File 0905-ssh-test-Extend-crypto-start-to-enable-FIPS-if-possi.patch of Package erlang
From bfc9870b0eea3d23c8ffd9506f5b94ace65e0390 Mon Sep 17 00:00:00 2001
From: Hans Nilsson <hans@erlang.org>
Date: Wed, 13 Nov 2019 15:12:50 +0100
Subject: [PATCH 3/6] ssh/test: Extend crypto start to enable FIPS if possible
---
lib/ssh/test/ssh_test_lib.erl | 42 ++++++++++++++++++++++++++++++++++++++++++
lib/ssh/test/ssh_test_lib.hrl | 14 ++++++++++----
2 files changed, 52 insertions(+), 4 deletions(-)
diff --git a/lib/ssh/test/ssh_test_lib.erl b/lib/ssh/test/ssh_test_lib.erl
index d205cef579..47dad5b5d7 100644
--- a/lib/ssh/test/ssh_test_lib.erl
+++ b/lib/ssh/test/ssh_test_lib.erl
@@ -1070,3 +1070,45 @@ ntoa(A) ->
_:_ when is_list(A) -> A
end.
+%%%----------------------------------------------------------------
+try_enable_fips_mode() ->
+ case crypto:info_fips() of
+ enabled ->
+ report("FIPS mode already enabled", ?LINE),
+ ok;
+ not_enabled ->
+ %% Erlang/crypto configured with --enable-fips
+ case crypto:enable_fips_mode(true) of
+ true ->
+ %% and also the cryptolib is fips enabled
+ report("FIPS mode enabled", ?LINE),
+ enabled = crypto:info_fips(),
+ ok;
+ false ->
+ case is_cryptolib_fips_capable() of
+ false ->
+ report("No FIPS mode in cryptolib", ?LINE),
+ {skip, "FIPS mode not supported in cryptolib"};
+ true ->
+ ct:fail("Failed to enable FIPS mode", [])
+ end
+ end;
+ not_supported ->
+ report("FIPS mode not supported by Erlang/OTP", ?LINE),
+ {skip, "FIPS mode not supported"}
+ end.
+
+is_cryptolib_fips_capable() ->
+ [{_,_,Inf}] = crypto:info_lib(),
+ nomatch =/= re:run(Inf, "(F|f)(I|i)(P|p)(S|s)").
+
+report(Comment, Line) ->
+ ct:comment(Comment),
+ ct:log("~p:~p try_enable_fips_mode~n"
+ "crypto:info_lib() = ~p~n"
+ "crypto:info_fips() = ~p~n"
+ "crypto:supports() =~n~p~n",
+ [?MODULE, Line,
+ crypto:info_lib(),
+ crypto:info_fips(),
+ crypto:supports()]).
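Review bot: `is_cryptolib_fips_capable/0` chooses between skip and fail by searching the third element of `crypto:info_lib()` for the text "fips", which is a naming heuristic rather than a capability query. If a FIPS-capable library does not carry that text, a failed `crypto:enable_fips_mode(true)` is logged as "No FIPS mode in cryptolib" and skipped instead of failed, so I would document that above the function, e.g. `%% Heuristic: looks for "fips" in the cryptolib info text; a miss turns a failed enable into a skip`. The pattern itself reads more simply as `re:run(Inf, "fips", [caseless])`. Separately, the `true` branch leaves FIPS mode switched on and the hunk shows no restore, so later code in the same node presumably inherits it; that deserves a line in a header comment on `try_enable_fips_mode/0`.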
diff --git a/lib/ssh/test/ssh_test_lib.hrl b/lib/ssh/test/ssh_test_lib.hrl
index 4b6579bd71..b9af2ecb5d 100644
--- a/lib/ssh/test/ssh_test_lib.hrl
+++ b/lib/ssh/test/ssh_test_lib.hrl
@@ -6,10 +6,16 @@
%%-------------------------------------------------------------------------
%% Check for usable crypt
%%-------------------------------------------------------------------------
--define(CHECK_CRYPTO(Available),
- try crypto:start()
- of _ -> Available
- catch _:_ -> {skip, "Can't start crypto"}
+-define(CHECK_CRYPTO(UsersInitCode),
+ try
+ crypto:start(),
+ ssh_test_lib:try_enable_fips_mode()
+ of
+ ok -> UsersInitCode;
+ {skip,_} -> UsersInitCode;
+ Other -> Other
+ catch
+ _:_ -> {skip, "Can't start crypto"}
end
).
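Review bot: Because `ssh_test_lib:try_enable_fips_mode()` sits in the protected part of the `try` (before `of`), the `catch _:_` clause also catches everything it raises. `ct:fail/2` signals failure by exiting, so the "Failed to enable FIPS mode" case, like a badmatch on `enabled = crypto:info_fips()` or in `is_cryptolib_fips_capable/0`, would come back as `{skip, "Can't start crypto"}` instead of a failure. A broken FIPS setup is then hidden behind a misleading skip reason. Protecting only `crypto:start()` and calling the helper in the `of` section lets those failures surface; the `Other -> Other` clause is dropped because the helper as shown returns only `ok` or `{skip,_}`.

```erlang
-define(CHECK_CRYPTO(UsersInitCode),
        try crypto:start() of
            _ ->
                %% Outside the protected section: ct:fail/2 and badmatch propagate
                case ssh_test_lib:try_enable_fips_mode() of
                    ok -> UsersInitCode;
                    {skip,_} -> UsersInitCode
                end
        catch
            _:_ -> {skip, "Can't start crypto"}
        end
       ).
```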
--
2.16.4