
Commit d113c39

magalilemeskuba-moo
authored andcommitted
selftests: net: tls: check if FIPS mode is enabled
TLS selftests use the ChaCha20-Poly1305 and SM4 algorithms, which are not FIPS compliant. When fips=1, this set of tests fails. Add a check and only run these tests if not in FIPS mode. Fixes: 4f336e8 ("selftests/tls: add CHACHA20-POLY1305 to tls selftests") Fixes: e506342 ("selftests/tls: add SM4 GCM/CCM to tls selftests") Reviewed-by: Jakub Kicinski <[email protected]> Signed-off-by: Magali Lemes <[email protected]> Signed-off-by: Jakub Kicinski <[email protected]>
1 parent 372b304 commit d113c39


1 file changed

+23
-1
lines changed

1 file changed

+23
-1
lines changed

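--- a/tools/testing/selftests/net/tls.c
+++ b/tools/testing/selftests/net/tls.c
@@ -25,6 +25,8 @@
 #define TLS_PAYLOAD_MAX_LEN 16384
 #define SOL_TLS 282
 
+static int fips_enabled;
+
 struct tls_crypto_info_keys {
 union {
 struct tls12_crypto_info_aes_gcm_128 aes128;
@@ -235,7 +237,7 @@ FIXTURE_VARIANT(tls)
 {
 uint16_t tls_version;
 uint16_t cipher_type;
-bool nopad;
+bool nopad, fips_non_compliant;
 };
 
 FIXTURE_VARIANT_ADD(tls, 12_aes_gcm)
@@ -254,24 +256,28 @@ FIXTURE_VARIANT_ADD(tls, 12_chacha)
 {
 .tls_version = TLS_1_2_VERSION,
 .cipher_type = TLS_CIPHER_CHACHA20_POLY1305,
+.fips_non_compliant = true,
 };
 
 FIXTURE_VARIANT_ADD(tls, 13_chacha)
 {
 .tls_version = TLS_1_3_VERSION,
 .cipher_type = TLS_CIPHER_CHACHA20_POLY1305,
+.fips_non_compliant = true,
 };
 
 FIXTURE_VARIANT_ADD(tls, 13_sm4_gcm)
 {
 .tls_version = TLS_1_3_VERSION,
 .cipher_type = TLS_CIPHER_SM4_GCM,
+.fips_non_compliant = true,
 };
 
 FIXTURE_VARIANT_ADD(tls, 13_sm4_ccm)
 {
 .tls_version = TLS_1_3_VERSION,
 .cipher_type = TLS_CIPHER_SM4_CCM,
+.fips_non_compliant = true,
 };
 
 FIXTURE_VARIANT_ADD(tls, 12_aes_ccm)
@@ -311,6 +317,9 @@ FIXTURE_SETUP(tls)
 int one = 1;
 int ret;
 
+if (fips_enabled && variant->fips_non_compliant)
+SKIP(return, "Unsupported cipher in FIPS mode");
+
 tls_crypto_info_init(variant->tls_version, variant->cipher_type,
 &tls12);
 
@@ -1865,4 +1874,17 @@ TEST(prequeue) {
 close(cfd);
 }
 
+static void __attribute__((constructor)) fips_check(void) {
+int res;
+FILE *f;
+
+f = fopen("/proc/sys/crypto/fips_enabled", "r");
+if (f) {
+res = fscanf(f, "%d", &fips_enabled);
+if (res != 1)
+ksft_print_msg("ERROR: Couldn't read /proc/sys/crypto/fips_enabled\n");
+fclose(f);
+}
+}
+
 TEST_HARNESS_MAIN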
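Review bot: In `fips_check()` a failed `fscanf()` is logged as an error but `fips_enabled` keeps its zero initial value, and a failed `fopen()` is silent, so on a FIPS host where the sysctl cannot be read the ChaCha20-Poly1305 and SM4 variants still run and fail as they did before this change. That default is reasonable for kernels that do not expose the file, but it should be stated above the function, e.g. `/* Runs before main(); fips_enabled stays 0 (all variants run) if the sysctl is absent or unreadable. */`. The `fips_non_compliant` flag in `FIXTURE_VARIANT(tls)` is set by hand on each variant, so a non-approved cipher variant added later is only skipped if its author remembers the flag; a one-line comment on the field, such as `/* set for ciphers not approved in FIPS mode; such variants are skipped when fips_enabled */`, would make that requirement visible. The bodies of `FIXTURE_SETUP(tls)` and `FIXTURE_VARIANT(tls)` continue outside the hunks shown.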
