-salt is default for "openssl enc"; from djm

tweaked with some help from Matthew Dempsky and djm ok djm
author: jmc <> 2008-05-30 19:06:50 +0000
committer: jmc <> 2008-05-30 19:06:50 +0000
commit: f3b12bced646aded51b00b6567551d2da20238b8 (patch)
tree: 5aa2730cebf467b5dd9ac90a03d1ed0a39cebd31 /src
parent: e603b6ec8e9138225bd5cbfedbd0b5b1e82735e6 (diff)
download: openbsd-f3b12bced646aded51b00b6567551d2da20238b8.tar.gz
openbsd-f3b12bced646aded51b00b6567551d2da20238b8.tar.bz2
openbsd-f3b12bced646aded51b00b6567551d2da20238b8.zip
1 files changed, 19 insertions, 29 deletions
diff --git a/src/usr.sbin/openssl/openssl.1 b/src/usr.sbin/openssl/openssl.1
index 67c1a76958..8d674df686 100644
--- a/src/usr.sbin/openssl/openssl.1
+++ b/src/usr.sbin/openssl/openssl.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: openssl.1,v 1.60 2007/12/01 11:05:25 jmc Exp $
+.\" $OpenBSD: openssl.1,v 1.61 2008/05/30 19:06:50 jmc Exp $
 .\" ====================================================================
 .\" Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 .\"
@@ -112,7 +112,7 @@
 .\"
 .\" OPENSSL
 .\"
-.Dd $Mdocdate: December 1 2007 $
+.Dd $Mdocdate: May 30 2008 $
 .Dt OPENSSL 1
 .Os
 .Sh NAME
@@ -2528,10 +2528,13 @@ Disable standard block padding.
 Don't use a
 .Ar salt
 in the key derivation routines.
-This is the default for compatibility with previous versions of
+This option should
+.Em NEVER
+be used unless compatibility with previous versions of
 .Nm OpenSSL
-and
+or
-.Nm SSLeay .
+.Nm SSLeay
+is required.
 .It Fl out Ar file
 The output
 .Ar file ,
@@ -2567,16 +2570,7 @@ this must be represented as a string comprised only of hex digits.
 Use a
 .Ar salt
 in the key derivation routines.
-This option should
+This is the default.
-.Em ALWAYS
-be used unless compatibility with previous versions of
-.Nm OpenSSL
-or
-.Nm SSLeay
-is required.
-This option is only present on
-.Nm OpenSSL
-versions 0.9.5 or above.
 .El
 .Sh ENC NOTES
 The program can be called either as
@@ -2591,28 +2585,24 @@ and
 if necessary.
 .Pp
 The
-.Fl salt
+.Fl nosalt
 option should
-.Em ALWAYS
+.Em NEVER
-be used if the key is being derived from a password unless compatibility
+be used unless compatibility with previous versions of
-with previous versions of
 .Nm OpenSSL
-and
+or
 .Nm SSLeay
-is necessary.
+is required.
 .Pp
-Without the
+With the
-.Fl salt
+.Fl nosalt
 option it is possible to perform efficient dictionary
 attacks on the password and to attack stream cipher encrypted data.
-The reason for this is that without the
+The reason for this is that without the salt
-.Ar salt
 the same password always generates the same encryption key.
-When the
+When the salt
-.Ar salt
 is being used the first eight bytes of the encrypted data are reserved
-for the
+for the salt:
-.Ar salt :
 it is generated at random when encrypting a file and read from the
 encrypted file when it is decrypted.
 .Pp
author	jmc <>	2008-05-30 19:06:50 +0000
committer	jmc <>	2008-05-30 19:06:50 +0000
commit	f3b12bced646aded51b00b6567551d2da20238b8 (patch)
tree	5aa2730cebf467b5dd9ac90a03d1ed0a39cebd31 /src
parent	e603b6ec8e9138225bd5cbfedbd0b5b1e82735e6 (diff)
download	openbsd-f3b12bced646aded51b00b6567551d2da20238b8.tar.gz openbsd-f3b12bced646aded51b00b6567551d2da20238b8.tar.bz2 openbsd-f3b12bced646aded51b00b6567551d2da20238b8.zip

diff --git a/src/usr.sbin/openssl/openssl.1 b/src/usr.sbin/openssl/openssl.1 index 67c1a76958..8d674df686 100644 --- a/src/usr.sbin/openssl/openssl.1 +++ b/src/usr.sbin/openssl/openssl.1
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: openssl.1,v 1.60 2007/12/01 11:05:25 jmc Exp $	1	.\" $OpenBSD: openssl.1,v 1.61 2008/05/30 19:06:50 jmc Exp $
2	.\" ====================================================================	2	.\" ====================================================================
3	.\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.	3	.\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
4	.\"	4	.\"
@@ -112,7 +112,7 @@
112	.\"	112	.\"
113	.\" OPENSSL	113	.\" OPENSSL
114	.\"	114	.\"
115	.Dd $Mdocdate: December 1 2007 $	115	.Dd $Mdocdate: May 30 2008 $
116	.Dt OPENSSL 1	116	.Dt OPENSSL 1
117	.Os	117	.Os
118	.Sh NAME	118	.Sh NAME
@@ -2528,10 +2528,13 @@ Disable standard block padding.
2528	Don't use a	2528	Don't use a
2529	.Ar salt	2529	.Ar salt
2530	in the key derivation routines.	2530	in the key derivation routines.
2531	This is the default for compatibility with previous versions of	2531	This option should
		2532	.Em NEVER
		2533	be used unless compatibility with previous versions of
2532	.Nm OpenSSL	2534	.Nm OpenSSL
2533	and	2535	or
2534	.Nm SSLeay .	2536	.Nm SSLeay
		2537	is required.
2535	.It Fl out Ar file	2538	.It Fl out Ar file
2536	The output	2539	The output
2537	.Ar file ,	2540	.Ar file ,
@@ -2567,16 +2570,7 @@ this must be represented as a string comprised only of hex digits.
2567	Use a	2570	Use a
2568	.Ar salt	2571	.Ar salt
2569	in the key derivation routines.	2572	in the key derivation routines.
2570	This option should	2573	This is the default.
2571	.Em ALWAYS
2572	be used unless compatibility with previous versions of
2573	.Nm OpenSSL
2574	or
2575	.Nm SSLeay
2576	is required.
2577	This option is only present on
2578	.Nm OpenSSL
2579	versions 0.9.5 or above.
2580	.El	2574	.El
2581	.Sh ENC NOTES	2575	.Sh ENC NOTES
2582	The program can be called either as	2576	The program can be called either as
@@ -2591,28 +2585,24 @@ and
2591	if necessary.	2585	if necessary.
2592	.Pp	2586	.Pp
2593	The	2587	The
2594	.Fl salt	2588	.Fl nosalt
2595	option should	2589	option should
2596	.Em ALWAYS	2590	.Em NEVER
2597	be used if the key is being derived from a password unless compatibility	2591	be used unless compatibility with previous versions of
2598	with previous versions of
2599	.Nm OpenSSL	2592	.Nm OpenSSL
2600	and	2593	or
2601	.Nm SSLeay	2594	.Nm SSLeay
2602	is necessary.	2595	is required.
2603	.Pp	2596	.Pp
2604	Without the	2597	With the
2605	.Fl salt	2598	.Fl nosalt
2606	option it is possible to perform efficient dictionary	2599	option it is possible to perform efficient dictionary
2607	attacks on the password and to attack stream cipher encrypted data.	2600	attacks on the password and to attack stream cipher encrypted data.
2608	The reason for this is that without the	2601	The reason for this is that without the salt
2609	.Ar salt
2610	the same password always generates the same encryption key.	2602	the same password always generates the same encryption key.
2611	When the	2603	When the salt
2612	.Ar salt
2613	is being used the first eight bytes of the encrypted data are reserved	2604	is being used the first eight bytes of the encrypted data are reserved
2614	for the	2605	for the salt:
2615	.Ar salt :
2616	it is generated at random when encrypting a file and read from the	2606	it is generated at random when encrypting a file and read from the
2617	encrypted file when it is decrypted.	2607	encrypted file when it is decrypted.
2618	.Pp	2608	.Pp