[PATCH net v2 0/3] Check if FIPS mode is enabled when running selftests

List overview All Threads
Download

newer

older

[PATCH v2 tracing 0/6] tracing:...

kselftest/next build: 3 builds: 0...

Magali Lemes

9 Jun 2023 9 Jun '23

4:43 p.m.

Some test cases from net/tls, net/fcnal-test and net/vrf-xfrm-tests that rely on cryptographic functions to work and use non-compliant FIPS algorithms fail in FIPS mode.

In order to allow these tests to pass in a wider set of kernels, - for net/tls, skip the test variants that use the ChaCha20-Poly1305 and SM4 algorithms, when FIPS mode is enabled; - for net/fcnal-test, skip the MD5 tests, when FIPS mode is enabled; - for net/vrf-xfrm-tests, replace the algorithms that are not FIPS-compliant with compliant ones.

Changes in v2: - Add R-b tags. - Put fips_non_compliant into the variants. - Turn fips_enabled into a static global variable. - Read /proc/sys/crypto/fips_enabled only once at main().

v1: https://lore.kernel.org/netdev/20230607174302.19542-1-magali.lemes@canonical...

Magali Lemes (3): selftests: net: tls: check if FIPS mode is enabled selftests: net: vrf-xfrm-tests: change authentication and encryption algos selftests: net: fcnal-test: check if FIPS mode is enabled

tools/testing/selftests/net/fcnal-test.sh | 27 ++- tools/testing/selftests/net/tls.c | 175 +++++++++++++++++- tools/testing/selftests/net/vrf-xfrm-tests.sh | 32 ++-- 3 files changed, 209 insertions(+), 25 deletions(-)

-- 2.34.1

Show replies by date

Magali Lemes

9 Jun 9 Jun

4:43 p.m.

New subject: [PATCH net v2 1/3] selftests: net: tls: check if FIPS mode is enabled

TLS selftests use the ChaCha20-Poly1305 and SM4 algorithms, which are not FIPS compliant. When fips=1, this set of tests fails. Add a check and only run these tests if not in FIPS mode.

Fixes: 4f336e88a870 ("selftests/tls: add CHACHA20-POLY1305 to tls selftests") Fixes: e506342a03c7 ("selftests/tls: add SM4 GCM/CCM to tls selftests") Signed-off-by: Magali Lemes magali.lemes@canonical.com --- Changes in v2: - Put fips_non_compliant into the variants. - Turn fips_enabled into a static global variable. - Read /proc/sys/crypto/fips_enabled only once at main().

tools/testing/selftests/net/tls.c | 175 +++++++++++++++++++++++++++++- 1 file changed, 174 insertions(+), 1 deletion(-)

diff --git a/tools/testing/selftests/net/tls.c b/tools/testing/selftests/net/tls.c index e699548d4247..0725c60f227c 100644 --- a/tools/testing/selftests/net/tls.c +++ b/tools/testing/selftests/net/tls.c @@ -25,6 +25,8 @@ #define TLS_PAYLOAD_MAX_LEN 16384 #define SOL_TLS 282

+static int fips_enabled = 0; + struct tls_crypto_info_keys { union { struct tls12_crypto_info_aes_gcm_128 aes128; @@ -235,7 +237,7 @@ FIXTURE_VARIANT(tls) { uint16_t tls_version; uint16_t cipher_type; - bool nopad; + bool nopad, fips_non_compliant; };

FIXTURE_VARIANT_ADD(tls, 12_aes_gcm) @@ -254,24 +256,28 @@ FIXTURE_VARIANT_ADD(tls, 12_chacha) { .tls_version = TLS_1_2_VERSION, .cipher_type = TLS_CIPHER_CHACHA20_POLY1305, + .fips_non_compliant = true, };

FIXTURE_VARIANT_ADD(tls, 13_chacha) { .tls_version = TLS_1_3_VERSION, .cipher_type = TLS_CIPHER_CHACHA20_POLY1305, + .fips_non_compliant = true, };

FIXTURE_VARIANT_ADD(tls, 13_sm4_gcm) { .tls_version = TLS_1_3_VERSION, .cipher_type = TLS_CIPHER_SM4_GCM, + .fips_non_compliant = true, };

FIXTURE_VARIANT_ADD(tls, 13_sm4_ccm) { .tls_version = TLS_1_3_VERSION, .cipher_type = TLS_CIPHER_SM4_CCM, + .fips_non_compliant = true, };

FIXTURE_VARIANT_ADD(tls, 12_aes_ccm) @@ -311,6 +317,9 @@ FIXTURE_SETUP(tls) int one = 1; int ret;

+ if (fips_enabled && variant->fips_non_compliant) + return; + tls_crypto_info_init(variant->tls_version, variant->cipher_type, &tls12);

@@ -343,6 +352,9 @@ TEST_F(tls, sendfile) int filefd = open("/proc/self/exe", O_RDONLY); struct stat st;

+ if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + EXPECT_GE(filefd, 0); fstat(filefd, &st); EXPECT_GE(sendfile(self->fd, filefd, 0, st.st_size), 0); @@ -357,6 +369,9 @@ TEST_F(tls, send_then_sendfile) struct stat st; char *buf;

+ if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + EXPECT_GE(filefd, 0); fstat(filefd, &st); buf = (char *)malloc(st.st_size); @@ -406,6 +421,10 @@ static void chunked_sendfile(struct __test_metadata *_metadata,

TEST_F(tls, multi_chunk_sendfile) { + + if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + chunked_sendfile(_metadata, self, 4096, 4096); chunked_sendfile(_metadata, self, 4096, 0); chunked_sendfile(_metadata, self, 4096, 1); @@ -433,6 +452,9 @@ TEST_F(tls, recv_max) char recv_mem[TLS_PAYLOAD_MAX_LEN]; char buf[TLS_PAYLOAD_MAX_LEN];

+ if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + memrnd(buf, sizeof(buf));

EXPECT_GE(send(self->fd, buf, send_len, 0), 0); @@ -446,6 +468,9 @@ TEST_F(tls, recv_small) int send_len = 10; char buf[10];

+ if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + send_len = strlen(test_str) + 1; EXPECT_EQ(send(self->fd, test_str, send_len, 0), send_len); EXPECT_NE(recv(self->cfd, buf, send_len, 0), -1); @@ -458,6 +483,9 @@ TEST_F(tls, msg_more) int send_len = 10; char buf[10 * 2];

+ if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + EXPECT_EQ(send(self->fd, test_str, send_len, MSG_MORE), send_len); EXPECT_EQ(recv(self->cfd, buf, send_len, MSG_DONTWAIT), -1); EXPECT_EQ(send(self->fd, test_str, send_len, 0), send_len); @@ -472,6 +500,9 @@ TEST_F(tls, msg_more_unsent) int send_len = 10; char buf[10];

+ if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + EXPECT_EQ(send(self->fd, test_str, send_len, MSG_MORE), send_len); EXPECT_EQ(recv(self->cfd, buf, send_len, MSG_DONTWAIT), -1); } @@ -485,6 +516,9 @@ TEST_F(tls, sendmsg_single) struct iovec vec; char buf[13];

+ if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + vec.iov_base = (char *)test_str; vec.iov_len = send_len; memset(&msg, 0, sizeof(struct msghdr)); @@ -505,6 +539,9 @@ TEST_F(tls, sendmsg_fragmented) struct msghdr msg; int i, frags;

+ if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + for (frags = 1; frags <= MAX_FRAGS; frags++) { for (i = 0; i < frags; i++) { vec[i].iov_base = (char *)test_str; @@ -536,6 +573,9 @@ TEST_F(tls, sendmsg_large) size_t recvs = 0; size_t sent = 0;

+ if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + memset(&msg, 0, sizeof(struct msghdr)); while (sent++ < sends) { struct iovec vec = { (void *)mem, send_len }; @@ -564,6 +604,9 @@ TEST_F(tls, sendmsg_multiple) char *buf; int i;

+ if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + memset(&msg, 0, sizeof(struct msghdr)); for (i = 0; i < iov_len; i++) { test_strs[i] = (char *)malloc(strlen(test_str) + 1); @@ -601,6 +644,9 @@ TEST_F(tls, sendmsg_multiple_stress) int len_cmp = 0; int i;

+ if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + memset(&msg, 0, sizeof(struct msghdr)); for (i = 0; i < iov_len; i++) { test_strs[i] = (char *)malloc(strlen(test_str) + 1); @@ -629,6 +675,9 @@ TEST_F(tls, splice_from_pipe) char mem_recv[TLS_PAYLOAD_MAX_LEN]; int p[2];

+ if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + ASSERT_GE(pipe(p), 0); EXPECT_GE(write(p[1], mem_send, send_len), 0); EXPECT_GE(splice(p[0], NULL, self->fd, NULL, send_len, 0), 0); @@ -644,6 +693,9 @@ TEST_F(tls, splice_from_pipe2) int p2[2]; int p[2];

+ if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + memrnd(mem_send, sizeof(mem_send));

ASSERT_GE(pipe(p), 0); @@ -666,6 +718,9 @@ TEST_F(tls, send_and_splice) char buf[10]; int p[2];

+ if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + ASSERT_GE(pipe(p), 0); EXPECT_EQ(send(self->fd, test_str, send_len2, 0), send_len2); EXPECT_EQ(recv(self->cfd, buf, send_len2, MSG_WAITALL), send_len2); @@ -685,6 +740,9 @@ TEST_F(tls, splice_to_pipe) char mem_recv[TLS_PAYLOAD_MAX_LEN]; int p[2];

+ if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + memrnd(mem_send, sizeof(mem_send));

ASSERT_GE(pipe(p), 0); @@ -705,6 +763,9 @@ TEST_F(tls, splice_cmsg_to_pipe) if (self->notls) SKIP(return, "no TLS support");

+ if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + ASSERT_GE(pipe(p), 0); EXPECT_EQ(tls_send_cmsg(self->fd, 100, test_str, send_len, 0), 10); EXPECT_EQ(splice(self->cfd, NULL, p[1], NULL, send_len, 0), -1); @@ -728,6 +789,9 @@ TEST_F(tls, splice_dec_cmsg_to_pipe) if (self->notls) SKIP(return, "no TLS support");

+ if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + ASSERT_GE(pipe(p), 0); EXPECT_EQ(tls_send_cmsg(self->fd, 100, test_str, send_len, 0), 10); EXPECT_EQ(recv(self->cfd, buf, send_len, 0), -1); @@ -748,6 +812,9 @@ TEST_F(tls, recv_and_splice) int half = send_len / 2; int p[2];

+ if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + ASSERT_GE(pipe(p), 0); EXPECT_EQ(send(self->fd, mem_send, send_len, 0), send_len); /* Recv hald of the record, splice the other half */ @@ -766,6 +833,9 @@ TEST_F(tls, peek_and_splice) int chunk = TLS_PAYLOAD_MAX_LEN / 4; int n, i, p[2];

+ if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + memrnd(mem_send, sizeof(mem_send));

ASSERT_GE(pipe(p), 0); @@ -797,6 +867,9 @@ TEST_F(tls, recvmsg_single) struct msghdr hdr; struct iovec vec;

+ if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + memset(&hdr, 0, sizeof(hdr)); EXPECT_EQ(send(self->fd, test_str, send_len, 0), send_len); vec.iov_base = (char *)buf; @@ -815,6 +888,9 @@ TEST_F(tls, recvmsg_single_max) struct iovec vec; struct msghdr hdr;

+ if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + memrnd(send_mem, sizeof(send_mem));

EXPECT_EQ(send(self->fd, send_mem, send_len, 0), send_len); @@ -840,6 +916,9 @@ TEST_F(tls, recvmsg_multiple)

memrnd(buf, sizeof(buf));

+ if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + EXPECT_EQ(send(self->fd, buf, send_len, 0), send_len); for (i = 0; i < msg_iovlen; i++) { iov_base[i] = (char *)malloc(iov_len); @@ -862,6 +941,9 @@ TEST_F(tls, single_send_multiple_recv) char send_mem[TLS_PAYLOAD_MAX_LEN * 2]; char recv_mem[TLS_PAYLOAD_MAX_LEN * 2];

+ if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + memrnd(send_mem, sizeof(send_mem));

EXPECT_GE(send(self->fd, send_mem, total_len, 0), 0); @@ -879,6 +961,9 @@ TEST_F(tls, multiple_send_single_recv) char recv_mem[2 * 10]; char send_mem[10];

+ if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + memrnd(send_mem, sizeof(send_mem));

EXPECT_GE(send(self->fd, send_mem, send_len, 0), 0); @@ -897,6 +982,9 @@ TEST_F(tls, single_send_multiple_recv_non_align) char recv_mem[recv_len * 2]; char send_mem[total_len];

+ if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + memrnd(send_mem, sizeof(send_mem));

EXPECT_GE(send(self->fd, send_mem, total_len, 0), 0); @@ -915,6 +1003,9 @@ TEST_F(tls, recv_partial) int send_len = strlen(test_str) + 1; char recv_mem[18];

+ if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + memset(recv_mem, 0, sizeof(recv_mem)); EXPECT_EQ(send(self->fd, test_str, send_len, 0), send_len); EXPECT_NE(recv(self->cfd, recv_mem, strlen(test_str_first), @@ -932,6 +1023,9 @@ TEST_F(tls, recv_nonblock) char buf[4096]; bool err;

+ if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + EXPECT_EQ(recv(self->cfd, buf, sizeof(buf), MSG_DONTWAIT), -1); err = (errno == EAGAIN || errno == EWOULDBLOCK); EXPECT_EQ(err, true); @@ -943,6 +1037,9 @@ TEST_F(tls, recv_peek) int send_len = strlen(test_str) + 1; char buf[15];

+ if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + EXPECT_EQ(send(self->fd, test_str, send_len, 0), send_len); EXPECT_EQ(recv(self->cfd, buf, send_len, MSG_PEEK), send_len); EXPECT_EQ(memcmp(test_str, buf, send_len), 0); @@ -959,6 +1056,9 @@ TEST_F(tls, recv_peek_multiple) char buf[15]; int i;

+ if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + EXPECT_EQ(send(self->fd, test_str, send_len, 0), send_len); for (i = 0; i < num_peeks; i++) { EXPECT_NE(recv(self->cfd, buf, send_len, MSG_PEEK), -1); @@ -977,6 +1077,9 @@ TEST_F(tls, recv_peek_multiple_records) int len; char buf[64];

+ if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + len = strlen(test_str_first); EXPECT_EQ(send(self->fd, test_str_first, len, 0), len);

@@ -1026,6 +1129,9 @@ TEST_F(tls, recv_peek_large_buf_mult_recs) int len; char buf[64];

+ if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + len = strlen(test_str_first); EXPECT_EQ(send(self->fd, test_str_first, len, 0), len);

@@ -1046,6 +1152,9 @@ TEST_F(tls, recv_lowat) char recv_mem[20]; int lowat = 8;

+ if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + EXPECT_EQ(send(self->fd, send_mem, 10, 0), 10); EXPECT_EQ(send(self->fd, send_mem, 5, 0), 5);

@@ -1067,6 +1176,9 @@ TEST_F(tls, bidir) char buf[10]; int ret;

+ if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + if (!self->notls) { struct tls_crypto_info_keys tls12;

@@ -1102,6 +1214,9 @@ TEST_F(tls, pollin) char buf[10]; int send_len = 10;

+ if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + EXPECT_EQ(send(self->fd, test_str, send_len, 0), send_len); fd.fd = self->cfd; fd.events = POLLIN; @@ -1120,6 +1235,9 @@ TEST_F(tls, poll_wait) struct pollfd fd = { 0, 0, 0 }; char recv_mem[15];

+ if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + fd.fd = self->cfd; fd.events = POLLIN; EXPECT_EQ(send(self->fd, test_str, send_len, 0), send_len); @@ -1135,6 +1253,9 @@ TEST_F(tls, poll_wait_split) char send_mem[20] = {}; char recv_mem[15];

+ if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + fd.fd = self->cfd; fd.events = POLLIN; /* Send 20 bytes */ @@ -1160,6 +1281,9 @@ TEST_F(tls, blocking) size_t data = 100000; int res = fork();

+ if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + EXPECT_NE(res, -1);

if (res) { @@ -1202,6 +1326,9 @@ TEST_F(tls, nonblocking) int flags; int res;

+ if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + flags = fcntl(self->fd, F_GETFL, 0); fcntl(self->fd, F_SETFL, flags | O_NONBLOCK); fcntl(self->cfd, F_SETFL, flags | O_NONBLOCK); @@ -1343,31 +1470,49 @@ test_mutliproc(struct __test_metadata *_metadata, struct _test_data_tls *self,

TEST_F(tls, mutliproc_even) { + if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + test_mutliproc(_metadata, self, false, 6, 6); }

TEST_F(tls, mutliproc_readers) { + if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + test_mutliproc(_metadata, self, false, 4, 12); }

TEST_F(tls, mutliproc_writers) { + if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + test_mutliproc(_metadata, self, false, 10, 2); }

TEST_F(tls, mutliproc_sendpage_even) { + if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + test_mutliproc(_metadata, self, true, 6, 6); }

TEST_F(tls, mutliproc_sendpage_readers) { + if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + test_mutliproc(_metadata, self, true, 4, 12); }

TEST_F(tls, mutliproc_sendpage_writers) { + if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + test_mutliproc(_metadata, self, true, 10, 2); }

@@ -1378,6 +1523,9 @@ TEST_F(tls, control_msg) int send_len = 10; char buf[10];

+ if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + if (self->notls) SKIP(return, "no TLS support");

@@ -1406,6 +1554,9 @@ TEST_F(tls, shutdown) int send_len = 10; char buf[10];

+ if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + ASSERT_EQ(strlen(test_str) + 1, send_len);

EXPECT_EQ(send(self->fd, test_str, send_len, 0), send_len); @@ -1421,6 +1572,9 @@ TEST_F(tls, shutdown_unsent) char const *test_str = "test_read"; int send_len = 10;

+ if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + EXPECT_EQ(send(self->fd, test_str, send_len, MSG_MORE), send_len);

shutdown(self->fd, SHUT_RDWR); @@ -1432,6 +1586,9 @@ TEST_F(tls, shutdown_reuse) struct sockaddr_in addr; int ret;

+ if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + shutdown(self->fd, SHUT_RDWR); shutdown(self->cfd, SHUT_RDWR); close(self->cfd); @@ -1865,4 +2022,20 @@ TEST(prequeue) { close(cfd); }

+#define main test_main TEST_HARNESS_MAIN +#undef main +int main(int argc, char **argv) { + int res; + FILE *f; + + f = fopen("/proc/sys/crypto/fips_enabled", "r"); + if (f) { + res = fscanf(f, "%d", &fips_enabled); + if (res != 1) + ksft_print_msg("ERROR: Couldn't read /proc/sys/crypto/fips_enabled\n"); + fclose(f); + } + + return test_main(argc, argv); +}

-- 2.34.1

Jakub Kicinski

5:53 p.m.

New subject: [PATCH net v2 1/3] selftests: net: tls: check if FIPS mode is enabled

On Fri, 9 Jun 2023 13:43:22 -0300 Magali Lemes wrote:

...

diff --git a/tools/testing/selftests/net/tls.c b/tools/testing/selftests/net/tls.c index e699548d4247..0725c60f227c 100644 --- a/tools/testing/selftests/net/tls.c +++ b/tools/testing/selftests/net/tls.c @@ -25,6 +25,8 @@ #define TLS_PAYLOAD_MAX_LEN 16384 #define SOL_TLS 282 +static int fips_enabled = 0;

No need to zero init static variables, but really instead of doing the main() hack you should init this to a return value of a function. And have that function read the value.

...

struct tls_crypto_info_keys { union { struct tls12_crypto_info_aes_gcm_128 aes128;

...

@@ -311,6 +317,9 @@ FIXTURE_SETUP(tls) int one = 1; int ret;
if (fips_enabled && variant->fips_non_compliant)
return;

Eh, let me help you, this should really be part of the SETUP() function but SETUP() doesn't currently handle SKIP(). So you'll need to add this to your series:

diff --git a/tools/testing/selftests/kselftest_harness.h b/tools/testing/selftests/kselftest_harness.h index d8bff2005dfc..3091c345452e 100644 --- a/tools/testing/selftests/kselftest_harness.h +++ b/tools/testing/selftests/kselftest_harness.h @@ -249,7 +249,7 @@

/** * FIXTURE_SETUP() - Prepares the setup function for the fixture. - * *_metadata* is included so that EXPECT_* and ASSERT_* work correctly. + * *_metadata* is included so that EXPECT_*, ASSERT_* etc. work correctly. * * @fixture_name: fixture name * @@ -275,7 +275,7 @@

/** * FIXTURE_TEARDOWN() - * *_metadata* is included so that EXPECT_* and ASSERT_* work correctly. + * *_metadata* is included so that EXPECT_*, ASSERT_* etc. work correctly. * * @fixture_name: fixture name * @@ -388,7 +388,7 @@ if (setjmp(_metadata->env) == 0) { \ fixture_name##_setup(_metadata, &self, variant->data); \ /* Let setup failure terminate early. */ \ - if (!_metadata->passed) \ + if (!_metadata->passed || _metadata->skip) \ return; \ _metadata->setup_completed = true; \ fixture_name##_##test_name(_metadata, &self, variant->data); \

Magali Lemes do Sacramento

6:52 p.m.

New subject: [PATCH net v2 1/3] selftests: net: tls: check if FIPS mode is enabled

Hi!

On Fri, Jun 9, 2023 at 2:53 PM Jakub Kicinski kuba@kernel.org wrote:

...

On Fri, 9 Jun 2023 13:43:22 -0300 Magali Lemes wrote:

...
diff --git a/tools/testing/selftests/net/tls.c b/tools/testing/selftests/net/tls.c index e699548d4247..0725c60f227c 100644 --- a/tools/testing/selftests/net/tls.c +++ b/tools/testing/selftests/net/tls.c @@ -25,6 +25,8 @@ #define TLS_PAYLOAD_MAX_LEN 16384 #define SOL_TLS 282

+static int fips_enabled = 0;

No need to zero init static variables, but really instead of doing the main() hack you should init this to a return value of a function. And have that function read the value.

I'm not sure I understand what you mean here. I agree we want to avoid reading the /proc/sys/crypto/fips_enabled file for every test. However, correct me where I'm wrong, if we want to have fips_enabled as a static global variable I don't think we can directly initialize it from the return value of a function. Could you clarify that, please?

Best regards, Magali

...

...
struct tls_crypto_info_keys { union { struct tls12_crypto_info_aes_gcm_128 aes128;

...
@@ -311,6 +317,9 @@ FIXTURE_SETUP(tls) int one = 1; int ret;
if (fips_enabled && variant->fips_non_compliant)
        return;
Eh, let me help you, this should really be part of the SETUP() function but SETUP() doesn't currently handle SKIP(). So you'll need to add this to your series:

diff --git a/tools/testing/selftests/kselftest_harness.h b/tools/testing/selftests/kselftest_harness.h index d8bff2005dfc..3091c345452e 100644 --- a/tools/testing/selftests/kselftest_harness.h +++ b/tools/testing/selftests/kselftest_harness.h @@ -249,7 +249,7 @@

/**

FIXTURE_SETUP() - Prepares the setup function for the fixture.

*_metadata* is included so that EXPECT_* and ASSERT_* work correctly.

*_metadata* is included so that EXPECT_*, ASSERT_* etc. work correctly.

@fixture_name: fixture name

@@ -275,7 +275,7 @@

/**

FIXTURE_TEARDOWN()

*_metadata* is included so that EXPECT_* and ASSERT_* work correctly.

*_metadata* is included so that EXPECT_*, ASSERT_* etc. work correctly.

@fixture_name: fixture name

@@ -388,7 +388,7 @@ if (setjmp(_metadata->env) == 0) { \ fixture_name##_setup(_metadata, &self, variant->data); \ /* Let setup failure terminate early. */ \
                  if (!_metadata->passed) \
                  if (!_metadata->passed || _metadata->skip) \
                          return; \
                  _metadata->setup_completed = true; \
                  fixture_name##_##test_name(_metadata, &self, variant->data); \

Jakub Kicinski

7:21 p.m.

New subject: [PATCH net v2 1/3] selftests: net: tls: check if FIPS mode is enabled

On Fri, 9 Jun 2023 15:52:10 -0300 Magali Lemes do Sacramento wrote:

...

...
No need to zero init static variables, but really instead of doing the main() hack you should init this to a return value of a function. And have that function read the value.

I'm not sure I understand what you mean here. I agree we want to avoid reading the /proc/sys/crypto/fips_enabled file for every test. However, correct me where I'm wrong, if we want to have fips_enabled as a static global variable I don't think we can directly initialize it from the return value of a function. Could you clarify that, please?

Hm, I thought that worked, I must be misremembering. If it doesn't - let's steal the trick that the harness itself uses and put the init in a function decorated with __attribute__((constructor)).

Magali Lemes do Sacramento

8:15 p.m.

New subject: [PATCH net v2 1/3] selftests: net: tls: check if FIPS mode is enabled

Hi, Jakub.

On Fri, Jun 9, 2023 at 2:53 PM Jakub Kicinski kuba@kernel.org wrote:

...

On Fri, 9 Jun 2023 13:43:22 -0300 Magali Lemes wrote:

...
diff --git a/tools/testing/selftests/net/tls.c b/tools/testing/selftests/net/tls.c index e699548d4247..0725c60f227c 100644 --- a/tools/testing/selftests/net/tls.c +++ b/tools/testing/selftests/net/tls.c @@ -25,6 +25,8 @@ #define TLS_PAYLOAD_MAX_LEN 16384 #define SOL_TLS 282

+static int fips_enabled = 0;

No need to zero init static variables, but really instead of doing the main() hack you should init this to a return value of a function. And have that function read the value.

...
struct tls_crypto_info_keys { union { struct tls12_crypto_info_aes_gcm_128 aes128;

...
@@ -311,6 +317,9 @@ FIXTURE_SETUP(tls) int one = 1; int ret;
if (fips_enabled && variant->fips_non_compliant)
        return;
Eh, let me help you, this should really be part of the SETUP() function but SETUP() doesn't currently handle SKIP(). So you'll need to add this to your series:

May I add your Suggested-by tag to this upcoming patch in this patchset v3?

Jakub Kicinski

9:08 p.m.

New subject: [PATCH net v2 1/3] selftests: net: tls: check if FIPS mode is enabled

On Fri, 9 Jun 2023 17:15:38 -0300 Magali Lemes do Sacramento wrote:

...

...
Eh, let me help you, this should really be part of the SETUP() function but SETUP() doesn't currently handle SKIP(). So you'll need to add this to your series:

May I add your Suggested-by tag to this upcoming patch in this patchset v3?

No strong preference but sure, why not :)

Magali Lemes

4:43 p.m.

New subject: [PATCH net v2 2/3] selftests: net: vrf-xfrm-tests: change authentication and encryption algos

The vrf-xfrm-tests tests use the hmac(md5) and cbc(des3_ede) algorithms for performing authentication and encryption, respectively. This causes the tests to fail when fips=1 is set, since these algorithms are not allowed in FIPS mode. Therefore, switch from hmac(md5) and cbc(des3_ede) to hmac(sha1) and cbc(aes), which are FIPS compliant.

Fixes: 3f251d741150 ("selftests: Add tests for vrf and xfrms") Reviewed-by: David Ahern dsahern@kernel.org Signed-off-by: Magali Lemes magali.lemes@canonical.com --- Changes in v2: - Add R-b tag.

tools/testing/selftests/net/vrf-xfrm-tests.sh | 32 +++++++++---------- 1 file changed, 16 insertions(+), 16 deletions(-)

diff --git a/tools/testing/selftests/net/vrf-xfrm-tests.sh b/tools/testing/selftests/net/vrf-xfrm-tests.sh index 184da81f554f..452638ae8aed 100755 --- a/tools/testing/selftests/net/vrf-xfrm-tests.sh +++ b/tools/testing/selftests/net/vrf-xfrm-tests.sh @@ -264,60 +264,60 @@ setup_xfrm() ip -netns host1 xfrm state add src ${HOST1_4} dst ${HOST2_4} \ proto esp spi ${SPI_1} reqid 0 mode tunnel \ replay-window 4 replay-oseq 0x4 \ - auth-trunc 'hmac(md5)' ${AUTH_1} 96 \ - enc 'cbc(des3_ede)' ${ENC_1} \ + auth-trunc 'hmac(sha1)' ${AUTH_1} 96 \ + enc 'cbc(aes)' ${ENC_1} \ sel src ${h1_4} dst ${h2_4} ${devarg}

ip -netns host2 xfrm state add src ${HOST1_4} dst ${HOST2_4} \ proto esp spi ${SPI_1} reqid 0 mode tunnel \ replay-window 4 replay-oseq 0x4 \ - auth-trunc 'hmac(md5)' ${AUTH_1} 96 \ - enc 'cbc(des3_ede)' ${ENC_1} \ + auth-trunc 'hmac(sha1)' ${AUTH_1} 96 \ + enc 'cbc(aes)' ${ENC_1} \ sel src ${h1_4} dst ${h2_4}

ip -netns host1 xfrm state add src ${HOST2_4} dst ${HOST1_4} \ proto esp spi ${SPI_2} reqid 0 mode tunnel \ replay-window 4 replay-oseq 0x4 \ - auth-trunc 'hmac(md5)' ${AUTH_2} 96 \ - enc 'cbc(des3_ede)' ${ENC_2} \ + auth-trunc 'hmac(sha1)' ${AUTH_2} 96 \ + enc 'cbc(aes)' ${ENC_2} \ sel src ${h2_4} dst ${h1_4} ${devarg}

ip -netns host2 xfrm state add src ${HOST2_4} dst ${HOST1_4} \ proto esp spi ${SPI_2} reqid 0 mode tunnel \ replay-window 4 replay-oseq 0x4 \ - auth-trunc 'hmac(md5)' ${AUTH_2} 96 \ - enc 'cbc(des3_ede)' ${ENC_2} \ + auth-trunc 'hmac(sha1)' ${AUTH_2} 96 \ + enc 'cbc(aes)' ${ENC_2} \ sel src ${h2_4} dst ${h1_4}

ip -6 -netns host1 xfrm state add src ${HOST1_6} dst ${HOST2_6} \ proto esp spi ${SPI_1} reqid 0 mode tunnel \ replay-window 4 replay-oseq 0x4 \ - auth-trunc 'hmac(md5)' ${AUTH_1} 96 \ - enc 'cbc(des3_ede)' ${ENC_1} \ + auth-trunc 'hmac(sha1)' ${AUTH_1} 96 \ + enc 'cbc(aes)' ${ENC_1} \ sel src ${h1_6} dst ${h2_6} ${devarg}

ip -6 -netns host2 xfrm state add src ${HOST1_6} dst ${HOST2_6} \ proto esp spi ${SPI_1} reqid 0 mode tunnel \ replay-window 4 replay-oseq 0x4 \ - auth-trunc 'hmac(md5)' ${AUTH_1} 96 \ - enc 'cbc(des3_ede)' ${ENC_1} \ + auth-trunc 'hmac(sha1)' ${AUTH_1} 96 \ + enc 'cbc(aes)' ${ENC_1} \ sel src ${h1_6} dst ${h2_6}

ip -6 -netns host1 xfrm state add src ${HOST2_6} dst ${HOST1_6} \ proto esp spi ${SPI_2} reqid 0 mode tunnel \ replay-window 4 replay-oseq 0x4 \ - auth-trunc 'hmac(md5)' ${AUTH_2} 96 \ - enc 'cbc(des3_ede)' ${ENC_2} \ + auth-trunc 'hmac(sha1)' ${AUTH_2} 96 \ + enc 'cbc(aes)' ${ENC_2} \ sel src ${h2_6} dst ${h1_6} ${devarg}

ip -6 -netns host2 xfrm state add src ${HOST2_6} dst ${HOST1_6} \ proto esp spi ${SPI_2} reqid 0 mode tunnel \ replay-window 4 replay-oseq 0x4 \ - auth-trunc 'hmac(md5)' ${AUTH_2} 96 \ - enc 'cbc(des3_ede)' ${ENC_2} \ + auth-trunc 'hmac(sha1)' ${AUTH_2} 96 \ + enc 'cbc(aes)' ${ENC_2} \ sel src ${h2_6} dst ${h1_6} }

-- 2.34.1

Magali Lemes

4:43 p.m.

New subject: [PATCH net v2 3/3] selftests: net: fcnal-test: check if FIPS mode is enabled

There are some MD5 tests which fail when the kernel is in FIPS mode, since MD5 is not FIPS compliant. Add a check and only run those tests if FIPS mode is not enabled.

Fixes: f0bee1ebb5594 ("fcnal-test: Add TCP MD5 tests") Fixes: 5cad8bce26e01 ("fcnal-test: Add TCP MD5 tests for VRF") Reviewed-by: David Ahern dsahern@kernel.org Signed-off-by: Magali Lemes magali.lemes@canonical.com --- Changes in v2: - Add R-b tag.

tools/testing/selftests/net/fcnal-test.sh | 27 ++++++++++++++++------- 1 file changed, 19 insertions(+), 8 deletions(-)

diff --git a/tools/testing/selftests/net/fcnal-test.sh b/tools/testing/selftests/net/fcnal-test.sh index 21ca91473c09..ee6880ac3e5e 100755 --- a/tools/testing/selftests/net/fcnal-test.sh +++ b/tools/testing/selftests/net/fcnal-test.sh @@ -92,6 +92,13 @@ NSC_CMD="ip netns exec ${NSC}"

which ping6 > /dev/null 2>&1 && ping6=$(which ping6) || ping6=$(which ping)

+# Check if FIPS mode is enabled +if [ -f /proc/sys/crypto/fips_enabled ]; then + fips_enabled=`cat /proc/sys/crypto/fips_enabled` +else + fips_enabled=0 +fi + ################################################################################ # utilities

@@ -1216,7 +1223,7 @@ ipv4_tcp_novrf() run_cmd nettest -d ${NSA_DEV} -r ${a} log_test_addr ${a} $? 1 "No server, device client, local conn"

- ipv4_tcp_md5_novrf + [ "$fips_enabled" = "1" ] || ipv4_tcp_md5_novrf }

ipv4_tcp_vrf() @@ -1270,9 +1277,11 @@ ipv4_tcp_vrf() log_test_addr ${a} $? 1 "Global server, local connection"

# run MD5 tests - setup_vrf_dup - ipv4_tcp_md5 - cleanup_vrf_dup + if [ "$fips_enabled" = "0" ]; then + setup_vrf_dup + ipv4_tcp_md5 + cleanup_vrf_dup + fi

# # enable VRF global server @@ -2772,7 +2781,7 @@ ipv6_tcp_novrf() log_test_addr ${a} $? 1 "No server, device client, local conn" done

- ipv6_tcp_md5_novrf + [ "$fips_enabled" = "1" ] || ipv6_tcp_md5_novrf }

ipv6_tcp_vrf() @@ -2842,9 +2851,11 @@ ipv6_tcp_vrf() log_test_addr ${a} $? 1 "Global server, local connection"

# run MD5 tests - setup_vrf_dup - ipv6_tcp_md5 - cleanup_vrf_dup + if [ "$fips_enabled" = "0" ]; then + setup_vrf_dup + ipv6_tcp_md5 + cleanup_vrf_dup + fi

# # enable VRF global server

-- 2.34.1

562

days inactive

562

days old

linux-kselftest-mirror@lists.linaro.org

8 comments

participants

tags (0)

participants (3)

Jakub Kicinski
Magali Lemes
Magali Lemes do Sacramento