From 55cb1b5e7084f651961f00bfaf181ba8dcc7d852 Mon Sep 17 00:00:00 2001 From: hsbt Date: Thu, 14 Jan 2016 06:09:19 +0000 Subject: * Remove 512-bit DH group. It's affected by LogJam Attack. https://weakdh.org/ [fix GH-1196][Bug #11968][ruby-core:72766] git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@53531 b2dd03c8-39d4-4d8f-98ff-823fe69b080e --- ChangeLog | 6 ++++++ ext/openssl/lib/openssl/pkey.rb | 8 -------- test/openssl/test_pkey_dh.rb | 14 ++------------ test/openssl/utils.rb | 7 ------- 4 files changed, 8 insertions(+), 27 deletions(-) diff --git a/ChangeLog b/ChangeLog index 468c302307..51416fcd25 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +Thu Jan 14 15:08:43 2016 Tony Arcieri + + * Remove 512-bit DH group. It's affected by LogJam Attack. + https://weakdh.org/ + [fix GH-1196][Bug #11968][ruby-core:72766] + Thu Jan 14 11:44:29 2016 Nobuyoshi Nakada * variable.c (rb_f_global_variables): add $1..$9 only if $~ is diff --git a/ext/openssl/lib/openssl/pkey.rb b/ext/openssl/lib/openssl/pkey.rb index 3f65adadb5..89563b6537 100644 --- a/ext/openssl/lib/openssl/pkey.rb +++ b/ext/openssl/lib/openssl/pkey.rb @@ -4,13 +4,6 @@ module OpenSSL if defined?(OpenSSL::PKey::DH) class DH - DEFAULT_512 = new <<-_end_of_pem_ ------BEGIN DH PARAMETERS----- -MEYCQQD0zXHljRg/mJ9PYLACLv58Cd8VxBxxY7oEuCeURMiTqEhMym16rhhKgZG2 -zk2O9uUIBIxSj+NKMURHGaFKyIvLAgEC ------END DH PARAMETERS----- - _end_of_pem_ - DEFAULT_1024 = new <<-_end_of_pem_ -----BEGIN DH PARAMETERS----- MIGHAoGBAJ0lOVy0VIr/JebWn0zDwY2h+rqITFOpdNr6ugsgvkDXuucdcChhYExJ @@ -23,7 +16,6 @@ T4h7KZ/2zmjvV+eF8kBUHBJAojUlzxKj4QeO2x20FP9X5xmNUXeDAgEC DEFAULT_TMP_DH_CALLBACK = lambda { |ctx, is_export, keylen| warn "using default DH parameters." if $VERBOSE case keylen - when 512 then OpenSSL::PKey::DH::DEFAULT_512 when 1024 then OpenSSL::PKey::DH::DEFAULT_1024 else nil diff --git a/test/openssl/test_pkey_dh.rb b/test/openssl/test_pkey_dh.rb index 9ef4025bee..0ccb2f2552 100644 --- a/test/openssl/test_pkey_dh.rb 
+++ b/test/openssl/test_pkey_dh.rb @@ -7,16 +7,6 @@ class OpenSSL::TestPKeyDH < Test::Unit::TestCase NEW_KEYLEN = 256 - def test_DEFAULT_512 - params = <<-eop ------BEGIN DH PARAMETERS----- -MEYCQQD0zXHljRg/mJ9PYLACLv58Cd8VxBxxY7oEuCeURMiTqEhMym16rhhKgZG2 -zk2O9uUIBIxSj+NKMURHGaFKyIvLAgEC ------END DH PARAMETERS----- - eop - assert_equal params, OpenSSL::PKey::DH::DEFAULT_512.to_s - end - def test_DEFAULT_1024 params = <<-eop -----BEGIN DH PARAMETERS----- @@ -65,14 +55,14 @@ T4h7KZ/2zmjvV+eF8kBUHBJAojUlzxKj4QeO2x20FP9X5xmNUXeDAgEC end def test_generate_key - dh = OpenSSL::TestUtils::TEST_KEY_DH512_PUB.public_key # creates a copy + dh = OpenSSL::TestUtils::TEST_KEY_DH1024.public_key # creates a copy assert_no_key(dh) dh.generate_key! assert_key(dh) end def test_key_exchange - dh = OpenSSL::TestUtils::TEST_KEY_DH512_PUB + dh = OpenSSL::TestUtils::TEST_KEY_DH1024 dh2 = dh.public_key dh.generate_key! dh2.generate_key! diff --git a/test/openssl/utils.rb b/test/openssl/utils.rb index 0802c1ba99..d4f0443511 100644 --- a/test/openssl/utils.rb +++ b/test/openssl/utils.rb @@ -97,13 +97,6 @@ CeBUl+MahZtn9fO1JKdF4qJmS39dXnpENg== end - TEST_KEY_DH512_PUB = OpenSSL::PKey::DH.new <<-_end_of_pem_ ------BEGIN DH PARAMETERS----- -MEYCQQDmWXGPqk76sKw/edIOdhAQD4XzjJ+AR/PTk2qzaGs+u4oND2yU5D2NN4wr -aPgwHyJBiK1/ebK3tYcrSKrOoRyrAgEC ------END DH PARAMETERS----- - _end_of_pem_ - TEST_KEY_DH1024 = OpenSSL::PKey::DH.new <<-_end_of_pem_ -----BEGIN DH PARAMETERS----- MIGHAoGBAKnKQ8MNK6nYZzLrrcuTsLxuiJGXoOO5gT+tljOTbHBuiktdMTITzIY0 -- cgit v1.2.3
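Review bot: In `test_key_exchange` (hunk `@@ -65,14 +55,14 @@` of test/openssl/test_pkey_dh.rb), `dh = OpenSSL::TestUtils::TEST_KEY_DH1024` binds the shared fixture constant itself, so the `dh.generate_key!` that follows writes a key pair into an object other tests also read. `test_generate_key` in the same hunk avoids this by taking `.public_key` first, which its comment says creates a copy. Consider `dh = OpenSSL::TestUtils::TEST_KEY_DH1024.public_key` here too, so the test does not depend on run order. Whether other suites rely on TEST_KEY_DH1024 carrying no key is not visible from this patch, and the body of `test_key_exchange` continues past the end of the hunk.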