
Merge branch 'check-if-fips-mode-is-enabled-when-running-selftests'

Magali Lemes says:

====================
Check if FIPS mode is enabled when running selftests

Some test cases from net/tls, net/fcnal-test and net/vrf-xfrm-tests
that rely on cryptographic functions and use non-FIPS-compliant
algorithms fail in FIPS mode.

In order to allow these tests to pass in a wider set of kernels,
- for net/tls, skip the test variants that use the ChaCha20-Poly1305
and SM4 algorithms, when FIPS mode is enabled;
- for net/fcnal-test, skip the MD5 tests, when FIPS mode is enabled;
- for net/vrf-xfrm-tests, replace the algorithms that are not
FIPS-compliant with compliant ones.

v1: https://lore.kernel.org/netdev/20230607174302.19542-1-magali.lemes@canonical.com/
v2: https://lore.kernel.org/netdev/20230609164324.497813-1-magali.lemes@canonical.com/
v3: https://lore.kernel.org/netdev/20230612125107.73795-1-magali.lemes@canonical.com/
====================

Link: https://lore.kernel.org/r/20230613123222.631897-1-magali.lemes@canonical.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

+61 -28
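--- a/tools/testing/selftests/kselftest_harness.h
+++ b/tools/testing/selftests/kselftest_harness.h
@@ -249,7 +249,7 @@
 
 /**
  * FIXTURE_SETUP() - Prepares the setup function for the fixture.
- * *_metadata* is included so that EXPECT_* and ASSERT_* work correctly.
+ * *_metadata* is included so that EXPECT_*, ASSERT_* etc. work correctly.
  *
  * @fixture_name: fixture name
  *
@@ -275,7 +275,7 @@
 
 /**
  * FIXTURE_TEARDOWN()
- * *_metadata* is included so that EXPECT_* and ASSERT_* work correctly.
+ * *_metadata* is included so that EXPECT_*, ASSERT_* etc. work correctly.
  *
  * @fixture_name: fixture name
  *
@@ -388,7 +388,7 @@
 		if (setjmp(_metadata->env) == 0) { \
 			fixture_name##_setup(_metadata, &self, variant->data); \
 			/* Let setup failure terminate early. */ \
-			if (!_metadata->passed) \
+			if (!_metadata->passed || _metadata->skip) \
 				return; \
 			_metadata->setup_completed = true; \
 			fixture_name##_##test_name(_metadata, &self, variant->data); \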
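Review bot: The comment directly above the changed condition, `/* Let setup failure terminate early. */`, no longer describes the check, which now also returns when the fixture setup called SKIP(); a reader would otherwise assume a skip raised in setup still runs the test body. Suggest `/* Let setup failure or an explicit skip terminate early. */`. The enclosing macro body starts and ends outside the hunk, so whether teardown is reached on the skip path cannot be confirmed from here; the return before `setup_completed = true` suggests it is handled like a failed setup.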
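--- a/tools/testing/selftests/net/fcnal-test.sh
+++ b/tools/testing/selftests/net/fcnal-test.sh
@@ -92,6 +92,13 @@
 
 which ping6 > /dev/null 2>&1 && ping6=$(which ping6) || ping6=$(which ping)
 
+# Check if FIPS mode is enabled
+if [ -f /proc/sys/crypto/fips_enabled ]; then
+	fips_enabled=`cat /proc/sys/crypto/fips_enabled`
+else
+	fips_enabled=0
+fi
+
 ################################################################################
 # utilities
 
@@ -1223,7 +1216,7 @@
 	run_cmd nettest -d ${NSA_DEV} -r ${a}
 	log_test_addr ${a} $? 1 "No server, device client, local conn"
 
-	ipv4_tcp_md5_novrf
+	[ "$fips_enabled" = "1" ] || ipv4_tcp_md5_novrf
 }
 
 ipv4_tcp_vrf()
@@ -1277,9 +1270,11 @@
 	log_test_addr ${a} $? 1 "Global server, local connection"
 
 	# run MD5 tests
-	setup_vrf_dup
-	ipv4_tcp_md5
-	cleanup_vrf_dup
+	if [ "$fips_enabled" = "0" ]; then
+		setup_vrf_dup
+		ipv4_tcp_md5
+		cleanup_vrf_dup
+	fi
 
 	#
 	# enable VRF global server
@@ -2781,7 +2772,7 @@
 		log_test_addr ${a} $? 1 "No server, device client, local conn"
 	done
 
-	ipv6_tcp_md5_novrf
+	[ "$fips_enabled" = "1" ] || ipv6_tcp_md5_novrf
 }
 
 ipv6_tcp_vrf()
@@ -2851,9 +2842,11 @@
 	log_test_addr ${a} $? 1 "Global server, local connection"
 
 	# run MD5 tests
-	setup_vrf_dup
-	ipv6_tcp_md5
-	cleanup_vrf_dup
+	if [ "$fips_enabled" = "0" ]; then
+		setup_vrf_dup
+		ipv6_tcp_md5
+		cleanup_vrf_dup
+	fi
 
 	#
 	# enable VRF global server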
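Review bot: The guards disagree on the sentinel: the `_novrf` calls in the 1216 and 2772 hunks run unless `fips_enabled` is exactly `"1"`, while the VRF MD5 blocks in the 1270 and 2842 hunks run only when it is exactly `"0"`, so any other value (an empty read, a stray trailing character) runs one set of MD5 tests and silently skips the other. Normalize once at the read site, e.g. `[ "$fips_enabled" = "1" ] || fips_enabled=0` after the `if/else` in the first hunk, or use the same `= "1"` test in all four places. The backtick substitution on the `cat` line could also be `$(cat /proc/sys/crypto/fips_enabled)`, matching the `$(which ping6)` line just above it. The skips are silent; a one-line log message at each skip would make a FIPS run distinguishable from a broken MD5 path in the test output.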
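--- a/tools/testing/selftests/net/tls.c
+++ b/tools/testing/selftests/net/tls.c
@@ -25,6 +25,8 @@
 #define TLS_PAYLOAD_MAX_LEN 16384
 #define SOL_TLS 282
 
+static int fips_enabled;
+
 struct tls_crypto_info_keys {
 	union {
 		struct tls12_crypto_info_aes_gcm_128 aes128;
@@ -237,7 +235,7 @@
 {
 	uint16_t tls_version;
 	uint16_t cipher_type;
-	bool nopad;
+	bool nopad, fips_non_compliant;
 };
 
 FIXTURE_VARIANT_ADD(tls, 12_aes_gcm)
@@ -256,24 +254,28 @@
 {
 	.tls_version = TLS_1_2_VERSION,
 	.cipher_type = TLS_CIPHER_CHACHA20_POLY1305,
+	.fips_non_compliant = true,
 };
 
 FIXTURE_VARIANT_ADD(tls, 13_chacha)
 {
 	.tls_version = TLS_1_3_VERSION,
 	.cipher_type = TLS_CIPHER_CHACHA20_POLY1305,
+	.fips_non_compliant = true,
 };
 
 FIXTURE_VARIANT_ADD(tls, 13_sm4_gcm)
 {
 	.tls_version = TLS_1_3_VERSION,
 	.cipher_type = TLS_CIPHER_SM4_GCM,
+	.fips_non_compliant = true,
 };
 
 FIXTURE_VARIANT_ADD(tls, 13_sm4_ccm)
 {
 	.tls_version = TLS_1_3_VERSION,
 	.cipher_type = TLS_CIPHER_SM4_CCM,
+	.fips_non_compliant = true,
 };
 
 FIXTURE_VARIANT_ADD(tls, 12_aes_ccm)
@@ -316,6 +310,9 @@
 	struct tls_crypto_info_keys tls12;
 	int one = 1;
 	int ret;
+
+	if (fips_enabled && variant->fips_non_compliant)
+		SKIP(return, "Unsupported cipher in FIPS mode");
 
 	tls_crypto_info_init(variant->tls_version, variant->cipher_type,
 			     &tls12);
@@ -1872,6 +1863,19 @@
 
 	close(fd);
 	close(cfd);
+}
+
+static void __attribute__((constructor)) fips_check(void) {
+	int res;
+	FILE *f;
+
+	f = fopen("/proc/sys/crypto/fips_enabled", "r");
+	if (f) {
+		res = fscanf(f, "%d", &fips_enabled);
+		if (res != 1)
+			ksft_print_msg("ERROR: Couldn't read /proc/sys/crypto/fips_enabled\n");
+		fclose(f);
+	}
 }
 
 TEST_HARNESS_MAIN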
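Review bot: `static int fips_enabled;` in the first hunk carries no comment saying where its value comes from or what an unreadable file means; suggest `/* Read by fips_check() from /proc/sys/crypto/fips_enabled; stays 0 when the file is absent or cannot be parsed. */`, which matches the constructor in the last hunk, where a failed fopen() or fscanf() leaves the zero-initialised value untouched. In that last hunk, `static void __attribute__((constructor)) fips_check(void) {` places the opening brace on the signature line, unlike the function it follows; kernel style puts it on its own line, and `int res` can be declared at the `fscanf` assignment. The SKIP added to the setup hunk only stops the test body because this series also teaches the harness to honour `_metadata->skip` after setup (the kselftest_harness.h change above); on a harness without that change the body would still run against the unsupported cipher, which is worth a short comment next to the SKIP.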
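--- a/tools/testing/selftests/net/vrf-xfrm-tests.sh
+++ b/tools/testing/selftests/net/vrf-xfrm-tests.sh
@@ -264,60 +264,60 @@
 	ip -netns host1 xfrm state add src ${HOST1_4} dst ${HOST2_4} \
 	    proto esp spi ${SPI_1} reqid 0 mode tunnel \
 	    replay-window 4 replay-oseq 0x4 \
-	    auth-trunc 'hmac(md5)' ${AUTH_1} 96 \
-	    enc 'cbc(des3_ede)' ${ENC_1} \
+	    auth-trunc 'hmac(sha1)' ${AUTH_1} 96 \
+	    enc 'cbc(aes)' ${ENC_1} \
 	    sel src ${h1_4} dst ${h2_4} ${devarg}
 
 	ip -netns host2 xfrm state add src ${HOST1_4} dst ${HOST2_4} \
 	    proto esp spi ${SPI_1} reqid 0 mode tunnel \
 	    replay-window 4 replay-oseq 0x4 \
-	    auth-trunc 'hmac(md5)' ${AUTH_1} 96 \
-	    enc 'cbc(des3_ede)' ${ENC_1} \
+	    auth-trunc 'hmac(sha1)' ${AUTH_1} 96 \
+	    enc 'cbc(aes)' ${ENC_1} \
 	    sel src ${h1_4} dst ${h2_4}
 
 
 	ip -netns host1 xfrm state add src ${HOST2_4} dst ${HOST1_4} \
 	    proto esp spi ${SPI_2} reqid 0 mode tunnel \
 	    replay-window 4 replay-oseq 0x4 \
-	    auth-trunc 'hmac(md5)' ${AUTH_2} 96 \
-	    enc 'cbc(des3_ede)' ${ENC_2} \
+	    auth-trunc 'hmac(sha1)' ${AUTH_2} 96 \
+	    enc 'cbc(aes)' ${ENC_2} \
 	    sel src ${h2_4} dst ${h1_4} ${devarg}
 
 	ip -netns host2 xfrm state add src ${HOST2_4} dst ${HOST1_4} \
 	    proto esp spi ${SPI_2} reqid 0 mode tunnel \
 	    replay-window 4 replay-oseq 0x4 \
-	    auth-trunc 'hmac(md5)' ${AUTH_2} 96 \
-	    enc 'cbc(des3_ede)' ${ENC_2} \
+	    auth-trunc 'hmac(sha1)' ${AUTH_2} 96 \
+	    enc 'cbc(aes)' ${ENC_2} \
 	    sel src ${h2_4} dst ${h1_4}
 
 
 	ip -6 -netns host1 xfrm state add src ${HOST1_6} dst ${HOST2_6} \
 	    proto esp spi ${SPI_1} reqid 0 mode tunnel \
 	    replay-window 4 replay-oseq 0x4 \
-	    auth-trunc 'hmac(md5)' ${AUTH_1} 96 \
-	    enc 'cbc(des3_ede)' ${ENC_1} \
+	    auth-trunc 'hmac(sha1)' ${AUTH_1} 96 \
+	    enc 'cbc(aes)' ${ENC_1} \
 	    sel src ${h1_6} dst ${h2_6} ${devarg}
 
 	ip -6 -netns host2 xfrm state add src ${HOST1_6} dst ${HOST2_6} \
 	    proto esp spi ${SPI_1} reqid 0 mode tunnel \
 	    replay-window 4 replay-oseq 0x4 \
-	    auth-trunc 'hmac(md5)' ${AUTH_1} 96 \
-	    enc 'cbc(des3_ede)' ${ENC_1} \
+	    auth-trunc 'hmac(sha1)' ${AUTH_1} 96 \
+	    enc 'cbc(aes)' ${ENC_1} \
 	    sel src ${h1_6} dst ${h2_6}
 
 
 	ip -6 -netns host1 xfrm state add src ${HOST2_6} dst ${HOST1_6} \
 	    proto esp spi ${SPI_2} reqid 0 mode tunnel \
 	    replay-window 4 replay-oseq 0x4 \
-	    auth-trunc 'hmac(md5)' ${AUTH_2} 96 \
-	    enc 'cbc(des3_ede)' ${ENC_2} \
+	    auth-trunc 'hmac(sha1)' ${AUTH_2} 96 \
+	    enc 'cbc(aes)' ${ENC_2} \
 	    sel src ${h2_6} dst ${h1_6} ${devarg}
 
 	ip -6 -netns host2 xfrm state add src ${HOST2_6} dst ${HOST1_6} \
 	    proto esp spi ${SPI_2} reqid 0 mode tunnel \
 	    replay-window 4 replay-oseq 0x4 \
-	    auth-trunc 'hmac(md5)' ${AUTH_2} 96 \
-	    enc 'cbc(des3_ede)' ${ENC_2} \
+	    auth-trunc 'hmac(sha1)' ${AUTH_2} 96 \
+	    enc 'cbc(aes)' ${ENC_2} \
 	    sel src ${h2_6} dst ${h1_6}
 }
 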
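Review bot: The hunk swaps the algorithm names but records no reason, and `${AUTH_1}`, `${ENC_1}`, `${AUTH_2}` and `${ENC_2}` are defined outside the hunk, so the key lengths cannot be checked here: `cbc(aes)` accepts only 16-, 24- or 32-byte keys, whereas the previous `cbc(des3_ede)` required 24 bytes, so confirm the `ENC_*` values are still a valid AES key size (a 24-byte 3DES key happens to be a valid AES-192 key, which is presumably why the states still load). Suggest a comment above the first `xfrm state add`, e.g. `# hmac(sha1)/cbc(aes) work in FIPS mode; the previous hmac(md5)/cbc(des3_ede) do not`. The enclosing function starts outside the hunk.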