
Commit 0b69f7f

junarugamatzbot
authored andcommitted
[ruby/openssl] Fix test_cipher.rb in FIPS.
ruby/openssl@11bd2efb2a
1 parent c3f6fcc commit 0b69f7f

1 file changed

+30
-24
lines changed


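--- a/test/openssl/test_cipher.rb
+++ b/test/openssl/test_cipher.rb
@@ -32,28 +32,28 @@ def test_pkcs5_keyivgen
 salt = "\x01" * 8
 num = 2048
 pt = "data to be encrypted"
-cipher = OpenSSL::Cipher.new("DES-EDE3-CBC").encrypt
-cipher.pkcs5_keyivgen(pass, salt, num, "MD5")
+cipher = OpenSSL::Cipher.new("AES-256-CBC").encrypt
+cipher.pkcs5_keyivgen(pass, salt, num, "SHA256")
 s1 = cipher.update(pt) << cipher.final
 
-d1 = num.times.inject(pass + salt) {|out, _| OpenSSL::Digest.digest('MD5', out) }
-d2 = num.times.inject(d1 + pass + salt) {|out, _| OpenSSL::Digest.digest('MD5', out) }
-key = (d1 + d2)[0, 24]
-iv = (d1 + d2)[24, 8]
-cipher = new_encryptor("DES-EDE3-CBC", key: key, iv: iv)
+d1 = num.times.inject(pass + salt) {|out, _| OpenSSL::Digest.digest('SHA256', out) }
+d2 = num.times.inject(d1 + pass + salt) {|out, _| OpenSSL::Digest.digest('SHA256', out) }
+key = (d1 + d2)[0, 32]
+iv = (d1 + d2)[32, 16]
+cipher = new_encryptor("AES-256-CBC", key: key, iv: iv)
 s2 = cipher.update(pt) << cipher.final
 
 assert_equal s1, s2
 
-cipher2 = OpenSSL::Cipher.new("DES-EDE3-CBC").encrypt
-assert_raise(ArgumentError) { cipher2.pkcs5_keyivgen(pass, salt, -1, "MD5") }
+cipher2 = OpenSSL::Cipher.new("AES-256-CBC").encrypt
+assert_raise(ArgumentError) { cipher2.pkcs5_keyivgen(pass, salt, -1, "SHA256") }
 end
 
 def test_info
-cipher = OpenSSL::Cipher.new("DES-EDE3-CBC").encrypt
-assert_equal "DES-EDE3-CBC", cipher.name
-assert_equal 24, cipher.key_len
-assert_equal 8, cipher.iv_len
+cipher = OpenSSL::Cipher.new("AES-256-CBC").encrypt
+assert_equal "AES-256-CBC", cipher.name
+assert_equal 32, cipher.key_len
+assert_equal 16, cipher.iv_len
 end
 
 def test_dup
@@ -80,13 +80,13 @@ def test_reset
 end
 
 def test_key_iv_set
-cipher = OpenSSL::Cipher.new("DES-EDE3-CBC").encrypt
-assert_raise(ArgumentError) { cipher.key = "\x01" * 23 }
-assert_nothing_raised { cipher.key = "\x01" * 24 }
-assert_raise(ArgumentError) { cipher.key = "\x01" * 25 }
-assert_raise(ArgumentError) { cipher.iv = "\x01" * 7 }
-assert_nothing_raised { cipher.iv = "\x01" * 8 }
-assert_raise(ArgumentError) { cipher.iv = "\x01" * 9 }
+cipher = OpenSSL::Cipher.new("AES-256-CBC").encrypt
+assert_raise(ArgumentError) { cipher.key = "\x01" * 31 }
+assert_nothing_raised { cipher.key = "\x01" * 32 }
+assert_raise(ArgumentError) { cipher.key = "\x01" * 33 }
+assert_raise(ArgumentError) { cipher.iv = "\x01" * 15 }
+assert_nothing_raised { cipher.iv = "\x01" * 16 }
+assert_raise(ArgumentError) { cipher.iv = "\x01" * 17 }
 end
 
 def test_random_key_iv
@@ -109,8 +109,8 @@ def test_random_key_iv
 end
 
 def test_initialize
-cipher = OpenSSL::Cipher.new("DES-EDE3-CBC")
-assert_raise(RuntimeError) { cipher.__send__(:initialize, "DES-EDE3-CBC") }
+cipher = OpenSSL::Cipher.new("AES-256-CBC")
+assert_raise(RuntimeError) { cipher.__send__(:initialize, "AES-256-CBC") }
 assert_raise(RuntimeError) { OpenSSL::Cipher.allocate.final }
 assert_raise(OpenSSL::Cipher::CipherError) {
 OpenSSL::Cipher.new("no such algorithm")
@@ -169,12 +169,12 @@ def test_AES
 %w(ecb cbc cfb ofb).each{|mode|
 c1 = OpenSSL::Cipher.new("aes-256-#{mode}")
 c1.encrypt
-c1.pkcs5_keyivgen("passwd")
+c1.pkcs5_keyivgen("passwd", "12345678", 10000, "SHA256")
 ct = c1.update(pt) + c1.final
 
 c2 = OpenSSL::Cipher.new("aes-256-#{mode}")
 c2.decrypt
-c2.pkcs5_keyivgen("passwd")
+c2.pkcs5_keyivgen("passwd", "12345678", 10000, "SHA256")
 assert_equal(pt, c2.update(ct) + c2.final)
 }
 end
@@ -313,6 +313,9 @@ def test_aes_gcm_variable_iv_len
 end
 
 def test_aes_ocb_tag_len
+# AES-128-OCB is not FIPS-approved.
+omit_on_fips
+
 # RFC 7253 Appendix A; the second sample
 key = ["000102030405060708090A0B0C0D0E0F"].pack("H*")
 iv = ["BBAA99887766554433221101"].pack("H*")
@@ -347,6 +350,9 @@ def test_aes_ocb_tag_len
 end if has_cipher?("aes-128-ocb")
 
 def test_aes_gcm_siv
+# AES-128-GCM-SIV is not FIPS-approved.
+omit_on_fips
+
 # RFC 8452 Appendix C.1., 8th example
 key = ["01000000000000000000000000000000"].pack("H*")
 iv = ["030000000000000000000000"].pack("H*")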
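Review bot: In the `test_AES` hunk the two `pkcs5_keyivgen` calls now carry the bare literals `"12345678", 10000, "SHA256"` twice, with nothing saying why the defaults were dropped; if the encryptor and decryptor lines ever drift apart the round-trip assertion stops testing the KDF and only tests that two different keys don't decrypt. I would hoist them once before the loop, `salt, iter, digest = "12345678", 10000, "SHA256"`, and call `c1.pkcs5_keyivgen("passwd", salt, iter, digest)` and `c2.pkcs5_keyivgen("passwd", salt, iter, digest)`. A short comment would also record the intent, e.g. `# Pass salt/iterations/digest explicitly: the method's default digest is MD5, which a FIPS provider rejects (cf. test_pkcs5_keyivgen).` — the MD5 default is inferred from the MD5→SHA256 swap in the first hunk, so confirm it against the method signature before committing the wording. This is the legacy EVP_BytesToKey derivation that the test exists to exercise, so the note is about documentation and duplication, not a request to switch to PBKDF2. The `def test_AES` line lies outside the hunk.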
