
No commits in common. "c8-beta" and "c8s" have entirely different histories.
c8-beta ... c8s

17 changed files with 1017 additions and 2 deletions


@ -1 +0,0 @@
949b3b68b929471e0060196d8a9dda08d11e662e SOURCES/fipscheck-1.5.0.tar.bz2

7
.gitignore vendored

@ -1 +1,6 @@
SOURCES/fipscheck-1.5.0.tar.bz2 fipscheck-1.2.0.tar.bz2
/fipscheck-1.3.0.tar.bz2
/fipscheck-1.3.1.tar.bz2
/fipscheck-1.4.0.tar.bz2
/fipscheck-1.4.1.tar.bz2
/fipscheck-1.5.0.tar.bz2

9
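--- a/gating.yaml
+++ b/gating.yaml
@@ -0,0 +1,9 @@
+--- !Policy
+product_versions:
+- rhel-8
+decision_context: osci_compose_gate
+rules:
+- !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
+- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}
+- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.userspace-fips-mode.functional}
+- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tedude.validation}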

1
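--- a/sources
+++ b/sources
@@ -0,0 +1 @@
+SHA512 (fipscheck-1.5.0.tar.bz2) = 31920d45f7f7fe7deacd964b3f847c0caf76ca53452803443353994042a8c2ef1c2f494a029adc87a87ab69150a9823637f6a2f9b5a363a82bd2dbc6829c35c9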

61
tests/fipscheck/Makefile Normal file

@ -0,0 +1,61 @@
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Makefile of /CoreOS/fipscheck/Sanity/fipscheck
# Description: Test fipscheck helper tool
# Author: Ondrej Moris <omoris@redhat.com>
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2013 Red Hat, Inc. All rights reserved.
#
# This copyrighted material is made available to anyone wishing
# to use, modify, copy, or redistribute it subject to the terms
# and conditions of the GNU General Public License version 2.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public
# License along with this program; if not, write to the Free
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
# Boston, MA 02110-1301, USA.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
export TEST=/CoreOS/fipscheck/Sanity/fipscheck
export TESTVERSION=1.0
BUILT_FILES=
FILES=$(METADATA) runtest.sh Makefile PURPOSE
.PHONY: all install download clean
run: $(FILES) build
./runtest.sh
build: $(BUILT_FILES)
test -x runtest.sh || chmod a+x runtest.sh
clean:
rm -f *~ $(BUILT_FILES)
include /usr/share/rhts/lib/rhts-make.include
$(METADATA): Makefile
@echo "Owner: Ondrej Moris <omoris@redhat.com>" > $(METADATA)
@echo "Name: $(TEST)" >> $(METADATA)
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
@echo "Path: $(TEST_DIR)" >> $(METADATA)
@echo "Description: Test fipscheck helper tool" >> $(METADATA)
@echo "Type: Sanity" >> $(METADATA)
@echo "TestTime: 15m" >> $(METADATA)
@echo "RunFor: fipscheck" >> $(METADATA)
@echo "Requires: fipscheck fipscheck-lib" >> $(METADATA)
@echo "Priority: Normal" >> $(METADATA)
@echo "License: GPLv2" >> $(METADATA)
@echo "Confidential: no" >> $(METADATA)
@echo "Destructive: no" >> $(METADATA)
rhts-lint $(METADATA)
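Review bot: `Destructive: no` in the generated metadata does not match what runtest.sh in this directory does: it renames the installed fipscheck and fipscheck-lib `.hmac` files, runs `prelink -ua` when prelink is present, and adds and deletes a system user. An interrupted run can leave the host without those integrity files, so I would either write `@echo "Destructive: yes" >> $(METADATA)` or make the test restore them in its cleanup phase. The same metadata line in tests/library/Makefile has the same problem, since that test moves and overwrites the libgcrypt and libreswan `.hmac` files.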

5
tests/fipscheck/PURPOSE Normal file

@ -0,0 +1,5 @@
PURPOSE of /CoreOS/fipscheck/Sanity/fipscheck
Description: Test fipscheck helper tool
Author: Ondrej Moris <omoris@redhat.com>
Test fipscheck functionality, supported parameters as well as all return codes.

138
tests/fipscheck/runtest.sh Executable file

@ -0,0 +1,138 @@
#!/bin/bash
# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# runtest.sh of /CoreOS/fipscheck/Sanity/fipscheck
# Description: Test fipscheck helper tool.
# Author: Ondrej Moris <omoris@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2014 Red Hat, Inc. All rights reserved.
#
# This copyrighted material is made available to anyone wishing
# to use, modify, copy, or redistribute it subject to the terms
# and conditions of the GNU General Public License version 2.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public
# License along with this program; if not, write to the Free
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
# Boston, MA 02110-1301, USA.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Include Beaker environment
. /usr/bin/rhts-environment.sh || exit 1
. /usr/share/beakerlib/beakerlib.sh || exit 1
PACKAGE="fipscheck"
rlJournalStart
rlPhaseStartSetup
rlCheckRpm "fipscheck" || rlDie
rlCheckRpm "fipscheck-lib" || rlDie
tmpdir=$(mktemp -d)
rlRun "chmod a+rwx $tmpdir" 0
rlRun "pushd $tmpdir" 0
echo 'hmac' >hmac
echo 'suffixhmac' >suffixhmac
echo 'incorrecthmac' >incorrecthmac
echo 'emptyhmac' >emptyhmac
rlRun "fipshmac hmac" 0
rlRun "fipshmac -s .suffix suffixhmac" 0
rlRun "fipshmac incorrecthmac && echo 'X' >.incorrecthmac.hmac" 0
rlRun "fipshmac emptyhmac && echo '' >.emptyhmac.hmac" 0
fipscheck_hmac=$(rpm -ql fipscheck | egrep '\.hmac')
fipscheck_libs_all=$(rpm -ql fipscheck-lib | grep so | grep -v hmac | tr '\n' ' ')
fipscheck_libs_some_hmac=$(rpm -ql fipscheck-lib | egrep '\.hmac' | head -1)
rlRun "useradd testuser" 0
rlPhaseEnd
rlPhaseStartTest "Integrity"
rlCheckRpm "prelink" && rlRun "prelink -ua" 0
rlRun "fipscheck /usr/bin/fipscheck $fipscheck_libs_all" 0
rlPhaseEnd
rlPhaseStartTest "HMAC verification"
# Verify HMAC.
rlRun "fipscheck hmac" 0
# Verify HMAC with specific suffix.
rlRun "fipscheck -s .suffix suffixhmac" 0
# Incorrect HMAC causes failure.
rlRun "fipscheck incorrecthmac" 1
# Empty HMAC causes failure.
rlRun "fipscheck emptyhmac" 1
rlPhaseEnd
rlPhaseStartTest "Return Codes"
# 0: Checksum OK.
rlLog "0: Checksum OK"
rlRun "fipscheck hmac" 0
# 1: Checksum mismatch.
rlLog "1: Checksum mismatch"
rlRun "fipscheck incorrecthmac" 1
# 2: Missing filename.
rlLog "2: Missing filename"
rlRun "fipscheck" 2
# 3: Cannot open the checksum file.
rlLog "3: Cannot open the checksum file"
rlRun "fipscheck runtest.sh" 3
# 4: Cannot read the file to be checksummed.
rlLog "4: Cannot read the file to be checksummed"
rlRun "chmod a-r hmac" 0
rlRun "runuser -u testuser fipscheck hmac" 4
rlRun "chmod a+r hmac" 0
# 5: Memory allocation error.
# N/A
# 10 and higher: Failure during self-checking the libfipscheck.so shared library.
rlLog "10 and higher: Failure during self-checking the libfipscheck.so shared library"
rlRun "mv $fipscheck_libs_some_hmac ${fipscheck_libs_some_hmac}.backup" 0
rlRun "fipscheck hmac" 10-19
rlRun "mv ${fipscheck_libs_some_hmac}.backup $fipscheck_libs_some_hmac" 0
# 20 and higher: Failure during self-checking the fipscheck binary.
rlRun "mv $fipscheck_hmac ${fipscheck_hmac}.backup" 0
rlRun "fipscheck hmac" 20-255
rlRun "mv ${fipscheck_hmac}.backup $fipscheck_hmac" 0
rlPhaseEnd
rlPhaseStartCleanup
rlRun "popd" 0
rlRun "rm -rf $tmpdir" 0
rlRun "userdel testuser" 0
rlPhaseEnd
rlJournalPrintText
rlJournalEnd
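Review bot: In the "Return Codes" phase the installed `$fipscheck_libs_some_hmac` and `$fipscheck_hmac` files are renamed to `.backup` and put back only by the `mv` two lines later, so a run that stops in between leaves the system without its integrity checksum files. I would take the backup in the setup phase with `rlFileBackup "$fipscheck_hmac" "$fipscheck_libs_some_hmac"` and call `rlFileRestore` in the cleanup phase, so the restore happens even when a test step fails. Both variables come from an unquoted `rpm -ql ... | egrep` and are never checked for being empty; an empty value turns the `mv` into a rename of a file literally called `.backup`, so add a guard such as `[ -n "$fipscheck_hmac" ] || rlDie`. `chmod a+rwx $tmpdir` also makes a directory that root later removes with `rm -rf` world-writable, although `a+rx` looks sufficient for the testuser check.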

61
tests/fipshmac/Makefile Normal file

@ -0,0 +1,61 @@
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Makefile of /CoreOS/fipscheck/Sanity/fipshmac
# Description: Test fipshmac helper tool
# Author: Ondrej Moris <omoris@redhat.com>
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2013 Red Hat, Inc. All rights reserved.
#
# This copyrighted material is made available to anyone wishing
# to use, modify, copy, or redistribute it subject to the terms
# and conditions of the GNU General Public License version 2.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public
# License along with this program; if not, write to the Free
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
# Boston, MA 02110-1301, USA.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
export TEST=/CoreOS/fipscheck/Sanity/fipshmac
export TESTVERSION=1.0
BUILT_FILES=
FILES=$(METADATA) runtest.sh Makefile PURPOSE
.PHONY: all install download clean
run: $(FILES) build
./runtest.sh
build: $(BUILT_FILES)
test -x runtest.sh || chmod a+x runtest.sh
clean:
rm -f *~ $(BUILT_FILES)
include /usr/share/rhts/lib/rhts-make.include
$(METADATA): Makefile
@echo "Owner: Ondrej Moris <omoris@redhat.com>" > $(METADATA)
@echo "Name: $(TEST)" >> $(METADATA)
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
@echo "Path: $(TEST_DIR)" >> $(METADATA)
@echo "Description: Test fipshmac helper tool" >> $(METADATA)
@echo "Type: Sanity" >> $(METADATA)
@echo "TestTime: 15m" >> $(METADATA)
@echo "RunFor: fipscheck" >> $(METADATA)
@echo "Requires: fipscheck" >> $(METADATA)
@echo "Priority: Normal" >> $(METADATA)
@echo "License: GPLv2" >> $(METADATA)
@echo "Confidential: no" >> $(METADATA)
@echo "Destructive: no" >> $(METADATA)
rhts-lint $(METADATA)

5
tests/fipshmac/PURPOSE Normal file

@ -0,0 +1,5 @@
PURPOSE of /CoreOS/fipscheck/Sanity/fipshmac
Description: Test fipshmac helper tool
Author: Ondrej Moris <omoris@redhat.com>
Test fipshmac functionality, supported parameters as well as all return codes.

129
tests/fipshmac/runtest.sh Executable file

@ -0,0 +1,129 @@
#!/bin/bash
# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# runtest.sh of /CoreOS/fipscheck/Sanity/fipshmac
# Description: Test fipshmac helper tool.
# Author: Ondrej Moris <omoris@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2014 Red Hat, Inc. All rights reserved.
#
# This copyrighted material is made available to anyone wishing
# to use, modify, copy, or redistribute it subject to the terms
# and conditions of the GNU General Public License version 2.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public
# License along with this program; if not, write to the Free
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
# Boston, MA 02110-1301, USA.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Include Beaker environment
. /usr/bin/rhts-environment.sh || exit 1
. /usr/share/beakerlib/beakerlib.sh || exit 1
PACKAGE="fipscheck"
rlJournalStart
rlPhaseStartSetup
rlCheckRpm "fipscheck" || rlDie
testdir=$(mktemp -d)
testpath=$(mktemp)
testfile=$(basename $testpath)
mountdir=$(mktemp -d)
rlRun "useradd testuser" 0
rlRun "mount -t tmpfs -o size=512k tmpfs $mountdir" 0
rlRun "dd if=/dev/urandom bs=512k count=1 of=${mountdir}/blob" 0
rlPhaseEnd
rlPhaseStartTest "HMAC generation"
# Create HMAC.
rlRun "echo 'abc' > $testpath" 0
rlRun "fipshmac $testpath" 0
# Create HMAC in specified directory.
rlRun "fipshmac -d $testdir $testpath" 0
# Create HMAC with a specific suffix.
rlRun "fipshmac -s .suffix $testpath" 0
# Check that HMAC files exist.
rlAssertExists "/tmp/.${testfile}.hmac"
rlAssertExists "/tmp/.${testfile}.suffix"
rlAssertExists "$testdir/${testfile}.hmac"
# Verify HMAC.
rlRun "fipscheck $testpath" 0
# Check that HMAC file is not empty.
rlRun "test -s /tmp/.${testfile}.hmac" 0
# Check that HMAC file does not change when recomputed.
old=$(cat /tmp/.${testfile}.hmac)
rlRun "fipshmac $testpath" 0
new=$(cat /tmp/.${testfile}.hmac)
rlAssertEquals "Hashes should not differ" "$old" "$new"
# Check that HMAC file changes when recomputed and file changed.
old=$(cat /tmp/.${testfile}.hmac)
rlRun "echo 'efg' >> $testpath" 0
rlRun "fipshmac $testpath" 0
new=$(cat ./.test.hmac)
rlAssertNotEquals "Hashes should differ" "$old" "$new"
rlPhaseEnd
rlPhaseStartTest "Return Codes"
# 0: OK.
rlLog "0: OK"
rlRun "fipshmac $testpath" 0
# 2: Missing filename.
rlLog "2: Missing filename"
rlRun "fipshmac" 2
# 3: Cannot open the checksum file for writing.
rlLog "3: Cannot open the checksum file for writing"
rlRun "chmod a-r $testpath" 0
rlRun "runuser -u testuser fipshmac $testpath" 3
rlRun "chmod a+r $testpath" 0
# 4: Cannot read the file to be checksummed.
rlLog "4: Cannot read the file to be checksummed"
rlRun "fipshmac missing" 4
# 5: Memory allocation error
# N/A
# 6,7: Cannot write to the checksum file.
rlLog "6,7: Cannot write to the checksum file"
rlRun "fipshmac -d $mountdir $testpath" 6,7
rlPhaseEnd
rlPhaseStartCleanup
rlRun "rm -rf $testpath .${testfile}.hmac $testdir" 0
rlRun "userdel testuser" 0
rlRun "umount $mountdir" 0
rlPhaseEnd
rlJournalPrintText
rlJournalEnd
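Review bot: The last check of the "HMAC generation" phase reads `new=$(cat ./.test.hmac)`, a file this test never creates, while `old` comes from `/tmp/.${testfile}.hmac`. `new` is then most likely empty, and `rlAssertNotEquals` passes whether or not fipshmac recomputed the HMAC after the file changed; it should read `new=$(cat /tmp/.${testfile}.hmac)`. The cleanup phase also removes the relative `.${testfile}.hmac` rather than the `/tmp/.${testfile}.hmac` and `/tmp/.${testfile}.suffix` files the test wrote, and it leaves `$mountdir` behind after the umount. Deriving the directory with `$(dirname "$testpath")` instead of hard-coding `/tmp` would keep the paths correct when TMPDIR is set.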

3
tests/inventory Executable file

@ -0,0 +1,3 @@
#!/bin/bash
export TEST_DOCKER_EXTRA_ARGS="--privileged"
exec merge-standard-inventory "$@"
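Review bot: `TEST_DOCKER_EXTRA_ARGS="--privileged"` is exported with no comment saying which test needs it, and it appears to give the test container full access to the host for every test in the suite. From what is visible on this page the likely reason is the tmpfs mount in tests/fipshmac/runtest.sh; if so, a narrower grant such as `--cap-add SYS_ADMIN` may be enough and is worth trying. Whichever is kept, I would add a comment above the export along the lines of `# fipshmac test mounts a tmpfs inside the container; run only on disposable CI hosts`.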

64
tests/library/Makefile Normal file

@ -0,0 +1,64 @@
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Makefile of /CoreOS/fipscheck/Sanity/library
#
# Description: Test fipscheck API
#
# Author: Ondrej Moris <omoris@redhat.com>
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2017 Red Hat, Inc. All rights reserved.
#
# This copyrighted material is made available to anyone wishing
# to use, modify, copy, or redistribute it subject to the terms
# and conditions of the GNU General Public License version 2.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public
# License along with this program; if not, write to the Free
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
# Boston, MA 02110-1301, USA.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
export TEST=/CoreOS/fipscheck/Sanity/library
export TESTVERSION=1.0
BUILT_FILES=
FILES=$(METADATA) runtest.sh Makefile PURPOSE test.c
.PHONY: all install download clean
run: $(FILES) build
./runtest.sh
build: $(BUILT_FILES)
test -x runtest.sh || chmod a+x runtest.sh
clean:
rm -f *~ $(BUILT_FILES)
include /usr/share/rhts/lib/rhts-make.include
$(METADATA): Makefile
@echo "Owner: Ondrej Moris <omoris@redhat.com>" > $(METADATA)
@echo "Name: $(TEST)" >> $(METADATA)
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
@echo "Path: $(TEST_DIR)" >> $(METADATA)
@echo "Description: Test fipscheck API" >> $(METADATA)
@echo "Type: Sanity" >> $(METADATA)
@echo "TestTime: 15m" >> $(METADATA)
@echo "RunFor: fipscheck" >> $(METADATA)
@echo "Requires: fipscheck fipscheck-devel fipscheck-lib libgcrypt libreswan" >> $(METADATA)
@echo "Priority: Normal" >> $(METADATA)
@echo "License: GPLv2" >> $(METADATA)
@echo "Confidential: no" >> $(METADATA)
@echo "Destructive: no" >> $(METADATA)
rhts-lint $(METADATA)

10
tests/library/PURPOSE Normal file

@ -0,0 +1,10 @@
PURPOSE of /CoreOS/fipscheck/Sanity/library
Test fipscheck library API:
* FIPSCHECK_verify()
* FIPSCHECK_verify_ex()
* FIPSCHECK_verify_files()
* FIPSCHECK_verify_files_ex()
* FIPSCHECK_kernel_fips_mode()
* FIPSCHECK_fips_module_installed()

416
tests/library/runtest.sh Executable file

@ -0,0 +1,416 @@
#!/bin/bash
# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# runtest.sh of /CoreOS/fipscheck/Sanity/library
# Description: Test fipscheck API
# Author: Ondrej Moris <omoris@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2014 Red Hat, Inc. All rights reserved.
#
# This copyrighted material is made available to anyone wishing
# to use, modify, copy, or redistribute it subject to the terms
# and conditions of the GNU General Public License version 2.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public
# License along with this program; if not, write to the Free
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
# Boston, MA 02110-1301, USA.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Include Beaker environment
. /usr/bin/rhts-environment.sh || exit 1
. /usr/share/beakerlib/beakerlib.sh || exit 1
#PACKAGE="fipscheck"
rlJournalStart
rlPhaseStartSetup
rlCheckMakefileRequires || rlDie
# Make sure nothing is prelinked (as expected in FIPS).
rlCheckRpm "prelink" && rlRun "prelink -ua" 0
rlIsRHEL 6 && debug="-DRHEL6"
rlRun "gcc $debug test.c -o test -lfipscheck -ldl"
rlPhaseEnd
rlPhaseStartTest "FIPSCHECK_verify()"
rlLog "Function should return 1 if checksum is valid for a given"
rlLog "library (or a current process), 0 otherwise."
# TC1
fipshmac "test"
rlRun "./test --verify" 1 \
"TC1: process, correct checksum, should return 1"
rm -f ".test.hmac"
# TC2
echo 'abc' > ".test.hmac"
rlRun "./test --verify" 0 \
"TC2: process, incorrect checksum, should return 0"
rm -f ".test.hmac"
# TC3
rm -f ".test.hmac"
rlRun "./test --verify" 0 \
"TC3: process, missing checksum, should return 0"
# Setup for TC4 - TC8.
hmac=$(rpm -ql libgcrypt | grep hmac | head -1)
name=$(echo $hmac | sed 's|^.*/\.\(.\+\).hmac|\1|')
path=$(echo $hmac | sed 's|^\(.\+\)/\..*$|\1/|')
file=$(rpm -ql libgcrypt | egrep "/${name}\$")
symb=$(objdump -T $file | grep .text | awk '{print $7}' | tail -1)
echo "hmac=$hmac"
echo "name=$name"
echo "path=$path"
echo "file=$file"
echo "symb=$symb"
# TC4
rlRun "LD_PRELOAD=$file ./test --verify=${file},${symb}" 1 \
"TC4: library, correct checksum, should return 1"
# TC5
temp=$(mktemp)
mv $hmac $temp
echo 'abc' >$hmac
rlRun "LD_PRELOAD=$file ./test --verify=${file},${symb}" 0 \
"TC5: library, incorrect checksum, should return 0"
mv $temp $hmac
# TC6
temp=$(mktemp)
mv $hmac $temp
rlRun "LD_PRELOAD=$file ./test --verify=${file},${symb}" 0 \
"TC6: library, missing checksum, should return 0"
mv $temp $hmac
# TC7
rlRun "LD_PRELOAD=$file ./test --verify=${file}x,${symb}" 0 \
"TC7: library, incorrect library, should return 0"
# TC8
rlRun "LD_PRELOAD=$file ./test --verify=${file},${symb}x" 0 \
"TC8: library, incorrect symbol, should return 0"
rlPhaseEnd
if !rlIsRHEL 6; then
rlPhaseStartTest "FIPSCHECK_verify_ex()"
rlLog "Function should return 1 if checksum is valid for a current"
rlLog "process or a given library and suffix (if fail_is_missing"
rlLog "is set to 1), 0 otherwise."
# TC1
fipshmac "test"
rlRun "./test --verify-ex" 1 \
"TC1: process, correct checksum, should return 1"
rm -f ".test.hmac"
# TC2
echo 'abc' > ".test.hmac"
rlRun "./test --verify-ex" 0 \
"TC2: process, incorrect checksum, should return 0"
rm -f ".test.hmac"
# TC3
rm -f ".test.hmac"
rlRun "./test --verify-ex" 1 \
"TC3: process, missing checksum (pass if missing), should return 1"
# Setup for TC4 - TC10.
hmac=$(rpm -ql libgcrypt | grep hmac | head -1)
name=$(echo $hmac | sed 's|^.*/\.\(.\+\).hmac|\1|')
path=$(echo $hmac | sed 's|^\(.\+\)/\..*$|\1/|')
file=$(rpm -ql libgcrypt | egrep "/${name}\$")
symb=$(objdump -T $file | grep .text | awk '{print $7}' | tail -1)
echo "hmac=$hmac"
echo "name=$name"
echo "path=$path"
echo "file=$file"
echo "symb=$symb"
# TC4
rlRun "LD_PRELOAD=$file ./test --verify-ex=${file},${symb},.hmac,0" 1 \
"TC4: library, correct checksum, should return 1"
# TC5
temp=$(mktemp)
mv $hmac $temp
echo 'abc' >$hmac
rlRun "LD_PRELOAD=$file ./test --verify-ex=${file},${symb},.hmac,0" 0 \
"TC5: library, incorrect checksum, should return 0"
mv $temp $hmac
# TC6
temp=$(mktemp)
mv $hmac $temp
rlRun "LD_PRELOAD=$file ./test --verify-ex=${file},${symb},.hmac,0" 1 \
"TC6: library, missing checksum (pass is missing), should return 1"
mv $temp $hmac
# TC7
temp=$(mktemp)
mv $hmac $temp
rlRun "LD_PRELOAD=$file ./test --verify-ex=${file},${symb},.hmac,1" 0 \
"TC7: library, missing checksum (fail is missing), should return 0"
mv $temp $hmac
# TC8
rlRun "LD_PRELOAD=$file ./test --verify-ex=${file}x,${symb},.hmac,1" 0 \
"TC8: library, incorrect library, should return 0"
# TC9
rlRun "LD_PRELOAD=$file ./test --verify-ex=${file},${symb}x,.hmac,1" 0 \
"TC9: library, incorrect symbol, should return 0"
# TC10
rlRun "LD_PRELOAD=$file ./test --verify-ex=${file},${symb},.hmacx,1" 0 \
"TC10: library, incorrect suffix, should return 0"
rlPhaseEnd
fi
rlPhaseStartTest "FIPSCHECK_verify_files()"
rlLog "Function should return 1 if checksum is valid for given files"
rlLog "otherwise."
# Setup for TC1 - TC5.
hmac1=$(rpm -ql libgcrypt | grep hmac | head -1)
name1=$(echo $hmac1 | sed 's|^.*/\.\(.\+\).hmac|\1|')
path1=$(echo $hmac1 | sed 's|^\(.\+\)/\..*$|\1/|')
file1=$(rpm -ql libgcrypt | egrep "/${name1}\$")
echo "hmac1=$hmac1"
echo "name1=$name1"
echo "path1=$path1"
echo "file1=$file1"
hmac2=$(rpm -ql libreswan | grep pluto.hmac | head -1)
name2=$(echo $hmac2 | sed 's|^.*/\(.\+\).hmac|\1|')
path2=$(echo $hmac2 | sed 's|^\(.\+\)/.*$|\1/|')
file2=$(rpm -ql libreswan | egrep "ipsec/${name2}\$")
echo "hmac2=$hmac2"
echo "name2=$name2"
echo "path2=$path2"
echo "file2=$file2"
# TC1
rlRun "./test --verify-files ${file1},${file2}" 1 \
"TC1: library, correct checksums, should return 1"
# TC2
temp1=$(mktemp)
mv $hmac1 $temp1
echo 'abc' >$hmac1
rlRun "./test --verify-files=${file1},${file2}" 0 \
"TC2: library, correct and incorrect checksums, should return 0"
mv $temp1 $hmac1
# TC3
temp1=$(mktemp)
temp2=$(mktemp)
mv $hmac1 $temp1
mv $hmac2 $temp2
echo 'abc' >$hmac1
echo 'abc' >$hmac2
rlRun "./test --verify-files=${file1},${file2}" 0 \
"TC3: library, incorrect checksums, should return 0"
mv $temp1 $hmac1
mv $temp2 $hmac2
# TC4
temp1=$(mktemp)
mv $hmac1 $temp1
rlRun "./test --verify-files=${file1},${file2}" 0 \
"TC4: library, one checksum missing, should return 0"
mv $temp1 $hmac1
# TC5
temp1=$(mktemp)
temp2=$(mktemp)
mv $hmac1 $temp1
mv $hmac2 $temp2
rlRun "./test --verify-files=${file1},${file2}" 0 \
"TC5: library, both checksums missing, should return 0"
mv $temp1 $hmac1
mv $temp2 $hmac2
rlPhaseEnd
if !rlIsRHEL 6; then
rlPhaseStartTest "FIPSCHECK_verify_files_ex()"
rlLog "Function should return 1 if checksum is valid for given files"
rlLog "and fail_if_missing is set to 1, 0 otherwise."
# Setup for TC1 - TC8.
hmac1=$(rpm -ql libgcrypt | grep hmac | head -1)
name1=$(echo $hmac1 | sed 's|^.*/\.\(.\+\).hmac|\1|')
path1=$(echo $hmac1 | sed 's|^\(.\+\)/\..*$|\1/|')
file1=$(rpm -ql libgcrypt | egrep "/${name1}\$")
echo "hmac1=$hmac1"
echo "name1=$name1"
echo "path1=$path1"
echo "file1=$file1"
hmac2=$(rpm -ql libreswan | grep hmac | head -1)
name2=$(echo $hmac2 | sed 's|^.*/\(.\+\).hmac|\1|')
path2=$(echo $hmac2 | sed 's|^\(.\+\)/.*$|\1/|')
file2=$(rpm -ql libreswan | egrep "/${name2}\$")
echo "hmac2=$hmac2"
echo "name2=$name2"
echo "path2=$path2"
echo "file2=$file2"
# TC1
rlRun "./test --verify-files-ex .hmac,1,${file1},${file2}" 1 \
"TC1: library, correct checksums, should return 1"
# TC2
temp1=$(mktemp)
mv $hmac1 $temp1
echo 'abc' >$hmac1
rlRun "./test --verify-files-ex=.hmac,1,${file1},${file2}" 0 \
"TC2: library, correct and incorrect checksums, should return 0"
mv $temp1 $hmac1
# TC3
temp1=$(mktemp)
temp2=$(mktemp)
mv $hmac1 $temp1
mv $hmac2 $temp2
echo 'abc' >$hmac1
echo 'abc' >$hmac2
rlRun "./test --verify-files-ex=.hmac,1,${file1},${file2}" 0 \
"TC3: library, incorrect checksums, should return 0"
mv $temp1 $hmac1
mv $temp2 $hmac2
# TC4
temp1=$(mktemp)
mv $hmac1 $temp1
rlRun "./test --verify-files-ex=.hnac,1,${file1},${file2}" 0 \
"TC4: library, one checksum missing (fail if missing), should return 0"
mv $temp1 $hmac1
# TC5
temp1=$(mktemp)
mv $hmac1 $temp1
rlRun "./test --verify-files-ex=.hnac,0,${file1},${file2}" 1 \
"TC5: library, one checksum missing (pass if missing), should return 1"
mv $temp1 $hmac1
# TC6
temp1=$(mktemp)
temp2=$(mktemp)
mv $hmac1 $temp1
mv $hmac2 $temp2
rlRun "./test --verify-files-ex=.hmac,1,${file1},${file2}" 0 \
"TC6: library, both checksums missing (fail if missing), should return 0"
mv $temp1 $hmac1
mv $temp2 $hmac2
# TC7
temp1=$(mktemp)
temp2=$(mktemp)
mv $hmac1 $temp1
mv $hmac2 $temp2
rlRun "./test --verify-files-ex=.hmac,0,${file1},${file2}" 1 \
"TC7: library, both checksums missing (pass if missing), should return 1"
mv $temp1 $hmac1
mv $temp2 $hmac2
# TC8
rlRun "./test --verify-files-ex=.hmacx,1,${file1},${file2}" 0 \
"TC8: library, incorrect suffix, should return 0"
rlPhaseEnd
fi
rlPhaseStartTest "FIPSCHECK_kernel_fips_mode()"
rlLog "Function should return 1 if kernel is in FIPS mode, 0 otherwise."
fips_mode=0
grep 1 /proc/sys/crypto/fips_enabled && fips_mode=1
rlRun "./test --kernel-fips-mode" $fips_mode
rlPhaseEnd
if !rlIsRHEL 6; then
rlPhaseStartTest "FIPSCHECK_fips_module_installed()"
rlLog "Function should return 1 if checksum for given library"
rlLog "(or a current process) is available, 0 otherwise."
# TC1
touch ".test.hmac"
rlRun "./test --fips-module-installed" 1 \
"TC1: process, checksum exists, should return 1"
rm -f ".test.hmac"
# TC2
rm -f ".test.hmac"
rlRun "./test --fips-module-installed" 0 \
"TC2: process, checksum does not exist, should return 0"
# Setup for TC3 - TC7.
hmac=$(rpm -ql libgcrypt | grep hmac | head -1)
name=$(echo $hmac | sed 's|^.*/\.\(.\+\).hmac|\1|')
path=$(echo $hmac | sed 's|^\(.\+\)/\..*$|\1/|')
file=$(rpm -ql libgcrypt | egrep "/${name}\$")
symb=$(objdump -T $file | grep .text | awk '{print $7}' | tail -1)
echo "hmac=$hmac"
echo "name=$name"
echo "path=$path"
echo "file=$file"
echo "symb=$symb"
# TC3
rlRun "LD_PRELOAD=$file ./test --fips-module-installed=${file},${symb},.hmac" 1 \
"TC3: library, checksum exists, should return 1"
# TC4
temp=$(mktemp)
mv $hmac $temp
rlRun "LD_PRELOAD=$file ./test --fips-module-installed=${file},${symb},.hmac" 0 \
"TC4: library, checksum does not exists, should return 0"
mv $temp $hmac
# TC5
rlRun "LD_PRELOAD=$file ./test --fips-module-installed=${file}x,${symb},.hmac" 1 \
"TC5: library, incorrect library, should return 1 (failsafe)"
# TC6
rlRun "LD_PRELOAD=$file ./test --fips-module-installed=${file},${symb}x,.hmac" 1 \
"TC6: library, incorrect symbol, should return 1 (failsafe)"
# TC7
rlRun "LD_PRELOAD=$file ./test --fips-module-installed=${file},${symb},.hmacx" 0 \
"TC7: library, incorrect suffix, should return 0"
rlPhaseEnd
fi
rlPhaseStartCleanup
rlRun "rm -f ./test" 0
rlPhaseEnd
rlJournalPrintText
rlJournalEnd
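Review bot: `if !rlIsRHEL 6; then` has no space after `!`, so as rendered here bash looks for a command literally named `!rlIsRHEL`, the lookup fails, and the `if` body is skipped on every release. This occurs in three places, before the FIPSCHECK_verify_ex(), FIPSCHECK_verify_files_ex() and FIPSCHECK_fips_module_installed() phases, so none of those phases runs and the journal still records no failure; it should be `if ! rlIsRHEL 6; then`. Once they do run, TC4 and TC5 of the verify_files_ex phase pass the suffix `.hnac`, which looks like a typo for `.hmac` and changes what those two cases exercise. The script also moves and overwrites the installed libgcrypt and libreswan `.hmac` files with bare `mv` and `echo` outside `rlRun`, so a failed restore goes unnoticed and leaves the host with a wrong or missing integrity checksum.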

81
tests/library/test.c Normal file

@ -0,0 +1,81 @@
#include <stdio.h>
#include <stdlib.h>
#include <fipscheck.h>
#include <dlfcn.h>
#include <getopt.h>
#include <string.h>
int main(int argc, char *argv[]) {
static struct option long_options[] = {
{ "verify", optional_argument, 0, 1 },
{ "verify-ex", optional_argument, 0, 2 },
{ "verify-files", required_argument, 0, 3 },
{ "verify-files-ex", required_argument, 0, 4 },
{ "fips-module-installed", optional_argument, 0, 5 },
{ "kernel-fips-mode", no_argument, 0, 6 },
{0, 0, 0, 0}
};
int rc = 0, option_index = 0, fail_if_missing;
int c = getopt_long (argc, argv, "", long_options, &option_index);
char *libname = NULL, *symbolname = NULL, *suffix = NULL, *files[3];
switch (c) {
case 1:
if (optarg != NULL) {
libname = strtok(optarg, ",");
symbolname = strtok(NULL, ",");
}
rc = FIPSCHECK_verify(libname, symbolname);
break;
case 2:
if (optarg != NULL) {
libname = strtok(optarg, ",");
symbolname = strtok(NULL, ",");
suffix = strtok(NULL, ",");
fail_if_missing = atoi(strtok(NULL, ","));
}
#ifndef RHEL6
rc = FIPSCHECK_verify_ex(libname, symbolname, suffix, fail_if_missing);
#endif
break;
case 3:
files[0] = strtok(optarg, ",");
files[1] = strtok(NULL, ",");
files[2] = NULL;
rc = FIPSCHECK_verify_files((const char **) files);
break;
case 4:
suffix = strtok(optarg, ",");
fail_if_missing = atoi(strtok(NULL, ","));
files[0] = strtok(NULL, ",");
files[1] = strtok(NULL, ",");
files[2] = NULL;
#ifndef RHEL6
rc = FIPSCHECK_verify_files_ex(suffix, fail_if_missing, (const char **) files);
#endif
break;
case 5:
if (optarg != NULL) {
libname = strtok(optarg, ",");
symbolname = strtok(NULL, ",");
suffix = strtok(NULL, ",");
}
#ifndef RHEL6
rc = FIPSCHECK_fips_module_installed(libname, symbolname, suffix);
#endif
break;
case 6:
rc = FIPSCHECK_kernel_fips_mode();
break;
}
return rc;
}
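Review bot: `fail_if_missing` is declared without an initial value and is assigned only inside `if (optarg != NULL)` in case 2, yet it is passed to `FIPSCHECK_verify_ex()` unconditionally. runtest.sh calls `./test --verify-ex` with no argument and expects the "pass if missing" result, which therefore depends on an indeterminate value; declare it as `int rc = 0, option_index = 0, fail_if_missing = 0;`. Cases 2 and 4 also call `atoi(strtok(NULL, ","))`, which hands NULL to atoi() when the option argument has fewer comma-separated fields than expected, so the strtok() result should be checked first. In case 3 and case 4 a short argument likewise leaves `files[0]` or `files[1]` NULL before the array reaches the library.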

28
tests/tests.yml Normal file

@ -0,0 +1,28 @@
---
# Tests for classic and container
- hosts: localhost
roles:
- role: standard-test-beakerlib
tags:
- classic
- container
tests:
- library
- fipscheck
- fipshmac
required_packages:
- fipscheck # Required for library test
- fipscheck-devel # Required for library test
- fipscheck-lib # Required for library test
- libgcrypt # Required for library test
- libreswan # Required for library test
- gcc # Required for library test
# Tests for Atomic Host
- hosts: localhost
roles:
- role: standard-test-beakerlib
tags:
- atomic
tests:
- fipshmac