diff options
| author | Kasper Timm Hansen <kaspth@gmail.com> | 2017-05-15 21:20:12 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2017-05-15 21:20:12 +0200 |
| commit | 7cc526beb5c1ecc509db9f607c26fabaed4b4027 (patch) | |
| tree | 6dc8c89cff17d9e8be090fe728df7cf82f199022 /activesupport/lib/active_support | |
| parent | 5bfb2875e9287c75f91e89f5e50654e5fbaa5855 (diff) | |
| parent | 51b090549b76684692bbb8a5c7fbdb3bdaa25642 (diff) | |
| download | rails-7cc526beb5c1ecc509db9f607c26fabaed4b4027.tar.gz rails-7cc526beb5c1ecc509db9f607c26fabaed4b4027.tar.bz2 rails-7cc526beb5c1ecc509db9f607c26fabaed4b4027.zip | |
Merge pull request #29086 from mikeycgto/message-encryptor-auth-tag-check
Message encryptor auth tag check
Fixes MessageEncryptor when used in AEAD mode. Specifically, we need to check if the `auth_tag` is nil. This may arise when an AEAD encryptor is used to decrypt a ciphertext generated from a different mode, such as CBC-HMAC. Basically, the number of double dashes will differ and `auth_tag` may be nil in this case.
Diffstat (limited to 'activesupport/lib/active_support')
| -rw-r--r-- | activesupport/lib/active_support/message_encryptor.rb | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/activesupport/lib/active_support/message_encryptor.rb b/activesupport/lib/active_support/message_encryptor.rb index 24053b4fe5..726e1464ad 100644 --- a/activesupport/lib/active_support/message_encryptor.rb +++ b/activesupport/lib/active_support/message_encryptor.rb @@ -115,7 +115,7 @@ module ActiveSupport # Currently the OpenSSL bindings do not raise an error if auth_tag is # truncated, which would allow an attacker to easily forge it. See # https://github.com/ruby/openssl/issues/63 - raise InvalidMessage if aead_mode? && auth_tag.bytes.length != 16 + raise InvalidMessage if aead_mode? && (auth_tag.nil? || auth_tag.bytes.length != 16) cipher.decrypt cipher.key = @secret |