Commit d113c395 authored by Magali Lemes's avatar Magali Lemes Committed by Jakub Kicinski

selftests: net: tls: check if FIPS mode is enabled

TLS selftests use the ChaCha20-Poly1305 and SM4 algorithms, which are not
FIPS compliant. When fips=1, this set of tests fails. Add a check and only
run these tests if not in FIPS mode.

Fixes: 4f336e88 ("selftests/tls: add CHACHA20-POLY1305 to tls selftests")
Fixes: e506342a ("selftests/tls: add SM4 GCM/CCM to tls selftests")
Reviewed-by: default avatarJakub Kicinski <kuba@kernel.org>
Signed-off-by: default avatarMagali Lemes <magali.lemes@canonical.com>
Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
parent 372b304c
...@@ -25,6 +25,8 @@ ...@@ -25,6 +25,8 @@
#define TLS_PAYLOAD_MAX_LEN 16384 #define TLS_PAYLOAD_MAX_LEN 16384
#define SOL_TLS 282 #define SOL_TLS 282
static int fips_enabled;
struct tls_crypto_info_keys { struct tls_crypto_info_keys {
union { union {
struct tls12_crypto_info_aes_gcm_128 aes128; struct tls12_crypto_info_aes_gcm_128 aes128;
...@@ -235,7 +237,7 @@ FIXTURE_VARIANT(tls) ...@@ -235,7 +237,7 @@ FIXTURE_VARIANT(tls)
{ {
uint16_t tls_version; uint16_t tls_version;
uint16_t cipher_type; uint16_t cipher_type;
bool nopad; bool nopad, fips_non_compliant;
}; };
FIXTURE_VARIANT_ADD(tls, 12_aes_gcm) FIXTURE_VARIANT_ADD(tls, 12_aes_gcm)
...@@ -254,24 +256,28 @@ FIXTURE_VARIANT_ADD(tls, 12_chacha) ...@@ -254,24 +256,28 @@ FIXTURE_VARIANT_ADD(tls, 12_chacha)
{ {
.tls_version = TLS_1_2_VERSION, .tls_version = TLS_1_2_VERSION,
.cipher_type = TLS_CIPHER_CHACHA20_POLY1305, .cipher_type = TLS_CIPHER_CHACHA20_POLY1305,
.fips_non_compliant = true,
}; };
FIXTURE_VARIANT_ADD(tls, 13_chacha) FIXTURE_VARIANT_ADD(tls, 13_chacha)
{ {
.tls_version = TLS_1_3_VERSION, .tls_version = TLS_1_3_VERSION,
.cipher_type = TLS_CIPHER_CHACHA20_POLY1305, .cipher_type = TLS_CIPHER_CHACHA20_POLY1305,
.fips_non_compliant = true,
}; };
FIXTURE_VARIANT_ADD(tls, 13_sm4_gcm) FIXTURE_VARIANT_ADD(tls, 13_sm4_gcm)
{ {
.tls_version = TLS_1_3_VERSION, .tls_version = TLS_1_3_VERSION,
.cipher_type = TLS_CIPHER_SM4_GCM, .cipher_type = TLS_CIPHER_SM4_GCM,
.fips_non_compliant = true,
}; };
FIXTURE_VARIANT_ADD(tls, 13_sm4_ccm) FIXTURE_VARIANT_ADD(tls, 13_sm4_ccm)
{ {
.tls_version = TLS_1_3_VERSION, .tls_version = TLS_1_3_VERSION,
.cipher_type = TLS_CIPHER_SM4_CCM, .cipher_type = TLS_CIPHER_SM4_CCM,
.fips_non_compliant = true,
}; };
FIXTURE_VARIANT_ADD(tls, 12_aes_ccm) FIXTURE_VARIANT_ADD(tls, 12_aes_ccm)
...@@ -311,6 +317,9 @@ FIXTURE_SETUP(tls) ...@@ -311,6 +317,9 @@ FIXTURE_SETUP(tls)
int one = 1; int one = 1;
int ret; int ret;
if (fips_enabled && variant->fips_non_compliant)
SKIP(return, "Unsupported cipher in FIPS mode");
tls_crypto_info_init(variant->tls_version, variant->cipher_type, tls_crypto_info_init(variant->tls_version, variant->cipher_type,
&tls12); &tls12);
...@@ -1865,4 +1874,17 @@ TEST(prequeue) { ...@@ -1865,4 +1874,17 @@ TEST(prequeue) {
close(cfd); close(cfd);
} }
static void __attribute__((constructor)) fips_check(void) {
int res;
FILE *f;
f = fopen("/proc/sys/crypto/fips_enabled", "r");
if (f) {
res = fscanf(f, "%d", &fips_enabled);
if (res != 1)
ksft_print_msg("ERROR: Couldn't read /proc/sys/crypto/fips_enabled\n");
fclose(f);
}
}
TEST_HARNESS_MAIN TEST_HARNESS_MAIN
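Review bot: In fips_check, a failed fscanf only logs "ERROR" and leaves fips_enabled at its zero default, so on a FIPS host where the read fails the ChaCha20-Poly1305 and SM4 variants would still run and fail instead of being skipped. The same default applies silently when fopen fails. That fallback looks intentional (a missing file presumably means a kernel built without FIPS support), but nothing in the code says so. I would add a comment above the constructor, e.g. `/* Runs before main(); fips_enabled stays 0 (non-FIPS) if the proc file is absent or unreadable. */`. I would also make the message state the consequence, e.g. `ksft_print_msg("Couldn't read /proc/sys/crypto/fips_enabled, assuming non-FIPS\n");`.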