From ae32b69ab9647f4072d6852c4d4d1f2a939360c1 Mon Sep 17 00:00:00 2001
From: Vipul A M <vipulnsward@gmail.com>
Date: Sat, 9 Jul 2016 04:03:43 -0700
Subject: Follow up of #25602 Since keys are truncated, ruby 2.4 doesn't accept
 keys greater than their lenghts. keys of same value but different lenght and
 greater than key size of cipher, produce the same results as reproduced at
 https://gist.github.com/rhenium/b81355fe816dcfae459cc5eadfc4f6f9 Since our
 default cipher is 'aes-256-cbc', key length for which is 32 bytes, limit the
 length of key being passed to Encryptor to 32 bytes. This continues to
 support backwards compat with any existing signed data, already encrupted and
 signed with 32+ byte keys. Also fixes the passing of this value in multiple
 tests.

---
 actionpack/lib/action_dispatch/middleware/cookies.rb | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

(limited to 'actionpack/lib/action_dispatch')

diff --git a/actionpack/lib/action_dispatch/middleware/cookies.rb b/actionpack/lib/action_dispatch/middleware/cookies.rb
index ff83c4beca..8d7884b3b5 100644
--- a/actionpack/lib/action_dispatch/middleware/cookies.rb
+++ b/actionpack/lib/action_dispatch/middleware/cookies.rb
@@ -567,17 +567,19 @@ module ActionDispatch
 
     class EncryptedCookieJar < AbstractCookieJar # :nodoc:
       include SerializedCookieJars
+      DEFAULT_CIPHER = 'aes-256-cbc'
 
-      def initialize(parent_jar)
-        super
+      def initialize(parent_jar, cipher: DEFAULT_CIPHER)
+        super(parent_jar)
 
         if ActiveSupport::LegacyKeyGenerator === key_generator
           raise "You didn't set secrets.secret_key_base, which is required for this cookie jar. " +
             "Read the upgrade documentation to learn more about this new config option."
         end
 
-        secret = key_generator.generate_key(request.encrypted_cookie_salt || "")
-        sign_secret = key_generator.generate_key(request.encrypted_signed_cookie_salt || "")
+        key_len = OpenSSL::Cipher.new(cipher).key_len
+        secret = key_generator.generate_key(request.encrypted_cookie_salt || '')[0, key_len]
+        sign_secret = key_generator.generate_key(request.encrypted_signed_cookie_salt || '')
         @encryptor = ActiveSupport::MessageEncryptor.new(secret, sign_secret, digest: digest, serializer: ActiveSupport::MessageEncryptor::NullSerializer)
       end
 
-- 
cgit v1.2.3