Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

test_s_generate_parameters: Consider a DSA error in FIPS. #786

Merged
merged 1 commit into from
Aug 16, 2024

Conversation

junaruga
Copy link
Member

This PR fixes the "openssl-master with fips provider" specific failure #785 in CI.


DSA kengen is not FIPS-approved. The EVP_PKEY_paramgen in the OpenSSL::PKey.generate_parameters("DSA") raises a DSA error in FIPS by the following commit.
openssl/openssl@49a35f0#diff-605396c063194975af8ce31399d42690ab18186b422fb5012101cc9132660fe1R611-R614

@junaruga
Copy link
Member Author

There is another failure in the test_ed25519_not_approved_on_fips in "openssl-master with fip provider" case in CI. This test failure is not related to this PR.

https://github.com/ruby/openssl/actions/runs/10405700727/job/28817053622?pr=786#step:11:103

 1) Failure: test_ed25519_not_approved_on_fips(OpenSSL::TestPKey): OpenSSL::PKey::PKeyError expected but nothing was raised.
/home/runner/work/openssl/openssl/vendor/bundle/ruby/3.0.0/gems/test-unit-ruby-core-1.0.6/lib/core_assertions.rb:462:in `assert_raise'
/home/runner/work/openssl/openssl/test/openssl/test_pkey.rb:174:in `test_ed25519_not_approved_on_fips'
     171:     MC4CAQAwBQYDK2VwBCIEIEzNCJso/5banbbDRuwRTg9bijGfNaumJNqM9u1PuKb7
     172:     -----END PRIVATE KEY-----
     173:     EOF
  => 174:     assert_raise(OpenSSL::PKey::PKeyError) do
     175:       OpenSSL::PKey.read(priv_pem)
     176:     end
     177:   end

@junaruga
Copy link
Member Author

There is another failure in the test_ed25519_not_approved_on_fips in "openssl-master with fip provider" case in CI. This test failure is not related to this PR.

I filed this issue on #787.

test/openssl/test_pkey.rb Outdated Show resolved Hide resolved
DSA kengen is not FIPS-approved. The `EVP_PKEY_paramgen` in the
`OpenSSL::PKey.generate_parameters("DSA")` raises a DSA error in FIPS by the
following commit. Split the test for DSA.

openssl/openssl@49a35f0#diff-605396c063194975af8ce31399d42690ab18186b422fb5012101cc9132660fe1R611-R614
@junaruga junaruga force-pushed the wip/EVP_PKEY_paramgen-fips-dsa branch from 5cf7542 to 5ca6eb4 Compare August 15, 2024 17:42
@rhenium rhenium merged commit 3fc8972 into ruby:master Aug 16, 2024
55 of 56 checks passed
@rhenium
Copy link
Member

rhenium commented Aug 16, 2024

Merged, thanks!

@junaruga
Copy link
Member Author

Thanks for your review!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

Successfully merging this pull request may close these issues.

2 participants