stunnel/stunnel-5.61-fips-test.patch

Skip FIPS tests if FIPS is unconfigured

When built against OpenSSL 3 with the enable-fips option, the FIPS
shared library can be loaded, but unless the system administrator has
run openssl fipsinstall and modified the OpenSSL configuration, FIPS
mode will still fail with an error message saying it is missing config
data.

Since this does not indicate a problem with stunnel's code, but with the
underlying OpenSSL setup, skip the test if this occurs. This is the same
behavior when running against a copy of OpenSSL 3.x that was not built with
'enable-fips'.

Upstream-Status: Inappropriate [configuration]
diff -up stunnel-5.61/tests/plugins/p10_fips.py.fips-tests stunnel-5.61/tests/plugins/p10_fips.py
--- stunnel-5.61/tests/plugins/p10_fips.py.fips-tests	2022-01-12 11:40:11.121241545 +0100
+++ stunnel-5.61/tests/plugins/p10_fips.py	2022-01-12 11:45:01.791364483 +0100
@@ -29,7 +29,8 @@ class FIPSTest(StunnelTest):
         self.events.skip = [
             "FIPS provider not available",
             "fips mode not supported",
-            r"FIPS PROVIDER.*could not load the shared library"
+            r"FIPS PROVIDER.*could not load the shared library",
+            r"FIPS PROVIDER.*missing config data"
         ]
         self.events.failure = [
             "peer did not return a certificate",
diff -up stunnel-5.61/tests/plugins/p11_fips_cipher.py.fips-tests stunnel-5.61/tests/plugins/p11_fips_cipher.py
--- stunnel-5.61/tests/plugins/p11_fips_cipher.py.fips-tests	2022-01-12 11:40:16.192330329 +0100
+++ stunnel-5.61/tests/plugins/p11_fips_cipher.py	2022-01-12 11:52:22.159227499 +0100
@@ -30,7 +30,8 @@ class FailureCipherFIPS(StunnelTest):
         self.events.skip = [
             "FIPS provider not available",
             "fips mode not supported",
-            r"FIPS PROVIDER.*could not load the shared library"
+            r"FIPS PROVIDER.*could not load the shared library",
+            r"FIPS PROVIDER.*missing config data"
         ]
         self.events.count = 1
         self.events.success = [
@@ -86,7 +87,8 @@ class FailureCiphersuitesFIPS(StunnelTes
         self.events.skip = [
             "FIPS provider not available",
             "fips mode not supported",
-            r"FIPS PROVIDER.*could not load the shared library"
+            r"FIPS PROVIDER.*could not load the shared library",
+            r"FIPS PROVIDER.*missing config data"
         ]
         self.events.count = 1
         self.events.success = [
@@ -145,7 +147,8 @@ class FailureEllipticCurveFIPS(StunnelTe
         self.events.skip = [
             "FIPS provider not available",
             "fips mode not supported",
-            r"FIPS PROVIDER.*could not load the shared library"
+            r"FIPS PROVIDER.*could not load the shared library",
+            r"FIPS PROVIDER.*missing config data"
         ]
         self.events.count = 1
         self.events.success = [
New upstream release 5.61 Fixes #1887204. Update the default TLS version patch to no longer include a large amount of whitespace in its "Using the default TLS version as specified in its OpenSSL crypto policies. Not setting explicitly." message. The whitespace was caused by a line continuation, which is now replaced by string literal concatenation. Patch the FIPS tests to be skipped when stunnel is compiled against an OpenSSL 3.x configured with enable-fips, but without the required configuration that would be installed by a system administrator using openssl fipsinstall. This matches the behavior when compiled against OpenSSL 3.x configured without enable-fips. Switch to package URL to https. Upstream has done the same in the spec file in the tarball. Add build dependencies for python3 and the openssl command line tool. Both are used in tests now. Drop a sed expression applied to the configure script that no longer does anything and remove environment variables from testing that are no longer required to make the tests pass. 2022-01-12 11:09:33 +00:00			`Skip FIPS tests if FIPS is unconfigured`

			`When built against OpenSSL 3 with the enable-fips option, the FIPS`
			`shared library can be loaded, but unless the system administrator has`
			`run openssl fipsinstall and modified the OpenSSL configuration, FIPS`
			`mode will still fail with an error message saying it is missing config`
			`data.`

			`Since this does not indicate a problem with stunnel's code, but with the`
			`underlying OpenSSL setup, skip the test if this occurs. This is the same`
			`behavior when running against a copy of OpenSSL 3.x that was not built with`
			`'enable-fips'.`
Fix stunnel in FIPS mode (w/upcoming OpenSSL changes) Related: rhbz#2050617 Signed-off-by: Clemens Lang <cllang@redhat.com> 2022-02-04 14:44:10 +00:00
			`Upstream-Status: Inappropriate [configuration]`
New upstream release 5.61 Fixes #1887204. Update the default TLS version patch to no longer include a large amount of whitespace in its "Using the default TLS version as specified in its OpenSSL crypto policies. Not setting explicitly." message. The whitespace was caused by a line continuation, which is now replaced by string literal concatenation. Patch the FIPS tests to be skipped when stunnel is compiled against an OpenSSL 3.x configured with enable-fips, but without the required configuration that would be installed by a system administrator using openssl fipsinstall. This matches the behavior when compiled against OpenSSL 3.x configured without enable-fips. Switch to package URL to https. Upstream has done the same in the spec file in the tarball. Add build dependencies for python3 and the openssl command line tool. Both are used in tests now. Drop a sed expression applied to the configure script that no longer does anything and remove environment variables from testing that are no longer required to make the tests pass. 2022-01-12 11:09:33 +00:00			`diff -up stunnel-5.61/tests/plugins/p10_fips.py.fips-tests stunnel-5.61/tests/plugins/p10_fips.py`
			`--- stunnel-5.61/tests/plugins/p10_fips.py.fips-tests 2022-01-12 11:40:11.121241545 +0100`
			`+++ stunnel-5.61/tests/plugins/p10_fips.py 2022-01-12 11:45:01.791364483 +0100`
			`@@ -29,7 +29,8 @@ class FIPSTest(StunnelTest):`
			`self.events.skip = [`
			`"FIPS provider not available",`
			`"fips mode not supported",`
			`- r"FIPS PROVIDER.*could not load the shared library"`
			`+ r"FIPS PROVIDER.*could not load the shared library",`
			`+ r"FIPS PROVIDER.*missing config data"`
			`]`
			`self.events.failure = [`
			`"peer did not return a certificate",`
			`diff -up stunnel-5.61/tests/plugins/p11_fips_cipher.py.fips-tests stunnel-5.61/tests/plugins/p11_fips_cipher.py`
			`--- stunnel-5.61/tests/plugins/p11_fips_cipher.py.fips-tests 2022-01-12 11:40:16.192330329 +0100`
			`+++ stunnel-5.61/tests/plugins/p11_fips_cipher.py 2022-01-12 11:52:22.159227499 +0100`
			`@@ -30,7 +30,8 @@ class FailureCipherFIPS(StunnelTest):`
			`self.events.skip = [`
			`"FIPS provider not available",`
			`"fips mode not supported",`
			`- r"FIPS PROVIDER.*could not load the shared library"`
			`+ r"FIPS PROVIDER.*could not load the shared library",`
			`+ r"FIPS PROVIDER.*missing config data"`
			`]`
			`self.events.count = 1`
			`self.events.success = [`
			`@@ -86,7 +87,8 @@ class FailureCiphersuitesFIPS(StunnelTes`
			`self.events.skip = [`
			`"FIPS provider not available",`
			`"fips mode not supported",`
			`- r"FIPS PROVIDER.*could not load the shared library"`
			`+ r"FIPS PROVIDER.*could not load the shared library",`
			`+ r"FIPS PROVIDER.*missing config data"`
			`]`
			`self.events.count = 1`
			`self.events.success = [`
			`@@ -145,7 +147,8 @@ class FailureEllipticCurveFIPS(StunnelTe`
			`self.events.skip = [`
			`"FIPS provider not available",`
			`"fips mode not supported",`
			`- r"FIPS PROVIDER.*could not load the shared library"`
			`+ r"FIPS PROVIDER.*could not load the shared library",`
			`+ r"FIPS PROVIDER.*missing config data"`
			`]`
			`self.events.count = 1`
			`self.events.success = [`