setup OpenSSL FIPS provider in test phase
Since OpenSSL 3, GOLANG_FIPS=1 is no longer sufficient to exercise FIPS functionality, so a custom OpenSSL config is created that enables the OpenSSL FIPS provider in the test phase of the specfile.
This commit is contained in:
parent
d5a8a5e3a1
commit
31059f957a
49
grafana.spec
49
grafana.spec
@ -93,6 +93,9 @@ BuildRequires: nodejs >= 1:14, yarnpkg
|
||||
|
||||
%if %{enable_fips_mode}
|
||||
BuildRequires: openssl-devel
|
||||
|
||||
# only required for running the FIPS test
|
||||
BuildRequires: openssl
|
||||
%endif
|
||||
|
||||
# omit golang debugsource, see BZ995136 and related
|
||||
@ -607,6 +610,52 @@ export TZ=GMT
|
||||
%gotest ./pkg/...
|
||||
|
||||
%if %{enable_fips_mode}
|
||||
# FIPS setup instructions lifted from golang.spec:
|
||||
# https://gitlab.com/redhat/centos-stream/rpms/golang/-/blob/c9s/golang.spec
|
||||
|
||||
TEST_BORING_CONFIGS=`mktemp -d`
|
||||
TEST_BORING_CNF=$TEST_BORING_CONFIGS/openssl-boring.cnf
|
||||
TEST_BORING_FIPS_CNF=$TEST_BORING_CONFIGS/fipsmodule.cnf
|
||||
trap "rm -rf $TEST_BORING_CONFIGS" EXIT
|
||||
|
||||
cp /etc/pki/tls/openssl.cnf $TEST_BORING_CNF
|
||||
openssl fipsinstall -module /usr/lib64/ossl-modules/fips.so -out $TEST_BORING_FIPS_CNF
|
||||
|
||||
cat > $TEST_BORING_CNF << EOM
|
||||
openssl_conf = openssl_test
|
||||
|
||||
[openssl_test]
|
||||
providers = provider_test
|
||||
alg_section = algorithm_test
|
||||
ssl_conf = ssl_module
|
||||
|
||||
[algorithm_test]
|
||||
default_properties = fips=yes
|
||||
|
||||
[provider_test]
|
||||
default = default_sect
|
||||
# The fips section name should match the section name inside the
|
||||
# included fipsmodule.cnf.
|
||||
fips = fips_sect
|
||||
.include $TEST_BORING_FIPS_CNF
|
||||
|
||||
[default_sect]
|
||||
activate = 1
|
||||
|
||||
[ ssl_module ]
|
||||
|
||||
system_default = crypto_policy
|
||||
|
||||
[ crypto_policy ]
|
||||
|
||||
.include = /etc/crypto-policies/back-ends/opensslcnf.config
|
||||
|
||||
[ new_oids ]
|
||||
|
||||
EOM
|
||||
|
||||
|
||||
export OPENSSL_CONF=$TEST_BORING_CNF
|
||||
GOLANG_FIPS=1 go test -v ./pkg/util -run TestEncryption
|
||||
%endif
|
||||
|
||||
|
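Review bot: The `cp /etc/pki/tls/openssl.cnf $TEST_BORING_CNF` line is dead — the `cat > $TEST_BORING_CNF << EOM` heredoc that follows overwrites the file entirely, so either drop the `cp` or, if the system defaults were meant to be preserved, append with `cat >> $TEST_BORING_CNF << EOM` instead. The provider path `/usr/lib64/ossl-modules/fips.so` is hard-coded, which makes `openssl fipsinstall` fail on architectures where the module lives under /usr/lib; `-module %{_libdir}/ossl-modules/fips.so` lets rpm substitute the arch-correct directory. Note also that `go test -run TestEncryption` exits 0 when no test matches the pattern, so a renamed or removed test would silently turn this FIPS check into a no-op; consider grepping the `-v` output for `=== RUN   TestEncryption` and failing when it is absent. The enclosing spec section (presumably %check, given the `export TZ=GMT` in the hunk header) starts before this hunk.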