Implement FIPS functions, adding OpenSSL FIPS mode case on CI. #608
@@ -0,0 +1,19 @@ | ||
config_diagnostics = 1 | ||
openssl_conf = openssl_init | ||
|
||
# It seems that the .include needs an absolute path. | ||
.include OPENSSL_DIR/ssl/fipsmodule.cnf | ||
|
||
[openssl_init] | ||
providers = provider_sect | ||
alg_section = algorithm_sect | ||
|
||
[provider_sect] | ||
fips = fips_sect | ||
base = base_sect | ||
|
||
[base_sect] | ||
activate = 1 | ||
|
||
[algorithm_sect] | ||
default_properties = fips=yes |
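Review bot: the `.include OPENSSL_DIR/ssl/fipsmodule.cnf` line uses `OPENSSL_DIR` as a placeholder, and the comment above it notes that `.include` needs an absolute path; OpenSSL does not expand that token itself, so the CI step that writes this file must substitute the real install prefix before `openssl_conf` is loaded, and a short comment saying where that substitution happens (or a placeholder spelling such as `@OPENSSL_DIR@` that cannot be mistaken for a real path) would make the contract obvious. `fips = fips_sect` refers to the `[fips_sect]` that `openssl fipsinstall` writes into `fipsmodule.cnf`, which is why it is not defined in this file; with `config_diagnostics = 1` a wrong include path fails configuration loading loudly instead of being ignored, which is the right choice for a CI job whose purpose is to prove the FIPS provider is active.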
@@ -4,20 +4,44 @@ | |
if defined?(OpenSSL) | ||
|
||
class OpenSSL::TestFIPS < OpenSSL::TestCase | ||
def test_fips_mode_get_is_true_on_fips_mode_enabled | ||
unless ENV["TEST_RUBY_OPENSSL_FIPS_ENABLED"] | ||
omit "Only for FIPS mode environment" | ||
end | ||
|
||
assert_separately([{ "OSSL_MDEBUG" => nil }, "-ropenssl"], <<~"end;") | ||
assert OpenSSL.fips_mode == true, ".fips_mode should return true on FIPS mode enabled" | ||
end; | ||
end | ||
|
||
def test_fips_mode_get_is_false_on_fips_mode_disabled | ||
if ENV["TEST_RUBY_OPENSSL_FIPS_ENABLED"] | ||
omit "Only for non-FIPS mode environment" | ||
end | ||
|
||
assert_separately([{ "OSSL_MDEBUG" => nil }, "-ropenssl"], <<~"end;") | ||
message = ".fips_mode should return false on FIPS mode disabled. " \ | ||
"If you run the test on FIPS mode, please set " \ | ||
"TEST_RUBY_OPENSSL_FIPS_ENABLED=true" | ||
assert OpenSSL.fips_mode == false, message | ||
end; | ||
end | ||
|
||
Shouldn't these test cases be enabled permanently, also outside of CI? Or shouldn't there rather be one test case, which will compare the expected result based on the env variables?

Right now I don't find a good way to check if the OpenSSL is running on the FIPS mode enabled or disabled. Because the

Perhaps, one possible way to check the FIPS mode or not with the OpenSSL 3 is, to add a source code of the command fips_enabled.c

If you guys like this way, I can add the source code to this repository and can add new tests. But I would like that it is in another PR. Because the current tests running on CI can test the new implementation on the CI.

The FIPS mode is enabled in CI, so it is in a known state. Or are you afraid that somebody who would by chance run the test suite on their FIPS-enabled system would differ from the default expectation? I don't think this is a very likely scenario. IOW I believe it is safe to assume that by default, FIPS is disabled and the

Yes. Maybe in my understanding, that is the case I am afraid of. I noticed that

I still cannot imagine how you want to change the condition. Could you share your suggestion for the change with the result of the

Another suggestion of mine is below, removing the
|
||
def test_fips_mode_is_reentrant | ||
OpenSSL.fips_mode = false | ||
OpenSSL.fips_mode = false | ||
end | ||
|
||
def test_fips_mode_get | ||
return unless OpenSSL::OPENSSL_FIPS | ||
def test_fips_mode_get_with_fips_mode_set | ||
omit('OpenSSL is not FIPS-capable') unless OpenSSL::OPENSSL_FIPS | ||
Note that I used the message

I see the following error message in the
|
||
|
||
|
||
assert_separately([{ "OSSL_MDEBUG" => nil }, "-ropenssl"], <<~"end;") | ||
begin | ||
OpenSSL.fips_mode = true | ||
assert OpenSSL.fips_mode == true, ".fips_mode returns true when .fips_mode=true" | ||
assert OpenSSL.fips_mode == true, ".fips_mode should return true when .fips_mode=true" | ||
|
||
OpenSSL.fips_mode = false | ||
assert OpenSSL.fips_mode == false, ".fips_mode returns false when .fips_mode=false" | ||
assert OpenSSL.fips_mode == false, ".fips_mode should return false when .fips_mode=false" | ||
rescue OpenSSL::OpenSSLError | ||
pend "Could not set FIPS mode (OpenSSL::OpenSSLError: \#$!); skipping" | ||
end | ||
|
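Review bot: in `test_fips_mode_get_with_fips_mode_set`, the `rescue OpenSSL::OpenSSLError` wraps both the `OpenSSL.fips_mode = true` and the `OpenSSL.fips_mode = false` steps and turns any setter failure into a `pend`, so a genuine regression in `OpenSSL.fips_mode=` would be reported as skipped rather than failed, including on the FIPS CI job this PR adds; since the author describes this as a temporary workaround for #603, consider leaving a comment next to the `rescue` that names #603 and narrowing the rescue to the `fips_mode = true` step (or asserting on the rescued error message), so the test starts failing loudly once #603 is fixed. Separately, `test_fips_mode_is_reentrant` assigns `OpenSSL.fips_mode = false` twice without asserting anything, so it only checks that the second call does not raise; a trailing `assert_equal false, OpenSSL.fips_mode` would make its intent explicit.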
This condition is a temporary workaround. If you remove the "if", you can reproduce the issue #603 on the fips mode case on CI.