Fix FIPS mode detection (#1754)

Previously FIPS detection relied on the `OpenSSL::OPENSSL_FIPS` constant being defined. However, on RedHat operating systems, this constant is always defined in `/usr/include/openssl/opensslconf-x86_64.h`. As a result, on such operating systems FIPS mode would erroneously be labeled as enabled. This constant is a necessary but not sufficient condition to determine whether FIPS is actually enabled. OpenSSL has a runtime `fips_mode` check (https://wiki.openssl.org/index.php/FIPS_mode()) that should be used instead. Ruby will use this if the `OPENSSL_FIPS` compile-time constant is available: https://github.com/ruby/ruby/blob/685efac05983dee44ce2d96c24f2fcb96a0aebe2/ext/openssl/ossl.c#L413-L428 Signed-off-by: Stan Hu <stanhu@gmail.com>
author: Stan Hu <stanhu@gmail.com> 2022-08-09 12:31:17 -0700
committer: GitHub <noreply@github.com> 2022-08-09 12:31:17 -0700
commit: 5bc0ddbfd4ce0ae007d109f081fc4a0c7fb169ac (patch)
tree: 4062842df8dc9db2c1eb0dd68979eb1cb1ed4308 /lib
parent: e4f52072309e66149dd97e02608d1a6dc6239f80 (diff)
download: ohai-5bc0ddbfd4ce0ae007d109f081fc4a0c7fb169ac.tar.gz
1 files changed, 2 insertions, 1 deletions
diff --git a/lib/ohai/plugins/fips.rb b/lib/ohai/plugins/fips.rb
index 7cf40fdf..fdb5c133 100644
--- a/lib/ohai/plugins/fips.rb
+++ b/lib/ohai/plugins/fips.rb
@@ -30,6 +30,7 @@ Ohai.plugin(:Fips) do
     fips Mash.new
 
     require "openssl" unless defined?(OpenSSL)
-    fips["kernel"] = { "enabled" => OpenSSL::OPENSSL_FIPS }
+
+    fips["kernel"] = { "enabled" => defined?(OpenSSL.fips_mode) && OpenSSL.fips_mode }
   end
 end
author	Stan Hu <stanhu@gmail.com>	2022-08-09 12:31:17 -0700
committer	GitHub <noreply@github.com>	2022-08-09 12:31:17 -0700
commit	5bc0ddbfd4ce0ae007d109f081fc4a0c7fb169ac (patch)
tree	4062842df8dc9db2c1eb0dd68979eb1cb1ed4308 /lib
parent	e4f52072309e66149dd97e02608d1a6dc6239f80 (diff)
download	ohai-5bc0ddbfd4ce0ae007d109f081fc4a0c7fb169ac.tar.gz