The encryption routine takes two parameters – the file descriptors of input file and the output file to which the encrypted data is to be saved. It is always a good idea to zero-fill your buffers using the memset or bzero commands before using the buffers with data. This is especially important if you plan to reuse the buffers. In the program below, the input data is being encrypted in blocks of 1K each.
The steps for encryption are as follows :-
- Create a cipher context
- Initialize the cipher context with the values of Key and IV
- Call EVP_EncryptUpdate to encrypt successive blocks of 1k eack
- Call EVP_EncryptFinal to encrypt “leftover” data
- Finally call EVP_CIPHER_CTX_cleanup to discard all the sensitive information from memory
You may be wondering what “leftover” data is? As mentioned earlier, Blowfish encrypts information in blocks of 64-bit each. Sometimes we may not have 64 bits to make up a block. This may happen if the buffer size in the program below or the file/input data size is not a integral multiple of 8 bytes(64-bits).So accordingly the data is padded and then the partial block is encrypted using EVP_EncryptFinal. The length of the encoded data block is stored in the variable tlen and added to the final length.
int
encrypt (int infd, int outfd)
{
unsigned char outbuf[OP_SIZE];
int olen, tlen, n;
char inbuff[IP_SIZE];
EVP_CIPHER_CTX ctx;
EVP_CIPHER_CTX_init (& ctx);
EVP_EncryptInit (& ctx, EVP_bf_cbc (), key, iv);
for (;;)
{
bzero (& inbuff, IP_SIZE);
if ((n = read (infd, inbuff, IP_SIZE)) == -1)
{
perror ("read error");
break;
}
else if (n == 0)
break;
if (EVP_EncryptUpdate (& ctx, outbuf, & olen, inbuff, n) != 1)
{
printf ("error in encrypt update\n");
return 0;
}
if (EVP_EncryptFinal (& ctx, outbuf + olen, & tlen) != 1)
{
printf ("error in encrypt final\n");
return 0;
}
olen += tlen;
if ((n = write (outfd, outbuf, olen)) == -1)
perror ("write error");
}
EVP_CIPHER_CTX_cleanup (& ctx);
return 1;
}
When using the MSXML2 library, you typically load XML files from disk into a DOM (Document Object Model) object by creating an instance of IXMLDOMDocument and calling its load function—where you pass a BSTR representation of the file name. However, I had a situation recently where, due to security concerns, I needed to first decrypt the XML data in memory and then load that memory—without writing it to disk—into a DOM object. Surprisingly, I wasn’t able to find any open source examples of how to do this so I wrote a couple of helper functions to accomplish the task. Hopefully, these functions will help others that run into a similar situation.
Since Bruce Schneier introduced the Blowfish encryption algorithm in 1993, it�s had many implementations. I’ve personally found George Anescu’s work to be especially easy to use in scenarios where I’ve needed fast and reliable means of encrypting and decrypting data. Therefore, my functions work with data that is encrypted using his CBlowFish class.
The first thing I learned when searching for a solution is that the IXMLDOMDocument object supports a function called loadXML, which takes a BSTR value representing the XML to parse. Since I like to keep the client side as easy and clean as possible, I wanted the client to call a single function that would pretty much do everything. As a result, I created the DecryptFile2Bstr function, which takes an input file name and password (both char pointers) and returns a BSTR that can then be used with the IXMLDOMDocument::loadXML function:
BSTR DecryptFile2Bstr(char* inputFileName, char* password)
{
try
{
int requiredFileSize;
CBlowFish oBlowFish((unsigned char*)password, sizeof(password));
char *buffer = GetFormattedFileContent( inputFileName, requiredFileSize );
oBlowFish.Decrypt((unsigned char *)buffer, requiredFileSize);
return _com_util::ConvertStringToBSTR(buffer);
}
catch ( char *ex )
{
throw ex;
}
}
As you can see, the DecryptFile2Bstr function instantiates a CBlowFish object and then calls another helper function I wrote, GetFormattedFileContent, before invoking the CBlowFish::Decrypt function. As the data used by both the GetFormattedFileContent and CBlowFish::Decrypt functions is in the form of a char buffer, the DecryptFile2Bstr function calls the standard COM utility function ConvertStringToBSTR before returning to the caller.
The Blowfish algorithm is based on eight-byte blocks, so the GetFormattedFileContent function reads the data into memory accordingly. Note the padding at the end of the function to accommodate this rule:
char* GetFormattedFileContent(char *filePath, int &requiredFileSize)
{
FILE *fp = fopen(filePath, "r+b");
int fileSize = FileSize(fp);
int index = fileSize;
if ( (fileSize % 
!= 0 )
requiredFileSize = ((fileSize / + 1) * 8;
else
requiredFileSize = fileSize;
char *buffer = new char[requiredFileSize + 1];
fread(buffer, sizeof(char), fileSize, fp);
buffer[fileSize] = 0;
fclose(fp);
while (index < requiredFileSize)
buffer[index++] = 0;
return buffer;
}
int FileSize(FILE *fp)
{
char buffer[1];
int count = 0;
fseek(fp, 0, SEEK_SET);
while (fread(buffer, sizeof(buffer), 1, fp) != 0) count++;
fseek(fp, 0, SEEK_SET);
return count;
}
Using the DecryptFile2Bstr Function
Assuming your data has been encrypted using the CBlowFish class, you can load it into an XML DOM object with two lines of code:
#import <msxml4.dll> named_guids
using namespace MSXML2;
...
::CoInitialize(NULL);
MSXML2::IXMLDOMDocumentPtr plDomDocument;
HRESULT hr = plDomDocument.CreateInstance(MSXML2::CLSID_DOMDocument);
if (SUCCEEDED(hr))
{
// load the file as an XML document
BSTR xmlfile = DecryptFile2Bstr(L"MyFile.xml", DEFS_ENC_PASSWORD);
variant_t vResult = plDomDocument->loadXML(xmlfile);
...
Looking Ahead
Combining the MSMXL2 IXMLDOMDocument::loadXML with my helper functions, I was able to read the client’s sensitive data into memory and decrypt it without first having to decrypt it to disk. I’ve also extended these functions to include other helper functions that perform such tasks as decrypting a file with CBlowFish-encrypted data to a specified file (DecryptFile2File) and encrypting plain ASCII data to a CBlowFish-encrypted file (EncryptFile2File). If you have any need or interest in these functions, email me and I’ll also post them for public use.