[openssl-users] EVP AES Wrap

Luís Martins luis.pinto.martins at gmail.com
Thu May 17 10:12:40 UTC 2018


Thanks Matt, it works fine now.

Regards,
Luís


On Thu, May 17, 2018 at 10:09 AM Matt Caswell <matt at openssl.org> wrote:

>
>
> On 16/05/18 18:55, Luís Martins wrote:
> > Hi,
> >
> >     I'm trying to use the EVP AES wrap implementations from openssl
> > (e.g. EVP_aes_128/192/256_wrap()) but I'm getting the following error in
> > EVP_EncryptInit_ex():
> >     error:0607B0AA:digital envelope routines:EVP_CipherInit_ex:wrap mode
> > not allowed
> >     I've searched the documentation for examples or guidance but I
> > couldn't find anything related to this.
> >     Has anyone experienced the same issue?
>
> You need to enable wrap mode:
>
> EVP_CIPHER_CTX_set_flags(&ctx, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW);
>
> The EVP encrypt routines set an expectation about how long the output
> might be for a given input:
>
> "EVP_EncryptUpdate() encrypts B<inl> bytes from the buffer B<in> and
> writes the encrypted version to B<out>. This function can be called
> multiple times to encrypt successive blocks of data. The amount
> of data written depends on the block alignment of the encrypted data:
> as a result the amount of data written may be anything from zero bytes
> to (inl + cipher_block_size - 1) so B<out> should contain sufficient
> room."
>
> The wrap modes do not obey this rule and may return more data, so you
> have to explicitly enable the mode to say that you are prepared for the
> output.
>
> Matt
>
>
> >
> >     My pseudo code is:
> >
> >         EVP_CIPHER_CTX ctx;
> >         EVP_CIPHER_CTX_init(&ctx);
> >         if (EVP_EncryptInit_ex(&ctx, EVP_aes_128_wrap(), 0,
> > keyEncriptionKey, iv) != 1)
> >              // process error
> >         if ( EVP_EncryptUpdate(&ctx, bufferOut, &processedSize,
> > plaintext, plaintextSize) != 1)
> >              // process error
> >         if (EVP_EncryptFinal_ex(&ctx, bufferOut + processedSize,
> > &tmpSize) != 1)
> >              // process error
> >         EVP_CIPHER_CTX_cleanup(&ctx);
> >
> > Regards,
> > Luís
> >
> >
>