ruby: Enable OPENSSL_FIPS macro for system SSL builds
What does this MR do?
In the Ubuntu 18.04 FIPS builds, currently OpenSSL.fips_mode
is
false
, which prevents GitLab from entering FIPS mode.
Even though these builds properly link against the FIPS-enabled system
OpenSSL, this flag is false
because Ruby compiles out the dynamic
FIPS_mode()
checks (https://wiki.openssl.org/index.php/FIPS_mode())
unless the OPENSSL_FIPS
macro is defined (https://github.com/ruby/ruby/blob/7b6fde4258e700c0e0292bb091aa84a5e473342e/ext/openssl/ossl.c#L1157-L1163). In RedHat, OPENSSL_FIPS
is always
defined in /usr/include/openssl/opensslconf-x86_64.h
, but this is
not the case for Ubuntu. On non FIPS-systems, FIPS_mode()
should
return 0 (not available), so this compile-time guard should not be
necessary. For now, we only enable it for builds that link
against the system SSL.
Related issues
Checklist
See Definition of done.
For anything in this list which will not be completed, please provide a reason in the MR discussion
Required
-
Merge Request Title, and Description are up to date, accurate, and descriptive -
MR targeting the appropriate branch -
MR has a green pipeline on GitLab.com -
Pipeline is green on dev.gitlab.org if the change is touching anything besides documentation or internal cookbooks -
trigger-package
has a green pipeline running against latest commit
Expected (please provide an explanation if not completing)
-
Test plan indicating conditions for success has been posted and passes -
Documentation created/updated -
Tests added -
Integration tests added to GitLab QA -
Equivalent MR/issue for the GitLab Chart opened