vkkindia

Reputation: 57

Calculate size of buffer for OpenSSL encryption and decryption?

In this sample program, how do I calculate the buffer size instead of specifying a constant?

/*
 * Buffer for ciphertext. Ensure the buffer is long enough for the
 * ciphertext which may be longer than the plaintext, depending on the
 * algorithm and mode.
 */
unsigned char ciphertext[128];

/* Buffer for the decrypted text */
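unsigned char decryptedtext[128];

#include <openssl/conf.h>
#include <openssl/evp.h>
#include <openssl/err.h>
#include <stdio.h>
#include <string.h>

/* encrypt() and decrypt() are defined elsewhere; their bodies are not shown in the question */
int encrypt(unsigned char *plaintext, int plaintext_len, unsigned char *key,
            unsigned char *iv, unsigned char *ciphertext);
int decrypt(unsigned char *ciphertext, int ciphertext_len, unsigned char *key,
            unsigned char *iv, unsigned char *plaintext);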

int main (void)
{
    /* A 256 bit key */
    unsigned char *key = (unsigned char* )"01234567890123456789012345678901";

    /* A 128 bit IV */
    unsigned char *iv = (unsigned char *)"0123456789012345";

    /* Message to be encrypted */
    unsigned char *plaintext =
        (unsigned char *)"The quick brown fox jumps over the lazy dog";

    /*
     * Buffer for ciphertext. Ensure the buffer is long enough for the
     * ciphertext which may be longer than the plaintext, depending on the
     * algorithm and mode.
     */
    unsigned char ciphertext[128];

    /* Buffer for the decrypted text */
    unsigned char decryptedtext[128];

    int decryptedtext_len, ciphertext_len;

    /* Encrypt the plaintext */
    ciphertext_len = encrypt (plaintext, strlen ((char *)plaintext), key, iv,
                              ciphertext);

    /* Do something useful with the ciphertext here */
    printf("Ciphertext is:\n");
    BIO_dump_fp (stdout, (const char *)ciphertext, ciphertext_len);

    /* Decrypt the ciphertext */
    decryptedtext_len = decrypt(ciphertext, ciphertext_len, key, iv,
                                decryptedtext);

    /* Add a NULL terminator. We are expecting printable text */
    decryptedtext[decryptedtext_len] = '\0';

    /* Show the decrypted text */
    printf("Decrypted text is:\n");
    printf("%s\n", decryptedtext);

    return 0;
}

Upvotes: 1

Views: 2529

Answers (2)

jww

Reputation: 102426

Calculate size of buffer for OpenSSL encryption and decryption?

The size of the buffers depends on the cipher, the direction, mode of operation and the input length. Your sample code is missing two or three of them so we can only speculate. The code below assumes a block cipher like AES with a 16-byte block size.

For the forward direction/encryption use the following. It rounds up the plain text size to the next block size. You will have either an oversized buffer or a well-sized buffer.

size_t max_ciphertext_size(size_t plaintext_size)
{
    return ((plaintext_size+16)/16)*16;
}

You will not know the exact size of the buffer until the encryption transformation is applied. The encryptor has to tell you the number of bytes used.

For the reverse direction/decryption use the following. It rounds down the cipher text size to the next block size. You will have either an oversized buffer or a well-sized buffer.

size_t max_plaintext_size(size_t ciphertext_size)
{
    return ciphertext_size;
}

You will not know the exact size of the buffer until the decryption transformation is applied. The decryptor has to tell you the number of bytes used.

Upvotes: 1

kiran Biradar

Reputation: 12742

As per evp_decryptupdate

The parameters and restrictions are identical to the encryption operations except that if padding is enabled the decrypted data buffer out passed to EVP_DecryptUpdate() should have sufficient room for (inl + cipher_block_size) bytes unless the cipher block size is 1 in which case inl bytes is sufficient.

Thus you can define it as

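 /* cipher is the const EVP_CIPHER * in use; EVP_CIPHER_block_size() is a function and must be called */
 unsigned char decryptedtext[ciphertext_len + EVP_CIPHER_block_size(cipher)];

Aside: for EVP_EncryptUpdate(), also refer to the same site.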

Upvotes: 4
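
The sizing rules from both answers, combined into one added example (not code from the question or from either answer): overflow-checked bounds for each direction, exercised on the question's message. Assumptions: `enc_buf_size`, `dec_buf_size`, `pad_only` and `roundtrip` are hypothetical names, and PKCS#7 padding alone stands in for the cipher so the block builds without libcrypto; with OpenSSL the block size would come from `EVP_CIPHER_block_size()`.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Encrypt side, padding on: PKCS#7 appends 1..block bytes, so round up to the
 * NEXT block boundary (block == 1: no padding). Returns 0 on bad size/overflow. */
int enc_buf_size(size_t in_len, size_t block, size_t *out)
{
    if (block == 0 || (block > 1 && in_len > SIZE_MAX - block)) return 0;
    *out = (block == 1) ? in_len : (in_len / block + 1) * block;
    return 1;
}

/* Decrypt side, per the documentation quoted above: inl + block size bytes,
 * or inl when the block size is 1. */
int dec_buf_size(size_t in_len, size_t block, size_t *out)
{
    if (block == 0 || (block > 1 && in_len > SIZE_MAX - block)) return 0;
    *out = (block == 1) ? in_len : in_len + block;
    return 1;
}

/* Constructed stand-in for a padded block cipher (padding only, no encryption). */
size_t pad_only(const unsigned char *in, size_t n, size_t block, unsigned char *out)
{
    size_t pad = block - n % block;
    memcpy(out, in, n);
    memset(out + n, (int)pad, pad);
    return n + pad;   /* bytes actually written, as an encryptor reports */
}

/* Size both buffers from the message instead of a constant, run the stand-in
 * forward and back, and return the recovered length (-1 on failure). */
long roundtrip(const char *msg, size_t block, size_t *ct_len)
{
    size_t n = strlen(msg), ct_cap, pt_cap;
    if (block < 2 || block > 255 || !enc_buf_size(n, block, &ct_cap)) return -1;
    if (!dec_buf_size(ct_cap, block, &pt_cap)) return -1;
    unsigned char *ct = malloc(ct_cap), *pt = malloc(pt_cap);
    long got = -1;
    if (ct && pt) {
        *ct_len = pad_only((const unsigned char *)msg, n, block, ct);
        memcpy(pt, ct, *ct_len);
        got = (long)(*ct_len - pt[*ct_len - 1]);   /* strip the padding */
        pt[got] = '\0';   /* fits: pt_cap > got, unlike an exact-size buffer */
    }
    free(pt); free(ct);
    return got;
}
```

For the 43-byte message in the question and a 16-byte block, the encrypt bound is 48 bytes and the decrypt bound is 64, which also covers the terminator the sample writes at `decryptedtext[decryptedtext_len]`.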
