Is EVP_CipherFinal required?

58 views
Skip to first unread message

Stef Bon

unread,
May 29, 2026, 2:33:11 AM (3 days ago) May 29
to openssl-users
Hi,

I'm using openssl for a SSH client and server, using EVP_CIPHER_fetch, EVP_CIPHER_CTX, 
and EVP_CipherInit to init,
and EVP_CipherUpdate to encrypt and decrypt. Now the data to de/encrypt with SSH is always a multiple of the blocksize (cause the SSH protocol takes care of the padding) so is the function EVP_CipherFinal required? There are no partial blocks...

Stef

Matt Caswell

unread,
May 29, 2026, 3:53:45 AM (3 days ago) May 29
to Stef Bon, openssl-users
The effects of EVP_CipherFinal are dependent on a number of things
including the cipher, any options and the data. For example if you're
using a block cipher with padding enabled, there will always be a
final "padding" block. If you're using an AEAD cipher then it's
typically during the Final that the tag is created/verified. The
effects of NOT calling Final are undocumented.

So, basically, in some circumstances you might get away without
calling it. But if you choose to do so, you better know what you are
doing. The effects of getting it wrong could be catastrophic for
security.

Matt

>
> Stef
>
> --
> You received this message because you are subscribed to the Google Groups "openssl-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to openssl-user...@openssl.org.
> To view this discussion visit https://groups.google.com/a/openssl.org/d/msgid/openssl-users/17169225-a61f-4b2f-93ec-c62cc3666682n%40openssl.org.

Stef Bon

unread,
May 29, 2026, 7:13:11 AM (2 days ago) May 29
to openssl-users, Matt Caswell, openssl-users, Stef Bon
Hi,



Op vrijdag 29 mei 2026 om 09:53:45 UTC+2 schreef Matt Caswell:


The effects of EVP_CipherFinal are dependent on a number of things
including the cipher, any options and the data. For example if you're
using a block cipher with padding enabled, there will always be a
final "padding" block. If you're using an AEAD cipher then it's
typically during the Final that the tag is created/verified. The
effects of NOT calling Final are undocumented.

So, basically, in some circumstances you might get away without
calling it. But if you choose to do so, you better know what you are
doing. The effects of getting it wrong could be catastrophic for
security.

Ok, I'm using (AES-256-CTR, HMAC-SHA256) and CHACHA20...@openssh.com for now. 
As I see it the first does not AEAD and extra padding, and for the second I cannot oversee this at this moment. It's pretty complicated with two ciphers, and a special
construction using poly1305 for checking the tag.

Thanks for your answer,

Stef

Reply all
Reply to author
Forward
0 new messages