openssl BIOs to encrypt / decrypt - padding problem

Hi Experts,

I've got some code that sets up a cipher/base64/memory sink bio.  I write to this bio and then I do the same to decrypt.

The thing that I do wrong to get it working is to pad the clear text myself (so that it's a multiple of 8) with spaces.  This means my input cannot end with a space.  That's my problem.  On my decrypt, I remove the spaces at the end.  How do I get OpenSSL to pad for me with the BIO functions so that I don' t have this constraint?

here's my code:
	m_pMem = BIO_new(BIO_s_mem());

	// create the base64 bio
	m_pBase64 = BIO_new(BIO_f_base64());
	BIO_set_flags(m_pBase64, BIO_FLAGS_BASE64_NO_NL);

	// create the cipher bio
	m_pCipher = BIO_new(BIO_f_cipher());

	// build the chain
	BIO_push(m_pCipher, m_pBase64);
	BIO_push(m_pBase64, m_pMem);
        BIO_set_cipher(m_pCipher, EVP_des_ede3_cbc(), (unsigned char *) PASSPHRASE, (const unsigned char *)vector, 1);

         BIO_write(...)
         BIO_flush(....)

Open in new window

LVL 1
threadyAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

btanExec ConsultantCommented:
Padding is by default enabled and better to use EVP function direct. EVP_ interfaces takes care of padding for it to be transparently applied, as guided by the Openssl writing  -
All new code should use EVP_EncryptInit_ex(), EVP_EncryptFinal_ex(), EVP_DecryptInit_ex(), EVP_DecryptFinal_ex(), EVP_CipherInit_ex() and EVP_CipherFinal_ex() because they can reuse an existing context without allocating and freeing it up on each call.
https://www.openssl.org/docs/manmaster/crypto/EVP_EncryptInit.html

The older ones functions are same name but w/o "_ex", they are still kept for legacy support but we should still use the newer one. So for example using the symmetric , can check out below. Do consider AES instead of 3DES which latter is weaker in crypto strength and keys

https://wiki.openssl.org/index.php/EVP_Symmetric_Encryption_and_Decryption

Henceforth the sequences should be
Call EVP_CIPHER_CTX_new to create a context
Call EVP_CIPHER_CTX_set_padding on the context
Call EVP_EncryptInit_ex with the context
Call EVP_EncryptUpdate_ex to encrypt the data
Call EVP_EncryptFinal_ex to retrieve the cipher text

Do consider for your applications to use the higher level functions such as EVP_EncryptInit etc. instead. But do note this learning
Having just recently been grappling with this, you need to make sure, in
your OpenSSL code, that the EVP_EncryptFinal_ex() function is being
executed correctly on the last block of data.

Left to the defaults, EVP_EncryptFinal_ex worries about the padding, you
do not need to do anything.

One problem that I did encounter was issues with the length of the
encrypted block. In my code, I was encrypting the block, and then base64
encoding the result. I then un-base64-encoded the result, and then applied
the decryption to reverse the process. The problem was in my case that the
length I was using to decrypt the code was the length returned by the
base64 decoder, which was adding 1 to the real length to be a terminating
0 character.

OpenSSL then complained that it could not decrypt the final block.

In other words, double check your lengths and make sure they are correct
all the way through.
http://permalink.gmane.org/gmane.comp.encryption.openssl.user/28243

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
threadyAuthor Commented:
Fabulous answer, thanks a lot.  I did use evp method in the end.  Would have been nice to have padding with BIOs though, because the code is infinitely cleaner.
btanExec ConsultantCommented:
Thanks for sharing, glad it helps
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Encryption

From novice to tech pro — start learning today.