diff options
| author | Jun Aruga <jaruga@redhat.com> | 2025-02-24 16:23:25 +0100 |
|---|---|---|
| committer | git <svn-admin@ruby-lang.org> | 2025-02-27 17:01:57 +0000 |
| commit | 244363b23e5e14cedbeb99a4fb24b1576ff44ffe (patch) | |
| tree | c873c4e71a4adf948c3d23a4c7318113d61e4a87 /include/ruby/encoding.h | |
| parent | 4f19f23036a873ff718ac3b2253101d85890b919 (diff) | |
[ruby/openssl] Use ENV["TEST_RUBY_OPENSSL_FIPS_ENABLED"] instead of OpenSSL::OPENSSL_FIPS.
As OpenSSL::OPENSSL_FIPS always returns true on OpenSSL >= 3.0.0, we cannot use
this constant as a flag to check whether the OpenSSL is FIPS or not.
See <https://github.com/ruby/openssl/blob/d725783c5c180337f3d00efcba5b8744e0aea813/ext/openssl/ossl.c#L994-L1004>.
Skip the test_fips_mode_get_with_fips_mode_set test in AWS-LC case.
Because we don't test `OpenSSL.fips_mode=` on AWS-LC for now. We cannot change
the value of the `OpenSSL.fips_mode` on AWS-LC.
The `OpenSSL.fips_mode` in AWS-LC behaves as follows.
On AWS-LC non-FIPS:
```
$ bundle exec ruby -I ./lib -ropenssl.so -e 'p OpenSSL.fips_mode'
false
$ bundle exec ruby -I ./lib -ropenssl.so -e 'OpenSSL.fips_mode = true; p OpenSSL.fips_mode'
-e:1:in 'OpenSSL.fips_mode=': Turning on FIPS mode failed (OpenSSL::OpenSSLError)
from -e:1:in '<main>'
$ bundle exec ruby -I ./lib -ropenssl.so -e 'OpenSSL.fips_mode = false; p OpenSSL.fips_mode'
false
```
On AWS-LC FIPS:
```
$ bundle exec ruby -I ./lib -ropenssl.so -e 'p OpenSSL.fips_mode'
true
$ bundle exec ruby -I ./lib -ropenssl.so -e 'OpenSSL.fips_mode = false; p OpenSSL.fips_mode'
-e:1:in 'OpenSSL.fips_mode=': Turning off FIPS mode failed (OpenSSL::OpenSSLError)
from -e:1:in '<main>'
$ bundle exec ruby -I ./lib -ropenssl.so -e 'OpenSSL.fips_mode = true; p OpenSSL.fips_mode'
true
```
https://github.com/ruby/openssl/commit/fd3e3e722f
Diffstat (limited to 'include/ruby/encoding.h')
0 files changed, 0 insertions, 0 deletions