From 2a7f4345849a4658b9b6474759ef2a2d53f5da9b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dirk=20M=C3=BCller?=
Date: Fri, 14 Jul 2023 18:06:01 +0200
Subject: [PATCH] Reenable FIPS tests on SLE15, skip on tumbleweed

---
 .github/workflows/ci.yaml | 2 +-
 tests/test_fips.py | 62 +++++++++++++++++++++------------------
 2 files changed, 35 insertions(+), 29 deletions(-)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 64efc224..3096b302 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -39,7 +39,7 @@ jobs:
 run: sudo apt update && sudo apt install jo tox
 - id: setmatrix
 run: |
- stringified_matrix=$(tox -l | sed -e '/unit/d' -e '/get_urls/d' -e '/doc/d' -e '/lint/d' -e '/fips/d' | jo -a)
+ stringified_matrix=$(tox -l | sed -e '/unit/d' -e '/get_urls/d' -e '/doc/d' -e '/lint/d' | jo -a)
 echo "matrix=$stringified_matrix" >> $GITHUB_OUTPUT
 unit-tests:
diff --git a/tests/test_fips.py b/tests/test_fips.py
index 64a869bc..3b578780 100644
--- a/tests/test_fips.py
+++ b/tests/test_fips.py
@@ -20,22 +20,16 @@
 from bci_tester.data import CONTAINERS_WITH_ZYPPER
 from bci_tester.data import OS_VERSION
 from bci_tester.fips import FIPS_DIGESTS
-from bci_tester.fips import host_fips_enabled
 from bci_tester.fips import NONFIPS_DIGESTS
-# building the documentation will fail on a non-FIPS host otherwise
-if "sphinx" not in sys.modules:
- assert ( host_fips_enabled() ), "The host must run in FIPS mode for the FIPS test suite"
-
-
 #: Error message from OpenSSL when a non-FIPS digest is selected in FIPS mode
-FIPS_ERR_MSG = ( "not a known digest" if OS_VERSION == "15.3" else "Error setting digest" )
+FIPS_ERR_MSG = "not a known digest"
+pytestmark = pytest.mark.skipif( OS_VERSION == "tumbleweed", reason="no FIPS module in tumbleweed yet", )
 #: multistage :file:`Dockerfile` that builds the program from
 #: :py:const:`FIPS_TEST_DOT_C` using gcc and copies it, ``libcrypto``, ``libssl``
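Review bot: `FIPS_ERR_MSG = "not a known digest"` drops the per-version branch that expected "Error setting digest" on anything other than 15.3, so the constant now silently assumes every non-tumbleweed target prints the wording of the OpenSSL 1.1 build (the old Dockerfile lines copy `libcrypto.so.1.1`); a comment recording which OpenSSL build produces this string would make the next mismatch on a newer service pack diagnosable, e.g. `#: Error message from the OpenSSL 1.1 build (SLE 15) when a non-FIPS digest is selected in FIPS mode`. With the `host_fips_enabled()` assertion removed the module no longer requires a FIPS-mode host and instead forces FIPS mode per command in the tests further down; the module docstring, which is above the hunk, should state that. If `sys` was imported only for the removed `"sphinx" not in sys.modules` check, that import (also above the hunk) is now unused.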
@@ -43,26 +37,32 @@
 #: are not available in the minimal container images.
 DOCKERFILE = """FROM $builder as builder
+
 WORKDIR /src/
 COPY fips-test.c /src/
-RUN zypper -n ref && zypper -n in gcc libopenssl-devel && zypper -n clean
-RUN gcc -Og -g3 fips-test.c -Wall -Wextra -Wpedantic -lcrypto -lssl -o fips-test
+RUN zypper -n ref && zypper -n in gcc openssl libopenssl-devel && zypper -n clean
+RUN gcc -O2 fips-test.c -Wall -Werror -lcrypto -lssl -o fips-test
 FROM $runner
-COPY --from=builder /src/fips-test /bin/fips-test
-COPY --from=builder /usr/lib64/libcrypto.so.1.1 /usr/lib64/
-COPY --from=builder /usr/lib64/libssl.so.1.1 /usr/lib64/
-COPY --from=builder /lib64/libz.so.1 /usr/lib64/
-COPY --from=builder /usr/lib64/engines-1.1 /usr/lib64/engines-1.1
-COPY --from=builder /usr/lib64/.libcrypto.so.1.1.hmac /usr/lib64/
-COPY --from=builder /usr/lib64/.libssl.so.1.1.hmac /usr/lib64/
+ENV ["OPENSSL_FORCE_FIPS_MODE"="1", "SSH_FORCE_FIPS"="1"]
+
+COPY --from=builder /src/fips-test /usr/local/bin/fips-test
+COPY --from=builder /usr/bin/openssl /usr/bin/openssl
+COPY --from=builder /usr/lib64/libcrypto.so.* /usr/lib64/libjitterentropy.so.* /usr/lib64/
+COPY --from=builder /usr/lib64/libssl.so.* /usr/lib64/
+COPY --from=builder /lib64/libz.so.[1] /usr/lib64/libz.so.[1] /usr/lib64/
+COPY --from=builder /usr/lib64/engines-* /usr/lib64/
+COPY --from=builder /usr/lib64/.libcrypto.so.*.hmac /usr/lib64/
+COPY --from=builder /usr/lib64/.libssl.so.*.hmac /usr/lib64/
+
+RUN mkdir /tmp/f ; echo 1 > /tmp/f/fips_enabled
-RUN /bin/fips-test sha256
+RUN fips-test sha256
 """
-@pytest.mark.parametrize("runner", ALL_CONTAINERS)
+@pytest.mark.parametrize("runner", CONTAINERS_WITH_ZYPPER)
 def test_openssl_binary(
 runner: ParameterSet,
 tmp_path,
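Review bot: `ENV ["OPENSSL_FORCE_FIPS_MODE"="1", "SSH_FORCE_FIPS"="1"]` does not look like a valid ENV form — as far as I know ENV accepts only `key=value` pairs or `key value`, not a JSON array, so the builder will most likely either reject the line or fold the brackets and comma into the variable names and values; `ENV OPENSSL_FORCE_FIPS_MODE=1 SSH_FORCE_FIPS=1` is the intended form. The build-time `RUN fips-test sha256` cannot catch this, because sha256 succeeds with or without FIPS mode, and at test time the bind mount of `/tmp/f` over `/proc/sys/crypto` is a second enablement path that can mask the broken variable. Separately, `RUN mkdir /tmp/f ; echo 1 > /tmp/f/fips_enabled` bakes a fake `fips_enabled` flag into the image with no explanation; a comment in the Dockerfile string such as `# test fixture only: bind-mounted over /proc/sys/crypto at run time so the binary sees fips_enabled=1` would stop it being read as a way to put the image into FIPS mode.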
@@ -105,20 +105,24 @@ def test_openssl_binary(
 img_id = container_runtime.get_image_id_from_stdout(cmd.stdout)
 exec_cmd = " ".join(
- [container_runtime.runner_binary, "run", "--rm"]
+ [container_runtime.runner_binary, "run", "--rm", "--privileged=true"]
 + get_extra_run_args(pytestconfig)
 + [img_id]
 )
 for digest in FIPS_DIGESTS:
- host.run_expect([0], f"{exec_cmd} /bin/fips-test {digest}")
+ host.run_expect( [0], f"{exec_cmd} bash -c 'mount --bind /tmp/f /proc/sys/crypto; fips-test {digest}'", )
 for digest in NONFIPS_DIGESTS:
 err_msg = host.run_expect(
- [1], f"{exec_cmd} /bin/fips-test {digest}"
+ [1], f"{exec_cmd} bash -c 'mount --bind /tmp/f /proc/sys/crypto; fips-test {digest}'",
 ).stderr
- if Version.parse(OS_VERSION) <= Version(15, 3):
+ if Version.parse(OS_VERSION) <= Version(15, 5):
 assert f"Unknown message digest {digest}" in err_msg
 else:
 assert "disabled for FIPS" in err_msg
@@ -134,13 +138,15 @@ def test_openssl_fips_hashes(container_per_test):
 """
 for digest in NONFIPS_DIGESTS:
- cmd = container_per_test.connection.run(f"openssl {digest} /dev/null")
+ cmd = container_per_test.connection.run( f"env OPENSSL_FORCE_FIPS_MODE=1 openssl {digest} /dev/null" )
 assert cmd.rc != 0
 assert FIPS_ERR_MSG in cmd.stderr
 for digest in FIPS_DIGESTS:
 dev_null_digest = container_per_test.connection.run_expect(
- [0], f"openssl {digest} /dev/null"
+ [0], f"env OPENSSL_FORCE_FIPS_MODE=1 openssl {digest} /dev/null"
 ).stdout
 assert (
 f"{digest.upper()}(/dev/null)= " in dev_null_digest
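Review bot: The `;` in `bash -c 'mount --bind /tmp/f /proc/sys/crypto; fips-test {digest}'` runs `fips-test` even when the bind mount fails, so a mount problem surfaces only as an unexpected exit code or message from `fips-test` rather than as a mount error; `&&` in both loops makes the failure self-explanatory, and since the same string is built twice, hoisting it into one template, e.g. `in_fips = "bash -c 'mount --bind /tmp/f /proc/sys/crypto && fips-test {}'"` used as `f"{exec_cmd} {in_fips.format(digest)}"`, keeps the two loops in step. `--privileged=true` grants every capability and unmasks `/proc` and `/sys` for a container that only needs to perform one bind mount; I have not verified that `--cap-add=SYS_ADMIN` alone is enough with the runtime's read-only `/proc/sys`, so treat the narrower flag as something to try before settling on privileged. The threshold change to `Version(15, 5)` carries no comment saying why 15.4 and 15.5 now produce "Unknown message digest" rather than "disabled for FIPS"; one line stating which OpenSSL build emits which message would help. test_openssl_binary starts above the hunk.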
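Review bot: `env OPENSSL_FORCE_FIPS_MODE=1` is prepended to both `openssl` invocations, but nothing in the hunk explains why this test, unlike `test_openssl_binary`, forces FIPS mode through the environment alone and does not touch `/proc/sys/crypto`; the docstring of `test_openssl_fips_hashes` opens above the hunk (only its closing `"""` is visible) and should state that FIPS mode is forced per command because `container_per_test` presumably runs the stock image rather than the purpose-built runner. The prefix is also a repeated literal; a module constant such as `FIPS_ENV = "env OPENSSL_FORCE_FIPS_MODE=1"` used in both f-strings keeps the two calls in step and gives the variable one documented home.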