1
0
Fork 0
mirror of https://github.com/ruby/ruby.git synced 2022-11-09 12:17:21 -05:00

* ext/openssl/ossl.c: do not use FIPS_mode_set if not available.

* test/openssl/utils.rb: revise comment about setting FIPS mode to
  false.
* test/openssl/test_fips.rb: remove tests that cause errors on
  ruby-ci.
  [Feature #6946] [ruby-core:47345]



git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@38491 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
This commit is contained in:
emboss 2012-12-20 07:00:11 +00:00
parent a6ed298df7
commit 4fce754f9b
4 changed files with 23 additions and 47 deletions

View file

@ -1,3 +1,12 @@
Thu Dec 20 15:55:46 2012 Martin Bosslet <Martin.Bosslet@gmail.com>
* ext/openssl/ossl.c: do not use FIPS_mode_set if not available.
* test/openssl/utils.rb: revise comment about setting FIPS mode to
false.
* test/openssl/test_fips.rb: remove tests that cause errors on
ruby-ci.
[Feature #6946] [ruby-core:47345]
Thu Dec 20 15:22:59 2012 Eric Hodel <drbrain@segment7.net>
* lib/rdoc/parser/ruby.rb: Ignore methods defined on constants to
@ -5,7 +14,7 @@ Thu Dec 20 15:22:59 2012 Eric Hodel <drbrain@segment7.net>
documentation.
* test/rdoc/test_rdoc_parser_ruby.rb: Test for the above.
Thu Dec 20 16:00:33 2012 Martin Bosslet <Martin.Bosslet@gmail.com>
Thu Dec 20 15:00:33 2012 Martin Bosslet <Martin.Bosslet@gmail.com>
* ext/openssl/ossl_cipher.c: add support for Authenticated Encryption
with Associated Data (AEAD) for OpenSSL versions that support the

View file

@ -440,6 +440,8 @@ ossl_debug_set(VALUE self, VALUE val)
static VALUE
ossl_fips_mode_set(VALUE self, VALUE enabled)
{
#ifdef HAVE_OPENSSL_FIPS
if RTEST(enabled) {
int mode = FIPS_mode();
if(!mode && !FIPS_mode_set(1)) /* turning on twice leads to an error */
@ -449,6 +451,11 @@ ossl_fips_mode_set(VALUE self, VALUE enabled)
ossl_raise(eOSSLError, "Turning off FIPS mode failed");
}
return enabled;
#else
if RTEST(enabled)
ossl_raise(eOSSLError, "This version of OpenSSL does not support FIPS mode");
return enabled;
#endif
}
/*

View file

@ -1,55 +1,14 @@
require_relative 'utils'
if defined?(OpenSSL) && OpenSSL::OPENSSL_FIPS
if defined?(OpenSSL)
class OpenSSL::TestFIPS < Test::Unit::TestCase
def test_reject_md5
data = "test"
assert_not_nil(OpenSSL::Digest.new("MD5").digest(data))
in_fips_mode do
assert_raise(OpenSSL::Digest::DigestError) do
OpenSSL::Digest.new("MD5").digest(data)
end
end
end
def test_reject_short_key_rsa
assert_key_too_short(OpenSSL::PKey::RSAError) { dh = OpenSSL::PKey::RSA.new(256) }
end
def test_reject_short_key_dsa
assert_key_too_short(OpenSSL::PKey::DSAError) { dh = OpenSSL::PKey::DSA.new(256) }
end
def test_reject_short_key_dh
assert_key_too_short(OpenSSL::PKey::DHError) { dh = OpenSSL::PKey::DH.new(256) }
end
def test_reject_short_key_ec
assert_key_too_short(OpenSSL::PKey::ECError) do
group = OpenSSL::PKey::EC::Group.new('secp112r1')
key = OpenSSL::PKey::EC.new
key.group = group
key.generate_key
end
end
private
def in_fips_mode
OpenSSL.fips_mode = true
yield
ensure
def test_fips_mode_is_reentrant
OpenSSL.fips_mode = false
OpenSSL.fips_mode = false
end
def assert_key_too_short(expected_error)
in_fips_mode do
assert_raise(expected_error) { yield }
end
end
end
end

View file

@ -1,8 +1,9 @@
begin
require "openssl"
# disable FIPS mode for tests for installations
# where FIPS mode would be enabled by default
# Disable FIPS mode for tests for installations
# where FIPS mode would be enabled by default.
# Has no effect on all other installations.
OpenSSL.fips_mode=false
rescue LoadError
end