author | Jun Aruga <junaruga@users.noreply.github.com> | 2023-06-01 16:54:55 +0200 |
committer | GitHub <noreply@github.com> | 2023-06-01 16:54:55 +0200 |
commit | 7e411b47020bc1efdf3f9e0e0fafe9a743addcc9 (patch) | |
tree | 8c9b256c2d24cf7244ece2e666d9d321aca5b621 | |
parent | 5f505c555c55a6e342f1e5f2a325b87eb51ca77d (diff) | |
parent | 8149cdf6e874214f9349f1f236b003d9239228f9 (diff) | |
download | ruby-openssl-7e411b47020bc1efdf3f9e0e0fafe9a743addcc9.tar.gz |
Merge pull request #615 from junaruga/wip/fips-read
Fix OpenSSL::PKey.read, which cannot parse a PKey in FIPS mode.
-rw-r--r-- | .github/workflows/test.yml | 4 | ||||
-rw-r--r-- | ext/openssl/ossl_pkey.c | 26 | ||||
-rw-r--r-- | test/openssl/test_pkey.rb | 7 | ||||
-rw-r--r-- | test/openssl/utils.rb | 5 |
4 files changed, 31 insertions, 11 deletions
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index becf9902..f60f99be 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -149,5 +149,7 @@ jobs:
 # Run only the passing tests on the FIPS mode as a temporary workaround.
 # TODO Fix other tests, and run all the tests on FIPS mode.
 - name: test on fips mode
- run: ruby -Ilib test/openssl/test_fips.rb
+ run: |
+ ruby -I./lib -ropenssl \
+ -e 'Dir.glob "./test/openssl/{test_fips.rb,test_pkey.rb}", &method(:require)'
 if: matrix.fips_enabled
diff --git a/ext/openssl/ossl_pkey.c b/ext/openssl/ossl_pkey.c
index 47625667..a8e97d0b 100644
--- a/ext/openssl/ossl_pkey.c
+++ b/ext/openssl/ossl_pkey.c
@@ -101,10 +101,9 @@ ossl_pkey_read_generic(BIO *bio, VALUE pass)
 goto out;
 OSSL_BIO_reset(bio);
- /* Then check PEM; multiple OSSL_DECODER_from_bio() calls may be needed */
- if (OSSL_DECODER_CTX_set_input_type(dctx, "PEM") != 1)
- goto out;
 /*
+ * Then check PEM; multiple OSSL_DECODER_from_bio() calls may be needed.
+ *
 * First check for private key formats. This is to keep compatibility with
 * ruby/openssl < 3.0 which decoded the following as a private key.
 *
@@ -124,8 +123,19 @@ ossl_pkey_read_generic(BIO *bio, VALUE pass)
 *
 * Note that normally, the input is supposed to contain a single decodable
 * PEM block only, so this special handling should not create a new problem.
+ *
+ * Note that we need to create the OSSL_DECODER_CTX variable each time when
+ * we use the different selection as a workaround.
+ * https://github.com/openssl/openssl/issues/20657
 */
- OSSL_DECODER_CTX_set_selection(dctx, EVP_PKEY_KEYPAIR);
+ OSSL_DECODER_CTX_free(dctx);
+ dctx = NULL;
+ dctx = OSSL_DECODER_CTX_new_for_pkey(&pkey, "PEM", NULL, NULL,
+ EVP_PKEY_KEYPAIR, NULL, NULL);
+ if (!dctx)
+ goto out;
+ if (OSSL_DECODER_CTX_set_pem_password_cb(dctx, ossl_pem_passwd_cb, ppass) != 1)
+ goto out;
 while (1) {
 if (OSSL_DECODER_from_bio(dctx, bio) == 1)
 goto out;
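Review bot: The free / OSSL_DECODER_CTX_new_for_pkey / OSSL_DECODER_CTX_set_pem_password_cb sequence added in this hunk (`@@ -124,8 +123,19 @@`) is repeated almost verbatim in the next hunk (`@@ -139,7 +149,13 @@`), differing only in the selection argument; keeping two copies invites drift, and the step most likely to be forgotten is re-registering the password callback, without which an encrypted PEM would silently fail to decode on that path rather than prompting for the passphrase. Factoring the sequence into a small static helper makes the workaround for openssl issue 20657 live in one place, and the comment above it can then say when the workaround can be dropped. The `dctx = NULL;` before the reassignment is a dead store on both paths, since `dctx` is overwritten on the next line; it is harmless but reads as if it guarded something. ossl_pkey_read_generic starts before and continues after this hunk, so I am assuming the `out` label tolerates a NULL `dctx` as it already must for the `if (!dctx) goto out;` the commit adds.
```c
/* Build a fresh PEM decoder context for one key selection and attach the
 * passphrase callback. A new context is needed per selection because of
 * https://github.com/openssl/openssl/issues/20657. Returns NULL on failure. */
static OSSL_DECODER_CTX *
pem_decoder_ctx_new(EVP_PKEY **pkey, int selection, void *ppass)
{
    OSSL_DECODER_CTX *dctx = OSSL_DECODER_CTX_new_for_pkey(pkey, "PEM", NULL, NULL,
                                                           selection, NULL, NULL);
    if (!dctx)
        return NULL;
    if (OSSL_DECODER_CTX_set_pem_password_cb(dctx, ossl_pem_passwd_cb, ppass) != 1) {
        OSSL_DECODER_CTX_free(dctx);
        return NULL;
    }
    return dctx;
}

/* … unchanged: ossl_pkey_read_generic up to the comment block … */
    OSSL_DECODER_CTX_free(dctx);
    dctx = pem_decoder_ctx_new(&pkey, EVP_PKEY_KEYPAIR, ppass);
    if (!dctx)
        goto out;
    /* … unchanged: while (1) decode loop; the second site uses selection 0 … */
```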
@@ -139,7 +149,13 @@ ossl_pkey_read_generic(BIO *bio, VALUE pass)
 }
 OSSL_BIO_reset(bio);
- OSSL_DECODER_CTX_set_selection(dctx, 0);
+ OSSL_DECODER_CTX_free(dctx);
+ dctx = NULL;
+ dctx = OSSL_DECODER_CTX_new_for_pkey(&pkey, "PEM", NULL, NULL, 0, NULL, NULL);
+ if (!dctx)
+ goto out;
+ if (OSSL_DECODER_CTX_set_pem_password_cb(dctx, ossl_pem_passwd_cb, ppass) != 1)
+ goto out;
 while (1) {
 if (OSSL_DECODER_from_bio(dctx, bio) == 1)
 goto out;
diff --git a/test/openssl/test_pkey.rb b/test/openssl/test_pkey.rb
index 2b99e8f3..2cd5290f 100644
--- a/test/openssl/test_pkey.rb
+++ b/test/openssl/test_pkey.rb
@@ -82,6 +82,9 @@ class OpenSSL::TestPKey < OpenSSL::PKeyTestCase
 end
 def test_ed25519
+ # https://github.com/openssl/openssl/issues/20758
+ pend('Not supported on FIPS mode enabled') if OpenSSL.fips_mode
+
 # Test vector from RFC 8032 Section 7.1 TEST 2
 priv_pem = <<~EOF
 -----BEGIN PRIVATE KEY-----
@@ -127,6 +130,8 @@ class OpenSSL::TestPKey < OpenSSL::PKeyTestCase
 end
 def test_x25519
+ pend('Not supported on FIPS mode enabled') if OpenSSL.fips_mode
+
 # Test vector from RFC 7748 Section 6.1
 alice_pem = <<~EOF
 -----BEGIN PRIVATE KEY-----
@@ -153,6 +158,8 @@ class OpenSSL::TestPKey < OpenSSL::PKeyTestCase
 end
 def test_compare?
+ pend('Not supported on FIPS mode enabled') if OpenSSL.fips_mode
+
 key1 = Fixtures.pkey("rsa1024")
 key2 = Fixtures.pkey("rsa1024")
 key3 = Fixtures.pkey("rsa2048")
diff --git a/test/openssl/utils.rb b/test/openssl/utils.rb
index e474fcca..f00084ff 100644
--- a/test/openssl/utils.rb
+++ b/test/openssl/utils.rb
@@ -1,11 +1,6 @@
 # frozen_string_literal: true
 begin
 require "openssl"
-
- # Disable FIPS mode for tests for installations
- # where FIPS mode would be enabled by default.
- # Has no effect on all other installations.
- OpenSSL.fips_mode=false
 rescue LoadError
 end |
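Review bot: The pend added to test_compare? (`@@ -153,6 +158,8 @@`) reuses the Ed25519/X25519 message "Not supported on FIPS mode enabled", but the test only loads RSA fixtures, so the message does not say what is unsupported, and unlike test_ed25519 (`@@ -82,6 +82,9 @@`) it cites no issue; the same applies to test_x25519 (`@@ -127,6 +130,8 @@`). Presumably the 1024-bit RSA fixture is what the FIPS provider rejects, but that is an inference from the fixture names, so the line should record the actual cause once confirmed, e.g. `pend('rsa1024 fixture is rejected by the FIPS provider') if OpenSSL.fips_mode` with a one-line `# TODO: replace with FIPS-approved fixtures` above it. Now that utils.rb no longer forces `OpenSSL.fips_mode=false`, these pends are what keep this file green on FIPS-default installations, so each one should be searchable by its reason. Since the same guard now appears three times, a helper in the test case base class such as `def pend_on_fips(reason) = pend(reason) if OpenSSL.fips_mode` would keep the wording per test while removing the repetition; that base class is outside this diff.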