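#!/bin/bash
# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
#   runtest.sh of /CoreOS/gnutls/Sanity/fips-without-etc-system-fips
#   Description: FIPS mode without /etc/system-fips
#   Author: Alexander Sosedkin
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
#   Copyright (c) 2020 Red Hat, Inc.
#
#   This program is free software: you can redistribute it and/or
#   modify it under the terms of the GNU General Public License as
#   published by the Free Software Foundation, either version 2 of
#   the License, or (at your option) any later version.
#
#   This program is distributed in the hope that it will be
#   useful, but WITHOUT ANY WARRANTY; without even the implied
#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
#   PURPOSE. See the GNU General Public License for more details.
#
#   You should have received a copy of the GNU General Public License
#   along with this program. If not, see http://www.gnu.org/licenses/.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# NOTE(review): the test path above names gnutls while PACKAGE below is
# libgcrypt -- looks like a leftover from a template; confirm.
#
# What is checked:
#   * the probe binary gcry-fips-random reports "FIPS_MODE: <0|1>" matching
#     $fipsMode and "OPERATIONAL: 1";
#   * with FIPS enabled, a tampered .libgcrypt.so.??.hmac must make the probe
#     exit non-zero (presumably the library's integrity self-test -- confirm
#     against gcry-fips-random.c); with FIPS disabled the same tampering must
#     NOT break the probe;
#   * on newer releases both checks are repeated with /etc/system-fips moved
#     out of the way.
#
# The test edits system files (/etc/system-fips, the library's .hmac). If the
# run is interrupted between the tampering and rlFileRestore, the machine is
# left with a modified .hmac and must be repaired by hand.

# Include Beaker environment
. /usr/bin/rhts-environment.sh || exit 1
. /usr/share/beakerlib/beakerlib.sh || exit 1

PACKAGE='libgcrypt'

# Set to 1 once /etc/system-fips has been moved aside, so that cleanup knows
# it has a leftover copy to remove.
systemFipsMoved=0

#######################################
# Run the probe and assert the state it prints.
# Arguments: $1 - expected FIPS_MODE flag (0 or 1)
#######################################
probeExpectOperational() {
    local fips_flag=$1

    rlRun -s './gcry-fips-random'
    rlAssertGrep "FIPS_MODE: ${fips_flag}" "$rlRun_LOG"
    rlAssertGrep "OPERATIONAL: 1" "$rlRun_LOG"
}

#######################################
# Back up (namespace "hmacfile") and tamper with every libgcrypt .hmac file
# found under /usr/lib*, then confirm each file really changed.
# Globals:   TmpDir (read)
# Returns:   1 when no .hmac file exists (nothing was backed up), else 0.
#            The caller must run 'rlFileRestore --namespace hmacfile' after 0.
#######################################
corruptHmac() {
    local f saved n=0
    # Glob into an array instead of parsing 'ls': with two matches (lib and
    # lib64) a newline-joined string would be split into a second command
    # once it is interpolated into an rlRun string.
    local -a hmacfiles=(/usr/lib*/.libgcrypt.so.??.hmac)

    # An unmatched glob stays literal, so test the first entry for existence.
    if [[ ! -e ${hmacfiles[0]} ]]; then
        rlFail "No .libgcrypt.so.??.hmac file found under /usr/lib*"
        return 1
    fi

    rlFileBackup --namespace hmacfile "${hmacfiles[@]}"
    for f in "${hmacfiles[@]}"; do
        saved="$TmpDir/hmac.before.$((n++))"
        rlRun "cp '$f' '$saved'"
        rlRun "sed -i 's/0/1/;s/1/2/;s/2/3/' '$f'"
        # The sed expressions only touch the digits 0, 1 and 2; make sure the
        # file is not byte-identical afterwards, otherwise the checks that
        # follow would run against an untampered HMAC and prove nothing.
        rlRun "! cmp -s '$f' '$saved'" 0 "Content of $f was really altered"
    done
    return 0
}

#######################################
# Decide whether the "no /etc/system-fips" variants apply to this system.
# Returns: 0 when they should run.
#######################################
systemFipsOptional() {
    (rlIsRHEL && ! rlIsRHEL '<8.3') \
        || (rlIsFedora && ! rlIsFedora '<33') \
        || rlCheckRpm libgcrypt 1.8.5
}

#######################################
# Phase: move /etc/system-fips aside (best effort).
# Globals: systemFipsMoved (written)
#######################################
dropSystemFips() {
    rlPhaseStartTest 'RHEL >=8.3 or Fedora >=33 try removing /etc/system-fips'
        # The file might disappear later completely so no need to error out
        rlRun "mv /etc/system-fips /etc/system-fips.disabled || :"
        systemFipsMoved=1
    rlPhaseEnd
}

rlJournalStart
    rlPhaseStartSetup
        rlAssertRpm $PACKAGE
        rlRun "TmpDir=\$(mktemp -d)" 0 'Creating tmp directory'
        rlRun "cp gcry-fips-random.c $TmpDir/"
        rlRun "pushd $TmpDir"
        # presumably this library is what sets $fipsMode -- confirm
        rlRun 'rlImport distribution/fips'
        rlRun 'make CFLAGS="-g -O2 -Wall" LDFLAGS=-lgcrypt gcry-fips-random'
        rlFileBackup "/etc/system-fips"
    rlPhaseEnd

    if [[ $fipsMode == 'enabled' ]]; then
        rlPhaseStartTest "Check operation with FIPS $fipsMode"
            probeExpectOperational 1
        rlPhaseEnd

        rlPhaseStartTest "Check operation with FIPS $fipsMode (corrupted hmac)"
            if corruptHmac; then
                # FIPS on: a tampered HMAC has to be fatal for the probe.
                rlRun -s './gcry-fips-random' 1-255
                rlFileRestore --namespace hmacfile
            fi
        rlPhaseEnd

        if systemFipsOptional; then
            dropSystemFips

            rlPhaseStartTest "Check operation with FIPS $fipsMode (no system-fips)"
                probeExpectOperational 1
            rlPhaseEnd

            rlPhaseStartTest "Check operation with FIPS $fipsMode (no system-fips corrupted hmac)"
                if corruptHmac; then
                    rlRun -s './gcry-fips-random' 1-255
                    rlFileRestore --namespace hmacfile
                fi
            rlPhaseEnd
        fi
    elif [[ $fipsMode == 'disabled' ]]; then
        rlPhaseStartTest "Check operation with FIPS $fipsMode"
            probeExpectOperational 0
        rlPhaseEnd

        rlPhaseStartTest "Check operation with FIPS $fipsMode (corrupted hmac)"
            if corruptHmac; then
                # FIPS off: the tampered HMAC must not affect the probe.
                probeExpectOperational 0
                rlFileRestore --namespace hmacfile
            fi
        rlPhaseEnd

        if systemFipsOptional; then
            dropSystemFips

            rlPhaseStartTest "Check operation with FIPS $fipsMode (no system-fips)"
                probeExpectOperational 0
            rlPhaseEnd

            rlPhaseStartTest "Check operation with FIPS $fipsMode (no system-fips corrupted hmac)"
                if corruptHmac; then
                    probeExpectOperational 0
                    rlFileRestore --namespace hmacfile
                fi
            rlPhaseEnd
        fi
    else
        # Fail closed: without this branch an unset or unexpected $fipsMode
        # skips every check and the run still looks green.
        rlPhaseStartTest "Check FIPS mode value"
            rlFail "fipsMode is '${fipsMode}', expected 'enabled' or 'disabled'; no checks were run"
        rlPhaseEnd
    fi

    rlPhaseStartCleanup
        rlFileRestore
        if [[ $systemFipsMoved == 1 ]]; then
            # rlFileRestore puts /etc/system-fips back from its backup; the
            # copy created by the mv above would otherwise stay in /etc.
            rlRun "rm -f /etc/system-fips.disabled"
        fi
        rlRun 'popd'
        rlRun "rm -r $TmpDir" 0 'Removing tmp directory'
    rlPhaseEnd
rlJournalEnd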