ssl: use ffdhe2048 from RFC 7919 as the default DH group parameter
This commit fixes the following failures in OpenSSL FIPS using the `OPENSSL_FORCE_FIPS_MODE=1` in CentOS stream 9 non-FIPS OS environment. ``` $ cat /etc/redhat-release CentOS Stream release 9 $ rpm -q openssl openssl-3.0.7-24.el9.x86_64 $ pwd /builddir/build/BUILD/ruby-3.1.2 $ make runruby 'TESTRUN_SCRIPT= \ -I/builddir/build/BUILD/ruby-3.1.2/tool/lib --enable-gems \ /builddir/build/SOURCES/test_openssl_fips.rb /builddir/build/BUILD/ruby-3.1.2 --verbose' ... 1) Failure: OpenSSL::TestFIPS#test_fips_mode_get_with_fips_mode_set [/builddir/build/BUILD/ruby-3.1.2/test/openssl/test_fips.rb:38]: assert_separately failed with error message pid 2043890 exit 1 | /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/pkey.rb:132:in `initialize': could not parse pkey (OpenSSL::PKey::DHError) | from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/pkey.rb:132:in `new' | from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/pkey.rb:132:in `new' | from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:34:in `<class:SSLContext>' | from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:20:in `<module:SSL>' | from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:19:in `<module:OpenSSL>' | from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:18:in `<top (required)>' | from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl.rb:21:in `require_relative' | from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl.rb:21:in `<top (required)>' | from -:in `require' 2) Failure: OpenSSL::TestFIPS#test_fips_mode_get_is_true_on_fips_mode_enabled [/builddir/build/BUILD/ruby-3.1.2/test/openssl/test_fips.rb:12]: assert_separately failed with error message pid 2043891 exit 1 | /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/pkey.rb:132:in `initialize': could not parse pkey (OpenSSL::PKey::DHError) | from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/pkey.rb:132:in `new' | from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/pkey.rb:132:in `new' | from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:34:in `<class:SSLContext>' | from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:20:in `<module:SSL>' | from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:19:in `<module:OpenSSL>' | from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl/ssl.rb:18:in `<top (required)>' | from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl.rb:21:in `require_relative' | from /builddir/build/BUILD/ruby-3.1.2/.ext/common/openssl.rb:21:in `<top (required)>' | from -:in `require' Finished tests in 0.154373s, 77.7337 tests/s, 369.2351 assertions/s. 12 tests, 57 assertions, 2 failures, 0 errors, 1 skips ruby -v: ruby 3.1.2p20 (2022-04-12 revision 4491bb740a) [x86_64-linux] make: *** [uncommon.mk:1249: runruby] Error 2 ``` Note that we obverved the issue in RHEL 9.4 Beta non-FIPS OS environment too. The error happened by applying the patch ruby-3.3.0-openssl-3.2.0-fips-fix-pkey-read-in-openssl-3.patch rewriting the `ossl_pkey_read_generic` properly. The error didn't happen without the patch. ``` $ cat /etc/redhat-release Red Hat Enterprise Linux release 9.4 Beta (Plow) $ OPENSSL_FORCE_FIPS_MODE=1 bundle exec ruby -I./lib -e "require 'openssl'" /builddir/work/ruby/openssl/lib/openssl/pkey.rb:132:in `initialize': could not parse pkey (OpenSSL::PKey::DHError) from /builddir/work/ruby/openssl/lib/openssl/pkey.rb:132:in `new' from /builddir/work/ruby/openssl/lib/openssl/pkey.rb:132:in `new' from /builddir/work/ruby/openssl/lib/openssl/ssl.rb:34:in `<class:SSLContext>' from /builddir/work/ruby/openssl/lib/openssl/ssl.rb:20:in `<module:SSL>' from /builddir/work/ruby/openssl/lib/openssl/ssl.rb:19:in `<module:OpenSSL>' from /builddir/work/ruby/openssl/lib/openssl/ssl.rb:18:in `<top (required)>' from /builddir/work/ruby/openssl/lib/openssl.rb:21:in `require_relative' from /builddir/work/ruby/openssl/lib/openssl.rb:21:in `<top (required)>' from -e:1:in `require' from -e:1:in `<main>' ``` Related: RHEL-12724
This commit is contained in:
parent
6ad0d16f8a
commit
e0deda71a3
@ -0,0 +1,73 @@
|
|||||||
|
From b6d7cdc2bad0eadbca73f3486917f0ec7a475814 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Kazuki Yamaguchi <k@rhe.jp>
|
||||||
|
Date: Tue, 29 Aug 2023 19:46:02 +0900
|
||||||
|
Subject: [PATCH] [ruby/openssl] ssl: use ffdhe2048 from RFC 7919 as the
|
||||||
|
default DH group parameters
|
||||||
|
|
||||||
|
In TLS 1.2 or before, if DH group parameters for DHE are not supplied
|
||||||
|
with SSLContext#tmp_dh= or #tmp_dh_callback=, we currently use the
|
||||||
|
self-generated parameters added in commit https://github.com/ruby/openssl/commit/bb3399a61c03 ("support 2048
|
||||||
|
bit length DH-key", 2016-01-15) as the fallback.
|
||||||
|
|
||||||
|
While there is no known weakness in the current parameters, it would be
|
||||||
|
a good idea to switch to pre-defined, more well audited parameters.
|
||||||
|
|
||||||
|
This also allows the fallback to work in the FIPS mode.
|
||||||
|
|
||||||
|
The PEM encoding was derived with:
|
||||||
|
|
||||||
|
# RFC 7919 Appendix A.1. ffdhe2048
|
||||||
|
print OpenSSL::PKey.read(OpenSSL::ASN1::Sequence([OpenSSL::ASN1::Integer((<<-END).split.join.to_i(16)), OpenSSL::ASN1::Integer(2)]).to_der).to_pem
|
||||||
|
FFFFFFFF FFFFFFFF ADF85458 A2BB4A9A AFDC5620 273D3CF1
|
||||||
|
D8B9C583 CE2D3695 A9E13641 146433FB CC939DCE 249B3EF9
|
||||||
|
7D2FE363 630C75D8 F681B202 AEC4617A D3DF1ED5 D5FD6561
|
||||||
|
2433F51F 5F066ED0 85636555 3DED1AF3 B557135E 7F57C935
|
||||||
|
984F0C70 E0E68B77 E2A689DA F3EFE872 1DF158A1 36ADE735
|
||||||
|
30ACCA4F 483A797A BC0AB182 B324FB61 D108A94B B2C8E3FB
|
||||||
|
B96ADAB7 60D7F468 1D4F42A3 DE394DF4 AE56EDE7 6372BB19
|
||||||
|
0B07A7C8 EE0A6D70 9E02FCE1 CDF7E2EC C03404CD 28342F61
|
||||||
|
9172FE9C E98583FF 8E4F1232 EEF28183 C3FE3B1B 4C6FAD73
|
||||||
|
3BB5FCBC 2EC22005 C58EF183 7D1683B2 C6F34A26 C1B2EFFA
|
||||||
|
886B4238 61285C97 FFFFFFFF FFFFFFFF
|
||||||
|
END
|
||||||
|
|
||||||
|
https://github.com/ruby/openssl/commit/a5527cb4f4
|
||||||
|
---
|
||||||
|
ext/openssl/lib/openssl/ssl.rb | 18 +++++++++---------
|
||||||
|
1 file changed, 9 insertions(+), 9 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/ext/openssl/lib/openssl/ssl.rb b/ext/openssl/lib/openssl/ssl.rb
|
||||||
|
index ea8bb2a18e533..94be6ba80b894 100644
|
||||||
|
--- a/ext/openssl/lib/openssl/ssl.rb
|
||||||
|
+++ b/ext/openssl/lib/openssl/ssl.rb
|
||||||
|
@@ -31,21 +31,21 @@ class SSLContext
|
||||||
|
}
|
||||||
|
|
||||||
|
if defined?(OpenSSL::PKey::DH)
|
||||||
|
- DEFAULT_2048 = OpenSSL::PKey::DH.new <<-_end_of_pem_
|
||||||
|
+ DH_ffdhe2048 = OpenSSL::PKey::DH.new <<-_end_of_pem_
|
||||||
|
-----BEGIN DH PARAMETERS-----
|
||||||
|
-MIIBCAKCAQEA7E6kBrYiyvmKAMzQ7i8WvwVk9Y/+f8S7sCTN712KkK3cqd1jhJDY
|
||||||
|
-JbrYeNV3kUIKhPxWHhObHKpD1R84UpL+s2b55+iMd6GmL7OYmNIT/FccKhTcveab
|
||||||
|
-VBmZT86BZKYyf45hUF9FOuUM9xPzuK3Vd8oJQvfYMCd7LPC0taAEljQLR4Edf8E6
|
||||||
|
-YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
|
||||||
|
-1bNveX5wInh5GDx1FGhKBZ+s1H+aedudCm7sCgRwv8lKWYGiHzObSma8A86KG+MD
|
||||||
|
-7Lo5JquQ3DlBodj3IDyPrxIv96lvRPFtAwIBAg==
|
||||||
|
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
|
||||||
|
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
|
||||||
|
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
|
||||||
|
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
|
||||||
|
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
|
||||||
|
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
|
||||||
|
-----END DH PARAMETERS-----
|
||||||
|
_end_of_pem_
|
||||||
|
- private_constant :DEFAULT_2048
|
||||||
|
+ private_constant :DH_ffdhe2048
|
||||||
|
|
||||||
|
DEFAULT_TMP_DH_CALLBACK = lambda { |ctx, is_export, keylen| # :nodoc:
|
||||||
|
warn "using default DH parameters." if $VERBOSE
|
||||||
|
- DEFAULT_2048
|
||||||
|
+ DH_ffdhe2048
|
||||||
|
}
|
||||||
|
end
|
||||||
|
|
@ -291,6 +291,10 @@ Patch66: ruby-3.3.0-openssl-3.2.0-fips-fix-pkey-read-in-openssl-3.patch
|
|||||||
# https://github.com/ruby/openssl/pull/615
|
# https://github.com/ruby/openssl/pull/615
|
||||||
# https://github.com/ruby/ruby/commit/920bc71284f417f9044b0dc1822b1d29a8fc61e5
|
# https://github.com/ruby/ruby/commit/920bc71284f417f9044b0dc1822b1d29a8fc61e5
|
||||||
Patch67: ruby-3.3.0-openssl-3.2.0-fips-enable-tests.patch
|
Patch67: ruby-3.3.0-openssl-3.2.0-fips-enable-tests.patch
|
||||||
|
# ssl: use ffdhe2048 from RFC 7919 as the default DH group parameters
|
||||||
|
# https://github.com/ruby/openssl/pull/674
|
||||||
|
# https://github.com/ruby/ruby/commit/b6d7cdc2bad0eadbca73f3486917f0ec7a475814
|
||||||
|
Patch68: ruby-3.3.0-openssl-3.2.0-fips-fix-pkey-dh-require-openssl.patch
|
||||||
|
|
||||||
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
||||||
Suggests: rubypick
|
Suggests: rubypick
|
||||||
@ -763,6 +767,7 @@ rm -rf ext/fiddle/libffi*
|
|||||||
%patch65 -p1
|
%patch65 -p1
|
||||||
%patch66 -p1
|
%patch66 -p1
|
||||||
%patch67 -p1
|
%patch67 -p1
|
||||||
|
%patch68 -p1
|
||||||
|
|
||||||
# Provide an example of usage of the tapset:
|
# Provide an example of usage of the tapset:
|
||||||
cp -a %{SOURCE3} .
|
cp -a %{SOURCE3} .
|
||||||
@ -1534,6 +1539,8 @@ make runruby TESTRUN_SCRIPT=" \
|
|||||||
* Mon Oct 09 2023 Jun Aruga <jaruga@redhat.com> - 3.0.4-161
|
* Mon Oct 09 2023 Jun Aruga <jaruga@redhat.com> - 3.0.4-161
|
||||||
- Fix OpenSSL.fips_mode and OpenSSL::PKey.read in OpenSSL 3 FIPS.
|
- Fix OpenSSL.fips_mode and OpenSSL::PKey.read in OpenSSL 3 FIPS.
|
||||||
Resolves: RHEL-12724
|
Resolves: RHEL-12724
|
||||||
|
- ssl: use ffdhe2048 from RFC 7919 as the default DH group parameters
|
||||||
|
Related: RHEL-12724
|
||||||
|
|
||||||
* Wed Jun 28 2023 Jun Aruga <jaruga@redhat.com> - 3.0.4-160
|
* Wed Jun 28 2023 Jun Aruga <jaruga@redhat.com> - 3.0.4-160
|
||||||
- Bypass git submodule test failure on Git >= 2.38.1.
|
- Bypass git submodule test failure on Git >= 2.38.1.
|
||||||
|
Loading…
Reference in New Issue
Block a user