[openssl-users] Encryption length, OpenSSL_add_all_algorithm, and OpenSSL_add_all_ciphers questions

Michel michel.sales at free.fr
Fri Mar 27 16:15:01 UTC 2015


Hi Phil,

First, let me emphasize that Richard was right in a previous post: it is
not good practice to compare login info to decrypted password.
It is better NOT to keep user password when possible, and compare login to
salted hash password instead.

As you already know: the encrypted length is length of clear text + size of
1 cipher block if padding is enabled.
As a result, the length of the clear text is always shorter (or equal) than
the length of the cipher text.
:-)
And the EVP_DecryptFinal() function will NOT count the number of padding
bytes it has removed in the value returned in the 'outl' parameter.
https://www.openssl.org/docs/crypto/EVP_EncryptInit.html
So, to retrieve the total clear text length, you can safely do like the
example at :
https://wiki.openssl.org/index.php/EVP_Symmetric_Encryption_and_Decryption
(in this example, it is obviously named 'plaintext_len')

I hope I did not misunderstand you,
And hope this helps,

Regards,

Michel



From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of
Philip Bellino
Sent: Friday, March 27, 2015 13:48
To: openssl-users at openssl.org
Subject: Re: [openssl-users] Encryption length, OpenSSL_add_all_algorithm,
and OpenSSL_add_all_ciphers questions

Michel,
Thank you very much for your email.
The example given in your email works out fine if the encryption and
decryption are performed in the same routine.
The problem we are having is that we perform the encryption and then at some
point in the future we need to do the decryption.
At that point, we do not have the clear text password available nor do we
know the length that was the result of the previous
encryption so we don't have the correct encrypted length value to pass to
the decryption routine.
Some passwords have encrypted results that have nulls embedded in them, so
strlen() cannot be used on the
encrypted result to get its length.
 
Have you come across a situation such as this or is there something else you
can suggest to me?
 
Thanks,
Phil
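
Added example, not part of the original thread and not OpenSSL code: one way to keep the ciphertext length available for a later decryption is to store it in front of the ciphertext and validate it on read, since strlen() stops at the first embedded NUL. The record layout, the helper names (padded_len, blob_pack, blob_unpack), the 16-byte block size and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_SIZE 16 /* assumption: 16-byte block cipher such as AES */
/* Padded ciphertext size for n plaintext bytes: whole blocks, >= 1 pad byte. */
size_t padded_len(size_t n) { return (n / BLOCK_SIZE + 1) * BLOCK_SIZE; }

/* Record = 2-byte big-endian length + raw ciphertext. Returns size, 0 on error. */
size_t blob_pack(const unsigned char *ct, size_t ct_len,
                 unsigned char *out, size_t out_cap)
{
    if (ct_len == 0 || ct_len > 0xFFFF || ct_len % BLOCK_SIZE != 0) return 0;
    if (out_cap < ct_len + 2) return 0;
    out[0] = (unsigned char)(ct_len >> 8);
    out[1] = (unsigned char)(ct_len & 0xFF);
    memcpy(out + 2, ct, ct_len);
    return ct_len + 2;
}

/* Validates a stored record before its length is trusted for decryption.
 * Returns 0 and sets ct/ct_len, or -1 if truncated or not block-aligned. */
int blob_unpack(const unsigned char *rec, size_t rec_len,
                const unsigned char **ct, size_t *ct_len)
{
    size_t n;
    if (rec_len < 2) return -1;
    n = ((size_t)rec[0] << 8) | rec[1];
    if (n == 0 || n % BLOCK_SIZE != 0 || n > rec_len - 2) return -1;
    *ct = rec + 2;
    *ct_len = n;
    return 0;
}

/* Constructed sample: 16 stand-in ciphertext bytes with NULs at offsets 3, 6. */
static const unsigned char SAMPLE_CT[16] = {
    0x9a, 0x41, 0x7c, 0x00, 0xe2, 0x15, 0x00, 0xb8,
    0x3d, 0xf0, 0x66, 0x2b, 0x91, 0x04, 0xc7, 0x5e
};

int main(void)
{
    unsigned char rec[64];
    const unsigned char *ct;
    size_t n = 0, w = blob_pack(SAMPLE_CT, sizeof SAMPLE_CT, rec, sizeof rec);
    if (blob_unpack(rec, w, &ct, &n) != 0) return 1;
    printf("strlen=%zu stored=%zu\n", strlen((const char *)SAMPLE_CT), n);
    return 0;
}
```

The length recovered by blob_unpack is the value to pass as the input length to the decryption call; the plaintext length still comes from the decrypt routine's output counts.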


