From 8ee269cf51c58b0600a3fa536219637f240e888d Mon Sep 17 00:00:00 2001 From: Vipul A M Date: Sun, 29 May 2016 11:07:22 -0700 Subject: We default to using aes-256-cbc as our verification/signing cipher. It can accept key lengths of 128, 192 or 256-bit, whereas currently we were providing twice the acceptable value. ruby < 2.4 allowed accepting these values, as extra key bits were ignored. Since https://github.com/ruby/ruby/commit/ce635262f53b760284d56bb1027baebaaec175d1 this now has a strict checking on key length. Default to key length 32 bytes, to match the compatible length for aes-256-cbc Fixes #25185 --- activesupport/lib/active_support/key_generator.rb | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) (limited to 'activesupport/lib') diff --git a/activesupport/lib/active_support/key_generator.rb b/activesupport/lib/active_support/key_generator.rb index 7f73f9ddfc..7eafbb571f 100644 --- a/activesupport/lib/active_support/key_generator.rb +++ b/activesupport/lib/active_support/key_generator.rb @@ -15,9 +15,8 @@ module ActiveSupport end # Returns a derived key suitable for use. The default key_size is chosen - # to be compatible with the default settings of ActiveSupport::MessageVerifier. - # i.e. OpenSSL::Digest::SHA1#block_length - def generate_key(salt, key_size=64) + # to be compatible with the acceptable key length of aes-256-cbc, the default cipher. + def generate_key(salt, key_size=32) OpenSSL::PKCS5.pbkdf2_hmac_sha1(@secret, salt, @iterations, key_size) end end @@ -32,9 +31,8 @@ module ActiveSupport end # Returns a derived key suitable for use. The default key_size is chosen - # to be compatible with the default settings of ActiveSupport::MessageVerifier. - # i.e. OpenSSL::Digest::SHA1#block_length - def generate_key(salt, key_size=64) + # to be compatible with the acceptable key length of aes-256-cbc, the default cipher. + def generate_key(salt, key_size=32) @cache_keys["#{salt}#{key_size}"] ||= @key_generator.generate_key(salt, key_size) end end -- cgit v1.2.3