OpenSSL Decryption - EVP_DecryptFinal_ex fails












0














I'm using this decryption function to get the plain text value of a cipher which was encrypted using EVP AES 265 GCM; I can see data in rawOut but ret = EVP_DecryptFinal_ex(ctx, rawOut, &len); returns 0; can you provide any insight as to why? I've also seen sources which do rawOut + len in the EVP_DecryptFinal_ex code, I'm not sure why this would be needed as it would move the pointer to the end of the buffer.



unsigned char* keyDecrypter(unsigned char* pszMasterKey)
{
ERR_load_crypto_strings();

int ret, len;
EVP_CIPHER_CTX* ctx;
unsigned char* rawOut = new unsigned char[48]; // ToDo Remove Hardcoded Value

Info info = m_header.processKeyInfo();
if (NULL == info.nonce)
return NULL;

if (!(ctx = EVP_CIPHER_CTX_new()))
return NULL;

if (!EVP_DecryptInit_ex(ctx, EVP_aes_256_gcm(), NULL, pszMasterKey, info.nonce))
return NULL;

if (!EVP_DecryptUpdate(ctx, NULL, &len, m_header.aad, m_header.aad_len))
return NULL;

if (!EVP_DecryptUpdate(ctx, rawOut, &len, m_header.encryptedValue, m_header.encryptedValueLen))
return NULL;

// Finalise the decryption. A positive return value indicates success,
// anything else is a failure - the plain text is not trustworthy.
ret = EVP_DecryptFinal_ex(ctx, rawOut, &len);

ERR_print_errors_fp(stderr);

EVP_CIPHER_CTX_free(ctx);

if (ret > 0)
{
return rawOut;
}
else
{
return NULL;
}
}









share|improve this question





























    0














    I'm using this decryption function to get the plain text value of a cipher which was encrypted using EVP AES 265 GCM; I can see data in rawOut but ret = EVP_DecryptFinal_ex(ctx, rawOut, &len); returns 0; can you provide any insight as to why? I've also seen sources which do rawOut + len in the EVP_DecryptFinal_ex code, I'm not sure why this would be needed as it would move the pointer to the end of the buffer.



    unsigned char* keyDecrypter(unsigned char* pszMasterKey)
    {
    ERR_load_crypto_strings();

    int ret, len;
    EVP_CIPHER_CTX* ctx;
    unsigned char* rawOut = new unsigned char[48]; // ToDo Remove Hardcoded Value

    Info info = m_header.processKeyInfo();
    if (NULL == info.nonce)
    return NULL;

    if (!(ctx = EVP_CIPHER_CTX_new()))
    return NULL;

    if (!EVP_DecryptInit_ex(ctx, EVP_aes_256_gcm(), NULL, pszMasterKey, info.nonce))
    return NULL;

    if (!EVP_DecryptUpdate(ctx, NULL, &len, m_header.aad, m_header.aad_len))
    return NULL;

    if (!EVP_DecryptUpdate(ctx, rawOut, &len, m_header.encryptedValue, m_header.encryptedValueLen))
    return NULL;

    // Finalise the decryption. A positive return value indicates success,
    // anything else is a failure - the plain text is not trustworthy.
    ret = EVP_DecryptFinal_ex(ctx, rawOut, &len);

    ERR_print_errors_fp(stderr);

    EVP_CIPHER_CTX_free(ctx);

    if (ret > 0)
    {
    return rawOut;
    }
    else
    {
    return NULL;
    }
    }









    share|improve this question



























      0












      0








      0







      I'm using this decryption function to get the plain text value of a cipher which was encrypted using EVP AES 265 GCM; I can see data in rawOut but ret = EVP_DecryptFinal_ex(ctx, rawOut, &len); returns 0; can you provide any insight as to why? I've also seen sources which do rawOut + len in the EVP_DecryptFinal_ex code, I'm not sure why this would be needed as it would move the pointer to the end of the buffer.



      unsigned char* keyDecrypter(unsigned char* pszMasterKey)
      {
      ERR_load_crypto_strings();

      int ret, len;
      EVP_CIPHER_CTX* ctx;
      unsigned char* rawOut = new unsigned char[48]; // ToDo Remove Hardcoded Value

      Info info = m_header.processKeyInfo();
      if (NULL == info.nonce)
      return NULL;

      if (!(ctx = EVP_CIPHER_CTX_new()))
      return NULL;

      if (!EVP_DecryptInit_ex(ctx, EVP_aes_256_gcm(), NULL, pszMasterKey, info.nonce))
      return NULL;

      if (!EVP_DecryptUpdate(ctx, NULL, &len, m_header.aad, m_header.aad_len))
      return NULL;

      if (!EVP_DecryptUpdate(ctx, rawOut, &len, m_header.encryptedValue, m_header.encryptedValueLen))
      return NULL;

      // Finalise the decryption. A positive return value indicates success,
      // anything else is a failure - the plain text is not trustworthy.
      ret = EVP_DecryptFinal_ex(ctx, rawOut, &len);

      ERR_print_errors_fp(stderr);

      EVP_CIPHER_CTX_free(ctx);

      if (ret > 0)
      {
      return rawOut;
      }
      else
      {
      return NULL;
      }
      }









      share|improve this question















      I'm using this decryption function to get the plain text value of a cipher which was encrypted using EVP AES 265 GCM; I can see data in rawOut but ret = EVP_DecryptFinal_ex(ctx, rawOut, &len); returns 0; can you provide any insight as to why? I've also seen sources which do rawOut + len in the EVP_DecryptFinal_ex code, I'm not sure why this would be needed as it would move the pointer to the end of the buffer.



      unsigned char* keyDecrypter(unsigned char* pszMasterKey)
      {
      ERR_load_crypto_strings();

      int ret, len;
      EVP_CIPHER_CTX* ctx;
      unsigned char* rawOut = new unsigned char[48]; // ToDo Remove Hardcoded Value

      Info info = m_header.processKeyInfo();
      if (NULL == info.nonce)
      return NULL;

      if (!(ctx = EVP_CIPHER_CTX_new()))
      return NULL;

      if (!EVP_DecryptInit_ex(ctx, EVP_aes_256_gcm(), NULL, pszMasterKey, info.nonce))
      return NULL;

      if (!EVP_DecryptUpdate(ctx, NULL, &len, m_header.aad, m_header.aad_len))
      return NULL;

      if (!EVP_DecryptUpdate(ctx, rawOut, &len, m_header.encryptedValue, m_header.encryptedValueLen))
      return NULL;

      // Finalise the decryption. A positive return value indicates success,
      // anything else is a failure - the plain text is not trustworthy.
      ret = EVP_DecryptFinal_ex(ctx, rawOut, &len);

      ERR_print_errors_fp(stderr);

      EVP_CIPHER_CTX_free(ctx);

      if (ret > 0)
      {
      return rawOut;
      }
      else
      {
      return NULL;
      }
      }






      c++ c c++11 openssl public-key-encryption






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Nov 20 at 13:47

























      asked Nov 20 at 13:29









      Oliver Ciappara

      448717




      448717
























          1 Answer
          1






          active

          oldest

          votes


















          0














          You need to pass rawOut + len to EVP_DecryptFinal_ex. See in the example at the end of the documentation:



              /* Buffer passed to EVP_EncryptFinal() must be after data just
          * encrypted to avoid overwriting it.
          */
          if(!EVP_EncryptFinal_ex(ctx, outbuf + outlen, &tmplen))
          {
          /* Error */
          return 0;
          }
          outlen += tmplen;


          Also note that rawOut must have enough room for (m_header.aad_len + cipher_block_size) bytes. You can get the block size with EVP_CIPHER_block_size().






          share|improve this answer





















          • I have read the documentation and as I mentioned I'm unsure why the outbuf + outlen is needed, as for the cipher_block_size, thank you I've missed that I'll test that out. thanks for your answer
            – Oliver Ciappara
            Nov 20 at 14:44










          • So I've tried both suggestions and still not getting a positive value from the function. Thanks tho.
            – Oliver Ciappara
            Nov 20 at 15:07











          Your Answer






          StackExchange.ifUsing("editor", function () {
          StackExchange.using("externalEditor", function () {
          StackExchange.using("snippets", function () {
          StackExchange.snippets.init();
          });
          });
          }, "code-snippets");

          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "1"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53394102%2fopenssl-decryption-evp-decryptfinal-ex-fails%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          0














          You need to pass rawOut + len to EVP_DecryptFinal_ex. See in the example at the end of the documentation:



              /* Buffer passed to EVP_EncryptFinal() must be after data just
          * encrypted to avoid overwriting it.
          */
          if(!EVP_EncryptFinal_ex(ctx, outbuf + outlen, &tmplen))
          {
          /* Error */
          return 0;
          }
          outlen += tmplen;


          Also note that rawOut must have enough room for (m_header.aad_len + cipher_block_size) bytes. You can get the block size with EVP_CIPHER_block_size().






          share|improve this answer





















          • I have read the documentation and as I mentioned I'm unsure why the outbuf + outlen is needed, as for the cipher_block_size, thank you I've missed that I'll test that out. thanks for your answer
            – Oliver Ciappara
            Nov 20 at 14:44










          • So I've tried both suggestions and still not getting a positive value from the function. Thanks tho.
            – Oliver Ciappara
            Nov 20 at 15:07
















          0














          You need to pass rawOut + len to EVP_DecryptFinal_ex. See in the example at the end of the documentation:



              /* Buffer passed to EVP_EncryptFinal() must be after data just
          * encrypted to avoid overwriting it.
          */
          if(!EVP_EncryptFinal_ex(ctx, outbuf + outlen, &tmplen))
          {
          /* Error */
          return 0;
          }
          outlen += tmplen;


          Also note that rawOut must have enough room for (m_header.aad_len + cipher_block_size) bytes. You can get the block size with EVP_CIPHER_block_size().






          share|improve this answer





















          • I have read the documentation and as I mentioned I'm unsure why the outbuf + outlen is needed, as for the cipher_block_size, thank you I've missed that I'll test that out. thanks for your answer
            – Oliver Ciappara
            Nov 20 at 14:44










          • So I've tried both suggestions and still not getting a positive value from the function. Thanks tho.
            – Oliver Ciappara
            Nov 20 at 15:07














          0












          0








          0






          You need to pass rawOut + len to EVP_DecryptFinal_ex. See in the example at the end of the documentation:



              /* Buffer passed to EVP_EncryptFinal() must be after data just
          * encrypted to avoid overwriting it.
          */
          if(!EVP_EncryptFinal_ex(ctx, outbuf + outlen, &tmplen))
          {
          /* Error */
          return 0;
          }
          outlen += tmplen;


          Also note that rawOut must have enough room for (m_header.aad_len + cipher_block_size) bytes. You can get the block size with EVP_CIPHER_block_size().






          share|improve this answer












          You need to pass rawOut + len to EVP_DecryptFinal_ex. See in the example at the end of the documentation:



              /* Buffer passed to EVP_EncryptFinal() must be after data just
          * encrypted to avoid overwriting it.
          */
          if(!EVP_EncryptFinal_ex(ctx, outbuf + outlen, &tmplen))
          {
          /* Error */
          return 0;
          }
          outlen += tmplen;


          Also note that rawOut must have enough room for (m_header.aad_len + cipher_block_size) bytes. You can get the block size with EVP_CIPHER_block_size().







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Nov 20 at 14:25









          sergiopm

          1514




          1514












          • I have read the documentation and as I mentioned I'm unsure why the outbuf + outlen is needed, as for the cipher_block_size, thank you I've missed that I'll test that out. thanks for your answer
            – Oliver Ciappara
            Nov 20 at 14:44










          • So I've tried both suggestions and still not getting a positive value from the function. Thanks tho.
            – Oliver Ciappara
            Nov 20 at 15:07


















          • I have read the documentation and as I mentioned I'm unsure why the outbuf + outlen is needed, as for the cipher_block_size, thank you I've missed that I'll test that out. thanks for your answer
            – Oliver Ciappara
            Nov 20 at 14:44










          • So I've tried both suggestions and still not getting a positive value from the function. Thanks tho.
            – Oliver Ciappara
            Nov 20 at 15:07
















          I have read the documentation and as I mentioned I'm unsure why the outbuf + outlen is needed, as for the cipher_block_size, thank you I've missed that I'll test that out. thanks for your answer
          – Oliver Ciappara
          Nov 20 at 14:44




          I have read the documentation and as I mentioned I'm unsure why the outbuf + outlen is needed, as for the cipher_block_size, thank you I've missed that I'll test that out. thanks for your answer
          – Oliver Ciappara
          Nov 20 at 14:44












          So I've tried both suggestions and still not getting a positive value from the function. Thanks tho.
          – Oliver Ciappara
          Nov 20 at 15:07




          So I've tried both suggestions and still not getting a positive value from the function. Thanks tho.
          – Oliver Ciappara
          Nov 20 at 15:07


















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Stack Overflow!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.





          Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


          Please pay close attention to the following guidance:


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53394102%2fopenssl-decryption-evp-decryptfinal-ex-fails%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          Costa Masnaga

          Fotorealismo

          Sidney Franklin