openssl/openssl

salt missing from encrypted output (regression)

Open

#22,057 建立於 2023年9月11日

在 GitHub 查看
 (3 留言) (0 反應) (0 負責人)C (11,262 fork)batch import
backlog fixhelp wantedresolved: not a bugtriaged: feature

倉庫指標

Star
 (30,157 star)
PR 合併指標
 (30 天內沒有已合併 PR)

描述

SALT=aabbccddeeff0011
echo raininspain | openssl enc -aes256 -pbkdf2 -pass pass:hello -S $SALT > crypt.bin
openssl enc -aes256 -pbkdf2 -pass pass:hello -d -in crypt.bin 
# bad magic number

It's unmagical because the salt is no longer included in the encrypted output. Decryption is still possible, but only if the salt that was used is specified on the command line:

openssl enc -aes256 -pbkdf2 -pass pass:hello -d -in crypt.bin -S $SALT
# raininspain

However, that is not how a salt is supposed to work. A salt is a salt, not a second password that needs to be recorded or remembered. The salt should always be included in the encrypted output. That is how it worked in earlier versions of openssl (and how it still works in the case of a random salt).

The manual workaround, if anyone needs it, is to prefix 16 bytes to the output, with the second 16 bytes being the salt:

((echo -n Salted__|xxd -p; echo $SALT)|xxd -p -r; cat crypt.bin) > crypt-salt.bin

Decryption then works as it should, without needing to specify the salt:

openssl enc -aes256 -pbkdf2 -pass pass:hello -d -in crypt-salt.bin
# raininspain

For openssl, the fix is the same, i.e., prepend "Salted__" and the salt, whether the salt is random or specified on the command line. That is what it used to do.

openssl version
# OpenSSL 3.1.2 1 Aug 2023 (Library: OpenSSL 3.1.2 1 Aug 2023)

Related: #19730

貢獻者指南