From fd3e3e722f4c5195be50efa6004315b268ab8dfe Mon Sep 17 00:00:00 2001 From: Jun Aruga Date: Mon, 24 Feb 2025 16:23:25 +0100 Subject: [PATCH] Use ENV["TEST_RUBY_OPENSSL_FIPS_ENABLED"] instead of OpenSSL::OPENSSL_FIPS. As OpenSSL::OPENSSL_FIPS always returns true on OpenSSL >= 3.0.0, we cannot use this constant as a flag to check whether the OpenSSL is FIPS or not. See . Skip the test_fips_mode_get_with_fips_mode_set test in AWS-LC case. Because we don't test `OpenSSL.fips_mode=` on AWS-LC for now. We cannot change the value of the `OpenSSL.fips_mode` on AWS-LC. The `OpenSSL.fips_mode` in AWS-LC behaves as follows. On AWS-LC non-FIPS: ``` $ bundle exec ruby -I ./lib -ropenssl.so -e 'p OpenSSL.fips_mode' false $ bundle exec ruby -I ./lib -ropenssl.so -e 'OpenSSL.fips_mode = true; p OpenSSL.fips_mode' -e:1:in 'OpenSSL.fips_mode=': Turning on FIPS mode failed (OpenSSL::OpenSSLError) from -e:1:in '
' $ bundle exec ruby -I ./lib -ropenssl.so -e 'OpenSSL.fips_mode = false; p OpenSSL.fips_mode' false ``` On AWS-LC FIPS: ``` $ bundle exec ruby -I ./lib -ropenssl.so -e 'p OpenSSL.fips_mode' true $ bundle exec ruby -I ./lib -ropenssl.so -e 'OpenSSL.fips_mode = false; p OpenSSL.fips_mode' -e:1:in 'OpenSSL.fips_mode=': Turning off FIPS mode failed (OpenSSL::OpenSSLError) from -e:1:in '
' $ bundle exec ruby -I ./lib -ropenssl.so -e 'OpenSSL.fips_mode = true; p OpenSSL.fips_mode' true ```
---
 test/openssl/test_fips.rb | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/test/openssl/test_fips.rb b/test/openssl/test_fips.rb
index 8a33cecdd..efc2655e2 100644
--- a/test/openssl/test_fips.rb
+++ b/test/openssl/test_fips.rb
@@ -37,7 +37,10 @@ def test_fips_mode_is_reentrant
 end
 def test_fips_mode_get_with_fips_mode_set
- omit('OpenSSL is not FIPS-capable') unless OpenSSL::OPENSSL_FIPS and !aws_lc? # AWS-LC's FIPS mode is decided at compile time.
+ return if aws_lc? # AWS-LC's FIPS mode is decided at compile time.
+ unless ENV["TEST_RUBY_OPENSSL_FIPS_ENABLED"]
+ omit "Only for FIPS mode environment"
+ end
 assert_separately(["-ropenssl"], <<~"end;")
 begin