diff options
author | Kazuki Yamaguchi <k@rhe.jp> | 2022-09-01 15:59:52 +0900 |
---|---|---|
committer | Kazuki Yamaguchi <k@rhe.jp> | 2022-10-17 16:35:35 +0900 |
commit | 65bba0ef6fa104324d34079f107f9c72ed8d0e2f (patch) | |
tree | 7412ce5484ded42ae9c28aab7e42c0f647a2984d /ext/openssl | |
parent | bee383d9fe84eb29ec12a8c392fcbf7c646575b8 (diff) | |
download | ruby-65bba0ef6fa104324d34079f107f9c72ed8d0e2f.tar.gz |
[ruby/openssl] hmac: use EVP_PKEY_new_raw_private_key() if available
Current OpenSSL 3.0.x release has a regression with zero-length MAC
keys. While this issue should be fixed in a future release of OpenSSL,
we can use EVP_PKEY_new_raw_private_key() in place of the problematic
EVP_PKEY_new_mac_key() to avoid the issue. OpenSSL 3.0's man page
recommends using it regardless:
> EVP_PKEY_new_mac_key() works in the same way as
> EVP_PKEY_new_raw_private_key(). New applications should use
> EVP_PKEY_new_raw_private_key() instead.
Fixes https://github.com/ruby/openssl/issues/369#issuecomment-1224912710
https://github.com/ruby/openssl/commit/4293f18b1f
Diffstat (limited to 'ext/openssl')
-rw-r--r-- | ext/openssl/extconf.rb | 1 | ||||
-rw-r--r-- | ext/openssl/ossl_hmac.c | 8 |
2 files changed, 9 insertions, 0 deletions
diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb index f8be3e9e03..fd96533569 100644 --- a/ext/openssl/extconf.rb +++ b/ext/openssl/extconf.rb @@ -174,6 +174,7 @@ have_func("SSL_CTX_set_post_handshake_auth", ssl_h) # added in 1.1.1 have_func("EVP_PKEY_check", evp_h) +have_func("EVP_PKEY_new_raw_private_key", evp_h) have_func("SSL_CTX_set_ciphersuites", ssl_h) # added in 3.0.0 diff --git a/ext/openssl/ossl_hmac.c b/ext/openssl/ossl_hmac.c index bfe3a74b12..1a5f471a27 100644 --- a/ext/openssl/ossl_hmac.c +++ b/ext/openssl/ossl_hmac.c @@ -97,11 +97,19 @@ ossl_hmac_initialize(VALUE self, VALUE key, VALUE digest) GetHMAC(self, ctx); StringValue(key); +#ifdef HAVE_EVP_PKEY_NEW_RAW_PRIVATE_KEY + pkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL, + (unsigned char *)RSTRING_PTR(key), + RSTRING_LENINT(key)); + if (!pkey) + ossl_raise(eHMACError, "EVP_PKEY_new_raw_private_key"); +#else pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, (unsigned char *)RSTRING_PTR(key), RSTRING_LENINT(key)); if (!pkey) ossl_raise(eHMACError, "EVP_PKEY_new_mac_key"); +#endif if (EVP_DigestSignInit(ctx, NULL, ossl_evp_get_digestbyname(digest), NULL, pkey) != 1) { EVP_PKEY_free(pkey); |