From 0fb6b2d572b50493e3d69cea17eb60d3c91a0dbd Mon Sep 17 00:00:00 2001 From: Michael Coyne Date: Sun, 24 Sep 2017 13:38:27 -0400 Subject: Fixes for use_authenticated_cookie_encryption Use CBC encryption is this configuration value is set to false --- actionpack/lib/action_dispatch/middleware/cookies.rb | 13 ++++++++++--- actionpack/test/dispatch/cookies_test.rb | 18 ++++++++++++++++++ 2 files changed, 28 insertions(+), 3 deletions(-) (limited to 'actionpack') diff --git a/actionpack/lib/action_dispatch/middleware/cookies.rb b/actionpack/lib/action_dispatch/middleware/cookies.rb index baffe200bc..eb193fcbfb 100644 --- a/actionpack/lib/action_dispatch/middleware/cookies.rb +++ b/actionpack/lib/action_dispatch/middleware/cookies.rb @@ -599,9 +599,16 @@ module ActionDispatch def initialize(parent_jar) super - key_len = ActiveSupport::MessageEncryptor.key_len(encrypted_cookie_cipher) - secret = request.key_generator.generate_key(request.authenticated_encrypted_cookie_salt, key_len) - @encryptor = ActiveSupport::MessageEncryptor.new(secret, cipher: encrypted_cookie_cipher, serializer: SERIALIZER) + if request.use_authenticated_cookie_encryption + key_len = ActiveSupport::MessageEncryptor.key_len(encrypted_cookie_cipher) + secret = request.key_generator.generate_key(request.authenticated_encrypted_cookie_salt, key_len) + @encryptor = ActiveSupport::MessageEncryptor.new(secret, cipher: encrypted_cookie_cipher, serializer: SERIALIZER) + else + key_len = ActiveSupport::MessageEncryptor.key_len("aes-256-cbc") + secret = request.key_generator.generate_key(request.encrypted_cookie_salt, key_len) + sign_secret = request.key_generator.generate_key(request.encrypted_signed_cookie_salt) + @encryptor = ActiveSupport::MessageEncryptor.new(secret, sign_secret, cipher: "aes-256-cbc", serializer: SERIALIZER) + end request.cookies_rotations.encrypted.each do |*secrets, **options| @encryptor.rotate(*secrets, serializer: SERIALIZER, **options) diff --git a/actionpack/test/dispatch/cookies_test.rb b/actionpack/test/dispatch/cookies_test.rb index 70587fa2b0..fca3b24372 100644 --- a/actionpack/test/dispatch/cookies_test.rb +++ b/actionpack/test/dispatch/cookies_test.rb @@ -899,6 +899,24 @@ class CookiesTest < ActionController::TestCase assert_nil @response.cookies["foo"] end + def test_use_authenticated_cookie_encryption_uses_legacy_hmac_aes_cbc_encrypiton + @request.env["action_dispatch.use_authenticated_cookie_encryption"] = false + + key_generator = @request.env["action_dispatch.key_generator"] + encrypted_cookie_salt = @request.env["action_dispatch.encrypted_cookie_salt"] + encrypted_signed_cookie_salt = @request.env["action_dispatch.encrypted_signed_cookie_salt"] + secret = key_generator.generate_key(encrypted_cookie_salt, ActiveSupport::MessageEncryptor.key_len("aes-256-cbc")) + sign_secret = key_generator.generate_key(encrypted_signed_cookie_salt) + encryptor = ActiveSupport::MessageEncryptor.new(secret, sign_secret, cipher: "aes-256-cbc", digest: "SHA1", serializer: Marshal) + + get :set_encrypted_cookie + + cookies = @controller.send :cookies + assert_not_equal "bar", cookies[:foo] + assert_equal "bar", cookies.encrypted[:foo] + assert_equal "bar", encryptor.decrypt_and_verify(@response.cookies["foo"]) + end + def test_legacy_hmac_aes_cbc_encrypted_marshal_cookie_is_upgraded_to_authenticated_encrypted_cookie key_generator = @request.env["action_dispatch.key_generator"] encrypted_cookie_salt = @request.env["action_dispatch.encrypted_cookie_salt"] -- cgit v1.2.3