kotovalexarian-likes-github/ruby--ruby
1
0
Fork 0
mirror of https://github.com/ruby/ruby.git synced 2022-11-09 12:17:21 -05:00
Code Releases Activity

[ruby/openssl] hmac: use EVP_PKEY_new_raw_private_key() if available

Browse source 
Current OpenSSL 3.0.x release has a regression with zero-length MAC
keys. While this issue should be fixed in a future release of OpenSSL,
we can use EVP_PKEY_new_raw_private_key() in place of the problematic
EVP_PKEY_new_mac_key() to avoid the issue. OpenSSL 3.0's man page
recommends using it regardless:

> EVP_PKEY_new_mac_key() works in the same way as
> EVP_PKEY_new_raw_private_key().  New applications should use
> EVP_PKEY_new_raw_private_key() instead.

Fixes https://github.com/ruby/openssl/issues/369#issuecomment-1224912710

4293f18b1f
This commit is contained in:
Kazuki Yamaguchi 2022-09-01 15:59:52 +09:00
parent bee383d9fe
commit 65bba0ef6f
3 changed files with 17 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

1
ext/openssl/extconf.rb
View file

@ -174,6 +174,7 @@ have_func("SSL_CTX_set_post_handshake_auth", ssl_h)
# added in 1.1.1 # added in 1.1.1
have_func("EVP_PKEY_check", evp_h) have_func("EVP_PKEY_check", evp_h)
have_func("EVP_PKEY_new_raw_private_key", evp_h)
have_func("SSL_CTX_set_ciphersuites", ssl_h) have_func("SSL_CTX_set_ciphersuites", ssl_h)
# added in 3.0.0 # added in 3.0.0

8
ext/openssl/ossl_hmac.c
View file

@ -97,11 +97,19 @@ ossl_hmac_initialize(VALUE self, VALUE key, VALUE digest)
GetHMAC(self, ctx); GetHMAC(self, ctx);
StringValue(key); StringValue(key);
#ifdef HAVE_EVP_PKEY_NEW_RAW_PRIVATE_KEY
pkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL,
(unsigned char *)RSTRING_PTR(key),
RSTRING_LENINT(key));
if (!pkey)
ossl_raise(eHMACError, "EVP_PKEY_new_raw_private_key");
#else
pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL,
(unsigned char *)RSTRING_PTR(key), (unsigned char *)RSTRING_PTR(key),
RSTRING_LENINT(key)); RSTRING_LENINT(key));
if (!pkey) if (!pkey)
ossl_raise(eHMACError, "EVP_PKEY_new_mac_key"); ossl_raise(eHMACError, "EVP_PKEY_new_mac_key");
#endif
if (EVP_DigestSignInit(ctx, NULL, ossl_evp_get_digestbyname(digest), if (EVP_DigestSignInit(ctx, NULL, ossl_evp_get_digestbyname(digest),
NULL, pkey) != 1) { NULL, pkey) != 1) {
EVP_PKEY_free(pkey); EVP_PKEY_free(pkey);

8
test/openssl/test_hmac.rb
View file

@ -62,6 +62,14 @@ class OpenSSL::TestHMAC < OpenSSL::TestCase
b64digest = OpenSSL::HMAC.base64digest("MD5", key, "Hi There") b64digest = OpenSSL::HMAC.base64digest("MD5", key, "Hi There")
assert_equal "kpRyejY4uxwT9I74FYv8nQ==", b64digest assert_equal "kpRyejY4uxwT9I74FYv8nQ==", b64digest
end end
def test_zero_length_key
# Empty string as the key
hexdigest = OpenSSL::HMAC.hexdigest("SHA256", "\0"*32, "test")
assert_equal "43b0cef99265f9e34c10ea9d3501926d27b39f57c6d674561d8ba236e7a819fb", hexdigest
hexdigest = OpenSSL::HMAC.hexdigest("SHA256", "", "test")
assert_equal "43b0cef99265f9e34c10ea9d3501926d27b39f57c6d674561d8ba236e7a819fb", hexdigest
end
end end
end end