Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Reenable FIPS tests on SLE15, skip on tumbleweed #272

Closed
wants to merge 2 commits into from
Closed

Reenable FIPS tests on SLE15, skip on tumbleweed #272

wants to merge 2 commits into from

Conversation

dirkmueller
Copy link
Member

No description provided.

@dirkmueller dirkmueller marked this pull request as ready for review July 14, 2023 16:06
dcermak
dcermak requested changes Jul 16, 2023
View reviewed changes
Copy link
Collaborator

@dcermak dcermak left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fails with:

blake2b512 is not a known digest

@dirkmueller dirkmueller requested a review from dcermak July 17, 2023 08:09
dcermak
dcermak requested changes Jul 17, 2023
View reviewed changes
tests/test_fips.py Outdated
@@ -105,20 +105,24 @@ def test_openssl_binary(
img_id = container_runtime.get_image_id_from_stdout(cmd.stdout)

exec_cmd = " ".join(
[container_runtime.runner_binary, "run", "--rm"]
[container_runtime.runner_binary, "run", "--rm", "--privileged=true"]
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do you have to run it privileged?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

because I'm running mount inside the container

tests/test_fips.py Outdated

for digest in NONFIPS_DIGESTS:
err_msg = host.run_expect(
[1], f"{exec_cmd} /bin/fips-test {digest}"
[1],
f"{exec_cmd} bash -c 'mount --bind /tmp/f /proc/sys/crypto; fips-test {digest}'",
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the CI test run, this returns 0.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Now it's a 32 😵‍💫
Also: mount: /proc/sys/crypto: mount point does not exist

Copy link
Member Author

@dirkmueller dirkmueller Jul 19, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I know, apparently the ubuntu workers need some kernel module that doesn't autoload.

@dirkmueller dirkmueller marked this pull request as draft July 17, 2023 16:27
@dirkmueller dirkmueller force-pushed the fipstests branch 2 times, most recently from abf9390 to 3606621 Compare July 20, 2023 09:15
@dirkmueller dirkmueller marked this pull request as ready for review October 24, 2023 16:07
@dirkmueller dirkmueller marked this pull request as draft October 24, 2023 16:07
@dirkmueller dirkmueller mentioned this pull request Nov 17, 2023
Merged
dcermak
dcermak reviewed Nov 17, 2023
View reviewed changes
tests/test_fips.py
@@ -134,13 +132,15 @@ def test_openssl_fips_hashes(container_per_test):

"""
for digest in NONFIPS_DIGESTS:
cmd = container_per_test.connection.run(f"openssl {digest} /dev/null")
cmd = container_per_test.connection.run(
f"env OPENSSL_FORCE_FIPS_MODE=1 openssl {digest} /dev/null"
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We only want to set OPENSSL_FORCE_FIPS_MODE on hosts that are not in fips mode

dcermak
dcermak reviewed Nov 17, 2023
View reviewed changes
tests/test_fips.py
COPY --from=builder /usr/bin/openssl /usr/bin/openssl
COPY --from=builder /usr/lib64/libcrypto.so.* /usr/lib64/
COPY --from=builder /usr/lib64/libssl.so.* /usr/lib64/
COPY --from=builder /usr/lib64/libz.so.1 /usr/lib64/
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This will break on 15.3 & 15.4:

❯ podman run --rm -it registry.suse.com/bci/bci-base:15.4 ls -al /usr/lib64/libz.so.1
ls: cannot access '/usr/lib64/libz.so.1': No such file or directory

dcermak
dcermak reviewed Nov 17, 2023
View reviewed changes
tests/test_fips.py
Comment on lines +26 to +29
#: Error message from OpenSSL when a non-FIPS digest is selected in FIPS mode
FIPS_ERR_MSG = (
"not a known digest" if OS_VERSION == "15.3" else "Error setting digest"
)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The error message is now the same on all service packs

dcermak
dcermak reviewed Nov 17, 2023
View reviewed changes
tests/test_fips.py
Comment on lines +113 to +116
if Version.parse(OS_VERSION) <= Version(15, 5):
assert f"Unknown message digest {digest}" in err_msg
else:
assert "disabled for FIPS" in err_msg
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The error message is now the same on all service packs

@dirkmueller
Copy link
Member Author

obsolete I think

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dcermak dcermak dcermak requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@dirkmueller @dcermak