
List:       openssl-users
Subject:    RE: problem with EVP_DecryptFinal_ex function
From:       "Dave Thompson" <dthompson () prinpay ! com>
Date:       2011-06-23 21:12:27
Message-ID: 32CADFA1164C4C52B7DAFAA9EA02B444 () prinpay ! com

> From: owner-openssl-users@openssl.org On Behalf Of Damir Musulin
> Sent: Wednesday, 22 June, 2011 08:46

> I'm brand new to programming against OpenSSL (EVP)
> so if I make any stupid mistake I'm sorry in advance.
> 
This is really a C programming issue, not OpenSSL (or EVP).

> I use the blowfish algorithm from the OpenSSL page to encrypt 
> a string in C.
> the code is from: 
> http://www.openssl.org/docs/crypto/EVP_EncryptInit.html
> 
> I have created a decrypt function and it fails (how wonderful)
> 
> The problem lies in the EVP_DecryptFinal_ex.

It is *reported* there but actually occurred earlier.

> I have made use of the ERR_print_errors_fp(stderr); option to see what
> is wrong but it is quite
> a cryptic message:
> 2621:error:0606506D:lib(6):func(101):reason(109):evp_enc.c:323:
> 
As already answered or equivalently 
http://www.openssl.org/support/faq.html#PROG7

> What I can find on the internet is that it is a wrong length 
> block or I
> need extra padding.

For decrypt it's wrong length, period. Padding is added on the 
*encrypt* side. If you use the lower level routines you may 
need to do this yourself (depending on your mode and data) 
but EVP normally handles it automatically.

<snip>
>         EVP_EncryptInit_ex(&ctx, EVP_bf_cbc(), NULL, key, iv);
> 
>         if(!EVP_EncryptUpdate(&ctx, outbuf, &outlen, intext,
<snip>
>         if(!EVP_EncryptFinal_ex(&ctx, outbuf + outlen, &tmplen))
<snip>
>         EVP_CIPHER_CTX_cleanup(&ctx);
>         /* Need binary mode for fopen because encrypted data is
>          * binary data. Also cannot use strlen() on it because
>          * it wont be null terminated and may contain embedded
>          * nulls.
>          */

You copied this comment correctly but apparently ignored it.
Ciphertext (for modern ciphers) is NOT a C string, and cannot 
safely be manipulated as a C string, as your code tries to.
Use the actual length of the ciphertext, not strlen().



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majordomo@openssl.org
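
The length point made in the reply above, as an added example that is not part of the original message or of OpenSSL's code: it compares the tracked ciphertext length with what a C-string function would see. The byte arrays are constructed samples, not real Blowfish output, and the names cstring_view and ct_len_ok are hypothetical helpers.

```c
#include <stdio.h>
#include <string.h>

#define BF_BLOCK 8 /* Blowfish block size in bytes */

/* Constructed bytes standing in for outbuf after EVP_EncryptFinal_ex;
 * the real length is outlen + tmplen = 16. Not real Blowfish output. */
static const unsigned char ct_with_zero[16] = {
    0x9f, 0x3c, 0x71, 0xe2, 0x48, 0x00, 0xb6, 0x1d,
    0x05, 0xaa, 0x00, 0x7e, 0xc4, 0x13, 0x88, 0x2b };
static const unsigned char ct_no_zero[16] = {
    0x11, 0x5d, 0xa4, 0x37, 0xe9, 0x62, 0xfb, 0x0c,
    0x81, 0x2e, 0xd6, 0x4a, 0x73, 0xbf, 0x19, 0xc8 };

/* Length a C-string function would see, scanned safely inside the buffer.
 * Returns 1 and sets *seen if a zero byte cuts the data short; returns 0 if
 * there is none, in which case strlen() would run past the end of buf. */
int cstring_view(const unsigned char *buf, size_t len, size_t *seen)
{
    const unsigned char *nul = memchr(buf, 0, len);
    *seen = nul ? (size_t)(nul - buf) : len;
    return nul != NULL;
}

/* Padded CBC ciphertext is always a non-zero whole number of blocks, so
 * any other length cannot decrypt. */
int ct_len_ok(size_t len)
{
    return len != 0 && len % BF_BLOCK == 0;
}

static void report(const char *name, const unsigned char *ct, size_t len)
{
    size_t seen;
    if (cstring_view(ct, len, &seen))
        printf("%s: real %zu bytes (ok=%d), as C string %zu bytes (ok=%d)\n",
               name, len, ct_len_ok(len), seen, ct_len_ok(seen));
    else
        printf("%s: real %zu bytes (ok=%d), no zero byte: strlen() overruns\n",
               name, len, ct_len_ok(len));
}

int main(void)
{
    report("ct_with_zero", ct_with_zero, sizeof ct_with_zero);
    report("ct_no_zero", ct_no_zero, sizeof ct_no_zero);
    return 0;
}
```

A zero byte that happens to fall on a block boundary passes the length check but still drops the rest of the data, so the check is a guard and not a substitute for carrying outlen + tmplen alongside the buffer.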