From 19168d23680df32ba05b608d47453505261c315b Mon Sep 17 00:00:00 2001 From: Michael Catanzaro Date: Wed, 10 Jul 2024 11:17:52 -0500 Subject: [PATCH] Remove FIPS mode test FIPS mode is currently broken in both Fedora rawhide and RHEL 10. This test is no longer useful because it's now testing whether GnuTLS works rather than whether GLib works. Related: RHEL-44610 --- glib2.spec | 1 + gnutls-hmac.patch | 94 ++++++++++------------------------------------- 2 files changed, 20 insertions(+), 75 deletions(-) diff --git a/glib2.spec b/glib2.spec index 2dd161c..6d58b51 100644 --- a/glib2.spec +++ b/glib2.spec @@ -41,6 +41,7 @@ BuildRequires: /usr/bin/update-desktop-database # For gnutls-hmac.patch. We now dlopen libgnutls.so.30 so that we can build a # static glib2 without depending on a static build of GnuTLS as well. This will # ensure we notice if the GnuTLS soname bumps, so that we can update our patch. +BuildRequires: gnutls %if 0%{?__isa_bits} == 64 Requires: libgnutls.so.30()(64bit) %else diff --git a/gnutls-hmac.patch b/gnutls-hmac.patch index 52681f2..e9c9b0d 100644 --- a/gnutls-hmac.patch +++ b/gnutls-hmac.patch @@ -1,4 +1,4 @@ -From d6208fb067695ebf9e1f06b690e82c2b78994e8b Mon Sep 17 00:00:00 2001 +From 79c6d81cad24e488c8c17fb5043f29fef11a245e Mon Sep 17 00:00:00 2001 From: Colin Walters Date: Fri, 7 Jun 2019 18:44:43 +0000 Subject: [PATCH 1/4] ghmac: Split off wrapper functions into ghmac-utils.c @@ -296,10 +296,10 @@ index d2efebadc..d261dde5a 100644 'ghostutils.c', 'giochannel.c', -- -2.44.0 +2.45.2 -From a9e3f0c8cc8b06c97958ea1e99e61d9f8200dab7 Mon Sep 17 00:00:00 2001 +From 6be9a415a7af65a2cee5518e87a3f313068a2e0e Mon Sep 17 00:00:00 2001 From: Colin Walters Date: Fri, 7 Jun 2019 19:36:54 +0000 Subject: [PATCH 2/4] Add a gnutls backend for GHmac @@ -702,7 +702,7 @@ index d261dde5a..b3663f184 100644 libintl_deps, libm, diff --git a/meson.build b/meson.build -index 753454209..61ad30b97 100644 +index 85e24aa69..34d14f90a 100644 --- a/meson.build 
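Review bot: The new `BuildRequires: gnutls` in the glib2.spec hunk sits between the existing comment and the `%if`/`Requires: libgnutls.so.30` lines that comment describes, so the soname remark now reads as if it explains the build dependency. Neither the spec nor the commit description says why GnuTLS is needed at build time. Presumably it is there so the HMAC tests can dlopen libgnutls.so.30 during the build, but that is not visible here. If so, place the line above the existing comment with its own note, for example `# Needed at build time so the HMAC tests can dlopen libgnutls.so.30.`, so the original comment stays directly above the `Requires` lines.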
+++ b/meson.build @@ -2286,6 +2286,13 @@ if host_system == 'linux' @@ -736,10 +736,10 @@ index 69a2135bc..e8599abaa 100644 type : 'boolean', value : false, -- -2.44.0 +2.45.2 -From 4e84c697544b099c6e8faea6439d8e03883488be Mon Sep 17 00:00:00 2001 +From 678df1ffadcd7fa326d4c5234dd4dbf561f3d09c Mon Sep 17 00:00:00 2001 From: Michael Catanzaro Date: Wed, 16 Jun 2021 20:35:00 -0500 Subject: [PATCH 3/4] dlopen GnuTLS instead of linking directly @@ -933,7 +933,7 @@ index b3663f184..2340d12b2 100644 libintl_deps, libm, diff --git a/meson.build b/meson.build -index 61ad30b97..25beac81a 100644 +index 34d14f90a..1e6e14554 100644 --- a/meson.build +++ b/meson.build @@ -2286,11 +2286,9 @@ if host_system == 'linux' @@ -951,30 +951,22 @@ index 61ad30b97..25beac81a 100644 if host_system == 'windows' -- -2.44.0 +2.45.2 -From 820417a079f19179201d0ad2378ed3398139339b Mon Sep 17 00:00:00 2001 +From c76bfa6e30ee14bcfb19666ec3e1f3bd379143bd Mon Sep 17 00:00:00 2001 From: Michael Catanzaro Date: Wed, 16 Jun 2021 20:46:24 -0500 -Subject: [PATCH] Add test for GHmac in FIPS mode +Subject: [PATCH 4/4] Disable MD5 and SHA-1 HMac tests -This will test a few problems that we hit recently: - -g_hmac_copy() is broken, https://bugzilla.redhat.com/show_bug.cgi?id=1786538 - -Crash in g_hmac_update() in FIPS mode, https://bugzilla.redhat.com/show_bug.cgi?id=1971533 - -Crash when passing -1 length to g_hmac_update() (discovered in #1971533) - -We'll also test to ensure MD5 fails, and stop compiling the other MD5 -tests. +These are expected to be broken, depending on system crypto policy, +which may disable the algorithms. --- - glib/tests/hmac.c | 48 +++++++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 48 insertions(+) + glib/tests/hmac.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) diff --git a/glib/tests/hmac.c b/glib/tests/hmac.c -index 3ac3206df..264d4fb84 100644 +index 3ac3206df..e7f3fdf08 100644 --- a/glib/tests/hmac.c +++ b/glib/tests/hmac.c @@ -1,7 +1,10 @@ 
@@ -1012,48 +1004,10 @@ index 3ac3206df..264d4fb84 100644 HmacCase hmac_sha256_tests[] = { { G_CHECKSUM_SHA256, key_sha_test1, 20, "Hi There", 8, result_sha256_test1 }, -@@ -493,13 +499,48 @@ test_hmac_for_bytes (void) - g_bytes_unref (data); - } - -+#ifdef USE_GNUTLS -+static void -+test_gnutls_fips_mode (void) -+{ -+ GHmac *hmac; -+ GHmac *copy; -+ -+ /* No MD5 in FIPS mode. */ -+ hmac = g_hmac_new (G_CHECKSUM_MD5, (guchar*)"abc123", sizeof ("abc123")); -+ g_assert_null (hmac); -+ -+ /* SHA-256 should be good. */ -+ hmac = g_hmac_new (G_CHECKSUM_SHA256, (guchar*)"abc123", sizeof ("abc123")); -+ g_assert_nonnull (hmac); -+ -+ /* Ensure g_hmac_update() does not crash when called with -1. */ -+ g_hmac_update (hmac, (guchar*)"You win again, gravity!", -1); -+ -+ /* Ensure g_hmac_copy() does not crash. */ -+ copy = g_hmac_copy (hmac); -+ g_assert_nonnull (hmac); -+ g_hmac_unref (hmac); -+ -+ g_assert_cmpstr (g_hmac_get_string (copy), ==, "795ba6900bcb22e8ce65c2ec02db4e85697da921deb960ee3143bf88a4a60f83"); -+ g_hmac_unref (copy); -+} -+#endif -+ - int - main (int argc, +@@ -498,8 +504,10 @@ main (int argc, char **argv) { int i; -+ -+#ifdef USE_GNUTLS -+ /* This has to happen before GnuTLS is dlopened. */ -+ g_setenv ("GNUTLS_FORCE_FIPS_MODE", "1", FALSE); -+#endif + g_test_init (&argc, &argv, NULL); @@ -1061,7 +1015,7 @@ index 3ac3206df..264d4fb84 100644 for (i = 0 ; hmac_sha1_tests[i].key_len > 0 ; i++) { gchar *name = g_strdup_printf ("/hmac/sha1-%d", i + 1); -@@ -507,6 +548,7 @@ main (int argc, +@@ -507,6 +515,7 @@ main (int argc, (void (*)(const void *)) test_hmac); g_free (name); } @@ -1069,7 +1023,7 @@ index 3ac3206df..264d4fb84 100644 for (i = 0 ; hmac_sha256_tests[i].key_len > 0 ; i++) { -@@ -532,6 +574,7 @@ main (int argc, +@@ -532,6 +541,7 @@ main (int argc, g_free (name); } 
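Review bot: Dropping `test_gnutls_fips_mode` in this hunk also drops the only visible check that `g_hmac_update()` accepts a length of -1 with the GnuTLS backend, a case the removed patch description lists as a past crash and which does not depend on FIPS mode. A -1 length that reaches the backend unconverted would be treated as a very large size, so it is worth keeping as a regression test with SHA-256 and without `GNUTLS_FORCE_FIPS_MODE`, unless another test in hmac.c already passes -1 (not visible here). The sketch below reuses the key, data and expected digest from the removed test. `main()` continues outside this hunk, so the registration line is shown only for placement.

```c
/* … unchanged: test_hmac_for_bytes … */

static void
test_hmac_update_implicit_length (void)
{
  GHmac *hmac;

  hmac = g_hmac_new (G_CHECKSUM_SHA256, (guchar*)"abc123", sizeof ("abc123"));
  g_assert_nonnull (hmac);

  /* -1 means "NUL-terminated string"; the backend must receive the real length. */
  g_hmac_update (hmac, (guchar*)"You win again, gravity!", -1);

  g_assert_cmpstr (g_hmac_get_string (hmac), ==, "795ba6900bcb22e8ce65c2ec02db4e85697da921deb960ee3143bf88a4a60f83");
  g_hmac_unref (hmac);
}

/* … unchanged: main() setup and existing g_test_add_func registrations … */
  g_test_add_func ("/hmac/update-implicit-length", test_hmac_update_implicit_length);
```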
@@ -1077,7 +1031,7 @@ index 3ac3206df..264d4fb84 100644 for (i = 0 ; hmac_md5_tests[i].key_len > 0 ; i++) { gchar *name = g_strdup_printf ("/hmac/md5-%d", i + 1); -@@ -539,6 +582,7 @@ main (int argc, +@@ -539,6 +549,7 @@ main (int argc, (void (*)(const void *)) test_hmac); g_free (name); } @@ -1085,16 +1039,6 @@ index 3ac3206df..264d4fb84 100644 g_test_add_func ("/hmac/ref-unref", test_hmac_ref_unref); g_test_add_func ("/hmac/copy", test_hmac_copy); -@@ -546,5 +590,9 @@ main (int argc, - g_test_add_func ("/hmac/for-string", test_hmac_for_string); - g_test_add_func ("/hmac/for-bytes", test_hmac_for_bytes); - -+#ifdef USE_GNUTLS -+ g_test_add_func ("/hmac/gnutls-fips-mode", test_gnutls_fips_mode); -+#endif -+ - return g_test_run (); - } -- 2.45.2