-
Notifications
You must be signed in to change notification settings - Fork 171
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix test_pkey_dh.rb in FIPS. #694
Conversation
d9ed13e
to
f8113e4
Compare
According to the https://www.openssl.org/source/ - OpenSSL 3.0.8 security policy pdf document page 25, the following part doesn't include 1024 bit for DH public key. I guess that's why the
|
test/openssl/test_pkey_dh.rb
Outdated
EOF | ||
assert_same_dh dh_params, key | ||
|
||
pem = Fixtures.pkey_str(KEY_NAME) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This was deliberately hard-coded so that we wouldn't accidentally modify the file content without noticing.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK. I changed to use the hardcored key name instead of KEY_NAME
now.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm sorry that the comment location was pretty confusing. I was referring to the deleted PEM-encoded string.
Other test cases may depend on the specific parameters/key[*]. Accidentally modifying the content of dh2048_ffdhe2048.pem
could lead to multiple test cases failing. I think it's useful to have a very basic test case that can work as a sanity check against it.
[*] Actually, this isn't the case for test_pkey_dh.rb
- in other words, DH is under-tested. We should have at least an assert_equal
test against the result of DH#derive
using known test vectors. An example in test_pkey_rsa.rb
is test_sign_verify
which depends on the specific key rsa1024.pem
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah all right. You were talking about the deleted PEM-encoded string. No worry. I just misundertood it. I will revert the change.
- pem = <<~EOF
- -----BEGIN DH PARAMETERS-----
- MIGHAoGBAKnKQ8MNK6nYZzLrrcuTsLxuiJGXoOO5gT+tljOTbHBuiktdMTITzIY0
- pFxIvjG05D7HoBZQfrR0c92NGWPkAiCkhQKB8JCbPVzwNLDy6DZ0pmofDKrEsYHG
- AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOPeVkJ8ePao0eLAgEC
- -----END DH PARAMETERS-----
- EOF
Do you want to me to hard-code "dh2048_ffdhe2048"
in each part in the test_pkey_dh.rb
file? Or can I use the KEY_NAME
?
KEY_NAME = "dh2048_ffdhe2048"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it's useful to have a very basic test case that can work as a sanity check against it.
I hope that we will add the basic test case in another PR after this PR will be merged, as I want to focus on this PR's subject to pass the test_pkey_dh.rb
in FIPS.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do you want to me to hard-code
"dh2048_ffdhe2048"
in each part in thetest_pkey_dh.rb
file? Or can I use theKEY_NAME
?KEY_NAME = "dh2048_ffdhe2048"
I will go ahead with the hard-coded "dh2048_ffdhe2048"
in each part for now.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you, it looks good to me!
Do you want to me to hard-code
"dh2048_ffdhe2048"
in each part in thetest_pkey_dh.rb
file? Or can I use theKEY_NAME
?
I didn't have an opinion on this. Either style seems good as long as we're consistent.
f8113e4
to
857943a
Compare
I rebased this PR fixing by the review and updating the commit message. Now I see the CI failures in OpenSSL 1.1.0 and 1.0.0 and LibreSSL 3.4, 3.3, 3.2 and 3.1. I am trying to debug the issue by installing OpenSSL 1.1.0 on my local. Please let me know if you have an idea of how to fix it. Thank you. https://github.com/ruby/openssl/actions/runs/6866516958/job/18672914263?pr=694#step:12:638
|
After a bit of Then LibreSSL 3.5.0 imported the patch: libressl/openbsd@c537641 According to the original PR openssl/openssl#9435, the main motivation actually was to let RFC 7919 groups pass I feel it's safe to simply skip the test case on older versions of OpenSSL based on the version number, considering that they are all EOL now. |
Thanks for debugging the issue. I debugged with the following reproducing scripts. The
The script prints
First, I compared how the The process is different in the following part. openssl/ext/openssl/ossl_pkey_dh.c Lines 330 to 346 in fac5cac
In the case of the OpenSSL 3.3.0-dev, OpenSSL 1.1.1w where the In the case of the
I prepared the
The script prints
So, I checked what proces makes the difference of the case between The process making a result was the following part. https://github.com/openssl/openssl/blob/OpenSSL_1_1_0l/crypto/dh/dh_check.c#L110 With the
With the
So, I thought the This result supports your investigation? Is the |
857943a
to
fb61ba3
Compare
OK. I confirmed that the
|
Perhaps, are you talking about |
fb61ba3
to
f90b9b5
Compare
OK. I skipped the test in OpenSSL 1.1.1c or early versions. I see one test is failing randomly in https://github.com/ruby/openssl/actions/runs/6894315128/job/18755841590?pr=694 |
We use dh2048_ffdhe2048.pem file (DH 2048 bits) instead of dh1024.pem file in both non-FIPS and FIPS cases. Because the following command fails to generate the pem file with 1024 bits. And the OpenSSL FIPS 140-2 security policy document explains the DH public keys are allowed from 2048 bits.[1] ``` $ OPENSSL_CONF=/home/jaruga/.local/openssl-3.3.0-dev-fips-debug-1aa08644ec/ssl/openssl_fips.cnf \ /home/jaruga/.local/openssl-3.3.0-dev-fips-debug-1aa08644ec/bin/openssl \ dhparam -out dh1024.pem 1024 Generating DH parameters, 1024 bit long safe prime dhparam: Generating DH key parameters failed ``` The dh2048_ffdhe2048.pem file was created by the following command with the OpenSSL FIPS configuration file. The logic to generate the DH pem file is different between non-FIPS and FIPS cases. In FIPS, it seems that the command always returns the text defined as ffdhe2048 in the FFDHE groups in RFC 7919 unlike non-FIPS.[2] As the generated pem file is a normal and valid PKCS#3-style group parameter, we use the file for the non-FIPS case too. ``` $ OPENSSL_CONF=/home/jaruga/.local/openssl-3.3.0-dev-fips-debug-1aa08644ec/ssl/openssl_fips.cnf \ /home/jaruga/.local/openssl-3.3.0-dev-fips-debug-1aa08644ec/bin/openssl \ dhparam -out dh2048_ffdhe2048.pem 2048 ``` Note that the hard-coded PEM-encoded string in the `test_DHparams` is intentional to avoid modifying the content unintentionally. * [1] https://www.openssl.org/source/ - OpenSSL 3.0.8 FIPS 140-2 security policy document page 25, Table 10 – Public Keys - DH Public - DH (2048/3072/4096/6144/8192) public key agreement key * [2] RFC7919 - Appendix A.1: ffdhe2048 https://www.rfc-editor.org/rfc/rfc7919#appendix-A.1
f90b9b5
to
6a4ff26
Compare
Now this PR is ready for reviewing again. After rebasing the failure above was gone. Could you review it? |
Sorry for taking a long time to get back on this. The change looks good to me! Thanks. |
Okay. Thank you for reviewing! |
This PR is to fix
test/openssl/test_pkey_dh.rb
in FIPS case. Initially I was thinking to fix othertest/openssl/test_pkey*.rb
files in this PR too. However, the modification is bigger than I thought. So, this PR is only fortest/openssl/test_pkey_dh.rb
to make us review easily.Related issue: #692
Add dh2048_fips.pem file (DH 2048 bits) in FIPS case, because a logic to generate the pem file in FIPS module is different from the logic in non-FIPS default behavior.
Created the DH file with 2048 bits, because the following command failed to generate the DH 1024 bits pem file in FIPS.
The dh2048_fips.pem file was created by the following command.