author: Kazuki Yamaguchi <[email protected]> 2024-09-05 19:45:31 +0900
committer: git <[email protected]> 2024-10-31 08:31:16 +0000
commit: 27d77a9c73009c94864214c684faac38278398c2 (patch)
tree: 976194f0319b2d24a9c7ae2b71b13d600591a8b3 /test
parent: 339a8dd5e7da99e82129bcb7f8191f870e0866aa (diff)
[ruby/openssl] pkcs7: remove default cipher from PKCS7.encrypt
Require that users explicitly specify the desired algorithm. In my opinion, we are not in a position to specify the default cipher.

When OpenSSL::PKCS7.encrypt is given only two arguments, it uses "RC2-40-CBC" as the symmetric cipher algorithm. 40-bit RC2 is a US export-grade cipher and considered insecure.

Although this is technically a breaking change, the impact should be minimal. Even when OpenSSL is compiled with RC2 support and the macro OPENSSL_NO_RC2 is not defined, it will not actually work on modern systems because RC2 is part of the legacy provider.

https://github.com/ruby/openssl/commit/439f456bfa
Diffstat (limited to 'test')
-rw-r--r-- test/openssl/test_pkcs7.rb 5
1 files changed, 5 insertions, 0 deletions
diff --git a/test/openssl/test_pkcs7.rb b/test/openssl/test_pkcs7.rb
index c049ed444a..862716b4d8 100644
--- a/test/openssl/test_pkcs7.rb
+++ b/test/openssl/test_pkcs7.rb
@@ -153,6 +153,11 @@ class OpenSSL::TestPKCS7 < OpenSSL::TestCase
assert_equal(data, p7.decrypt(@rsa1024, @ee2_cert))
assert_equal(data, p7.decrypt(@rsa1024))
+
+ # Default cipher has been removed in v3.3
+ assert_raise_with_message(ArgumentError, /RC2-40-CBC/) {
+ OpenSSL::PKCS7.encrypt(certs, data)
+ }
end
def test_empty_signed_data_ruby_bug_19974
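
Review bot: The new assertion at the end of this test exercises only the two-argument call `OpenSSL::PKCS7.encrypt(certs, data)`, so a caller who passes the cipher position explicitly as nil (for example to reach a later argument) is not covered. If that form is also meant to be rejected, add a second `assert_raise_with_message` for it so the old RC2-40-CBC fallback cannot return through that path. Matching on `/RC2-40-CBC/` also ties the test to the wording of the error message; a short comment saying the message is expected to name the former default would make that intent clear to whoever edits the message later. Finally, the check is appended to a test whose earlier lines assert on `p7.decrypt`, so a regression here would show up as a failure of the decrypt test; a dedicated test method would isolate it.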