From 4d094f6b51c0d88b4b9a0a6d7220d5b52b653ed8 Mon Sep 17 00:00:00 2001
From: Michal Nowak <mnowak@isc.org>
Date: Tue, 20 Oct 2020 12:15:23 +0200
Subject: [PATCH] Disable failing MD5 unit tests in FIPS mode

With FIPS mode enabled 'isc_hmac_init_test' and 'isc_hmac_md5_test'
tests of hmac_test and 'isc_md_init_test' and 'isc_md_md5_test' test
of md_test fail.

This is due to leveraging MD5, which is disabled in FIPS mode.
---
 tests/isc/hmac_test.c | 19 ++++++++++++++-----
 tests/isc/md_test.c   | 15 ++++++++++++---
 2 files changed, 26 insertions(+), 8 deletions(-)

diff --git a/tests/isc/hmac_test.c b/tests/isc/hmac_test.c
index 89e23a6291..b4438a2853 100644
--- a/tests/isc/hmac_test.c
+++ b/tests/isc/hmac_test.c
@@ -24,6 +24,7 @@
 #include <cmocka.h>
 
 #include <isc/buffer.h>
+#include <isc/fips.h>
 #include <isc/hex.h>
 #include <isc/hmac.h>
 #include <isc/region.h>
@@ -120,15 +121,18 @@ ISC_RUN_TEST_IMPL(isc_hmac_init) {
 	isc_hmac_t *hmac = *state;
 	assert_non_null(hmac);
 
-	expect_assert_failure(isc_hmac_init(NULL, "", 0, ISC_MD_MD5));
-
 	assert_int_equal(isc_hmac_init(hmac, "", 0, NULL),
 			 ISC_R_NOTIMPLEMENTED);
 
-	expect_assert_failure(isc_hmac_init(hmac, NULL, 0, ISC_MD_MD5));
+	if (!isc_fips_mode()) {
+		expect_assert_failure(isc_hmac_init(NULL, "", 0, ISC_MD_MD5));
 
-	assert_int_equal(isc_hmac_init(hmac, "", 0, ISC_MD_MD5), ISC_R_SUCCESS);
-	assert_int_equal(isc_hmac_reset(hmac), ISC_R_SUCCESS);
+		expect_assert_failure(isc_hmac_init(hmac, NULL, 0, ISC_MD_MD5));
+
+		assert_int_equal(isc_hmac_init(hmac, "", 0, ISC_MD_MD5),
+				 ISC_R_SUCCESS);
+		assert_int_equal(isc_hmac_reset(hmac), ISC_R_SUCCESS);
+	}
 
 	assert_int_equal(isc_hmac_init(hmac, "", 0, ISC_MD_SHA1),
 			 ISC_R_SUCCESS);
@@ -212,6 +216,11 @@ ISC_RUN_TEST_IMPL(isc_hmac_final) {
 ISC_RUN_TEST_IMPL(isc_hmac_md5) {
 	isc_hmac_t *hmac = *state;
 
+	if (isc_fips_mode()) {
+		skip();
+		return;
+	}
+
 	/* Test 0 */
 	isc_hmac_test(hmac, TEST_INPUT(""), ISC_MD_MD5, TEST_INPUT(""),
 		      "74E6F7298A9C2D168935F58C001BAD88", 1);
diff --git a/tests/isc/md_test.c b/tests/isc/md_test.c
index 446367fc3b..f9adb4fb18 100644
--- a/tests/isc/md_test.c
+++ b/tests/isc/md_test.c
@@ -17,13 +17,14 @@
 #include <stddef.h>
 #include <string.h>
 
-/* For FIPS_mode() */
+/* Needs to be included before <cmocka.h> */
 #include <openssl/crypto.h>
 
 #define UNIT_TESTING
 #include <cmocka.h>
 
 #include <isc/buffer.h>
+#include <isc/fips.h>
 #include <isc/hex.h>
 #include <isc/md.h>
 #include <isc/region.h>
@@ -117,8 +118,10 @@ ISC_RUN_TEST_IMPL(isc_md_init) {
 
 	assert_int_equal(isc_md_init(md, NULL), ISC_R_NOTIMPLEMENTED);
 
-	assert_int_equal(isc_md_init(md, ISC_MD_MD5), ISC_R_SUCCESS);
-	assert_int_equal(isc_md_reset(md), ISC_R_SUCCESS);
+	if (!isc_fips_mode()) {
+		assert_int_equal(isc_md_init(md, ISC_MD_MD5), ISC_R_SUCCESS);
+		assert_int_equal(isc_md_reset(md), ISC_R_SUCCESS);
+	}
 
 	assert_int_equal(isc_md_init(md, ISC_MD_SHA1), ISC_R_SUCCESS);
 	assert_int_equal(isc_md_reset(md), ISC_R_SUCCESS);
@@ -193,6 +196,12 @@ ISC_RUN_TEST_IMPL(isc_md_final) {
 
 ISC_RUN_TEST_IMPL(isc_md_md5) {
 	isc_md_t *md = *state;
+
+	if (isc_fips_mode()) {
+		skip();
+		return;
+	}
+
 	isc_md_test(md, ISC_MD_MD5, NULL, 0, NULL, 0);
 	isc_md_test(md, ISC_MD_MD5, TEST_INPUT(""),
 		    "D41D8CD98F00B204E9800998ECF8427E", 1);