
ruby-changes:24833

From: emboss <ko1@a...>
Date: Mon, 3 Sep 2012 10:14:42 +0900 (JST)
Subject: [ruby-changes:24833] emboss:r36884 (trunk): * ext/openssl/extconf.rb: Detect OpenSSL_FIPS macro

emboss	2012-09-03 10:14:26 +0900 (Mon, 03 Sep 2012)

  New Revision: 36884

  http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=36884

  Log:
    * ext/openssl/extconf.rb: Detect OpenSSL_FIPS macro
      ext/openssl/ossl.c: Expose OpenSSL::OPENSSL_FIPS constant to
      indicate whether OpenSSL runs in FIPS mode.
      test/openssl/test_pkey_dh.rb: Generate 256 bit keys for
      non-FIPS installations to improve test performance (e.g. for
      rubyci).
      test/openssl/utils.rb: Replace DSS1 as certificate signature
      digest with SHA1 for FIPS installations when using DSA by
      introducing TestUtils::DSA_SIGNATURE_DIGEST.
      test/openssl/test_x509cert.rb: 
      test/openssl/test_x509crl.rb:
      test/openssl/test_x509req.rb: Use DSA_SIGNATURE_DIGEST
      NEWS: Introduce OpenSSL::OPENSSL_FIPS
      
      These changes allow running the OpenSSL tests in FIPS mode
      while keeping a high performance for non-FIPS installations.
      Introduction of OpenSSL::OPENSSL_FIPS allows for applications
      to react to special requirements when using OpenSSL in FIPS mode.
      [Feature #6946] [ruby-core:47345]
    - Diese und die folgenden Zeilen werden ignoriert --
    
    M    ext/openssl/extconf.rb
    M    ext/openssl/ossl.c
    M    NEWS
    M    ChangeLog
    M    test/openssl/utils.rb
    M    test/openssl/test_x509crl.rb
    M    test/openssl/test_x509req.rb
    M    test/openssl/test_x509cert.rb
    M    test/openssl/test_pkey_dh.rb

  Modified files:
    trunk/ChangeLog
    trunk/NEWS
    trunk/ext/openssl/extconf.rb
    trunk/ext/openssl/ossl.c
    trunk/test/openssl/test_pkey_dh.rb
    trunk/test/openssl/test_x509cert.rb
    trunk/test/openssl/test_x509crl.rb
    trunk/test/openssl/test_x509req.rb
    trunk/test/openssl/utils.rb

Index: ChangeLog
===================================================================
--- ChangeLog	(revision 36883)
+++ ChangeLog	(revision 36884)
@@ -1,3 +1,25 @@
+Mon Sep  3 10:09:36 2012  Martin Bosslet  <Martin.Bosslet@g...>
+
+	* ext/openssl/extconf.rb: Detect OpenSSL_FIPS macro
+	  ext/openssl/ossl.c: Expose OpenSSL::OPENSSL_FIPS constant to
+	  indicate whether OpenSSL runs in FIPS mode.
+	  test/openssl/test_pkey_dh.rb: Generate 256 bit keys for
+	  non-FIPS installations to improve test performance (e.g. for
+	  rubyci).
+	  test/openssl/utils.rb: Replace DSS1 as certificate signature
+	  digest with SHA1 for FIPS installations when using DSA by
+	  introducing TestUtils::DSA_SIGNATURE_DIGEST.
+	  test/openssl/test_x509cert.rb: 
+	  test/openssl/test_x509crl.rb:
+	  test/openssl/test_x509req.rb: Use DSA_SIGNATURE_DIGEST
+	  NEWS: Introduce OpenSSL::OPENSSL_FIPS
+	  
+	  These changes allow running the OpenSSL tests in FIPS mode
+	  while keeping a high performance for non-FIPS installations.
+	  Introduction of OpenSSL::OPENSSL_FIPS allows for applications
+	  to react to special requirements when using OpenSSL in FIPS mode.
+	  [Feature #6946] [ruby-core:47345]
+
 Sun Sep  2 21:46:28 2012  BOSSLET, Martin  <Martin.Bosslet@g...>
 
 	* test/openssl/utils.rb: Use a cached DH key instead of generating a
Index: ext/openssl/ossl.c
===================================================================
--- ext/openssl/ossl.c	(revision 36883)
+++ ext/openssl/ossl.c	(revision 36884)
@@ -936,6 +936,7 @@
      * Version of OpenSSL the ruby OpenSSL extension was built with
      */
     rb_define_const(mOSSL, "OPENSSL_VERSION", rb_str_new2(OPENSSL_VERSION_TEXT));
+
     /*
      * Version number of OpenSSL the ruby OpenSSL extension was built with
      * (base 16)
@@ -943,6 +944,15 @@
     rb_define_const(mOSSL, "OPENSSL_VERSION_NUMBER", INT2NUM(OPENSSL_VERSION_NUMBER));
 
     /*
+     * Boolean indicating whether OpenSSL runs in FIPS mode or not  
+     */
+#ifdef HAVE_OPENSSL_FIPS
+    rb_define_const(mOSSL, "OPENSSL_FIPS", Qtrue);
+#else
+    rb_define_const(mOSSL, "OPENSSL_FIPS", Qfalse);
+#endif
+
+    /*
      * Generic error,
      * common for all classes under OpenSSL module
      */
Index: ext/openssl/extconf.rb
===================================================================
--- ext/openssl/extconf.rb	(revision 36883)
+++ ext/openssl/extconf.rb	(revision 36884)
@@ -108,7 +108,7 @@
 have_func("TLSv1_2_method")
 have_func("TLSv1_2_server_method")
 have_func("TLSv1_2_client_method")
-have_func("OPENSSL_NPN_NEGOTIATED", ['openssl/ssl.h'])
+have_macro("OPENSSL_NPN_NEGOTIATED", ['openssl/ssl.h']) && $defs.push("-DHAVE_OPENSSL_NPN_NEGOTIATED")
 unless have_func("SSL_set_tlsext_host_name", ['openssl/ssl.h'])
   have_macro("SSL_set_tlsext_host_name", ['openssl/ssl.h']) && $defs.push("-DHAVE_SSL_SET_TLSEXT_HOST_NAME")
 end
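Review bot: The switch from `have_func` to `have_macro` for `OPENSSL_NPN_NEGOTIATED` on the first changed line is not mentioned in the commit log, so it reads as an unrelated change folded in; if `have_func` was failing because `OPENSSL_NPN_NEGOTIATED` is a macro rather than a function (which is what the new line implies, but I cannot confirm from the hunk), that deserves a log entry of its own. As a point of style, the `have_macro(...) && $defs.push("-DHAVE_...")` pattern now appears three times in this file (here, in the `SSL_set_tlsext_host_name` fallback just below, and in the `OPENSSL_FIPS` line added by the second hunk); a one-line helper such as `def have_macro_defined(name, headers); have_macro(name, headers) && $defs.push("-DHAVE_#{name.upcase}"); end` would keep the three call sites from drifting apart, since mkmf's `have_macro` does not add the `HAVE_` define by itself.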
@@ -146,6 +146,7 @@
 have_struct_member("EVP_CIPHER_CTX", "flags", "openssl/evp.h")
 have_struct_member("EVP_CIPHER_CTX", "engine", "openssl/evp.h")
 have_struct_member("X509_ATTRIBUTE", "single", "openssl/x509.h")
+have_macro("OPENSSL_FIPS", ['openssl/opensslconf.h']) && $defs.push("-DHAVE_OPENSSL_FIPS")
 
 Logging::message "=== Checking done. ===\n"
 
Index: NEWS
===================================================================
--- NEWS	(revision 36883)
+++ NEWS	(revision 36884)
@@ -173,6 +173,9 @@
     long.
   * SSL/TLS support for the Next Protocol Negotiation extension. Supported 
     with OpenSSL 1.0.1 and higher.
+  * OpenSSL::OPENSSL_FIPS allows client applications to detect whether OpenSSL
+    is running in FIPS mode and to react to the special requirements this
+    might impy.
 
 * yaml
   * Syck has been removed.  YAML now completely depends on libyaml being
Index: test/openssl/test_x509cert.rb
===================================================================
--- test/openssl/test_x509cert.rb	(revision 36883)
+++ test/openssl/test_x509cert.rb	(revision 36884)
@@ -39,8 +39,10 @@
 
     sha1 = OpenSSL::Digest::SHA1.new
     dss1 = OpenSSL::Digest::DSS1.new
+    dsa_digest = OpenSSL::TestUtils::DSA_SIGNATURE_DIGEST.new
+
     [
-      [@rsa1024, sha1], [@rsa2048, sha1], [@dsa256, dss1], [@dsa512, dss1],
+      [@rsa1024, sha1], [@rsa2048, sha1], [@dsa256, dsa_digest], [@dsa512, dsa_digest]
     ].each{|pk, digest|
       cert = issue_cert(@ca, pk, 1, Time.now, Time.now+3600, exts,
                         nil, nil, digest)
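Review bot: `dss1 = OpenSSL::Digest::DSS1.new` two lines above the new `dsa_digest` line is now dead, because the rewritten array references only `sha1` and `dsa_digest`; and since the point of the commit is to avoid DSS1 on FIPS installations, constructing a DSS1 digest unconditionally here may still trip on such an installation (whether instantiating, as opposed to signing with, a DSS1 digest fails under FIPS is not visible from the hunk). I would drop the `dss1` line. The enclosing test method starts before this hunk.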
@@ -145,7 +147,7 @@
     assert_equal(false, cert.verify(@rsa2048))
 
     cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [],
-                      nil, nil, OpenSSL::Digest::DSS1.new)
+                      nil, nil, OpenSSL::TestUtils::DSA_SIGNATURE_DIGEST.new)
     assert_equal(false, certificate_error_returns_false { cert.verify(@rsa1024) })
     assert_equal(false, certificate_error_returns_false { cert.verify(@rsa2048) })
     assert_equal(false, cert.verify(@dsa256))
Index: test/openssl/test_pkey_dh.rb
===================================================================
--- test/openssl/test_pkey_dh.rb	(revision 36883)
+++ test/openssl/test_pkey_dh.rb	(revision 36884)
@@ -3,15 +3,19 @@
 if defined?(OpenSSL)
 
 class OpenSSL::TestPKeyDH < Test::Unit::TestCase
+
+  # improve test performance for non-FIPS installations
+  NEW_KEYLEN = OpenSSL::OPENSSL_FIPS ? 1024 : 256
+
   def test_new
-    dh = OpenSSL::PKey::DH.new(1024)
+    dh = OpenSSL::PKey::DH.new(NEW_KEYLEN)
     assert_key(dh)
   end
 
   def test_new_break
-    assert_nil(OpenSSL::PKey::DH.new(1024) { break })
+    assert_nil(OpenSSL::PKey::DH.new(NEW_KEYLEN) { break })
     assert_raises(RuntimeError) do
-      OpenSSL::PKey::DH.new(1024) { raise }
+      OpenSSL::PKey::DH.new(NEW_KEYLEN) { raise }
     end
   end
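Review bot: The comment on `NEW_KEYLEN` explains the performance motive but not that 256 is far below any acceptable DH size, and a named constant in a test file is exactly the kind of value that gets copied into other code. I would extend it to `# 256-bit DH is far too small for real use; chosen only to make key generation fast in non-FIPS test runs`. That the FIPS branch needs 1024 is presumably because a FIPS build refuses smaller DH parameters, but that reason is not stated in the hunk and would be worth a few words next to the constant as well.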
 
Index: test/openssl/utils.rb
===================================================================
--- test/openssl/utils.rb	(revision 36883)
+++ test/openssl/utils.rb	(revision 36884)
@@ -109,6 +109,10 @@
 
   TEST_KEY_DH1024.priv_key = OpenSSL::BN.new("48561834C67E65FFD2A9B47F41E5E78FDC95C387428FDB1E4B0188B64D1643C3A8D3455B945B7E8C4D166010C7C2CE23BFB9BEF43D0348FE7FA5284B0225E7FE1537546D114E3D8A4411B9B9351AB451E1A358F50ED61B1F00DA29336EEBBD649980AC86D76AF8BBB065298C2052672EEF3EF13AB47A15275FC2836F3AC74CEA", 16)
 
+  DSA_SIGNATURE_DIGEST = OpenSSL::OPENSSL_FIPS ? 
+                         OpenSSL::Digest::SHA1 :
+                         OpenSSL::Digest::DSS1
+
   module_function
 
   def issue_cert(dn, key, serial, not_before, not_after, extensions,
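Review bot: The new `DSA_SIGNATURE_DIGEST` definition is a ternary spread over three lines, and its first line ends with trailing whitespace after the `?`; a multi-line ternary is what the style guide asks to avoid, so I would write it on one line, `DSA_SIGNATURE_DIGEST = OpenSSL::OPENSSL_FIPS ? OpenSSL::Digest::SHA1 : OpenSSL::Digest::DSS1`. The constant also deserves a comment giving the reason for the switch, which the log states but the code does not, e.g. `# DSS1 cannot be used for DSA signatures under FIPS; SHA1 is used there instead`.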
Index: test/openssl/test_x509crl.rb
===================================================================
--- test/openssl/test_x509crl.rb	(revision 36883)
+++ test/openssl/test_x509crl.rb	(revision 36884)
@@ -198,9 +198,9 @@
     assert_equal(false, crl.verify(@rsa2048))
 
     cert = issue_cert(@ca, @dsa512, 1, Time.now, Time.now+3600, [],
-                      nil, nil, OpenSSL::Digest::DSS1.new)
+                      nil, nil, OpenSSL::TestUtils::DSA_SIGNATURE_DIGEST.new)
     crl = issue_crl([], 1, Time.now, Time.now+1600, [],
-                    cert, @dsa512, OpenSSL::Digest::DSS1.new)
+                    cert, @dsa512, OpenSSL::TestUtils::DSA_SIGNATURE_DIGEST.new)
     assert_equal(false, crl_error_returns_false { crl.verify(@rsa1024) })
     assert_equal(false, crl_error_returns_false { crl.verify(@rsa2048) })
     assert_equal(false, crl.verify(@dsa256))
Index: test/openssl/test_x509req.rb
===================================================================
--- test/openssl/test_x509req.rb	(revision 36883)
+++ test/openssl/test_x509req.rb	(revision 36884)
@@ -26,7 +26,7 @@
     req = OpenSSL::X509::Request.new(req.to_der)
     assert_equal(@rsa1024.public_key.to_der, req.public_key.to_der)
 
-    req = issue_csr(0, @dn, @dsa512, OpenSSL::Digest::DSS1.new)
+    req = issue_csr(0, @dn, @dsa512, OpenSSL::TestUtils::DSA_SIGNATURE_DIGEST.new)
     assert_equal(@dsa512.public_key.to_der, req.public_key.to_der)
     req = OpenSSL::X509::Request.new(req.to_der)
     assert_equal(@dsa512.public_key.to_der, req.public_key.to_der)
@@ -115,7 +115,7 @@
     req.subject = OpenSSL::X509::Name.parse("/C=JP/CN=FooBar")
     assert_equal(false, req.verify(@rsa2048))
 
-    req = issue_csr(0, @dn, @dsa512, OpenSSL::Digest::DSS1.new)
+    req = issue_csr(0, @dn, @dsa512, OpenSSL::TestUtils::DSA_SIGNATURE_DIGEST.new)
     assert_equal(false, request_error_returns_false { req.verify(@rsa1024) })
     assert_equal(false, request_error_returns_false { req.verify(@rsa2048) })
     assert_equal(false, req.verify(@dsa256))

