From 5445492c639c2d0dd566b2d3c0ac5b131c50b792 Mon Sep 17 00:00:00 2001
From: clach04
Date: Mon, 1 Jan 2024 10:33:22 -0800
Subject: [PATCH] Fix #6 - OpenSSL 1.1.0 and later (rather than 1.1.1 and later)
---
 README.md | 2 +-
 openssl_enc_compat/cipher.py | 14 +++++++-------
 setup.py | 2 +-
 3 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/README.md b/README.md
index baa50af..1a53b27 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
 # openssl_enc_compat
-Pure Python 2.7 and 3.x library that is compatible with OpenSSL 1.1.1+ encryption and decryption.
+Pure Python 2.7 and 3.x library that is compatible with OpenSSL 1.1.0+ encryption and decryption.
 https://github.com/clach04/openssl_enc_compat
 This is intended to be used a library, rather than as a command line tool.
diff --git a/openssl_enc_compat/cipher.py b/openssl_enc_compat/cipher.py
index 51a4022..b0c0dc1 100755
--- a/openssl_enc_compat/cipher.py
+++ b/openssl_enc_compat/cipher.py
@@ -1,16 +1,16 @@
 #!/usr/bin/env python
 # -*- coding: us-ascii -*-
 # vim:ts=4:sw=4:softtabstop=4:smarttab:expandtab
-"""Pure Python encrypt/descrypt routines with compatability with a (subset) of the command line tool openssl 1.1.1+ enc/dec operations.
+"""Pure Python encrypt/descrypt routines with compatability with a (subset) of the command line tool openssl 1.1.0+ enc/dec operations.
-I.e. Python 2.7 and Python 3.x code to allow encryption/decryption of files compatible with OpenSSL 1.1.1:
+I.e. Python 2.7 and Python 3.x code to allow encryption/decryption of files compatible with OpenSSL 1.1.0:
 openssl enc -e aes-256-cbc -salt -pbkdf2 -iter 10000 -in in_file -base64 -out out_file
 openssl dec -d aes-256-cbc -salt -pbkdf2 -iter 10000 -in in_file -base64 -out out_file
 echo hello| openssl enc -e aes-256-cbc -salt -pbkdf2 -iter 10000 -in - -base64 -out - -pass pass:password
-NOTE PBKDF2 iteration count of 10,000 is the default in OpenSSL 1.1.1 and is considered too few in 2023.
+NOTE PBKDF2 iteration count of 10,000 is the default in OpenSSL 1.1.0 and is considered too few in 2023.
 Older versions of OpenSSL did not support; PBKDF2 (and ergo iterations) and salt and used a much weaker KDF.
 """
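Review bot: The new wording ties `-pbkdf2` and `-iter` to OpenSSL 1.1.0, in the module docstring here and again in the class docstring and the `__init__` comment later in cipher.py. As far as I know, both options were only added to `openssl enc` in 1.1.1, so the "10,000 is the default in OpenSSL 1.1.0" sentence should be checked against the 1.1.0 `enc` manual before it ships. If 1.1.0 cannot produce or read PBKDF2 output, the NOTE could say so directly, e.g. `NOTE requires an openssl binary that supports -pbkdf2/-iter; the 10,000 iteration default is considered too few in 2023.` The changed summary line also still carries the typos `descrypt` and `compatability`.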
@@ -85,16 +85,16 @@ def openssl_pbkdf2(key, salt, iteration_count=OPENSSL_DEFAULT_ITERATION_COUNT):
 return aes_key, aes_iv
 class OpenSslEncDecCompat:
- """Cipher to handle OpenSSL format encryped data, i.e. OpenSSL 1.1.1 compatible (with a very small subset of options).
+ """Cipher to handle OpenSSL format encryped data, i.e. OpenSSL 1.1.0 compatible (with a very small subset of options).
- Intended to allow decryption of files generated with OpenSSL 1.1.1 and vice-versa. Supported OpenSSL flags/formats:
+ Intended to allow decryption of files generated with OpenSSL 1.1.0 and vice-versa. Supported OpenSSL flags/formats:
 openssl enc -e aes-256-cbc -salt -pbkdf2 -iter 10000 -in in_file -base64 -out out_file
 openssl dec -d aes-256-cbc -salt -pbkdf2 -iter 10000 -in in_file -base64 -out out_file
 echo hello| openssl enc -e aes-256-cbc -salt -pbkdf2 -iter 10000 -in - -base64 -out - -pass pass:password
- NOTE PBKDF2 iteration count of 10,000 is the default in OpenSSL 1.1.1 and is considered too few in 2023.
+ NOTE PBKDF2 iteration count of 10,000 is the default in OpenSSL 1.1.0 and is considered too few in 2023.
 Older versions of OpenSSL did not support; PBKDF2 (and ergo iterations) and salt and used a much weaker KDF.
 API PEP-272 Like... This is non-confirming:
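Review bot: The example commands kept in this class docstring (and repeated in the module docstring) do not look runnable as written: `openssl dec` is not an OpenSSL subcommand, since decryption is `openssl enc -d`, and the cipher is normally passed as an option, `-aes-256-cbc`. While these docstrings are being edited, the lines could read `openssl enc -e -aes-256-cbc -salt -pbkdf2 -iter 10000 -in in_file -base64 -out out_file` and the matching `openssl enc -d -aes-256-cbc ...`. The `-pass pass:password` example puts the passphrase on the command line, where process listings and shell history can expose it; a one-line comment pointing readers at `-pass file:` or `-pass env:` would help. The changed first line still has the typo `encryped`. The class docstring continues past the end of the hunk.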
@@ -125,7 +125,7 @@ def __init__(self, key, mode=MODE_CBC, IV=None, **kwargs):
 # PBKDF2 WILL be used
 self._openssl_options['base64'] = kwargs.get('base64', None)
 self._openssl_options['cipher_name'] = kwargs.get('cipher', 'aes-256-cbc') # actual name, mode, and size
- self._openssl_options['pbkdf2_iteration_count'] = kwargs.get('iter', OPENSSL_DEFAULT_ITERATION_COUNT) # pbkdf2 iteration count - 10K is the default as of 2023 since OpenSSL 1.1.1
+ self._openssl_options['pbkdf2_iteration_count'] = kwargs.get('iter', OPENSSL_DEFAULT_ITERATION_COUNT) # pbkdf2 iteration count - 10K is the default as of 2023 since OpenSSL 1.1.0
 # TODO user specificed salt and IV
 # TODO other cipher names
 # TODO clear kwargs of processed arguments, and raise an error if anything else left (i.e. unsupported arguments)
diff --git a/setup.py b/setup.py
index 39e6296..8fe9219 100755
--- a/setup.py
+++ b/setup.py
@@ -43,7 +43,7 @@
 version=__version__,
 author='clach04',
 url='https://github.com/clach04/' + project_name,
- description='Pure Python read/write encryption/decryption of encrypted OpenSSL 1.1.1 files',
+ description='Pure Python read/write encryption/decryption of encrypted OpenSSL 1.1.0 files',
 long_description=long_description,
 long_description_content_type='text/markdown',
 packages=[project_name],
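Review bot: In the `__init__` hunk of cipher.py, a misspelled keyword such as `iters=` would silently fall back to the 10,000 default, because `kwargs.get('iter', OPENSSL_DEFAULT_ITERATION_COUNT)` reads only the exact key and, per the TODO three lines below, leftover keyword arguments are not yet rejected. The value is also stored with no visible check that it is a positive integer, though `__init__` starts and ends outside the hunk, so validation may happen elsewhere. Until that TODO is done, the trailing comment could carry the caveat instead of only the version history, e.g. `# PBKDF2 iteration count; 10000 is OpenSSL's default, kept for compatibility only - pass iter= explicitly for new data`. It would also be worth stating that the same count must be supplied when decrypting, since as far as I know the `enc` output records only the salt and not the iteration count.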