summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--ChangeLog17
-rw-r--r--ext/openssl/ossl.h5
-rw-r--r--ext/openssl/ossl_pkey_dsa.c5
-rw-r--r--ext/openssl/ossl_pkey_ec.c14
-rw-r--r--ext/openssl/ossl_pkey_rsa.c5
-rw-r--r--test/openssl/test_pkey_dsa.rb9
-rw-r--r--test/openssl/test_pkey_ec.rb9
-rw-r--r--test/openssl/test_pkey_rsa.rb9
8 files changed, 66 insertions, 7 deletions
diff --git a/ChangeLog b/ChangeLog
index c78803bf739..80d2dc48733 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,20 @@
+Sun Jun 10 10:21:37 2012 Martin Bosslet <Martin.Bosslet@googlemail.com>
+
+ * ext/openssl/ossl.c
+ ext/openssl/ossl_pkey_rsa.c
+ ext/openssl/ossl_pkey_dsa.c
+ ext/openssl/ossl_pkey_ec.c: Forbid export passwords that are less
+ than four characters long, as OpenSSL itself does not allow this.
+ Issue found by Eric Hodel.
+ * ext/openssl/ossl_pkey_ec.c: Add export as an alias of to_pem,
+ following the PKey interface contract.
+ * test/openssl/test_pkey_dsa.rb
+ test/openssl/test_pkey_rsa.rb
+ test/openssl/test_pkey_ec.rb: Add tests that assert correct
+ behaviour when dealing with passwords that are less than four
+ characters long.
+ [ruby-core: 42281][ruby-trunk - Bug #5951]
+
Sun Jun 10 10:14:26 2012 Tanaka Akira <akr@fsij.org>
* process.c (rb_f_exec): use rb_exec_arg_prepare.
diff --git a/ext/openssl/ossl.h b/ext/openssl/ossl.h
index 97095f7d6f0..f8023bc8c61 100644
--- a/ext/openssl/ossl.h
+++ b/ext/openssl/ossl.h
@@ -74,6 +74,11 @@ extern "C" {
# include <openssl/ocsp.h>
#endif
+/* OpenSSL requires passwords for PEM-encoded files to be at least four
+ * characters long
+ */
+#define OSSL_MIN_PWD_LEN 4
+
/*
* Common Module
*/
diff --git a/ext/openssl/ossl_pkey_dsa.c b/ext/openssl/ossl_pkey_dsa.c
index 6fc3a44bbc2..d3e91f00e3e 100644
--- a/ext/openssl/ossl_pkey_dsa.c
+++ b/ext/openssl/ossl_pkey_dsa.c
@@ -318,7 +318,10 @@ ossl_dsa_export(int argc, VALUE *argv, VALUE self)
if (!NIL_P(cipher)) {
ciph = GetCipherPtr(cipher);
if (!NIL_P(pass)) {
- passwd = StringValuePtr(pass);
+ StringValue(pass);
+ if (RSTRING_LENINT(pass) < OSSL_MIN_PWD_LEN)
+ ossl_raise(eOSSLError, "OpenSSL requires passwords to be at least four characters long");
+ passwd = RSTRING_PTR(pass);
}
}
if (!(out = BIO_new(BIO_s_mem()))) {
diff --git a/ext/openssl/ossl_pkey_ec.c b/ext/openssl/ossl_pkey_ec.c
index cfcaf97ab51..63bb8200e6e 100644
--- a/ext/openssl/ossl_pkey_ec.c
+++ b/ext/openssl/ossl_pkey_ec.c
@@ -493,7 +493,10 @@ static VALUE ossl_ec_key_to_string(VALUE self, VALUE ciph, VALUE pass, int forma
if (!NIL_P(ciph)) {
cipher = GetCipherPtr(ciph);
if (!NIL_P(pass)) {
- password = StringValuePtr(pass);
+ StringValue(pass);
+ if (RSTRING_LENINT(pass) < OSSL_MIN_PWD_LEN)
+ ossl_raise(eOSSLError, "OpenSSL requires passwords to be at least four characters long");
+ password = RSTRING_PTR(pass);
}
}
else {
@@ -530,8 +533,8 @@ static VALUE ossl_ec_key_to_string(VALUE self, VALUE ciph, VALUE pass, int forma
/*
* call-seq:
- * key.to_pem => String
- * key.to_pem(cipher, pass_phrase) => String
+ * key.export => String
+ * key.export(cipher, pass_phrase) => String
*
* Outputs the EC key in PEM encoding. If +cipher+ and +pass_phrase+ are
* given they will be used to encrypt the key. +cipher+ must be an
@@ -540,7 +543,7 @@ static VALUE ossl_ec_key_to_string(VALUE self, VALUE ciph, VALUE pass, int forma
* text.
*
*/
-static VALUE ossl_ec_key_to_pem(int argc, VALUE *argv, VALUE self)
+static VALUE ossl_ec_key_export(int argc, VALUE *argv, VALUE self)
{
VALUE cipher, passwd;
rb_scan_args(argc, argv, "02", &cipher, &passwd);
@@ -1533,7 +1536,8 @@ void Init_ossl_ec()
rb_define_method(cEC, "dsa_verify_asn1", ossl_ec_key_dsa_verify_asn1, 2);
/* do_sign/do_verify */
- rb_define_method(cEC, "to_pem", ossl_ec_key_to_pem, -1);
+ rb_define_method(cEC, "export", ossl_ec_key_export, -1);
+ rb_define_alias(cEC, "to_pem", "export");
rb_define_method(cEC, "to_der", ossl_ec_key_to_der, 0);
rb_define_method(cEC, "to_text", ossl_ec_key_to_text, 0);
diff --git a/ext/openssl/ossl_pkey_rsa.c b/ext/openssl/ossl_pkey_rsa.c
index d3d69134bc8..3fbd87fb488 100644
--- a/ext/openssl/ossl_pkey_rsa.c
+++ b/ext/openssl/ossl_pkey_rsa.c
@@ -314,7 +314,10 @@ ossl_rsa_export(int argc, VALUE *argv, VALUE self)
if (!NIL_P(cipher)) {
ciph = GetCipherPtr(cipher);
if (!NIL_P(pass)) {
- passwd = StringValuePtr(pass);
+ StringValue(pass);
+ if (RSTRING_LENINT(pass) < OSSL_MIN_PWD_LEN)
+ ossl_raise(eOSSLError, "OpenSSL requires passwords to be at least four characters long");
+ passwd = RSTRING_PTR(pass);
}
}
if (!(out = BIO_new(BIO_s_mem()))) {
diff --git a/test/openssl/test_pkey_dsa.rb b/test/openssl/test_pkey_dsa.rb
index 4bf64a51beb..555637e7a49 100644
--- a/test/openssl/test_pkey_dsa.rb
+++ b/test/openssl/test_pkey_dsa.rb
@@ -218,6 +218,15 @@ YNMbNw==
assert_equal([], OpenSSL.errors)
end
+ def test_export_password_length
+ key = OpenSSL::TestUtils::TEST_KEY_DSA256
+ assert_raise(OpenSSL::OpenSSLError) do
+ key.export(OpenSSL::Cipher.new('AES-128-CBC'), 'sec')
+ end
+ pem = key.export(OpenSSL::Cipher.new('AES-128-CBC'), 'secr')
+ assert(pem)
+ end
+
private
def check_sign_verify(digest)
diff --git a/test/openssl/test_pkey_ec.rb b/test/openssl/test_pkey_ec.rb
index e63f617140a..a663bb07572 100644
--- a/test/openssl/test_pkey_ec.rb
+++ b/test/openssl/test_pkey_ec.rb
@@ -175,6 +175,15 @@ class OpenSSL::TestEC < Test::Unit::TestCase
assert_equal([], OpenSSL.errors)
end
+ def test_export_password_length
+ key = OpenSSL::TestUtils::TEST_KEY_EC_P256V1
+ assert_raise(OpenSSL::OpenSSLError) do
+ key.export(OpenSSL::Cipher.new('AES-128-CBC'), 'sec')
+ end
+ pem = key.export(OpenSSL::Cipher.new('AES-128-CBC'), 'secr')
+ assert(pem)
+ end
+
# test Group: asn1_flag, point_conversion
end
diff --git a/test/openssl/test_pkey_rsa.rb b/test/openssl/test_pkey_rsa.rb
index 815f49b61ee..1881525c02e 100644
--- a/test/openssl/test_pkey_rsa.rb
+++ b/test/openssl/test_pkey_rsa.rb
@@ -244,6 +244,15 @@ AwEAAQ==
assert_equal([], OpenSSL.errors)
end
+ def test_export_password_length
+ key = OpenSSL::TestUtils::TEST_KEY_RSA1024
+ assert_raise(OpenSSL::OpenSSLError) do
+ key.export(OpenSSL::Cipher.new('AES-128-CBC'), 'sec')
+ end
+ pem = key.export(OpenSSL::Cipher.new('AES-128-CBC'), 'secr')
+ assert(pem)
+ end
+
private
def check_PUBKEY(asn1, key)