tags 659251 + patch
thanks

* Roland Stigge | 2012-02-09 15:52:21 [+0100]:

>$ openssl enc -bf -in /usr/share/common-licenses/GPL-3 -out GPL-3.enc
>enter bf-cbc encryption password:
>Verifying - enter bf-cbc encryption password:
>$ openssl enc -bf -in /usr/share/common-licenses/GPL-3 -out GPL-3.enc-z -z
>enter bf-cbc encryption password:
>Verifying - enter bf-cbc encryption password:
>$ gzip -c /usr/share/common-licenses/GPL-3 > GPL-3.gz
>$ ls -l GPL-3* /usr/share/common-licenses/GPL-3
>-rw-r--r-- 1 rst  rst  35168 Feb  9 15:39 GPL-3.enc
>-rw-r--r-- 1 rst  rst  35189 Feb  9 15:39 GPL-3.enc-z
>-rw-r--r-- 1 rst  rst  12143 Feb  9 15:40 GPL-3.gz
>-rw-r--r-- 1 root root 35147 Jul  2  2007 /usr/share/common-licenses/GPL-3
>$

The problem is that openssl applies zlib to the already-encrypted output. Ciphertext has no redundancy to remove, so the zlib framing only adds bytes (35189 vs 35168 above) instead of shrinking the file. The attached patch changes the order so the input is compressed first and the compressed data is then encrypted.

Sebastian
From: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
Subject: [PATCH] enc: compress before compress/base64 is applied

The command
|openssl enc -pass pass:pass -iv 0 -K 0 -S 0 -aes-256-cbc -base64 < file > file.enc.b64

first performs the encryption followed by base64 encoding. That means the output
is base64 encoded as requests.

The command
|openssl enc -pass pass:pass -iv 0 -K 0 -S 0 -aes-256-cbc -z < file > file.enc.z

first performs the encryption followed by compression. That means the encrypted
data is compressed which should not give any improvement because a good
encryption algorithm should not produce anything that can be compressed.

The command
| openssl enc -pass pass:pass -iv 0 -K 0 -S 0 -aes-256-cbc -z -base64 < file >  file.enc.z.base64

first performs the encryption, followed by base64 encoding, followed by compression. The output is therefore no longer base64 encoded as requested but is a raw zlib stream wrapping the base64 text.

This patch changes the order of the individual steps to
- compress the input
- encrypt the content
- encode is as base64

the -d step is in reverse order.
That means the last command will produce a base64 encoded file which was
compressed before encrypted.

The *now* created files are no longer compatible with the files created with
an earlier version of openssl if the -z option was involved.

To get the "old" content with new binary the following step is required:
|	openssl enc -d -z < file.old | \
|		openssl enc -d -aes-256-cbc > file

where the first step simply decompresses the content and the second performs the
decryption.

Signed-off-by: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
---
 apps/enc.c |   32 +++++++++++++++++---------------
 1 file changed, 17 insertions(+), 15 deletions(-)

diff --git a/apps/enc.c b/apps/enc.c
index 719acc3..a6fd07e 100644
--- a/apps/enc.c
+++ b/apps/enc.c
@@ -475,19 +475,6 @@ bad:
 	rbio=in;
 	wbio=out;
 
-#ifdef ZLIB
-
-	if (do_zlib)
-		{
-		if ((bzl=BIO_new(BIO_f_zlib())) == NULL)
-			goto end;
-		if (enc)
-			wbio=BIO_push(bzl,wbio);
-		else
-			rbio=BIO_push(bzl,rbio);
-		}
-#endif
-
 	if (base64)
 		{
 		if ((b64=BIO_new(BIO_f_base64())) == NULL)
@@ -653,9 +640,24 @@ bad:
 			}
 		}
 
-	/* Only encrypt/decrypt as we write the file */
 	if (benc != NULL)
-		wbio=BIO_push(benc,wbio);
+		{
+		if (!enc)
+			rbio=BIO_push(benc,rbio);
+		else
+			wbio=BIO_push(benc,wbio);
+		}
+#ifdef ZLIB
+	if (do_zlib)
+		{
+		if ((bzl=BIO_new(BIO_f_zlib())) == NULL)
+			goto end;
+		if (enc)
+			wbio=BIO_push(bzl,wbio);
+		else
+			rbio=BIO_push(bzl,rbio);
+		}
+#endif
 
 	for (;;)
 		{
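Review bot: Moving benc to the read side for decryption (the new `if (!enc) rbio=BIO_push(benc,rbio);` branch) changes where a padding failure surfaces: the cipher BIO now runs EVP_CipherFinal_ex inside BIO_read at EOF and only records the result in its status, so a wrong passphrase or truncated ciphertext no longer fails the `BIO_flush(wbio)` that the post-loop code (outside this hunk) appears to rely on for its "bad decrypt" error, and the command can exit 0 with truncated or empty output. After the copy loop, check the status explicitly, e.g. `if (benc != NULL && !enc && !BIO_get_cipher_status(benc)) { BIO_printf(bio_err,"bad decrypt\n"); goto end; }`. Separately, now that -z compresses before encrypting, the ciphertext length reflects how compressible the plaintext is rather than just its size, a modest information leak that deserves a sentence in the enc man page next to -z. The surrounding main() continues on both sides of this hunk.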
-- 
1.7.9.5

