ruby-changes:41457
From: hsbt <ko1@a...>
Date: Thu, 14 Jan 2016 15:08:52 +0900 (JST)
Subject: [ruby-changes:41457] hsbt:r53531 (trunk): * Remove 512-bit DH group. It's affected by LogJam Attack.
hsbt 2016-01-14 15:09:19 +0900 (Thu, 14 Jan 2016) New Revision: 53531 https://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=53531 Log: * Remove 512-bit DH group. It's affected by LogJam Attack. https://weakdh.org/ [fix GH-1196][Bug #11968][ruby-core:72766] Modified files: trunk/ChangeLog trunk/ext/openssl/lib/openssl/pkey.rb trunk/test/openssl/test_pkey_dh.rb trunk/test/openssl/utils.rb Index: test/openssl/utils.rb =================================================================== --- test/openssl/utils.rb (revision 53530) +++ test/openssl/utils.rb (revision 53531) @@ -97,13 +97,6 @@ CeBUl+MahZtn9fO1JKdF4qJmS39dXnpENg== https://github.com/ruby/ruby/blob/trunk/test/openssl/utils.rb#L97 end - TEST_KEY_DH512_PUB = OpenSSL::PKey::DH.new <<-_end_of_pem_ ------BEGIN DH PARAMETERS----- -MEYCQQDmWXGPqk76sKw/edIOdhAQD4XzjJ+AR/PTk2qzaGs+u4oND2yU5D2NN4wr -aPgwHyJBiK1/ebK3tYcrSKrOoRyrAgEC ------END DH PARAMETERS----- - _end_of_pem_ - TEST_KEY_DH1024 = OpenSSL::PKey::DH.new <<-_end_of_pem_ -----BEGIN DH PARAMETERS----- MIGHAoGBAKnKQ8MNK6nYZzLrrcuTsLxuiJGXoOO5gT+tljOTbHBuiktdMTITzIY0 Index: test/openssl/test_pkey_dh.rb =================================================================== --- test/openssl/test_pkey_dh.rb (revision 53530) +++ test/openssl/test_pkey_dh.rb (revision 53531) @@ -7,16 +7,6 @@ class OpenSSL::TestPKeyDH < Test::Unit:: https://github.com/ruby/ruby/blob/trunk/test/openssl/test_pkey_dh.rb#L7 NEW_KEYLEN = 256 - def test_DEFAULT_512 - params = <<-eop ------BEGIN DH PARAMETERS----- -MEYCQQD0zXHljRg/mJ9PYLACLv58Cd8VxBxxY7oEuCeURMiTqEhMym16rhhKgZG2 -zk2O9uUIBIxSj+NKMURHGaFKyIvLAgEC ------END DH PARAMETERS----- - eop - assert_equal params, OpenSSL::PKey::DH::DEFAULT_512.to_s - end - def test_DEFAULT_1024 params = <<-eop -----BEGIN DH PARAMETERS----- @@ -65,14 +55,14 @@ T4h7KZ/2zmjvV+eF8kBUHBJAojUlzxKj4QeO2x20 https://github.com/ruby/ruby/blob/trunk/test/openssl/test_pkey_dh.rb#L55 end def test_generate_key - dh = OpenSSL::TestUtils::TEST_KEY_DH512_PUB.public_key # creates a copy + dh = OpenSSL::TestUtils::TEST_KEY_DH1024.public_key # creates a copy assert_no_key(dh) dh.generate_key! assert_key(dh) end def test_key_exchange - dh = OpenSSL::TestUtils::TEST_KEY_DH512_PUB + dh = OpenSSL::TestUtils::TEST_KEY_DH1024 dh2 = dh.public_key dh.generate_key! dh2.generate_key! Index: ext/openssl/lib/openssl/pkey.rb =================================================================== --- ext/openssl/lib/openssl/pkey.rb (revision 53530) +++ ext/openssl/lib/openssl/pkey.rb (revision 53531) @@ -4,13 +4,6 @@ module OpenSSL https://github.com/ruby/ruby/blob/trunk/ext/openssl/lib/openssl/pkey.rb#L4 if defined?(OpenSSL::PKey::DH) class DH - DEFAULT_512 = new <<-_end_of_pem_ ------BEGIN DH PARAMETERS----- -MEYCQQD0zXHljRg/mJ9PYLACLv58Cd8VxBxxY7oEuCeURMiTqEhMym16rhhKgZG2 -zk2O9uUIBIxSj+NKMURHGaFKyIvLAgEC ------END DH PARAMETERS----- - _end_of_pem_ - DEFAULT_1024 = new <<-_end_of_pem_ -----BEGIN DH PARAMETERS----- MIGHAoGBAJ0lOVy0VIr/JebWn0zDwY2h+rqITFOpdNr6ugsgvkDXuucdcChhYExJ @@ -23,7 +16,6 @@ T4h7KZ/2zmjvV+eF8kBUHBJAojUlzxKj4QeO2x20 https://github.com/ruby/ruby/blob/trunk/ext/openssl/lib/openssl/pkey.rb#L16 DEFAULT_TMP_DH_CALLBACK = lambda { |ctx, is_export, keylen| warn "using default DH parameters." if $VERBOSE case keylen - when 512 then OpenSSL::PKey::DH::DEFAULT_512 when 1024 then OpenSSL::PKey::DH::DEFAULT_1024 else nil Index: ChangeLog =================================================================== --- ChangeLog (revision 53530) +++ ChangeLog (revision 53531) @@ -1,3 +1,9 @@ https://github.com/ruby/ruby/blob/trunk/ChangeLog#L1 +Thu Jan 14 15:08:43 2016 Tony Arcieri <bascule@g...> + + * Remove 512-bit DH group. It's affected by LogJam Attack. + https://weakdh.org/ + [fix GH-1196][Bug #11968][ruby-core:72766] + Thu Jan 14 11:44:29 2016 Nobuyoshi Nakada <nobu@r...> * variable.c (rb_f_global_variables): add $1..$9 only if $~ is -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/