVP_CIPH_XTS_MODE)) { 292 BIO_printf(bio_err, "%s XTS ciphers not supported\n", prog); 293 goto end; 294 } 295 296 if (dgst == NULL) 297 dgst = EVP_sha256(); 298 299 if (iter == 0) 300 iter = 1; 301 302 /* It must be large enough for a base64 encoded line */ 303 if (base64 && bsize < 80) 304 bsize = 80; 305 if (verbose) 306 BIO_printf(bio_err, "bufsize=%d\n", bsize); 307 308 #ifdef ZLIB 309 if (!do_zlib) 310 #endif 311 if (base64) { 312 if (enc) 313 outformat = FORMAT_BASE64; 314 else 315 informat = FORMAT_BASE64; 316 } 317 318 strbuf = app_malloc(SIZE, "strbuf"); 319 buff = app_malloc(EVP_ENCODE_LENGTH(bsize), "evp buffer"); 320 321 if (infile == NULL) { 322 in = dup_bio_in(informat); 323 } else { 324 in = bio_open_default(infile, 'r', informat); 325 } 326 if (in == NULL) 327 goto end; 328 329 if (str == NULL && passarg != NULL) { 330 if (!app_passwd(passarg, NULL, &pass, NULL)) { 331 BIO_printf(bio_err, "Error getting password\n"); 332 goto end; 333 } 334 str = pass; 335 } 336 337 if ((str == NULL) && (cipher != NULL) && (hkey == NULL)) { 338 if (1) { 339 #ifndef OPENSSL_NO_UI_CONSOLE 340 for (;;) { 341 char prompt[200]; 342 343 BIO_snprintf(prompt, sizeof(prompt), "enter %s %s password:", 344 OBJ_nid2ln(EVP_CIPHER_nid(cipher)), 345 (enc) ? "encryption" : "decryption"); 346 strbuf[0] = '\0'; 347 i = EVP_read_pw_string((char *)strbuf, SIZE, prompt, enc); 348 if (i == 0) { 349 if (strbuf[0] == '\0') { 350 ret = 1; 351 goto end; 352 } 353 str = strbuf; 354 break; 355 } 356 if (i < 0) { 357 BIO_printf(bio_err, "bad password read\n"); 358 goto end; 359 } 360 } 361 } else { 362 #endif 363 BIO_printf(bio_err, "password required\n"); 364 goto end; 365 } 366 } 367 368 out = bio_open_default(outfile, 'w', outformat); 369 if (out == NULL) 370 goto end; 371 372 if (debug) { 373 BIO_set_callback(in, BIO_debug_callback); 374 BIO_set_callback(out, BIO_debug_callback); 375 BIO_set_callback_arg(in, (char *)bio_err); 376 BIO_set_callback_arg(out, (char *)bio_err); 377 } 378 379 rbio = in; 380 wbio = out; 381 382 #ifdef ZLIB 383 if (do_zlib) { 384 if ((bzl = BIO_new(BIO_f_zlib())) == NULL) 385 goto end; 386 if (debug) { 387 BIO_set_callback(bzl, BIO_debug_callback); 388 BIO_set_callback_arg(bzl, (char *)bio_err); 389 } 390 if (enc) 391 wbio = BIO_push(bzl, wbio); 392 else 393 rbio = BIO_push(bzl, rbio); 394 } 395 #endif 396 397 if (base64) { 398 if ((b64 = BIO_new(BIO_f_base64())) == NULL) 399 goto end; 400 if (debug) { 401 BIO_set_callback(b64, BIO_debug_callback); 402 BIO_set_callback_arg(b64, (char *)bio_err); 403 } 404 if (olb64) 405 BIO_set_flags(b64, BIO_FLAGS_BASE64_NO_NL); 406 if (enc) 407 wbio = BIO_push(b64, wbio); 408 else 409 rbio = BIO_push(b64, rbio); 410 } 411 412 if (cipher != NULL) { 413 /* 414 * Note that str is NULL if a key was passed on the command line, so 415 * we get no salt in that case. Is this a bug? 416 */ 417 if (str != NULL) { 418 /* 419 * Salt handling: if encrypting generate a salt and write to 420 * output BIO. If decrypting read salt from input BIO. 421 */ 422 unsigned char *sptr; 423 size_t str_len = strlen(str); 424 425 if (nosalt) { 426 sptr = NULL; 427 } else { 428 if (enc) { 429 if (hsalt) { 430 if (!set_hex(hsalt, salt, sizeof(salt))) { 431 BIO_printf(bio_err, "invalid hex salt value\n"); 432 goto end; 433 } 434 } else if (RAND_bytes(salt, sizeof(salt)) <= 0) { 435 goto end; 436 } 437 /* 438 * If -P option then don't bother writing 439 */ 440 if ((printkey != 2) 441 && (BIO_write(wbio, magic, 442 sizeof(magic) - 1) != sizeof(magic) - 1 443 || BIO_write(wbio, 444 (char *)salt, 445 sizeof(salt)) != sizeof(salt))) { 446 BIO_printf(bio_err, "error writing output file\n"); 447 goto end; 448 } 449 } else if (BIO_read(rbio, mbuf, sizeof(mbuf)) != sizeof(mbuf) 450 || BIO_read(rbio, 451 (unsigned char *)salt, 452 sizeof(salt)) != sizeof(salt)) { 453 BIO_printf(bio_err, "error reading input file\n"); 454 goto end; 455 } else if (memcmp(mbuf, magic, sizeof(magic) - 1)) { 456 BIO_printf(bio_err, "bad magic number\n"); 457 goto end; 458 } 459 sptr = salt; 460 } 461 462 if (pbkdf2 == 1) { 463 /* 464 * derive key and default iv 465 * concatenated into a temporary buffer 466 */ 467 unsigned char tmpkeyiv[EVP_MAX_KEY_LENGTH + EVP_MAX_IV_LENGTH]; 468 int iklen = EVP_CIPHER_key_length(cipher); 469 int ivlen = EVP_CIPHER_iv_length(cipher); 470 /* not needed if HASH_UPDATE() is fixed : */ 471 int islen = (sptr != NULL ? sizeof(salt) : 0); 472 if (!PKCS5_PBKDF2_HMAC(str, str_len, sptr, islen, 473 iter, dgst, iklen+ivlen, tmpkeyiv)) { 474 BIO_printf(bio_err, "PKCS5_PBKDF2_HMAC failed\n"); 475 goto end; 476 } 477 /* split and move data back to global buffer */ 478 memcpy(key, tmpkeyiv, iklen); 479 memcpy(iv, tmpkeyiv+iklen, ivlen); 480 } else { 481 BIO_printf(bio_err, "*** WARNING : " 482 "deprecated key derivation used.\n" 483 "Using -iter or -pbkdf2 would be better.\n"); 484 if (!EVP_BytesToKey(cipher, dgst, sptr, 485 (unsigned char *)str, str_len, 486 1, key, iv)) { 487 BIO_printf(bio_err, "EVP_BytesToKey failed\n"); 488 goto end; 489 } 490 } 491 /* 492 * zero the complete buffer or the string passed from the command 493 * line. 494 */ 495 if (str == strbuf) 496 OPENSSL_cleanse(str, SIZE); 497 else 498 OPENSSL_cleanse(str, str_len); 499 } 500 if (hiv != NULL) { 501 int siz = EVP_CIPHER_iv_length(cipher); 502 if (siz == 0) { 503 BIO_printf(bio_err, "warning: iv not used by this cipher\n"); 504 } else if (!set_hex(hiv, iv, siz)) { 505 BIO_printf(bio_err, "invalid hex iv value\n"); 506 goto end; 507 } 508 } 509 if ((hiv == NULL) && (str == NULL) 510 && EVP_CIPHER_iv_length(cipher) != 0) { 511 /* 512 * No IV was explicitly set and no IV was generated. 513 * Hence the IV is undefined, making correct decryption impossible. 514 */ 515 BIO_printf(bio_err, "iv undefined\n"); 516 goto end; 517 } 518 if (hkey != NULL) { 519 if (!set_hex(hkey, key, EVP_CIPHER_key_length(cipher))) { 520 BIO_printf(bio_err, "invalid hex key value\n"); 521 goto end; 522 } 523 /* wiping secret data as we no longer need it */ 524 OPENSSL_cleanse(hkey, strlen(hkey)); 525 } 526 527 if ((benc = BIO_new(BIO_f_cipher())) == NULL) 528 goto end; 529 530 /* 531 * Since we may be changing parameters work on the encryption context 532 * rather than calling BIO_set_cipher(). 533 */ 534 535 BIO_get_cipher_ctx(benc, &ctx); 536 537 if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, enc)) { 538 BIO_printf(bio_err, "Error setting cipher %s\n", 539 EVP_CIPHER_name(cipher)); 540 ERR_print_errors(bio_err); 541 goto end; 542 } 543 544 if (nopad) 545 EVP_CIPHER_CTX_set_padding(ctx, 0); 546 547 if (!EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, enc)) { 548 BIO_printf(bio_err, "Error setting cipher %s\n", 549 EVP_CIPHER_name(cipher)); 550 ERR_print_errors(bio_err); 551 goto end; 552 } 553 554 if (debug) { 555 BIO_set_callback(benc, BIO_debug_callback); 556 BIO_set_callback_arg(benc, (char *)bio_err); 557 } 558 559 if (printkey) { 560 if (!nosalt) { 561 printf("salt="); 562 for (i = 0; i < (int)sizeof(salt); i++) 563 printf("%02X", salt[i]); 564 printf("\n"); 565 } 566 if (EVP_CIPHER_key_length(cipher) > 0) { 567 printf("key="); 568 for (i = 0; i < EVP_CIPHER_key_length(cipher); i++) 569 printf("%02X", key[i]); 570 printf("\n"); 571 } 572 if (EVP_CIPHER_iv_length(cipher) > 0) { 573 printf("iv ="); 574 for (i = 0; i < EVP_CIPHER_iv_length(cipher); i++) 575 printf("%02X", iv[i]); 576 printf("\n"); 577 } 578 if (printkey == 2) { 579 ret = 0; 580 goto end; 581 } 582 } 583 } 584 585 /* Only encrypt/decrypt as we write the file */ 586 if (benc != NULL) 587 wbio = BIO_push(benc, wbio); 588 589 while (BIO_pending(rbio) || !BIO_eof(rbio)) { 590 inl = BIO_read(rbio, (char *)buff, bsize); 591 if (inl <= 0) 592 break; 593 if (BIO_write(wbio, (char *)buff, inl) != inl) { 594 BIO_printf(bio_err, "error writing output file\n"); 595 goto end; 596 } 597 } 598 if (!BIO_flush(wbio)) { 599 BIO_printf(bio_err, "bad decrypt\n"); 600 goto end; 601 } 602 603 ret = 0; 604 if (verbose) { 605 BIO_printf(bio_err, "bytes read : %8ju\n", BIO_number_read(in)); 606 BIO_printf(bio_err, "bytes written: %8ju\n", BIO_number_written(out)); 607 } 608 end: 609 ERR_print_errors(bio_err); 610 OPENSSL_free(strbuf); 611 OPENSSL_free(buff); 612 BIO_free(in); 613 BIO_free_all(out); 614 BIO_free(benc); 615 BIO_free(b64); 616 #ifdef ZLIB 617 BIO_free(bzl); 618 #endif 619 release_engine(e); 620 OPENSSL_free(pass); 621 return ret; 622 } 623 624 static void show_ciphers(const OBJ_NAME *name, void *arg) 625 { 626 struct doall_enc_ciphers *dec = (struct doall_enc_ciphers *)arg; 627 const EVP_CIPHER *cipher; 628 629 if (!islower((unsigned char)*name->name)) 630 return; 631 632 /* Filter out ciphers that we cannot use */ 633 cipher = EVP_get_cipherbyname(name->name); 634 if (cipher == NULL || 635 (EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) != 0 || 636 EVP_CIPHER_mode(cipher) == EVP_CIPH_XTS_MODE) 637 return; 638 639 BIO_printf(dec->bio, "-%-25s", name->name); 640 if (++dec->n == 3) { 641 BIO_printf(dec->bio, "\n"); 642 dec->n = 0; 643 } else 644 BIO_printf(dec->bio, " "); 645 } 646 647 static int set_hex(const char *in, unsigned char *out, int size) 648 { 649 int i, n; 650 unsigned char j; 651 652 i = size * 2; 653 n = strlen(in); 654 if (n > i) { 655 BIO_printf(bio_err, "hex string is too long, ignoring excess\n"); 656 n = i; /* ignore exceeding part */ 657 } else if (n < i) { 658 BIO_printf(bio_err, "hex string is too short, padding with zero bytes to length\n"); 659 } 660 661 memset(out, 0, size); 662 for (i = 0; i < n; i++) { 663 j = (unsigned char)*in++; 664 if (!isxdigit(j)) { 665 BIO_printf(bio_err, "non-hex digit\n"); 666 return 0; 667 } 668 j = (unsigned char)OPENSSL_hexchar2int(j); 669 if (i & 1) 670 out[i / 2] |= j; 671 else 672 out[i / 2] = (j << 4); 673 } 674 return 1; 675 } 676