[前][次][番号順一覧][スレッド一覧]

ruby-changes:26429

From: emboss <ko1@a...>
Date: Thu, 20 Dec 2012 09:29:28 +0900 (JST)
Subject: [ruby-changes:26429] emboss:r38480 (trunk): * ext/openssl/ossl.c: add OpenSSL.fips_mode= to allow enabling FIPS

emboss	2012-12-20 09:29:07 +0900 (Thu, 20 Dec 2012)

  New Revision: 38480

  http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=38480

  Log:
    * ext/openssl/ossl.c: add OpenSSL.fips_mode= to allow enabling FIPS
      mode manually.
    * test/openssl/utils.rb: turn off FIPS mode for tests. This prevents
      OpenSSL installations with FIPS mode enabled by default from raising
      FIPS-related errors during the tests.
    * test/openssl/test_fips.rb: add tests for FIPS-capable OpenSSL
      installations.
      [Feature #6946] [ruby-core:47345]

  Added files:
    trunk/test/openssl/test_fips.rb
  Modified files:
    trunk/ChangeLog
    trunk/NEWS
    trunk/ext/openssl/ossl.c
    trunk/test/openssl/utils.rb

Index: ChangeLog
===================================================================
--- ChangeLog	(revision 38479)
+++ ChangeLog	(revision 38480)
@@ -1,3 +1,14 @@ https://github.com/ruby/ruby/blob/trunk/ChangeLog#L1
+Thu Dec 20 10:23:12 2012  Martin Bosslet  <Martin.Bosslet@g...>
+
+	* ext/openssl/ossl.c: add OpenSSL.fips_mode= to allow enabling FIPS
+	  mode manually.
+	* test/openssl/utils.rb: turn off FIPS mode for tests. This prevents
+	  OpenSSL installations with FIPS mode enabled by default from raising
+	  FIPS-related errors during the tests.
+	* test/openssl/test_fips.rb: add tests for FIPS-capable OpenSSL
+	  installations.
+	  [Feature #6946] [ruby-core:47345]
+
 Thu Dec 20 06:59:52 2012  Koichi Sasada  <ko1@a...>
 
 	* vm.c: support variable VM/Machine stack sizes.
Index: ext/openssl/ossl.c
===================================================================
--- ext/openssl/ossl.c	(revision 38479)
+++ ext/openssl/ossl.c	(revision 38480)
@@ -425,6 +425,33 @@ ossl_debug_set(VALUE self, VALUE val) https://github.com/ruby/ruby/blob/trunk/ext/openssl/ossl.c#L425
 }
 
 /*
+ * call-seq:
+ *   OpenSSL.fips_mode = boolean -> boolean
+ *
+ * Turns FIPS mode on or off. Turning on FIPS mode will obviously only have an
+ * effect for FIPS-capable installations of the OpenSSL library. Trying to do
+ * so otherwise will result in an error.
+ *
+ * === Examples
+ *
+ * OpenSSL.fips_mode = true   # turn FIPS mode on
+ * OpenSSL.fips_mode = false  # and off again
+ */
+static VALUE
+ossl_fips_mode_set(VALUE self, VALUE enabled)
+{
+    if RTEST(enabled) {
+	int mode = FIPS_mode();
+	if(!mode && !FIPS_mode_set(1)) /* turning on twice leads to an error */
+	    ossl_raise(eOSSLError, "Turning on FIPS mode failed");
+    } else {
+	if(!FIPS_mode_set(0)) /* turning off twice is OK */
+	    ossl_raise(eOSSLError, "Turning off FIPS mode failed");
+    }
+    return enabled;
+}
+
+/*
  * OpenSSL provides SSL, TLS and general purpose cryptography.  It wraps the
  * OpenSSL[http://www.openssl.org/] library.
  *
@@ -944,13 +971,14 @@ Init_openssl() https://github.com/ruby/ruby/blob/trunk/ext/openssl/ossl.c#L971
     rb_define_const(mOSSL, "OPENSSL_VERSION_NUMBER", INT2NUM(OPENSSL_VERSION_NUMBER));
 
     /*
-     * Boolean indicating whether OpenSSL runs in FIPS mode or not
+     * Boolean indicating whether OpenSSL is FIPS-enabled or not
      */
 #ifdef HAVE_OPENSSL_FIPS
     rb_define_const(mOSSL, "OPENSSL_FIPS", Qtrue);
 #else
     rb_define_const(mOSSL, "OPENSSL_FIPS", Qfalse);
 #endif
+    rb_define_module_function(mOSSL, "fips_mode=", ossl_fips_mode_set, 1);
 
     /*
      * Generic error,
Index: NEWS
===================================================================
--- NEWS	(revision 38479)
+++ NEWS	(revision 38480)
@@ -245,6 +245,10 @@ with all sufficient information, see the https://github.com/ruby/ruby/blob/trunk/NEWS#L245
     also allows to programmatically decline (client) renegotiation attempts.
   * Support for "0/n" splitting of records as BEAST mitigation via
     OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS.
+  * The default options for OpenSSL::SSL::SSLContext have changed to
+    OpenSSL::SSL::OP_ALL & ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS
+    instead of OpenSSL::SSL::OP_ALL only. This enables the countermeasure for
+    the BEAST attack by default.
   * OpenSSL requires passwords for decrypting PEM-encoded files to be at least
     four characters long. This led to awkward situations where an export with
     a password with fewer than four characters was possible, but accessing the
@@ -255,13 +259,10 @@ with all sufficient information, see the https://github.com/ruby/ruby/blob/trunk/NEWS#L259
   * SSL/TLS support for the Next Protocol Negotiation extension. Supported
     with OpenSSL 1.0.1 and higher.
   * OpenSSL::OPENSSL_FIPS allows client applications to detect whether OpenSSL
-    is running in FIPS mode and to react to the special requirements this
-    might imply.
-  * The default options for OpenSSL::SSL::SSLContext have changed to
-    OpenSSL::SSL::OP_ALL & ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS
-    instead of OpenSSL::SSL::OP_ALL only. This enables the countermeasure for
-    the BEAST attack by default.
-
+    is FIPS-enabled. OpenSSL.fips_mode= allows turning on and off FIPS mode
+    manually in order to adapt to situations where FIPS mode would be an
+    explicit requirement.
+  
 * ostruct
   * new methods:
     * OpenStruct#[], []=
Index: test/openssl/utils.rb
===================================================================
--- test/openssl/utils.rb	(revision 38479)
+++ test/openssl/utils.rb	(revision 38480)
@@ -1,5 +1,9 @@ https://github.com/ruby/ruby/blob/trunk/test/openssl/utils.rb#L1
 begin
   require "openssl"
+
+  # disable FIPS mode for tests for installations
+  # where FIPS mode would be enabled by default
+  OpenSSL.fips_mode=false
 rescue LoadError
 end
 require "test/unit"
Index: test/openssl/test_fips.rb
===================================================================
--- test/openssl/test_fips.rb	(revision 0)
+++ test/openssl/test_fips.rb	(revision 38480)
@@ -0,0 +1,55 @@ https://github.com/ruby/ruby/blob/trunk/test/openssl/test_fips.rb#L1
+require_relative 'utils'
+
+if defined?(OpenSSL) && OpenSSL::OPENSSL_FIPS
+
+class OpenSSL::TestFIPS < Test::Unit::TestCase
+  
+  def test_reject_md5
+    data = "test"
+    assert_not_nil(OpenSSL::Digest.new("MD5").digest(data))
+    in_fips_mode do
+      assert_raise(OpenSSL::Digest::DigestError) do
+        OpenSSL::Digest.new("MD5").digest(data)
+      end
+    end
+  end
+
+  def test_reject_short_key_rsa
+    assert_key_too_short(OpenSSL::PKey::RSAError) { dh = OpenSSL::PKey::RSA.new(256) }
+  end
+
+  def test_reject_short_key_dsa
+    assert_key_too_short(OpenSSL::PKey::DSAError) { dh = OpenSSL::PKey::DSA.new(256) }
+  end
+
+  def test_reject_short_key_dh
+    assert_key_too_short(OpenSSL::PKey::DHError) { dh = OpenSSL::PKey::DH.new(256) }
+  end
+
+  def test_reject_short_key_ec
+    assert_key_too_short(OpenSSL::PKey::ECError) do
+      group = OpenSSL::PKey::EC::Group.new('secp112r1')
+      key = OpenSSL::PKey::EC.new
+      key.group = group
+      key.generate_key
+    end
+  end
+
+  private
+  
+  def in_fips_mode
+    OpenSSL.fips_mode = true
+    yield
+  ensure
+    OpenSSL.fips_mode = false
+  end
+
+  def assert_key_too_short(expected_error)
+    in_fips_mode do
+      assert_raise(expected_error) { yield }
+    end
+  end
+
+end
+
+end

--
ML: ruby-changes@q...
Info: http://www.atdot.net/~ko1/quickml/

[前][次][番号順一覧][スレッド一覧]