When encrypting using the 'openssl cms -encrypt -aes-256-gcm' command an all-zero IV is used; this breaks any guarantees provided by the GCM mode (see NIST Special Publication 800-38D).

Version tested: openssl 1.0.2d on linux x86_64.

Example:

openssl cms -encrypt -in message.txt -out encrypted-openssl-aes-256-gcm.msg -recip user1_no_cn.pem -aes-256-gcm

When looking at the ASN.1 for the contentEncryptionAlgorithm we get:

SEQUENCE (2 elem)
  OBJECT IDENTIFIER 2.16.840.1.101.3.4.1.46
  OCTET STRING (12 byte) 000000000000000000000000   <-- This is the IV

Expectation:
- If AES-GCM is not supported by the 'openssl cms' command (there is no clear RFC for it when generating enveloped data; RFC 5084 is for authenticated enveloped data), the command should show an error.
- If AES-GCM is supported, it should generate a random IV.
Attachment: encrypted-openssl-aes-256-gcm.msg (Binary data)
_______________________________________________ openssl-bugs-mod mailing list openssl-bugs-...@openssl.org https://mta.openssl.org/mailman/listinfo/openssl-bugs-mod
_______________________________________________ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev