I am working with Openssl 0.9.8k, using the EVP API in my project to encrypt/decrypt data with AES256CBC.

Till now I am taking the password input from the user using fgets(pwd, pwd_len, stdin).

Is there any function available with OpenSSL which facilitates secure password input? I tried searching on the net but could not find any. (The OpenSSL documentation itself is not sufficient.)

Any suggestions or pointers towards any documentation will be highly appreciated.

NOTE: If there is no such function with OpenSSL, can someone please suggest the possible security loopholes that can be exploited in my current approach of taking the password from stdin using fgets, so that I can write my own custom function for this.

Many thanks

abhi
  • Since the problem is one of terminal programming and not covered by OpenSSL, I'm marking this as a duplicate of [C command-line password input](http://stackoverflow.com/questions/1786532/c-command-line-password-input) and [Getting a password in C without using getpass](http://stackoverflow.com/questions/1196418/getting-a-password-in-c-without-using-getpass-3). – Kerrek SB May 12 '12 at 23:00

1 Answer

OpenSSL will prompt the user for a password if you use the PEM routines to open a password-protected file - it's described at http://www.openssl.org/docs/crypto/pem.html (search for "prompt"). Those functions also allow you to specify a callback routine that does the prompting; the default callback is the one that prompts the user.

What I can't find is any documentation for the default callback routine - I think you will need to go hunting in the code. But if you just wanted to read a password-protected file then the above may be sufficient.

andrew cooke
  • Thanks for the reply. I will look into that. Also, while going through the EVP API source I came across a file EVP_key.c in openssl/crypto/evp where I found 3 functions defined, which are EVP_set_pw_prompt(), EVP_get_pwd_prompt() and EVP_read_pw_string(), but could not find any documentation for them. Any idea about them? Many thanks – abhi May 13 '12 at 16:02
  • Not really. I would guess that they are similar (set allowing the callback to be set). Maybe read_pwd_string is what you need? Best to just read the code... (sometimes with OpenSSL it is worth writing a small program that calls the routine and then stepping through in the debugger - that helps resolve what the mess of different pointers all mean). – andrew cooke May 13 '12 at 16:05
  • Ohh, thanks a ton. I will start off with writing code for it, though after googling for it this is the most logical link I could lay my hands on: http://www.umich.edu/~x509/ssleay/evp_passwd.html – abhi May 13 '12 at 16:09
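A custom prompt of the kind the question asks for, written as an added example rather than code from either post: it disables terminal echo with termios, rejects overlong input instead of silently truncating it (fgets leaves the rest of the line in stdin, so a partial password would otherwise be used), and wipes the buffer on failure. The wrapper `password_callback` has the same signature as OpenSSL's `pem_password_cb` that the answer refers to, so it could be handed to the PEM routines in place of the default prompt; the function names are the example's own and nothing here links against OpenSSL.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>

/* Overwrite a buffer in a way the compiler must not optimise away. */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Read one line from `in` into buf (capacity `size`), without echo when `in`
 * is a terminal. Returns the password length, or -1 on EOF/error/overlong
 * input. Overlong input is rejected (and the rest of the line drained) rather
 * than silently truncated, so the caller never encrypts with a partial password. */
int read_password(char *buf, size_t size, FILE *in) {
    struct termios old, noecho;
    int fd = fileno(in);
    int raw = isatty(fd) && tcgetattr(fd, &old) == 0;  /* only touch a real terminal */
    if (raw) {
        noecho = old;
        noecho.c_lflag &= ~(tcflag_t)ECHO;
        tcsetattr(fd, TCSAFLUSH, &noecho);
    }
    char *r = fgets(buf, (int)size, in);
    if (raw) { tcsetattr(fd, TCSAFLUSH, &old); fputc('\n', stderr); }
    if (!r) { secure_zero(buf, size); return -1; }
    size_t len = strlen(buf);
    if (len && buf[len - 1] == '\n') { buf[--len] = '\0'; return (int)len; }
    if (feof(in)) return (int)len;            /* last line had no newline */
    int c;
    while ((c = fgetc(in)) != EOF && c != '\n') ;  /* drain the overlong line */
    secure_zero(buf, size);
    return -1;
}

/* Same signature as OpenSSL's pem_password_cb, so it can be passed to the PEM
 * read/write routines instead of the default prompt. `u` is an optional FILE*
 * (NULL means stdin). Returns the length, or 0 to signal failure to OpenSSL. */
int password_callback(char *buf, int size, int rwflag, void *u) {
    FILE *in = u ? (FILE *)u : stdin;
    if (isatty(fileno(in)))
        fputs(rwflag ? "Enter new passphrase: " : "Enter passphrase: ", stderr);
    int n = read_password(buf, (size_t)size, in);
    return n < 0 ? 0 : n;
}
```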