diff options
| -rw-r--r-- | ChangeLog | 11 | ||||
| -rw-r--r-- | ext/openssl/ossl.c | 7 | ||||
| -rw-r--r-- | test/openssl/test_fips.rb | 47 | ||||
| -rw-r--r-- | test/openssl/utils.rb | 5 |
4 files changed, 23 insertions, 47 deletions
@@ -1,3 +1,12 @@ +Thu Dec 20 15:55:46 2012 Martin Bosslet <Martin.Bosslet@gmail.com> + + * ext/openssl/ossl.c: do not use FIPS_mode_set if not available. + * test/openssl/utils.rb: revise comment about setting FIPS mode to + false. + * test/openssl/test_fips.rb: remove tests that cause errors on + ruby-ci. + [Feature #6946] [ruby-core:47345] + Thu Dec 20 15:22:59 2012 Eric Hodel <drbrain@segment7.net> * lib/rdoc/parser/ruby.rb: Ignore methods defined on constants to @@ -5,7 +14,7 @@ Thu Dec 20 15:22:59 2012 Eric Hodel <drbrain@segment7.net> documentation. * test/rdoc/test_rdoc_parser_ruby.rb: Test for the above. -Thu Dec 20 16:00:33 2012 Martin Bosslet <Martin.Bosslet@gmail.com> +Thu Dec 20 15:00:33 2012 Martin Bosslet <Martin.Bosslet@gmail.com> * ext/openssl/ossl_cipher.c: add support for Authenticated Encryption with Associated Data (AEAD) for OpenSSL versions that support the diff --git a/ext/openssl/ossl.c b/ext/openssl/ossl.c index 9d14ca6110..1fae594028 100644 --- a/ext/openssl/ossl.c +++ b/ext/openssl/ossl.c @@ -440,6 +440,8 @@ ossl_debug_set(VALUE self, VALUE val) static VALUE ossl_fips_mode_set(VALUE self, VALUE enabled) { + +#ifdef HAVE_OPENSSL_FIPS if RTEST(enabled) { int mode = FIPS_mode(); if(!mode && !FIPS_mode_set(1)) /* turning on twice leads to an error */ @@ -449,6 +451,11 @@ ossl_fips_mode_set(VALUE self, VALUE enabled) ossl_raise(eOSSLError, "Turning off FIPS mode failed"); } return enabled; +#else + if RTEST(enabled) + ossl_raise(eOSSLError, "This version of OpenSSL does not support FIPS mode"); + return enabled; +#endif } /* diff --git a/test/openssl/test_fips.rb b/test/openssl/test_fips.rb index 7d290feb7c..882647f7e1 100644 --- a/test/openssl/test_fips.rb +++ b/test/openssl/test_fips.rb @@ -1,53 +1,12 @@ require_relative 'utils' -if defined?(OpenSSL) && OpenSSL::OPENSSL_FIPS +if defined?(OpenSSL) class OpenSSL::TestFIPS < Test::Unit::TestCase - def test_reject_md5 - data = "test" - assert_not_nil(OpenSSL::Digest.new("MD5").digest(data)) - in_fips_mode do - assert_raise(OpenSSL::Digest::DigestError) do - OpenSSL::Digest.new("MD5").digest(data) - end - end - end - - def test_reject_short_key_rsa - assert_key_too_short(OpenSSL::PKey::RSAError) { dh = OpenSSL::PKey::RSA.new(256) } - end - - def test_reject_short_key_dsa - assert_key_too_short(OpenSSL::PKey::DSAError) { dh = OpenSSL::PKey::DSA.new(256) } - end - - def test_reject_short_key_dh - assert_key_too_short(OpenSSL::PKey::DHError) { dh = OpenSSL::PKey::DH.new(256) } - end - - def test_reject_short_key_ec - assert_key_too_short(OpenSSL::PKey::ECError) do - group = OpenSSL::PKey::EC::Group.new('secp112r1') - key = OpenSSL::PKey::EC.new - key.group = group - key.generate_key - end - end - - private - - def in_fips_mode - OpenSSL.fips_mode = true - yield - ensure + def test_fips_mode_is_reentrant + OpenSSL.fips_mode = false OpenSSL.fips_mode = false - end - - def assert_key_too_short(expected_error) - in_fips_mode do - assert_raise(expected_error) { yield } - end end end diff --git a/test/openssl/utils.rb b/test/openssl/utils.rb index 646ed88366..ba9714b3fc 100644 --- a/test/openssl/utils.rb +++ b/test/openssl/utils.rb @@ -1,8 +1,9 @@ begin require "openssl" - # disable FIPS mode for tests for installations - # where FIPS mode would be enabled by default + # Disable FIPS mode for tests for installations + # where FIPS mode would be enabled by default. + # Has no effect on all other installations. OpenSSL.fips_mode=false rescue LoadError end |