[openssl-users] AES-GCM failing from Command Line Interface

Matt Caswell matt at openssl.org
Tue Feb 10 15:43:26 UTC 2015



On 10/02/15 15:31, Sec_Aficionado wrote:
> Matt,
> 
> Thanks for keeping me honest! I see it now, but I totally missed it before. I must have just played with the cli and not read the full page.
> 
> Can you please confirm that EVP is the way to go? I'll create my own little PHP extension since I only need a very specific action.

Yes. EVP is the correct way to use GCM.

See:

http://wiki.openssl.org/index.php/EVP_Authenticated_Encryption_and_Decryption

and

https://www.openssl.org/docs/crypto/EVP_EncryptInit.html#gcm_and_ocb_modes

Note the docs on the website are for 1.1.0 (unreleased) and are subtly
different to 1.0.2/1.0.1. In particular they use the newly introduced
AEAD flags instead of mode-specific ones. So where the docs talk about:
EVP_CTRL_AEAD_SET_IVLEN
EVP_CTRL_AEAD_GET_TAG
EVP_CTRL_AEAD_SET_TAG

You should instead use the GCM-specific versions:
EVP_CTRL_GCM_SET_IVLEN
EVP_CTRL_GCM_GET_TAG
EVP_CTRL_GCM_SET_TAG

These will still work when 1.1.0 is released.

Matt

