Fix FIPS mode detection

[stanhu]

Description

Previously FIPS detection relied on the OpenSSL::OPENSSL_FIPS
constant being defined. However, on RedHat operating systems, this
constant is always defined in
/usr/include/openssl/opensslconf-x86_64.h. As a result, on such
operating systems FIPS mode would erroneously be labeled as enabled.
This constant is a necessary but not sufficient condition to determine
whether FIPS is actually enabled.

OpenSSL has a runtime fips_mode check
(https://wiki.openssl.org/index.php/FIPS_mode()) that should be used
instead. Ruby will use this if the OPENSSL_FIPS compile-time
constant is available:
https://github.com/ruby/ruby/blob/685efac05983dee44ce2d96c24f2fcb96a0aebe2/ext/openssl/ossl.c#L413-L428

Related Issue

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Chore (non-breaking change that does not add functionality or fix an issue)

Checklist:

• I have read the CONTRIBUTING document.
• I have run the pre-merge tests locally and they pass.
• I have updated the documentation accordingly.
• I have added tests to cover my changes.
• All new and existing tests passed.
• All commits have been signed-off for the Developer Certificate of Origin.

[stanhu]

Oh, I see this was reverted in ab6180b. OpenSSL v3.0 may not have fips_mode: https://wiki.openssl.org/index.php/OpenSSL_3.0

[sonarqubecloud]

Kudos, SonarCloud Quality Gate passed!   

0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells

No Coverage information
0.0% Duplication

[jaymzh]

LGTM. We ship with our own OpenSSL, so this should be fine.

[stanhu]

Thanks @jaymzh. What's left to merge this?