[v4,4/4] selftests: net: fcnal-test: check if FIPS mode is enabled

Message ID 20230613123222.631897-5-magali.lemes@canonical.com (mailing list archive)
State Accepted
Commit d7a2fc1437f71cb058c7b11bc33dfc19e4bf277a
Series Check if FIPS mode is enabled when running selftests

Commit Message

Magali Lemes June 13, 2023, 12:32 p.m. UTC
There are some MD5 tests which fail when the kernel is in FIPS mode,
since MD5 is not FIPS compliant. Add a check and only run those tests
if FIPS mode is not enabled.

Fixes: f0bee1ebb5594 ("fcnal-test: Add TCP MD5 tests")
Fixes: 5cad8bce26e01 ("fcnal-test: Add TCP MD5 tests for VRF")
Reviewed-by: David Ahern <dsahern@kernel.org>
Signed-off-by: Magali Lemes <magali.lemes@canonical.com>
---
No change in v4.
No change in v3.
 
Changes in v2:
 - Add R-b tag.

 tools/testing/selftests/net/fcnal-test.sh | 27 ++++++++++++++++-------
 1 file changed, 19 insertions(+), 8 deletions(-)

Comments

Matthieu Baerts June 16, 2023, 7:33 p.m. UTC | #1
Hi Magali,

On 13/06/2023 14:32, Magali Lemes wrote:
> There are some MD5 tests which fail when the kernel is in FIPS mode,
> since MD5 is not FIPS compliant. Add a check and only run those tests
> if FIPS mode is not enabled.
> 
> Fixes: f0bee1ebb5594 ("fcnal-test: Add TCP MD5 tests")
> Fixes: 5cad8bce26e01 ("fcnal-test: Add TCP MD5 tests for VRF")
> Reviewed-by: David Ahern <dsahern@kernel.org>
> Signed-off-by: Magali Lemes <magali.lemes@canonical.com>

Thank you for your patch!

FYI, we got a small conflict when merging 'net' in 'net-next' in the
MPTCP tree due to this patch applied in 'net':

  d7a2fc1437f7 ("selftests: net: fcnal-test: check if FIPS mode is enabled")

and this one from 'net-next':

  dd017c72dde6 ("selftests: fcnal: Test SO_DONTROUTE on TCP sockets.")

----- Generic Message -----
The best is to avoid conflicts between 'net' and 'net-next' trees but if
they cannot be avoided when preparing patches, a note about how to fix
them is much appreciated.

The conflict has been resolved on our side[1] and the resolution we
suggest is attached to this email. Please report any issues linked to
this conflict resolution as it might be used by others. If you worked on
the mentioned patches, don't hesitate to ACK this conflict resolution.
---------------------------

Regarding this conflict, I simply took the modifications from both sides.

Cheers,
Matt

[1] https://github.com/multipath-tcp/mptcp_net-next/commit/502f061b9a02

Matthieu Baerts June 16, 2023, 8:16 p.m. UTC | #2
Hi Jakub, Stephen,

On 16/06/2023 21:33, Matthieu Baerts wrote:
> Hi Magali,
> 
> On 13/06/2023 14:32, Magali Lemes wrote:
>> There are some MD5 tests which fail when the kernel is in FIPS mode,
>> since MD5 is not FIPS compliant. Add a check and only run those tests
>> if FIPS mode is not enabled.
>>
>> Fixes: f0bee1ebb5594 ("fcnal-test: Add TCP MD5 tests")
>> Fixes: 5cad8bce26e01 ("fcnal-test: Add TCP MD5 tests for VRF")
>> Reviewed-by: David Ahern <dsahern@kernel.org>
>> Signed-off-by: Magali Lemes <magali.lemes@canonical.com>
> 
> Thank you for your patch!
> 
> FYI, we got a small conflict when merging 'net' in 'net-next' in the
> MPTCP tree due to this patch applied in 'net':

Just in case, I'm starting to publish the Git rerere resolutions for the
conflicts we have when syncing the MPTCP trees with Netdev's "net" and
"net-next" trees. They are available there:

  https://github.com/multipath-tcp/mptcp-upstream-rr-cache

For this specific conflict, the new files are available there:

  https://github.com/multipath-tcp/mptcp-upstream-rr-cache/commit/5091dd

Don't hesitate to tell me if I need to change anything to this repo.

Cheers,
Matt

Patch

diff --git a/tools/testing/selftests/net/fcnal-test.sh b/tools/testing/selftests/net/fcnal-test.sh
index 21ca91473c09..ee6880ac3e5e 100755
--- a/tools/testing/selftests/net/fcnal-test.sh
+++ b/tools/testing/selftests/net/fcnal-test.sh
@@ -92,6 +92,13 @@  NSC_CMD="ip netns exec ${NSC}"
 
 which ping6 > /dev/null 2>&1 && ping6=$(which ping6) || ping6=$(which ping)
 
+# Check if FIPS mode is enabled
+if [ -f /proc/sys/crypto/fips_enabled ]; then
+	fips_enabled=`cat /proc/sys/crypto/fips_enabled`
+else
+	fips_enabled=0
+fi
+
 ################################################################################
 # utilities
 
@@ -1216,7 +1223,7 @@  ipv4_tcp_novrf()
 	run_cmd nettest -d ${NSA_DEV} -r ${a}
 	log_test_addr ${a} $? 1 "No server, device client, local conn"
 
-	ipv4_tcp_md5_novrf
+	[ "$fips_enabled" = "1" ] || ipv4_tcp_md5_novrf
 }
 
 ipv4_tcp_vrf()
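
Review bot: when fips_enabled is 1, the last line of ipv4_tcp_novrf skips ipv4_tcp_md5_novrf without printing anything, so the log of a run on a FIPS kernel gives no hint that the TCP MD5 cases were left out. Emitting a one-line skip message on that path of [ "$fips_enabled" = "1" ] || ipv4_tcp_md5_novrf would make the reduced coverage visible to whoever reads the results.
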
@@ -1270,9 +1277,11 @@  ipv4_tcp_vrf()
 	log_test_addr ${a} $? 1 "Global server, local connection"
 
 	# run MD5 tests
-	setup_vrf_dup
-	ipv4_tcp_md5
-	cleanup_vrf_dup
+	if [ "$fips_enabled" = "0" ]; then
+		setup_vrf_dup
+		ipv4_tcp_md5
+		cleanup_vrf_dup
+	fi
 
 	#
 	# enable VRF global server
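
Review bot: the guard in ipv4_tcp_vrf runs the MD5 block only when the value equals "0", whereas the novrf guard skips only when it equals "1", so the two disagree for any other value (an empty string, for example): the novrf MD5 tests would run while the VRF ones would not. Using the same comparison in both places, for instance [ "$fips_enabled" = "1" ] as the skip condition everywhere, removes that divergence. The "# run MD5 tests" comment above the if could also mention the FIPS condition.
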
@@ -2772,7 +2781,7 @@  ipv6_tcp_novrf()
 		log_test_addr ${a} $? 1 "No server, device client, local conn"
 	done
 
-	ipv6_tcp_md5_novrf
+	[ "$fips_enabled" = "1" ] || ipv6_tcp_md5_novrf
 }
 
 ipv6_tcp_vrf()
@@ -2842,9 +2851,11 @@  ipv6_tcp_vrf()
 	log_test_addr ${a} $? 1 "Global server, local connection"
 
 	# run MD5 tests
-	setup_vrf_dup
-	ipv6_tcp_md5
-	cleanup_vrf_dup
+	if [ "$fips_enabled" = "0" ]; then
+		setup_vrf_dup
+		ipv6_tcp_md5
+		cleanup_vrf_dup
+	fi
 
 	#
 	# enable VRF global server
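
Review bot: the if around setup_vrf_dup / ipv6_tcp_md5 / cleanup_vrf_dup in ipv6_tcp_vrf is the fourth open-coded copy of the fips_enabled check in this patch. A small helper function that answers whether the MD5 tests may run, called from all four sites, would keep the condition in one place and make it easier to extend if further MD5-dependent tests are added to this script.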