1
0
Fork 0
mirror of https://github.com/ruby/ruby.git synced 2022-11-09 12:17:21 -05:00

* ext/openssl/ossl.c: add OpenSSL.fips_mode= to allow enabling FIPS

mode manually.
* test/openssl/utils.rb: turn off FIPS mode for tests. This prevents
  OpenSSL installations with FIPS mode enabled by default from raising
  FIPS-related errors during the tests.
* test/openssl/test_fips.rb: add tests for FIPS-capable OpenSSL
  installations.
  [Feature #6946] [ruby-core:47345]



git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@38480 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
This commit is contained in:
emboss 2012-12-20 00:29:07 +00:00
parent e3e4e9dfe7
commit a3b753b282
5 changed files with 107 additions and 8 deletions

View file

@ -1,3 +1,14 @@
Thu Dec 20 10:23:12 2012 Martin Bosslet <Martin.Bosslet@gmail.com>
* ext/openssl/ossl.c: add OpenSSL.fips_mode= to allow enabling FIPS
mode manually.
* test/openssl/utils.rb: turn off FIPS mode for tests. This prevents
OpenSSL installations with FIPS mode enabled by default from raising
FIPS-related errors during the tests.
* test/openssl/test_fips.rb: add tests for FIPS-capable OpenSSL
installations.
[Feature #6946] [ruby-core:47345]
Thu Dec 20 06:59:52 2012 Koichi Sasada <ko1@atdot.net>
* vm.c: support variable VM/Machine stack sizes.

15
NEWS
View file

@ -245,6 +245,10 @@ with all sufficient information, see the ChangeLog file.
also allows to programmatically decline (client) renegotiation attempts.
* Support for "0/n" splitting of records as BEAST mitigation via
OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS.
* The default options for OpenSSL::SSL::SSLContext have changed to
OpenSSL::SSL::OP_ALL & ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS
instead of OpenSSL::SSL::OP_ALL only. This enables the countermeasure for
the BEAST attack by default.
* OpenSSL requires passwords for decrypting PEM-encoded files to be at least
four characters long. This led to awkward situations where an export with
a password with fewer than four characters was possible, but accessing the
@ -255,13 +259,10 @@ with all sufficient information, see the ChangeLog file.
* SSL/TLS support for the Next Protocol Negotiation extension. Supported
with OpenSSL 1.0.1 and higher.
* OpenSSL::OPENSSL_FIPS allows client applications to detect whether OpenSSL
is running in FIPS mode and to react to the special requirements this
might imply.
* The default options for OpenSSL::SSL::SSLContext have changed to
OpenSSL::SSL::OP_ALL & ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS
instead of OpenSSL::SSL::OP_ALL only. This enables the countermeasure for
the BEAST attack by default.
is FIPS-enabled. OpenSSL.fips_mode= allows turning on and off FIPS mode
manually in order to adapt to situations where FIPS mode would be an
explicit requirement.
* ostruct
* new methods:
* OpenStruct#[], []=

View file

@ -424,6 +424,33 @@ ossl_debug_set(VALUE self, VALUE val)
return val;
}
/*
* call-seq:
* OpenSSL.fips_mode = boolean -> boolean
*
* Turns FIPS mode on or off. Turning on FIPS mode will obviously only have an
* effect for FIPS-capable installations of the OpenSSL library. Trying to do
* so otherwise will result in an error.
*
* === Examples
*
* OpenSSL.fips_mode = true # turn FIPS mode on
* OpenSSL.fips_mode = false # and off again
*/
static VALUE
ossl_fips_mode_set(VALUE self, VALUE enabled)
{
if RTEST(enabled) {
int mode = FIPS_mode();
if(!mode && !FIPS_mode_set(1)) /* turning on twice leads to an error */
ossl_raise(eOSSLError, "Turning on FIPS mode failed");
} else {
if(!FIPS_mode_set(0)) /* turning off twice is OK */
ossl_raise(eOSSLError, "Turning off FIPS mode failed");
}
return enabled;
}
/*
* OpenSSL provides SSL, TLS and general purpose cryptography. It wraps the
* OpenSSL[http://www.openssl.org/] library.
@ -944,13 +971,14 @@ Init_openssl()
rb_define_const(mOSSL, "OPENSSL_VERSION_NUMBER", INT2NUM(OPENSSL_VERSION_NUMBER));
/*
* Boolean indicating whether OpenSSL runs in FIPS mode or not
* Boolean indicating whether OpenSSL is FIPS-enabled or not
*/
#ifdef HAVE_OPENSSL_FIPS
rb_define_const(mOSSL, "OPENSSL_FIPS", Qtrue);
#else
rb_define_const(mOSSL, "OPENSSL_FIPS", Qfalse);
#endif
rb_define_module_function(mOSSL, "fips_mode=", ossl_fips_mode_set, 1);
/*
* Generic error,

55
test/openssl/test_fips.rb Normal file
View file

@ -0,0 +1,55 @@
require_relative 'utils'
if defined?(OpenSSL) && OpenSSL::OPENSSL_FIPS
class OpenSSL::TestFIPS < Test::Unit::TestCase
def test_reject_md5
data = "test"
assert_not_nil(OpenSSL::Digest.new("MD5").digest(data))
in_fips_mode do
assert_raise(OpenSSL::Digest::DigestError) do
OpenSSL::Digest.new("MD5").digest(data)
end
end
end
def test_reject_short_key_rsa
assert_key_too_short(OpenSSL::PKey::RSAError) { dh = OpenSSL::PKey::RSA.new(256) }
end
def test_reject_short_key_dsa
assert_key_too_short(OpenSSL::PKey::DSAError) { dh = OpenSSL::PKey::DSA.new(256) }
end
def test_reject_short_key_dh
assert_key_too_short(OpenSSL::PKey::DHError) { dh = OpenSSL::PKey::DH.new(256) }
end
def test_reject_short_key_ec
assert_key_too_short(OpenSSL::PKey::ECError) do
group = OpenSSL::PKey::EC::Group.new('secp112r1')
key = OpenSSL::PKey::EC.new
key.group = group
key.generate_key
end
end
private
def in_fips_mode
OpenSSL.fips_mode = true
yield
ensure
OpenSSL.fips_mode = false
end
def assert_key_too_short(expected_error)
in_fips_mode do
assert_raise(expected_error) { yield }
end
end
end
end

View file

@ -1,5 +1,9 @@
begin
require "openssl"
# disable FIPS mode for tests for installations
# where FIPS mode would be enabled by default
OpenSSL.fips_mode=false
rescue LoadError
end
require "test/unit"