
I'm working on an application that needs to use mbedtls to decrypt a file that was encrypted by openssl. Currently, the decryption is not working. After investigation I've found that I cannot create the same encrypted file by using the two frameworks. What is the difference between the two encryption approaches?

Openssl:

```
-> ✗ cat message
hello world

-> ✗ openssl aes-256-ecb -nosalt -K 6261757363680000000000000000000000000000000000000000000000000000 -in message -out koekoek.bin

-> ✗ xxd koekoek.bin
00000000: 68e1 1f1e 8397 a33e ddea 5c4d 3192 11ab  h......>..\M1...
```

MbedTLS:

```
(gdb) p (void)memset(decrypt_output, 0, 16)
$63 = void
(gdb) p sprintf(decrypt_output, "hello world")
$64 = 11
(gdb) p/x key
$65 = {0x62, 0x61, 0x75, 0x73, 0x63, 0x68, 0x0 <repeats 26 times>}
(gdb) p mbedtls_aes_setkey_enc(&aes, key, 256)
$66 = 0
(gdb) p mbedtls_aes_crypt_ecb(&aes, MBEDTLS_AES_ENCRYPT, decrypt_output, decrypt_output)
$67 = 0
(gdb) p/x decrypt_output
$68 = {0x1b, 0x7c, 0x4d, 0x41, 0xaf, 0xa4, 0x65, 0x7f, 0x56, 0x39, 0x95, 0x2a, 0x21, 0x32, 0x10, 0xab}
(gdb)
```
user1104939

The data (file) you encrypted in `openssl` contained the characters `h e l l o sp w o r l d` AND A **NEWLINE, PLUS** by default `openssl enc` adds PKCS5/7 **PADDING** to the block boundary (in this case 4 bytes containing 04). You need to make the data _exactly_ the same. PS: for a key like this you can say `openssl enc -K 626175636368` and it zero-pads; OTOH you shouldn't be using a very-low-entropy key like this in the first place. – dave_thompson_085 Sep 11 '21 at 10:36

Not very explicit in Dave's comment, but `mbed_tls` doesn't pad by default, while `openssl` CLI does use PKCS#7 compatible padding by default. So you'll have to perform the padding in `mbed_tls`. – Maarten Bodewes Sep 12 '21 at 11:18

1 Answer

The following openssl command produces the same result as your mbedtls script:

```
echo -ne "hello world\0\0\0\0\0" | openssl aes-256-ecb -nopad -K 6261757363680000000000000000000000000000000000000000000000000000 | xxd -p
```

produces:

```
1b7c4d41afa4657f5639952a213210ab
```

Note that the input string is padded up to 16 characters in length (i.e. the length of one AES block) using null (\0) characters, to match what mbedtls does by default (the -e option is needed with echo to allow null characters in the input). Also, the -n option is used with echo so that echo does not append a newline character to the input. Finally, the -nopad option is used with the openssl command, so that openssl does not add an additional block of pkcs#7 padding.

mti2935
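
Added example, not part of the original answer or comments: a C sketch of the PKCS#7 handling the comments say the caller must do around raw `mbedtls_aes_crypt_ecb`, which also shows why the two tools encrypted different 16-byte blocks. The helper names `pkcs7_pad`, `pkcs7_unpad` and `blocks_differ` are hypothetical, and the sample blocks are constructed from the inputs shown in the question.

```c
#include <stdio.h>
#include <string.h>

#define AES_BLOCK 16

/* Hypothetical helper: append PKCS#7 padding in place (buf has room for cap bytes).
 * Returns the padded length (a multiple of 16), or 0 if cap is too small. */
size_t pkcs7_pad(unsigned char *buf, size_t len, size_t cap)
{
    size_t pad = AES_BLOCK - (len % AES_BLOCK);   /* 1..16, never 0 */
    if (len + pad > cap)
        return 0;
    memset(buf + len, (int)pad, pad);
    return len + pad;
}

/* Hypothetical helper: validate PKCS#7 padding on decrypted data.
 * Returns the plaintext length, or -1 if the padding is malformed. */
long pkcs7_unpad(const unsigned char *buf, size_t len)
{
    if (len == 0 || len % AES_BLOCK != 0)
        return -1;
    unsigned char pad = buf[len - 1];
    if (pad == 0 || pad > AES_BLOCK)
        return -1;
    for (size_t i = len - pad; i < len; i++)
        if (buf[i] != pad)
            return -1;
    return (long)(len - pad);
}

/* Constructed samples: openssl saw the file "hello world\n" plus 04 04 04 04,
 * the gdb session fed mbedtls "hello world" plus five 00 bytes. */
int blocks_differ(void)
{
    unsigned char ossl[AES_BLOCK] = "hello world\n";
    unsigned char mbed[AES_BLOCK] = "hello world";
    size_t n = pkcs7_pad(ossl, 12, sizeof ossl);
    return n == AES_BLOCK && memcmp(ossl, mbed, AES_BLOCK) != 0;
}

int main(void)
{
    printf("plaintext blocks differ: %d\n", blocks_differ());
    return 0;
}
```

When decrypting the openssl output, run `mbedtls_aes_crypt_ecb` with `MBEDTLS_AES_DECRYPT` on each 16-byte block first, then pass the result to `pkcs7_unpad`; the recovered length includes the trailing newline from the file.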