Project

General

Profile

Actions

Bug #6938

closed

[PATCH] Increase DH key size to fix test suite in FIPS mode

Added by vo.x (Vit Ondruch) over 11 years ago. Updated over 11 years ago.

Status:
Closed
Target version:
-
ruby -v:
ruby 2.0.0dev
Backport:
[ruby-core:47326]

Description

In FIPS mode, DH refuses to generate or use keys with modulus smaller than 1024 bits. This patch increases the key size to make the test suite pass.


Files


Related issues 1 (1 open0 closed)

Related to Ruby master - Feature #6946: FIPS support?OpenActions

Updated by naruse (Yui NARUSE) over 11 years ago

  • Status changed from Open to Assigned
  • Assignee changed from duerst (Martin Dürst) to MartinBosslet (Martin Bosslet)

Generating 1024bit key takes much more time then 256bit, so it should reuse the key
instead of simply replacing like s/256/1024/.

Updated by vo.x (Vit Ondruch) over 11 years ago

  • File 0001-Use-higher-DH-key-moudlus-to-pass-test-with-FIPS-ena.patch added

Hm, actually, it seems that the test_pair one can be entirely dropped. Not sure about the test_pkey_dh.rb, since they are testing directly the DH algorithm.

Actions #3

Updated by vo.x (Vit Ondruch) over 11 years ago

  • File deleted (0001-Use-higher-DH-key-moudlus-to-pass-test-with-FIPS-ena.patch)

Updated by vo.x (Vit Ondruch) over 11 years ago

I'm using now the cached key. I hope I did not degraded the quality of TS too much.

Actions #5

Updated by vo.x (Vit Ondruch) over 11 years ago

  • File deleted (0001-Use-higher-DH-key-moudlus-to-pass-test-with-FIPS-ena.patch)

Updated by MartinBosslet (Martin Bosslet) over 11 years ago

Yes, better with the cached key. Thanks for the patch!

Actions #7

Updated by Anonymous over 11 years ago

  • Status changed from Assigned to Closed
  • % Done changed from 0 to 100

This issue was solved with changeset r36843.
Vit, thank you for reporting this issue.
Your contribution to Ruby is greatly appreciated.
May Ruby be with you.


  • test/openssl/utils.rb
    test/openssl/test_pair.rb
    test/openssl/test_pkey_dh.rb: Use 1024 bit DH parameters to satisfy
    OpenSSL FIPS requirements. Patch by Vit Ondruch.
    [Bug #6938] [ruby-core:47326]

Updated by naruse (Yui NARUSE) over 11 years ago

Why TEST_KEY_DH1024 in test/openssl/utils.rb doesn't use cache?

Updated by MartinBosslet (Martin Bosslet) over 11 years ago

Why TEST_KEY_DH1024 in test/openssl/utils.rb doesn't use cache?

Unfortunately DH doesn't allow serialization of the private exponent out of the box like the other PKeys do. But 1024 bits generation is eating up a lot of time, way too much for tests IMO. And what's worse, I saw that the "test-all" target for one run on rubyci timed out. I'm currently looking for a way to still be able to serialize DH keys including the private exponent to solve this.

Updated by MartinBosslet (Martin Bosslet) over 11 years ago

OK, I found a way to use a cached key (r36881). This still leaves us with the problem that "test_new" in test_pkey_dh.rb consumes a lot of time. But I think I found a way how to handle this cleanly (cf. #6946).

Updated by naruse (Yui NARUSE) over 11 years ago

MartinBosslet (Martin Bosslet) wrote:

OK, I found a way to use a cached key (r36881). This still leaves us with the problem that "test_new" in test_pkey_dh.rb consumes a lot of time. But I think I found a way how to handle this cleanly (cf. #6946).

Great!
I thought test_new is unavoidable.

Actions

Also available in: Atom PDF

Like0
Like0Like0Like0Like0Like0Like0Like0Like0Like0Like0Like0