openssl aes gcm encryption with authentication TAG; command line

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP


openssl aes gcm encryption with authentication TAG; command line



I'm trying to encrypt a file in AES-GCM mode with 'openssl' th/ command line


openssl enc -aes-256-gcm -p -iv 000000000000000000000000 -K 00000000000000000000000000000000000000000000000000000000000000 -nosalt -in file.raw -out file.enc`



Encryption works but I could not find a way to retrieve a resulting GCM tag.
Is there a way to get it?



In this document (link) I found "Note that it is now even possible to use authenticated mode like CCM or GCM" but still there is none info how to do that.



Or if there any other standard macos tool which could do the same job?





PS: I'm interesting in doing that through the means of commonly distributed command line tools, that's not a question about writing own utility





You're last paragraph summarises why this question is off-topic - it has nothing to do with programming. Try SuperUser.
– Luke Joshua Park
2 days ago






1 Answer
1



Note: as user dave_thompson_085 pointed out below, the results in the remainder of the answer are not relevant for current versions of OpenSSL. I was accidentally using LibreSSL openssl. Reading a current version of the OpenSSL documentation for the enc tool, it contains the following sentence


openssl


enc



The enc program does not support authenticated encryption modes like
CCM and GCM. The utility does not store or retrieve the authentication
tag.



This answers your question, I suppose -- depending on which version of OpenSSL you are using.



Original answer, obtained with LibreSSL openssl which comes with macOS:


openssl



The GCM tag is not stored in the output file when using the openssl enc app. You can see that from the following one-liner:


openssl enc


$ echo -n 'abcdefghijklmnop' | openssl enc -aes-256-gcm -K 0 -iv 0 | hexdump -C
00000000 af c5 23 59 28 06 0c 06 6e 24 ae bf d7 9d f2 68 |..#Y(...n$.....h|
00000010



The size of the output is exactly the same as the size of the input, no tag bytes anywhere.



You can also see it by inspecting the implementation enc.c. It does not do any EVP_CIPHER_CTX_ctrl() call to deal with the GCM tag, as explained in the OpenSSL Wiki page on EVP Authenticated Encryption and Decryption. In other words, he tag data is lost.


EVP_CIPHER_CTX_ctrl()



On decryption with aes-256-gcm, the tool itself ignores the absence of the tag as well. A message bad decrypt is emitted to stderr but that seems to come from a different layer than the application, which happily prints the result:


aes-256-gcm


bad decrypt


stderr


$ echo -n 'abcdefghijklmnop' | openssl enc -aes-256-gcm -K 0 -iv 0 | openssl enc -aes-256-gcm -K 0 -iv 0 -d
bad decrypt
abcdefghijklmnop





Look up at line 341 and you'll see that version (1.0.2n) gives an error message instead. Only 1.0.1 base through patch g had the buggy behavior -- at least upstream; distros may differ. Neardupe stackoverflow.com/questions/27561605/… Also see github.com/openssl/openssl/issues/471
– dave_thompson_085
2 days ago





Ah, thanks @dave_thompson_085 for pointing that out. I did not realize I was using version LibreSSL 2.3.1 when testing this. I have updated my answer.
– Reinier Torenbeek
2 days ago




LibreSSL 2.3.1





Hmm... that versioning, indeed, is really confusing. Turned out that I looked at a wrong doc. Thanks guys.
– user3124812
18 hours ago






By clicking "Post Your Answer", you acknowledge that you have read our updated terms of service, privacy policy and cookie policy, and that your continued use of the website is subject to these policies.

-

Popular posts from this blog

Keycloak server returning user_not_found error when user is already imported with LDAP

Keycloak server returning user_not_found error when user is already imported with LDAP I am currently running a keycloak server as a service in a kubernetes cluster. I can access it perfectly with the initial keycloak admin account and used it to setup a new realm using LDAP for User Federation. The connection and queries seem to work fine as a I can search for Users and they pop up with their correct username, first name, last name and e-mail so all seemed fine. When I then log out and try to log in with a normal user account that exists in the AD and has been imported I just find get the following error: WARN [org.keycloak.events] (default task-8) type=LOGIN_ERROR, realmId=master, clientId=security-admin-console, userId=null, ipAddress=<my ip>, error=user_not_found, auth_method=openid-connect, auth_type=code, redirect_uri=http://myserver.com/auth/admin/master/console/#/realms/MyRealm, code_id=a8ca7f06-dfec-4e6e-8f6b-74eb871f71da, username=myUser So it seems that in some way wh
Read more

PHP parse/syntax errors; and how to solve them?

Image
PHP parse/syntax errors; and how to solve them? Everyone runs into syntax errors. Even experienced programmers make typos. For newcomers it's just part of the learning process. However, it's often easy to interpret error messages such as: PHP Parse error: syntax error, unexpected '{' in index.php on line 20 The unexpected symbol isn't always the real culprit. But the line number gives a rough idea where to start looking. Always look at the code context . The syntax mistake often hides in the mentioned or in previous code lines . Compare your code against syntax examples from the manual. While not every case matches the other. Yet there are some general steps to solve syntax mistakes . This references summarized the common pitfalls: Unexpected T_STRING Unexpected T_VARIABLE Unexpected '$varname' (T_VARIABLE) Unexpected T_CONSTANT_ENCAPSED_STRING Unexpected T_ENCAPSED_AND_WHITESPACE Unexpected $end Unexpected T_FUNCTION… Unexpected { { Unexpected } } Unexpe
Read more

How to scale/resize CVPixelBufferRef in objective C, iOS

Image
Clash Royale CLAN TAG #URR8PPP How to scale/resize CVPixelBufferRef in objective C, iOS I am trying to resize an image from a CVPixelBufferRef to 299x299. Ideally is would also crop the image. The original pixelbuffer is 640x320, the goal is to scale/crop to 299x299 without loosing aspect ratio (crop to center). I found code to resize a UIImage in objective c, but none to resize a CVPixelBufferRef. I have found various very complicated examples of object C many different image types, but none specifically for resizing a CVPixelBufferRef. What is the easiest/best way to do this, please include the exact code. ... I tried the answer from selton, but this did not work as the resulting type in the scaled buffer is not correct (goes into assert code), OSType sourcePixelFormat = CVPixelBufferGetPixelFormatType(pixelBuffer); int doReverseChannels; if (kCVPixelFormatType_32ARGB == sourcePixelFormat) { doReverseChannels = 1; } else if (kCVPixelFormatType_32BGRA == sourcePixelFormat) {
Read more