[_526] can now opt out of strong primes to speed up SSL & PAM tests

d-w-moore · d-w-moore · commit a67fb1a99f4c · 2024-04-05T03:52:06.000-04:00
diff --git a/irods/test/setupssl.py b/irods/test/setupssl.py
@@ -25,20 +25,28 @@ def create_server_cert(process_output = sys.stdout, irods_key_path = 'irods.key'
     p.wait()
     return p.returncode
 
-def create_ssl_dir(irods_key_path = 'irods.key'):
+
+def create_ssl_dir(irods_key_path = 'irods.key', ssl_dir = '', use_strong_primes_for_dh_generation = True):
+    ssl_dir = ssl_dir or IRODS_SSL_DIR
     save_cwd = os.getcwd()
     silent_run =  { 'shell': True, 'stderr' : PIPE, 'stdout' : PIPE }
     try:
-        if not (os.path.exists(IRODS_SSL_DIR)):
-            os.mkdir(IRODS_SSL_DIR)
-        os.chdir(IRODS_SSL_DIR)
+        if not (os.path.exists(ssl_dir)):
+            os.mkdir(ssl_dir)
+        os.chdir(ssl_dir)
         if not keep_old:
             Popen("openssl genrsa -out '{irods_key_path}' 2048 && chmod 600 '{irods_key_path}'".format(**locals()),
                   **silent_run).communicate()
         with open("/dev/null","wb") as dev_null:
             if 0 == create_server_cert(process_output = dev_null, irods_key_path = irods_key_path):
                 if not keep_old:
-                    Popen('openssl dhparam -2 -out dhparams.pem',**silent_run).communicate()
+                    # https://www.openssl.org/docs/man1.0.2/man1/dhparam.html#:~:text=DH%20parameter%20generation%20with%20the,that%20may%20be%20possible%20otherwise.
+                    if use_strong_primes_for_dh_generation:
+                        dhparam_generation_command = 'openssl dhparam -2 -out dhparams.pem'
+                    else:
+                        dhparam_generation_command = 'openssl dhparam -dsaparam -out dhparams.pem 4096'
+                    print('cmd=',dhparam_generation_command )
+                    Popen(dhparam_generation_command,**silent_run).communicate()
         return os.listdir(".")
     finally:
         os.chdir(save_cwd)
@@ -57,14 +65,17 @@ def test(options, args=()):
     if affirm[:1].lower() == 'y':
         if not keep_old:
             shutil.rmtree(IRODS_SSL_DIR,ignore_errors=True)
-        print("Generating new '{}'. This may take a while.".format(IRODS_SSL_DIR), file=sys.stderr)
-        ssl_dir_files = create_ssl_dir()
-        print('ssl_dir_files=', ssl_dir_files)
+        dh_strong_primes = '-q' not in options
+        wait_warning = (' This may take a while.' if dh_strong_primes else '')
+        print("Generating new '{}'.{}".format(IRODS_SSL_DIR, wait_warning), file = sys.stderr)
+        ssl_dir_files = create_ssl_dir(use_strong_primes_for_dh_generation = dh_strong_primes)
+        print('ssl_dir_files=', ssl_dir_files, file = sys.stderr)
     
 if __name__ == '__main__':
     import getopt
-    opt, arg_list = getopt.getopt(sys.argv[1:],'x:fh:k')
+    opt, arg_list = getopt.getopt(sys.argv[1:],'x:fh:kq')
     opt_lookup = dict(opt)
+
     ext = opt_lookup.get('-x','')
     if ext:
         ext = '.' + ext.lstrip('.')
