[PATCH v4 2/4] selftests: net: tls: check if FIPS mode is enabled

From: Magali Lemes
Date: Tue Jun 13 2023 - 08:32:57 EST

Next message: Magali Lemes: "[PATCH v4 3/4] selftests: net: vrf-xfrm-tests: change authentication and encryption algos"
Previous message: Magali Lemes: "[PATCH v4 1/4] selftests/harness: allow tests to be skipped during setup"
In reply to: Magali Lemes: "[PATCH v4 1/4] selftests/harness: allow tests to be skipped during setup"
Next in thread: Magali Lemes: "[PATCH v4 3/4] selftests: net: vrf-xfrm-tests: change authentication and encryption algos"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

TLS selftests use the ChaCha20-Poly1305 and SM4 algorithms, which are not
FIPS compliant. When fips=1, this set of tests fails. Add a check and only
run these tests if not in FIPS mode.

Fixes: 4f336e88a870 ("selftests/tls: add CHACHA20-POLY1305 to tls selftests")
Fixes: e506342a03c7 ("selftests/tls: add SM4 GCM/CCM to tls selftests")
Reviewed-by: Jakub Kicinski <kuba@xxxxxxxxxx>
Signed-off-by: Magali Lemes <magali.lemes@xxxxxxxxxxxxx>
---
Changes in v4:
- Add R-b tag.
- Remove extra newline.

Changes in v3:
- No need to initialize static variable to zero.
- Skip tests during test setup only.
- Use the constructor attribute to set fips_enabled before entering
main().

Changes in v2:
- Put fips_non_compliant into the variants.
- Turn fips_enabled into a static global variable.
- Read /proc/sys/crypto/fips_enabled only once at main().

tools/testing/selftests/net/tls.c | 24 +++++++++++++++++++++++-
1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/tools/testing/selftests/net/tls.c b/tools/testing/selftests/net/tls.c
index e699548d4247..ff36844d14b4 100644
--- a/tools/testing/selftests/net/tls.c
+++ b/tools/testing/selftests/net/tls.c
@@ -25,6 +25,8 @@
#define TLS_PAYLOAD_MAX_LEN 16384
#define SOL_TLS 282

+static int fips_enabled;
+
struct tls_crypto_info_keys {
union {
struct tls12_crypto_info_aes_gcm_128 aes128;
@@ -235,7 +237,7 @@ FIXTURE_VARIANT(tls)
{
uint16_t tls_version;
uint16_t cipher_type;
- bool nopad;
+ bool nopad, fips_non_compliant;
};

FIXTURE_VARIANT_ADD(tls, 12_aes_gcm)
@@ -254,24 +256,28 @@ FIXTURE_VARIANT_ADD(tls, 12_chacha)
{
.tls_version = TLS_1_2_VERSION,
.cipher_type = TLS_CIPHER_CHACHA20_POLY1305,
+ .fips_non_compliant = true,
};

FIXTURE_VARIANT_ADD(tls, 13_chacha)
{
.tls_version = TLS_1_3_VERSION,
.cipher_type = TLS_CIPHER_CHACHA20_POLY1305,
+ .fips_non_compliant = true,
};

FIXTURE_VARIANT_ADD(tls, 13_sm4_gcm)
{
.tls_version = TLS_1_3_VERSION,
.cipher_type = TLS_CIPHER_SM4_GCM,
+ .fips_non_compliant = true,
};

FIXTURE_VARIANT_ADD(tls, 13_sm4_ccm)
{
.tls_version = TLS_1_3_VERSION,
.cipher_type = TLS_CIPHER_SM4_CCM,
+ .fips_non_compliant = true,
};

FIXTURE_VARIANT_ADD(tls, 12_aes_ccm)
@@ -311,6 +317,9 @@ FIXTURE_SETUP(tls)
int one = 1;
int ret;

+ if (fips_enabled && variant->fips_non_compliant)
+ SKIP(return, "Unsupported cipher in FIPS mode");
+
tls_crypto_info_init(variant->tls_version, variant->cipher_type,
&tls12);

@@ -1865,4 +1874,17 @@ TEST(prequeue) {
close(cfd);
}

+static void __attribute__((constructor)) fips_check(void) {
+ int res;
+ FILE *f;
+
+ f = fopen("/proc/sys/crypto/fips_enabled", "r");
+ if (f) {
+ res = fscanf(f, "%d", &fips_enabled);
+ if (res != 1)
+ ksft_print_msg("ERROR: Couldn't read /proc/sys/crypto/fips_enabled\n");
+ fclose(f);
+ }
+}
+
TEST_HARNESS_MAIN
--
2.34.1

Next message: Magali Lemes: "[PATCH v4 3/4] selftests: net: vrf-xfrm-tests: change authentication and encryption algos"
Previous message: Magali Lemes: "[PATCH v4 1/4] selftests/harness: allow tests to be skipped during setup"
In reply to: Magali Lemes: "[PATCH v4 1/4] selftests/harness: allow tests to be skipped during setup"
Next in thread: Magali Lemes: "[PATCH v4 3/4] selftests: net: vrf-xfrm-tests: change authentication and encryption algos"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]