author: slontis <shane.lontis@oracle.com> 2023-08-31 17:51:46 +1000
committer: Pauli <pauli@openssl.org> 2023-09-04 14:15:34 +1000
commit: e3994583a1e4bde9a589c379520d216bc0a0c515 (patch)
tree: 740416411fe5f6b4c6fbead6c06d03de556d17cc /doc
parent: 9f679bdc71aac83e89cc5aacb42855f3657ace39 (diff)
Added 'saltlen' option to the OpenSSL enc command line app.

This allows PBKDF2 to change the saltlen to something other than the new default value of 16. Previously this app hardwired the salt length to a maximum of 8 bytes. Non PBKDF2 mode uses EVP_BytesToKey() internally, which is documented to only allow 8 bytes.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21858)

Diffstat (limited to 'doc')
-rw-r--r-- doc/man1/openssl-enc.pod.in 17
1 files changed, 15 insertions, 2 deletions
diff --git a/doc/man1/openssl-enc.pod.in b/doc/man1/openssl-enc.pod.in
index 84d67361f8..14066a3185 100644
--- a/doc/man1/openssl-enc.pod.in
+++ b/doc/man1/openssl-enc.pod.in
@@ -31,6 +31,7 @@ B<openssl> B<enc>|I<cipher>
[B<-md> I<digest>]
[B<-iter> I<count>]
[B<-pbkdf2>]
+[B<-saltlen> I<size>]
[B<-p>]
[B<-P>]
[B<-bufsize> I<number>]
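Review bot: the synopsis entry "[B<-saltlen> I<size>]" names an argument, but the matching heading added later in this patch is "=item B<-saltlen>" with no "I<size>", unlike "=item B<-K> I<key>" elsewhere in the file. Suggest making the heading "=item B<-saltlen> I<size>" so the rendered option list shows that a value is required.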
@@ -132,6 +133,15 @@ This option enables the use of PBKDF2 algorithm to derive the key.
Use PBKDF2 algorithm with a default iteration count of 10000
unless otherwise specified by the B<-iter> command line option.
+=item B<-saltlen>
+
+Set the salt length to use when using the B<-pbkdf2> option.
+For compatibility reasons, the default is 8 bytes.
+The maximum value is currently 16 bytes.
+If the B<-pbkdf2> option is not used, then this option is ignored
+and a fixed salt length of 8 is used. The salt length used when
+encrypting must also be used when decrypting.
+
=item B<-nosalt>
Don't use a salt in the key derivation routines. This option B<SHOULD NOT> be
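Review bot: the added -saltlen text states "For compatibility reasons, the default is 8 bytes", while the commit message speaks of "the new default value of 16"; the two disagree, and the documentation should state whichever length is actually used when -pbkdf2 is given without -saltlen, since that decides whether older files still decrypt. In the same paragraph, "a fixed salt length of 8 is used" drops the unit; suggest "8 bytes" to match the lines above it.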
@@ -147,7 +157,8 @@ encrypting, this is the default.
The actual salt to use: this must be represented as a string of hex digits.
If this option is used while encrypting, the same exact value will be needed
-again during decryption.
+again during decryption. This salt may be truncated or zero padded to
+match the salt length (See B<-saltlen>).
=item B<-K> I<key>
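Review bot: the sentence added to -S, "This salt may be truncated or zero padded to match the salt length", does not say which end of the supplied value is truncated or padded, or whether the app reports that it happened. A user who passes a hex salt longer or shorter than the effective length cannot tell from this text what salt is really used. Suggest stating the direction of truncation and padding and whether a warning is printed, and lowercasing "See" inside the parenthesis.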
@@ -465,9 +476,11 @@ The B<-list> option was added in OpenSSL 1.1.1e.
The B<-ciphers> and B<-engine> options were deprecated in OpenSSL 3.0.
+The B<-saltlen> option was added in OpenSSL 3.2.
+
=head1 COPYRIGHT
-Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy