mirror of
https://github.com/ruby/ruby.git
synced 2022-11-09 12:17:21 -05:00
* ext/openssl/ossl.c: add OpenSSL.fips_mode= to allow enabling FIPS
mode manually. * test/openssl/utils.rb: turn off FIPS mode for tests. This prevents OpenSSL installations with FIPS mode enabled by default from raising FIPS-related errors during the tests. * test/openssl/test_fips.rb: add tests for FIPS-capable OpenSSL installations. [Feature #6946] [ruby-core:47345] git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@38480 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
This commit is contained in:
parent
e3e4e9dfe7
commit
a3b753b282
5 changed files with 107 additions and 8 deletions
11
ChangeLog
11
ChangeLog
|
@ -1,3 +1,14 @@
|
|||
Thu Dec 20 10:23:12 2012 Martin Bosslet <Martin.Bosslet@gmail.com>
|
||||
|
||||
* ext/openssl/ossl.c: add OpenSSL.fips_mode= to allow enabling FIPS
|
||||
mode manually.
|
||||
* test/openssl/utils.rb: turn off FIPS mode for tests. This prevents
|
||||
OpenSSL installations with FIPS mode enabled by default from raising
|
||||
FIPS-related errors during the tests.
|
||||
* test/openssl/test_fips.rb: add tests for FIPS-capable OpenSSL
|
||||
installations.
|
||||
[Feature #6946] [ruby-core:47345]
|
||||
|
||||
Thu Dec 20 06:59:52 2012 Koichi Sasada <ko1@atdot.net>
|
||||
|
||||
* vm.c: support variable VM/Machine stack sizes.
|
||||
|
|
15
NEWS
15
NEWS
|
@ -245,6 +245,10 @@ with all sufficient information, see the ChangeLog file.
|
|||
also allows to programmatically decline (client) renegotiation attempts.
|
||||
* Support for "0/n" splitting of records as BEAST mitigation via
|
||||
OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS.
|
||||
* The default options for OpenSSL::SSL::SSLContext have changed to
|
||||
OpenSSL::SSL::OP_ALL & ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS
|
||||
instead of OpenSSL::SSL::OP_ALL only. This enables the countermeasure for
|
||||
the BEAST attack by default.
|
||||
* OpenSSL requires passwords for decrypting PEM-encoded files to be at least
|
||||
four characters long. This led to awkward situations where an export with
|
||||
a password with fewer than four characters was possible, but accessing the
|
||||
|
@ -255,13 +259,10 @@ with all sufficient information, see the ChangeLog file.
|
|||
* SSL/TLS support for the Next Protocol Negotiation extension. Supported
|
||||
with OpenSSL 1.0.1 and higher.
|
||||
* OpenSSL::OPENSSL_FIPS allows client applications to detect whether OpenSSL
|
||||
is running in FIPS mode and to react to the special requirements this
|
||||
might imply.
|
||||
* The default options for OpenSSL::SSL::SSLContext have changed to
|
||||
OpenSSL::SSL::OP_ALL & ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS
|
||||
instead of OpenSSL::SSL::OP_ALL only. This enables the countermeasure for
|
||||
the BEAST attack by default.
|
||||
|
||||
is FIPS-enabled. OpenSSL.fips_mode= allows turning on and off FIPS mode
|
||||
manually in order to adapt to situations where FIPS mode would be an
|
||||
explicit requirement.
|
||||
|
||||
* ostruct
|
||||
* new methods:
|
||||
* OpenStruct#[], []=
|
||||
|
|
|
@ -424,6 +424,33 @@ ossl_debug_set(VALUE self, VALUE val)
|
|||
return val;
|
||||
}
|
||||
|
||||
/*
|
||||
* call-seq:
|
||||
* OpenSSL.fips_mode = boolean -> boolean
|
||||
*
|
||||
* Turns FIPS mode on or off. Turning on FIPS mode will obviously only have an
|
||||
* effect for FIPS-capable installations of the OpenSSL library. Trying to do
|
||||
* so otherwise will result in an error.
|
||||
*
|
||||
* === Examples
|
||||
*
|
||||
* OpenSSL.fips_mode = true # turn FIPS mode on
|
||||
* OpenSSL.fips_mode = false # and off again
|
||||
*/
|
||||
static VALUE
|
||||
ossl_fips_mode_set(VALUE self, VALUE enabled)
|
||||
{
|
||||
if RTEST(enabled) {
|
||||
int mode = FIPS_mode();
|
||||
if(!mode && !FIPS_mode_set(1)) /* turning on twice leads to an error */
|
||||
ossl_raise(eOSSLError, "Turning on FIPS mode failed");
|
||||
} else {
|
||||
if(!FIPS_mode_set(0)) /* turning off twice is OK */
|
||||
ossl_raise(eOSSLError, "Turning off FIPS mode failed");
|
||||
}
|
||||
return enabled;
|
||||
}
|
||||
|
||||
/*
|
||||
* OpenSSL provides SSL, TLS and general purpose cryptography. It wraps the
|
||||
* OpenSSL[http://www.openssl.org/] library.
|
||||
|
@ -944,13 +971,14 @@ Init_openssl()
|
|||
rb_define_const(mOSSL, "OPENSSL_VERSION_NUMBER", INT2NUM(OPENSSL_VERSION_NUMBER));
|
||||
|
||||
/*
|
||||
* Boolean indicating whether OpenSSL runs in FIPS mode or not
|
||||
* Boolean indicating whether OpenSSL is FIPS-enabled or not
|
||||
*/
|
||||
#ifdef HAVE_OPENSSL_FIPS
|
||||
rb_define_const(mOSSL, "OPENSSL_FIPS", Qtrue);
|
||||
#else
|
||||
rb_define_const(mOSSL, "OPENSSL_FIPS", Qfalse);
|
||||
#endif
|
||||
rb_define_module_function(mOSSL, "fips_mode=", ossl_fips_mode_set, 1);
|
||||
|
||||
/*
|
||||
* Generic error,
|
||||
|
|
55
test/openssl/test_fips.rb
Normal file
55
test/openssl/test_fips.rb
Normal file
|
@ -0,0 +1,55 @@
|
|||
require_relative 'utils'
|
||||
|
||||
if defined?(OpenSSL) && OpenSSL::OPENSSL_FIPS
|
||||
|
||||
class OpenSSL::TestFIPS < Test::Unit::TestCase
|
||||
|
||||
def test_reject_md5
|
||||
data = "test"
|
||||
assert_not_nil(OpenSSL::Digest.new("MD5").digest(data))
|
||||
in_fips_mode do
|
||||
assert_raise(OpenSSL::Digest::DigestError) do
|
||||
OpenSSL::Digest.new("MD5").digest(data)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
def test_reject_short_key_rsa
|
||||
assert_key_too_short(OpenSSL::PKey::RSAError) { dh = OpenSSL::PKey::RSA.new(256) }
|
||||
end
|
||||
|
||||
def test_reject_short_key_dsa
|
||||
assert_key_too_short(OpenSSL::PKey::DSAError) { dh = OpenSSL::PKey::DSA.new(256) }
|
||||
end
|
||||
|
||||
def test_reject_short_key_dh
|
||||
assert_key_too_short(OpenSSL::PKey::DHError) { dh = OpenSSL::PKey::DH.new(256) }
|
||||
end
|
||||
|
||||
def test_reject_short_key_ec
|
||||
assert_key_too_short(OpenSSL::PKey::ECError) do
|
||||
group = OpenSSL::PKey::EC::Group.new('secp112r1')
|
||||
key = OpenSSL::PKey::EC.new
|
||||
key.group = group
|
||||
key.generate_key
|
||||
end
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
def in_fips_mode
|
||||
OpenSSL.fips_mode = true
|
||||
yield
|
||||
ensure
|
||||
OpenSSL.fips_mode = false
|
||||
end
|
||||
|
||||
def assert_key_too_short(expected_error)
|
||||
in_fips_mode do
|
||||
assert_raise(expected_error) { yield }
|
||||
end
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
end
|
|
@ -1,5 +1,9 @@
|
|||
begin
|
||||
require "openssl"
|
||||
|
||||
# disable FIPS mode for tests for installations
|
||||
# where FIPS mode would be enabled by default
|
||||
OpenSSL.fips_mode=false
|
||||
rescue LoadError
|
||||
end
|
||||
require "test/unit"
|
||||
|
|
Loading…
Reference in a new issue