Join GitHub today
GitHub is home to over 36 million developers working together to host and review code, manage projects, and build software together.Sign up
Ensures that EVP encryption & decryption operations check the encrypt flag on the context. #172
I'm new to this codebase, so sorry if I made any style mistakes. Also, I have a couple questions:
I believe EVP should make it hard to shoot yourself in the foot, so this change ensures that a user cannot accidentally decrypt data with an encryption context or vice-versa. For example, without the check, if an encryption context is used to decrypt EVP_aes_256_gcm encrypted data, the code will fail to validate the TAG.
Example code availabe at: http://quaxio.com/wtf/openssl_wtf.html
Please don't close issues if they still persist.
See for instance the question on SO in the next URL to see that this causes issues.
The routines are currently ignoring the fail fast and least surprise design principles. Please fix.
referenced this pull request
Dec 9, 2018
@alokmenghrajani Thank you for initially proposing the code. But your PR consists of code to fix an issue, correct? It doesn't offer any other functionality but to correctly report an error if the API is misused. Otherwise you would have posted "thank you for eventually applying the PR ;). Anyway, fixed is fixed.
Hmmm, it's true that I didn't refer back to you, @alokmenghrajani, in my remake of this PR. I was a bit exasperated and actually started from scratch, 'cause I thought enough must have changed in master that this PR couldn't be picked cleanly. So yeah, not mentioning you wasn't very courteous of me, and for that I'm sorry.