Merge branch 'check-if-fips-mode-is-enabled-when-running-selftests'
Magali Lemes says: ==================== Check if FIPS mode is enabled when running selftests Some test cases from net/tls, net/fcnal-test and net/vrf-xfrm-tests that rely on cryptographic functions to work and use non-compliant FIPS algorithms fail in FIPS mode. In order to allow these tests to pass in a wider set of kernels, - for net/tls, skip the test variants that use the ChaCha20-Poly1305 and SM4 algorithms, when FIPS mode is enabled; - for net/fcnal-test, skip the MD5 tests, when FIPS mode is enabled; - for net/vrf-xfrm-tests, replace the algorithms that are not FIPS-compliant with compliant ones. v1: https://lore.kernel.org/netdev/20230607174302.19542-1-magali.lemes@canonical.com/ v2: https://lore.kernel.org/netdev/20230609164324.497813-1-magali.lemes@canonical.com/ v3: https://lore.kernel.org/netdev/20230612125107.73795-1-magali.lemes@canonical.com/ ==================== Link: https://lore.kernel.org/r/20230613123222.631897-1-magali.lemes@canonical.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
This commit is contained in:
commit
d4e067287b
|
@ -249,7 +249,7 @@
|
|||
|
||||
/**
|
||||
* FIXTURE_SETUP() - Prepares the setup function for the fixture.
|
||||
* *_metadata* is included so that EXPECT_* and ASSERT_* work correctly.
|
||||
* *_metadata* is included so that EXPECT_*, ASSERT_* etc. work correctly.
|
||||
*
|
||||
* @fixture_name: fixture name
|
||||
*
|
||||
|
@ -275,7 +275,7 @@
|
|||
|
||||
/**
|
||||
* FIXTURE_TEARDOWN()
|
||||
* *_metadata* is included so that EXPECT_* and ASSERT_* work correctly.
|
||||
* *_metadata* is included so that EXPECT_*, ASSERT_* etc. work correctly.
|
||||
*
|
||||
* @fixture_name: fixture name
|
||||
*
|
||||
|
@ -388,7 +388,7 @@
|
|||
if (setjmp(_metadata->env) == 0) { \
|
||||
fixture_name##_setup(_metadata, &self, variant->data); \
|
||||
/* Let setup failure terminate early. */ \
|
||||
if (!_metadata->passed) \
|
||||
if (!_metadata->passed || _metadata->skip) \
|
||||
return; \
|
||||
_metadata->setup_completed = true; \
|
||||
fixture_name##_##test_name(_metadata, &self, variant->data); \
|
||||
|
|
|
@ -92,6 +92,13 @@ NSC_CMD="ip netns exec ${NSC}"
|
|||
|
||||
which ping6 > /dev/null 2>&1 && ping6=$(which ping6) || ping6=$(which ping)
|
||||
|
||||
# Check if FIPS mode is enabled
|
||||
if [ -f /proc/sys/crypto/fips_enabled ]; then
|
||||
fips_enabled=`cat /proc/sys/crypto/fips_enabled`
|
||||
else
|
||||
fips_enabled=0
|
||||
fi
|
||||
|
||||
################################################################################
|
||||
# utilities
|
||||
|
||||
|
@ -1216,7 +1223,7 @@ ipv4_tcp_novrf()
|
|||
run_cmd nettest -d ${NSA_DEV} -r ${a}
|
||||
log_test_addr ${a} $? 1 "No server, device client, local conn"
|
||||
|
||||
ipv4_tcp_md5_novrf
|
||||
[ "$fips_enabled" = "1" ] || ipv4_tcp_md5_novrf
|
||||
}
|
||||
|
||||
ipv4_tcp_vrf()
|
||||
|
@ -1270,9 +1277,11 @@ ipv4_tcp_vrf()
|
|||
log_test_addr ${a} $? 1 "Global server, local connection"
|
||||
|
||||
# run MD5 tests
|
||||
setup_vrf_dup
|
||||
ipv4_tcp_md5
|
||||
cleanup_vrf_dup
|
||||
if [ "$fips_enabled" = "0" ]; then
|
||||
setup_vrf_dup
|
||||
ipv4_tcp_md5
|
||||
cleanup_vrf_dup
|
||||
fi
|
||||
|
||||
#
|
||||
# enable VRF global server
|
||||
|
@ -2772,7 +2781,7 @@ ipv6_tcp_novrf()
|
|||
log_test_addr ${a} $? 1 "No server, device client, local conn"
|
||||
done
|
||||
|
||||
ipv6_tcp_md5_novrf
|
||||
[ "$fips_enabled" = "1" ] || ipv6_tcp_md5_novrf
|
||||
}
|
||||
|
||||
ipv6_tcp_vrf()
|
||||
|
@ -2842,9 +2851,11 @@ ipv6_tcp_vrf()
|
|||
log_test_addr ${a} $? 1 "Global server, local connection"
|
||||
|
||||
# run MD5 tests
|
||||
setup_vrf_dup
|
||||
ipv6_tcp_md5
|
||||
cleanup_vrf_dup
|
||||
if [ "$fips_enabled" = "0" ]; then
|
||||
setup_vrf_dup
|
||||
ipv6_tcp_md5
|
||||
cleanup_vrf_dup
|
||||
fi
|
||||
|
||||
#
|
||||
# enable VRF global server
|
||||
|
|
|
@ -25,6 +25,8 @@
|
|||
#define TLS_PAYLOAD_MAX_LEN 16384
|
||||
#define SOL_TLS 282
|
||||
|
||||
static int fips_enabled;
|
||||
|
||||
struct tls_crypto_info_keys {
|
||||
union {
|
||||
struct tls12_crypto_info_aes_gcm_128 aes128;
|
||||
|
@ -235,7 +237,7 @@ FIXTURE_VARIANT(tls)
|
|||
{
|
||||
uint16_t tls_version;
|
||||
uint16_t cipher_type;
|
||||
bool nopad;
|
||||
bool nopad, fips_non_compliant;
|
||||
};
|
||||
|
||||
FIXTURE_VARIANT_ADD(tls, 12_aes_gcm)
|
||||
|
@ -254,24 +256,28 @@ FIXTURE_VARIANT_ADD(tls, 12_chacha)
|
|||
{
|
||||
.tls_version = TLS_1_2_VERSION,
|
||||
.cipher_type = TLS_CIPHER_CHACHA20_POLY1305,
|
||||
.fips_non_compliant = true,
|
||||
};
|
||||
|
||||
FIXTURE_VARIANT_ADD(tls, 13_chacha)
|
||||
{
|
||||
.tls_version = TLS_1_3_VERSION,
|
||||
.cipher_type = TLS_CIPHER_CHACHA20_POLY1305,
|
||||
.fips_non_compliant = true,
|
||||
};
|
||||
|
||||
FIXTURE_VARIANT_ADD(tls, 13_sm4_gcm)
|
||||
{
|
||||
.tls_version = TLS_1_3_VERSION,
|
||||
.cipher_type = TLS_CIPHER_SM4_GCM,
|
||||
.fips_non_compliant = true,
|
||||
};
|
||||
|
||||
FIXTURE_VARIANT_ADD(tls, 13_sm4_ccm)
|
||||
{
|
||||
.tls_version = TLS_1_3_VERSION,
|
||||
.cipher_type = TLS_CIPHER_SM4_CCM,
|
||||
.fips_non_compliant = true,
|
||||
};
|
||||
|
||||
FIXTURE_VARIANT_ADD(tls, 12_aes_ccm)
|
||||
|
@ -311,6 +317,9 @@ FIXTURE_SETUP(tls)
|
|||
int one = 1;
|
||||
int ret;
|
||||
|
||||
if (fips_enabled && variant->fips_non_compliant)
|
||||
SKIP(return, "Unsupported cipher in FIPS mode");
|
||||
|
||||
tls_crypto_info_init(variant->tls_version, variant->cipher_type,
|
||||
&tls12);
|
||||
|
||||
|
@ -1865,4 +1874,17 @@ TEST(prequeue) {
|
|||
close(cfd);
|
||||
}
|
||||
|
||||
static void __attribute__((constructor)) fips_check(void) {
|
||||
int res;
|
||||
FILE *f;
|
||||
|
||||
f = fopen("/proc/sys/crypto/fips_enabled", "r");
|
||||
if (f) {
|
||||
res = fscanf(f, "%d", &fips_enabled);
|
||||
if (res != 1)
|
||||
ksft_print_msg("ERROR: Couldn't read /proc/sys/crypto/fips_enabled\n");
|
||||
fclose(f);
|
||||
}
|
||||
}
|
||||
|
||||
TEST_HARNESS_MAIN
|
||||
|
|
|
@ -264,60 +264,60 @@ setup_xfrm()
|
|||
ip -netns host1 xfrm state add src ${HOST1_4} dst ${HOST2_4} \
|
||||
proto esp spi ${SPI_1} reqid 0 mode tunnel \
|
||||
replay-window 4 replay-oseq 0x4 \
|
||||
auth-trunc 'hmac(md5)' ${AUTH_1} 96 \
|
||||
enc 'cbc(des3_ede)' ${ENC_1} \
|
||||
auth-trunc 'hmac(sha1)' ${AUTH_1} 96 \
|
||||
enc 'cbc(aes)' ${ENC_1} \
|
||||
sel src ${h1_4} dst ${h2_4} ${devarg}
|
||||
|
||||
ip -netns host2 xfrm state add src ${HOST1_4} dst ${HOST2_4} \
|
||||
proto esp spi ${SPI_1} reqid 0 mode tunnel \
|
||||
replay-window 4 replay-oseq 0x4 \
|
||||
auth-trunc 'hmac(md5)' ${AUTH_1} 96 \
|
||||
enc 'cbc(des3_ede)' ${ENC_1} \
|
||||
auth-trunc 'hmac(sha1)' ${AUTH_1} 96 \
|
||||
enc 'cbc(aes)' ${ENC_1} \
|
||||
sel src ${h1_4} dst ${h2_4}
|
||||
|
||||
|
||||
ip -netns host1 xfrm state add src ${HOST2_4} dst ${HOST1_4} \
|
||||
proto esp spi ${SPI_2} reqid 0 mode tunnel \
|
||||
replay-window 4 replay-oseq 0x4 \
|
||||
auth-trunc 'hmac(md5)' ${AUTH_2} 96 \
|
||||
enc 'cbc(des3_ede)' ${ENC_2} \
|
||||
auth-trunc 'hmac(sha1)' ${AUTH_2} 96 \
|
||||
enc 'cbc(aes)' ${ENC_2} \
|
||||
sel src ${h2_4} dst ${h1_4} ${devarg}
|
||||
|
||||
ip -netns host2 xfrm state add src ${HOST2_4} dst ${HOST1_4} \
|
||||
proto esp spi ${SPI_2} reqid 0 mode tunnel \
|
||||
replay-window 4 replay-oseq 0x4 \
|
||||
auth-trunc 'hmac(md5)' ${AUTH_2} 96 \
|
||||
enc 'cbc(des3_ede)' ${ENC_2} \
|
||||
auth-trunc 'hmac(sha1)' ${AUTH_2} 96 \
|
||||
enc 'cbc(aes)' ${ENC_2} \
|
||||
sel src ${h2_4} dst ${h1_4}
|
||||
|
||||
|
||||
ip -6 -netns host1 xfrm state add src ${HOST1_6} dst ${HOST2_6} \
|
||||
proto esp spi ${SPI_1} reqid 0 mode tunnel \
|
||||
replay-window 4 replay-oseq 0x4 \
|
||||
auth-trunc 'hmac(md5)' ${AUTH_1} 96 \
|
||||
enc 'cbc(des3_ede)' ${ENC_1} \
|
||||
auth-trunc 'hmac(sha1)' ${AUTH_1} 96 \
|
||||
enc 'cbc(aes)' ${ENC_1} \
|
||||
sel src ${h1_6} dst ${h2_6} ${devarg}
|
||||
|
||||
ip -6 -netns host2 xfrm state add src ${HOST1_6} dst ${HOST2_6} \
|
||||
proto esp spi ${SPI_1} reqid 0 mode tunnel \
|
||||
replay-window 4 replay-oseq 0x4 \
|
||||
auth-trunc 'hmac(md5)' ${AUTH_1} 96 \
|
||||
enc 'cbc(des3_ede)' ${ENC_1} \
|
||||
auth-trunc 'hmac(sha1)' ${AUTH_1} 96 \
|
||||
enc 'cbc(aes)' ${ENC_1} \
|
||||
sel src ${h1_6} dst ${h2_6}
|
||||
|
||||
|
||||
ip -6 -netns host1 xfrm state add src ${HOST2_6} dst ${HOST1_6} \
|
||||
proto esp spi ${SPI_2} reqid 0 mode tunnel \
|
||||
replay-window 4 replay-oseq 0x4 \
|
||||
auth-trunc 'hmac(md5)' ${AUTH_2} 96 \
|
||||
enc 'cbc(des3_ede)' ${ENC_2} \
|
||||
auth-trunc 'hmac(sha1)' ${AUTH_2} 96 \
|
||||
enc 'cbc(aes)' ${ENC_2} \
|
||||
sel src ${h2_6} dst ${h1_6} ${devarg}
|
||||
|
||||
ip -6 -netns host2 xfrm state add src ${HOST2_6} dst ${HOST1_6} \
|
||||
proto esp spi ${SPI_2} reqid 0 mode tunnel \
|
||||
replay-window 4 replay-oseq 0x4 \
|
||||
auth-trunc 'hmac(md5)' ${AUTH_2} 96 \
|
||||
enc 'cbc(des3_ede)' ${ENC_2} \
|
||||
auth-trunc 'hmac(sha1)' ${AUTH_2} 96 \
|
||||
enc 'cbc(aes)' ${ENC_2} \
|
||||
sel src ${h2_6} dst ${h1_6}
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in New Issue