tags 659251 + patch
thanks

* Roland Stigge | 2012-02-09 15:52:21 [+0100]:

>$ openssl enc -bf -in /usr/share/common-licenses/GPL-3 -out GPL-3.enc
>enter bf-cbc encryption password:
>Verifying - enter bf-cbc encryption password:
>$ openssl enc -bf -in /usr/share/common-licenses/GPL-3 -out GPL-3.enc-z -z
>enter bf-cbc encryption password:
>Verifying - enter bf-cbc encryption password:
>$ gzip -c /usr/share/common-licenses/GPL-3 > GPL-3.gz
>$ ls -l GPL-3* /usr/share/common-licenses/GPL-3
>-rw-r--r-- 1 rst rst 35168 Feb 9 15:39 GPL-3.enc
>-rw-r--r-- 1 rst rst 35189 Feb 9 15:39 GPL-3.enc-z
>-rw-r--r-- 1 rst rst 12143 Feb 9 15:40 GPL-3.gz
>-rw-r--r-- 1 root root 35147 Jul 2 2007 /usr/share/common-licenses/GPL-3
>$

The problem is that openssl tries to compress encrypted content, which seems not to work. The patch attached changes the order to first compress and then encrypt.

Sebastian
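The stage order the patch establishes, as an added example that is not part of this bug report or of OpenSSL: a Python model of the three BIO stages (zlib, cipher, base64) in both the pre-patch and post-patch order, with the size comparison the report's `ls -l` made. Python's standard library has no AES, so an HMAC-SHA256 counter-mode keystream (an assumption, labelled in the code) stands in for aes-256-cbc; the key, IV and plaintext are constructed.

```python
import base64
import hashlib
import hmac
import re
import zlib

# Constructed key/IV so the demo is repeatable; openssl derives them from -pass/-K/-iv.
KEY = hashlib.sha256(b"constructed demo key").digest()
IV = bytes(16)
PLAINTEXT = b"GNU GENERAL PUBLIC LICENSE, Version 3, 29 June 2007\n" * 200  # constructed

def cipher(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Stand-in for the aes-256-cbc BIO (stdlib has no AES): HMAC-SHA256 as a counter-mode
    keystream. XOR is self-inverse, so one function encrypts and decrypts; output does not compress."""
    out = bytearray()
    for ctr, off in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, iv + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def enc_patched(data: bytes, z: bool = False, b64: bool = False) -> bytes:
    """Stage order after the patch: compress, encrypt, base64 encode."""
    if z:
        data = zlib.compress(data)
    data = cipher(KEY, IV, data)
    return base64.b64encode(data) if b64 else data

def dec_patched(data: bytes, z: bool = False, b64: bool = False) -> bytes:
    """The -d path runs the same stages in reverse: decode, decrypt, decompress."""
    if b64:
        data = base64.b64decode(data)
    data = cipher(KEY, IV, data)
    return zlib.decompress(data) if z else data

def enc_old(data: bytes, z: bool = False, b64: bool = False) -> bytes:
    """Stage order before the patch: encrypt, base64 encode, then zlib last of all."""
    data = cipher(KEY, IV, data)
    if b64:
        data = base64.b64encode(data)
    return zlib.compress(data) if z else data

def is_base64_text(data: bytes) -> bool:
    """True if every byte is in the base64 alphabet, which -base64 output should satisfy."""
    return re.fullmatch(rb"[A-Za-z0-9+/=\n]*", data) is not None

def sizes(data: bytes = PLAINTEXT) -> dict:
    """Output sizes with -z under both orders: compressing ciphertext gains nothing."""
    return {"plain": len(data), "old_z": len(enc_old(data, z=True)),
            "new_z": len(enc_patched(data, z=True))}
```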
From: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
Subject: [PATCH] enc: compress before compress/base64 is applied

The command
|openssl enc -pass pass:pass -iv 0 -K 0 -S 0 -aes-256-cbc -base64 < file > file.enc.b64
first performs the encryption followed by base64 encoding. That means the output is base64 encoded as requested.
The command
|openssl enc -pass pass:pass -iv 0 -K 0 -S 0 -aes-256-cbc -z < file > file.enc.z
first performs the encryption followed by compression. That means the encrypted data is compressed, which should not give any improvement because a good encryption algorithm should not produce anything that can be compressed.
The command
| openssl enc -pass pass:pass -iv 0 -K 0 -S 0 -aes-256-cbc -z -base64 < file > file.enc.z.base64
first performs the encryption, followed by base64 encoding, followed by compression. The output is no longer base64 encoded as requested but compressed by zlib.
This patch changes the order of the individual steps to
- compress the input
- encrypt the content
- encode it as base64
The -d step is in reverse order. That means the last command will produce a base64 encoded file which was compressed before being encrypted.
The *now* created files are no longer compatible with the files created with an earlier version of openssl if the -z option was involved. To get the "old" content with the new binary the following step is required:
| openssl enc -d -z < file.old | \
| openssl enc -d -aes-256-cbc > file
where the first step simply decompresses the content and the second performs the decryption.

Signed-off-by: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
---
 apps/enc.c | 32 +++++++++++++++++---------------
 1 file changed, 17 insertions(+), 15 deletions(-)

diff --git a/apps/enc.c b/apps/enc.c
index 719acc3..a6fd07e 100644
--- a/apps/enc.c
+++ b/apps/enc.c
@@ -475,19 +475,6 @@ bad: rbio=in; wbio=out; -#ifdef ZLIB - - if (do_zlib) - { - if ((bzl=BIO_new(BIO_f_zlib())) == NULL) - goto end; - if (enc) - wbio=BIO_push(bzl,wbio); - else - rbio=BIO_push(bzl,rbio); - } -#endif - if (base64) { if ((b64=BIO_new(BIO_f_base64())) == NULL) @@ -653,9 +640,24 @@ bad: } } - /* Only encrypt/decrypt as we write the file */ if (benc != NULL) - wbio=BIO_push(benc,wbio); + { + if (!enc) + rbio=BIO_push(benc,rbio); + else + wbio=BIO_push(benc,wbio); + } +#ifdef ZLIB + if (do_zlib) + { + if ((bzl=BIO_new(BIO_f_zlib())) == NULL) + goto end; + if (enc) + wbio=BIO_push(bzl,wbio); + else + rbio=BIO_push(bzl,rbio); + } +#endif for (;;) { -- 1.7.9.5
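Review bot: in the second hunk, `if (!enc) rbio=BIO_push(benc,rbio);` moves decryption from the write side to the read side, and the removed comment `/* Only encrypt/decrypt as we write the file */` shows the old code relied on the cipher sitting on wbio. The `for (;;)` read loop that follows, and any `BIO_flush(wbio)` check after it that reported "bad decrypt", were written for that arrangement: with benc on rbio, a wrong key or bad padding now surfaces as a failed `BIO_read` on rbio instead of on the final flush, so confirm the loop treats a negative read as an error rather than as end of file. The resulting chains are otherwise right (encrypt: zlib -> cipher -> base64 -> out; decrypt: in -> base64 -> cipher -> zlib), and the removed comment should be replaced by one stating why the cipher is on rbio for -d, namely so that zlib decompression runs after decryption.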