ruby-changes:24833
From: emboss <ko1@a...>
Date: Mon, 3 Sep 2012 10:14:42 +0900 (JST)
Subject: [ruby-changes:24833] emboss:r36884 (trunk): * ext/openssl/extconf.rb: Detect OpenSSL_FIPS macro
emboss 2012-09-03 10:14:26 +0900 (Mon, 03 Sep 2012) New Revision: 36884 http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=36884 Log: * ext/openssl/extconf.rb: Detect OpenSSL_FIPS macro ext/openssl/ossl.c: Expose OpenSSL::OPENSSL_FIPS constant to indicate whether OpenSSL runs in FIPS mode. test/openssl/test_pkey_dh.rb: Generate 256 bit keys for non-FIPS installations to improve test performance (e.g. for rubyci). test/openssl/utils.rb: Replace DSS1 as certificate signature digest with SHA1 for FIPS installations when using DSA by introducing TestUtils::DSA_SIGNATURE_DIGEST. test/openssl/test_x509cert.rb: test/openssl/test_x509crl.rb: test/openssl/test_x509req.rb: Use DSA_SIGNATURE_DIGEST NEWS: Introduce OpenSSL::OPENSSL_FIPS These changes allow running the OpenSSL tests in FIPS mode while keeping a high performance for non-FIPS installations. Introduction of OpenSSL::OPENSSL_FIPS allows for applications to react to special requirements when using OpenSSL in FIPS mode. [Feature #6946] [ruby-core:47345] - Diese und die folgenden Zeilen werden ignoriert -- M ext/openssl/extconf.rb M ext/openssl/ossl.c M NEWS M ChangeLog M test/openssl/utils.rb M test/openssl/test_x509crl.rb M test/openssl/test_x509req.rb M test/openssl/test_x509cert.rb M test/openssl/test_pkey_dh.rb Modified files: trunk/ChangeLog trunk/NEWS trunk/ext/openssl/extconf.rb trunk/ext/openssl/ossl.c trunk/test/openssl/test_pkey_dh.rb trunk/test/openssl/test_x509cert.rb trunk/test/openssl/test_x509crl.rb trunk/test/openssl/test_x509req.rb trunk/test/openssl/utils.rb Index: ChangeLog =================================================================== --- ChangeLog (revision 36883) +++ ChangeLog (revision 36884) 
@@ -1,3 +1,25 @@ +Mon Sep 3 10:09:36 2012 Martin Bosslet <Martin.Bosslet@g...> + + * ext/openssl/extconf.rb: Detect OpenSSL_FIPS macro + ext/openssl/ossl.c: Expose OpenSSL::OPENSSL_FIPS constant to + indicate whether OpenSSL runs in FIPS mode. + test/openssl/test_pkey_dh.rb: Generate 256 bit keys for + non-FIPS installations to improve test performance (e.g. for + rubyci). + test/openssl/utils.rb: Replace DSS1 as certificate signature + digest with SHA1 for FIPS installations when using DSA by + introducing TestUtils::DSA_SIGNATURE_DIGEST. + test/openssl/test_x509cert.rb: + test/openssl/test_x509crl.rb: + test/openssl/test_x509req.rb: Use DSA_SIGNATURE_DIGEST + NEWS: Introduce OpenSSL::OPENSSL_FIPS + + These changes allow running the OpenSSL tests in FIPS mode + while keeping a high performance for non-FIPS installations. + Introduction of OpenSSL::OPENSSL_FIPS allows for applications + to react to special requirements when using OpenSSL in FIPS mode. + [Feature #6946] [ruby-core:47345] + Sun Sep 2 21:46:28 2012 BOSSLET, Martin <Martin.Bosslet@g...> * test/openssl/utils.rb: Use a cached DH key instead of generating a Index: ext/openssl/ossl.c =================================================================== --- ext/openssl/ossl.c (revision 36883) +++ ext/openssl/ossl.c (revision 36884) @@ -936,6 +936,7 @@ * Version of OpenSSL the ruby OpenSSL extension was built with */ rb_define_const(mOSSL, "OPENSSL_VERSION", rb_str_new2(OPENSSL_VERSION_TEXT)); + /* * Version number of OpenSSL the ruby OpenSSL extension was built with * (base 16) 
@@ -943,6 +944,15 @@ rb_define_const(mOSSL, "OPENSSL_VERSION_NUMBER", INT2NUM(OPENSSL_VERSION_NUMBER)); /* + * Boolean indicating whether OpenSSL runs in FIPS mode or not + */ +#ifdef HAVE_OPENSSL_FIPS + rb_define_const(mOSSL, "OPENSSL_FIPS", Qtrue); +#else + rb_define_const(mOSSL, "OPENSSL_FIPS", Qfalse); +#endif + + /* * Generic error, * common for all classes under OpenSSL module */ Index: ext/openssl/extconf.rb =================================================================== --- ext/openssl/extconf.rb (revision 36883) +++ ext/openssl/extconf.rb (revision 36884) @@ -108,7 +108,7 @@ have_func("TLSv1_2_method") have_func("TLSv1_2_server_method") have_func("TLSv1_2_client_method") -have_func("OPENSSL_NPN_NEGOTIATED", ['openssl/ssl.h']) +have_macro("OPENSSL_NPN_NEGOTIATED", ['openssl/ssl.h']) && $defs.push("-DHAVE_OPENSSL_NPN_NEGOTIATED") unless have_func("SSL_set_tlsext_host_name", ['openssl/ssl.h']) have_macro("SSL_set_tlsext_host_name", ['openssl/ssl.h']) && $defs.push("-DHAVE_SSL_SET_TLSEXT_HOST_NAME") end @@ -146,6 +146,7 @@ have_struct_member("EVP_CIPHER_CTX", "flags", "openssl/evp.h") have_struct_member("EVP_CIPHER_CTX", "engine", "openssl/evp.h") have_struct_member("X509_ATTRIBUTE", "single", "openssl/x509.h") +have_macro("OPENSSL_FIPS", ['openssl/opensslconf.h']) && $defs.push("-DHAVE_OPENSSL_FIPS") Logging::message "=== Checking done. ===\n" Index: NEWS =================================================================== --- NEWS (revision 36883) +++ NEWS (revision 36884) 
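Review bot: The doc comment on the new constant says it indicates "whether OpenSSL runs in FIPS mode", but the value is fixed at compile time by `#ifdef HAVE_OPENSSL_FIPS`, which extconf.rb sets whenever `openssl/opensslconf.h` defines `OPENSSL_FIPS`, i.e. the library is FIPS-capable; nothing here asks the library whether FIPS mode is actually enabled at runtime. An application that gates its behaviour on `OpenSSL::OPENSSL_FIPS`, as the NEWS entry invites, may therefore assume FIPS restrictions that are not in force, or the reverse if the extension is loaded against a libcrypto built differently from the headers it was compiled with. I would reword the comment to `* True if the OpenSSL headers this extension was built against define OPENSSL_FIPS (a FIPS-capable build). This is a compile-time property and does not report whether FIPS mode is currently enabled.` and, if the library exposes a runtime query such as `FIPS_mode()`, expose the enabled/disabled state through a separate method rather than this constant. The enclosing init function starts and ends outside this hunk.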
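Review bot: The switch from `have_func("OPENSSL_NPN_NEGOTIATED", ['openssl/ssl.h'])` to `have_macro(...) && $defs.push("-DHAVE_OPENSSL_NPN_NEGOTIATED")` in the first extconf.rb hunk is unrelated to FIPS detection and is not mentioned in the ChangeLog entry or the log message, which list only the FIPS-related changes. Since `OPENSSL_NPN_NEGOTIATED` is a macro rather than a function, the old `have_func` probe presumably never defined the feature flag, so this line changes what gets compiled in for NPN support and deserves its own ChangeLog line, e.g. `* ext/openssl/extconf.rb: Detect OPENSSL_NPN_NEGOTIATED with have_macro, since it is a macro and have_func could not find it.` Mixing a behaviour-changing build fix into a feature commit also makes it harder to bisect if NPN detection regresses.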
@@ -173,6 +173,9 @@ long. * SSL/TLS support for the Next Protocol Negotiation extension. Supported with OpenSSL 1.0.1 and higher. + * OpenSSL::OPENSSL_FIPS allows client applications to detect whether OpenSSL + is running in FIPS mode and to react to the special requirements this + might impy. * yaml * Syck has been removed. YAML now completely depends on libyaml being Index: test/openssl/test_x509cert.rb =================================================================== --- test/openssl/test_x509cert.rb (revision 36883) +++ test/openssl/test_x509cert.rb (revision 36884) @@ -39,8 +39,10 @@ sha1 = OpenSSL::Digest::SHA1.new dss1 = OpenSSL::Digest::DSS1.new + dsa_digest = OpenSSL::TestUtils::DSA_SIGNATURE_DIGEST.new + [ - [@rsa1024, sha1], [@rsa2048, sha1], [@dsa256, dss1], [@dsa512, dss1], + [@rsa1024, sha1], [@rsa2048, sha1], [@dsa256, dsa_digest], [@dsa512, dsa_digest] ].each{|pk, digest| cert = issue_cert(@ca, pk, 1, Time.now, Time.now+3600, exts, nil, nil, digest) @@ -145,7 +147,7 @@ assert_equal(false, cert.verify(@rsa2048)) cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [], - nil, nil, OpenSSL::Digest::DSS1.new) + nil, nil, OpenSSL::TestUtils::DSA_SIGNATURE_DIGEST.new) assert_equal(false, certificate_error_returns_false { cert.verify(@rsa1024) }) assert_equal(false, certificate_error_returns_false { cert.verify(@rsa2048) }) assert_equal(false, cert.verify(@dsa256)) Index: test/openssl/test_pkey_dh.rb =================================================================== --- test/openssl/test_pkey_dh.rb (revision 36883) +++ test/openssl/test_pkey_dh.rb (revision 36884) 
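Review bot: After the first test_x509cert.rb hunk the local `dss1 = OpenSSL::Digest::DSS1.new` on the line before the added `dsa_digest` no longer appears to be used; the array below now passes `dsa_digest` for both DSA keys, and the rest of the method should be checked for any remaining reference. Beyond being dead code, it still instantiates DSS1 unconditionally; if DSS1 is unavailable on FIPS installations, which seems to be why `TestUtils::DSA_SIGNATURE_DIGEST` selects SHA1 there, this eager `.new` could fail before the test body runs and defeat the purpose of the change. I would delete the `dss1` line and keep only `dsa_digest = OpenSSL::TestUtils::DSA_SIGNATURE_DIGEST.new`. The enclosing test method starts before this hunk and ends after it.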
@@ -3,15 +3,19 @@ if defined?(OpenSSL) class OpenSSL::TestPKeyDH < Test::Unit::TestCase + + # improve test performance for non-FIPS installations + NEW_KEYLEN = OpenSSL::OPENSSL_FIPS ? 1024 : 256 + def test_new - dh = OpenSSL::PKey::DH.new(1024) + dh = OpenSSL::PKey::DH.new(NEW_KEYLEN) assert_key(dh) end def test_new_break - assert_nil(OpenSSL::PKey::DH.new(1024) { break }) + assert_nil(OpenSSL::PKey::DH.new(NEW_KEYLEN) { break }) assert_raises(RuntimeError) do - OpenSSL::PKey::DH.new(1024) { raise } + OpenSSL::PKey::DH.new(NEW_KEYLEN) { raise } end end Index: test/openssl/utils.rb =================================================================== --- test/openssl/utils.rb (revision 36883) +++ test/openssl/utils.rb (revision 36884) @@ -109,6 +109,10 @@ TEST_KEY_DH1024.priv_key = OpenSSL::BN.new("48561834C67E65FFD2A9B47F41E5E78FDC95C387428FDB1E4B0188B64D1643C3A8D3455B945B7E8C4D166010C7C2CE23BFB9BEF43D0348FE7FA5284B0225E7FE1537546D114E3D8A4411B9B9351AB451E1A358F50ED61B1F00DA29336EEBBD649980AC86D76AF8BBB065298C2052672EEF3EF13AB47A15275FC2836F3AC74CEA", 16) + DSA_SIGNATURE_DIGEST = OpenSSL::OPENSSL_FIPS ? + OpenSSL::Digest::SHA1 : + OpenSSL::Digest::DSS1 + module_function def issue_cert(dn, key, serial, not_before, not_after, extensions, Index: test/openssl/test_x509crl.rb =================================================================== --- test/openssl/test_x509crl.rb (revision 36883) +++ test/openssl/test_x509crl.rb (revision 36884) 
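Review bot: The comment above `NEW_KEYLEN = OpenSSL::OPENSSL_FIPS ? 1024 : 256` only mentions performance; it should state explicitly that 256-bit Diffie-Hellman is far below any secure parameter size and exists solely to keep this test fast, so nobody copies the constant as a template for real key generation. Something like `# 256-bit DH is hopelessly weak and is used only so DH.new finishes quickly in tests; FIPS builds get 1024 because FIPS mode presumably rejects such small parameters.` would make the intent clear. Note also that because OPENSSL_FIPS is derived from a build-time macro (see extconf.rb), a FIPS-capable library running with FIPS mode switched off still takes the slower 1024-bit path, which is correct but not what the comment suggests.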
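Review bot: The new `DSA_SIGNATURE_DIGEST` constant in utils.rb carries no comment explaining why SHA1 is substituted for DSS1 on FIPS installations, and the tests that use it cannot tell from the name whether the two are interchangeable. From the log message DSS1 appears to be unavailable under FIPS; I would record that above the constant, e.g. `# Digest class for signing test certificates, CRLs and CSRs with DSA keys. FIPS installations lack the DSS1 (dsaWithSHA1) digest, so plain SHA1 is used there; both should yield SHA-1 based DSA signatures.` and confirm the DSS1/SHA1 equivalence against the OpenSSL version in use. The `TestUtils` module this sits in starts before the hunk and ends after it.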
@@ -198,9 +198,9 @@ assert_equal(false, crl.verify(@rsa2048)) cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [], - nil, nil, OpenSSL::Digest::DSS1.new) + nil, nil, OpenSSL::TestUtils::DSA_SIGNATURE_DIGEST.new) crl = issue_crl([], 1, Time.now, Time.now+1600, [], - cert, @dsa512, OpenSSL::Digest::DSS1.new) + cert, @dsa512, OpenSSL::TestUtils::DSA_SIGNATURE_DIGEST.new) assert_equal(false, crl_error_returns_false { crl.verify(@rsa1024) }) assert_equal(false, crl_error_returns_false { crl.verify(@rsa2048) }) assert_equal(false, crl.verify(@dsa256)) Index: test/openssl/test_x509req.rb =================================================================== --- test/openssl/test_x509req.rb (revision 36883) +++ test/openssl/test_x509req.rb (revision 36884) @@ -26,7 +26,7 @@ req = OpenSSL::X509::Request.new(req.to_der) assert_equal(@rsa1024.public_key.to_der, req.public_key.to_der) - req = issue_csr(0, @dn, @dsa512, OpenSSL::Digest::DSS1.new) + req = issue_csr(0, @dn, @dsa512, OpenSSL::TestUtils::DSA_SIGNATURE_DIGEST.new) assert_equal(@dsa512.public_key.to_der, req.public_key.to_der) req = OpenSSL::X509::Request.new(req.to_der) assert_equal(@dsa512.public_key.to_der, req.public_key.to_der) @@ -115,7 +115,7 @@ req.subject = OpenSSL::X509::Name.parse("/C=JP/CN=FooBar") assert_equal(false, req.verify(@rsa2048)) - req = issue_csr(0, @dn, @dsa512, OpenSSL::Digest::DSS1.new) + req = issue_csr(0, @dn, @dsa512, OpenSSL::TestUtils::DSA_SIGNATURE_DIGEST.new) assert_equal(false, request_error_returns_false { req.verify(@rsa1024) }) assert_equal(false, request_error_returns_false { req.verify(@rsa2048) }) assert_equal(false, req.verify(@dsa256)) -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/