From 0303ec895f269b7d586045e76a8ed8a29b317588 Mon Sep 17 00:00:00 2001 From: clach04 Date: Sat, 24 Jan 2026 19:57:13 -0800 Subject: [PATCH 1/5] Fix issue #5 - printf stdint macro --- tests/tests.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/tests.c b/tests/tests.c index e1df47a..b4a33e2 100644 --- a/tests/tests.c +++ b/tests/tests.c @@ -266,7 +266,7 @@ static int p_encrypt_decrypt(void) fsize = 0; } if (DEBUG) { - printf(YELLOW "\tFile size:" BLUE " %lu bytes\n", fsize); + printf(YELLOW "\tFile size:" BLUE " %" PRIu64 " bytes\n", fsize); } fillrand(data, fsize); fillrand(key, KEY_SIZE); @@ -428,7 +428,7 @@ int p_password_enc_dec(void) } if (DEBUG) { - printf(YELLOW "\tFile size:" BLUE " %lu bytes\n", fsize); + printf(YELLOW "\tFile size:" BLUE " %" PRIu64 " bytes\n", fsize); } fillrand(data, fsize); From f6e4fe719c5be8b583c96829b838e986bd5fde9b Mon Sep 17 00:00:00 2001 From: clach04 Date: Sat, 24 Jan 2026 19:59:48 -0800 Subject: [PATCH 2/5] Ignore Windows EXEs and vim backup files --- .gitignore | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.gitignore b/.gitignore index 1ab7e1e..1b7de6a 100644 --- a/.gitignore +++ b/.gitignore @@ -1,7 +1,9 @@ kr +*.exe *.o *.profraw *.profdata +*~ tmp test.out cov From bfc6e19e6d06ea533edeefa03709534ed3c22a13 Mon Sep 17 00:00:00 2001 From: clach04 Date: Sat, 24 Jan 2026 20:33:06 -0800 Subject: [PATCH 3/5] Cleanup trailing blanks in source --- README.md | 6 +++--- src/kr.c | 12 ++++++------ 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index ba5fcf6..aee9fa0 100644 --- a/README.md +++ b/README.md @@ -8,7 +8,7 @@ AEAD interface of Monocypher to encrypt/decrypt files using `kr` offers two modes of operation: - Keyfile-based: a private key is stored on the user's machine and is used to - encrypt and decrypt files. + encrypt and decrypt files. - Passphrase-based: an encryption/decryption key is generated, on the fly, using Argon2i (with a random salt). 
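Review bot: `PRIu64` is only correct if `fsize` is declared `uint64_t` and `<inttypes.h>` is in scope, and neither is visible in the two tests/tests.c hunks of patch 1/5 (`p_encrypt_decrypt` and `p_password_enc_dec`). The diffstat for that patch shows only the two changed `printf` lines, so no include was added. If `fsize` turns out to be a `size_t`, the matching specifier is `%zu`, i.e. `printf(YELLOW "\tFile size:" BLUE " %zu bytes\n", fsize);`, because a conversion that does not match the argument type is undefined behaviour where the widths differ. Both functions start and end outside the hunks, so the declaration has to be checked there.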
@@ -65,7 +65,7 @@ _same_ pair (passphrase, userID) on every invocation. For example: ``` $ kr -guUSERID -p"PASS PHRASE" ~/key.sec ``` - Or + Or ``` $ kr -g --uid=USERID --passphrase="PASS PHRASE" ~/key.sec @@ -173,7 +173,7 @@ pipes: ``` $ echo 'Hello, world!' | kr -epPASS | kr -dpPASS ``` -or with keyfiles +or with keyfiles ``` $ echo 'Hello, world!' | kr -ek ~/.key.sec | kr -dk ~/.key.sec diff --git a/src/kr.c b/src/kr.c index 8e070a4..6ad0106 100644 --- a/src/kr.c +++ b/src/kr.c @@ -264,7 +264,7 @@ static enum error encrypt(FILE *in, FILE *out, const uint8_t key[KEY_SIZE], uint8_t *ad = (eof) ? END_TAG : NULL; // if last chunk, tag it. size_t adlen = (eof) ? 4 : 0; - // Arguments order: + // Arguments order: // ctx, cipher_text, mac, ad, ad_size, plain_text, text_size. // The mac comes after the encrypted chunk, thus: // - the mac is located at buf_out + len, and @@ -318,7 +318,7 @@ static enum error decrypt(FILE *in, FILE *out, const uint8_t key[KEY_SIZE], uint8_t *ad = (eof) ? END_TAG : 0; // last chunk should've been tagged. size_t adlen = (eof) ? 4 : 0; - // Arguments order: + // Arguments order: // ctx, plain_text, mac, ad, ad_size, cipher_text, text_size. // The read 'len' bytes from 'in' already includes the mac, thus: // - the mac is located at buf_in + len - MAC_SIZE, and @@ -343,7 +343,7 @@ static enum error decrypt(FILE *in, FILE *out, const uint8_t key[KEY_SIZE], } // Generate a key_size bytes key from a passphrase and a salt (random) -// using Argon2i (with configuration in 'config', inputs (password and salt) +// using Argon2i (with configuration in 'config', inputs (password and salt) // data in 'inputs'), and extras (key and ad). This needs a work area that // has to be allocated. If this allocation fails, securely wipe inputs and // extras and exit. 
@@ -448,7 +448,7 @@ static enum error read_keyfile(FILE *kf, uint8_t key[KEY_SIZE]) // Inspect the protection-version byte, and get its MSB. int protected = *version >> 7; if (!protected) { - // Key is not protected. Copy the last KEY_SIZE bytes. + // Key is not protected. Copy the last KEY_SIZE bytes. memcpy(key, fkey, KEY_SIZE); } else { // Ask the user to provide a passphrase to decrypt the key. @@ -722,7 +722,7 @@ int main(int argc, char *argv[]) BAIL(ERR_NO_RANDOM); } // If the key to be generated depends on a uid and a passphrase, - // generate a deterministic one with the same value when given + // generate a deterministic one with the same value when given // the same uid and passphrase. if (use_passphrase) { // Hash the uid to use it as a salt for key derivation. @@ -830,7 +830,7 @@ int main(int argc, char *argv[]) } // Clean everything and exit. -bail: +bail: // Safely wipe sensitive info. crypto_wipe(key, KEY_SIZE); crypto_wipe(passphrase, MAXPASS); From ea525fcfa22b75bc8eec88374a0114cc9e280b0c Mon Sep 17 00:00:00 2001 From: clach04 Date: Sat, 24 Jan 2026 20:45:52 -0800 Subject: [PATCH 4/5] Git ignore .bak files --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index 1b7de6a..b626445 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,5 @@ kr +*.bak *.exe *.o *.profraw From 9d339c1bfaa76eb5ff4cf9a01c70f49b469db3e2 Mon Sep 17 00:00:00 2001 From: clach04 Date: Sat, 24 Jan 2026 20:52:53 -0800 Subject: [PATCH 5/5] Implement issue #7 - environment variable passphrase support --- README.md | 21 +++++++++++++++++++-- kr.1 | 4 ++++ src/kr.c | 22 +++++++++++++++++++++- 3 files changed, 44 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index aee9fa0..355c294 100644 --- a/README.md +++ b/README.md 
@@ -133,7 +133,7 @@ $ kr --decrypt --keyfile ~/.key.sec inputfile outputfile Instead of using key files, we can use passphrases as follows: -##### Encryption `-e -p` +##### Encryption `-e -p` / `-e -E` ``` $ kr -e -p"PASS PHRASE" inputfile outputfile @@ -149,7 +149,15 @@ We can also use the long options: $ kr --encrypt --passphrase="PASS PHRASE" inputfile outputfile ``` -##### Decryption `-d -p` +Alternatively use `-E` / `--envvar` to pick up password from an operating +system environment variable: + +``` +$ env PASSPHRASE="PASS PHRASE" kr --encrypt -E=PASSPHRASE inputfile outputfile +$ env PASSPHRASE="PASS PHRASE" kr --encrypt --envvar=PASSPHRASE inputfile outputfile +``` + +##### Decryption `-d -p` / `-d -E` ``` $ kr -d -p"PASS PHRASE" inputfile outputfile @@ -165,6 +173,15 @@ Or using the long options: $ kr --decrypt --passphrase="PASS PHRASE" inputfile outputfile ``` +Alternatively use `-E` / `--envvar` to pick up password from an operating +system environment variable: + +``` +$ env PASSPHRASE="PASS PHRASE" kr --decrypt -E=PASSPHRASE inputfile outputfile +$ env PASSPHRASE="PASS PHRASE" kr --decrypt --envvar=PASSPHRASE inputfile outputfile +``` + + ### Support for streams `kr` is able to process streams as well. For instance, these examples with diff --git a/kr.1 b/kr.1 index 5e073bb..b941670 100644 --- a/kr.1 +++ b/kr.1 @@ -63,6 +63,10 @@ Use the passphrase \fB[pass]\fR for for operations. If the passphrase is not specified, prompt the user to type it (Twice for encryption and keyfile generation. Once for decryption). .TP +\fB\-E\fR, \fB\-\-envvar\fR \fI[pass]\fP +Use the passphrase contained in the operating system environment variable +\fB[pass]\fR for operations. +.TP \fB\-u\fR, \fB\-\-uid\fR \fI\fP Use \fB\fR for key generation (\fB\-g\fR). Use \fB\fR for reproductible key generation (\-g). When used, the program will ask for a diff --git a/src/kr.c b/src/kr.c index 6ad0106..397649c 100644 --- a/src/kr.c +++ b/src/kr.c 
@@ -50,7 +50,7 @@ // backward compatibility issues. #define PROG "kr" -#define PROG_VERSION "0.2" // The program's version. +#define PROG_VERSION "0.3" // The program's version. #define FILE_VERSION 0 // Encrypted files format version. #define KEYFILE_VERSION 0 // keyfiles format version. #define KEY_SIZE 32 @@ -221,6 +221,10 @@ static const char *usage[] = { " user to type it (Twice for encryption and", " keyfile generation. Once for decryption).", "", +" -E | --envvar=[pass] Use the passphrase contained in the operating", +" system environment variable [pass] for operations.", +" TODO doc priority versus passphrase", +"", " -u | --uid= Use for key generation (-g).", " When used, the program will ask for a passphrase", " in order to generate a deterministic key, i.e., ", @@ -581,6 +585,7 @@ int main(int argc, char *argv[]) {"decrypt", 'd', OPTPARSE_NONE}, {"keyfile", 'k', OPTPARSE_REQUIRED}, {"passphrase", 'p', OPTPARSE_OPTIONAL}, + {"envvar", 'E', OPTPARSE_OPTIONAL}, {"uid", 'u', OPTPARSE_REQUIRED}, {"keyedit", 'm', OPTPARSE_REQUIRED}, {"help", 'h', OPTPARSE_NONE}, @@ -602,6 +607,7 @@ int main(int argc, char *argv[]) char *keyfile = NULL; char *infile = NULL; char *outfile = NULL; + char *passphrase_env_ptr = NULL; FILE *kf = NULL; FILE *in = NULL; FILE *out = NULL; @@ -643,6 +649,20 @@ int main(int argc, char *argv[]) memcpy(passphrase, options.optarg, pwlen); } break; + case 'E': + use_passphrase = 1; + if (options.optarg) { + passphrase_env_ptr = getenv(options.optarg); + if (passphrase_env_ptr == NULL) { + BAIL(ERR_PASS_READ_FAIL); + } + pwlen = strlen(passphrase_env_ptr) + 1; + if (pwlen > MAXPASS) { + BAIL(ERR_PASS_TOO_BIG); + } + memcpy(passphrase, passphrase_env_ptr, pwlen); + } + break; case 'u': use_passphrase = 1; if (options.optarg) {
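Review bot: The lines added to the `usage[]` table in src/kr.c ship a literal `TODO doc priority versus passphrase` to users in the help output. In the option switch of this same patch, `case 'p':` and `case 'E':` both write the shared `passphrase` buffer and `pwlen`, so as written the option that appears later on the command line appears to win. Either state that in place of the TODO, e.g. `"                         If both -p and -E are given, the last one wins.",`, or reject the combination explicitly. The table starts and ends outside the hunk.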
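Review bot: `{"envvar", 'E', OPTPARSE_OPTIONAL}` allows `-E` with no variable name, and the `case 'E':` added further down then sets `use_passphrase = 1` without reading anything. The omission is therefore silent, and what happens next depends on code outside the patch (presumably the interactive prompt). A variable name is always needed for this option, so the entry should be `{"envvar", 'E', OPTPARSE_REQUIRED},`, which also makes the `if (options.optarg)` guard in the case unnecessary. With an optional argument the short form takes everything after the letter as the argument, so the README's `-E=PASSPHRASE` example would, if I read optparse correctly, look up a variable named `=PASSPHRASE` and fail with `ERR_PASS_READ_FAIL`; that example is worth running before merge.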
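Review bot: In `case 'E':` a variable that is set but empty passes the `NULL` check and yields `pwlen = 1` with an empty passphrase, which is accepted here rather than rejected; whether later code treats that as "no passphrase given" is outside the hunk. The check should be extended to `if (passphrase_env_ptr == NULL || passphrase_env_ptr[0] == '\0') {`. Separately, the `crypto_wipe(passphrase, MAXPASS)` at `bail:` clears only the copy: the original string stays in the process environment, where it is inherited by child processes and is typically readable by other processes of the same user (for example through `/proc/<pid>/environ` on Linux), and the C standard does not permit modifying the buffer `getenv` returns. The README and kr.1 should state that limitation next to the `-E` examples so users can weigh it against `-p` and the prompt. The switch starts and ends outside the hunk.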