Commit f8547f62c212837dbf44fb7e2755e5774a59a57b (documented in 9e8b6f042749ded556380227c9f2db7ffad9a3aa) changed the default digest for the 'enc' utility from MD5 to SHA256.
While I do strongly encourage getting away from MD5, this has the unfortunate side effect of silently breaking existing data. An old encrypted file would be generated with MD5 as the digest used on the passphrase. Then, if you tried to decrypt it on a new version of OpenSSL, which defaults to SHA256, you'd get just garbage output.

This recently bit me when trying to decrypt Amanda backups:
https://github.com/zmanda/amanda/blob/8136c076757d2e54fa7d4df15f002187823d8787/common-src/amcrypt-ossl.sh#L81
https://github.com/zmanda/amanda/blob/8136c076757d2e54fa7d4df15f002187823d8787/common-src/amcrypt-ossl-asym.sh#L134
(yes, I'm aware that the asym variant also passes in -nosalt).

This happens because there is no metadata that conveys what parameters were used during encryption. Unless you happen to know exactly which version of OpenSSL was used, and what parameters, you risk getting garbage data back. This can also happen already when the ciphers are mismatched between encryption & decryption.

The -salt option already sets a precedent for adding a header with the salt data, and I'd like to extend that, to improve backwards compatibility.

1. Encrypted data should include a header block that OPTIONALLY specifies each of:
   - cipher & parameters (e.g. salt, padding)
   - key derivation function & parameters (MD)
1.1. Some users might want to leave the fields empty, to increase security by obscurity.
1.2. This also opens the path to stronger key derivation (PBKDF2).
2. During decryption, if no header block is present, and no message digest was specified, the default digest SHOULD be MD5.

--
Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation Asst. Treasurer
E-Mail   : robb...@gentoo.org
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136
-- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
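The following is an added example, not code from the original post and not OpenSSL's own implementation. It shows the mechanism behind the breakage the mail describes: `openssl enc` derives key and IV from the passphrase with EVP_BytesToKey (count 1), so the same passphrase and salt give different keys under MD5 and SHA256, and the only on-disk metadata today is the `Salted__` magic plus 8-byte salt. It then sketches the proposal: a header block with optional cipher, digest and salt fields, and a digest-selection rule that falls back to MD5 when nothing else says otherwise. The `OSSLHDR1` magic and TLV layout are hypothetical, invented here for illustration; the treatment of a header that is present but omits the digest field (fall back to MD5, as the mail's point 1.1 allows empty fields) is the editor's reading of point 2, not something the mail spells out.

```python
"""Added example: EVP_BytesToKey under both digests, the real `Salted__` header,
and a hypothetical parameter header implementing the mail's proposal."""
import hashlib
import struct

SALTED_MAGIC = b"Salted__"      # real `openssl enc -salt` layout: magic + 8-byte salt
PROPOSED_MAGIC = b"OSSLHDR1"    # hypothetical; not an OpenSSL format
_T_CIPHER, _T_DIGEST, _T_SALT = 1, 2, 3
_NAMES = {_T_CIPHER: "cipher", _T_DIGEST: "digest", _T_SALT: "salt"}


def evp_bytes_to_key(password, salt, key_len, iv_len, digest="md5"):
    """EVP_BytesToKey with count=1, as `openssl enc` uses it:
    D_1 = H(pw || salt), D_i = H(D_{i-1} || pw || salt), key || iv = D_1 || D_2 || ...
    Only the digest name changed between the old (md5) and new (sha256) defaults,
    so the same password and salt derive a different key and IV."""
    if len(salt) not in (0, 8):
        raise ValueError("salt must be empty (-nosalt) or exactly 8 bytes")
    out, prev = b"", b""
    while len(out) < key_len + iv_len:
        prev = hashlib.new(digest, prev + password + salt).digest()
        out += prev
    return out[:key_len], out[key_len:key_len + iv_len]


def parse_salted_header(blob):
    """Split a `Salted__` file into (salt, ciphertext).
    A -nosalt file carries no header at all, so the salt comes back empty."""
    if blob.startswith(SALTED_MAGIC) and len(blob) >= 16:
        return blob[8:16], blob[16:]
    return b"", blob


def build_proposed_header(cipher=None, digest=None, salt=None):
    """Hypothetical header block: each field is optional (mail points 1 and 1.1).
    Layout: magic | u16 body length | repeated (u8 tag | u16 length | value)."""
    body = b""
    for tag, val in ((_T_CIPHER, cipher), (_T_DIGEST, digest), (_T_SALT, salt)):
        if val is not None:
            v = val if isinstance(val, bytes) else val.encode()
            body += struct.pack(">BH", tag, len(v)) + v
    return PROPOSED_MAGIC + struct.pack(">H", len(body)) + body


def parse_proposed_header(blob):
    """Return ({field: value}, remainder); ({}, blob) when no header is present."""
    if not blob.startswith(PROPOSED_MAGIC) or len(blob) < 10:
        return {}, blob
    (n,) = struct.unpack(">H", blob[8:10])
    body, rest = blob[10:10 + n], blob[10 + n:]
    fields, i = {}, 0
    while i + 3 <= len(body):
        tag, ln = struct.unpack(">BH", body[i:i + 3])
        val = body[i + 3:i + 3 + ln]
        fields[_NAMES[tag]] = val if tag == _T_SALT else val.decode()
        i += 3 + ln
    return fields, rest


def select_digest(header_fields, requested_md=None):
    """Mail point 2: an explicit -md wins; else the header's digest; else md5,
    the pre-f8547f6 default, so old files keep decrypting."""
    if requested_md:
        return requested_md
    return header_fields.get("digest", "md5")


def derive_for_file(blob, password, key_len=32, iv_len=16, requested_md=None):
    """Put the pieces together: strip a proposed header if present, otherwise a
    `Salted__` header, pick the digest, and derive key and IV for the ciphertext."""
    fields, rest = parse_proposed_header(blob)
    if fields or rest is not blob:
        salt, ciphertext = fields.get("salt", b""), rest
    else:
        salt, ciphertext = parse_salted_header(blob)
    digest = select_digest(fields, requested_md)
    key, iv = evp_bytes_to_key(password, salt, key_len, iv_len, digest)
    return digest, key, iv, ciphertext
```

Running `derive_for_file` on a plain `Salted__` blob with no `-md` yields an MD5-derived key, which is what a file written by an older `openssl enc` needs; the same blob under today's default would be keyed with SHA256 and decrypt to garbage.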