diff --git a/.gitignore b/.gitignore
index f421d61..fdff115 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,6 @@
-SOURCES/fipscheck-1.5.0.tar.bz2
+fipscheck-1.2.0.tar.bz2
+/fipscheck-1.3.0.tar.bz2
+/fipscheck-1.3.1.tar.bz2
+/fipscheck-1.4.0.tar.bz2
+/fipscheck-1.4.1.tar.bz2
 /fipscheck-1.5.0.tar.bz2
diff --git a/tests/fipscheck/Makefile b/tests/fipscheck/Makefile
new file mode 100644
index 0000000..d8149e1
--- /dev/null
+++ b/tests/fipscheck/Makefile
@@ -0,0 +1,61 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# Makefile of /CoreOS/fipscheck/Sanity/fipscheck
+# Description: Test fipscheck helper tool
+# Author: Ondrej Moris
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2013 Red Hat, Inc. All rights reserved.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/fipscheck/Sanity/fipscheck
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+ ./runtest.sh
+
+build: $(BUILT_FILES)
+ test -x runtest.sh || chmod a+x runtest.sh
+
+clean:
+ rm -f *~ $(BUILT_FILES)
+
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+ @echo "Owner: Ondrej Moris " > $(METADATA)
+ @echo "Name: $(TEST)" >> $(METADATA)
+ @echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
+ @echo "Path: $(TEST_DIR)" >> $(METADATA)
+ @echo "Description: Test fipscheck helper tool" >> $(METADATA)
+ @echo "Type: Sanity" >> $(METADATA)
+ @echo "TestTime: 15m" >> $(METADATA)
+ @echo "RunFor: fipscheck" >> $(METADATA)
+ @echo "Requires: fipscheck fipscheck-lib" >> $(METADATA)
+ @echo "Priority: Normal" >> $(METADATA)
+ @echo "License: GPLv2" >> $(METADATA)
+ @echo "Confidential: no" >> $(METADATA)
+ @echo "Destructive: no" >> $(METADATA)
+
+ rhts-lint $(METADATA)
diff --git a/tests/fipscheck/PURPOSE b/tests/fipscheck/PURPOSE
new file mode 100644
index 0000000..ddfac49
--- /dev/null
+++ b/tests/fipscheck/PURPOSE
@@ -0,0 +1,5 @@
+PURPOSE of /CoreOS/fipscheck/Sanity/fipscheck
+Description: Test fipscheck helper tool
+Author: Ondrej Moris
+
+Test fipscheck functionality, supported parameters as well as all return codes.
diff --git a/tests/fipscheck/runtest.sh b/tests/fipscheck/runtest.sh
new file mode 100755
index 0000000..956c95a
--- /dev/null
+++ b/tests/fipscheck/runtest.sh
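Review bot: `run` and `build` are command targets rather than files, yet the `.PHONY` line in tests/fipscheck/Makefile lists only `all install download clean`, so a stray file named `run` or `build` in the test directory would make `make run` skip the recipe; change it to `.PHONY: all install download clean run build`. The same `.PHONY` line appears in tests/fipshmac/Makefile and tests/library/Makefile. The `Requires:` line names only `fipscheck fipscheck-lib`, while this test's runtest.sh also invokes `useradd` and `runuser`; if the Beaker image does not guarantee the packages that provide them, they belong in `Requires:` too.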
@@ -0,0 +1,138 @@
+#!/bin/bash
+# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# runtest.sh of /CoreOS/fipscheck/Sanity/fipscheck
+# Description: Test fipscheck helper tool.
+# Author: Ondrej Moris
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2014 Red Hat, Inc. All rights reserved.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/bin/rhts-environment.sh || exit 1
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="fipscheck"
+
+rlJournalStart
+
+ rlPhaseStartSetup
+
+ rlCheckRpm "fipscheck" || rlDie
+ rlCheckRpm "fipscheck-lib" || rlDie
+
+ tmpdir=$(mktemp -d)
+
+ rlRun "chmod a+rwx $tmpdir" 0
+ rlRun "pushd $tmpdir" 0
+
+ echo 'hmac' >hmac
+ echo 'suffixhmac' >suffixhmac
+ echo 'incorrecthmac' >incorrecthmac
+ echo 'emptyhmac' >emptyhmac
+
+ rlRun "fipshmac hmac" 0
+ rlRun "fipshmac -s .suffix suffixhmac" 0
+ rlRun "fipshmac incorrecthmac && echo 'X' >.incorrecthmac.hmac" 0
+ rlRun "fipshmac emptyhmac && echo '' >.emptyhmac.hmac" 0
+
+ fipscheck_hmac=$(rpm -ql fipscheck | egrep '\.hmac')
+ fipscheck_libs_all=$(rpm -ql fipscheck-lib | grep so | grep -v hmac | tr '\n' ' ')
+ fipscheck_libs_some_hmac=$(rpm -ql fipscheck-lib | egrep '\.hmac' | head -1)
+
+ rlRun "useradd testuser" 0
+
+ rlPhaseEnd
+
+ rlPhaseStartTest "Integrity"
+
+ rlCheckRpm "prelink" && rlRun "prelink -ua" 0
+ rlRun "fipscheck /usr/bin/fipscheck $fipscheck_libs_all" 0
+
+ rlPhaseEnd
+
+ rlPhaseStartTest "HMAC verification"
+
+ # Verify HMAC.
+ rlRun "fipscheck hmac" 0
+
+ # Verify HMAC with specific suffix.
+ rlRun "fipscheck -s .suffix suffixhmac" 0
+
+ # Incorrect HMAC causes failure.
+ rlRun "fipscheck incorrecthmac" 1
+
+ # Empty HMAC causes failure.
+ rlRun "fipscheck emptyhmac" 1
+
+ rlPhaseEnd
+
+ rlPhaseStartTest "Return Codes"
+
+ # 0: Checksum OK.
+ rlLog "0: Checksum OK"
+ rlRun "fipscheck hmac" 0
+
+ # 1: Checksum mismatch.
+ rlLog "1: Checksum mismatch"
+ rlRun "fipscheck incorrecthmac" 1
+
+ # 2: Missing filename.
+ rlLog "2: Missing filename"
+ rlRun "fipscheck" 2
+
+ # 3: Cannot open the checksum file.
+ rlLog "3: Cannot open the checksum file"
+ rlRun "fipscheck runtest.sh" 3
+
+ # 4: Cannot read the file to be checksummed.
+ rlLog "4: Cannot read the file to be checksummed"
+ rlRun "chmod a-r hmac" 0
+ rlRun "runuser -u testuser fipscheck hmac" 4
+ rlRun "chmod a+r hmac" 0
+
+ # 5: Memory allocation error.
+ # N/A
+
+ # 10 and higher: Failure during self-checking the libfipscheck.so shared library.
+ rlLog "10 and higher: Failure during self-checking the libfipscheck.so shared library"
+ rlRun "mv $fipscheck_libs_some_hmac ${fipscheck_libs_some_hmac}.backup" 0
+ rlRun "fipscheck hmac" 10-19
+ rlRun "mv ${fipscheck_libs_some_hmac}.backup $fipscheck_libs_some_hmac" 0
+
+ # 20 and higher: Failure during self-checking the fipscheck binary.
+ rlRun "mv $fipscheck_hmac ${fipscheck_hmac}.backup" 0
+ rlRun "fipscheck hmac" 20-255
+ rlRun "mv ${fipscheck_hmac}.backup $fipscheck_hmac" 0
+
+ rlPhaseEnd
+
+ rlPhaseStartCleanup
+
+ rlRun "popd" 0
+ rlRun "rm -rf $tmpdir" 0
+ rlRun "userdel testuser" 0
+
+ rlPhaseEnd
+
+rlJournalPrintText
+
+rlJournalEnd
diff --git a/tests/fipshmac/Makefile b/tests/fipshmac/Makefile
new file mode 100644
index 0000000..6f0bdc9
--- /dev/null
+++ b/tests/fipshmac/Makefile
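Review bot: The "Return Codes" phase moves package-owned integrity files (`$fipscheck_libs_some_hmac` and `$fipscheck_hmac`) aside and restores them only on the happy path; if the script aborts or is interrupted between the two `mv` lines, the host is left with libfipscheck and fipscheck failing their own self-check, which sits badly with the `Destructive: no` metadata. Restore unconditionally in the cleanup phase, e.g. `[ -e "${fipscheck_hmac}.backup" ] && rlRun "mv ${fipscheck_hmac}.backup $fipscheck_hmac" 0` and the same for `${fipscheck_libs_some_hmac}.backup`, or do it from a `trap` handler. Separately, `rpm -ql fipscheck-lib | grep so` matches any path containing the substring `so`, not only shared objects, so `fipscheck_libs_all` may pick up non-library files; `grep '\.so'` is the safer filter.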
@@ -0,0 +1,61 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# Makefile of /CoreOS/fipscheck/Sanity/fipshmac
+# Description: Test fipshmac helper tool
+# Author: Ondrej Moris
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2013 Red Hat, Inc. All rights reserved.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/fipscheck/Sanity/fipshmac
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+ ./runtest.sh
+
+build: $(BUILT_FILES)
+ test -x runtest.sh || chmod a+x runtest.sh
+
+clean:
+ rm -f *~ $(BUILT_FILES)
+
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+ @echo "Owner: Ondrej Moris " > $(METADATA)
+ @echo "Name: $(TEST)" >> $(METADATA)
+ @echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
+ @echo "Path: $(TEST_DIR)" >> $(METADATA)
+ @echo "Description: Test fipshmac helper tool" >> $(METADATA)
+ @echo "Type: Sanity" >> $(METADATA)
+ @echo "TestTime: 15m" >> $(METADATA)
+ @echo "RunFor: fipscheck" >> $(METADATA)
+ @echo "Requires: fipscheck" >> $(METADATA)
+ @echo "Priority: Normal" >> $(METADATA)
+ @echo "License: GPLv2" >> $(METADATA)
+ @echo "Confidential: no" >> $(METADATA)
+ @echo "Destructive: no" >> $(METADATA)
+
+ rhts-lint $(METADATA)
diff --git a/tests/fipshmac/PURPOSE b/tests/fipshmac/PURPOSE
new file mode 100644
index 0000000..50dfd98
--- /dev/null
+++ b/tests/fipshmac/PURPOSE
@@ -0,0 +1,5 @@
+PURPOSE of /CoreOS/fipscheck/Sanity/fipshmac
+Description: Test fipshmac helper tool
+Author: Ondrej Moris
+
+Test fipshmac functionality, supported parameters as well as all return codes.
diff --git a/tests/fipshmac/runtest.sh b/tests/fipshmac/runtest.sh
new file mode 100755
index 0000000..31a6655
--- /dev/null
+++ b/tests/fipshmac/runtest.sh
@@ -0,0 +1,129 @@
+#!/bin/bash
+# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# runtest.sh of /CoreOS/fipscheck/Sanity/fipshmac
+# Description: Test fipshmac helper tool.
+# Author: Ondrej Moris
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2014 Red Hat, Inc. All rights reserved.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/bin/rhts-environment.sh || exit 1
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="fipscheck"
+
+rlJournalStart
+
+ rlPhaseStartSetup
+
+ rlCheckRpm "fipscheck" || rlDie
+
+ testdir=$(mktemp -d)
+ testpath=$(mktemp)
+ testfile=$(basename $testpath)
+ mountdir=$(mktemp -d)
+
+ rlRun "useradd testuser" 0
+ rlRun "mount -t tmpfs -o size=512k tmpfs $mountdir" 0
+ rlRun "dd if=/dev/urandom bs=512k count=1 of=${mountdir}/blob" 0
+
+ rlPhaseEnd
+
+ rlPhaseStartTest "HMAC generation"
+
+ # Create HMAC.
+ rlRun "echo 'abc' > $testpath" 0
+ rlRun "fipshmac $testpath" 0
+
+ # Create HMAC in specified directory.
+ rlRun "fipshmac -d $testdir $testpath" 0
+
+ # Create HMAC with a specific suffix.
+ rlRun "fipshmac -s .suffix $testpath" 0
+
+ # Check that HMAC files exist.
+ rlAssertExists "/tmp/.${testfile}.hmac"
+ rlAssertExists "/tmp/.${testfile}.suffix"
+ rlAssertExists "$testdir/${testfile}.hmac"
+
+ # Verify HMAC.
+ rlRun "fipscheck $testpath" 0
+
+ # Check that HMAC file is not empty.
+ rlRun "test -s /tmp/.${testfile}.hmac" 0
+
+ # Check that HMAC file does not change when recomputed.
+ old=$(cat /tmp/.${testfile}.hmac)
+ rlRun "fipshmac $testpath" 0
+ new=$(cat /tmp/.${testfile}.hmac)
+ rlAssertEquals "Hashes should not differ" "$old" "$new"
+
+ # Check that HMAC file changes when recomputed and file changed.
+ old=$(cat /tmp/.${testfile}.hmac)
+ rlRun "echo 'efg' >> $testpath" 0
+ rlRun "fipshmac $testpath" 0
+ new=$(cat ./.test.hmac)
+ rlAssertNotEquals "Hashes should differ" "$old" "$new"
+
+ rlPhaseEnd
+
+ rlPhaseStartTest "Return Codes"
+
+ # 0: OK.
+ rlLog "0: OK"
+ rlRun "fipshmac $testpath" 0
+
+ # 2: Missing filename.
+ rlLog "2: Missing filename"
+ rlRun "fipshmac" 2
+
+ # 3: Cannot open the checksum file for writing.
+ rlLog "3: Cannot open the checksum file for writing"
+ rlRun "chmod a-r $testpath" 0
+ rlRun "runuser -u testuser fipshmac $testpath" 3
+ rlRun "chmod a+r $testpath" 0
+
+ # 4: Cannot read the file to be checksummed.
+ rlLog "4: Cannot read the file to be checksummed"
+ rlRun "fipshmac missing" 4
+
+ # 5: Memory allocation error
+ # N/A
+
+ # 6,7: Cannot write to the checksum file.
+ rlLog "6,7: Cannot write to the checksum file"
+ rlRun "fipshmac -d $mountdir $testpath" 6,7
+
+ rlPhaseEnd
+
+ rlPhaseStartCleanup
+
+ rlRun "rm -rf $testpath .${testfile}.hmac $testdir" 0
+ rlRun "userdel testuser" 0
+ rlRun "umount $mountdir" 0
+
+ rlPhaseEnd
+
+rlJournalPrintText
+
+rlJournalEnd
diff --git a/tests/inventory b/tests/inventory
new file mode 100755
index 0000000..b118a5a
--- /dev/null
+++ b/tests/inventory
@@ -0,0 +1,3 @@
+#!/bin/bash
+export TEST_DOCKER_EXTRA_ARGS="--privileged"
+exec merge-standard-inventory "$@"
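Review bot: `new=$(cat ./.test.hmac)` in the "Hashes should differ" check reads a file this script never creates — the preceding lines show the HMAC is written to `/tmp/.${testfile}.hmac` — so `new` is empty and `rlAssertNotEquals` passes without exercising the recomputation; it should be `new=$(cat /tmp/.${testfile}.hmac)`. The cleanup phase has the matching problem: `rm -rf $testpath .${testfile}.hmac $testdir` removes `.${testfile}.hmac` relative to the current directory, so `/tmp/.${testfile}.hmac`, `/tmp/.${testfile}.suffix` and the unmounted `$mountdir` are left behind. Hard-coding `/tmp` also diverges from `mktemp`, which honours `TMPDIR`; deriving the directory with `$(dirname $testpath)` keeps the assertions and the cleanup in step.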
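Review bot: `TEST_DOCKER_EXTRA_ARGS="--privileged"` grants the test container full host privileges without saying why; since the fipshmac test mounts a tmpfs and the tests add users and rename package-owned `.hmac` files, a one-line comment such as `# --privileged: tests mount a tmpfs, add users and move package-owned .hmac files` would tell a reviewer the escalation is deliberate and what it is needed for.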
diff --git a/tests/library/Makefile b/tests/library/Makefile
new file mode 100644
index 0000000..7cc99a3
--- /dev/null
+++ b/tests/library/Makefile
@@ -0,0 +1,64 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Makefile of /CoreOS/fipscheck/Sanity/library
+#
+# Description: Test fipscheck API
+#
+# Author: Ondrej Moris
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2017 Red Hat, Inc. All rights reserved.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/fipscheck/Sanity/library
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE test.c
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+ ./runtest.sh
+
+build: $(BUILT_FILES)
+ test -x runtest.sh || chmod a+x runtest.sh
+
+clean:
+ rm -f *~ $(BUILT_FILES)
+
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+ @echo "Owner: Ondrej Moris " > $(METADATA)
+ @echo "Name: $(TEST)" >> $(METADATA)
+ @echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
+ @echo "Path: $(TEST_DIR)" >> $(METADATA)
+ @echo "Description: Test fipscheck API" >> $(METADATA)
+ @echo "Type: Sanity" >> $(METADATA)
+ @echo "TestTime: 15m" >> $(METADATA)
+ @echo "RunFor: fipscheck" >> $(METADATA)
+ @echo "Requires: fipscheck fipscheck-devel fipscheck-lib libgcrypt libreswan" >> $(METADATA)
+ @echo "Priority: Normal" >> $(METADATA)
+ @echo "License: GPLv2" >> $(METADATA)
+ @echo "Confidential: no" >> $(METADATA)
+ @echo "Destructive: no" >> $(METADATA)
+
+ rhts-lint $(METADATA)
diff --git a/tests/library/PURPOSE b/tests/library/PURPOSE
new file mode 100644
index 0000000..d77f645
--- /dev/null
+++ b/tests/library/PURPOSE
@@ -0,0 +1,10 @@
+PURPOSE of /CoreOS/fipscheck/Sanity/library
+
+Test fipscheck library API:
+
+ * FIPSCHECK_verify()
+ * FIPSCHECK_verify_ex()
+ * FIPSCHECK_verify_files()
+ * FIPSCHECK_verify_files_ex()
+ * FIPSCHECK_kernel_fips_mode()
+ * FIPSCHECK_fips_module_installed()
diff --git a/tests/library/runtest.sh b/tests/library/runtest.sh
new file mode 100755
index 0000000..1bd5a97
--- /dev/null
+++ b/tests/library/runtest.sh
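Review bot: The `Requires:` line omits the packages that provide `gcc` and `objdump`, both of which this test's runtest.sh invokes (`rlRun "gcc $debug test.c ..."` and `symb=$(objdump -T $file ...)`), while runtest.sh relies on `rlCheckMakefileRequires` to validate the environment; tests.yml lists `gcc` separately, but the Makefile is what that check reads. Add them, e.g. `@echo "Requires: fipscheck fipscheck-devel fipscheck-lib libgcrypt libreswan gcc binutils" >> $(METADATA)`. The `.PHONY` line also lacks `run` and `build`, as in the other two Makefiles.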
@@ -0,0 +1,416 @@
+#!/bin/bash
+# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# runtest.sh of /CoreOS/fipscheck/Sanity/library
+# Description: Test fipscheck API
+# Author: Ondrej Moris
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2014 Red Hat, Inc. All rights reserved.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/bin/rhts-environment.sh || exit 1
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+#PACKAGE="fipscheck"
+rlJournalStart
+
+ rlPhaseStartSetup
+
+ rlCheckMakefileRequires || rlDie
+
+ # Make sure nothing is prelinked (as expected in FIPS).
+ rlCheckRpm "prelink" && rlRun "prelink -ua" 0
+
+ rlIsRHEL 6 && debug="-DRHEL6"
+ rlRun "gcc $debug test.c -o test -lfipscheck -ldl"
+
+ rlPhaseEnd
+
+ rlPhaseStartTest "FIPSCHECK_verify()"
+
+ rlLog "Function should return 1 if checksum is valid for a given"
+ rlLog "library (or a current process), 0 otherwise."
+
+ # TC1
+ fipshmac "test"
+ rlRun "./test --verify" 1 \
+ "TC1: process, correct checksum, should return 1"
+ rm -f ".test.hmac"
+
+ # TC2
+ echo 'abc' > ".test.hmac"
+ rlRun "./test --verify" 0 \
+ "TC2: process, incorrect checksum, should return 0"
+ rm -f ".test.hmac"
+
+ # TC3
+ rm -f ".test.hmac"
+ rlRun "./test --verify" 0 \
+ "TC3: process, missing checksum, should return 0"
+
+ # Setup for TC4 - TC8.
+ hmac=$(rpm -ql libgcrypt | grep hmac | head -1)
+ name=$(echo $hmac | sed 's|^.*/\.\(.\+\).hmac|\1|')
+ path=$(echo $hmac | sed 's|^\(.\+\)/\..*$|\1/|')
+ file=$(rpm -ql libgcrypt | egrep "/${name}\$")
+ symb=$(objdump -T $file | grep .text | awk '{print $7}' | tail -1)
+ echo "hmac=$hmac"
+ echo "name=$name"
+ echo "path=$path"
+ echo "file=$file"
+ echo "symb=$symb"
+
+ # TC4
+ rlRun "LD_PRELOAD=$file ./test --verify=${file},${symb}" 1 \
+ "TC4: library, correct checksum, should return 1"
+
+ # TC5
+ temp=$(mktemp)
+ mv $hmac $temp
+ echo 'abc' >$hmac
+ rlRun "LD_PRELOAD=$file ./test --verify=${file},${symb}" 0 \
+ "TC5: library, incorrect checksum, should return 0"
+ mv $temp $hmac
+
+ # TC6
+ temp=$(mktemp)
+ mv $hmac $temp
+ rlRun "LD_PRELOAD=$file ./test --verify=${file},${symb}" 0 \
+ "TC6: library, missing checksum, should return 0"
+ mv $temp $hmac
+
+ # TC7
+ rlRun "LD_PRELOAD=$file ./test --verify=${file}x,${symb}" 0 \
+ "TC7: library, incorrect library, should return 0"
+
+ # TC8
+ rlRun "LD_PRELOAD=$file ./test --verify=${file},${symb}x" 0 \
+ "TC8: library, incorrect symbol, should return 0"
+
+ rlPhaseEnd
+
+ if !rlIsRHEL 6; then
+ rlPhaseStartTest "FIPSCHECK_verify_ex()"
+
+ rlLog "Function should return 1 if checksum is valid for a current"
+ rlLog "process or a given library and suffix (if fail_is_missing"
+ rlLog "is set to 1), 0 otherwise."
+
+ # TC1
+ fipshmac "test"
+ rlRun "./test --verify-ex" 1 \
+ "TC1: process, correct checksum, should return 1"
+ rm -f ".test.hmac"
+
+ # TC2
+ echo 'abc' > ".test.hmac"
+ rlRun "./test --verify-ex" 0 \
+ "TC2: process, incorrect checksum, should return 0"
+ rm -f ".test.hmac"
+
+ # TC3
+ rm -f ".test.hmac"
+ rlRun "./test --verify-ex" 1 \
+ "TC3: process, missing checksum (pass if missing), should return 1"
+
+ # Setup for TC4 - TC10.
+ hmac=$(rpm -ql libgcrypt | grep hmac | head -1)
+ name=$(echo $hmac | sed 's|^.*/\.\(.\+\).hmac|\1|')
+ path=$(echo $hmac | sed 's|^\(.\+\)/\..*$|\1/|')
+ file=$(rpm -ql libgcrypt | egrep "/${name}\$")
+ symb=$(objdump -T $file | grep .text | awk '{print $7}' | tail -1)
+ echo "hmac=$hmac"
+ echo "name=$name"
+ echo "path=$path"
+ echo "file=$file"
+ echo "symb=$symb"
+
+ # TC4
+ rlRun "LD_PRELOAD=$file ./test --verify-ex=${file},${symb},.hmac,0" 1 \
+ "TC4: library, correct checksum, should return 1"
+
+ # TC5
+ temp=$(mktemp)
+ mv $hmac $temp
+ echo 'abc' >$hmac
+ rlRun "LD_PRELOAD=$file ./test --verify-ex=${file},${symb},.hmac,0" 0 \
+ "TC5: library, incorrect checksum, should return 0"
+ mv $temp $hmac
+
+ # TC6
+ temp=$(mktemp)
+ mv $hmac $temp
+ rlRun "LD_PRELOAD=$file ./test --verify-ex=${file},${symb},.hmac,0" 1 \
+ "TC6: library, missing checksum (pass is missing), should return 1"
+ mv $temp $hmac
+
+ # TC7
+ temp=$(mktemp)
+ mv $hmac $temp
+ rlRun "LD_PRELOAD=$file ./test --verify-ex=${file},${symb},.hmac,1" 0 \
+ "TC7: library, missing checksum (fail is missing), should return 0"
+ mv $temp $hmac
+
+ # TC8
+ rlRun "LD_PRELOAD=$file ./test --verify-ex=${file}x,${symb},.hmac,1" 0 \
+ "TC8: library, incorrect library, should return 0"
+
+ # TC9
+ rlRun "LD_PRELOAD=$file ./test --verify-ex=${file},${symb}x,.hmac,1" 0 \
+ "TC9: library, incorrect symbol, should return 0"
+
+ # TC10
+ rlRun "LD_PRELOAD=$file ./test --verify-ex=${file},${symb},.hmacx,1" 0 \
+ "TC10: library, incorrect suffix, should return 0"
+
+ rlPhaseEnd
+ fi
+
+ rlPhaseStartTest "FIPSCHECK_verify_files()"
+
+ rlLog "Function should return 1 if checksum is valid for given files"
+ rlLog "otherwise."
+
+ # Setup for TC1 - TC5.
+ hmac1=$(rpm -ql libgcrypt | grep hmac | head -1)
+ name1=$(echo $hmac1 | sed 's|^.*/\.\(.\+\).hmac|\1|')
+ path1=$(echo $hmac1 | sed 's|^\(.\+\)/\..*$|\1/|')
+ file1=$(rpm -ql libgcrypt | egrep "/${name1}\$")
+ echo "hmac1=$hmac1"
+ echo "name1=$name1"
+ echo "path1=$path1"
+ echo "file1=$file1"
+
+ hmac2=$(rpm -ql libreswan | grep pluto.hmac | head -1)
+ name2=$(echo $hmac2 | sed 's|^.*/\(.\+\).hmac|\1|')
+ path2=$(echo $hmac2 | sed 's|^\(.\+\)/.*$|\1/|')
+ file2=$(rpm -ql libreswan | egrep "ipsec/${name2}\$")
+ echo "hmac2=$hmac2"
+ echo "name2=$name2"
+ echo "path2=$path2"
+ echo "file2=$file2"
+
+ # TC1
+ rlRun "./test --verify-files ${file1},${file2}" 1 \
+ "TC1: library, correct checksums, should return 1"
+
+ # TC2
+ temp1=$(mktemp)
+ mv $hmac1 $temp1
+ echo 'abc' >$hmac1
+ rlRun "./test --verify-files=${file1},${file2}" 0 \
+ "TC2: library, correct and incorrect checksums, should return 0"
+ mv $temp1 $hmac1
+
+ # TC3
+ temp1=$(mktemp)
+ temp2=$(mktemp)
+ mv $hmac1 $temp1
+ mv $hmac2 $temp2
+ echo 'abc' >$hmac1
+ echo 'abc' >$hmac2
+ rlRun "./test --verify-files=${file1},${file2}" 0 \
+ "TC3: library, incorrect checksums, should return 0"
+ mv $temp1 $hmac1
+ mv $temp2 $hmac2
+
+ # TC4
+ temp1=$(mktemp)
+ mv $hmac1 $temp1
+ rlRun "./test --verify-files=${file1},${file2}" 0 \
+ "TC4: library, one checksum missing, should return 0"
+ mv $temp1 $hmac1
+
+ # TC5
+ temp1=$(mktemp)
+ temp2=$(mktemp)
+ mv $hmac1 $temp1
+ mv $hmac2 $temp2
+ rlRun "./test --verify-files=${file1},${file2}" 0 \
+ "TC5: library, both checksums missing, should return 0"
+ mv $temp1 $hmac1
+ mv $temp2 $hmac2
+
+ rlPhaseEnd
+
+ if !rlIsRHEL 6; then
+ rlPhaseStartTest "FIPSCHECK_verify_files_ex()"
+
+ rlLog "Function should return 1 if checksum is valid for given files"
+ rlLog "and fail_if_missing is set to 1, 0 otherwise."
+
+ # Setup for TC1 - TC8.
+ hmac1=$(rpm -ql libgcrypt | grep hmac | head -1)
+ name1=$(echo $hmac1 | sed 's|^.*/\.\(.\+\).hmac|\1|')
+ path1=$(echo $hmac1 | sed 's|^\(.\+\)/\..*$|\1/|')
+ file1=$(rpm -ql libgcrypt | egrep "/${name1}\$")
+ echo "hmac1=$hmac1"
+ echo "name1=$name1"
+ echo "path1=$path1"
+ echo "file1=$file1"
+
+ hmac2=$(rpm -ql libreswan | grep hmac | head -1)
+ name2=$(echo $hmac2 | sed 's|^.*/\(.\+\).hmac|\1|')
+ path2=$(echo $hmac2 | sed 's|^\(.\+\)/.*$|\1/|')
+ file2=$(rpm -ql libreswan | egrep "/${name2}\$")
+ echo "hmac2=$hmac2"
+ echo "name2=$name2"
+ echo "path2=$path2"
+ echo "file2=$file2"
+
+ # TC1
+ rlRun "./test --verify-files-ex .hmac,1,${file1},${file2}" 1 \
+ "TC1: library, correct checksums, should return 1"
+
+ # TC2
+ temp1=$(mktemp)
+ mv $hmac1 $temp1
+ echo 'abc' >$hmac1
+ rlRun "./test --verify-files-ex=.hmac,1,${file1},${file2}" 0 \
+ "TC2: library, correct and incorrect checksums, should return 0"
+ mv $temp1 $hmac1
+
+ # TC3
+ temp1=$(mktemp)
+ temp2=$(mktemp)
+ mv $hmac1 $temp1
+ mv $hmac2 $temp2
+ echo 'abc' >$hmac1
+ echo 'abc' >$hmac2
+ rlRun "./test --verify-files-ex=.hmac,1,${file1},${file2}" 0 \
+ "TC3: library, incorrect checksums, should return 0"
+ mv $temp1 $hmac1
+ mv $temp2 $hmac2
+
+ # TC4
+ temp1=$(mktemp)
+ mv $hmac1 $temp1
+ rlRun "./test --verify-files-ex=.hnac,1,${file1},${file2}" 0 \
+ "TC4: library, one checksum missing (fail if missing), should return 0"
+ mv $temp1 $hmac1
+
+ # TC5
+ temp1=$(mktemp)
+ mv $hmac1 $temp1
+ rlRun "./test --verify-files-ex=.hnac,0,${file1},${file2}" 1 \
+ "TC5: library, one checksum missing (pass if missing), should return 1"
+ mv $temp1 $hmac1
+
+ # TC6
+ temp1=$(mktemp)
+ temp2=$(mktemp)
+ mv $hmac1 $temp1
+ mv $hmac2 $temp2
+ rlRun "./test --verify-files-ex=.hmac,1,${file1},${file2}" 0 \
+ "TC6: library, both checksums missing (fail if missing), should return 0"
+ mv $temp1 $hmac1
+ mv $temp2 $hmac2
+
+ # TC7
+ temp1=$(mktemp)
+ temp2=$(mktemp)
+ mv $hmac1 $temp1
+ mv $hmac2 $temp2
+ rlRun "./test --verify-files-ex=.hmac,0,${file1},${file2}" 1 \
+ "TC7: library, both checksums missing (pass if missing), should return 1"
+ mv $temp1 $hmac1
+ mv $temp2 $hmac2
+
+ # TC8
+ rlRun "./test --verify-files-ex=.hmacx,1,${file1},${file2}" 0 \
+ "TC8: library, incorrect suffix, should return 0"
+
+ rlPhaseEnd
+ fi
+
+ rlPhaseStartTest "FIPSCHECK_kernel_fips_mode()"
+
+ rlLog "Function should return 1 if kernel is in FIPS mode, 0 otherwise."
+
+ fips_mode=0
+ grep 1 /proc/sys/crypto/fips_enabled && fips_mode=1
+ rlRun "./test --kernel-fips-mode" $fips_mode
+
+ rlPhaseEnd
+
+ if !rlIsRHEL 6; then
+ rlPhaseStartTest "FIPSCHECK_fips_module_installed()"
+
+ rlLog "Function should return 1 if checksum for given library"
+ rlLog "(or a current process) is available, 0 otherwise."
+
+ # TC1
+ touch ".test.hmac"
+ rlRun "./test --fips-module-installed" 1 \
+ "TC1: process, checksum exists, should return 1"
+ rm -f ".test.hmac"
+
+ # TC2
+ rm -f ".test.hmac"
+ rlRun "./test --fips-module-installed" 0 \
+ "TC2: process, checksum does not exist, should return 0"
+
+ # Setup for TC3 - TC7.
+ hmac=$(rpm -ql libgcrypt | grep hmac | head -1)
+ name=$(echo $hmac | sed 's|^.*/\.\(.\+\).hmac|\1|')
+ path=$(echo $hmac | sed 's|^\(.\+\)/\..*$|\1/|')
+ file=$(rpm -ql libgcrypt | egrep "/${name}\$")
+ symb=$(objdump -T $file | grep .text | awk '{print $7}' | tail -1)
+ echo "hmac=$hmac"
+ echo "name=$name"
+ echo "path=$path"
+ echo "file=$file"
+ echo "symb=$symb"
+
+ # TC3
+ rlRun "LD_PRELOAD=$file ./test --fips-module-installed=${file},${symb},.hmac" 1 \
+ "TC3: library, checksum exists, should return 1"
+
+ # TC4
+ temp=$(mktemp)
+ mv $hmac $temp
+ rlRun "LD_PRELOAD=$file ./test --fips-module-installed=${file},${symb},.hmac" 0 \
+ "TC4: library, checksum does not exists, should return 0"
+ mv $temp $hmac
+
+ # TC5
+ rlRun "LD_PRELOAD=$file ./test --fips-module-installed=${file}x,${symb},.hmac" 1 \
+ "TC5: library, incorrect library, should return 1 (failsafe)"
+
+ # TC6
+ rlRun "LD_PRELOAD=$file ./test --fips-module-installed=${file},${symb}x,.hmac" 1 \
+ "TC6: library, incorrect symbol, should return 1 (failsafe)"
+
+ # TC7
+ rlRun "LD_PRELOAD=$file ./test --fips-module-installed=${file},${symb},.hmacx" 0 \
+ "TC7: library, incorrect suffix, should return 0"
+
+ rlPhaseEnd
+ fi
+
+ rlPhaseStartCleanup
+ rlRun "rm -f ./test" 0
+ rlPhaseEnd
+
+rlJournalPrintText
+
+rlJournalEnd
diff --git a/tests/library/test.c b/tests/library/test.c
new file mode 100644
index 0000000..de42dac
--- /dev/null
+++ b/tests/library/test.c
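Review bot: `if !rlIsRHEL 6; then`, which guards the FIPSCHECK_verify_ex(), FIPSCHECK_verify_files_ex() and FIPSCHECK_fips_module_installed() phases, does not negate anything: without a space bash looks up a command literally named `!rlIsRHEL`, which does not exist, so the condition is false on every release and those three phases never run. Write `if ! rlIsRHEL 6; then` in all three places. In the FIPSCHECK_verify_files_ex() phase, TC4 and TC5 pass the suffix `.hnac` rather than `.hmac`, which looks like a typo: with a suffix no checksum file carries, both checksums count as missing whether or not `$hmac1` was moved, so the two cases no longer distinguish "one missing" from "wrong suffix" (TC8). As in the fipscheck test, the `mv $hmac1 $temp1` edits of package-owned checksum files are undone only on the happy path; a `trap` or a cleanup-phase restore would avoid leaving libgcrypt or libreswan unverifiable after an aborted run.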
@@ -0,0 +1,81 @@
+#include
+#include
+#include
+#include
+#include
+#include
+
+int main(int argc, char *argv[]) {
+
+ static struct option long_options[] = {
+ { "verify", optional_argument, 0, 1 },
+ { "verify-ex", optional_argument, 0, 2 },
+ { "verify-files", required_argument, 0, 3 },
+ { "verify-files-ex", required_argument, 0, 4 },
+ { "fips-module-installed", optional_argument, 0, 5 },
+ { "kernel-fips-mode", no_argument, 0, 6 },
+ {0, 0, 0, 0}
+ };
+
+ int rc = 0, option_index = 0, fail_if_missing;
+ int c = getopt_long (argc, argv, "", long_options, &option_index);
+ char *libname = NULL, *symbolname = NULL, *suffix = NULL, *files[3];
+
+ switch (c) {
+
+ case 1:
+ if (optarg != NULL) {
+ libname = strtok(optarg, ",");
+ symbolname = strtok(NULL, ",");
+ }
+ rc = FIPSCHECK_verify(libname, symbolname);
+ break;
+
+ case 2:
+ if (optarg != NULL) {
+ libname = strtok(optarg, ",");
+ symbolname = strtok(NULL, ",");
+ suffix = strtok(NULL, ",");
+ fail_if_missing = atoi(strtok(NULL, ","));
+ }
+#ifndef RHEL6
+ rc = FIPSCHECK_verify_ex(libname, symbolname, suffix, fail_if_missing);
+#endif
+ break;
+
+ case 3:
+ files[0] = strtok(optarg, ",");
+ files[1] = strtok(NULL, ",");
+ files[2] = NULL;
+ rc = FIPSCHECK_verify_files((const char **) files);
+ break;
+
+ case 4:
+ suffix = strtok(optarg, ",");
+ fail_if_missing = atoi(strtok(NULL, ","));
+ files[0] = strtok(NULL, ",");
+ files[1] = strtok(NULL, ",");
+ files[2] = NULL;
+#ifndef RHEL6
+ rc = FIPSCHECK_verify_files_ex(suffix, fail_if_missing, (const char **) files);
+#endif
+ break;
+
+ case 5:
+ if (optarg != NULL) {
+ libname = strtok(optarg, ",");
+ symbolname = strtok(NULL, ",");
+ suffix = strtok(NULL, ",");
+ }
+#ifndef RHEL6
+ rc = FIPSCHECK_fips_module_installed(libname, symbolname, suffix);
+#endif
+ break;
+
+ case 6:
+ rc = FIPSCHECK_kernel_fips_mode();
+ break;
+ }
+
+ return rc;
+}
diff --git a/tests/tests.yml b/tests/tests.yml
new file mode 100644
index 0000000..526a4e8
--- /dev/null
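Review bot: `fail_if_missing` is declared without an initializer and is read uninitialized in `case 2` whenever `--verify-ex` is given without an argument — exactly what runtest.sh's TC1–TC3 do — so TC3's "pass if missing" expectation rests on an indeterminate value; declare it as `int rc = 0, option_index = 0, fail_if_missing = 0;`. In `case 2` and `case 4`, `atoi(strtok(NULL, ","))` dereferences NULL when the argument has fewer comma-separated fields than expected; guard it, e.g. `char *tok = strtok(NULL, ","); fail_if_missing = tok ? atoi(tok) : 0;`. The `switch` has no `default:` branch, so an unrecognized option (`getopt_long` returns `?`) or no option at all exits 0, which the test script cannot tell apart from a genuine "not verified" result; returning a distinct value there would make such failures visible.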
+++ b/tests/tests.yml
@@ -0,0 +1,28 @@
+---
+# Tests for classic and container
+- hosts: localhost
+ roles:
+ - role: standard-test-beakerlib
+ tags:
+ - classic
+ - container
+ tests:
+ - library
+ - fipscheck
+ - fipshmac
+ required_packages:
+ - fipscheck # Required for library test
+ - fipscheck-devel # Required for library test
+ - fipscheck-lib # Required for library test
+ - libgcrypt # Required for library test
+ - libreswan # Required for library test
+ - gcc # Required for library test
+
+# Tests for Atomic Host
+- hosts: localhost
+ roles:
+ - role: standard-test-beakerlib
+ tags:
+ - atomic
+ tests:
+ - fipshmac
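Review bot: Every entry under `required_packages` is annotated `# Required for library test`, but `fipscheck` is required by all three tests and `fipscheck-lib` by the fipscheck test as well (their Makefiles' `Requires:` lines say so), so the comments understate what the packages are for. Either drop the per-line comments or make them accurate, e.g. `- fipscheck # Required by all tests` and `- fipscheck-lib # Required for library and fipscheck tests`.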