AEAD encrypted cookies and sessions

This commit changes encrypted cookies from AES in CBC HMAC mode to Authenticated Encryption using AES-GCM. It also provides a cookie jar to transparently upgrade encrypted cookies to this new scheme. Some other notable changes include: - There is a new application configuration value: +use_authenticated_cookie_encryption+. When enabled, AEAD encrypted cookies will be used. - +cookies.signed+ does not raise a +TypeError+ now if the name of an encrypted cookie is used. Encrypted cookies using the same key as signed cookies would be verified and serialization would then fail due the message still be encrypted.
author: Michael Coyne <mikeycgto@gmail.com> 2017-02-23 13:54:17 -0500
committer: Michael Coyne <mikeycgto@gmail.com> 2017-05-22 08:50:36 +0000
commit: 5a3ba63d9abad86b7f6dd36a92cfaf722e52760b (patch)
tree: 523981cf2bfddf5941218a463a8b19544c28db65
parent: 7a2041335f2a5f86179e303fa84a4653f58e1620 (diff)
download: rails-5a3ba63d9abad86b7f6dd36a92cfaf722e52760b.tar.gz
rails-5a3ba63d9abad86b7f6dd36a92cfaf722e52760b.tar.bz2
rails-5a3ba63d9abad86b7f6dd36a92cfaf722e52760b.zip
10 files changed, 295 insertions, 108 deletions
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index 86ea9a7ce6..54937617df 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -1,3 +1,13 @@
+*   AEAD encrypted cookies and sessions with GCM
+
+    Encrypted cookies now use AES-GCM which couples authentication and
+    encryption in one faster step and produces shorter ciphertexts. Cookies
+    encrypted using AES in CBC HMAC mode will be seamlessly upgraded when
+    this new mode is enabled via the
+    `action_dispatch.use_authenticated_cookie_encryption` configuration value.
+
+    *Michael J Coyne*
+
 *   Change the cache key format for fragments to make it easier to debug key churn. The new format is:
 
         views/template/action.html.erb:7a1156131a6928cb0026877f8b749ac9/projects/123
diff --git a/actionpack/lib/action_dispatch/middleware/cookies.rb b/actionpack/lib/action_dispatch/middleware/cookies.rb
index e565c03a8a..c0dda1bba5 100644
--- a/actionpack/lib/action_dispatch/middleware/cookies.rb
+++ b/actionpack/lib/action_dispatch/middleware/cookies.rb
@@ -43,6 +43,10 @@ module ActionDispatch
       get_header Cookies::ENCRYPTED_SIGNED_COOKIE_SALT
     end
 
+    def authenticated_encrypted_cookie_salt
+      get_header Cookies::AUTHENTICATED_ENCRYPTED_COOKIE_SALT
+    end
+
     def secret_token
       get_header Cookies::SECRET_TOKEN
     end
@@ -149,6 +153,7 @@ module ActionDispatch
     SIGNED_COOKIE_SALT = "action_dispatch.signed_cookie_salt".freeze
     ENCRYPTED_COOKIE_SALT = "action_dispatch.encrypted_cookie_salt".freeze
     ENCRYPTED_SIGNED_COOKIE_SALT = "action_dispatch.encrypted_signed_cookie_salt".freeze
+    AUTHENTICATED_ENCRYPTED_COOKIE_SALT = "action_dispatch.authenticated_encrypted_cookie_salt".freeze
     SECRET_TOKEN = "action_dispatch.secret_token".freeze
     SECRET_KEY_BASE = "action_dispatch.secret_key_base".freeze
     COOKIES_SERIALIZER = "action_dispatch.cookies_serializer".freeze
@@ -207,6 +212,9 @@ module ActionDispatch
       # If +secrets.secret_key_base+ and +secrets.secret_token+ (deprecated) are both set,
       # legacy cookies signed with the old key generator will be transparently upgraded.
       #
+      # If +config.action_dispatch.encrypted_cookie_salt+ and +config.action_dispatch.encrypted_signed_cookie_salt+
+      # are both set, legacy cookies encrypted with HMAC AES-256-CBC will be transparently upgraded.
+      #
       # This jar requires that you set a suitable secret for the verification on your app's +secrets.secret_key_base+.
       #
       # Example:
@@ -219,6 +227,8 @@ module ActionDispatch
         @encrypted ||=
           if upgrade_legacy_signed_cookies?
             UpgradeLegacyEncryptedCookieJar.new(self)
+          elsif upgrade_legacy_hmac_aes_cbc_cookies?
+            UpgradeLegacyHmacAesCbcCookieJar.new(self)
           else
             EncryptedCookieJar.new(self)
           end
@@ -240,6 +250,13 @@ module ActionDispatch
         def upgrade_legacy_signed_cookies?
           request.secret_token.present? && request.secret_key_base.present?
         end
+
+        def upgrade_legacy_hmac_aes_cbc_cookies?
+          request.secret_key_base.present?                       &&
+            request.authenticated_encrypted_cookie_salt.present? &&
+            request.encrypted_signed_cookie_salt.present?        &&
+            request.encrypted_cookie_salt.present?
+        end
     end
 
     # Passing the ActiveSupport::MessageEncryptor::NullSerializer downstream
@@ -576,9 +593,11 @@ module ActionDispatch
             "Read the upgrade documentation to learn more about this new config option."
         end
 
-        secret = key_generator.generate_key(request.encrypted_cookie_salt || "")[0, ActiveSupport::MessageEncryptor.key_len]
-        sign_secret = key_generator.generate_key(request.encrypted_signed_cookie_salt || "")
-        @encryptor = ActiveSupport::MessageEncryptor.new(secret, sign_secret, digest: digest, serializer: ActiveSupport::MessageEncryptor::NullSerializer)
+        cipher = "aes-256-gcm"
+        key_len = ActiveSupport::MessageEncryptor.key_len(cipher)
+        secret = key_generator.generate_key(request.authenticated_encrypted_cookie_salt || "")[0, key_len]
+
+        @encryptor = ActiveSupport::MessageEncryptor.new(secret, cipher: cipher, serializer: ActiveSupport::MessageEncryptor::NullSerializer)
       end
 
       private
@@ -603,6 +622,32 @@ module ActionDispatch
       include VerifyAndUpgradeLegacySignedMessage
     end
 
+    # UpgradeLegacyHmacAesCbcCookieJar is used by ActionDispatch::Session::CookieStore
+    # to upgrade cookies encrypted with AES-256-CBC with HMAC to AES-256-GCM
+    class UpgradeLegacyHmacAesCbcCookieJar < EncryptedCookieJar
+      def initialize(parent_jar)
+        super
+
+        secret = key_generator.generate_key(request.encrypted_cookie_salt || "")[0, ActiveSupport::MessageEncryptor.key_len]
+        sign_secret = key_generator.generate_key(request.encrypted_signed_cookie_salt || "")
+
+        @legacy_encryptor = ActiveSupport::MessageEncryptor.new(secret, sign_secret, digest: digest, serializer: ActiveSupport::MessageEncryptor::NullSerializer)
+      end
+
+      def decrypt_and_verify_legacy_encrypted_message(name, signed_message)
+        deserialize(name, @legacy_encryptor.decrypt_and_verify(signed_message)).tap do |value|
+          self[name] = { value: value }
+        end
+      rescue ActiveSupport::MessageVerifier::InvalidSignature, ActiveSupport::MessageEncryptor::InvalidMessage
+        nil
+      end
+
+      private
+        def parse(name, signed_message)
+          super || decrypt_and_verify_legacy_encrypted_message(name, signed_message)
+        end
+    end
+
     def initialize(app)
       @app = app
     end
diff --git a/actionpack/lib/action_dispatch/railtie.rb b/actionpack/lib/action_dispatch/railtie.rb
index 16a18a7f25..7662e164b8 100644
--- a/actionpack/lib/action_dispatch/railtie.rb
+++ b/actionpack/lib/action_dispatch/railtie.rb
@@ -16,6 +16,7 @@ module ActionDispatch
     config.action_dispatch.signed_cookie_salt = "signed cookie"
     config.action_dispatch.encrypted_cookie_salt = "encrypted cookie"
     config.action_dispatch.encrypted_signed_cookie_salt = "signed encrypted cookie"
+    config.action_dispatch.use_authenticated_cookie_encryption = false
     config.action_dispatch.perform_deep_munge = true
 
     config.action_dispatch.default_headers = {
@@ -36,6 +37,8 @@ module ActionDispatch
       ActionDispatch::ExceptionWrapper.rescue_responses.merge!(config.action_dispatch.rescue_responses)
       ActionDispatch::ExceptionWrapper.rescue_templates.merge!(config.action_dispatch.rescue_templates)
 
+      config.action_dispatch.authenticated_encrypted_cookie_salt = "authenticated encrypted cookie" if config.action_dispatch.use_authenticated_cookie_encryption
+
       config.action_dispatch.always_write_cookie = Rails.env.development? if config.action_dispatch.always_write_cookie.nil?
       ActionDispatch::Cookies::CookieJar.always_write_cookie = config.action_dispatch.always_write_cookie
 
diff --git a/actionpack/test/dispatch/cookies_test.rb b/actionpack/test/dispatch/cookies_test.rb
index 664faa31bb..e5646de82e 100644
--- a/actionpack/test/dispatch/cookies_test.rb
+++ b/actionpack/test/dispatch/cookies_test.rb
@@ -288,8 +288,7 @@ class CookiesTest < ActionController::TestCase
     @request.env["action_dispatch.key_generator"] = ActiveSupport::KeyGenerator.new(SALT, iterations: 2)
 
     @request.env["action_dispatch.signed_cookie_salt"] =
-      @request.env["action_dispatch.encrypted_cookie_salt"] =
-      @request.env["action_dispatch.encrypted_signed_cookie_salt"] = SALT
+      @request.env["action_dispatch.authenticated_encrypted_cookie_salt"] = SALT
 
     @request.host = "www.nextangle.com"
   end
@@ -531,9 +530,7 @@ class CookiesTest < ActionController::TestCase
     get :set_encrypted_cookie
     cookies = @controller.send :cookies
     assert_not_equal "bar", cookies[:foo]
-    assert_raise TypeError do
-      cookies.signed[:foo]
-    end
+    assert_nil cookies.signed[:foo]
     assert_equal "bar", cookies.encrypted[:foo]
   end
 
@@ -542,9 +539,7 @@ class CookiesTest < ActionController::TestCase
     get :set_encrypted_cookie
     cookies = @controller.send :cookies
     assert_not_equal "bar", cookies[:foo]
-    assert_raises TypeError do
-      cookies.signed[:foo]
-    end
+    assert_nil cookies.signed[:foo]
     assert_equal "bar", cookies.encrypted[:foo]
   end
 
@@ -553,9 +548,7 @@ class CookiesTest < ActionController::TestCase
     get :set_encrypted_cookie
     cookies = @controller.send :cookies
     assert_not_equal "bar", cookies[:foo]
-    assert_raises ::JSON::ParserError do
-      cookies.signed[:foo]
-    end
+    assert_nil cookies.signed[:foo]
     assert_equal "bar", cookies.encrypted[:foo]
   end
 
@@ -564,9 +557,7 @@ class CookiesTest < ActionController::TestCase
     get :set_wrapped_encrypted_cookie
     cookies = @controller.send :cookies
     assert_not_equal "wrapped: bar", cookies[:foo]
-    assert_raises ::JSON::ParserError do
-      cookies.signed[:foo]
-    end
+    assert_nil cookies.signed[:foo]
     assert_equal "wrapped: bar", cookies.encrypted[:foo]
   end
 
@@ -577,38 +568,16 @@ class CookiesTest < ActionController::TestCase
     assert_equal "bar was dumped and loaded", cookies.encrypted[:foo]
   end
 
-  def test_encrypted_cookie_using_custom_digest
-    @request.env["action_dispatch.cookies_digest"] = "SHA256"
-    get :set_encrypted_cookie
-    cookies = @controller.send :cookies
-    assert_not_equal "bar", cookies[:foo]
-    assert_equal "bar", cookies.encrypted[:foo]
-
-    sign_secret = @request.env["action_dispatch.key_generator"].generate_key(@request.env["action_dispatch.encrypted_signed_cookie_salt"])
-
-    sha1_verifier   = ActiveSupport::MessageVerifier.new(sign_secret, serializer: ActiveSupport::MessageEncryptor::NullSerializer, digest: "SHA1")
-    sha256_verifier = ActiveSupport::MessageVerifier.new(sign_secret, serializer: ActiveSupport::MessageEncryptor::NullSerializer, digest: "SHA256")
-
-    assert_raises(ActiveSupport::MessageVerifier::InvalidSignature) do
-      sha1_verifier.verify(cookies[:foo])
-    end
-
-    assert_nothing_raised do
-      sha256_verifier.verify(cookies[:foo])
-    end
-  end
-
   def test_encrypted_cookie_using_hybrid_serializer_can_migrate_marshal_dumped_value_to_json
     @request.env["action_dispatch.cookies_serializer"] = :hybrid
 
-    key_generator = @request.env["action_dispatch.key_generator"]
-    encrypted_cookie_salt = @request.env["action_dispatch.encrypted_cookie_salt"]
-    encrypted_signed_cookie_salt = @request.env["action_dispatch.encrypted_signed_cookie_salt"]
-    secret = key_generator.generate_key(encrypted_cookie_salt)
-    sign_secret = key_generator.generate_key(encrypted_signed_cookie_salt)
+    cipher = "aes-256-gcm"
+    salt = @request.env["action_dispatch.authenticated_encrypted_cookie_salt"]
+    secret = @request.env["action_dispatch.key_generator"].generate_key(salt)[0, ActiveSupport::MessageEncryptor.key_len(cipher)]
+    encryptor = ActiveSupport::MessageEncryptor.new(secret, cipher: cipher, serializer: Marshal)
 
-    marshal_value = ActiveSupport::MessageEncryptor.new(secret[0, ActiveSupport::MessageEncryptor.key_len], sign_secret, serializer: Marshal).encrypt_and_sign("bar")
-    @request.headers["Cookie"] = "foo=#{marshal_value}"
+    marshal_value = encryptor.encrypt_and_sign("bar")
+    @request.headers["Cookie"] = "foo=#{::Rack::Utils.escape marshal_value}"
 
     get :get_encrypted_cookie
 
@@ -616,40 +585,28 @@ class CookiesTest < ActionController::TestCase
     assert_not_equal "bar", cookies[:foo]
     assert_equal "bar", cookies.encrypted[:foo]
 
-    encryptor = ActiveSupport::MessageEncryptor.new(secret[0, ActiveSupport::MessageEncryptor.key_len], sign_secret, serializer: JSON)
-    assert_equal "bar", encryptor.decrypt_and_verify(@response.cookies["foo"])
+    json_encryptor = ActiveSupport::MessageEncryptor.new(secret, cipher: cipher, serializer: JSON)
+    assert_not_nil @response.cookies["foo"]
+    assert_equal "bar", json_encryptor.decrypt_and_verify(@response.cookies["foo"])
   end
 
   def test_encrypted_cookie_using_hybrid_serializer_can_read_from_json_dumped_value
     @request.env["action_dispatch.cookies_serializer"] = :hybrid
 
-    key_generator = @request.env["action_dispatch.key_generator"]
-    encrypted_cookie_salt = @request.env["action_dispatch.encrypted_cookie_salt"]
-    encrypted_signed_cookie_salt = @request.env["action_dispatch.encrypted_signed_cookie_salt"]
-    secret = key_generator.generate_key(encrypted_cookie_salt)
-    sign_secret = key_generator.generate_key(encrypted_signed_cookie_salt)
-    json_value = ActiveSupport::MessageEncryptor.new(secret[0, ActiveSupport::MessageEncryptor.key_len], sign_secret, serializer: JSON).encrypt_and_sign("bar")
-    @request.headers["Cookie"] = "foo=#{json_value}"
-
-    get :get_encrypted_cookie
+    cipher = "aes-256-gcm"
+    salt = @request.env["action_dispatch.authenticated_encrypted_cookie_salt"]
+    secret = @request.env["action_dispatch.key_generator"].generate_key(salt)[0, ActiveSupport::MessageEncryptor.key_len(cipher)]
+    encryptor = ActiveSupport::MessageEncryptor.new(secret, cipher: cipher, serializer: JSON)
 
-    cookies = @controller.send :cookies
-    assert_not_equal "bar", cookies[:foo]
-    assert_equal "bar", cookies.encrypted[:foo]
-
-    assert_nil @response.cookies["foo"]
-  end
-
-  def test_compat_encrypted_cookie_using_64_byte_key
-    # Cookie generated with 64 bytes secret
-    message = ["566d4e75536d686e633246564e6b493062557079626c566d51574d30515430394c53315665564a694e4563786555744f57537454576b396a5a31566a626e52525054303d2d2d34663234333330623130623261306163363562316266323335396164666364613564643134623131"].pack("H*")
-    @request.headers["Cookie"] = "foo=#{message}"
+    json_value = encryptor.encrypt_and_sign("bar")
+    @request.headers["Cookie"] = "foo=#{::Rack::Utils.escape json_value}"
 
     get :get_encrypted_cookie
 
     cookies = @controller.send :cookies
     assert_not_equal "bar", cookies[:foo]
     assert_equal "bar", cookies.encrypted[:foo]
+
     assert_nil @response.cookies["foo"]
   end
 
@@ -813,10 +770,10 @@ class CookiesTest < ActionController::TestCase
 
     assert_equal "bar", @controller.send(:cookies).encrypted[:foo]
 
-    key_generator = @request.env["action_dispatch.key_generator"]
-    secret = key_generator.generate_key(@request.env["action_dispatch.encrypted_cookie_salt"])
-    sign_secret = key_generator.generate_key(@request.env["action_dispatch.encrypted_signed_cookie_salt"])
-    encryptor = ActiveSupport::MessageEncryptor.new(secret[0, ActiveSupport::MessageEncryptor.key_len], sign_secret)
+    cipher = "aes-256-gcm"
+    salt = @request.env["action_dispatch.authenticated_encrypted_cookie_salt"]
+    secret = @request.env["action_dispatch.key_generator"].generate_key(salt)[0, ActiveSupport::MessageEncryptor.key_len(cipher)]
+    encryptor = ActiveSupport::MessageEncryptor.new(secret, cipher: cipher, serializer: Marshal)
     assert_equal "bar", encryptor.decrypt_and_verify(@response.cookies["foo"])
   end
 
@@ -842,8 +799,6 @@ class CookiesTest < ActionController::TestCase
     @request.env["action_dispatch.cookies_serializer"] = :json
     @request.env["action_dispatch.secret_token"] = "b3c631c314c0bbca50c1b2843150fe33"
     @request.env["action_dispatch.secret_key_base"] = "c3b95688f35581fad38df788add315ff"
-    @request.env["action_dispatch.encrypted_cookie_salt"] = "4433796b79d99a7735553e316522acee"
-    @request.env["action_dispatch.encrypted_signed_cookie_salt"] = "00646eb40062e1b1deff205a27cd30f9"
 
     legacy_value = ActiveSupport::MessageVerifier.new("b3c631c314c0bbca50c1b2843150fe33", serializer: JSON).generate("bar")
 
@@ -852,10 +807,10 @@ class CookiesTest < ActionController::TestCase
 
     assert_equal "bar", @controller.send(:cookies).encrypted[:foo]
 
-    key_generator = @request.env["action_dispatch.key_generator"]
-    secret = key_generator.generate_key(@request.env["action_dispatch.encrypted_cookie_salt"])
-    sign_secret = key_generator.generate_key(@request.env["action_dispatch.encrypted_signed_cookie_salt"])
-    encryptor = ActiveSupport::MessageEncryptor.new(secret[0, ActiveSupport::MessageEncryptor.key_len], sign_secret, serializer: JSON)
+    cipher = "aes-256-gcm"
+    salt = @request.env["action_dispatch.authenticated_encrypted_cookie_salt"]
+    secret = @request.env["action_dispatch.key_generator"].generate_key(salt)[0, ActiveSupport::MessageEncryptor.key_len(cipher)]
+    encryptor = ActiveSupport::MessageEncryptor.new(secret, cipher: cipher, serializer: JSON)
     assert_equal "bar", encryptor.decrypt_and_verify(@response.cookies["foo"])
   end
 
@@ -881,8 +836,6 @@ class CookiesTest < ActionController::TestCase
     @request.env["action_dispatch.cookies_serializer"] = :hybrid
     @request.env["action_dispatch.secret_token"] = "b3c631c314c0bbca50c1b2843150fe33"
     @request.env["action_dispatch.secret_key_base"] = "c3b95688f35581fad38df788add315ff"
-    @request.env["action_dispatch.encrypted_cookie_salt"] = "4433796b79d99a7735553e316522acee"
-    @request.env["action_dispatch.encrypted_signed_cookie_salt"] = "00646eb40062e1b1deff205a27cd30f9"
 
     legacy_value = ActiveSupport::MessageVerifier.new("b3c631c314c0bbca50c1b2843150fe33", serializer: JSON).generate("bar")
 
@@ -891,10 +844,10 @@ class CookiesTest < ActionController::TestCase
 
     assert_equal "bar", @controller.send(:cookies).encrypted[:foo]
 
-    key_generator = @request.env["action_dispatch.key_generator"]
-    secret = key_generator.generate_key(@request.env["action_dispatch.encrypted_cookie_salt"])
-    sign_secret = key_generator.generate_key(@request.env["action_dispatch.encrypted_signed_cookie_salt"])
-    encryptor = ActiveSupport::MessageEncryptor.new(secret[0, ActiveSupport::MessageEncryptor.key_len], sign_secret, serializer: JSON)
+    cipher = "aes-256-gcm"
+    salt = @request.env["action_dispatch.authenticated_encrypted_cookie_salt"]
+    secret = @request.env["action_dispatch.key_generator"].generate_key(salt)[0, ActiveSupport::MessageEncryptor.key_len(cipher)]
+    encryptor = ActiveSupport::MessageEncryptor.new(secret, cipher: cipher, serializer: JSON)
     assert_equal "bar", encryptor.decrypt_and_verify(@response.cookies["foo"])
   end
 
@@ -920,8 +873,6 @@ class CookiesTest < ActionController::TestCase
     @request.env["action_dispatch.cookies_serializer"] = :hybrid
     @request.env["action_dispatch.secret_token"] = "b3c631c314c0bbca50c1b2843150fe33"
     @request.env["action_dispatch.secret_key_base"] = "c3b95688f35581fad38df788add315ff"
-    @request.env["action_dispatch.encrypted_cookie_salt"] = "4433796b79d99a7735553e316522acee"
-    @request.env["action_dispatch.encrypted_signed_cookie_salt"] = "00646eb40062e1b1deff205a27cd30f9"
 
     legacy_value = ActiveSupport::MessageVerifier.new("b3c631c314c0bbca50c1b2843150fe33").generate("bar")
 
@@ -930,10 +881,10 @@ class CookiesTest < ActionController::TestCase
 
     assert_equal "bar", @controller.send(:cookies).encrypted[:foo]
 
-    key_generator = @request.env["action_dispatch.key_generator"]
-    secret = key_generator.generate_key(@request.env["action_dispatch.encrypted_cookie_salt"])
-    sign_secret = key_generator.generate_key(@request.env["action_dispatch.encrypted_signed_cookie_salt"])
-    encryptor = ActiveSupport::MessageEncryptor.new(secret[0, ActiveSupport::MessageEncryptor.key_len], sign_secret, serializer: JSON)
+    cipher = "aes-256-gcm"
+    salt = @request.env["action_dispatch.authenticated_encrypted_cookie_salt"]
+    secret = @request.env["action_dispatch.key_generator"].generate_key(salt)[0, ActiveSupport::MessageEncryptor.key_len(cipher)]
+    encryptor = ActiveSupport::MessageEncryptor.new(secret, cipher: cipher, serializer: JSON)
     assert_equal "bar", encryptor.decrypt_and_verify(@response.cookies["foo"])
   end
 
@@ -959,6 +910,89 @@ class CookiesTest < ActionController::TestCase
     assert_nil @response.cookies["foo"]
   end
 
+  def test_legacy_hmac_aes_cbc_encrypted_marshal_cookie_is_upgraded_to_authenticated_encrypted_cookie
+    @request.env["action_dispatch.secret_key_base"] = "c3b95688f35581fad38df788add315ff"
+
+    @request.env["action_dispatch.encrypted_cookie_salt"] =
+      @request.env["action_dispatch.encrypted_signed_cookie_salt"] = SALT
+
+    key_generator = @request.env["action_dispatch.key_generator"]
+    encrypted_cookie_salt = @request.env["action_dispatch.encrypted_cookie_salt"]
+    encrypted_signed_cookie_salt = @request.env["action_dispatch.encrypted_signed_cookie_salt"]
+    secret = key_generator.generate_key(encrypted_cookie_salt)
+    sign_secret = key_generator.generate_key(encrypted_signed_cookie_salt)
+    marshal_value = ActiveSupport::MessageEncryptor.new(secret[0, ActiveSupport::MessageEncryptor.key_len], sign_secret, serializer: Marshal).encrypt_and_sign("bar")
+
+    @request.headers["Cookie"] = "foo=#{marshal_value}"
+
+    get :get_encrypted_cookie
+
+    cookies = @controller.send :cookies
+    assert_not_equal "bar", cookies[:foo]
+    assert_equal "bar", cookies.encrypted[:foo]
+
+    aead_cipher = "aes-256-gcm"
+    aead_salt = @request.env["action_dispatch.authenticated_encrypted_cookie_salt"]
+    aead_secret = key_generator.generate_key(aead_salt)[0, ActiveSupport::MessageEncryptor.key_len(aead_cipher)]
+    aead_encryptor = ActiveSupport::MessageEncryptor.new(aead_secret, cipher: aead_cipher, serializer: Marshal)
+
+    assert_equal "bar", aead_encryptor.decrypt_and_verify(@response.cookies["foo"])
+  end
+
+  def test_legacy_hmac_aes_cbc_encrypted_json_cookie_is_upgraded_to_authenticated_encrypted_cookie
+    @request.env["action_dispatch.cookies_serializer"] = :json
+    @request.env["action_dispatch.secret_key_base"] = "c3b95688f35581fad38df788add315ff"
+
+    @request.env["action_dispatch.encrypted_cookie_salt"] =
+      @request.env["action_dispatch.encrypted_signed_cookie_salt"] = SALT
+
+    key_generator = @request.env["action_dispatch.key_generator"]
+    encrypted_cookie_salt = @request.env["action_dispatch.encrypted_cookie_salt"]
+    encrypted_signed_cookie_salt = @request.env["action_dispatch.encrypted_signed_cookie_salt"]
+    secret = key_generator.generate_key(encrypted_cookie_salt)
+    sign_secret = key_generator.generate_key(encrypted_signed_cookie_salt)
+    marshal_value = ActiveSupport::MessageEncryptor.new(secret[0, ActiveSupport::MessageEncryptor.key_len], sign_secret, serializer: JSON).encrypt_and_sign("bar")
+
+    @request.headers["Cookie"] = "foo=#{marshal_value}"
+
+    get :get_encrypted_cookie
+
+    cookies = @controller.send :cookies
+    assert_not_equal "bar", cookies[:foo]
+    assert_equal "bar", cookies.encrypted[:foo]
+
+    aead_cipher = "aes-256-gcm"
+    aead_salt = @request.env["action_dispatch.authenticated_encrypted_cookie_salt"]
+    aead_secret = key_generator.generate_key(aead_salt)[0, ActiveSupport::MessageEncryptor.key_len(aead_cipher)]
+    aead_encryptor = ActiveSupport::MessageEncryptor.new(aead_secret, cipher: aead_cipher, serializer: JSON)
+
+    assert_equal "bar", aead_encryptor.decrypt_and_verify(@response.cookies["foo"])
+  end
+
+  def test_legacy_hmac_aes_cbc_encrypted_cookie_using_64_byte_key_is_upgraded_to_authenticated_encrypted_cookie
+    @request.env["action_dispatch.secret_key_base"] = "c3b95688f35581fad38df788add315ff"
+
+    @request.env["action_dispatch.encrypted_cookie_salt"] =
+      @request.env["action_dispatch.encrypted_signed_cookie_salt"] = SALT
+
+    # Cookie generated with 64 bytes secret
+    message = ["566d4e75536d686e633246564e6b493062557079626c566d51574d30515430394c53315665564a694e4563786555744f57537454576b396a5a31566a626e52525054303d2d2d34663234333330623130623261306163363562316266323335396164666364613564643134623131"].pack("H*")
+    @request.headers["Cookie"] = "foo=#{message}"
+
+    get :get_encrypted_cookie
+
+    cookies = @controller.send :cookies
+    assert_not_equal "bar", cookies[:foo]
+    assert_equal "bar", cookies.encrypted[:foo]
+    cipher = "aes-256-gcm"
+
+    salt = @request.env["action_dispatch.authenticated_encrypted_cookie_salt"]
+    secret = @request.env["action_dispatch.key_generator"].generate_key(salt)[0, ActiveSupport::MessageEncryptor.key_len(cipher)]
+    encryptor = ActiveSupport::MessageEncryptor.new(secret, cipher: cipher, serializer: Marshal)
+
+    assert_equal "bar", encryptor.decrypt_and_verify(@response.cookies["foo"])
+  end
+
   def test_cookie_with_all_domain_option
     get :set_cookie_with_domain
     assert_response :success
diff --git a/guides/source/configuring.md b/guides/source/configuring.md
index bf9456a482..6a7eaf00e1 100644
--- a/guides/source/configuring.md
+++ b/guides/source/configuring.md
@@ -456,10 +456,14 @@ to `'http authentication'`.
 Defaults to `'signed cookie'`.
 
 * `config.action_dispatch.encrypted_cookie_salt` sets the encrypted cookies salt
-value. Defaults to `'encrypted cookie'`.
+  value. Defaults to `'encrypted cookie'`.
 
 * `config.action_dispatch.encrypted_signed_cookie_salt` sets the signed
-encrypted cookies salt value. Defaults to `'signed encrypted cookie'`.
+  encrypted cookies salt value. Defaults to `'signed encrypted cookie'`.
+
+* `config.action_dispatch.authenticated_encrypted_cookie_salt` sets the
+  authenticated encrypted cookie salt. Defaults to `'authenticated encrypted
+  cookie'`.
 
 * `config.action_dispatch.perform_deep_munge` configures whether `deep_munge`
   method should be performed on the parameters. See [Security Guide](security.html#unsafe-query-generation)
diff --git a/guides/source/security.md b/guides/source/security.md
index c305350243..61b0c5e368 100644
--- a/guides/source/security.md
+++ b/guides/source/security.md
@@ -95,16 +95,23 @@ Rails 2 introduced a new default session storage, CookieStore. CookieStore saves
 
 * The client can see everything you store in a session, because it is stored in clear-text (actually Base64-encoded, so not encrypted). So, of course, _you don't want to store any secrets here_. To prevent session hash tampering, a digest is calculated from the session with a server-side secret (`secrets.secret_token`) and inserted into the end of the cookie.
 
-However, since Rails 4, the default store is EncryptedCookieStore. With
-EncryptedCookieStore the session is encrypted before being stored in a cookie.
-This prevents the user from accessing and tampering the content of the cookie.
-Thus the session becomes a more secure place to store data. The encryption is
-done using a server-side secret key `secrets.secret_key_base` stored in
-`config/secrets.yml`.
+In Rails 4, encrypted cookies through AES in CBC mode with HMAC using SHA1 for
+verification was introduced. This prevents the user from accessing and tampering
+the content of the cookie. Thus the session becomes a more secure place to store
+data. The encryption is performed using a server-side `secrets.secret_key_base`.
+Two salts are used when deriving keys for encryption and verification. These
+salts are set via the `config.action_dispatch.encrypted_cookie_salt` and
+`config.action_dispatch.encrypted_signed_cookie_salt` configuration values.
 
-That means the security of this storage depends on this secret (and on the digest algorithm, which defaults to SHA1, for compatibility). So _don't use a trivial secret, i.e. a word from a dictionary, or one which is shorter than 30 characters, use `rails secret` instead_.
+Rails 5.2 uses AES-GCM for the encryption which couples authentication
+and encryption in one faster step and produces shorter ciphertexts.
 
-`secrets.secret_key_base` is used for specifying a key which allows sessions for the application to be verified against a known secure key to prevent tampering. Applications get `secrets.secret_key_base` initialized to a random key present in `config/secrets.yml`, e.g.:
+Encrypted cookies are automatically upgraded if the
+`config.action_dispatch.use_authenticated_cookie_encryption` is enabled.
+
+_Do not use a trivial secret, i.e. a word from a dictionary, or one which is shorter than 30 characters! Instead use `rails secret` to generate secret keys!_
+
+Applications get `secrets.secret_key_base` initialized to a random key present in `config/secrets.yml`, e.g.:
 
     development:
       secret_key_base: a75d...
diff --git a/railties/lib/rails/application.rb b/railties/lib/rails/application.rb
index f8a923141d..39ca2db8e1 100644
--- a/railties/lib/rails/application.rb
+++ b/railties/lib/rails/application.rb
@@ -260,6 +260,7 @@ module Rails
           "action_dispatch.signed_cookie_salt" => config.action_dispatch.signed_cookie_salt,
           "action_dispatch.encrypted_cookie_salt" => config.action_dispatch.encrypted_cookie_salt,
           "action_dispatch.encrypted_signed_cookie_salt" => config.action_dispatch.encrypted_signed_cookie_salt,
+          "action_dispatch.authenticated_encrypted_cookie_salt" => config.action_dispatch.authenticated_encrypted_cookie_salt,
           "action_dispatch.cookies_serializer" => config.action_dispatch.cookies_serializer,
           "action_dispatch.cookies_digest" => config.action_dispatch.cookies_digest
         )
diff --git a/railties/lib/rails/application/configuration.rb b/railties/lib/rails/application/configuration.rb
index 4dc9a431f6..4ffde6198a 100644
--- a/railties/lib/rails/application/configuration.rb
+++ b/railties/lib/rails/application/configuration.rb
@@ -88,6 +88,10 @@ module Rails
             active_record.cache_versioning = true
           end
 
+          if respond_to?(:action_dispatch)
+            action_dispatch.use_authenticated_cookie_encryption = true
+          end
+
         else
           raise "Unknown version #{target_version.to_s.inspect}"
         end
diff --git a/railties/lib/rails/generators/rails/app/templates/config/initializers/new_framework_defaults_5_2.rb.tt b/railties/lib/rails/generators/rails/app/templates/config/initializers/new_framework_defaults_5_2.rb.tt
index 52c08500d8..900baa607a 100644
--- a/railties/lib/rails/generators/rails/app/templates/config/initializers/new_framework_defaults_5_2.rb.tt
+++ b/railties/lib/rails/generators/rails/app/templates/config/initializers/new_framework_defaults_5_2.rb.tt
@@ -9,3 +9,7 @@
 # Make Active Record use stable #cache_key alongside new #cache_version method.
 # This is needed for recyclable cache keys.
 # Rails.application.config.active_record.cache_versioning = true
+
+# Use AES 256 GCM authenticated encryption for encrypted cookies.
+# Existing cookies will be converted on read then written with the new scheme.
+# Rails.application.config.action_dispatch.use_authenticated_cookie_encryption = true
diff --git a/railties/test/application/middleware/session_test.rb b/railties/test/application/middleware/session_test.rb
index 959a629ede..a14ea589ed 100644
--- a/railties/test/application/middleware/session_test.rb
+++ b/railties/test/application/middleware/session_test.rb
@@ -162,6 +162,11 @@ module ApplicationTests
         end
       RUBY
 
+      add_to_config <<-RUBY
+        # Enable AEAD cookies
+        config.action_dispatch.use_authenticated_cookie_encryption = true
+      RUBY
+
       require "#{app_path}/config/environment"
 
       get "/foo/write_session"
@@ -171,9 +176,9 @@ module ApplicationTests
       get "/foo/read_encrypted_cookie"
       assert_equal "1", last_response.body
 
-      secret = app.key_generator.generate_key("encrypted cookie")
-      sign_secret = app.key_generator.generate_key("signed encrypted cookie")
-      encryptor = ActiveSupport::MessageEncryptor.new(secret[0, ActiveSupport::MessageEncryptor.key_len], sign_secret)
+      cipher = "aes-256-gcm"
+      secret = app.key_generator.generate_key("authenticated encrypted cookie")
+      encryptor = ActiveSupport::MessageEncryptor.new(secret[0, ActiveSupport::MessageEncryptor.key_len(cipher)], cipher: cipher)
 
       get "/foo/read_raw_cookie"
       assert_equal 1, encryptor.decrypt_and_verify(last_response.body)["foo"]
@@ -209,6 +214,9 @@ module ApplicationTests
 
       add_to_config <<-RUBY
         secrets.secret_token = "3b7cd727ee24e8444053437c36cc66c4"
+
+        # Enable AEAD cookies
+        config.action_dispatch.use_authenticated_cookie_encryption = true
       RUBY
 
       require "#{app_path}/config/environment"
@@ -220,9 +228,9 @@ module ApplicationTests
       get "/foo/read_encrypted_cookie"
       assert_equal "1", last_response.body
 
-      secret = app.key_generator.generate_key("encrypted cookie")
-      sign_secret = app.key_generator.generate_key("signed encrypted cookie")
-      encryptor = ActiveSupport::MessageEncryptor.new(secret[0, ActiveSupport::MessageEncryptor.key_len], sign_secret)
+      cipher = "aes-256-gcm"
+      secret = app.key_generator.generate_key("authenticated encrypted cookie")
+      encryptor = ActiveSupport::MessageEncryptor.new(secret[0, ActiveSupport::MessageEncryptor.key_len(cipher)], cipher: cipher)
 
       get "/foo/read_raw_cookie"
       assert_equal 1, encryptor.decrypt_and_verify(last_response.body)["foo"]
@@ -264,6 +272,73 @@ module ApplicationTests
 
       add_to_config <<-RUBY
         secrets.secret_token = "3b7cd727ee24e8444053437c36cc66c4"
+
+        # Enable AEAD cookies
+        config.action_dispatch.use_authenticated_cookie_encryption = true
+      RUBY
+
+      require "#{app_path}/config/environment"
+
+      get "/foo/write_raw_session"
+      get "/foo/read_session"
+      assert_equal "1", last_response.body
+
+      get "/foo/write_session"
+      get "/foo/read_session"
+      assert_equal "2", last_response.body
+
+      get "/foo/read_encrypted_cookie"
+      assert_equal "2", last_response.body
+
+      cipher = "aes-256-gcm"
+      secret = app.key_generator.generate_key("authenticated encrypted cookie")
+      encryptor = ActiveSupport::MessageEncryptor.new(secret[0, ActiveSupport::MessageEncryptor.key_len(cipher)], cipher: cipher)
+
+      get "/foo/read_raw_cookie"
+      assert_equal 2, encryptor.decrypt_and_verify(last_response.body)["foo"]
+    end
+
+    test "session upgrading from AES-CBC-HMAC encryption to AES-GCM encryption" do
+      app_file "config/routes.rb", <<-RUBY
+        Rails.application.routes.draw do
+          get ':controller(/:action)'
+        end
+      RUBY
+
+      controller :foo, <<-RUBY
+        class FooController < ActionController::Base
+          def write_raw_session
+            # AES-256-CBC with SHA1 HMAC
+            # {"session_id"=>"1965d95720fffc123941bdfb7d2e6870", "foo"=>1}
+            cookies[:_myapp_session] = "TlgrdS85aUpDd1R2cDlPWlR6K0FJeGExckwySjZ2Z0pkR3d2QnRObGxZT25aalJWYWVvbFVLcHF4d0VQVDdSaFF2QjFPbG9MVjJzeWp3YjcyRUlKUUU2ZlR4bXlSNG9ZUkJPRUtld0E3dVU9LS0xNDZXbGpRZ3NjdW43N2haUEZJSUNRPT0=--3639b5ce54c09495cfeaae928cd5634e0c4b2e96"
+            head :ok
+          end
+
+          def write_session
+            session[:foo] = session[:foo] + 1
+            head :ok
+          end
+
+          def read_session
+            render plain: session[:foo]
+          end
+
+          def read_encrypted_cookie
+            render plain: cookies.encrypted[:_myapp_session]['foo']
+          end
+
+          def read_raw_cookie
+            render plain: cookies[:_myapp_session]
+          end
+        end
+      RUBY
+
+      add_to_config <<-RUBY
+        # Use a static key
+        secrets.secret_key_base = "known key base"
+
+        # Enable AEAD cookies
+        config.action_dispatch.use_authenticated_cookie_encryption = true
       RUBY
 
       require "#{app_path}/config/environment"
@@ -279,9 +354,9 @@ module ApplicationTests
       get "/foo/read_encrypted_cookie"
       assert_equal "2", last_response.body
 
-      secret = app.key_generator.generate_key("encrypted cookie")
-      sign_secret = app.key_generator.generate_key("signed encrypted cookie")
-      encryptor = ActiveSupport::MessageEncryptor.new(secret[0, ActiveSupport::MessageEncryptor.key_len], sign_secret)
+      cipher = "aes-256-gcm"
+      secret = app.key_generator.generate_key("authenticated encrypted cookie")
+      encryptor = ActiveSupport::MessageEncryptor.new(secret[0, ActiveSupport::MessageEncryptor.key_len(cipher)], cipher: cipher)
 
       get "/foo/read_raw_cookie"
       assert_equal 2, encryptor.decrypt_and_verify(last_response.body)["foo"]
author	Michael Coyne <mikeycgto@gmail.com>	2017-02-23 13:54:17 -0500
committer	Michael Coyne <mikeycgto@gmail.com>	2017-05-22 08:50:36 +0000
commit	5a3ba63d9abad86b7f6dd36a92cfaf722e52760b (patch)
tree	523981cf2bfddf5941218a463a8b19544c28db65
parent	7a2041335f2a5f86179e303fa84a4653f58e1620 (diff)
download	rails-5a3ba63d9abad86b7f6dd36a92cfaf722e52760b.tar.gz rails-5a3ba63d9abad86b7f6dd36a92cfaf722e52760b.tar.bz2 rails-5a3ba63d9abad86b7f6dd36a92cfaf722e52760b.zip