summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authoremboss <emboss@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2012-09-03 01:14:26 +0000
committeremboss <emboss@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2012-09-03 01:14:26 +0000
commite29819df6e6a644bbfadbdc706a472c413015286 (patch)
tree33b5dcd1ab6b1d96a922f1e5e48d3f7032ad8124
parent9b6f66c74f367bbce13dc19bcc5e4d037ed290bf (diff)
* ext/openssl/extconf.rb: Detect OpenSSL_FIPS macro
ext/openssl/ossl.c: Expose OpenSSL::OPENSSL_FIPS constant to indicate whether OpenSSL runs in FIPS mode. test/openssl/test_pkey_dh.rb: Generate 256 bit keys for non-FIPS installations to improve test performance (e.g. for rubyci). test/openssl/utils.rb: Replace DSS1 as certificate signature digest with SHA1 for FIPS installations when using DSA by introducing TestUtils::DSA_SIGNATURE_DIGEST. test/openssl/test_x509cert.rb: test/openssl/test_x509crl.rb: test/openssl/test_x509req.rb: Use DSA_SIGNATURE_DIGEST NEWS: Introduce OpenSSL::OPENSSL_FIPS These changes allow running the OpenSSL tests in FIPS mode while keeping a high performance for non-FIPS installations. Introduction of OpenSSL::OPENSSL_FIPS allows for applications to react to special requirements when using OpenSSL in FIPS mode. [Feature #6946] [ruby-core:47345] - Diese und die folgenden Zeilen werden ignoriert -- M ext/openssl/extconf.rb M ext/openssl/ossl.c M NEWS M ChangeLog M test/openssl/utils.rb M test/openssl/test_x509crl.rb M test/openssl/test_x509req.rb M test/openssl/test_x509cert.rb M test/openssl/test_pkey_dh.rb git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@36884 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
-rw-r--r--ChangeLog22
-rw-r--r--NEWS3
-rw-r--r--ext/openssl/extconf.rb3
-rw-r--r--ext/openssl/ossl.c10
-rw-r--r--test/openssl/test_pkey_dh.rb10
-rw-r--r--test/openssl/test_x509cert.rb6
-rw-r--r--test/openssl/test_x509crl.rb4
-rw-r--r--test/openssl/test_x509req.rb4
-rw-r--r--test/openssl/utils.rb4
9 files changed, 56 insertions, 10 deletions
diff --git a/ChangeLog b/ChangeLog
index f0c0c1e3432..5217205cad3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,25 @@
+Mon Sep 3 10:09:36 2012 Martin Bosslet <Martin.Bosslet@googlemail.com>
+
+ * ext/openssl/extconf.rb: Detect OpenSSL_FIPS macro
+ ext/openssl/ossl.c: Expose OpenSSL::OPENSSL_FIPS constant to
+ indicate whether OpenSSL runs in FIPS mode.
+ test/openssl/test_pkey_dh.rb: Generate 256 bit keys for
+ non-FIPS installations to improve test performance (e.g. for
+ rubyci).
+ test/openssl/utils.rb: Replace DSS1 as certificate signature
+ digest with SHA1 for FIPS installations when using DSA by
+ introducing TestUtils::DSA_SIGNATURE_DIGEST.
+ test/openssl/test_x509cert.rb:
+ test/openssl/test_x509crl.rb:
+ test/openssl/test_x509req.rb: Use DSA_SIGNATURE_DIGEST
+ NEWS: Introduce OpenSSL::OPENSSL_FIPS
+
+ These changes allow running the OpenSSL tests in FIPS mode
+ while keeping a high performance for non-FIPS installations.
+ Introduction of OpenSSL::OPENSSL_FIPS allows for applications
+ to react to special requirements when using OpenSSL in FIPS mode.
+ [Feature #6946] [ruby-core:47345]
+
Sun Sep 2 21:46:28 2012 BOSSLET, Martin <Martin.Bosslet@googlemail.com>
* test/openssl/utils.rb: Use a cached DH key instead of generating a
diff --git a/NEWS b/NEWS
index c335ccd91c9..792e445fb47 100644
--- a/NEWS
+++ b/NEWS
@@ -173,6 +173,9 @@ with all sufficient information, see the ChangeLog file.
long.
* SSL/TLS support for the Next Protocol Negotiation extension. Supported
with OpenSSL 1.0.1 and higher.
+ * OpenSSL::OPENSSL_FIPS allows client applications to detect whether OpenSSL
+ is running in FIPS mode and to react to the special requirements this
+ might impy.
* yaml
* Syck has been removed. YAML now completely depends on libyaml being
diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
index 91caa529ad6..8ac7f7cabd7 100644
--- a/ext/openssl/extconf.rb
+++ b/ext/openssl/extconf.rb
@@ -108,7 +108,7 @@ have_func("TLSv1_1_client_method")
have_func("TLSv1_2_method")
have_func("TLSv1_2_server_method")
have_func("TLSv1_2_client_method")
-have_func("OPENSSL_NPN_NEGOTIATED", ['openssl/ssl.h'])
+have_macro("OPENSSL_NPN_NEGOTIATED", ['openssl/ssl.h']) && $defs.push("-DHAVE_OPENSSL_NPN_NEGOTIATED")
unless have_func("SSL_set_tlsext_host_name", ['openssl/ssl.h'])
have_macro("SSL_set_tlsext_host_name", ['openssl/ssl.h']) && $defs.push("-DHAVE_SSL_SET_TLSEXT_HOST_NAME")
end
@@ -146,6 +146,7 @@ end
have_struct_member("EVP_CIPHER_CTX", "flags", "openssl/evp.h")
have_struct_member("EVP_CIPHER_CTX", "engine", "openssl/evp.h")
have_struct_member("X509_ATTRIBUTE", "single", "openssl/x509.h")
+have_macro("OPENSSL_FIPS", ['openssl/opensslconf.h']) && $defs.push("-DHAVE_OPENSSL_FIPS")
Logging::message "=== Checking done. ===\n"
diff --git a/ext/openssl/ossl.c b/ext/openssl/ossl.c
index da7d08ad495..ebd2b5d13a1 100644
--- a/ext/openssl/ossl.c
+++ b/ext/openssl/ossl.c
@@ -936,6 +936,7 @@ Init_openssl()
* Version of OpenSSL the ruby OpenSSL extension was built with
*/
rb_define_const(mOSSL, "OPENSSL_VERSION", rb_str_new2(OPENSSL_VERSION_TEXT));
+
/*
* Version number of OpenSSL the ruby OpenSSL extension was built with
* (base 16)
@@ -943,6 +944,15 @@ Init_openssl()
rb_define_const(mOSSL, "OPENSSL_VERSION_NUMBER", INT2NUM(OPENSSL_VERSION_NUMBER));
/*
+ * Boolean indicating whether OpenSSL runs in FIPS mode or not
+ */
+#ifdef HAVE_OPENSSL_FIPS
+ rb_define_const(mOSSL, "OPENSSL_FIPS", Qtrue);
+#else
+ rb_define_const(mOSSL, "OPENSSL_FIPS", Qfalse);
+#endif
+
+ /*
* Generic error,
* common for all classes under OpenSSL module
*/
diff --git a/test/openssl/test_pkey_dh.rb b/test/openssl/test_pkey_dh.rb
index d261c8f215c..7c7596f193f 100644
--- a/test/openssl/test_pkey_dh.rb
+++ b/test/openssl/test_pkey_dh.rb
@@ -3,15 +3,19 @@ require_relative 'utils'
if defined?(OpenSSL)
class OpenSSL::TestPKeyDH < Test::Unit::TestCase
+
+ # improve test performance for non-FIPS installations
+ NEW_KEYLEN = OpenSSL::OPENSSL_FIPS ? 1024 : 256
+
def test_new
- dh = OpenSSL::PKey::DH.new(1024)
+ dh = OpenSSL::PKey::DH.new(NEW_KEYLEN)
assert_key(dh)
end
def test_new_break
- assert_nil(OpenSSL::PKey::DH.new(1024) { break })
+ assert_nil(OpenSSL::PKey::DH.new(NEW_KEYLEN) { break })
assert_raises(RuntimeError) do
- OpenSSL::PKey::DH.new(1024) { raise }
+ OpenSSL::PKey::DH.new(NEW_KEYLEN) { raise }
end
end
diff --git a/test/openssl/test_x509cert.rb b/test/openssl/test_x509cert.rb
index 80c31f4d130..1c47b2b42b0 100644
--- a/test/openssl/test_x509cert.rb
+++ b/test/openssl/test_x509cert.rb
@@ -39,8 +39,10 @@ class OpenSSL::TestX509Certificate < Test::Unit::TestCase
sha1 = OpenSSL::Digest::SHA1.new
dss1 = OpenSSL::Digest::DSS1.new
+ dsa_digest = OpenSSL::TestUtils::DSA_SIGNATURE_DIGEST.new
+
[
- [@rsa1024, sha1], [@rsa2048, sha1], [@dsa256, dss1], [@dsa512, dss1],
+ [@rsa1024, sha1], [@rsa2048, sha1], [@dsa256, dsa_digest], [@dsa512, dsa_digest]
].each{|pk, digest|
cert = issue_cert(@ca, pk, 1, Time.now, Time.now+3600, exts,
nil, nil, digest)
@@ -145,7 +147,7 @@ class OpenSSL::TestX509Certificate < Test::Unit::TestCase
assert_equal(false, cert.verify(@rsa2048))
cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [],
- nil, nil, OpenSSL::Digest::DSS1.new)
+ nil, nil, OpenSSL::TestUtils::DSA_SIGNATURE_DIGEST.new)
assert_equal(false, certificate_error_returns_false { cert.verify(@rsa1024) })
assert_equal(false, certificate_error_returns_false { cert.verify(@rsa2048) })
assert_equal(false, cert.verify(@dsa256))
diff --git a/test/openssl/test_x509crl.rb b/test/openssl/test_x509crl.rb
index 56508e0a123..c321c000833 100644
--- a/test/openssl/test_x509crl.rb
+++ b/test/openssl/test_x509crl.rb
@@ -198,9 +198,9 @@ class OpenSSL::TestX509CRL < Test::Unit::TestCase
assert_equal(false, crl.verify(@rsa2048))
cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [],
- nil, nil, OpenSSL::Digest::DSS1.new)
+ nil, nil, OpenSSL::TestUtils::DSA_SIGNATURE_DIGEST.new)
crl = issue_crl([], 1, Time.now, Time.now+1600, [],
- cert, @dsa512, OpenSSL::Digest::DSS1.new)
+ cert, @dsa512, OpenSSL::TestUtils::DSA_SIGNATURE_DIGEST.new)
assert_equal(false, crl_error_returns_false { crl.verify(@rsa1024) })
assert_equal(false, crl_error_returns_false { crl.verify(@rsa2048) })
assert_equal(false, crl.verify(@dsa256))
diff --git a/test/openssl/test_x509req.rb b/test/openssl/test_x509req.rb
index 882a1d7356a..e6c89c5e817 100644
--- a/test/openssl/test_x509req.rb
+++ b/test/openssl/test_x509req.rb
@@ -26,7 +26,7 @@ class OpenSSL::TestX509Request < Test::Unit::TestCase
req = OpenSSL::X509::Request.new(req.to_der)
assert_equal(@rsa1024.public_key.to_der, req.public_key.to_der)
- req = issue_csr(0, @dn, @dsa512, OpenSSL::Digest::DSS1.new)
+ req = issue_csr(0, @dn, @dsa512, OpenSSL::TestUtils::DSA_SIGNATURE_DIGEST.new)
assert_equal(@dsa512.public_key.to_der, req.public_key.to_der)
req = OpenSSL::X509::Request.new(req.to_der)
assert_equal(@dsa512.public_key.to_der, req.public_key.to_der)
@@ -115,7 +115,7 @@ class OpenSSL::TestX509Request < Test::Unit::TestCase
req.subject = OpenSSL::X509::Name.parse("/C=JP/CN=FooBar")
assert_equal(false, req.verify(@rsa2048))
- req = issue_csr(0, @dn, @dsa512, OpenSSL::Digest::DSS1.new)
+ req = issue_csr(0, @dn, @dsa512, OpenSSL::TestUtils::DSA_SIGNATURE_DIGEST.new)
assert_equal(false, request_error_returns_false { req.verify(@rsa1024) })
assert_equal(false, request_error_returns_false { req.verify(@rsa2048) })
assert_equal(false, req.verify(@dsa256))
diff --git a/test/openssl/utils.rb b/test/openssl/utils.rb
index f95179636cf..ae33aa998c9 100644
--- a/test/openssl/utils.rb
+++ b/test/openssl/utils.rb
@@ -109,6 +109,10 @@ AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOPeVkJ8ePao0eLAgEC
TEST_KEY_DH1024.priv_key = OpenSSL::BN.new("48561834C67E65FFD2A9B47F41E5E78FDC95C387428FDB1E4B0188B64D1643C3A8D3455B945B7E8C4D166010C7C2CE23BFB9BEF43D0348FE7FA5284B0225E7FE1537546D114E3D8A4411B9B9351AB451E1A358F50ED61B1F00DA29336EEBBD649980AC86D76AF8BBB065298C2052672EEF3EF13AB47A15275FC2836F3AC74CEA", 16)
+ DSA_SIGNATURE_DIGEST = OpenSSL::OPENSSL_FIPS ?
+ OpenSSL::Digest::SHA1 :
+ OpenSSL::Digest::DSS1
+
module_function
def issue_cert(dn, key, serial, not_before, not_after, extensions,