Hi Mark,

Thanks for your response. I understand. I will try to reproduce this in an empty stack and submit a report.

Thanks,

Tom

On Thu, Nov 2, 2023 at 2:20 AM Mark Waddingham via use-livecode <use-livecode@lists.runrev.com> wrote:

> On 2023-11-02 02:06, Tom Glod via use-livecode wrote:
> > I have found a "wrong decryption key" that does not return a bad decrypt
> > error, but returns garbage into "the result".
> > Every other wrong key correctly gives the usual error.
> > The right key works to decrypt.
>
> What exact error do you get with a wrong key vs the not-so-wrong key?
>
> > the length of the encryption/decryption key is always 64 characters
> > it is always alphanumeric, because it's a hash derivative, no weird
> > characters, always the correct length.
> > and the salt is the same for every key I tried.
> >
> > I can program around it, but it's unsettling.
> > I will report it, but in the meantime has anyone ever come across this
> > garbage in "the result" as a result of an incorrect decryption key?
>
> So I don't think this is a bug, but expected behavior.
>
> The encrypt/decrypt operations are very low-level - they 'simply' apply
> the specified algorithm to the data.
>
> Encryption/decryption is 'just' a mathematical function which uses the
> 'key bytes' and 'input data' to derive an output - in particular,
> decryption does not include any validation checks to ensure the provided
> decryption key is what was used to encrypt in the first place - that's
> something you have to do yourself.
>
> There's a huge variety of ways to do this - but perhaps the simplest is
> to add your favorite (simple) hash of the encryption key before the data
> being encrypted:
>
> ----
>
> (pseudo encryption code - I don't know exactly what form of encrypt you
> are using!):
>
>    local tKey, tHash
>    put deriveMyEncryptionKey(tPassword) into tKey
>    put md5Digest(tKey) into tHash
>
>    encrypt tHash & tData using ... with password tKey
>
> (pseudo decryption code - I don't know exactly what form of encrypt you
> are using!):
>
>    decrypt tEncryptedData using ... with password tKey
>    put it into tData -- decrypt leaves its output in "it"
>
>    if byte 1 to 16 of tData is not md5Digest(tKey) then
>       throw "incorrect password"
>    end if
>
> ----
>
> Of course I'm now slightly intrigued as to what checks OpenSSL *can*
> actually do to be able to generate a 'bad decrypt' message - so by all
> means file a bug/send a test stack to support and we can at least advise
> on that (and potentially update the docs).
>
> Warmest Regards,
>
> Mark.
>
> --
> Mark Waddingham ~ m...@livecode.com ~ http://www.livecode.com/
> LiveCode: Build Amazing Things
>
> _______________________________________________
> use-livecode mailing list
> use-livecode@lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your
> subscription preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode
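
An added example, not part of the thread and not LiveCode or OpenSSL code: assuming the data was encrypted with a block cipher in CBC mode with PKCS#7 padding, the padding bytes are the only thing a decrypt can reject, so roughly one wrong key in 256 returns garbage with no error, and the key check suggested in the reply catches those. The block cipher here is a stand-in built from HMAC-SHA256 (not AES), and every function name, key, IV and record is constructed for illustration.

```python
import contextlib, hashlib, hmac
BLOCK = 16

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def feistel(key, block, rounds):  # stand-in 128-bit block cipher (assumption, not AES)
    l, r = block[:8], block[8:]
    for i in rounds:
        l, r = r, xor(l, hmac.new(key, bytes([i]) + r, hashlib.sha256).digest()[:8])
    return r + l  # final swap: decryption is the same walk in reverse round order

def cbc_encrypt(key, iv, pt):
    n = BLOCK - len(pt) % BLOCK
    pt, out, prev = pt + bytes([n]) * n, b"", iv  # PKCS#7 padding
    for i in range(0, len(pt), BLOCK):
        prev = feistel(key, xor(pt[i:i + BLOCK], prev), range(4))
        out += prev
    return out

def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv + ct  # prev[i:i+BLOCK] is the block chained into block i
    for i in range(0, len(ct), BLOCK):
        out += xor(feistel(key, ct[i:i + BLOCK], reversed(range(4))), prev[i:i + BLOCK])
    n = out[-1]  # the padding bytes are the only thing a plain decrypt can validate
    if not 1 <= n <= BLOCK or out[-n:] != bytes([n]) * n:
        raise ValueError("bad decrypt")
    return out[:-n]

def seal(key, iv, data):  # key check from the thread: hash of the key before the data
    return cbc_encrypt(key, iv, hashlib.md5(key).digest() + data)

def open_checked(key, iv, ct):
    pt = cbc_decrypt(key, iv, ct)
    if not hmac.compare_digest(pt[:16], hashlib.md5(key).digest()):
        raise ValueError("incorrect password")
    return pt[16:]

def survey(trials=4000):  # constructed key/IV/record; fixed IV only for repeatability
    key, iv = hashlib.sha256(b"right key").digest(), bytes(BLOCK)
    ct, silent, accepted = seal(key, iv, b"constructed sample record"), 0, 0
    for i in range(trials):
        wrong = hashlib.sha256(b"wrong key %d" % i).digest()
        with contextlib.suppress(ValueError):
            cbc_decrypt(wrong, iv, ct)
            silent += 1      # padding happened to be valid: garbage, no error
            open_checked(wrong, iv, ct)
            accepted += 1    # only reached if the key check passed as well
    return silent, accepted
```

`survey()` returns how many wrong keys decrypted without an error and how many of those also passed the key check. The check detects a wrong key only; it does not detect ciphertext that was modified.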