Fix test_pkey_ec.rb on FIPS.

junaruga · junaruga · commit 4262e31d5941 · 2023-09-19T20:16:48.000+02:00
diff --git a/Rakefile b/Rakefile
@@ -23,6 +23,7 @@ Rake::TestTask.new(:test_fips) do |t|
   t.test_files = FileList[
     'test/openssl/test_fips.rb',
     'test/openssl/test_pkey.rb',
+    'test/openssl/test_pkey_ec.rb',
   ]
   t.warning = true
 end
diff --git a/test/openssl/test_pkey_ec.rb b/test/openssl/test_pkey_ec.rb
@@ -229,6 +229,8 @@ def test_ECPrivateKey_with_parameters
   end
 
   def test_ECPrivateKey_encrypted
+    omit_on_fips
+
     p256 = Fixtures.pkey("p256")
     # key = abcdef
     pem = <<~EOF
diff --git a/test/openssl/utils.rb b/test/openssl/utils.rb
@@ -119,6 +119,18 @@ def libressl?(major = nil, minor = nil, fix = nil)
     return false unless version
     !major || (version.map(&:to_i) <=> [major, minor, fix]) >= 0
   end
+
+  def omit_on_fips
+    # The password based encryption used in the PEM format uses MD5 for
+    # deriving the encryption key from the password, and MD5 is not
+    # FIPS-approved.
+    #
+    # See https://github.com/openssl/openssl/discussions/21830#discussioncomment-6865636
+    # for details.
+    if OpenSSL.fips_mode
+      omit "The encryption used in the test is not approved in FIPS"
+    end
+  end
 end
 
 class OpenSSL::TestCase < Test::Unit::TestCase

Original file line number	Diff line number	Diff line change
`@@ -23,6 +23,7 @@ Rake::TestTask.new(:test_fips) do \|t\|`
`23`	`23`	`t.test_files = FileList[`
`24`	`24`	`'test/openssl/test_fips.rb',`
`25`	`25`	`'test/openssl/test_pkey.rb',`
	`26`	`+ 'test/openssl/test_pkey_ec.rb',`
`26`	`27`	`]`
`27`	`28`	`t.warning = true`
`28`	`29`	`end`