Remove FIPS mode test

FIPS mode is currently broken in both Fedora rawhide and RHEL 10. This
test is no longer useful because it's now testing whether GnuTLS works
rather than whether GLib works.

Related: RHEL-44610
Michael Catanzaro 2024-07-10 11:17:52 -05:00
parent 9fa8445723
commit 19168d2368
2 changed files with 20 additions and 75 deletions


@ -41,6 +41,7 @@ BuildRequires: /usr/bin/update-desktop-database
# For gnutls-hmac.patch. We now dlopen libgnutls.so.30 so that we can build a
# static glib2 without depending on a static build of GnuTLS as well. This will
# ensure we notice if the GnuTLS soname bumps, so that we can update our patch.
BuildRequires: gnutls
%if 0%{?__isa_bits} == 64
Requires: libgnutls.so.30()(64bit)
%else
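Review bot: The comment block above `BuildRequires: gnutls` explains the runtime `Requires: libgnutls.so.30` (the dlopen and the soname-bump check), not why GnuTLS is needed at build time, and the new line appears to be the one inserted between that comment and the `%if` it documents. Presumably the build-time dependency is there so the GHmac tests can dlopen libgnutls while the test suite runs; if so, put the line above the comment with its own explanation, for example `# The GHmac tests dlopen libgnutls while the test suite runs.` followed by `BuildRequires: gnutls`. The `%if`/`%else` block continues outside this hunk.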


@ -1,4 +1,4 @@
From d6208fb067695ebf9e1f06b690e82c2b78994e8b Mon Sep 17 00:00:00 2001
From 79c6d81cad24e488c8c17fb5043f29fef11a245e Mon Sep 17 00:00:00 2001
From: Colin Walters <walters@verbum.org>
Date: Fri, 7 Jun 2019 18:44:43 +0000
Subject: [PATCH 1/4] ghmac: Split off wrapper functions into ghmac-utils.c
@ -296,10 +296,10 @@ index d2efebadc..d261dde5a 100644
'ghostutils.c',
'giochannel.c',
--
2.44.0
2.45.2
From a9e3f0c8cc8b06c97958ea1e99e61d9f8200dab7 Mon Sep 17 00:00:00 2001
From 6be9a415a7af65a2cee5518e87a3f313068a2e0e Mon Sep 17 00:00:00 2001
From: Colin Walters <walters@verbum.org>
Date: Fri, 7 Jun 2019 19:36:54 +0000
Subject: [PATCH 2/4] Add a gnutls backend for GHmac
@ -702,7 +702,7 @@ index d261dde5a..b3663f184 100644
libintl_deps,
libm,
diff --git a/meson.build b/meson.build
index 753454209..61ad30b97 100644
index 85e24aa69..34d14f90a 100644
--- a/meson.build
+++ b/meson.build
@@ -2286,6 +2286,13 @@ if host_system == 'linux'
@ -736,10 +736,10 @@ index 69a2135bc..e8599abaa 100644
type : 'boolean',
value : false,
--
2.44.0
2.45.2
From 4e84c697544b099c6e8faea6439d8e03883488be Mon Sep 17 00:00:00 2001
From 678df1ffadcd7fa326d4c5234dd4dbf561f3d09c Mon Sep 17 00:00:00 2001
From: Michael Catanzaro <mcatanzaro@redhat.com>
Date: Wed, 16 Jun 2021 20:35:00 -0500
Subject: [PATCH 3/4] dlopen GnuTLS instead of linking directly
@ -933,7 +933,7 @@ index b3663f184..2340d12b2 100644
libintl_deps,
libm,
diff --git a/meson.build b/meson.build
index 61ad30b97..25beac81a 100644
index 34d14f90a..1e6e14554 100644
--- a/meson.build
+++ b/meson.build
@@ -2286,11 +2286,9 @@ if host_system == 'linux'
@ -951,30 +951,22 @@ index 61ad30b97..25beac81a 100644
if host_system == 'windows'
--
2.44.0
2.45.2
From 820417a079f19179201d0ad2378ed3398139339b Mon Sep 17 00:00:00 2001
From c76bfa6e30ee14bcfb19666ec3e1f3bd379143bd Mon Sep 17 00:00:00 2001
From: Michael Catanzaro <mcatanzaro@redhat.com>
Date: Wed, 16 Jun 2021 20:46:24 -0500
Subject: [PATCH] Add test for GHmac in FIPS mode
Subject: [PATCH 4/4] Disable MD5 and SHA-1 HMac tests
This will test a few problems that we hit recently:
g_hmac_copy() is broken, https://bugzilla.redhat.com/show_bug.cgi?id=1786538
Crash in g_hmac_update() in FIPS mode, https://bugzilla.redhat.com/show_bug.cgi?id=1971533
Crash when passing -1 length to g_hmac_update() (discovered in #1971533)
We'll also test to ensure MD5 fails, and stop compiling the other MD5
tests.
These are expected to be broken, depending on system crypto policy,
which may disable the algorithms.
---
glib/tests/hmac.c | 48 +++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 48 insertions(+)
glib/tests/hmac.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/glib/tests/hmac.c b/glib/tests/hmac.c
index 3ac3206df..264d4fb84 100644
index 3ac3206df..e7f3fdf08 100644
--- a/glib/tests/hmac.c
+++ b/glib/tests/hmac.c
@@ -1,7 +1,10 @@
@ -1012,48 +1004,10 @@ index 3ac3206df..264d4fb84 100644
HmacCase hmac_sha256_tests[] = {
{ G_CHECKSUM_SHA256, key_sha_test1, 20, "Hi There", 8, result_sha256_test1 },
@@ -493,13 +499,48 @@ test_hmac_for_bytes (void)
g_bytes_unref (data);
}
+#ifdef USE_GNUTLS
+static void
+test_gnutls_fips_mode (void)
+{
+ GHmac *hmac;
+ GHmac *copy;
+
+ /* No MD5 in FIPS mode. */
+ hmac = g_hmac_new (G_CHECKSUM_MD5, (guchar*)"abc123", sizeof ("abc123"));
+ g_assert_null (hmac);
+
+ /* SHA-256 should be good. */
+ hmac = g_hmac_new (G_CHECKSUM_SHA256, (guchar*)"abc123", sizeof ("abc123"));
+ g_assert_nonnull (hmac);
+
+ /* Ensure g_hmac_update() does not crash when called with -1. */
+ g_hmac_update (hmac, (guchar*)"You win again, gravity!", -1);
+
+ /* Ensure g_hmac_copy() does not crash. */
+ copy = g_hmac_copy (hmac);
+ g_assert_nonnull (hmac);
+ g_hmac_unref (hmac);
+
+ g_assert_cmpstr (g_hmac_get_string (copy), ==, "795ba6900bcb22e8ce65c2ec02db4e85697da921deb960ee3143bf88a4a60f83");
+ g_hmac_unref (copy);
+}
+#endif
+
int
main (int argc,
@@ -498,8 +504,10 @@ main (int argc,
char **argv)
{
int i;
+
+#ifdef USE_GNUTLS
+ /* This has to happen before GnuTLS is dlopened. */
+ g_setenv ("GNUTLS_FORCE_FIPS_MODE", "1", FALSE);
+#endif
+
g_test_init (&argc, &argv, NULL);
@ -1061,7 +1015,7 @@ index 3ac3206df..264d4fb84 100644
for (i = 0 ; hmac_sha1_tests[i].key_len > 0 ; i++)
{
gchar *name = g_strdup_printf ("/hmac/sha1-%d", i + 1);
@@ -507,6 +548,7 @@ main (int argc,
@@ -507,6 +515,7 @@ main (int argc,
(void (*)(const void *)) test_hmac);
g_free (name);
}
@ -1069,7 +1023,7 @@ index 3ac3206df..264d4fb84 100644
for (i = 0 ; hmac_sha256_tests[i].key_len > 0 ; i++)
{
@@ -532,6 +574,7 @@ main (int argc,
@@ -532,6 +541,7 @@ main (int argc,
g_free (name);
}
@ -1077,7 +1031,7 @@ index 3ac3206df..264d4fb84 100644
for (i = 0 ; hmac_md5_tests[i].key_len > 0 ; i++)
{
gchar *name = g_strdup_printf ("/hmac/md5-%d", i + 1);
@@ -539,6 +582,7 @@ main (int argc,
@@ -539,6 +549,7 @@ main (int argc,
(void (*)(const void *)) test_hmac);
g_free (name);
}
@ -1085,16 +1039,6 @@ index 3ac3206df..264d4fb84 100644
g_test_add_func ("/hmac/ref-unref", test_hmac_ref_unref);
g_test_add_func ("/hmac/copy", test_hmac_copy);
@@ -546,5 +590,9 @@ main (int argc,
g_test_add_func ("/hmac/for-string", test_hmac_for_string);
g_test_add_func ("/hmac/for-bytes", test_hmac_for_bytes);
+#ifdef USE_GNUTLS
+ g_test_add_func ("/hmac/gnutls-fips-mode", test_gnutls_fips_mode);
+#endif
+
return g_test_run ();
}
--
2.45.2
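Review bot: Dropping `test_gnutls_fips_mode` also removes the only call visible in this section that passes length `-1` to `g_hmac_update()` on the GnuTLS backend, and that crash was a memory-safety regression rather than a FIPS-policy check. The SHA-256 half of the removed test should not depend on FIPS mode, since its expected digest is plain HMAC-SHA256, so it could stay as a backend regression test without the `g_setenv ("GNUTLS_FORCE_FIPS_MODE", "1", FALSE);` call and the MD5 assertion, registered as something like `g_test_add_func ("/hmac/update-negative-length", test_hmac_update_negative_length);`. Separately, patch 4/4 disables the MD5 and SHA-1 cases because crypto policy may reject them, but the guard lines are not shown here. If they are compile-time guards, a runtime skip when `g_hmac_new ()` returns NULL for those two algorithms would keep coverage on systems whose policy still allows them.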