From b6816ddd1901de9da5124a1170ade15f1812b7b6 Mon Sep 17 00:00:00 2001 From: Thomas Powell Date: Fri, 18 Jul 2025 13:41:27 -0400 Subject: [PATCH 1/5] Test openssl versions Signed-off-by: Thomas Powell --- omnibus/verification/verify.rb | 78 ++++++++++++++++++++++++++++++++-- 1 file changed, 74 insertions(+), 4 deletions(-) diff --git a/omnibus/verification/verify.rb b/omnibus/verification/verify.rb index f8ac8b27c..f354029ec 100644 --- a/omnibus/verification/verify.rb +++ b/omnibus/verification/verify.rb @@ -305,7 +305,7 @@ def components # https://github.com/chef/chef-cli/issues/420 c.gem_base_dir = "chef" - test = <<-EOF.gsub(/^\s+/, "") + ssl_connectivity_test = <<-EOF.gsub(/^\s+/, "") require "net/http" unless defined?(Net::HTTP) uris = %w{https://www.google.com https://chef.io/ https://ec2.amazonaws.com} 
@@ -316,13 +316,83 @@ def components end EOF + openssl_version_test = <<-EOF.gsub(/^\s+/, "") + require "openssl" + + # Test that Ruby's OpenSSL library version matches 3.2.4 + puts "OpenSSL library version: \#{OpenSSL::OPENSSL_LIBRARY_VERSION}" + expected_version = "3.2.4" + unless OpenSSL::OPENSSL_LIBRARY_VERSION.include?(expected_version) + raise "Expected OpenSSL library version to include \#{expected_version}, got: \#{OpenSSL::OPENSSL_LIBRARY_VERSION}" + end + puts "✓ OpenSSL library version check passed" + + # Test that FIPS mode can be activated + begin + # Check if FIPS mode can be enabled (this will fail if FIPS provider is not available) + original_fips_mode = OpenSSL.fips_mode + puts "Original FIPS mode: \#{original_fips_mode}" + + # Try to enable FIPS mode + OpenSSL.fips_mode = true + puts "FIPS mode enabled: \#{OpenSSL.fips_mode}" + + # Try to disable FIPS mode + OpenSSL.fips_mode = false + puts "FIPS mode disabled: \#{OpenSSL.fips_mode}" + + puts "✓ FIPS mode activation/deactivation test passed" + rescue => e + raise "FIPS mode test failed: \#{e.message}" + end + EOF + c.unit_test do tmpdir do |cwd| - with_file(File.join(cwd, "openssl.rb")) do |f| - f.write test + with_file(File.join(cwd, "openssl_connectivity.rb")) do |f| + f.write ssl_connectivity_test end - sh!("#{Gem.ruby} openssl.rb", cwd: cwd) + sh!("#{Gem.ruby} openssl_connectivity.rb", cwd: cwd) + + with_file(File.join(cwd, "openssl_version.rb")) do |f| + f.write openssl_version_test + end + sh!("#{Gem.ruby} openssl_version.rb", cwd: cwd) + end + end + + c.smoke_test do + # Test OpenSSL executable version and providers + result = sh!("#{embedded_bin("openssl")} version") + puts "OpenSSL executable version: #{result.stdout.strip}" + + unless result.stdout.include?("3.2.4") + raise "Expected OpenSSL executable version to include 3.2.4, got: #{result.stdout.strip}" + end + puts "✓ OpenSSL executable version check passed" + + # Test that providers are available + providers_result = 
sh!("#{embedded_bin("openssl")} list -providers") + puts "Available providers:" + puts providers_result.stdout + + # Check for default provider (3.2.4) + unless providers_result.stdout.include?("default") + raise "Default provider not found in OpenSSL providers list" + end + puts "✓ Default provider found" + + # Check for legacy provider (3.2.4) + unless providers_result.stdout.include?("legacy") + raise "Legacy provider not found in OpenSSL providers list" + end + puts "✓ Legacy provider found" + + # Check for FIPS provider (3.0.9) + unless providers_result.stdout.include?("fips") + raise "FIPS provider not found in OpenSSL providers list" end + puts "✓ FIPS provider found" end end From dbae25d72277c085596608afeba0002a05d58001 Mon Sep 17 00:00:00 2001 From: Thomas Powell Date: Fri, 18 Jul 2025 16:38:50 -0400 Subject: [PATCH 2/5] Only test fips for fips platforms Signed-off-by: Thomas Powell --- omnibus/verification/verify.rb | 56 +++++++++++++++++++++++++++++++--- 1 file changed, 51 insertions(+), 5 deletions(-) diff --git a/omnibus/verification/verify.rb b/omnibus/verification/verify.rb index f354029ec..c0d72ef2e 100644 --- a/omnibus/verification/verify.rb +++ b/omnibus/verification/verify.rb 
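Review bot: The provider checks at the end of the new smoke_test are bare substring matches — `providers_result.stdout.include?("default")`, `include?("legacy")`, `include?("fips")` — so any line of the `openssl list -providers` output that merely contains the word satisfies them, and nothing confirms the provider is actually loaded rather than named. That command prints a `status: active` line under each provider; matching the provider name at the start of a line (for example `providers_result.stdout.match?(/^\s*fips\s*$/)`) and checking for its status line would make the assertion meaningful. The version literal 3.2.4 is repeated in the heredoc's `expected_version`, in its raise message, and twice in the smoke test; hoisting it into one constant next to the heredocs (ideally taken from wherever the omnibus build pins OpenSSL, if that is reachable from this file) stops the checks drifting on the next bump. The comments `# Check for default provider (3.2.4)` and `# Check for FIPS provider (3.0.9)` cite versions the code never asserts, so either read them from the `version:` lines of the provider listing or drop the parentheticals. The component block and its enclosing `def components` continue outside the hunk.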
@@ -73,6 +73,33 @@ def components self.class.components end + # Check if the current platform is a FIPS-enabled platform based on + # BUILDKITE_LABEL and the fips-platforms configuration in .expeditor/release.omnibus.yml + # + # FIPS platforms are: + # - el-*-x86_64 (RHEL/CentOS/AlmaLinux/etc) + # - ubuntu-*-x86_64 (Ubuntu) + # - windows-* (Windows) + # + # Returns true if running on a FIPS platform, false otherwise. + # If BUILDKITE_LABEL is not set (e.g., local development), returns false. + def fips_platform? + buildkite_label = ENV["BUILDKITE_LABEL"] + return false unless buildkite_label + + # FIPS platforms from .expeditor/release.omnibus.yml: + # - el-*-x86_64 + # - ubuntu-*-x86_64 + # - windows-* + fips_patterns = [ + /^el-.*-x86_64$/, + /^ubuntu-.*-x86_64$/, + /^windows-.*$/ + ] + + fips_patterns.any? { |pattern| buildkite_label.match?(pattern) } + end + bundle_install_mutex = Mutex.new # @@ -326,8 +353,13 @@ def components raise "Expected OpenSSL library version to include \#{expected_version}, got: \#{OpenSSL::OPENSSL_LIBRARY_VERSION}" end puts "✓ OpenSSL library version check passed" + EOF + + # Only test FIPS mode on FIPS-enabled platforms + openssl_fips_test = <<-EOF.gsub(/^\s+/, "") + require "openssl" - # Test that FIPS mode can be activated + # Test that FIPS mode can be activated (only on FIPS platforms) begin # Check if FIPS mode can be enabled (this will fail if FIPS provider is not available) original_fips_mode = OpenSSL.fips_mode @@ -358,6 +390,16 @@ def components f.write openssl_version_test end sh!("#{Gem.ruby} openssl_version.rb", cwd: cwd) + + # Only test FIPS mode on FIPS-enabled platforms + if fips_platform? + with_file(File.join(cwd, "openssl_fips.rb")) do |f| + f.write openssl_fips_test + end + sh!("#{Gem.ruby} openssl_fips.rb", cwd: cwd) + else + puts "ℹ FIPS mode test skipped (non-FIPS platform)" + end end end 
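Review bot: The comment on fips_platform? says the platform list is based on the fips-platforms entry in .expeditor/release.omnibus.yml, but the method hard-codes three regexes and never reads that file, so the two lists will drift the next time a platform is added; loading the YAML with `YAML.safe_load` and deriving the patterns from the `fips-platforms` key (or at least documenting that the two must be changed in lock-step) would remove that risk. In Ruby `^` and `$` match line boundaries, not the whole string — `\A` and `\z` express the intended full-label match — although patch 5 in this series rewrites these patterns anyway. Returning false when `BUILDKITE_LABEL` is unset means every local or non-Buildkite run silently skips the FIPS assertions; an explicit opt-in (an environment variable whose name the project would have to choose) would let the checks be exercised off-CI. Patch 3 moves this method verbatim into component_test.rb, so the same notes apply to that hunk.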
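Review bot: The else branch prints `ℹ FIPS mode test skipped (non-FIPS platform)` whenever `fips_platform?` is false, which is also the case when `BUILDKITE_LABEL` is simply unset, so a pipeline change that drops the label looks identical to a legitimate non-FIPS run and the FIPS assertions silently disappear from the verification. Including the label in the message, `puts "ℹ FIPS mode test skipped (BUILDKITE_LABEL=#{ENV["BUILDKITE_LABEL"].inspect} is not a FIPS platform)"`, makes the skip auditable from the build log, and failing instead of skipping when the label is absent on CI would be safer still. The same applies to the skip message in this patch's -388 smoke_test hunk. The unit_test block and its enclosing `def components` continue outside the hunk.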
@@ -388,11 +430,15 @@ def components end puts "✓ Legacy provider found" - # Check for FIPS provider (3.0.9) - unless providers_result.stdout.include?("fips") - raise "FIPS provider not found in OpenSSL providers list" + # Check for FIPS provider (3.0.9) only on FIPS-enabled platforms + if fips_platform? + unless providers_result.stdout.include?("fips") + raise "FIPS provider not found in OpenSSL providers list on FIPS platform" + end + puts "✓ FIPS provider found (FIPS platform detected)" + else + puts "ℹ FIPS provider check skipped (non-FIPS platform)" end - puts "✓ FIPS provider found" end end From 6f1690baddd5f57e10d36191174bdefa114cded8 Mon Sep 17 00:00:00 2001 From: Thomas Powell Date: Mon, 21 Jul 2025 08:45:02 -0400 Subject: [PATCH 3/5] Move fips_platform? around Signed-off-by: Thomas Powell --- omnibus/verification/component_test.rb | 27 ++++++++++++++++++++++++++ omnibus/verification/verify.rb | 27 -------------------------- 2 files changed, 27 insertions(+), 27 deletions(-) diff --git a/omnibus/verification/component_test.rb b/omnibus/verification/component_test.rb index f07cd7497..8ad302e91 100644 --- a/omnibus/verification/component_test.rb +++ b/omnibus/verification/component_test.rb 
@@ -91,6 +91,33 @@ def embedded_bin(binary) File.join(omnibus_embedded_bin_dir, binary) end + # Check if the current platform is a FIPS-enabled platform based on + # BUILDKITE_LABEL and the fips-platforms configuration in .expeditor/release.omnibus.yml + # + # FIPS platforms are: + # - el-*-x86_64 (RHEL/CentOS/AlmaLinux/etc) + # - ubuntu-*-x86_64 (Ubuntu) + # - windows-* (Windows) + # + # Returns true if running on a FIPS platform, false otherwise. + # If BUILDKITE_LABEL is not set (e.g., local development), returns false. + def fips_platform? + buildkite_label = ENV["BUILDKITE_LABEL"] + return false unless buildkite_label + + # FIPS platforms from .expeditor/release.omnibus.yml: + # - el-*-x86_64 + # - ubuntu-*-x86_64 + # - windows-* + fips_patterns = [ + /^el-.*-x86_64$/, + /^ubuntu-.*-x86_64$/, + /^windows-.*$/ + ] + + fips_patterns.any? { |pattern| buildkite_label.match?(pattern) } + end + def sh(command, options = {}) puts command combined_opts = default_command_options.merge(options) diff --git a/omnibus/verification/verify.rb b/omnibus/verification/verify.rb index c0d72ef2e..d8102a736 100644 --- a/omnibus/verification/verify.rb +++ b/omnibus/verification/verify.rb 
@@ -73,33 +73,6 @@ def components self.class.components end - # Check if the current platform is a FIPS-enabled platform based on - # BUILDKITE_LABEL and the fips-platforms configuration in .expeditor/release.omnibus.yml - # - # FIPS platforms are: - # - el-*-x86_64 (RHEL/CentOS/AlmaLinux/etc) - # - ubuntu-*-x86_64 (Ubuntu) - # - windows-* (Windows) - # - # Returns true if running on a FIPS platform, false otherwise. - # If BUILDKITE_LABEL is not set (e.g., local development), returns false. - def fips_platform? - buildkite_label = ENV["BUILDKITE_LABEL"] - return false unless buildkite_label - - # FIPS platforms from .expeditor/release.omnibus.yml: - # - el-*-x86_64 - # - ubuntu-*-x86_64 - # - windows-* - fips_patterns = [ - /^el-.*-x86_64$/, - /^ubuntu-.*-x86_64$/, - /^windows-.*$/ - ] - - fips_patterns.any? { |pattern| buildkite_label.match?(pattern) } - end - bundle_install_mutex = Mutex.new # From 0544d1407268549f39872177c3ac4f562ec93cce Mon Sep 17 00:00:00 2001 From: Thomas Powell Date: Mon, 21 Jul 2025 09:51:04 -0400 Subject: [PATCH 4/5] avoid nil return Signed-off-by: Thomas Powell --- omnibus/verification/verify.rb | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/omnibus/verification/verify.rb b/omnibus/verification/verify.rb index d8102a736..bc1296131 100644 --- a/omnibus/verification/verify.rb +++ b/omnibus/verification/verify.rb 
@@ -353,27 +353,29 @@ def components EOF c.unit_test do + last_result = nil tmpdir do |cwd| with_file(File.join(cwd, "openssl_connectivity.rb")) do |f| f.write ssl_connectivity_test end - sh!("#{Gem.ruby} openssl_connectivity.rb", cwd: cwd) + last_result = sh!("#{Gem.ruby} openssl_connectivity.rb", cwd: cwd) with_file(File.join(cwd, "openssl_version.rb")) do |f| f.write openssl_version_test end - sh!("#{Gem.ruby} openssl_version.rb", cwd: cwd) + last_result = sh!("#{Gem.ruby} openssl_version.rb", cwd: cwd) # Only test FIPS mode on FIPS-enabled platforms if fips_platform? with_file(File.join(cwd, "openssl_fips.rb")) do |f| f.write openssl_fips_test end - sh!("#{Gem.ruby} openssl_fips.rb", cwd: cwd) + last_result = sh!("#{Gem.ruby} openssl_fips.rb", cwd: cwd) else puts "ℹ FIPS mode test skipped (non-FIPS platform)" end end + last_result end c.smoke_test do @@ -412,6 +414,7 @@ def components else puts "ℹ FIPS provider check skipped (non-FIPS platform)" end + providers_result end end From 9a49a05cb615c86a4212987e2ef0be8160b0aeb4 Mon Sep 17 00:00:00 2001 From: Thomas Powell Date: Mon, 21 Jul 2025 10:40:09 -0400 Subject: [PATCH 5/5] Fix fips_platform regex Signed-off-by: Thomas Powell --- omnibus/verification/component_test.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/omnibus/verification/component_test.rb b/omnibus/verification/component_test.rb index 8ad302e91..9420698a8 100644 --- a/omnibus/verification/component_test.rb +++ b/omnibus/verification/component_test.rb @@ -110,9 +110,9 @@ def fips_platform? # - ubuntu-*-x86_64 # - windows-* fips_patterns = [ - /^el-.*-x86_64$/, - /^ubuntu-.*-x86_64$/, - /^windows-.*$/ + / el-.*-x86_64/, + / ubuntu-.*-x86_64/, + / windows-.*/ ] fips_patterns.any? { |pattern| buildkite_label.match?(pattern) }
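Review bot: Replacing the anchors with a leading space, `/ el-.*-x86_64/`, makes a label that is exactly `el-8-x86_64` (no prefix) stop matching, while the greedy `.*` lets the pattern match any label that contains ` el-` anywhere before a later `-x86_64`, so fips_platform? is now both too strict and too loose relative to the list documented in the comment above it. Matching whitespace-delimited tokens keeps both properties: `fips_patterns = [/\Ael-.*-x86_64\z/, /\Aubuntu-.*-x86_64\z/, /\Awindows-/]` and `buildkite_label.split.any? { |tok| fips_patterns.any? { |p| tok.match?(p) } }`. The header comment on fips_platform? (outside this hunk) should also state what shape `BUILDKITE_LABEL` is expected to have, since the leading-space requirement is only explicable by a prefix in that label. fips_platform? starts outside the hunk.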