From 267152754263fa9a0f67b8f5313ada392a87793c Mon Sep 17 00:00:00 2001 From: Michael Catanzaro Date: Wed, 16 Jun 2021 20:46:24 -0500 Subject: [PATCH] Add test for GHmac in FIPS mode This will test a few problems that we hit recently: g_hmac_copy() is broken, https://bugzilla.redhat.com/show_bug.cgi?id=1786538 Crash in g_hmac_update() in FIPS mode, https://bugzilla.redhat.com/show_bug.cgi?id=1971533 Crash when passing -1 length to g_hmac_update() (discovered in #1971533) We'll also test to ensure MD5 fails, and stop compiling the other MD5 tests. --- glib/tests/hmac.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) diff --git a/glib/tests/hmac.c b/glib/tests/hmac.c index 3ac3206df..352d18a09 100644 --- a/glib/tests/hmac.c +++ b/glib/tests/hmac.c @@ -1,7 +1,10 @@ +#include "config.h" + #include #include #include +#ifndef USE_GNUTLS /* HMAC-MD5 test vectors as per RFC 2202 */ /* Test 1 */ @@ -81,6 +84,7 @@ guint8 key_md5_test7[] = { guint8 result_md5_test7[] = { 0x6f, 0x63, 0x0f, 0xad, 0x67, 0xcd, 0xa0, 0xee, 0x1f, 0xb1, 0xf5, 0x62, 0xdb, 0x3a, 0xa5, 0x3e }; +#endif /* HMAC-SHA1, HMAC-SHA256, HMAC-SHA384 and HMAC-SHA512 test vectors * as per RFCs 2202 and 4868. @@ -299,6 +303,7 @@ typedef struct { gconstpointer result; } HmacCase; +#ifndef USE_GNUTLS HmacCase hmac_md5_tests[] = { { G_CHECKSUM_MD5, key_md5_test1, 16, "Hi There", 8, result_md5_test1 }, { G_CHECKSUM_MD5, "Jefe", 4, "what do ya want for nothing?", 28, @@ -317,6 +322,7 @@ HmacCase hmac_md5_tests[] = { 73, result_md5_test7 }, { -1, NULL, 0, NULL, 0, NULL }, }; +#endif HmacCase hmac_sha1_tests[] = { { G_CHECKSUM_SHA1, key_sha_test1, 20, "Hi There", 8, result_sha1_test1 }, 
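Review bot: The `#ifndef USE_GNUTLS` opened in the first hunk carries no comment explaining why the RFC 2202 HMAC-MD5 vectors are compiled out, and its `#endif` in the second hunk is bare; the same applies to the guard around `hmac_md5_tests[]` in the third and fourth hunks. A reader has to reach `main()` to learn that the GnuTLS build forces FIPS mode for the whole test binary, which is why MD5 cannot be exercised here. I would add `/* MD5 is unavailable: main() forces GnuTLS FIPS mode for this binary */` above each `#ifndef` and close each guard with `#endif /* !USE_GNUTLS */`.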
@@ -493,11 +499,45 @@ test_hmac_for_bytes (void) g_bytes_unref (data); } +#ifdef USE_GNUTLS +static void +test_gnutls_fips_mode (void) +{ + GHmac *hmac; + GHmac *copy; + + /* No MD5 in FIPS mode. */ + hmac = g_hmac_new (G_CHECKSUM_MD5, (guchar*)"abc123", sizeof ("abc123")); + g_assert_null (hmac); + + /* SHA-256 should be good. */ + hmac = g_hmac_new (G_CHECKSUM_SHA256, (guchar*)"abc123", sizeof ("abc123")); + g_assert_nonnull (hmac); + + /* Ensure g_hmac_update() does not crash when called with -1. */ + g_hmac_update (hmac, (guchar*)"You win again, gravity!", -1); + + /* Ensure g_hmac_copy() does not crash. */ + copy = g_hmac_copy (hmac); + g_assert_nonnull (hmac); + g_hmac_unref (hmac); + + g_assert_cmpstr (g_hmac_get_string (copy), ==, "795ba6900bcb22e8ce65c2ec02db4e85697da921deb960ee3143bf88a4a60f83"); + g_hmac_unref (copy); +} +#endif + int main (int argc, char **argv) { int i; + +#ifdef USE_GNUTLS + /* This has to happen before GnuTLS is dlopened. */ + g_setenv ("GNUTLS_FORCE_FIPS_MODE", "1", FALSE); +#endif + g_test_init (&argc, &argv, NULL); for (i = 0 ; hmac_sha1_tests[i].key_len > 0 ; i++) @@ -532,6 +572,7 @@ main (int argc, g_free (name); } +#ifndef USE_GNUTLS for (i = 0 ; hmac_md5_tests[i].key_len > 0 ; i++) { gchar *name = g_strdup_printf ("/hmac/md5-%d", i + 1); @@ -539,6 +580,7 @@ main (int argc, (void (*)(const void *)) test_hmac); g_free (name); } +#endif g_test_add_func ("/hmac/ref-unref", test_hmac_ref_unref); g_test_add_func ("/hmac/copy", test_hmac_copy); @@ -546,5 +588,9 @@ main (int argc, g_test_add_func ("/hmac/for-string", test_hmac_for_string); g_test_add_func ("/hmac/for-bytes", test_hmac_for_bytes); +#ifdef USE_GNUTLS + g_test_add_func ("/hmac/gnutls-fips-mode", test_gnutls_fips_mode); +#endif + return g_test_run (); }
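Review bot: In `test_gnutls_fips_mode()`, the assertion after `copy = g_hmac_copy (hmac);` checks `hmac` again, which was already asserted non-NULL a few lines earlier, so a NULL return from `g_hmac_copy()` is not caught there and reaches `g_hmac_get_string (copy)` instead; it should read `g_assert_nonnull (copy);`. In `main()`, `g_setenv ("GNUTLS_FORCE_FIPS_MODE", "1", FALSE)` does not overwrite a value inherited from the environment, so a runner that exports a different setting would make the MD5-must-fail assertion depend on the caller. Passing `TRUE` as the last argument pins the mode the test assumes. The key length `sizeof ("abc123")` includes the terminating NUL; if that is intended (the expected digest is pinned to it), a short comment saying so would help.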