| Message ID | 20230613123222.631897-5-magali.lemes@canonical.com |
|---|---|
| State | Accepted |
| Commit | d7a2fc1437f71cb058c7b11bc33dfc19e4bf277a |
| Headers | show |
| Series | Check if FIPS mode is enabled when running selftests | expand |
Hi Magali, On 13/06/2023 14:32, Magali Lemes wrote: > There are some MD5 tests which fail when the kernel is in FIPS mode, > since MD5 is not FIPS compliant. Add a check and only run those tests > if FIPS mode is not enabled. > > Fixes: f0bee1ebb5594 ("fcnal-test: Add TCP MD5 tests") > Fixes: 5cad8bce26e01 ("fcnal-test: Add TCP MD5 tests for VRF") > Reviewed-by: David Ahern <dsahern@kernel.org> > Signed-off-by: Magali Lemes <magali.lemes@canonical.com> Thank you for your patch! FYI, we got a small conflict when merging 'net' in 'net-next' in the MPTCP tree due to this patch applied in 'net': d7a2fc1437f7 ("selftests: net: fcnal-test: check if FIPS mode is enabled") and this one from 'net-next': dd017c72dde6 ("selftests: fcnal: Test SO_DONTROUTE on TCP sockets.") ----- Generic Message ----- The best is to avoid conflicts between 'net' and 'net-next' trees but if they cannot be avoided when preparing patches, a note about how to fix them is much appreciated. The conflict has been resolved on our side[1] and the resolution we suggest is attached to this email. Please report any issues linked to this conflict resolution as it might be used by others. If you worked on the mentioned patches, don't hesitate to ACK this conflict resolution. --------------------------- Regarding this conflict, I simply took the modifications from both sides. Cheers, Matt [1] https://github.com/multipath-tcp/mptcp_net-next/commit/502f061b9a02
Hi Jakub, Stephen, On 16/06/2023 21:33, Matthieu Baerts wrote: > Hi Magali, > > On 13/06/2023 14:32, Magali Lemes wrote: >> There are some MD5 tests which fail when the kernel is in FIPS mode, >> since MD5 is not FIPS compliant. Add a check and only run those tests >> if FIPS mode is not enabled. >> >> Fixes: f0bee1ebb5594 ("fcnal-test: Add TCP MD5 tests") >> Fixes: 5cad8bce26e01 ("fcnal-test: Add TCP MD5 tests for VRF") >> Reviewed-by: David Ahern <dsahern@kernel.org> >> Signed-off-by: Magali Lemes <magali.lemes@canonical.com> > > Thank you for your patch! > > FYI, we got a small conflict when merging 'net' in 'net-next' in the > MPTCP tree due to this patch applied in 'net': Just in case, I'm starting to publish the Git rerere resolutions for the conflicts we have when syncing the MPTCP trees with Netdev's "net" and "net-next" trees. They are available there: https://github.com/multipath-tcp/mptcp-upstream-rr-cache For this specific conflict, the new files are available there: https://github.com/multipath-tcp/mptcp-upstream-rr-cache/commit/5091dd Don't hesitate to tell me if I need to change anything to this repo. Cheers, Matt
diff --git a/tools/testing/selftests/net/fcnal-test.sh b/tools/testing/selftests/net/fcnal-test.sh index 21ca91473c09..ee6880ac3e5e 100755 --- a/tools/testing/selftests/net/fcnal-test.sh +++ b/tools/testing/selftests/net/fcnal-test.sh @@ -92,6 +92,13 @@ NSC_CMD="ip netns exec ${NSC}" which ping6 > /dev/null 2>&1 && ping6=$(which ping6) || ping6=$(which ping) +# Check if FIPS mode is enabled +if [ -f /proc/sys/crypto/fips_enabled ]; then + fips_enabled=`cat /proc/sys/crypto/fips_enabled` +else + fips_enabled=0 +fi + ################################################################################ # utilities @@ -1216,7 +1223,7 @@ ipv4_tcp_novrf() run_cmd nettest -d ${NSA_DEV} -r ${a} log_test_addr ${a} $? 1 "No server, device client, local conn" - ipv4_tcp_md5_novrf + [ "$fips_enabled" = "1" ] || ipv4_tcp_md5_novrf } ipv4_tcp_vrf() @@ -1270,9 +1277,11 @@ ipv4_tcp_vrf() log_test_addr ${a} $? 1 "Global server, local connection" # run MD5 tests - setup_vrf_dup - ipv4_tcp_md5 - cleanup_vrf_dup + if [ "$fips_enabled" = "0" ]; then + setup_vrf_dup + ipv4_tcp_md5 + cleanup_vrf_dup + fi # # enable VRF global server @@ -2772,7 +2781,7 @@ ipv6_tcp_novrf() log_test_addr ${a} $? 1 "No server, device client, local conn" done - ipv6_tcp_md5_novrf + [ "$fips_enabled" = "1" ] || ipv6_tcp_md5_novrf } ipv6_tcp_vrf() @@ -2842,9 +2851,11 @@ ipv6_tcp_vrf() log_test_addr ${a} $? 1 "Global server, local connection" # run MD5 tests - setup_vrf_dup - ipv6_tcp_md5 - cleanup_vrf_dup + if [ "$fips_enabled" = "0" ]; then + setup_vrf_dup + ipv6_tcp_md5 + cleanup_vrf_dup + fi # # enable VRF global server
There are some MD5 tests which fail when the kernel is in FIPS mode, since MD5 is not FIPS compliant. Add a check and only run those tests if FIPS mode is not enabled. Fixes: f0bee1ebb5594 ("fcnal-test: Add TCP MD5 tests") Fixes: 5cad8bce26e01 ("fcnal-test: Add TCP MD5 tests for VRF") Reviewed-by: David Ahern <dsahern@kernel.org> Signed-off-by: Magali Lemes <magali.lemes@canonical.com> --- No change in v4. No change in v3. Changes in v2: - Add R-b tag. tools/testing/selftests/net/fcnal-test.sh | 27 ++++++++++++++++------- 1 file changed, 19 insertions(+), 8 deletions(-)