https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=234028
--- Comment #6 from Conrad Meyer <c...@freebsd.org> ---
(In reply to bc979 from comment #5)
> However, I point out that the -md parameter is not documented in the man page
> for enc on 11.1 or earlier.

Yep.  It's mentioned, but usage and default are totally undocumented (and on
11.2 as well).

$ openssl enc -h
unknown option '-h'
...
-md            the next argument is the md to use to create a key
                 from a passphrase.  One of md2, md5, sha or sha1

Helpfully, none of the *listed* options in 1.0.2o enc are the 1.1.0 default
(sha256). /s  However, '-md sha256' can be provided manually and seems to
decode correctly on 12.

NAME
       openssl-enc, enc - symmetric cipher routines

SYNOPSIS
       openssl enc -ciphername [-in filename] [-out filename] [-pass arg] [-e]
       [-d] [-a/-base64] [-A] [-k password] [-kfile filename] [-K key] [-iv
       IV] [-S salt] [-salt] [-nosalt] [-z] [-md] [-p] [-P] [-bufsize number]
                                             ^^^
(-md not documented anywhere else in the page)

Generating gibberish makes sense, unfortunately — enc has no way of knowing
that the wrong KDF function was used to turn password into key, and AES-256-CBC
does not have any sort of integrity MAC to verify the correct key was used.  So
you get gibberish.  I suspect the only reason a bad decrypt was noticed in my
(short) input was that the final padding byte(s) didn't match up with PKCS
expectations.  You might see the same message (but only at the very end of the
"decrypted" contents).
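
Added example, not part of the original comment and not OpenSSL's own code: a Python sketch of the password-to-key step that `openssl enc` performs (EVP_BytesToKey with one iteration), run with md5 (one of the digests the 1.0.2o help lists) and with sha256 (the 1.1.0 default named above), plus the PKCS padding test that is the only signal of a wrong key. The password, salt and sample blob are constructed; AES-256-CBC key and IV sizes (32 and 16 bytes) and a raw, non-base64 input file are assumed.

```python
import hashlib

MAGIC = b"Salted__"  # 8-byte header `openssl enc` writes before the 8-byte salt


def evp_bytes_to_key(password, salt, digest, key_len=32, iv_len=16):
    """EVP_BytesToKey with count=1: D_i = H(D_{i-1} || password || salt)."""
    material, block = b"", b""
    while len(material) < key_len + iv_len:
        block = hashlib.new(digest, block + password + salt).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]


def split_salted(blob):
    """Return (salt, ciphertext) from a raw salted enc output file."""
    if blob[:8] != MAGIC or len(blob) < 16:
        raise ValueError("no Salted__ header")
    return blob[8:16], blob[16:]


def pkcs7_ok(plaintext, block_size=16):
    """The only check CBC decryption can make: is the trailing padding valid?"""
    if not plaintext or len(plaintext) % block_size:
        return False
    n = plaintext[-1]
    return 1 <= n <= block_size and plaintext.endswith(bytes([n]) * n)


def candidate_keys(blob, password, digests=("md5", "sha256")):
    """Derive the (key, iv) pair each -md choice would produce for this file."""
    salt, _ = split_salted(blob)
    return {d: evp_bytes_to_key(password, salt, d) for d in digests}


# Constructed sample: header, fixed salt, 32 placeholder ciphertext bytes.
SAMPLE = MAGIC + bytes.fromhex("0102030405060708") + bytes(32)

if __name__ == "__main__":
    for name, (key, iv) in candidate_keys(SAMPLE, b"secret").items():
        print(f"-md {name:7} key={key.hex()} iv={iv.hex()}")
    # Nothing in the file records which digest was used, so both keys look
    # equally plausible; a wrong one yields garbage that is rejected only if
    # the final block happens to fail the padding check.
    print(pkcs7_ok(b"A" * 15 + b"\x01"), pkcs7_ok(b"A" * 16))
```

The two derived keys share no structure, which is why a file written by one version decrypts to gibberish under the other's default until the matching `-md` is passed.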