mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-01-16 11:21:56 -06:00
68 lines
2.1 KiB
Python
68 lines
2.1 KiB
Python
|
#
|
||
|
# Copyright (C) 2019 FreeIPA Contributors see COPYING for license
|
||
|
#
|
||
|
"""FIPS testing helpers
|
||
|
|
||
|
Based on userspace FIPS mode by Ondrej Moris.
|
||
|
|
||
|
Userspace FIPS mode fakes a Kernel in FIPS enforcing mode. User space
|
||
|
programs behave like the Kernel was booted in FIPS enforcing mode. Kernel
|
||
|
space code still runs in standard mode.
|
||
|
"""
|
||
|
import os
|
||
|
from ipaplatform.paths import paths
|
||
|
|
||
|
FIPS_OVERLAY_DIR = "/var/tmp/userspace-fips"
|
||
|
FIPS_OVERLAY = os.path.join(FIPS_OVERLAY_DIR, "fips_enabled")
|
||
|
SYSTEM_FIPS = "/etc/system-fips"
|
||
|
|
||
|
|
||
|
def is_fips_enabled(host):
|
||
|
"""Check if host has """
|
||
|
result = host.run_command(
|
||
|
["cat", paths.PROC_FIPS_ENABLED], raiseonerr=False
|
||
|
)
|
||
|
if result.returncode == 1:
|
||
|
# FIPS mode not available
|
||
|
return None
|
||
|
elif result.returncode == 0:
|
||
|
return result.stdout_text.strip() == "1"
|
||
|
else:
|
||
|
raise RuntimeError(result.stderr_text)
|
||
|
|
||
|
|
||
|
def enable_userspace_fips(host):
|
||
|
# create /etc/system-fips
|
||
|
host.put_file_contents(SYSTEM_FIPS, "# userspace fips\n")
|
||
|
# fake Kernel FIPS mode with bind mount
|
||
|
host.run_command(["mkdir", "-p", FIPS_OVERLAY_DIR])
|
||
|
host.put_file_contents(FIPS_OVERLAY, "1\n")
|
||
|
host.run_command(
|
||
|
["mount", "--bind", FIPS_OVERLAY, paths.PROC_FIPS_ENABLED]
|
||
|
)
|
||
|
# set crypto policy to FIPS mode
|
||
|
host.run_command(["update-crypto-policies", "--show"])
|
||
|
host.run_command(["update-crypto-policies", "--set", "FIPS"])
|
||
|
# sanity check
|
||
|
assert is_fips_enabled(host)
|
||
|
result = host.run_command(
|
||
|
["openssl", "md5", "/dev/null"], raiseonerr=False
|
||
|
)
|
||
|
assert result.returncode == 1
|
||
|
assert "EVP_DigestInit_ex:disabled for FIPS" in result.stderr_text
|
||
|
|
||
|
|
||
|
def disable_userspace_fips(host):
|
||
|
host.run_command(["rm", "-f", SYSTEM_FIPS])
|
||
|
host.run_command(["update-crypto-policies", "--set", "DEFAULT"])
|
||
|
result = host.run_command(
|
||
|
["umount", paths.PROC_FIPS_ENABLED], raiseonerr=False
|
||
|
)
|
||
|
host.run_command(["rm", "-rf", FIPS_OVERLAY_DIR])
|
||
|
if result.returncode != 0:
|
||
|
raise RuntimeError(result.stderr_text)
|
||
|
|
||
|
# sanity check
|
||
|
assert not is_fips_enabled(host)
|
||
|
host.run_command(["openssl", "md5", "/dev/null"])
|