search

SmallLars / openssl-ccm

Ruby Gem for RFC 3610 - Counter with CBC-MAC (CCM)
rubygems.org/gems/openssl-ccm
MIT License
2 stars 6 forks source link

Update cipher validation to be case-insensitive #4

Closed jooeycheng closed 5 years ago

jooeycheng commented 5 years ago

I'm facing the following error when using the gem on CircleCI:

OpenSSL::CCMError:
  unsupported cipher algorithm (AES)
./vendor/bundle/ruby/2.5.0/gems/openssl-ccm-1.2.1/lib/openssl/ccm.rb:42:in `initialize'
./vendor/bundle/ruby/2.5.0/gems/adyen-cse-ruby-1.1.0/lib/adyen_cse/encrypter.rb:34:in `new'
./vendor/bundle/ruby/2.5.0/gems/adyen-cse-ruby-1.1.0/lib/adyen_cse/encrypter.rb:34:in `encrypt!'

The error is weird bcos AES should be supported. It is triggered by:

# ./lib/openssl/ccm.rb

def initialize(cipher, key, mac_len)
  unless CCM.ciphers.include?(cipher)
    fail CCMError, "unsupported cipher algorithm (#{cipher})"
  end
  ...
end

SSH-ing into the machine, I find that OpenSSL::CCM.ciphers yields an empty array, which explains why the exception is raised.

Due to some odd reason (which I'm still unsure of the cause), OpenSSL::Cipher.ciphers are returned as lowercased strings in my CircleCI environment:

irb(main)> OpenSSL::Cipher.ciphers
=> ["aes-128-cbc", "aes-128-cbc-hmac-sha1", "aes-128-cbc-hmac-sha256", "aes-128-ccm", ...]

$ openssl version
OpenSSL 1.1.0j  20 Nov 2018

However, in my local machine, ciphers are returned as uppercased strings:

irb(main)> OpenSSL::Cipher.ciphers
=> ["AES-128-CBC", "AES-128-CBC-HMAC-SHA1", "AES-128-CFB", "AES-128-CFB1", "AES-128-CFB8", ...]

$ openssl version
LibreSSL 2.6.5

So, I refactored the def self.ciphers method to perform a case-insensitive check instead, and added memoization.

franee commented 5 years ago

Hi just encountered this same error yesterday (on ruby 2.5.1 mac and on circleci ruby 2.6.0).

EXCEPTION CAUGHT: unsupported cipher algorithm (AES)
/Users/franee/.rvm/gems/ruby-2.6.0/gems/openssl-ccm-1.2.1/lib/openssl/ccm.rb:42:in `initialize'
/Users/franee/.rvm/gems/ruby-2.6.0/gems/adyen-cse-ruby-1.1.0/lib/adyen_cse/encrypter.rb:34:in `new'
/Users/franee/.rvm/gems/ruby-2.6.0/gems/adyen-cse-ruby-1.1.0/lib/adyen_cse/encrypter.rb:34:in `encrypt!'
franee commented 5 years ago

@jooeycheng think you have to add an .upcase to the collected ciphers since it still fails in the initialize method (the PR also fails when running the specs btw):

    def initialize(cipher, key, mac_len)
      unless CCM.ciphers.include?(cipher)
        fail CCMError, "unsupported cipher algorithm (#{cipher})"
      end