

Ensure FIPS compliant mode by ensure_fips option (#4720)
ensure_fips option checks whether FIPS mode is
enabled by OpenSSL side.
If FIPS is not enabled on the OpenSSL side, it raises an error
when ensure_fips is true.

NOTE: If FIPS mode is enabled, ensure_fips does nothing.

Closes: #3121

Signed-off-by: Kentaro Hayashi <[email protected]>
kenhys authored Nov 28, 2024
1 parent d102527 commit df3d0c4
Showing 3 changed files with 51 additions and 0 deletions.
6 changes: 6 additions & 0 deletions lib/fluent/plugin_helper/cert_option.rb
Expand Up @@ -37,6 +37,12 @@ def cert_option_create_context(version, insecure, ciphers, conf)
ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
end

if conf.ensure_fips
unless OpenSSL.fips_mode
raise Fluent::ConfigError, "Cannot enable FIPS compliant mode. OpenSSL FIPS configuration is disabled"
end
end

ctx.ca_file = conf.ca_path
ctx.cert = cert
ctx.key = key
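Review bot: The new guard at the `if conf.ensure_fips` line reads process-wide OpenSSL state but says nothing about that, and the message "Cannot enable FIPS compliant mode" suggests fluentd tried to switch FIPS on, which this code never does; it only verifies. A short comment would make the contract explicit: `# ensure_fips is read-only: fluentd never turns FIPS on, it only refuses to build a TLS context when OpenSSL itself reports FIPS mode is off`. The nested if/unless can also collapse to one modifier-form raise, `raise Fluent::ConfigError, "Cannot enable FIPS compliant mode. OpenSSL FIPS configuration is disabled" if conf.ensure_fips && !OpenSSL.fips_mode`. Because the check sits in context creation rather than in configuration validation, a misconfiguration presumably surfaces only when the TLS transport first builds its context; worth confirming that is the intended failure point. `cert_option_create_context` begins and ends outside this hunk.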
2 changes: 2 additions & 0 deletions lib/fluent/plugin_helper/server.rb
Expand Up @@ -251,6 +251,7 @@ def server_create_for_tls_connection(shared, bind, port, conf, backlog, socket_o
:generate_cert_country, :generate_cert_state, :generate_cert_state,
:generate_cert_locality, :generate_cert_common_name,
:generate_cert_expiration, :generate_cert_digest,
:ensure_fips,
]

def server_create_transport_section_object(opts)
Expand Down Expand Up @@ -294,6 +295,7 @@ module ServerTransportParams
config_param :max_version, :enum, list: Fluent::TLS::SUPPORTED_VERSIONS, default: nil
config_param :ciphers, :string, default: Fluent::TLS::CIPHERS_DEFAULT
config_param :insecure, :bool, default: false
config_param :ensure_fips, :bool, default: false

# Cert signed by public CA
config_param :ca_path, :string, default: nil
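Review bot: `config_param :ensure_fips, :bool, default: false` in the second hunk gives a reader no hint that the option is a check rather than a switch, and nothing here points at where the check happens. A comment on that line would close the gap: `# When true, TLS context creation raises Fluent::ConfigError unless OpenSSL.fips_mode already reports FIPS enabled; fluentd does not enable FIPS itself`. The first hunk only appends `:ensure_fips` to the option list, which is fine, though the adjacent pre-existing line lists `:generate_cert_state` twice and looks like a leftover worth a follow-up. Both `ServerTransportParams` and the definition that owns the option list start outside these hunks.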
43 changes: 43 additions & 0 deletions test/plugin_helper/test_cert_option.rb
@@ -1,11 +1,16 @@
require_relative '../helper'
require 'fluent/plugin_helper/server'
require 'fluent/plugin_helper/cert_option'

class CertOptionPluginHelperTest < Test::Unit::TestCase
class Dummy < Fluent::Plugin::TestBase
helpers :cert_option
end

class DummyServer < Fluent::Plugin::TestBase
helpers :server
end

test 'can load PEM encoded certificate file' do
d = Dummy.new
certs = d.cert_option_certificates_from_file("test/plugin_helper/data/cert/cert.pem")
Expand All @@ -22,4 +27,42 @@ class Dummy < Fluent::Plugin::TestBase
d.cert_option_certificates_from_file("test/plugin_helper/data/cert/empty.pem")
end
end

sub_test_case "ensure OpenSSL FIPS mode" do
setup do
cert_dir = File.expand_path(File.join(File.dirname(__FILE__), "../plugin_helper/data/cert/"))
@tls_options = {
cert_path: File.join(cert_dir, "cert.pem"),
private_key_path: File.join(cert_dir, "cert-key.pem"),
}
@d = DummyServer.new
end

data(
enabled_fips_mode: [true, true, nil],
skip_checking_fips_mode: [true, false, nil],
block_incompatible_fips_mode: [false, true,
Fluent::ConfigError.new("Cannot enable FIPS compliant mode. OpenSSL FIPS configuration is disabled")],
not_care_fips_mode: [false, false, nil]
)
test 'ensure FIPS error' do |(fips_mode, ensure_fips, expected)|
stub(OpenSSL).fips_mode { fips_mode }
conf = @d.server_create_transport_section_object(@tls_options.merge({ensure_fips: ensure_fips}))
if expected
assert_raise(expected) do
@d.cert_option_create_context(Fluent::TLS::DEFAULT_VERSION,
false,
Fluent::TLS::CIPHERS_DEFAULT,
conf)
end
else
assert_nothing_raised do
@d.cert_option_create_context(Fluent::TLS::DEFAULT_VERSION,
false,
Fluent::TLS::CIPHERS_DEFAULT,
conf)
end
end
end
end
end
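Review bot: The two branches of `test 'ensure FIPS error'` repeat the same four-line `cert_option_create_context` call verbatim, so any change to the arguments must be made twice; binding the call once to a lambda and passing it as the block to `assert_raise`/`assert_nothing_raised` removes the duplication. The `setup` block also computes `cert_dir` via `File.expand_path(File.join(File.dirname(__FILE__), "../plugin_helper/data/cert/"))`, which walks out of `test/plugin_helper` and straight back in; `cert_dir = File.join(__dir__, "data", "cert")` resolves to the same directory. Since `OpenSSL.fips_mode` is stubbed in every data row, the `enabled_fips_mode` case exercises only the branch logic, not a real FIPS-enabled OpenSSL, which is presumably the intent of a unit test but is worth stating in the sub_test_case description.
```ruby
test 'ensure FIPS error' do |(fips_mode, ensure_fips, expected)|
  stub(OpenSSL).fips_mode { fips_mode }
  conf = @d.server_create_transport_section_object(@tls_options.merge({ensure_fips: ensure_fips}))
  # Build the context once; both assertions take it as their block.
  create_context = lambda do
    @d.cert_option_create_context(Fluent::TLS::DEFAULT_VERSION, false, Fluent::TLS::CIPHERS_DEFAULT, conf)
  end
  if expected
    assert_raise(expected, &create_context)
  else
    assert_nothing_raised(&create_context)
  end
end
```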
