Bug #6938

[PATCH] Increase DH key size to fix test suite in FIPS mode

Added by Vit Ondruch over 2 years ago. Updated over 2 years ago.

[ruby-core:47326]
Status:Closed
Priority:Normal
Assignee:Martin Bosslet
ruby -v:ruby 2.0.0dev
Backport:

Description

In FIPS mode, DH refuses to generate or use keys with a modulus smaller than 1024 bits. This patch increases the key size to make the test suite pass.

0001-Use-higher-DH-key-moudlus-to-pass-test-with-FIPS-ena.patch (2.64 KB) Vit Ondruch, 08/28/2012 01:23 AM


Related issues

Related to Ruby trunk - Feature #6946: FIPS support? Assigned 08/28/2012

Associated revisions

Revision 36843
Added by emboss over 2 years ago

  • test/openssl/utils.rb test/openssl/test_pair.rb test/openssl/test_pkey_dh.rb: Use 1024 bit DH parameters to satisfy OpenSSL FIPS requirements. Patch by Vit Ondruch. [Bug #6938]

History

#1 Updated by Yui NARUSE over 2 years ago

  • Status changed from Open to Assigned
  • Assignee changed from Martin Dürst to Martin Bosslet

Generating a 1024-bit key takes much more time than a 256-bit one, so it should reuse the key instead of simply replacing like s/256/1024/.

#2 Updated by Vit Ondruch over 2 years ago

  • File 0001-Use-higher-DH-key-moudlus-to-pass-test-with-FIPS-ena.patch added

Hm, actually, it seems that the test_pair one can be entirely dropped. Not sure about the test_pkey_dh.rb, since they are testing directly the DH algorithm.

#3 Updated by Vit Ondruch over 2 years ago

  • File deleted (0001-Use-higher-DH-key-moudlus-to-pass-test-with-FIPS-ena.patch)

#4 Updated by Vit Ondruch over 2 years ago

I'm now using the cached key. I hope I did not degrade the quality of the TS too much.

#5 Updated by Vit Ondruch over 2 years ago

  • File deleted (0001-Use-higher-DH-key-moudlus-to-pass-test-with-FIPS-ena.patch)

#6 Updated by Martin Bosslet over 2 years ago

Yes, better with the cached key. Thanks for the patch!

#7 Updated by Anonymous over 2 years ago

  • Status changed from Assigned to Closed
  • % Done changed from 0 to 100

This issue was solved with changeset r36843.
Vit, thank you for reporting this issue.
Your contribution to Ruby is greatly appreciated.
May Ruby be with you.


  • test/openssl/utils.rb test/openssl/test_pair.rb test/openssl/test_pkey_dh.rb: Use 1024 bit DH parameters to satisfy OpenSSL FIPS requirements. Patch by Vit Ondruch. [Bug #6938]

#8 Updated by Yui NARUSE over 2 years ago

Why doesn't TEST_KEY_DH1024 in test/openssl/utils.rb use the cache?

#9 Updated by Martin Bosslet over 2 years ago

Why doesn't TEST_KEY_DH1024 in test/openssl/utils.rb use the cache?

Unfortunately DH doesn't allow serialization of the private exponent out of the box like the other PKeys do. But 1024-bit generation is eating up a lot of time, way too much for tests IMO. And what's worse, I saw that the "test-all" target for one run on rubyci timed out. I'm currently looking for a way to still be able to serialize DH keys including the private exponent to solve this.

#10 Updated by Martin Bosslet over 2 years ago

OK, I found a way to use a cached key (r36881). This still leaves us with the problem that "test_new" in test_pkey_dh.rb consumes a lot of time. But I think I found a way to handle this cleanly (cf. #6946).
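An added illustration (not the ticket's patch and not Ruby's test/openssl code) of the approach the thread converges on: keep one fixed 1024-bit DH parameter set in a cache and derive a fresh key pair from it per test, since parameter generation is the slow part and, as #9 notes, DH private exponents could not be serialized back then. It assumes Ruby's openssl gem; the prime is the 1024-bit MODP group from RFC 2409 with generator 2, and the helper names are mine.

```ruby
require "openssl"

# Fixed 1024-bit DH group: RFC 2409 "second Oakley group" (MODP 1024), generator 2.
# Reusing a published group means no slow parameter generation at test time.
MODP_1024_P_HEX = <<~HEX.delete(" \n")
  FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
  020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
  4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
  EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF
HEX

FIPS_MIN_DH_BITS = 1024 # the floor the ticket describes (2012-era OpenSSL FIPS mode)

# Build a parameters-only DH object from p and g through a DER DHparams SEQUENCE,
# memoised so every caller gets the same object (the "cached key" of the thread).
def cached_dh_params
  @cached_dh_params ||= begin
    p = OpenSSL::BN.new(MODP_1024_P_HEX, 16)
    g = OpenSSL::BN.new(2)
    der = OpenSSL::ASN1::Sequence.new([OpenSSL::ASN1::Integer.new(p),
                                       OpenSSL::ASN1::Integer.new(g)]).to_der
    OpenSSL::PKey::DH.new(der)
  end
end

# The check FIPS mode applies implicitly: refuse a modulus below the floor.
def fips_acceptable?(params, min_bits = FIPS_MIN_DH_BITS)
  params.p.num_bits >= min_bits
end

# Derive a fresh key pair from the cached parameters (one modular exponentiation,
# cheap). The openssl gem changed this API: >= 3.0 returns a new object, older
# versions generate into a mutable copy.
def fresh_dh_key(params)
  if OpenSSL::PKey.respond_to?(:generate_key)
    OpenSSL::PKey.generate_key(params)
  else
    OpenSSL::PKey::DH.new(params.to_der).generate_key!
  end
end

# Plain DH agreement between two keys that share the same parameters.
def shared_secret(my_key, peer_key)
  my_key.compute_key(peer_key.pub_key)
end

if __FILE__ == $PROGRAM_NAME
  params = cached_dh_params
  puts "p is #{params.p.num_bits} bits, FIPS-acceptable: #{fips_acceptable?(params)}"
  alice, bob = fresh_dh_key(params), fresh_dh_key(params)
  puts "agreement ok: #{shared_secret(alice, bob) == shared_secret(bob, alice)}"
end
```

Current FIPS modules set the floor at 2048 bits, so today the cache would hold a larger group and `fips_acceptable?(params, 2048)` fails for this one.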

#11 Updated by Yui NARUSE over 2 years ago

MartinBosslet (Martin Bosslet) wrote:

OK, I found a way to use a cached key (r36881). This still leaves us with the problem that "test_new" in test_pkey_dh.rb consumes a lot of time. But I think I found a way to handle this cleanly (cf. #6946).

Great!
I thought test_new is unavoidable.