* ext/openssl/ossl.c: add OpenSSL.fips_mode= to allow enabling FIPS

mode manually. * test/openssl/utils.rb: turn off FIPS mode for tests. This prevents OpenSSL installations with FIPS mode enabled by default from raising FIPS-related errors during the tests. * test/openssl/test_fips.rb: add tests for FIPS-capable OpenSSL installations. [Feature #6946] [ruby-core:47345] git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@38480 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
author: emboss <emboss@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> 2012-12-20 00:29:07 +0000
committer: emboss <emboss@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> 2012-12-20 00:29:07 +0000
commit: a3b753b28214ad321e7335afada7f1b06d036836 (patch)
tree: c405de7ac3b8a087774472e6d31ee7de7642863c
parent: e3e4e9dfe77c103ac8a46e5ad15ef6b36e6f0653 (diff)
5 files changed, 107 insertions, 8 deletions
diff --git a/ChangeLog b/ChangeLog
index 9a86ec1922..745220f651 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+Thu Dec 20 10:23:12 2012  Martin Bosslet  <Martin.Bosslet@gmail.com>
+
+	* ext/openssl/ossl.c: add OpenSSL.fips_mode= to allow enabling FIPS
+	  mode manually.
+	* test/openssl/utils.rb: turn off FIPS mode for tests. This prevents
+	  OpenSSL installations with FIPS mode enabled by default from raising
+	  FIPS-related errors during the tests.
+	* test/openssl/test_fips.rb: add tests for FIPS-capable OpenSSL
+	  installations.
+	  [Feature #6946] [ruby-core:47345]
+
 Thu Dec 20 06:59:52 2012  Koichi Sasada  <ko1@atdot.net>
 
 	* vm.c: support variable VM/Machine stack sizes.
diff --git a/NEWS b/NEWS
index a497d247f6..9a4ab4cb5a 100644
--- a/NEWS
+++ b/NEWS
@@ -245,6 +245,10 @@ with all sufficient information, see the ChangeLog file.
     also allows to programmatically decline (client) renegotiation attempts.
   * Support for "0/n" splitting of records as BEAST mitigation via
     OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS.
+  * The default options for OpenSSL::SSL::SSLContext have changed to
+    OpenSSL::SSL::OP_ALL & ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS
+    instead of OpenSSL::SSL::OP_ALL only. This enables the countermeasure for
+    the BEAST attack by default.
   * OpenSSL requires passwords for decrypting PEM-encoded files to be at least
     four characters long. This led to awkward situations where an export with
     a password with fewer than four characters was possible, but accessing the
@@ -255,13 +259,10 @@ with all sufficient information, see the ChangeLog file.
   * SSL/TLS support for the Next Protocol Negotiation extension. Supported
     with OpenSSL 1.0.1 and higher.
   * OpenSSL::OPENSSL_FIPS allows client applications to detect whether OpenSSL
-    is running in FIPS mode and to react to the special requirements this
-    might imply.
-  * The default options for OpenSSL::SSL::SSLContext have changed to
-    OpenSSL::SSL::OP_ALL & ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS
-    instead of OpenSSL::SSL::OP_ALL only. This enables the countermeasure for
-    the BEAST attack by default.
-
+    is FIPS-enabled. OpenSSL.fips_mode= allows turning on and off FIPS mode
+    manually in order to adapt to situations where FIPS mode would be an
+    explicit requirement.
+  
 * ostruct
   * new methods:
     * OpenStruct#[], []=
diff --git a/ext/openssl/ossl.c b/ext/openssl/ossl.c
index ac8f63800d..9d14ca6110 100644
--- a/ext/openssl/ossl.c
+++ b/ext/openssl/ossl.c
@@ -425,6 +425,33 @@ ossl_debug_set(VALUE self, VALUE val)
 }
 
 /*
+ * call-seq:
+ *   OpenSSL.fips_mode = boolean -> boolean
+ *
+ * Turns FIPS mode on or off. Turning on FIPS mode will obviously only have an
+ * effect for FIPS-capable installations of the OpenSSL library. Trying to do
+ * so otherwise will result in an error.
+ *
+ * === Examples
+ *
+ * OpenSSL.fips_mode = true   # turn FIPS mode on
+ * OpenSSL.fips_mode = false  # and off again
+ */
+static VALUE
+ossl_fips_mode_set(VALUE self, VALUE enabled)
+{
+    if RTEST(enabled) {
+	int mode = FIPS_mode();
+	if(!mode && !FIPS_mode_set(1)) /* turning on twice leads to an error */
+	    ossl_raise(eOSSLError, "Turning on FIPS mode failed");
+    } else {
+	if(!FIPS_mode_set(0)) /* turning off twice is OK */
+	    ossl_raise(eOSSLError, "Turning off FIPS mode failed");
+    }
+    return enabled;
+}
+
+/*
  * OpenSSL provides SSL, TLS and general purpose cryptography.  It wraps the
  * OpenSSL[http://www.openssl.org/] library.
  *
@@ -944,13 +971,14 @@ Init_openssl()
     rb_define_const(mOSSL, "OPENSSL_VERSION_NUMBER", INT2NUM(OPENSSL_VERSION_NUMBER));
 
     /*
-     * Boolean indicating whether OpenSSL runs in FIPS mode or not
+     * Boolean indicating whether OpenSSL is FIPS-enabled or not
      */
 #ifdef HAVE_OPENSSL_FIPS
     rb_define_const(mOSSL, "OPENSSL_FIPS", Qtrue);
 #else
     rb_define_const(mOSSL, "OPENSSL_FIPS", Qfalse);
 #endif
+    rb_define_module_function(mOSSL, "fips_mode=", ossl_fips_mode_set, 1);
 
     /*
      * Generic error,
diff --git a/test/openssl/test_fips.rb b/test/openssl/test_fips.rb
new file mode 100644
index 0000000000..f04e511d76
--- /dev/null
+++ b/test/openssl/test_fips.rb
@@ -0,0 +1,55 @@
+require_relative 'utils'
+
+if defined?(OpenSSL) && OpenSSL::OPENSSL_FIPS
+
+class OpenSSL::TestFIPS < Test::Unit::TestCase
+  
+  def test_reject_md5
+    data = "test"
+    assert_not_nil(OpenSSL::Digest.new("MD5").digest(data))
+    in_fips_mode do
+      assert_raise(OpenSSL::Digest::DigestError) do
+        OpenSSL::Digest.new("MD5").digest(data)
+      end
+    end
+  end
+
+  def test_reject_short_key_rsa
+    assert_key_too_short(OpenSSL::PKey::RSAError) { dh = OpenSSL::PKey::RSA.new(256) }
+  end
+
+  def test_reject_short_key_dsa
+    assert_key_too_short(OpenSSL::PKey::DSAError) { dh = OpenSSL::PKey::DSA.new(256) }
+  end
+
+  def test_reject_short_key_dh
+    assert_key_too_short(OpenSSL::PKey::DHError) { dh = OpenSSL::PKey::DH.new(256) }
+  end
+
+  def test_reject_short_key_ec
+    assert_key_too_short(OpenSSL::PKey::ECError) do
+      group = OpenSSL::PKey::EC::Group.new('secp112r1')
+      key = OpenSSL::PKey::EC.new
+      key.group = group
+      key.generate_key
+    end
+  end
+
+  private
+  
+  def in_fips_mode
+    OpenSSL.fips_mode = true
+    yield
+  ensure
+    OpenSSL.fips_mode = false
+  end
+
+  def assert_key_too_short(expected_error)
+    in_fips_mode do
+      assert_raise(expected_error) { yield }
+    end
+  end
+
+end
+
+end
diff --git a/test/openssl/utils.rb b/test/openssl/utils.rb
index 103e1e7eff..646ed88366 100644
--- a/test/openssl/utils.rb
+++ b/test/openssl/utils.rb
@@ -1,5 +1,9 @@
 begin
   require "openssl"
+
+  # disable FIPS mode for tests for installations
+  # where FIPS mode would be enabled by default
+  OpenSSL.fips_mode=false
 rescue LoadError
 end
 require "test/unit"
author	emboss <emboss@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>	2012-12-20 00:29:07 +0000
committer	emboss <emboss@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>	2012-12-20 00:29:07 +0000
commit	a3b753b28214ad321e7335afada7f1b06d036836 (patch)
tree	c405de7ac3b8a087774472e6d31ee7de7642863c
parent	e3e4e9dfe77c103ac8a46e5ad15ef6b36e6f0653 (diff)