Fixed in master and 1.0.2 branches. Thank you.
On Fri May 27 07:38:24 2011, saschae...@neurodiverse.org wrote:
> Affects OpenSSL since at least v 0.9.8g.
> Originally reported as Debian Bug # 533365
> Problem Cause: Hardcoded "MIN_LEN=4" in source file
> crypto/pem/pem_lib.c
>
> One can generate keys with a 'too short' passphrase; e.g.
>
> $ openssl genrsa -des3 -passout pass:1 -out mykey.pem 1024
> or, alternatively:
> $ echo 1 > psw
> $ openssl genrsa -des3 -passout file:./psw -out mykey.pem 1024
>
> One can then "use" the key, even for operations which require a
> passphrase; e.g.:
> $ openssl rsa -passin pass:1 -in mykey.pem -out outkey.pem
> or
> $ openssl rsa -passin file:./psw -in mykey.pem -out outkey.pem
>
> However, a passphrase with length < 4 cannot be entered from
> stdin:
>
> $ openssl rsa -in mykey.pem -out outkey.pem
> Enter pass phrase for mykey.pem:
> 17325:error:28069065:lib(40):UI_set_result:result too
> small:ui_lib.c:850:You must type in 4 to 8191 characters
>
>
> -- Original Report -------
> I have got an RSA key which is encrypted (Proc-Type: 4,ENCRYPTED)
> using a password of only one character.
> Unfortunately, OpenSSL is not able to remove the password with the
> standard
>
> openssl rsa -in my.key -out my.key.insecure
>
> Error:
> 29913:error:28069065:lib(40):UI_set_result:result too
> small:ui_lib.c:849:You must type in 4 to 8191 characters
>
> A forced check like this is questionable, and in the case of not
> generating, but just *using* (e.g. decrypting) a password it is
> totally unacceptable.
> OpenSSL renders my private key unusable.
>
> Proposal for fixing this issue: remove password size/quality checks
> for decrypting operations.

--
Richard Levitte
levi...@openssl.org
--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=2534
Please log in as guest with password guest if prompted
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev