Issue #12561 has been reported by Kevin Burk.

----------------------------------------
Feature #12561: OpenSSL::Cipher#key= silently truncates key strings.
https://bugs.ruby-lang.org/issues/12561

* Author: Kevin Burk
* Status: Open
* Priority: Normal
* Assignee: 
----------------------------------------
Not entirely sure if this is a bug or a feature request, so please recategorize if I got it wrong.

Setting the key on an OpenSSL::Cipher will throw an exception if the key is too short.  But if the key string is too long, the bytes past the key length are silently discarded.  In the IRB session below, it looks like the second and third attempts to set the key succeed and set the key to different values, but in fact the third attempt sets the key to the same thing as the second, ignoring the `"ghijkl"` that lies past the 128-bit / 16-byte key length.

```
irb(main):013:0> c = OpenSSL::Cipher.new('AES-128-CBC')
=> #<OpenSSL::Cipher:0x007fb86893af30>
irb(main):014:0> c.key = '1234567890'
OpenSSL::Cipher::CipherError: key length too short
	from (irb):14:in `key='
	from (irb):14
	from /Users/kevin.burk/.rbenv/versions/2.3.0/bin/irb:11:in `<main>'
irb(main):015:0> c.key = '1234567890abcdef'
=> "1234567890abcdef"
irb(main):016:0> c.key = '1234567890abcdefghijkl'
=> "1234567890abcdefghijkl"
```

Could we throw an `OpenSSL::Cipher::CipherError: key length too long` exception here?  The current behavior makes it very easy for people like me to accidentally screw this up, introducing security flaws.

---Files--------------------------------
cipher-truncate.rb (880 Bytes)
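An added example (not the ticket's attachment and not the openssl gem's own code) of the strict check the report asks for, written as a wrapper around `OpenSSL::Cipher#key=`: it rejects any key whose byte length differs from `key_len`, and a small probe reports whether the running Ruby still truncates over-long keys or rejects them (later openssl gem versions raise an ArgumentError on a length mismatch). `set_key_strict`, `strict_accepts?` and `lenient_key_behaviour` are hypothetical helper names; the sample keys are constructed to mirror the IRB session above.

```ruby
require 'openssl'

# Added example: a strict replacement for Cipher#key= plus a behaviour probe.
ALGO = 'AES-128-CBC'.freeze
# Constructed sample keys mirroring the ticket's IRB session.
GOOD_KEY  = '1234567890abcdef'        # exactly 16 bytes for AES-128
LONG_KEY  = '1234567890abcdefghijkl'  # 22 bytes; old versions keep only the first 16
SHORT_KEY = '1234567890'              # 10 bytes; always rejected

# Hypothetical strict setter: raise unless the key is exactly key_len bytes,
# so an over-long key can never be silently truncated.
def set_key_strict(cipher, key)
  expected = cipher.key_len
  unless key.bytesize == expected
    raise OpenSSL::Cipher::CipherError,
          "key length too #{key.bytesize < expected ? 'short' : 'long'}: " \
          "got #{key.bytesize} bytes, need #{expected}"
  end
  cipher.key = key
end

# True if the strict setter accepts this key for the given algorithm.
def strict_accepts?(key, algo = ALGO)
  c = OpenSSL::Cipher.new(algo)
  c.encrypt
  set_key_strict(c, key)
  true
rescue OpenSSL::Cipher::CipherError
  false
end

# Probe: does this Ruby's plain Cipher#key= accept an over-long key?
# :truncates is the behaviour described in the ticket; :rejects means the
# installed openssl gem raises on the length mismatch.
def lenient_key_behaviour(algo = ALGO)
  c = OpenSSL::Cipher.new(algo)
  c.encrypt
  c.key = LONG_KEY
  :truncates
rescue ArgumentError, OpenSSL::Cipher::CipherError
  :rejects
end

if $PROGRAM_NAME == __FILE__
  puts "strict setter accepts 16-byte key: #{strict_accepts?(GOOD_KEY)}"
  puts "strict setter accepts 22-byte key: #{strict_accepts?(LONG_KEY)}"
  puts "plain key= on this Ruby: #{lenient_key_behaviour}"
end
```

The strict setter raises for both the 10-byte and the 22-byte key, whereas the plain `key=` only ever rejected the short one on the Ruby shown in the session.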
