mirror/openssl
2
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2024-11-21 01:15:20 +08:00
Code Issues Packages Projects Releases Wiki Activity

apps: Change default cipher to aes-256-cbc for req, cms and smime apps

Browse Source 
Update `CHANGES.md` and `NEWS.md`; remove `no-des` guard from req, cms,
and smime apps

Update MAN pages for default cipher; fix styling by removing braces around single statements

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25839)
This commit is contained in:
Aditya 2024-10-31 17:34:28 +05:30 committed by Tomas Mraz
parent 1d160dbf39
commit 539b17b658
8 changed files with 31 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
CHANGES.md
View File

@ -30,6 +30,13 @@ OpenSSL 3.4
### Changes between 3.4 and 3.5 [xx XXX xxxx] ### Changes between 3.4 and 3.5 [xx XXX xxxx]
* Updated the default encryption cipher for the `req`, `cms`, and `smime` applications
from `des-ede3-cbc` to `aes-256-cbc`.
AES-256 provides a stronger 256-bit key encryption than legacy 3DES.
*Aditya*
* Enhanced PKCS#7 inner contents verification. * Enhanced PKCS#7 inner contents verification.
In the PKCS7_verify() function, the BIO *indata parameter refers to the In the PKCS7_verify() function, the BIO *indata parameter refers to the
signed data if the content is detached from p7. Otherwise, indata should be signed data if the content is detached from p7. Otherwise, indata should be

3
NEWS.md
View File

@ -33,7 +33,8 @@ This release is in development.
This release incorporates the following potentially significant or incompatible This release incorporates the following potentially significant or incompatible
changes: changes:
* none yet * Default encryption cipher for the `req`, `cms`, and `smime` applications
changed from `des-ede3-cbc` to `aes-256-cbc`.
This release adds the following new features: This release adds the following new features:

11
apps/cms.c
View File

@ -822,15 +822,8 @@ int cms_main(int argc, char **argv)
} }
if (operation == SMIME_ENCRYPT) { if (operation == SMIME_ENCRYPT) {
if (!cipher) { if (!cipher)
#ifndef OPENSSL_NO_DES cipher = (EVP_CIPHER *)EVP_aes_256_cbc();
cipher = (EVP_CIPHER *)EVP_des_ede3_cbc();
#else
BIO_printf(bio_err, "No cipher selected\n");
goto end;
#endif
}
if (secret_key && !secret_keyid) { if (secret_key && !secret_keyid) {
BIO_printf(bio_err, "No secret key id\n"); BIO_printf(bio_err, "No secret key id\n");
goto end; goto end;

4
apps/req.c
View File

@ -275,9 +275,7 @@ int req_main(int argc, char **argv)
long newkey_len = -1; long newkey_len = -1;
unsigned long chtype = MBSTRING_ASC, reqflag = 0; unsigned long chtype = MBSTRING_ASC, reqflag = 0;
#ifndef OPENSSL_NO_DES cipher = (EVP_CIPHER *)EVP_aes_256_cbc();
cipher = (EVP_CIPHER *)EVP_des_ede3_cbc();
#endif
opt_set_unknown_name("digest"); opt_set_unknown_name("digest");
prog = opt_init(argc, argv, req_options); prog = opt_init(argc, argv, req_options);

10
apps/smime.c
View File

@ -471,14 +471,8 @@ int smime_main(int argc, char **argv)
} }
if (operation == SMIME_ENCRYPT) { if (operation == SMIME_ENCRYPT) {
if (cipher == NULL) { if (cipher == NULL)
#ifndef OPENSSL_NO_DES cipher = (EVP_CIPHER *)EVP_aes_256_cbc();
cipher = (EVP_CIPHER *)EVP_des_ede3_cbc();
#else
BIO_printf(bio_err, "No cipher selected\n");
goto end;
#endif
}
encerts = sk_X509_new_null(); encerts = sk_X509_new_null();
if (encerts == NULL) if (encerts == NULL)
goto end; goto end;

10
doc/man1/openssl-cms.pod.in
View File

@ -406,16 +406,16 @@ One or more certificate filenames may be given.
=item B<-I<cipher>> =item B<-I<cipher>>
The encryption algorithm to use. For example triple DES (168 bits) - B<-des3> The encryption algorithm to use. For example, AES (256 bits) - B<-aes256>
or 256 bit AES - B<-aes256>. Any standard algorithm name (as used by the or triple DES (168 bits) - B<-des3>. Any standard algorithm name (as used by the
EVP_get_cipherbyname() function) can also be used preceded by a dash, for EVP_get_cipherbyname() function) can also be used preceded by a dash, for
example B<-aes-128-cbc>. See L<openssl-enc(1)> for a list of ciphers example B<-aes-128-cbc>. See L<openssl-enc(1)> for a list of ciphers
supported by your version of OpenSSL. supported by your version of OpenSSL.
Currently the AES variants with GCM mode are the only supported AEAD Currently, the AES variants with GCM mode are the only supported AEAD
algorithms. algorithms.
If not specified triple DES is used. Only used with B<-encrypt> and If not specified, AES-256-CBC is used as the default. Only used with B<-encrypt> and
B<-EncryptedData_create> commands. B<-EncryptedData_create> commands.
=item B<-wrap> I<cipher> =item B<-wrap> I<cipher>
@ -896,6 +896,8 @@ L<ossl_store-file(7)>
=head1 HISTORY =head1 HISTORY
The default encryption cipher was changed from 3DES to AES-256 in OpenSSL 3.5.
The use of multiple B<-signer> options and the B<-resign> command were first The use of multiple B<-signer> options and the B<-resign> command were first
added in OpenSSL 1.0.0. added in OpenSSL 1.0.0.

5
doc/man1/openssl-req.pod.in
View File

@ -90,8 +90,7 @@ The data is a PKCS#10 object.
=item B<-cipher> I<name> =item B<-cipher> I<name>
Specify the cipher to be used for encrypting the private key. Specify the cipher to be used for encrypting the private key.
The default cipher is 3DES (DES-EDE3-CBC). If no cipher is specified, AES-256-CBC will be used by default.
If no cipher is specified, 3DES will be used by default.
You can override this by providing any valid OpenSSL cipher name. You can override this by providing any valid OpenSSL cipher name.
=item B<-in> I<filename> =item B<-in> I<filename>
@ -836,6 +835,8 @@ L<x509v3_config(5)>
=head1 HISTORY =head1 HISTORY
The default encryption cipher was changed from 3DES to AES-256 in OpenSSL 3.5.
The B<-section> option was added in OpenSSL 3.0.0. The B<-section> option was added in OpenSSL 3.0.0.
The B<-multivalue-rdn> option has become obsolete in OpenSSL 3.0.0 and The B<-multivalue-rdn> option has become obsolete in OpenSSL 3.0.0 and

14
doc/man1/openssl-smime.pod.in
View File

@ -167,13 +167,13 @@ default digest algorithm for the signing key will be used (usually SHA1).
=item B<-I<cipher>> =item B<-I<cipher>>
The encryption algorithm to use. For example DES (56 bits) - B<-des>, The encryption algorithm to use. For example, DES (56 bits) - B<-des>,
triple DES (168 bits) - B<-des3>, triple DES (168 bits) - B<-des3>, or AES (256 bits) - B<-aes256>.
EVP_get_cipherbyname() function) can also be used preceded by a dash, for Any standard algorithm name (as used by the EVP_get_cipherbyname() function)
example B<-aes-128-cbc>. See L<openssl-enc(1)> for list of ciphers can also be used, preceded by a dash, for example B<-aes-128-cbc>.
supported by your version of OpenSSL. See L<openssl-enc(1)> for a list of ciphers supported by your version of OpenSSL.
If not specified triple DES is used. Only used with B<-encrypt>. If not specified, AES-256-CBC is used as the default. Only used with B<-encrypt>.
=item B<-nointern> =item B<-nointern>
@ -468,6 +468,8 @@ L<ossl_store-file(7)>
=head1 HISTORY =head1 HISTORY
The default encryption cipher was changed from 3DES to AES-256 in OpenSSL 3.5.
The use of multiple B<-signer> options and the B<-resign> command were first The use of multiple B<-signer> options and the B<-resign> command were first
added in OpenSSL 1.0.0 added in OpenSSL 1.0.0