selftests: net: tls: check if FIPS mode is enabled
TLS selftests use the ChaCha20-Poly1305 and SM4 algorithms, which are not FIPS compliant. When fips=1, this set of tests fails. Add a check and only run these tests if not in FIPS mode.

Fixes: 4f336e88a8 ("selftests/tls: add CHACHA20-POLY1305 to tls selftests")
Fixes: e506342a03 ("selftests/tls: add SM4 GCM/CCM to tls selftests")
Reviewed-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Magali Lemes <magali.lemes@canonical.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
parent
372b304c1e
commit
d113c395c6
|
@ -25,6 +25,8 @@
|
|||
#define TLS_PAYLOAD_MAX_LEN 16384
|
||||
#define SOL_TLS 282
|
||||
|
||||
static int fips_enabled;
|
||||
|
||||
struct tls_crypto_info_keys {
|
||||
union {
|
||||
struct tls12_crypto_info_aes_gcm_128 aes128;
|
||||
|
@ -235,7 +237,7 @@ FIXTURE_VARIANT(tls)
|
|||
{
|
||||
uint16_t tls_version;
|
||||
uint16_t cipher_type;
|
||||
bool nopad;
|
||||
bool nopad, fips_non_compliant;
|
||||
};
|
||||
|
||||
FIXTURE_VARIANT_ADD(tls, 12_aes_gcm)
|
||||
|
@ -254,24 +256,28 @@ FIXTURE_VARIANT_ADD(tls, 12_chacha)
|
|||
{
|
||||
.tls_version = TLS_1_2_VERSION,
|
||||
.cipher_type = TLS_CIPHER_CHACHA20_POLY1305,
|
||||
.fips_non_compliant = true,
|
||||
};
|
||||
|
||||
FIXTURE_VARIANT_ADD(tls, 13_chacha)
|
||||
{
|
||||
.tls_version = TLS_1_3_VERSION,
|
||||
.cipher_type = TLS_CIPHER_CHACHA20_POLY1305,
|
||||
.fips_non_compliant = true,
|
||||
};
|
||||
|
||||
FIXTURE_VARIANT_ADD(tls, 13_sm4_gcm)
|
||||
{
|
||||
.tls_version = TLS_1_3_VERSION,
|
||||
.cipher_type = TLS_CIPHER_SM4_GCM,
|
||||
.fips_non_compliant = true,
|
||||
};
|
||||
|
||||
FIXTURE_VARIANT_ADD(tls, 13_sm4_ccm)
|
||||
{
|
||||
.tls_version = TLS_1_3_VERSION,
|
||||
.cipher_type = TLS_CIPHER_SM4_CCM,
|
||||
.fips_non_compliant = true,
|
||||
};
|
||||
|
||||
FIXTURE_VARIANT_ADD(tls, 12_aes_ccm)
|
||||
|
@ -311,6 +317,9 @@ FIXTURE_SETUP(tls)
|
|||
int one = 1;
|
||||
int ret;
|
||||
|
||||
if (fips_enabled && variant->fips_non_compliant)
|
||||
SKIP(return, "Unsupported cipher in FIPS mode");
|
||||
|
||||
tls_crypto_info_init(variant->tls_version, variant->cipher_type,
|
||||
&tls12);
|
||||
|
||||
|
@ -1865,4 +1874,17 @@ TEST(prequeue) {
|
|||
close(cfd);
|
||||
}
|
||||
|
||||
static void __attribute__((constructor)) fips_check(void) {
|
||||
int res;
|
||||
FILE *f;
|
||||
|
||||
f = fopen("/proc/sys/crypto/fips_enabled", "r");
|
||||
if (f) {
|
||||
res = fscanf(f, "%d", &fips_enabled);
|
||||
if (res != 1)
|
||||
ksft_print_msg("ERROR: Couldn't read /proc/sys/crypto/fips_enabled\n");
|
||||
fclose(f);
|
||||
}
|
||||
}
|
||||
|
||||
TEST_HARNESS_MAIN
|
||||
|
|
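Review bot: In `fips_check`, a failed `fscanf` is logged as an ERROR but the run then continues with `fips_enabled` still 0, so on a FIPS host the ChaCha20-Poly1305 and SM4 variants would run and fail instead of being skipped. The message should state the fallback, e.g. `ksft_print_msg("ERROR: Couldn't read /proc/sys/crypto/fips_enabled, assuming FIPS mode is off\n");`. The silent `fopen` failure path deserves a comment such as `/* No fips_enabled file: presumably no FIPS support in this kernel, leave fips_enabled at 0 */`. The skip also depends on each variant setting `.fips_non_compliant = true` by hand, so the field in `FIXTURE_VARIANT(tls)` could carry `/* set for ciphers that are not FIPS-approved; such variants are skipped when fips=1 */` to make sure later cipher additions are flagged. With these variants skipped, nothing in the suite checks what the kernel does with those ciphers under fips=1, which may merit a follow-up negative test.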