From c9317a0e7cd62bde57fede4cb400cc09bf85951f Mon Sep 17 00:00:00 2001
From: Kentaro Hayashi
Date: Wed, 3 Apr 2024 20:43:37 +0900
Subject: [PATCH] Ensure FIPS compliant mode by ensure_fips option

ensure_fips option checks whether FIPS mode is enabled by OpenSSL side. If FIPS is not enabled in OpenSSL side, it raise an error when ensure_fips true.

NOTE: If FIPS mode is enabled, ensure_fips does nothing.

Closes: #3121
Signed-off-by: Kentaro Hayashi
---
 lib/fluent/plugin_helper/cert_option.rb | 6 ++++
 lib/fluent/plugin_helper/server.rb | 2 ++
 test/plugin_helper/test_cert_option.rb | 45 +++++++++++++++++++++++++
 3 files changed, 53 insertions(+)

diff --git a/lib/fluent/plugin_helper/cert_option.rb b/lib/fluent/plugin_helper/cert_option.rb
index 8702f772c7..b325b14ad5 100644
--- a/lib/fluent/plugin_helper/cert_option.rb
+++ b/lib/fluent/plugin_helper/cert_option.rb
@@ -37,6 +37,12 @@ def cert_option_create_context(version, insecure, ciphers, conf)
 ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
 end
+ if conf.ensure_fips
+ unless OpenSSL.fips_mode
+ raise Fluent::ConfigError, "Cannot enable FIPS compliant mode. OpenSSL FIPS configuration is disabled"
+ end
+ end
+
 ctx.ca_file = conf.ca_path
 ctx.cert = cert
 ctx.key = key
diff --git a/lib/fluent/plugin_helper/server.rb b/lib/fluent/plugin_helper/server.rb
index 720ad46a15..35f478942a 100644
--- a/lib/fluent/plugin_helper/server.rb
+++ b/lib/fluent/plugin_helper/server.rb
@@ -251,6 +251,7 @@ def server_create_for_tls_connection(shared, bind, port, conf, backlog, socket_o
 :generate_cert_country, :generate_cert_state, :generate_cert_state, :generate_cert_locality, :generate_cert_common_name, :generate_cert_expiration, :generate_cert_digest,
+ :ensure_fips,
 ]
 def server_create_transport_section_object(opts)
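Review bot: The new `ensure_fips` guard in cert_option_create_context only asserts `OpenSSL.fips_mode`; it never turns FIPS mode on, and neither this hunk nor the `config_param :ensure_fips, :bool, default: false` declaration in server.rb says so, which the name "ensure" invites a reader to assume. Add a comment above the guard such as `# ensure_fips does not switch FIPS mode on; it only refuses to build a TLS context when OpenSSL reports FIPS mode off (OpenSSL.fips_mode false)`, and the same sentence next to the config_param. The check also runs after `cert` and `key` have already been loaded, and if cert_option_create_context is reached from the plugin's start rather than from configure (not visible here), the ConfigError surfaces at listen time instead of during configuration; checking before the certificate loading, or additionally in server_create_transport_section_object, would fail faster. cert_option_create_context begins before the hunk.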
@@ -294,6 +295,7 @@ module ServerTransportParams
 config_param :max_version, :enum, list: Fluent::TLS::SUPPORTED_VERSIONS, default: nil
 config_param :ciphers, :string, default: Fluent::TLS::CIPHERS_DEFAULT
 config_param :insecure, :bool, default: false
+ config_param :ensure_fips, :bool, default: false
 # Cert signed by public CA
 config_param :ca_path, :string, default: nil
diff --git a/test/plugin_helper/test_cert_option.rb b/test/plugin_helper/test_cert_option.rb
index df3c915cbe..de0c7f59d1 100644
--- a/test/plugin_helper/test_cert_option.rb
+++ b/test/plugin_helper/test_cert_option.rb
@@ -1,4 +1,5 @@
 require_relative '../helper'
+require 'fluent/plugin_helper/server'
 require 'fluent/plugin_helper/cert_option'
 class CertOptionPluginHelperTest < Test::Unit::TestCase
@@ -6,6 +7,10 @@ class Dummy < Fluent::Plugin::TestBase
 helpers :cert_option
 end
+ class DummyServer < Fluent::Plugin::TestBase
+ helpers :server
+ end
+
 test 'can load PEM encoded certificate file' do
 d = Dummy.new
 certs = d.cert_option_certificates_from_file("test/plugin_helper/data/cert/cert.pem")
@@ -22,4 +27,44 @@ class Dummy < Fluent::Plugin::TestBase d.cert_option_certificates_from_file("test/plugin_helper/data/cert/empty.pem") end end + + sub_test_case "ensure OpenSSL FIPS mode" do + setup do + cert_dir = File.expand_path(File.join(File.dirname(__FILE__), "../plugin_helper/data/cert/")) + @tls_options = { + cert_path: File.join(cert_dir, "cert.pem"), + private_key_path: File.join(cert_dir, "cert-key.pem"), + } + @d = DummyServer.new + end + + data( + ensure_fips_mode: + [true, true, nil], + conflicted_in_non_fips_mode: + [true, false, nil], + fips_mode_by_default: [false, true, + Fluent::ConfigError.new("Cannot enable FIPS compliant mode. OpenSSL FIPS configuration is disabled")], + not_care_fips_mode: [false, false, nil] + ) + test 'ensure FIPS error' do |(fips_mode, ensure_fips, expected)| + stub(OpenSSL).fips_mode { fips_mode } + conf = @d.server_create_transport_section_object(@tls_options.merge({ensure_fips: ensure_fips})) + if expected + assert_raise(expected) do + @d.cert_option_create_context(Fluent::TLS::DEFAULT_VERSION, + false, + Fluent::TLS::CIPHERS_DEFAULT, + conf) + end + else + assert_nothing_raised do + @d.cert_option_create_context(Fluent::TLS::DEFAULT_VERSION, + false, + Fluent::TLS::CIPHERS_DEFAULT, + conf) + end + end + end + end end
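Review bot: The data labels in the new 'ensure FIPS error' case do not describe the tuples they name when read against the block's `(fips_mode, ensure_fips, expected)` order: `conflicted_in_non_fips_mode` is `[true, false, nil]` (FIPS on, option off, nothing conflicts) and `fips_mode_by_default` is the one scenario that raises (`[false, true, ...]`). Renaming them after the pair they hold, e.g. `ensure_fips_in_fips_mode`, `no_ensure_in_fips_mode`, `ensure_fips_in_non_fips_mode` and `no_ensure_in_non_fips_mode`, keeps a failure report pointing at the right scenario. The cert_option_create_context call repeated in both branches of `if expected` could be written once as `build = -> { @d.cert_option_create_context(Fluent::TLS::DEFAULT_VERSION, false, Fluent::TLS::CIPHERS_DEFAULT, conf) }` above the branch. The four rows otherwise cover the full truth table, and stubbing `OpenSSL.fips_mode` keeps the test independent of the host's OpenSSL build.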