OpenSSL 内存 BIO 和部分密码块

发布于 2024-12-07 12:43:13 字数 1171 浏览 1 评论 0原文

我在一个架构中使用 OpenSSL，该架构要求我在本地执行加密和解密。

解密函数获取一个在连接另一端加密的缓冲区。加密/解密过程通常工作正常，但对于缓冲区包含部分密码块的情况。

我想我的问题归结为：令 s 为 SSL 对象， buf 为内存缓冲区或加密数据。我为了解密它所做的事情（减去错误处理，线程安全，内存安全等）是沿着

int decDataBufSize = 1000000; //approximation of length of decrypted data
int8_t* decData = (int8_t*)malloc(decDataBufSize*sizeof(int8_t)); //room for the decrypted data to be written into
BIO* bio = BIO_new_mem_buf(encData, decDataBufSize); //set up BIO pointing to the encrypted data
int decDataLength;
BIO_set_close(bio, BIO_NOCLOSE); //This means OpenSSL doesn't try to free the encrypted data buffer
int totalDecData = 0;
for(int remaining_length = buffie->getBuffer()->limit() ; remaining_length > 0 ; )
{
    SSL_set_bio(ssl, bio, bio);
    remaining_length -= BIO_pending(bio);
    int decDataLength = SSL_read(ssl, decData + totalDecData, decDataBufSize - totalDecData);
    totalDecData += decDataLength;
    remaining_length += BIO_pending(bio);
}
return decData;

这似乎工作正常，但对于我在缓冲区中有一部分块的情况。我知道，如果我使用套接字而不是内存 BIO，我会得到一个 SSL_ERROR_WANT_READ，但就我而言，我得到一个最简洁的 SSL_ERROR_SSL（解密失败或坏记录 mac）。

有什么方法可以提前验证我是否拥有完整的区块？

提前致谢

原文

I'm using OpenSSL in an architecture which requires me to perform encryption and decryption locally.

The decryption function gets a buffer which was encrypted on the other side of the connection.
The encryption/decryption process usually works fine, but for the case where the buffer contains a partial cipher block.

I guess my issue boils down to this:
Let s be an SSL object and buf be a memory buffer or encrypted data.
What I do in order to decrypt it (minus error handling, thread safety, memory safety, etc.) is along the lines of

int decDataBufSize = 1000000; //approximation of length of decrypted data
int8_t* decData = (int8_t*)malloc(decDataBufSize*sizeof(int8_t)); //room for the decrypted data to be written into
BIO* bio = BIO_new_mem_buf(encData, decDataBufSize); //set up BIO pointing to the encrypted data
int decDataLength;
BIO_set_close(bio, BIO_NOCLOSE); //This means OpenSSL doesn't try to free the encrypted data buffer
int totalDecData = 0;
for(int remaining_length = buffie->getBuffer()->limit() ; remaining_length > 0 ; )
{
    SSL_set_bio(ssl, bio, bio);
    remaining_length -= BIO_pending(bio);
    int decDataLength = SSL_read(ssl, decData + totalDecData, decDataBufSize - totalDecData);
    totalDecData += decDataLength;
    remaining_length += BIO_pending(bio);
}
return decData;

This seems to be working fine but for the case where I have a part of a block in the buffer.
I know that, had I worked with a socket instead of a memory BIO, I'd get an SSL_ERROR_WANT_READ, but in my case I get a most laconic SSL_ERROR_SSL (decryption failed or bad record mac).

Is there any way I could verify in advance that I have a full block?

Thanks in advance

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

关于从前 2024-12-14 12:43:13

显然解决方案在于BIO_get_mem_data。

大致如下：
#定义 DEC_BUF_SIZE 1000000
静态int buffer_length；
静态 int8_t* 部分块；

int8_t* decrypt(int8_t* ecnData) { 
    int decDataBufSize = 1000000; //approximation of length of decrypted data
    int8_t* decData = (int8_t*)malloc(decDataBufSize*sizeof(int8_t)); //room for the decrypted data to be written into
    if (buffer_length == 0) /*prepend the contents of partial_block to encData somehow*/;
    BIO* bio = BIO_new_mem_buf(encData, decDataBufSize); //set up BIO pointing to the encrypted data
    int decDataLength;
    BIO_set_close(bio, BIO_NOCLOSE); //This means OpenSSL doesn't try to free the encrypted data buffer
    int totalDecData = 0;
    for(int remaining_length = buffie->getBuffer()->limit() ; remaining_length > 0 ; ) {
        buffer_length = BIO_get_mem_data(bio,&partial_block);
        SSL_set_bio(ssl, bio, bio);
        remaining_length -= BIO_pending(bio);
        int decDataLength = SSL_read(ssl, decData + totalDecData, decDataBufSize - totalDecData);
        totalDecData += decDataLength;
        remaining_length += BIO_pending(bio);
    }
return decData;
}

Apparently the solution lies in BIO_get_mem_data.

Something along the lines of:
#define DEC_BUF_SIZE 1000000
static int buffer_length;
static int8_t* partial_block;

int8_t* decrypt(int8_t* ecnData) { 
    int decDataBufSize = 1000000; //approximation of length of decrypted data
    int8_t* decData = (int8_t*)malloc(decDataBufSize*sizeof(int8_t)); //room for the decrypted data to be written into
    if (buffer_length == 0) /*prepend the contents of partial_block to encData somehow*/;
    BIO* bio = BIO_new_mem_buf(encData, decDataBufSize); //set up BIO pointing to the encrypted data
    int decDataLength;
    BIO_set_close(bio, BIO_NOCLOSE); //This means OpenSSL doesn't try to free the encrypted data buffer
    int totalDecData = 0;
    for(int remaining_length = buffie->getBuffer()->limit() ; remaining_length > 0 ; ) {
        buffer_length = BIO_get_mem_data(bio,&partial_block);
        SSL_set_bio(ssl, bio, bio);
        remaining_length -= BIO_pending(bio);
        int decDataLength = SSL_read(ssl, decData + totalDecData, decDataBufSize - totalDecData);
        totalDecData += decDataLength;
        remaining_length += BIO_pending(bio);
    }
return decData;
}

回复收藏 0 原文

~没有更多了~