ruby-changes:26429
From: emboss <ko1@a...>
Date: Thu, 20 Dec 2012 09:29:28 +0900 (JST)
Subject: [ruby-changes:26429] emboss:r38480 (trunk): * ext/openssl/ossl.c: add OpenSSL.fips_mode= to allow enabling FIPS
emboss 2012-12-20 09:29:07 +0900 (Thu, 20 Dec 2012) New Revision: 38480 http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=38480 Log: * ext/openssl/ossl.c: add OpenSSL.fips_mode= to allow enabling FIPS mode manually. * test/openssl/utils.rb: turn off FIPS mode for tests. This prevents OpenSSL installations with FIPS mode enabled by default from raising FIPS-related errors during the tests. * test/openssl/test_fips.rb: add tests for FIPS-capable OpenSSL installations. [Feature #6946] [ruby-core:47345] Added files: trunk/test/openssl/test_fips.rb Modified files: trunk/ChangeLog trunk/NEWS trunk/ext/openssl/ossl.c trunk/test/openssl/utils.rb Index: ChangeLog =================================================================== --- ChangeLog (revision 38479) +++ ChangeLog (revision 38480) @@ -1,3 +1,14 @@ https://github.com/ruby/ruby/blob/trunk/ChangeLog#L1 +Thu Dec 20 10:23:12 2012 Martin Bosslet <Martin.Bosslet@g...> + + * ext/openssl/ossl.c: add OpenSSL.fips_mode= to allow enabling FIPS + mode manually. + * test/openssl/utils.rb: turn off FIPS mode for tests. This prevents + OpenSSL installations with FIPS mode enabled by default from raising + FIPS-related errors during the tests. + * test/openssl/test_fips.rb: add tests for FIPS-capable OpenSSL + installations. + [Feature #6946] [ruby-core:47345] + Thu Dec 20 06:59:52 2012 Koichi Sasada <ko1@a...> * vm.c: support variable VM/Machine stack sizes. Index: ext/openssl/ossl.c =================================================================== --- ext/openssl/ossl.c (revision 38479) +++ ext/openssl/ossl.c (revision 38480) @@ -425,6 +425,33 @@ ossl_debug_set(VALUE self, VALUE val) https://github.com/ruby/ruby/blob/trunk/ext/openssl/ossl.c#L425 } /* + * call-seq: + * OpenSSL.fips_mode = boolean -> boolean + * + * Turns FIPS mode on or off. Turning on FIPS mode will obviously only have an + * effect for FIPS-capable installations of the OpenSSL library. Trying to do + * so otherwise will result in an error. + * + * === Examples + * + * OpenSSL.fips_mode = true # turn FIPS mode on + * OpenSSL.fips_mode = false # and off again + */ +static VALUE +ossl_fips_mode_set(VALUE self, VALUE enabled) +{ + if RTEST(enabled) { + int mode = FIPS_mode(); + if(!mode && !FIPS_mode_set(1)) /* turning on twice leads to an error */ + ossl_raise(eOSSLError, "Turning on FIPS mode failed"); + } else { + if(!FIPS_mode_set(0)) /* turning off twice is OK */ + ossl_raise(eOSSLError, "Turning off FIPS mode failed"); + } + return enabled; +} + +/* * OpenSSL provides SSL, TLS and general purpose cryptography. It wraps the * OpenSSL[http://www.openssl.org/] library. * @@ -944,13 +971,14 @@ Init_openssl() https://github.com/ruby/ruby/blob/trunk/ext/openssl/ossl.c#L971 rb_define_const(mOSSL, "OPENSSL_VERSION_NUMBER", INT2NUM(OPENSSL_VERSION_NUMBER)); /* - * Boolean indicating whether OpenSSL runs in FIPS mode or not + * Boolean indicating whether OpenSSL is FIPS-enabled or not */ #ifdef HAVE_OPENSSL_FIPS rb_define_const(mOSSL, "OPENSSL_FIPS", Qtrue); #else rb_define_const(mOSSL, "OPENSSL_FIPS", Qfalse); #endif + rb_define_module_function(mOSSL, "fips_mode=", ossl_fips_mode_set, 1); /* * Generic error, Index: NEWS =================================================================== --- NEWS (revision 38479) +++ NEWS (revision 38480) @@ -245,6 +245,10 @@ with all sufficient information, see the https://github.com/ruby/ruby/blob/trunk/NEWS#L245 also allows to programmatically decline (client) renegotiation attempts. * Support for "0/n" splitting of records as BEAST mitigation via OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS. + * The default options for OpenSSL::SSL::SSLContext have changed to + OpenSSL::SSL::OP_ALL & ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS + instead of OpenSSL::SSL::OP_ALL only. This enables the countermeasure for + the BEAST attack by default. * OpenSSL requires passwords for decrypting PEM-encoded files to be at least four characters long. This led to awkward situations where an export with a password with fewer than four characters was possible, but accessing the @@ -255,13 +259,10 @@ with all sufficient information, see the https://github.com/ruby/ruby/blob/trunk/NEWS#L259 * SSL/TLS support for the Next Protocol Negotiation extension. Supported with OpenSSL 1.0.1 and higher. * OpenSSL::OPENSSL_FIPS allows client applications to detect whether OpenSSL - is running in FIPS mode and to react to the special requirements this - might imply. - * The default options for OpenSSL::SSL::SSLContext have changed to - OpenSSL::SSL::OP_ALL & ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS - instead of OpenSSL::SSL::OP_ALL only. This enables the countermeasure for - the BEAST attack by default. - + is FIPS-enabled. OpenSSL.fips_mode= allows turning on and off FIPS mode + manually in order to adapt to situations where FIPS mode would be an + explicit requirement. + * ostruct * new methods: * OpenStruct#[], []= Index: test/openssl/utils.rb =================================================================== --- test/openssl/utils.rb (revision 38479) +++ test/openssl/utils.rb (revision 38480) @@ -1,5 +1,9 @@ https://github.com/ruby/ruby/blob/trunk/test/openssl/utils.rb#L1 begin require "openssl" + + # disable FIPS mode for tests for installations + # where FIPS mode would be enabled by default + OpenSSL.fips_mode=false rescue LoadError end require "test/unit" Index: test/openssl/test_fips.rb =================================================================== --- test/openssl/test_fips.rb (revision 0) +++ test/openssl/test_fips.rb (revision 38480) @@ -0,0 +1,55 @@ https://github.com/ruby/ruby/blob/trunk/test/openssl/test_fips.rb#L1 +require_relative 'utils' + +if defined?(OpenSSL) && OpenSSL::OPENSSL_FIPS + +class OpenSSL::TestFIPS < Test::Unit::TestCase + + def test_reject_md5 + data = "test" + assert_not_nil(OpenSSL::Digest.new("MD5").digest(data)) + in_fips_mode do + assert_raise(OpenSSL::Digest::DigestError) do + OpenSSL::Digest.new("MD5").digest(data) + end + end + end + + def test_reject_short_key_rsa + assert_key_too_short(OpenSSL::PKey::RSAError) { dh = OpenSSL::PKey::RSA.new(256) } + end + + def test_reject_short_key_dsa + assert_key_too_short(OpenSSL::PKey::DSAError) { dh = OpenSSL::PKey::DSA.new(256) } + end + + def test_reject_short_key_dh + assert_key_too_short(OpenSSL::PKey::DHError) { dh = OpenSSL::PKey::DH.new(256) } + end + + def test_reject_short_key_ec + assert_key_too_short(OpenSSL::PKey::ECError) do + group = OpenSSL::PKey::EC::Group.new('secp112r1') + key = OpenSSL::PKey::EC.new + key.group = group + key.generate_key + end + end + + private + + def in_fips_mode + OpenSSL.fips_mode = true + yield + ensure + OpenSSL.fips_mode = false + end + + def assert_key_too_short(expected_error) + in_fips_mode do + assert_raise(expected_error) { yield } + end + end + +end + +end -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/