blob: a6c9d54c0fb74e27928352d15487f86d8ec58029 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
|
# frozen_string_literal: true
require "spec_helper"
RSpec.describe Gitlab::FIPS do
describe ".enabled?" do
subject { described_class.enabled? }
let(:openssl_fips_mode) { false }
let(:fips_mode_env_var) { nil }
before do
expect(OpenSSL).to receive(:fips_mode).and_return(openssl_fips_mode)
stub_env("FIPS_MODE", fips_mode_env_var)
end
describe "OpenSSL auto-detection" do
context "OpenSSL is in FIPS mode" do
let(:openssl_fips_mode) { true }
it { is_expected.to be_truthy }
end
context "OpenSSL is not in FIPS mode" do
let(:openssl_fips_mode) { false }
it { is_expected.to be_falsey }
end
end
describe "manual configuration via env var" do
context "env var is not set" do
let(:fips_mode_env_var) { nil }
it { is_expected.to be_falsey }
end
context "env var is set to true" do
let(:fips_mode_env_var) { "true" }
it { is_expected.to be_truthy }
end
context "env var is set to false" do
let(:fips_mode_env_var) { "false" }
it { is_expected.to be_falsey }
end
end
end
describe '.enable_fips_mode!' do
let(:digests) { {} }
let(:test_string) { 'abc' }
before do
described_class::OPENSSL_DIGESTS.each do |digest|
digests[digest] = Digest.const_get(digest, false)
end
end
after do
digests.each do |name, value|
Digest.send(:remove_const, name)
Digest.const_set(name, value)
end
end
it 'assigns OpenSSL digests' do
described_class.enable_fips_mode!
# rubocop:disable Fips/OpenSSL
# rubocop:disable Fips/SHA1
# rubocop:disable Layout/LineLength
expect(Digest::SHA1).to be(OpenSSL::Digest::SHA1)
expect(Digest::SHA2).to be(OpenSSL::Digest::SHA256)
expect(Digest::SHA256).to be(OpenSSL::Digest::SHA256)
expect(Digest::SHA384).to be(OpenSSL::Digest::SHA384)
expect(Digest::SHA512).to be(OpenSSL::Digest::SHA512)
# From https://www.nist.gov/itl/ssd/software-quality-group/nsrl-test-data
expect(Digest::SHA1.hexdigest(test_string)).to eq('a9993e364706816aba3e25717850c26c9cd0d89d')
expect(Digest::SHA2.hexdigest(test_string)).to eq('ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad')
expect(Digest::SHA256.hexdigest(test_string)).to eq('ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad')
expect(Digest::SHA384.hexdigest(test_string)).to eq('cb00753f45a35e8bb5a03d699ac65007272c32ab0eded1631a8b605a43ff5bed8086072ba1e7cc2358baeca134c825a7')
expect(Digest::SHA512.hexdigest(test_string)).to eq('ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f')
expect(Digest::SHA1.base64digest(test_string)).to eq('qZk+NkcGgWq6PiVxeFDCbJzQ2J0=')
expect(Digest::SHA2.base64digest(test_string)).to eq('ungWv48Bz+pBQUDeXa4iI7ADYaOWF3qctBD/YfIAFa0=')
expect(Digest::SHA256.base64digest(test_string)).to eq('ungWv48Bz+pBQUDeXa4iI7ADYaOWF3qctBD/YfIAFa0=')
expect(Digest::SHA384.base64digest(test_string)).to eq('ywB1P0WjXou1oD1pmsZQBycsMqsO3tFjGotgWkP/W+2AhgcroefMI1i67KE0yCWn')
expect(Digest::SHA512.base64digest(test_string)).to eq('3a81oZNherrMQXNJriBBMRLm+k6JqX6iCp7u5ktV05ohkpkqJ0/BqDa6PCOj/uu9RU1EI2Q86A4qmslPpUyknw==')
# rubocop:enable Fips/OpenSSL
# rubocop:enable Fips/SHA1
# rubocop:enable Layout/LineLength
end
end
end
|