PR#31: Fix tests conflicts with sssd_krb5_locator_plugin.so and include missing OpenSSL FIPS header - rpms/krb5

rpms / krb5

#31 Fix tests conflicts with sssd_krb5_locator_plugin.so and include missing OpenSSL FIPS header

Merged a year ago by jrische. Opened a year ago by jrische.

rpms/ jrische/krb5 next into rawhide

Include missing OpenSSL FIPS header

Julien Rische • a year ago

f0b4f85

Make tests compatible with sssd_krb5_locator_plugin.so

Julien Rische • a year ago

f29ff71

0013-downstream-Make-tests-compatible-with-sssd_krb5_loca.patch

file added

+41

		`@@ -0,0 +1,41 @@`
		`+ From 9a536113196d8b32e3143964a655356ac8af1347 Mon Sep 17 00:00:00 2001`
		`+ From: Julien Rische <jrische@redhat.com>`
		`+ Date: Wed, 7 Dec 2022 13:22:42 +0100`
		`+ Subject: [PATCH] [downstream] Make tests compatible with`
		`+ sssd_krb5_locator_plugin.so`
		`+`
		`+ The sssd_krb5_locator_plugin.so plugin provided by sssd-client conflicts`
		`+ with the upstream test t_discover_uri.py. The test has to be modified in`
		`+ order to avoid false positive.`
		`+ ---`
		`+ src/lib/krb5/os/t_discover_uri.py \| 9 ++++++++-`
		`+ 1 file changed, 8 insertions(+), 1 deletion(-)`
		`+`
		`+ diff --git a/src/lib/krb5/os/t_discover_uri.py b/src/lib/krb5/os/t_discover_uri.py`
		`+ index 87bac17929..26bc95a8dc 100644`
		`+ --- a/src/lib/krb5/os/t_discover_uri.py`
		`+ +++ b/src/lib/krb5/os/t_discover_uri.py`
		`+ @@ -1,3 +1,4 @@`
		`+ +from os.path import exists`
		`+ from k5test import *`
		`+`
		`+ entries = ('URI _kerberos.TEST krb5srv::kkdcp:https://kdc1 1 1\n',`
		`+ @@ -37,8 +38,14 @@ realm.env['RESOLV_WRAPPER_HOSTS'] = hosts_filename`
		`+ out = realm.run(['./t_locate_kdc', 'TEST'], env=realm.env)`
		`+ l = out.splitlines()`
		`+`
		`+ +if (exists('/usr/lib/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so')`
		`+ + or exists('/usr/lib64/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so')):`
		`+ + line_range = range(6, 14)`
		`+ +else:`
		`+ + line_range = range(4, 12)`
		`+ +`
		`+ j = 0`
		`+ -for i in range(4, 12):`
		`+ +for i in line_range:`
		`+ if l[i].strip() != expected[j]:`
		`+ fail('URI answers do not match')`
		`+ j += 1`
		`+ --`
		`+ 2.38.1`
		`+`

0014-downstream-Include-missing-OpenSSL-FIPS-header.patch

file added

+120

		`@@ -0,0 +1,120 @@`
		`+ From d57a804136c5ebf473ce053a9517edd71a56389f Mon Sep 17 00:00:00 2001`
		`+ From: Julien Rische <jrische@redhat.com>`
		`+ Date: Thu, 5 Jan 2023 20:06:47 +0100`
		`+ Subject: [PATCH] [downstream] Include missing OpenSSL FIPS header`
		`+`
		`+ The inclusion of openssl/fips.h, which provides the declaration of`
		`+ FIPS_mode(), was removed from openssl/crypto.h. As a consequence, this`
		`+ header file has to be included explicitly in krb5 code.`
		`+ ---`
		`+ src/lib/crypto/krb/prng.c \| 4 +++-`
		`+ src/lib/crypto/openssl/enc_provider/camellia.c \| 1 +`
		`+ src/lib/crypto/openssl/enc_provider/rc4.c \| 4 ++++`
		`+ src/lib/crypto/openssl/hmac.c \| 1 +`
		`+ src/lib/krad/internal.h \| 4 ++++`
		`+ src/plugins/preauth/spake/spake_client.c \| 4 ++++`
		`+ src/plugins/preauth/spake/spake_kdc.c \| 4 ++++`
		`+ 7 files changed, 21 insertions(+), 1 deletion(-)`
		`+`
		`+ diff --git a/src/lib/crypto/krb/prng.c b/src/lib/crypto/krb/prng.c`
		`+ index 9e80a03d21..ae37c77518 100644`
		`+ --- a/src/lib/crypto/krb/prng.c`
		`+ +++ b/src/lib/crypto/krb/prng.c`
		`+ @@ -28,7 +28,9 @@`
		`+`
		`+ #include <openssl/rand.h>`
		`+`
		`+ -#if OPENSSL_VERSION_NUMBER < 0x30000000L`
		`+ +#if OPENSSL_VERSION_NUMBER >= 0x30000000L`
		`+ +#include <openssl/fips.h>`
		`+ +#else`
		`+ #include <openssl/crypto.h>`
		`+ #endif`
		`+`
		`+ diff --git a/src/lib/crypto/openssl/enc_provider/camellia.c b/src/lib/crypto/openssl/enc_provider/camellia.c`
		`+ index d9f327add6..3dd3b0624f 100644`
		`+ --- a/src/lib/crypto/openssl/enc_provider/camellia.c`
		`+ +++ b/src/lib/crypto/openssl/enc_provider/camellia.c`
		`+ @@ -32,6 +32,7 @@`
		`+ #include <openssl/camellia.h>`
		`+ #if OPENSSL_VERSION_NUMBER >= 0x30000000L`
		`+ #include <openssl/core_names.h>`
		`+ +#include <openssl/fips.h>`
		`+ #else`
		`+ #include <openssl/modes.h>`
		`+ #endif`
		`+ diff --git a/src/lib/crypto/openssl/enc_provider/rc4.c b/src/lib/crypto/openssl/enc_provider/rc4.c`
		`+ index ce63cb5f1b..6a83f10d27 100644`
		`+ --- a/src/lib/crypto/openssl/enc_provider/rc4.c`
		`+ +++ b/src/lib/crypto/openssl/enc_provider/rc4.c`
		`+ @@ -38,6 +38,10 @@`
		`+`
		`+ #include <openssl/evp.h>`
		`+`
		`+ +#if OPENSSL_VERSION_NUMBER >= 0x30000000L`
		`+ +#include <openssl/fips.h>`
		`+ +#endif`
		`+ +`
		`+ /*`
		`+ * The loopback field is a pointer to the structure. If the application copies`
		`+ * the state (not a valid operation, but one which happens to works with some`
		`+ diff --git a/src/lib/crypto/openssl/hmac.c b/src/lib/crypto/openssl/hmac.c`
		`+ index f21e268f7f..25a419d73a 100644`
		`+ --- a/src/lib/crypto/openssl/hmac.c`
		`+ +++ b/src/lib/crypto/openssl/hmac.c`
		`+ @@ -59,6 +59,7 @@`
		`+ #if OPENSSL_VERSION_NUMBER >= 0x30000000L`
		`+ #include <openssl/params.h>`
		`+ #include <openssl/core_names.h>`
		`+ +#include <openssl/fips.h>`
		`+ #else`
		`+ #include <openssl/hmac.h>`
		`+ #endif`
		`+ diff --git a/src/lib/krad/internal.h b/src/lib/krad/internal.h`
		`+ index e123763954..a17b6f39b1 100644`
		`+ --- a/src/lib/krad/internal.h`
		`+ +++ b/src/lib/krad/internal.h`
		`+ @@ -41,6 +41,10 @@`
		`+`
		`+ #include <openssl/crypto.h>`
		`+`
		`+ +#if OPENSSL_VERSION_NUMBER >= 0x30000000L`
		`+ +#include <openssl/fips.h>`
		`+ +#endif`
		`+ +`
		`+ #ifndef UCHAR_MAX`
		`+ #define UCHAR_MAX 255`
		`+ #endif`
		`+ diff --git a/src/plugins/preauth/spake/spake_client.c b/src/plugins/preauth/spake/spake_client.c`
		`+ index a3ce22b70f..13c699071f 100644`
		`+ --- a/src/plugins/preauth/spake/spake_client.c`
		`+ +++ b/src/plugins/preauth/spake/spake_client.c`
		`+ @@ -40,6 +40,10 @@`
		`+`
		`+ #include <openssl/crypto.h>`
		`+`
		`+ +#if OPENSSL_VERSION_NUMBER >= 0x30000000L`
		`+ +#include <openssl/fips.h>`
		`+ +#endif`
		`+ +`
		`+ typedef struct reqstate_st {`
		`+ krb5_pa_spake msg; / set in prep_questions, used in process */`
		`+ krb5_keyblock *initial_key;`
		`+ diff --git a/src/plugins/preauth/spake/spake_kdc.c b/src/plugins/preauth/spake/spake_kdc.c`
		`+ index 232e78bc05..3394f8a58e 100644`
		`+ --- a/src/plugins/preauth/spake/spake_kdc.c`
		`+ +++ b/src/plugins/preauth/spake/spake_kdc.c`
		`+ @@ -43,6 +43,10 @@`
		`+`
		`+ #include <openssl/crypto.h>`
		`+`
		`+ +#if OPENSSL_VERSION_NUMBER >= 0x30000000L`
		`+ +#include <openssl/fips.h>`
		`+ +#endif`
		`+ +`
		`+ /*`
		`+ * The SPAKE kdcpreauth module uses a secure cookie containing the following`
		`+ * concatenated fields (all integer fields are big-endian):`
		`+ --`
		`+ 2.38.1`
		`+`

krb5.spec

file modified

+7 -4

		`@@ -10,7 +10,7 @@`
		`#`
		`# baserelease is what we have standardized across Fedora and what`
		`# rpmdev-bumpspec knows how to handle.`
		`- %global baserelease 3`
		`+ %global baserelease 4`

		`# This should be e.g. beta1 or %%nil`
		`%global pre_release %nil`
		`@@ -71,6 +71,8 @@`
		`Patch10: 0010-Update-error-checking-for-OpenSSL-CMS_verify.patch`
		`Patch11: 0011-downstream-Catch-SHA-1-digest-disallowed-error-for-P.patch`
		`Patch12: 0012-Add-and-use-ts_interval-helper.patch`
		`+ Patch13: 0013-downstream-Make-tests-compatible-with-sssd_krb5_loca.patch`
		`+ Patch14: 0014-downstream-Include-missing-OpenSSL-FIPS-header.patch`

		`License: MIT`
		`URL: https://web.mit.edu/kerberos/www/`
		`@@ -254,9 +256,6 @@`
		`Requires: /usr/share/dict/words`
		`#Requires: openldap-servers, openldap-clients`

		`- # sssd_krb5_locator_plugin.so conflicts with t_discover_uri.py`
		`- Conflicts: sssd-client`
		`-`
		`%description tests`
		`FOR TESTING PURPOSE ONLY`
		`Test sources for krb5 build, with pre-defined compilation parameters`
		`@@ -710,6 +709,10 @@`
		`%{_datarootdir}/%{name}-tests/`

		`%changelog`
		`+ * Thu Jan 05 2023 Julien Rische <jrische@redhat.com> - 1.20.1-4`
		`+ - Include missing OpenSSL FIPS header`
		`+ - Make tests compatible with sssd_krb5_locator_plugin.so`
		`+`
		`* Tue Dec 06 2022 Julien Rische <jrische@redhat.com> - 1.20.1-3`
		`- Enable TMT integration with Fedora CI`

plans/tests.fmf

file modified

-4

		`@@ -1,9 +1,5 @@`
		`summary: Tests`
		`discover:`
		`how: fmf`
		`- prepare:`
		`- - how: shell`
		`- script:`
		`- - dnf remove -y sssd-client`
		`execute:`
		`how: tmt`

no initial comment

Metadata Update from @jrische:
- Request assigned

a year ago

sbose commented a year ago

Hi,

not sure if this will help, but you can disable SSSD's locator plugin by setting the environment variable SSSD_KRB5_LOCATOR_DISABLE to any value, see man sssd_krb5_locator_plugin for details.

bye,
Sumit

2 new commits added

Include missing OpenSSL FIPS header
Make tests compatible with sssd_krb5_locator_plugin.so

a year ago

jrische commented a year ago

Hi Sumit,

I tried to set the SSSD_KRB5_LOCATOR_DISABLE variable, but it still causes some debug messages to be displayed. And since test is checking command outputs, it is enough to cause it to fail.

So I am afraid that uninstalling sssd-client or modifying the test are the only possible solutions.

rebased onto f29ff71

a year ago

Pull-Request has been merged by jrische

a year ago