-
Notifications
You must be signed in to change notification settings - Fork 3
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
yapet-2.6 does not accept (correctly typed) password with openssl-3.2.0 #24
Comments
Same here... |
This is an advice for everyone who, like myself, has all his passwords locked due to this issue. Once you have temporarily reinstalled OpenSSL 3.1, you can convert your password |
My way of working around the issue on archlinux is the following:
If you don't have the package anymore in your local pacman cache, you can download it from here: https://archive.archlinux.org/packages/o/openssl/ |
I was digging a bit. My yapet file was still a yapet 10 file, The issue occurred here:
However, I noticed that yapet had no problem encrypting and decrypting a new file (which subsequently was created as yapet 20 file). Hence, my permanent workaround was to install openssl-3.1.4 (as described in the previous comment), use Not sure if this workaround is a general good strategy. If yapet was my project, I might even consider instructing users to use yapet2csv/csv2yapet to migrate their password files and subsequently dropping the yapet 10 suport entirely (thus simplifying the code). |
I completely agree, yapet 10 format should be deprecated, documenting the command to upgrade to yapet 20 format: yapet2csv passwords_old.pet passwords_tmp.csv
csv2yapet passwords_tmp.csv passwords_new.pet
rm passwords_tmp.csv It would also be very useful to add yapet2csv -stdout passwords_old.pet | csv2yapet -stdin passwords_new.pet |
yapet did for blowfish: | EVP_CipherInit_ex(ctx, cipher, NULL, KEY, iv, mode); | EVP_CIPHER_CTX_set_key_length(ctx, KEY_LENGTH); | EVP_CipherUpdate(ctx, …); this worked in earlier OpenSSL versions and stopped working in openssl-3.0.13. The problem here is that the EVP_CIPHER_CTX_set_key_length() is ignored and the later OpenSSL version returns rightfully an error "Provider routines::no key set" here. Blowfish does support variable key lenghts but the key length has to be set first followed by the actual key. Otherwise the blocksize (16) will be used. The correct way to deal with this would be: | EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, mode); | EVP_CIPHER_CTX_set_key_length(ctx, KEY_LENGTH); | EVP_CipherInit_ex(ctx, NULL, NULL, KEY, IV, mode); | EVP_CipherUpdate(ctx, …); Using now the proper way will break earlier databases because in the blowfish case, always the default blocksize / 16 has been used. In order to keep compatibility with earlier versions of the database and openssl remove the EVP_CIPHER_CTX_set_key_length() invocation. Fixes RafaelOstertag#26 Fixes RafaelOstertag#24 Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
yapet did for blowfish: | EVP_CipherInit_ex(ctx, cipher, NULL, KEY, iv, mode); | EVP_CIPHER_CTX_set_key_length(ctx, KEY_LENGTH); | EVP_CipherUpdate(ctx, …); this worked in earlier OpenSSL versions and stopped working in openssl-3.0.13. The problem here is that the EVP_CIPHER_CTX_set_key_length() is ignored and the later OpenSSL version returns rightfully an error "Provider routines::no key set" here. Blowfish does support variable key lenghts but the key length has to be set first followed by the actual key. Otherwise the blocksize (16) will be used. The correct way to deal with this would be: | EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, mode); | EVP_CIPHER_CTX_set_key_length(ctx, KEY_LENGTH); | EVP_CipherInit_ex(ctx, NULL, NULL, KEY, IV, mode); | EVP_CipherUpdate(ctx, …); Using now the proper way will break earlier databases because in the blowfish case, always the default blocksize / 16 has been used. In order to keep compatibility with earlier versions of the database and openssl remove the EVP_CIPHER_CTX_set_key_length() invocation. Fixes RafaelOstertag#26 Fixes RafaelOstertag#24 Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
On Archlinux, yapet-2.6 worked like a charm until the system was updated from openssl-3.1.4-1-x86_64 to openssl-3.2.0-1-x86_64.
Since the upgrade, when starting yapet, the login screen appears, I can seemingly enter the password, but it is declined.
After downgrading to openssl-3.1.4, the password is accepted.
Not sure if this is of any importance - the NEWS.md in the openssl project reports significant/incompatible changes:
The text was updated successfully, but these errors were encountered: