author | Kazuki Yamaguchi <k@rhe.jp> | 2023-08-16 11:46:41 +0900 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-08-16 11:46:41 +0900 |
commit | 283958a51848d9dff4ff885fcda2e2fee3bd45a0 (patch) | |
tree | f934328ba2b696700871e23db15fc0b0a96d6ab7 | |
parent | 6424402375380aacec77c1fb99ec67162c8935dd (diff) | |
parent | f9980d88aade30982eed01fd6a117cc515ad83e5 (diff) | |
download | ruby-openssl-283958a51848d9dff4ff885fcda2e2fee3bd45a0.tar.gz |
Merge pull request #664 from junaruga/wip/fips-test-pkey-fix-pending-tests
test/openssl/test_pkey.rb: Fix pending tests in FIPS case.
-rw-r--r-- | test/openssl/test_pkey.rb | 15 | ||||
-rw-r--r-- | test/openssl/utils.rb | 16 |
2 files changed, 26 insertions, 5 deletions
diff --git a/test/openssl/test_pkey.rb b/test/openssl/test_pkey.rb
index 92331323..da3ae5d6 100644
--- a/test/openssl/test_pkey.rb
+++ b/test/openssl/test_pkey.rb
@@ -82,8 +82,7 @@ class OpenSSL::TestPKey < OpenSSL::PKeyTestCase
 end
 def test_ed25519
- # https://github.com/openssl/openssl/issues/20758
- pend('Not supported on FIPS mode enabled') if OpenSSL.fips_mode
+ pend_on_openssl_issue_21493
 # Test vector from RFC 8032 Section 7.1 TEST 2
 priv_pem = <<~EOF
@@ -101,7 +100,13 @@ class OpenSSL::TestPKey < OpenSSL::PKeyTestCase
 pub = OpenSSL::PKey.read(pub_pem)
 rescue OpenSSL::PKey::PKeyError
 # OpenSSL < 1.1.1
- pend "Ed25519 is not implemented"
+ if !openssl?(1, 1, 1)
+ pend "Ed25519 is not implemented"
+ elsif OpenSSL.fips_mode && openssl?(3, 1, 0, 0)
+ # See OpenSSL providers/fips/fipsprov.c PROV_NAMES_ED25519 entries
+ # with FIPS_UNAPPROVED_PROPERTIES in OpenSSL 3.1+.
+ pend "Ed25519 is not approved in OpenSSL 3.1+ FIPS code"
+ end
 end
 assert_instance_of OpenSSL::PKey::PKey, priv
 assert_instance_of OpenSSL::PKey::PKey, pub
@@ -143,7 +148,7 @@ class OpenSSL::TestPKey < OpenSSL::PKeyTestCase
 end
 def test_x25519
- pend('Not supported on FIPS mode enabled') if OpenSSL.fips_mode
+ pend_on_openssl_issue_21493
 # Test vector from RFC 7748 Section 6.1
 alice_pem = <<~EOF
@@ -197,7 +202,7 @@ class OpenSSL::TestPKey < OpenSSL::PKeyTestCase
 end
 def test_compare?
- pend('Not supported on FIPS mode enabled') if OpenSSL.fips_mode
+ pend_on_openssl_issue_21493
 key1 = Fixtures.pkey("rsa1024")
 key2 = Fixtures.pkey("rsa1024")
diff --git a/test/openssl/utils.rb b/test/openssl/utils.rb
index 3d4d05fe..b5ffbe1c 100644
--- a/test/openssl/utils.rb
+++ b/test/openssl/utils.rb
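Review bot: The rewritten `rescue OpenSSL::PKey::PKeyError` branch in test_ed25519 silently swallows the exception when neither condition matches, for example a non-FIPS build on OpenSSL 1.1.1 or later, or FIPS mode on a 3.0.x release. Execution then reaches `assert_instance_of OpenSSL::PKey::PKey, priv` with `priv` or `pub` still nil, so a real key-parsing regression is reported as an unrelated type assertion and the original error message is lost. I would end the conditional with an `else` branch containing a bare `raise` so unexpected failures propagate unchanged. The retained `# OpenSSL < 1.1.1` comment now describes only the first branch and would read better inside it. The `begin` that this `rescue` belongs to is outside the hunk.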
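Review bot: In test_compare? the new `pend_on_openssl_issue_21493` guard protects a test built on `Fixtures.pkey("rsa1024")`, yet the helper's comment in utils.rb describes the upstream issue only in terms of x25519, so the reason an RSA comparison depends on it is not documented anywhere visible. If the cause is that the test decodes and re-encodes keys through the same fips+base provider path, a one-line comment at the call site such as `# compare? re-encodes keys; affected by the fips+base decode/encode bug` would make that explicit. This matters because the previous blanket FIPS skip is gone, and a reader judging FIPS coverage needs to know why each test is still conditionally pended. The body of test_compare? continues past the end of the hunk.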
@@ -144,6 +144,22 @@ module OpenSSL::TestUtils
 return false unless version
 !major || (version.map(&:to_i) <=> [major, minor, fix]) >= 0
 end
+
+ # OpenSSL 3: x25519 a decode from and then encode to a pem file corrupts the
+ # key if fips+base provider is used
+ # This issue happens in OpenSSL between 3.0,0 and 3.0.10 or between 3.1.0 and
+ # 3.1.2.
+ # https://github.com/openssl/openssl/issues/21493
+ # https://github.com/openssl/openssl/pull/21519
+ def pend_on_openssl_issue_21493
+ if OpenSSL.fips_mode &&
+ (
+ (openssl?(3, 0, 0, 0) && !openssl?(3, 0, 0, 11)) ||
+ (openssl?(3, 1, 0, 0) && !openssl?(3, 1, 0, 3))
+ )
+ pend('See <https://github.com/openssl/openssl/issues/21493>')
+ end
+ end
 end
 class OpenSSL::TestCase < Test::Unit::TestCase |
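Review bot: The comment above `pend_on_openssl_issue_21493` has a typo (`3.0,0`) and does not say how the affected range maps onto the bounds in the condition, `!openssl?(3, 0, 0, 11)` and `!openssl?(3, 1, 0, 3)`. Those calls appear to rely on the fourth positional argument of `openssl?` carrying the 3.x patch level; `openssl?` is defined outside this hunk, so that should be confirmed there. I would replace the range sentence with `# Affected: OpenSSL 3.0.0-3.0.10 and 3.1.0-3.1.2 (fixed in 3.0.11 and 3.1.3).` and add `# openssl?(3, 0, 0, 11) means "3.0.11 or later"` beside the condition. Because this gate decides which key tests are skipped under FIPS, a misread bound would either hide real failures or re-enable tests on a broken library.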