Fix the fips_mode_get on OpenSSL 3.

junaruga · junaruga · commit 9acb9b5507f7 · 2023-03-17T22:06:30.000+01:00
This commit only fixes the issue that the `OpenSSL.fips_mode` returns `false` on OpenSSL 3 FIPS mode enabled environment, while other tests fail on the environment. I believe that this minimal fix is a good start to make Ruby OpenSSL work on the OpenSSL 3 FIPS mode enabled environment with the CI case. It seems that the `OPENSSL_FIPS` macro is not used on the FIPS mode case any more on OpenSSL 3. The API `FIPS_mode` also was removed in OpenSSL 3. See the document <https://github.com/openssl/openssl/blob/master/doc/man7/migration_guide.pod#removed-fips_mode-and-fips_mode_set> the section OPENSSL 3.0 > Main Changes from OpenSSL 1.1.1 > Other notable deprecations and changes - Removed FIPS_mode() and FIPS_mode_set() . The `TEST_RUBY_OPENSSL_FIPS_ENABLED` is set on the FIPS mode case on the CI. Because I want to test that the `OpenSSL.fips_mode` returning the `true` or 'false' in the CI. Right now we don't find a reliable way to get the capability of OpenSSL 3 for the FIPS mode.
diff --git a/ext/openssl/ossl.c b/ext/openssl/ossl.c
@@ -418,7 +418,11 @@ static VALUE
 ossl_fips_mode_get(VALUE self)
 {
 
-#ifdef OPENSSL_FIPS
+#if OSSL_OPENSSL_PREREQ(3, 0, 0)
+    VALUE enabled;
+    enabled = EVP_default_properties_is_fips_enabled(NULL) ? Qtrue : Qfalse;
+    return enabled;
+#elif OPENSSL_FIPS
     VALUE enabled;
     enabled = FIPS_mode() ? Qtrue : Qfalse;
     return enabled;
diff --git a/test/openssl/test_fips.rb b/test/openssl/test_fips.rb
@@ -4,12 +4,37 @@
 if defined?(OpenSSL)
 
 class OpenSSL::TestFIPS < OpenSSL::TestCase
+  def test_fips_mode_get_is_true_on_fips_mode_enabled
+    unless ENV["CI"] && ENV["TEST_RUBY_OPENSSL_FIPS_ENABLED"]
+      omit "Only for on FIPS mode environment on CI"
+    end
+
+    assert_separately([{ "OSSL_MDEBUG" => nil }, "-ropenssl"], <<~"end;")
+      assert OpenSSL.fips_mode == true, ".fips_mode returns true on FIPS mode enabled"
+    end;
+  end
+
+  def test_fips_mode_get_is_false_on_fips_mode_disabled
+    unless ENV["CI"] && !ENV["TEST_RUBY_OPENSSL_FIPS_ENABLED"]
+      omit "Only for non-FIPS mode environment on CI"
+    end
+
+    assert_separately([{ "OSSL_MDEBUG" => nil }, "-ropenssl"], <<~"end;")
+      assert OpenSSL.fips_mode == false, ".fips_mode returns false on FIPS mode disabled"
+    end;
+  end
+
   def test_fips_mode_is_reentrant
     OpenSSL.fips_mode = false
     OpenSSL.fips_mode = false
   end
 
-  def test_fips_mode_get
+  def test_fips_mode_get_with_fips_mode_set
+    if openssl?(3, 0, 0)
+      pend('OpenSSL::OPENSSL_FIPS and fips_mode_set are not properly ' \
+           'implemented in OpenSSL 3')
+    end
+
     return unless OpenSSL::OPENSSL_FIPS
     assert_separately([{ "OSSL_MDEBUG" => nil }, "-ropenssl"], <<~"end;")
       begin
