Join Log in
Score:4
RocketNuts avatar Crypto

OpenSSL AES-GCM says 'bad decrypt', other block modes work fine?

vn flag
RocketNuts

If I do a simple encrypt and decrypt test like so:

echo 'Hello World' | \
openssl enc -aes-128-cbc -pass pass:SeCrEt | \
openssl enc -d -aes-128-cbc -pass pass:SeCrEt

It works fine, it correctly outputs 'Hello World'.

However when I change the blockmode to gcm and keep everything else the same:

echo 'Hello World' | \
openssl enc -aes-128-gcm -pass pass:SeCrEt | \
openssl enc -d -aes-128-gcm -pass pass:SeCrEt

I'm now getting:

Hello World
bad decrypt

Note the 'bad decrypt', even though it still shows the correct decrypted result.

I've also tried other block modes, they all work fine except GCM. Also changing the key size to 192 or 256 makes no difference. Also adding other parameters (like explicitly specifying -salt or -pbkdf2 or e.d. -iter 1000 or -md sha512) make no difference.

Am I doing something wrong, or am I misunderstanding how aes-128/192/256-gcm is supposed to work?

(edit) regarding @mentallurg's response, I've also tried using files instead of pipes:

echo 'Hello World' > plain.txt
openssl enc -aes-128-gcm -pass pass:SeCrEt -in plain.txt -out cipher.bin
openssl enc -d -aes-128-gcm -pass pass:SeCrEt -in cipher.bin -out decrypted.txt

The latter also gives 'bad decrypt'. Note that decrypted.txt is created with the correct contents.

1409
2 + 0
gcm
Score:6
avatar Crypto
kr flag
mentallurg

I assume you are using LibreSSL. It may have problem with GCM validation because of pipes. Don't use pipes. Put the text to encrypt to the file. Save encryption result to file, see option -out. For decryption use also files.

This is a known bug in LibreSSL, which is known since 2015 and is still not fixed.

I have checked it and see the same problem with Libre 3.6.1. For GCM mode decryption works correctly and only superfluous message "bad decrypt" is displayed. For CCM mode decryption does not work at all and only message "bad decrypt" is displayed. I suppose, LibreSSL has problems with authenticated encryption.

+ 4
RocketNuts avatar
vn flag
RocketNuts
Thanks, yes indeed, `openssl version` says "LibreSSL 3.6.1". Note that using files instead of pipes didn't make a difference, see edit above.
0
Reply
kr flag
mentallurg
@RocketNuts: See update. This is a bug in LibreSSL.
1
Reply
Matt Caswell avatar
th flag
Matt Caswell
Effectively, IIUC, LibreSSL does not support AEAD ciphers with enc any more than standard OpenSSL does. The primary difference being that LibreSSL attempts to use them and fails, but standard OpenSSL refuses to use them and prints an error message. My understanding from the bug report is that the GCM decryption in LibreSSL does not validate the authentication tag, but decrypts the data anyway. This defeats the whole point of using GCM mode over simply CTR (or similar) since it means you cannot trust the decrypted output (it may have been modified by an attacker).
0
Reply
kr flag
mentallurg
@MattCaswell: 1) Exactly. *Formally* it does support, but *effectively* (because of the bug) doesn't. In case of pipes in a single command line it is understandable. This is reason why OpenSSL refuses to implement it. But for files it is technically possible to implement. That's why I see that as an implementation bug. 2) For CCM even decryption does not work. This is also a bug.
0
Reply
Score:4
Matt Caswell avatar Crypto
th flag
Matt Caswell

The openssl enc command does not support GCM or any other AEAD mode. All recent versions of openssl will complain if you attempt to do this:

$ echo 'Hello World' | openssl enc -aes-128-gcm -pass pass:SeCrEt
enc: AEAD ciphers not supported
enc: Use -help for summary.
$ openssl version
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)

The man page says this:

This command does not support authenticated encryption modes like CCM and GCM, and will not support such modes in the future.

https://www.openssl.org/docs/man3.0/man1/openssl-enc.html

Some old (and out of support) versions of openssl just silently failed when you attempted to use AEAD modes instead of giving the AEAD ciphers not supported error message.

+ 3
kr flag
mentallurg
There are different versions of openssl. The standard one works as you describe. The one from LibreSSL supports also GCM.
0
Reply
jp flag
Andrew Savinykh
@mentallurg the github thread you linked in your answer states `attempting to use openssl(1) with any GCM algorithms is futile since there is no way to retrieve or provide the authentication tag via the command line, hence the "bad decrypt" messages.` This wording implies the opposite of "one from LibreSSL supports also GCM" you might want to double check that.
0
Reply
kr flag
mentallurg
@AndrewSavinykh: No, this only confirms my words. There is difference between "supports" and "has implementation bugs". The standard openssl does not support GCM. If you call it with CGM, it will show a message that this algorithm is unknown. Whereas LibreSSL officially supports GCM. But in reality it works only partially. For GCM it encrypts and decrypts correctly, but seems to have problem with validation. For CCM encryption works, but decryption fails, and again message "bad decrypt" is displayed.
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.