[CompactIndex] Disable when openssl is in fips mode

lib/bundler/fetcher/compact_index.rb

@@ -3,10 +3,10 @@
 require "bundler/worker"
 
 module Bundler
+  autoload :CompactIndexClient, "bundler/compact_index_client"
+
   class Fetcher
     class CompactIndex < Base
-      require "bundler/compact_index_client"
-
       def self.compact_index_request(method_name)
         method = instance_method(method_name)
         undef_method(method_name)
@@ -61,6 +61,7 @@ def fetch_spec(spec)
       compact_index_request :fetch_spec
 
       def available?
+        return nil unless md5_available?
         user_home = Bundler.user_home
         return nil unless user_home.directory? && user_home.writable?
         # Read info file checksums out of /versions, so we can know if gems are up to date
@@ -119,6 +120,17 @@ def call(path, headers)
           Net::HTTPNotModified.new(nil, nil, nil)
         end
       end
+
+      def md5_available?
+        begin
+          require "openssl"
+          return false if defined?(OpenSSL::OPENSSL_FIPS) && OpenSSL::OPENSSL_FIPS
+        rescue LoadError
+          nil
+        end
+
+        true
+      end
     end
   end
 end

spec/bundler/fetcher/compact_index_spec.rb

@@ -25,6 +25,22 @@
       compact_index.specs_for_names(["lskdjf"])
     end
 
+    describe "#available?" do
+      context "when OpenSSL is in FIPS mode", :ruby => ">= 2.0.0" do
+        before { stub_const("OpenSSL::OPENSSL_FIPS", true) }
+
+        it "returns false" do
+          expect(compact_index).to_not be_available
+        end
+
+        it "never requires digest/md5" do
+          expect(Kernel).to receive(:require).with("digest/md5").never
+
+          compact_index.available?
+        end
+      end
+    end
+
     context "logging" do
       before { allow(compact_index).to receive(:log_specs).and_call_original }