From nobody Mon Feb 9 03:16:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id B9774C7EE29 for ; Fri, 9 Jun 2023 16:43:50 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229671AbjFIQnt (ORCPT ); Fri, 9 Jun 2023 12:43:49 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47592 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229530AbjFIQnp (ORCPT ); Fri, 9 Jun 2023 12:43:45 -0400 Received: from smtp-relay-internal-1.canonical.com (smtp-relay-internal-1.canonical.com [185.125.188.123]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DC8E3E57 for ; Fri, 9 Jun 2023 09:43:41 -0700 (PDT) Received: from mail-oa1-f69.google.com (mail-oa1-f69.google.com [209.85.160.69]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp-relay-internal-1.canonical.com (Postfix) with ESMTPS id D53243F36B for ; Fri, 9 Jun 2023 16:43:39 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com; s=20210705; t=1686329019; bh=C88w+6qUNZ4o8QU4MF6cbHvjs9SCcqgrH5QPb8qWgeM=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=Zc9bID7PKO8ijHMQkYn4lsPjbXZUt9rCENZpJJybcTMsx5bMysEjQSDAjPYni9TPy yhQvzbVM2MGpQEyQDoKLrqlQm7xXdBi7x/Sq+G+ls29h/9uNhYmB8/NcUnoM9Hnd42 70DGZY1effo+Bl8zUPN4rK4ZBbqbxxtwq+wkZg5pdBQ91R63Eo9RQgYvn7zK8Ieq65 QudgJsz/dAmiYKoK15wVMA3zWkwCZPerx3E6GrNXHj8Xl9I++KzdxBmVoBp0uacVOZ 8/s10Scef4dq2Sl6x9dZOQg7ARld/c5eCRstPne5Rb+Ho4zN7sHDgmouxfknTIqdog 2yhpJMtL4Wi+g== Received: by mail-oa1-f69.google.com with SMTP id 586e51a60fabf-19fa21dd7d2so907458fac.2 for ; Fri, 09 Jun 2023 09:43:39 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1686329017; x=1688921017; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=C88w+6qUNZ4o8QU4MF6cbHvjs9SCcqgrH5QPb8qWgeM=; b=JBKwk4mle2bQyM9rXr4HKIbWTPhr590pV2kJRdNJTGfhu6kGtMMvjkxGyOn+QIqX9j bCAMd/V/s37x2XhJKKTu/B3vJnTB4d4a0y8zAS41buxgKeoD/WRJ1vq1aua8MbsAgWpo h6eQWWMXbLmhED6FgezIfEWiLZWdiVmlN+79ytvvRV/htLk4jWa+J2tcevBURMf2BWB1 K+CWmWMVZGhLop1OdMy0E3U4NtsAuVBhGGduKNe7so8Z1RKYmB8NUTwXiHScil9Tb710 UjlhRvvydHjgm0u+IumTd6ERV+kY2YkD2STkvKegeMA7Ja1hshgUf4JKHMSDaOzm17/F ty+A== X-Gm-Message-State: AC+VfDz3/9oy7fhK01oCV12i2Brd6iSzDBtdUAclbLXa2uT+g+/vIPSA IGfrJSsFN69ogwLx0UfLd70hs7YWYAkTNYjIIR29zFL4GZdOgM5M+1cT07OSdrSXe4ELOUwJvwQ wLa1+YF26n0H9il2+iZFrnkCO6hDHoqx3ZIq9VcSyGQ== X-Received: by 2002:a05:6870:7304:b0:1a2:c29a:29ad with SMTP id q4-20020a056870730400b001a2c29a29admr1874714oal.0.1686329016975; Fri, 09 Jun 2023 09:43:36 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ4SZgmMeYg9SaTfI8/LPvB5TGmD63kB5M9UrAOoKmOjU0OpJie/syYn/pXZwfeY0DaoyYZYnQ== X-Received: by 2002:a05:6870:7304:b0:1a2:c29a:29ad with SMTP id q4-20020a056870730400b001a2c29a29admr1874705oal.0.1686329016688; Fri, 09 Jun 2023 09:43:36 -0700 (PDT) Received: from magali.. ([2804:14c:bbe3:4606:db64:8f3b:3c73:e436]) by smtp.gmail.com with ESMTPSA id g17-20020a056870c39100b001726cfeea97sm2360707oao.29.2023.06.09.09.43.32 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 09 Jun 2023 09:43:36 -0700 (PDT) From: Magali Lemes To: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, shuah@kernel.org, vfedorenko@novek.ru, tianjia.zhang@linux.alibaba.com Cc: andrei.gherzan@canonical.com, netdev@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH net v2 1/3] selftests: net: tls: check if FIPS mode is enabled Date: Fri, 9 Jun 2023 13:43:22 -0300 Message-Id: <20230609164324.497813-2-magali.lemes@canonical.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20230609164324.497813-1-magali.lemes@canonical.com> References: <20230609164324.497813-1-magali.lemes@canonical.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" TLS selftests use the ChaCha20-Poly1305 and SM4 algorithms, which are not FIPS compliant. When fips=3D1, this set of tests fails. Add a check and only run these tests if not in FIPS mode. Fixes: 4f336e88a870 ("selftests/tls: add CHACHA20-POLY1305 to tls selftests= ") Fixes: e506342a03c7 ("selftests/tls: add SM4 GCM/CCM to tls selftests") Signed-off-by: Magali Lemes --- Changes in v2: - Put fips_non_compliant into the variants. - Turn fips_enabled into a static global variable. - Read /proc/sys/crypto/fips_enabled only once at main(). tools/testing/selftests/net/tls.c | 175 +++++++++++++++++++++++++++++- 1 file changed, 174 insertions(+), 1 deletion(-) diff --git a/tools/testing/selftests/net/tls.c b/tools/testing/selftests/ne= t/tls.c index e699548d4247..0725c60f227c 100644 --- a/tools/testing/selftests/net/tls.c +++ b/tools/testing/selftests/net/tls.c @@ -25,6 +25,8 @@ #define TLS_PAYLOAD_MAX_LEN 16384 #define SOL_TLS 282 =20 +static int fips_enabled =3D 0; + struct tls_crypto_info_keys { union { struct tls12_crypto_info_aes_gcm_128 aes128; @@ -235,7 +237,7 @@ FIXTURE_VARIANT(tls) { uint16_t tls_version; uint16_t cipher_type; - bool nopad; + bool nopad, fips_non_compliant; }; =20 FIXTURE_VARIANT_ADD(tls, 12_aes_gcm) @@ -254,24 +256,28 @@ FIXTURE_VARIANT_ADD(tls, 12_chacha) { .tls_version =3D TLS_1_2_VERSION, .cipher_type =3D TLS_CIPHER_CHACHA20_POLY1305, + .fips_non_compliant =3D true, }; =20 FIXTURE_VARIANT_ADD(tls, 13_chacha) { .tls_version =3D TLS_1_3_VERSION, .cipher_type =3D TLS_CIPHER_CHACHA20_POLY1305, + .fips_non_compliant =3D true, }; =20 FIXTURE_VARIANT_ADD(tls, 13_sm4_gcm) { .tls_version =3D TLS_1_3_VERSION, .cipher_type =3D TLS_CIPHER_SM4_GCM, + .fips_non_compliant =3D true, }; =20 FIXTURE_VARIANT_ADD(tls, 13_sm4_ccm) { .tls_version =3D TLS_1_3_VERSION, .cipher_type =3D TLS_CIPHER_SM4_CCM, + .fips_non_compliant =3D true, }; =20 FIXTURE_VARIANT_ADD(tls, 12_aes_ccm) @@ -311,6 +317,9 @@ FIXTURE_SETUP(tls) int one =3D 1; int ret; =20 + if (fips_enabled && variant->fips_non_compliant) + return; + tls_crypto_info_init(variant->tls_version, variant->cipher_type, &tls12); =20 @@ -343,6 +352,9 @@ TEST_F(tls, sendfile) int filefd =3D open("/proc/self/exe", O_RDONLY); struct stat st; =20 + if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + EXPECT_GE(filefd, 0); fstat(filefd, &st); EXPECT_GE(sendfile(self->fd, filefd, 0, st.st_size), 0); @@ -357,6 +369,9 @@ TEST_F(tls, send_then_sendfile) struct stat st; char *buf; =20 + if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + EXPECT_GE(filefd, 0); fstat(filefd, &st); buf =3D (char *)malloc(st.st_size); @@ -406,6 +421,10 @@ static void chunked_sendfile(struct __test_metadata *_= metadata, =20 TEST_F(tls, multi_chunk_sendfile) { + + if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + chunked_sendfile(_metadata, self, 4096, 4096); chunked_sendfile(_metadata, self, 4096, 0); chunked_sendfile(_metadata, self, 4096, 1); @@ -433,6 +452,9 @@ TEST_F(tls, recv_max) char recv_mem[TLS_PAYLOAD_MAX_LEN]; char buf[TLS_PAYLOAD_MAX_LEN]; =20 + if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + memrnd(buf, sizeof(buf)); =20 EXPECT_GE(send(self->fd, buf, send_len, 0), 0); @@ -446,6 +468,9 @@ TEST_F(tls, recv_small) int send_len =3D 10; char buf[10]; =20 + if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + send_len =3D strlen(test_str) + 1; EXPECT_EQ(send(self->fd, test_str, send_len, 0), send_len); EXPECT_NE(recv(self->cfd, buf, send_len, 0), -1); @@ -458,6 +483,9 @@ TEST_F(tls, msg_more) int send_len =3D 10; char buf[10 * 2]; =20 + if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + EXPECT_EQ(send(self->fd, test_str, send_len, MSG_MORE), send_len); EXPECT_EQ(recv(self->cfd, buf, send_len, MSG_DONTWAIT), -1); EXPECT_EQ(send(self->fd, test_str, send_len, 0), send_len); @@ -472,6 +500,9 @@ TEST_F(tls, msg_more_unsent) int send_len =3D 10; char buf[10]; =20 + if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + EXPECT_EQ(send(self->fd, test_str, send_len, MSG_MORE), send_len); EXPECT_EQ(recv(self->cfd, buf, send_len, MSG_DONTWAIT), -1); } @@ -485,6 +516,9 @@ TEST_F(tls, sendmsg_single) struct iovec vec; char buf[13]; =20 + if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + vec.iov_base =3D (char *)test_str; vec.iov_len =3D send_len; memset(&msg, 0, sizeof(struct msghdr)); @@ -505,6 +539,9 @@ TEST_F(tls, sendmsg_fragmented) struct msghdr msg; int i, frags; =20 + if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + for (frags =3D 1; frags <=3D MAX_FRAGS; frags++) { for (i =3D 0; i < frags; i++) { vec[i].iov_base =3D (char *)test_str; @@ -536,6 +573,9 @@ TEST_F(tls, sendmsg_large) size_t recvs =3D 0; size_t sent =3D 0; =20 + if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + memset(&msg, 0, sizeof(struct msghdr)); while (sent++ < sends) { struct iovec vec =3D { (void *)mem, send_len }; @@ -564,6 +604,9 @@ TEST_F(tls, sendmsg_multiple) char *buf; int i; =20 + if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + memset(&msg, 0, sizeof(struct msghdr)); for (i =3D 0; i < iov_len; i++) { test_strs[i] =3D (char *)malloc(strlen(test_str) + 1); @@ -601,6 +644,9 @@ TEST_F(tls, sendmsg_multiple_stress) int len_cmp =3D 0; int i; =20 + if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + memset(&msg, 0, sizeof(struct msghdr)); for (i =3D 0; i < iov_len; i++) { test_strs[i] =3D (char *)malloc(strlen(test_str) + 1); @@ -629,6 +675,9 @@ TEST_F(tls, splice_from_pipe) char mem_recv[TLS_PAYLOAD_MAX_LEN]; int p[2]; =20 + if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + ASSERT_GE(pipe(p), 0); EXPECT_GE(write(p[1], mem_send, send_len), 0); EXPECT_GE(splice(p[0], NULL, self->fd, NULL, send_len, 0), 0); @@ -644,6 +693,9 @@ TEST_F(tls, splice_from_pipe2) int p2[2]; int p[2]; =20 + if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + memrnd(mem_send, sizeof(mem_send)); =20 ASSERT_GE(pipe(p), 0); @@ -666,6 +718,9 @@ TEST_F(tls, send_and_splice) char buf[10]; int p[2]; =20 + if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + ASSERT_GE(pipe(p), 0); EXPECT_EQ(send(self->fd, test_str, send_len2, 0), send_len2); EXPECT_EQ(recv(self->cfd, buf, send_len2, MSG_WAITALL), send_len2); @@ -685,6 +740,9 @@ TEST_F(tls, splice_to_pipe) char mem_recv[TLS_PAYLOAD_MAX_LEN]; int p[2]; =20 + if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + memrnd(mem_send, sizeof(mem_send)); =20 ASSERT_GE(pipe(p), 0); @@ -705,6 +763,9 @@ TEST_F(tls, splice_cmsg_to_pipe) if (self->notls) SKIP(return, "no TLS support"); =20 + if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + ASSERT_GE(pipe(p), 0); EXPECT_EQ(tls_send_cmsg(self->fd, 100, test_str, send_len, 0), 10); EXPECT_EQ(splice(self->cfd, NULL, p[1], NULL, send_len, 0), -1); @@ -728,6 +789,9 @@ TEST_F(tls, splice_dec_cmsg_to_pipe) if (self->notls) SKIP(return, "no TLS support"); =20 + if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + ASSERT_GE(pipe(p), 0); EXPECT_EQ(tls_send_cmsg(self->fd, 100, test_str, send_len, 0), 10); EXPECT_EQ(recv(self->cfd, buf, send_len, 0), -1); @@ -748,6 +812,9 @@ TEST_F(tls, recv_and_splice) int half =3D send_len / 2; int p[2]; =20 + if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + ASSERT_GE(pipe(p), 0); EXPECT_EQ(send(self->fd, mem_send, send_len, 0), send_len); /* Recv hald of the record, splice the other half */ @@ -766,6 +833,9 @@ TEST_F(tls, peek_and_splice) int chunk =3D TLS_PAYLOAD_MAX_LEN / 4; int n, i, p[2]; =20 + if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + memrnd(mem_send, sizeof(mem_send)); =20 ASSERT_GE(pipe(p), 0); @@ -797,6 +867,9 @@ TEST_F(tls, recvmsg_single) struct msghdr hdr; struct iovec vec; =20 + if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + memset(&hdr, 0, sizeof(hdr)); EXPECT_EQ(send(self->fd, test_str, send_len, 0), send_len); vec.iov_base =3D (char *)buf; @@ -815,6 +888,9 @@ TEST_F(tls, recvmsg_single_max) struct iovec vec; struct msghdr hdr; =20 + if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + memrnd(send_mem, sizeof(send_mem)); =20 EXPECT_EQ(send(self->fd, send_mem, send_len, 0), send_len); @@ -840,6 +916,9 @@ TEST_F(tls, recvmsg_multiple) =20 memrnd(buf, sizeof(buf)); =20 + if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + EXPECT_EQ(send(self->fd, buf, send_len, 0), send_len); for (i =3D 0; i < msg_iovlen; i++) { iov_base[i] =3D (char *)malloc(iov_len); @@ -862,6 +941,9 @@ TEST_F(tls, single_send_multiple_recv) char send_mem[TLS_PAYLOAD_MAX_LEN * 2]; char recv_mem[TLS_PAYLOAD_MAX_LEN * 2]; =20 + if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + memrnd(send_mem, sizeof(send_mem)); =20 EXPECT_GE(send(self->fd, send_mem, total_len, 0), 0); @@ -879,6 +961,9 @@ TEST_F(tls, multiple_send_single_recv) char recv_mem[2 * 10]; char send_mem[10]; =20 + if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + memrnd(send_mem, sizeof(send_mem)); =20 EXPECT_GE(send(self->fd, send_mem, send_len, 0), 0); @@ -897,6 +982,9 @@ TEST_F(tls, single_send_multiple_recv_non_align) char recv_mem[recv_len * 2]; char send_mem[total_len]; =20 + if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + memrnd(send_mem, sizeof(send_mem)); =20 EXPECT_GE(send(self->fd, send_mem, total_len, 0), 0); @@ -915,6 +1003,9 @@ TEST_F(tls, recv_partial) int send_len =3D strlen(test_str) + 1; char recv_mem[18]; =20 + if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + memset(recv_mem, 0, sizeof(recv_mem)); EXPECT_EQ(send(self->fd, test_str, send_len, 0), send_len); EXPECT_NE(recv(self->cfd, recv_mem, strlen(test_str_first), @@ -932,6 +1023,9 @@ TEST_F(tls, recv_nonblock) char buf[4096]; bool err; =20 + if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + EXPECT_EQ(recv(self->cfd, buf, sizeof(buf), MSG_DONTWAIT), -1); err =3D (errno =3D=3D EAGAIN || errno =3D=3D EWOULDBLOCK); EXPECT_EQ(err, true); @@ -943,6 +1037,9 @@ TEST_F(tls, recv_peek) int send_len =3D strlen(test_str) + 1; char buf[15]; =20 + if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + EXPECT_EQ(send(self->fd, test_str, send_len, 0), send_len); EXPECT_EQ(recv(self->cfd, buf, send_len, MSG_PEEK), send_len); EXPECT_EQ(memcmp(test_str, buf, send_len), 0); @@ -959,6 +1056,9 @@ TEST_F(tls, recv_peek_multiple) char buf[15]; int i; =20 + if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + EXPECT_EQ(send(self->fd, test_str, send_len, 0), send_len); for (i =3D 0; i < num_peeks; i++) { EXPECT_NE(recv(self->cfd, buf, send_len, MSG_PEEK), -1); @@ -977,6 +1077,9 @@ TEST_F(tls, recv_peek_multiple_records) int len; char buf[64]; =20 + if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + len =3D strlen(test_str_first); EXPECT_EQ(send(self->fd, test_str_first, len, 0), len); =20 @@ -1026,6 +1129,9 @@ TEST_F(tls, recv_peek_large_buf_mult_recs) int len; char buf[64]; =20 + if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + len =3D strlen(test_str_first); EXPECT_EQ(send(self->fd, test_str_first, len, 0), len); =20 @@ -1046,6 +1152,9 @@ TEST_F(tls, recv_lowat) char recv_mem[20]; int lowat =3D 8; =20 + if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + EXPECT_EQ(send(self->fd, send_mem, 10, 0), 10); EXPECT_EQ(send(self->fd, send_mem, 5, 0), 5); =20 @@ -1067,6 +1176,9 @@ TEST_F(tls, bidir) char buf[10]; int ret; =20 + if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + if (!self->notls) { struct tls_crypto_info_keys tls12; =20 @@ -1102,6 +1214,9 @@ TEST_F(tls, pollin) char buf[10]; int send_len =3D 10; =20 + if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + EXPECT_EQ(send(self->fd, test_str, send_len, 0), send_len); fd.fd =3D self->cfd; fd.events =3D POLLIN; @@ -1120,6 +1235,9 @@ TEST_F(tls, poll_wait) struct pollfd fd =3D { 0, 0, 0 }; char recv_mem[15]; =20 + if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + fd.fd =3D self->cfd; fd.events =3D POLLIN; EXPECT_EQ(send(self->fd, test_str, send_len, 0), send_len); @@ -1135,6 +1253,9 @@ TEST_F(tls, poll_wait_split) char send_mem[20] =3D {}; char recv_mem[15]; =20 + if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + fd.fd =3D self->cfd; fd.events =3D POLLIN; /* Send 20 bytes */ @@ -1160,6 +1281,9 @@ TEST_F(tls, blocking) size_t data =3D 100000; int res =3D fork(); =20 + if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + EXPECT_NE(res, -1); =20 if (res) { @@ -1202,6 +1326,9 @@ TEST_F(tls, nonblocking) int flags; int res; =20 + if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + flags =3D fcntl(self->fd, F_GETFL, 0); fcntl(self->fd, F_SETFL, flags | O_NONBLOCK); fcntl(self->cfd, F_SETFL, flags | O_NONBLOCK); @@ -1343,31 +1470,49 @@ test_mutliproc(struct __test_metadata *_metadata, s= truct _test_data_tls *self, =20 TEST_F(tls, mutliproc_even) { + if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + test_mutliproc(_metadata, self, false, 6, 6); } =20 TEST_F(tls, mutliproc_readers) { + if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + test_mutliproc(_metadata, self, false, 4, 12); } =20 TEST_F(tls, mutliproc_writers) { + if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + test_mutliproc(_metadata, self, false, 10, 2); } =20 TEST_F(tls, mutliproc_sendpage_even) { + if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + test_mutliproc(_metadata, self, true, 6, 6); } =20 TEST_F(tls, mutliproc_sendpage_readers) { + if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + test_mutliproc(_metadata, self, true, 4, 12); } =20 TEST_F(tls, mutliproc_sendpage_writers) { + if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + test_mutliproc(_metadata, self, true, 10, 2); } =20 @@ -1378,6 +1523,9 @@ TEST_F(tls, control_msg) int send_len =3D 10; char buf[10]; =20 + if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + if (self->notls) SKIP(return, "no TLS support"); =20 @@ -1406,6 +1554,9 @@ TEST_F(tls, shutdown) int send_len =3D 10; char buf[10]; =20 + if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + ASSERT_EQ(strlen(test_str) + 1, send_len); =20 EXPECT_EQ(send(self->fd, test_str, send_len, 0), send_len); @@ -1421,6 +1572,9 @@ TEST_F(tls, shutdown_unsent) char const *test_str =3D "test_read"; int send_len =3D 10; =20 + if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + EXPECT_EQ(send(self->fd, test_str, send_len, MSG_MORE), send_len); =20 shutdown(self->fd, SHUT_RDWR); @@ -1432,6 +1586,9 @@ TEST_F(tls, shutdown_reuse) struct sockaddr_in addr; int ret; =20 + if (fips_enabled && variant->fips_non_compliant) + SKIP(return, "Unsupported cipher in FIPS mode"); + shutdown(self->fd, SHUT_RDWR); shutdown(self->cfd, SHUT_RDWR); close(self->cfd); @@ -1865,4 +2022,20 @@ TEST(prequeue) { close(cfd); } =20 +#define main test_main TEST_HARNESS_MAIN +#undef main +int main(int argc, char **argv) { + int res; + FILE *f; + + f =3D fopen("/proc/sys/crypto/fips_enabled", "r"); + if (f) { + res =3D fscanf(f, "%d", &fips_enabled); + if (res !=3D 1) + ksft_print_msg("ERROR: Couldn't read /proc/sys/crypto/fips_enabled\n"); + fclose(f); + } + + return test_main(argc, argv); +} --=20 2.34.1 From nobody Mon Feb 9 03:16:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 60DC9C7EE29 for ; Fri, 9 Jun 2023 16:43:54 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229683AbjFIQnv (ORCPT ); Fri, 9 Jun 2023 12:43:51 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47668 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229597AbjFIQns (ORCPT ); Fri, 9 Jun 2023 12:43:48 -0400 Received: from smtp-relay-internal-1.canonical.com (smtp-relay-internal-1.canonical.com [185.125.188.123]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 84DD93A8E for ; Fri, 9 Jun 2023 09:43:46 -0700 (PDT) Received: from mail-oa1-f70.google.com (mail-oa1-f70.google.com [209.85.160.70]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp-relay-internal-1.canonical.com (Postfix) with ESMTPS id 82A4A3F36C for ; Fri, 9 Jun 2023 16:43:44 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com; s=20210705; t=1686329024; bh=qqgm58iJEv79RzcN8RR1scUpAZ0NnXsIaGK+gNwjMmw=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=u+9iToDnxuDpYel2usT+OT2E+10GxQtz8uS9roT7qct3Ljsf6VfeoYI7lrFTp8noT dyvDhP54IfmrCqTCgtJdrXv+NG5iOATASDCpuOF/c9qi2SXtIQoJ+6dCnWPM/BFJwd 1g8PKOHqQytCEvClcOsJJJVED1u5WFM4LPB28lES5n6pSKjw7FbpQRX3Lvho25iGvd jDFXEpqSjgEIhOvaFFdOGbhsT497j35TRj9ZF1yOhW7FfPFuA7UTb5Gew/oaNgW6ZT Km8Y3geUnq4cDUFTEZ/DcUuUwArzWKCMeD9A0Re+YUg0vd5X0NdsTSLRPzh6M+aWR9 ZhExmyZhlYL+A== Received: by mail-oa1-f70.google.com with SMTP id 586e51a60fabf-1a31a9ddd87so944650fac.3 for ; Fri, 09 Jun 2023 09:43:44 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1686329021; x=1688921021; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=qqgm58iJEv79RzcN8RR1scUpAZ0NnXsIaGK+gNwjMmw=; b=Q9mfO6eplHUgvCmd1tvgil0VzPyp+yuxXR/I8q7cLtNdXRw07CzD5s/7VDuf8s5Gwa Hff4MT9ixk+Vs4sLt4uor1FXcZQQIqm81Ssy1UGKBqHjuBo8ocBG3LNx6Z0tHHOILVPI FjeWInTdqXWKDrtGL06XRs2lfHlIyvD5qasd5uQg3awml1sUX29akKhhkNe5J1pS6pMc v3Eyu6Xe30GGup0ArxNfqRiFzAOGCx9HO7EAKTAk1yRk9TO34JhZktHpB8OWmYq/TPf7 XFWdv004teGW6f3VA/JXHmUW89YXP1nqaOxtry5UxkcfByot/6bgec5+J4F8aMJYUQF/ Kxqg== X-Gm-Message-State: AC+VfDwpNFjUvxHIgGHPo2HFnwDUOBxW7Vf562ZlgDnjKQZ9pecSJ4oM +PfXSRyhNYC8ZjzKUPxu459HBhDu9YL1G3OsovLa5rUMuO1SX5+vxzOBq3KFQIn1sXC4d4nso5w 4LPCOScCiqT9lQ6uHATJQfZDL/hc824+z3i1J2xw1hw== X-Received: by 2002:a05:6870:87c3:b0:19e:c567:6020 with SMTP id s3-20020a05687087c300b0019ec5676020mr1614046oam.38.1686329021549; Fri, 09 Jun 2023 09:43:41 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ4uH6tKIGMNieoUffmzBU5/CNGNHITxys0HB5d3gCp4Uf9lxEL0azP6HQX2WZQNiVSulkbLPQ== X-Received: by 2002:a05:6870:87c3:b0:19e:c567:6020 with SMTP id s3-20020a05687087c300b0019ec5676020mr1614039oam.38.1686329021320; Fri, 09 Jun 2023 09:43:41 -0700 (PDT) Received: from magali.. ([2804:14c:bbe3:4606:db64:8f3b:3c73:e436]) by smtp.gmail.com with ESMTPSA id g17-20020a056870c39100b001726cfeea97sm2360707oao.29.2023.06.09.09.43.37 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 09 Jun 2023 09:43:41 -0700 (PDT) From: Magali Lemes To: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, shuah@kernel.org, dsahern@gmail.com Cc: andrei.gherzan@canonical.com, David Ahern , netdev@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH net v2 2/3] selftests: net: vrf-xfrm-tests: change authentication and encryption algos Date: Fri, 9 Jun 2023 13:43:23 -0300 Message-Id: <20230609164324.497813-3-magali.lemes@canonical.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20230609164324.497813-1-magali.lemes@canonical.com> References: <20230609164324.497813-1-magali.lemes@canonical.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" The vrf-xfrm-tests tests use the hmac(md5) and cbc(des3_ede) algorithms for performing authentication and encryption, respectively. This causes the tests to fail when fips=3D1 is set, since these algorithms are not allowed in FIPS mode. Therefore, switch from hmac(md5) and cbc(des3_ede) to hmac(sha1) and cbc(aes), which are FIPS compliant. Fixes: 3f251d741150 ("selftests: Add tests for vrf and xfrms") Reviewed-by: David Ahern Signed-off-by: Magali Lemes --- Changes in v2: - Add R-b tag. tools/testing/selftests/net/vrf-xfrm-tests.sh | 32 +++++++++---------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/tools/testing/selftests/net/vrf-xfrm-tests.sh b/tools/testing/= selftests/net/vrf-xfrm-tests.sh index 184da81f554f..452638ae8aed 100755 --- a/tools/testing/selftests/net/vrf-xfrm-tests.sh +++ b/tools/testing/selftests/net/vrf-xfrm-tests.sh @@ -264,60 +264,60 @@ setup_xfrm() ip -netns host1 xfrm state add src ${HOST1_4} dst ${HOST2_4} \ proto esp spi ${SPI_1} reqid 0 mode tunnel \ replay-window 4 replay-oseq 0x4 \ - auth-trunc 'hmac(md5)' ${AUTH_1} 96 \ - enc 'cbc(des3_ede)' ${ENC_1} \ + auth-trunc 'hmac(sha1)' ${AUTH_1} 96 \ + enc 'cbc(aes)' ${ENC_1} \ sel src ${h1_4} dst ${h2_4} ${devarg} =20 ip -netns host2 xfrm state add src ${HOST1_4} dst ${HOST2_4} \ proto esp spi ${SPI_1} reqid 0 mode tunnel \ replay-window 4 replay-oseq 0x4 \ - auth-trunc 'hmac(md5)' ${AUTH_1} 96 \ - enc 'cbc(des3_ede)' ${ENC_1} \ + auth-trunc 'hmac(sha1)' ${AUTH_1} 96 \ + enc 'cbc(aes)' ${ENC_1} \ sel src ${h1_4} dst ${h2_4} =20 =20 ip -netns host1 xfrm state add src ${HOST2_4} dst ${HOST1_4} \ proto esp spi ${SPI_2} reqid 0 mode tunnel \ replay-window 4 replay-oseq 0x4 \ - auth-trunc 'hmac(md5)' ${AUTH_2} 96 \ - enc 'cbc(des3_ede)' ${ENC_2} \ + auth-trunc 'hmac(sha1)' ${AUTH_2} 96 \ + enc 'cbc(aes)' ${ENC_2} \ sel src ${h2_4} dst ${h1_4} ${devarg} =20 ip -netns host2 xfrm state add src ${HOST2_4} dst ${HOST1_4} \ proto esp spi ${SPI_2} reqid 0 mode tunnel \ replay-window 4 replay-oseq 0x4 \ - auth-trunc 'hmac(md5)' ${AUTH_2} 96 \ - enc 'cbc(des3_ede)' ${ENC_2} \ + auth-trunc 'hmac(sha1)' ${AUTH_2} 96 \ + enc 'cbc(aes)' ${ENC_2} \ sel src ${h2_4} dst ${h1_4} =20 =20 ip -6 -netns host1 xfrm state add src ${HOST1_6} dst ${HOST2_6} \ proto esp spi ${SPI_1} reqid 0 mode tunnel \ replay-window 4 replay-oseq 0x4 \ - auth-trunc 'hmac(md5)' ${AUTH_1} 96 \ - enc 'cbc(des3_ede)' ${ENC_1} \ + auth-trunc 'hmac(sha1)' ${AUTH_1} 96 \ + enc 'cbc(aes)' ${ENC_1} \ sel src ${h1_6} dst ${h2_6} ${devarg} =20 ip -6 -netns host2 xfrm state add src ${HOST1_6} dst ${HOST2_6} \ proto esp spi ${SPI_1} reqid 0 mode tunnel \ replay-window 4 replay-oseq 0x4 \ - auth-trunc 'hmac(md5)' ${AUTH_1} 96 \ - enc 'cbc(des3_ede)' ${ENC_1} \ + auth-trunc 'hmac(sha1)' ${AUTH_1} 96 \ + enc 'cbc(aes)' ${ENC_1} \ sel src ${h1_6} dst ${h2_6} =20 =20 ip -6 -netns host1 xfrm state add src ${HOST2_6} dst ${HOST1_6} \ proto esp spi ${SPI_2} reqid 0 mode tunnel \ replay-window 4 replay-oseq 0x4 \ - auth-trunc 'hmac(md5)' ${AUTH_2} 96 \ - enc 'cbc(des3_ede)' ${ENC_2} \ + auth-trunc 'hmac(sha1)' ${AUTH_2} 96 \ + enc 'cbc(aes)' ${ENC_2} \ sel src ${h2_6} dst ${h1_6} ${devarg} =20 ip -6 -netns host2 xfrm state add src ${HOST2_6} dst ${HOST1_6} \ proto esp spi ${SPI_2} reqid 0 mode tunnel \ replay-window 4 replay-oseq 0x4 \ - auth-trunc 'hmac(md5)' ${AUTH_2} 96 \ - enc 'cbc(des3_ede)' ${ENC_2} \ + auth-trunc 'hmac(sha1)' ${AUTH_2} 96 \ + enc 'cbc(aes)' ${ENC_2} \ sel src ${h2_6} dst ${h1_6} } =20 --=20 2.34.1 From nobody Mon Feb 9 03:16:32 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id D3589C7EE2E for ; Fri, 9 Jun 2023 16:43:55 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229764AbjFIQny (ORCPT ); Fri, 9 Jun 2023 12:43:54 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47772 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229586AbjFIQnv (ORCPT ); Fri, 9 Jun 2023 12:43:51 -0400 Received: from smtp-relay-internal-0.canonical.com (smtp-relay-internal-0.canonical.com [185.125.188.122]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E49633A8D for ; Fri, 9 Jun 2023 09:43:49 -0700 (PDT) Received: from mail-oa1-f72.google.com (mail-oa1-f72.google.com [209.85.160.72]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp-relay-internal-0.canonical.com (Postfix) with ESMTPS id 339763F462 for ; Fri, 9 Jun 2023 16:43:48 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com; s=20210705; t=1686329028; bh=bcQsjAMHkUSKApX68ZuYeihjuMej/C2tdQeqg1IYyqk=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=WN7X8Otwe4suha9jy/rgf1uUshqQZzimPp31tySHzLM0fD377AT5qHRhLEIn/4cgn P+FN61YaLUxSLLPg4g9Beosc2ymCC2IwYGwcFzQ3QjHQqwZWRCrhuYe8I2cZ84s1py YSB+OAnrb08f8Yledo2JA1frDfoR2A3Xs3N8EaEzIcpYuKra7Ub8q0S571tX6xmMLZ 3LtfLTwvVK0X1Jv7xzc0rYxs+LDz2UeudnsBJqYbRtYo3DMuX/kASFptQmy4YA23Rb cbaFzoj4lmikHBYJa2k68AwYqb9ayrViOueL/MqvI7fVJhx6Mz1wagEYcMifT+8RLu FMADzMlWPAotw== Received: by mail-oa1-f72.google.com with SMTP id 586e51a60fabf-1a3434578b3so1027881fac.3 for ; Fri, 09 Jun 2023 09:43:48 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1686329026; x=1688921026; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=bcQsjAMHkUSKApX68ZuYeihjuMej/C2tdQeqg1IYyqk=; b=YU1WCUJv0XlkRzf4ZVpSOJOFA2xhdkf9rffsIvf7FGIb57Yh7dqoYHxEwl3uSjOElw Cobh/zxUedv/Q7Re6bXRvES69QUidAODo36fxDE1jovIXmvntBvJ+5jpth1bSoy/yiwQ d4Q57nmUewudI28Ka3IZk2o7k9118b9ze8QnYcokLprkMArlxXuVdUKRNijN2RB02phH dJowd5dsquaSN94KRUkZjL6qfBb7wXukvMOinxvra5jQ2FYF26T5O6fnePJ4+RgKOjHH RnvjQsFCcKerEoTQ39t5/tJwUodkuhx80S9tI9A4fLVtvKtGWH1tOipOGiZRNQXSADK3 sQww== X-Gm-Message-State: AC+VfDyUXvsgWI5nk8upaD+8+pqs9S+DRdvPNB/NMrqLUWeCRKVa8XPf ZFhhJfufyRs8yDprp4p0NwX76vE8pCL9a+Vu/9XuHD4v9YTR842WVW3w/PciIh8yO5RGSSU72BD xUDq6MFvo+hDofKb6PZ4U0fxn4aO/ZCdDlY+EJp2h7Q== X-Received: by 2002:a05:6870:d8a5:b0:1a3:5bb2:8e98 with SMTP id dv37-20020a056870d8a500b001a35bb28e98mr1489053oab.47.1686329025951; Fri, 09 Jun 2023 09:43:45 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ4UB4ZzJdwHORXrTeXhKVpTBySccm2pIJnH4b0ycLeDnxw0Yx/fCbGcBs3FEC93LCefV2pmrg== X-Received: by 2002:a05:6870:d8a5:b0:1a3:5bb2:8e98 with SMTP id dv37-20020a056870d8a500b001a35bb28e98mr1489044oab.47.1686329025687; Fri, 09 Jun 2023 09:43:45 -0700 (PDT) Received: from magali.. ([2804:14c:bbe3:4606:db64:8f3b:3c73:e436]) by smtp.gmail.com with ESMTPSA id g17-20020a056870c39100b001726cfeea97sm2360707oao.29.2023.06.09.09.43.41 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 09 Jun 2023 09:43:45 -0700 (PDT) From: Magali Lemes To: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, shuah@kernel.org, dsahern@gmail.com Cc: andrei.gherzan@canonical.com, David Ahern , netdev@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH net v2 3/3] selftests: net: fcnal-test: check if FIPS mode is enabled Date: Fri, 9 Jun 2023 13:43:24 -0300 Message-Id: <20230609164324.497813-4-magali.lemes@canonical.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20230609164324.497813-1-magali.lemes@canonical.com> References: <20230609164324.497813-1-magali.lemes@canonical.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" There are some MD5 tests which fail when the kernel is in FIPS mode, since MD5 is not FIPS compliant. Add a check and only run those tests if FIPS mode is not enabled. Fixes: f0bee1ebb5594 ("fcnal-test: Add TCP MD5 tests") Fixes: 5cad8bce26e01 ("fcnal-test: Add TCP MD5 tests for VRF") Reviewed-by: David Ahern Signed-off-by: Magali Lemes --- Changes in v2: - Add R-b tag. tools/testing/selftests/net/fcnal-test.sh | 27 ++++++++++++++++------- 1 file changed, 19 insertions(+), 8 deletions(-) diff --git a/tools/testing/selftests/net/fcnal-test.sh b/tools/testing/self= tests/net/fcnal-test.sh index 21ca91473c09..ee6880ac3e5e 100755 --- a/tools/testing/selftests/net/fcnal-test.sh +++ b/tools/testing/selftests/net/fcnal-test.sh @@ -92,6 +92,13 @@ NSC_CMD=3D"ip netns exec ${NSC}" =20 which ping6 > /dev/null 2>&1 && ping6=3D$(which ping6) || ping6=3D$(which = ping) =20 +# Check if FIPS mode is enabled +if [ -f /proc/sys/crypto/fips_enabled ]; then + fips_enabled=3D`cat /proc/sys/crypto/fips_enabled` +else + fips_enabled=3D0 +fi + ##########################################################################= ###### # utilities =20 @@ -1216,7 +1223,7 @@ ipv4_tcp_novrf() run_cmd nettest -d ${NSA_DEV} -r ${a} log_test_addr ${a} $? 1 "No server, device client, local conn" =20 - ipv4_tcp_md5_novrf + [ "$fips_enabled" =3D "1" ] || ipv4_tcp_md5_novrf } =20 ipv4_tcp_vrf() @@ -1270,9 +1277,11 @@ ipv4_tcp_vrf() log_test_addr ${a} $? 1 "Global server, local connection" =20 # run MD5 tests - setup_vrf_dup - ipv4_tcp_md5 - cleanup_vrf_dup + if [ "$fips_enabled" =3D "0" ]; then + setup_vrf_dup + ipv4_tcp_md5 + cleanup_vrf_dup + fi =20 # # enable VRF global server @@ -2772,7 +2781,7 @@ ipv6_tcp_novrf() log_test_addr ${a} $? 1 "No server, device client, local conn" done =20 - ipv6_tcp_md5_novrf + [ "$fips_enabled" =3D "1" ] || ipv6_tcp_md5_novrf } =20 ipv6_tcp_vrf() @@ -2842,9 +2851,11 @@ ipv6_tcp_vrf() log_test_addr ${a} $? 1 "Global server, local connection" =20 # run MD5 tests - setup_vrf_dup - ipv6_tcp_md5 - cleanup_vrf_dup + if [ "$fips_enabled" =3D "0" ]; then + setup_vrf_dup + ipv6_tcp_md5 + cleanup_vrf_dup + fi =20 # # enable VRF global server --=20 2.34.1