EVP_aes_256_xts() problems with multiple calls to EVP_CipherUpdate

Norm Green norm.green at gemtalksystems.com
Tue Oct 1 01:11:39 UTC 2019


Hi all,

I'm using OpenSSL 1.1.1d on Linux with the cipher EVP_aes_256_xts() in 
order to write database/disk encryption software.

When encrypting, I have problems if I call EVP_CipherUpdate() and 
encrypt the data in chunks. Encrypting only works when I encrypt the 
entire payload with one and only one call to EVP_CipherUpdate.

If I try to break the data into chunks (and make more than one call to 
EVP_CipherUpdate), then decrypting the data produces garbage after the 
first chunk that was encrypted.
When decrypting, I always decrypt all data in one call to EVP_CipherUpdate.

For example, when encrypting 1024 bytes, this pseudo-code sequence works:

char payload[1024];
char encrypted[1024];
int destSize = sizeof(encrypted);
EVP_CipherInit_ex();
EVP_CipherUpdate(ctx, encrypted, &destSize, payload, sizeof(payload));
EVP_CipherFinal(); // produces no additional data

However if I break the 1024 payload into 2 x 512 byte chunks, decrypting 
the entire 1024 bytes of cipher text produces garbage every time:

char payload[1024];
char encrypted[1024];
int destSize = sizeof(encrypted);
EVP_CipherInit_ex();
EVP_CipherUpdate(ctx, encrypted, &destSize, payload, 512); // first chunk
destSize -= 512;
EVP_CipherUpdate(ctx, &encrypted[512], &destSize, &payload[512], 512); // second chunk
EVP_CipherFinal(); // produces no additional data

I have a short C program that demonstrates the problem that I can post 
if necessary.

Can anyone explain what's going on?

Norm Green
CTO, GemTalk Systems Inc.

