aboutsummaryrefslogtreecommitdiffstats
path: root/activesupport/lib/active_support/message_encryptor.rb
diff options
context:
space:
mode:
Diffstat (limited to 'activesupport/lib/active_support/message_encryptor.rb')
-rw-r--r--activesupport/lib/active_support/message_encryptor.rb14
1 files changed, 7 insertions, 7 deletions
diff --git a/activesupport/lib/active_support/message_encryptor.rb b/activesupport/lib/active_support/message_encryptor.rb
index 090d51933a..952306b482 100644
--- a/activesupport/lib/active_support/message_encryptor.rb
+++ b/activesupport/lib/active_support/message_encryptor.rb
@@ -121,14 +121,13 @@ module ActiveSupport
# Encrypt and sign a message. We need to sign the message in order to avoid
# padding attacks. Reference: http://www.limited-entropy.com/padding-oracle-attacks.
def encrypt_and_sign(value, expires_at: nil, expires_in: nil, purpose: nil)
- data = Messages::Metadata.wrap(value, expires_at: expires_at, expires_in: expires_in, purpose: purpose)
- verifier.generate(_encrypt(data))
+ verifier.generate(_encrypt(value, expires_at: expires_at, expires_in: expires_in, purpose: purpose))
end
# Decrypt and verify a message. We need to verify the message in order to
# avoid padding attacks. Reference: http://www.limited-entropy.com/padding-oracle-attacks.
def decrypt_and_verify(data, purpose: nil)
- Messages::Metadata.verify(_decrypt(verifier.verify(data)), purpose)
+ _decrypt(verifier.verify(data), purpose)
end
# Given a cipher, returns the key length of the cipher to help generate the key of desired size
@@ -137,7 +136,7 @@ module ActiveSupport
end
private
- def _encrypt(value)
+ def _encrypt(value, **metadata_options)
cipher = new_cipher
cipher.encrypt
cipher.key = @secret
@@ -146,7 +145,7 @@ module ActiveSupport
iv = cipher.random_iv
cipher.auth_data = "" if aead_mode?
- encrypted_data = cipher.update(@serializer.dump(value))
+ encrypted_data = cipher.update(Messages::Metadata.wrap(@serializer.dump(value), metadata_options))
encrypted_data << cipher.final
blob = "#{::Base64.strict_encode64 encrypted_data}--#{::Base64.strict_encode64 iv}"
@@ -154,7 +153,7 @@ module ActiveSupport
blob
end
- def _decrypt(encrypted_message)
+ def _decrypt(encrypted_message, purpose)
cipher = new_cipher
encrypted_data, iv, auth_tag = encrypted_message.split("--".freeze).map { |v| ::Base64.strict_decode64(v) }
@@ -174,7 +173,8 @@ module ActiveSupport
decrypted_data = cipher.update(encrypted_data)
decrypted_data << cipher.final
- @serializer.load(decrypted_data)
+ message = Messages::Metadata.verify(decrypted_data, purpose)
+ @serializer.load(message) if message
rescue OpenSSLCipherError, TypeError, ArgumentError
raise InvalidMessage
end
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-26 19:15:57 +0000