* [LTP] [PATCH v2] sctp_big_chunk: Do not use md5 hmac algo if fips is enabled
@ 2023-06-22 14:50 Ashwin Dayanand Kamat via ltp
2023-06-27 11:04 ` Petr Vorel
` (2 more replies)
0 siblings, 3 replies; 6+ messages in thread
From: Ashwin Dayanand Kamat via ltp @ 2023-06-22 14:50 UTC (permalink / raw)
To: ltp, kashwindayan, akaher, tkundu, vsirnapalli, pvorel
MD5 is not FIPS compliant, but md5 is still used as the default algorithm for sctp
even when fips is enabled. Due to this, the sctp_big_chunk testcase is failing because the listen()
system call in setup_server() fails in a fips environment.
The fix is to not use the md5 algorithm while setting up the server, and instead set it to none.
Signed-off-by: Ashwin Dayanand Kamat <kashwindayan@vmware.com>
----
v2:
As per the review comments given by Petr, did below changes in v2,
* Moved the logic to sctp_server() function
* Setting none as the default algo
* make sure cookie_hmac_alg file is present before accessing it
---
testcases/network/sctp/sctp_big_chunk.c | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/testcases/network/sctp/sctp_big_chunk.c b/testcases/network/sctp/sctp_big_chunk.c
index a6a326ea2..31786dd39 100644
--- a/testcases/network/sctp/sctp_big_chunk.c
+++ b/testcases/network/sctp/sctp_big_chunk.c
@@ -34,6 +34,24 @@ static int addr_num = 3273;
static void setup_server(void)
{
+ const char *const cmd_modprobe[] = {"modprobe", "sctp", NULL};
+ const char hmac_algo_path[] = "/proc/sys/net/sctp/cookie_hmac_alg";
+ char hmac_algo[CHAR_MAX];
+ int hmac_algo_changed = 0;
+
+ /* Disable md5 if fips is enabled. Set it to none */
+ if (tst_fips_enabled()) {
+ if (access(hmac_algo_path, F_OK) < 0) {
+ SAFE_CMD(cmd_modprobe, NULL, NULL);
+ }
+
+ if (!access(hmac_algo_path, F_OK)) {
+ SAFE_FILE_SCANF(hmac_algo_path, "%s", hmac_algo);
+ SAFE_FILE_PRINTF(hmac_algo_path, "%s", "none");
+ hmac_algo_changed = 1;
+ }
+ }
+
loc.sin6_family = AF_INET6;
loc.sin6_addr = in6addr_loopback;
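Review bot: the save buffer `char hmac_algo[CHAR_MAX];` uses CHAR_MAX (the largest value a char can hold, from <limits.h>) as an array size, and the matching `SAFE_FILE_SCANF(hmac_algo_path, "%s", hmac_algo);` has no field width, so nothing ties the length of what is read to the buffer. Use a small named constant for the buffer and put the width in the format (e.g. "%31s" for a 32-byte buffer). Secondary: `access(hmac_algo_path, F_OK)` is used both to decide on modprobe and to guard the write; creating and closing an SCTP socket as the module-load trigger, as the thread later proposes, would drop the dependency on the modprobe binary.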
@@ -46,6 +64,9 @@ static void setup_server(void)
SAFE_LISTEN(sfd, 1);
srand(port);
+
+ if (hmac_algo_changed)
+ SAFE_FILE_PRINTF(hmac_algo_path, "%s", hmac_algo);
}
static void update_packet_field(size_t *off, void *buf, size_t buf_len)
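Review bot: the restore `SAFE_FILE_PRINTF(hmac_algo_path, "%s", hmac_algo);` only runs when setup_server() reaches its end; any SAFE_* failure between the write of "none" in the first hunk and this point exits the test and leaves the system-wide cookie_hmac_alg set to "none", which weakens SCTP cookie authentication for every other SCTP user on the host. Move the restore (still guarded by hmac_algo_changed) into the test's cleanup callback so it also runs on tst_brk, and make hmac_algo and hmac_algo_changed file-scope so the cleanup can reach them.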
--
2.39.0
--
Mailing list info: https://lists.linux.it/listinfo/ltp
* Re: [LTP] [PATCH v2] sctp_big_chunk: Do not use md5 hmac algo if fips is enabled
2023-06-22 14:50 [LTP] [PATCH v2] sctp_big_chunk: Do not use md5 hmac algo if fips is enabled Ashwin Dayanand Kamat via ltp
@ 2023-06-27 11:04 ` Petr Vorel
2023-06-27 11:09 ` Petr Vorel
2023-06-27 12:58 ` Petr Vorel
2 siblings, 0 replies; 6+ messages in thread
From: Petr Vorel @ 2023-06-27 11:04 UTC (permalink / raw)
To: Ashwin Dayanand Kamat; +Cc: tkundu, akaher, vsirnapalli, ltp
Hi Ashwin,
LGTM now.
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Kind regards,
Petr
* Re: [LTP] [PATCH v2] sctp_big_chunk: Do not use md5 hmac algo if fips is enabled
2023-06-22 14:50 [LTP] [PATCH v2] sctp_big_chunk: Do not use md5 hmac algo if fips is enabled Ashwin Dayanand Kamat via ltp
2023-06-27 11:04 ` Petr Vorel
@ 2023-06-27 11:09 ` Petr Vorel
2023-06-27 11:20 ` Petr Vorel
2023-06-27 12:58 ` Petr Vorel
2 siblings, 1 reply; 6+ messages in thread
From: Petr Vorel @ 2023-06-27 11:09 UTC (permalink / raw)
To: Ashwin Dayanand Kamat; +Cc: tkundu, akaher, vsirnapalli, ltp
Hi,
> MD5 is not FIPS compliant. But still md5 is used as the default algorithm for sctp
> even when fips is enabled. Due to this, sctp_big_chunk testcase is failing because listen()
> system call in setup_server() is failing in fips environment.
> Fix is to not use md5 algorithm while setting up server, instead set it to none
> Signed-Off by: Ashwin Dayanand Kamat <kashwindayan@vmware.com>
> ----
> v2:
> As per the review comments given by Petr, did below changes in v2,
> * Moved the logic to sctp_server() function
> * Setting none as the default algo
> * make sure cookie_hmac_alg file is present before accessing it
BTW I suggested modprobe because I'm not aware of another way to trigger it.
But maybe creating an SCTP socket would trigger it, e.g.
socket(PF_INET, SOCK_STREAM, IPPROTO_SCTP);
If yes, IMHO it'd be a more elegant solution and (likely) we would not depend on
modprobe.
Kind regards,
Petr
> ---
> testcases/network/sctp/sctp_big_chunk.c | 21 +++++++++++++++++++++
> 1 file changed, 21 insertions(+)
> diff --git a/testcases/network/sctp/sctp_big_chunk.c b/testcases/network/sctp/sctp_big_chunk.c
> index a6a326ea2..31786dd39 100644
> --- a/testcases/network/sctp/sctp_big_chunk.c
> +++ b/testcases/network/sctp/sctp_big_chunk.c
> @@ -34,6 +34,24 @@ static int addr_num = 3273;
> static void setup_server(void)
> {
> + const char *const cmd_modprobe[] = {"modprobe", "sctp", NULL};
> + const char hmac_algo_path[] = "/proc/sys/net/sctp/cookie_hmac_alg";
> + char hmac_algo[CHAR_MAX];
> + int hmac_algo_changed = 0;
> +
> + /* Disable md5 if fips is enabled. Set it to none */
> + if (tst_fips_enabled()) {
> + if (access(hmac_algo_path, F_OK) < 0) {
> + SAFE_CMD(cmd_modprobe, NULL, NULL);
> + }
> +
> + if (!access(hmac_algo_path, F_OK)) {
> + SAFE_FILE_SCANF(hmac_algo_path, "%s", hmac_algo);
> + SAFE_FILE_PRINTF(hmac_algo_path, "%s", "none");
> + hmac_algo_changed = 1;
> + }
> + }
> +
> loc.sin6_family = AF_INET6;
> loc.sin6_addr = in6addr_loopback;
> @@ -46,6 +64,9 @@ static void setup_server(void)
> SAFE_LISTEN(sfd, 1);
> srand(port);
> +
> + if (hmac_algo_changed)
> + SAFE_FILE_PRINTF(hmac_algo_path, "%s", hmac_algo);
> }
> static void update_packet_field(size_t *off, void *buf, size_t buf_len)
* Re: [LTP] [PATCH v2] sctp_big_chunk: Do not use md5 hmac algo if fips is enabled
2023-06-27 11:09 ` Petr Vorel
@ 2023-06-27 11:20 ` Petr Vorel
0 siblings, 0 replies; 6+ messages in thread
From: Petr Vorel @ 2023-06-27 11:20 UTC (permalink / raw)
To: Ashwin Dayanand Kamat, ltp, akaher, tkundu, vsirnapalli, Cyril Hrubis
> Hi,
> > MD5 is not FIPS compliant. But still md5 is used as the default algorithm for sctp
> > even when fips is enabled. Due to this, sctp_big_chunk testcase is failing because listen()
> > system call in setup_server() is failing in fips environment.
> > Fix is to not use md5 algorithm while setting up server, instead set it to none
> > Signed-Off by: Ashwin Dayanand Kamat <kashwindayan@vmware.com>
> > ----
> > v2:
> > As per the review comments given by Petr, did below changes in v2,
> > * Moved the logic to sctp_server() function
> > * Setting none as the default algo
> > * make sure cookie_hmac_alg file is present before accessing it
> BTW I suggested modprobe, because I'm not aware of other way to trigger it.
> But maybe creating SCTP socket would trigger it, e.g.
> socket(PF_INET, SOCK_STREAM, IPPROTO_SCTP);
Yes, this simple socket call loads sctp module. Could we use something like
this:
int fd;
fd = SAFE_SOCKET(PF_INET, SOCK_STREAM, IPPROTO_SCTP);
SAFE_CLOSE(fd);
to make sure sctp is loaded instead of directly calling modprobe?
I'm sorry I didn't find this before.
Kind regards,
Petr
> If yes, IMHO it'd be more elegant solution and (likely) we would not depend on
> modprobe.
> Kind regards,
> Petr
> > ---
> > testcases/network/sctp/sctp_big_chunk.c | 21 +++++++++++++++++++++
> > 1 file changed, 21 insertions(+)
> > diff --git a/testcases/network/sctp/sctp_big_chunk.c b/testcases/network/sctp/sctp_big_chunk.c
> > index a6a326ea2..31786dd39 100644
> > --- a/testcases/network/sctp/sctp_big_chunk.c
> > +++ b/testcases/network/sctp/sctp_big_chunk.c
> > @@ -34,6 +34,24 @@ static int addr_num = 3273;
> > static void setup_server(void)
> > {
> > + const char *const cmd_modprobe[] = {"modprobe", "sctp", NULL};
> > + const char hmac_algo_path[] = "/proc/sys/net/sctp/cookie_hmac_alg";
> > + char hmac_algo[CHAR_MAX];
> > + int hmac_algo_changed = 0;
> > +
> > + /* Disable md5 if fips is enabled. Set it to none */
> > + if (tst_fips_enabled()) {
> > + if (access(hmac_algo_path, F_OK) < 0) {
> > + SAFE_CMD(cmd_modprobe, NULL, NULL);
> > + }
> > +
> > + if (!access(hmac_algo_path, F_OK)) {
> > + SAFE_FILE_SCANF(hmac_algo_path, "%s", hmac_algo);
> > + SAFE_FILE_PRINTF(hmac_algo_path, "%s", "none");
> > + hmac_algo_changed = 1;
> > + }
> > + }
> > +
> > loc.sin6_family = AF_INET6;
> > loc.sin6_addr = in6addr_loopback;
> > @@ -46,6 +64,9 @@ static void setup_server(void)
> > SAFE_LISTEN(sfd, 1);
> > srand(port);
> > +
> > + if (hmac_algo_changed)
> > + SAFE_FILE_PRINTF(hmac_algo_path, "%s", hmac_algo);
> > }
> > static void update_packet_field(size_t *off, void *buf, size_t buf_len)
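As an added illustration of what the two posts above suggest (this is not LTP code and not the patch itself): trigger the sctp module load with a plain socket() instead of modprobe, read and override /proc/sys/net/sctp/cookie_hmac_alg, and register the restore before the change so it also runs when the program exits early. Plain libc stdio stands in for the SAFE_* helpers, the FIPS check reads /proc/sys/crypto/fips_enabled directly, and the 32-byte value buffer is an assumption sized for the short strings this sysctl holds.

```c
/* Added example (not LTP code): sctp autoload via socket(), sysctl override with restore. */
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#define COOKIE_HMAC_ALG "/proc/sys/net/sctp/cookie_hmac_alg"
#define FIPS_FLAG "/proc/sys/crypto/fips_enabled"
#define VAL_LEN 32 /* values here are short: "md5", "sha1", "none" */
/* Read a short sysctl string; NUL-terminated, trailing newline stripped. */
static int read_sysctl(const char *path, char *buf, size_t len)
{
	FILE *f = fopen(path, "r");
	int ok = f && fgets(buf, (int)len, f);
	if (f) fclose(f);
	if (!ok) return -1;
	buf[strcspn(buf, "\n")] = '\0';
	return 0;
}
/* Write one value followed by a newline, as sysctl expects; 0 on success. */
static int write_sysctl(const char *path, const char *val)
{
	FILE *f = fopen(path, "w");
	if (!f) return -1;
	int ok = fprintf(f, "%s\n", val) > 0;
	return (fclose(f) == 0 && ok) ? 0 : -1;
}
static int sctp_sysctl_present(const char *path)
{
	/* An SCTP socket makes the kernel autoload the module (the thread's suggestion). */
	int fd = socket(PF_INET, SOCK_STREAM, IPPROTO_SCTP);
	if (fd >= 0) close(fd);
	return access(path, F_OK) == 0;
}
static char g_saved[VAL_LEN];
static int g_changed;
static void restore_alg(void) { if (g_changed) write_sysctl(COOKIE_HMAC_ALG, g_saved); }
int main(void)
{
	char fips[4];
	if (read_sysctl(FIPS_FLAG, fips, sizeof fips) < 0 || fips[0] != '1')
		return 0; /* not a FIPS system: the md5 default is usable */
	if (!sctp_sysctl_present(COOKIE_HMAC_ALG)) return 1;
	atexit(restore_alg); /* registered before the change: any exit() path restores */
	if (read_sysctl(COOKIE_HMAC_ALG, g_saved, sizeof g_saved) == 0 &&
	    write_sysctl(COOKIE_HMAC_ALG, "none") == 0)
		g_changed = 1;
	return 0; /* server setup and listen() would go here */
}
```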
* Re: [LTP] [PATCH v2] sctp_big_chunk: Do not use md5 hmac algo if fips is enabled
2023-06-22 14:50 [LTP] [PATCH v2] sctp_big_chunk: Do not use md5 hmac algo if fips is enabled Ashwin Dayanand Kamat via ltp
2023-06-27 11:04 ` Petr Vorel
2023-06-27 11:09 ` Petr Vorel
@ 2023-06-27 12:58 ` Petr Vorel
2023-06-28 6:05 ` Ashwin Dayanand Kamat via ltp
2 siblings, 1 reply; 6+ messages in thread
From: Petr Vorel @ 2023-06-27 12:58 UTC (permalink / raw)
To: Ashwin Dayanand Kamat; +Cc: tkundu, akaher, vsirnapalli, ltp
Hi Ashwin,
Tested-by: Petr Vorel <pvorel@suse.cz>
LGTM, but as I wrote, I'd prefer to load with SAFE_SOCKET().
Will you please send v3?
Kind regards,
Petr
* Re: [LTP] [PATCH v2] sctp_big_chunk: Do not use md5 hmac algo if fips is enabled
2023-06-27 12:58 ` Petr Vorel
@ 2023-06-28 6:05 ` Ashwin Dayanand Kamat via ltp
0 siblings, 0 replies; 6+ messages in thread
From: Ashwin Dayanand Kamat via ltp @ 2023-06-28 6:05 UTC (permalink / raw)
To: Petr Vorel; +Cc: Tapas Kundu, Ajay Kaher, Vasavi Sirnapalli, ltp
> On 27-Jun-2023, at 6:28 PM, Petr Vorel <pvorel@suse.cz> wrote:
>
> Hi Ashwin,
>
> Tested-by: Petr Vorel <pvorel@suse.cz>
>
> LGTM, but as I wrote, I'd prefer to load with SAFE_SOCKET().
> Will you please send v3?
>
Hi Petr,
Thanks for your inputs. I have sent the v3 patch and have made changes as suggested by you.
Thanks,
Ashwin
> Kind regards,
> Petr