From bb10767b0570d44f240632a7399c882764a48649 Mon Sep 17 00:00:00 2001
From: Kazuki Yamaguchi
Date: Wed, 18 Oct 2017 23:24:37 +0900
Subject: cipher: disallow setting AAD for non-AEAD ciphers

EVP_CipherUpdate() must not be call with the output parameter set to NULL when the cipher does not support AEAD. Check the flag of EVP_CIPHER, and raise an exception as necessary.
Reference: http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-core/83337
Reference: https://bugs.ruby-lang.org/issues/14024
---
 ext/openssl/ossl_cipher.c | 2 ++
 test/test_cipher.rb | 7 +++++++
 2 files changed, 9 insertions(+)
diff --git a/ext/openssl/ossl_cipher.c b/ext/openssl/ossl_cipher.c
index 36e42ede..740f04b2 100644
--- a/ext/openssl/ossl_cipher.c
+++ b/ext/openssl/ossl_cipher.c
@@ -580,6 +580,8 @@ ossl_cipher_set_auth_data(VALUE self, VALUE data)
 in_len = RSTRING_LEN(data);
 GetCipher(self, ctx);
+ if (!(EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ctx)) & EVP_CIPH_FLAG_AEAD_CIPHER))
+ ossl_raise(eCipherError, "AEAD not supported by this cipher");
 if (!ossl_cipher_update_long(ctx, NULL, &out_len, in, in_len))
 ossl_raise(eCipherError, "couldn't set additional authenticated data");
diff --git a/test/test_cipher.rb b/test/test_cipher.rb
index ad0e87b4..216eeded 100644
--- a/test/test_cipher.rb
+++ b/test/test_cipher.rb
@@ -297,6 +297,13 @@ class OpenSSL::TestCipher < OpenSSL::TestCase
 assert_equal tag1, tag2
 end if has_cipher?("aes-128-gcm")
+ def test_non_aead_cipher_set_auth_data
+ assert_raise(OpenSSL::Cipher::CipherError) {
+ cipher = OpenSSL::Cipher.new("aes-128-cfb").encrypt
+ cipher.auth_data = "123"
+ }
+ end
+
 private
 def new_encryptor(algo, **kwargs)
-- cgit v1.2.3
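Review bot: The added `EVP_CIPH_FLAG_AEAD_CIPHER` check in ossl_cipher_set_auth_data has no comment tying it to the `NULL` output argument in the `ossl_cipher_update_long(ctx, NULL, ...)` call just below, so a later refactor could reorder or drop it without noticing that it is a memory-safety guard. I would put `/* out == NULL is only valid when feeding AAD to an AEAD cipher; reject every other cipher before the update call */` above the `if`. The method's rdoc, which is outside this hunk, should also state that `auth_data=` raises CipherError for non-AEAD ciphers. The function body starts and ends outside the hunk, so whether other paths pass a NULL output pointer cannot be judged from here.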
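Review bot: The `assert_raise` block in test_non_aead_cipher_set_auth_data also wraps `OpenSSL::Cipher.new("aes-128-cfb").encrypt` and checks only the exception class, which the older "couldn't set additional authenticated data" path in the C hunk appears to raise as well. The test can therefore pass without the new guard being what fired. Build the cipher before the assertion and pin the message: `cipher = OpenSSL::Cipher.new("aes-128-cfb").encrypt`, then `e = assert_raise(OpenSSL::Cipher::CipherError) { cipher.auth_data = "123" }` and `assert_match(/AEAD not supported/, e.message)`. A decrypt-mode case would be a cheap addition, since the C check does not look at direction. The enclosing class continues outside the hunk.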