Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

Commit 3153dd6

Browse filesBrowse files
sam-githubBridgeAR
sam-github
authored and
BridgeAR
committed
test: well-defined DH groups now verify clean
OpenSSL 1.1.1d no longer generates warnings for some DH groups that used to be considered unsafe. See below for discussion. This is considered a bug fix. See: - openssl/openssl#9363 - openssl/openssl#9363 (comment) PR-URL: #29550 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Anna Henningsen <anna@addaleax.net>
1 parent 5eb013b commit 3153dd6
Copy full SHA for 3153dd6

File tree

Expand file treeCollapse file tree

2 files changed

+8
-15
lines changed
Open diff view settings
Filter options
Expand file treeCollapse file tree

2 files changed

+8
-15
lines changed
Open diff view settings
Collapse file

‎test/parallel/test-crypto-binary-default.js‎

Copy file name to clipboardExpand all lines: test/parallel/test-crypto-binary-default.js
+1-3Lines changed: 1 addition & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -36,7 +36,6 @@ const crypto = require('crypto');
3636
const fs = require('fs');
3737
const tls = require('tls');
3838
const fixtures = require('../common/fixtures');
39-
const DH_NOT_SUITABLE_GENERATOR = crypto.constants.DH_NOT_SUITABLE_GENERATOR;
4039

4140
require('internal/crypto/util').setDefaultEncoding('latin1');
4241

@@ -615,8 +614,7 @@ common.expectsError(
615614
'020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437' +
616615
'4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED' +
617616
'EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF';
618-
const d = crypto.createDiffieHellman(p, 'hex');
619-
assert.strictEqual(d.verifyError, DH_NOT_SUITABLE_GENERATOR);
617+
crypto.createDiffieHellman(p, 'hex');
620618

621619
// Test RSA key signing/verification
622620
const rsaSign = crypto.createSign('SHA1');
Collapse file

‎test/parallel/test-crypto-dh.js‎

Copy file name to clipboardExpand all lines: test/parallel/test-crypto-dh.js
+7-12Lines changed: 7 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -6,8 +6,6 @@ if (!common.hasCrypto)
66
const assert = require('assert');
77
const crypto = require('crypto');
88

9-
const DH_NOT_SUITABLE_GENERATOR = crypto.constants.DH_NOT_SUITABLE_GENERATOR;
10-
119
// Test Diffie-Hellman with two parties sharing a secret,
1210
// using various encodings as we go along
1311
const dh1 = crypto.createDiffieHellman(common.hasFipsCrypto ? 1024 : 256);
@@ -126,8 +124,6 @@ bob.generateKeys();
126124
const aSecret = alice.computeSecret(bob.getPublicKey()).toString('hex');
127125
const bSecret = bob.computeSecret(alice.getPublicKey()).toString('hex');
128126
assert.strictEqual(aSecret, bSecret);
129-
assert.strictEqual(alice.verifyError, DH_NOT_SUITABLE_GENERATOR);
130-
assert.strictEqual(bob.verifyError, DH_NOT_SUITABLE_GENERATOR);
131127

132128
/* Ensure specific generator (buffer) works as expected.
133129
* The values below (modp2/modp2buf) are for a 1024 bits long prime from
@@ -158,8 +154,6 @@ const modp2buf = Buffer.from([
158154
const exmodp2Secret = exmodp2.computeSecret(modp2.getPublicKey())
159155
.toString('hex');
160156
assert.strictEqual(modp2Secret, exmodp2Secret);
161-
assert.strictEqual(modp2.verifyError, DH_NOT_SUITABLE_GENERATOR);
162-
assert.strictEqual(exmodp2.verifyError, DH_NOT_SUITABLE_GENERATOR);
163157
}
164158

165159
for (const buf of [modp2buf, ...common.getArrayBufferViews(modp2buf)]) {
@@ -172,7 +166,6 @@ for (const buf of [modp2buf, ...common.getArrayBufferViews(modp2buf)]) {
172166
const exmodp2Secret = exmodp2.computeSecret(modp2.getPublicKey())
173167
.toString('hex');
174168
assert.strictEqual(modp2Secret, exmodp2Secret);
175-
assert.strictEqual(exmodp2.verifyError, DH_NOT_SUITABLE_GENERATOR);
176169
}
177170

178171
{
@@ -184,7 +177,6 @@ for (const buf of [modp2buf, ...common.getArrayBufferViews(modp2buf)]) {
184177
const exmodp2Secret = exmodp2.computeSecret(modp2.getPublicKey())
185178
.toString('hex');
186179
assert.strictEqual(modp2Secret, exmodp2Secret);
187-
assert.strictEqual(exmodp2.verifyError, DH_NOT_SUITABLE_GENERATOR);
188180
}
189181

190182
{
@@ -196,17 +188,20 @@ for (const buf of [modp2buf, ...common.getArrayBufferViews(modp2buf)]) {
196188
const exmodp2Secret = exmodp2.computeSecret(modp2.getPublicKey())
197189
.toString('hex');
198190
assert.strictEqual(modp2Secret, exmodp2Secret);
199-
assert.strictEqual(exmodp2.verifyError, DH_NOT_SUITABLE_GENERATOR);
200191
}
201192

202-
193+
// Second OAKLEY group, see
194+
// https://github.com/nodejs/node-v0.x-archive/issues/2338 and
195+
// https://xml2rfc.tools.ietf.org/public/rfc/html/rfc2412.html#anchor49
203196
const p = 'FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74' +
204197
'020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437' +
205198
'4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED' +
206199
'EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF';
207-
const bad_dh = crypto.createDiffieHellman(p, 'hex');
208-
assert.strictEqual(bad_dh.verifyError, DH_NOT_SUITABLE_GENERATOR);
200+
crypto.createDiffieHellman(p, 'hex');
209201

202+
// Confirm DH_check() results are exposed for optional examination.
203+
const bad_dh = crypto.createDiffieHellman('02', 'hex');
204+
assert.notStrictEqual(bad_dh.verifyError, 0);
210205

211206
const availableCurves = new Set(crypto.getCurves());
212207
const availableHashes = new Set(crypto.getHashes());

0 commit comments

Comments
0 (0)
Morty Proxy This is a proxified and sanitized view of the page, visit original site.