test: Skip weak crypto tests in FIPS mode by stefanmb · Pull Request #3757 · nodejs/node

stefanmb · 2015-11-10T23:58:30Z

FIPS 140-2 does not permit the use of MD5 and RC4, skip tests that use them in FIPS mode, or substitute with stronger crypto where applicable.

indutny · 2015-11-11T22:54:08Z

test/parallel/test-crypto-binary-default.js

I would rather wrap is with if.

shigeki · 2015-11-13T04:57:05Z

@stefanmb I've just updated test-tls-honorcipherorder.js so as to work on only TLS1.2 ciphers to change

DES-CBC-SHA => AES256-SHA256
AES256-SHA => AES128-GCM-SHA256
RC4-SHA => AES128-SHA256
ECDHE-RSA-AES256-SHA => ECDHE-RSA-AES128-GCM-SHA256

Please refer the whole tests at https://gist.github.com/shigeki/f523f894f6d739f59364

All the symmetric cipher is AES so it looks very hard to distinguish them at a glance but it does not matter to test and check the cipher selection.
Only the test5 has a different scenario from the previous one because it need to add a TLS1.2 cipher not included the current default list. I think it is not a realistic test case and should be okay to change it.

stefanmb · 2015-11-13T20:18:10Z

@shigeki

Thank you! I've included those changes as an additional commit in this PR.

indutny · 2015-11-13T20:21:36Z

test/common.js

Style, please move get: on a next line and indent everything properly.

Sure, I'll change the line above it too as mine is an exact copy of the existing hasCrypto above it.

stefanmb · 2015-11-13T20:52:41Z

@indutny Style (and formatting) issues fixed. Thanks!

jasnell · 2015-11-16T03:31:31Z

@stefanmb ... ok, quite a few CI failures on multiple platforms. The failures look relevant.

Modified tests to work in FIPS and non-FIPS mode using TLS1.2 crypto.

stefanmb · 2015-11-16T16:57:18Z

@jasnell Oops, there was a typo in one of the tests - I fixed it. Let's try another run.

jasnell · 2015-11-16T17:11:39Z

New CI: https://ci.nodejs.org/job/node-test-pull-request/747/

stefanmb · 2015-11-16T20:38:43Z

@jasnell I see two unrelated failures.

jasnell · 2015-11-16T20:42:59Z

LGTM
would like @nodejs/crypto to sign off tho

indutny · 2015-11-16T20:48:36Z

LGTM

mhdawson · 2015-11-19T18:15:46Z

Going to land CI run here: https://ci.nodejs.org/job/node-test-pull-request/787/

mhdawson · 2015-11-19T20:54:17Z

No relevant failures, a couple of centos machines had machine related issues and a failure on windows I'm pretty sure I've seen before

jasnell · 2015-11-19T20:54:52Z

+1. let's land it!

FIPS 140-2 does not permit the use of MD5 and RC4, skip or tests that use them, or substitute with stronger crypto where applicable. PR-URL: #3757 Reviewed-By: Fedor Indutny <fedor@indutny.com> Reviewed-By: James Snell <jasnell@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>

mhdawson · 2015-11-19T21:54:25Z

Landed as e499ea8

FIPS 140-2 does not permit the use of MD5 and RC4, skip or tests that use them, or substitute with stronger crypto where applicable. PR-URL: #3757 Reviewed-By: Fedor Indutny <fedor@indutny.com> Reviewed-By: James Snell <jasnell@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>

mscdex added crypto Issues and PRs related to the crypto subsystem. test Issues and PRs related to the tests. labels Nov 11, 2015

stefanmb mentioned this pull request Nov 11, 2015

crypto: Resolve FIPS test failures and API issues #3760

Closed

indutny reviewed Nov 11, 2015
View reviewed changes

jasnell added the lts-watch-v4.x label Nov 12, 2015

stefanmb force-pushed the fips-cs6-disable-weak-md5-rc4 branch from 5e91045 to f42f961 Compare November 12, 2015 23:02

stefanmb force-pushed the fips-cs6-disable-weak-md5-rc4 branch 2 times, most recently from f8ea05f to e6b1468 Compare November 13, 2015 20:16

indutny reviewed Nov 13, 2015
View reviewed changes

stefanmb force-pushed the fips-cs6-disable-weak-md5-rc4 branch 2 times, most recently from e09ee04 to af09eb8 Compare November 13, 2015 20:51

tls: test honor cipher order with TLS1.2

cc835ad

Modified tests to work in FIPS and non-FIPS mode using TLS1.2 crypto.

stefanmb force-pushed the fips-cs6-disable-weak-md5-rc4 branch from dd5ae5a to cc835ad Compare November 16, 2015 16:56

mhdawson self-assigned this Nov 19, 2015

mhdawson closed this Nov 20, 2015

Fishrock123 mentioned this pull request Nov 26, 2015

deps: upgrade npm to 3.5.0 #4032

Closed

MylesBorins added lts-landed-on-v4.x and removed lts-watch-v4.x labels Nov 30, 2015

This was referenced Dec 8, 2015

Release proposal: v5.2.0 #4180

Closed

Release proposal: v5.2.0 (Stable) #4181

Merged

MylesBorins added land-on-v4.x and removed lts-landed-on-v4.x labels Dec 17, 2015

jasnell mentioned this pull request Dec 17, 2015

Release 4.2.4 Planning #4321

Closed

Uh oh!

Conversation

stefanmb commented Nov 10, 2015

Uh oh!

indutny Nov 11, 2015

Choose a reason for hiding this comment

Uh oh!

shigeki Nov 12, 2015

Choose a reason for hiding this comment

Uh oh!

stefanmb Nov 12, 2015

Choose a reason for hiding this comment

Uh oh!

shigeki commented Nov 13, 2015

Uh oh!

stefanmb commented Nov 13, 2015

Uh oh!

indutny Nov 13, 2015

Choose a reason for hiding this comment

Uh oh!

stefanmb Nov 13, 2015

Choose a reason for hiding this comment

Uh oh!

stefanmb commented Nov 13, 2015

Uh oh!

jasnell commented Nov 16, 2015

Uh oh!

stefanmb commented Nov 16, 2015

Uh oh!

jasnell commented Nov 16, 2015

Uh oh!

stefanmb commented Nov 16, 2015

Uh oh!

jasnell commented Nov 16, 2015

Uh oh!

indutny commented Nov 16, 2015

Uh oh!

mhdawson commented Nov 19, 2015

Uh oh!

mhdawson commented Nov 19, 2015

Uh oh!

jasnell commented Nov 19, 2015

Uh oh!

mhdawson commented Nov 19, 2015

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

7 participants