* ext/openssl/ossl.c: do not use FIPS_mode_set if not available.
* test/openssl/utils.rb: revise comment about setting FIPS mode to false. * test/openssl/test_fips.rb: remove tests that cause errors on ruby-ci. [Feature #6946] [ruby-core:47345] git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@38491 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
parent
a6ed298df7
commit
4fce754f9b
4 changed files with 23 additions and 47 deletions
11
ChangeLog
11
ChangeLog
|
@ -1,3 +1,12 @@
|
|||
Thu Dec 20 15:55:46 2012 Martin Bosslet <Martin.Bosslet@gmail.com>
|
||||
|
||||
* ext/openssl/ossl.c: do not use FIPS_mode_set if not available.
|
||||
* test/openssl/utils.rb: revise comment about setting FIPS mode to
|
||||
false.
|
||||
* test/openssl/test_fips.rb: remove tests that cause errors on
|
||||
ruby-ci.
|
||||
[Feature #6946] [ruby-core:47345]
|
||||
|
||||
Thu Dec 20 15:22:59 2012 Eric Hodel <drbrain@segment7.net>
|
||||
|
||||
* lib/rdoc/parser/ruby.rb: Ignore methods defined on constants to
|
||||
|
@ -5,7 +14,7 @@ Thu Dec 20 15:22:59 2012 Eric Hodel <drbrain@segment7.net>
|
|||
documentation.
|
||||
* test/rdoc/test_rdoc_parser_ruby.rb: Test for the above.
|
||||
|
||||
Thu Dec 20 16:00:33 2012 Martin Bosslet <Martin.Bosslet@gmail.com>
|
||||
Thu Dec 20 15:00:33 2012 Martin Bosslet <Martin.Bosslet@gmail.com>
|
||||
|
||||
* ext/openssl/ossl_cipher.c: add support for Authenticated Encryption
|
||||
with Associated Data (AEAD) for OpenSSL versions that support the
|
||||
|
|
|
@ -440,6 +440,8 @@ ossl_debug_set(VALUE self, VALUE val)
|
|||
static VALUE
|
||||
ossl_fips_mode_set(VALUE self, VALUE enabled)
|
||||
{
|
||||
|
||||
#ifdef HAVE_OPENSSL_FIPS
|
||||
if RTEST(enabled) {
|
||||
int mode = FIPS_mode();
|
||||
if(!mode && !FIPS_mode_set(1)) /* turning on twice leads to an error */
|
||||
|
@ -449,6 +451,11 @@ ossl_fips_mode_set(VALUE self, VALUE enabled)
|
|||
ossl_raise(eOSSLError, "Turning off FIPS mode failed");
|
||||
}
|
||||
return enabled;
|
||||
#else
|
||||
if RTEST(enabled)
|
||||
ossl_raise(eOSSLError, "This version of OpenSSL does not support FIPS mode");
|
||||
return enabled;
|
||||
#endif
|
||||
}
|
||||
|
||||
/*
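Review bot: The new `#else` branch of ossl_fips_mode_set repeats the `if RTEST(enabled)` form from the FIPS branch, which compiles only while the macro expands to a fully parenthesized expression; `if (RTEST(enabled))` in both places removes that dependency. Raising when FIPS mode is requested on a build without it is the right fail-closed behaviour, but the `false` path returns silently. A one-line comment in the `#else` body would record that this asymmetry is deliberate, for example `/* disabling is a no-op without FIPS support; enabling must fail */`. The function starts in the previous hunk and its doc comment is not visible here; if it carries a call-seq, that presumably should mention the new error as well.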
|
||||
|
|
|
@ -1,55 +1,14 @@
|
|||
require_relative 'utils'
|
||||
|
||||
if defined?(OpenSSL) && OpenSSL::OPENSSL_FIPS
|
||||
if defined?(OpenSSL)
|
||||
|
||||
class OpenSSL::TestFIPS < Test::Unit::TestCase
|
||||
|
||||
def test_reject_md5
|
||||
data = "test"
|
||||
assert_not_nil(OpenSSL::Digest.new("MD5").digest(data))
|
||||
in_fips_mode do
|
||||
assert_raise(OpenSSL::Digest::DigestError) do
|
||||
OpenSSL::Digest.new("MD5").digest(data)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
def test_reject_short_key_rsa
|
||||
assert_key_too_short(OpenSSL::PKey::RSAError) { dh = OpenSSL::PKey::RSA.new(256) }
|
||||
end
|
||||
|
||||
def test_reject_short_key_dsa
|
||||
assert_key_too_short(OpenSSL::PKey::DSAError) { dh = OpenSSL::PKey::DSA.new(256) }
|
||||
end
|
||||
|
||||
def test_reject_short_key_dh
|
||||
assert_key_too_short(OpenSSL::PKey::DHError) { dh = OpenSSL::PKey::DH.new(256) }
|
||||
end
|
||||
|
||||
def test_reject_short_key_ec
|
||||
assert_key_too_short(OpenSSL::PKey::ECError) do
|
||||
group = OpenSSL::PKey::EC::Group.new('secp112r1')
|
||||
key = OpenSSL::PKey::EC.new
|
||||
key.group = group
|
||||
key.generate_key
|
||||
end
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
def in_fips_mode
|
||||
OpenSSL.fips_mode = true
|
||||
yield
|
||||
ensure
|
||||
def test_fips_mode_is_reentrant
|
||||
OpenSSL.fips_mode = false
|
||||
OpenSSL.fips_mode = false
|
||||
end
|
||||
|
||||
def assert_key_too_short(expected_error)
|
||||
in_fips_mode do
|
||||
assert_raise(expected_error) { yield }
|
||||
end
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
end
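Review bot: The one remaining test, test_fips_mode_is_reentrant, sets `OpenSSL.fips_mode = false` twice and asserts nothing, so no test now covers the enable path or the error this commit adds for builds without FIPS support. The file is now loaded whenever OpenSSL is defined, so a test guarded on the constant the old condition used would pin the fail-closed behaviour: `assert_raise(OpenSSL::OpenSSLError) { OpenSSL.fips_mode = true } unless OpenSSL::OPENSSL_FIPS`. The removed MD5 and short-key tests were the only checks on this page that FIPS mode actually restricts algorithms. The commit message says they fail on ruby-ci, so a comment in the file noting why they were dropped would keep that gap visible.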
|
||||
|
|
|
@ -1,8 +1,9 @@
|
|||
begin
|
||||
require "openssl"
|
||||
|
||||
# disable FIPS mode for tests for installations
|
||||
# where FIPS mode would be enabled by default
|
||||
# Disable FIPS mode for tests for installations
|
||||
# where FIPS mode would be enabled by default.
|
||||
# Has no effect on all other installations.
|
||||
OpenSSL.fips_mode=false
|
||||
rescue LoadError
|
||||
end
|
||||
|
|