diff options
| author | Tony Arcieri <bascule@gmail.com> | 2016-01-07 11:02:31 -0800 |
|---|---|---|
| committer | Tony Arcieri <bascule@gmail.com> | 2016-01-07 11:02:31 -0800 |
| commit | 6dee08d14f7a8a51691b799592774e805d6f8707 (patch) | |
| tree | a43722f214101c0ceb9e298ff90068307a2db97e | |
| parent | 962ebf2d17427fb9563f32c96daf4ea881fc9032 (diff) | |
| download | ruby-openssl-6dee08d14f7a8a51691b799592774e805d6f8707.tar.gz | |
Remove 512-bit DH group
512-bit DH keys are severely weak and have been implicated in recent attacks:
https://weakdh.org/
| -rw-r--r-- | lib/openssl/pkey.rb | 8 | ||||
| -rw-r--r-- | test/test_pkey_dh.rb | 14 | ||||
| -rw-r--r-- | test/utils.rb | 7 |
3 files changed, 2 insertions, 27 deletions
diff --git a/lib/openssl/pkey.rb b/lib/openssl/pkey.rb index 3f65adad..89563b65 100644 --- a/lib/openssl/pkey.rb +++ b/lib/openssl/pkey.rb @@ -4,13 +4,6 @@ module OpenSSL if defined?(OpenSSL::PKey::DH) class DH - DEFAULT_512 = new <<-_end_of_pem_ ------BEGIN DH PARAMETERS----- -MEYCQQD0zXHljRg/mJ9PYLACLv58Cd8VxBxxY7oEuCeURMiTqEhMym16rhhKgZG2 -zk2O9uUIBIxSj+NKMURHGaFKyIvLAgEC ------END DH PARAMETERS----- - _end_of_pem_ - DEFAULT_1024 = new <<-_end_of_pem_ -----BEGIN DH PARAMETERS----- MIGHAoGBAJ0lOVy0VIr/JebWn0zDwY2h+rqITFOpdNr6ugsgvkDXuucdcChhYExJ @@ -23,7 +16,6 @@ T4h7KZ/2zmjvV+eF8kBUHBJAojUlzxKj4QeO2x20FP9X5xmNUXeDAgEC DEFAULT_TMP_DH_CALLBACK = lambda { |ctx, is_export, keylen| warn "using default DH parameters." if $VERBOSE case keylen - when 512 then OpenSSL::PKey::DH::DEFAULT_512 when 1024 then OpenSSL::PKey::DH::DEFAULT_1024 else nil diff --git a/test/test_pkey_dh.rb b/test/test_pkey_dh.rb index 040d0309..95e0e014 100644 --- a/test/test_pkey_dh.rb +++ b/test/test_pkey_dh.rb @@ -6,16 +6,6 @@ class OpenSSL::TestPKeyDH < Test::Unit::TestCase NEW_KEYLEN = 256 - def test_DEFAULT_512 - params = <<-eop ------BEGIN DH PARAMETERS----- -MEYCQQD0zXHljRg/mJ9PYLACLv58Cd8VxBxxY7oEuCeURMiTqEhMym16rhhKgZG2 -zk2O9uUIBIxSj+NKMURHGaFKyIvLAgEC ------END DH PARAMETERS----- - eop - assert_equal params, OpenSSL::PKey::DH::DEFAULT_512.to_s - end - def test_DEFAULT_1024 params = <<-eop -----BEGIN DH PARAMETERS----- @@ -64,14 +54,14 @@ T4h7KZ/2zmjvV+eF8kBUHBJAojUlzxKj4QeO2x20FP9X5xmNUXeDAgEC end def test_generate_key - dh = OpenSSL::TestUtils::TEST_KEY_DH512_PUB.public_key # creates a copy + dh = OpenSSL::TestUtils::TEST_KEY_DH1024.public_key # creates a copy assert_no_key(dh) dh.generate_key! assert_key(dh) end def test_key_exchange - dh = OpenSSL::TestUtils::TEST_KEY_DH512_PUB + dh = OpenSSL::TestUtils::TEST_KEY_DH1024 dh2 = dh.public_key dh.generate_key! dh2.generate_key! diff --git a/test/utils.rb b/test/utils.rb index 9c6daa84..9bb81baa 100644 --- a/test/utils.rb +++ b/test/utils.rb @@ -97,13 +97,6 @@ CeBUl+MahZtn9fO1JKdF4qJmS39dXnpENg== end - TEST_KEY_DH512_PUB = OpenSSL::PKey::DH.new <<-_end_of_pem_ ------BEGIN DH PARAMETERS----- -MEYCQQDmWXGPqk76sKw/edIOdhAQD4XzjJ+AR/PTk2qzaGs+u4oND2yU5D2NN4wr -aPgwHyJBiK1/ebK3tYcrSKrOoRyrAgEC ------END DH PARAMETERS----- - _end_of_pem_ - TEST_KEY_DH1024 = OpenSSL::PKey::DH.new <<-_end_of_pem_ -----BEGIN DH PARAMETERS----- MIGHAoGBAKnKQ8MNK6nYZzLrrcuTsLxuiJGXoOO5gT+tljOTbHBuiktdMTITzIY0 |