Bug #6938

[PATCH] Increase DH key size to fix test suite in FIPS mode

Added by vo.x (Vit Ondruch) almost 5 years ago. Updated almost 5 years ago.

Status:
Closed
Priority:
Normal
Target version:
-
ruby -v:
ruby 2.0.0dev
[ruby-core:47326]

Description

In FIPS mode, DH refuses to generate or use keys with modulus smaller than 1024 bits. This patch increases the key size to make the test suite pass.


Related issues

Related to Ruby trunk - Feature #6946: FIPS support? (Assigned)

Associated revisions

Revision 36843
Added by emboss almost 5 years ago

  • test/openssl/utils.rb test/openssl/test_pair.rb test/openssl/test_pkey_dh.rb: Use 1024 bit DH parameters to satisfy OpenSSL FIPS requirements. Patch by Vit Ondruch. [Bug #6938]

History

#1 [ruby-core:47328] Updated by naruse (Yui NARUSE) almost 5 years ago

  • Status changed from Open to Assigned
  • Assignee changed from duerst (Martin Dürst) to MartinBosslet (Martin Bosslet)

Generating a 1024-bit key takes much more time than a 256-bit one, so it should reuse the key instead of simply replacing like s/256/1024/.

#2 [ruby-core:47333] Updated by vo.x (Vit Ondruch) almost 5 years ago

  • File 0001-Use-higher-DH-key-moudlus-to-pass-test-with-FIPS-ena.patch added

Hm, actually, it seems that the test_pair one can be entirely dropped. Not sure about test_pkey_dh.rb, since those tests exercise the DH algorithm directly.

#3 Updated by vo.x (Vit Ondruch) almost 5 years ago

  • File deleted (0001-Use-higher-DH-key-moudlus-to-pass-test-with-FIPS-ena.patch)

#5 Updated by vo.x (Vit Ondruch) almost 5 years ago

  • File deleted (0001-Use-higher-DH-key-moudlus-to-pass-test-with-FIPS-ena.patch)

#6 [ruby-core:47335] Updated by MartinBosslet (Martin Bosslet) almost 5 years ago

Yes, better with the cached key. Thanks for the patch!

#7 Updated by Anonymous almost 5 years ago

  • Status changed from Assigned to Closed
  • % Done changed from 0 to 100

This issue was solved with changeset r36843.
Vit, thank you for reporting this issue.
Your contribution to Ruby is greatly appreciated.
May Ruby be with you.
  • test/openssl/utils.rb test/openssl/test_pair.rb test/openssl/test_pkey_dh.rb: Use 1024 bit DH parameters to satisfy OpenSSL FIPS requirements. Patch by Vit Ondruch. [Bug #6938]

#8 [ruby-core:47388] Updated by naruse (Yui NARUSE) almost 5 years ago

Why TEST_KEY_DH1024 in test/openssl/utils.rb doesn't use cache?

#9 [ruby-core:47393] Updated by MartinBosslet (Martin Bosslet) almost 5 years ago

Why TEST_KEY_DH1024 in test/openssl/utils.rb doesn't use cache?

Unfortunately DH doesn't allow serialization of the private exponent out of the box like the other PKeys do. But 1024 bits generation is eating up a lot of time, way too much for tests IMO. And what's worse, I saw that the "test-all" target for one run on rubyci timed out. I'm currently looking for a way to still be able to serialize DH keys including the private exponent to solve this.
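The three points raised in this ticket (the description's FIPS floor on the DH modulus, naruse's objection in #1 to regenerating a 1024-bit key per test, and the serialization limitation described just above) as one added Ruby example. This is illustration written for this page, not code from ruby/openssl, from r36843 or from r36881. To keep it fast it builds PKCS#3 DHParameter structures around a random prime from OpenSSL::BN.generate_prime rather than the safe prime OpenSSL::PKey::DH.new(bits) searches for, so the resulting parameters are suitable only for size and serialization checks, never for real key agreement; the 1024-bit threshold and the module, method and constant names are assumptions of the example, and 512 bits stands in for the ticket's original 256-bit size as the under-floor case.

```ruby
require "openssl"

# Example module written for this ticket discussion (not part of ruby/openssl).
# Shows: the FIPS modulus floor, caching DH parameters across tests, and the
# fact that DH's PEM/DER encoding carries only p and g, never priv_key.
module DhFixture
  # Floor reported in the ticket for FIPS mode (assumed value for this example).
  FIPS_MIN_MODULUS_BITS = 1024

  # Build a PKCS#3 DHParameter (SEQUENCE { p INTEGER, g INTEGER }) of the
  # requested size. p is a random prime, NOT a safe prime, so this is far
  # cheaper than OpenSSL::PKey::DH.new(bits) and only fit for demonstration.
  def self.build_params(bits, generator: 2)
    p = OpenSSL::BN.generate_prime(bits)
    der = OpenSSL::ASN1::Sequence.new([
      OpenSSL::ASN1::Integer.new(p),
      OpenSSL::ASN1::Integer.new(generator),
    ]).to_der
    OpenSSL::PKey::DH.new(der)
  end

  # The check FIPS mode applies: refuse any modulus shorter than the floor.
  def self.fips_acceptable?(dh, min_bits: FIPS_MIN_MODULUS_BITS)
    dh.p.num_bits >= min_bits
  end

  # Parameter cache keyed by modulus size, so a test run pays the generation
  # cost once instead of once per test (the cost s/256/1024/ would multiply).
  @cache = {}
  @generations = 0

  def self.cached(bits)
    @cache[bits] ||= begin
      @generations += 1
      build_params(bits)
    end
  end

  def self.generations
    @generations
  end

  # Serialize to DER and reload. Only p and g survive: any pub_key/priv_key
  # on the original is gone on the copy, which is the limitation described
  # in comment #9 above.
  def self.roundtrip(dh)
    OpenSSL::PKey::DH.new(dh.to_der)
  end
end

if $PROGRAM_NAME == __FILE__
  small = DhFixture.build_params(512)
  big   = DhFixture.cached(1024)
  puts "512-bit modulus acceptable in FIPS mode?  #{DhFixture.fips_acceptable?(small)}"
  puts "1024-bit modulus acceptable in FIPS mode? #{DhFixture.fips_acceptable?(big)}"
  puts "second lookup reuses cached object?       #{DhFixture.cached(1024).equal?(big)}"
  copy = DhFixture.roundtrip(big)
  puts "p survives DER round trip?                #{copy.p == big.p}"
  puts "priv_key after reload:                    #{copy.priv_key.inspect}"
end
```

Running it shows the 512-bit parameters failing the floor while the 1024-bit ones pass, the second cached lookup returning the very same object, and a nil priv_key on the reloaded copy even though p and g match: that nil is why a cached DH fixture needs the private exponent stored separately from the DHParameter encoding.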

#10 [ruby-core:47395] Updated by MartinBosslet (Martin Bosslet) almost 5 years ago

OK, I found a way to use a cached key (r36881). This still leaves us with the problem that "test_new" in test_pkey_dh.rb consumes a lot of time. But I think I found a way how to handle this cleanly (cf. #6946).

#11 [ruby-core:47398] Updated by naruse (Yui NARUSE) almost 5 years ago

MartinBosslet (Martin Bosslet) wrote:

OK, I found a way to use a cached key (r36881). This still leaves us with the problem that "test_new" in test_pkey_dh.rb consumes a lot of time. But I think I found a way how to handle this cleanly (cf. #6946).

Great!
I thought test_new is unavoidable.
