Bug #18735
Encryptable unit tests fail under Ruby 2.4: key must be 32 bytes
Description
Under Ruby 2.4.0, encryptable unit tests and those that depend on the concern all fail:
10) Error:
EncryptableTest#test_0008_string is re-encrypted upon save if password changed:
ActiveSupport::MessageEncryptor::InvalidMessage: ActiveSupport::MessageEncryptor::InvalidMessage
    app/models/concerns/encrypt_value.rb:60:in `decrypt_field'
    app/models/concerns/encryptable.rb:33:in `block (2 levels) in define_auto_decrypt_getter'
    test/unit/encryptable_test.rb:71:in `block in <class:EncryptableTest>'

11) Failure:
EncryptableTest#test_0010_encrypt successfully [/home/dcleal/code/foreman/foreman/test/unit/encryptable_test.rb:95]:
Expected "secretpassword" to not be equal to "secretpassword".

12) Error:
EncryptableTest#test_0007_string is NOT encrypted AGAIN upon save if it is not changed:
ActiveSupport::MessageEncryptor::InvalidMessage: ActiveSupport::MessageEncryptor::InvalidMessage
    app/models/concerns/encrypt_value.rb:60:in `decrypt_field'
    app/models/concerns/encryptable.rb:33:in `block (2 levels) in define_auto_decrypt_getter'
    test/unit/encryptable_test.rb:56:in `block in <class:EncryptableTest>'

13) Failure:
EncryptableTest#test_0011_decrypt successfully [/home/dcleal/code/foreman/foreman/test/unit/encryptable_test.rb:105]:
Expected "secretpassword" to not be equal to "secretpassword".
The encrypt_str routine is catching an exception raised by Ruby through AS::MessageEncryptor:
> encryptor.encrypt_and_sign(str)
ArgumentError: key must be 32 bytes
The standard key length used in Foreman is 40 bytes (Foreman::Util#secure_encryption_key).
Associated revisions
History
#1
Updated by The Foreman Bot over 5 years ago
- Status changed from Assigned to Ready For Testing
- Pull request https://github.com/theforeman/foreman/pull/4350 added
#2
Updated by Dominic Cleal over 5 years ago
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
Applied in changeset 1d75969e0782e6bb5d76b250d5e0d467c9bf924f.
#3
Updated by Dominic Cleal over 5 years ago
- Legacy Backlogs Release (now unused) set to 209
fixes #18735 - truncate encryption key to match preferred length (#4350)
Ruby 2.4's OpenSSL bindings raise an ArgumentError during encryption if
the key length exceeds the cipher's configured length (32 bytes with the
default cipher), but the verification hash algorithm still uses the full
length key.
The encryption key is now truncated to the cipher's preferred length
while passing the full key (if supplied) for signatures.
The default new key length has been changed from 40 to 32 bytes matching
the cipher default, but there's no reason to deprecate or force existing
installations to change.
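As an added illustration (not Foreman's code, and not the code from the pull request), the following standalone Ruby reproduces the key-length check that Ruby 2.4's OpenSSL bindings enforce for the bug described above, and applies the same approach as the fix: the cipher receives the key truncated to its key_len while the HMAC signature still covers the full 40-byte key. The helper names and the CIPHER constant are assumptions made for this example.

```ruby
require 'openssl'

CIPHER = 'aes-256-cbc'.freeze  # MessageEncryptor's default cipher: 32-byte key

class InvalidMessage < StandardError; end

# Returns false when the OpenSSL bindings reject the key length (Ruby 2.4+
# raises ArgumentError "key must be 32 bytes" when handed a 40-byte key).
def cipher_accepts_key?(key, cipher_name = CIPHER)
  OpenSSL::Cipher.new(cipher_name).tap(&:encrypt).key = key
  true
rescue ArgumentError
  false
end

# Hypothetical helper mirroring the fix: the cipher gets the key truncated to
# its key_len, while the HMAC signature is computed over the full-length key.
def encrypt_and_sign(str, key, cipher_name = CIPHER)
  cipher = OpenSSL::Cipher.new(cipher_name)
  cipher.encrypt
  cipher.key = key[0, cipher.key_len]   # 40-byte key -> its first 32 bytes
  iv = cipher.random_iv                 # fresh IV for every message
  ct = cipher.update(str) + cipher.final
  payload = [ct, iv].map { |b| [b].pack('m0') }.join('--')
  "#{payload}--#{OpenSSL::HMAC.hexdigest('SHA1', key, payload)}"
end

# Verifies the signature with the full key before touching the ciphertext,
# then decrypts with the truncated key; any failure becomes InvalidMessage.
def verify_and_decrypt(blob, key, cipher_name = CIPHER)
  payload, _, sig = blob.rpartition('--')
  expected = OpenSSL::HMAC.hexdigest('SHA1', key, payload)
  raise InvalidMessage, 'bad signature' unless secure_equal?(sig, expected)
  ct, iv = payload.split('--').map { |b| b.unpack('m0').first }
  cipher = OpenSSL::Cipher.new(cipher_name)
  cipher.decrypt
  cipher.key = key[0, cipher.key_len]
  cipher.iv = iv
  cipher.update(ct) + cipher.final
rescue OpenSSL::Cipher::CipherError, ArgumentError
  raise InvalidMessage, 'bad ciphertext'
end

# Constant-time comparison so the signature check does not leak via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end
```

Decrypting with only the truncated 32-byte key fails the signature check, which is why the full key must keep flowing to the signing side even though the cipher only sees 32 bytes of it.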