Mageia Bugzilla – Attachment 8486 Details for
Bug 19501
ruby new security issue CVE-2016-7798
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
Log In
[x]
|
New Account
|
Forgot Password
updated test_cipher.rb verifying the fix
test_cipher.rb (text/plain), 7.44 KB, created by
Pascal Terjan
on 2016-10-03 23:13:21 CEST
(
hide
)
Description:
updated test_cipher.rb verifying the fix
Filename:
MIME Type:
Creator:
Pascal Terjan
Created:
2016-10-03 23:13:21 CEST
Size:
7.44 KB
patch
obsolete
>require_relative 'utils' > >if defined?(OpenSSL) > >class OpenSSL::TestCipher < Test::Unit::TestCase > > class << self > > def has_cipher?(name) > ciphers = OpenSSL::Cipher.ciphers > # redefine method so we can use the cached ciphers value from the closure > # and need not recompute the list each time > define_singleton_method :has_cipher? do |name| > ciphers.include?(name) > end > has_cipher?(name) > end > > def has_ciphers?(list) > list.all? { |name| has_cipher?(name) } > end > > end > > def setup > @c1 = OpenSSL::Cipher::Cipher.new("DES-EDE3-CBC") > @c2 = OpenSSL::Cipher::DES.new(:EDE3, "CBC") > @key = "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" > @iv = "\0\0\0\0\0\0\0\0" > @hexkey = "0000000000000000000000000000000000000000000000" > @hexiv = "0000000000000000" > @data = "DATA" > end > > def teardown > @c1 = @c2 = nil > end > > def test_crypt > @c1.encrypt.pkcs5_keyivgen(@key, @iv) > @c2.encrypt.pkcs5_keyivgen(@key, @iv) > s1 = @c1.update(@data) + @c1.final > s2 = @c2.update(@data) + @c2.final > assert_equal(s1, s2, "encrypt") > > @c1.decrypt.pkcs5_keyivgen(@key, @iv) > @c2.decrypt.pkcs5_keyivgen(@key, @iv) > assert_equal(@data, @c1.update(s1)+@c1.final, "decrypt") > assert_equal(@data, @c2.update(s2)+@c2.final, "decrypt") > end > > def test_info > assert_equal("DES-EDE3-CBC", @c1.name, "name") > assert_equal("DES-EDE3-CBC", @c2.name, "name") > assert_kind_of(Fixnum, @c1.key_len, "key_len") > assert_kind_of(Fixnum, @c1.iv_len, "iv_len") > end > > def test_dup > assert_equal(@c1.name, @c1.dup.name, "dup") > assert_equal(@c1.name, @c1.clone.name, "clone") > @c1.encrypt > @c1.key = @key > @c1.iv = @iv > tmpc = @c1.dup > s1 = @c1.update(@data) + @c1.final > s2 = tmpc.update(@data) + tmpc.final > assert_equal(s1, s2, "encrypt dup") > end > > def test_reset > @c1.encrypt > @c1.key = @key > @c1.iv = @iv > s1 = @c1.update(@data) + @c1.final > @c1.reset > s2 = @c1.update(@data) + @c1.final > assert_equal(s1, s2, "encrypt reset") > end > > def test_empty_data > @c1.encrypt > assert_raise(ArgumentError){ @c1.update("") } > end > > def test_initialize > assert_raise(RuntimeError) {@c1.__send__(:initialize, "DES-EDE3-CBC")} > assert_raise(RuntimeError) {OpenSSL::Cipher.allocate.final} > end > > def test_ctr_if_exists > begin > cipher = OpenSSL::Cipher.new('aes-128-ctr') > cipher.encrypt > cipher.pkcs5_keyivgen('password') > c = cipher.update('hello,world') + cipher.final > cipher.decrypt > cipher.pkcs5_keyivgen('password') > assert_equal('hello,world', cipher.update(c) + cipher.final) > end > end if has_cipher?('aes-128-ctr') > > if OpenSSL::OPENSSL_VERSION_NUMBER > 0x00907000 > def test_ciphers > OpenSSL::Cipher.ciphers.each{|name| > next if /netbsd/ =~ RUBY_PLATFORM && /idea|rc5/i =~ name > begin > assert_kind_of(OpenSSL::Cipher::Cipher, OpenSSL::Cipher::Cipher.new(name)) > rescue OpenSSL::Cipher::CipherError => e > next if /wrap/ =~ name and e.message == 'wrap mode not allowed' > raise > end > } > end > > def test_AES > pt = File.read(__FILE__) > %w(ECB CBC CFB OFB).each{|mode| > c1 = OpenSSL::Cipher::AES256.new(mode) > c1.encrypt > c1.pkcs5_keyivgen("passwd") > ct = c1.update(pt) + c1.final > > c2 = OpenSSL::Cipher::AES256.new(mode) > c2.decrypt > c2.pkcs5_keyivgen("passwd") > assert_equal(pt, c2.update(ct) + c2.final) > } > end > > def test_update_raise_if_key_not_set > assert_raise(OpenSSL::Cipher::CipherError) do > # it caused OpenSSL SEGV by uninitialized key [Bug #2768] > OpenSSL::Cipher::AES128.new("ECB").update "." * 17 > end > end > end > > if has_ciphers?(['aes-128-gcm', 'aes-192-gcm', 'aes-128-gcm']) > > def test_authenticated > cipher = OpenSSL::Cipher.new('aes-128-gcm') > assert(cipher.authenticated?) > cipher = OpenSSL::Cipher.new('aes-128-cbc') > refute(cipher.authenticated?) > end > > def test_aes_gcm > ['aes-128-gcm', 'aes-192-gcm', 'aes-128-gcm'].each do |algo| > pt = "You should all use Authenticated Encryption!" > cipher, key, iv = new_encryptor(algo) > > cipher.auth_data = "aad" > ct = cipher.update(pt) + cipher.final > tag = cipher.auth_tag > assert_equal(16, tag.size) > > decipher = new_decryptor(algo, key, iv) > decipher.auth_tag = tag > decipher.auth_data = "aad" > > assert_equal(pt, decipher.update(ct) + decipher.final) > end > end > > def test_aes_gcm_short_tag > ['aes-128-gcm', 'aes-192-gcm', 'aes-128-gcm'].each do |algo| > pt = "You should all use Authenticated Encryption!" > cipher, key, iv = new_encryptor(algo) > > cipher.auth_data = "aad" > ct = cipher.update(pt) + cipher.final > tag = cipher.auth_tag(8) > assert_equal(8, tag.size) > > decipher = new_decryptor(algo, key, iv) > decipher.auth_tag = tag > decipher.auth_data = "aad" > > assert_equal(pt, decipher.update(ct) + decipher.final) > end > end > > def test_aes_gcm_wrong_tag > pt = "You should all use Authenticated Encryption!" > cipher, key, iv = new_encryptor('aes-128-gcm') > > cipher.auth_data = "aad" > ct = cipher.update(pt) + cipher.final > tag = cipher.auth_tag > > decipher = new_decryptor('aes-128-gcm', key, iv) > tag.setbyte(-1, (tag.getbyte(-1) + 1) & 0xff) > decipher.auth_tag = tag > decipher.auth_data = "aad" > > assert_raise OpenSSL::Cipher::CipherError do > decipher.update(ct) + decipher.final > end > end > > def test_aes_gcm_wrong_auth_data > pt = "You should all use Authenticated Encryption!" > cipher, key, iv = new_encryptor('aes-128-gcm') > > cipher.auth_data = "aad" > ct = cipher.update(pt) + cipher.final > tag = cipher.auth_tag > > decipher = new_decryptor('aes-128-gcm', key, iv) > decipher.auth_tag = tag > decipher.auth_data = "daa" > > assert_raise OpenSSL::Cipher::CipherError do > decipher.update(ct) + decipher.final > end > end > > def test_aes_gcm_wrong_ciphertext > pt = "You should all use Authenticated Encryption!" > cipher, key, iv = new_encryptor('aes-128-gcm') > > cipher.auth_data = "aad" > ct = cipher.update(pt) + cipher.final > tag = cipher.auth_tag > > decipher = new_decryptor('aes-128-gcm', key, iv) > decipher.auth_tag = tag > decipher.auth_data = "aad" > > assert_raise OpenSSL::Cipher::CipherError do > decipher.update(ct[0..-2] << ct[-1].succ) + decipher.final > end > end > > def test_aes_gcm_key_iv_order_issue > pt = "You should all use Authenticated Encryption!" > cipher = OpenSSL::Cipher.new("aes-128-gcm").encrypt > cipher.key = "x" * 16 > cipher.iv = "a" * 12 > ct1 = cipher.update(pt) << cipher.final > tag1 = cipher.auth_tag > > cipher = OpenSSL::Cipher.new("aes-128-gcm").encrypt > cipher.iv = "a" * 12 > cipher.key = "x" * 16 > ct2 = cipher.update(pt) << cipher.final > tag2 = cipher.auth_tag > > assert_equal ct1, ct2 > assert_equal tag1, tag2 > end if has_cipher?("aes-128-gcm") > end > > private > > def new_encryptor(algo) > cipher = OpenSSL::Cipher.new(algo) > cipher.encrypt > key = cipher.random_key > iv = cipher.random_iv > [cipher, key, iv] > end > > def new_decryptor(algo, key, iv) > OpenSSL::Cipher.new(algo).tap do |cipher| > cipher.decrypt > cipher.key = key > cipher.iv = iv > end > end > >end > >end
require_relative 'utils' if defined?(OpenSSL) class OpenSSL::TestCipher < Test::Unit::TestCase class << self def has_cipher?(name) ciphers = OpenSSL::Cipher.ciphers # redefine method so we can use the cached ciphers value from the closure # and need not recompute the list each time define_singleton_method :has_cipher? do |name| ciphers.include?(name) end has_cipher?(name) end def has_ciphers?(list) list.all? { |name| has_cipher?(name) } end end def setup @c1 = OpenSSL::Cipher::Cipher.new("DES-EDE3-CBC") @c2 = OpenSSL::Cipher::DES.new(:EDE3, "CBC") @key = "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" @iv = "\0\0\0\0\0\0\0\0" @hexkey = "0000000000000000000000000000000000000000000000" @hexiv = "0000000000000000" @data = "DATA" end def teardown @c1 = @c2 = nil end def test_crypt @c1.encrypt.pkcs5_keyivgen(@key, @iv) @c2.encrypt.pkcs5_keyivgen(@key, @iv) s1 = @c1.update(@data) + @c1.final s2 = @c2.update(@data) + @c2.final assert_equal(s1, s2, "encrypt") @c1.decrypt.pkcs5_keyivgen(@key, @iv) @c2.decrypt.pkcs5_keyivgen(@key, @iv) assert_equal(@data, @c1.update(s1)+@c1.final, "decrypt") assert_equal(@data, @c2.update(s2)+@c2.final, "decrypt") end def test_info assert_equal("DES-EDE3-CBC", @c1.name, "name") assert_equal("DES-EDE3-CBC", @c2.name, "name") assert_kind_of(Fixnum, @c1.key_len, "key_len") assert_kind_of(Fixnum, @c1.iv_len, "iv_len") end def test_dup assert_equal(@c1.name, @c1.dup.name, "dup") assert_equal(@c1.name, @c1.clone.name, "clone") @c1.encrypt @c1.key = @key @c1.iv = @iv tmpc = @c1.dup s1 = @c1.update(@data) + @c1.final s2 = tmpc.update(@data) + tmpc.final assert_equal(s1, s2, "encrypt dup") end def test_reset @c1.encrypt @c1.key = @key @c1.iv = @iv s1 = @c1.update(@data) + @c1.final @c1.reset s2 = @c1.update(@data) + @c1.final assert_equal(s1, s2, "encrypt reset") end def test_empty_data @c1.encrypt assert_raise(ArgumentError){ @c1.update("") } end def test_initialize assert_raise(RuntimeError) {@c1.__send__(:initialize, "DES-EDE3-CBC")} assert_raise(RuntimeError) {OpenSSL::Cipher.allocate.final} end def test_ctr_if_exists begin cipher = OpenSSL::Cipher.new('aes-128-ctr') cipher.encrypt cipher.pkcs5_keyivgen('password') c = cipher.update('hello,world') + cipher.final cipher.decrypt cipher.pkcs5_keyivgen('password') assert_equal('hello,world', cipher.update(c) + cipher.final) end end if has_cipher?('aes-128-ctr') if OpenSSL::OPENSSL_VERSION_NUMBER > 0x00907000 def test_ciphers OpenSSL::Cipher.ciphers.each{|name| next if /netbsd/ =~ RUBY_PLATFORM && /idea|rc5/i =~ name begin assert_kind_of(OpenSSL::Cipher::Cipher, OpenSSL::Cipher::Cipher.new(name)) rescue OpenSSL::Cipher::CipherError => e next if /wrap/ =~ name and e.message == 'wrap mode not allowed' raise end } end def test_AES pt = File.read(__FILE__) %w(ECB CBC CFB OFB).each{|mode| c1 = OpenSSL::Cipher::AES256.new(mode) c1.encrypt c1.pkcs5_keyivgen("passwd") ct = c1.update(pt) + c1.final c2 = OpenSSL::Cipher::AES256.new(mode) c2.decrypt c2.pkcs5_keyivgen("passwd") assert_equal(pt, c2.update(ct) + c2.final) } end def test_update_raise_if_key_not_set assert_raise(OpenSSL::Cipher::CipherError) do # it caused OpenSSL SEGV by uninitialized key [Bug #2768] OpenSSL::Cipher::AES128.new("ECB").update "." * 17 end end end if has_ciphers?(['aes-128-gcm', 'aes-192-gcm', 'aes-128-gcm']) def test_authenticated cipher = OpenSSL::Cipher.new('aes-128-gcm') assert(cipher.authenticated?) cipher = OpenSSL::Cipher.new('aes-128-cbc') refute(cipher.authenticated?) end def test_aes_gcm ['aes-128-gcm', 'aes-192-gcm', 'aes-128-gcm'].each do |algo| pt = "You should all use Authenticated Encryption!" cipher, key, iv = new_encryptor(algo) cipher.auth_data = "aad" ct = cipher.update(pt) + cipher.final tag = cipher.auth_tag assert_equal(16, tag.size) decipher = new_decryptor(algo, key, iv) decipher.auth_tag = tag decipher.auth_data = "aad" assert_equal(pt, decipher.update(ct) + decipher.final) end end def test_aes_gcm_short_tag ['aes-128-gcm', 'aes-192-gcm', 'aes-128-gcm'].each do |algo| pt = "You should all use Authenticated Encryption!" cipher, key, iv = new_encryptor(algo) cipher.auth_data = "aad" ct = cipher.update(pt) + cipher.final tag = cipher.auth_tag(8) assert_equal(8, tag.size) decipher = new_decryptor(algo, key, iv) decipher.auth_tag = tag decipher.auth_data = "aad" assert_equal(pt, decipher.update(ct) + decipher.final) end end def test_aes_gcm_wrong_tag pt = "You should all use Authenticated Encryption!" cipher, key, iv = new_encryptor('aes-128-gcm') cipher.auth_data = "aad" ct = cipher.update(pt) + cipher.final tag = cipher.auth_tag decipher = new_decryptor('aes-128-gcm', key, iv) tag.setbyte(-1, (tag.getbyte(-1) + 1) & 0xff) decipher.auth_tag = tag decipher.auth_data = "aad" assert_raise OpenSSL::Cipher::CipherError do decipher.update(ct) + decipher.final end end def test_aes_gcm_wrong_auth_data pt = "You should all use Authenticated Encryption!" cipher, key, iv = new_encryptor('aes-128-gcm') cipher.auth_data = "aad" ct = cipher.update(pt) + cipher.final tag = cipher.auth_tag decipher = new_decryptor('aes-128-gcm', key, iv) decipher.auth_tag = tag decipher.auth_data = "daa" assert_raise OpenSSL::Cipher::CipherError do decipher.update(ct) + decipher.final end end def test_aes_gcm_wrong_ciphertext pt = "You should all use Authenticated Encryption!" cipher, key, iv = new_encryptor('aes-128-gcm') cipher.auth_data = "aad" ct = cipher.update(pt) + cipher.final tag = cipher.auth_tag decipher = new_decryptor('aes-128-gcm', key, iv) decipher.auth_tag = tag decipher.auth_data = "aad" assert_raise OpenSSL::Cipher::CipherError do decipher.update(ct[0..-2] << ct[-1].succ) + decipher.final end end def test_aes_gcm_key_iv_order_issue pt = "You should all use Authenticated Encryption!" cipher = OpenSSL::Cipher.new("aes-128-gcm").encrypt cipher.key = "x" * 16 cipher.iv = "a" * 12 ct1 = cipher.update(pt) << cipher.final tag1 = cipher.auth_tag cipher = OpenSSL::Cipher.new("aes-128-gcm").encrypt cipher.iv = "a" * 12 cipher.key = "x" * 16 ct2 = cipher.update(pt) << cipher.final tag2 = cipher.auth_tag assert_equal ct1, ct2 assert_equal tag1, tag2 end if has_cipher?("aes-128-gcm") end private def new_encryptor(algo) cipher = OpenSSL::Cipher.new(algo) cipher.encrypt key = cipher.random_key iv = cipher.random_iv [cipher, key, iv] end def new_decryptor(algo, key, iv) OpenSSL::Cipher.new(algo).tap do |cipher| cipher.decrypt cipher.key = key cipher.iv = iv end end end end
View Attachment As Raw
Actions:
View
Attachments on
bug 19501
:
8486
|
8509
|
8511