The openssl-enc documentation says "This option SHOULD NOT be used ...".
I claim that -nosalt is safe to use in this application because:
1. The secrets being used here are full key-size + IV-size random values
straight out of the random number generator.
2. Keys are never re-used.
-nosalt is desirable for this application because it avoids the "Salted__..."
header. Having a "Salted__" header on every single layer of encryption
allows an attacker to get a known-plaintext-attack fingernail under each
layer, giving an opportunity to attack each layer individually.
operation=$(sed -n "${layer}{;s/ .*//;p;}" "$keyfile")
if [[ "$operation" == openssl-enc ]];then
openssl enc $openssl_decrypt "-$(sed -rn "${layer}s/[^ ]+ ([^ ]+) .*/\\1/p" "$keyfile")" \
operation=$(sed -n "${layer}{;s/ .*//;p;}" "$keyfile")
if [[ "$operation" == openssl-enc ]];then
openssl enc $openssl_decrypt "-$(sed -rn "${layer}s/[^ ]+ ([^ ]+) .*/\\1/p" "$keyfile")" \
- -pass fd:37 37< <(sed -rn "${layer}s/^[^ ]+ [^ ]+ //p" "$keyfile")
+ -nosalt -pass fd:37 37< <(sed -rn "${layer}s/^[^ ]+ [^ ]+ //p" "$keyfile")
elif [[ "$operation" == reverse ]];then
reverse
elif [[ "$operation" == openssl-dgst ]];then
elif [[ "$operation" == reverse ]];then
reverse
elif [[ "$operation" == openssl-dgst ]];then
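Review bot: The new `-nosalt -pass fd:37` line still runs the fd:37 secret through enc's password KDF (EVP_BytesToKey), and that KDF's digest is not pinned anywhere in the hunk, so the derived key depends on the OpenSSL build's default (md5 in 1.0.x, sha256 from 1.1.0 on) and a layer written on one version may not decrypt on another; add `-md sha256` (or whichever digest the project standardizes on) next to `-nosalt`. The commit message's "key-size + IV-size random values" wording is also slightly misleading for this code path: with `-pass` the secret is hashed, not used as a raw key, so the reason -nosalt is acceptable here is that the input is full-entropy and single-use, which is what the salt exists to compensate for. I would record that rationale at the call site so the next reader does not re-open the question, e.g. `# -nosalt: the fd:37 secret is a single-use, full-entropy random value, so the salt's anti-precomputation role does not apply; it is still hashed by enc's password KDF, not used as a raw key.` The `if`/`elif` chain on `$operation` continues past the end of the hunk.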