CI: Add OpenSSL FIPS mode case.

junaruga · junaruga · commit 18b017218ca8 · 2023-05-15T13:16:02.000+02:00
test/openssl/fixtures/ssl/openssl_fips.cnf.tmpl: I referred to the following document for the openssl config file for FIPS mode. <https://www.openssl.org/docs/manmaster/man7/fips_module.html> - Making all applications use the FIPS module by default It seems that the `.include` syntax only requires the absolute path. So, the placeholder OPENSSL_DIR in the template file is replaced with the actual OpenSSL directory. .github/workflows/test.yml: The `TEST_RUBY_OPENSSL_FIPS_ENABLED` environment variable is set in the FIPS mode CI case. It can be used in the unit tests.
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -51,7 +51,7 @@ jobs:
 
   test-openssls:
     name: >-
-      ${{ matrix.openssl }}
+      ${{ matrix.openssl }} ${{ matrix.name_extra || '' }}
     runs-on: ${{ matrix.os }}
     strategy:
       fail-fast: false
@@ -70,6 +70,9 @@ jobs:
           - libressl-3.5.3
           - libressl-3.6.1
           - libressl-3.7.0 # Development release
+        fips_enabled: [ false ]
+        include:
+          - { os: ubuntu-latest, ruby: "3.0", openssl: openssl-3.0.8, fips_enabled: true, append_configure: 'enable-fips', name_extra: 'fips' }
     steps:
       - name: repo checkout
         uses: actions/checkout@v3
@@ -83,7 +86,7 @@ jobs:
             tar xf ${{ matrix.openssl }}.tar.gz && cd ${{ matrix.openssl }}
             # shared is required for 1.0.x.
             ./Configure --prefix=$HOME/.openssl/${{ matrix.openssl }} --libdir=lib \
-                shared linux-x86_64
+                shared linux-x86_64 ${{ matrix.append_configure }}
             make depend
             ;;
           libressl-*)
@@ -98,6 +101,26 @@ jobs:
           make -j4
           make install_sw
 
+      - name: prepare openssl fips
+        run: make install_fips
+        working-directory: tmp/build-openssl/${{ matrix.openssl }}
+        if: matrix.fips_enabled
+
+      - name: set the open installed directory
+        run: >
+          sed -e "s|OPENSSL_DIR|$HOME/.openssl/${{ matrix.openssl }}|"
+          test/openssl/fixtures/ssl/openssl_fips.cnf.tmpl >
+          test/openssl/fixtures/ssl/openssl_fips.cnf
+        if: matrix.fips_enabled
+
+      - name: set openssl config file path for fips.
+        run: echo "OPENSSL_CONF=$(pwd)/test/openssl/fixtures/ssl/openssl_fips.cnf" >> $GITHUB_ENV
+        if: matrix.fips_enabled
+
+      - name: set fips enviornment variable for testing.
+        run: echo "TEST_RUBY_OPENSSL_FIPS_ENABLED=true" >> $GITHUB_ENV
+        if: matrix.fips_enabled
+
       - name: load ruby
         uses: ruby/setup-ruby@v1
         with:
@@ -112,3 +135,10 @@ jobs:
       - name: test
         run:  rake test TESTOPTS="-v --no-show-detail-immediately" OSSL_MDEBUG=1
         timeout-minutes: 5
+        if: ${{ !matrix.fips_enabled }}
+
+      # Run only the passing tests on the FIPS mode as a temporary workaround.
+      # TODO Fix other tests, and run all the tests on FIPS mode.
+      - name: test on fips mode
+        run:  ruby -Ilib test/openssl/test_fips.rb
+        if: matrix.fips_enabled
diff --git a/test/openssl/fixtures/ssl/openssl_fips.cnf.tmpl b/test/openssl/fixtures/ssl/openssl_fips.cnf.tmpl
@@ -0,0 +1,19 @@
+config_diagnostics = 1
+openssl_conf = openssl_init
+
+# It seems that the .include needs an absolute path.
+.include OPENSSL_DIR/ssl/fipsmodule.cnf
+
+[openssl_init]
+providers = provider_sect
+alg_section = algorithm_sect
+
+[provider_sect]
+fips = fips_sect
+base = base_sect
+
+[base_sect]
+activate = 1
+
+[algorithm_sect]
+default_properties = fips=yes
