[SRU][J][PATCH v2 2/3] selftests: net: tls: check if FIPS mode is enabled
Magali Lemes
magali.lemes at canonical.com
Wed Aug 23 20:20:09 UTC 2023
BugLink: https://bugs.launchpad.net/bugs/2019868
TLS selftests use the ChaCha20-Poly1305 and SM4 algorithms, which are not
FIPS compliant. When fips=1, this set of tests fails. Add a check and only
run these tests if not in FIPS mode.
Fixes: 4f336e88a870 ("selftests/tls: add CHACHA20-POLY1305 to tls selftests")
Fixes: e506342a03c7 ("selftests/tls: add SM4 GCM/CCM to tls selftests")
Reviewed-by: Jakub Kicinski <kuba at kernel.org>
Signed-off-by: Magali Lemes <magali.lemes at canonical.com>
Signed-off-by: Jakub Kicinski <kuba at kernel.org>
(backported from commit d113c395c67b62fc0d3f2004c0afc406aca0a2b7)
[magalilemes: since there's no SM4 support for TLS in 5.15, only apply the
change to the ChaCha20-Poly1305 test case]
Signed-off-by: Magali Lemes <magali.lemes at canonical.com>
---
tools/testing/selftests/net/tls.c | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/tools/testing/selftests/net/tls.c b/tools/testing/selftests/net/tls.c
index d9d423052290..e0bfb8d61d17 100644
--- a/tools/testing/selftests/net/tls.c
+++ b/tools/testing/selftests/net/tls.c
@@ -25,6 +25,8 @@
#define TLS_PAYLOAD_MAX_LEN 16384
#define SOL_TLS 282
+static int fips_enabled;
+
struct tls_crypto_info_keys {
union {
struct tls12_crypto_info_aes_gcm_128 aes128;
@@ -146,6 +148,7 @@ FIXTURE_VARIANT(tls)
{
uint16_t tls_version;
uint16_t cipher_type;
+ bool fips_non_compliant;
};
FIXTURE_VARIANT_ADD(tls, 12_gcm)
@@ -164,12 +167,14 @@ FIXTURE_VARIANT_ADD(tls, 12_chacha)
{
.tls_version = TLS_1_2_VERSION,
.cipher_type = TLS_CIPHER_CHACHA20_POLY1305,
+ .fips_non_compliant = true,
};
FIXTURE_VARIANT_ADD(tls, 13_chacha)
{
.tls_version = TLS_1_3_VERSION,
.cipher_type = TLS_CIPHER_CHACHA20_POLY1305,
+ .fips_non_compliant = true,
};
FIXTURE_SETUP(tls)
@@ -182,6 +187,9 @@ FIXTURE_SETUP(tls)
self->notls = false;
len = sizeof(addr);
+ if (fips_enabled && variant->fips_non_compliant)
+ SKIP(return, "Unsupported cipher in FIPS mode");
+
tls_crypto_info_init(variant->tls_version, variant->cipher_type,
&tls12);
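Review bot: The skip in `FIXTURE_SETUP(tls)` depends on the hand-set `.fips_non_compliant` flag, so a variant added later with a non-approved cipher but without the flag will fail under fips=1 instead of skipping. A comment on the field in `FIXTURE_VARIANT(tls)` would make that contract visible, e.g. `/* set for ciphers that are not FIPS-approved; the variant is skipped when fips=1 */`. Skipping the whole variant also means nothing asserts that the kernel refuses ChaCha20-Poly1305 in FIPS mode. Assuming the failure surfaces when the cipher is installed on the socket, a small standalone test that expects that call to fail when `fips_enabled` is non-zero would keep that coverage. The setup body starts and continues outside this hunk, so whether anything needs releasing before the `return` cannot be confirmed from here.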
@@ -1336,4 +1344,17 @@ TEST(keysizes) {
close(cfd);
}
+static void __attribute__((constructor)) fips_check(void) {
+ int res;
+ FILE *f;
+
+ f = fopen("/proc/sys/crypto/fips_enabled", "r");
+ if (f) {
+ res = fscanf(f, "%d", &fips_enabled);
+ if (res != 1)
+ ksft_print_msg("ERROR: Couldn't read /proc/sys/crypto/fips_enabled\n");
+ fclose(f);
+ }
+}
+
TEST_HARNESS_MAIN
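Review bot: In `fips_check`, a failed `fopen` is silent and a failed `fscanf` only prints a message, so in both cases `fips_enabled` keeps its zero initial value and the ChaCha20-Poly1305 variants run as if the host were not in FIPS mode. That default is presumably intended for kernels that do not expose the file, but it should be stated above the function, e.g. `/* Missing or unreadable fips_enabled is treated as non-FIPS: variants run and may fail rather than skip. */`. The `ERROR:` prefix overstates the condition, since the run continues; a wording like `"WARNING: couldn't read /proc/sys/crypto/fips_enabled, assuming FIPS mode is off\n"` tells the reader which way the fallback went.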
--
2.34.1