[openssl-dev] [openssl.org #2534] Hardcoded MIN_LEN prevents using VALID passphrase from stdin

Richard Levitte via RT rt at openssl.org
Tue May 17 15:21:20 UTC 2016


Fixed in master and 1.0.2 branches

Thank you

On Fri May 27 07:38:24 2011, saschaefer at neurodiverse.org wrote:
> Affects OpenSSL since at least v 0.9.8g.
> Originally reported as Debian Bug # 533365
> Problem Cause: Hardcoded "MIN_LEN=4" in source file
> crypto/pem/pem_lib.c
>
> One can generate keys with 'too short' passphrase; e.g.
>
> $ openssl genrsa -des3 -passout pass:1 -out mykey.pem 1024
> or, alternatively:
> $ echo 1 > psw
> $ openssl genrsa -des3 -passout file:./psw -out mykey.pem 1024
>
> One can then "use" the key, even for operations which require a
> passphrase; e.g.:
> $ openssl rsa -passin pass:1 -in mykey.pem -out outkey.pem
> or
> $ openssl rsa -passin file:./psw -in mykey.pem -out outkey.pem
>
> However, a passphrase with length < 4 cannot be entered from
> stdin:
>
> $ openssl rsa -in mykey.pem -out outkey.pem
> Enter pass phrase for mykey.pem:
> 17325:error:28069065:lib(40):UI_set_result:result too
> small:ui_lib.c:850:You must type in 4 to 8191 characters
>
>
> -- Original Report -------
> I have got an RSA key which is encrypted (Proc-Type: 4,ENCRYPTED)
> using a password of only one character.
> Unfortunately, OpenSSL is not able to remove the Password with the
> standard
>
> openssl rsa -in my.key -out my.key.insecure
>
> Error:
> 29913:error:28069065:lib(40):UI_set_result:result too
> small:ui_lib.c:849:You must type in 4 to 8191 characters
>
> A forced check like this is questionable, and in the case of not
> generating, but just *using* (e.g. decrypting) a password it is
> totally unacceptable.
> OpenSSL renders my private key unusable.
>
> Proposal for fixing this issue: remove password size/quality checks
> for decrypting operations.


--
Richard Levitte
levitte at openssl.org

-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=2534
Please log in as guest with password guest if prompted


