Merge branch 'check-if-fips-mode-is-enabled-when-running-selftests' (d4e06728) · Commits · EulixOS / Software / Kernel

tools/testing/selftests/kselftest_harness.h

+3 −3

Original line number	Diff line number	Diff line
		@@ -249,7 +249,7 @@

		/**
		* FIXTURE_SETUP() - Prepares the setup function for the fixture.
		* _metadata is included so that EXPECT_* and ASSERT_* work correctly.
		* _metadata is included so that EXPECT_, ASSERT_ etc. work correctly.
		*
		* @fixture_name: fixture name
		*
		@@ -275,7 +275,7 @@

		/**
		* FIXTURE_TEARDOWN()
		* _metadata is included so that EXPECT_* and ASSERT_* work correctly.
		* _metadata is included so that EXPECT_, ASSERT_ etc. work correctly.
		*
		* @fixture_name: fixture name
		*
		@@ -388,7 +388,7 @@
		if (setjmp(_metadata->env) == 0) { \
		fixture_name##_setup(_metadata, &self, variant->data); \
		/* Let setup failure terminate early. */ \
		if (!_metadata->passed) \
		if (!_metadata->passed \|\| _metadata->skip) \
		return; \
		_metadata->setup_completed = true; \
		fixture_name##_##test_name(_metadata, &self, variant->data); \

tools/testing/selftests/net/fcnal-test.sh

+19 −8

Original line number	Diff line number	Diff line
		@@ -92,6 +92,13 @@ NSC_CMD="ip netns exec ${NSC}"

		which ping6 > /dev/null 2>&1 && ping6=$(which ping6) \|\| ping6=$(which ping)

		# Check if FIPS mode is enabled
		if [ -f /proc/sys/crypto/fips_enabled ]; then
		fips_enabled=`cat /proc/sys/crypto/fips_enabled`
		else
		fips_enabled=0
		fi

		################################################################################
		# utilities

		@@ -1216,7 +1223,7 @@ ipv4_tcp_novrf()
		run_cmd nettest -d ${NSA_DEV} -r ${a}
		log_test_addr ${a} $? 1 "No server, device client, local conn"

		ipv4_tcp_md5_novrf
		[ "$fips_enabled" = "1" ] \|\| ipv4_tcp_md5_novrf
		}

		ipv4_tcp_vrf()
		@@ -1270,9 +1277,11 @@ ipv4_tcp_vrf()
		log_test_addr ${a} $? 1 "Global server, local connection"

		# run MD5 tests
		if [ "$fips_enabled" = "0" ]; then
		setup_vrf_dup
		ipv4_tcp_md5
		cleanup_vrf_dup
		fi

		#
		# enable VRF global server
		@@ -2772,7 +2781,7 @@ ipv6_tcp_novrf()
		log_test_addr ${a} $? 1 "No server, device client, local conn"
		done

		ipv6_tcp_md5_novrf
		[ "$fips_enabled" = "1" ] \|\| ipv6_tcp_md5_novrf
		}

		ipv6_tcp_vrf()
		@@ -2842,9 +2851,11 @@ ipv6_tcp_vrf()
		log_test_addr ${a} $? 1 "Global server, local connection"

		# run MD5 tests
		if [ "$fips_enabled" = "0" ]; then
		setup_vrf_dup
		ipv6_tcp_md5
		cleanup_vrf_dup
		fi

		#
		# enable VRF global server

tools/testing/selftests/net/tls.c

+23 −1

Original line number	Diff line number	Diff line
		@@ -25,6 +25,8 @@
		#define TLS_PAYLOAD_MAX_LEN 16384
		#define SOL_TLS 282

		static int fips_enabled;

		struct tls_crypto_info_keys {
		union {
		struct tls12_crypto_info_aes_gcm_128 aes128;
		@@ -235,7 +237,7 @@ FIXTURE_VARIANT(tls)
		{
		uint16_t tls_version;
		uint16_t cipher_type;
		bool nopad;
		bool nopad, fips_non_compliant;
		};

		FIXTURE_VARIANT_ADD(tls, 12_aes_gcm)
		@@ -254,24 +256,28 @@ FIXTURE_VARIANT_ADD(tls, 12_chacha)
		{
		.tls_version = TLS_1_2_VERSION,
		.cipher_type = TLS_CIPHER_CHACHA20_POLY1305,
		.fips_non_compliant = true,
		};

		FIXTURE_VARIANT_ADD(tls, 13_chacha)
		{
		.tls_version = TLS_1_3_VERSION,
		.cipher_type = TLS_CIPHER_CHACHA20_POLY1305,
		.fips_non_compliant = true,
		};

		FIXTURE_VARIANT_ADD(tls, 13_sm4_gcm)
		{
		.tls_version = TLS_1_3_VERSION,
		.cipher_type = TLS_CIPHER_SM4_GCM,
		.fips_non_compliant = true,
		};

		FIXTURE_VARIANT_ADD(tls, 13_sm4_ccm)
		{
		.tls_version = TLS_1_3_VERSION,
		.cipher_type = TLS_CIPHER_SM4_CCM,
		.fips_non_compliant = true,
		};

		FIXTURE_VARIANT_ADD(tls, 12_aes_ccm)
		@@ -311,6 +317,9 @@ FIXTURE_SETUP(tls)
		int one = 1;
		int ret;

		if (fips_enabled && variant->fips_non_compliant)
		SKIP(return, "Unsupported cipher in FIPS mode");

		tls_crypto_info_init(variant->tls_version, variant->cipher_type,
		&tls12);

		@@ -1865,4 +1874,17 @@ TEST(prequeue) {
		close(cfd);
		}

		static void __attribute__((constructor)) fips_check(void) {
		int res;
		FILE *f;

		f = fopen("/proc/sys/crypto/fips_enabled", "r");
		if (f) {
		res = fscanf(f, "%d", &fips_enabled);
		if (res != 1)
		ksft_print_msg("ERROR: Couldn't read /proc/sys/crypto/fips_enabled\n");
		fclose(f);
		}
		}

		TEST_HARNESS_MAIN

tools/testing/selftests/net/vrf-xfrm-tests.sh

+16 −16

Original line number	Diff line number	Diff line
		@@ -264,60 +264,60 @@ setup_xfrm()
		ip -netns host1 xfrm state add src ${HOST1_4} dst ${HOST2_4} \
		proto esp spi ${SPI_1} reqid 0 mode tunnel \
		replay-window 4 replay-oseq 0x4 \
		auth-trunc 'hmac(md5)' ${AUTH_1} 96 \
		enc 'cbc(des3_ede)' ${ENC_1} \
		auth-trunc 'hmac(sha1)' ${AUTH_1} 96 \
		enc 'cbc(aes)' ${ENC_1} \
		sel src ${h1_4} dst ${h2_4} ${devarg}

		ip -netns host2 xfrm state add src ${HOST1_4} dst ${HOST2_4} \
		proto esp spi ${SPI_1} reqid 0 mode tunnel \
		replay-window 4 replay-oseq 0x4 \
		auth-trunc 'hmac(md5)' ${AUTH_1} 96 \
		enc 'cbc(des3_ede)' ${ENC_1} \
		auth-trunc 'hmac(sha1)' ${AUTH_1} 96 \
		enc 'cbc(aes)' ${ENC_1} \
		sel src ${h1_4} dst ${h2_4}


		ip -netns host1 xfrm state add src ${HOST2_4} dst ${HOST1_4} \
		proto esp spi ${SPI_2} reqid 0 mode tunnel \
		replay-window 4 replay-oseq 0x4 \
		auth-trunc 'hmac(md5)' ${AUTH_2} 96 \
		enc 'cbc(des3_ede)' ${ENC_2} \
		auth-trunc 'hmac(sha1)' ${AUTH_2} 96 \
		enc 'cbc(aes)' ${ENC_2} \
		sel src ${h2_4} dst ${h1_4} ${devarg}

		ip -netns host2 xfrm state add src ${HOST2_4} dst ${HOST1_4} \
		proto esp spi ${SPI_2} reqid 0 mode tunnel \
		replay-window 4 replay-oseq 0x4 \
		auth-trunc 'hmac(md5)' ${AUTH_2} 96 \
		enc 'cbc(des3_ede)' ${ENC_2} \
		auth-trunc 'hmac(sha1)' ${AUTH_2} 96 \
		enc 'cbc(aes)' ${ENC_2} \
		sel src ${h2_4} dst ${h1_4}


		ip -6 -netns host1 xfrm state add src ${HOST1_6} dst ${HOST2_6} \
		proto esp spi ${SPI_1} reqid 0 mode tunnel \
		replay-window 4 replay-oseq 0x4 \
		auth-trunc 'hmac(md5)' ${AUTH_1} 96 \
		enc 'cbc(des3_ede)' ${ENC_1} \
		auth-trunc 'hmac(sha1)' ${AUTH_1} 96 \
		enc 'cbc(aes)' ${ENC_1} \
		sel src ${h1_6} dst ${h2_6} ${devarg}

		ip -6 -netns host2 xfrm state add src ${HOST1_6} dst ${HOST2_6} \
		proto esp spi ${SPI_1} reqid 0 mode tunnel \
		replay-window 4 replay-oseq 0x4 \
		auth-trunc 'hmac(md5)' ${AUTH_1} 96 \
		enc 'cbc(des3_ede)' ${ENC_1} \
		auth-trunc 'hmac(sha1)' ${AUTH_1} 96 \
		enc 'cbc(aes)' ${ENC_1} \
		sel src ${h1_6} dst ${h2_6}


		ip -6 -netns host1 xfrm state add src ${HOST2_6} dst ${HOST1_6} \
		proto esp spi ${SPI_2} reqid 0 mode tunnel \
		replay-window 4 replay-oseq 0x4 \
		auth-trunc 'hmac(md5)' ${AUTH_2} 96 \
		enc 'cbc(des3_ede)' ${ENC_2} \
		auth-trunc 'hmac(sha1)' ${AUTH_2} 96 \
		enc 'cbc(aes)' ${ENC_2} \
		sel src ${h2_6} dst ${h1_6} ${devarg}

		ip -6 -netns host2 xfrm state add src ${HOST2_6} dst ${HOST1_6} \
		proto esp spi ${SPI_2} reqid 0 mode tunnel \
		replay-window 4 replay-oseq 0x4 \
		auth-trunc 'hmac(md5)' ${AUTH_2} 96 \
		enc 'cbc(des3_ede)' ${ENC_2} \
		auth-trunc 'hmac(sha1)' ${AUTH_2} 96 \
		enc 'cbc(aes)' ${ENC_2} \
		sel src ${h2_6} dst ${h1_6}
		}