github
/
ruby
зеркало из https://github.com/github/ruby.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
ruby/test/openssl
История
Jun Aruga 543dd74049 Fix test_pkey_dh.rb in FIPS. 
We use dh2048_ffdhe2048.pem file (DH 2048 bits) instead of dh1024.pem file in
both non-FIPS and FIPS cases. Because the following command fails to generate
the pem file with 1024 bits. And the OpenSSL FIPS 140-2 security policy
document explains the DH public keys are allowed from 2048 bits.[1]

```
$ OPENSSL_CONF=/home/jaruga/.local/openssl-3.3.0-dev-fips-debug-1aa08644ec/ssl/openssl_fips.cnf \
  /home/jaruga/.local/openssl-3.3.0-dev-fips-debug-1aa08644ec/bin/openssl \
  dhparam -out dh1024.pem 1024
Generating DH parameters, 1024 bit long safe prime
dhparam: Generating DH key parameters failed
```

The dh2048_ffdhe2048.pem file was created by the following command with the
OpenSSL FIPS configuration file. The logic to generate the DH pem file is
different between non-FIPS and FIPS cases. In FIPS, it seems that the command
always returns the text defined as ffdhe2048 in the FFDHE groups in RFC 7919
unlike non-FIPS.[2]

As the generated pem file is a normal and valid PKCS#3-style group parameter, we
use the file for the non-FIPS case too.

```
$ OPENSSL_CONF=/home/jaruga/.local/openssl-3.3.0-dev-fips-debug-1aa08644ec/ssl/openssl_fips.cnf \
  /home/jaruga/.local/openssl-3.3.0-dev-fips-debug-1aa08644ec/bin/openssl \
  dhparam -out dh2048_ffdhe2048.pem 2048
```

Note that the hard-coded PEM-encoded string in the `test_DHparams` is
intentional to avoid modifying the content unintentionally.

* [1] https://www.openssl.org/source/ - OpenSSL 3.0.8 FIPS 140-2 security
  policy document page 25, Table 10 – Public Keys - DH Public
  - DH (2048/3072/4096/6144/8192) public key agreement key
* [2] RFC7919 - Appendix A.1: ffdhe2048
  https://www.rfc-editor.org/rfc/rfc7919#appendix-A.1
 		2023-11-25 10:12:28 +00:00
..
fixtures/pkey Fix test_pkey_dh.rb in FIPS. 2023-11-25 10:12:28 +00:00
test_asn1.rb [ruby/openssl] test/openssl/test_asn1.rb: remove pend for unsupported LibreSSL versions 2022-12-23 09:39:15 +09:00
test_bn.rb [ruby/openssl] Fix modular square root test with LibreSSL >= 3.8 2023-06-19 01:57:09 +09:00
test_buffering.rb Import openssl-2.2.0 (#2693) 2020-02-16 15:21:29 +09:00
test_cipher.rb [ruby/openssl] Use openssl? instead of OpenSSL::OPENSSL_VERSION_NUMBER. 2023-08-16 14:48:42 +09:00
test_config.rb [ruby/openssl] config: relax test assertions against error messages 2023-08-16 14:48:41 +09:00
test_digest.rb [ruby/openssl] Prefer String#unpack1 2023-09-06 19:24:53 +09:00
test_engine.rb [ruby/openssl] Remove OSSL_DEBUG compile-time option 2023-09-06 19:20:57 +09:00
test_fips.rb [ruby/openssl] test_fips.rb: Fix the `OpenSSL.fips_mode` affecting other tests. 2023-09-21 18:04:55 +00:00
test_hmac.rb [ruby/openssl] Revert "Skip OpenSSL::TestHMAC#test_dup when running with RHEL9" 2023-05-19 09:25:11 +09:00
test_kdf.rb Import openssl-2.2.0 (#2693) 2020-02-16 15:21:29 +09:00
test_ns_spki.rb [ruby/openssl] Prefer String#unpack1 2023-09-06 19:24:53 +09:00
test_ocsp.rb [ruby/openssl] Let OpenSSL choose the digest if digest for Openssl::OCSP::BasicResponse#sign is nil. 2022-07-08 23:18:22 +09:00
test_ossl.rb [ruby/openssl] test/openssl/test_ossl.rb: relax assertion for error messages 2023-09-06 19:30:55 +09:00
test_pair.rb [ruby/openssl] test/openssl/test_ssl.rb: do not run SSL tests if not available 2022-12-23 09:39:15 +09:00
test_pkcs7.rb [ruby/openssl] pkcs7: keep private key when duplicating PKCS7_SIGNER_INFO 2021-03-31 18:05:07 +09:00
test_pkcs12.rb [ruby/openssl] Prefer String#unpack1 2023-09-06 19:24:53 +09:00
test_pkey.rb [ruby/openssl] test_pkey.rb: Refactor the test_ed25519 on FIPS. 2023-09-21 18:04:55 +00:00
test_pkey_dh.rb Fix test_pkey_dh.rb in FIPS. 2023-11-25 10:12:28 +00:00
test_pkey_dsa.rb [ruby/openssl] Prefer String#unpack1 2023-09-06 19:24:53 +09:00
test_pkey_ec.rb [ruby/openssl] Fix test_pkey_ec.rb on FIPS. 2023-09-21 18:04:56 +00:00
test_pkey_rsa.rb [ruby/openssl] Prefer String#unpack1 2023-09-06 19:24:53 +09:00
test_provider.rb [ruby/openssl] Remove OSSL_DEBUG compile-time option 2023-09-06 19:20:57 +09:00
test_random.rb Import openssl-2.2.0 (#2693) 2020-02-16 15:21:29 +09:00
test_ssl.rb [ruby/openssl] ssl: raise SSLError if loading ca_file or ca_path fails 2023-08-16 14:48:41 +09:00
test_ssl_session.rb [ruby/openssl] Prefer String#unpack1 2023-09-06 19:24:53 +09:00
test_ts.rb [ruby/openssl] fix segv in Timestamp::{Request,Response,TokenInfo}.new 2021-10-16 18:34:35 +09:00
test_x509attr.rb Import openssl-2.2.0 (#2693) 2020-02-16 15:21:29 +09:00
test_x509cert.rb [ruby/openssl] Use SHA256 instead of SHA1 where needed in tests. 2022-12-13 18:07:41 +09:00
test_x509crl.rb [ruby/openssl] Use SHA256 instead of SHA1 where needed in tests. 2022-12-13 18:07:41 +09:00
test_x509ext.rb [ruby/openssl] Exact checks with `assert_include` 2023-10-06 09:45:20 +00:00
test_x509name.rb [ruby/openssl] Look up digest by name instead of constant 2020-05-13 15:47:51 +09:00
test_x509req.rb [ruby/openssl] Use SHA256 instead of SHA1 where needed in tests. 2022-12-13 18:07:41 +09:00
test_x509store.rb [ruby/openssl] test: adjust test cases for LibreSSL 3.2.4 2021-03-16 19:37:06 +09:00
ut_eof.rb [ruby/openssl] Add SSLSocket#getbyte 2021-07-18 17:44:53 +09:00
utils.rb Fix test_pkey_dh.rb in FIPS. 2023-11-25 10:12:28 +00:00