How to do encryption using AES in Openssl

Question

I am trying to write a sample program to do AES encryption using Openssl  I tried going through Openssl documentation  it s a pain   could not figure out much  I went through the code and found the API s using which i wrote a small program as below  please omit the line numbers   I don t see any encryption happening    am i missing something   PS  I don t get any errors upon compilation     1  include  lt stdio h gt     2  include  lt openssl aes h gt       3    4 static const unsigned char key         5   0x00  0x11  0x22  0x33  0x44  0x55  0x66  0x77    6     0x88  0x99  0xaa  0xbb  0xcc  0xdd  0xee  0xff    7       0x00  0x01  0x02  0x03  0x04  0x05  0x06  0x07    8         0x08  0x09  0x0a  0x0b  0x0c  0x0d  0x0e  0x0f   9             10   11 void main    12    13     unsigned char text    virident    14     unsigned char out 10     15     unsigned char decout 10    16   17     AES KEY wctx   18   19     AES set encrypt key key  128   amp wctx    20     AES encrypt text  out   amp wctx      21   22     printf  encryp data    s n   out    23       24     AES decrypt out  decout   amp wctx    25     printf   Decrypted o p   s  n   decout    26   27   28     Please help me to figure this out

User · Answer

My suggestion is to run  openssl enc -aes-256-cbc -in plain txt -out encrypted bin   under debugger and see what exactly what it is doing  openssl c is the only real tutorial getting started reference guide OpenSSL has   All other documentation is just an API reference   U1  My guess is that you are not setting some other required options  like mode of operation  padding    U2  this is probably a duplicate of this question  AES CTR 256 Encryption Mode of operation on OpenSSL and answers there will likely help

User · Answer

I don t know what s wrong with yours but one thing for sure is you need to call AES set decrypt key   before decrypting the message  Also don t try to print out as  s because the encrypted message isn t composed by ascii characters anymore   For example   static const unsigned char key           0x00  0x11  0x22  0x33  0x44  0x55  0x66  0x77      0x88  0x99  0xaa  0xbb  0xcc  0xdd  0xee  0xff      0x00  0x01  0x02  0x03  0x04  0x05  0x06  0x07      0x08  0x09  0x0a  0x0b  0x0c  0x0d  0x0e  0x0f     int main         unsigned char text    hello world        unsigned char enc out 80       unsigned char dec out 80        AES KEY enc key  dec key       AES set encrypt key key  128   amp enc key       AES encrypt text  enc out   amp enc key              AES set decrypt key key 128  amp dec key       AES decrypt enc out  dec out   amp dec key        int i       printf  original  t        for i 0   text i   0x00 i            printf   X     text i        printf   nencrypted  t        for i 0   enc out i   0x00 i            printf   X     enc out i        printf   ndecrypted  t        for i 0   dec out i   0x00 i            printf   X     dec out i        printf   n         return 0       U1  your key is 192 bit isn t it

User · Answer

I am trying to write a sample program to do AES encryption using Openssl    This answer is kind of popular  so I m going to offer something more up-to-date since OpenSSL added some modes of operation that will probably help you   First  don t use AES encrypt and AES decrypt  They are low level and harder to use  Additionally  it s a software-only routine  and it will never use hardware acceleration  like AES-NI  Finally  its subject to endianess issues on some obscure platforms   Instead  use the EVP   interfaces  The EVP   functions use hardware acceleration  like AES-NI  if available  And it does not suffer endianess issues on obscure platforms   Second  you can use a mode like CBC  but the ciphertext will lack integrity and authenticity assurances  So you usually want a mode like EAX  CCM  or GCM   Or you manually have to apply a HMAC after the encryption under a separate key    Third  OpenSSL has a wiki page that will probably interest you  EVP Authenticated Encryption and Decryption  It uses GCM mode   Finally  here s the program to encrypt using AES GCM  The OpenSSL wiki example is based on it    include  lt openssl evp h gt   include  lt openssl aes h gt   include  lt openssl err h gt   include  lt string h gt      int main int arc  char  argv          OpenSSL add all algorithms        ERR load crypto strings                 Set up the key and iv  Do I need to say to not hard code these in a real application   -             A 256 bit key        static const unsigned char key      01234567890123456789012345678901           A 128 bit IV        static const unsigned char iv      0123456789012345           Message to be encrypted        unsigned char plaintext      The quick brown fox jumps over the lazy dog           Some additional data to be authenticated        static const unsigned char aad      Some AAD data           Buffer for ciphertext  Ensure the buffer is long enough for the        ciphertext which may be longer than the plaintext  dependant on the        algorithm and mode             unsigned char ciphertext 128           Buffer for the decrypted text        unsigned char decryptedtext 128           Buffer for the tag        unsigned char tag 16        int decryptedtext len   0  ciphertext len   0          Encrypt the plaintext        ciphertext len   encrypt plaintext  strlen plaintext   aad  strlen aad   key  iv  ciphertext  tag           Do something useful with the ciphertext here        printf  Ciphertext is  n        BIO dump fp stdout  ciphertext  ciphertext len       printf  Tag is  n        BIO dump fp stdout  tag  14           Mess with stuff           ciphertext 0     1            tag 0     1             Decrypt the ciphertext        decryptedtext len   decrypt ciphertext  ciphertext len  aad  strlen aad   tag  key  iv  decryptedtext        if decryptedtext len  lt  0                   Verify error            printf  Decrypted text failed to verify n              else                  Add a NULL terminator  We are expecting printable text            decryptedtext decryptedtext len      0               Show the decrypted text            printf  Decrypted text is  n            printf   s n   decryptedtext                 Remove error strings        ERR free strings         return 0     void handleErrors void        unsigned long errCode       printf  An error occurred n        while errCode   ERR get error                  char  err   ERR error string errCode  NULL           printf   s n   err             abort       int encrypt unsigned char  plaintext  int plaintext len  unsigned char  aad              int aad len  unsigned char  key  unsigned char  iv              unsigned char  ciphertext  unsigned char  tag        EVP CIPHER CTX  ctx   NULL      int len   0  ciphertext len   0          Create and initialise the context        if   ctx   EVP CIPHER CTX new     handleErrors            Initialise the encryption operation         if 1    EVP EncryptInit ex ctx  EVP aes 256 gcm    NULL  NULL  NULL           handleErrors            Set IV length if default 12 bytes  96 bits  is not appropriate        if 1    EVP CIPHER CTX ctrl ctx  EVP CTRL GCM SET IVLEN  16  NULL           handleErrors            Initialise key and IV        if 1    EVP EncryptInit ex ctx  NULL  NULL  key  iv   handleErrors            Provide any AAD data  This can be called zero or more times as        required             if aad  amp  amp  aad len  gt  0                if 1    EVP EncryptUpdate ctx  NULL   amp len  aad  aad len               handleErrors                  Provide the message to be encrypted  and obtain the encrypted output         EVP EncryptUpdate can be called multiple times if necessary             if plaintext                if 1    EVP EncryptUpdate ctx  ciphertext   amp len  plaintext  plaintext len               handleErrors             ciphertext len   len                Finalise the encryption  Normally ciphertext bytes may be written at        this stage  but this does not occur in GCM mode             if 1    EVP EncryptFinal ex ctx  ciphertext   len   amp len   handleErrors        ciphertext len    len          Get the tag        if 1    EVP CIPHER CTX ctrl ctx  EVP CTRL GCM GET TAG  16  tag           handleErrors            Clean up        EVP CIPHER CTX free ctx        return ciphertext len     int decrypt unsigned char  ciphertext  int ciphertext len  unsigned char  aad              int aad len  unsigned char  tag  unsigned char  key  unsigned char  iv              unsigned char  plaintext        EVP CIPHER CTX  ctx   NULL      int len   0  plaintext len   0  ret          Create and initialise the context        if   ctx   EVP CIPHER CTX new     handleErrors            Initialise the decryption operation         if  EVP DecryptInit ex ctx  EVP aes 256 gcm    NULL  NULL  NULL           handleErrors            Set IV length  Not necessary if this is 12 bytes  96 bits         if  EVP CIPHER CTX ctrl ctx  EVP CTRL GCM SET IVLEN  16  NULL           handleErrors            Initialise key and IV        if  EVP DecryptInit ex ctx  NULL  NULL  key  iv   handleErrors            Provide any AAD data  This can be called zero or more times as        required             if aad  amp  amp  aad len  gt  0                if  EVP DecryptUpdate ctx  NULL   amp len  aad  aad len               handleErrors                  Provide the message to be decrypted  and obtain the plaintext output         EVP DecryptUpdate can be called multiple times if necessary             if ciphertext                if  EVP DecryptUpdate ctx  plaintext   amp len  ciphertext  ciphertext len               handleErrors             plaintext len   len                Set expected tag value  Works in OpenSSL 1 0 1d and later        if  EVP CIPHER CTX ctrl ctx  EVP CTRL GCM SET TAG  16  tag           handleErrors            Finalise the decryption  A positive return value indicates success         anything else is a failure - the plaintext is not trustworthy              ret   EVP DecryptFinal ex ctx  plaintext   len   amp len           Clean up        EVP CIPHER CTX free ctx        if ret  gt  0                   Success            plaintext len    len          return plaintext len            else                  Verify failed            return -1

User · Answer

Check out this link it has a example code to encrypt decrypt data using AES256CBC using EVP API   https   github com saju misc blob master misc openssl aes c  Also you can check the use of AES256 CBC in a detailed open source project developed by me at https   github com llubu mpro  The code is detailed enough with comments and if you still need much explanation about the API itself i suggest check out this book Network Security with OpenSSL by Viega Messier Chandra  google it you will easily find a pdf of this    read chapter 6 which is specific to symmetric ciphers using EVP API   This helped me a lot actually understanding the reasons behind using various functions and structures of EVP   and if you want to dive deep into the Openssl crypto library  i suggest download the code from the openssl website  the version installed on your machine  and then look in the implementation of EVP and aeh api implementation   One more suggestion from the code you posted above i see you are using the api from aes h instead use EVP  Check out the reason for doing this here OpenSSL using EVP vs  algorithm API for symmetric crypto nicely explained by Daniel in one of the question asked by me

[c] How to do encryption using AES in Openssl

Examples related to c

Examples related to openssl

Examples related to aes