diff options
author | Jun Aruga <jaruga@redhat.com> | 2023-09-19 19:54:31 +0200 |
---|---|---|
committer | git <svn-admin@ruby-lang.org> | 2023-09-21 18:04:55 +0000 |
commit | f370c4dc033ee2ac112343b37144fcdafd254fa3 (patch) | |
tree | f13423427010b4247aca19b58fed7a4e44c6c255 | |
parent | 3123b2fa0e2e5eddde4f751e084282ba655cbd57 (diff) |
[ruby/openssl] test_pkey.rb: Refactor the test_ed25519 on FIPS.
* Split the test in the FIPS case as another test.
* test/openssl/utils.rb: Add omit_on_fips and omit_on_non_fips methods.
https://github.com/ruby/openssl/commit/4d64c38ed0
-rw-r--r-- | test/openssl/test_pkey.rb | 41 | ||||
-rw-r--r-- | test/openssl/utils.rb | 20 |
2 files changed, 53 insertions, 8 deletions
diff --git a/test/openssl/test_pkey.rb b/test/openssl/test_pkey.rb index 5fe37e2d64..aee0546f63 100644 --- a/test/openssl/test_pkey.rb +++ b/test/openssl/test_pkey.rb @@ -82,6 +82,9 @@ class OpenSSL::TestPKey < OpenSSL::PKeyTestCase end def test_ed25519 + # Ed25519 is not FIPS-approved. + omit_on_fips + # Test vector from RFC 8032 Section 7.1 TEST 2 priv_pem = <<~EOF -----BEGIN PRIVATE KEY----- @@ -96,15 +99,11 @@ class OpenSSL::TestPKey < OpenSSL::PKeyTestCase begin priv = OpenSSL::PKey.read(priv_pem) pub = OpenSSL::PKey.read(pub_pem) - rescue OpenSSL::PKey::PKeyError + rescue OpenSSL::PKey::PKeyError => e # OpenSSL < 1.1.1 - if !openssl?(1, 1, 1) - pend "Ed25519 is not implemented" - elsif OpenSSL.fips_mode && openssl?(3, 1, 0, 0) - # See OpenSSL providers/fips/fipsprov.c PROV_NAMES_ED25519 entries - # with FIPS_UNAPPROVED_PROPERTIES in OpenSSL 3.1+. - pend "Ed25519 is not approved in OpenSSL 3.1+ FIPS code" - end + pend "Ed25519 is not implemented" unless openssl?(1, 1, 1) + + raise e end assert_instance_of OpenSSL::PKey::PKey, priv assert_instance_of OpenSSL::PKey::PKey, pub @@ -145,6 +144,32 @@ class OpenSSL::TestPKey < OpenSSL::PKeyTestCase assert_raise(OpenSSL::PKey::PKeyError) { priv.derive(pub) } end + def test_ed25519_not_approved_on_fips + omit_on_non_fips + # Ed25519 is technically allowed in the OpenSSL 3.0 code as a kind of bug. + # So, we need to omit OpenSSL 3.0. + # + # See OpenSSL providers/fips/fipsprov.c PROV_NAMES_ED25519 entries with + # FIPS_DEFAULT_PROPERTIES on openssl-3.0 branch and + # FIPS_UNAPPROVED_PROPERTIES on openssl-3.1 branch. + # + # See also + # https://github.com/openssl/openssl/issues/20758#issuecomment-1639658102 + # for details. + unless openssl?(3, 1, 0, 0) + omit 'Ed25519 is allowed in the OpenSSL 3.0 FIPS code as a kind of bug' + end + + priv_pem = <<~EOF + -----BEGIN PRIVATE KEY----- + MC4CAQAwBQYDK2VwBCIEIEzNCJso/5banbbDRuwRTg9bijGfNaumJNqM9u1PuKb7 + -----END PRIVATE KEY----- + EOF + assert_raise(OpenSSL::PKey::PKeyError) do + OpenSSL::PKey.read(priv_pem) + end + end + def test_x25519 # Test vector from RFC 7748 Section 6.1 alice_pem = <<~EOF diff --git a/test/openssl/utils.rb b/test/openssl/utils.rb index 3856bea875..cd70d4886f 100644 --- a/test/openssl/utils.rb +++ b/test/openssl/utils.rb @@ -139,6 +139,26 @@ class OpenSSL::TestCase < Test::Unit::TestCase # OpenSSL error stack must be empty assert_equal([], OpenSSL.errors) end + + # Omit the tests in FIPS. + # + # For example, the password based encryption used in the PEM format uses MD5 + # for deriving the encryption key from the password, and MD5 is not + # FIPS-approved. + # + # See https://github.com/openssl/openssl/discussions/21830#discussioncomment-6865636 + # for details. + def omit_on_fips + return unless OpenSSL.fips_mode + + omit 'An encryption used in the test is not FIPS-approved' + end + + def omit_on_non_fips + return if OpenSSL.fips_mode + + omit "Only for OpenSSL FIPS" + end end class OpenSSL::SSLTestCase < OpenSSL::TestCase |