* ext/openssl/ossl.c: do not use FIPS_mode_set if not available.

* test/openssl/utils.rb: revise comment about setting FIPS mode to
  false.
* test/openssl/test_fips.rb: remove tests that cause errors on
  ruby-ci.
  [Feature #6946] [ruby-core:47345]



git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@38491 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

ChangeLog

@@ -1,3 +1,12 @@
+Thu Dec 20 15:55:46 2012  Martin Bosslet  <Martin.Bosslet@gmail.com>
+
+	* ext/openssl/ossl.c: do not use FIPS_mode_set if not available.
+	* test/openssl/utils.rb: revise comment about setting FIPS mode to
+	  false.
+	* test/openssl/test_fips.rb: remove tests that cause errors on
+	  ruby-ci.
+	  [Feature #6946] [ruby-core:47345]
+
 Thu Dec 20 15:22:59 2012  Eric Hodel  <drbrain@segment7.net>
 
 	* lib/rdoc/parser/ruby.rb:  Ignore methods defined on constants to
@@ -5,7 +14,7 @@ Thu Dec 20 15:22:59 2012  Eric Hodel  <drbrain@segment7.net>
 	  documentation.
 	* test/rdoc/test_rdoc_parser_ruby.rb:  Test for the above.
 
-Thu Dec 20 16:00:33 2012  Martin Bosslet  <Martin.Bosslet@gmail.com>
+Thu Dec 20 15:00:33 2012  Martin Bosslet  <Martin.Bosslet@gmail.com>
 
 	* ext/openssl/ossl_cipher.c: add support for Authenticated Encryption
 	  with Associated Data (AEAD) for OpenSSL versions that support the

ext/openssl/ossl.c

@@ -440,6 +440,8 @@ ossl_debug_set(VALUE self, VALUE val)
 static VALUE
 ossl_fips_mode_set(VALUE self, VALUE enabled)
 {
+
+#ifdef HAVE_OPENSSL_FIPS
     if RTEST(enabled) {
 	int mode = FIPS_mode();
 	if(!mode && !FIPS_mode_set(1)) /* turning on twice leads to an error */
@@ -449,6 +451,11 @@ ossl_fips_mode_set(VALUE self, VALUE enabled)
 	    ossl_raise(eOSSLError, "Turning off FIPS mode failed");
     }
     return enabled;
+#else
+    if RTEST(enabled)
+	ossl_raise(eOSSLError, "This version of OpenSSL does not support FIPS mode");
+    return enabled;
+#endif
 }
 
 /*

test/openssl/test_fips.rb

@@ -1,55 +1,14 @@
 require_relative 'utils'
 
-if defined?(OpenSSL) && OpenSSL::OPENSSL_FIPS
+if defined?(OpenSSL)
 
 class OpenSSL::TestFIPS < Test::Unit::TestCase
 
-  def test_reject_md5
-    data = "test"
-    assert_not_nil(OpenSSL::Digest.new("MD5").digest(data))
-    in_fips_mode do
-      assert_raise(OpenSSL::Digest::DigestError) do
-        OpenSSL::Digest.new("MD5").digest(data)
-      end
-    end
-  end
-
-  def test_reject_short_key_rsa
-    assert_key_too_short(OpenSSL::PKey::RSAError) { dh = OpenSSL::PKey::RSA.new(256) }
-  end
-
-  def test_reject_short_key_dsa
-    assert_key_too_short(OpenSSL::PKey::DSAError) { dh = OpenSSL::PKey::DSA.new(256) }
-  end
-
-  def test_reject_short_key_dh
-    assert_key_too_short(OpenSSL::PKey::DHError) { dh = OpenSSL::PKey::DH.new(256) }
-  end
-
-  def test_reject_short_key_ec
-    assert_key_too_short(OpenSSL::PKey::ECError) do
-      group = OpenSSL::PKey::EC::Group.new('secp112r1')
-      key = OpenSSL::PKey::EC.new
-      key.group = group
-      key.generate_key
-    end
-  end
-
-  private
-
-  def in_fips_mode
-    OpenSSL.fips_mode = true
-    yield
-  ensure
+  def test_fips_mode_is_reentrant
+    OpenSSL.fips_mode = false
     OpenSSL.fips_mode = false
   end
 
-  def assert_key_too_short(expected_error)
-    in_fips_mode do
-      assert_raise(expected_error) { yield }
-    end
-  end
-
 end
 
 end

test/openssl/utils.rb

@@ -1,8 +1,9 @@
 begin
   require "openssl"
 
-  # disable FIPS mode for tests for installations
-  # where FIPS mode would be enabled by default
+  # Disable FIPS mode for tests for installations
+  # where FIPS mode would be enabled by default.
+  # Has no effect on all other installations.
   OpenSSL.fips_mode=false
 rescue LoadError
 end