Re: Secure Remote Password (SRP)

2022-10-17 Thread Tomas Mraz
The SRP support will not be removed in 3.x releases. At the earliest it
could be removed in 4.0 release. Whether there will be a replacement
for the deprecated SRP APIs at that time we cannot currently say.

So unless you absolutely require not using deprecated APIs you can
still move to 3.x releases as the existing SRP API continues to be
supported there.

Tomas Mraz, OpenSSL

On Mon, 2022-10-17 at 21:13 -0700, Norm Green wrote:
>  I'm also interested in the answer to these questions regarding SRP
> in OpenSSL v3.
>  
>  Our project still uses OpenSSL v1.1.1 with plans to move to v3 next
> year. 
>  
>  However we use SRP extensively and will not be able to move to v3 if
> SRP support is soon to be no longer available.
>  
>  Norm Green
>  GemTalk Systems LLC
>  
> On 10/17/2022 2:49 PM, Rohit Khera [C] wrote:
>  
> > I am trying to get information on versions and usage of the Secure
> > Remote Password Protocol (SRP) APIs in OpenSSLv3. 
> >  
> >    1. Are SRPv3, v6, and/or v6a supported?
> >  
> >    2. I found the following information in the OpenSSL documents on
> > the following C API for SRP: SRP_create_verifier(),
> > SRP_user_pwd_new(), SSL_CTX_set_srp_password()
> > While the following documents the API :
> > https://www.openssl.org/docs/man3.0/man3/SRP_VBASE_new.html
> > Are there any examples of client and server programs that use these
> > interfaces in order to register and authenticate a user?
> >  
> >    3. The docs state that the APIs are deprecated -  are new
> > versions of the APIs planned or can we expect SRP functionality to
> > be unavailable in future versions of OpenSSL?
> >  
> > /R
> >  
> >  
>  

-- 
Tomáš Mráz, OpenSSL



Re: Secure Remote Password (SRP)

2022-10-17 Thread Norm Green
I'm also interested in the answer to these questions regarding SRP in 
OpenSSL v3.


Our project still uses OpenSSL v1.1.1 with plans to move to v3 next year.

However we use SRP extensively and will not be able to move to v3 if SRP 
support is soon to be no longer available.


Norm Green
GemTalk Systems LLC

On 10/17/2022 2:49 PM, Rohit Khera [C] wrote:


I am trying to get information on versions and usage of the Secure 
Remote Password Protocol (SRP) APIs in OpenSSLv3.


 1. Are SRPv3, v6, and/or v6a supported?

 2. I found the following information in the OpenSSL documents on the
following C API for SRP: SRP_create_verifier(),
SRP_user_pwd_new(), SSL_CTX_set_srp_password()

While the following documents the API :

https://www.openssl.org/docs/man3.0/man3/SRP_VBASE_new.html

Are there any examples of client and server programs that use these 
interfaces in order to register and authenticate a user?


 3. The docs state that the APIs are deprecated -  are new versions of
the APIs planned or can we expect SRP functionality to be
unavailable in future versions of OpenSSL?

/R



RE: Build openssl on windows 10 using cygwin

2022-10-17 Thread Michael Wojcik via openssl-users
> From: רונן לוי  
> Sent: Monday, 17 October, 2022 12:03

Send messages to the list, not directly to me.

> And, in which header file am I expected to find the Definition for LONG?

That's a question about the Windows SDK, not OpenSSL.

It's in WinNT.h, per Microsoft's documentation (which is readily available 
online).

But for building OpenSSL this is not your concern. Building OpenSSL on Windows 
with the Microsoft toolchain requires a valid installation of the Windows SDK. 
If you're not building with the Microsoft toolchain, then you'll have to 
consult the OpenSSL build instructions for the toolchain you're using. Have you 
read the text files in the OpenSSL distribution which explain how to build it?

> Which linux command I can use to find if there exists a definition for LONG?

Assuming you mean "which Cygwin command can I use on Windows...": find + xargs 
+ grep would be the usual choice to find the definition, but as I already noted 
that's in WinNT.h. If that's not what you mean, then your question is unclear.

-- 
Michael Wojcik


Secure Remote Password (SRP)

2022-10-17 Thread Rohit Khera [C]
I am trying to get information on versions and usage of the Secure Remote 
Password Protocol (SRP) APIs in OpenSSLv3.


  1.  Are SRPv3, v6, and/or v6a supported?

  2.  I found the following information in the OpenSSL documents on the 
following C API for SRP: SRP_create_verifier(), SRP_user_pwd_new(), 
SSL_CTX_set_srp_password()

While the following documents the API :

https://www.openssl.org/docs/man3.0/man3/SRP_VBASE_new.html

Are there any examples of client and server programs that use these interfaces 
in order to register and authenticate a user?

  3.  The docs state that the APIs are deprecated -  are new versions of the 
APIs planned or can we expect SRP functionality to be unavailable in future 
versions of OpenSSL?

/R




RE: Build openssl on windows 10 using cygwin

2022-10-17 Thread Michael Wojcik via openssl-users
> From: רונן לוי  
> Sent: Monday, 17 October, 2022 11:12

> see attached file for cygwin details.

I'm afraid I have no comment on that. I merely mentioned that for some OpenSSL 
releases, using a POSIXy perl implementation such as Cygwin's to configure 
OpenSSL for a Windows build did not work.

> ***   OpenSSL has been successfully configured                     ***

If memory serves, configuring with Cygwin perl would succeed, but the build 
would subsequently fail due to an issue with paths somewhere. I don't remember 
the details.

I suggest you try Strawberry Perl. It's free, and trying it would not take long.

-- 
Michael Wojcik


RE: Build openssl on windows 10 using cygwin

2022-10-17 Thread Michael Wojcik via openssl-users
> From: רונן לוי  
> Sent: Monday, 17 October, 2022 11:16

Please send messages to the list, not to me directly.

> And for the question with regard to the Windows style, are you referring to 
> CRLF as
> opposed to LF from linux?

No, to Windows-style file paths, with drive letters and backslashes, rather 
than (sensible) POSIX-style ones.

-- 
Michael Wojcik


Re: Build openssl on windows 10 using cygwin

2022-10-17 Thread רונן לוי
Hi Michael,

see attached file for cygwin details.

The openssl is cloned from:
git clone https://github.com/openssl/openssl.git

perl Configure
*Configuring OpenSSL version 3.2.0-dev for target Cygwin-x86_64*
Using os-specific seed configuration
Created configdata.pm
Running configdata.pm
Created Makefile.in
Created Makefile
Created include/openssl/configuration.h

**********************************************************************
***                                                                ***
***   OpenSSL has been successfully configured                     ***
***                                                                ***
***   If you encounter a problem while building, please open an    ***
***   issue on GitHub                                              ***
***   and include the output from the following command:           ***
***                                                                ***
***   perl configdata.pm --dump                                    ***
***                                                                ***
***   (If you are new to OpenSSL, you might want to consult the    ***
***   'Troubleshooting' section in the INSTALL.md file first)      ***
***                                                                ***
**********************************************************************

On Sun, 16 Oct 2022 at 17:55, Michael Wojcik <michael.woj...@microfocus.com> wrote:

> > From: openssl-users  On Behalf Of
>  ???
> > Sent: Saturday, 15 October, 2022 15:48
>
> > I have tried to build openssl using cygwin:
>
> > Both options starts compiling, but end up with error:
> > In file included from
> providers/implementations/storemgmt/winstore_store.c:27:
> > /usr/include/w32api/wincrypt.h:20:11: error: unknown type name 'LONG'
> >   20 |   typedef LONG HRESULT;
> > Q: What am I missing here?
>
> Well, the version of OpenSSL you're using, for one thing. And what C
> implementation; there are various ones which can be used under Cygwin.
> Cygwin is an environment, not a build toolchain.
>
> I don't know if this is still true, or if it differs for 1.1.1 and 3.0;
> but historically there have been issues using Cygwin perl to build OpenSSL,
> because OpenSSL on Windows wants a perl implementation that uses
> Windows-style file paths. We use Strawberry Perl.
>
> That said, that error appears to be due to an issue with the Windows SDK
> headers, since it's the Windows SDK which should be typedef'ing LONG.
> (Because we wouldn't want Microsoft to use actual standard C type names,
> would we?) So this might be due to not having some macro defined when
> including the various Windows SDK headers.
>
> --
> Michael Wojcik
>

Command line (with current working directory = .):

/usr/bin/perl ./Configure

Perl information:

/usr/bin/perl
5.32.1 for x86_64-cygwin-threads-multi


Re: Need help on OpenSSL windows build errors

2022-10-17 Thread Matt Caswell




On 17/10/2022 13:10, Ashok Kumar Sarode via openssl-users wrote:
> NOTE: I have re-named file openssl\*configuration.h.in* to 
> openssl\*configuration.h*
>
> Likewise i re-named err.h, ssl.h, opensslv.h, crypto.h


Don't do that. That is almost certainly the cause of these errors. The 
".h.in" files are *not* header files ready for use. They are templates 
from which we generate the real header files.


You need to build OpenSSL first before you can use the headers. Refer to 
the INSTALL.md file for instructions. Alternatively you can just 
download a pre built version from a third party distributor. See:


https://wiki.openssl.org/index.php/Binaries

Matt


Vacation

2022-10-17 Thread silvan . scherrer
Dear Sir or Madam,
I am on vacation from 8 October up to and including 18 October.
Emails will be read only very sporadically and answered only in urgent cases.

Kind regards
Silvan Scherrer




Need help on OpenSSL windows build errors

2022-10-17 Thread Ashok Kumar Sarode via openssl-users
Hello OpenSSL users,
I need help with the following errors which I am getting from my Windows machine 
building on Visual Studio 2019, Version 16.11.17.

Build started...
1>-- Build started: Project: executeHelloWorld, Configuration: Debug Win32 --
1>VerifyJWTSignUsingRSA.cpp
1>C:\Users\myDir\WindowsUtils\executeHelloWorld\openssl-master\include\openssl\configuration.h(28,1): error C2447: '{': missing function header (old-style formal list?)
1>C:\Users\myDir\WindowsUtils\executeHelloWorld\openssl-master\include\openssl\configuration.h(29,5): error C2018: unknown character '0x40'
1>C:\Users\myDir\WindowsUtils\executeHelloWorld\openssl-master\include\openssl\configuration.h(30,16): error C2018: unknown character '0x40'
1>C:\Users\myDir\WindowsUtils\executeHelloWorld\openssl-master\include\openssl\configuration.h(36,14): error C2018: unknown character '0x40'
1>C:\Users\myDir\WindowsUtils\executeHelloWorld\openssl-master\include\openssl\configuration.h(40,9): error C2018: unknown character '0x40'
1>C:\Users\myDir\WindowsUtils\executeHelloWorld\openssl-master\include\openssl\configuration.h(41,16): error C2018: unknown character '0x40'
1>C:\Users\myDir\WindowsUtils\executeHelloWorld\openssl-master\include\openssl\configuration.h(51,1): error C2447: '{': missing function header (old-style formal list?)
1>C:\Users\myDir\WindowsUtils\executeHelloWorld\openssl-master\include\openssl\configuration.h(57,1): error C4430: missing type specifier - int assumed. Note: C++ does not support default-int
1>C:\Users\myDir\WindowsUtils\executeHelloWorld\openssl-master\include\openssl\configuration.h(57,4): error C2065: '$config': undeclared identifier
1>C:\Users\myDir\WindowsUtils\executeHelloWorld\openssl-master\include\openssl\configuration.h(57,12): error C2065: 'bn_ll': undeclared identifier
1>C:\Users\myDir\WindowsUtils\executeHelloWorld\openssl-master\include\openssl\configuration.h(57,47): error C2059: syntax error: '}'
1>C:\Users\myDir\WindowsUtils\executeHelloWorld\openssl-master\include\openssl\configuration.h(57,47): error C2143: syntax error: missing ';' before '}'
1>C:\Users\myDir\WindowsUtils\executeHelloWorld\openssl-master\include\openssl\configuration.h(59,1): error C4430: missing type specifier - int assumed. Note: C++ does not support default-int
1>C:\Users\myDir\WindowsUtils\executeHelloWorld\openssl-master\include\openssl\configuration.h(59,4): error C2065: '$config': undeclared identifier
1>C:\Users\myDir\WindowsUtils\executeHelloWorld\openssl-master\include\openssl\configuration.h(59,12): error C2065: 'b64l': undeclared identifier
1>C:\Users\myDir\WindowsUtils\executeHelloWorld\openssl-master\include\openssl\configuration.h(59,46): error C2059: syntax error: '}'
1>C:\Users\myDir\WindowsUtils\executeHelloWorld\openssl-master\include\openssl\configuration.h(59,46): error C2143: syntax error: missing ';' before '}'
1>C:\Users\myDir\WindowsUtils\executeHelloWorld\openssl-master\include\openssl\configuration.h(60,1): error C2143: syntax error: missing ';' before '{'
1>C:\Users\myDir\WindowsUtils\executeHelloWorld\openssl-master\include\openssl\configuration.h(60,1): error C2447: '{': missing function header (old-style formal list?)
1>C:\Users\myDir\WindowsUtils\executeHelloWorld\openssl-master\include\openssl\configuration.h(61,1): error C4430: missing type specifier - int assumed. Note: C++ does not support default-int
1>C:\Users\myDir\WindowsUtils\executeHelloWorld\openssl-master\include\openssl\configuration.h(61,4): error C2065: '$config': undeclared identifier
1>C:\Users\myDir\WindowsUtils\executeHelloWorld\openssl-master\include\openssl\configuration.h(61,12): error C2065: 'b32': undeclared identifier
1>C:\Users\myDir\WindowsUtils\executeHelloWorld\openssl-master\include\openssl\configuration.h(61,46): error C2059: syntax error: '}'
1>C:\Users\myDir\WindowsUtils\executeHelloWorld\openssl-master\include\openssl\configuration.h(61,46): error C2143: syntax error: missing ';' before '}'
1>C:\Users\myDir\WindowsUtils\executeHelloWorld\openssl-master\include\openssl\configuration.h(67,1): error C2143: syntax error: missing ';' before '}'
1>C:\Users\myDir\WindowsUtils\executeHelloWorld\openssl-master\include\openssl\configuration.h(67,1): error C2059: syntax error: '}'
1>C:\Users\myDir\WindowsUtils\executeHelloWorld\openssl-master\include\openssl\macros.h(138,6): fatal error C1017: invalid integer constant expression
1>Done building project "executeHelloWorld.vcxproj" -- FAILED.
== Build: 0 succeeded, 1 failed, 0 up-to-date, 0 skipped ==

NOTE: I have re-named file openssl\configuration.h.in to 
openssl\configuration.h
Likewise I re-named err.h, ssl.h, opensslv.h, crypto.h
I downloaded OpenSSL source from GitHub - openssl/openssl: TLS/SSL and crypto 
library
Regards,
S.Ashok Kumar  

Re: Problems with ECDSA signature and verification

2022-10-17 Thread Matt Caswell




On 17/10/2022 09:34, Fernando Elena Benavente wrote:
> Hi guys, we are having problems with the implementation of the signature 
> and verification of messages with ECDSA, because the demo of ECDSA in 
> github  us does not allow us to determine the type of ECDSA curve,

I assume you are looking at this demo:

https://github.com/openssl/openssl/blob/master/demos/signature/EVP_Signature_demo.c

The curve in use is a property of the key. So if you want to use a 
different curve then you need to generate a key for use with that 
different curve, e.g. for a key using the P-256 curve you can generate a 
PEM format one from the command line like this:

$ openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out privkey.pem

Or a DER format one like this:

$ openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out privkey.der -outform DER

To do this in C code you can just use the simple one liner:

EVP_PKEY *pkey = EVP_EC_gen("P-256");

Also see this demo code if your keygen requirements are more complex 
than just simply specifying the curvename:

https://github.com/openssl/openssl/blob/master/demos/pkey/EVP_PKEY_EC_keygen.c

> In addition, we have seen that we have problems when it comes to having 
> strings and EVP_PKEY and not being able to pass one to another and vice 
> versa.

Your question here is lacking detail. It's unclear what you are trying 
to do, what you expected to happen and what actually happens.

> We are also not able to print EVP_PKEY keys because the BIO 
> functions in our version (3.0) are deprecated.

See the functions here:

https://www.openssl.org/docs/man3.0/man3/EVP_PKEY_print_public.html

Matt

> If you know the functions 
> to make this signature and verification from strings or even another 
> ECDSA example, would be great help for us.
>
> Thanks for your help.
>
> -Fernando

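An added example, not part of the thread or of the OpenSSL project's demos, that walks through the points raised above using Ruby's OpenSSL bindings (the language of the script in the PKCS#7 thread on this page): the curve is fixed when the key is generated, keys convert to and from PEM strings, and signing and verification work from those strings. It assumes Ruby 3.0 or later for `public_to_pem`; all helper names are hypothetical.

```ruby
require 'openssl'

# OpenSSL's short name for NIST P-256. The curve is chosen when the key is
# generated and is carried inside the key from then on.
CURVE = 'prime256v1'

# Generate a key on the given curve and return both halves as PEM strings.
def generate_pem_pair(curve = CURVE)
  key = OpenSSL::PKey::EC.generate(curve)
  { private: key.to_pem, public: key.public_to_pem }
end

# String -> key object. OpenSSL::PKey.read accepts PEM or DER input and
# returns the matching key class (here OpenSSL::PKey::EC).
def load_key(pem)
  OpenSSL::PKey.read(pem)
end

# The curve is read back from the key itself, not passed alongside it.
def curve_of(pem)
  load_key(pem).group.curve_name
end

# Returns a DER-encoded ECDSA signature over SHA-256(message).
def sign_message(private_pem, message)
  load_key(private_pem).sign('SHA256', message)
end

# True only if the signature matches the message under this public key.
# A malformed signature or a key on another curve is treated as a failure.
def verify_message(public_pem, message, signature)
  load_key(public_pem).verify('SHA256', signature, message)
rescue OpenSSL::PKey::PKeyError
  false
end

if $PROGRAM_NAME == __FILE__
  pair = generate_pem_pair
  message = 'constructed test message'
  signature = sign_message(pair[:private], message)
  puts "curve:    #{curve_of(pair[:public])}"
  puts "verified: #{verify_message(pair[:public], message, signature)}"
  puts "tampered: #{verify_message(pair[:public], message + '!', signature)}"
end
```
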


Re: PKCS#7 Signing: How to get repeatable output for signing the same data

2022-10-17 Thread Michal Suchánek
On Mon, Oct 17, 2022 at 10:28:45AM +0200, Tim Meusel wrote:
> Hi!
> I maintain a Ruby script that does PKCS#7 signing and afterwards some
> encryption with AES-128-CFB. A trimmed down version:
> 
> certpath = '/tmp/cert.pem'
> keypath = '/tmp/key/pem'
> data = 'teststring'
> key  = OpenSSL::PKey::RSA.new(File.read(keypath), '1234')
> cert = OpenSSL::X509::Certificate.new(File.read(certpath))
> signed = OpenSSL::PKCS7::sign(cert, key, data, [], OpenSSL::PKCS7::BINARY)
> cipher = OpenSSL::Cipher::new("AES-128-CFB")
> iv_len = cipher.iv_len
> key_len = cipher.key_len
> fqdn_rand = Digest::SHA256.hexdigest([destination,data.length].join(':'))
> iv_seed, key_seed = fqdn_rand.partition(/.{32}/)[1,2]
> iv = iv_seed.unpack('a2'*key_len).map{|x| x.hex}.pack('c'*key_len)
> key = key_seed.unpack('a2'*key_len).map{|x| x.hex}.pack('c'*key_len)
> cipher.encrypt
> cipher.iv=(iv)
> cipher.key=(key)
> OpenSSL::PKCS7::encrypt([target], signed.to_der, cipher,
> OpenSSL::PKCS7::BINARY).to_s
> 
> I pulled the AES encryption into a testscript and that's indeed repeatable
> (script at the end of the email). I did some tests and noticed that the
> initial signing doesn't produce repeatable output:
> 
> signed = OpenSSL::PKCS7::sign(cert, key, data, [], OpenSSL::PKCS7::BINARY)
> 
> I did some googling and that told me the signing date/timestamp is part of
> the output, which would explain why it doesn't produce the same output when
> I run it twice. Now to my actual questions:
> * Is the different output caused by a changing signing time and/or something
> else?
> * Do you know if I can pass the signingtime to manipulate it?
> 
> I know that this isn't a Ruby mailinglist, but the ruby-openssl bindings and
> the documentation are generated from the C code and were not very helpful
> (for people not knowing C/not knowing a lot about OpenSSL/PKCS#7). Maybe
> you've some thoughts.
> 
> Why am I doing this?
> 
> Roughly explained, the script is executed every 30 minutes for a lot of
> content, then the previous PKCS#7 output is pulled from a database,
> compared, and if the new script output is different, the DB is updated. This
> is stupid in many ways, but I cannot change that short-term. As a workaround,
> we would like to update the script to produce repeatable output. I know that
> this weakens the security, but we need to reduce the database load from the
> many reoccurring updates.

Hello,
this is code that creates a PKCS#7 signature from a raw RSA signature
without using openssl (because openssl cannot do that) -> you can put
any data you want in it. YMMV

https://github.com/openSUSE/pesign-obs-integration/blob/master/kernel-sign-file#L457

HTH

Michal


Problems with ECDSA signature and verification

2022-10-17 Thread Fernando Elena Benavente
Hi guys, we are having problems with the implementation of the signature and 
verification of messages with ECDSA, because the demo of ECDSA in github  us 
does not allow us to determine the type of ECDSA curve, In addition, we have 
seen that we have problems when it comes to having strings and EVP_PKEY and not 
being able to pass one to another and vice versa. We are also not able to print 
EVP_PKEY keys because the BIO functions in our version (3.0) are deprecated. If 
you know the functions to make this signature and verification from strings or 
even another ECDSA example, would be great help for us.

Thanks for your help.

-Fernando


PKCS#7 Signing: How to get repeatable output for signing the same data

2022-10-17 Thread Tim Meusel

Hi!
I maintain a Ruby script that does PKCS#7 signing and afterwards some 
encryption with AES-128-CFB. A trimmed down version:


certpath = '/tmp/cert.pem'
keypath = '/tmp/key/pem'
data = 'teststring'
key  = OpenSSL::PKey::RSA.new(File.read(keypath), '1234')
cert = OpenSSL::X509::Certificate.new(File.read(certpath))
signed = OpenSSL::PKCS7::sign(cert, key, data, [], OpenSSL::PKCS7::BINARY)
cipher = OpenSSL::Cipher::new("AES-128-CFB")
iv_len = cipher.iv_len
key_len = cipher.key_len
fqdn_rand = Digest::SHA256.hexdigest([destination,data.length].join(':'))
iv_seed, key_seed = fqdn_rand.partition(/.{32}/)[1,2]
iv = iv_seed.unpack('a2'*key_len).map{|x| x.hex}.pack('c'*key_len)
key = key_seed.unpack('a2'*key_len).map{|x| x.hex}.pack('c'*key_len)
cipher.encrypt
cipher.iv=(iv)
cipher.key=(key)
OpenSSL::PKCS7::encrypt([target], signed.to_der, cipher, 
OpenSSL::PKCS7::BINARY).to_s


I pulled the AES encryption into a testscript and that's indeed 
repeatable (script at the end of the email). I did some tests and 
noticed that the initial signing doesn't produce repeatable output:


signed = OpenSSL::PKCS7::sign(cert, key, data, [], OpenSSL::PKCS7::BINARY)

I did some googling and that told me the signing date/timestamp is part 
of the output, which would explain why it doesn't produce the same 
output when I run it twice. Now to my actual questions:
* Is the different output caused by a changing signing time and/or 
something else?

* Do you know if I can pass the signingtime to manipulate it?

I know that this isn't a Ruby mailinglist, but the ruby-openssl bindings 
and the documentation are generated from the C code and were not very 
helpful (for people not knowing C/not knowing a lot about 
OpenSSL/PKCS#7). Maybe you've some thoughts.


Why am I doing this?

Roughly explained, the script is executed every 30 minutes for a lot of 
content, then the previous PKCS#7 output is pulled from a database, 
compared, and if the new script output is different, the DB is updated. 
This is stupid in many ways, but I cannot change that short-term. As a 
workaround, we would like to update the script to produce repeatable 
output. I know that this weakens the security, but we need to reduce the 
database load from the many reoccurring updates.


my AES testing:

root@puppet ~ # ruby openssl.rb
encrypted: ["38b5cefb"]
decrypted: test
encrypted: ["38b5cefb"]
decrypted: test
root@puppet ~ # cat openssl.rb
#!/usr/bin/env ruby

require 'openssl'

def encrypt(content)
  cipher = OpenSSL::Cipher::new("AES-128-CFB")
  cipher.encrypt
  iv ="0001".unpack('a2'*16).map{|x| 
x.hex}.pack('c'*16)

  cipher.iv=(iv)
  key = "7ffb8032dff33aef9aa92e9ac96239d3".unpack('a2'*16).map{|x| 
x.hex}.pack('c'*16)

  cipher.key=(key)
  output = cipher.update(content)
  output << cipher.final
  puts "encrypted: #{output.unpack('H*')}\n"
  puts "decrypted: #{decrypt(output, iv, key)}\n"
end

def decrypt(content, iv, key)
  cipher = OpenSSL::Cipher::new("AES-128-CFB")
  cipher.decrypt
  cipher.iv=(iv)
  cipher.key=(key)
  output = cipher.update(content)
  output << cipher.final
  output
end
encrypt 'test'
encrypt 'test'
root@puppet ~ #

The complete original code:
https://github.com/binford2k/binford2k-node_encrypt/blob/main/lib/puppet_x/binford2k/node_encrypt.rb#L11-L55
My WIP patch: 
https://github.com/binford2k/binford2k-node_encrypt/compare/main...bastelfreak:binford2k-node_encrypt:49675?expand=1


Cheers, Tim
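
The following is an added example, not part of Tim's script or of any reply in the thread. Using a throwaway RSA key and self-signed certificate constructed inline, it checks whether the signingTime signed attribute is what makes two PKCS#7 signatures over the same data differ, and what `OpenSSL::PKCS7::NOATTR` changes; all helper names are hypothetical.

```ruby
require 'openssl'

# Constructed throwaway RSA key and self-signed certificate so the example
# runs offline (the script in the thread reads its own from files).
def demo_identity
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=pkcs7-repeatability-demo')
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# DER of a signature made with the flags the thread's script uses (BINARY),
# optionally adding NOATTR, which omits all signed attributes.
def sign_der(key, cert, data, noattr: false)
  flags = OpenSSL::PKCS7::BINARY
  flags |= OpenSSL::PKCS7::NOATTR if noattr
  OpenSSL::PKCS7.sign(cert, key, data, [], flags).to_der
end

# signingTime of the first SignerInfo, or nil when the attribute is absent.
def signing_time(der)
  OpenSSL::PKCS7.new(der).signers.first.signed_time
rescue OpenSSL::PKCS7::PKCS7Error
  nil
end

# Checks the signature and the embedded content. NOVERIFY skips certificate
# chain validation only, because the demo certificate is self-signed.
def signature_valid?(der, cert, data)
  p7 = OpenSSL::PKCS7.new(der)
  p7.verify([cert], OpenSSL::X509::Store.new, nil, OpenSSL::PKCS7::NOVERIFY) && p7.data == data
end

def repeatability_report(data = 'teststring')
  key, cert = demo_identity
  first = sign_der(key, cert, data)
  sleep 1.1 # signingTime is encoded with one-second resolution
  second = sign_der(key, cert, data)
  a = sign_der(key, cert, data, noattr: true)
  b = sign_der(key, cert, data, noattr: true)
  {
    default_has_signing_time: signing_time(first).is_a?(Time),
    default_repeatable: first == second,
    noattr_has_signing_time: !signing_time(a).nil?,
    noattr_repeatable: a == b,
    noattr_valid: signature_valid?(a, cert, data)
  }
end

puts repeatability_report if $PROGRAM_NAME == __FILE__
```

Repeatability under NOATTR also relies on RSA PKCS#1 v1.5 signatures being deterministic; an ECDSA or RSA-PSS signing key would still give different bytes on every run. NOATTR drops every signed attribute, not only the signing time.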

