I have a problem with openssl crypto library, after doing decryption even after exiting function scope, decrypted string is not removed from memory. My code:
int crypto::aes_decrypt(const crypto::vector<unsigned char> &data, const crypto::string &key, const crypto::string &iv,
crypto::vector<unsigned char> &decrypted) {
try {
int len;
int plaintext_len;
const auto *dataArr = data.data();
size_t dataLength = data.size();
if (key.length() != 32 || iv.length() != 16) {
return -1;
}
auto *plaintext = new unsigned char[dataLength + 16];
EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
if (ctx == nullptr) {
return -2;
}
const auto *keyArr = reinterpret_cast<const unsigned char *>(key.data());
const auto *ivArr = reinterpret_cast<const unsigned char *>(iv.data());
/*
* Initialise the decryption operation. IMPORTANT - ensure you use a key
* and IV size appropriate for your cipher
* In this example we are using 256-bit AES (i.e. a 256-bit key). The
* IV size for *most* modes is the same as the block size. For AES this
* is 128 bits
*/
if (1 != EVP_CipherInit_ex(ctx, EVP_aes_256_cbc(), nullptr, keyArr, ivArr, 0)) {
EVP_CIPHER_CTX_free(ctx);
return -3;
}
/*
* Provide the message to be decrypted, and obtain the plaintext output.
* EVP_DecryptUpdate can be called multiple times if necessary.
*/
if (1 != EVP_DecryptUpdate(ctx, plaintext, &len, dataArr, dataLength)) {
EVP_CIPHER_CTX_free(ctx);
return -4;
}
plaintext_len = len;
/*
* Finalise the decryption. Further plaintext bytes may be written at
* this stage.
*/
if (1 != EVP_DecryptFinal_ex(ctx, plaintext + len, &len)) {
EVP_CIPHER_CTX_free(ctx);
return -5;
}
plaintext_len += len;
decrypted = crypto::vector<unsigned char>(plaintext, plaintext + plaintext_len);
/* Clean up */
EVP_CIPHER_CTX_free(ctx);
free(plaintext);
return 0;
} catch (exception &e) {
#ifdef DEBUG_SHARED_LIBRARIES
cout << "Error while aes decrypting: " << e.what() << endl;
#endif
return -99;
}
}
void test() {
string key = "abcdefghijklmnopabcdefghijklmnop";
string iv = "1234567890123456";
string b64 = "82fgiOvXUXrnkGeRsCjKgA==";
vector<unsigned char> decrypted;
int i = crypto::aes_decrypt(crypto::base64_decode(b64), key, iv, decrypted);
if (i != 0) {
cout << "Error: " << i << endl;
return;
}
string dec = {decrypted.begin(), decrypted.end()};
// cout << "Decrypted raw: " << string_utils::char_array_to_hex(decrypted.data(), decrypted.size()) << endl;
cout << "Decrypted: " << dec << endl;
cout << "Click to clear" << endl;
string input;
getline(cin, input);
}
I tried many combinations, but with string and vector still the same - decrypted string is still in memory
Before exiting function scope:
After exiting function scope:
and inside that memory dump:
and another:
Any suggestions how can i deal with it? I think its something wrong with aes decrypt implementation, because in memory dump there are many encryption methods related to openssl crypto library
I found what i was looking for here:
https://wiki.openssl.org/index.php/EVP_Symmetric_Encryption_and_Decryption
typedef std::basic_string<char, std::char_traits<char>, zallocator<char> > secure_string;
that secure_string
is wiped out from memory when leaving the function scope.