Xu, Qiang (FXSGSC) wrote:
> Hi, all:
> I come across a problem in using crypto library in OpenSSL.
> We are using EVP_DecryptInit(), EVP_DecryptUpdate(), and EVP_DecryptFinal() to do the decryption of the user's password after the user logs in. However, I just found when the user's password is "$elkins02", the decrypted string will be empty one (whose strlen() == 0).
> I have changed the user's password to "$dlkins02", "$flkins02", and "$Elkins02", and all of them can be decrypted correctly. So I suspect crypto library can't handle the substring "$e" in password. But another password "$eFair123" can be decrypted correctly. I am really at a loss what combination will cause the crypto library unable to decrypt password.
> Anyone has spotted the problem before? We are using OpenSSL 0.9.7a.
> Any suggestion is welcome,
> Xu Qiang

It's quite unlikely that the openssl crypto library (or any crypto
library) would have the kind of problem that you're mentioning.

My guess would be that the problem lies in your encryption/decryption
code. Make sure that the encrypted password is stored/retrieved properly
(if I dare venture a guess, please check that you're not treating
encrypted material as C strings in your code).

I used to think I was indecisive, but now I'm not so sure.
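The failure mode the reply guesses at, shown as an added example that is not code from this thread or from OpenSSL: ciphertext is raw bytes and may contain 0x00, so any strlen()/strcpy()-style handling silently truncates it for some inputs and not for others. The toy chained-XOR cipher and its keystream are constructed stand-ins (assumptions) chosen so that one sample password produces a zero byte; the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed keystream for a toy chained-XOR cipher (stand-in, not OpenSSL). */
static const unsigned char KS[9] = {0x9a,0x3c,0x8b,0xd1,0x07,0xb8,0x4e,0x22,0xf3};

/* ct[i] = pt[i] ^ KS[i] ^ ct[i-1]: each output byte depends on all earlier input. */
static void toy_encrypt(const unsigned char *pt, size_t n, unsigned char *ct)
{
    unsigned char prev = 0;
    for (size_t i = 0; i < n; i++)
        prev = ct[i] = pt[i] ^ KS[i % sizeof KS] ^ prev;
}

static void toy_decrypt(const unsigned char *ct, size_t n, unsigned char *pt)
{
    unsigned char prev = 0;
    for (size_t i = 0; i < n; i++) {
        pt[i] = ct[i] ^ KS[i % sizeof KS] ^ prev;
        prev = ct[i];
    }
}

/* Bytes that reach storage: strlen() stops at the first 0x00 in the ciphertext. */
static size_t stored_len(const unsigned char *ct, size_t n, int as_cstring)
{
    return as_cstring ? strlen((const char *)ct) : n;
}

/* Returns 1 if pw survives encrypt -> store -> load -> decrypt unchanged. */
static int round_trips(const char *pw, int as_cstring)
{
    unsigned char ct[64] = {0}, db[64] = {0}, pt[64] = {0};
    size_t n = strlen(pw);
    if (n >= sizeof ct)
        return 0;
    toy_encrypt((const unsigned char *)pw, n, ct);
    size_t kept = stored_len(ct, n, as_cstring);
    memcpy(db, ct, kept);            /* what the "database" ends up holding */
    toy_decrypt(db, kept, pt);
    return kept == n && memcmp(pt, pw, n) == 0;
}

int main(void)
{
    const char *pws[] = {"$elkins02", "$dlkins02", "$eFair123"};
    for (size_t i = 0; i < 3; i++)
        printf("%-10s as C string: %d  with length: %d\n", pws[i],
               round_trips(pws[i], 1), round_trips(pws[i], 0));
    return 0;
}
```

With a padded block cipher, a ciphertext truncated this way typically fails the final-block check instead of yielding a plaintext prefix; carrying the length returned by the encrypt calls alongside the bytes (or encoding the ciphertext as hex or Base64 before storing it as text) avoids the truncation.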