From 74d64f9b6ac0cddf5705e0cd4ca34c72971b6fce Mon Sep 17 00:00:00 2001
From: Zoltan Fridrich <zfridric@redhat.com>
Date: Thu, 17 Feb 2022 09:37:05 +0100
Subject: [PATCH] Fix upstream testsuite in fips mode

Resolves: #2051637
Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
---
 gnutls-3.7.3-fix-tests-in-fips.patch | 70 ++++++++++++++++++++++++++++
 gnutls.spec                          |  6 ++-
 2 files changed, 75 insertions(+), 1 deletion(-)
 create mode 100644 gnutls-3.7.3-fix-tests-in-fips.patch

diff --git a/gnutls-3.7.3-fix-tests-in-fips.patch b/gnutls-3.7.3-fix-tests-in-fips.patch
new file mode 100644
index 0000000..a5c8bee
--- /dev/null
+++ b/gnutls-3.7.3-fix-tests-in-fips.patch
@@ -0,0 +1,70 @@
+From 2c33761787f6530cf3984310a5f3b7dd05a7b375 Mon Sep 17 00:00:00 2001
+From: Zoltan Fridrich <zfridric@redhat.com>
+Date: Thu, 17 Feb 2022 11:46:29 +0100
+Subject: [PATCH] Disable some tests in fips mode
+
+Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
+---
+ tests/pkcs11/pkcs11-eddsa-privkey-test.c | 5 +++++
+ tests/pkcs11/tls-neg-pkcs11-key.c        | 8 +++++++-
+ 2 files changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/tests/pkcs11/pkcs11-eddsa-privkey-test.c b/tests/pkcs11/pkcs11-eddsa-privkey-test.c
+index 44515da3f..ebbfe5278 100644
+--- a/tests/pkcs11/pkcs11-eddsa-privkey-test.c
++++ b/tests/pkcs11/pkcs11-eddsa-privkey-test.c
+@@ -107,6 +107,11 @@ void doit(void)
+ 		fail("%d: %s\n", ret, gnutls_strerror(ret));
+ 	}
+ 
++	if (gnutls_fips140_mode_enabled()) {
++		gnutls_global_deinit();
++		return;
++	}
++
+ 	gnutls_pkcs11_set_pin_function(pin_func, NULL);
+ 	gnutls_global_set_log_function(tls_log_func);
+ 	if (debug)
+diff --git a/tests/pkcs11/tls-neg-pkcs11-key.c b/tests/pkcs11/tls-neg-pkcs11-key.c
+index fc7c3dc4e..5cc1ae6e2 100644
+--- a/tests/pkcs11/tls-neg-pkcs11-key.c
++++ b/tests/pkcs11/tls-neg-pkcs11-key.c
+@@ -268,6 +268,7 @@ typedef struct test_st {
+ 	int exp_serv_err;
+ 	int needs_eddsa;
+ 	int needs_decryption;
++	int nofips;
+ 	unsigned requires_pkcs11_pss;
+ } test_st;
+ 
+@@ -340,6 +341,7 @@ static const test_st tests[] = {
+ 	 .cert = &server_ca3_eddsa_cert,
+ 	 .key = &server_ca3_eddsa_key,
+ 	 .exp_kx = GNUTLS_KX_ECDHE_RSA,
++	 .nofips = 1
+ 	},
+ 	{.name = "tls1.3: ecc key",
+ 	 .pk = GNUTLS_PK_ECDSA,
+@@ -392,7 +394,8 @@ static const test_st tests[] = {
+ 	 .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA",
+ 	 .cert = &server_ca3_eddsa_cert,
+ 	 .key = &server_ca3_eddsa_key,
+-	 .exp_kx = GNUTLS_KX_ECDHE_RSA
++	 .exp_kx = GNUTLS_KX_ECDHE_RSA,
++	 .nofips = 1
+ 	}
+ };
+ 
+@@ -448,6 +451,9 @@ void doit(void)
+ 	have_eddsa = verify_eddsa_presence();
+ 
+ 	for (i=0;i<sizeof(tests)/sizeof(tests[0]);i++) {
++		if (tests[i].nofips && gnutls_fips140_mode_enabled())
++			continue;
++
+ 		if (tests[i].needs_eddsa && !have_eddsa)
+ 			continue;
+ 
+-- 
+2.35.1
+
diff --git a/gnutls.spec b/gnutls.spec
index dd3a738..0086256 100644
--- a/gnutls.spec
+++ b/gnutls.spec
@@ -13,7 +13,7 @@ print(string.sub(hash, 0, 16))
 }
 
 Version: 3.7.3
-Release: 4%{?dist}
+Release: 5%{?dist}
 Patch1:	gnutls-3.6.7-no-now-guile.patch
 Patch2:	gnutls-3.2.7-rpath.patch
 Patch3:	gnutls-3.7.2-enable-intel-cet.patch
@@ -22,6 +22,7 @@ Patch5: gnutls-3.7.3-disable-config-reload.patch
 Patch6: gnutls-3.7.3-fips-rsa-keygen.patch
 Patch7: gnutls-3.7.3-ktls-stub.patch
 Patch8: gnutls-3.7.3-fips-pkcs12.patch
+Patch9: gnutls-3.7.3-fix-tests-in-fips.patch
 %bcond_with bootstrap
 %bcond_without dane
 %if 0%{?rhel}
@@ -334,6 +335,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null
 %endif
 
 %changelog
+* Thu Feb 17 2022 Zoltan Fridrich <zfridric@redhat.com> - 3.7.3-5
+- Fix upstream testsuite in fips mode (#2051637)
+
 * Wed Feb 16 2022 Daiki Ueno <dueno@redhat.com> - 3.7.3-4
 - Specify FIPS140-3 module name and version
 - fips: allow a few more primes in RSA key generation