1berry/ruby
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[ruby/openssl] pkey: AWS-LC disallows parsing of invalid keys and params

Browse Source 
OpenSSL allows invalid EC keys or DH params to be parsed. The consuming
application can then run parameter/key checks to check the validity of
the parameters. We happen to run tests to verify that this behaves as
expected.
AWS-LC on the other hand, directly raises an error and disallows the
invalid state to be parsed, rather than making it parsable and checking
the validity later. Relevant tests have been adjusted accordingly to
reflect this.

https://github.com/ruby/openssl/commit/febe50be1b
This commit is contained in:
Samuel Chiang 2025-02-12 01:45:15 +00:00 committed by git
parent 6263d0d16b
commit f63a123606
2 changed files with 23 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
test/openssl/test_pkey_dh.rb
View File

@ -123,11 +123,22 @@ class OpenSSL::TestPKeyDH < OpenSSL::PKeyTestCase
])) ]))
assert_equal(true, dh1.params_ok?) assert_equal(true, dh1.params_ok?)
dh2 = OpenSSL::PKey::DH.new(OpenSSL::ASN1::Sequence([ # AWS-LC automatically does parameter checks on the parsed params.
OpenSSL::ASN1::Integer(dh0.p + 1), if aws_lc?
OpenSSL::ASN1::Integer(dh0.g) assert_raise(OpenSSL::PKey::DHError) {
])) OpenSSL::PKey::DH.new(OpenSSL::ASN1::Sequence([
assert_equal(false, dh2.params_ok?) OpenSSL::ASN1::Integer(dh0.p + 1),
OpenSSL::ASN1::Integer(dh0.g)
]))
}
else
dh2 = OpenSSL::PKey::DH.new(OpenSSL::ASN1::Sequence([
OpenSSL::ASN1::Integer(dh0.p + 1),
OpenSSL::ASN1::Integer(dh0.g)
]))
assert_equal(false, dh2.params_ok?)
end
end end
def test_params def test_params

9
test/openssl/test_pkey_ec.rb
View File

@ -89,14 +89,19 @@ class OpenSSL::TestEC < OpenSSL::PKeyTestCase
# Behavior of EVP_PKEY_public_check changes between OpenSSL 1.1.1 and 3.0 # Behavior of EVP_PKEY_public_check changes between OpenSSL 1.1.1 and 3.0
# The public key does not match the private key # The public key does not match the private key
key4 = OpenSSL::PKey.read(<<~EOF) ec_key_data = <<~EOF
-----BEGIN EC PRIVATE KEY----- -----BEGIN EC PRIVATE KEY-----
MHcCAQEEIP+TT0V8Fndsnacji9tyf6hmhHywcOWTee9XkiBeJoVloAoGCCqGSM49 MHcCAQEEIP+TT0V8Fndsnacji9tyf6hmhHywcOWTee9XkiBeJoVloAoGCCqGSM49
AwEHoUQDQgAEBkhhJIU/2/YdPSlY2I1k25xjK4trr5OXSgXvBC21PtY0HQ7lor7A AwEHoUQDQgAEBkhhJIU/2/YdPSlY2I1k25xjK4trr5OXSgXvBC21PtY0HQ7lor7A
jzT0giJITqmcd81fwGw5+96zLcdxTF1hVQ== jzT0giJITqmcd81fwGw5+96zLcdxTF1hVQ==
-----END EC PRIVATE KEY----- -----END EC PRIVATE KEY-----
EOF EOF
assert_raise(OpenSSL::PKey::ECError) { key4.check_key } if aws_lc? # AWS-LC automatically does key checks on the parsed key.
assert_raise(OpenSSL::PKey::PKeyError) { OpenSSL::PKey.read(ec_key_data) }
else
key4 = OpenSSL::PKey.read(ec_key_data)
assert_raise(OpenSSL::PKey::ECError) { key4.check_key }
end
# EC#private_key= is deprecated in 3.0 and won't work on OpenSSL 3.0 # EC#private_key= is deprecated in 3.0 and won't work on OpenSSL 3.0
if !openssl?(3, 0, 0) if !openssl?(3, 0, 0)