Working version of libexim-encrypt-dlfunc-decrypt-secretbox

2025-12-06 06:53:56 +01:00 · 2021-09-11 02:06:19 +02:00
parent 41e7c43ab8
commit ad3437f5df
2 changed files with 47 additions and 21 deletions
--- a/src/common.c
+++ b/src/common.c
@ -58,17 +58,14 @@ typedef struct {
    size_t length;
 } Password;

-Password base64_decode_string(const char *input) {
-    Password p;
+void base64_decode_string(const char *input, unsigned char **outstring, size_t *outlen) {
    size_t input_len = strlen(input);
    size_t outmaxlen = input_len / 4 * 3;
-    p.string = malloc(outmaxlen);
-    int b64err = sodium_base642bin(p.string, outmaxlen, (const char *) input, input_len,
-                                   NULL, &p.length, NULL, sodium_base64_VARIANT_ORIGINAL);
+    *outstring = malloc(outmaxlen * sizeof(unsigned char));
+    int b64err = sodium_base642bin(*outstring, outmaxlen, (const char *) input, input_len,
+                                   NULL, outlen, NULL, sodium_base64_VARIANT_ORIGINAL);
    if (b64err != 0) {
        fprintf(stderr, "[ERROR] Unable to base64-decode the password\n");
        exit(EXIT_FAILURE);
    }
-
-    return p;
 }
--- a/src/libexim-encrypt-dlfunc-decrypt-secretbox.c
+++ b/src/libexim-encrypt-dlfunc-decrypt-secretbox.c
@ -30,11 +30,11 @@ typedef enum {
 } seen_args;

 int main(int argc, char *argv[]) {
-    char* prog_basename = basename(argv[0]);
+    char *prog_basename = basename(argv[0]);
    int opt;
    char *cipherstring;
-    size_t pwlen;
-    char *b64password;
+    size_t password_len;
+    char *password;
    char *password_env;

    seen_args mode = NONE;
@ -57,9 +57,9 @@ int main(int argc, char *argv[]) {
    // check environment for LIBEXIM_PASSWORD
    password_env = getenv(ENVVAR_PASSWORD_NAME);
    if (password_env != NULL && strlen(password_env) > 0) {
-        pwlen = strlen(password_env);
-        b64password = malloc(pwlen + 1);
-        strncpy(b64password, password_env, pwlen);
+        password_len = strlen((const char *) password_env);
+        password = malloc(password_len + 1);
+        strncpy(password, password_env, password_len);
        mode |= PASSENV;
    }

@ -69,9 +69,9 @@ int main(int argc, char *argv[]) {
                              long_options, &long_index)) != -1) {
        switch (opt) {
            case 'p':
-                pwlen = strlen(optarg);
-                b64password = malloc(pwlen + 1);
-                strncpy(b64password, optarg, pwlen);
+                password_len = strlen((const char *) optarg);
+                password = malloc(password_len + 1);
+                strncpy(password, optarg, password_len);
                mode |= PASSARG;
                break;
            case 'f':
@ -96,16 +96,45 @@ int main(int argc, char *argv[]) {
        exit(EXIT_FAILURE);
    }

-    // fail if neither argument nor filename is present
+    // fail if neither argument nor filename for ciphertext is present
    if (input == NONE) {
        fprintf(stderr, "[ERROR] Please specify a ciphertext source.\n\n");
        print_usage(prog_basename);
        exit(EXIT_FAILURE);
    }

-    // base64-decode password
-    Password p;
-    p = base64_decode_string(b64password);
+    // Derive key from the password.
+    unsigned char keybytes[crypto_secretbox_KEYBYTES];
+    sodium_memzero(keybytes, crypto_secretbox_KEYBYTES);
+    crypto_generichash(keybytes, crypto_secretbox_KEYBYTES,
+                       (unsigned char *) password, password_len, NULL, 0);

-    printf("»%s« [%zu]\n", p.string, p.length);
+    // base64-decode input
+    unsigned char *ciphertext;
+    size_t ciphertext_len;
+    base64_decode_string(cipherstring, &ciphertext, &ciphertext_len);
+
+    // extract nonce
+    unsigned char nonce[crypto_secretbox_NONCEBYTES];
+    memcpy(nonce, ciphertext, crypto_secretbox_NONCEBYTES);
+
+    // prepare buffer for cleartext
+    if (ciphertext_len < crypto_secretbox_NONCEBYTES + crypto_secretbox_MACBYTES) {
+        fprintf(stderr, "[ERROR] Ciphertext is too small to contain any data.\n\n");
+        exit(EXIT_FAILURE);
+    }
+    size_t cleartext_len = ciphertext_len - crypto_secretbox_NONCEBYTES - crypto_secretbox_MACBYTES;
+    unsigned char *cleartext = (unsigned char *) malloc(cleartext_len + 1);
+    sodium_memzero(cleartext, cleartext_len + 1);
+
+    // decrypt
+    if (crypto_secretbox_open_easy(cleartext, &ciphertext[crypto_secretbox_NONCEBYTES],
+                                   ciphertext_len - crypto_secretbox_NONCEBYTES, nonce, keybytes) == 0) {
+    } else {
+        fprintf(stderr, "[ERROR] Unable to decrypt message.\n\n");
+        exit(EXIT_FAILURE);
+    }
+
+    // print cleartext to stdout
+    fprintf(stdout, "%s", (const char *) cleartext);
 }