On 10/02/15 15:31, Sec_Aficionado wrote:
> Matt,
>
> Thanks for keeping me honest! I see it now, but I totally missed it before. I must have just played with the cli and not read the full page.
>
> Can you please confirm that EVP is the way to go? I'll create my own little PHP extension since I only need a very specific action.

Yes. EVP is the correct way to use GCM. See:

http://wiki.openssl.org/index.php/EVP_Authenticated_Encryption_and_Decryption

and

https://www.openssl.org/docs/crypto/EVP_EncryptInit.html#gcm_and_ocb_modes

Note the docs on the website are for 1.1.0 (unreleased) and are subtly different to 1.0.2/1.0.1. In particular they use the newly introduced AEAD flags instead of mode specific ones. So where the docs talk about:

EVP_CTRL_AEAD_SET_IVLEN
EVP_CTRL_AEAD_GET_TAG
EVP_CTRL_AEAD_SET_TAG

You should instead use the GCM specific versions:

EVP_CTRL_GCM_SET_IVLEN
EVP_CTRL_GCM_GET_TAG
EVP_CTRL_GCM_SET_TAG

These will still work when 1.1.0 is released.

Matt