[LTP] [PATCH v3 1/2] tst_af_alg: Moving tst_res(TCONF) to tst_have_alg()

[LTP] [PATCH v3 1/2] tst_af_alg: Moving tst_res(TCONF) to tst_have_alg()

[Petr Vorel]

+ introduce tst_try_alg() for cases where tst_res(TCONF) cannot be used.

It reduces duplicity for tst_have_alg() use.

Suggested-by: Cyril Hrubis <chrubis@suse.cz>
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
New in v3.

 include/tst_af_alg.h               | 16 ++++++++++--
 lib/tst_af_alg.c                   | 41 ++++++++++++++++++++++--------
 testcases/kernel/crypto/af_alg01.c | 14 ++++------
 testcases/kernel/crypto/af_alg03.c |  3 ++-
 testcases/kernel/crypto/af_alg04.c |  6 ++---
 5 files changed, 53 insertions(+), 27 deletions(-)

diff --git a/include/tst_af_alg.h b/include/tst_af_alg.h
index fd2ff06478..93ff5715b7 100644
--- a/include/tst_af_alg.h
+++ b/include/tst_af_alg.h
@@ -1,6 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0-or-later
 /*
  * Copyright 2019 Google LLC
+ * Copyright (c) Linux Test Project, 2021
  */
 /**
  * @file tst_af_alg.h
@@ -60,8 +61,19 @@ void tst_alg_bind(int algfd, const char *algtype, const char *algname);
  * @param algtype The type of algorithm, such as "hash" or "skcipher"
  * @param algname The name of the algorithm, such as "sha256" or "xts(aes)"
  *
- * Return true if the algorithm is available, or false if unavailable.
- * If another error occurs, tst_brk() is called with TBROK.
+ * Return 0 if the algorithm is available, or errno if unavailable.
+ */
+int tst_try_alg(const char *algtype, const char *algname);
+
+/**
+ * Check for the availability of an algorithm.
+ *
+ * @param algtype The type of algorithm, such as "hash" or "skcipher"
+ * @param algname The name of the algorithm, such as "sha256" or "xts(aes)"
+ *
+ * Return true if the algorithm is available, or false if unavailable
+ * and call tst_res() with TCONF. If another error occurs, tst_brk() is called
+ * with TBROK.
  */
 bool tst_have_alg(const char *algtype, const char *algname);
 
diff --git a/lib/tst_af_alg.c b/lib/tst_af_alg.c
index 05caa63016..d99a9ee2ef 100644
--- a/lib/tst_af_alg.c
+++ b/lib/tst_af_alg.c
@@ -1,6 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0-or-later
 /*
  * Copyright 2019 Google LLC
+ * Copyright (c) Linux Test Project, 2019-2021
  */
 
 #include <errno.h>
@@ -64,29 +65,47 @@ void tst_alg_bind(int algfd, const char *algtype, const char *algname)
 	tst_alg_bind_addr(algfd, &addr);
 }
 
-bool tst_have_alg(const char *algtype, const char *algname)
+int tst_try_alg(const char *algtype, const char *algname)
 {
 	long ret;
+	int retval = 0;
 	int algfd;
 	struct sockaddr_alg addr;
-	bool have_alg = true;
 
 	algfd = tst_alg_create();
 
 	init_sockaddr_alg(&addr, algtype, algname);
 
 	ret = bind(algfd, (const struct sockaddr *)&addr, sizeof(addr));
-	if (ret != 0) {
-		if (errno != ENOENT) {
-			tst_brk(TBROK | TERRNO,
-				"unexpected error binding AF_ALG socket to %s algorithm '%s'",
-				algtype, algname);
-		}
-		have_alg = false;
-	}
+
+	if (ret != 0)
+		retval = errno;
 
 	close(algfd);
-	return have_alg;
+	return retval;
+}
+
+bool tst_have_alg(const char *algtype, const char *algname)
+{
+	int ret;
+
+	ret = tst_try_alg(algtype, algname);
+
+	switch (ret) {
+	case 0:
+		return true;
+	case ENOENT:
+		tst_res(TCONF, "kernel doesn't have %s algorithm '%s'",
+			algtype, algname);
+		return false;
+	default:
+		errno = ret;
+		tst_brk(TBROK | TERRNO,
+			"unexpected error binding AF_ALG socket to %s algorithm '%s'",
+			algtype, algname);
+		return false;
+	break;
+	}
 }
 
 void tst_require_alg(const char *algtype, const char *algname)
diff --git a/testcases/kernel/crypto/af_alg01.c b/testcases/kernel/crypto/af_alg01.c
index 47292ee328..7cefe59461 100644
--- a/testcases/kernel/crypto/af_alg01.c
+++ b/testcases/kernel/crypto/af_alg01.c
@@ -1,6 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0-or-later
 /*
  * Copyright 2019 Google LLC
+ * Copyright (c) Linux Test Project, 2019-2021
  */
 
 /*
@@ -21,20 +22,15 @@ static void test_with_hash_alg(const char *hash_algname)
 	char hmac_algname[64];
 	char key[4096] = { 0 };
 
-	if (!tst_have_alg("hash", hash_algname)) {
-		tst_res(TCONF, "kernel doesn't have hash algorithm '%s'",
-			hash_algname);
+	if (!tst_have_alg("hash", hash_algname))
 		return;
-	}
+
 	sprintf(hmac_algname, "hmac(%s)", hash_algname);
-	if (!tst_have_alg("hash", hmac_algname)) {
-		tst_res(TCONF, "kernel doesn't have hash algorithm '%s'",
-			hmac_algname);
+	if (!tst_have_alg("hash", hmac_algname))
 		return;
-	}
 
 	sprintf(hmac_algname, "hmac(hmac(%s))", hash_algname);
-	if (tst_have_alg("hash", hmac_algname)) {
+	if (tst_try_alg("hash", hmac_algname) != ENOENT) {
 		int algfd;
 
 		tst_res(TFAIL, "instantiated nested hmac algorithm ('%s')!",
diff --git a/testcases/kernel/crypto/af_alg03.c b/testcases/kernel/crypto/af_alg03.c
index 5f214e48ba..bb8d480e28 100644
--- a/testcases/kernel/crypto/af_alg03.c
+++ b/testcases/kernel/crypto/af_alg03.c
@@ -1,6 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0-or-later
 /*
  * Copyright 2019 Google LLC
+ * Copyright (c) Linux Test Project, 2019-2021
  */
 
 /*
@@ -17,7 +18,7 @@ static void run(void)
 	tst_require_alg("aead", "rfc7539(chacha20,poly1305)");
 	tst_require_alg("hash", "sha256");
 
-	if (tst_have_alg("aead", "rfc7539(chacha20,sha256)")) {
+	if (tst_try_alg("aead", "rfc7539(chacha20,sha256)") != ENOENT) {
 		tst_res(TFAIL,
 			"instantiated rfc7539 template with wrong digest size");
 	} else {
diff --git a/testcases/kernel/crypto/af_alg04.c b/testcases/kernel/crypto/af_alg04.c
index 112afcd527..7b665f89a3 100644
--- a/testcases/kernel/crypto/af_alg04.c
+++ b/testcases/kernel/crypto/af_alg04.c
@@ -1,6 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0-or-later
 /*
  * Copyright 2019 Google LLC
+ * Copyright (c) Linux Test Project, 2019-2021
  */
 
 /*
@@ -28,11 +29,8 @@ static void test_with_symm_enc_algs(const char *symm_enc_algname)
 	sprintf(vmac_algname, "vmac64(%s)", symm_enc_algname);
 	if (!tst_have_alg("hash", vmac_algname)) {
 		sprintf(vmac_algname, "vmac(%s)", symm_enc_algname);
-		if (!tst_have_alg("hash", vmac_algname)) {
-			tst_res(TCONF, "kernel doesn't have hash algorithm '%s'",
-				vmac_algname);
+		if (!tst_have_alg("hash", vmac_algname))
 			return;
-		}
 	}
 	algfd = tst_alg_setup("hash", vmac_algname, NULL, 16);
 
-- 
2.34.1


-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

[LTP] [PATCH v3 2/2] tst_af_alg: TCONF on ciphers disabled by FIPS

[Petr Vorel]

Similar fix to 4fa302ef9d. It fixes:

./af_alg01
tst_af_alg.c:84: TBROK: unexpected error binding AF_ALG socket to hash algorithm 'md5': ELIBBAD (80)
become
tst_fips.c:22: TINFO: FIPS: on
tst_af_alg.c:111: TCONF: FIPS enabled => hash algorithm 'md5' disabled
tst_fips.c:22: TINFO: FIPS: on
tst_af_alg.c:111: TCONF: FIPS enabled => hash algorithm 'md5-generic' disabled

./af_alg02
tst_af_alg.c:37: TBROK: unexpected error binding AF_ALG socket to skcipher algorithm 'salsa20': ELIBBAD (80)
become
tst_fips.c:22: TINFO: FIPS: on
tst_af_alg.c:36: TCONF: FIPS enabled => skcipher algorithm 'salsa20' disabled

./af_alg04
tst_af_alg.c:81: TBROK: unexpected error binding AF_ALG socket to hash algorithm 'vmac64(aes)': ELIBBAD (80)
become
tst_fips.c:22: TINFO: FIPS: on
tst_af_alg.c:111: TCONF: FIPS enabled => hash algorithm 'vmac64(aes)' disabled

Tested on Debian stable bullseye and SLES 15-SP4.

Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
NOTE: I asked Herbert Xu for confirmation that my code understanding is
correct and ELIBBAD is expected for ciphers disabled by FIPS.

 include/tst_af_alg.h |  2 +-
 lib/tst_af_alg.c     | 16 ++++++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/include/tst_af_alg.h b/include/tst_af_alg.h
index 93ff5715b7..86df18eb81 100644
--- a/include/tst_af_alg.h
+++ b/include/tst_af_alg.h
@@ -73,7 +73,7 @@ int tst_try_alg(const char *algtype, const char *algname);
  *
  * Return true if the algorithm is available, or false if unavailable
  * and call tst_res() with TCONF. If another error occurs, tst_brk() is called
- * with TBROK.
+ * with TBROK unless algorithm is disabled due FIPS mode (errno ELIBBAD).
  */
 bool tst_have_alg(const char *algtype, const char *algname);
 
diff --git a/lib/tst_af_alg.c b/lib/tst_af_alg.c
index d99a9ee2ef..52c0b0abb4 100644
--- a/lib/tst_af_alg.c
+++ b/lib/tst_af_alg.c
@@ -31,10 +31,18 @@ void tst_alg_bind_addr(int algfd, const struct sockaddr_alg *addr)
 
 	if (ret == 0)
 		return;
+
+	if (errno == ELIBBAD && tst_fips_enabled()) {
+		tst_brk(TCONF,
+			"FIPS enabled => %s algorithm '%s' disabled",
+			addr->salg_type, addr->salg_name);
+	}
+
 	if (errno == ENOENT) {
 		tst_brk(TCONF, "kernel doesn't support %s algorithm '%s'",
 			addr->salg_type, addr->salg_name);
 	}
+
 	tst_brk(TBROK | TERRNO,
 		"unexpected error binding AF_ALG socket to %s algorithm '%s'",
 		addr->salg_type, addr->salg_name);
@@ -98,6 +106,14 @@ bool tst_have_alg(const char *algtype, const char *algname)
 		tst_res(TCONF, "kernel doesn't have %s algorithm '%s'",
 			algtype, algname);
 		return false;
+	case ELIBBAD:
+		if (tst_fips_enabled()) {
+			tst_res(TCONF,
+				"FIPS enabled => %s algorithm '%s' disabled",
+				algtype, algname);
+			return false;
+		}
+	/* fallthrough */
 	default:
 		errno = ret;
 		tst_brk(TBROK | TERRNO,
-- 
2.34.1


-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

Re: [LTP] [PATCH v3 1/2] tst_af_alg: Moving tst_res(TCONF) to tst_have_alg()

[Cyril Hrubis]

Hi!
> +bool tst_have_alg(const char *algtype, const char *algname)
> +{
> +	int ret;
> +
> +	ret = tst_try_alg(algtype, algname);
> +
> +	switch (ret) {
> +	case 0:
> +		return true;
> +	case ENOENT:
> +		tst_res(TCONF, "kernel doesn't have %s algorithm '%s'",
> +			algtype, algname);
> +		return false;
> +	default:
> +		errno = ret;
> +		tst_brk(TBROK | TERRNO,
> +			"unexpected error binding AF_ALG socket to %s algorithm '%s'",
> +			algtype, algname);
> +		return false;
> +	break;

This break is useless, otherwise:

Reviewed-by: Cyril Hrubis <chrubis@suse.cz>

-- 
Cyril Hrubis
chrubis@suse.cz

-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

Re: [LTP] [PATCH v3 2/2] tst_af_alg: TCONF on ciphers disabled by FIPS

[Cyril Hrubis]

Hi!
Reviewed-by: Cyril Hrubis <chrubis@suse.cz>

-- 
Cyril Hrubis
chrubis@suse.cz

-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

Re: [LTP] [PATCH v3 1/2] tst_af_alg: Moving tst_res(TCONF) to tst_have_alg()

[Eric Biggers]

On Wed, Dec 22, 2021 at 08:26:03PM +0100, Petr Vorel wrote:
> + introduce tst_try_alg() for cases where tst_res(TCONF) cannot be used.
> 
> It reduces duplicity for tst_have_alg() use.
> 
> Suggested-by: Cyril Hrubis <chrubis@suse.cz>
> Signed-off-by: Petr Vorel <pvorel@suse.cz>

Reviewed-by: Eric Biggers <ebiggers@google.com>

- Eric

-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

Re: [LTP] [PATCH v3 2/2] tst_af_alg: TCONF on ciphers disabled by FIPS

[Eric Biggers]

On Wed, Dec 22, 2021 at 08:26:04PM +0100, Petr Vorel wrote:
> Similar fix to 4fa302ef9d. It fixes:
> 
> ./af_alg01
> tst_af_alg.c:84: TBROK: unexpected error binding AF_ALG socket to hash algorithm 'md5': ELIBBAD (80)
> become
> tst_fips.c:22: TINFO: FIPS: on
> tst_af_alg.c:111: TCONF: FIPS enabled => hash algorithm 'md5' disabled
> tst_fips.c:22: TINFO: FIPS: on
> tst_af_alg.c:111: TCONF: FIPS enabled => hash algorithm 'md5-generic' disabled
> 
> ./af_alg02
> tst_af_alg.c:37: TBROK: unexpected error binding AF_ALG socket to skcipher algorithm 'salsa20': ELIBBAD (80)
> become
> tst_fips.c:22: TINFO: FIPS: on
> tst_af_alg.c:36: TCONF: FIPS enabled => skcipher algorithm 'salsa20' disabled
> 
> ./af_alg04
> tst_af_alg.c:81: TBROK: unexpected error binding AF_ALG socket to hash algorithm 'vmac64(aes)': ELIBBAD (80)
> become
> tst_fips.c:22: TINFO: FIPS: on
> tst_af_alg.c:111: TCONF: FIPS enabled => hash algorithm 'vmac64(aes)' disabled
> 
> Tested on Debian stable bullseye and SLES 15-SP4.
> 
> Signed-off-by: Petr Vorel <pvorel@suse.cz>
> ---
> NOTE: I asked Herbert Xu for confirmation that my code understanding is
> correct and ELIBBAD is expected for ciphers disabled by FIPS.

Can you link to the mailing list thread where it was established that ELIBBAD is
the "expected" behavior?  Otherwise I guess this is fine.

Reviewed-by: Eric Biggers <ebiggers@google.com>

- Eric

-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

Re: [LTP] [PATCH v3 2/2] tst_af_alg: TCONF on ciphers disabled by FIPS

[Petr Vorel]

Hi Eric, Cyril,

> > NOTE: I asked Herbert Xu for confirmation that my code understanding is
> > correct and ELIBBAD is expected for ciphers disabled by FIPS.

> Can you link to the mailing list thread where it was established that ELIBBAD is
> the "expected" behavior?  Otherwise I guess this is fine.

Link added, fixed useless break and merged.
Thank you both!

Kind regards,
Petr

-- 
Mailing list info: https://lists.linux.it/listinfo/ltp