-
Notifications
You must be signed in to change notification settings - Fork 29.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
test: fix invalid modulesLength during DSA keygen #23732
Conversation
During key generation, the default dsa_builtin_paramgen will reset modulusLength to 512. But in dsa_builtin_paramgen2 this does not happen, leading to lockup in FIPS mode. Refs: nodejs#23430
Thanks @AdamMajer. Other than this, did the tests pass on FIPS? |
So far I've only run it with OpenSSL that has fips option enabled, but not on system running in FIPS mode. Having said that, all crypto related tests pass. |
@@ -182,7 +182,7 @@ function convertDERToPEM(label, der) { | |||
{ | |||
// Test async DSA key generation. | |||
generateKeyPair('dsa', { | |||
modulusLength: 256, | |||
modulusLength: 512, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me.
(UPDATE: Previous suggestion removed because I'm not actually sure it's correct and I don't have the ability to test it. It adds complexity anyway, so whatevs.)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IIUC, openssl just internally increases 256 to 512 (when not FIPs), so always using 512 is no slower and more clear.
Resume Build CI: https://ci.nodejs.org/job/node-test-pull-request/17979/ ✔️ |
Landed in a88ca52. |
During key generation, the default dsa_builtin_paramgen will reset modulusLength to 512. But in dsa_builtin_paramgen2 this does not happen, leading to lockup in FIPS mode. PR-URL: #23732 Refs: #23430 Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de>
During key generation, the default dsa_builtin_paramgen will reset modulusLength to 512. But in dsa_builtin_paramgen2 this does not happen, leading to lockup in FIPS mode. PR-URL: #23732 Refs: #23430 Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de>
During key generation, the default dsa_builtin_paramgen will reset modulusLength to 512. But in dsa_builtin_paramgen2 this does not happen, leading to lockup in FIPS mode. PR-URL: #23732 Refs: #23430 Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de>
During key generation, the default dsa_builtin_paramgen will reset modulusLength to 512. But in dsa_builtin_paramgen2 this does not happen, leading to lockup in FIPS mode. PR-URL: #23732 Refs: #23430 Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de>
During key generation, the default dsa_builtin_paramgen will reset modulusLength to 512. But in dsa_builtin_paramgen2 this does not happen, leading to lockup in FIPS mode. PR-URL: #23732 Refs: #23430 Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de>
In #23430, key sizes were reduced to speed up the test. Unfortunately this resulted in invalid DSA key generation parameters.
In standard build of OpenSSL, key generation uses dsa_builtin_paramgen and that will reset modulusLength to 512. But in dsa_builtin_paramgen2, used in FIPS, this does not happen, leading to an infinite loop and test failure.
Checklist
make -j4 test
(UNIX), orvcbuild test
(Windows) passes