Commit c709c736 authored Feb 21, 2024 by Michal Berger Committed by Jim Harris Feb 26, 2024

test/nvmf/fips: Don't export OPENSSL_FORCE_FIPS_MODE



This is redundant since we already do this explicitly in the custom
.cnf. Also, it breaks initialization under redhat's openssl 3.1.1 where
the 0032-Force-fips.patch changed quite significantly - it seems it no
longer checks if given provider was already activated|loaded hence the
provider_conf_activate() fails when the second attempt is made.

Previous iteration of this patch was flipping ok to 1 when provider was
already active here it remains 0.

To avoid this, simply don't export OPENSSL_FORCE_FIPS_MODE to make sure
all needed providers (base + fips) are loaded solely based on our .cnf.

Change-Id: I00e007360fac51754fa8c246394e4a5ecf4ffc07
Signed-off-by: Michal Berger <michal.berger@intel.com>
Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/21972


Tested-by: SPDK CI Jenkins <sys_sgci@intel.com>
Reviewed-by: Konrad Sztyber <konrad.sztyber@intel.com>
Reviewed-by: Jim Harris <jim.harris@samsung.com>

parent 88ae3f28

test/nvmf/fips/fips.sh

+1 −2

Original line number	Diff line number	Diff line
		@@ -102,7 +102,6 @@ if ! warn=$(openssl fipsinstall -help 2>&1); then
		# Rhel-based openssl >=3.0.9 builds no longer support fipsinstall command.
		# Enforce proper patches.
		export callback=build_openssl_config
		export OPENSSL_FORCE_FIPS_MODE="$callback"
		else
		exit 1
		fi
		@@ -114,7 +113,7 @@ fi
		"$callback" > spdk_fips.conf
		export OPENSSL_CONF=spdk_fips.conf

		mapfile -t providers < <(OPENSSL_CONF=spdk_fips.conf openssl list -providers \| grep "name")
		mapfile -t providers < <(openssl list -providers \| grep "name")
		# We expect OpenSSL to present the providers we requested. If OpenSSL loaded other providers
		# (e.g. "default") or was unable to load "base" and "fips", the following line will fail,
		# indicating that OPENSSL_CONF is invalid or OpenSSL itself is malconfigured.