From 5bc0ddbfd4ce0ae007d109f081fc4a0c7fb169ac Mon Sep 17 00:00:00 2001
From: Stan Hu
Date: Tue, 9 Aug 2022 12:31:17 -0700
Subject: Fix FIPS mode detection (#1754)

Previously FIPS detection relied on the `OpenSSL::OPENSSL_FIPS` constant being defined. However, on RedHat operating systems, this constant is always defined in `/usr/include/openssl/opensslconf-x86_64.h`. As a result, on such operating systems FIPS mode would erroneously be labeled as enabled. This constant is a necessary but not sufficient condition to determine whether FIPS is actually enabled. OpenSSL has a runtime `fips_mode` check (https://wiki.openssl.org/index.php/FIPS_mode()) that should be used instead. Ruby will use this if the `OPENSSL_FIPS` compile-time constant is available: https://github.com/ruby/ruby/blob/685efac05983dee44ce2d96c24f2fcb96a0aebe2/ext/openssl/ossl.c#L413-L428

Signed-off-by: Stan Hu
---
 lib/ohai/plugins/fips.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'lib')

diff --git a/lib/ohai/plugins/fips.rb b/lib/ohai/plugins/fips.rb
index 7cf40fdf..fdb5c133 100644
--- a/lib/ohai/plugins/fips.rb
+++ b/lib/ohai/plugins/fips.rb
@@ -30,6 +30,7 @@ Ohai.plugin(:Fips) do
 fips Mash.new
 require "openssl" unless defined?(OpenSSL)
- fips["kernel"] = { "enabled" => OpenSSL::OPENSSL_FIPS }
+
+ fips["kernel"] = { "enabled" => defined?(OpenSSL.fips_mode) && OpenSSL.fips_mode }
 end
 end
-- 
cgit v1.2.1
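Review bot: The new `"enabled"` value on the added `fips["kernel"]` line is no longer a plain boolean: `defined?(OpenSSL.fips_mode) && OpenSSL.fips_mode` evaluates to `nil` when the method is absent, whereas the removed line always yielded `true`/`false` from the constant, so any consumer comparing the attribute against `false` now sees a third state. Coerce the result so the attribute stays boolean, e.g. `"enabled" => defined?(OpenSSL.fips_mode) ? OpenSSL.fips_mode : false`. A one-line comment above it would also keep the reasoning from the commit message next to the code: `# OpenSSL::OPENSSL_FIPS only means FIPS support was compiled in; fips_mode reports whether it is enabled at runtime.` The block enclosing these lines (presumably the plugin's `collect_data`) opens outside the hunk.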