diff options
author | nahi <nahi@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2011-07-28 13:52:57 +0000 |
---|---|---|
committer | nahi <nahi@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2011-07-28 13:52:57 +0000 |
commit | be10ad2072798a82ceedf38456047f518dfe6da7 (patch) | |
tree | 0c9b049f020a2e7188a0a2a9611cf5a2487f2438 /ChangeLog | |
parent | 02345202cad585f0750e3f3c022a377d61f57cc5 (diff) |
* backport r32723 from trunk.
* ext/openssl/ossl_cipher.c (ossl_cipher_initialize): Avoid possible
SEGV from AES encryption/decryption. Processing data by
Cipher#update without initializing key (meaningless usage of Cipher
object since we don't offer a way to export a key) could cause SEGV.
In OpenSSL, the EVP which has EVP_CIPH_RAND_KEY flag (such as DES3)
allows uninitialized key, but other EVPs (such as AES) does not
allow it. Calling EVP_CipherUpdate() without initializing key causes
SEGV so we set the data filled with "\0" as the key by default. See
#2768.
* test/openssl/test_cipher.rb: test it.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_9_3@32724 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Diffstat (limited to 'ChangeLog')
-rw-r--r-- | ChangeLog | 17 |
1 files changed, 17 insertions, 0 deletions
@@ -1,3 +1,20 @@ +Thu Jul 28 22:51:27 2011 Hiroshi Nakamura <nahi@ruby-lang.org> + + * backport r32723 from trunk. + + * ext/openssl/ossl_cipher.c (ossl_cipher_initialize): Avoid possible + SEGV from AES encryption/decryption. Processing data by + Cipher#update without initializing key (meaningless usage of Cipher + object since we don't offer a way to export a key) could cause SEGV. + + In OpenSSL, the EVP which has EVP_CIPH_RAND_KEY flag (such as DES3) + allows uninitialized key, but other EVPs (such as AES) does not + allow it. Calling EVP_CipherUpdate() without initializing key causes + SEGV so we set the data filled with "\0" as the key by default. See + #2768. + + * test/openssl/test_cipher.rb: test it. + Thu Jul 28 04:53:31 2011 Eric Hodel <drbrain@segment7.net> * lib/delegate.rb: Move file-level documentation to the appropriate |