[CHEF-5356-gcm(2)] Encrypted data bags should use different HMAC key and include the IV in the HMAC #1591
Conversation
…tests Conflicts: spec/unit/encrypted_data_bag_item_spec.rb
|
Thanks for the quick patch @zuazo. We will review this further but one thing that came up is to catch the OpenSSL error when Stay tuned for more review 😄 |
|
BTW, here's what happens for unsupported ciphers: |
…ot met, give a meaningful error message
|
@sersut, @danielsdeleo, thanks for your review and your help 😃 I added an Note: And by the way, using |
|
@zuazo yeah, it would be good to fix deprecation warnings. Will the code work on 1.8.7 if we fix that? |
|
@danielsdeleo, yes, it works with 1.8.7. From the official 1.8.7 documentation of http://ruby-doc.org/stdlib-1.8.7/libdoc/openssl/rdoc/OpenSSL/Cipher/Cipher.html:
This is very old. The change was added to Ruby in the commit 953e8aca (2007-04-05) and merged onto 1.8.7 in commit 18342ff8 (2007-06-08). Ruby 1.8.7 was released in 2008-05-31. |
|
But, of course, you still require Ruby 2 to use GCM. |
|
@zuazo sounds good. We just need to be able to run tests and such against ruby 1.8 until we drop support for it (which we're planning for Chef 12.0). Otherwise we'd have to wait to merge it. |
…enSSL::Cipher::Cipher and OpenSSL::Digest::Digest
|
I removed the Ruby 1.9.3 tests results:
Ruby 2.0.0 tests results:
They seem to be random unrelated errors. Can someone please review this errors or re-run the failed jobs? |
|
Re-running the tests now. |
|
Thanks @danielsdeleo. Tests passed. |
| context "when decrypting a version 3 (JSON+aes-256-gcm+random iv+auth tag) encrypted value" do | ||
|
|
||
| context "on supported platforms", | ||
| :if => (RUBY_VERSION >= "2" and OpenSSL::OPENSSL_VERSION_NUMBER >= 10001000) do |
There was a problem hiding this comment.
Is it possible to put this logic in the rspec config in spec_helper? Personally I don't have a preference for one style or the other, but everything is in spec_helper right now so I'd like to be consistent.
|
Overall it looks good except for the nitpicks about how the tests handle the platform requirements. |
…e alternative tests using stubs
|
@danielsdeleo, totally agree with you. I added RSpec filters and added some tests using stubs instead of conditionals. I have not removed the conditional tests because I think that makes sense considering that I have not checked the GCM support according to the version, but according to functionality: def assert_aead_requirements_met!(algorithm)
unless OpenSSL::Cipher.method_defined?(:auth_data=)
raise # ...
end
unless OpenSSL::Cipher.ciphers.include?(algorithm)
raise # ...
end
endSo these conditional tests are used to verify that the functionality checks are fine. |
| @@ -37,6 +38,7 @@ class Chef::EncryptedDataBagItem | |||
| # to create an instance of the appropriate strategy for the given encrypted | |||
| # data bag value. | |||
| module Decryptor | |||
| extend Chef::EncryptedDataBagItem::Assertions | |||
There was a problem hiding this comment.
Do we actually call these methods on this module? I didn't see any case where we do.
There was a problem hiding this comment.
Decryptor module calls #assert_format_version_acceptable! below. I could have avoided moving that function to Assertions. But I moved to have all the assertions together.
|
@zuazo Ok, your explanation for making the tests conditional makes sense to me. I found one more thing I'm curious about, and everything else looks good. |
… fix, "Ruby with_out_ AEAD support"
|
Thanks @danielsdeleo. I've made some small fixes. Nothing important. |
|
Okay, this looks good to me now, 👍 |
[CHEF-5356-gcm(2)] Encrypted data bags should use different HMAC key and include the IV in the HMAC
thommay
added
Type: Enhancement
Note: issue #1590 rebased onto master, conflicts fixed.
Reopening issue #1504 with some fixes (alternative to issue #1474 using GCM).
https://tickets.opscode.com/browse/CHEF-5356
>= 1.0.1and ruby>= 2.DOC_CHANGES.mdupdated.