All of lore.kernel.org
 help / color / mirror / Atom feed
* [LTP] [PATCH v2] sctp_big_chunk: Do not use md5 hmac algo if fips is enabled
@ 2023-06-22 14:50 Ashwin Dayanand Kamat via ltp
  2023-06-27 11:04 ` Petr Vorel
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Ashwin Dayanand Kamat via ltp @ 2023-06-22 14:50 UTC (permalink / raw)
  To: ltp, kashwindayan, akaher, tkundu, vsirnapalli, pvorel

MD5 is not FIPS compliant. But still md5 is used as the default algorithm for sctp
even when fips is enabled. Due to this, sctp_big_chunk testcase is failing because listen()
system call in setup_server() is failing in fips environment.

Fix is to not use md5 algorithm while setting up server, instead set it to none

Signed-Off by: Ashwin Dayanand Kamat <kashwindayan@vmware.com>
----
v2:
As per the review comments given by Petr, did below changes in v2,
        * Moved the logic to sctp_server() function
        * Setting none as the default algo
        * make sure cookie_hmac_alg file is present before accessing it
---
 testcases/network/sctp/sctp_big_chunk.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/testcases/network/sctp/sctp_big_chunk.c b/testcases/network/sctp/sctp_big_chunk.c
index a6a326ea2..31786dd39 100644
--- a/testcases/network/sctp/sctp_big_chunk.c
+++ b/testcases/network/sctp/sctp_big_chunk.c
@@ -34,6 +34,24 @@ static int addr_num = 3273;
 
 static void setup_server(void)
 {
+	const char *const cmd_modprobe[] = {"modprobe", "sctp", NULL};
+	const char hmac_algo_path[] = "/proc/sys/net/sctp/cookie_hmac_alg";
+	char hmac_algo[CHAR_MAX];
+	int hmac_algo_changed = 0;
+
+	/* Disable md5 if fips is enabled. Set it to none */
+	if (tst_fips_enabled()) {
+		if (access(hmac_algo_path, F_OK) < 0) {
+			SAFE_CMD(cmd_modprobe, NULL, NULL);
+		}
+
+		if (!access(hmac_algo_path, F_OK)) {
+			SAFE_FILE_SCANF(hmac_algo_path, "%s", hmac_algo);
+			SAFE_FILE_PRINTF(hmac_algo_path, "%s", "none");
+			hmac_algo_changed = 1;
+		}
+	}
+
 	loc.sin6_family = AF_INET6;
 	loc.sin6_addr = in6addr_loopback;
 
@@ -46,6 +64,9 @@ static void setup_server(void)
 	SAFE_LISTEN(sfd, 1);
 
 	srand(port);
+
+	if (hmac_algo_changed)
+		SAFE_FILE_PRINTF(hmac_algo_path, "%s", hmac_algo);
 }
 
 static void update_packet_field(size_t *off, void *buf, size_t buf_len)
-- 
2.39.0


-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

^ permalink raw reply related	[flat|nested] 6+ messages in thread
* Re: [LTP] [PATCH v2] sctp_big_chunk: Do not use md5 hmac algo if fips is enabled
  2023-06-22 14:50 [LTP] [PATCH v2] sctp_big_chunk: Do not use md5 hmac algo if fips is enabled Ashwin Dayanand Kamat via ltp
@ 2023-06-27 11:04 ` Petr Vorel
  2023-06-27 11:09 ` Petr Vorel
  2023-06-27 12:58 ` Petr Vorel
  2 siblings, 0 replies; 6+ messages in thread
From: Petr Vorel @ 2023-06-27 11:04 UTC (permalink / raw)
  To: Ashwin Dayanand Kamat; +Cc: tkundu, akaher, vsirnapalli, ltp

Hi Ashwin,

LGTM now.

Reviewed-by: Petr Vorel <pvorel@suse.cz>

Kind regards,
Petr

-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: [LTP] [PATCH v2] sctp_big_chunk: Do not use md5 hmac algo if fips is enabled
  2023-06-22 14:50 [LTP] [PATCH v2] sctp_big_chunk: Do not use md5 hmac algo if fips is enabled Ashwin Dayanand Kamat via ltp
  2023-06-27 11:04 ` Petr Vorel
@ 2023-06-27 11:09 ` Petr Vorel
  2023-06-27 11:20   ` Petr Vorel
  2023-06-27 12:58 ` Petr Vorel
  2 siblings, 1 reply; 6+ messages in thread
From: Petr Vorel @ 2023-06-27 11:09 UTC (permalink / raw)
  To: Ashwin Dayanand Kamat; +Cc: tkundu, akaher, vsirnapalli, ltp

Hi,

> MD5 is not FIPS compliant. But still md5 is used as the default algorithm for sctp
> even when fips is enabled. Due to this, sctp_big_chunk testcase is failing because listen()
> system call in setup_server() is failing in fips environment.

> Fix is to not use md5 algorithm while setting up server, instead set it to none

> Signed-Off by: Ashwin Dayanand Kamat <kashwindayan@vmware.com>
> ----
> v2:
> As per the review comments given by Petr, did below changes in v2,
>         * Moved the logic to sctp_server() function
>         * Setting none as the default algo
>         * make sure cookie_hmac_alg file is present before accessing it
BTW I suggested modprobe, because I'm not aware of other way to trigger it.
But maybe creating SCTP socket would trigger it, e.g.
socket(PF_INET, SOCK_STREAM, IPPROTO_SCTP);

If yes, IMHO it'd be more elegant solution and (likely) we would not depend on
modprobe.

Kind regards,
Petr

> ---
>  testcases/network/sctp/sctp_big_chunk.c | 21 +++++++++++++++++++++
>  1 file changed, 21 insertions(+)

> diff --git a/testcases/network/sctp/sctp_big_chunk.c b/testcases/network/sctp/sctp_big_chunk.c
> index a6a326ea2..31786dd39 100644
> --- a/testcases/network/sctp/sctp_big_chunk.c
> +++ b/testcases/network/sctp/sctp_big_chunk.c
> @@ -34,6 +34,24 @@ static int addr_num = 3273;

>  static void setup_server(void)
>  {
> +	const char *const cmd_modprobe[] = {"modprobe", "sctp", NULL};
> +	const char hmac_algo_path[] = "/proc/sys/net/sctp/cookie_hmac_alg";
> +	char hmac_algo[CHAR_MAX];
> +	int hmac_algo_changed = 0;
> +
> +	/* Disable md5 if fips is enabled. Set it to none */
> +	if (tst_fips_enabled()) {
> +		if (access(hmac_algo_path, F_OK) < 0) {
> +			SAFE_CMD(cmd_modprobe, NULL, NULL);
> +		}
> +
> +		if (!access(hmac_algo_path, F_OK)) {
> +			SAFE_FILE_SCANF(hmac_algo_path, "%s", hmac_algo);
> +			SAFE_FILE_PRINTF(hmac_algo_path, "%s", "none");
> +			hmac_algo_changed = 1;
> +		}
> +	}
> +
>  	loc.sin6_family = AF_INET6;
>  	loc.sin6_addr = in6addr_loopback;

> @@ -46,6 +64,9 @@ static void setup_server(void)
>  	SAFE_LISTEN(sfd, 1);

>  	srand(port);
> +
> +	if (hmac_algo_changed)
> +		SAFE_FILE_PRINTF(hmac_algo_path, "%s", hmac_algo);
>  }

>  static void update_packet_field(size_t *off, void *buf, size_t buf_len)

-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: [LTP] [PATCH v2] sctp_big_chunk: Do not use md5 hmac algo if fips is enabled
  2023-06-27 11:09 ` Petr Vorel
@ 2023-06-27 11:20   ` Petr Vorel
  0 siblings, 0 replies; 6+ messages in thread
From: Petr Vorel @ 2023-06-27 11:20 UTC (permalink / raw)
  To: Ashwin Dayanand Kamat, ltp, akaher, tkundu, vsirnapalli, Cyril Hrubis

> Hi,

> > MD5 is not FIPS compliant. But still md5 is used as the default algorithm for sctp
> > even when fips is enabled. Due to this, sctp_big_chunk testcase is failing because listen()
> > system call in setup_server() is failing in fips environment.

> > Fix is to not use md5 algorithm while setting up server, instead set it to none

> > Signed-Off by: Ashwin Dayanand Kamat <kashwindayan@vmware.com>
> > ----
> > v2:
> > As per the review comments given by Petr, did below changes in v2,
> >         * Moved the logic to sctp_server() function
> >         * Setting none as the default algo
> >         * make sure cookie_hmac_alg file is present before accessing it
> BTW I suggested modprobe, because I'm not aware of other way to trigger it.
> But maybe creating SCTP socket would trigger it, e.g.
> socket(PF_INET, SOCK_STREAM, IPPROTO_SCTP);

Yes, this simple socket call loads sctp module. Could we use something like
this:

	int fd;

	fd = SAFE_SOCKET(PF_INET, SOCK_STREAM, IPPROTO_SCTP);
	SAFE_CLOSE(fd);

to make sure sctp is loaded instead of directly calling modprobe?

I'm sorry I didn't find this before.

Kind regards,
Petr

> If yes, IMHO it'd be more elegant solution and (likely) we would not depend on
> modprobe.

> Kind regards,
> Petr

> > ---
> >  testcases/network/sctp/sctp_big_chunk.c | 21 +++++++++++++++++++++
> >  1 file changed, 21 insertions(+)

> > diff --git a/testcases/network/sctp/sctp_big_chunk.c b/testcases/network/sctp/sctp_big_chunk.c
> > index a6a326ea2..31786dd39 100644
> > --- a/testcases/network/sctp/sctp_big_chunk.c
> > +++ b/testcases/network/sctp/sctp_big_chunk.c
> > @@ -34,6 +34,24 @@ static int addr_num = 3273;

> >  static void setup_server(void)
> >  {
> > +	const char *const cmd_modprobe[] = {"modprobe", "sctp", NULL};
> > +	const char hmac_algo_path[] = "/proc/sys/net/sctp/cookie_hmac_alg";
> > +	char hmac_algo[CHAR_MAX];
> > +	int hmac_algo_changed = 0;
> > +
> > +	/* Disable md5 if fips is enabled. Set it to none */
> > +	if (tst_fips_enabled()) {
> > +		if (access(hmac_algo_path, F_OK) < 0) {
> > +			SAFE_CMD(cmd_modprobe, NULL, NULL);
> > +		}
> > +
> > +		if (!access(hmac_algo_path, F_OK)) {
> > +			SAFE_FILE_SCANF(hmac_algo_path, "%s", hmac_algo);
> > +			SAFE_FILE_PRINTF(hmac_algo_path, "%s", "none");
> > +			hmac_algo_changed = 1;
> > +		}
> > +	}
> > +
> >  	loc.sin6_family = AF_INET6;
> >  	loc.sin6_addr = in6addr_loopback;

> > @@ -46,6 +64,9 @@ static void setup_server(void)
> >  	SAFE_LISTEN(sfd, 1);

> >  	srand(port);
> > +
> > +	if (hmac_algo_changed)
> > +		SAFE_FILE_PRINTF(hmac_algo_path, "%s", hmac_algo);
> >  }

> >  static void update_packet_field(size_t *off, void *buf, size_t buf_len)

-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: [LTP] [PATCH v2] sctp_big_chunk: Do not use md5 hmac algo if fips is enabled
  2023-06-22 14:50 [LTP] [PATCH v2] sctp_big_chunk: Do not use md5 hmac algo if fips is enabled Ashwin Dayanand Kamat via ltp
  2023-06-27 11:04 ` Petr Vorel
  2023-06-27 11:09 ` Petr Vorel
@ 2023-06-27 12:58 ` Petr Vorel
  2023-06-28  6:05   ` Ashwin Dayanand Kamat via ltp
  2 siblings, 1 reply; 6+ messages in thread
From: Petr Vorel @ 2023-06-27 12:58 UTC (permalink / raw)
  To: Ashwin Dayanand Kamat; +Cc: tkundu, akaher, vsirnapalli, ltp

Hi Ashwin,

Tested-by: Petr Vorel <pvorel@suse.cz>

LGTM, but as I wrote, I'd prefer so load with SAFE_SOCKET().
Will you please send v3?

Kind regards,
Petr

-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: [LTP] [PATCH v2] sctp_big_chunk: Do not use md5 hmac algo if fips is enabled
  2023-06-27 12:58 ` Petr Vorel
@ 2023-06-28  6:05   ` Ashwin Dayanand Kamat via ltp
  0 siblings, 0 replies; 6+ messages in thread
From: Ashwin Dayanand Kamat via ltp @ 2023-06-28  6:05 UTC (permalink / raw)
  To: Petr Vorel; +Cc: Tapas Kundu, Ajay Kaher, Vasavi Sirnapalli, ltp



> On 27-Jun-2023, at 6:28 PM, Petr Vorel <pvorel@suse.cz> wrote:
> 
> !! External Email
> 
> Hi Ashwin,
> 
> Tested-by: Petr Vorel <pvorel@suse.cz>
> 
> LGTM, but as I wrote, I'd prefer so load with SAFE_SOCKET().
> Will you please send v3?
> 
Hi Petr,
Thanks for your inputs. I have sent the v3 patch and have made changes as suggested by you.

Thanks,
Ashwin
> Kind regards,
> Petr
> 
> !! External Email: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender.


-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

^ permalink raw reply	[flat|nested] 6+ messages in thread
end of thread, other threads:[~2023-06-28  6:06 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-06-22 14:50 [LTP] [PATCH v2] sctp_big_chunk: Do not use md5 hmac algo if fips is enabled Ashwin Dayanand Kamat via ltp
2023-06-27 11:04 ` Petr Vorel
2023-06-27 11:09 ` Petr Vorel
2023-06-27 11:20   ` Petr Vorel
2023-06-27 12:58 ` Petr Vorel
2023-06-28  6:05   ` Ashwin Dayanand Kamat via ltp

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.