But to answer your question, you need to add an option to tell Crypt::CBC to use the old-style header, setting "randomiv" for the "-header" option. From the Crypt::CBC docs describing values for the "-header" option:

 
"randomiv" -- Generate the block cipher key from the passphrase, and
           choose a random 8-byte value to use as the IV. The IV will
           be prepended to the data stream. This method is compatible
           with ciphertext produced by versions of the library prior to
           2.17, but is incompatible with block ciphers that have non
           8-byte block sizes, such as Rijndael. Crypt::CBC will exit
           with a fatal error if you try to use this header mode with a
           non 8-byte cipher.

-sam

Ok, I added that but was told by the system that salt was incompatible with randomiv, so I removed the salt entry and get this message now:

"Ciphertext does not begin with a valid header for 'randomiv' header mode"

Here is my new code at the bottom of the subroutine:

my $cipher = Crypt::CBC->new( -key   => $key,
                             -cipher => 'Blowfish',
                             -header => 'randomiv'
                           );
[download]

Any other ideas?

Richard
PS> Thank you for your assistance... and No those are not my real keys, I put some testing ones in... Mine are like 250 bytes long or so.

Huh. Maybe you've got a mix of 'salt' and 'randomiv' data? Your encrypt routine has presumably been working since the change - only decryption has been bombing. You might try wrapping the first try in an eval - if it fails, try again with the alternate option.

-sam

I recently upgraded a server, Perl modules included, and went through a similar problem. Scripts that were there for ages suddenly failed with a message like yours. I solved my problem by including the header key in the call to new with the value 'randomiv'.

my $cipher = Crypt::CBC->new( -key   => $key,
                             -cipher => 'Blowfish',
                             -header => 'randomiv',
                             -salt   => 1,
                           );
[download]

From the Crypt::CBC Changes file (emphasis added):

2.17    Mon Jan  9 18:22:51 EST 2006
        -IMPORTANT NOTE: Versions of this module prior to 2.17 were incorrectly
        using 8 byte IVs when generating the old-style RandomIV style header
        (as opposed to the new-style random salt header). This affects data
        encrypted using the Rijndael algorithm, which has a 16 byte blocksize,
        and is a significant security issue.

        The bug has been corrected in versions 2.17 and higher by making it
        impossible to use 16-byte block ciphers with RandomIV headers. You may
        still read legacy encrypted data by explicitly passing the 
        -insecure_legacy_decrypt option to Crypt::CBC->new().

I think that's just for Rinjdael. He's using Blowfish, so he shouldn't need that.

-sam

Thanks... I tried that, here is my new code at the end of the subroutine:

my $cipher = Crypt::CBC->new( -key   => $key,
                             -cipher => 'Blowfish',
                             -salt => 1,
                             -insecure_legacy_decrypt => 1
                           );
[download]

Now I get the following message, even if I take out the -salt=>1
Ciphertext does not begin with a valid header for 'salt' header mode

Any other ideas?

Thank you,
Richard

What Sam wrote above sounds like a good hypothesis... Have you tried that?

If all else fails, you might also consider downgrading to pre-2.17 (temporarily, to get operational again) and then work out a way to migrate your old encrypted data to the new style usage/encoding.  For that, it's probably a good idea to install the old version into some private location, and then put use lib "/path/to/old/module"; at the top of the script.