ruby-changes:74040
From: Kazuki <ko1@a...>
Date: Mon, 17 Oct 2022 16:43:27 +0900 (JST)
Subject: [ruby-changes:74040] 10f93a8bd7 (master): [ruby/openssl] pkey/dsa: let PKey::DSA.generate choose appropriate q size
https://git.ruby-lang.org/ruby.git/commit/?id=10f93a8bd7 From 10f93a8bd787658996f08b13a0e564eaf3f41489 Mon Sep 17 00:00:00 2001 From: Kazuki Yamaguchi <k@r...> Date: Tue, 4 Jan 2022 22:11:00 +0900 Subject: [ruby/openssl] pkey/dsa: let PKey::DSA.generate choose appropriate q size DSA parameters generation via EVP_PKEY_paramgen() will not automatically adjust the size of q value but uses 224 bits by default unless specified explicitly. This behavior is different from the now-deprecated DSA_generate_parameters_ex(), which PKey::DSA.generate used to call. Fixes https://github.com/ruby/openssl/issues/483 Fixes: https://github.com/ruby/openssl/commit/1800a8d5ebaf ("pkey/dsa: use high level EVP interface to generate parameters and keys", 2020-05-17) https://github.com/ruby/openssl/commit/0105975a0b --- ext/openssl/lib/openssl/pkey.rb | 8 ++++++++ test/openssl/test_pkey_dsa.rb | 19 +++++++++++++++++++ 2 files changed, 27 insertions(+) diff --git a/ext/openssl/lib/openssl/pkey.rb b/ext/openssl/lib/openssl/pkey.rb index c3e0629091..d51f066b89 100644 --- a/ext/openssl/lib/openssl/pkey.rb +++ b/ext/openssl/lib/openssl/pkey.rb @@ -167,8 +167,16 @@ module OpenSSL::PKey https://github.com/ruby/ruby/blob/trunk/ext/openssl/lib/openssl/pkey.rb#L167 # +size+:: # The desired key size in bits. def generate(size, &blk) + # FIPS 186-4 specifies four (L,N) pairs: (1024,160), (2048,224), + # (2048,256), and (3072,256). + # + # q size is derived here with compatibility with + # DSA_generator_parameters_ex() which previous versions of ruby/openssl + # used to call. + qsize = size >= 2048 ? 256 : 160 dsaparams = OpenSSL::PKey.generate_parameters("DSA", { "dsa_paramgen_bits" => size, + "dsa_paramgen_q_bits" => qsize, }, &blk) OpenSSL::PKey.generate_key(dsaparams) end diff --git a/test/openssl/test_pkey_dsa.rb b/test/openssl/test_pkey_dsa.rb index 726b7dbf7e..de6aa63e23 100644 --- a/test/openssl/test_pkey_dsa.rb +++ b/test/openssl/test_pkey_dsa.rb @@ -28,6 +28,25 @@ class OpenSSL::TestPKeyDSA < OpenSSL::PKeyTestCase https://github.com/ruby/ruby/blob/trunk/test/openssl/test_pkey_dsa.rb#L28 end end + def test_generate + # DSA.generate used to call DSA_generate_parameters_ex(), which adjusts the + # size of q according to the size of p + key1024 = OpenSSL::PKey::DSA.generate(1024) + assert_predicate key1024, :private? + assert_equal 1024, key1024.p.num_bits + assert_equal 160, key1024.q.num_bits + + key2048 = OpenSSL::PKey::DSA.generate(2048) + assert_equal 2048, key2048.p.num_bits + assert_equal 256, key2048.q.num_bits + + if ENV["OSSL_TEST_ALL"] == "1" # slow + key3072 = OpenSSL::PKey::DSA.generate(3072) + assert_equal 3072, key3072.p.num_bits + assert_equal 256, key3072.q.num_bits + end + end + def test_sign_verify dsa512 = Fixtures.pkey("dsa512") data = "Sign me!" -- cgit v1.2.3 -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/