| author | Jun Aruga <jaruga@redhat.com> | 2025-02-24 16:23:25 +0100 |
|---|---|---|
| committer | git <svn-admin@ruby-lang.org> | 2025-02-27 17:01:57 +0000 |
| commit | 244363b23e5e14cedbeb99a4fb24b1576ff44ffe (patch) | |
| tree | c873c4e71a4adf948c3d23a4c7318113d61e4a87 | |
| parent | 4f19f23036a873ff718ac3b2253101d85890b919 (diff) | |
[ruby/openssl] Use ENV["TEST_RUBY_OPENSSL_FIPS_ENABLED"] instead of OpenSSL::OPENSSL_FIPS.
As OpenSSL::OPENSSL_FIPS always returns true on OpenSSL >= 3.0.0, we cannot use
this constant as a flag to check whether OpenSSL is FIPS or not.
See <https://github.com/ruby/openssl/blob/d725783c5c180337f3d00efcba5b8744e0aea813/ext/openssl/ossl.c#L994-L1004>.
Skip the test_fips_mode_get_with_fips_mode_set test in the AWS-LC case.
This is because we don't test `OpenSSL.fips_mode=` on AWS-LC for now; we cannot
change the value of `OpenSSL.fips_mode` on AWS-LC.
The `OpenSSL.fips_mode` in AWS-LC behaves as follows.
On AWS-LC non-FIPS:
```
$ bundle exec ruby -I ./lib -ropenssl.so -e 'p OpenSSL.fips_mode'
false
$ bundle exec ruby -I ./lib -ropenssl.so -e 'OpenSSL.fips_mode = true; p OpenSSL.fips_mode'
-e:1:in 'OpenSSL.fips_mode=': Turning on FIPS mode failed (OpenSSL::OpenSSLError)
from -e:1:in '<main>'
$ bundle exec ruby -I ./lib -ropenssl.so -e 'OpenSSL.fips_mode = false; p OpenSSL.fips_mode'
false
```
On AWS-LC FIPS:
```
$ bundle exec ruby -I ./lib -ropenssl.so -e 'p OpenSSL.fips_mode'
true
$ bundle exec ruby -I ./lib -ropenssl.so -e 'OpenSSL.fips_mode = false; p OpenSSL.fips_mode'
-e:1:in 'OpenSSL.fips_mode=': Turning off FIPS mode failed (OpenSSL::OpenSSLError)
from -e:1:in '<main>'
$ bundle exec ruby -I ./lib -ropenssl.so -e 'OpenSSL.fips_mode = true; p OpenSSL.fips_mode'
true
```
https://github.com/ruby/openssl/commit/fd3e3e722f
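The sessions above show that on AWS-LC `OpenSSL.fips_mode=` raises `OpenSSL::OpenSSLError` whenever it would change the compile-time state. The following Ruby is an added example, not code from ruby/openssl or from this commit: it probes that behaviour programmatically (flipping the mode and always restoring it), and it shows a stricter reading of the `TEST_RUBY_OPENSSL_FIPS_ENABLED` flag introduced by the patch. The helper names `probe_fips_switchable` and `fips_tests_enabled?` are hypothetical. Note the caveat in the comments: on OpenSSL 3 the setter only changes the default property query, so a successful flip does not prove a FIPS provider is actually loaded, which is exactly why the commit gates the test on an explicit environment flag rather than on a library constant.

```ruby
require "openssl"

# Environment flag used by the commit to mark a FIPS-enabled test run.
FIPS_ENV_FLAG = "TEST_RUBY_OPENSSL_FIPS_ENABLED"

# Hypothetical helper (not part of ruby/openssl): report how the loaded
# library reacts to OpenSSL.fips_mode=.
#
# Returns a Hash:
#   :initial    - OpenSSL.fips_mode when the probe started
#   :switchable - true if flipping fips_mode succeeded (the flip is reverted)
#   :error      - message of the OpenSSLError raised by the flip, if any
#
# Caveat: on OpenSSL 3 the setter only edits the default property query
# ("fips=yes"), so :switchable == true does not mean a FIPS provider is
# present; on AWS-LC the mode is fixed at compile time and the flip raises.
def probe_fips_switchable
  initial = OpenSSL.fips_mode
  result = { initial: initial, switchable: false, error: nil }
  begin
    OpenSSL.fips_mode = !initial # try to flip the mode
    result[:switchable] = (OpenSSL.fips_mode == !initial)
  rescue OpenSSL::OpenSSLError => e # e.g. "Turning on FIPS mode failed"
    result[:error] = e.message
  ensure
    # Always put the mode back so later crypto calls behave as before.
    begin
      OpenSSL.fips_mode = initial
    rescue OpenSSL::OpenSSLError
      # Nothing to restore: the mode never changed (compile-time fixed).
    end
  end
  result
end

# Hypothetical helper: decide whether FIPS-only tests should run.
# A bare truthiness check on ENV treats "0" and "false" as enabled; this
# version does not. The env hash is a parameter so it can be tested
# without touching the real ENV.
def fips_tests_enabled?(env = ENV)
  value = env[FIPS_ENV_FLAG].to_s.strip.downcase
  !value.empty? && !%w[0 false no off].include?(value)
end

if __FILE__ == $PROGRAM_NAME
  p probe_fips_switchable
  puts "FIPS tests enabled: #{fips_tests_enabled?}"
end
```

Running the probe on the two AWS-LC builds from the commit message would give `switchable: false` with the "Turning on/off FIPS mode failed" message; the `ensure` branch guarantees the process is left in its original mode either way.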
| -rw-r--r-- | test/openssl/test_fips.rb | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/test/openssl/test_fips.rb b/test/openssl/test_fips.rb index 8a33cecdd5..efc2655e25 100644 --- a/test/openssl/test_fips.rb +++ b/test/openssl/test_fips.rb @@ -37,7 +37,10 @@ class OpenSSL::TestFIPS < OpenSSL::TestCase end def test_fips_mode_get_with_fips_mode_set - omit('OpenSSL is not FIPS-capable') unless OpenSSL::OPENSSL_FIPS and !aws_lc? # AWS-LC's FIPS mode is decided at compile time. + return if aws_lc? # AWS-LC's FIPS mode is decided at compile time. + unless ENV["TEST_RUBY_OPENSSL_FIPS_ENABLED"] + omit "Only for FIPS mode environment" + end assert_separately(["-ropenssl"], <<~"end;") begin |
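Review bot: the new `return if aws_lc?` line makes test_fips_mode_get_with_fips_mode_set pass silently on AWS-LC, whereas the removed line used `omit`, which shows the skip in the run summary; `omit "AWS-LC's FIPS mode is decided at compile time" if aws_lc?` would keep the skip visible while still avoiding the `OpenSSL.fips_mode=` call. Secondly, `unless ENV["TEST_RUBY_OPENSSL_FIPS_ENABLED"]` is a truthiness check, so `TEST_RUBY_OPENSSL_FIPS_ENABLED=0` or `=false` in a CI matrix would run the test on a non-FIPS build; comparing against an explicit value (for example `ENV["TEST_RUBY_OPENSSL_FIPS_ENABLED"] == "1"`) and documenting the expected value in the test file would remove the ambiguity.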
