ruby-changes:74039
From: Kazuki <ko1@a...>
Date: Mon, 17 Oct 2022 16:43:26 +0900 (JST)
Subject: [ruby-changes:74039] 65bba0ef6f (master): [ruby/openssl] hmac: use EVP_PKEY_new_raw_private_key() if available
https://git.ruby-lang.org/ruby.git/commit/?id=65bba0ef6f From 65bba0ef6fa104324d34079f107f9c72ed8d0e2f Mon Sep 17 00:00:00 2001 From: Kazuki Yamaguchi <k@r...> Date: Thu, 1 Sep 2022 15:59:52 +0900 Subject: [ruby/openssl] hmac: use EVP_PKEY_new_raw_private_key() if available Current OpenSSL 3.0.x release has a regression with zero-length MAC keys. While this issue should be fixed in a future release of OpenSSL, we can use EVP_PKEY_new_raw_private_key() in place of the problematic EVP_PKEY_new_mac_key() to avoid the issue. OpenSSL 3.0's man page recommends using it regardless: > EVP_PKEY_new_mac_key() works in the same way as > EVP_PKEY_new_raw_private_key(). New applications should use > EVP_PKEY_new_raw_private_key() instead. Fixes https://github.com/ruby/openssl/issues/369#issuecomment-1224912710 https://github.com/ruby/openssl/commit/4293f18b1f --- ext/openssl/extconf.rb | 1 + ext/openssl/ossl_hmac.c | 8 ++++++++ test/openssl/test_hmac.rb | 8 ++++++++ 3 files changed, 17 insertions(+) diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb index f8be3e9e03..fd96533569 100644 --- a/ext/openssl/extconf.rb +++ b/ext/openssl/extconf.rb @@ -174,6 +174,7 @@ have_func("SSL_CTX_set_post_handshake_auth", ssl_h) https://github.com/ruby/ruby/blob/trunk/ext/openssl/extconf.rb#L174 # added in 1.1.1 have_func("EVP_PKEY_check", evp_h) +have_func("EVP_PKEY_new_raw_private_key", evp_h) have_func("SSL_CTX_set_ciphersuites", ssl_h) # added in 3.0.0 diff --git a/ext/openssl/ossl_hmac.c b/ext/openssl/ossl_hmac.c index bfe3a74b12..1a5f471a27 100644 --- a/ext/openssl/ossl_hmac.c +++ b/ext/openssl/ossl_hmac.c @@ -97,11 +97,19 @@ ossl_hmac_initialize(VALUE self, VALUE key, VALUE digest) https://github.com/ruby/ruby/blob/trunk/ext/openssl/ossl_hmac.c#L97 GetHMAC(self, ctx); StringValue(key); +#ifdef HAVE_EVP_PKEY_NEW_RAW_PRIVATE_KEY + pkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL, + (unsigned char *)RSTRING_PTR(key), + RSTRING_LENINT(key)); + if (!pkey) + ossl_raise(eHMACError, "EVP_PKEY_new_raw_private_key"); +#else pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, (unsigned char *)RSTRING_PTR(key), RSTRING_LENINT(key)); if (!pkey) ossl_raise(eHMACError, "EVP_PKEY_new_mac_key"); +#endif if (EVP_DigestSignInit(ctx, NULL, ossl_evp_get_digestbyname(digest), NULL, pkey) != 1) { EVP_PKEY_free(pkey); diff --git a/test/openssl/test_hmac.rb b/test/openssl/test_hmac.rb index 2f53a813e1..3cb707448a 100644 --- a/test/openssl/test_hmac.rb +++ b/test/openssl/test_hmac.rb @@ -62,6 +62,14 @@ class OpenSSL::TestHMAC < OpenSSL::TestCase https://github.com/ruby/ruby/blob/trunk/test/openssl/test_hmac.rb#L62 b64digest = OpenSSL::HMAC.base64digest("MD5", key, "Hi There") assert_equal "kpRyejY4uxwT9I74FYv8nQ==", b64digest end + + def test_zero_length_key + # Empty string as the key + hexdigest = OpenSSL::HMAC.hexdigest("SHA256", "\0"*32, "test") + assert_equal "43b0cef99265f9e34c10ea9d3501926d27b39f57c6d674561d8ba236e7a819fb", hexdigest + hexdigest = OpenSSL::HMAC.hexdigest("SHA256", "", "test") + assert_equal "43b0cef99265f9e34c10ea9d3501926d27b39f57c6d674561d8ba236e7a819fb", hexdigest + end end end -- cgit v1.2.3 -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/