diff options
author | rhe <rhe@ruby-lang.org> | 2016-05-20 15:05:25 +0000 |
---|---|---|
committer | Kazuki Yamaguchi <k@rhe.jp> | 2016-05-31 11:31:27 +0900 |
commit | f38501249f33bff7ca9d208670b8cde695ea8b7b (patch) | |
tree | 0a8426c286a7b535afc69b5220f6cd9f40de2a30 /ext/openssl/ossl_pkey_rsa.c | |
parent | 012635971c01cefbfab15dc51edf1fe29661fc72 (diff) | |
download | ruby-openssl-f38501249f33bff7ca9d208670b8cde695ea8b7b.tar.gz |
openssl: improve handling of password for encrypted PEM
* ext/openssl/ossl.c (ossl_pem_passwd_value): Added. Convert the
argument to String with StringValue() and validate the length is in
4..PEM_BUFSIZE. PEM_BUFSIZE is a macro defined in OpenSSL headers.
(ossl_pem_passwd_cb): When reading/writing encrypted PEM format, we
used to pass the password to PEM_def_callback() directly but it was
problematic. It is not NUL character safe. And surprisingly, it
silently truncates the password to 1024 bytes. [GH ruby/openssl#51]
* ext/openssl/ossl.h: Add function prototype declaration of newly
added ossl_pem_passwd_value().
* ext/openssl/ossl_pkey.c (ossl_pkey_new_from_data): Use
ossl_pem_passwd_value() to validate the password String.
* ext/openssl/ossl_pkey_dsa.c (ossl_dsa_initialize, ossl_dsa_export):
ditto.
* ext/openssl/ossl_pkey_ec.c (ossl_ec_key_initialize,
ossl_ec_key_to_string): ditto.
* ext/openssl/ossl_pkey_rsa.c (ossl_rsa_initialize, ossl_rsa_export):
ditto.
* test/openssl/test_pkey_{dsa,ec,rsa}.rb: test this.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55087 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Diffstat (limited to 'ext/openssl/ossl_pkey_rsa.c')
-rw-r--r-- | ext/openssl/ossl_pkey_rsa.c | 15 |
1 files changed, 4 insertions, 11 deletions
diff --git a/ext/openssl/ossl_pkey_rsa.c b/ext/openssl/ossl_pkey_rsa.c index 6ad9f3ed..5219dbed 100644 --- a/ext/openssl/ossl_pkey_rsa.c +++ b/ext/openssl/ossl_pkey_rsa.c @@ -210,7 +210,6 @@ ossl_rsa_initialize(int argc, VALUE *argv, VALUE self) EVP_PKEY *pkey; RSA *rsa; BIO *in; - char *passwd = NULL; VALUE arg, pass; GetPKey(self, pkey); @@ -222,10 +221,10 @@ ossl_rsa_initialize(int argc, VALUE *argv, VALUE self) if (!rsa) ossl_raise(eRSAError, NULL); } else { - if (!NIL_P(pass)) passwd = StringValuePtr(pass); + pass = ossl_pem_passwd_value(pass); arg = ossl_to_der_if_possible(arg); in = ossl_obj2bio(arg); - rsa = PEM_read_bio_RSAPrivateKey(in, NULL, ossl_pem_passwd_cb, passwd); + rsa = PEM_read_bio_RSAPrivateKey(in, NULL, ossl_pem_passwd_cb, (void *)pass); if (!rsa) { OSSL_BIO_reset(in); rsa = PEM_read_bio_RSA_PUBKEY(in, NULL, NULL, NULL); @@ -310,7 +309,6 @@ ossl_rsa_export(int argc, VALUE *argv, VALUE self) EVP_PKEY *pkey; BIO *out; const EVP_CIPHER *ciph = NULL; - char *passwd = NULL; VALUE cipher, pass, str; GetPKeyRSA(self, pkey); @@ -319,19 +317,14 @@ ossl_rsa_export(int argc, VALUE *argv, VALUE self) if (!NIL_P(cipher)) { ciph = GetCipherPtr(cipher); - if (!NIL_P(pass)) { - StringValue(pass); - if (RSTRING_LENINT(pass) < OSSL_MIN_PWD_LEN) - ossl_raise(eOSSLError, "OpenSSL requires passwords to be at least four characters long"); - passwd = RSTRING_PTR(pass); - } + pass = ossl_pem_passwd_value(pass); } if (!(out = BIO_new(BIO_s_mem()))) { ossl_raise(eRSAError, NULL); } if (RSA_HAS_PRIVATE(pkey->pkey.rsa)) { if (!PEM_write_bio_RSAPrivateKey(out, pkey->pkey.rsa, ciph, - NULL, 0, ossl_pem_passwd_cb, passwd)) { + NULL, 0, ossl_pem_passwd_cb, (void *)pass)) { BIO_free(out); ossl_raise(eRSAError, NULL); } |