author | Stan Hu <stanhu@gmail.com> | 2022-08-09 12:31:17 -0700 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-08-09 12:31:17 -0700 |
commit | 5bc0ddbfd4ce0ae007d109f081fc4a0c7fb169ac (patch) | |
tree | 4062842df8dc9db2c1eb0dd68979eb1cb1ed4308 /spec/unit/plugins | |
parent | e4f52072309e66149dd97e02608d1a6dc6239f80 (diff) | |
download | ohai-5bc0ddbfd4ce0ae007d109f081fc4a0c7fb169ac.tar.gz |
Fix FIPS mode detection (#1754)

Previously FIPS detection relied on the `OpenSSL::OPENSSL_FIPS`
constant being defined. However, on RedHat operating systems, this
constant is always defined in
`/usr/include/openssl/opensslconf-x86_64.h`. As a result, on such
operating systems FIPS mode would erroneously be labeled as enabled.

This constant is a necessary but not sufficient condition to determine
whether FIPS is actually enabled.

OpenSSL has a runtime `fips_mode` check
(https://wiki.openssl.org/index.php/FIPS_mode()) that should be used
instead. Ruby will use this if the `OPENSSL_FIPS` compile-time
constant is available:
https://github.com/ruby/ruby/blob/685efac05983dee44ce2d96c24f2fcb96a0aebe2/ext/openssl/ossl.c#L413-L428

Signed-off-by: Stan Hu <stanhu@gmail.com>
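
The difference between the two checks named in the commit message, as an added Ruby sketch that is not Ohai's plugin code. The names `fips_by_constant?`, `fips_by_runtime?`, `fips_status` and `fake_openssl` are hypothetical, and the stand-in modules are constructed to simulate a build where the constant is defined but FIPS mode is off.

```ruby
require "openssl"

# Check based only on the compile-time constant (the approach the commit
# message describes as necessary but not sufficient).
def fips_by_constant?(ssl = OpenSSL)
  ssl.const_defined?(:OPENSSL_FIPS, false) && ssl.const_get(:OPENSSL_FIPS, false) == true
end

# Runtime check: ask OpenSSL whether FIPS mode is actually on.
def fips_by_runtime?(ssl = OpenSSL)
  ssl.respond_to?(:fips_mode) && ssl.fips_mode == true
end

# Report "built with FIPS support" and "running in FIPS mode" separately.
def fips_status(ssl = OpenSSL)
  return :enabled if fips_by_runtime?(ssl)

  fips_by_constant?(ssl) ? :capable_but_disabled : :not_capable
end

# Constructed stand-in for the OpenSSL module (hypothetical helper, for
# demonstration only). Pass constant: nil to leave OPENSSL_FIPS undefined.
def fake_openssl(constant:, runtime:)
  Module.new do
    const_set(:OPENSSL_FIPS, constant) unless constant.nil?
    define_singleton_method(:fips_mode) { runtime }
  end
end

if __FILE__ == $PROGRAM_NAME
  cases = {
    "constant defined, FIPS off" => fake_openssl(constant: true, runtime: false),
    "constant defined, FIPS on" => fake_openssl(constant: true, runtime: true),
    "constant false" => fake_openssl(constant: false, runtime: false),
    "this host" => OpenSSL,
  }
  cases.each do |label, ssl|
    puts format("%-28s constant=%-5s runtime=%-5s status=%s",
                label, fips_by_constant?(ssl), fips_by_runtime?(ssl), fips_status(ssl))
  end
end
```

The first constructed case is the false positive the commit message describes: the constant-only check reports FIPS as enabled while the runtime check reports it as off.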
Diffstat (limited to 'spec/unit/plugins')
-rw-r--r-- | spec/unit/plugins/fips_spec.rb | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/spec/unit/plugins/fips_spec.rb b/spec/unit/plugins/fips_spec.rb index 0925eb16..7fdf10bb 100644 --- a/spec/unit/plugins/fips_spec.rb +++ b/spec/unit/plugins/fips_spec.rb @@ -33,14 +33,14 @@ describe Ohai::System, "plugin fips" do context "when OpenSSL reports FIPS mode true" do it "sets fips enabled true" do - stub_const("OpenSSL::OPENSSL_FIPS", true) + allow(OpenSSL).to receive(:fips_mode).and_return(true) expect(subject).to be(true) end end context "when OpenSSL reports FIPS mode false" do it "sets fips enabled false" do - stub_const("OpenSSL::OPENSSL_FIPS", false) + allow(OpenSSL).to receive(:fips_mode).and_return(false) expect(subject).to be(false) end end |
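Review bot: Both contexts in `fips_spec.rb` now stub only `OpenSSL.fips_mode`, so the spec no longer exercises the case the commit message describes, where `OpenSSL::OPENSSL_FIPS` is true while FIPS mode is off. Consider adding a third example that keeps `stub_const("OpenSSL::OPENSSL_FIPS", true)` together with `allow(OpenSSL).to receive(:fips_mode).and_return(false)` and expects `false`, so a regression to the constant-based check would fail the suite. This view is limited to `spec/unit/plugins`, so the plugin-side change cannot be checked against these stubs here.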