Ensure FIPS compliant mode by ensure_fips option (#4720)

ensure_fips option checks whether FIPS mode is
enabled by OpenSSL side.
If FIPS is not enabled in OpenSSL side, it raise an error
when ensure_fips true.

NOTE: If FIPS mode is enabled, ensure_fips does nothing.

Closes: #3121

Signed-off-by: Kentaro Hayashi <hayashi@clear-code.com>

Author: kenhys

lib/fluent/plugin_helper/cert_option.rb

@@ -37,6 +37,12 @@ def cert_option_create_context(version, insecure, ciphers, conf)
           ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
         end
 
+        if conf.ensure_fips
+          unless OpenSSL.fips_mode
+            raise Fluent::ConfigError, "Cannot enable FIPS compliant mode. OpenSSL FIPS configuration is disabled"
+          end
+        end
+
         ctx.ca_file = conf.ca_path
         ctx.cert = cert
         ctx.key = key

lib/fluent/plugin_helper/server.rb

@@ -251,6 +251,7 @@ def server_create_for_tls_connection(shared, bind, port, conf, backlog, socket_o
         :generate_cert_country, :generate_cert_state, :generate_cert_state,
         :generate_cert_locality, :generate_cert_common_name,
         :generate_cert_expiration, :generate_cert_digest,
+        :ensure_fips,
       ]
 
       def server_create_transport_section_object(opts)
@@ -294,6 +295,7 @@ module ServerTransportParams
           config_param :max_version, :enum, list: Fluent::TLS::SUPPORTED_VERSIONS, default: nil
           config_param :ciphers, :string, default: Fluent::TLS::CIPHERS_DEFAULT
           config_param :insecure, :bool, default: false
+          config_param :ensure_fips, :bool, default: false
 
           # Cert signed by public CA
           config_param :ca_path, :string, default: nil

test/plugin_helper/test_cert_option.rb

@@ -1,11 +1,16 @@
 require_relative '../helper'
+require 'fluent/plugin_helper/server'
 require 'fluent/plugin_helper/cert_option'
 
 class CertOptionPluginHelperTest < Test::Unit::TestCase
   class Dummy < Fluent::Plugin::TestBase
     helpers :cert_option
   end
 
+  class DummyServer < Fluent::Plugin::TestBase
+    helpers :server
+  end
+
   test 'can load PEM encoded certificate file' do
     d = Dummy.new
     certs = d.cert_option_certificates_from_file("test/plugin_helper/data/cert/cert.pem")
@@ -22,4 +27,42 @@ class Dummy < Fluent::Plugin::TestBase
       d.cert_option_certificates_from_file("test/plugin_helper/data/cert/empty.pem")
     end
   end
+
+  sub_test_case "ensure OpenSSL FIPS mode" do
+    setup do
+      cert_dir = File.expand_path(File.join(File.dirname(__FILE__), "../plugin_helper/data/cert/"))
+      @tls_options = {
+        cert_path: File.join(cert_dir, "cert.pem"),
+        private_key_path: File.join(cert_dir, "cert-key.pem"),
+      }
+      @d = DummyServer.new
+    end
+
+    data(
+      enabled_fips_mode: [true, true, nil],
+      skip_checking_fips_mode: [true, false, nil],
+      block_incompatible_fips_mode: [false, true,
+                                     Fluent::ConfigError.new("Cannot enable FIPS compliant mode. OpenSSL FIPS configuration is disabled")],
+      not_care_fips_mode: [false, false, nil]
+    )
+    test 'ensure FIPS error' do |(fips_mode, ensure_fips, expected)|
+      stub(OpenSSL).fips_mode { fips_mode }
+      conf = @d.server_create_transport_section_object(@tls_options.merge({ensure_fips: ensure_fips}))
+      if expected
+        assert_raise(expected) do
+          @d.cert_option_create_context(Fluent::TLS::DEFAULT_VERSION,
+                                        false,
+                                        Fluent::TLS::CIPHERS_DEFAULT,
+                                        conf)
+        end
+      else
+        assert_nothing_raised do
+          @d.cert_option_create_context(Fluent::TLS::DEFAULT_VERSION,
+                                        false,
+                                        Fluent::TLS::CIPHERS_DEFAULT,
+                                        conf)
+        end
+      end
+    end
+  end
 end