Reenable FIPS tests on SLE15, skip on tumbleweed

.github/workflows/ci.yaml

@@ -39,7 +39,7 @@ jobs:
         run: sudo apt update && sudo apt install jo tox
       - id: setmatrix
         run: |
-          stringified_matrix=$(tox -l | sed -e '/unit/d' -e '/get_urls/d' -e '/doc/d' -e '/lint/d' -e '/fips/d' | jo -a)
+          stringified_matrix=$(tox -l | sed -e '/unit/d' -e '/get_urls/d' -e '/doc/d' -e '/lint/d' | jo -a)
           echo "matrix=$stringified_matrix" >> $GITHUB_OUTPUT
 
   unit-tests:

tests/test_fips.py

@@ -20,45 +20,45 @@
 from bci_tester.data import CONTAINERS_WITH_ZYPPER
 from bci_tester.data import OS_VERSION
 from bci_tester.fips import FIPS_DIGESTS
-from bci_tester.fips import host_fips_enabled
 from bci_tester.fips import NONFIPS_DIGESTS
 
 
-# building the documentation will fail on a non-FIPS host otherwise
-if "sphinx" not in sys.modules:
-    assert (
-        host_fips_enabled()
-    ), "The host must run in FIPS mode for the FIPS test suite"
-
-
 #: Error message from OpenSSL when a non-FIPS digest is selected in FIPS mode
 FIPS_ERR_MSG = (
     "not a known digest" if OS_VERSION == "15.3" else "Error setting digest"
 )
 
+pytestmark = pytest.mark.skipif(
+    OS_VERSION == "tumbleweed",
+    reason="no FIPS module in tumbleweed yet",
+)
 
 #: multistage :file:`Dockerfile` that builds the program from
 #: :py:const:`FIPS_TEST_DOT_C` using gcc and copies it, ``libcrypto``, ``libssl``
 #: and ``libz`` into the deployment image. The libraries must be copied, as they
 #: are not available in the minimal container images.
 DOCKERFILE = """FROM $builder as builder
 
+
 WORKDIR /src/
 COPY fips-test.c /src/
-RUN zypper -n ref && zypper -n in gcc libopenssl-devel && zypper -n clean
-RUN gcc -Og -g3 fips-test.c -Wall -Wextra -Wpedantic -lcrypto -lssl -o fips-test
+RUN zypper -n ref && zypper -n in gcc openssl libopenssl-devel && zypper -n clean
+RUN gcc -O2 fips-test.c -Wall -Werror -lcrypto -lssl -o fips-test
 
 FROM $runner
 
-COPY --from=builder /src/fips-test /bin/fips-test
-COPY --from=builder /usr/lib64/libcrypto.so.1.1 /usr/lib64/
-COPY --from=builder /usr/lib64/libssl.so.1.1 /usr/lib64/
-COPY --from=builder /lib64/libz.so.1 /usr/lib64/
-COPY --from=builder /usr/lib64/engines-1.1 /usr/lib64/engines-1.1
-COPY --from=builder /usr/lib64/.libcrypto.so.1.1.hmac /usr/lib64/
-COPY --from=builder /usr/lib64/.libssl.so.1.1.hmac /usr/lib64/
+ENV ["OPENSSL_FORCE_FIPS_MODE"="1", "SSH_FORCE_FIPS"="1"]
+
+COPY --from=builder /src/fips-test /usr/local/bin/fips-test
+COPY --from=builder /usr/bin/openssl /usr/bin/openssl
+COPY --from=builder /usr/lib64/libcrypto.so.* /usr/lib64/
+COPY --from=builder /usr/lib64/libssl.so.* /usr/lib64/
+COPY --from=builder /usr/lib64/libz.so.1 /usr/lib64/
+COPY --from=builder /usr/lib64/engines-* /usr/lib64/
+COPY --from=builder /usr/lib64/.libcrypto.so.*.hmac /usr/lib64/
+COPY --from=builder /usr/lib64/.libssl.so.*.hmac /usr/lib64/
 
-RUN /bin/fips-test sha256
+RUN fips-test sha256
 """
 
 
@@ -111,14 +111,12 @@ def test_openssl_binary(
     )
 
     for digest in FIPS_DIGESTS:
-        host.run_expect([0], f"{exec_cmd} /bin/fips-test {digest}")
+        host.run_expect([0], f"{exec_cmd} fips-test {digest}")
 
     for digest in NONFIPS_DIGESTS:
-        err_msg = host.run_expect(
-            [1], f"{exec_cmd} /bin/fips-test {digest}"
-        ).stderr
+        err_msg = host.run_expect([1], f"{exec_cmd} fips-test {digest}").stderr
 
-        if Version.parse(OS_VERSION) <= Version(15, 3):
+        if Version.parse(OS_VERSION) <= Version(15, 5):
             assert f"Unknown message digest {digest}" in err_msg
         else:
             assert "disabled for FIPS" in err_msg
@@ -134,13 +132,15 @@ def test_openssl_fips_hashes(container_per_test):
 
     """
     for digest in NONFIPS_DIGESTS:
-        cmd = container_per_test.connection.run(f"openssl {digest} /dev/null")
+        cmd = container_per_test.connection.run(
+            f"env OPENSSL_FORCE_FIPS_MODE=1 openssl {digest} /dev/null"
+        )
         assert cmd.rc != 0
         assert FIPS_ERR_MSG in cmd.stderr
 
     for digest in FIPS_DIGESTS:
         dev_null_digest = container_per_test.connection.run_expect(
-            [0], f"openssl {digest} /dev/null"
+            [0], f"env OPENSSL_FORCE_FIPS_MODE=1 openssl {digest} /dev/null"
         ).stdout
         assert (
             f"{digest.upper()}(/dev/null)= " in dev_null_digest