Blame 0009-Fix-issues-in-tests-when-running-in-FIPS-mode.patch

Vojtech Trefny 193309
From bc8c4fa2b3ba76647de9742c28bae751757dc2dd Mon Sep 17 00:00:00 2001
Vojtech Trefny 193309
From: Vojtech Trefny <vtrefny@redhat.com>
Vojtech Trefny 193309
Date: Thu, 18 May 2023 14:45:42 +0200
Vojtech Trefny 193309
Subject: [PATCH 1/2] tests: Use longer passphrase for LUKS in dm_test
Vojtech Trefny 193309
Vojtech Trefny 193309
The short passphrase doesn't work when running in FIPS mode.
Vojtech Trefny 193309
---
Vojtech Trefny 193309
 tests/dm_test.py | 4 ++--
Vojtech Trefny 193309
 1 file changed, 2 insertions(+), 2 deletions(-)
Vojtech Trefny 193309
Vojtech Trefny 193309
diff --git a/tests/dm_test.py b/tests/dm_test.py
Vojtech Trefny 193309
index 936e3055..3b491d89 100644
Vojtech Trefny 193309
--- a/tests/dm_test.py
Vojtech Trefny 193309
+++ b/tests/dm_test.py
Vojtech Trefny 193309
@@ -59,8 +59,8 @@ class DevMapperGetSubsystemFromName(DevMapperTestCase):
Vojtech Trefny 193309
     def test_get_subsystem_from_name_crypt(self):
Vojtech Trefny 193309
         """Verify that it is possible to get luks device subsystem from its name"""
Vojtech Trefny 193309
         self.addCleanup(self._destroy_crypt)
Vojtech Trefny 193309
-        run("echo \"key\" | cryptsetup luksFormat %s -" %self.loop_dev)
Vojtech Trefny 193309
-        run("echo \"key\" | cryptsetup open %s libbd_dm_tests-subsystem_crypt --key-file=-" %self.loop_dev)
Vojtech Trefny 193309
+        run("echo \"supersecretkey\" | cryptsetup luksFormat %s -" %self.loop_dev)
Vojtech Trefny 193309
+        run("echo \"supersecretkey\" | cryptsetup open %s libbd_dm_tests-subsystem_crypt --key-file=-" %self.loop_dev)
Vojtech Trefny 193309
         subsystem = BlockDev.dm_get_subsystem_from_name("libbd_dm_tests-subsystem_crypt")
Vojtech Trefny 193309
         self.assertEqual(subsystem, "CRYPT")
Vojtech Trefny 193309
 
Vojtech Trefny 193309
-- 
Vojtech Trefny 193309
2.40.1
Vojtech Trefny 193309
Vojtech Trefny 193309
Vojtech Trefny 193309
From b1f6d1484a980885b9870d27d2b113c98400851b Mon Sep 17 00:00:00 2001
Vojtech Trefny 193309
From: Vojtech Trefny <vtrefny@redhat.com>
Vojtech Trefny 193309
Date: Thu, 18 May 2023 14:56:32 +0200
Vojtech Trefny 193309
Subject: [PATCH 2/2] tests: Skip crypto tests with argon2 in FIPS mode
Vojtech Trefny 193309
Vojtech Trefny 193309
argon is not available when running in FIPS mode.
Vojtech Trefny 193309
---
Vojtech Trefny 193309
 tests/crypto_test.py | 17 +++++++++++++++++
Vojtech Trefny 193309
 1 file changed, 17 insertions(+)
Vojtech Trefny 193309
Vojtech Trefny 193309
diff --git a/tests/crypto_test.py b/tests/crypto_test.py
Vojtech Trefny 193309
index 94b89131..91ea1f35 100644
Vojtech Trefny 193309
--- a/tests/crypto_test.py
Vojtech Trefny 193309
+++ b/tests/crypto_test.py
Vojtech Trefny 193309
@@ -175,6 +175,23 @@ class CryptoTestFormat(CryptoTestCase):
Vojtech Trefny 193309
             self.fail("Failed to get pbkdf information from:\n%s %s" % (out, err))
Vojtech Trefny 193309
         self.assertEqual(m.group(1), "pbkdf2")
Vojtech Trefny 193309
 
Vojtech Trefny 193309
+    def _is_fips_enabled(self):
Vojtech Trefny 193309
+        if not os.path.exists("/proc/sys/crypto/fips_enabled"):
Vojtech Trefny 193309
+            # if the file doesn't exist, we are definitely not in FIPS mode
Vojtech Trefny 193309
+            return False
Vojtech Trefny 193309
+
Vojtech Trefny 193309
+        with open("/proc/sys/crypto/fips_enabled", "r") as f:
Vojtech Trefny 193309
+            enabled = f.read()
Vojtech Trefny 193309
+        return enabled.strip() == "1"
Vojtech Trefny 193309
+
Vojtech Trefny 193309
+    @tag_test(TestTags.SLOW, TestTags.CORE)
Vojtech Trefny 193309
+    @unittest.skipUnless(HAVE_LUKS2, "LUKS 2 not supported")
Vojtech Trefny 193309
+    def test_luks2_format_pbkdf_options(self):
Vojtech Trefny 193309
+        """Verify that formatting device as LUKS 2 works"""
Vojtech Trefny 193309
+
Vojtech Trefny 193309
+        if self._is_fips_enabled():
Vojtech Trefny 193309
+            self.skipTest("FIPS mode is enabled, cannot use argon2, skipping")
Vojtech Trefny 193309
+
Vojtech Trefny 193309
         # different options for argon2 -- all parameters set
Vojtech Trefny 193309
         pbkdf = BlockDev.CryptoLUKSPBKDF(type="argon2id", max_memory_kb=100*1024, iterations=10, parallel_threads=1)
Vojtech Trefny 193309
         extra = BlockDev.CryptoLUKSExtra(pbkdf=pbkdf)
Vojtech Trefny 193309
-- 
Vojtech Trefny 193309
2.40.1
Vojtech Trefny 193309