OpenSSL bad decrypt between 0.9.8o and 1.1.0f

debian ssl openssl encoding debian-stretch

I use OpenSSL to encode clear text and decode it on several remote servers. Whilte I was testing my scripts to ensure Debian 9 Stretch compatibility and found an error.

Here is the way I test: Debian 6, OpenSSL 0.9.8o, encoding a string:

# echo "Hi guys" | openssl des3 -salt -a -k "testkey"
U2FsdGVkX1+I3EBhXjqrm+MJOmKRpj+Y5TtNJaJjI/s=

Decoding on the same server:

# echo "U2FsdGVkX1+I3EBhXjqrm+MJOmKRpj+Y5TtNJaJjI/s=" | openssl des3 -salt -a -d -k "testkey"
Hi guys

Debian 9, OpenSSL 1.1.0f, decoding the string:

# echo "U2FsdGVkX1+I3EBhXjqrm+MJOmKRpj+Y5TtNJaJjI/s=" | openssl des3 -salt -a -d -k "testkey"
bad decrypt
140259873273088:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:535:
z���AR�

While decoding is working on:

Debian 7, OpenSSL 1.0.1t:

$ echo "U2FsdGVkX1+I3EBhXjqrm+MJOmKRpj+Y5TtNJaJjI/s=" | openssl des3 -salt -a -d -k "testkey"
Hi guys

Debian 8, OpenSSL 1.0.1t

# echo "U2FsdGVkX1+I3EBhXjqrm+MJOmKRpj+Y5TtNJaJjI/s=" | openssl des3 -salt -a -d -k "testkey"
Hi guys

So I've tested to encode on the Debian 9, OpenSSL 1.1.0f testing server:

# echo "Hi guys" | openssl des3 -salt -a -k "testkey"
U2FsdGVkX1+p/LDtOotR/gmVTfGL+LabNPvLxKqwbOk=

And decoding on the same server is working:

# echo "U2FsdGVkX1+p/LDtOotR/gmVTfGL+LabNPvLxKqwbOk=" | openssl des3 -salt -a -d -k "testkey"
Hi guys

But decoding is not working on the 3 other servers: Debian 6, OpenSSL 0.9.8o:

# echo "U2FsdGVkX1+p/LDtOotR/gmVTfGL+LabNPvLxKqwbOk=" | openssl des3 -salt -a -d -k "testkey"
bad decrypt
12605:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:330:
��Rv��

Debian 7, OpenSSL 1.0.1t:

$ echo "U2FsdGVkX1+p/LDtOotR/gmVTfGL+LabNPvLxKqwbOk=" | openssl des3 -salt -a -d -k "testkey"
bad decrypt
139771367589544:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:516:
▒▒Rv▒▒

Debian 8, OpenSSL 1.0.1t:

# echo "U2FsdGVkX1+p/LDtOotR/gmVTfGL+LabNPvLxKqwbOk=" | openssl des3 -salt -a -d -k "testkey"
bad decrypt
139719827605136:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:516:
▒▒Rv▒▒

I've checked the OpenSSL dependencies, and tested on several servers on each versions.


Solution 1:

Sorry guys, few minutes later I found the answer on Debian bug tracker by Sebastian Andrzej Siewior:

Debian Bug report #843064

bah. They changed the default digest from md5 to sha256 to create the key. If you add '-md md5' to your 1.1. openssl then it will work. The other way around you need '-md sha256' to keep 1.0 happy.

So by adding "-md md5" on Debian 9 it works on older OpenSSL encoded string:

# echo "U2FsdGVkX1+I3EBhXjqrm+MJOmKRpj+Y5TtNJaJjI/s=" | openssl des3 -salt -md md5 -a -d -k "testkey"
Hi guys

And by adding "-md sha256" on older Debian, the newer OpenSSL encoded string works too:

# echo "U2FsdGVkX1+p/LDtOotR/gmVTfGL+LabNPvLxKqwbOk=" | openssl des3 -md sha256 -salt -a -d -k "testkey"
Hi guys

Keeping the thread to save time to other guys :)

Related

How to disable Windows 10 Feedback Hub?
Default cell background in Calc
Can't access localhost from computer running on same network
Bash-script as linux-service won't run, but executed from terminal works perfectly
Cannot solve the "The following packages have unmet dependencies" issue
What are "temp" folders used for in Windows 10?
How do I use a TV Tuner in XBMC?
Text terminal hardware (for Linux)
When should I put programs in "Program Files" and when "Program Files (x86)"?
AMD CPU Equivalents
Make emacs not remove the BOM from XML files
How to use curl with Django, csrf tokens and POST requests