From 86878ebef0887e0da487d1034b7527d3af24e60b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pablo=20Herranz=20Ram=C3=ADrez?=
Date: Wed, 4 Dec 2024 12:10:39 +0100
Subject: [PATCH] Added check for GNUtls in FIPS140 mode
---
 tests/test_fips.py | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/tests/test_fips.py b/tests/test_fips.py
index 656a3d94..6b32b035 100644
--- a/tests/test_fips.py
+++ b/tests/test_fips.py
@@ -3,6 +3,7 @@
 """
+import re
 from pathlib import Path
 import pytest
@@ -189,12 +190,19 @@ def test_gnutls_binary(container_per_test: ContainerData) -> None:
 """
- container_per_test.connection.check_output(
+ c = container_per_test.connection
+
+ c.check_output(
 "zypper --gpg-auto-import-keys -n ref && zypper -n install gcc gnutls gnutls-devel && zypper -n clean && "
 "gcc -Og -g3 fips-test-gnutls.c -Wall -Wextra -Wpedantic -lgnutls -o fips-test-gnutls && "
 "mv fips-test-gnutls /bin/fips-test-gnutls"
 )
+ assert re.search(
+ r"library is in FIPS140(-3|-2|) mode",
+ c.run_expect([0], "gnutls-cli --fips140-mode").stderr,
+ ), "Container library not in FIPS140 mode"
+
 expected_fips_gnutls_digests = {
 "sha1": "c87d25a09584c040f3bfc53b570199591deb10ba648a6a6ffffdaa0badb23b8baf90b6168dd16b3a",
 "sha224": "54655eae3d97147de34564572231c34d6d0917dd7852b5b93647fb4fe53ee97e5e0a2a4d359b5b461409dc44d9315afbc3b7d6bc5cd598e6",
@@ -204,15 +212,11 @@ def test_gnutls_binary(container_per_test: ContainerData) -> None:
 }
 for digest in FIPS_GNUTLS_DIGESTS:
- res = container_per_test.connection.check_output(
- f"/bin/fips-test-gnutls {digest}"
- )
+ res = c.check_output(f"/bin/fips-test-gnutls {digest}")
 assert "Digest is: " + expected_fips_gnutls_digests[digest] in res
 for digest in NONFIPS_GNUTLS_DIGESTS:
- err_msg = container_per_test.connection.run_expect(
- [1], f"/bin/fips-test-gnutls {digest}"
- ).stderr
+ err_msg = c.run_expect([1], f"/bin/fips-test-gnutls {digest}").stderr
 assert (
 "Hash calculation failed" in err_msg
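Review bot: The new assertion in test_gnutls_binary (hunk at -189,12 +190,19) discards the `gnutls-cli --fips140-mode` output when it fails, so a CI log shows only the fixed message and not what the library actually reported. Bind the output first and include it in the message, e.g. `out = c.run_expect([0], "gnutls-cli --fips140-mode").stderr` followed by `assert re.search(r"library is in FIPS140(-[23])? mode", out), f"Container library not in FIPS140 mode: {out!r}"`; `(-[23])?` accepts the same strings as `(-3|-2|)` and is easier to read. The banner presumably reports only that FIPS mode is active, not that it is strictly enforced, so the loop over NONFIPS_GNUTLS_DIGESTS later in the function remains the evidence that non-approved digests are rejected; a one-line comment above the assert saying so would help. The function body starts before this hunk and continues past it.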