"num" parameter and expected output buffer size in EVP_CipherUpdate

Tomas Mraz tomas at openssl.org
Fri Dec 16 10:53:46 UTC 2022

On Thu, 2022-12-15 at 20:44 +0100, Wiktor Kwapisiewicz via openssl-users wrote:
> Hi Michel,
> On 15.12.2022 19:17, Michel wrote:
> > "the amount of data written can be anything from zero bytes to
> > (inl + cipher_block_size) bytes" (at a maximum)
> > 
> > what you are asking for ?
> > 
> > Resulting in cipher_block_size bytes needed (at max, may be 0)
> > when calling EVP_CipherFinal() ?
> > 
> > "The encrypted final data is written to out which should have
> > sufficient space for one cipher block".
> This gives a range and I'm looking for exact value. That value can be
> calculated using Matt's description [0]. I'm wondering if that can be
> done without keeping external state, just using cipher API.
> The "num" parameter looked like exactly what I was looking for but 
> either I'm holding it wrong or I misunderstood its purpose.
> The use case I have in mind is to provide safe API that checks if the
> client provided buffer big enough for next call to CipherUpdate. In
> some cases, for example when encrypting data block by block by the
> client, the output buffer of one block is sufficient.
> I hope that clarifies the use case I have in mind.

There is no way to get the exact output buffer size needed other than by
knowing the cipher and the provider. If you know that the cipher used is
producing the ciphertext with the same length as the plaintext (at
least in the circumstances you follow - for example the length is a
multiple of the block size), then you know that if for every previous
call to EncryptUpdate (if there was any) the output ciphertext size was
the same as the plaintext size, then the next EncryptUpdate call cannot
produce any more ciphertext bytes than plaintext size.

Of course once you feed the data to EncryptUpdate by chunks sized
smaller than block size, there logically has to be some caching
involved as a block cipher must encrypt only full blocks unless there
is some padding involved but that applies only to the last block.

In case of AEAD modes this is also different as there must be some
additional space in the ciphertext for the tag.

Tomáš Mráz, OpenSSL
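
An added example, not part of the message above and not OpenSSL code: a caller-side tracker for the "external state" the thread discusses, used to check an output buffer before the next update call. It assumes block-cipher encryption in ECB or CBC mode where each update emits only whole blocks and holds back the remainder; the names enc_tracker and tracker_* are hypothetical, and it falls back to the quoted worst case (inl + cipher_block_size) when that assumption does not hold.

```c
#include <limits.h>
#include <stddef.h>

/* Hypothetical caller-side tracker; not an OpenSSL type. */
typedef struct {
    int block_size;  /* cipher block size in bytes, e.g. 16 for AES */
    int buffered;    /* plaintext bytes held back by earlier updates */
    int exact;       /* 1 only for the assumed case: ECB/CBC encryption */
} enc_tracker;

void tracker_init(enc_tracker *t, int block_size, int exact)
{
    t->block_size = block_size;
    t->buffered = 0;
    t->exact = exact;
}

/* Bytes the next update may write for inl input bytes, or -1 on bad input. */
int tracker_need(const enc_tracker *t, int inl)
{
    if (inl < 0 || t->block_size <= 0 || inl > INT_MAX - t->block_size)
        return -1;                       /* inl + block_size would overflow int */
    if (!t->exact)
        return inl + t->block_size;      /* documented worst case */
    /* Assumed model: only whole blocks are emitted, remainder stays cached. */
    return (t->buffered + inl) / t->block_size * t->block_size;
}

/* Returns 1 if out_cap is large enough for the next update, else 0. */
int tracker_check(const enc_tracker *t, int inl, size_t out_cap)
{
    int need = tracker_need(t, inl);
    return need >= 0 && out_cap >= (size_t)need;
}

/* Call after a successful update with the same inl and the outl it reported.
 * Returns 0 and drops to the worst-case bound if the model did not match. */
int tracker_account(enc_tracker *t, int inl, int outl)
{
    if (t->exact && outl != tracker_need(t, inl)) {
        t->exact = 0;                    /* cipher/provider behaves differently */
        return 0;
    }
    if (t->exact)
        t->buffered = (t->buffered + inl) % t->block_size;
    return 1;
}
```

As the message notes, AEAD modes also need space for the tag, so the tracker should be created with exact set to 0 for anything outside the assumed case.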
