Commit d113c395 authored by Magali Lemes's avatar Magali Lemes Committed by Jakub Kicinski

selftests: net: tls: check if FIPS mode is enabled



TLS selftests use the ChaCha20-Poly1305 and SM4 algorithms, which are not
FIPS compliant. When fips=1, this set of tests fails. Add a check and only
run these tests if not in FIPS mode.

Fixes: 4f336e88 ("selftests/tls: add CHACHA20-POLY1305 to tls selftests")
Fixes: e506342a ("selftests/tls: add SM4 GCM/CCM to tls selftests")
Reviewed-by: default avatarJakub Kicinski <kuba@kernel.org>
Signed-off-by: default avatarMagali Lemes <magali.lemes@canonical.com>
Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
parent 372b304c
+23 −1
@@ -25,6 +25,8 @@
#define TLS_PAYLOAD_MAX_LEN 16384
#define SOL_TLS 282

static int fips_enabled;

struct tls_crypto_info_keys {
	union {
		struct tls12_crypto_info_aes_gcm_128 aes128;
@@ -235,7 +237,7 @@ FIXTURE_VARIANT(tls)
{
	uint16_t tls_version;
	uint16_t cipher_type;
	bool nopad;
	bool nopad, fips_non_compliant;
};

FIXTURE_VARIANT_ADD(tls, 12_aes_gcm)
@@ -254,24 +256,28 @@ FIXTURE_VARIANT_ADD(tls, 12_chacha)
{
	.tls_version = TLS_1_2_VERSION,
	.cipher_type = TLS_CIPHER_CHACHA20_POLY1305,
	.fips_non_compliant = true,
};

FIXTURE_VARIANT_ADD(tls, 13_chacha)
{
	.tls_version = TLS_1_3_VERSION,
	.cipher_type = TLS_CIPHER_CHACHA20_POLY1305,
	.fips_non_compliant = true,
};

FIXTURE_VARIANT_ADD(tls, 13_sm4_gcm)
{
	.tls_version = TLS_1_3_VERSION,
	.cipher_type = TLS_CIPHER_SM4_GCM,
	.fips_non_compliant = true,
};

FIXTURE_VARIANT_ADD(tls, 13_sm4_ccm)
{
	.tls_version = TLS_1_3_VERSION,
	.cipher_type = TLS_CIPHER_SM4_CCM,
	.fips_non_compliant = true,
};

FIXTURE_VARIANT_ADD(tls, 12_aes_ccm)
@@ -311,6 +317,9 @@ FIXTURE_SETUP(tls)
	int one = 1;
	int ret;

	if (fips_enabled && variant->fips_non_compliant)
		SKIP(return, "Unsupported cipher in FIPS mode");

	tls_crypto_info_init(variant->tls_version, variant->cipher_type,
			     &tls12);

@@ -1865,4 +1874,17 @@ TEST(prequeue) {
	close(cfd);
}

static void __attribute__((constructor)) fips_check(void) {
	int res;
	FILE *f;

	f = fopen("/proc/sys/crypto/fips_enabled", "r");
	if (f) {
		res = fscanf(f, "%d", &fips_enabled);
		if (res != 1)
			ksft_print_msg("ERROR: Couldn't read /proc/sys/crypto/fips_enabled\n");
		fclose(f);
	}
}

TEST_HARNESS_MAIN
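Review bot: In `fips_check()` a failed `fopen()` and a failed `fscanf()` both leave `fips_enabled` at its static initial value of 0, so on a FIPS host where the read fails the ChaCha20-Poly1305 and SM4 variants are not skipped and would presumably fail the way the commit message describes, with nothing in the log linking the two. The message could state the fallback, e.g. `ksft_print_msg("ERROR: Couldn't read /proc/sys/crypto/fips_enabled, assuming FIPS is off\n");`. A comment above the constructor would also help, such as `/* Runs before the harness starts; if the fips_enabled file is absent the flag stays 0 (FIPS treated as off). */`. Separately, because `FIXTURE_SETUP(tls)` (whose body continues outside the hunk) now skips these variants, nothing visible here asserts that the kernel actually refuses the non-compliant ciphers when fips=1; if that rejection is the intended behaviour, a negative check in FIPS mode would keep it covered.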