My code:

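    /* Set up DES-CBC decryption with the given key and IV. */
    EVP_DecryptInit (&ctx, EVP_des_cbc (), key, iv);
    /* Decrypt the input; olen receives the number of bytes written. */
    if (EVP_DecryptUpdate (&ctx, outbuf, &olen, inbuff, in_length) != 1)
    {
        fprintf (stderr, "error in decrypt update\n");
        return -1;
    }
    /* Process the final block; tlen receives the number of bytes written. */
    if (EVP_DecryptFinal (&ctx, outbuf + olen, &tlen) != 1)
    {
        fprintf (stderr, "error in decrypt final\n");
        return -1;
    }
    olen += tlen;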

If my SIZE is from 10001 to 10007, then the olen is always 10008. I think it is because of padding. But even if my SIZE is 10000, the olen is still 10008. I don't understand this. Since 10000 % 8 = 0, why do we need to pad 8 more bytes? Similarly, for SIZE = 10008 to 10015, olen is 10016.

+2  A: 

There always needs to be at least one byte of padding - so this means that if your input size is an exact multiple of the block size, you'll have an entire block of padding.

The reason there needs to be at least one byte is that when the decryption operation finishes, you need to examine the padding to figure out how much to strip off. If there was no padding, then you would be examining the last bytes of data - and that might coincidentally look like padding, causing you to wrongly strip it.

caf
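
The sizes from the question and the ambiguity described in the answer, as an added example that is not part of the original post. It does not call OpenSSL: `padded_len`, `pad`, `unpad` and `recovered_len` are hypothetical helpers that model the PKCS-style padding (each pad byte holds the pad length) which OpenSSL's EVP block ciphers apply by default, and the 8-byte sample buffer is constructed.

```c
#include <stdio.h>
#include <string.h>

#define BLOCK 8  /* DES block size in bytes */

/* Output length for n plaintext bytes: always 1..BLOCK bytes of padding. */
size_t padded_len(size_t n) { return n + (BLOCK - n % BLOCK); }

/* Append padding in place; buf must have room for padded_len(n) bytes. */
size_t pad(unsigned char *buf, size_t n) {
    size_t p = BLOCK - n % BLOCK;      /* p == BLOCK when n is already aligned */
    memset(buf + n, (int)p, p);
    return n + p;
}

/* Validate and strip padding. Returns 0 and sets *out, or -1 if malformed. */
int unpad(const unsigned char *buf, size_t len, size_t *out) {
    if (len == 0 || len % BLOCK != 0) return -1;
    size_t p = buf[len - 1];           /* last byte says how much to strip */
    if (p == 0 || p > BLOCK) return -1;
    for (size_t i = len - p; i < len; i++)
        if (buf[i] != p) return -1;
    *out = len - p;
    return 0;
}

/* Constructed case: 8 data bytes whose last byte happens to be 0x01.
   Returns the length recovered when padding is skipped for aligned input
   (skip_when_aligned != 0) or always applied (skip_when_aligned == 0). */
size_t recovered_len(int skip_when_aligned) {
    unsigned char buf[2 * BLOCK] = {'A','B','C','D','E','F','G', 0x01};
    size_t n = BLOCK, out = 0;
    size_t len = skip_when_aligned ? n : pad(buf, n);
    if (unpad(buf, len, &out) != 0) return (size_t)-1;
    return out;
}

int main(void) {
    for (size_t n = 10000; n <= 10008; n += 4)
        printf("%zu -> %zu\n", n, padded_len(n));
    printf("always pad: %zu bytes back\n", recovered_len(0));
    printf("skip if aligned: %zu bytes back\n", recovered_len(1));
    return 0;
}
```

With padding skipped for aligned input, the data byte 0x01 is read as one byte of padding and the last byte of the message is lost; with the full extra block, all 8 bytes come back.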