[ruby/openssl] test_pkey.rb: Refactor the test_ed25519 on FIPS.

* Split the test in the FIPS case as another test. * test/openssl/utils.rb: Add omit_on_fips and omit_on_non_fips methods. https://github.com/ruby/openssl/commit/4d64c38ed0
2023-09-19 19:54:31 +02:00 · 2023-09-19 19:54:31 +02:00 · f370c4dc03
commit f370c4dc03
parent 3123b2fa0e
2 changed files with 53 additions and 8 deletions
--- a/test/openssl/test_pkey.rb
+++ b/test/openssl/test_pkey.rb
@ -82,6 +82,9 @@ class OpenSSL::TestPKey < OpenSSL::PKeyTestCase
  end

  def test_ed25519
+    # Ed25519 is not FIPS-approved.
+    omit_on_fips
+
    # Test vector from RFC 8032 Section 7.1 TEST 2
    priv_pem = <<~EOF
    -----BEGIN PRIVATE KEY-----
@ -96,15 +99,11 @@ class OpenSSL::TestPKey < OpenSSL::PKeyTestCase
    begin
      priv = OpenSSL::PKey.read(priv_pem)
      pub = OpenSSL::PKey.read(pub_pem)
-    rescue OpenSSL::PKey::PKeyError
+    rescue OpenSSL::PKey::PKeyError => e
      # OpenSSL < 1.1.1
-      if !openssl?(1, 1, 1)
-        pend "Ed25519 is not implemented"
-      elsif OpenSSL.fips_mode && openssl?(3, 1, 0, 0)
-        # See OpenSSL providers/fips/fipsprov.c PROV_NAMES_ED25519 entries
-        # with FIPS_UNAPPROVED_PROPERTIES in OpenSSL 3.1+.
-        pend "Ed25519 is not approved in OpenSSL 3.1+ FIPS code"
-      end
+      pend "Ed25519 is not implemented" unless openssl?(1, 1, 1)
+
+      raise e
    end
    assert_instance_of OpenSSL::PKey::PKey, priv
    assert_instance_of OpenSSL::PKey::PKey, pub
@ -145,6 +144,32 @@ class OpenSSL::TestPKey < OpenSSL::PKeyTestCase
    assert_raise(OpenSSL::PKey::PKeyError) { priv.derive(pub) }
  end

+  def test_ed25519_not_approved_on_fips
+    omit_on_non_fips
+    # Ed25519 is technically allowed in the OpenSSL 3.0 code as a kind of bug.
+    # So, we need to omit OpenSSL 3.0.
+    #
+    # See OpenSSL providers/fips/fipsprov.c PROV_NAMES_ED25519 entries with
+    # FIPS_DEFAULT_PROPERTIES on openssl-3.0 branch and
+    # FIPS_UNAPPROVED_PROPERTIES on openssl-3.1 branch.
+    #
+    # See also
+    # https://github.com/openssl/openssl/issues/20758#issuecomment-1639658102
+    # for details.
+    unless openssl?(3, 1, 0, 0)
+      omit 'Ed25519 is allowed in the OpenSSL 3.0 FIPS code as a kind of bug'
+    end
+
+    priv_pem = <<~EOF
+    -----BEGIN PRIVATE KEY-----
+    MC4CAQAwBQYDK2VwBCIEIEzNCJso/5banbbDRuwRTg9bijGfNaumJNqM9u1PuKb7
+    -----END PRIVATE KEY-----
+    EOF
+    assert_raise(OpenSSL::PKey::PKeyError) do
+      OpenSSL::PKey.read(priv_pem)
+    end
+  end
+
  def test_x25519
    # Test vector from RFC 7748 Section 6.1
    alice_pem = <<~EOF
--- a/test/openssl/utils.rb
+++ b/test/openssl/utils.rb
@ -139,6 +139,26 @@ class OpenSSL::TestCase < Test::Unit::TestCase
    # OpenSSL error stack must be empty
    assert_equal([], OpenSSL.errors)
  end
+
+  # Omit the tests in FIPS.
+  #
+  # For example, the password based encryption used in the PEM format uses MD5
+  # for deriving the encryption key from the password, and MD5 is not
+  # FIPS-approved.
+  #
+  # See https://github.com/openssl/openssl/discussions/21830#discussioncomment-6865636
+  # for details.
+  def omit_on_fips
+    return unless OpenSSL.fips_mode
+
+    omit 'An encryption used in the test is not FIPS-approved'
+  end
+
+  def omit_on_non_fips
+    return if OpenSSL.fips_mode
+
+    omit "Only for OpenSSL FIPS"
+  end
 end

 class OpenSSL::SSLTestCase < OpenSSL::TestCase