Hello, > So what you are saying is that if I encrypt a file with a password > according to my interpretation of PKCS#5/PBKDF2, then it might not > decrypt properly (with the same password) using the command-line openssl > function? Yes, this function internally looks like PBKDF2 and is used in a similar way, but there are some differences. Under some circumstances it may be compatible with PBKDF1 - but I didn't check this. You can check this with the attached example. (The CIPHER parameter is used only to get the key/IV size.)
Best regards, -- Marek Marcola <[EMAIL PROTECTED]>
#include <string.h> #include <openssl/x509.h> #include <openssl/evp.h> #include <openssl/hmac.h> int print_hex(unsigned char *buf, int len) { int i; int n; for(i=0,n=0;i<len;i++){ if(n > 7){ printf("\n"); n = 0; } printf("0x%02x, ",buf[i]); n++; } printf("\n"); return(0); } int main() { char *pass = "password"; char *salt = "12340000"; int ic = 1; unsigned char buf[1024]; ic = 1; PKCS5_PBKDF2_HMAC_SHA1(pass, strlen(pass), (unsigned char*)salt, strlen(salt), ic, 32+16, buf); printf("PKCS5_PBKDF2_HMAC_SHA1(\"%s\", \"%s\", %d)=\n", pass, salt, ic); print_hex(buf, 32+16); ic = 1; EVP_BytesToKey(EVP_aes_256_cbc(), EVP_sha1(), (unsigned char*)salt, (unsigned char*)pass, strlen(pass), ic, buf, buf+32); printf("EVP_BytesToKey(\"%s\", \"%s\", %d)=\n", pass, salt, ic); print_hex(buf, 32+16); return(0); }