pkey: fix repeated passphrase prompts in OpenSSL::PKey.read #931
This PR fixes two issues shown in #927, which affects OpenSSL 3.0 or later.
pkey: add more tests for OpenSSL::PKey.read
Add tests covering edge cases in the current behavior to prevent accidental regressions. The next patches will update the OpenSSL 3.x path.
pkey: pass pem_password_cb to OSSL_DECODER only when it is needed
Specify OSSL_DECODER_CTX_set_pem_password_cb() only when we expect a passphrase-protected private key.
OSSL_DECODER appears to try to decrypt every PEM block in the input even when the PEM header does not match the requested selection. This can cause repeated prompts for a passphrase in a single OpenSSL::PKey.read call.
pkey: stop retrying after non-retryable error from OSSL_DECODER
Continue processing only when OSSL_DECODER_from_bio() returns the error code ERR_R_UNSUPPORTED. Otherwise, raise an exception without retrying decoding the input in another format.
This fixes another case where OpenSSL::PKey.read prompts for a passphrase multiple times when the input contains more than one passphrase-protected PEM blocks and the first one cannot be decoded.
I am not entirely sure if error code ERR_R_UNSUPPORTED is considered part of the public interface of OpenSSL, but this seems to be the only option available and is the approach used internally by the PEM_read_bio_*() functions.
Fixes #927
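One way to observe the behaviour discussed above is to count how often the passphrase callback fires during a single OpenSSL::PKey.read call; a count above 1 is the repeated-prompt symptom. This is an added example, not code from this pull request: the helper names, the passphrase and the throwaway EC keys are constructed for illustration.

```ruby
require "openssl"

# Constructed sample data: throwaway keys and passphrase, generated at run time.
PASSPHRASE = "constructed-passphrase"
KEY_A = OpenSSL::PKey::EC.generate("prime256v1")
KEY_B = OpenSSL::PKey::EC.generate("prime256v1")

# Hypothetical helper: serialize a key as a passphrase-protected PEM block.
def encrypted_pem(key, pass)
  key.private_to_pem(OpenSSL::Cipher.new("aes-256-cbc"), pass)
end

# Hypothetical helper: run one OpenSSL::PKey.read call and return
# [decoded key or nil, number of times the passphrase block was invoked].
def read_counting_prompts(pem, pass)
  prompts = 0
  key = OpenSSL::PKey.read(pem) { |_flag| prompts += 1; pass }
  [key, prompts]
rescue OpenSSL::PKey::PKeyError
  [nil, prompts]
end

# Returns { case name => [decoded KEY_A?, prompt count] } for four inputs:
# an unencrypted key, one encrypted block, two encrypted blocks, and two
# encrypted blocks read with the wrong passphrase.
def prompt_report
  two_blocks = encrypted_pem(KEY_A, PASSPHRASE) + encrypted_pem(KEY_B, PASSPHRASE)
  samples = {
    plain: [KEY_A.private_to_pem, PASSPHRASE],
    encrypted: [encrypted_pem(KEY_A, PASSPHRASE), PASSPHRASE],
    two_encrypted_blocks: [two_blocks, PASSPHRASE],
    wrong_passphrase: [two_blocks, "not-the-passphrase"],
  }
  samples.to_h do |name, (pem, pass)|
    key, prompts = read_counting_prompts(pem, pass)
    decoded_a = !key.nil? && key.public_to_der == KEY_A.public_to_der
    [name, [decoded_a, prompts]]
  end
end

if $PROGRAM_NAME == __FILE__
  prompt_report.each do |name, (decoded_a, prompts)|
    puts format("%-22s decoded KEY_A=%-5s prompts=%d", name, decoded_a, prompts)
  end
end
```

The prompt counts for the encrypted inputs depend on the installed openssl gem and OpenSSL library versions, so compare them before and after upgrading rather than against a fixed number.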