IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2024-12-28 18:01:23 -06:00
Code Issues Packages Projects Releases Wiki Activity
6739d8722c
freeipa/ipatests/pytest_ipa/integration/fips.py
Christian Heimes 8124b1bd4c Test installation with (fake) userspace FIPS 
Based on userspace FIPS mode by Ondrej Moris.

Userspace FIPS mode fakes a Kernel in FIPS enforcing mode. User space
programs behave like the Kernel was booted in FIPS enforcing mode. Kernel
space code still runs in standard mode.

Fixes: https://pagure.io/freeipa/issue/8118
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-11-14 16:01:15 +01:00

68 lines
2.1 KiB
Python
Raw Blame History

#
# Copyright (C) 2019 FreeIPA Contributors see COPYING for license
#
"""FIPS testing helpers
Based on userspace FIPS mode by Ondrej Moris.
Userspace FIPS mode fakes a Kernel in FIPS enforcing mode. User space
programs behave like the Kernel was booted in FIPS enforcing mode. Kernel
space code still runs in standard mode.
"""
import os
from ipaplatform.paths import paths
FIPS_OVERLAY_DIR = "/var/tmp/userspace-fips"
FIPS_OVERLAY = os.path.join(FIPS_OVERLAY_DIR, "fips_enabled")
SYSTEM_FIPS = "/etc/system-fips"
def is_fips_enabled(host):
"""Check if host has """
result = host.run_command(
["cat", paths.PROC_FIPS_ENABLED], raiseonerr=False
)
if result.returncode == 1:
# FIPS mode not available
return None
elif result.returncode == 0:
return result.stdout_text.strip() == "1"
else:
raise RuntimeError(result.stderr_text)
def enable_userspace_fips(host):
# create /etc/system-fips
host.put_file_contents(SYSTEM_FIPS, "# userspace fips\n")
# fake Kernel FIPS mode with bind mount
host.run_command(["mkdir", "-p", FIPS_OVERLAY_DIR])
host.put_file_contents(FIPS_OVERLAY, "1\n")
host.run_command(
["mount", "--bind", FIPS_OVERLAY, paths.PROC_FIPS_ENABLED]
)
# set crypto policy to FIPS mode
host.run_command(["update-crypto-policies", "--show"])
host.run_command(["update-crypto-policies", "--set", "FIPS"])
# sanity check
assert is_fips_enabled(host)
result = host.run_command(
["openssl", "md5", "/dev/null"], raiseonerr=False
)
assert result.returncode == 1
assert "EVP_DigestInit_ex:disabled for FIPS" in result.stderr_text
def disable_userspace_fips(host):
host.run_command(["rm", "-f", SYSTEM_FIPS])
host.run_command(["update-crypto-policies", "--set", "DEFAULT"])
result = host.run_command(
["umount", paths.PROC_FIPS_ENABLED], raiseonerr=False
)
host.run_command(["rm", "-rf", FIPS_OVERLAY_DIR])
if result.returncode != 0:
raise RuntimeError(result.stderr_text)
# sanity check
assert not is_fips_enabled(host)
host.run_command(["openssl", "md5", "/dev/null"])
Reference in New Issue View Git Blame Copy Permalink