test: increase crypto strength for FIPS standard #3758
Conversation
mscdex
added
crypto
| @@ -141,6 +141,10 @@ Object.defineProperty(exports, 'hasCrypto', {get: function() { | |||
| return process.versions.openssl ? true : false; | |||
| }}); | |||
|
|
|||
| Object.defineProperty(exports, 'hasFipsCrypto', {get: function() { | |||
| return process.versions.openssl && process.versions.openssl.endsWith("-fips"); | |||
|
No need to start |
| @@ -122,7 +122,7 @@ assert.throws(function() { | |||
| '' | |||
| ].join('\n'); | |||
| crypto.createSign('RSA-SHA256').update('test').sign(priv); | |||
| }, /RSA_sign:digest too big for rsa key/); | |||
| }, /(RSA_sign1|RSA_verify_PKCS1_PSS_mgf1):digest too big for rsa key/); | |||
There was a problem hiding this comment.
Is this enough to check /:digest too big for rsa key/ ?
stefanmb
force-pushed
the
fips-cs7-increase-arbitrary-crypto-strength
branch
from
c25a4ae to
d04aa4b
Compare
stefanmb
changed the title
stefanmb
force-pushed
the
fips-cs7-increase-arbitrary-crypto-strength
branch
from
d04aa4b to
8fe3e9b
Compare
|
LGTM |
|
@stefanmb ... this patch, for some reason, is not applying cleanly on master. Can you take a look and rebase/update if necessary. It appears to be having a problem with the changes to common.js |
Use stronger crypto (larger keys, etc.) for arbitrary tests so they will pass in both FIPS and non-FIPS mode without altering the original intent of the test cases.
stefanmb
force-pushed
the
fips-cs7-increase-arbitrary-crypto-strength
branch
from
8fe3e9b to
390f571
Compare
|
@jasnell I think it should be fixed now, please confirm. I included the commit for common.js in several PRs, but once it landed in the first one it's no longer needed in the others. Thanks! |
|
Ok. In the future, when you have one commit that may be need by several others, it would likely be best to separate that out into a separate pull request and referenced from the other PRs that depend on it. Doing so helps keep changes isolated and the dependencies visible. |
Use stronger crypto (larger keys, etc.) for arbitrary tests so they will pass in both FIPS and non-FIPS mode without altering the original intent of the test cases. PR-URL: #3758 Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp> Reviewed-By: James M Snell <jasnell@gmail.com>
|
Landed in 11ad744 |
Use stronger crypto (larger keys, etc.) for arbitrary tests so they will pass in both FIPS and non-FIPS mode without altering the original intent of the test cases. PR-URL: #3758 Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp> Reviewed-By: James M Snell <jasnell@gmail.com>
|
CI wasn't run for this and seems to be causing #3881, fwiw. |
|
Hmm... ok. At the time CI itself was flaky at best so landing was done optimistically after testing locally on osx and ubuntu. I've been considering working the new node-stress-single-test into my workflow for every PR that lands a significant test change. Or perhaps a variation that merges node-stress-single-test and node-test-pull-request might be worthwhile. It would certainly help us to identify the flaky tests earlier now that CI is relatively stable again. |
|
Ah good point. I forgot about that. I like your idea regarding the node-stress-single-test though. |
|
@Fishrock123 This follow up PR should alleviate the rpi perf issues #3902. |
Use stronger crypto (larger keys, etc.) for arbitrary tests so they will pass in both FIPS and non-FIPS mode without altering the original intent of the test cases. PR-URL: #3758 Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp> Reviewed-By: James M Snell <jasnell@gmail.com>
Use stronger crypto (larger keys, etc.) for arbitrary tests so they will pass in both FIPS and non-FIPS mode without altering the original intent of the test cases. PR-URL: #3758 Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp> Reviewed-By: James M Snell <jasnell@gmail.com>
Use stronger crypto (larger keys, etc.) for arbitrary tests so they will pass in both FIPS and non-FIPS mode without altering the original intent of the test cases. PR-URL: #3758 Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp> Reviewed-By: James M Snell <jasnell@gmail.com>
Use stronger crypto (larger keys, etc.) for arbitrary tests so they will pass in both FIPS and non-FIPS mode without altering the original intent of the test cases. PR-URL: #3758 Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp> Reviewed-By: James M Snell <jasnell@gmail.com>
In many test cases arbitrary crypto is chosen, for example a key length of 256 bits may be selected, or a prime number of 768 bits length. Some of these choices are not compatible with FIPS, in these cases I’ve opted to boost the cryptography level to a minimum supported level in FIPS. For a discussion on “equivalent” crypto strength across different algorithms see Section 5.6.1 of SP 800-57.