[PATCH] Increase DH key size to fix test suite in FIPS mode
In FIPS mode, DH refuses to generate or use keys with modulus smaller than 1024 bits. This patch increases the key size to make the test suite pass.
#1 [ruby-core:47328] Updated by naruse (Yui NARUSE) over 5 years ago
- Status changed from Open to Assigned
- Assignee changed from duerst (Martin Dürst) to MartinBosslet (Martin Bosslet)
Generating 1024bit key takes much more time then 256bit, so it should reuse the key
instead of simply replacing like s/256/1024/.
#4 [ruby-core:47334] Updated by vo.x (Vit Ondruch) over 5 years ago
- File 0001-Use-higher-DH-key-moudlus-to-pass-test-with-FIPS-ena.patch 0001-Use-higher-DH-key-moudlus-to-pass-test-with-FIPS-ena.patch added
I'm using now the cached key. I hope I did not degraded the quality of TS too much.
#7 Updated by Anonymous over 5 years ago
- Status changed from Assigned to Closed
- % Done changed from 0 to 100
This issue was solved with changeset r36843.
Vit, thank you for reporting this issue.
Your contribution to Ruby is greatly appreciated.
May Ruby be with you.
- test/openssl/utils.rb test/openssl/test_pair.rb test/openssl/test_pkey_dh.rb: Use 1024 bit DH parameters to satisfy OpenSSL FIPS requirements. Patch by Vit Ondruch. [Bug #6938]
#9 [ruby-core:47393] Updated by MartinBosslet (Martin Bosslet) over 5 years ago
Why TEST_KEY_DH1024 in test/openssl/utils.rb doesn't use cache?
Unfortunately DH doesn't allow serialization of the private exponent out of the box like the other PKeys do. But 1024 bits generation is eating up a lot of time, way too much for tests IMO. And what's worse, I saw that the "test-all" target for one run on rubyci timed out. I'm currently looking for a way to still be able to serialize DH keys including the private exponent to solve this.