mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-23 23:50:03 -06:00
b8947b829b
The test ipatests/test_integration/test_fips.py is faking FIPS mode and calls "openssl md5" to ensure the algo is not available in the fake FIPS mode. The error message has been updated with openssl-3.0.5-5. In the past the command used to return: $ openssl md5 /dev/null Error setting digest 140640350118336:error:060800C8:digital envelope routines:EVP_DigestInit_ex:disabled for FIPS:crypto/evp/digest.c:147: And now it returns: $ openssl md5 /dev/null Error setting digest 00C224822E7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (MD5 : 97), Properties () 00C224822E7F0000:error:03000086:digital envelope routines:evp_md_init_internal:initialization error:crypto/evp/digest.c:252: To be compatible with all versions, only check the common part: Error setting digest Mark the test as xfail since installation is currently not working. Related: https://pagure.io/freeipa/issue/9002 Signed-off-by: Florence Blanc-Renaud <flo@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
77 lines
2.4 KiB
Python
77 lines
2.4 KiB
Python
#
|
|
# Copyright (C) 2019 FreeIPA Contributors see COPYING for license
|
|
#
|
|
"""FIPS testing helpers
|
|
|
|
Based on userspace FIPS mode by Ondrej Moris.
|
|
|
|
Userspace FIPS mode fakes a Kernel in FIPS enforcing mode. User space
|
|
programs behave like the Kernel was booted in FIPS enforcing mode. Kernel
|
|
space code still runs in standard mode.
|
|
"""
|
|
import os
|
|
from ipaplatform.paths import paths
|
|
|
|
FIPS_OVERLAY_DIR = "/var/tmp/userspace-fips"
|
|
FIPS_OVERLAY = os.path.join(FIPS_OVERLAY_DIR, "fips_enabled")
|
|
SYSTEM_FIPS = "/etc/system-fips"
|
|
|
|
|
|
def is_fips_enabled(host):
|
|
"""Check if host has """
|
|
result = host.run_command(
|
|
["cat", paths.PROC_FIPS_ENABLED], raiseonerr=False
|
|
)
|
|
if result.returncode == 1:
|
|
# FIPS mode not available
|
|
return None
|
|
elif result.returncode == 0:
|
|
return result.stdout_text.strip() == "1"
|
|
else:
|
|
raise RuntimeError(result.stderr_text)
|
|
|
|
|
|
def enable_userspace_fips(host):
|
|
# create /etc/system-fips
|
|
host.put_file_contents(SYSTEM_FIPS, "# userspace fips\n")
|
|
# fake Kernel FIPS mode with bind mount
|
|
host.run_command(["mkdir", "-p", FIPS_OVERLAY_DIR])
|
|
host.put_file_contents(FIPS_OVERLAY, "1\n")
|
|
host.run_command(
|
|
["chcon", "-t", "sysctl_crypto_t", "-u", "system_u", FIPS_OVERLAY]
|
|
)
|
|
host.run_command(
|
|
["mount", "--bind", FIPS_OVERLAY, paths.PROC_FIPS_ENABLED]
|
|
)
|
|
# set crypto policy to FIPS mode
|
|
host.run_command(["update-crypto-policies", "--show"])
|
|
host.run_command(["update-crypto-policies", "--set", "FIPS"])
|
|
# sanity check
|
|
assert is_fips_enabled(host)
|
|
result = host.run_command(
|
|
["openssl", "md5", "/dev/null"], raiseonerr=False
|
|
)
|
|
assert result.returncode == 1
|
|
assert "Error setting digest" in result.stderr_text
|
|
|
|
|
|
def disable_userspace_fips(host):
|
|
host.run_command(["rm", "-f", SYSTEM_FIPS])
|
|
host.run_command(["update-crypto-policies", "--set", "DEFAULT"])
|
|
result = host.run_command(
|
|
["umount", paths.PROC_FIPS_ENABLED], raiseonerr=False
|
|
)
|
|
host.run_command(["rm", "-rf", FIPS_OVERLAY_DIR])
|
|
if result.returncode != 0:
|
|
raise RuntimeError(result.stderr_text)
|
|
|
|
# sanity check
|
|
assert not is_fips_enabled(host)
|
|
host.run_command(["openssl", "md5", "/dev/null"])
|
|
|
|
|
|
def enable_crypto_subpolicy(host, subpolicy):
|
|
result = host.run_command(["update-crypto-policies", "--show"])
|
|
policy = result.stdout_text.strip() + ":" + subpolicy
|
|
host.run_command(["update-crypto-policies", "--set", policy])
|