> This isn't something I've had to do personally however...

It's not something I've wanted to do...

> Popping and pushing the BIO should work provided you get it right. For this to
> work properly of course you need to change keys and IVs only after a multiple of
> the block length has been sent, otherwise data will be lost and possibly
> internal buffering could spoil your whole day due to synchronisation errors.

Yes, everything up to that point was sent in full block increments.

> In fact synchronisation may well be a problem because when using padding the
> EVP routines need to buffer a whole block on decrypt so that the block padding
> check works. So when you read data from the end BIO in the chain it will
> typically have internally buffered the next block using the current key/IV.

I've done my best to be sure that there's nothing sent or left over to be buffered. And if I remove and destroy that BIO, I'd hope that it takes any buffered data with it.

> In OpenSSL 0.9.7X you can disable padding using the EVP API, that is the
> preferred method because the internal buffering no longer occurs. You need to
> retrieve the EVP_CIPHER_CTX structure from the BIO to do that, see the 0.9.7
> manual pages for precise details.

Hmmn. Not a bad plan - I'll check into that.

--
Brian Hatch                   "You don't frighten easily."
Systems and                   "I work for Ambassador
Security Engineer              Mollari. After a while
http://www.ifokr.org/bri/      nothing bothers you."

Every message PGP signed