* ext/openssl/ossl.c

ext/openssl/ossl_pkey_rsa.c ext/openssl/ossl_pkey_dsa.c ext/openssl/ossl_pkey_ec.c: Forbid export passwords that are less than four characters long, as OpenSSL itself does not allow this. Issue found by Eric Hodel. * ext/openssl/ossl_pkey_ec.c: Add export as an alias of to_pem, following the PKey interface contract. * test/openssl/test_pkey_dsa.rb test/openssl/test_pkey_rsa.rb test/openssl/test_pkey_ec.rb: Add tests that assert correct behaviour when dealing with passwords that are less than four characters long. [ruby-core: 42281][ruby-trunk - Bug #5951] git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@36001 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2012-06-10 01:23:21 +00:00 · 2012-06-10 01:23:21 +00:00 · 5bd7899b98
--- a/17
+++ b/17
@ -1,3 +1,20 @@
+Sun Jun 10 10:21:37 2012  Martin Bosslet  <Martin.Bosslet@googlemail.com>
+
+	* ext/openssl/ossl.c
+	  ext/openssl/ossl_pkey_rsa.c
+	  ext/openssl/ossl_pkey_dsa.c
+	  ext/openssl/ossl_pkey_ec.c: Forbid export passwords that are less
+	  than four characters long, as OpenSSL itself does not allow this.
+	  Issue found by Eric Hodel.
+	* ext/openssl/ossl_pkey_ec.c: Add export as an alias of to_pem,
+	  following the PKey interface contract.
+	* test/openssl/test_pkey_dsa.rb
+	  test/openssl/test_pkey_rsa.rb
+	  test/openssl/test_pkey_ec.rb: Add tests that assert correct
+	  behaviour when dealing with passwords that are less than four
+	  characters long.
+	  [ruby-core: 42281][ruby-trunk - Bug #5951]
+
 Sun Jun 10 10:14:26 2012  Tanaka Akira  <akr@fsij.org>

 	* process.c (rb_f_exec): use rb_exec_arg_prepare.
--- a/ext/openssl/ossl.h
+++ b/ext/openssl/ossl.h
@ -74,6 +74,11 @@ extern "C" {
 #  include <openssl/ocsp.h>
 #endif

+/* OpenSSL requires passwords for PEM-encoded files to be at least four
+ * characters long
+ */
+#define OSSL_MIN_PWD_LEN 4
+
 /*
 * Common Module
 */
--- a/ext/openssl/ossl_pkey_dsa.c
+++ b/ext/openssl/ossl_pkey_dsa.c
@ -318,7 +318,10 @@ ossl_dsa_export(int argc, VALUE *argv, VALUE self)
    if (!NIL_P(cipher)) {
 	ciph = GetCipherPtr(cipher);
 	if (!NIL_P(pass)) {
-	    passwd = StringValuePtr(pass);
+	    StringValue(pass);
+	    if (RSTRING_LENINT(pass) < OSSL_MIN_PWD_LEN)
+		ossl_raise(eOSSLError, "OpenSSL requires passwords to be at least four characters long");
+	    passwd = RSTRING_PTR(pass);
 	}
    }
    if (!(out = BIO_new(BIO_s_mem()))) {
--- a/ext/openssl/ossl_pkey_ec.c
+++ b/ext/openssl/ossl_pkey_ec.c
@ -493,7 +493,10 @@ static VALUE ossl_ec_key_to_string(VALUE self, VALUE ciph, VALUE pass, int forma
 	    if (!NIL_P(ciph)) {
 		cipher = GetCipherPtr(ciph);
 		if (!NIL_P(pass)) {
-		    password = StringValuePtr(pass);
+		    StringValue(pass);
+		    if (RSTRING_LENINT(pass) < OSSL_MIN_PWD_LEN)
+			ossl_raise(eOSSLError, "OpenSSL requires passwords to be at least four characters long");
+		    password = RSTRING_PTR(pass);
 		}
 	    }
 	    else {
@ -530,8 +533,8 @@ static VALUE ossl_ec_key_to_string(VALUE self, VALUE ciph, VALUE pass, int forma

 /*
 *  call-seq:
- *     key.to_pem   => String
- *     key.to_pem(cipher, pass_phrase) => String
+ *     key.export   => String
+ *     key.export(cipher, pass_phrase) => String
 *
 * Outputs the EC key in PEM encoding.  If +cipher+ and +pass_phrase+ are
 * given they will be used to encrypt the key.  +cipher+ must be an
@ -540,7 +543,7 @@ static VALUE ossl_ec_key_to_string(VALUE self, VALUE ciph, VALUE pass, int forma
 * text.
 *
 */
-static VALUE ossl_ec_key_to_pem(int argc, VALUE *argv, VALUE self)
+static VALUE ossl_ec_key_export(int argc, VALUE *argv, VALUE self)
 {
    VALUE cipher, passwd;
    rb_scan_args(argc, argv, "02", &cipher, &passwd);
@ -1533,7 +1536,8 @@ void Init_ossl_ec()
    rb_define_method(cEC, "dsa_verify_asn1", ossl_ec_key_dsa_verify_asn1, 2);
 /* do_sign/do_verify */

-    rb_define_method(cEC, "to_pem", ossl_ec_key_to_pem, -1);
+    rb_define_method(cEC, "export", ossl_ec_key_export, -1);
+    rb_define_alias(cEC, "to_pem", "export");
    rb_define_method(cEC, "to_der", ossl_ec_key_to_der, 0);
    rb_define_method(cEC, "to_text", ossl_ec_key_to_text, 0);

--- a/ext/openssl/ossl_pkey_rsa.c
+++ b/ext/openssl/ossl_pkey_rsa.c
@ -314,7 +314,10 @@ ossl_rsa_export(int argc, VALUE *argv, VALUE self)
    if (!NIL_P(cipher)) {
 	ciph = GetCipherPtr(cipher);
 	if (!NIL_P(pass)) {
-	    passwd = StringValuePtr(pass);
+	    StringValue(pass);
+	    if (RSTRING_LENINT(pass) < OSSL_MIN_PWD_LEN)
+		ossl_raise(eOSSLError, "OpenSSL requires passwords to be at least four characters long");
+	    passwd = RSTRING_PTR(pass);
 	}
    }
    if (!(out = BIO_new(BIO_s_mem()))) {
--- a/test/openssl/test_pkey_dsa.rb
+++ b/test/openssl/test_pkey_dsa.rb
@ -218,6 +218,15 @@ YNMbNw==
    assert_equal([], OpenSSL.errors)
  end

+  def test_export_password_length
+    key = OpenSSL::TestUtils::TEST_KEY_DSA256
+    assert_raise(OpenSSL::OpenSSLError) do
+      key.export(OpenSSL::Cipher.new('AES-128-CBC'), 'sec')
+    end
+    pem = key.export(OpenSSL::Cipher.new('AES-128-CBC'), 'secr')
+    assert(pem)
+  end
+
  private

  def check_sign_verify(digest)
--- a/test/openssl/test_pkey_ec.rb
+++ b/test/openssl/test_pkey_ec.rb
@ -175,6 +175,15 @@ class OpenSSL::TestEC < Test::Unit::TestCase
    assert_equal([], OpenSSL.errors)
  end

+  def test_export_password_length
+    key = OpenSSL::TestUtils::TEST_KEY_EC_P256V1
+    assert_raise(OpenSSL::OpenSSLError) do
+      key.export(OpenSSL::Cipher.new('AES-128-CBC'), 'sec')
+    end
+    pem = key.export(OpenSSL::Cipher.new('AES-128-CBC'), 'secr')
+    assert(pem)
+  end
+
 # test Group: asn1_flag, point_conversion

 end
--- a/test/openssl/test_pkey_rsa.rb
+++ b/test/openssl/test_pkey_rsa.rb
@ -244,6 +244,15 @@ AwEAAQ==
    assert_equal([], OpenSSL.errors)
  end

+  def test_export_password_length
+    key = OpenSSL::TestUtils::TEST_KEY_RSA1024
+    assert_raise(OpenSSL::OpenSSLError) do
+      key.export(OpenSSL::Cipher.new('AES-128-CBC'), 'sec')
+    end
+    pem = key.export(OpenSSL::Cipher.new('AES-128-CBC'), 'secr')
+    assert(pem)
+  end
+
  private

  def check_PUBKEY(asn1, key)