Hello,

There is a bad verification of the "pass" argument in the openssl command.

I discovered this because I use a passphrase of more than 4000 chars (the
interest of that can be discussed). All following information about the source
code is based on OpenSSL 0.9.8k.


When the pass argument is given on the command line
$ /usr/bin/openssl enc -p -d -a -bf -pass pass:<big pass of 4000 chars> -in mlvs
or by environment variable (where the size of the passphrase is unlimited)
$ /usr/bin/openssl enc -p -d -a -bf -pass env:pass -in mlvs

decoding occurs correctly. But if I use:
$ /usr/bin/openssl enc -p -d -a -bf -kfile /path/to/my/pass -in mlvs
$ /usr/bin/openssl enc -p -d -a -bf -pass file:/path/to/my/pass -in mlvs

I get something like this:
bad decrypt
16246:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:330:

After reading the source code, I think this happens because the openssl enc
command with the kfile option reads only the first 128 chars of the file
(enc.c line 228).
So it's unable to read the complete passphrase correctly.

With the -pass option, same issue: reading is done in apps.c with a constant
size APP_PASS_LEN defined in apps.h with a value of 1024. Same issue, unable to
read the complete pass file, so decryption fails.

The issue is that
$ /usr/bin/openssl enc -p -d -a -bf -pass pass:<big pass of 4000 chars> -in
$ /usr/bin/openssl enc -p -d -a -bf -pass env:pass -in mlvs
$ /usr/bin/openssl enc -p -d -a -bf -kfile /path/to/my/pass -in mlvs
$ /usr/bin/openssl enc -p -d -a -bf -pass file:/path/to/my/pass -in mlvs
do not have the same behaviour with more than 128 chars in the passphrase.

And this is blocking when we want a passphrase with chars that cannot be
passed by env or command line (non-ASCII chars) and with a size of more than
1024 chars.

Best regards,

-- 
Sebastien "Seblu" Luttringer - IT Engineer
Smartjog - TDF Pole Multimedia
27 bd Hippolyte Marques, 94200 Ivry sur Seine, France
Phone: +33.1.58.68.62.32
Fax: +33.1.58.68.62.05

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
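As an added illustration of the truncation this report describes (example code, not OpenSSL's own and not part of the original message), the following C program writes a constructed 4000-character passphrase to a temporary file standing in for /path/to/my/pass, reads it back once into a fixed 128-byte buffer (the size the report attributes to -kfile) and once with a reader that grows until the line ends, and reports whether the two disagree. The name KFILE_BUF_LEN, the two reader functions and the sample passphrase are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define KFILE_BUF_LEN 128  /* assumed: the fixed size the report attributes to -kfile */
/* Fixed-buffer read of one line: fgets() stops at out_len-1 chars, so a longer passphrase is cut silently. */
size_t read_pass_fixed(FILE *fp, char *out, size_t out_len) {
    if (!fgets(out, (int)out_len, fp)) { out[0] = '\0'; return 0; }
    out[strcspn(out, "\r\n")] = '\0';
    return strlen(out);
}
/* Growing read: appends until newline or EOF, so the whole first line comes back. Returns malloc'd string or NULL. */
char *read_pass_full(FILE *fp) {
    size_t cap = 256, len = 0;
    char *buf = calloc(cap, 1);
    if (!buf) return NULL;
    while (fgets(buf + len, (int)(cap - len), fp)) {
        len += strlen(buf + len);
        if (len && buf[len - 1] == '\n') break;   /* complete line read */
        if (cap - len < 2) {                      /* buffer full: grow it */
            char *nb = realloc(buf, cap * 2);
            if (!nb) { free(buf); return NULL; }
            buf = nb; cap *= 2;
        }
    }
    buf[strcspn(buf, "\r\n")] = '\0';
    return buf;
}
/* Writes a constructed passphrase of pass_len chars plus newline to a temp file, reads it back both
 * ways and returns 1 if the fixed-size read lost part of it, 0 if both agree, -1 on I/O failure. */
int truncation_detected(size_t pass_len, size_t *fixed_len, size_t *full_len) {
    FILE *fp = tmpfile();
    if (!fp) return -1;
    for (size_t i = 0; i < pass_len; i++) fputc('a' + (int)(i % 26), fp);
    fputc('\n', fp);
    rewind(fp);
    char fixed[KFILE_BUF_LEN];
    *fixed_len = read_pass_fixed(fp, fixed, sizeof fixed);
    rewind(fp);
    char *full = read_pass_full(fp);
    *full_len = full ? strlen(full) : 0;
    int mismatch = full ? strcmp(fixed, full) != 0 : -1;
    free(full); fclose(fp);
    return mismatch;
}
int main(void) {
    size_t a, b; int t = truncation_detected(4000, &a, &b);
    printf("fixed read kept %zu chars, full read kept %zu, truncated=%d\n", a, b, t);
    return t == 1 ? 0 : 1;
}
```

With a 4000-character passphrase the fixed reader keeps only 127 characters while the growing reader returns all 4000, which is why a key derived from the file differs from one derived from the pass: or env: form; a reader that refuses to proceed when the buffer fills without a line ending would at least turn the silent truncation into an explicit error.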
