This issue was moved to a discussion.
You can continue the conversation there. Go to discussion →
password decryption doesn't fail 0.4% of the time while given the wrong password (depends on salt) #23197
Labels
triaged: question
The issue contains a question
Comments
mattcaswell
added
triaged: question
This issue was moved to a discussion.
You can continue the conversation there. Go to discussion →
In the @fastlane/fastlane (ruby) project, we use openssl password based encryption to encrypt the files we fetch from the Apple Developer portal. Under the hood, the ruby code generates an IV and Key using
EVP_BytesToKeyand generates a random salt.If the wrong password is used, the code is supposed to fail with the
bad decrypterror.We found out that in about 0.4% of the time, the decryption doesn't detect that the wrong password was entered. This depends on the salt that was generated.
We have a simple ruby code demonstrating the issue.
We've converted it to C and it appears to fail in the same way. I haven't written C in 20 years so I hope I got this right :)
Is there an issue in openssl?
The ruby code was tested on various systems, from Mac to Linux.
The C code was tested on my Mac M1 Pro against openssl 3.2.0
The text was updated successfully, but these errors were encountered: