[openssl-dev] [openssl.org #4472] [PATCH] alllowing wrap mode using enc command

Stephen Henson via RT rt at openssl.org
Fri Mar 25 13:15:14 UTC 2016

On Tue Mar 22 21:51:05 2016, michel.sales at free.fr wrote:
> Hi,
> Here attached is some test data files and a patch against today's git repo
> to allow for the use of wrap mode using the OpenSSL 'enc' command.
> The 'raw*.dat' files contains the NIST test vectors, and the '*.ok.enc' the
> expected encrypted result (base64 encoded with equivalent hexa value).
> The testwrap.cmds file is a small Windows script (.bat) with tests commands.
> As mentioned in a previous post, It may not be the best way to achieve this,
> in which case I would be happy to learn how to do it better.

The enc command uses a cipher BIO chain which requires that a cipher is able to
stream. That means the output doesn't depend on how the input is presented:
e.g. all in one piece or one byte at a time.

The wrap modes by their very nature cannot stream and so cannot work easily
with the enc command. It may work for some cases but if buffers fill and you
end up getting data in more than one piece the result is different. There are
other modes which have problem with streaming too such as CCM.

I think supporting wrap modes in the 'enc' utility is a good idea but it
unfortunately requires rather more significant changes to bypass the cipher BIO
mechanism and present the data in a single operation where required. That would
also mean things like chaining (base64 operations) cannot work.

We support tests already in evptests.txt: some additions in there would be

Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4472
Please log in as guest with password guest if prompted

More information about the openssl-dev mailing list