Add test for GHmac in FIPS mode

This will test a few problems that we hit recently: g_hmac_copy() is broken, https://bugzilla.redhat.com/show_bug.cgi?id=1786538 Crash in g_hmac_update() in FIPS mode, https://bugzilla.redhat.com/show_bug.cgi?id=1971533 Crash when passing -1 length to g_hmac_update() (discovered in #1971533) We'll also test to ensure MD5 fails, and stop compiling the other MD5 tests.
2024-11-05 17:06:18 +01:00 · 2021-06-16 20:46:24 -05:00 · 2021-06-16 20:46:24 -05:00 · 2671527542
commit 2671527542
parent 780c2e18fc
1 changed files with 46 additions and 0 deletions
--- a/glib/tests/hmac.c
+++ b/glib/tests/hmac.c
@ -1,7 +1,10 @@
+#include "config.h"
+
 #include <glib.h>
 #include <string.h>
 #include <stdlib.h>

+#ifndef USE_GNUTLS
 /* HMAC-MD5 test vectors as per RFC 2202 */

 /* Test 1 */
@ -81,6 +84,7 @@ guint8 key_md5_test7[] = {
 guint8 result_md5_test7[] = {
    0x6f, 0x63, 0x0f, 0xad, 0x67, 0xcd, 0xa0, 0xee, 0x1f, 0xb1,
    0xf5, 0x62, 0xdb, 0x3a, 0xa5, 0x3e };
+#endif

 /* HMAC-SHA1, HMAC-SHA256, HMAC-SHA384 and HMAC-SHA512 test vectors
 * as per RFCs 2202 and 4868.
@ -299,6 +303,7 @@ typedef struct {
  gconstpointer result;
 } HmacCase;

+#ifndef USE_GNUTLS
 HmacCase hmac_md5_tests[] = {
  { G_CHECKSUM_MD5, key_md5_test1, 16, "Hi There", 8, result_md5_test1 },
  { G_CHECKSUM_MD5, "Jefe", 4, "what do ya want for nothing?", 28,
@ -317,6 +322,7 @@ HmacCase hmac_md5_tests[] = {
      73, result_md5_test7 },
  { -1, NULL, 0, NULL, 0, NULL },
 };
+#endif

 HmacCase hmac_sha1_tests[] = {
  { G_CHECKSUM_SHA1, key_sha_test1, 20, "Hi There", 8, result_sha1_test1 },
@ -493,11 +499,45 @@ test_hmac_for_bytes (void)
  g_bytes_unref (data);
 }

+#ifdef USE_GNUTLS
+static void
+test_gnutls_fips_mode (void)
+{
+  GHmac *hmac;
+  GHmac *copy;
+
+  /* No MD5 in FIPS mode. */
+  hmac = g_hmac_new (G_CHECKSUM_MD5, (guchar*)"abc123", sizeof ("abc123"));
+  g_assert_null (hmac);
+
+  /* SHA-256 should be good. */
+  hmac = g_hmac_new (G_CHECKSUM_SHA256, (guchar*)"abc123", sizeof ("abc123"));
+  g_assert_nonnull (hmac);
+
+  /* Ensure g_hmac_update() does not crash when called with -1. */
+  g_hmac_update (hmac, (guchar*)"You win again, gravity!", -1);
+
+  /* Ensure g_hmac_copy() does not crash. */
+  copy = g_hmac_copy (hmac);
+  g_assert_nonnull (hmac);
+  g_hmac_unref (hmac);
+
+  g_assert_cmpstr (g_hmac_get_string (copy), ==, "795ba6900bcb22e8ce65c2ec02db4e85697da921deb960ee3143bf88a4a60f83");
+  g_hmac_unref (copy);
+}
+#endif
+
 int
 main (int argc,
    char **argv)
 {
  int i;
+
+#ifdef USE_GNUTLS
+  /* This has to happen before GnuTLS is dlopened. */
+  g_setenv ("GNUTLS_FORCE_FIPS_MODE", "1", FALSE);
+#endif
+
  g_test_init (&argc, &argv, NULL);

  for (i = 0 ; hmac_sha1_tests[i].key_len > 0 ; i++)
@ -532,6 +572,7 @@ main (int argc,
      g_free (name);
    }

+#ifndef USE_GNUTLS
  for (i = 0 ; hmac_md5_tests[i].key_len > 0 ; i++)
    {
      gchar *name = g_strdup_printf ("/hmac/md5-%d", i + 1);
@ -539,6 +580,7 @@ main (int argc,
        (void (*)(const void *)) test_hmac);
      g_free (name);
    }
+#endif

  g_test_add_func ("/hmac/ref-unref", test_hmac_ref_unref);
  g_test_add_func ("/hmac/copy", test_hmac_copy);
@ -546,5 +588,9 @@ main (int argc,
  g_test_add_func ("/hmac/for-string", test_hmac_for_string);
  g_test_add_func ("/hmac/for-bytes", test_hmac_for_bytes);

+#ifdef USE_GNUTLS
+  g_test_add_func ("/hmac/gnutls-fips-mode", test_gnutls_fips_mode);
+#endif
+
  return g_test_run ();
 }