> I'm not sure, that this code is correct?


It has some minor issues but appears basically correct.


> EVP_EncryptInit_ex(&ctx,EVP_aes_256_cbc(),NULL,key,iv);
> EVP_EncryptUpdate(&ctx,outbuf,&outlen,text,strlen(text));
> EVP_EncryptFinal_ex(&ctx,outbuf+outlen,&tmplen);
> outlen+=tmplen;
> EVP_CIPHER_CTX_cleanup(&ctx);


> printf("%s\n",outbuf);


The result of this 'printfs' is undefined. The '%s' format specifier
requires a C-style string, and 'outbuf' does not contain a C-style string.
This will most likely just display a few bytes of garbage but it could
crash.

> EVP_DecryptInit_ex(&ctx,EVP_aes_256_cbc(),NULL,key,iv);
> EVP_DecryptUpdate(&ctx,outbuf,&outlen,text,strlen(text));


This is really ugly code. The function 'strlen(text)' tells you the size of
the string stored in text, but what you want is the number of bytes of
storage allocated. (In this case, it doesn't make much difference, but it's
a bad habit to get into and in realistic cases, it will make your code
fail).

> EVP_DecryptFinal_ex(&ctx,outbuf+outlen,&tmplen);
> outlen+=tmplen;
> EVP_CIPHER_CTX_cleanup(&ctx);
>
> printf("%s\n",text);


Again, in a toy program, this is fine. But in a real program, you need to
make sure you have a C-style string before you pass it through '%s' or call
functions like 'strlen' and 'strcat'. Normally, the result of decrypting is
an arbitrary array of bytes, not a string.

DS


__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org