[PATCH net 0/3] Check if FIPS mode is enabled when running selftests

[PATCH net 0/3] Check if FIPS mode is enabled when running selftests

[Magali Lemes]

Some test cases from net/tls, net/fcnal-test and net/vrf-xfrm-tests
that rely on cryptographic functions to work and use non-compliant FIPS
algorithms fail in FIPS mode.

In order to allow these tests to pass in a wider set of kernels,
 - for net/tls, skip the test variants that use the ChaCha20-Poly1305
and SM4 algorithms, when FIPS mode is enabled;
 - for net/fcnal-test, skip the MD5 tests, when FIPS mode is enabled;
 - for net/vrf-xfrm-tests, replace the algorithms that are not
FIPS-compliant with compliant ones.

Magali Lemes (3):
  selftests: net: tls: check if FIPS mode is enabled
  selftests: net: vrf-xfrm-tests: change authentication and encryption
    algos
  selftests: net: fcnal-test: check if FIPS mode is enabled

 tools/testing/selftests/net/fcnal-test.sh     |  27 +-
 tools/testing/selftests/net/tls.c             | 265 +++++++++++++++++-
 tools/testing/selftests/net/vrf-xfrm-tests.sh |  32 +--
 3 files changed, 298 insertions(+), 26 deletions(-)

-- 
2.34.1

[PATCH net 1/3] selftests: net: tls: check if FIPS mode is enabled

[Magali Lemes]

TLS selftests use the ChaCha20-Poly1305 and SM4 algorithms, which are not
FIPS compliant. When fips=1, this set of tests fails. Add a check and only
run these tests if not in FIPS mode.

Fixes: 4f336e88a870 ("selftests/tls: add CHACHA20-POLY1305 to tls selftests")
Fixes: e506342a03c7 ("selftests/tls: add SM4 GCM/CCM to tls selftests")
Signed-off-by: Magali Lemes <magali.lemes@canonical.com>
---
 tools/testing/selftests/net/tls.c | 265 +++++++++++++++++++++++++++++-
 1 file changed, 263 insertions(+), 2 deletions(-)

diff --git a/tools/testing/selftests/net/tls.c b/tools/testing/selftests/net/tls.c
index e699548d4247..44cb145a32fd 100644
--- a/tools/testing/selftests/net/tls.c
+++ b/tools/testing/selftests/net/tls.c
@@ -227,7 +227,7 @@ TEST_F(tls_basic, base_base)
 
 FIXTURE(tls)
 {
-	int fd, cfd;
+	int fd, cfd, fips_enabled;
 	bool notls;
 };
 
@@ -309,7 +309,22 @@ FIXTURE_SETUP(tls)
 {
 	struct tls_crypto_info_keys tls12;
 	int one = 1;
-	int ret;
+	int ret, res;
+	FILE *f;
+
+	self->fips_enabled = 0;
+	f = fopen("/proc/sys/crypto/fips_enabled", "r");
+	if (f) {
+		res = fscanf(f, "%d", &self->fips_enabled);
+		if (res != 1)
+			ksft_print_msg("ERROR: Couldn't read /proc/sys/crypto/fips_enabled\n");
+		fclose(f);
+	}
+
+	if (self->fips_enabled && (variant->cipher_type ==
+	    TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type ==
+	    TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM))
+		return;
 
 	tls_crypto_info_init(variant->tls_version, variant->cipher_type,
 			     &tls12);
@@ -343,6 +358,11 @@ TEST_F(tls, sendfile)
 	int filefd = open("/proc/self/exe", O_RDONLY);
 	struct stat st;
 
+	if (self->fips_enabled && (variant->cipher_type ==
+	    TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type ==
+	    TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM))
+		SKIP(return, "Unsupported cipher in FIPS mode");
+
 	EXPECT_GE(filefd, 0);
 	fstat(filefd, &st);
 	EXPECT_GE(sendfile(self->fd, filefd, 0, st.st_size), 0);
@@ -357,6 +377,11 @@ TEST_F(tls, send_then_sendfile)
 	struct stat st;
 	char *buf;
 
+	if (self->fips_enabled && (variant->cipher_type ==
+	    TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type ==
+	    TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM))
+		SKIP(return, "Unsupported cipher in FIPS mode");
+
 	EXPECT_GE(filefd, 0);
 	fstat(filefd, &st);
 	buf = (char *)malloc(st.st_size);
@@ -406,6 +431,12 @@ static void chunked_sendfile(struct __test_metadata *_metadata,
 
 TEST_F(tls, multi_chunk_sendfile)
 {
+
+	if (self->fips_enabled && (variant->cipher_type ==
+	    TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type ==
+	    TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM))
+		SKIP(return, "Unsupported cipher in FIPS mode");
+
 	chunked_sendfile(_metadata, self, 4096, 4096);
 	chunked_sendfile(_metadata, self, 4096, 0);
 	chunked_sendfile(_metadata, self, 4096, 1);
@@ -433,6 +464,11 @@ TEST_F(tls, recv_max)
 	char recv_mem[TLS_PAYLOAD_MAX_LEN];
 	char buf[TLS_PAYLOAD_MAX_LEN];
 
+	if (self->fips_enabled && (variant->cipher_type ==
+	    TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type ==
+	    TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM))
+		SKIP(return, "Unsupported cipher in FIPS mode");
+
 	memrnd(buf, sizeof(buf));
 
 	EXPECT_GE(send(self->fd, buf, send_len, 0), 0);
@@ -446,6 +482,11 @@ TEST_F(tls, recv_small)
 	int send_len = 10;
 	char buf[10];
 
+	if (self->fips_enabled && (variant->cipher_type ==
+	    TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type ==
+	    TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM))
+		SKIP(return, "Unsupported cipher in FIPS mode");
+
 	send_len = strlen(test_str) + 1;
 	EXPECT_EQ(send(self->fd, test_str, send_len, 0), send_len);
 	EXPECT_NE(recv(self->cfd, buf, send_len, 0), -1);
@@ -458,6 +499,11 @@ TEST_F(tls, msg_more)
 	int send_len = 10;
 	char buf[10 * 2];
 
+	if (self->fips_enabled && (variant->cipher_type ==
+	    TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type ==
+	    TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM))
+		SKIP(return, "Unsupported cipher in FIPS mode");
+
 	EXPECT_EQ(send(self->fd, test_str, send_len, MSG_MORE), send_len);
 	EXPECT_EQ(recv(self->cfd, buf, send_len, MSG_DONTWAIT), -1);
 	EXPECT_EQ(send(self->fd, test_str, send_len, 0), send_len);
@@ -472,6 +518,11 @@ TEST_F(tls, msg_more_unsent)
 	int send_len = 10;
 	char buf[10];
 
+	if (self->fips_enabled && (variant->cipher_type ==
+	    TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type ==
+	    TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM))
+		SKIP(return, "Unsupported cipher in FIPS mode");
+
 	EXPECT_EQ(send(self->fd, test_str, send_len, MSG_MORE), send_len);
 	EXPECT_EQ(recv(self->cfd, buf, send_len, MSG_DONTWAIT), -1);
 }
@@ -485,6 +536,11 @@ TEST_F(tls, sendmsg_single)
 	struct iovec vec;
 	char buf[13];
 
+	if (self->fips_enabled && (variant->cipher_type ==
+	    TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type ==
+	    TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM))
+		SKIP(return, "Unsupported cipher in FIPS mode");
+
 	vec.iov_base = (char *)test_str;
 	vec.iov_len = send_len;
 	memset(&msg, 0, sizeof(struct msghdr));
@@ -505,6 +561,11 @@ TEST_F(tls, sendmsg_fragmented)
 	struct msghdr msg;
 	int i, frags;
 
+	if (self->fips_enabled && (variant->cipher_type ==
+	    TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type ==
+	    TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM))
+		SKIP(return, "Unsupported cipher in FIPS mode");
+
 	for (frags = 1; frags <= MAX_FRAGS; frags++) {
 		for (i = 0; i < frags; i++) {
 			vec[i].iov_base = (char *)test_str;
@@ -536,6 +597,11 @@ TEST_F(tls, sendmsg_large)
 	size_t recvs = 0;
 	size_t sent = 0;
 
+	if (self->fips_enabled && (variant->cipher_type ==
+	    TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type ==
+	    TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM))
+		SKIP(return, "Unsupported cipher in FIPS mode");
+
 	memset(&msg, 0, sizeof(struct msghdr));
 	while (sent++ < sends) {
 		struct iovec vec = { (void *)mem, send_len };
@@ -564,6 +630,11 @@ TEST_F(tls, sendmsg_multiple)
 	char *buf;
 	int i;
 
+	if (self->fips_enabled && (variant->cipher_type ==
+	    TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type ==
+	    TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM))
+		SKIP(return, "Unsupported cipher in FIPS mode");
+
 	memset(&msg, 0, sizeof(struct msghdr));
 	for (i = 0; i < iov_len; i++) {
 		test_strs[i] = (char *)malloc(strlen(test_str) + 1);
@@ -601,6 +672,11 @@ TEST_F(tls, sendmsg_multiple_stress)
 	int len_cmp = 0;
 	int i;
 
+	if (self->fips_enabled && (variant->cipher_type ==
+	    TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type ==
+	    TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM))
+		SKIP(return, "Unsupported cipher in FIPS mode");
+
 	memset(&msg, 0, sizeof(struct msghdr));
 	for (i = 0; i < iov_len; i++) {
 		test_strs[i] = (char *)malloc(strlen(test_str) + 1);
@@ -629,6 +705,11 @@ TEST_F(tls, splice_from_pipe)
 	char mem_recv[TLS_PAYLOAD_MAX_LEN];
 	int p[2];
 
+	if (self->fips_enabled && (variant->cipher_type ==
+	    TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type ==
+	    TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM))
+		SKIP(return, "Unsupported cipher in FIPS mode");
+
 	ASSERT_GE(pipe(p), 0);
 	EXPECT_GE(write(p[1], mem_send, send_len), 0);
 	EXPECT_GE(splice(p[0], NULL, self->fd, NULL, send_len, 0), 0);
@@ -644,6 +725,11 @@ TEST_F(tls, splice_from_pipe2)
 	int p2[2];
 	int p[2];
 
+	if (self->fips_enabled && (variant->cipher_type ==
+	    TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type ==
+	    TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM))
+		SKIP(return, "Unsupported cipher in FIPS mode");
+
 	memrnd(mem_send, sizeof(mem_send));
 
 	ASSERT_GE(pipe(p), 0);
@@ -666,6 +752,11 @@ TEST_F(tls, send_and_splice)
 	char buf[10];
 	int p[2];
 
+	if (self->fips_enabled && (variant->cipher_type ==
+	    TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type ==
+	    TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM))
+		SKIP(return, "Unsupported cipher in FIPS mode");
+
 	ASSERT_GE(pipe(p), 0);
 	EXPECT_EQ(send(self->fd, test_str, send_len2, 0), send_len2);
 	EXPECT_EQ(recv(self->cfd, buf, send_len2, MSG_WAITALL), send_len2);
@@ -685,6 +776,11 @@ TEST_F(tls, splice_to_pipe)
 	char mem_recv[TLS_PAYLOAD_MAX_LEN];
 	int p[2];
 
+	if (self->fips_enabled && (variant->cipher_type ==
+	    TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type ==
+	    TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM))
+		SKIP(return, "Unsupported cipher in FIPS mode");
+
 	memrnd(mem_send, sizeof(mem_send));
 
 	ASSERT_GE(pipe(p), 0);
@@ -705,6 +801,11 @@ TEST_F(tls, splice_cmsg_to_pipe)
 	if (self->notls)
 		SKIP(return, "no TLS support");
 
+	if (self->fips_enabled && (variant->cipher_type ==
+	    TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type ==
+	    TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM))
+		SKIP(return, "Unsupported cipher in FIPS mode");
+
 	ASSERT_GE(pipe(p), 0);
 	EXPECT_EQ(tls_send_cmsg(self->fd, 100, test_str, send_len, 0), 10);
 	EXPECT_EQ(splice(self->cfd, NULL, p[1], NULL, send_len, 0), -1);
@@ -728,6 +829,11 @@ TEST_F(tls, splice_dec_cmsg_to_pipe)
 	if (self->notls)
 		SKIP(return, "no TLS support");
 
+	if (self->fips_enabled && (variant->cipher_type ==
+	    TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type ==
+	    TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM))
+		SKIP(return, "Unsupported cipher in FIPS mode");
+
 	ASSERT_GE(pipe(p), 0);
 	EXPECT_EQ(tls_send_cmsg(self->fd, 100, test_str, send_len, 0), 10);
 	EXPECT_EQ(recv(self->cfd, buf, send_len, 0), -1);
@@ -748,6 +854,11 @@ TEST_F(tls, recv_and_splice)
 	int half = send_len / 2;
 	int p[2];
 
+	if (self->fips_enabled && (variant->cipher_type ==
+	    TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type ==
+	    TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM))
+		SKIP(return, "Unsupported cipher in FIPS mode");
+
 	ASSERT_GE(pipe(p), 0);
 	EXPECT_EQ(send(self->fd, mem_send, send_len, 0), send_len);
 	/* Recv hald of the record, splice the other half */
@@ -766,6 +877,11 @@ TEST_F(tls, peek_and_splice)
 	int chunk = TLS_PAYLOAD_MAX_LEN / 4;
 	int n, i, p[2];
 
+	if (self->fips_enabled && (variant->cipher_type ==
+	    TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type ==
+	    TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM))
+		SKIP(return, "Unsupported cipher in FIPS mode");
+
 	memrnd(mem_send, sizeof(mem_send));
 
 	ASSERT_GE(pipe(p), 0);
@@ -797,6 +913,11 @@ TEST_F(tls, recvmsg_single)
 	struct msghdr hdr;
 	struct iovec vec;
 
+	if (self->fips_enabled && (variant->cipher_type ==
+	    TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type ==
+	    TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM))
+		SKIP(return, "Unsupported cipher in FIPS mode");
+
 	memset(&hdr, 0, sizeof(hdr));
 	EXPECT_EQ(send(self->fd, test_str, send_len, 0), send_len);
 	vec.iov_base = (char *)buf;
@@ -815,6 +936,11 @@ TEST_F(tls, recvmsg_single_max)
 	struct iovec vec;
 	struct msghdr hdr;
 
+	if (self->fips_enabled && (variant->cipher_type ==
+	    TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type ==
+	    TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM))
+		SKIP(return, "Unsupported cipher in FIPS mode");
+
 	memrnd(send_mem, sizeof(send_mem));
 
 	EXPECT_EQ(send(self->fd, send_mem, send_len, 0), send_len);
@@ -840,6 +966,11 @@ TEST_F(tls, recvmsg_multiple)
 
 	memrnd(buf, sizeof(buf));
 
+	if (self->fips_enabled && (variant->cipher_type ==
+	    TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type ==
+	    TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM))
+		SKIP(return, "Unsupported cipher in FIPS mode");
+
 	EXPECT_EQ(send(self->fd, buf, send_len, 0), send_len);
 	for (i = 0; i < msg_iovlen; i++) {
 		iov_base[i] = (char *)malloc(iov_len);
@@ -862,6 +993,11 @@ TEST_F(tls, single_send_multiple_recv)
 	char send_mem[TLS_PAYLOAD_MAX_LEN * 2];
 	char recv_mem[TLS_PAYLOAD_MAX_LEN * 2];
 
+	if (self->fips_enabled && (variant->cipher_type ==
+	    TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type ==
+	    TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM))
+		SKIP(return, "Unsupported cipher in FIPS mode");
+
 	memrnd(send_mem, sizeof(send_mem));
 
 	EXPECT_GE(send(self->fd, send_mem, total_len, 0), 0);
@@ -879,6 +1015,11 @@ TEST_F(tls, multiple_send_single_recv)
 	char recv_mem[2 * 10];
 	char send_mem[10];
 
+	if (self->fips_enabled && (variant->cipher_type ==
+	    TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type ==
+	    TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM))
+		SKIP(return, "Unsupported cipher in FIPS mode");
+
 	memrnd(send_mem, sizeof(send_mem));
 
 	EXPECT_GE(send(self->fd, send_mem, send_len, 0), 0);
@@ -897,6 +1038,11 @@ TEST_F(tls, single_send_multiple_recv_non_align)
 	char recv_mem[recv_len * 2];
 	char send_mem[total_len];
 
+	if (self->fips_enabled && (variant->cipher_type ==
+	    TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type ==
+	    TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM))
+		SKIP(return, "Unsupported cipher in FIPS mode");
+
 	memrnd(send_mem, sizeof(send_mem));
 
 	EXPECT_GE(send(self->fd, send_mem, total_len, 0), 0);
@@ -915,6 +1061,11 @@ TEST_F(tls, recv_partial)
 	int send_len = strlen(test_str) + 1;
 	char recv_mem[18];
 
+	if (self->fips_enabled && (variant->cipher_type ==
+	    TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type ==
+	    TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM))
+		SKIP(return, "Unsupported cipher in FIPS mode");
+
 	memset(recv_mem, 0, sizeof(recv_mem));
 	EXPECT_EQ(send(self->fd, test_str, send_len, 0), send_len);
 	EXPECT_NE(recv(self->cfd, recv_mem, strlen(test_str_first),
@@ -932,6 +1083,11 @@ TEST_F(tls, recv_nonblock)
 	char buf[4096];
 	bool err;
 
+	if (self->fips_enabled && (variant->cipher_type ==
+	    TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type ==
+	    TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM))
+		SKIP(return, "Unsupported cipher in FIPS mode");
+
 	EXPECT_EQ(recv(self->cfd, buf, sizeof(buf), MSG_DONTWAIT), -1);
 	err = (errno == EAGAIN || errno == EWOULDBLOCK);
 	EXPECT_EQ(err, true);
@@ -943,6 +1099,11 @@ TEST_F(tls, recv_peek)
 	int send_len = strlen(test_str) + 1;
 	char buf[15];
 
+	if (self->fips_enabled && (variant->cipher_type ==
+	    TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type ==
+	    TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM))
+		SKIP(return, "Unsupported cipher in FIPS mode");
+
 	EXPECT_EQ(send(self->fd, test_str, send_len, 0), send_len);
 	EXPECT_EQ(recv(self->cfd, buf, send_len, MSG_PEEK), send_len);
 	EXPECT_EQ(memcmp(test_str, buf, send_len), 0);
@@ -959,6 +1120,11 @@ TEST_F(tls, recv_peek_multiple)
 	char buf[15];
 	int i;
 
+	if (self->fips_enabled && (variant->cipher_type ==
+	    TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type ==
+	    TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM))
+		SKIP(return, "Unsupported cipher in FIPS mode");
+
 	EXPECT_EQ(send(self->fd, test_str, send_len, 0), send_len);
 	for (i = 0; i < num_peeks; i++) {
 		EXPECT_NE(recv(self->cfd, buf, send_len, MSG_PEEK), -1);
@@ -977,6 +1143,11 @@ TEST_F(tls, recv_peek_multiple_records)
 	int len;
 	char buf[64];
 
+	if (self->fips_enabled && (variant->cipher_type ==
+	    TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type ==
+	    TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM))
+		SKIP(return, "Unsupported cipher in FIPS mode");
+
 	len = strlen(test_str_first);
 	EXPECT_EQ(send(self->fd, test_str_first, len, 0), len);
 
@@ -1026,6 +1197,11 @@ TEST_F(tls, recv_peek_large_buf_mult_recs)
 	int len;
 	char buf[64];
 
+	if (self->fips_enabled && (variant->cipher_type ==
+	    TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type ==
+	    TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM))
+		SKIP(return, "Unsupported cipher in FIPS mode");
+
 	len = strlen(test_str_first);
 	EXPECT_EQ(send(self->fd, test_str_first, len, 0), len);
 
@@ -1046,6 +1222,11 @@ TEST_F(tls, recv_lowat)
 	char recv_mem[20];
 	int lowat = 8;
 
+	if (self->fips_enabled && (variant->cipher_type ==
+	    TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type ==
+	    TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM))
+		SKIP(return, "Unsupported cipher in FIPS mode");
+
 	EXPECT_EQ(send(self->fd, send_mem, 10, 0), 10);
 	EXPECT_EQ(send(self->fd, send_mem, 5, 0), 5);
 
@@ -1067,6 +1248,11 @@ TEST_F(tls, bidir)
 	char buf[10];
 	int ret;
 
+	if (self->fips_enabled && (variant->cipher_type ==
+	    TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type ==
+	    TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM))
+		SKIP(return, "Unsupported cipher in FIPS mode");
+
 	if (!self->notls) {
 		struct tls_crypto_info_keys tls12;
 
@@ -1102,6 +1288,11 @@ TEST_F(tls, pollin)
 	char buf[10];
 	int send_len = 10;
 
+	if (self->fips_enabled && (variant->cipher_type ==
+	    TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type ==
+	    TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM))
+		SKIP(return, "Unsupported cipher in FIPS mode");
+
 	EXPECT_EQ(send(self->fd, test_str, send_len, 0), send_len);
 	fd.fd = self->cfd;
 	fd.events = POLLIN;
@@ -1120,6 +1311,11 @@ TEST_F(tls, poll_wait)
 	struct pollfd fd = { 0, 0, 0 };
 	char recv_mem[15];
 
+	if (self->fips_enabled && (variant->cipher_type ==
+	    TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type ==
+	    TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM))
+		SKIP(return, "Unsupported cipher in FIPS mode");
+
 	fd.fd = self->cfd;
 	fd.events = POLLIN;
 	EXPECT_EQ(send(self->fd, test_str, send_len, 0), send_len);
@@ -1135,6 +1331,11 @@ TEST_F(tls, poll_wait_split)
 	char send_mem[20] = {};
 	char recv_mem[15];
 
+	if (self->fips_enabled && (variant->cipher_type ==
+	    TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type ==
+	    TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM))
+		SKIP(return, "Unsupported cipher in FIPS mode");
+
 	fd.fd = self->cfd;
 	fd.events = POLLIN;
 	/* Send 20 bytes */
@@ -1160,6 +1361,11 @@ TEST_F(tls, blocking)
 	size_t data = 100000;
 	int res = fork();
 
+	if (self->fips_enabled && (variant->cipher_type ==
+	    TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type ==
+	    TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM))
+		SKIP(return, "Unsupported cipher in FIPS mode");
+
 	EXPECT_NE(res, -1);
 
 	if (res) {
@@ -1202,6 +1408,11 @@ TEST_F(tls, nonblocking)
 	int flags;
 	int res;
 
+	if (self->fips_enabled && (variant->cipher_type ==
+	    TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type ==
+	    TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM))
+		SKIP(return, "Unsupported cipher in FIPS mode");
+
 	flags = fcntl(self->fd, F_GETFL, 0);
 	fcntl(self->fd, F_SETFL, flags | O_NONBLOCK);
 	fcntl(self->cfd, F_SETFL, flags | O_NONBLOCK);
@@ -1343,31 +1554,61 @@ test_mutliproc(struct __test_metadata *_metadata, struct _test_data_tls *self,
 
 TEST_F(tls, mutliproc_even)
 {
+	if (self->fips_enabled && (variant->cipher_type ==
+	    TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type ==
+	    TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM))
+		SKIP(return, "Unsupported cipher in FIPS mode");
+
 	test_mutliproc(_metadata, self, false, 6, 6);
 }
 
 TEST_F(tls, mutliproc_readers)
 {
+	if (self->fips_enabled && (variant->cipher_type ==
+	    TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type ==
+	    TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM))
+		SKIP(return, "Unsupported cipher in FIPS mode");
+
 	test_mutliproc(_metadata, self, false, 4, 12);
 }
 
 TEST_F(tls, mutliproc_writers)
 {
+	if (self->fips_enabled && (variant->cipher_type ==
+	    TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type ==
+	    TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM))
+		SKIP(return, "Unsupported cipher in FIPS mode");
+
 	test_mutliproc(_metadata, self, false, 10, 2);
 }
 
 TEST_F(tls, mutliproc_sendpage_even)
 {
+	if (self->fips_enabled && (variant->cipher_type ==
+	    TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type ==
+	    TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM))
+		SKIP(return, "Unsupported cipher in FIPS mode");
+
 	test_mutliproc(_metadata, self, true, 6, 6);
 }
 
 TEST_F(tls, mutliproc_sendpage_readers)
 {
+	if (self->fips_enabled && (variant->cipher_type ==
+	    TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type ==
+	    TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM))
+		SKIP(return, "Unsupported cipher in FIPS mode");
+
 	test_mutliproc(_metadata, self, true, 4, 12);
 }
 
 TEST_F(tls, mutliproc_sendpage_writers)
 {
+	if (self->fips_enabled && (variant->cipher_type ==
+	    TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type ==
+	    TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM))
+		SKIP(return, "Unsupported cipher in FIPS mode");
+
 	test_mutliproc(_metadata, self, true, 10, 2);
 }
 
@@ -1378,6 +1619,11 @@ TEST_F(tls, control_msg)
 	int send_len = 10;
 	char buf[10];
 
+	if (self->fips_enabled && (variant->cipher_type ==
+	    TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type ==
+	    TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM))
+		SKIP(return, "Unsupported cipher in FIPS mode");
+
 	if (self->notls)
 		SKIP(return, "no TLS support");
 
@@ -1406,6 +1652,11 @@ TEST_F(tls, shutdown)
 	int send_len = 10;
 	char buf[10];
 
+	if (self->fips_enabled && (variant->cipher_type ==
+	    TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type ==
+	    TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM))
+		SKIP(return, "Unsupported cipher in FIPS mode");
+
 	ASSERT_EQ(strlen(test_str) + 1, send_len);
 
 	EXPECT_EQ(send(self->fd, test_str, send_len, 0), send_len);
@@ -1421,6 +1672,11 @@ TEST_F(tls, shutdown_unsent)
 	char const *test_str = "test_read";
 	int send_len = 10;
 
+	if (self->fips_enabled && (variant->cipher_type ==
+	    TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type ==
+	    TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM))
+		SKIP(return, "Unsupported cipher in FIPS mode");
+
 	EXPECT_EQ(send(self->fd, test_str, send_len, MSG_MORE), send_len);
 
 	shutdown(self->fd, SHUT_RDWR);
@@ -1432,6 +1688,11 @@ TEST_F(tls, shutdown_reuse)
 	struct sockaddr_in addr;
 	int ret;
 
+	if (self->fips_enabled && (variant->cipher_type ==
+	    TLS_CIPHER_CHACHA20_POLY1305 || variant->cipher_type ==
+	    TLS_CIPHER_SM4_GCM || variant->cipher_type == TLS_CIPHER_SM4_CCM))
+		SKIP(return, "Unsupported cipher in FIPS mode");
+
 	shutdown(self->fd, SHUT_RDWR);
 	shutdown(self->cfd, SHUT_RDWR);
 	close(self->cfd);
-- 
2.34.1

[PATCH net 2/3] selftests: net: vrf-xfrm-tests: change authentication and encryption algos

[Magali Lemes]

The vrf-xfrm-tests tests use the hmac(md5) and cbc(des3_ede)
algorithms for performing authentication and encryption, respectively.
This causes the tests to fail when fips=1 is set, since these algorithms
are not allowed in FIPS mode. Therefore, switch from hmac(md5) and
cbc(des3_ede) to hmac(sha1) and cbc(aes), which are FIPS compliant.

Fixes: 3f251d741150 ("selftests: Add tests for vrf and xfrms")
Signed-off-by: Magali Lemes <magali.lemes@canonical.com>
---
 tools/testing/selftests/net/vrf-xfrm-tests.sh | 32 +++++++++----------
 1 file changed, 16 insertions(+), 16 deletions(-)

diff --git a/tools/testing/selftests/net/vrf-xfrm-tests.sh b/tools/testing/selftests/net/vrf-xfrm-tests.sh
index 184da81f554f..452638ae8aed 100755
--- a/tools/testing/selftests/net/vrf-xfrm-tests.sh
+++ b/tools/testing/selftests/net/vrf-xfrm-tests.sh
@@ -264,60 +264,60 @@ setup_xfrm()
 	ip -netns host1 xfrm state add src ${HOST1_4} dst ${HOST2_4} \
 	    proto esp spi ${SPI_1} reqid 0 mode tunnel \
 	    replay-window 4 replay-oseq 0x4 \
-	    auth-trunc 'hmac(md5)' ${AUTH_1} 96 \
-	    enc 'cbc(des3_ede)' ${ENC_1} \
+	    auth-trunc 'hmac(sha1)' ${AUTH_1} 96 \
+	    enc 'cbc(aes)' ${ENC_1} \
 	    sel src ${h1_4} dst ${h2_4} ${devarg}
 
 	ip -netns host2 xfrm state add src ${HOST1_4} dst ${HOST2_4} \
 	    proto esp spi ${SPI_1} reqid 0 mode tunnel \
 	    replay-window 4 replay-oseq 0x4 \
-	    auth-trunc 'hmac(md5)' ${AUTH_1} 96 \
-	    enc 'cbc(des3_ede)' ${ENC_1} \
+	    auth-trunc 'hmac(sha1)' ${AUTH_1} 96 \
+	    enc 'cbc(aes)' ${ENC_1} \
 	    sel src ${h1_4} dst ${h2_4}
 
 
 	ip -netns host1 xfrm state add src ${HOST2_4} dst ${HOST1_4} \
 	    proto esp spi ${SPI_2} reqid 0 mode tunnel \
 	    replay-window 4 replay-oseq 0x4 \
-	    auth-trunc 'hmac(md5)' ${AUTH_2} 96 \
-	    enc 'cbc(des3_ede)' ${ENC_2} \
+	    auth-trunc 'hmac(sha1)' ${AUTH_2} 96 \
+	    enc 'cbc(aes)' ${ENC_2} \
 	    sel src ${h2_4} dst ${h1_4} ${devarg}
 
 	ip -netns host2 xfrm state add src ${HOST2_4} dst ${HOST1_4} \
 	    proto esp spi ${SPI_2} reqid 0 mode tunnel \
 	    replay-window 4 replay-oseq 0x4 \
-	    auth-trunc 'hmac(md5)' ${AUTH_2} 96 \
-	    enc 'cbc(des3_ede)' ${ENC_2} \
+	    auth-trunc 'hmac(sha1)' ${AUTH_2} 96 \
+	    enc 'cbc(aes)' ${ENC_2} \
 	    sel src ${h2_4} dst ${h1_4}
 
 
 	ip -6 -netns host1 xfrm state add src ${HOST1_6} dst ${HOST2_6} \
 	    proto esp spi ${SPI_1} reqid 0 mode tunnel \
 	    replay-window 4 replay-oseq 0x4 \
-	    auth-trunc 'hmac(md5)' ${AUTH_1} 96 \
-	    enc 'cbc(des3_ede)' ${ENC_1} \
+	    auth-trunc 'hmac(sha1)' ${AUTH_1} 96 \
+	    enc 'cbc(aes)' ${ENC_1} \
 	    sel src ${h1_6} dst ${h2_6} ${devarg}
 
 	ip -6 -netns host2 xfrm state add src ${HOST1_6} dst ${HOST2_6} \
 	    proto esp spi ${SPI_1} reqid 0 mode tunnel \
 	    replay-window 4 replay-oseq 0x4 \
-	    auth-trunc 'hmac(md5)' ${AUTH_1} 96 \
-	    enc 'cbc(des3_ede)' ${ENC_1} \
+	    auth-trunc 'hmac(sha1)' ${AUTH_1} 96 \
+	    enc 'cbc(aes)' ${ENC_1} \
 	    sel src ${h1_6} dst ${h2_6}
 
 
 	ip -6 -netns host1 xfrm state add src ${HOST2_6} dst ${HOST1_6} \
 	    proto esp spi ${SPI_2} reqid 0 mode tunnel \
 	    replay-window 4 replay-oseq 0x4 \
-	    auth-trunc 'hmac(md5)' ${AUTH_2} 96 \
-	    enc 'cbc(des3_ede)' ${ENC_2} \
+	    auth-trunc 'hmac(sha1)' ${AUTH_2} 96 \
+	    enc 'cbc(aes)' ${ENC_2} \
 	    sel src ${h2_6} dst ${h1_6} ${devarg}
 
 	ip -6 -netns host2 xfrm state add src ${HOST2_6} dst ${HOST1_6} \
 	    proto esp spi ${SPI_2} reqid 0 mode tunnel \
 	    replay-window 4 replay-oseq 0x4 \
-	    auth-trunc 'hmac(md5)' ${AUTH_2} 96 \
-	    enc 'cbc(des3_ede)' ${ENC_2} \
+	    auth-trunc 'hmac(sha1)' ${AUTH_2} 96 \
+	    enc 'cbc(aes)' ${ENC_2} \
 	    sel src ${h2_6} dst ${h1_6}
 }
 
-- 
2.34.1

[PATCH net 3/3] selftests: net: fcnal-test: check if FIPS mode is enabled

[Magali Lemes]

There are some MD5 tests which fail when the kernel is in FIPS mode,
since MD5 is not FIPS compliant. Add a check and only run those tests
if FIPS mode is not enabled.

Fixes: f0bee1ebb5594 ("fcnal-test: Add TCP MD5 tests")
Fixes: 5cad8bce26e01 ("fcnal-test: Add TCP MD5 tests for VRF")
Signed-off-by: Magali Lemes <magali.lemes@canonical.com>
---
 tools/testing/selftests/net/fcnal-test.sh | 27 ++++++++++++++++-------
 1 file changed, 19 insertions(+), 8 deletions(-)

diff --git a/tools/testing/selftests/net/fcnal-test.sh b/tools/testing/selftests/net/fcnal-test.sh
index 21ca91473c09..ee6880ac3e5e 100755
--- a/tools/testing/selftests/net/fcnal-test.sh
+++ b/tools/testing/selftests/net/fcnal-test.sh
@@ -92,6 +92,13 @@ NSC_CMD="ip netns exec ${NSC}"
 
 which ping6 > /dev/null 2>&1 && ping6=$(which ping6) || ping6=$(which ping)
 
+# Check if FIPS mode is enabled
+if [ -f /proc/sys/crypto/fips_enabled ]; then
+	fips_enabled=`cat /proc/sys/crypto/fips_enabled`
+else
+	fips_enabled=0
+fi
+
 ################################################################################
 # utilities
 
@@ -1216,7 +1223,7 @@ ipv4_tcp_novrf()
 	run_cmd nettest -d ${NSA_DEV} -r ${a}
 	log_test_addr ${a} $? 1 "No server, device client, local conn"
 
-	ipv4_tcp_md5_novrf
+	[ "$fips_enabled" = "1" ] || ipv4_tcp_md5_novrf
 }
 
 ipv4_tcp_vrf()
@@ -1270,9 +1277,11 @@ ipv4_tcp_vrf()
 	log_test_addr ${a} $? 1 "Global server, local connection"
 
 	# run MD5 tests
-	setup_vrf_dup
-	ipv4_tcp_md5
-	cleanup_vrf_dup
+	if [ "$fips_enabled" = "0" ]; then
+		setup_vrf_dup
+		ipv4_tcp_md5
+		cleanup_vrf_dup
+	fi
 
 	#
 	# enable VRF global server
@@ -2772,7 +2781,7 @@ ipv6_tcp_novrf()
 		log_test_addr ${a} $? 1 "No server, device client, local conn"
 	done
 
-	ipv6_tcp_md5_novrf
+	[ "$fips_enabled" = "1" ] || ipv6_tcp_md5_novrf
 }
 
 ipv6_tcp_vrf()
@@ -2842,9 +2851,11 @@ ipv6_tcp_vrf()
 	log_test_addr ${a} $? 1 "Global server, local connection"
 
 	# run MD5 tests
-	setup_vrf_dup
-	ipv6_tcp_md5
-	cleanup_vrf_dup
+	if [ "$fips_enabled" = "0" ]; then
+		setup_vrf_dup
+		ipv6_tcp_md5
+		cleanup_vrf_dup
+	fi
 
 	#
 	# enable VRF global server
-- 
2.34.1

Re: [PATCH net 2/3] selftests: net: vrf-xfrm-tests: change authentication and encryption algos

[David Ahern]

On 6/7/23 11:43 AM, Magali Lemes wrote:
> The vrf-xfrm-tests tests use the hmac(md5) and cbc(des3_ede)
> algorithms for performing authentication and encryption, respectively.
> This causes the tests to fail when fips=1 is set, since these algorithms
> are not allowed in FIPS mode. Therefore, switch from hmac(md5) and
> cbc(des3_ede) to hmac(sha1) and cbc(aes), which are FIPS compliant.
> 
> Fixes: 3f251d741150 ("selftests: Add tests for vrf and xfrms")
> Signed-off-by: Magali Lemes <magali.lemes@canonical.com>
> ---
>  tools/testing/selftests/net/vrf-xfrm-tests.sh | 32 +++++++++----------
>  1 file changed, 16 insertions(+), 16 deletions(-)

Reviewed-by: David Ahern <dsahern@kernel.org>

Re: [PATCH net 3/3] selftests: net: fcnal-test: check if FIPS mode is enabled

[David Ahern]

On 6/7/23 11:43 AM, Magali Lemes wrote:
> There are some MD5 tests which fail when the kernel is in FIPS mode,
> since MD5 is not FIPS compliant. Add a check and only run those tests
> if FIPS mode is not enabled.
> 
> Fixes: f0bee1ebb5594 ("fcnal-test: Add TCP MD5 tests")
> Fixes: 5cad8bce26e01 ("fcnal-test: Add TCP MD5 tests for VRF")
> Signed-off-by: Magali Lemes <magali.lemes@canonical.com>
> ---
>  tools/testing/selftests/net/fcnal-test.sh | 27 ++++++++++++++++-------
>  1 file changed, 19 insertions(+), 8 deletions(-)
> 

Reviewed-by: David Ahern <dsahern@kernel.org>

Re: [PATCH net 1/3] selftests: net: tls: check if FIPS mode is enabled

[Jakub Kicinski]

On Wed,  7 Jun 2023 14:43:00 -0300 Magali Lemes wrote:
>  FIXTURE(tls)
>  {
> -	int fd, cfd;
> +	int fd, cfd, fips_enabled;

put bool fips_non_compliant into the variant, and mark down
the cases which need to be skipped. There is fewer variants
than tests

>  	bool notls;
>  };
>  
> @@ -309,7 +309,22 @@ FIXTURE_SETUP(tls)
>  {
>  	struct tls_crypto_info_keys tls12;
>  	int one = 1;
> -	int ret;
> +	int ret, res;
> +	FILE *f;
> +
> +	self->fips_enabled = 0;
> +	f = fopen("/proc/sys/crypto/fips_enabled", "r");
> +	if (f) {
> +		res = fscanf(f, "%d", &self->fips_enabled);
> +		if (res != 1)
> +			ksft_print_msg("ERROR: Couldn't read /proc/sys/crypto/fips_enabled\n");
> +		fclose(f);
> +	}

Cache the fips_enabled in a static global variable, no point reading 
it every time.
-- 
pw-bot: cr