hjanuschka / fastlane-plugin-cryptex

MIT License

Decryption fails with OpenSSL 1.1 due to difference in default digest #9

Closed nickgsc closed 6 years ago

nickgsc commented 6 years ago

It seems that OpenSSL 1.1 no longer uses MD5 as the default digest (which is a good thing).

This is problematic when encrypting and decrypting cryptex values across different OpenSSL versions or a different library entirely (i.e. LibreSSL on MacOS High Sierra). Because the message digest is assumed instead of explicitly stated, the subsequent decrypt fails when the digest is not the same default:

bad decrypt
140300440618240:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:535:
[20:42:24]: Couldn't decrypt the repo, please make sure you enter the right password!

I'm seeing this in our Docker-based CI environment, which uses Debian as the base OS and has OpenSSL 1.1, when attempting to decrypt values that were encrypted using macOS/LibreSSL.

I believe a simple fix here is to explicitly pass in -md as part of the openssl invocation and specify an explicit digest. sha256 would be a good choice.
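The mismatch described in this issue can be reproduced on a single machine by forcing the digest on each side. This is an added example, not part of the original issue or the plugin's code; the cipher (`aes-256-cbc`), base64 output, passphrase and plaintext are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example: shows that `openssl enc` round-trips only when the same
# -md digest is used for encryption and decryption.
CIPHER="aes-256-cbc"          # assumption; the issue does not name the cipher
PASS="constructed-passphrase" # constructed sample value

# roundtrip ENC_MD DEC_MD
# Encrypts a constructed plaintext using digest ENC_MD for key derivation,
# then decrypts using DEC_MD. Returns 0 only if the decrypted bytes equal
# the original plaintext, 1 otherwise (including "bad decrypt").
roundtrip() {
    enc_md=$1
    dec_md=$2
    dir=$(mktemp -d) || return 2
    printf 'constructed secret value\n' > "$dir/plain"
    status=1
    if openssl enc -"$CIPHER" -md "$enc_md" -pass "pass:$PASS" -a \
            -in "$dir/plain" -out "$dir/enc" 2>/dev/null &&
       openssl enc -d -"$CIPHER" -md "$dec_md" -pass "pass:$PASS" -a \
            -in "$dir/enc" -out "$dir/dec" 2>/dev/null &&
       cmp -s "$dir/plain" "$dir/dec"; then
        status=0
    fi
    rm -rf "$dir"
    return "$status"
}

# Same digest on both sides succeeds; a differing digest derives a
# different key from the same passphrase, so decryption does not recover
# the plaintext.
for pair in "md5 md5" "sha256 sha256" "md5 sha256" "sha256 md5"; do
    set -- $pair
    if roundtrip "$1" "$2"; then result="ok"; else result="decrypt failed"; fi
    printf 'encrypt -md %-6s  decrypt -md %-6s  -> %s\n' "$1" "$2" "$result"
done
```

Values already encrypted under the old implicit digest still need that digest passed explicitly when they are decrypted; pinning `-md` does not change how existing ciphertext was keyed.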

hjanuschka commented 6 years ago

shipped as 0.1.4