[openssl-users] Two questions on OpenSSL EVP API

Paul Smith paul at mad-scientist.net
Wed Dec 19 01:54:30 UTC 2018

Hi all; I'm working with OpenSSL 1.1.1a, using the EVP interface to
encrypt/decrypt with various ciphers/modes.

I had a couple of questions:

First, the encrypt update docs say:

> the amount of data written may be anything from zero bytes to
> (inl + cipher_block_size - 1)

Is that really true?  For example if my block size is 16 and my input
length is 4, could the encrypt step really write as many as 19 bytes
(4 + 16 - 1)?

I would have thought that the true maximum would be round-up(inl,
cipher_block_size); that is, for inl values 1-15 you'd get 16 bytes,
and for inl values 16-31 you'd get 32 bytes, etc. (I'm not actually
sure whether inl of 16 gets you 16 or 32 bytes...)

Am I wrong about that?  Would some ciphers/modes write beyond the end
of the current "block" and into the next one?

Second, the type of the outl parameter on EVP encrypt update is "int",
rather than (as I would have expected) "unsigned int".  Is there a
possibility that EVP would set &outl to a negative value and if so,
what would that mean?  Do I need to check for this in my code?  Same
with inl; why isn't it "unsigned int"?  Is there ever a reason to pass
in a negative value?

More information about the openssl-users mailing list