ltp.lists.linux.it archive mirror
 help / color / mirror / Atom feed
* [LTP] [PATCH v2] sctp_big_chunk: Do not use md5 hmac algo if fips is enabled
@ 2023-06-22 14:50 Ashwin Dayanand Kamat via ltp
  2023-06-27 11:04 ` Petr Vorel
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Ashwin Dayanand Kamat via ltp @ 2023-06-22 14:50 UTC (permalink / raw)
  To: ltp, kashwindayan, akaher, tkundu, vsirnapalli, pvorel

MD5 is not FIPS compliant. But still md5 is used as the default algorithm for sctp
even when fips is enabled. Due to this, sctp_big_chunk testcase is failing because listen()
system call in setup_server() is failing in fips environment.

Fix is to not use md5 algorithm while setting up server, instead set it to none

Signed-Off by: Ashwin Dayanand Kamat <kashwindayan@vmware.com>
----
v2:
As per the review comments given by Petr, did below changes in v2,
        * Moved the logic to sctp_server() function
        * Setting none as the default algo
        * make sure cookie_hmac_alg file is present before accessing it
---
 testcases/network/sctp/sctp_big_chunk.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/testcases/network/sctp/sctp_big_chunk.c b/testcases/network/sctp/sctp_big_chunk.c
index a6a326ea2..31786dd39 100644
--- a/testcases/network/sctp/sctp_big_chunk.c
+++ b/testcases/network/sctp/sctp_big_chunk.c
@@ -34,6 +34,24 @@ static int addr_num = 3273;
 
 static void setup_server(void)
 {
+	const char *const cmd_modprobe[] = {"modprobe", "sctp", NULL};
+	const char hmac_algo_path[] = "/proc/sys/net/sctp/cookie_hmac_alg";
+	char hmac_algo[CHAR_MAX];
+	int hmac_algo_changed = 0;
+
+	/* Disable md5 if fips is enabled. Set it to none */
+	if (tst_fips_enabled()) {
+		if (access(hmac_algo_path, F_OK) < 0) {
+			SAFE_CMD(cmd_modprobe, NULL, NULL);
+		}
+
+		if (!access(hmac_algo_path, F_OK)) {
+			SAFE_FILE_SCANF(hmac_algo_path, "%s", hmac_algo);
+			SAFE_FILE_PRINTF(hmac_algo_path, "%s", "none");
+			hmac_algo_changed = 1;
+		}
+	}
+
 	loc.sin6_family = AF_INET6;
 	loc.sin6_addr = in6addr_loopback;
 
@@ -46,6 +64,9 @@ static void setup_server(void)
 	SAFE_LISTEN(sfd, 1);
 
 	srand(port);
+
+	if (hmac_algo_changed)
+		SAFE_FILE_PRINTF(hmac_algo_path, "%s", hmac_algo);
 }
 
 static void update_packet_field(size_t *off, void *buf, size_t buf_len)
-- 
2.39.0


-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

^ permalink raw reply related	[flat|nested] 6+ messages in thread
* Re: [LTP] [PATCH v2] sctp_big_chunk: Do not use md5 hmac algo if fips is enabled
  2023-06-22 14:50 [LTP] [PATCH v2] sctp_big_chunk: Do not use md5 hmac algo if fips is enabled Ashwin Dayanand Kamat via ltp
@ 2023-06-27 11:04 ` Petr Vorel
  2023-06-27 11:09 ` Petr Vorel
  2023-06-27 12:58 ` Petr Vorel
  2 siblings, 0 replies; 6+ messages in thread
From: Petr Vorel @ 2023-06-27 11:04 UTC (permalink / raw)
  To: Ashwin Dayanand Kamat; +Cc: tkundu, akaher, vsirnapalli, ltp

Hi Ashwin,

LGTM now.

Reviewed-by: Petr Vorel <pvorel@suse.cz>

Kind regards,
Petr

-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: [LTP] [PATCH v2] sctp_big_chunk: Do not use md5 hmac algo if fips is enabled
  2023-06-22 14:50 [LTP] [PATCH v2] sctp_big_chunk: Do not use md5 hmac algo if fips is enabled Ashwin Dayanand Kamat via ltp
  2023-06-27 11:04 ` Petr Vorel
@ 2023-06-27 11:09 ` Petr Vorel
  2023-06-27 11:20   ` Petr Vorel
  2023-06-27 12:58 ` Petr Vorel
  2 siblings, 1 reply; 6+ messages in thread
From: Petr Vorel @ 2023-06-27 11:09 UTC (permalink / raw)
  To: Ashwin Dayanand Kamat; +Cc: tkundu, akaher, vsirnapalli, ltp

Hi,

> MD5 is not FIPS compliant. But still md5 is used as the default algorithm for sctp
> even when fips is enabled. Due to this, sctp_big_chunk testcase is failing because listen()
> system call in setup_server() is failing in fips environment.

> Fix is to not use md5 algorithm while setting up server, instead set it to none

> Signed-Off by: Ashwin Dayanand Kamat <kashwindayan@vmware.com>
> ----
> v2:
> As per the review comments given by Petr, did below changes in v2,
>         * Moved the logic to sctp_server() function
>         * Setting none as the default algo
>         * make sure cookie_hmac_alg file is present before accessing it
BTW I suggested modprobe, because I'm not aware of other way to trigger it.
But maybe creating SCTP socket would trigger it, e.g.
socket(PF_INET, SOCK_STREAM, IPPROTO_SCTP);

If yes, IMHO it'd be more elegant solution and (likely) we would not depend on
modprobe.

Kind regards,
Petr

> ---
>  testcases/network/sctp/sctp_big_chunk.c | 21 +++++++++++++++++++++
>  1 file changed, 21 insertions(+)

> diff --git a/testcases/network/sctp/sctp_big_chunk.c b/testcases/network/sctp/sctp_big_chunk.c
> index a6a326ea2..31786dd39 100644
> --- a/testcases/network/sctp/sctp_big_chunk.c
> +++ b/testcases/network/sctp/sctp_big_chunk.c
> @@ -34,6 +34,24 @@ static int addr_num = 3273;

>  static void setup_server(void)
>  {
> +	const char *const cmd_modprobe[] = {"modprobe", "sctp", NULL};
> +	const char hmac_algo_path[] = "/proc/sys/net/sctp/cookie_hmac_alg";
> +	char hmac_algo[CHAR_MAX];
> +	int hmac_algo_changed = 0;
> +
> +	/* Disable md5 if fips is enabled. Set it to none */
> +	if (tst_fips_enabled()) {
> +		if (access(hmac_algo_path, F_OK) < 0) {
> +			SAFE_CMD(cmd_modprobe, NULL, NULL);
> +		}
> +
> +		if (!access(hmac_algo_path, F_OK)) {
> +			SAFE_FILE_SCANF(hmac_algo_path, "%s", hmac_algo);
> +			SAFE_FILE_PRINTF(hmac_algo_path, "%s", "none");
> +			hmac_algo_changed = 1;
> +		}
> +	}
> +
>  	loc.sin6_family = AF_INET6;
>  	loc.sin6_addr = in6addr_loopback;

> @@ -46,6 +64,9 @@ static void setup_server(void)
>  	SAFE_LISTEN(sfd, 1);

>  	srand(port);
> +
> +	if (hmac_algo_changed)
> +		SAFE_FILE_PRINTF(hmac_algo_path, "%s", hmac_algo);
>  }

>  static void update_packet_field(size_t *off, void *buf, size_t buf_len)

-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: [LTP] [PATCH v2] sctp_big_chunk: Do not use md5 hmac algo if fips is enabled
  2023-06-27 11:09 ` Petr Vorel
@ 2023-06-27 11:20   ` Petr Vorel
  0 siblings, 0 replies; 6+ messages in thread
From: Petr Vorel @ 2023-06-27 11:20 UTC (permalink / raw)
  To: Ashwin Dayanand Kamat, ltp, akaher, tkundu, vsirnapalli, Cyril Hrubis

> Hi,

> > MD5 is not FIPS compliant. But still md5 is used as the default algorithm for sctp
> > even when fips is enabled. Due to this, sctp_big_chunk testcase is failing because listen()
> > system call in setup_server() is failing in fips environment.

> > Fix is to not use md5 algorithm while setting up server, instead set it to none

> > Signed-Off by: Ashwin Dayanand Kamat <kashwindayan@vmware.com>
> > ----
> > v2:
> > As per the review comments given by Petr, did below changes in v2,
> >         * Moved the logic to sctp_server() function
> >         * Setting none as the default algo
> >         * make sure cookie_hmac_alg file is present before accessing it
> BTW I suggested modprobe, because I'm not aware of other way to trigger it.
> But maybe creating SCTP socket would trigger it, e.g.
> socket(PF_INET, SOCK_STREAM, IPPROTO_SCTP);

Yes, this simple socket call loads sctp module. Could we use something like
this:

	int fd;

	fd = SAFE_SOCKET(PF_INET, SOCK_STREAM, IPPROTO_SCTP);
	SAFE_CLOSE(fd);

to make sure sctp is loaded instead of directly calling modprobe?

I'm sorry I didn't find this before.

Kind regards,
Petr

> If yes, IMHO it'd be more elegant solution and (likely) we would not depend on
> modprobe.

> Kind regards,
> Petr

> > ---
> >  testcases/network/sctp/sctp_big_chunk.c | 21 +++++++++++++++++++++
> >  1 file changed, 21 insertions(+)

> > diff --git a/testcases/network/sctp/sctp_big_chunk.c b/testcases/network/sctp/sctp_big_chunk.c
> > index a6a326ea2..31786dd39 100644
> > --- a/testcases/network/sctp/sctp_big_chunk.c
> > +++ b/testcases/network/sctp/sctp_big_chunk.c
> > @@ -34,6 +34,24 @@ static int addr_num = 3273;

> >  static void setup_server(void)
> >  {
> > +	const char *const cmd_modprobe[] = {"modprobe", "sctp", NULL};
> > +	const char hmac_algo_path[] = "/proc/sys/net/sctp/cookie_hmac_alg";
> > +	char hmac_algo[CHAR_MAX];
> > +	int hmac_algo_changed = 0;
> > +
> > +	/* Disable md5 if fips is enabled. Set it to none */
> > +	if (tst_fips_enabled()) {
> > +		if (access(hmac_algo_path, F_OK) < 0) {
> > +			SAFE_CMD(cmd_modprobe, NULL, NULL);
> > +		}
> > +
> > +		if (!access(hmac_algo_path, F_OK)) {
> > +			SAFE_FILE_SCANF(hmac_algo_path, "%s", hmac_algo);
> > +			SAFE_FILE_PRINTF(hmac_algo_path, "%s", "none");
> > +			hmac_algo_changed = 1;
> > +		}
> > +	}
> > +
> >  	loc.sin6_family = AF_INET6;
> >  	loc.sin6_addr = in6addr_loopback;

> > @@ -46,6 +64,9 @@ static void setup_server(void)
> >  	SAFE_LISTEN(sfd, 1);

> >  	srand(port);
> > +
> > +	if (hmac_algo_changed)
> > +		SAFE_FILE_PRINTF(hmac_algo_path, "%s", hmac_algo);
> >  }

> >  static void update_packet_field(size_t *off, void *buf, size_t buf_len)

-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: [LTP] [PATCH v2] sctp_big_chunk: Do not use md5 hmac algo if fips is enabled
  2023-06-22 14:50 [LTP] [PATCH v2] sctp_big_chunk: Do not use md5 hmac algo if fips is enabled Ashwin Dayanand Kamat via ltp
  2023-06-27 11:04 ` Petr Vorel
  2023-06-27 11:09 ` Petr Vorel
@ 2023-06-27 12:58 ` Petr Vorel
  2023-06-28  6:05   ` Ashwin Dayanand Kamat via ltp
  2 siblings, 1 reply; 6+ messages in thread
From: Petr Vorel @ 2023-06-27 12:58 UTC (permalink / raw)
  To: Ashwin Dayanand Kamat; +Cc: tkundu, akaher, vsirnapalli, ltp

Hi Ashwin,

Tested-by: Petr Vorel <pvorel@suse.cz>

LGTM, but as I wrote, I'd prefer so load with SAFE_SOCKET().
Will you please send v3?

Kind regards,
Petr

-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: [LTP] [PATCH v2] sctp_big_chunk: Do not use md5 hmac algo if fips is enabled
  2023-06-27 12:58 ` Petr Vorel
@ 2023-06-28  6:05   ` Ashwin Dayanand Kamat via ltp
  0 siblings, 0 replies; 6+ messages in thread
From: Ashwin Dayanand Kamat via ltp @ 2023-06-28  6:05 UTC (permalink / raw)
  To: Petr Vorel; +Cc: Tapas Kundu, Ajay Kaher, Vasavi Sirnapalli, ltp



> On 27-Jun-2023, at 6:28 PM, Petr Vorel <pvorel@suse.cz> wrote:
> 
> !! External Email
> 
> Hi Ashwin,
> 
> Tested-by: Petr Vorel <pvorel@suse.cz>
> 
> LGTM, but as I wrote, I'd prefer so load with SAFE_SOCKET().
> Will you please send v3?
> 
Hi Petr,
Thanks for your inputs. I have sent the v3 patch and have made changes as suggested by you.

Thanks,
Ashwin
> Kind regards,
> Petr
> 
> !! External Email: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender.


-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

^ permalink raw reply	[flat|nested] 6+ messages in thread
end of thread, other threads:[~2023-06-28  6:06 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-06-22 14:50 [LTP] [PATCH v2] sctp_big_chunk: Do not use md5 hmac algo if fips is enabled Ashwin Dayanand Kamat via ltp
2023-06-27 11:04 ` Petr Vorel
2023-06-27 11:09 ` Petr Vorel
2023-06-27 11:20   ` Petr Vorel
2023-06-27 12:58 ` Petr Vorel
2023-06-28  6:05   ` Ashwin Dayanand Kamat via ltp

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).