diff options
| author | Kazuki Yamaguchi <k@rhe.jp> | 2017-01-26 13:34:28 +0900 |
|---|---|---|
| committer | Kazuki Yamaguchi <k@rhe.jp> | 2017-01-26 13:34:28 +0900 |
| commit | bb0d1aff173b53d79dd09477106a650db6aecccb (patch) | |
| tree | a399d77c3d456d59d4fd0e26aa8b294ae0427e0d | |
| parent | 5c586acc387834ab4e09260937dc21064fc59de4 (diff) | |
| parent | eaffc69e40ab9ca11d0e46cada9e9b72d3b2ea8d (diff) | |
| download | ruby-openssl-bb0d1aff173b53d79dd09477106a650db6aecccb.tar.gz | |
Merge branch 'topic/ssl-move-default-dh-params'
* topic/ssl-move-default-dh-params:
ssl: move default DH parameters from OpenSSL::PKey::DH
| -rw-r--r-- | lib/openssl/pkey.rb | 41 | ||||
| -rw-r--r-- | lib/openssl/ssl.rb | 35 | ||||
| -rw-r--r-- | test/test_pkey_dh.rb | 16 |
3 files changed, 34 insertions, 58 deletions
diff --git a/lib/openssl/pkey.rb b/lib/openssl/pkey.rb index 9af5f781..dcedd849 100644 --- a/lib/openssl/pkey.rb +++ b/lib/openssl/pkey.rb @@ -1,44 +1,3 @@ # frozen_string_literal: false module OpenSSL - module PKey - if defined?(OpenSSL::PKey::DH) - - class DH - # :nodoc: - DEFAULT_1024 = new <<-_end_of_pem_ ------BEGIN DH PARAMETERS----- -MIGHAoGBAJ0lOVy0VIr/JebWn0zDwY2h+rqITFOpdNr6ugsgvkDXuucdcChhYExJ -AV/ZD2AWPbrTqV76mGRgJg4EddgT1zG0jq3rnFdMj2XzkBYx3BVvfR0Arnby0RHR -T4h7KZ/2zmjvV+eF8kBUHBJAojUlzxKj4QeO2x20FP9X5xmNUXeDAgEC ------END DH PARAMETERS----- - _end_of_pem_ - - # :nodoc: - DEFAULT_2048 = new <<-_end_of_pem_ ------BEGIN DH PARAMETERS----- -MIIBCAKCAQEA7E6kBrYiyvmKAMzQ7i8WvwVk9Y/+f8S7sCTN712KkK3cqd1jhJDY -JbrYeNV3kUIKhPxWHhObHKpD1R84UpL+s2b55+iMd6GmL7OYmNIT/FccKhTcveab -VBmZT86BZKYyf45hUF9FOuUM9xPzuK3Vd8oJQvfYMCd7LPC0taAEljQLR4Edf8E6 -YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3 -1bNveX5wInh5GDx1FGhKBZ+s1H+aedudCm7sCgRwv8lKWYGiHzObSma8A86KG+MD -7Lo5JquQ3DlBodj3IDyPrxIv96lvRPFtAwIBAg== ------END DH PARAMETERS----- - _end_of_pem_ - end - - # :nodoc: - DEFAULT_TMP_DH_CALLBACK = lambda { |ctx, is_export, keylen| - warn "using default DH parameters." if $VERBOSE - case keylen - when 1024 then OpenSSL::PKey::DH::DEFAULT_1024 - when 2048 then OpenSSL::PKey::DH::DEFAULT_2048 - else - nil - end - } - - else - DEFAULT_TMP_DH_CALLBACK = nil - end - end end diff --git a/lib/openssl/ssl.rb b/lib/openssl/ssl.rb index 73f4cdde..4ea0ffaf 100644 --- a/lib/openssl/ssl.rb +++ b/lib/openssl/ssl.rb @@ -29,6 +29,39 @@ module OpenSSL }.call } + if defined?(OpenSSL::PKey::DH) + # :nodoc: + DEFAULT_1024 = OpenSSL::PKey::DH.new <<-_end_of_pem_ +-----BEGIN DH PARAMETERS----- +MIGHAoGBAJ0lOVy0VIr/JebWn0zDwY2h+rqITFOpdNr6ugsgvkDXuucdcChhYExJ +AV/ZD2AWPbrTqV76mGRgJg4EddgT1zG0jq3rnFdMj2XzkBYx3BVvfR0Arnby0RHR +T4h7KZ/2zmjvV+eF8kBUHBJAojUlzxKj4QeO2x20FP9X5xmNUXeDAgEC +-----END DH PARAMETERS----- + _end_of_pem_ + + # :nodoc: + DEFAULT_2048 = OpenSSL::PKey::DH.new <<-_end_of_pem_ +-----BEGIN DH PARAMETERS----- +MIIBCAKCAQEA7E6kBrYiyvmKAMzQ7i8WvwVk9Y/+f8S7sCTN712KkK3cqd1jhJDY +JbrYeNV3kUIKhPxWHhObHKpD1R84UpL+s2b55+iMd6GmL7OYmNIT/FccKhTcveab +VBmZT86BZKYyf45hUF9FOuUM9xPzuK3Vd8oJQvfYMCd7LPC0taAEljQLR4Edf8E6 +YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3 +1bNveX5wInh5GDx1FGhKBZ+s1H+aedudCm7sCgRwv8lKWYGiHzObSma8A86KG+MD +7Lo5JquQ3DlBodj3IDyPrxIv96lvRPFtAwIBAg== +-----END DH PARAMETERS----- + _end_of_pem_ + + # :nodoc: + DEFAULT_TMP_DH_CALLBACK = lambda { |ctx, is_export, keylen| + warn "using default DH parameters." if $VERBOSE + case keylen + when 1024 then DEFAULT_1024 + when 2048 then DEFAULT_2048 + else nil + end + } + end + if !(OpenSSL::OPENSSL_VERSION.start_with?("OpenSSL") && OpenSSL::OPENSSL_VERSION_NUMBER >= 0x10100000) DEFAULT_PARAMS.merge!( @@ -315,7 +348,7 @@ module OpenSSL end def tmp_dh_callback - @context.tmp_dh_callback || OpenSSL::PKey::DEFAULT_TMP_DH_CALLBACK + @context.tmp_dh_callback || OpenSSL::SSL::SSLContext::DEFAULT_TMP_DH_CALLBACK end def tmp_ecdh_callback diff --git a/test/test_pkey_dh.rb b/test/test_pkey_dh.rb index 09a24279..e7e76f97 100644 --- a/test/test_pkey_dh.rb +++ b/test/test_pkey_dh.rb @@ -4,22 +4,6 @@ require_relative 'utils' class OpenSSL::TestPKeyDH < OpenSSL::PKeyTestCase NEW_KEYLEN = 256 - def test_DEFAULT_parameters - list = { - 1024 => OpenSSL::PKey::DH::DEFAULT_1024, - 2048 => OpenSSL::PKey::DH::DEFAULT_2048, - } - - list.each do |expected_size, dh| - assert_equal expected_size, dh.p.num_bits - assert_predicate dh.p, :prime? - result, remainder = (dh.p - 1) / 2 - assert_predicate result, :prime? - assert_equal 0, remainder - assert_no_key dh - end - end - def test_new dh = OpenSSL::PKey::DH.new(NEW_KEYLEN) assert_key(dh) |