diff options
| author | Jun Aruga <jaruga@redhat.com> | 2025-08-29 16:57:12 +0100 |
|---|---|---|
| committer | git <svn-admin@ruby-lang.org> | 2025-09-17 12:33:01 +0000 |
| commit | 73b08ff423fb1f1779d5e17f47b0fb5478021151 (patch) | |
| tree | b9054736f762189ecb91d323ef62b18c06f049e6 /test/ruby/test_stack.rb | |
| parent | a1f39b4b807a5412181ca3f1bf87e7c7d2d9f542 (diff) | |
[ruby/openssl] Fix test_ssl.rb in FIPS.
test_post_connect_check_with_anon_ciphers:
test_tmp_dh_callback:
test_tmp_dh:
DH missing the q value on unknown named parameters (ciphers) is not
FIPS-approved, according to the FIPS-186-4 APPENDIX B: Key Pair Generation -
B.1.1 Key Pair Generation Using Extra Random Bits, the inputs p, q, and g are
required. However, TLS doesn't send q.
https://csrc.nist.gov/pubs/fips/186-4/final
OpenSSL has a special workaround to recover the missing "q" value for known
named parameters, which is the reason why other tests that use the default
parameters in `lib/openssl/ssl.rb` are working.
Note that the test_post_connect_check_with_anon_ciphers test got the following error on
`OpenSSL.debug = true` in FIPS.
```
/home/jaruga/var/git/ruby/openssl/lib/openssl/ssl.rb:551: warning: error on stack: error:0A0C0103:SSL routines:tls_construct_server_key_exchange:internal error
```
test_get_ephemeral_key:
kRSA (PKCS1-v1_5 padding) is not allowed in FIPS according to the
NIST SP 800-131A Rev. 2 - 6 Key Agreement and Key Transport Using RSA -
Table 5: Approval Status for the RSA-based Key Agreement and Key Transport
Schemes - PKCS1-v1_5 padding - Disallowed after 2023
https://csrc.nist.gov/pubs/sp/800/131/a/r2/final
Note that the test_get_ephemeral_key test got the following error on
`OpenSSL.debug = true` in FIPS.
```
test/openssl/test_ssl.rb:2326: warning: error on stack: error:1C8000A8:Provider routines:rsa_encrypt:invalid padding mode
```
https://github.com/ruby/openssl/commit/ac3559e51e
Diffstat (limited to 'test/ruby/test_stack.rb')
0 files changed, 0 insertions, 0 deletions