Encrypted data as a string

Question

I am quite new to encryption and C language so this is maybe an obvious issue, but I find no way of solving the problem.

I am making an application on C and using openssl for encryption in Linux.

I got from this url an example of C code that allows to encrypt and decrypt a string with SHA: http://wiki.openssl.org/index.php/EVP_Symmetric_Encryption_and_Decryption

#include <openssl/conf.h>
#include <openssl/evp.h>
#include <openssl/err.h>
#include <string.h>

int main(int arc, char *argv[])
{
  unsigned char *key = "01234567890123456789012345678901";
  unsigned char *iv = "01234567890123456";
  /* Message to be encrypted */
  unsigned char *plaintext = "The quick brown fox jumps over the lazy dog";
  unsigned char ciphertext[128];
  unsigned char decryptedtext[128];
  int decryptedtext_len, ciphertext_len;

  ERR_load_crypto_strings();
  OpenSSL_add_all_algorithms();
  OPENSSL_config(NULL);

  ciphertext_len = encrypt(plaintext, strlen(plaintext), key, iv,ciphertext);

  printf("Ciphertext is:\n");
  BIO_dump_fp(stdout, ciphertext, ciphertext_len);

  EVP_cleanup();
  ERR_free_strings();

  return 0;
}


int encrypt(unsigned char *plaintext, int plaintext_len, unsigned char *key,
  unsigned char *iv, unsigned char *ciphertext)
{
  EVP_CIPHER_CTX *ctx;
  int len;
  int ciphertext_len;

  /* Create and initialise the context */
  if(!(ctx = EVP_CIPHER_CTX_new())) handleErrors();

  if(1 != EVP_EncryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, key, iv))
    handleErrors();

  if(1 != EVP_EncryptUpdate(ctx, ciphertext, &len, plaintext, plaintext_len))
    handleErrors();
  ciphertext_len = len;

  if(1 != EVP_EncryptFinal_ex(ctx, ciphertext + len, &len)) handleErrors();
  ciphertext_len += len;

  EVP_CIPHER_CTX_free(ctx);
  return ciphertext_len;
}

I works fine and I have made it work perfectly. What I have seen is that I need to handle that encripted result as a string and append it to a bigger string (actually an SQL command). The code is called like this:

ciphertext_len = encrypt(it, strlen(it), key, iv,ciphertext);
strcat(bigstring,ciphertext);

When I have tried to do this all the string got altered and unusable. I suposse that the problem comes from binary data being treated as chars, and this includes control characters as or backspaces.

Is there a way of treating this encrypted data as a String without altering it? Should I use another kind of encryption instead?

Answer 1

If you are working with binary data you must not use str* functions but mem* functions, like memcpy(3) in your case.

For your SQL query, I suggested you to use something else than a string query. For example with mysql I suggest you a prepared statement (http://dev.mysql.com/doc/refman/5.1/en/mysql-stmt-execute.html)

Another solution could be to encode your encrypted (binary) data in hex or base64.

Answer 2

ciphertext[128] is not a string and string functions like strcat(bigstring,ciphertext); should not be expected to work with it.

In C, "A string is a contiguous sequence of characters terminated by and including the first null character." ciphertext[128] may have embedded '\0' in it (@James Black) and/or may not have a terminating '\0'.

Perform the concatenation another way, maybe:

memcpy(bigstring, &ciphertext[bigstring_len], ciphertext_len);
bigstring_len += ciphertext_len;

Answer 3

It might not be related to your issue but it would be safer to use:

strncat

To ensure you are copying not less or more bytes than you want. Also you may want to double-check your types : strcat takes char* as arguments.

Answer 4

Assuming that on printing both the two strings you are trying to concatenate, the answer has no garbage values etc, instead of going to the trouble of using a different encryption(notice the spelling), why not work the other way around and try to write your own concatenate function? It'll work easier for you. I'll be glad to help you with it if you'd like.