[Pkg-openssl-devel] Bug#544763: openssl: enc(1ssl) mistakenly claims -nosalt is the default

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Sep 2 19:10:44 UTC 2009 

Package: openssl
Version: 0.9.8k-4
Severity: normal

-salt appears to be the default for openssl's enc subcommand, but the
 documentation is mistaken about that.

>From enc(1ssl):

       -salt
           use a salt in the key derivation routines. This option should
           ALWAYS be used unless compatibility with previous versions of
           OpenSSL or SSLeay is required. This option is only present on
           OpenSSL versions 0.9.5 or above.

       -nosalt
           don't use a salt in the key derivation routines. This is the
           default for compatibility with previous versions of OpenSSL and
           SSLeay.


And yet it appears that either form of invocation uses -salt as the
default (as measured by the salt being an additional prepended
cipherblock):

0 dkg at pip:~$ printf 'abcdabcdabcdabc\n' | FUBAR=abcd openssl enc -aes-128-cbc -nopad  -e -pass env:FUBAR | wc -c
32
0 dkg at pip:~$ printf 'abcdabcdabcdabc\n' | FUBAR=abcd openssl enc -aes-128-cbc -nopad  -e -pass env:FUBAR -nosalt | wc -c
16
0 dkg at pip:~$ printf 'abcdabcdabcdabc\n' | FUBAR=abcd openssl aes-128-cbc -nopad  -e -pass env:FUBAR -nosalt | wc -c
16
0 dkg at pip:~$ printf 'abcdabcdabcdabc\n' | FUBAR=abcd openssl aes-128-cbc -nopad  -e -pass env:FUBAR  | wc -c
32
0 dkg at pip:~$ 

Thanks for maintaining openssl in debian!

       --dkg

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-vserver-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages openssl depends on:
ii  libc6                  2.9-23            GNU C Library: Shared libraries
ii  libssl0.9.8            0.9.8k-4          SSL shared libraries
ii  zlib1g                 1:1.2.3.3.dfsg-15 compression library - runtime

openssl recommends no packages.

Versions of packages openssl suggests:
ii  ca-certificates               20090814   Common CA certificates

-- no debconf information

More information about the Pkg-openssl-devel mailing list