From 4a65e37a6a0625eab299dffcbaf99a0f7fa6f54d Mon Sep 17 00:00:00 2001 From: rhe Date: Tue, 24 May 2016 13:09:03 +0000 Subject: openssl: make Cipher#key= and #iv= reject too long values * ext/openssl/ossl_cipher.c (ossl_cipher_set_key, ossl_cipher_set_iv): Reject too long values as well as too short ones. Currently they just truncate the input but this would hide bugs and lead to unexpected encryption/decryption results. * test/openssl/test_cipher.rb: Test that Cipher#key= and #iv= reject Strings with invalid length. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55146 b2dd03c8-39d4-4d8f-98ff-823fe69b080e --- ext/openssl/ossl_cipher.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) (limited to 'ext') diff --git a/ext/openssl/ossl_cipher.c b/ext/openssl/ossl_cipher.c index 9aab802508..43a8effa64 100644 --- a/ext/openssl/ossl_cipher.c +++ b/ext/openssl/ossl_cipher.c @@ -480,15 +480,17 @@ static VALUE ossl_cipher_set_key(VALUE self, VALUE key) { EVP_CIPHER_CTX *ctx; + int key_len; StringValue(key); GetCipher(self, ctx); - if (RSTRING_LEN(key) < EVP_CIPHER_CTX_key_length(ctx)) - ossl_raise(eCipherError, "key length too short"); + key_len = EVP_CIPHER_CTX_key_length(ctx); + if (RSTRING_LEN(key) != key_len) + ossl_raise(rb_eArgError, "key must be %d bytes", key_len); if (EVP_CipherInit_ex(ctx, NULL, NULL, (unsigned char *)RSTRING_PTR(key), NULL, -1) != 1) - ossl_raise(eCipherError, NULL); + ossl_raise(eCipherError, NULL); return key; } @@ -512,12 +514,14 @@ static VALUE ossl_cipher_set_iv(VALUE self, VALUE iv) { EVP_CIPHER_CTX *ctx; + int iv_len; StringValue(iv); GetCipher(self, ctx); - if (RSTRING_LEN(iv) < EVP_CIPHER_CTX_iv_length(ctx)) - ossl_raise(eCipherError, "iv length too short"); + iv_len = EVP_CIPHER_CTX_iv_length(ctx); + if (RSTRING_LEN(iv) != iv_len) + ossl_raise(rb_eArgError, "iv must be %d bytes", iv_len); if (EVP_CipherInit_ex(ctx, NULL, NULL, NULL, (unsigned char *)RSTRING_PTR(iv), -1) != 1) ossl_raise(eCipherError, NULL); -- cgit v1.2.3