Fix for AEAD auth_tag check in MessageEncryptor

When MessageEncryptor tries to +decrypt_and_verify+ ciphertexts generated in a different mode (such CBC-HMAC), the +auth_tag+ may be +nil+ and must explicitly check for it. See the discussion here: https://github.com/rails/rails/pull/28132#discussion_r116388462
author: Michael Coyne <mikeycgto@gmail.com> 2017-05-15 08:45:14 +0000
committer: Michael Coyne <mikeycgto@gmail.com> 2017-05-15 08:54:39 +0000
commit: 71fb6def5f07233e4fdf628e02981e4add5c6b8b (patch)
tree: 88b1144823baced8660d34d6f1f5652afb97167c /activesupport/test/message_encryptor_test.rb
parent: 4734d23c74fb4193aafe7cb04256bb745680d97f (diff)
download: rails-71fb6def5f07233e4fdf628e02981e4add5c6b8b.tar.gz
rails-71fb6def5f07233e4fdf628e02981e4add5c6b8b.tar.bz2
rails-71fb6def5f07233e4fdf628e02981e4add5c6b8b.zip
1 files changed, 8 insertions, 0 deletions
diff --git a/activesupport/test/message_encryptor_test.rb b/activesupport/test/message_encryptor_test.rb
index 56a436f751..c67ada5f20 100644
--- a/activesupport/test/message_encryptor_test.rb
+++ b/activesupport/test/message_encryptor_test.rb
@@ -86,6 +86,14 @@ class MessageEncryptorTest < ActiveSupport::TestCase
     assert_equal @data, encryptor.decrypt_and_verify(message)
   end
 
+  def test_aead_mode_with_hmac_cbc_cipher_text
+    encryptor = ActiveSupport::MessageEncryptor.new(@secret, cipher: "aes-256-gcm")
+
+    assert_raise ActiveSupport::MessageEncryptor::InvalidMessage do
+      encryptor.decrypt_and_verify "eHdGeExnZEwvMSt3U3dKaFl1WFo0TjVvYzA0eGpjbm5WSkt5MXlsNzhpZ0ZnbWhBWFlQZTRwaXE1bVJCS2oxMDZhYVp2dVN3V0lNZUlWQ3c2eVhQbnhnVjFmeVVubmhRKzF3WnZyWHVNMDg9LS1HSisyakJVSFlPb05ISzRMaXRzcFdBPT0=--831a1d54a3cda8a0658dc668a03dedcbce13b5ca"
+    end
+  end
+
   def test_messing_with_aead_values_causes_failures
     encryptor = ActiveSupport::MessageEncryptor.new(@secret, cipher: "aes-256-gcm")
     text, iv, auth_tag = encryptor.encrypt_and_sign(@data).split("--")
author	Michael Coyne <mikeycgto@gmail.com>	2017-05-15 08:45:14 +0000
committer	Michael Coyne <mikeycgto@gmail.com>	2017-05-15 08:54:39 +0000
commit	71fb6def5f07233e4fdf628e02981e4add5c6b8b (patch)
tree	88b1144823baced8660d34d6f1f5652afb97167c /activesupport/test/message_encryptor_test.rb
parent	4734d23c74fb4193aafe7cb04256bb745680d97f (diff)
download	rails-71fb6def5f07233e4fdf628e02981e4add5c6b8b.tar.gz rails-71fb6def5f07233e4fdf628e02981e4add5c6b8b.tar.bz2 rails-71fb6def5f07233e4fdf628e02981e4add5c6b8b.zip