kernc/myba

Use `openssl cms -aes-256-gcm-siv`

Open

#5 opened on Mar 27, 2026

View on GitHub
 (0 comments) (0 reactions) (0 assignees)Shell (2 forks)github user discovery
enhancementgood first issuehelp wanted

Repository metrics

Stars
 (6 stars)
PR merge metrics
 (PR metrics pending)

Description

Use cipher algorithm AES-256-GCM-SIV that does authentication over AES-256-CTR that doesn't.

See also: https://github.com/openssl/openssl/issues/12220 https://github.com/openssl/openssl/issues/12220#issuecomment-1237509811 https://github.com/openssl/openssl/issues/24421 https://github.com/openssl/openssl/discussions/22269

https://github.com/openssl/openssl/issues/28607 https://github.com/openssl/openssl/commit/86344acb02eb3718b0491b9915846667c55c95ff

Demo:

echo "test content" > test_cms.txt
key=000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
# NOTE: aes-256-gcm != aes-256-gcm-siv  # https://www.reddit.com/r/crypto/comments/giw4wz/comment/fqi1wbh/
#       We would want to use the latter!
openssl cms -encrypt -binary -aes-256-gcm -secretkey $key -secretkeyid 1234 -in test_cms.txt -out test_cms.enc
openssl cms -decrypt -binary -secretkey $key -secretkeyid 1234 -in test_cms.enc
rm -f test_cms.txt test_cms.enc

Contributor guide