File: fips.rb

package info (click to toggle)
ruby-gitlab-labkit 0.36.1-2
  • links: PTS, VCS
  • area: main
  • in suites: experimental
  • size: 444 kB
  • sloc: ruby: 1,705; makefile: 6
file content (51 lines) | stat: -rw-r--r-- 1,445 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
 
# frozen_string_literal: true

module Labkit
  module Digest
    module SHA2
      def new(*args, &block)
        bitlen = args.first || 256
        ::OpenSSL::Digest.const_get("SHA#{bitlen}").new
      end
    end
  end

  class FIPS
    OPENSSL_DIGESTS = %i[SHA1 SHA256 SHA384 SHA512].freeze

    class << self
      # Returns whether we should be running in FIPS mode or not
      #
      # @return [Boolean]
      def enabled?
        # Check if it set manually to false
        return false if %w[0 false no].include?(ENV["FIPS_MODE"])

        # Otherwise allow it to be set manually via the env vars
        return true if %w[1 true yes].include?(ENV["FIPS_MODE"])

        # Otherwise, attempt to auto-detect FIPS mode from OpenSSL
        return true if OpenSSL.fips_mode

        false
      end

      # Swap Ruby's Digest::SHAx implementations for OpenSSL::Digest::SHAx.
      def enable_fips_mode!
        require "digest"
        require "digest/sha1"
        require "digest/sha2"

        ::Digest::SHA2.singleton_class.prepend(Labkit::Digest::SHA2)
        OPENSSL_DIGESTS.each { |alg| use_openssl_digest(alg, alg) }
      end

      private

      def use_openssl_digest(ruby_algorithm, openssl_algorithm)
        ::Digest.send(:remove_const, ruby_algorithm) # rubocop:disable GitlabSecurity/PublicSend
        ::Digest.const_set(ruby_algorithm, OpenSSL::Digest.const_get(openssl_algorithm, false))
      end
    end
  end
end