Cipher differences between 1.7.1 and 1.7.2+

Hi All,

I spent lots of time today trying to upgrade from 1.7.1 to 1.7.3, so
thought I’d share my findings in case someone else hits the same issue. I
store values in a database encrypted, and was getting errors decrypting
once I upgraded.

I have a function:

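require "openssl"

def cipher(s, key, decrypt=false)
  cipher = OpenSSL::Cipher::AES128.new("CBC")
  # Select the mode explicitly before setting the key
  decrypt ? cipher.decrypt : cipher.encrypt
  cipher.key = key
  # No IV is set here, so the implementation's default IV is used
  response = ""
  response << cipher.update(s)
  response << cipher.final
end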

Here’s the output from usage in 1.7.1:

key = OpenSSL::PKey::RSA.generate(1024)

x = cipher("hi", key.to_pem)
=> "\xA0\xF5+0\xCEWD\x96o\x95\xA6\b\x1D\xE1\xC0\xCD"
cipher(x, key.to_pem, true)

And here is the output from usage in 1.7.3:

x = cipher("hi", key.to_pem)
=> "\xCB\x99\xD3\xC1\x8F\xC7\x82\xD7R\x10*{\xE6'\x1A\xB9"
cipher(x, key.to_pem, true)
=> "hi"

The difference is because of
https://jira.codehaus.org/browse/JRUBY-6951.
This change was made in 1.7.2 and changes the default of the IV for the
cipher. This means that if you’ve encrypted something in <1.7.1 without
setting a custom IV, you won’t be able to decrypt in >1.7.2 without using
the old IV default ("OpenSSL for JRuby rulez!").

Best,
Ben

Yeah sorry about that one…obviously the fix was the right thing to
do, since we weren’t matching MRI’s encryption/decryption, but it does
mean pre-fix encoded data will have an issue. Thanks for posting your
story; hopefully others will see it if they run into issues.

- Charlie

On Thu, Apr 4, 2013 at 7:20 PM, Ben Porterfield

Thanks Charlie! Definitely an understandable change.

Additional point for those like me who are less familiar with encryption:
as noted here (Class: OpenSSL::Cipher (Ruby 1.9.3)), I should probably be
using a custom IV for each encryption and this would then not be a problem.
I think my specific use case doesn’t really require it, but it’s probably
poor form no matter what.

On Thu, Apr 4, 2013 at 5:33 PM, Charles Oliver N.
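
The migration the thread points to, as an added example that is not code from the original posts or from JRuby: read values written under the old default IV by setting that IV explicitly, then re-encrypt them with a fresh random IV stored in front of the ciphertext. Assumptions: the old default is taken to be the first 16 bytes (one AES block) of the string quoted in the first post, and the `IV || ciphertext` layout and all function names are hypothetical.

```ruby
require "openssl"

IV_LEN = 16 # AES block size in bytes

# Assumption: the pre-1.7.2 default IV is the first block of the string
# quoted in the post, truncated to the cipher's IV length.
LEGACY_IV = "OpenSSL for JRuby rulez!".byteslice(0, IV_LEN).freeze

# AES-128-CBC with the mode, key and IV all set explicitly, so the result
# does not depend on any implementation default.
def aes_cbc(mode, key, iv, data)
  c = OpenSSL::Cipher.new("aes-128-cbc")
  mode == :decrypt ? c.decrypt : c.encrypt
  c.key = key
  c.iv = iv
  c.update(data) + c.final
end

# Read a value that was written without an explicit IV before the change.
def decrypt_legacy(ciphertext, key)
  aes_cbc(:decrypt, key, LEGACY_IV, ciphertext)
end

# New storage layout (hypothetical): random per-message IV, then ciphertext.
def encrypt_v2(plaintext, key)
  iv = OpenSSL::Random.random_bytes(IV_LEN)
  iv + aes_cbc(:encrypt, key, iv, plaintext)
end

def decrypt_v2(blob, key)
  # Need at least the IV plus one ciphertext block.
  raise ArgumentError, "blob too short" if blob.bytesize < IV_LEN * 2
  aes_cbc(:decrypt, key, blob.byteslice(0, IV_LEN), blob.byteslice(IV_LEN..-1))
end

# One-time migration of a stored value from the legacy layout to the new one.
def migrate(legacy_ciphertext, key)
  encrypt_v2(decrypt_legacy(legacy_ciphertext, key), key)
end

# Constructed sample data: a random 16-byte key and a "legacy" value produced
# here with the fixed IV to stand in for a row written before the upgrade.
KEY = OpenSSL::Random.random_bytes(16)
LEGACY_BLOB = aes_cbc(:encrypt, KEY, LEGACY_IV, "hi")
```

With the fixed IV, equal plaintexts under one key always produce equal ciphertexts, which is what the per-message IV removes.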