# HG changeset patch

# User John Dennis <jdennis@redhat.com>

# Date 1434146324 14400

#      Fri Jun 12 17:58:44 2015 -0400

# Node ID 6096d0660e2abefcee12e502fed029663d435c54

# Parent  a5e07e90e9c8cb08c5fb46eba16bdb43b94d67c3

Some unit tests fail in FIPS mode

Resolves bug

https://bugzilla.redhat.com/show_bug.cgi?id=1194349

Essentially there were 2 problems:

1. The DB password 'db_passwd' was not complex enough for FIPS

   changing it to 'DB_passwd' with upper case was sufficient.

   Also changed the pkcs password 'pk12_passwd' to 'PK12_passwd'

2. NSS adds a random salt in FIPS mode for the PKCS12 operations.

   The presence of this salt was causing a comparision to fail,

   the exact salt is insignificant to the operation of the test

   so it was stripped out prior to comparision.

At the same time setup_certs.py was augmented to accept a --fips

parameter to put the DB into fips mode and setup_certs.py also

now reports the status of the system FIPS mode and DB FIPS mode in

addtion to the existing info displayed at its conclusion.

diff --git a/test/setup_certs.py b/test/setup_certs.py

--- a/test/setup_certs.py

+++ b/test/setup_certs.py

@@ -4,6 +4,7 @@

 import atexit

 import logging

 import os

+import re

 import shutil

 import subprocess

 import sys

@@ -11,6 +12,12 @@

 import tempfile

 #-------------------------------------------------------------------------------

+logger = None

+

+FIPS_SWITCH_FAILED_ERR = 11

+FIPS_ALREADY_ON_ERR = 12

+FIPS_ALREADY_OFF_ERR = 13

+

 class CmdError(Exception):

     def __init__(self, cmd_args, returncode, message=None, stdout=None, stderr=None):

@@ -41,7 +48,7 @@

         returncode = p.returncode

         if returncode != 0:

             raise CmdError(cmd_args, returncode,

-                           'failed %s' % (', '.join(cmd_args)),

+                           'failed %s' % (' '.join(cmd_args)),

                            stdout, stderr)

         return stdout, stderr

     except OSError as e:

@@ -319,9 +326,75 @@

     run_cmd(cmd_args)

     return name

+def parse_fips_enabled(string):

+    if re.search('FIPS mode disabled', string):

+        return False

+    if re.search('FIPS mode enabled', string):

+        return True

+    raise ValueError('unknown fips enabled string: "%s"' % string)

+

+def get_system_fips_enabled():

+    fips_path = '/proc/sys/crypto/fips_enabled'

+

+    try:

+        with open(fips_path) as f:

+            data = f.read()

+    except Exception as e:

+        logger.warning("Unable to determine system FIPS mode: %s" % e)

+        data = '0'

+

+    value = int(data)

+    if value:

+        return True

+    else:

+        return False

+        

+

+def get_db_fips_enabled(db_name):

+    cmd_args = ['/usr/bin/modutil',

+                '-dbdir', db_name,               # NSS database

+                '-chkfips', 'true',              # enable/disable fips

+                ]

+

+    try:

+        stdout, stderr = run_cmd(cmd_args)

+        return parse_fips_enabled(stdout)

+    except CmdError as e:

+        if e.returncode == FIPS_SWITCH_FAILED_ERR:

+            return parse_fips_enabled(e.stdout)

+        else:

+            raise

+        

+def set_fips_mode(options):

+    if options.fips:

+        state = 'true'

+    else:

+        if get_system_fips_enabled():

+            logger.warning("System FIPS enabled, cannot disable FIPS")

+            return

+        state = 'false'

+

+    logging.info('setting fips: %s', state)

+

+    cmd_args = ['/usr/bin/modutil',

+                '-dbdir', options.db_name,       # NSS database

+                '-fips', state,                  # enable/disable fips

+                '-force'

+                ]

+

+    try:

+        stdout, stderr = run_cmd(cmd_args)

+    except CmdError as e:

+        if options.fips and e.returncode == FIPS_ALREADY_ON_ERR:

+            pass

+        elif not options.fips and e.returncode == FIPS_ALREADY_OFF_ERR:

+            pass

+        else:

+            raise

 #-------------------------------------------------------------------------------

 def setup_certs(args):

+    global logger

     # --- cmd ---

     parser = argparse.ArgumentParser(description='create certs for testing',

@@ -393,6 +466,9 @@

     parser.add_argument('--serial-file', dest='serial_file',

                         help='name of file used to track next serial number')

+    parser.add_argument('--db-fips', action='store_true',

+                        help='enable FIPS mode on NSS Database')

+

     parser.set_defaults(verbose = False,

                         debug = False,

                         quiet = False,

@@ -402,7 +478,7 @@

                         hostname = os.uname()[1],

                         db_type = 'sql',

                         db_dir = 'pki',

-                        db_passwd = 'db_passwd',

+                        db_passwd = 'DB_passwd',

                         ca_subject = 'CN=Test CA',

                         ca_nickname = 'test_ca',

                         server_subject =  'CN=${hostname}',

@@ -416,6 +492,7 @@

                         valid_months = 12,

                         ca_path_len = 2,

                         serial_file = '${db_dir}/serial',

+                        fips = False,

                         )

@@ -468,6 +545,7 @@

     try:

         create_database(options)

+        set_fips_mode(options)

         cert_nicknames.append(create_ca_cert(options))

         cert_nicknames.append(create_server_cert(options))

         cert_nicknames.append(create_client_cert(options))

@@ -488,6 +566,8 @@

     logging.info('---------- Summary ----------')

     logging.info('NSS database name="%s", password="%s"',

                  options.db_name, options.db_passwd)

+    logging.info('system FIPS mode=%s', get_system_fips_enabled());

+    logging.info('DB FIPS mode=%s', get_db_fips_enabled(options.db_name));

     logging.info('CA nickname="%s", CA subject="%s"',

                  options.ca_nickname, options.ca_subject)

     logging.info('server nickname="%s", server subject="%s"',

diff --git a/test/test_client_server.py b/test/test_client_server.py

--- a/test/test_client_server.py

+++ b/test/test_client_server.py

@@ -22,7 +22,7 @@

 verbose = False

 info = False

-password = 'db_passwd'

+password = 'DB_passwd'

 use_ssl = True

 client_cert_action = NO_CLIENT_CERT

 db_name = 'sql:pki'

diff --git a/test/test_pkcs12.py b/test/test_pkcs12.py

--- a/test/test_pkcs12.py

+++ b/test/test_pkcs12.py

@@ -15,8 +15,8 @@

 verbose = False

 db_name = 'sql:pki'

-db_passwd = 'db_passwd'

-pk12_passwd = 'pk12_passwd'

+db_passwd = 'DB_passwd'

+pk12_passwd = 'PK12_passwd'

 cert_nickname = 'test_user'

 pk12_filename = '%s.p12' % cert_nickname

@@ -115,6 +115,9 @@

         raise ValueError('Could not file Key section in pk12 listing')

     return text[match.start(0):]

+def strip_salt_from_pk12_listing(text):

+    return re.sub(r'\s+Salt:\s*\n.*', '', text)

+

 #-------------------------------------------------------------------------------

 def load_tests(loader, tests, pattern):

@@ -206,9 +209,11 @@

         pk12_listing = list_pk12(pk12_filename)

         pk12_listing = strip_key_from_pk12_listing(pk12_listing)

+        pk12_listing = strip_salt_from_pk12_listing(pk12_listing)

         exported_pk12_listing = list_pk12(exported_pk12_filename)

         exported_pk12_listing = strip_key_from_pk12_listing(exported_pk12_listing)

+        exported_pk12_listing = strip_salt_from_pk12_listing(exported_pk12_listing)

         self.assertEqual(pk12_listing, exported_pk12_listing)