On 27 May 2014 08:00, Anant Rao <a...@noknok.com> wrote:

> When I tried to decrypt it using OpenSSL in a 'c' program, the last call
> 'EVP_DecryptFinal_ex' fails. Somehow, ERR_print_errors_fp is not printing
> anything either.

If EVP_DecryptFinal_ex fails with GCM then this means that the tag has
failed to verify.

>
> I do have the IV that is used in the Java's encrypt. However, I don't know
> where BC stores the tag in the ciphertext. I tried it at the beginning and
> the end of the ciphertext, but it didn't help.
>
> That is, I tried both of the following in the decrypt:
>
> |IV|TAG|Ciphertext
>
> |IV|Ciphertext|TAG
> Both didn't work.

According to the documentation for javax.crypto.Cipher it says:
"Modes such as Authenticated Encryption with Associated Data (AEAD)
provide authenticity assurances for both confidential data and
Additional Associated Data (AAD) that is not encrypted. (Please see
RFC 5116 for more information on AEAD and AEAD algorithms such as
GCM/CCM.) Both confidential and AAD data can be used when calculating
the authentication tag (similar to a Mac). This tag is appended to the
ciphertext during encryption, and is verified on decryption."

>
> I tried both of the following as well with the same failure:
> EVP_aes_256_gcm
> EVP_aes_128_gcm
>
> I have run out of ideas what else to try. Any help would be greatly
> appreciated.

Make sure that the tag length that BouncyCastle is using is the same
as the tag length that openssl is using.

> <http://git.openssl.org/gitweb/?p=openssl.git;a=blob;f=demos/evp/aesgcm.c;h=324d8a55b1481c507c7754fa7f33c30a02bdb737;hb=HEAD#l63>
>  /* Finalise: note get no output for GCM */
>         EVP_EncryptFinal_ex(ctx, outbuf, &outlen);
> ...
>
> What does this mean? That we shouldn't expect any output from this call
> and/or that we should ignore it?

The openssl API is designed to work with all types of modes. In some
modes (such as CBC) output is only emitted a whole block at a time.
Therefore sometimes in the call to EVP_EncryptFinal_ex you get some
extra data added to outbuf. In GCM mode this is not the case, so no
additional data will be added to outbuf - but you still need to call
EVP_EncryptFinal_ex.

Matt
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org