gnutls/SOURCES/gnutls-3.7.3-fix-tests-in-fips.patch

From 2c33761787f6530cf3984310a5f3b7dd05a7b375 Mon Sep 17 00:00:00 2001
From: Zoltan Fridrich <zfridric@redhat.com>
Date: Thu, 17 Feb 2022 11:46:29 +0100
Subject: [PATCH] Disable some tests in fips mode

Signed-off-by: Zoltan Fridrich <zfridric@redhat.com>
---
 tests/pkcs11/pkcs11-eddsa-privkey-test.c | 5 +++++
 tests/pkcs11/tls-neg-pkcs11-key.c        | 8 +++++++-
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/tests/pkcs11/pkcs11-eddsa-privkey-test.c b/tests/pkcs11/pkcs11-eddsa-privkey-test.c
index 44515da3f..ebbfe5278 100644
--- a/tests/pkcs11/pkcs11-eddsa-privkey-test.c
+++ b/tests/pkcs11/pkcs11-eddsa-privkey-test.c
@@ -107,6 +107,11 @@ void doit(void)
 		fail("%d: %s\n", ret, gnutls_strerror(ret));
 	}
 
+	if (gnutls_fips140_mode_enabled()) {
+		gnutls_global_deinit();
+		return;
+	}
+
 	gnutls_pkcs11_set_pin_function(pin_func, NULL);
 	gnutls_global_set_log_function(tls_log_func);
 	if (debug)
diff --git a/tests/pkcs11/tls-neg-pkcs11-key.c b/tests/pkcs11/tls-neg-pkcs11-key.c
index fc7c3dc4e..5cc1ae6e2 100644
--- a/tests/pkcs11/tls-neg-pkcs11-key.c
+++ b/tests/pkcs11/tls-neg-pkcs11-key.c
@@ -268,6 +268,7 @@ typedef struct test_st {
 	int exp_serv_err;
 	int needs_eddsa;
 	int needs_decryption;
+	int nofips;
 	unsigned requires_pkcs11_pss;
 } test_st;
 
@@ -340,6 +341,7 @@ static const test_st tests[] = {
 	 .cert = &server_ca3_eddsa_cert,
 	 .key = &server_ca3_eddsa_key,
 	 .exp_kx = GNUTLS_KX_ECDHE_RSA,
+	 .nofips = 1
 	},
 	{.name = "tls1.3: ecc key",
 	 .pk = GNUTLS_PK_ECDSA,
@@ -392,7 +394,8 @@ static const test_st tests[] = {
 	 .prio = "NORMAL:+ECDHE-RSA:+ECDHE-ECDSA",
 	 .cert = &server_ca3_eddsa_cert,
 	 .key = &server_ca3_eddsa_key,
-	 .exp_kx = GNUTLS_KX_ECDHE_RSA
+	 .exp_kx = GNUTLS_KX_ECDHE_RSA,
+	 .nofips = 1
 	}
 };
 
@@ -448,6 +451,9 @@ void doit(void)
 	have_eddsa = verify_eddsa_presence();
 
 	for (i=0;i<sizeof(tests)/sizeof(tests[0]);i++) {
+		if (tests[i].nofips && gnutls_fips140_mode_enabled())
+			continue;
+
 		if (tests[i].needs_eddsa && !have_eddsa)
 			continue;
 
-- 
2.35.1