ruby-changes:26440
From: emboss <ko1@a...>
Date: Thu, 20 Dec 2012 16:01:39 +0900 (JST)
Subject: [ruby-changes:26440] emboss:r38491 (trunk): * ext/openssl/ossl.c: do not use FIPS_mode_set if not available.
emboss 2012-12-20 16:00:11 +0900 (Thu, 20 Dec 2012) New Revision: 38491 http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=38491 Log: * ext/openssl/ossl.c: do not use FIPS_mode_set if not available. * test/openssl/utils.rb: revise comment about setting FIPS mode to false. * test/openssl/test_fips.rb: remove tests that cause errors on ruby-ci. [Feature #6946] [ruby-core:47345] Modified files: trunk/ChangeLog trunk/ext/openssl/ossl.c trunk/test/openssl/test_fips.rb trunk/test/openssl/utils.rb Index: ChangeLog =================================================================== --- ChangeLog (revision 38490) +++ ChangeLog (revision 38491) @@ -1,3 +1,12 @@ https://github.com/ruby/ruby/blob/trunk/ChangeLog#L1 +Thu Dec 20 15:55:46 2012 Martin Bosslet <Martin.Bosslet@g...> + + * ext/openssl/ossl.c: do not use FIPS_mode_set if not available. + * test/openssl/utils.rb: revise comment about setting FIPS mode to + false. + * test/openssl/test_fips.rb: remove tests that cause errors on + ruby-ci. + [Feature #6946] [ruby-core:47345] + Thu Dec 20 15:22:59 2012 Eric Hodel <drbrain@s...> * lib/rdoc/parser/ruby.rb: Ignore methods defined on constants to @@ -5,7 +14,7 @@ Thu Dec 20 15:22:59 2012 Eric Hodel <d https://github.com/ruby/ruby/blob/trunk/ChangeLog#L14 documentation. * test/rdoc/test_rdoc_parser_ruby.rb: Test for the above. -Thu Dec 20 16:00:33 2012 Martin Bosslet <Martin.Bosslet@g...> +Thu Dec 20 15:00:33 2012 Martin Bosslet <Martin.Bosslet@g...> * ext/openssl/ossl_cipher.c: add support for Authenticated Encryption with Associated Data (AEAD) for OpenSSL versions that support the Index: ext/openssl/ossl.c =================================================================== --- ext/openssl/ossl.c (revision 38490) +++ ext/openssl/ossl.c (revision 38491) @@ -440,6 +440,8 @@ ossl_debug_set(VALUE self, VALUE val) https://github.com/ruby/ruby/blob/trunk/ext/openssl/ossl.c#L440 static VALUE ossl_fips_mode_set(VALUE self, VALUE enabled) { + +#ifdef HAVE_OPENSSL_FIPS if RTEST(enabled) { int mode = FIPS_mode(); if(!mode && !FIPS_mode_set(1)) /* turning on twice leads to an error */ @@ -449,6 +451,11 @@ ossl_fips_mode_set(VALUE self, VALUE ena https://github.com/ruby/ruby/blob/trunk/ext/openssl/ossl.c#L451 ossl_raise(eOSSLError, "Turning off FIPS mode failed"); } return enabled; +#else + if RTEST(enabled) + ossl_raise(eOSSLError, "This version of OpenSSL does not support FIPS mode"); + return enabled; +#endif } /* Index: test/openssl/utils.rb =================================================================== --- test/openssl/utils.rb (revision 38490) +++ test/openssl/utils.rb (revision 38491) @@ -1,8 +1,9 @@ https://github.com/ruby/ruby/blob/trunk/test/openssl/utils.rb#L1 begin require "openssl" - # disable FIPS mode for tests for installations - # where FIPS mode would be enabled by default + # Disable FIPS mode for tests for installations + # where FIPS mode would be enabled by default. + # Has no effect on all other installations. OpenSSL.fips_mode=false rescue LoadError end Index: test/openssl/test_fips.rb =================================================================== --- test/openssl/test_fips.rb (revision 38490) +++ test/openssl/test_fips.rb (revision 38491) @@ -1,53 +1,12 @@ https://github.com/ruby/ruby/blob/trunk/test/openssl/test_fips.rb#L1 require_relative 'utils' -if defined?(OpenSSL) && OpenSSL::OPENSSL_FIPS +if defined?(OpenSSL) class OpenSSL::TestFIPS < Test::Unit::TestCase - def test_reject_md5 - data = "test" - assert_not_nil(OpenSSL::Digest.new("MD5").digest(data)) - in_fips_mode do - assert_raise(OpenSSL::Digest::DigestError) do - OpenSSL::Digest.new("MD5").digest(data) - end - end - end - - def test_reject_short_key_rsa - assert_key_too_short(OpenSSL::PKey::RSAError) { dh = OpenSSL::PKey::RSA.new(256) } - end - - def test_reject_short_key_dsa - assert_key_too_short(OpenSSL::PKey::DSAError) { dh = OpenSSL::PKey::DSA.new(256) } - end - - def test_reject_short_key_dh - assert_key_too_short(OpenSSL::PKey::DHError) { dh = OpenSSL::PKey::DH.new(256) } - end - - def test_reject_short_key_ec - assert_key_too_short(OpenSSL::PKey::ECError) do - group = OpenSSL::PKey::EC::Group.new('secp112r1') - key = OpenSSL::PKey::EC.new - key.group = group - key.generate_key - end - end - - private - - def in_fips_mode - OpenSSL.fips_mode = true - yield - ensure + def test_fips_mode_is_reentrant + OpenSSL.fips_mode = false OpenSSL.fips_mode = false - end - - def assert_key_too_short(expected_error) - in_fips_mode do - assert_raise(expected_error) { yield } - end end end -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/