selftest: Force fips mode for openssl in ad_dc_fips
authorAndreas Schneider <asn@samba.org>
Mon, 16 Mar 2020 08:39:48 +0000 (09:39 +0100)
committerAndreas Schneider <asn@cryptomilk.org>
Wed, 8 Apr 2020 13:02:40 +0000 (13:02 +0000)
This allows us to test MIT KRB5 and OpenLDAP in FIPS mode.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
selftest/target/Samba.pm
selftest/target/Samba4.pm

index 9264dfe83c62f3f5ecff9a05c4999c2874a7e571..6118f2e243ad053bddc682fe93922e5bc8a7dfdc 100644 (file)
@@ -692,6 +692,9 @@ sub get_env_for_process
        if (defined($env_vars->{GNUTLS_FORCE_FIPS_MODE})) {
                $proc_envs->{GNUTLS_FORCE_FIPS_MODE} = $env_vars->{GNUTLS_FORCE_FIPS_MODE};
        }
+       if (defined($env_vars->{OPENSSL_FORCE_FIPS_MODE})) {
+               $proc_envs->{OPENSSL_FORCE_FIPS_MODE} = $env_vars->{OPENSSL_FORCE_FIPS_MODE};
+       }
        return $proc_envs;
 }
 
@@ -878,6 +881,7 @@ my @exported_envvars = (
 
        # crypto libraries
        "GNUTLS_FORCE_FIPS_MODE",
+       "OPENSSL_FORCE_FIPS_MODE",
 );
 
 sub exported_envvars_str
index c13a454e2624fb46c71e966cb79f0b4b2e8dd8c8..2046af3b9841d3a5b809ee61e6984c3b8ca5cc2c 100755 (executable)
@@ -171,6 +171,9 @@ sub wait_for_start($$)
                if (defined($testenv_vars->{GNUTLS_FORCE_FIPS_MODE})) {
                        $cmd .= "GNUTLS_FORCE_FIPS_MODE=$testenv_vars->{GNUTLS_FORCE_FIPS_MODE} ";
                }
+               if (defined($testenv_vars->{OPENSSL_FORCE_FIPS_MODE})) {
+                       $cmd .= "OPENSSL_FORCE_FIPS_MODE=$testenv_vars->{OPENSSL_FORCE_FIPS_MODE} ";
+               }
 
                $cmd .= "$ldbsearch ";
                $cmd .= "$testenv_vars->{CONFIGURATION} ";
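Review bot: The new `OPENSSL_FORCE_FIPS_MODE=...` assignment is interpolated into `$cmd` unquoted, and the get_cmd_env_vars hunk does the same when appending to `$cmd_env`. The value is a fixed "1" elsewhere in this commit, so this is a consistency and robustness point rather than a live bug. The neighbouring KRB5_CONFIG, KRB5CCNAME and RESOLV_CONF assignments in get_cmd_env_vars are quoted, and a value containing whitespace would split into a separate word if the string is later run through a shell (not shown in the hunk). I would write `$cmd .= "OPENSSL_FORCE_FIPS_MODE=\"$testenv_vars->{OPENSSL_FORCE_FIPS_MODE}\" ";` and quote the `$cmd_env` line the same way. The body of wait_for_start continues outside the hunk.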
@@ -387,6 +390,9 @@ sub get_cmd_env_vars
        if (defined($localenv->{GNUTLS_FORCE_FIPS_MODE})) {
                $cmd_env .= "GNUTLS_FORCE_FIPS_MODE=$localenv->{GNUTLS_FORCE_FIPS_MODE} ";
        }
+       if (defined($localenv->{OPENSSL_FORCE_FIPS_MODE})) {
+               $cmd_env .= "OPENSSL_FORCE_FIPS_MODE=$localenv->{OPENSSL_FORCE_FIPS_MODE} ";
+       }
        $cmd_env .= " KRB5_CONFIG=\"$localenv->{KRB5_CONFIG}\" ";
        $cmd_env .= "KRB5CCNAME=\"$localenv->{KRB5_CCACHE}\" ";
        $cmd_env .= "RESOLV_CONF=\"$localenv->{RESOLV_CONF}\" ";
@@ -616,6 +622,7 @@ sub provision_raw_prepare($$$$$$$$$$$$$$)
        }
        if (defined($ctx->{force_fips_mode})) {
                push (@provision_options, "GNUTLS_FORCE_FIPS_MODE=1");
+               push (@provision_options, "OPENSSL_FORCE_FIPS_MODE=1");
        }
 
        if (defined($ENV{GDB_PROVISION})) {
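Review bot: Nothing at the added `push (@provision_options, "OPENSSL_FORCE_FIPS_MODE=1");` tells the reader that this variable only takes effect on OpenSSL builds carrying a distribution FIPS patch. As far as I know upstream OpenSSL does not read it, so on such a build the ad_dc_fips environment could run MIT KRB5 and OpenLDAP without FIPS restrictions and still report success. A comment above the push would record that, e.g. `# Only honoured by OpenSSL builds with the distro FIPS patch; a no-op elsewhere.` It would also be worth having the environment confirm that FIPS mode is actually active before its results are trusted; no such check is visible in this hunk. provision_raw_prepare starts and ends outside the hunk.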
@@ -892,6 +899,7 @@ nogroup:x:65534:nobody
        }
        if (defined($ctx->{force_fips_mode})) {
                $ret->{GNUTLS_FORCE_FIPS_MODE} = "1",
+               $ret->{OPENSSL_FORCE_FIPS_MODE} = "1",
        }
 
        if ($ctx->{server_role} eq "domain controller") {
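Review bot: The added line `$ret->{OPENSSL_FORCE_FIPS_MODE} = "1",` ends in a comma rather than a semicolon, copying the line above it. Perl parses the pair as one comma expression, so both assignments still run, but the block reads like a list and becomes fragile as soon as someone appends a statement that is not a plain assignment. I would end both with semicolons: `$ret->{GNUTLS_FORCE_FIPS_MODE} = "1";` and `$ret->{OPENSSL_FORCE_FIPS_MODE} = "1";`. The enclosing sub starts and ends outside the hunk.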