Bug #6938
closed[PATCH] Increase DH key size to fix test suite in FIPS mode
Description
In FIPS mode, DH refuses to generate or use keys with modulus smaller than 1024 bits. This patch increases the key size to make the test suite pass.
Files
Updated by naruse (Yui NARUSE) about 12 years ago
- Status changed from Open to Assigned
- Assignee changed from duerst (Martin Dürst) to MartinBosslet (Martin Bosslet)
Generating 1024bit key takes much more time then 256bit, so it should reuse the key
instead of simply replacing like s/256/1024/.
Updated by vo.x (Vit Ondruch) about 12 years ago
- File 0001-Use-higher-DH-key-moudlus-to-pass-test-with-FIPS-ena.patch added
Hm, actually, it seems that the test_pair one can be entirely dropped. Not sure about the test_pkey_dh.rb, since they are testing directly the DH algorithm.
Updated by vo.x (Vit Ondruch) about 12 years ago
- File deleted (
0001-Use-higher-DH-key-moudlus-to-pass-test-with-FIPS-ena.patch)
Updated by vo.x (Vit Ondruch) about 12 years ago
- File 0001-Use-higher-DH-key-moudlus-to-pass-test-with-FIPS-ena.patch 0001-Use-higher-DH-key-moudlus-to-pass-test-with-FIPS-ena.patch added
I'm using now the cached key. I hope I did not degraded the quality of TS too much.
Updated by vo.x (Vit Ondruch) about 12 years ago
- File deleted (
0001-Use-higher-DH-key-moudlus-to-pass-test-with-FIPS-ena.patch)
Updated by MartinBosslet (Martin Bosslet) about 12 years ago
Yes, better with the cached key. Thanks for the patch!
Updated by Anonymous about 12 years ago
- Status changed from Assigned to Closed
- % Done changed from 0 to 100
This issue was solved with changeset r36843.
Vit, thank you for reporting this issue.
Your contribution to Ruby is greatly appreciated.
May Ruby be with you.
- test/openssl/utils.rb
test/openssl/test_pair.rb
test/openssl/test_pkey_dh.rb: Use 1024 bit DH parameters to satisfy
OpenSSL FIPS requirements. Patch by Vit Ondruch.
[Bug #6938] [ruby-core:47326]
Updated by naruse (Yui NARUSE) about 12 years ago
Why TEST_KEY_DH1024 in test/openssl/utils.rb doesn't use cache?
Updated by MartinBosslet (Martin Bosslet) about 12 years ago
Why TEST_KEY_DH1024 in test/openssl/utils.rb doesn't use cache?
Unfortunately DH doesn't allow serialization of the private exponent out of the box like the other PKeys do. But 1024 bits generation is eating up a lot of time, way too much for tests IMO. And what's worse, I saw that the "test-all" target for one run on rubyci timed out. I'm currently looking for a way to still be able to serialize DH keys including the private exponent to solve this.
Updated by MartinBosslet (Martin Bosslet) about 12 years ago
OK, I found a way to use a cached key (r36881). This still leaves us with the problem that "test_new" in test_pkey_dh.rb consumes a lot of time. But I think I found a way how to handle this cleanly (cf. #6946).
Updated by naruse (Yui NARUSE) about 12 years ago
MartinBosslet (Martin Bosslet) wrote:
OK, I found a way to use a cached key (r36881). This still leaves us with the problem that "test_new" in test_pkey_dh.rb consumes a lot of time. But I think I found a way how to handle this cleanly (cf. #6946).
Great!
I thought test_new is unavoidable.