Merge branch 'prerelease'

sjlombardo · sjlombardo · commit 50376d07a591 · 2020-11-24T13:31:55.000-05:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,12 @@
 # SQLCipher Change Log
 All notable changes to this project will be documented in this file.
 
+## [4.4.2] - (November 2020 - [4.4.2 changes])
+- Improve error handling to resolve potential corruption if an encryption operation failed while operating in WAL mode
+- Changes to OpenSSL library cryptographic provider to reduce initialization complexity
+- Adjust cipher_integrity_check to skip locking page to avoid a spurious error report for very large databases
+- Miscellaneous code and comment cleanup
+
 ## [4.4.1] - (October 2020 - [4.4.1 changes])
 - Updates baseline to upstream SQLite 3.33.0
 - Fixes double-free bug in cipher_default_plaintext_header_size
@@ -171,7 +177,9 @@ All notable changes to this project will be documented in this file.
 ### Security
 - Change KDF iteration length from 4,000 to 64,000
 
-[unreleased]: https://github.com/sqlcipher/sqlcipher/compare/v4.4.1...prerelease
+[unreleased]: https://github.com/sqlcipher/sqlcipher/compare/v4.4.2...prerelease
+[4.4.2]: https://github.com/sqlcipher/sqlcipher/tree/v4.4.2
+[4.4.2 changes]: https://github.com/sqlcipher/sqlcipher/compare/v4.4.0...v4.4.2
 [4.4.1]: https://github.com/sqlcipher/sqlcipher/tree/v4.4.1
 [4.4.1 changes]: https://github.com/sqlcipher/sqlcipher/compare/v4.4.0...v4.4.1
 [4.4.0]: https://github.com/sqlcipher/sqlcipher/tree/v4.4.0
diff --git a/SQLCipher.podspec.json b/SQLCipher.podspec.json
@@ -15,10 +15,10 @@
   "requires_arc": false,
   "source": {
     "git": "https://github.com/sqlcipher/sqlcipher.git",
-    "tag": "v4.4.1"
+    "tag": "v4.4.2"
   },
   "summary": "Full Database Encryption for SQLite.",
-  "version": "4.4.1",
+  "version": "4.4.2",
   "subspecs": [
     {
       "compiler_flags": [
diff --git a/src/crypto.c b/src/crypto.c
@@ -39,6 +39,11 @@
 #include "sqlcipher_ext.h"
 #endif
 
+#ifdef SQLCIPHER_TEST
+static int cipher_fail_next_encrypt = 0;
+static int cipher_fail_next_decrypt = 0;
+#endif
+
 /* Generate code to return a string value */
 static void codec_vdbe_return_string(Parse *pParse, const char *zLabel, const char *value, int value_type){
   Vdbe *v = sqlite3GetVdbe(pParse);
@@ -110,6 +115,24 @@ int sqlcipher_codec_pragma(sqlite3* db, int iDb, Parse *pParse, const char *zLef
         codec_vdbe_return_string(pParse, "cipher_license", license_result, P4_DYNAMIC);
       }
   } else
+#endif
+#ifdef SQLCIPHER_TEST
+  if( sqlite3StrICmp(zLeft,"cipher_fail_next_encrypt")==0 ){
+    if( zRight ) {
+      cipher_fail_next_encrypt = sqlite3GetBoolean(zRight,1);
+    } else {
+      char *fail = sqlite3_mprintf("%d", cipher_fail_next_encrypt);
+      codec_vdbe_return_string(pParse, "cipher_fail_next_encrypt", fail, P4_DYNAMIC);
+    }
+  }else
+  if( sqlite3StrICmp(zLeft,"cipher_fail_next_decrypt")==0 ){
+    if( zRight ) {
+      cipher_fail_next_decrypt = sqlite3GetBoolean(zRight,1);
+    } else {
+      char *fail = sqlite3_mprintf("%d", cipher_fail_next_decrypt);
+      codec_vdbe_return_string(pParse, "cipher_fail_next_decrypt", fail, P4_DYNAMIC);
+    }
+  }else
 #endif
   if( sqlite3StrICmp(zLeft, "cipher_fips_status")== 0 && !zRight ){
     if(ctx) {
@@ -685,6 +708,9 @@ static void* sqlite3Codec(void *iCtx, void *data, Pgno pgno, int mode) {
         memcpy(buffer, plaintext_header_sz ? pData : (void *) SQLITE_FILE_HEADER, offset); 
 
       rc = sqlcipher_page_cipher(ctx, cctx, pgno, CIPHER_DECRYPT, page_sz - offset, pData + offset, (unsigned char*)buffer + offset);
+#ifdef SQLCIPHER_TEST
+      if(cipher_fail_next_decrypt) rc = SQLITE_ERROR;
+#endif
       if(rc != SQLITE_OK) { /* clear results of failed cipher operation and set error */
         sqlcipher_memset((unsigned char*) buffer+offset, 0, page_sz-offset);
         sqlcipher_codec_ctx_set_error(ctx, rc);
@@ -707,9 +733,13 @@ static void* sqlite3Codec(void *iCtx, void *data, Pgno pgno, int mode) {
         memcpy(buffer, plaintext_header_sz ? pData : kdf_salt, offset); 
       }
       rc = sqlcipher_page_cipher(ctx, cctx, pgno, CIPHER_ENCRYPT, page_sz - offset, pData + offset, (unsigned char*)buffer + offset);
+#ifdef SQLCIPHER_TEST
+      if(cipher_fail_next_encrypt) rc = SQLITE_ERROR;
+#endif
       if(rc != SQLITE_OK) { /* clear results of failed cipher operation and set error */
         sqlcipher_memset((unsigned char*)buffer+offset, 0, page_sz-offset);
         sqlcipher_codec_ctx_set_error(ctx, rc);
+        return NULL;
       }
       return buffer; /* return persistent buffer data, pData remains intact */
       break;
@@ -939,8 +969,6 @@ void sqlite3CodecGetKey(sqlite3* db, int nDb, void **zKey, int *nKey) {
   }
 }
 
-#ifndef OMIT_EXPORT
-
 /*
  * Implementation of an "export" function that allows a caller
  * to duplicate the main database to an attached database. This is intended
@@ -1146,8 +1174,5 @@ void sqlcipher_exportFunc(sqlite3_context *context, int argc, sqlite3_value **ar
     }
   }
 }
-
 #endif
-
 /* END SQLCIPHER */
-#endif
diff --git a/src/crypto.h b/src/crypto.h
@@ -59,7 +59,7 @@ void sqlite3pager_reset(Pager *pPager);
 #define CIPHER_STR(s) #s
 
 #ifndef CIPHER_VERSION_NUMBER
-#define CIPHER_VERSION_NUMBER 4.4.1
+#define CIPHER_VERSION_NUMBER 4.4.2
 #endif
 
 #ifndef CIPHER_VERSION_BUILD
diff --git a/src/crypto_impl.c b/src/crypto_impl.c
@@ -1278,6 +1278,9 @@ int sqlcipher_codec_ctx_integrity_check(codec_ctx *ctx, Parse *pParse, char *col
     int payload_sz = ctx->page_sz - ctx->reserve_sz + ctx->iv_sz;
     int read_sz = ctx->page_sz;
 
+    /* skip integrity check on PAGER_MJ_PGNO since it will have no valid content */
+    if(sqlite3pager_is_mj_pgno(ctx->pBt->pBt->pPager, page)) continue;
+
     if(page==1) {
       int page1_offset = ctx->plaintext_header_sz ? ctx->plaintext_header_sz : FILE_HEADER_SZ;
       read_sz = read_sz - page1_offset;
diff --git a/src/crypto_openssl.c b/src/crypto_openssl.c
@@ -40,11 +40,6 @@
 #include <openssl/hmac.h>
 #include <openssl/err.h>
 
-typedef struct {
-  EVP_CIPHER *evp_cipher;
-} openssl_ctx;
-
-static unsigned int openssl_external_init = 0;
 static unsigned int openssl_init_count = 0;
 
 #if (defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER < 0x10100000L) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L)
@@ -85,7 +80,7 @@ static int sqlcipher_openssl_add_random(void *ctx, void *buffer, int length) {
   return SQLITE_OK;
 }
 
-#define OPENSSL_CIPHER "aes-256-cbc"
+#define OPENSSL_CIPHER EVP_aes_256_cbc()
 
 
 /* activate and initialize sqlcipher. Most importantly, this will automatically
@@ -103,13 +98,6 @@ static int sqlcipher_openssl_activate(void *ctx) {
   sqlite3_mutex_enter(sqlcipher_mutex(SQLCIPHER_MUTEX_PROVIDER_ACTIVATE));
   CODEC_TRACE_MUTEX("sqlcipher_openssl_activate: entered SQLCIPHER_MUTEX_PROVIDER_ACTIVATE\n");
 
-  if(openssl_init_count == 0 && EVP_get_cipherbyname(OPENSSL_CIPHER) != NULL) {
-    /* if openssl has not yet been initialized by this library, but 
-       a call to get_cipherbyname works, then the openssl library
-       has been initialized externally already. */
-    openssl_external_init = 1;
-  }
-
 #ifdef SQLCIPHER_FIPS
   if(!FIPS_mode()){
     if(!FIPS_mode_set(1)){
@@ -126,13 +114,6 @@ static int sqlcipher_openssl_activate(void *ctx) {
   }
 #endif
 
-  if(openssl_init_count == 0 && openssl_external_init == 0)  {
-    /* if the library was not externally initialized, then should be now */
-#if (defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER < 0x10100000L) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L)
-    OpenSSL_add_all_algorithms();
-#endif
-  } 
-
   openssl_init_count++; 
   CODEC_TRACE_MUTEX("sqlcipher_openssl_activate: leaving SQLCIPHER_MUTEX_PROVIDER_ACTIVATE\n");
   sqlite3_mutex_leave(sqlcipher_mutex(SQLCIPHER_MUTEX_PROVIDER_ACTIVATE));
@@ -147,22 +128,8 @@ static int sqlcipher_openssl_deactivate(void *ctx) {
   CODEC_TRACE_MUTEX("sqlcipher_openssl_deactivate: entering SQLCIPHER_MUTEX_PROVIDER_ACTIVATE\n");
   sqlite3_mutex_enter(sqlcipher_mutex(SQLCIPHER_MUTEX_PROVIDER_ACTIVATE));
   CODEC_TRACE_MUTEX("sqlcipher_openssl_deactivate: entered SQLCIPHER_MUTEX_PROVIDER_ACTIVATE\n");
-  openssl_init_count--;
 
-  if(openssl_init_count == 0) {
-    if(openssl_external_init == 0) {
-    /* if OpenSSL hasn't be initialized externally, and the counter reaches zero 
-       after it's decremented, release EVP memory
-       Note: this code will only be reached if OpensSSL_add_all_algorithms()
-       is called by SQLCipher internally. This should prevent SQLCipher from 
-       "cleaning up" openssl when it was initialized externally by the program */
-#if (defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER < 0x10100000L) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L)
-      EVP_cleanup();
-#endif
-    } else {
-      openssl_external_init = 0;
-    }
-  } 
+  openssl_init_count--;
 
   CODEC_TRACE_MUTEX("sqlcipher_openssl_deactivate: leaving SQLCIPHER_MUTEX_PROVIDER_ACTIVATE\n");
   sqlite3_mutex_leave(sqlcipher_mutex(SQLCIPHER_MUTEX_PROVIDER_ACTIVATE));
@@ -267,7 +234,7 @@ static int sqlcipher_openssl_cipher(void *ctx, int mode, unsigned char *key, int
   int tmp_csz, csz, rc = SQLITE_OK;
   EVP_CIPHER_CTX* ectx = EVP_CIPHER_CTX_new();
   if(ectx == NULL) goto error;
-  if(!EVP_CipherInit_ex(ectx, ((openssl_ctx *)ctx)->evp_cipher, NULL, NULL, NULL, mode)) goto error; 
+  if(!EVP_CipherInit_ex(ectx, OPENSSL_CIPHER, NULL, NULL, NULL, mode)) goto error;
   if(!EVP_CIPHER_CTX_set_padding(ectx, 0)) goto error; /* no padding */
   if(!EVP_CipherInit_ex(ectx, NULL, NULL, key, iv, mode)) goto error;
   if(!EVP_CipherUpdate(ectx, out, &tmp_csz, in, in_sz)) goto error;
@@ -286,19 +253,19 @@ static int sqlcipher_openssl_cipher(void *ctx, int mode, unsigned char *key, int
 }
 
 static const char* sqlcipher_openssl_get_cipher(void *ctx) {
-  return OBJ_nid2sn(EVP_CIPHER_nid(((openssl_ctx *)ctx)->evp_cipher));
+  return OBJ_nid2sn(EVP_CIPHER_nid(OPENSSL_CIPHER));
 }
 
 static int sqlcipher_openssl_get_key_sz(void *ctx) {
-  return EVP_CIPHER_key_length(((openssl_ctx *)ctx)->evp_cipher);
+  return EVP_CIPHER_key_length(OPENSSL_CIPHER);
 }
 
 static int sqlcipher_openssl_get_iv_sz(void *ctx) {
-  return EVP_CIPHER_iv_length(((openssl_ctx *)ctx)->evp_cipher);
+  return EVP_CIPHER_iv_length(OPENSSL_CIPHER);
 }
 
 static int sqlcipher_openssl_get_block_sz(void *ctx) {
-  return EVP_CIPHER_block_size(((openssl_ctx *)ctx)->evp_cipher);
+  return EVP_CIPHER_block_size(OPENSSL_CIPHER);
 }
 
 static int sqlcipher_openssl_get_hmac_sz(void *ctx, int algorithm) {
@@ -318,21 +285,11 @@ static int sqlcipher_openssl_get_hmac_sz(void *ctx, int algorithm) {
 }
 
 static int sqlcipher_openssl_ctx_init(void **ctx) {
-  openssl_ctx *o_ctx;
-
-  *ctx = sqlcipher_malloc(sizeof(openssl_ctx));
-  if(*ctx == NULL) return SQLITE_NOMEM;
-  sqlcipher_openssl_activate(*ctx);
-  
-  o_ctx = (openssl_ctx *)*ctx;
-  o_ctx->evp_cipher = (EVP_CIPHER *) EVP_get_cipherbyname(OPENSSL_CIPHER);
-  return o_ctx->evp_cipher != NULL ? SQLITE_OK : SQLITE_ERROR;
+  return sqlcipher_openssl_activate(*ctx);
 }
 
 static int sqlcipher_openssl_ctx_free(void **ctx) {
-  sqlcipher_openssl_deactivate(*ctx);
-  sqlcipher_free(*ctx, sizeof(openssl_ctx));
-  return SQLITE_OK;
+  return sqlcipher_openssl_deactivate(NULL);
 }
 
 static int sqlcipher_openssl_fips_status(void *ctx) {
diff --git a/src/func.c b/src/func.c
@@ -1824,12 +1824,10 @@ void sqlite3RegisterPerConnectionBuiltinFunctions(sqlite3 *db){
   }
 /* BEGIN SQLCIPHER */
 #ifdef SQLITE_HAS_CODEC
-#ifndef OMIT_EXPORT
   {
     extern void sqlcipher_exportFunc(sqlite3_context *, int, sqlite3_value **);
     sqlite3CreateFunc(db, "sqlcipher_export", -1, SQLITE_TEXT, 0, sqlcipher_exportFunc, 0, 0, 0, 0, 0);
   }
-#endif
 #ifdef SQLCIPHER_EXT
 #include "sqlcipher_funcs_init.h"
 #endif
diff --git a/src/shell.c.in b/src/shell.c.in
@@ -11118,7 +11118,7 @@ int SQLITE_CDECL wmain(int argc, wchar_t **wargv){
 #else
       printf("%s %s\n", sqlite3_libversion(), sqlite3_sourceid());
 #endif
-/* BEGIN SQLCIPHER */
+/* END SQLCIPHER */
       return 0;
     }else if( strcmp(z,"-interactive")==0 ){
       stdin_is_interactive = 1;
diff --git a/src/sqlite.h.in b/src/sqlite.h.in
@@ -5993,7 +5993,7 @@ void sqlite3_activate_see(
   const char *zPassPhrase        /* Activation phrase */
 );
 #endif
-/* BEGIN SQLCIPHER */
+/* END SQLCIPHER */
 
 #ifdef SQLITE_ENABLE_CEROD
 /*
diff --git a/src/tclsqlite.c b/src/tclsqlite.c
@@ -3727,7 +3727,7 @@ static int SQLITE_TCLAPI DbMain(
   void *pKey = 0;
   int nKey = 0;
 #endif
-/* BEGIN SQLCIPHER */
+/* END SQLCIPHER */
   int rc;
 
   /* In normal use, each TCL interpreter runs in a single thread.  So
diff --git a/test/sqlcipher-codecerror.test b/test/sqlcipher-codecerror.test
diff --git a/test/sqlcipher-integrity.test b/test/sqlcipher-integrity.test
diff --git a/test/sqlcipher-pragmas.test b/test/sqlcipher-pragmas.test
diff --git a/test/sqlcipher.test b/test/sqlcipher.test

Original file line number	Diff line number	Diff line change
`@@ -1824,12 +1824,10 @@ void sqlite3RegisterPerConnectionBuiltinFunctions(sqlite3 *db){`
`1824`	`1824`	`}`
`1825`	`1825`	`/* BEGIN SQLCIPHER */`
`1826`	`1826`	`#ifdef SQLITE_HAS_CODEC`
`1827`		`-#ifndef OMIT_EXPORT`
`1828`	`1827`	`{`
`1829`	`1828`	`extern void sqlcipher_exportFunc(sqlite3_context , int, sqlite3_value *);`
`1830`	`1829`	`sqlite3CreateFunc(db, "sqlcipher_export", -1, SQLITE_TEXT, 0, sqlcipher_exportFunc, 0, 0, 0, 0, 0);`
`1831`	`1830`	`}`
`1832`		`-#endif`
`1833`	`1831`	`#ifdef SQLCIPHER_EXT`
`1834`	`1832`	`#include "sqlcipher_funcs_init.h"`
`1835`	`1833`	`#endif`