diff options
author | nahi <nahi@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2011-07-28 13:48:05 +0000 |
---|---|---|
committer | nahi <nahi@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2011-07-28 13:48:05 +0000 |
commit | e7e87b3c4e5979ab81e924c3f1d26b7a28edbf74 (patch) | |
tree | 006b08c9a191085db4c3b836daf1a145fc135f1f /ChangeLog | |
parent | 46247fb35a262b71d193b76ec594c644d6efeabe (diff) | |
download | ruby-e7e87b3c4e5979ab81e924c3f1d26b7a28edbf74.tar.gz |
* ext/openssl/ossl_cipher.c (ossl_cipher_initialize): Avoid possible
SEGV from AES encryption/decryption. Processing data by
Cipher#update without initializing key (meaningless usage of Cipher
object since we don't offer a way to export a key) could cause SEGV.
In OpenSSL, the EVP which has EVP_CIPH_RAND_KEY flag (such as DES3)
allows uninitialized key, but other EVPs (such as AES) does not
allow it. Calling EVP_CipherUpdate() without initializing key causes
SEGV so we set the data filled with "\0" as the key by default. See
#2768.
* test/openssl/test_cipher.rb: test it.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32723 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Diffstat (limited to 'ChangeLog')
-rw-r--r-- | ChangeLog | 15 |
1 files changed, 15 insertions, 0 deletions
@@ -1,3 +1,18 @@ +Thu Jul 28 22:36:06 2011 Hiroshi Nakamura <nahi@ruby-lang.org> + + * ext/openssl/ossl_cipher.c (ossl_cipher_initialize): Avoid possible + SEGV from AES encryption/decryption. Processing data by + Cipher#update without initializing key (meaningless usage of Cipher + object since we don't offer a way to export a key) could cause SEGV. + + In OpenSSL, the EVP which has EVP_CIPH_RAND_KEY flag (such as DES3) + allows uninitialized key, but other EVPs (such as AES) does not + allow it. Calling EVP_CipherUpdate() without initializing key causes + SEGV so we set the data filled with "\0" as the key by default. See + #2768. + + * test/openssl/test_cipher.rb: test it. + Thu Jul 28 14:25:08 2011 NAKAMURA Usaku <usa@ruby-lang.org> * lib/rubygems/user_interaction.rb (Gem::StreamUI#tty?): typo. |