search

brix / crypto-js

JavaScript library of crypto standards.
Other
15.89k stars 2.39k forks source link

AES256 not compatible with OpenSSL on Arch Linux #101

Open jeaye opened 7 years ago

jeaye commented 7 years ago

Since a month or two ago, I haven't been to decrypt the ciphertext given by crypto-js using Arch's OpenSSL. Furthermore, I haven't been able to decrypt the ciphertext given by Arch's OpenSSL using crypto-js. This is most troubling and it's breaking the command-line tool for one of my services right now. Here's an example (using Node.js and Arch):

Encryption/decryption works within crypto-js

> var ciphertext = CryptoJS.AES.encrypt('test', '9142c0d056d94de8b8cdd741bc790b0b33c717f1af1a00ad497039d661d22207');
undefined
> ciphertext.toString()
'U2FsdGVkX1/UE1AaOYzeCChGSJA3xtYURDppXxqMjxc='
> var bytes  = CryptoJS.AES.decrypt(ciphertext.toString(), '9142c0d056d94de8b8cdd741bc790b0b33c717f1af1a00ad497039d661d22207');
undefined
> console.log(bytes.toString(CryptoJS.enc.Utf8));
test

Encryption/decryption works within OpenSSL

$ printf 'test' | openssl aes-256-cbc -pass pass:"9142c0d056d94de8b8cdd741bc790b0b33c717f1af1a00ad497039d661d22207" | base64 -w 0
U2FsdGVkX18mYPUyWpQLiDwDYBAy86JdFuNG0w2J3mM=

$ printf 'U2FsdGVkX18mYPUyWpQLiDwDYBAy86JdFuNG0w2J3mM=' | base64 -d | openssl aes-256-cbc -d -pass pass:"9142c0d056d94de8b8cdd741bc790b0b33c717f1af1a00ad497039d661d22207"
test

Encryption with crypto-js fails to decrypt with Arch's OpenSSL (using the same ciphertext as above)

$ printf 'U2FsdGVkX1/UE1AaOYzeCChGSJA3xtYURDppXxqMjxc=' | base64 -d | openssl aes-256-cbc -d -pass pass:"9142c0d056d94de8b8cdd741bc790b0b33c717f1af1a00ad497039d661d22207"
bad decrypt
140301371801472:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:crypto/evp/evp_enc.c:535:

Here's the crazy part, which is a real pain. The same exact command works fine on some other distros (presumably due to different OpenSSL versions):

$ printf 'U2FsdGVkX1/UE1AaOYzeCChGSJA3xtYURDppXxqMjxc=' | base64 -d | openssl aes-256-cbc -d -pass pass:"9142c0d056d94de8b8cdd741bc790b0b33c717f1af1a00ad497039d661d22207"
test

I haven't tried with many other distros, but I've proven that it works on some and not on others. Here are the appropriate OpenSSL versions:

# Arch (not working)
$ openssl version
OpenSSL 1.1.0f  25 May 2017

# Gentoo -- BlinkenShell (working)
$ openssl version
OpenSSL 1.0.2k  26 Jan 2017

Update with more info

I've found that this is still borked even when crypto-js is removed from the picture. If I encrypt on the Gentoo machine, then try to decrypt on Arch, it still fails.

# Gentoo machine
$ printf 'test' | openssl aes-256-cbc -pass pass:"9142c0d056d94de8b8cdd741bc790b0b33c717f1af1a00ad497039d661d22207" | base64 -w 0
U2FsdGVkX1+KRfUhuwf5r7thJdnGXfN2Qd9zOtBLNeU=

# Arch machine
$ printf 'U2FsdGVkX1+KRfUhuwf5r7thJdnGXfN2Qd9zOtBLNeU=' | base64 -d | openssl aes-256-cbc -d -pass pass:"9142c0d056d94de8b8cdd741bc790b0b33c717f1af1a00ad497039d661d22207"
bad decrypt
140519829094272:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:crypto/evp/evp_enc.c:535:
jeaye commented 7 years ago

I've found that there's an entry for this in the Arch wiki for OpenSSL: https://wiki.archlinux.org/index.php/OpenSSL#.22bad_decrypt.22_while_decrypting

It looks like I can immediately work around this by specifying MD5 as the digest algorithm for AES256. Does crypto-js support SHA256 instead, when encrypting/decrypting AES?

EDIT: Verified MD5 fixes this; in the long-term, crypto-js is going to need to move to AES256 for the default digest.

hhch commented 5 years ago

thanks, I have the same problem

sebastianhelbig commented 4 years ago

Same problem here. Would be nice to be able to change the used digest algorithm.