[Pkg-openssl-devel] Bug#843064: openssl: incompatibility for enc command between openssl 1.1.0b-2 and previous 1.0.x versions
Marek Lukaszuk
m.lukaszuk at gmail.com
Thu Nov 3 14:59:25 UTC 2016
Package: openssl
Version: 1.1.0b-2
Severity: important
Dear Maintainer,
* What led up to the situation?
Upgrading from openssl:amd64 1.0.2j-1 to 1.1.0b-2
* What exactly did you do (or not do) that was effective (or
ineffective)?
I have a few files encrypted using this logic:
cat "somedata" | openssl enc -aes-256-cbc > file_encrypted.dat
I'm accessing them using the command:
cat file_encrypted.dat | openssl enc -d -aes-256-cbc
After upgrading to openssl 1.1.0b-2, when I try to decrypt a file
encrypted with a previous version of openssl, even if I provide a correct
passphrase I'm getting the error below:
> cat file_encrypted.dat | openssl enc -d -aes-256-cbc
enter aes-256-cbc decryption password:
bad decrypt
139814539760704:error:06065064:digital envelope
routines:EVP_DecryptFinal_ex:bad decrypt:crypto/evp/evp_enc.c:529:
I've verified that the file is not corrupted; the sha256 digest matches
with a backup copy that I have. If I downgrade openssl to
openssl_1.0.2j-1 I can again decrypt the same file.
The interesting thing is that if I create an encrypted file using the same
method and openssl 1.1.0b-2 I can decrypt it using 1.1.0b-2 without any
problems, but I cannot decrypt it using an older openssl version.
The older version being:
> openssl version
OpenSSL 1.0.2g 1 Mar 2016
The error on the older version when decrypting a file encrypted with
1.1.0b-2:
> cat a.dat | openssl enc -d -aes-256-cbc
enter aes-256-cbc decryption password:
bad decrypt
140055000397464:error:06065064:digital envelope
routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:529:
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (600, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.7.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages openssl depends on:
ii libc6 2.24-5
ii libssl1.1 1.1.0b-2
openssl recommends no packages.
Versions of packages openssl suggests:
ii ca-certificates 20160104
-- no debconf information
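
Added example, not part of the original report: OpenSSL 1.1.0 changed the default digest that `openssl enc` uses to turn a passphrase into a key and IV from MD5 to SHA-256, so the same passphrase and salt give different AES keys on 1.0.x and 1.1.0, and the padding check fails with "bad decrypt". The Python sketch below reimplements that derivation (EVP_BytesToKey, one iteration) for both digests; the sample file bytes and passphrase are constructed, and the function names are this example's own.

```python
import hashlib

MAGIC = b"Salted__"  # 8-byte header `openssl enc` writes before the salt


def parse_salt(blob: bytes) -> bytes:
    """Return the 8-byte salt stored after the 'Salted__' header."""
    if len(blob) < 16 or blob[:8] != MAGIC:
        raise ValueError("not a salted `openssl enc` file")
    return blob[8:16]


def evp_bytes_to_key(digest: str, password: bytes, salt: bytes,
                     key_len: int = 32, iv_len: int = 16):
    """EVP_BytesToKey with count=1: D1 = H(pw||salt), Di = H(D(i-1)||pw||salt).

    key_len/iv_len default to the sizes needed by aes-256-cbc.
    """
    derived, block = b"", b""
    while len(derived) < key_len + iv_len:
        block = hashlib.new(digest, block + password + salt).digest()
        derived += block
    return derived[:key_len], derived[key_len:key_len + iv_len]


def derive_for_both_defaults(blob: bytes, password: bytes) -> dict:
    """Key/IV that 1.0.x (md5) and 1.1.0 (sha256) would derive by default."""
    salt = parse_salt(blob)
    return {name: evp_bytes_to_key(name, password, salt)
            for name in ("md5", "sha256")}


# Constructed sample: header + constructed salt + 16 bytes of dummy ciphertext.
SAMPLE_FILE = MAGIC + bytes.fromhex("0102030405060708") + b"\x00" * 16
SAMPLE_PASSWORD = b"correct horse"  # constructed passphrase

if __name__ == "__main__":
    for name, (key, iv) in derive_for_both_defaults(
            SAMPLE_FILE, SAMPLE_PASSWORD).items():
        print(f"{name:7s} key={key.hex()} iv={iv.hex()}")
```

Both versions accept `-md` to select the digest explicitly: `-md md5` on 1.1.0 reads files written with the 1.0.x default, and `-md sha256` on 1.0.x reads files written with the 1.1.0 default.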