From 1f4077d870f793d0d589d29ef1eed5f11f956a11 Mon Sep 17 00:00:00 2001 From: Thomas Waldmann Date: Tue, 3 Mar 2015 20:18:28 +0100 Subject: [PATCH] crypto.pyx: adapt to strange requirements found in the openssl docs https://www.openssl.org/docs/crypto/EVP_aes_256_cbc.html EVP_DecryptInit_ex(), EVP_DecryptUpdate() and EVP_DecryptFinal_ex() are the corresponding decryption operations. EVP_DecryptFinal() will return an error code if padding is enabled and the final block is not correctly formatted. The parameters and restrictions are identical to the encryption operations except that if padding is enabled the decrypted data buffer out passed to EVP_DecryptUpdate() should have sufficient room for (inl + cipher_block_size) bytes unless the cipher block size is 1 in which case inl bytes is sufficient. I doubt this is correct, but let's rather be defensive here. --- attic/crypto.pyx | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/attic/crypto.pyx b/attic/crypto.pyx index 20e6c05cd..61dbc42d5 100644 --- a/attic/crypto.pyx +++ b/attic/crypto.pyx @@ -152,7 +152,10 @@ cdef class AES: cdef int inl = len(data) cdef int ptl = 0 cdef int outl = 0 - cdef unsigned char *out = malloc(inl) + # note: modes that use padding, need up to one extra AES block (16b). + # This is what the openssl docs say. I am not sure this is correct, + # but OTOH it will not cause any harm if our buffer is a little bigger. + cdef unsigned char *out = malloc(inl+16) if not out: raise MemoryError try: