diff options
author | Stan Hu <stanhu@gmail.com> | 2022-08-09 12:31:17 -0700 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-08-09 12:31:17 -0700 |
commit | 5bc0ddbfd4ce0ae007d109f081fc4a0c7fb169ac (patch) | |
tree | 4062842df8dc9db2c1eb0dd68979eb1cb1ed4308 | |
parent | e4f52072309e66149dd97e02608d1a6dc6239f80 (diff) | |
download | ohai-5bc0ddbfd4ce0ae007d109f081fc4a0c7fb169ac.tar.gz |
Fix FIPS mode detection (#1754)
Previously FIPS detection relied on the `OpenSSL::OPENSSL_FIPS`
constant being defined. However, on RedHat operating systems, this
constant is always defined in
`/usr/include/openssl/opensslconf-x86_64.h`. As a result, on such
operating systems FIPS mode would erroneously be labeled as enabled.
This constant is a necessary but not sufficient condition to determine
whether FIPS is actually enabled.
OpenSSL has a runtime `fips_mode` check
(https://wiki.openssl.org/index.php/FIPS_mode()) that should be used
instead. Ruby will use this if the `OPENSSL_FIPS` compile-time
constant is available:
https://github.com/ruby/ruby/blob/685efac05983dee44ce2d96c24f2fcb96a0aebe2/ext/openssl/ossl.c#L413-L428
Signed-off-by: Stan Hu <stanhu@gmail.com>
-rw-r--r-- | lib/ohai/plugins/fips.rb | 3 | ||||
-rw-r--r-- | spec/unit/plugins/fips_spec.rb | 4 |
2 files changed, 4 insertions, 3 deletions
diff --git a/lib/ohai/plugins/fips.rb b/lib/ohai/plugins/fips.rb index 7cf40fdf..fdb5c133 100644 --- a/lib/ohai/plugins/fips.rb +++ b/lib/ohai/plugins/fips.rb @@ -30,6 +30,7 @@ Ohai.plugin(:Fips) do fips Mash.new require "openssl" unless defined?(OpenSSL) - fips["kernel"] = { "enabled" => OpenSSL::OPENSSL_FIPS } + + fips["kernel"] = { "enabled" => defined?(OpenSSL.fips_mode) && OpenSSL.fips_mode } end end diff --git a/spec/unit/plugins/fips_spec.rb b/spec/unit/plugins/fips_spec.rb index 0925eb16..7fdf10bb 100644 --- a/spec/unit/plugins/fips_spec.rb +++ b/spec/unit/plugins/fips_spec.rb @@ -33,14 +33,14 @@ describe Ohai::System, "plugin fips" do context "when OpenSSL reports FIPS mode true" do it "sets fips enabled true" do - stub_const("OpenSSL::OPENSSL_FIPS", true) + allow(OpenSSL).to receive(:fips_mode).and_return(true) expect(subject).to be(true) end end context "when OpenSSL reports FIPS mode false" do it "sets fips enabled false" do - stub_const("OpenSSL::OPENSSL_FIPS", false) + allow(OpenSSL).to receive(:fips_mode).and_return(false) expect(subject).to be(false) end end |