* [PATCH net v2 0/3] Check if FIPS mode is enabled when running selftests
@ 2023-06-09 16:43 Magali Lemes
2023-06-09 16:43 ` [PATCH net v2 1/3] selftests: net: tls: check if FIPS mode is enabled Magali Lemes
` (2 more replies)
0 siblings, 3 replies; 9+ messages in thread
From: Magali Lemes @ 2023-06-09 16:43 UTC (permalink / raw)
To: davem, dsahern, edumazet, kuba, pabeni, shuah, tianjia.zhang,
vfedorenko
Cc: andrei.gherzan, linux-kernel, linux-kselftest, netdev
Some test cases from net/tls, net/fcnal-test and net/vrf-xfrm-tests
that rely on cryptographic functions to work and use non-compliant FIPS
algorithms fail in FIPS mode.
In order to allow these tests to pass in a wider set of kernels,
- for net/tls, skip the test variants that use the ChaCha20-Poly1305
and SM4 algorithms, when FIPS mode is enabled;
- for net/fcnal-test, skip the MD5 tests, when FIPS mode is enabled;
- for net/vrf-xfrm-tests, replace the algorithms that are not
FIPS-compliant with compliant ones.
Changes in v2:
- Add R-b tags.
- Put fips_non_compliant into the variants.
- Turn fips_enabled into a static global variable.
- Read /proc/sys/crypto/fips_enabled only once at main().
v1: https://lore.kernel.org/netdev/20230607174302.19542-1-magali.lemes@canonical.com/
Magali Lemes (3):
selftests: net: tls: check if FIPS mode is enabled
selftests: net: vrf-xfrm-tests: change authentication and encryption
algos
selftests: net: fcnal-test: check if FIPS mode is enabled
tools/testing/selftests/net/fcnal-test.sh | 27 ++-
tools/testing/selftests/net/tls.c | 175 +++++++++++++++++-
tools/testing/selftests/net/vrf-xfrm-tests.sh | 32 ++--
3 files changed, 209 insertions(+), 25 deletions(-)
--
2.34.1
^ permalink raw reply [flat|nested] 9+ messages in thread
* [PATCH net v2 1/3] selftests: net: tls: check if FIPS mode is enabled
2023-06-09 16:43 [PATCH net v2 0/3] Check if FIPS mode is enabled when running selftests Magali Lemes
@ 2023-06-09 16:43 ` Magali Lemes
2023-06-09 17:53 ` Jakub Kicinski
2023-06-09 16:43 ` [PATCH net v2 2/3] selftests: net: vrf-xfrm-tests: change authentication and encryption algos Magali Lemes
2023-06-09 16:43 ` [PATCH net v2 3/3] selftests: net: fcnal-test: check if FIPS mode is enabled Magali Lemes
2 siblings, 1 reply; 9+ messages in thread
From: Magali Lemes @ 2023-06-09 16:43 UTC (permalink / raw)
To: davem, edumazet, kuba, pabeni, shuah, vfedorenko, tianjia.zhang
Cc: andrei.gherzan, netdev, linux-kselftest, linux-kernel
TLS selftests use the ChaCha20-Poly1305 and SM4 algorithms, which are not
FIPS compliant. When fips=1, this set of tests fails. Add a check and only
run these tests if not in FIPS mode.
Fixes: 4f336e88a870 ("selftests/tls: add CHACHA20-POLY1305 to tls selftests")
Fixes: e506342a03c7 ("selftests/tls: add SM4 GCM/CCM to tls selftests")
Signed-off-by: Magali Lemes <magali.lemes@canonical.com>
---
Changes in v2:
- Put fips_non_compliant into the variants.
- Turn fips_enabled into a static global variable.
- Read /proc/sys/crypto/fips_enabled only once at main().
tools/testing/selftests/net/tls.c | 175 +++++++++++++++++++++++++++++-
1 file changed, 174 insertions(+), 1 deletion(-)
diff --git a/tools/testing/selftests/net/tls.c b/tools/testing/selftests/net/tls.c
index e699548d4247..0725c60f227c 100644
--- a/tools/testing/selftests/net/tls.c
+++ b/tools/testing/selftests/net/tls.c
@@ -25,6 +25,8 @@
#define TLS_PAYLOAD_MAX_LEN 16384
#define SOL_TLS 282
+static int fips_enabled = 0;
+
struct tls_crypto_info_keys {
union {
struct tls12_crypto_info_aes_gcm_128 aes128;
@@ -235,7 +237,7 @@ FIXTURE_VARIANT(tls)
{
uint16_t tls_version;
uint16_t cipher_type;
- bool nopad;
+ bool nopad, fips_non_compliant;
};
FIXTURE_VARIANT_ADD(tls, 12_aes_gcm)
@@ -254,24 +256,28 @@ FIXTURE_VARIANT_ADD(tls, 12_chacha)
{
.tls_version = TLS_1_2_VERSION,
.cipher_type = TLS_CIPHER_CHACHA20_POLY1305,
+ .fips_non_compliant = true,
};
FIXTURE_VARIANT_ADD(tls, 13_chacha)
{
.tls_version = TLS_1_3_VERSION,
.cipher_type = TLS_CIPHER_CHACHA20_POLY1305,
+ .fips_non_compliant = true,
};
FIXTURE_VARIANT_ADD(tls, 13_sm4_gcm)
{
.tls_version = TLS_1_3_VERSION,
.cipher_type = TLS_CIPHER_SM4_GCM,
+ .fips_non_compliant = true,
};
FIXTURE_VARIANT_ADD(tls, 13_sm4_ccm)
{
.tls_version = TLS_1_3_VERSION,
.cipher_type = TLS_CIPHER_SM4_CCM,
+ .fips_non_compliant = true,
};
FIXTURE_VARIANT_ADD(tls, 12_aes_ccm)
@@ -311,6 +317,9 @@ FIXTURE_SETUP(tls)
int one = 1;
int ret;
+ if (fips_enabled && variant->fips_non_compliant)
+ return;
+
tls_crypto_info_init(variant->tls_version, variant->cipher_type,
&tls12);
@@ -343,6 +352,9 @@ TEST_F(tls, sendfile)
int filefd = open("/proc/self/exe", O_RDONLY);
struct stat st;
+ if (fips_enabled && variant->fips_non_compliant)
+ SKIP(return, "Unsupported cipher in FIPS mode");
+
EXPECT_GE(filefd, 0);
fstat(filefd, &st);
EXPECT_GE(sendfile(self->fd, filefd, 0, st.st_size), 0);
@@ -357,6 +369,9 @@ TEST_F(tls, send_then_sendfile)
struct stat st;
char *buf;
+ if (fips_enabled && variant->fips_non_compliant)
+ SKIP(return, "Unsupported cipher in FIPS mode");
+
EXPECT_GE(filefd, 0);
fstat(filefd, &st);
buf = (char *)malloc(st.st_size);
@@ -406,6 +421,10 @@ static void chunked_sendfile(struct __test_metadata *_metadata,
TEST_F(tls, multi_chunk_sendfile)
{
+
+ if (fips_enabled && variant->fips_non_compliant)
+ SKIP(return, "Unsupported cipher in FIPS mode");
+
chunked_sendfile(_metadata, self, 4096, 4096);
chunked_sendfile(_metadata, self, 4096, 0);
chunked_sendfile(_metadata, self, 4096, 1);
@@ -433,6 +452,9 @@ TEST_F(tls, recv_max)
char recv_mem[TLS_PAYLOAD_MAX_LEN];
char buf[TLS_PAYLOAD_MAX_LEN];
+ if (fips_enabled && variant->fips_non_compliant)
+ SKIP(return, "Unsupported cipher in FIPS mode");
+
memrnd(buf, sizeof(buf));
EXPECT_GE(send(self->fd, buf, send_len, 0), 0);
@@ -446,6 +468,9 @@ TEST_F(tls, recv_small)
int send_len = 10;
char buf[10];
+ if (fips_enabled && variant->fips_non_compliant)
+ SKIP(return, "Unsupported cipher in FIPS mode");
+
send_len = strlen(test_str) + 1;
EXPECT_EQ(send(self->fd, test_str, send_len, 0), send_len);
EXPECT_NE(recv(self->cfd, buf, send_len, 0), -1);
@@ -458,6 +483,9 @@ TEST_F(tls, msg_more)
int send_len = 10;
char buf[10 * 2];
+ if (fips_enabled && variant->fips_non_compliant)
+ SKIP(return, "Unsupported cipher in FIPS mode");
+
EXPECT_EQ(send(self->fd, test_str, send_len, MSG_MORE), send_len);
EXPECT_EQ(recv(self->cfd, buf, send_len, MSG_DONTWAIT), -1);
EXPECT_EQ(send(self->fd, test_str, send_len, 0), send_len);
@@ -472,6 +500,9 @@ TEST_F(tls, msg_more_unsent)
int send_len = 10;
char buf[10];
+ if (fips_enabled && variant->fips_non_compliant)
+ SKIP(return, "Unsupported cipher in FIPS mode");
+
EXPECT_EQ(send(self->fd, test_str, send_len, MSG_MORE), send_len);
EXPECT_EQ(recv(self->cfd, buf, send_len, MSG_DONTWAIT), -1);
}
@@ -485,6 +516,9 @@ TEST_F(tls, sendmsg_single)
struct iovec vec;
char buf[13];
+ if (fips_enabled && variant->fips_non_compliant)
+ SKIP(return, "Unsupported cipher in FIPS mode");
+
vec.iov_base = (char *)test_str;
vec.iov_len = send_len;
memset(&msg, 0, sizeof(struct msghdr));
@@ -505,6 +539,9 @@ TEST_F(tls, sendmsg_fragmented)
struct msghdr msg;
int i, frags;
+ if (fips_enabled && variant->fips_non_compliant)
+ SKIP(return, "Unsupported cipher in FIPS mode");
+
for (frags = 1; frags <= MAX_FRAGS; frags++) {
for (i = 0; i < frags; i++) {
vec[i].iov_base = (char *)test_str;
@@ -536,6 +573,9 @@ TEST_F(tls, sendmsg_large)
size_t recvs = 0;
size_t sent = 0;
+ if (fips_enabled && variant->fips_non_compliant)
+ SKIP(return, "Unsupported cipher in FIPS mode");
+
memset(&msg, 0, sizeof(struct msghdr));
while (sent++ < sends) {
struct iovec vec = { (void *)mem, send_len };
@@ -564,6 +604,9 @@ TEST_F(tls, sendmsg_multiple)
char *buf;
int i;
+ if (fips_enabled && variant->fips_non_compliant)
+ SKIP(return, "Unsupported cipher in FIPS mode");
+
memset(&msg, 0, sizeof(struct msghdr));
for (i = 0; i < iov_len; i++) {
test_strs[i] = (char *)malloc(strlen(test_str) + 1);
@@ -601,6 +644,9 @@ TEST_F(tls, sendmsg_multiple_stress)
int len_cmp = 0;
int i;
+ if (fips_enabled && variant->fips_non_compliant)
+ SKIP(return, "Unsupported cipher in FIPS mode");
+
memset(&msg, 0, sizeof(struct msghdr));
for (i = 0; i < iov_len; i++) {
test_strs[i] = (char *)malloc(strlen(test_str) + 1);
@@ -629,6 +675,9 @@ TEST_F(tls, splice_from_pipe)
char mem_recv[TLS_PAYLOAD_MAX_LEN];
int p[2];
+ if (fips_enabled && variant->fips_non_compliant)
+ SKIP(return, "Unsupported cipher in FIPS mode");
+
ASSERT_GE(pipe(p), 0);
EXPECT_GE(write(p[1], mem_send, send_len), 0);
EXPECT_GE(splice(p[0], NULL, self->fd, NULL, send_len, 0), 0);
@@ -644,6 +693,9 @@ TEST_F(tls, splice_from_pipe2)
int p2[2];
int p[2];
+ if (fips_enabled && variant->fips_non_compliant)
+ SKIP(return, "Unsupported cipher in FIPS mode");
+
memrnd(mem_send, sizeof(mem_send));
ASSERT_GE(pipe(p), 0);
@@ -666,6 +718,9 @@ TEST_F(tls, send_and_splice)
char buf[10];
int p[2];
+ if (fips_enabled && variant->fips_non_compliant)
+ SKIP(return, "Unsupported cipher in FIPS mode");
+
ASSERT_GE(pipe(p), 0);
EXPECT_EQ(send(self->fd, test_str, send_len2, 0), send_len2);
EXPECT_EQ(recv(self->cfd, buf, send_len2, MSG_WAITALL), send_len2);
@@ -685,6 +740,9 @@ TEST_F(tls, splice_to_pipe)
char mem_recv[TLS_PAYLOAD_MAX_LEN];
int p[2];
+ if (fips_enabled && variant->fips_non_compliant)
+ SKIP(return, "Unsupported cipher in FIPS mode");
+
memrnd(mem_send, sizeof(mem_send));
ASSERT_GE(pipe(p), 0);
@@ -705,6 +763,9 @@ TEST_F(tls, splice_cmsg_to_pipe)
if (self->notls)
SKIP(return, "no TLS support");
+ if (fips_enabled && variant->fips_non_compliant)
+ SKIP(return, "Unsupported cipher in FIPS mode");
+
ASSERT_GE(pipe(p), 0);
EXPECT_EQ(tls_send_cmsg(self->fd, 100, test_str, send_len, 0), 10);
EXPECT_EQ(splice(self->cfd, NULL, p[1], NULL, send_len, 0), -1);
@@ -728,6 +789,9 @@ TEST_F(tls, splice_dec_cmsg_to_pipe)
if (self->notls)
SKIP(return, "no TLS support");
+ if (fips_enabled && variant->fips_non_compliant)
+ SKIP(return, "Unsupported cipher in FIPS mode");
+
ASSERT_GE(pipe(p), 0);
EXPECT_EQ(tls_send_cmsg(self->fd, 100, test_str, send_len, 0), 10);
EXPECT_EQ(recv(self->cfd, buf, send_len, 0), -1);
@@ -748,6 +812,9 @@ TEST_F(tls, recv_and_splice)
int half = send_len / 2;
int p[2];
+ if (fips_enabled && variant->fips_non_compliant)
+ SKIP(return, "Unsupported cipher in FIPS mode");
+
ASSERT_GE(pipe(p), 0);
EXPECT_EQ(send(self->fd, mem_send, send_len, 0), send_len);
/* Recv hald of the record, splice the other half */
@@ -766,6 +833,9 @@ TEST_F(tls, peek_and_splice)
int chunk = TLS_PAYLOAD_MAX_LEN / 4;
int n, i, p[2];
+ if (fips_enabled && variant->fips_non_compliant)
+ SKIP(return, "Unsupported cipher in FIPS mode");
+
memrnd(mem_send, sizeof(mem_send));
ASSERT_GE(pipe(p), 0);
@@ -797,6 +867,9 @@ TEST_F(tls, recvmsg_single)
struct msghdr hdr;
struct iovec vec;
+ if (fips_enabled && variant->fips_non_compliant)
+ SKIP(return, "Unsupported cipher in FIPS mode");
+
memset(&hdr, 0, sizeof(hdr));
EXPECT_EQ(send(self->fd, test_str, send_len, 0), send_len);
vec.iov_base = (char *)buf;
@@ -815,6 +888,9 @@ TEST_F(tls, recvmsg_single_max)
struct iovec vec;
struct msghdr hdr;
+ if (fips_enabled && variant->fips_non_compliant)
+ SKIP(return, "Unsupported cipher in FIPS mode");
+
memrnd(send_mem, sizeof(send_mem));
EXPECT_EQ(send(self->fd, send_mem, send_len, 0), send_len);
@@ -840,6 +916,9 @@ TEST_F(tls, recvmsg_multiple)
memrnd(buf, sizeof(buf));
+ if (fips_enabled && variant->fips_non_compliant)
+ SKIP(return, "Unsupported cipher in FIPS mode");
+
EXPECT_EQ(send(self->fd, buf, send_len, 0), send_len);
for (i = 0; i < msg_iovlen; i++) {
iov_base[i] = (char *)malloc(iov_len);
@@ -862,6 +941,9 @@ TEST_F(tls, single_send_multiple_recv)
char send_mem[TLS_PAYLOAD_MAX_LEN * 2];
char recv_mem[TLS_PAYLOAD_MAX_LEN * 2];
+ if (fips_enabled && variant->fips_non_compliant)
+ SKIP(return, "Unsupported cipher in FIPS mode");
+
memrnd(send_mem, sizeof(send_mem));
EXPECT_GE(send(self->fd, send_mem, total_len, 0), 0);
@@ -879,6 +961,9 @@ TEST_F(tls, multiple_send_single_recv)
char recv_mem[2 * 10];
char send_mem[10];
+ if (fips_enabled && variant->fips_non_compliant)
+ SKIP(return, "Unsupported cipher in FIPS mode");
+
memrnd(send_mem, sizeof(send_mem));
EXPECT_GE(send(self->fd, send_mem, send_len, 0), 0);
@@ -897,6 +982,9 @@ TEST_F(tls, single_send_multiple_recv_non_align)
char recv_mem[recv_len * 2];
char send_mem[total_len];
+ if (fips_enabled && variant->fips_non_compliant)
+ SKIP(return, "Unsupported cipher in FIPS mode");
+
memrnd(send_mem, sizeof(send_mem));
EXPECT_GE(send(self->fd, send_mem, total_len, 0), 0);
@@ -915,6 +1003,9 @@ TEST_F(tls, recv_partial)
int send_len = strlen(test_str) + 1;
char recv_mem[18];
+ if (fips_enabled && variant->fips_non_compliant)
+ SKIP(return, "Unsupported cipher in FIPS mode");
+
memset(recv_mem, 0, sizeof(recv_mem));
EXPECT_EQ(send(self->fd, test_str, send_len, 0), send_len);
EXPECT_NE(recv(self->cfd, recv_mem, strlen(test_str_first),
@@ -932,6 +1023,9 @@ TEST_F(tls, recv_nonblock)
char buf[4096];
bool err;
+ if (fips_enabled && variant->fips_non_compliant)
+ SKIP(return, "Unsupported cipher in FIPS mode");
+
EXPECT_EQ(recv(self->cfd, buf, sizeof(buf), MSG_DONTWAIT), -1);
err = (errno == EAGAIN || errno == EWOULDBLOCK);
EXPECT_EQ(err, true);
@@ -943,6 +1037,9 @@ TEST_F(tls, recv_peek)
int send_len = strlen(test_str) + 1;
char buf[15];
+ if (fips_enabled && variant->fips_non_compliant)
+ SKIP(return, "Unsupported cipher in FIPS mode");
+
EXPECT_EQ(send(self->fd, test_str, send_len, 0), send_len);
EXPECT_EQ(recv(self->cfd, buf, send_len, MSG_PEEK), send_len);
EXPECT_EQ(memcmp(test_str, buf, send_len), 0);
@@ -959,6 +1056,9 @@ TEST_F(tls, recv_peek_multiple)
char buf[15];
int i;
+ if (fips_enabled && variant->fips_non_compliant)
+ SKIP(return, "Unsupported cipher in FIPS mode");
+
EXPECT_EQ(send(self->fd, test_str, send_len, 0), send_len);
for (i = 0; i < num_peeks; i++) {
EXPECT_NE(recv(self->cfd, buf, send_len, MSG_PEEK), -1);
@@ -977,6 +1077,9 @@ TEST_F(tls, recv_peek_multiple_records)
int len;
char buf[64];
+ if (fips_enabled && variant->fips_non_compliant)
+ SKIP(return, "Unsupported cipher in FIPS mode");
+
len = strlen(test_str_first);
EXPECT_EQ(send(self->fd, test_str_first, len, 0), len);
@@ -1026,6 +1129,9 @@ TEST_F(tls, recv_peek_large_buf_mult_recs)
int len;
char buf[64];
+ if (fips_enabled && variant->fips_non_compliant)
+ SKIP(return, "Unsupported cipher in FIPS mode");
+
len = strlen(test_str_first);
EXPECT_EQ(send(self->fd, test_str_first, len, 0), len);
@@ -1046,6 +1152,9 @@ TEST_F(tls, recv_lowat)
char recv_mem[20];
int lowat = 8;
+ if (fips_enabled && variant->fips_non_compliant)
+ SKIP(return, "Unsupported cipher in FIPS mode");
+
EXPECT_EQ(send(self->fd, send_mem, 10, 0), 10);
EXPECT_EQ(send(self->fd, send_mem, 5, 0), 5);
@@ -1067,6 +1176,9 @@ TEST_F(tls, bidir)
char buf[10];
int ret;
+ if (fips_enabled && variant->fips_non_compliant)
+ SKIP(return, "Unsupported cipher in FIPS mode");
+
if (!self->notls) {
struct tls_crypto_info_keys tls12;
@@ -1102,6 +1214,9 @@ TEST_F(tls, pollin)
char buf[10];
int send_len = 10;
+ if (fips_enabled && variant->fips_non_compliant)
+ SKIP(return, "Unsupported cipher in FIPS mode");
+
EXPECT_EQ(send(self->fd, test_str, send_len, 0), send_len);
fd.fd = self->cfd;
fd.events = POLLIN;
@@ -1120,6 +1235,9 @@ TEST_F(tls, poll_wait)
struct pollfd fd = { 0, 0, 0 };
char recv_mem[15];
+ if (fips_enabled && variant->fips_non_compliant)
+ SKIP(return, "Unsupported cipher in FIPS mode");
+
fd.fd = self->cfd;
fd.events = POLLIN;
EXPECT_EQ(send(self->fd, test_str, send_len, 0), send_len);
@@ -1135,6 +1253,9 @@ TEST_F(tls, poll_wait_split)
char send_mem[20] = {};
char recv_mem[15];
+ if (fips_enabled && variant->fips_non_compliant)
+ SKIP(return, "Unsupported cipher in FIPS mode");
+
fd.fd = self->cfd;
fd.events = POLLIN;
/* Send 20 bytes */
@@ -1160,6 +1281,9 @@ TEST_F(tls, blocking)
size_t data = 100000;
int res = fork();
+ if (fips_enabled && variant->fips_non_compliant)
+ SKIP(return, "Unsupported cipher in FIPS mode");
+
EXPECT_NE(res, -1);
if (res) {
@@ -1202,6 +1326,9 @@ TEST_F(tls, nonblocking)
int flags;
int res;
+ if (fips_enabled && variant->fips_non_compliant)
+ SKIP(return, "Unsupported cipher in FIPS mode");
+
flags = fcntl(self->fd, F_GETFL, 0);
fcntl(self->fd, F_SETFL, flags | O_NONBLOCK);
fcntl(self->cfd, F_SETFL, flags | O_NONBLOCK);
@@ -1343,31 +1470,49 @@ test_mutliproc(struct __test_metadata *_metadata, struct _test_data_tls *self,
TEST_F(tls, mutliproc_even)
{
+ if (fips_enabled && variant->fips_non_compliant)
+ SKIP(return, "Unsupported cipher in FIPS mode");
+
test_mutliproc(_metadata, self, false, 6, 6);
}
TEST_F(tls, mutliproc_readers)
{
+ if (fips_enabled && variant->fips_non_compliant)
+ SKIP(return, "Unsupported cipher in FIPS mode");
+
test_mutliproc(_metadata, self, false, 4, 12);
}
TEST_F(tls, mutliproc_writers)
{
+ if (fips_enabled && variant->fips_non_compliant)
+ SKIP(return, "Unsupported cipher in FIPS mode");
+
test_mutliproc(_metadata, self, false, 10, 2);
}
TEST_F(tls, mutliproc_sendpage_even)
{
+ if (fips_enabled && variant->fips_non_compliant)
+ SKIP(return, "Unsupported cipher in FIPS mode");
+
test_mutliproc(_metadata, self, true, 6, 6);
}
TEST_F(tls, mutliproc_sendpage_readers)
{
+ if (fips_enabled && variant->fips_non_compliant)
+ SKIP(return, "Unsupported cipher in FIPS mode");
+
test_mutliproc(_metadata, self, true, 4, 12);
}
TEST_F(tls, mutliproc_sendpage_writers)
{
+ if (fips_enabled && variant->fips_non_compliant)
+ SKIP(return, "Unsupported cipher in FIPS mode");
+
test_mutliproc(_metadata, self, true, 10, 2);
}
@@ -1378,6 +1523,9 @@ TEST_F(tls, control_msg)
int send_len = 10;
char buf[10];
+ if (fips_enabled && variant->fips_non_compliant)
+ SKIP(return, "Unsupported cipher in FIPS mode");
+
if (self->notls)
SKIP(return, "no TLS support");
@@ -1406,6 +1554,9 @@ TEST_F(tls, shutdown)
int send_len = 10;
char buf[10];
+ if (fips_enabled && variant->fips_non_compliant)
+ SKIP(return, "Unsupported cipher in FIPS mode");
+
ASSERT_EQ(strlen(test_str) + 1, send_len);
EXPECT_EQ(send(self->fd, test_str, send_len, 0), send_len);
@@ -1421,6 +1572,9 @@ TEST_F(tls, shutdown_unsent)
char const *test_str = "test_read";
int send_len = 10;
+ if (fips_enabled && variant->fips_non_compliant)
+ SKIP(return, "Unsupported cipher in FIPS mode");
+
EXPECT_EQ(send(self->fd, test_str, send_len, MSG_MORE), send_len);
shutdown(self->fd, SHUT_RDWR);
@@ -1432,6 +1586,9 @@ TEST_F(tls, shutdown_reuse)
struct sockaddr_in addr;
int ret;
+ if (fips_enabled && variant->fips_non_compliant)
+ SKIP(return, "Unsupported cipher in FIPS mode");
+
shutdown(self->fd, SHUT_RDWR);
shutdown(self->cfd, SHUT_RDWR);
close(self->cfd);
@@ -1865,4 +2022,20 @@ TEST(prequeue) {
close(cfd);
}
+#define main test_main
TEST_HARNESS_MAIN
+#undef main
+int main(int argc, char **argv) {
+ int res;
+ FILE *f;
+
+ f = fopen("/proc/sys/crypto/fips_enabled", "r");
+ if (f) {
+ res = fscanf(f, "%d", &fips_enabled);
+ if (res != 1)
+ ksft_print_msg("ERROR: Couldn't read /proc/sys/crypto/fips_enabled\n");
+ fclose(f);
+ }
+
+ return test_main(argc, argv);
+}
--
2.34.1
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [PATCH net v2 2/3] selftests: net: vrf-xfrm-tests: change authentication and encryption algos
2023-06-09 16:43 [PATCH net v2 0/3] Check if FIPS mode is enabled when running selftests Magali Lemes
2023-06-09 16:43 ` [PATCH net v2 1/3] selftests: net: tls: check if FIPS mode is enabled Magali Lemes
@ 2023-06-09 16:43 ` Magali Lemes
2023-06-09 16:43 ` [PATCH net v2 3/3] selftests: net: fcnal-test: check if FIPS mode is enabled Magali Lemes
2 siblings, 0 replies; 9+ messages in thread
From: Magali Lemes @ 2023-06-09 16:43 UTC (permalink / raw)
To: davem, edumazet, kuba, pabeni, shuah, dsahern
Cc: andrei.gherzan, David Ahern, netdev, linux-kselftest,
linux-kernel
The vrf-xfrm-tests tests use the hmac(md5) and cbc(des3_ede)
algorithms for performing authentication and encryption, respectively.
This causes the tests to fail when fips=1 is set, since these algorithms
are not allowed in FIPS mode. Therefore, switch from hmac(md5) and
cbc(des3_ede) to hmac(sha1) and cbc(aes), which are FIPS compliant.
Fixes: 3f251d741150 ("selftests: Add tests for vrf and xfrms")
Reviewed-by: David Ahern <dsahern@kernel.org>
Signed-off-by: Magali Lemes <magali.lemes@canonical.com>
---
Changes in v2:
- Add R-b tag.
tools/testing/selftests/net/vrf-xfrm-tests.sh | 32 +++++++++----------
1 file changed, 16 insertions(+), 16 deletions(-)
diff --git a/tools/testing/selftests/net/vrf-xfrm-tests.sh b/tools/testing/selftests/net/vrf-xfrm-tests.sh
index 184da81f554f..452638ae8aed 100755
--- a/tools/testing/selftests/net/vrf-xfrm-tests.sh
+++ b/tools/testing/selftests/net/vrf-xfrm-tests.sh
@@ -264,60 +264,60 @@ setup_xfrm()
ip -netns host1 xfrm state add src ${HOST1_4} dst ${HOST2_4} \
proto esp spi ${SPI_1} reqid 0 mode tunnel \
replay-window 4 replay-oseq 0x4 \
- auth-trunc 'hmac(md5)' ${AUTH_1} 96 \
- enc 'cbc(des3_ede)' ${ENC_1} \
+ auth-trunc 'hmac(sha1)' ${AUTH_1} 96 \
+ enc 'cbc(aes)' ${ENC_1} \
sel src ${h1_4} dst ${h2_4} ${devarg}
ip -netns host2 xfrm state add src ${HOST1_4} dst ${HOST2_4} \
proto esp spi ${SPI_1} reqid 0 mode tunnel \
replay-window 4 replay-oseq 0x4 \
- auth-trunc 'hmac(md5)' ${AUTH_1} 96 \
- enc 'cbc(des3_ede)' ${ENC_1} \
+ auth-trunc 'hmac(sha1)' ${AUTH_1} 96 \
+ enc 'cbc(aes)' ${ENC_1} \
sel src ${h1_4} dst ${h2_4}
ip -netns host1 xfrm state add src ${HOST2_4} dst ${HOST1_4} \
proto esp spi ${SPI_2} reqid 0 mode tunnel \
replay-window 4 replay-oseq 0x4 \
- auth-trunc 'hmac(md5)' ${AUTH_2} 96 \
- enc 'cbc(des3_ede)' ${ENC_2} \
+ auth-trunc 'hmac(sha1)' ${AUTH_2} 96 \
+ enc 'cbc(aes)' ${ENC_2} \
sel src ${h2_4} dst ${h1_4} ${devarg}
ip -netns host2 xfrm state add src ${HOST2_4} dst ${HOST1_4} \
proto esp spi ${SPI_2} reqid 0 mode tunnel \
replay-window 4 replay-oseq 0x4 \
- auth-trunc 'hmac(md5)' ${AUTH_2} 96 \
- enc 'cbc(des3_ede)' ${ENC_2} \
+ auth-trunc 'hmac(sha1)' ${AUTH_2} 96 \
+ enc 'cbc(aes)' ${ENC_2} \
sel src ${h2_4} dst ${h1_4}
ip -6 -netns host1 xfrm state add src ${HOST1_6} dst ${HOST2_6} \
proto esp spi ${SPI_1} reqid 0 mode tunnel \
replay-window 4 replay-oseq 0x4 \
- auth-trunc 'hmac(md5)' ${AUTH_1} 96 \
- enc 'cbc(des3_ede)' ${ENC_1} \
+ auth-trunc 'hmac(sha1)' ${AUTH_1} 96 \
+ enc 'cbc(aes)' ${ENC_1} \
sel src ${h1_6} dst ${h2_6} ${devarg}
ip -6 -netns host2 xfrm state add src ${HOST1_6} dst ${HOST2_6} \
proto esp spi ${SPI_1} reqid 0 mode tunnel \
replay-window 4 replay-oseq 0x4 \
- auth-trunc 'hmac(md5)' ${AUTH_1} 96 \
- enc 'cbc(des3_ede)' ${ENC_1} \
+ auth-trunc 'hmac(sha1)' ${AUTH_1} 96 \
+ enc 'cbc(aes)' ${ENC_1} \
sel src ${h1_6} dst ${h2_6}
ip -6 -netns host1 xfrm state add src ${HOST2_6} dst ${HOST1_6} \
proto esp spi ${SPI_2} reqid 0 mode tunnel \
replay-window 4 replay-oseq 0x4 \
- auth-trunc 'hmac(md5)' ${AUTH_2} 96 \
- enc 'cbc(des3_ede)' ${ENC_2} \
+ auth-trunc 'hmac(sha1)' ${AUTH_2} 96 \
+ enc 'cbc(aes)' ${ENC_2} \
sel src ${h2_6} dst ${h1_6} ${devarg}
ip -6 -netns host2 xfrm state add src ${HOST2_6} dst ${HOST1_6} \
proto esp spi ${SPI_2} reqid 0 mode tunnel \
replay-window 4 replay-oseq 0x4 \
- auth-trunc 'hmac(md5)' ${AUTH_2} 96 \
- enc 'cbc(des3_ede)' ${ENC_2} \
+ auth-trunc 'hmac(sha1)' ${AUTH_2} 96 \
+ enc 'cbc(aes)' ${ENC_2} \
sel src ${h2_6} dst ${h1_6}
}
--
2.34.1
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [PATCH net v2 3/3] selftests: net: fcnal-test: check if FIPS mode is enabled
2023-06-09 16:43 [PATCH net v2 0/3] Check if FIPS mode is enabled when running selftests Magali Lemes
2023-06-09 16:43 ` [PATCH net v2 1/3] selftests: net: tls: check if FIPS mode is enabled Magali Lemes
2023-06-09 16:43 ` [PATCH net v2 2/3] selftests: net: vrf-xfrm-tests: change authentication and encryption algos Magali Lemes
@ 2023-06-09 16:43 ` Magali Lemes
2 siblings, 0 replies; 9+ messages in thread
From: Magali Lemes @ 2023-06-09 16:43 UTC (permalink / raw)
To: davem, edumazet, kuba, pabeni, shuah, dsahern
Cc: andrei.gherzan, David Ahern, netdev, linux-kselftest,
linux-kernel
There are some MD5 tests which fail when the kernel is in FIPS mode,
since MD5 is not FIPS compliant. Add a check and only run those tests
if FIPS mode is not enabled.
Fixes: f0bee1ebb5594 ("fcnal-test: Add TCP MD5 tests")
Fixes: 5cad8bce26e01 ("fcnal-test: Add TCP MD5 tests for VRF")
Reviewed-by: David Ahern <dsahern@kernel.org>
Signed-off-by: Magali Lemes <magali.lemes@canonical.com>
---
Changes in v2:
- Add R-b tag.
tools/testing/selftests/net/fcnal-test.sh | 27 ++++++++++++++++-------
1 file changed, 19 insertions(+), 8 deletions(-)
diff --git a/tools/testing/selftests/net/fcnal-test.sh b/tools/testing/selftests/net/fcnal-test.sh
index 21ca91473c09..ee6880ac3e5e 100755
--- a/tools/testing/selftests/net/fcnal-test.sh
+++ b/tools/testing/selftests/net/fcnal-test.sh
@@ -92,6 +92,13 @@ NSC_CMD="ip netns exec ${NSC}"
which ping6 > /dev/null 2>&1 && ping6=$(which ping6) || ping6=$(which ping)
+# Check if FIPS mode is enabled
+if [ -f /proc/sys/crypto/fips_enabled ]; then
+ fips_enabled=`cat /proc/sys/crypto/fips_enabled`
+else
+ fips_enabled=0
+fi
+
################################################################################
# utilities
@@ -1216,7 +1223,7 @@ ipv4_tcp_novrf()
run_cmd nettest -d ${NSA_DEV} -r ${a}
log_test_addr ${a} $? 1 "No server, device client, local conn"
- ipv4_tcp_md5_novrf
+ [ "$fips_enabled" = "1" ] || ipv4_tcp_md5_novrf
}
ipv4_tcp_vrf()
@@ -1270,9 +1277,11 @@ ipv4_tcp_vrf()
log_test_addr ${a} $? 1 "Global server, local connection"
# run MD5 tests
- setup_vrf_dup
- ipv4_tcp_md5
- cleanup_vrf_dup
+ if [ "$fips_enabled" = "0" ]; then
+ setup_vrf_dup
+ ipv4_tcp_md5
+ cleanup_vrf_dup
+ fi
#
# enable VRF global server
@@ -2772,7 +2781,7 @@ ipv6_tcp_novrf()
log_test_addr ${a} $? 1 "No server, device client, local conn"
done
- ipv6_tcp_md5_novrf
+ [ "$fips_enabled" = "1" ] || ipv6_tcp_md5_novrf
}
ipv6_tcp_vrf()
@@ -2842,9 +2851,11 @@ ipv6_tcp_vrf()
log_test_addr ${a} $? 1 "Global server, local connection"
# run MD5 tests
- setup_vrf_dup
- ipv6_tcp_md5
- cleanup_vrf_dup
+ if [ "$fips_enabled" = "0" ]; then
+ setup_vrf_dup
+ ipv6_tcp_md5
+ cleanup_vrf_dup
+ fi
#
# enable VRF global server
--
2.34.1
^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [PATCH net v2 1/3] selftests: net: tls: check if FIPS mode is enabled
2023-06-09 16:43 ` [PATCH net v2 1/3] selftests: net: tls: check if FIPS mode is enabled Magali Lemes
@ 2023-06-09 17:53 ` Jakub Kicinski
2023-06-09 18:52 ` Magali Lemes do Sacramento
2023-06-09 20:15 ` Magali Lemes do Sacramento
0 siblings, 2 replies; 9+ messages in thread
From: Jakub Kicinski @ 2023-06-09 17:53 UTC (permalink / raw)
To: Magali Lemes
Cc: davem, edumazet, pabeni, shuah, vfedorenko, tianjia.zhang,
andrei.gherzan, netdev, linux-kselftest, linux-kernel
On Fri, 9 Jun 2023 13:43:22 -0300 Magali Lemes wrote:
> diff --git a/tools/testing/selftests/net/tls.c b/tools/testing/selftests/net/tls.c
> index e699548d4247..0725c60f227c 100644
> --- a/tools/testing/selftests/net/tls.c
> +++ b/tools/testing/selftests/net/tls.c
> @@ -25,6 +25,8 @@
> #define TLS_PAYLOAD_MAX_LEN 16384
> #define SOL_TLS 282
>
> +static int fips_enabled = 0;
No need to zero init static variables, but really instead of doing
the main() hack you should init this to a return value of a function.
And have that function read the value.
> struct tls_crypto_info_keys {
> union {
> struct tls12_crypto_info_aes_gcm_128 aes128;
> @@ -311,6 +317,9 @@ FIXTURE_SETUP(tls)
> int one = 1;
> int ret;
>
> + if (fips_enabled && variant->fips_non_compliant)
> + return;
Eh, let me help you, this should really be part of the SETUP() function
but SETUP() doesn't currently handle SKIP(). So you'll need to add this
to your series:
diff --git a/tools/testing/selftests/kselftest_harness.h b/tools/testing/selftests/kselftest_harness.h
index d8bff2005dfc..3091c345452e 100644
--- a/tools/testing/selftests/kselftest_harness.h
+++ b/tools/testing/selftests/kselftest_harness.h
@@ -249,7 +249,7 @@
/**
* FIXTURE_SETUP() - Prepares the setup function for the fixture.
- * *_metadata* is included so that EXPECT_* and ASSERT_* work correctly.
+ * *_metadata* is included so that EXPECT_*, ASSERT_* etc. work correctly.
*
* @fixture_name: fixture name
*
@@ -275,7 +275,7 @@
/**
* FIXTURE_TEARDOWN()
- * *_metadata* is included so that EXPECT_* and ASSERT_* work correctly.
+ * *_metadata* is included so that EXPECT_*, ASSERT_* etc. work correctly.
*
* @fixture_name: fixture name
*
@@ -388,7 +388,7 @@
if (setjmp(_metadata->env) == 0) { \
fixture_name##_setup(_metadata, &self, variant->data); \
/* Let setup failure terminate early. */ \
- if (!_metadata->passed) \
+ if (!_metadata->passed || _metadata->skip) \
return; \
_metadata->setup_completed = true; \
fixture_name##_##test_name(_metadata, &self, variant->data); \
^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [PATCH net v2 1/3] selftests: net: tls: check if FIPS mode is enabled
2023-06-09 17:53 ` Jakub Kicinski
@ 2023-06-09 18:52 ` Magali Lemes do Sacramento
2023-06-09 19:21 ` Jakub Kicinski
2023-06-09 20:15 ` Magali Lemes do Sacramento
1 sibling, 1 reply; 9+ messages in thread
From: Magali Lemes do Sacramento @ 2023-06-09 18:52 UTC (permalink / raw)
To: Jakub Kicinski
Cc: davem, edumazet, pabeni, shuah, vfedorenko, tianjia.zhang,
andrei.gherzan, netdev, linux-kselftest, linux-kernel
Hi!
On Fri, Jun 9, 2023 at 2:53 PM Jakub Kicinski <kuba@kernel.org> wrote:
>
> On Fri, 9 Jun 2023 13:43:22 -0300 Magali Lemes wrote:
> > diff --git a/tools/testing/selftests/net/tls.c b/tools/testing/selftests/net/tls.c
> > index e699548d4247..0725c60f227c 100644
> > --- a/tools/testing/selftests/net/tls.c
> > +++ b/tools/testing/selftests/net/tls.c
> > @@ -25,6 +25,8 @@
> > #define TLS_PAYLOAD_MAX_LEN 16384
> > #define SOL_TLS 282
> >
> > +static int fips_enabled = 0;
>
> No need to zero init static variables, but really instead of doing
> the main() hack you should init this to a return value of a function.
> And have that function read the value.
>
I'm not sure I understand what you mean here. I agree we want to avoid
reading the /proc/sys/crypto/fips_enabled file for every test.
However, correct me where I'm wrong, if we want to have fips_enabled
as a static global variable I don't think we can directly initialize
it from the return value of a function.
Could you clarify that, please?
Best regards,
Magali
> > struct tls_crypto_info_keys {
> > union {
> > struct tls12_crypto_info_aes_gcm_128 aes128;
>
> > @@ -311,6 +317,9 @@ FIXTURE_SETUP(tls)
> > int one = 1;
> > int ret;
> >
> > + if (fips_enabled && variant->fips_non_compliant)
> > + return;
>
> Eh, let me help you, this should really be part of the SETUP() function
> but SETUP() doesn't currently handle SKIP(). So you'll need to add this
> to your series:
>
> diff --git a/tools/testing/selftests/kselftest_harness.h b/tools/testing/selftests/kselftest_harness.h
> index d8bff2005dfc..3091c345452e 100644
> --- a/tools/testing/selftests/kselftest_harness.h
> +++ b/tools/testing/selftests/kselftest_harness.h
> @@ -249,7 +249,7 @@
>
> /**
> * FIXTURE_SETUP() - Prepares the setup function for the fixture.
> - * *_metadata* is included so that EXPECT_* and ASSERT_* work correctly.
> + * *_metadata* is included so that EXPECT_*, ASSERT_* etc. work correctly.
> *
> * @fixture_name: fixture name
> *
> @@ -275,7 +275,7 @@
>
> /**
> * FIXTURE_TEARDOWN()
> - * *_metadata* is included so that EXPECT_* and ASSERT_* work correctly.
> + * *_metadata* is included so that EXPECT_*, ASSERT_* etc. work correctly.
> *
> * @fixture_name: fixture name
> *
> @@ -388,7 +388,7 @@
> if (setjmp(_metadata->env) == 0) { \
> fixture_name##_setup(_metadata, &self, variant->data); \
> /* Let setup failure terminate early. */ \
> - if (!_metadata->passed) \
> + if (!_metadata->passed || _metadata->skip) \
> return; \
> _metadata->setup_completed = true; \
> fixture_name##_##test_name(_metadata, &self, variant->data); \
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH net v2 1/3] selftests: net: tls: check if FIPS mode is enabled
2023-06-09 18:52 ` Magali Lemes do Sacramento
@ 2023-06-09 19:21 ` Jakub Kicinski
0 siblings, 0 replies; 9+ messages in thread
From: Jakub Kicinski @ 2023-06-09 19:21 UTC (permalink / raw)
To: Magali Lemes do Sacramento
Cc: davem, edumazet, pabeni, shuah, vfedorenko, tianjia.zhang,
andrei.gherzan, netdev, linux-kselftest, linux-kernel
On Fri, 9 Jun 2023 15:52:10 -0300 Magali Lemes do Sacramento wrote:
> > No need to zero init static variables, but really instead of doing
> > the main() hack you should init this to a return value of a function.
> > And have that function read the value.
>
> I'm not sure I understand what you mean here. I agree we want to avoid
> reading the /proc/sys/crypto/fips_enabled file for every test.
> However, correct me where I'm wrong, if we want to have fips_enabled
> as a static global variable I don't think we can directly initialize
> it from the return value of a function.
> Could you clarify that, please?
Hm, I thought that worked, I must be misremembering.
If it doesn't - let's steal the trick that the harness itself uses and
put the init in a function decorated with __attribute__((constructor)).
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH net v2 1/3] selftests: net: tls: check if FIPS mode is enabled
2023-06-09 17:53 ` Jakub Kicinski
2023-06-09 18:52 ` Magali Lemes do Sacramento
@ 2023-06-09 20:15 ` Magali Lemes do Sacramento
2023-06-09 21:08 ` Jakub Kicinski
1 sibling, 1 reply; 9+ messages in thread
From: Magali Lemes do Sacramento @ 2023-06-09 20:15 UTC (permalink / raw)
To: Jakub Kicinski
Cc: davem, edumazet, pabeni, shuah, vfedorenko, tianjia.zhang,
andrei.gherzan, netdev, linux-kselftest, linux-kernel
Hi, Jakub.
On Fri, Jun 9, 2023 at 2:53 PM Jakub Kicinski <kuba@kernel.org> wrote:
>
> On Fri, 9 Jun 2023 13:43:22 -0300 Magali Lemes wrote:
> > diff --git a/tools/testing/selftests/net/tls.c b/tools/testing/selftests/net/tls.c
> > index e699548d4247..0725c60f227c 100644
> > --- a/tools/testing/selftests/net/tls.c
> > +++ b/tools/testing/selftests/net/tls.c
> > @@ -25,6 +25,8 @@
> > #define TLS_PAYLOAD_MAX_LEN 16384
> > #define SOL_TLS 282
> >
> > +static int fips_enabled = 0;
>
> No need to zero init static variables, but really instead of doing
> the main() hack you should init this to a return value of a function.
> And have that function read the value.
>
> > struct tls_crypto_info_keys {
> > union {
> > struct tls12_crypto_info_aes_gcm_128 aes128;
>
> > @@ -311,6 +317,9 @@ FIXTURE_SETUP(tls)
> > int one = 1;
> > int ret;
> >
> > + if (fips_enabled && variant->fips_non_compliant)
> > + return;
>
> Eh, let me help you, this should really be part of the SETUP() function
> but SETUP() doesn't currently handle SKIP(). So you'll need to add this
> to your series:
May I add your Suggested-by tag to this upcoming patch in this patchset v3?
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH net v2 1/3] selftests: net: tls: check if FIPS mode is enabled
2023-06-09 20:15 ` Magali Lemes do Sacramento
@ 2023-06-09 21:08 ` Jakub Kicinski
0 siblings, 0 replies; 9+ messages in thread
From: Jakub Kicinski @ 2023-06-09 21:08 UTC (permalink / raw)
To: Magali Lemes do Sacramento
Cc: davem, edumazet, pabeni, shuah, vfedorenko, tianjia.zhang,
andrei.gherzan, netdev, linux-kselftest, linux-kernel
On Fri, 9 Jun 2023 17:15:38 -0300 Magali Lemes do Sacramento wrote:
> > Eh, let me help you, this should really be part of the SETUP() function
> > but SETUP() doesn't currently handle SKIP(). So you'll need to add this
> > to your series:
>
> May I add your Suggested-by tag to this upcoming patch in this patchset v3?
No strong preference but sure, why not :)
^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2023-06-09 21:08 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-06-09 16:43 [PATCH net v2 0/3] Check if FIPS mode is enabled when running selftests Magali Lemes
2023-06-09 16:43 ` [PATCH net v2 1/3] selftests: net: tls: check if FIPS mode is enabled Magali Lemes
2023-06-09 17:53 ` Jakub Kicinski
2023-06-09 18:52 ` Magali Lemes do Sacramento
2023-06-09 19:21 ` Jakub Kicinski
2023-06-09 20:15 ` Magali Lemes do Sacramento
2023-06-09 21:08 ` Jakub Kicinski
2023-06-09 16:43 ` [PATCH net v2 2/3] selftests: net: vrf-xfrm-tests: change authentication and encryption algos Magali Lemes
2023-06-09 16:43 ` [PATCH net v2 3/3] selftests: net: fcnal-test: check if FIPS mode is enabled Magali Lemes
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).