[xmlsec] problem encrypting / decrypting content of an empty element

Tomas Sieger tomas.sieger at systinet.com
Mon Feb 9 02:39:18 PST 2004 

Hi all,
  I've discovered a decryption problem (and no relevant discussion / 
solution):

When one has encrypted an empty element (e.g. <a/>) using 
encrypt-element-content type (xmlSecTypeEncContent), and then tries to 
decrypt it back, the decryption process fails.

The problem is the buffer holding the decrypted data is empty (it's ok - 
the content of the element having been encypted was empty, too). 
However, even the buffer is empty, the xmlSecReplaceNodeBuffer() 
function is called to replace the <EncryptedData> node with the result 
of the decryption = buffer (which is empty), and the 
xmlSecReplaceNodeBuffer() function asserts on non-empty buffer.

See xmlenc.c, about line 605.

My question is: is this behaviour intentional?
Don't you want to encrypt empty elements as encrypt-element-content :-)?

If you'll find my notice "legal", you would take a look at the patch 
being attached.

best regards,
  Tomas Sieger
-------------- next part --------------
--- xmlenc.c.orig	Mon Feb  9 11:11:04 2004
+++ xmlenc.c	Mon Feb  9 11:16:22 2004
@@ -601,17 +601,24 @@
 	}
 	encCtx->resultReplaced = 1;			       
     } else if((encCtx->type != NULL) && xmlStrEqual(encCtx->type, xmlSecTypeEncContent)) {
-	/* replace the node with the buffer */
-	ret = xmlSecReplaceNodeBuffer(node, xmlSecBufferGetData(buffer), xmlSecBufferGetSize(buffer));
-	if(ret < 0) {
-	    xmlSecError(XMLSEC_ERRORS_HERE,
-			NULL,
-			"xmlSecReplaceNodeBuffer",
-			XMLSEC_ERRORS_R_XMLSEC_FAILED,
-			"node=%s",
-			xmlSecErrorsSafeString(xmlSecNodeGetName(node)));
-	    return(-1);	    	
-	}	
+        /* replace the node with the buffer */
+        if (xmlSecBufferGetSize(buffer) == 0) {
+            /* the buffer is empty (because the element content being encrypted was empty, too);
+             * simply remove the <EncryptedData/> node since there is nothing to replace it */
+            xmlUnlinkNode(node);
+            xmlFreeNode(node);
+        } else {
+            ret = xmlSecReplaceNodeBuffer(node, xmlSecBufferGetData(buffer), xmlSecBufferGetSize(buffer));
+            if(ret < 0) {
+                xmlSecError(XMLSEC_ERRORS_HERE,
+                            NULL,
+                            "xmlSecReplaceNodeBuffer",
+                            XMLSEC_ERRORS_R_XMLSEC_FAILED,
+                            "node=%s",
+                            xmlSecErrorsSafeString(xmlSecNodeGetName(node)));
+                return(-1);
+            }
+        }
 	encCtx->resultReplaced = 1;			       
     }
     return(0);

More information about the xmlsec mailing list