Decryption fails with OpenSSL 1.1 due to difference in default digest
nickgsc opened this issue · 1 comments
It seems that OpenSSL 1.1 no longer uses MD5 as the default digest (which is a good thing).
This is problematic when encrypting and decrypting cryptex values across different OpenSSL versions or a different library entirely (i.e. LibreSSL on MacOS High Sierra). Because the message digest is assumed instead of explicitly stated, the subsequent decrypt fails when the digest is not the same default:
bad decrypt
140300440618240:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:535:
[20:42:24]: Couldn't decrypt the repo, please make sure you enter the right password!
I'm seeing this in our Docker-based CI environment that is using Debian as the base OS which has OpenSSL 1.1, attempting to decrypt values that were encrypted using MacOS/LibreSSL.
I believe a simple fix here is to explicitly pass in -md as part of the openssl invocation and specify an explicit digest. sha256 would be a good choice.
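The mismatch described in this issue, as an added example that is not part of the original issue or of the cryptex code: the same password and salt yield different keys under MD5 and SHA256, so the final padding check fails. It assumes the legacy one-iteration EVP_BytesToKey derivation that `openssl enc` applies when -pbkdf2 is not given, and AES-256-CBC as the cipher; the password, salt, plaintext and function names are constructed for the illustration.

```ruby
require "openssl"

CIPHER   = "aes-256-cbc"                       # assumed cipher, not named in the issue
PASSWORD = "correct horse battery staple"      # constructed sample value
SECRET   = "constructed cryptex value"         # constructed sample value
SALT     = ["0102030405060708"].pack("H*")     # constructed 8-byte salt

# EVP_BytesToKey with one iteration: D_i = H(D_{i-1} + password + salt),
# concatenated until there are enough bytes for the key and the IV.
def evp_bytes_to_key(password, salt, digest_name, key_len, iv_len)
  material = "".b
  block = "".b
  while material.bytesize < key_len + iv_len
    block = OpenSSL::Digest.digest(digest_name, block + password.b + salt)
    material << block
  end
  [material.byteslice(0, key_len), material.byteslice(key_len, iv_len)]
end

# Produces the same layout as `openssl enc`: "Salted__" + salt + ciphertext.
def encrypt(plaintext, password, digest_name, salt)
  cipher = OpenSSL::Cipher.new(CIPHER).encrypt
  cipher.key, cipher.iv =
    evp_bytes_to_key(password, salt, digest_name, cipher.key_len, cipher.iv_len)
  "Salted__".b + salt + cipher.update(plaintext) + cipher.final
end

# Returns the plaintext, or nil when the padding check fails ("bad decrypt").
def decrypt(blob, password, digest_name)
  raise ArgumentError, "missing Salted__ header" unless blob.byteslice(0, 8) == "Salted__".b
  salt = blob.byteslice(8, 8)
  cipher = OpenSSL::Cipher.new(CIPHER).decrypt
  cipher.key, cipher.iv =
    evp_bytes_to_key(password, salt, digest_name, cipher.key_len, cipher.iv_len)
  cipher.update(blob.byteslice(16, blob.bytesize)) + cipher.final
rescue OpenSSL::Cipher::CipherError
  nil
end

if __FILE__ == $PROGRAM_NAME
  blob = encrypt(SECRET, PASSWORD, "MD5", SALT)            # writer defaulted to MD5
  %w[MD5 SHA256].each do |md|                              # reader's digest choice
    result = decrypt(blob, PASSWORD, md)
    puts "#{md}: #{result == SECRET ? 'decrypted' : 'bad decrypt'}"
  end
end
```

The ciphertext records the salt but not the digest, so both sides have to name the same digest explicitly for the derived key to match.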
shipped as 0.1.4