3

I need to decrypt a file coming from an linux box, password protected with Openssl and AES. The encryption is done with

openssl enc -aes-256-cbc -k <pwd>

Currently, I get it properly decrypted with the following script on Windows:

"openssl.exe" enc -d -aes-256-cbc -k <pwd> -in <inputFile> -out <output>

So far, I included the openssl exe and 2 dll with my project to do so.

However, I would like to get rid of those dependencies and decode it directly in C#.

What is the C# equivalent of the openssl enc -d as above?

It is anyway possible? I read from https://security.stackexchange.com/questions/20628/where-is-the-salt-on-the-openssl-aes-encryption that openssl enc is kind of non standard and is using a random salt from the given password.

Inspired by a few other similar topics, my current method always get the "padding invalid" issue as e.g. this other question AES-256-CBC Decrypt Error Stating Padding is invalid and cannot be removed

This 10-years old thread OpenSSL encryption using .NET classes proposed a solution, even more complex to retrieve the salt and IV, but this is not working anymore. I also get the "padding invalid" issue.

(original code with Rfc2898DeriveBytes object for the pwd removed, openssl does not use this Rfc2898DeriveBytes stuff). See working code in the accepted answer.

EricBDev
  • 1,279
  • 13
  • 21

2 Answers2

3

The code from the 10 year old question you linked actully still works with minor modifications. First note that by default OpenSSL now uses SHA256 as a hash function and not MD5, we can easily fix that. Then, that answer assumes you provide "-base64" option to openssl and get result in base64 and not strange format used by OpenSSL by default, but that's also easy to fix. Just read target file as bytes, then strip ascii-encoded "SALTED__" string from its beginning:

var input = File.ReadAllBytes(@"your encrypted file");
input = input.Skip(Encoding.ASCII.GetBytes("SALTED__").Length).ToArray();

Now adjust how it extracts salt and encrypted data from there, and use PKCS7 padding, and it'll work. Full code copied from the answer above with mentioned fixes:

public class Protection
{
    public string OpenSSLDecrypt(byte[] encryptedBytesWithSalt, string passphrase)
    {
        // extract salt (first 8 bytes of encrypted)
        byte[] salt = new byte[8];
        byte[] encryptedBytes = new byte[encryptedBytesWithSalt.Length - salt.Length];
        Buffer.BlockCopy(encryptedBytesWithSalt, 0, salt, 0, salt.Length);
        Buffer.BlockCopy(encryptedBytesWithSalt, salt.Length, encryptedBytes, 0, encryptedBytes.Length);
        // get key and iv
        byte[] key, iv;
        DeriveKeyAndIV(passphrase, salt, out key, out iv);
        return DecryptStringFromBytesAes(encryptedBytes, key, iv);
    }

    private static void DeriveKeyAndIV(string passphrase, byte[] salt, out byte[] key, out byte[] iv)
    {
        // generate key and iv
        List<byte> concatenatedHashes = new List<byte>(48);

        byte[] password = Encoding.UTF8.GetBytes(passphrase);
        byte[] currentHash = new byte[0];
        var md5 = SHA256.Create();
        bool enoughBytesForKey = false;
        // See http://www.openssl.org/docs/crypto/EVP_BytesToKey.html#KEY_DERIVATION_ALGORITHM
        while (!enoughBytesForKey)
        {
            int preHashLength = currentHash.Length + password.Length + salt.Length;
            byte[] preHash = new byte[preHashLength];

            Buffer.BlockCopy(currentHash, 0, preHash, 0, currentHash.Length);
            Buffer.BlockCopy(password, 0, preHash, currentHash.Length, password.Length);
            Buffer.BlockCopy(salt, 0, preHash, currentHash.Length + password.Length, salt.Length);

            currentHash = md5.ComputeHash(preHash);
            concatenatedHashes.AddRange(currentHash);

            if (concatenatedHashes.Count >= 48)
                enoughBytesForKey = true;
        }

        key = new byte[32];
        iv = new byte[16];
        concatenatedHashes.CopyTo(0, key, 0, 32);
        concatenatedHashes.CopyTo(32, iv, 0, 16);

        md5.Clear();
        md5 = null;
    }
    static string DecryptStringFromBytesAes(byte[] cipherText, byte[] key, byte[] iv)
    {
        // Check arguments.
        if (cipherText == null || cipherText.Length <= 0)
            throw new ArgumentNullException("cipherText");
        if (key == null || key.Length <= 0)
            throw new ArgumentNullException("key");
        if (iv == null || iv.Length <= 0)
            throw new ArgumentNullException("iv");

        // Declare the RijndaelManaged object
        // used to decrypt the data.
        RijndaelManaged aesAlg = null;

        // Declare the string used to hold
        // the decrypted text.
        string plaintext;

        try
        {
            // Create a RijndaelManaged object
            // with the specified key and IV.
            aesAlg = new RijndaelManaged {Mode = CipherMode.CBC, KeySize = 256, BlockSize = 128, Key = key, IV = iv, Padding = PaddingMode.PKCS7};

            // Create a decrytor to perform the stream transform.
            ICryptoTransform decryptor = aesAlg.CreateDecryptor(aesAlg.Key, aesAlg.IV);
            // Create the streams used for decryption.
            using (MemoryStream msDecrypt = new MemoryStream(cipherText))
            {
                using (CryptoStream csDecrypt = new CryptoStream(msDecrypt, decryptor, CryptoStreamMode.Read))
                {
                    using (StreamReader srDecrypt = new StreamReader(csDecrypt))
                    {
                        // Read the decrypted bytes from the decrypting stream
                        // and place them in a string.
                        plaintext = srDecrypt.ReadToEnd();
                        srDecrypt.Close();
                    }
                }
            }
        }
        finally
        {
            // Clear the RijndaelManaged object.
            if (aesAlg != null)
                aesAlg.Clear();
        }

        return plaintext;
    }
}

Then just:

var input = File.ReadAllBytes(@"path to your encrypted file");
input = input.Skip(Encoding.ASCII.GetBytes("SALTED__").Length).ToArray();
var decrypted= new Protection().OpenSSLDecrypt(input, "123123");

If you decrypt non-string data, change DecryptStringFromBytesAes like that:

static byte[] DecryptStringFromBytesAes(byte[] cipherText, byte[] key, byte[] iv) {
    // Check arguments.
    if (cipherText == null || cipherText.Length <= 0)
        throw new ArgumentNullException("cipherText");
    if (key == null || key.Length <= 0)
        throw new ArgumentNullException("key");
    if (iv == null || iv.Length <= 0)
        throw new ArgumentNullException("iv");

    // Declare the RijndaelManaged object
    // used to decrypt the data.
    RijndaelManaged aesAlg = null;

    try {
        // Create a RijndaelManaged object
        // with the specified key and IV.
        aesAlg = new RijndaelManaged { Mode = CipherMode.CBC, KeySize = 256, BlockSize = 128, Key = key, IV = iv, Padding = PaddingMode.PKCS7 };

        // Create a decrytor to perform the stream transform.
        ICryptoTransform decryptor = aesAlg.CreateDecryptor(aesAlg.Key, aesAlg.IV);
        // Create the streams used for decryption.
        using (MemoryStream msDecrypt = new MemoryStream(cipherText)) {
            using (CryptoStream csDecrypt = new CryptoStream(msDecrypt, decryptor, CryptoStreamMode.Read)) {
                using (var output = new MemoryStream()) {
                    csDecrypt.CopyTo(output);
                    return output.ToArray();
                }
            }
        }
    }
    finally {
        // Clear the RijndaelManaged object.
        if (aesAlg != null)
            aesAlg.Clear();
    }
}
Evk
  • 98,527
  • 8
  • 141
  • 191
  • thanks for the detailed answer. Unfortunately, I still get the ""Padding is invalid and cannot be removed." exception. – EricBDev Oct 07 '21 at 08:08
  • some further improvements on the updated code: the input.Skip(Encoding.ASCII.GetBytes("SALTED__").Length).ToArray(); could be put directly in the method OpenSSLDecrypt marked as static. and I need a stream or byte[] as output or write a file, which I easily fixed in the DecryptStringFromBytesAes method, but this is not the issue there. the "Padding invalid" occurs anyway (either each version) on the plaintext = srDecrypt.ReadToEnd() or csDecrypt.CopyTo(output); if output is a MemoryStream or FileStream. – EricBDev Oct 07 '21 at 08:15
  • Which OpenSSL version did you use to produce it? I used 1.1.1a for test – Evk Oct 07 '21 at 08:17
  • 1.1.1k encoder on the Linux box 1.1.1l decoder on the Windows PC. – EricBDev Oct 07 '21 at 08:28
  • and my enc file contains a single gz file, which I decrompress in a 2nd step. This 2nd step is working fine with classic GZipStream – EricBDev Oct 07 '21 at 08:32
  • I just tested with 1.1.1k on linux and it works fine for me. Just copy pasted my code, encrypted some text file and decrypted just fine. If you need output as bytes, then you don't need `StreamReader`, so I don't see how you can get exception on `srDecrypt.ReadToEnd`, since this line should not be there. – Evk Oct 07 '21 at 08:45
  • I've updated answer with one possible way to change `DecryptStringFromBytesAes` to handle binary data. – Evk Oct 07 '21 at 08:47
  • Thanks. I also added using (var output = new MemoryStream()) { csDecrypt.CopyTo(output); return output.ToArray(); on my side before my tests. The exception is then raised on the CopyTo(output) not clear yet why I still get it. – EricBDev Oct 07 '21 at 11:27
  • You can attach a sample encrypted file to your question, together with passphrase you used, which fails to decrypt. Then at least there is some test case. – Evk Oct 07 '21 at 11:28
  • You can also play with various `PaddingMode` values, even though in my case `PKCS7` seems to work well. – Evk Oct 07 '21 at 11:33
  • I only have "padding invalid and cannot be removed" if I change back to MD5 hash. With SHA256 as described I never get this error – Evk Oct 07 '21 at 12:00
  • I still don't understand. I did a quick test with a text file gziped and encrypted with openssl on my linux box. I got it correctly decrypted with the current solution. But still got that damned Padding invalid issue with other binaries files. I ll check again how the other file is generated. – EricBDev Oct 07 '21 at 14:19
  • so stupid, one letter in my password got duplicated. Now it is also fine with my orginal file. Thus I mark the answer as accepted. – EricBDev Oct 07 '21 at 14:33
  • 1
    in .NET 6, the RijndaelManaged is marked as obsolete. Using Aes.Create() method instead of new RijndaelManaged() and then setting the properties is working just fine. – EricBDev Nov 23 '21 at 22:22
0

Inspired from the response above, and with my comments to them, this is the class I am using for my .NET 6 projects in VS 2022.

public static class OpenSslUtils
{
    public static byte[] OpenSSLDecrypt(byte[] encryptedBytesWithSalt, string passphrase)
    {
        // remove the SALTED prefix
        byte[] input = encryptedBytesWithSalt.Skip(Encoding.ASCII.GetBytes("Salted__").Length).ToArray();
        // extract salt (first 8 bytes of encrypted)
        byte[] salt = new byte[8];
        byte[] encryptedBytes = new byte[input.Length - salt.Length];
        Buffer.BlockCopy(input, 0, salt, 0, salt.Length);
        Buffer.BlockCopy(input, salt.Length, encryptedBytes, 0, encryptedBytes.Length);
        // get key and iv
        DeriveKeyAndIV(passphrase, salt, out byte[] key, out byte[] iv);
        return DecryptFromBytesAes(encryptedBytes, key, iv);
    }

    private static void DeriveKeyAndIV(string passphrase, byte[] salt, out byte[] key, out byte[] iv)
    {
        // generate key and iv
        List<byte> concatenatedHashes = new(48);

        byte[] password = Encoding.UTF8.GetBytes(passphrase);
        byte[] currentHash = Array.Empty<byte>();
        var hash = SHA256.Create();
        bool enoughBytesForKey = false;
        // See http://www.openssl.org/docs/crypto/EVP_BytesToKey.html#KEY_DERIVATION_ALGORITHM
        while (!enoughBytesForKey)
        {
            int preHashLength = currentHash.Length + password.Length + salt.Length;
            byte[]? preHash = new byte[preHashLength];

            Buffer.BlockCopy(currentHash, 0, preHash, 0, currentHash.Length);
            Buffer.BlockCopy(password, 0, preHash, currentHash.Length, password.Length);
            Buffer.BlockCopy(salt, 0, preHash, currentHash.Length + password.Length, salt.Length);

            currentHash = hash.ComputeHash(preHash);
            concatenatedHashes.AddRange(currentHash);

            if (concatenatedHashes.Count >= 48)
                enoughBytesForKey = true;
        }

        key = new byte[32];
        iv = new byte[16];
        concatenatedHashes.CopyTo(0, key, 0, 32);
        concatenatedHashes.CopyTo(32, iv, 0, 16);

        hash.Dispose();
    }
    private static byte[] DecryptFromBytesAes(byte[] cipherText, byte[] key, byte[] iv)
    {
        // Check arguments.
        if (cipherText == null || cipherText.Length <= 0)
            throw new ArgumentNullException(nameof(cipherText));
        if (key == null || key.Length <= 0)
            throw new ArgumentNullException(nameof(key));
        if (iv == null || iv.Length <= 0)
            throw new ArgumentNullException(nameof(iv));

        // Declare the Aes object used to decrypt the data.
        Aes? aesAlg = null;

        // Declare the byte[] used to hold the decrypted text.
        byte[]? decryptedOutput = null;

        try
        {
            // Create an AES object
            // with the specified key and IV.
            aesAlg = Aes.Create();
            aesAlg.Mode = CipherMode.CBC;
            aesAlg.KeySize = 256;
            aesAlg.BlockSize = 128;
            aesAlg.Key = key;
            aesAlg.IV = iv;
            aesAlg.Padding = PaddingMode.PKCS7;

            // Create a decrytor to perform the stream transform.
            ICryptoTransform decryptor = aesAlg.CreateDecryptor(aesAlg.Key, aesAlg.IV);
            // Create the streams used for decryption.
            using MemoryStream msDecrypt = new(cipherText);
            using CryptoStream csDecrypt = new(msDecrypt, decryptor, CryptoStreamMode.Read);
            using MemoryStream output = new();
            csDecrypt.CopyTo(output);
            decryptedOutput = output.ToArray();
        }
        finally
        {
            // Clear the object.
            if (aesAlg != null)
            {
                aesAlg.Dispose();
            }
        }

        return decryptedOutput;
    }
}
EricBDev
  • 1,279
  • 13
  • 21