From f52ab6e4940f9095c4fc5e2f7860bd56747f1c7c Mon Sep 17 00:00:00 2001
From: rhe <rhe@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
Date: Fri, 20 May 2016 15:05:25 +0000
Subject: openssl: improve handling of password for encrypted PEM

* ext/openssl/ossl.c (ossl_pem_passwd_value): Added. Convert the
  argument to String with StringValue() and validate the length is in
  4..PEM_BUFSIZE. PEM_BUFSIZE is a macro defined in OpenSSL headers.
  (ossl_pem_passwd_cb): When reading/writing encrypted PEM format, we
  used to pass the password to PEM_def_callback() directly but it was
  problematic. It is not NUL character safe. And surprisingly, it
  silently truncates the password to 1024 bytes.  [GH ruby/openssl#51]

* ext/openssl/ossl.h: Add function prototype declaration of newly
  added ossl_pem_passwd_value().

* ext/openssl/ossl_pkey.c (ossl_pkey_new_from_data): Use
  ossl_pem_passwd_value() to validate the password String.

* ext/openssl/ossl_pkey_dsa.c (ossl_dsa_initialize, ossl_dsa_export):
  ditto.

* ext/openssl/ossl_pkey_ec.c (ossl_ec_key_initialize,
  ossl_ec_key_to_string): ditto.

* ext/openssl/ossl_pkey_rsa.c (ossl_rsa_initialize, ossl_rsa_export):
  ditto.

* test/openssl/test_pkey_{dsa,ec,rsa}.rb: test this.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55087 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 ChangeLog | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

(limited to 'ChangeLog')

diff --git a/ChangeLog b/ChangeLog
index 7d6c88f0c9..26e1e21b7f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,30 @@
+Fri May 20 23:25:42 2016  Kazuki Yamaguchi  <k@rhe.jp>
+
+	* ext/openssl/ossl.c (ossl_pem_passwd_value): Added. Convert the
+	  argument to String with StringValue() and validate the length is in
+	  4..PEM_BUFSIZE. PEM_BUFSIZE is a macro defined in OpenSSL headers.
+	  (ossl_pem_passwd_cb): When reading/writing encrypted PEM format, we
+	  used to pass the password to PEM_def_callback() directly but it was
+	  problematic. It is not NUL character safe. And surprisingly, it
+	  silently truncates the password to 1024 bytes.  [GH ruby/openssl#51]
+
+	* ext/openssl/ossl.h: Add function prototype declaration of newly
+	  added ossl_pem_passwd_value().
+
+	* ext/openssl/ossl_pkey.c (ossl_pkey_new_from_data): Use
+	  ossl_pem_passwd_value() to validate the password String.
+
+	* ext/openssl/ossl_pkey_dsa.c (ossl_dsa_initialize, ossl_dsa_export):
+	  ditto.
+
+	* ext/openssl/ossl_pkey_ec.c (ossl_ec_key_initialize,
+	  ossl_ec_key_to_string): ditto.
+
+	* ext/openssl/ossl_pkey_rsa.c (ossl_rsa_initialize, ossl_rsa_export):
+	  ditto.
+
+	* test/openssl/test_pkey_{dsa,ec,rsa}.rb: test this.
+
 Fri May 20 23:45:53 2016  Naohisa Goto  <ngotogenome@gmail.com>
 
 	* id_table.c (list_id_table_init): When unaligned word access is
-- 
cgit v1.2.3