authorStan Hu <stanhu@gmail.com>2022-08-09 12:31:17 -0700
committerGitHub <noreply@github.com>2022-08-09 12:31:17 -0700
commit5bc0ddbfd4ce0ae007d109f081fc4a0c7fb169ac (patch)
tree4062842df8dc9db2c1eb0dd68979eb1cb1ed4308
parente4f52072309e66149dd97e02608d1a6dc6239f80 (diff)
Fix FIPS mode detection (#1754)
Previously FIPS detection relied on the `OpenSSL::OPENSSL_FIPS` constant being defined. However, on RedHat operating systems, this constant is always defined in `/usr/include/openssl/opensslconf-x86_64.h`. As a result, on such operating systems FIPS mode would erroneously be labeled as enabled. This constant is a necessary but not sufficient condition to determine whether FIPS is actually enabled. OpenSSL has a runtime `fips_mode` check (https://wiki.openssl.org/index.php/FIPS_mode()) that should be used instead. Ruby will use this if the `OPENSSL_FIPS` compile-time constant is available: https://github.com/ruby/ruby/blob/685efac05983dee44ce2d96c24f2fcb96a0aebe2/ext/openssl/ossl.c#L413-L428 Signed-off-by: Stan Hu <stanhu@gmail.com>
-rw-r--r--lib/ohai/plugins/fips.rb3
-rw-r--r--spec/unit/plugins/fips_spec.rb4
2 files changed, 4 insertions, 3 deletions
diff --git a/lib/ohai/plugins/fips.rb b/lib/ohai/plugins/fips.rb
index 7cf40fdf..fdb5c133 100644
--- a/lib/ohai/plugins/fips.rb
+++ b/lib/ohai/plugins/fips.rb
@@ -30,6 +30,7 @@ Ohai.plugin(:Fips) do
fips Mash.new
require "openssl" unless defined?(OpenSSL)
- fips["kernel"] = { "enabled" => OpenSSL::OPENSSL_FIPS }
+
+ fips["kernel"] = { "enabled" => defined?(OpenSSL.fips_mode) && OpenSSL.fips_mode }
end
end
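Review bot: The added line yields `nil` rather than `false` when `OpenSSL.fips_mode` is not defined (a Ruby whose openssl extension was built without FIPS support), because `defined?(...)` short-circuits the `&&` to `nil`; the attribute then has a third state that consumers checking `enabled == false` or serializing the Mash will see. Normalizing with `fips["kernel"] = { "enabled" => OpenSSL.respond_to?(:fips_mode) && OpenSSL.fips_mode }` keeps the value strictly boolean, which is also what the spec asserts with `be(false)`. A short comment would help future readers, since the key is named "kernel" but the value reflects the OpenSSL library's runtime state in the ohai process: `# OpenSSL.fips_mode reports the library's runtime FIPS state; OPENSSL_FIPS only shows FIPS support was compiled in`. The enclosing block opens before the hunk.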
diff --git a/spec/unit/plugins/fips_spec.rb b/spec/unit/plugins/fips_spec.rb
index 0925eb16..7fdf10bb 100644
--- a/spec/unit/plugins/fips_spec.rb
+++ b/spec/unit/plugins/fips_spec.rb
@@ -33,14 +33,14 @@ describe Ohai::System, "plugin fips" do
context "when OpenSSL reports FIPS mode true" do
it "sets fips enabled true" do
- stub_const("OpenSSL::OPENSSL_FIPS", true)
+ allow(OpenSSL).to receive(:fips_mode).and_return(true)
expect(subject).to be(true)
end
end
context "when OpenSSL reports FIPS mode false" do
it "sets fips enabled false" do
- stub_const("OpenSSL::OPENSSL_FIPS", false)
+ allow(OpenSSL).to receive(:fips_mode).and_return(false)
expect(subject).to be(false)
end
end
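Review bot: The two updated contexts only exercise stubbed `true`/`false` returns, so the branch the new `defined?(OpenSSL.fips_mode)` guard exists for, a Ruby whose openssl extension has no `fips_mode`, is left untested; a third context that simulates the method being absent and asserts `expect(subject).to be(false)` would pin that path (and would currently surface that the plugin yields `nil` there). Note also that `allow(OpenSSL).to receive(:fips_mode)` may itself fail on such a Ruby if the suite enables `verify_partial_doubles`, which I cannot see from the hunk. The enclosing `describe` block continues past the hunk.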