TCP: remove wrong INSIST(csock->recv_cb != NULL), disable the "cipher-suites" test in FIPS mode (!8655) · Merge requests · ISC Open Source Projects / BIND

Artem Boldariev requested to merge 4536-remove-wrong-INSIST-fix-cipher-suites-test into main Jan 15, 2024

This MR removes wrong INSIST() condition as the assumption that if csock->recv_cb != NULL iff csock->statichandle != NULL is wrong.

There is no direct relation between csock->statichandle and csock->recv_cb, as csock->statichandle gets set when allocating a handle regardless of csock->recv_cb not being NULL, as it is possible to attach to the handle without starting a read operation (at the very least, it is correct to start writing before reading).

That condition made cipher-suites system test fail with crash on some platforms in FIPS mode (namely, Oracle Linux 9) despite not being related to FIPS at all.

The wrong condition seems like a left-over from earlier days of the Network Manager.

Also, we need to skip the cipher-suites system test in FIPS mode as some of the algorithms used in the test are not available when using the FIPS mode (e.g. TLS_CHACHA20_POLY1305_SHA256)

Closes #4536 (closed)

Edited Jan 15, 2024 by Artem Boldariev

TCP: remove wrong INSIST(csock->recv_cb != NULL), disable the "cipher-suites" test in FIPS mode

Merge request reports