diff options
author | emboss <emboss@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2012-12-20 00:29:07 +0000 |
---|---|---|
committer | emboss <emboss@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2012-12-20 00:29:07 +0000 |
commit | a3b753b28214ad321e7335afada7f1b06d036836 (patch) | |
tree | c405de7ac3b8a087774472e6d31ee7de7642863c /test/openssl/test_fips.rb | |
parent | e3e4e9dfe77c103ac8a46e5ad15ef6b36e6f0653 (diff) | |
download | ruby-a3b753b28214ad321e7335afada7f1b06d036836.tar.gz |
* ext/openssl/ossl.c: add OpenSSL.fips_mode= to allow enabling FIPS
mode manually.
* test/openssl/utils.rb: turn off FIPS mode for tests. This prevents
OpenSSL installations with FIPS mode enabled by default from raising
FIPS-related errors during the tests.
* test/openssl/test_fips.rb: add tests for FIPS-capable OpenSSL
installations.
[Feature #6946] [ruby-core:47345]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@38480 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Diffstat (limited to 'test/openssl/test_fips.rb')
-rw-r--r-- | test/openssl/test_fips.rb | 55 |
1 files changed, 55 insertions, 0 deletions
diff --git a/test/openssl/test_fips.rb b/test/openssl/test_fips.rb new file mode 100644 index 0000000000..f04e511d76 --- /dev/null +++ b/test/openssl/test_fips.rb @@ -0,0 +1,55 @@ +require_relative 'utils' + +if defined?(OpenSSL) && OpenSSL::OPENSSL_FIPS + +class OpenSSL::TestFIPS < Test::Unit::TestCase + + def test_reject_md5 + data = "test" + assert_not_nil(OpenSSL::Digest.new("MD5").digest(data)) + in_fips_mode do + assert_raise(OpenSSL::Digest::DigestError) do + OpenSSL::Digest.new("MD5").digest(data) + end + end + end + + def test_reject_short_key_rsa + assert_key_too_short(OpenSSL::PKey::RSAError) { dh = OpenSSL::PKey::RSA.new(256) } + end + + def test_reject_short_key_dsa + assert_key_too_short(OpenSSL::PKey::DSAError) { dh = OpenSSL::PKey::DSA.new(256) } + end + + def test_reject_short_key_dh + assert_key_too_short(OpenSSL::PKey::DHError) { dh = OpenSSL::PKey::DH.new(256) } + end + + def test_reject_short_key_ec + assert_key_too_short(OpenSSL::PKey::ECError) do + group = OpenSSL::PKey::EC::Group.new('secp112r1') + key = OpenSSL::PKey::EC.new + key.group = group + key.generate_key + end + end + + private + + def in_fips_mode + OpenSSL.fips_mode = true + yield + ensure + OpenSSL.fips_mode = false + end + + def assert_key_too_short(expected_error) + in_fips_mode do + assert_raise(expected_error) { yield } + end + end + +end + +end |