Bug #18735

Encryptable unit tests fail under Ruby 2.4: key must be 32 bytes

Added by Dominic Cleal over 1 year ago. Updated 9 days ago.

Status:Closed
Priority:Normal
Assignee:Dominic Cleal
Category:Security
Target version:1.15.0
Pull request:https://github.com/theforeman/foreman/pull/4350

Description

Under Ruby 2.4.0, encryptable unit tests and those that depend on the concern all fail:

 10) Error:
EncryptableTest#test_0008_string is re-encrypted upon save if password changed:
ActiveSupport::MessageEncryptor::InvalidMessage: ActiveSupport::MessageEncryptor::InvalidMessage
    app/models/concerns/encrypt_value.rb:60:in `decrypt_field'
    app/models/concerns/encryptable.rb:33:in `block (2 levels) in define_auto_decrypt_getter'
    test/unit/encryptable_test.rb:71:in `block in <class:EncryptableTest>'

 11) Failure:
EncryptableTest#test_0010_encrypt successfully [/home/dcleal/code/foreman/foreman/test/unit/encryptable_test.rb:95]:
Expected "secretpassword" to not be equal to "secretpassword".

 12) Error:
EncryptableTest#test_0007_string is NOT encrypted AGAIN upon save if it is not changed:
ActiveSupport::MessageEncryptor::InvalidMessage: ActiveSupport::MessageEncryptor::InvalidMessage
    app/models/concerns/encrypt_value.rb:60:in `decrypt_field'
    app/models/concerns/encryptable.rb:33:in `block (2 levels) in define_auto_decrypt_getter'
    test/unit/encryptable_test.rb:56:in `block in <class:EncryptableTest>'

 13) Failure:
EncryptableTest#test_0011_decrypt successfully [/home/dcleal/code/foreman/foreman/test/unit/encryptable_test.rb:105]:
Expected "secretpassword" to not be equal to "secretpassword".

The encrypt_str routine is catching an exception raised by Ruby through AS::MessageEncryptor:

> encryptor.encrypt_and_sign(str)
ArgumentError: key must be 32 bytes

The standard key length used in Foreman is 40 bytes (Foreman::Util#secure_encryption_key).

Associated revisions

Revision 1d75969e
Added by Dominic Cleal over 1 year ago

fixes #18735 - truncate encryption key to match preferred length (#4350)

Ruby 2.4's OpenSSL bindings raise an ArgumentError during encryption if
the key length exceeds the cipher's configured length (32 bytes with the
default cipher), but the verification hash algorithm still uses the full
length key.

The encryption key is now truncated to the cipher's preferred length
while passing the full key (if supplied) for signatures.

The default new key length has been changed from 40 to 32 bytes matching
the cipher default, but there's no reason to deprecate or force existing
installations to change.
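The key-handling scheme the commit describes, as an added example that is not Foreman's or Rails' own code: it reproduces what ActiveSupport::MessageEncryptor does (AES-256-CBC with an HMAC signature) on top of Ruby's stdlib OpenSSL so it runs without Rails. The cipher receives the first key_len bytes of the secret while the HMAC keeps the full secret, so an existing 40-byte key keeps working. The names cipher_accepts_key?, split_keys, encrypt_and_sign, decrypt_and_verify and the 40-byte sample key are this example's own assumptions.

```ruby
require 'openssl'

# Added example, not Foreman's code: truncate the cipher key to the cipher's
# preferred length while signing with the full secret.
CIPHER = 'aes-256-cbc'.freeze

class InvalidMessage < StandardError; end

# Does the OpenSSL binding accept this key as-is? Ruby >= 2.4 raises
# ArgumentError ("key must be 32 bytes") when the length does not match the
# cipher's key_len, which is what broke the 40-byte Foreman key.
def cipher_accepts_key?(key)
  OpenSSL::Cipher.new(CIPHER).encrypt.key = key
  true
rescue ArgumentError
  false
end

# Split one secret into [cipher_key, signing_key]: the cipher gets the first
# key_len bytes (32 for AES-256), the HMAC keeps the full secret.
def split_keys(secret)
  key_len = OpenSSL::Cipher.new(CIPHER).key_len
  if secret.bytesize < key_len
    raise ArgumentError, "secret must be at least #{key_len} bytes"
  end
  [secret.byteslice(0, key_len), secret]
end

def encrypt_and_sign(secret, plaintext)
  cipher_key, sign_key = split_keys(secret)
  cipher = OpenSSL::Cipher.new(CIPHER).encrypt
  cipher.key = cipher_key
  iv = cipher.random_iv # fresh IV per message; also sets it on the cipher
  ciphertext = cipher.update(plaintext) + cipher.final
  data = "#{[ciphertext].pack('m0')}--#{[iv].pack('m0')}" # strict base64
  "#{data}--#{OpenSSL::HMAC.hexdigest('SHA1', sign_key, data)}"
end

# Constant-time comparison of two equal-length digests.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify the signature first, then decrypt; any failure surfaces as
# InvalidMessage, like MessageEncryptor does.
def decrypt_and_verify(secret, message)
  cipher_key, sign_key = split_keys(secret)
  data, _, digest = message.rpartition('--')
  expected = OpenSSL::HMAC.hexdigest('SHA1', sign_key, data)
  raise InvalidMessage, 'signature mismatch' unless secure_compare(expected, digest)
  ct_b64, iv_b64 = data.split('--', 2)
  decipher = OpenSSL::Cipher.new(CIPHER).decrypt
  decipher.key = cipher_key
  decipher.iv = iv_b64.unpack1('m0')
  decipher.update(ct_b64.unpack1('m0')) + decipher.final
rescue OpenSSL::Cipher::CipherError
  raise InvalidMessage, 'decryption failed'
end

if __FILE__ == $PROGRAM_NAME
  secret = 'k' * 40 # constructed stand-in for a 40-byte Foreman key
  puts "raw 40-byte key accepted by cipher: #{cipher_accepts_key?(secret)}"
  token = encrypt_and_sign(secret, 'secretpassword')
  puts "token: #{token}"
  puts "round trip: #{decrypt_and_verify(secret, token)}"
end
```

Running it on a Ruby 2.4 or newer interpreter prints false for the raw 40-byte key, then a signed token and the decrypted round trip; the signature is checked over the full secret before any decryption is attempted, so a tampered token or a wrong key is rejected without touching the cipher.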

History

#1 Updated by The Foreman Bot over 1 year ago

  • Status changed from Assigned to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/4350 added

#2 Updated by Dominic Cleal over 1 year ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#3 Updated by Dominic Cleal over 1 year ago

  • Legacy Backlogs Release (now unused) set to 209
