From patchwork Wed Jun 7 17:43:00 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Magali Lemes X-Patchwork-Id: 13271046 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6C799C7EE25 for ; Wed, 7 Jun 2023 17:43:28 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232105AbjFGRn1 (ORCPT ); Wed, 7 Jun 2023 13:43:27 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42678 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232120AbjFGRnW (ORCPT ); Wed, 7 Jun 2023 13:43:22 -0400 Received: from smtp-relay-internal-0.canonical.com (smtp-relay-internal-0.canonical.com [185.125.188.122]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4BBB51FD7 for ; Wed, 7 Jun 2023 10:43:18 -0700 (PDT) Received: from mail-ot1-f71.google.com (mail-ot1-f71.google.com [209.85.210.71]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp-relay-internal-0.canonical.com (Postfix) with ESMTPS id C34333F15C for ; Wed, 7 Jun 2023 17:43:15 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com; s=20210705; t=1686159795; bh=bh70dEDRfbjXT/ngJKXaFl7q3s6RJ+sr2Nrb8AyrZUE=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=g7aFjYXmoTZv6yYuqBWiMhhV99u0KnlzD/28NoBeMs8w8kifWiPpyUs2m7tQU16Np xStBHtwKK0QWdaOYuSKcYSF6oxNsyI5S7MZKyUxgy732uWOhUxUe/2O78lvAlBgbzR uF/w9rNcomf72YLDZPYoay5fb1x4nUy67yuBP2ayGWhFAVUwgE9MJ3onPfh58yEgDH tvC0bU0Cyt6Bn0puqN2TuK6bXPd2is7FCdHNZDSe7HEpckg1ZNaYQV2djt97qhod3v 5ZWSqBQBmm3v5Hy+fOdY+NpRQ1YXdaYmBy3pE0Bp417ZnnbiYGj5UUu/Jr9fbtxrYu JX98kpbNOx/jA== Received: by mail-ot1-f71.google.com with SMTP id 46e09a7af769-6b0f6e05ad7so6984962a34.3 for ; Wed, 07 Jun 2023 10:43:15 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1686159794; x=1688751794; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=bh70dEDRfbjXT/ngJKXaFl7q3s6RJ+sr2Nrb8AyrZUE=; b=AdAyWV17Z0krjfRXFfqQySToQls3yP5TXR7W9hTu0wdyizHadKXyH/yGzLwbnFQ/rF hKW4ZYmoNUP5rB1XRH+WqZ1h+NeoKG/PNiXtWJgqhTz/suKnjLSP7djPPk6D4tN4v0gv LOiyebz4X6jismjmTAn8PukxX0QDy20gH3VWknD6g9W5T7D0awqc5gugpmN6Gvx/nP1o YUpVxbb1R3XAyUtMoZqLo/QUP7GlP+zRPUbU3/H6z67eeTS3XbqImBwva0vmVj/8xl6X kaqzbqwa+eJQPw+qkPiIX+ZZ44CUc72hyYMJy6j6uXChNVNbV9tTKaAyA8fuuutP4ISl jydw== X-Gm-Message-State: AC+VfDylkow39H9oQ5HLRZj+ekoH8fbGGANjpACdo+2IlrYBG9DelVE8 y1hLn/U4fn4RftzSgBdkO3RXFjLZEuHgjrNmLNFTUbeCUekeDI73XX+zq6AP1w2RhaWnRNXPwu7 orrUuhWcjVnrXcx1cHGwo69VjmoAihot1pQUkEOXGd7uH4A== X-Received: by 2002:a9d:745a:0:b0:6b2:930e:ba3d with SMTP id p26-20020a9d745a000000b006b2930eba3dmr6075117otk.2.1686159793710; Wed, 07 Jun 2023 10:43:13 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ7ZtormhkemcZN2J0MYPakjTR6dWJVfNLeGEjYrQ7Y0wKdH/n23gGjbwMoeCyXHrtMbGG6OtA== X-Received: by 2002:a9d:745a:0:b0:6b2:930e:ba3d with SMTP id p26-20020a9d745a000000b006b2930eba3dmr6075101otk.2.1686159793352; Wed, 07 Jun 2023 10:43:13 -0700 (PDT) Received: from mingau.. ([2804:7f0:b443:8cea:efdc:2496:54f7:d884]) by smtp.gmail.com with ESMTPSA id c10-20020a9d75ca000000b006ac75cff491sm2176016otl.3.2023.06.07.10.43.09 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 07 Jun 2023 10:43:12 -0700 (PDT) From: Magali Lemes To: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, shuah@kernel.org, vfedorenko@novek.ru, tianjia.zhang@linux.alibaba.com Cc: andrei.gherzan@canonical.com, netdev@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH net 1/3] selftests: net: tls: check if FIPS mode is enabled Date: Wed, 7 Jun 2023 14:43:00 -0300 Message-Id: <20230607174302.19542-2-magali.lemes@canonical.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20230607174302.19542-1-magali.lemes@canonical.com> References: <20230607174302.19542-1-magali.lemes@canonical.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-kselftest@vger.kernel.org TLS selftests use the ChaCha20-Poly1305 and SM4 algorithms, which are not FIPS compliant. When fips=1, this set of tests fails. Add a check and only run these tests if not in FIPS mode. Fixes: 4f336e88a870 ("selftests/tls: add CHACHA20-POLY1305 to tls selftests") Fixes: e506342a03c7 ("selftests/tls: add SM4 GCM/CCM to tls selftests") Signed-off-by: Magali Lemes --- tools/testing/selftests/net/tls.c | 265 +++++++++++++++++++++++++++++- 1 file changed, 263 insertions(+), 2 deletions(-) diff --git a/tools/testing/selftests/net/tls.c b/tools/testing/selftests/net/tls.c index e699548d4247..44cb145a32fd 100644 --- a/tools/testing/selftests/net/tls.c +++ b/tools/testing/selftests/net/tls.c @@ -227,7 +227,7 @@ TEST_F(tls_basic, base_base) FIXTURE(tls) { - int fd, cfd; + int fd, cfd, fips_enabled; bool notls; }; @@ -309,7 +309,22 @@ FIXTURE_SETUP(tls) { struct tls_crypto_info_keys tls12; int one = 1; - int ret; + int ret, res; + FILE *f; + + self->fips_enabled = 0; + f = fopen("/proc/sys/crypto/fips_enabled", "r"); + if (f) { + res = fscanf(f, "%d", &self->fips_enabled); + if (res != 1) + ksft_print_msg("ERROR: Couldn't read /proc/sys/crypto/fips_enabled\n"); + fclose(f); + } + + if (self->fips_enabled && (variant->cipher_type == + TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type == + TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM)) + return; tls_crypto_info_init(variant->tls_version, variant->cipher_type, &tls12); @@ -343,6 +358,11 @@ TEST_F(tls, sendfile) int filefd = open("/proc/self/exe", O_RDONLY); struct stat st; + if (self->fips_enabled && (variant->cipher_type == + TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type == + TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM)) + SKIP(return, "Unsupported cipher in FIPS mode"); + EXPECT_GE(filefd, 0); fstat(filefd, &st); EXPECT_GE(sendfile(self->fd, filefd, 0, st.st_size), 0); @@ -357,6 +377,11 @@ TEST_F(tls, send_then_sendfile) struct stat st; char *buf; + if (self->fips_enabled && (variant->cipher_type == + TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type == + TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM)) + SKIP(return, "Unsupported cipher in FIPS mode"); + EXPECT_GE(filefd, 0); fstat(filefd, &st); buf = (char *)malloc(st.st_size); @@ -406,6 +431,12 @@ static void chunked_sendfile(struct __test_metadata *_metadata, TEST_F(tls, multi_chunk_sendfile) { + + if (self->fips_enabled && (variant->cipher_type == + TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type == + TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM)) + SKIP(return, "Unsupported cipher in FIPS mode"); + chunked_sendfile(_metadata, self, 4096, 4096); chunked_sendfile(_metadata, self, 4096, 0); chunked_sendfile(_metadata, self, 4096, 1); @@ -433,6 +464,11 @@ TEST_F(tls, recv_max) char recv_mem[TLS_PAYLOAD_MAX_LEN]; char buf[TLS_PAYLOAD_MAX_LEN]; + if (self->fips_enabled && (variant->cipher_type == + TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type == + TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM)) + SKIP(return, "Unsupported cipher in FIPS mode"); + memrnd(buf, sizeof(buf)); EXPECT_GE(send(self->fd, buf, send_len, 0), 0); @@ -446,6 +482,11 @@ TEST_F(tls, recv_small) int send_len = 10; char buf[10]; + if (self->fips_enabled && (variant->cipher_type == + TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type == + TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM)) + SKIP(return, "Unsupported cipher in FIPS mode"); + send_len = strlen(test_str) + 1; EXPECT_EQ(send(self->fd, test_str, send_len, 0), send_len); EXPECT_NE(recv(self->cfd, buf, send_len, 0), -1); @@ -458,6 +499,11 @@ TEST_F(tls, msg_more) int send_len = 10; char buf[10 * 2]; + if (self->fips_enabled && (variant->cipher_type == + TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type == + TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM)) + SKIP(return, "Unsupported cipher in FIPS mode"); + EXPECT_EQ(send(self->fd, test_str, send_len, MSG_MORE), send_len); EXPECT_EQ(recv(self->cfd, buf, send_len, MSG_DONTWAIT), -1); EXPECT_EQ(send(self->fd, test_str, send_len, 0), send_len); @@ -472,6 +518,11 @@ TEST_F(tls, msg_more_unsent) int send_len = 10; char buf[10]; + if (self->fips_enabled && (variant->cipher_type == + TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type == + TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM)) + SKIP(return, "Unsupported cipher in FIPS mode"); + EXPECT_EQ(send(self->fd, test_str, send_len, MSG_MORE), send_len); EXPECT_EQ(recv(self->cfd, buf, send_len, MSG_DONTWAIT), -1); } @@ -485,6 +536,11 @@ TEST_F(tls, sendmsg_single) struct iovec vec; char buf[13]; + if (self->fips_enabled && (variant->cipher_type == + TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type == + TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM)) + SKIP(return, "Unsupported cipher in FIPS mode"); + vec.iov_base = (char *)test_str; vec.iov_len = send_len; memset(&msg, 0, sizeof(struct msghdr)); @@ -505,6 +561,11 @@ TEST_F(tls, sendmsg_fragmented) struct msghdr msg; int i, frags; + if (self->fips_enabled && (variant->cipher_type == + TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type == + TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM)) + SKIP(return, "Unsupported cipher in FIPS mode"); + for (frags = 1; frags <= MAX_FRAGS; frags++) { for (i = 0; i < frags; i++) { vec[i].iov_base = (char *)test_str; @@ -536,6 +597,11 @@ TEST_F(tls, sendmsg_large) size_t recvs = 0; size_t sent = 0; + if (self->fips_enabled && (variant->cipher_type == + TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type == + TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM)) + SKIP(return, "Unsupported cipher in FIPS mode"); + memset(&msg, 0, sizeof(struct msghdr)); while (sent++ < sends) { struct iovec vec = { (void *)mem, send_len }; @@ -564,6 +630,11 @@ TEST_F(tls, sendmsg_multiple) char *buf; int i; + if (self->fips_enabled && (variant->cipher_type == + TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type == + TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM)) + SKIP(return, "Unsupported cipher in FIPS mode"); + memset(&msg, 0, sizeof(struct msghdr)); for (i = 0; i < iov_len; i++) { test_strs[i] = (char *)malloc(strlen(test_str) + 1); @@ -601,6 +672,11 @@ TEST_F(tls, sendmsg_multiple_stress) int len_cmp = 0; int i; + if (self->fips_enabled && (variant->cipher_type == + TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type == + TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM)) + SKIP(return, "Unsupported cipher in FIPS mode"); + memset(&msg, 0, sizeof(struct msghdr)); for (i = 0; i < iov_len; i++) { test_strs[i] = (char *)malloc(strlen(test_str) + 1); @@ -629,6 +705,11 @@ TEST_F(tls, splice_from_pipe) char mem_recv[TLS_PAYLOAD_MAX_LEN]; int p[2]; + if (self->fips_enabled && (variant->cipher_type == + TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type == + TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM)) + SKIP(return, "Unsupported cipher in FIPS mode"); + ASSERT_GE(pipe(p), 0); EXPECT_GE(write(p[1], mem_send, send_len), 0); EXPECT_GE(splice(p[0], NULL, self->fd, NULL, send_len, 0), 0); @@ -644,6 +725,11 @@ TEST_F(tls, splice_from_pipe2) int p2[2]; int p[2]; + if (self->fips_enabled && (variant->cipher_type == + TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type == + TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM)) + SKIP(return, "Unsupported cipher in FIPS mode"); + memrnd(mem_send, sizeof(mem_send)); ASSERT_GE(pipe(p), 0); @@ -666,6 +752,11 @@ TEST_F(tls, send_and_splice) char buf[10]; int p[2]; + if (self->fips_enabled && (variant->cipher_type == + TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type == + TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM)) + SKIP(return, "Unsupported cipher in FIPS mode"); + ASSERT_GE(pipe(p), 0); EXPECT_EQ(send(self->fd, test_str, send_len2, 0), send_len2); EXPECT_EQ(recv(self->cfd, buf, send_len2, MSG_WAITALL), send_len2); @@ -685,6 +776,11 @@ TEST_F(tls, splice_to_pipe) char mem_recv[TLS_PAYLOAD_MAX_LEN]; int p[2]; + if (self->fips_enabled && (variant->cipher_type == + TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type == + TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM)) + SKIP(return, "Unsupported cipher in FIPS mode"); + memrnd(mem_send, sizeof(mem_send)); ASSERT_GE(pipe(p), 0); @@ -705,6 +801,11 @@ TEST_F(tls, splice_cmsg_to_pipe) if (self->notls) SKIP(return, "no TLS support"); + if (self->fips_enabled && (variant->cipher_type == + TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type == + TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM)) + SKIP(return, "Unsupported cipher in FIPS mode"); + ASSERT_GE(pipe(p), 0); EXPECT_EQ(tls_send_cmsg(self->fd, 100, test_str, send_len, 0), 10); EXPECT_EQ(splice(self->cfd, NULL, p[1], NULL, send_len, 0), -1); @@ -728,6 +829,11 @@ TEST_F(tls, splice_dec_cmsg_to_pipe) if (self->notls) SKIP(return, "no TLS support"); + if (self->fips_enabled && (variant->cipher_type == + TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type == + TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM)) + SKIP(return, "Unsupported cipher in FIPS mode"); + ASSERT_GE(pipe(p), 0); EXPECT_EQ(tls_send_cmsg(self->fd, 100, test_str, send_len, 0), 10); EXPECT_EQ(recv(self->cfd, buf, send_len, 0), -1); @@ -748,6 +854,11 @@ TEST_F(tls, recv_and_splice) int half = send_len / 2; int p[2]; + if (self->fips_enabled && (variant->cipher_type == + TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type == + TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM)) + SKIP(return, "Unsupported cipher in FIPS mode"); + ASSERT_GE(pipe(p), 0); EXPECT_EQ(send(self->fd, mem_send, send_len, 0), send_len); /* Recv hald of the record, splice the other half */ @@ -766,6 +877,11 @@ TEST_F(tls, peek_and_splice) int chunk = TLS_PAYLOAD_MAX_LEN / 4; int n, i, p[2]; + if (self->fips_enabled && (variant->cipher_type == + TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type == + TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM)) + SKIP(return, "Unsupported cipher in FIPS mode"); + memrnd(mem_send, sizeof(mem_send)); ASSERT_GE(pipe(p), 0); @@ -797,6 +913,11 @@ TEST_F(tls, recvmsg_single) struct msghdr hdr; struct iovec vec; + if (self->fips_enabled && (variant->cipher_type == + TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type == + TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM)) + SKIP(return, "Unsupported cipher in FIPS mode"); + memset(&hdr, 0, sizeof(hdr)); EXPECT_EQ(send(self->fd, test_str, send_len, 0), send_len); vec.iov_base = (char *)buf; @@ -815,6 +936,11 @@ TEST_F(tls, recvmsg_single_max) struct iovec vec; struct msghdr hdr; + if (self->fips_enabled && (variant->cipher_type == + TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type == + TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM)) + SKIP(return, "Unsupported cipher in FIPS mode"); + memrnd(send_mem, sizeof(send_mem)); EXPECT_EQ(send(self->fd, send_mem, send_len, 0), send_len); @@ -840,6 +966,11 @@ TEST_F(tls, recvmsg_multiple) memrnd(buf, sizeof(buf)); + if (self->fips_enabled && (variant->cipher_type == + TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type == + TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM)) + SKIP(return, "Unsupported cipher in FIPS mode"); + EXPECT_EQ(send(self->fd, buf, send_len, 0), send_len); for (i = 0; i < msg_iovlen; i++) { iov_base[i] = (char *)malloc(iov_len); @@ -862,6 +993,11 @@ TEST_F(tls, single_send_multiple_recv) char send_mem[TLS_PAYLOAD_MAX_LEN * 2]; char recv_mem[TLS_PAYLOAD_MAX_LEN * 2]; + if (self->fips_enabled && (variant->cipher_type == + TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type == + TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM)) + SKIP(return, "Unsupported cipher in FIPS mode"); + memrnd(send_mem, sizeof(send_mem)); EXPECT_GE(send(self->fd, send_mem, total_len, 0), 0); @@ -879,6 +1015,11 @@ TEST_F(tls, multiple_send_single_recv) char recv_mem[2 * 10]; char send_mem[10]; + if (self->fips_enabled && (variant->cipher_type == + TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type == + TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM)) + SKIP(return, "Unsupported cipher in FIPS mode"); + memrnd(send_mem, sizeof(send_mem)); EXPECT_GE(send(self->fd, send_mem, send_len, 0), 0); @@ -897,6 +1038,11 @@ TEST_F(tls, single_send_multiple_recv_non_align) char recv_mem[recv_len * 2]; char send_mem[total_len]; + if (self->fips_enabled && (variant->cipher_type == + TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type == + TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM)) + SKIP(return, "Unsupported cipher in FIPS mode"); + memrnd(send_mem, sizeof(send_mem)); EXPECT_GE(send(self->fd, send_mem, total_len, 0), 0); @@ -915,6 +1061,11 @@ TEST_F(tls, recv_partial) int send_len = strlen(test_str) + 1; char recv_mem[18]; + if (self->fips_enabled && (variant->cipher_type == + TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type == + TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM)) + SKIP(return, "Unsupported cipher in FIPS mode"); + memset(recv_mem, 0, sizeof(recv_mem)); EXPECT_EQ(send(self->fd, test_str, send_len, 0), send_len); EXPECT_NE(recv(self->cfd, recv_mem, strlen(test_str_first), @@ -932,6 +1083,11 @@ TEST_F(tls, recv_nonblock) char buf[4096]; bool err; + if (self->fips_enabled && (variant->cipher_type == + TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type == + TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM)) + SKIP(return, "Unsupported cipher in FIPS mode"); + EXPECT_EQ(recv(self->cfd, buf, sizeof(buf), MSG_DONTWAIT), -1); err = (errno == EAGAIN || errno == EWOULDBLOCK); EXPECT_EQ(err, true); @@ -943,6 +1099,11 @@ TEST_F(tls, recv_peek) int send_len = strlen(test_str) + 1; char buf[15]; + if (self->fips_enabled && (variant->cipher_type == + TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type == + TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM)) + SKIP(return, "Unsupported cipher in FIPS mode"); + EXPECT_EQ(send(self->fd, test_str, send_len, 0), send_len); EXPECT_EQ(recv(self->cfd, buf, send_len, MSG_PEEK), send_len); EXPECT_EQ(memcmp(test_str, buf, send_len), 0); @@ -959,6 +1120,11 @@ TEST_F(tls, recv_peek_multiple) char buf[15]; int i; + if (self->fips_enabled && (variant->cipher_type == + TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type == + TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM)) + SKIP(return, "Unsupported cipher in FIPS mode"); + EXPECT_EQ(send(self->fd, test_str, send_len, 0), send_len); for (i = 0; i < num_peeks; i++) { EXPECT_NE(recv(self->cfd, buf, send_len, MSG_PEEK), -1); @@ -977,6 +1143,11 @@ TEST_F(tls, recv_peek_multiple_records) int len; char buf[64]; + if (self->fips_enabled && (variant->cipher_type == + TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type == + TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM)) + SKIP(return, "Unsupported cipher in FIPS mode"); + len = strlen(test_str_first); EXPECT_EQ(send(self->fd, test_str_first, len, 0), len); @@ -1026,6 +1197,11 @@ TEST_F(tls, recv_peek_large_buf_mult_recs) int len; char buf[64]; + if (self->fips_enabled && (variant->cipher_type == + TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type == + TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM)) + SKIP(return, "Unsupported cipher in FIPS mode"); + len = strlen(test_str_first); EXPECT_EQ(send(self->fd, test_str_first, len, 0), len); @@ -1046,6 +1222,11 @@ TEST_F(tls, recv_lowat) char recv_mem[20]; int lowat = 8; + if (self->fips_enabled && (variant->cipher_type == + TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type == + TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM)) + SKIP(return, "Unsupported cipher in FIPS mode"); + EXPECT_EQ(send(self->fd, send_mem, 10, 0), 10); EXPECT_EQ(send(self->fd, send_mem, 5, 0), 5); @@ -1067,6 +1248,11 @@ TEST_F(tls, bidir) char buf[10]; int ret; + if (self->fips_enabled && (variant->cipher_type == + TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type == + TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM)) + SKIP(return, "Unsupported cipher in FIPS mode"); + if (!self->notls) { struct tls_crypto_info_keys tls12; @@ -1102,6 +1288,11 @@ TEST_F(tls, pollin) char buf[10]; int send_len = 10; + if (self->fips_enabled && (variant->cipher_type == + TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type == + TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM)) + SKIP(return, "Unsupported cipher in FIPS mode"); + EXPECT_EQ(send(self->fd, test_str, send_len, 0), send_len); fd.fd = self->cfd; fd.events = POLLIN; @@ -1120,6 +1311,11 @@ TEST_F(tls, poll_wait) struct pollfd fd = { 0, 0, 0 }; char recv_mem[15]; + if (self->fips_enabled && (variant->cipher_type == + TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type == + TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM)) + SKIP(return, "Unsupported cipher in FIPS mode"); + fd.fd = self->cfd; fd.events = POLLIN; EXPECT_EQ(send(self->fd, test_str, send_len, 0), send_len); @@ -1135,6 +1331,11 @@ TEST_F(tls, poll_wait_split) char send_mem[20] = {}; char recv_mem[15]; + if (self->fips_enabled && (variant->cipher_type == + TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type == + TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM)) + SKIP(return, "Unsupported cipher in FIPS mode"); + fd.fd = self->cfd; fd.events = POLLIN; /* Send 20 bytes */ @@ -1160,6 +1361,11 @@ TEST_F(tls, blocking) size_t data = 100000; int res = fork(); + if (self->fips_enabled && (variant->cipher_type == + TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type == + TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM)) + SKIP(return, "Unsupported cipher in FIPS mode"); + EXPECT_NE(res, -1); if (res) { @@ -1202,6 +1408,11 @@ TEST_F(tls, nonblocking) int flags; int res; + if (self->fips_enabled && (variant->cipher_type == + TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type == + TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM)) + SKIP(return, "Unsupported cipher in FIPS mode"); + flags = fcntl(self->fd, F_GETFL, 0); fcntl(self->fd, F_SETFL, flags | O_NONBLOCK); fcntl(self->cfd, F_SETFL, flags | O_NONBLOCK); @@ -1343,31 +1554,61 @@ test_mutliproc(struct __test_metadata *_metadata, struct _test_data_tls *self, TEST_F(tls, mutliproc_even) { + if (self->fips_enabled && (variant->cipher_type == + TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type == + TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM)) + SKIP(return, "Unsupported cipher in FIPS mode"); + test_mutliproc(_metadata, self, false, 6, 6); } TEST_F(tls, mutliproc_readers) { + if (self->fips_enabled && (variant->cipher_type == + TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type == + TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM)) + SKIP(return, "Unsupported cipher in FIPS mode"); + test_mutliproc(_metadata, self, false, 4, 12); } TEST_F(tls, mutliproc_writers) { + if (self->fips_enabled && (variant->cipher_type == + TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type == + TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM)) + SKIP(return, "Unsupported cipher in FIPS mode"); + test_mutliproc(_metadata, self, false, 10, 2); } TEST_F(tls, mutliproc_sendpage_even) { + if (self->fips_enabled && (variant->cipher_type == + TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type == + TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM)) + SKIP(return, "Unsupported cipher in FIPS mode"); + test_mutliproc(_metadata, self, true, 6, 6); } TEST_F(tls, mutliproc_sendpage_readers) { + if (self->fips_enabled && (variant->cipher_type == + TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type == + TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM)) + SKIP(return, "Unsupported cipher in FIPS mode"); + test_mutliproc(_metadata, self, true, 4, 12); } TEST_F(tls, mutliproc_sendpage_writers) { + if (self->fips_enabled && (variant->cipher_type == + TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type == + TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM)) + SKIP(return, "Unsupported cipher in FIPS mode"); + test_mutliproc(_metadata, self, true, 10, 2); } @@ -1378,6 +1619,11 @@ TEST_F(tls, control_msg) int send_len = 10; char buf[10]; + if (self->fips_enabled && (variant->cipher_type == + TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type == + TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM)) + SKIP(return, "Unsupported cipher in FIPS mode"); + if (self->notls) SKIP(return, "no TLS support"); @@ -1406,6 +1652,11 @@ TEST_F(tls, shutdown) int send_len = 10; char buf[10]; + if (self->fips_enabled && (variant->cipher_type == + TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type == + TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM)) + SKIP(return, "Unsupported cipher in FIPS mode"); + ASSERT_EQ(strlen(test_str) + 1, send_len); EXPECT_EQ(send(self->fd, test_str, send_len, 0), send_len); @@ -1421,6 +1672,11 @@ TEST_F(tls, shutdown_unsent) char const *test_str = "test_read"; int send_len = 10; + if (self->fips_enabled && (variant->cipher_type == + TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type == + TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM)) + SKIP(return, "Unsupported cipher in FIPS mode"); + EXPECT_EQ(send(self->fd, test_str, send_len, MSG_MORE), send_len); shutdown(self->fd, SHUT_RDWR); @@ -1432,6 +1688,11 @@ TEST_F(tls, shutdown_reuse) struct sockaddr_in addr; int ret; + if (self->fips_enabled && (variant->cipher_type == + TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type == + TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM)) + SKIP(return, "Unsupported cipher in FIPS mode"); + shutdown(self->fd, SHUT_RDWR); shutdown(self->cfd, SHUT_RDWR); close(self->cfd); From patchwork Wed Jun 7 17:43:01 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Magali Lemes X-Patchwork-Id: 13271047 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id E79E2C7EE25 for ; Wed, 7 Jun 2023 17:43:32 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232152AbjFGRnc (ORCPT ); Wed, 7 Jun 2023 13:43:32 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42664 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232130AbjFGRn3 (ORCPT ); Wed, 7 Jun 2023 13:43:29 -0400 Received: from smtp-relay-internal-0.canonical.com (smtp-relay-internal-0.canonical.com [185.125.188.122]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D349E1BFF for ; Wed, 7 Jun 2023 10:43:27 -0700 (PDT) Received: from mail-oa1-f70.google.com (mail-oa1-f70.google.com [209.85.160.70]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp-relay-internal-0.canonical.com (Postfix) with ESMTPS id F3A043F160 for ; Wed, 7 Jun 2023 17:43:20 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com; s=20210705; t=1686159801; bh=j90adpv5OKiVekqJ11PzWX+ZuuCToGInj5AleNVe4gc=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=aEG9nzeqRsjdnYd0u//bDNaVPdmN639egE3lRSdvCcV1ChA+N/i3hZkyr6GEeRqXJ YfU+gV0PbvkD+lgWQuJgms9REtUFs5V9oG0kuv9IRY/CAXXebtS6h5hcgAF61QA+9r fIQ0HDk4MR2kO/FgceNboKRlV7HsSKB6SDDavet12aRny4w5LFp2gcuaD0utLO33Yk v8pgqQKGcs36PYrd4xlX86MYjKt41b2m2KZZWHLAeJa0hejfY+DGnp9nuWZbdFLYFz gNth1RU5MF01YnwredKfjpBP2zuiodv9gQ7IhXlBT3jUPXLQYf4DT61T45AmrIcmfE ObjrNVRg25RVw== Received: by mail-oa1-f70.google.com with SMTP id 586e51a60fabf-1a27bd23178so687150fac.0 for ; Wed, 07 Jun 2023 10:43:20 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1686159799; x=1688751799; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=j90adpv5OKiVekqJ11PzWX+ZuuCToGInj5AleNVe4gc=; b=ITW5X9Q/0axBTfFjMJj9PbC69zD2GUtWB8D5MvG/jrbMwM+SJ1gBEczdRQ13NG772h 0DbsW6REz+/fsbJ6Ic15KQhXRoJlTARXbfwVX8SHEzq7D8RGMvvpR77roAsrnK9COL9D iSTuomCdlBqRqBRMPFm3/QwtEzgkpDMNMMgKVjOjEsjhK6i/4t5FVZUCX2kvD/IF5kmf zBAvUdalX159n6ET0grXQGyxVOcucV1ObuG5aahxkb9RoAmz3eairzbCyXfANIqdZgB7 jPzUOOcrjtuL744Y1jgmjvbA9MrfpYlz7CoHNm9GYZd/Pwol+czWgdXgsDNkp7uaiTbv Lhxw== X-Gm-Message-State: AC+VfDy1OLz3y7JycnCmCVjJmWVzc/lx+A7cgrpv+HJR7YTDo6qfL5Kv HeQCQ+/Grh7a7H48GnAPw148CKeQAS0DyHv8uO6yobwiAvnPcU+Nu2NQNoIiiVBPuVeoCAoex/+ 1sPzVDlQt4hOVbcHacqVkNqY869PXyDhCvEK6nqLUymoLbw== X-Received: by 2002:a05:6871:8a2:b0:187:f238:3db with SMTP id r34-20020a05687108a200b00187f23803dbmr3957461oaq.19.1686159798818; Wed, 07 Jun 2023 10:43:18 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ5Q6h6dt4/RiTKf1tR/dQriarGmiD9rFRMH89s6DTR+wZ0SPHzVr2XppuFz/KJ0MZgC6mZZPw== X-Received: by 2002:a05:6871:8a2:b0:187:f238:3db with SMTP id r34-20020a05687108a200b00187f23803dbmr3957402oaq.19.1686159797103; Wed, 07 Jun 2023 10:43:17 -0700 (PDT) Received: from mingau.. ([2804:7f0:b443:8cea:efdc:2496:54f7:d884]) by smtp.gmail.com with ESMTPSA id c10-20020a9d75ca000000b006ac75cff491sm2176016otl.3.2023.06.07.10.43.13 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 07 Jun 2023 10:43:16 -0700 (PDT) From: Magali Lemes To: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, shuah@kernel.org, dsahern@gmail.com Cc: andrei.gherzan@canonical.com, netdev@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH net 2/3] selftests: net: vrf-xfrm-tests: change authentication and encryption algos Date: Wed, 7 Jun 2023 14:43:01 -0300 Message-Id: <20230607174302.19542-3-magali.lemes@canonical.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20230607174302.19542-1-magali.lemes@canonical.com> References: <20230607174302.19542-1-magali.lemes@canonical.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-kselftest@vger.kernel.org The vrf-xfrm-tests tests use the hmac(md5) and cbc(des3_ede) algorithms for performing authentication and encryption, respectively. This causes the tests to fail when fips=1 is set, since these algorithms are not allowed in FIPS mode. Therefore, switch from hmac(md5) and cbc(des3_ede) to hmac(sha1) and cbc(aes), which are FIPS compliant. Fixes: 3f251d741150 ("selftests: Add tests for vrf and xfrms") Signed-off-by: Magali Lemes Reviewed-by: David Ahern --- tools/testing/selftests/net/vrf-xfrm-tests.sh | 32 +++++++++---------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/tools/testing/selftests/net/vrf-xfrm-tests.sh b/tools/testing/selftests/net/vrf-xfrm-tests.sh index 184da81f554f..452638ae8aed 100755 --- a/tools/testing/selftests/net/vrf-xfrm-tests.sh +++ b/tools/testing/selftests/net/vrf-xfrm-tests.sh @@ -264,60 +264,60 @@ setup_xfrm() ip -netns host1 xfrm state add src ${HOST1_4} dst ${HOST2_4} \ proto esp spi ${SPI_1} reqid 0 mode tunnel \ replay-window 4 replay-oseq 0x4 \ - auth-trunc 'hmac(md5)' ${AUTH_1} 96 \ - enc 'cbc(des3_ede)' ${ENC_1} \ + auth-trunc 'hmac(sha1)' ${AUTH_1} 96 \ + enc 'cbc(aes)' ${ENC_1} \ sel src ${h1_4} dst ${h2_4} ${devarg} ip -netns host2 xfrm state add src ${HOST1_4} dst ${HOST2_4} \ proto esp spi ${SPI_1} reqid 0 mode tunnel \ replay-window 4 replay-oseq 0x4 \ - auth-trunc 'hmac(md5)' ${AUTH_1} 96 \ - enc 'cbc(des3_ede)' ${ENC_1} \ + auth-trunc 'hmac(sha1)' ${AUTH_1} 96 \ + enc 'cbc(aes)' ${ENC_1} \ sel src ${h1_4} dst ${h2_4} ip -netns host1 xfrm state add src ${HOST2_4} dst ${HOST1_4} \ proto esp spi ${SPI_2} reqid 0 mode tunnel \ replay-window 4 replay-oseq 0x4 \ - auth-trunc 'hmac(md5)' ${AUTH_2} 96 \ - enc 'cbc(des3_ede)' ${ENC_2} \ + auth-trunc 'hmac(sha1)' ${AUTH_2} 96 \ + enc 'cbc(aes)' ${ENC_2} \ sel src ${h2_4} dst ${h1_4} ${devarg} ip -netns host2 xfrm state add src ${HOST2_4} dst ${HOST1_4} \ proto esp spi ${SPI_2} reqid 0 mode tunnel \ replay-window 4 replay-oseq 0x4 \ - auth-trunc 'hmac(md5)' ${AUTH_2} 96 \ - enc 'cbc(des3_ede)' ${ENC_2} \ + auth-trunc 'hmac(sha1)' ${AUTH_2} 96 \ + enc 'cbc(aes)' ${ENC_2} \ sel src ${h2_4} dst ${h1_4} ip -6 -netns host1 xfrm state add src ${HOST1_6} dst ${HOST2_6} \ proto esp spi ${SPI_1} reqid 0 mode tunnel \ replay-window 4 replay-oseq 0x4 \ - auth-trunc 'hmac(md5)' ${AUTH_1} 96 \ - enc 'cbc(des3_ede)' ${ENC_1} \ + auth-trunc 'hmac(sha1)' ${AUTH_1} 96 \ + enc 'cbc(aes)' ${ENC_1} \ sel src ${h1_6} dst ${h2_6} ${devarg} ip -6 -netns host2 xfrm state add src ${HOST1_6} dst ${HOST2_6} \ proto esp spi ${SPI_1} reqid 0 mode tunnel \ replay-window 4 replay-oseq 0x4 \ - auth-trunc 'hmac(md5)' ${AUTH_1} 96 \ - enc 'cbc(des3_ede)' ${ENC_1} \ + auth-trunc 'hmac(sha1)' ${AUTH_1} 96 \ + enc 'cbc(aes)' ${ENC_1} \ sel src ${h1_6} dst ${h2_6} ip -6 -netns host1 xfrm state add src ${HOST2_6} dst ${HOST1_6} \ proto esp spi ${SPI_2} reqid 0 mode tunnel \ replay-window 4 replay-oseq 0x4 \ - auth-trunc 'hmac(md5)' ${AUTH_2} 96 \ - enc 'cbc(des3_ede)' ${ENC_2} \ + auth-trunc 'hmac(sha1)' ${AUTH_2} 96 \ + enc 'cbc(aes)' ${ENC_2} \ sel src ${h2_6} dst ${h1_6} ${devarg} ip -6 -netns host2 xfrm state add src ${HOST2_6} dst ${HOST1_6} \ proto esp spi ${SPI_2} reqid 0 mode tunnel \ replay-window 4 replay-oseq 0x4 \ - auth-trunc 'hmac(md5)' ${AUTH_2} 96 \ - enc 'cbc(des3_ede)' ${ENC_2} \ + auth-trunc 'hmac(sha1)' ${AUTH_2} 96 \ + enc 'cbc(aes)' ${ENC_2} \ sel src ${h2_6} dst ${h1_6} } From patchwork Wed Jun 7 17:43:02 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Magali Lemes X-Patchwork-Id: 13271048 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 00722C7EE25 for ; Wed, 7 Jun 2023 17:43:35 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232195AbjFGRnc (ORCPT ); Wed, 7 Jun 2023 13:43:32 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42748 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232071AbjFGRn3 (ORCPT ); Wed, 7 Jun 2023 13:43:29 -0400 Received: from smtp-relay-internal-1.canonical.com (smtp-relay-internal-1.canonical.com [185.125.188.123]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D65521FD7 for ; Wed, 7 Jun 2023 10:43:27 -0700 (PDT) Received: from mail-oa1-f72.google.com (mail-oa1-f72.google.com [209.85.160.72]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp-relay-internal-1.canonical.com (Postfix) with ESMTPS id 30D583F1D1 for ; Wed, 7 Jun 2023 17:43:24 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com; s=20210705; t=1686159804; bh=29oAQXm1vubqWw6n+W3ki/F3nkC70PmxLYid2aXxsMY=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=JqMc/SXTQbCtI6T704W/CdgiNpjSwaWFgDjyAU4DsrKmsS9zxOMN7K1Qh5AhJfeKQ UjS1T91fv8qGjKSZE+p8F/nBUBkLEp7EAswgBNSSzc+lST8ODntOHxev9mwVs4yak+ 9Dv7PG+fYgckDB0EA6sRJCL3wsbgL1HBfwkHq9vnGr5rgQ4dQvhv9umlNCZHhKQrkr Kuye1A5GUJTXKO6GqjjLIEG9yTC1mWzyhYBG4DPI1TL1UKA8rKcD3ABT5TFCVCL8By E4rY25Z612Tuvxbu4JPy2GIZ24+GVIdu37I7x13+CGgbReUXCB6ZoZGs1l03PVa+ie /k1y2+Rv/cx+A== Received: by mail-oa1-f72.google.com with SMTP id 586e51a60fabf-19f1f3aaae6so7296836fac.1 for ; Wed, 07 Jun 2023 10:43:24 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1686159800; x=1688751800; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=29oAQXm1vubqWw6n+W3ki/F3nkC70PmxLYid2aXxsMY=; b=MBELOzBy5Q+B5QVf4BST+awyDJpKtX998URwpyAVE4jDeDQfbiHw/3GYl5kQkN86mf Hi15cxqmcHShPAGDl1ktGpMQluuiW9+r1ijSrNGbtQdOOZ9LEj62kcSxBtgOITOIVEYF Tm7gNeIJJ0iXyy4ptBkj6EfS8fod0G4CX/JO0ZkfQIG2P8UUnc61aromZGEq4ifnBPFk yGexCppg2+1tKQKHf+5CZ41V94lwEin30Qx2BWndcqhgGxWHDgxW8npjkItyHGjZpC43 Ny3334xfkIsajs4RE5m2jcjmyb7MnOzqwBt3X8G3JfGwpJyuiBKbTRzAWiCGFfA8Ogf7 CrxA== X-Gm-Message-State: AC+VfDxDkYAxvfUaPZh+mJcBOBKQDvphWGfhEHQ6HWgwQGtz4/8it5Ia AnxwjwPNBaNyzxdHwICjxzxlJPUST22u/FzoeiZZvSgKKz3tADFaItGVjf5OHYqhEa8LcM7t9aJ Gb1Qbk5KgKwoUOYWkSzpjsiJv/5QIv4kj2I1yqvR6IffIqA== X-Received: by 2002:a05:6870:d343:b0:1a3:b43:9c88 with SMTP id h3-20020a056870d34300b001a30b439c88mr5870242oag.34.1686159800625; Wed, 07 Jun 2023 10:43:20 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ766oAJ56zMbU7HSmkwtI2C3rOqyJHM8UGEwfRspDmam1gxj9T7PZk5HFQWFzUo+t+bKzFXUg== X-Received: by 2002:a05:6870:d343:b0:1a3:b43:9c88 with SMTP id h3-20020a056870d34300b001a30b439c88mr5870234oag.34.1686159800416; Wed, 07 Jun 2023 10:43:20 -0700 (PDT) Received: from mingau.. ([2804:7f0:b443:8cea:efdc:2496:54f7:d884]) by smtp.gmail.com with ESMTPSA id c10-20020a9d75ca000000b006ac75cff491sm2176016otl.3.2023.06.07.10.43.17 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 07 Jun 2023 10:43:20 -0700 (PDT) From: Magali Lemes To: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, shuah@kernel.org, dsahern@gmail.com Cc: andrei.gherzan@canonical.com, netdev@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH net 3/3] selftests: net: fcnal-test: check if FIPS mode is enabled Date: Wed, 7 Jun 2023 14:43:02 -0300 Message-Id: <20230607174302.19542-4-magali.lemes@canonical.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20230607174302.19542-1-magali.lemes@canonical.com> References: <20230607174302.19542-1-magali.lemes@canonical.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-kselftest@vger.kernel.org There are some MD5 tests which fail when the kernel is in FIPS mode, since MD5 is not FIPS compliant. Add a check and only run those tests if FIPS mode is not enabled. Fixes: f0bee1ebb5594 ("fcnal-test: Add TCP MD5 tests") Fixes: 5cad8bce26e01 ("fcnal-test: Add TCP MD5 tests for VRF") Signed-off-by: Magali Lemes Reviewed-by: David Ahern --- tools/testing/selftests/net/fcnal-test.sh | 27 ++++++++++++++++------- 1 file changed, 19 insertions(+), 8 deletions(-) diff --git a/tools/testing/selftests/net/fcnal-test.sh b/tools/testing/selftests/net/fcnal-test.sh index 21ca91473c09..ee6880ac3e5e 100755 --- a/tools/testing/selftests/net/fcnal-test.sh +++ b/tools/testing/selftests/net/fcnal-test.sh @@ -92,6 +92,13 @@ NSC_CMD="ip netns exec ${NSC}" which ping6 > /dev/null 2>&1 && ping6=$(which ping6) || ping6=$(which ping) +# Check if FIPS mode is enabled +if [ -f /proc/sys/crypto/fips_enabled ]; then + fips_enabled=`cat /proc/sys/crypto/fips_enabled` +else + fips_enabled=0 +fi + ################################################################################ # utilities @@ -1216,7 +1223,7 @@ ipv4_tcp_novrf() run_cmd nettest -d ${NSA_DEV} -r ${a} log_test_addr ${a} $? 1 "No server, device client, local conn" - ipv4_tcp_md5_novrf + [ "$fips_enabled" = "1" ] || ipv4_tcp_md5_novrf } ipv4_tcp_vrf() @@ -1270,9 +1277,11 @@ ipv4_tcp_vrf() log_test_addr ${a} $? 1 "Global server, local connection" # run MD5 tests - setup_vrf_dup - ipv4_tcp_md5 - cleanup_vrf_dup + if [ "$fips_enabled" = "0" ]; then + setup_vrf_dup + ipv4_tcp_md5 + cleanup_vrf_dup + fi # # enable VRF global server @@ -2772,7 +2781,7 @@ ipv6_tcp_novrf() log_test_addr ${a} $? 1 "No server, device client, local conn" done - ipv6_tcp_md5_novrf + [ "$fips_enabled" = "1" ] || ipv6_tcp_md5_novrf } ipv6_tcp_vrf() @@ -2842,9 +2851,11 @@ ipv6_tcp_vrf() log_test_addr ${a} $? 1 "Global server, local connection" # run MD5 tests - setup_vrf_dup - ipv6_tcp_md5 - cleanup_vrf_dup + if [ "$fips_enabled" = "0" ]; then + setup_vrf_dup + ipv6_tcp_md5 + cleanup_vrf_dup + fi # # enable VRF global server