1berry/ruby
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

openssl: make Cipher#key= and #iv= reject too long values

Browse Source 
* ext/openssl/ossl_cipher.c (ossl_cipher_set_key, ossl_cipher_set_iv):
  Reject too long values as well as too short ones. Currently they
  just truncate the input but this would hide bugs and lead to
  unexpected encryption/decryption results.

* test/openssl/test_cipher.rb: Test that Cipher#key= and #iv= reject
  Strings with invalid length.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55146 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
This commit is contained in:
rhe 2016-05-24 13:09:03 +00:00
parent cff5bd6306
commit ce635262f5
3 changed files with 31 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
ChangeLog
View File

@ -1,3 +1,13 @@
Tue May 24 22:04:15 2016 Kazuki Yamaguchi <k@rhe.jp>
* ext/openssl/ossl_cipher.c (ossl_cipher_set_key, ossl_cipher_set_iv):
Reject too long values as well as too short ones. Currently they
just truncate the input but this would hide bugs and lead to
unexpected encryption/decryption results.
* test/openssl/test_cipher.rb: Test that Cipher#key= and #iv= reject
Strings with invalid length.
Tue May 24 21:32:21 2016 Kazuki Yamaguchi <k@rhe.jp> Tue May 24 21:32:21 2016 Kazuki Yamaguchi <k@rhe.jp>
* ext/openssl/ossl_x509ext.c (ossl_x509ext_set_value): Use * ext/openssl/ossl_x509ext.c (ossl_x509ext_set_value): Use

14
ext/openssl/ossl_cipher.c
View File

@ -480,15 +480,17 @@ static VALUE
ossl_cipher_set_key(VALUE self, VALUE key) ossl_cipher_set_key(VALUE self, VALUE key)
{ {
EVP_CIPHER_CTX *ctx; EVP_CIPHER_CTX *ctx;
int key_len;
StringValue(key); StringValue(key);
GetCipher(self, ctx); GetCipher(self, ctx);
if (RSTRING_LEN(key) < EVP_CIPHER_CTX_key_length(ctx)) key_len = EVP_CIPHER_CTX_key_length(ctx);
ossl_raise(eCipherError, "key length too short"); if (RSTRING_LEN(key) != key_len)
ossl_raise(rb_eArgError, "key must be %d bytes", key_len);
if (EVP_CipherInit_ex(ctx, NULL, NULL, (unsigned char *)RSTRING_PTR(key), NULL, -1) != 1) if (EVP_CipherInit_ex(ctx, NULL, NULL, (unsigned char *)RSTRING_PTR(key), NULL, -1) != 1)
ossl_raise(eCipherError, NULL); ossl_raise(eCipherError, NULL);
return key; return key;
} }
@ -512,12 +514,14 @@ static VALUE
ossl_cipher_set_iv(VALUE self, VALUE iv) ossl_cipher_set_iv(VALUE self, VALUE iv)
{ {
EVP_CIPHER_CTX *ctx; EVP_CIPHER_CTX *ctx;
int iv_len;
StringValue(iv); StringValue(iv);
GetCipher(self, ctx); GetCipher(self, ctx);
if (RSTRING_LEN(iv) < EVP_CIPHER_CTX_iv_length(ctx)) iv_len = EVP_CIPHER_CTX_iv_length(ctx);
ossl_raise(eCipherError, "iv length too short"); if (RSTRING_LEN(iv) != iv_len)
ossl_raise(rb_eArgError, "iv must be %d bytes", iv_len);
if (EVP_CipherInit_ex(ctx, NULL, NULL, NULL, (unsigned char *)RSTRING_PTR(iv), -1) != 1) if (EVP_CipherInit_ex(ctx, NULL, NULL, NULL, (unsigned char *)RSTRING_PTR(iv), -1) != 1)
ossl_raise(eCipherError, NULL); ossl_raise(eCipherError, NULL);

12
test/openssl/test_cipher.rb
View File

@ -80,6 +80,18 @@ class OpenSSL::TestCipher < OpenSSL::TestCase
assert_equal(s1, s2, "encrypt reset") assert_equal(s1, s2, "encrypt reset")
end end
def test_key_iv_set
# default value for DES-EDE3-CBC
assert_equal(24, @c1.key_len)
assert_equal(8, @c1.iv_len)
assert_raise(ArgumentError) { @c1.key = "\x01" * 23 }
@c1.key = "\x01" * 24
assert_raise(ArgumentError) { @c1.key = "\x01" * 25 }
assert_raise(ArgumentError) { @c1.iv = "\x01" * 7 }
@c1.iv = "\x01" * 8
assert_raise(ArgumentError) { @c1.iv = "\x01" * 9 }
end
def test_empty_data def test_empty_data
@c1.encrypt @c1.encrypt
assert_raise(ArgumentError){ @c1.update("") } assert_raise(ArgumentError){ @c1.update("") }