Bug #6938

[PATCH] Increase DH key size to fix test suite in FIPS mode

Added by Vit Ondruch almost 4 years ago. Updated almost 4 years ago.

Status:
Closed
Priority:
Normal
ruby -v:
ruby 2.0.0dev
[ruby-core:47326]

Description

In FIPS mode, DH refuses to generate or use keys with modulus smaller than 1024 bits. This patch increases the key size to make the test suite pass.

0001-Use-higher-DH-key-moudlus-to-pass-test-with-FIPS-ena.patch (2.64 KB) Vit Ondruch, 08/28/2012 01:23 AM


Related issues

Related to Ruby trunk - Feature #6946: FIPS support? Assigned

Associated revisions

Revision 36843
Added by emboss almost 4 years ago

  • test/openssl/utils.rb test/openssl/test_pair.rb test/openssl/test_pkey_dh.rb: Use 1024 bit DH parameters to satisfy OpenSSL FIPS requirements. Patch by Vit Ondruch. [Bug #6938]

History

#1 [ruby-core:47328] Updated by Yui NARUSE almost 4 years ago

  • Status changed from Open to Assigned
  • Assignee changed from Martin Dürst to Martin Bosslet

Generating a 1024-bit key takes much more time than a 256-bit one, so it should reuse the key
instead of simply replacing like s/256/1024/.

#2 [ruby-core:47333] Updated by Vit Ondruch almost 4 years ago

  • File 0001-Use-higher-DH-key-moudlus-to-pass-test-with-FIPS-ena.patch added

Hm, actually, it seems that the test_pair one can be entirely dropped. Not sure about test_pkey_dh.rb, since those tests exercise the DH algorithm directly.

#3 Updated by Vit Ondruch almost 4 years ago

  • File deleted (0001-Use-higher-DH-key-moudlus-to-pass-test-with-FIPS-ena.patch)

#4 [ruby-core:47334] Updated by Vit Ondruch almost 4 years ago

I'm now using the cached key. I hope I did not degrade the quality of the TS too much.

#5 Updated by Vit Ondruch almost 4 years ago

  • File deleted (0001-Use-higher-DH-key-moudlus-to-pass-test-with-FIPS-ena.patch)

#6 [ruby-core:47335] Updated by Martin Bosslet almost 4 years ago

Yes, better with the cached key. Thanks for the patch!

#7 Updated by Anonymous almost 4 years ago

  • Status changed from Assigned to Closed
  • % Done changed from 0 to 100

This issue was solved with changeset r36843.
Vit, thank you for reporting this issue.
Your contribution to Ruby is greatly appreciated.
May Ruby be with you.

#8 [ruby-core:47388] Updated by Yui NARUSE almost 4 years ago

Why doesn't TEST_KEY_DH1024 in test/openssl/utils.rb use the cache?

#9 [ruby-core:47393] Updated by Martin Bosslet almost 4 years ago

Why doesn't TEST_KEY_DH1024 in test/openssl/utils.rb use the cache?

Unfortunately DH doesn't allow serialization of the private exponent out of the box like the other PKeys do. But 1024-bit generation eats up a lot of time, way too much for tests IMO. And what's worse, I saw that the "test-all" target for one run on rubyci timed out. I'm currently looking for a way to still be able to serialize DH keys including the private exponent to solve this.

#10 [ruby-core:47395] Updated by Martin Bosslet almost 4 years ago

OK, I found a way to use a cached key (r36881). This still leaves us with the problem that "test_new" in test_pkey_dh.rb consumes a lot of time. But I think I found a way to handle this cleanly (cf. #6946).

#11 [ruby-core:47398] Updated by Yui NARUSE almost 4 years ago

MartinBosslet (Martin Bosslet) wrote:

OK, I found a way to use a cached key (r36881). This still leaves us with the problem that "test_new" in test_pkey_dh.rb consumes a lot of time. But I think I found a way to handle this cleanly (cf. #6946).

Great!
I thought test_new is unavoidable.
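An added example (not the patch, r36843 or any code from Ruby's test suite) of the approach the thread converges on: fixed 1024-bit DH parameters instead of per-test generation, one cached key pair, a FIPS-style minimum-modulus check, and the limitation noted in #9 that a DH PEM carries no private exponent. It assumes Ruby's openssl gem (2.x or 3.x) and uses the public RFC 2409 1024-bit MODP group as the fixed parameters; the function names are my own.

```ruby
require "openssl"
# Fixed, public 1024-bit MODP group (RFC 2409, Oakley group 2; g = 2): the cached
# approach from the thread, no per-run generation, and it meets the FIPS minimum.
MODP_1024_P_HEX = %w[
  FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
  020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
  4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
  EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF
].join
FIPS_MIN_DH_BITS = 1024
# Build DH parameters by encoding PKCS#3 DHParameter (SEQUENCE { p, g }); this
# works on openssl gem 2.x and 3.x, which differ in post-construction setters.
def dh_params_from(p_hex, g = 2)
  p = OpenSSL::BN.new(p_hex, 16)
  der = OpenSSL::ASN1::Sequence.new([OpenSSL::ASN1::Integer.new(p),
                                     OpenSSL::ASN1::Integer.new(g)]).to_der
  OpenSSL::PKey::DH.new(der)
end

# The rule FIPS mode enforces on DH: refuse moduli below 1024 bits.
def fips_acceptable?(dh)
  dh.p.num_bits >= FIPS_MIN_DH_BITS
end

# Generate a key pair on the parameters; the gem's key-generation API differs by version.
def dh_keypair(params)
  raise ArgumentError, "DH modulus below #{FIPS_MIN_DH_BITS} bits" unless fips_acceptable?(params)
  if OpenSSL::PKey.respond_to?(:generate_key)   # openssl gem >= 3.0, immutable keys
    OpenSSL::PKey.generate_key(params)
  else                                           # openssl gem 2.x, mutating API
    OpenSSL::PKey::DH.new(params.to_der).generate_key!
  end
end

# One key pair per process, as the committed test fix does, so tests never regenerate.
def cached_dh_keypair
  $cached_dh_keypair ||= dh_keypair(dh_params_from(MODP_1024_P_HEX))
end

# The limitation from the thread: DH#to_pem writes parameters only, so the private
# exponent does not survive a PEM round trip (this returns false).
def pem_roundtrip_keeps_private_key?(key)
  !OpenSSL::PKey::DH.new(key.to_pem).priv_key.nil?
end
# Two parties on the fixed group derive the same shared secret.
def shared_secret_matches?
  a, b = cached_dh_keypair, dh_keypair(dh_params_from(MODP_1024_P_HEX))
  a.compute_key(b.pub_key) == b.compute_key(a.pub_key)
end
```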