Hi John/List, Thanks for all the help it seems my problem is resolved.
I have to admit that I had the return value from the EVP_CIPHER_CTX_ctrl() command wrong. It is not stated what the correct values are, but I should have known it will not differ from the other EVP_CIPHER_CTX calls (one of the example code I got from the internet also used it wrong). Btw, I am not setting the IV length or AAD and the DecryptFinal() is successful. Leon Brits Senior Design Engineer Parsec Work +27 12 678 9740 Cell +27 (84) 250 2855 Email [email protected] www.parsec.co.za/disclaimer -----Original Message----- From: John Foley [mailto:[email protected]] Sent: 01 March 2013 03:13 PM To: Leon Brits Cc: [email protected] Subject: Re: Error implementing AES-GCM using EVP from OpenSSL Agreed, utilizing GCM mode is like solving a puzzle. Some documentation would be helpful. The EVP API doesn't appear to be setup for AEAD ciphers. The attached code shows one way to use the EVP API for AES-GCM mode. Hopefully this helps. On 03/01/2013 02:12 AM, Leon Brits wrote: > I am trying to add AES-GCM mode to my code which has been working for most > other modes for quite a while now. The mode is given as a parameter and I use > it for GCM mode to switch and do special stuff such as to set the AAD and > get/set the tag for AES-GCM mode. > > In the encipherment function I store the tag at the end of the ciphertext and > return a larger data size. In the decipherment function I automatically > reduce the size by 16 and use the last 16 bytes as the tag to compare. This > will be so documented for this mode in the library header. > > I've followed the advise of these two posting: > http://stackoverflow.com/questions/12153009/openssl-c-example-of-aes-g > cm-using-evp-interfaces > and > http://incog-izick.blogspot.in/2011/08/using-openssl-aes-gcm.html > > My problem is that the call to get the tag fails (EVP_CIPHER_CTX_ctrl() > returns 1) in the encipherment function. > > Can anybody shine some light on what my problem may be? (I can post > code if you want, but the referenced links contain good code already) > > I am working on Ubuntu 12.10 which has the following OpenSSL installed: > > $ openssl version -a > > OpenSSL 1.0.1 14 Mar 2012 built on: Tue Aug 21 05:18:48 UTC 2012 platform: > debian-amd64 options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) > blowfish(idx) compiler: cc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS > -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 > -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security > -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions > -Wl,-z,relro -Wa,--noexecstack -Wall -DOPENSSL_NO_TLS1_2_CLIENT > -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 > -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM > -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM > -DWHIRLPOOL_ASM -DGHASH_ASM OPENSSLDIR: "/usr/lib/ssl" > > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > Development Mailing List [email protected] > Automated List Manager [email protected] > . > ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [email protected] Automated List Manager [email protected]
