Revision 1d75969e
Added by Dominic Cleal over 7 years ago
| app/models/concerns/encrypt_value.rb | ||
|---|---|---|
|
|
||
|
def encrypt_field(str)
|
||
|
return str unless is_encryptable?(str)
|
||
|
encryptor = ActiveSupport::MessageEncryptor.new(encryption_key)
|
||
|
begin
|
||
|
# add prefix to encrypted string
|
||
|
str_encrypted = "#{ENCRYPTION_PREFIX}#{encryptor.encrypt_and_sign(str)}"
|
||
| ... | ... | |
|
|
||
|
def decrypt_field(str)
|
||
|
return str unless is_decryptable?(str)
|
||
|
encryptor = ActiveSupport::MessageEncryptor.new(encryption_key)
|
||
|
begin
|
||
|
# remove prefix before decrypting string
|
||
|
str_no_prefix = str.gsub(/^#{ENCRYPTION_PREFIX}/, "")
|
||
| ... | ... | |
|
logger.add level, msg
|
||
|
puts msg if Foreman.in_rake? && !Rails.env.test? && level >= Logger::INFO
|
||
|
end
|
||
|
|
||
|
def encryptor
|
||
|
full_key = encryption_key
|
||
|
|
||
|
# Pass a limited length encryption key as Ruby's OpenSSL bindings will either raise an
|
||
|
# exception for a mis-sized key or it will be silently truncated.
|
||
|
#
|
||
|
# Pass a full length signature key though, so pre-existing encrypted data can still be verified
|
||
|
# against a key that is longer than the necessary encryption key.
|
||
|
ActiveSupport::MessageEncryptor.new(full_key[0, ActiveSupport::MessageEncryptor.key_len], full_key)
|
||
|
end
|
||
|
end
|
||
Also available in: Unified diff
fixes #18735 - truncate encryption key to match preferred length (#4350)
Ruby 2.4's OpenSSL bindings raise an ArgumentError during encryption if
the key length exceeds the cipher's configured length (32 bytes with the
default cipher), but the verification hash algorithm still uses the full
length key.
The encryption key is now truncated to the cipher's preferred length
while passing the full key (if supplied) for signatures.
The default new key length has been changed from 40 to 32 bytes matching
the cipher default, but there's no reason to deprecate or force existing
installations to change.