[LTP] [PATCH] sctp_big_chunk: Do not use md5 hmac algo if fips is enabled

[LTP] [PATCH] sctp_big_chunk: Do not use md5 hmac algo if fips is enabled

[Ashwin Dayanand Kamat via ltp]

MD5 is not FIPS compliant. But still md5 is used as the default algorithm for sctp
even when fips is enabled. Due to this, sctp_big_chunk testcase is failing because listen()
system call in setup_server() is failing in fips environment.

Fix is to not use md5 algorithm while setting up server.
Instead use sha1 as algorithm if it's supported or else set it to none.

Signed-Off by: Ashwin Dayanand Kamat <kashwindayan@vmware.com>
---
 testcases/network/sctp/sctp_big_chunk.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/testcases/network/sctp/sctp_big_chunk.c b/testcases/network/sctp/sctp_big_chunk.c
index a6a326ea2..267f1cb45 100644
--- a/testcases/network/sctp/sctp_big_chunk.c
+++ b/testcases/network/sctp/sctp_big_chunk.c
@@ -133,11 +133,15 @@ static void setup_client(void)
 }
 
 static const char mtu_path[] = "/sys/class/net/lo/mtu";
+static const char hmac_algo_path[] = "/proc/sys/net/sctp/cookie_hmac_alg";
 static const unsigned int max_mtu = 65535;
 static unsigned int mtu;
 
 static void setup(void)
 {
+	char hmac_algo[CHAR_MAX];
+	int fips_enabled = tst_fips_enabled();
+
 	if (tst_parse_int(addr_param, &addr_num, 1, INT_MAX))
 		tst_brk(TBROK, "wrong address number '%s'", addr_param);
 
@@ -146,8 +150,18 @@ static void setup(void)
 	if (mtu < max_mtu)
 		tst_brk(TCONF, "Test needs that 'lo' MTU has %d", max_mtu);
 
+	SAFE_FILE_SCANF(hmac_algo_path, "%s", hmac_algo);
+
+	if (fips_enabled) {
+		if (!system("grep hmac\\(sha1\\) /proc/crypto"))
+			SAFE_FILE_PRINTF(hmac_algo_path, "%s", "sha1");
+		else
+			SAFE_FILE_PRINTF(hmac_algo_path, "%s", "none");
+	}
+
 	setup_server();
 	setup_client();
+	SAFE_FILE_PRINTF(hmac_algo_path, "%s", hmac_algo);
 }
 
 static void run(void)
-- 
2.39.0


-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

Re: [LTP] [PATCH] sctp_big_chunk: Do not use md5 hmac algo if fips is enabled

[Petr Vorel]

Hi Ashwin,

> MD5 is not FIPS compliant. But still md5 is used as the default algorithm for sctp
> even when fips is enabled. Due to this, sctp_big_chunk testcase is failing because listen()
> system call in setup_server() is failing in fips environment.

> Fix is to not use md5 algorithm while setting up server.
> Instead use sha1 as algorithm if it's supported or else set it to none.

> Signed-Off by: Ashwin Dayanand Kamat <kashwindayan@vmware.com>
> ---
>  testcases/network/sctp/sctp_big_chunk.c | 14 ++++++++++++++
>  1 file changed, 14 insertions(+)

> diff --git a/testcases/network/sctp/sctp_big_chunk.c b/testcases/network/sctp/sctp_big_chunk.c
> index a6a326ea2..267f1cb45 100644
> --- a/testcases/network/sctp/sctp_big_chunk.c
> +++ b/testcases/network/sctp/sctp_big_chunk.c
> @@ -133,11 +133,15 @@ static void setup_client(void)
>  }

>  static const char mtu_path[] = "/sys/class/net/lo/mtu";
> +static const char hmac_algo_path[] = "/proc/sys/net/sctp/cookie_hmac_alg";
>  static const unsigned int max_mtu = 65535;
>  static unsigned int mtu;

>  static void setup(void)
>  {
> +	char hmac_algo[CHAR_MAX];
> +	int fips_enabled = tst_fips_enabled();
> +
>  	if (tst_parse_int(addr_param, &addr_num, 1, INT_MAX))
>  		tst_brk(TBROK, "wrong address number '%s'", addr_param);

> @@ -146,8 +150,18 @@ static void setup(void)
>  	if (mtu < max_mtu)
>  		tst_brk(TCONF, "Test needs that 'lo' MTU has %d", max_mtu);

> +	SAFE_FILE_SCANF(hmac_algo_path, "%s", hmac_algo);
> +
> +	if (fips_enabled) {
fips_enabled is used only here => if (tst_fips_enabled()) {

> +		if (!system("grep hmac\\(sha1\\) /proc/crypto"))
This would not be acceptable. We have SAFE_FILE_LINES_SCANF()

Something like would do:
SAFE_FILE_LINES_SCANF("/proc/crypto", "hmac(sha1)");

But I wonder if just setting "none" on FIPS would be enough.

Also, shouldn't this be set in setup_server() before SAFE_LISTEN(),
to be obvious what needs it?

Kind regards,
Petr

> +			SAFE_FILE_PRINTF(hmac_algo_path, "%s", "sha1");
> +		else
> +			SAFE_FILE_PRINTF(hmac_algo_path, "%s", "none");
> +	}
> +
>  	setup_server();
>  	setup_client();
> +	SAFE_FILE_PRINTF(hmac_algo_path, "%s", hmac_algo);
>  }

-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

Re: [LTP] [PATCH] sctp_big_chunk: Do not use md5 hmac algo if fips is enabled

[Petr Vorel]

> MD5 is not FIPS compliant. But still md5 is used as the default algorithm for sctp
> even when fips is enabled. Due to this, sctp_big_chunk testcase is failing because listen()
> system call in setup_server() is failing in fips environment.

Out of curiosity, which errno is reported on listen?

In our case in FIPS ENOSYS is returned, thus handled as TCONF.

Kind regards,
Petr

-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

Re: [LTP] [PATCH] sctp_big_chunk: Do not use md5 hmac algo if fips is enabled

[Ashwin Dayanand Kamat via ltp]

> On 21-Jun-2023, at 3:56 AM, Petr Vorel <pvorel@suse.cz> wrote:
> 
> !! External Email
> 
>> MD5 is not FIPS compliant. But still md5 is used as the default algorithm for sctp
>> even when fips is enabled. Due to this, sctp_big_chunk testcase is failing because listen()
>> system call in setup_server() is failing in fips environment.
> 
> Out of curiosity, which errno is reported on listen?
> 
> In our case in FIPS ENOSYS is returned, thus handled as TCONF.
> 
I am seeing the ENOSYS (38) error and it’s true that it is handled as TCONF. The intention of the patch is to fix the same.

Thanks,
Ashwin 

> Kind regards,
> Petr
> 
> !! External Email: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender.


-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

Re: [LTP] [PATCH] sctp_big_chunk: Do not use md5 hmac algo if fips is enabled

[Petr Vorel]

Hi Ashwin,

> > Out of curiosity, which errno is reported on listen?

> > In our case in FIPS ENOSYS is returned, thus handled as TCONF.

> I am seeing the ENOSYS (38) error and it’s true that it is handled as TCONF. The intention of the patch is to fix the same.

TCONF means skipped, i.e. OK. I suppose your patch allows to do testing, which
is an enhancement. But, at least on one FIPS system I get failure due missing
proc file:

tst_fips.c:22: TINFO: FIPS: on
sctp_big_chunk.c:153: TBROK: Failed to open FILE '/proc/sys/net/sctp/cookie_hmac_alg' for reading: ENOENT (2)

The system has CONFIG_IP_SCTP=m, I don't know why module is not loaded.
Maybe it's not installed on the system (would require package with extra
modules), but still this would be a regression, we should check for presence of
the file.

NOTE We have .save_restore [1] helper, generally we'd use it with
TST_SR_TCONF_MISSING, but in this case I'd use access() to check,
because whole SAFE_FILE_SCANF() should be applied only when needed
(in tst_fips_enabled()).

Kind regards,
Petr

[1] https://github.com/linux-test-project/ltp/wiki/C-Test-API#127-saving--restoring-procsys-values

> Thanks,
> Ashwin 

-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

Re: [LTP] [PATCH] sctp_big_chunk: Do not use md5 hmac algo if fips is enabled

[Petr Vorel]

> Hi Ashwin,

> > > Out of curiosity, which errno is reported on listen?

> > > In our case in FIPS ENOSYS is returned, thus handled as TCONF.

> > I am seeing the ENOSYS (38) error and it’s true that it is handled as TCONF. The intention of the patch is to fix the same.

> TCONF means skipped, i.e. OK. I suppose your patch allows to do testing, which
> is an enhancement. But, at least on one FIPS system I get failure due missing
> proc file:

> tst_fips.c:22: TINFO: FIPS: on
> sctp_big_chunk.c:153: TBROK: Failed to open FILE '/proc/sys/net/sctp/cookie_hmac_alg' for reading: ENOENT (2)

OK, this problem is on all systems which haven't used sctp so far. We really
need to somehow modprobe sctp before reading /proc/sys/net/sctp/cookie_hmac_alg.
Maybe using .needs_drivers?

Kind regards,
Petr

> The system has CONFIG_IP_SCTP=m, I don't know why module is not loaded.
> Maybe it's not installed on the system (would require package with extra
> modules), but still this would be a regression, we should check for presence of
> the file.

> NOTE We have .save_restore [1] helper, generally we'd use it with
> TST_SR_TCONF_MISSING, but in this case I'd use access() to check,
> because whole SAFE_FILE_SCANF() should be applied only when needed
> (in tst_fips_enabled()).

> Kind regards,
> Petr

> [1] https://github.com/linux-test-project/ltp/wiki/C-Test-API#127-saving--restoring-procsys-values

> > Thanks,
> > Ashwin 

-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

Re: [LTP] [PATCH] sctp_big_chunk: Do not use md5 hmac algo if fips is enabled

[Ashwin Dayanand Kamat via ltp]

On 21-Jun-2023, at 6:18 PM, Petr Vorel <pvorel@suse.cz<mailto:pvorel@suse.cz>> wrote:

!! External Email

Hi Ashwin,

Out of curiosity, which errno is reported on listen?

In our case in FIPS ENOSYS is returned, thus handled as TCONF.

I am seeing the ENOSYS (38) error and it’s true that it is handled as TCONF. The intention of the patch is to fix the same.

TCONF means skipped, i.e. OK. I suppose your patch allows to do testing, which
is an enhancement. But, at least on one FIPS system I get failure due missing
proc file:

tst_fips.c:22: TINFO: FIPS: on
sctp_big_chunk.c:153: TBROK: Failed to open FILE '/proc/sys/net/sctp/cookie_hmac_alg' for reading: ENOENT (2)

OK, this problem is on all systems which haven't used sctp so far. We really
need to somehow modprobe sctp before reading /proc/sys/net/sctp/cookie_hmac_alg.
Maybe using .needs_drivers?

Thank you for your valuable input. I will look into these and handle it
accordingly in the next patch.

Kind regards,
Ashwin Kamat
Kind regards,
Petr

The system has CONFIG_IP_SCTP=m, I don't know why module is not loaded.
Maybe it's not installed on the system (would require package with extra
modules), but still this would be a regression, we should check for presence of
the file.

NOTE We have .save_restore [1] helper, generally we'd use it with
TST_SR_TCONF_MISSING, but in this case I'd use access() to check,
because whole SAFE_FILE_SCANF() should be applied only when needed
(in tst_fips_enabled()).

Kind regards,
Petr

[1] https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Flinux-test-project%2Fltp%2Fwiki%2FC-Test-API%23127-saving--restoring-procsys-values&data=05%7C01%7Ckashwindayan%40vmware.com%7C2db661163d9a47a4720308db7255ccb5%7Cb39138ca3cee4b4aa4d6cd83d9dd62f0%7C0%7C0%7C638229485080061558%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=KfYPwUd%2FyEyfHC0AN%2BHv32qWUGa3I3V%2BTnQ0KuGQoLQ%3D&reserved=0<https://github.com/linux-test-project/ltp/wiki/C-Test-API#127-saving--restoring-procsys-values>

Thanks,
Ashwin

!! External Email: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender.


-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

Re: [LTP] [PATCH] sctp_big_chunk: Do not use md5 hmac algo if fips is enabled

[Ashwin Dayanand Kamat via ltp]

> On 21-Jun-2023, at 6:18 PM, Petr Vorel <pvorel@suse.cz> wrote:
>
> !! External Email
>
>> Hi Ashwin,
>
>>>> Out of curiosity, which errno is reported on listen?
>
>>>> In our case in FIPS ENOSYS is returned, thus handled as TCONF.
>
>>> I am seeing the ENOSYS (38) error and it’s true that it is handled as TCONF. The intention of the patch is to fix the same.
>
>> TCONF means skipped, i.e. OK. I suppose your patch allows to do testing, which
>> is an enhancement. But, at least on one FIPS system I get failure due missing
>> proc file:
>
>> tst_fips.c:22: TINFO: FIPS: on
>> sctp_big_chunk.c:153: TBROK: Failed to open FILE '/proc/sys/net/sctp/cookie_hmac_alg' for reading: ENOENT (2)
>
> OK, this problem is on all systems which haven't used sctp so far. We really
> need to somehow modprobe sctp before reading /proc/sys/net/sctp/cookie_hmac_alg.
> Maybe using .needs_drivers?
>
> Kind regards,
> Petr
>

Thank you for your valuable input. I will look into these and handle accordingly in next patchset.

Regards,
Ashwin

>> The system has CONFIG_IP_SCTP=m, I don't know why module is not loaded.
>> Maybe it's not installed on the system (would require package with extra
>> modules), but still this would be a regression, we should check for presence of
>> the file.
>
>> NOTE We have .save_restore [1] helper, generally we'd use it with
>> TST_SR_TCONF_MISSING, but in this case I'd use access() to check,
>> because whole SAFE_FILE_SCANF() should be applied only when needed
>> (in tst_fips_enabled()).
>
>> Kind regards,
>> Petr
>
>> [1] https://github.com/linux-test-project/ltp/wiki/C-Test-API#127-saving--restoring-procsys-values <https://github.com/linux-test-project/ltp/wiki/C-Test-API#127-saving--restoring-procsys-values> <https://github.com/linux-test-project/ltp/wiki/C-Test-API#127-saving--restoring-procsys-values> <https://github.com/linux-test-project/ltp/wiki/C-Test-API#127-saving--restoring-procsys-values&gt;>
>
>>> Thanks,
>>> Ashwin
>
> !! External Email: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender.














-- 
Mailing list info: https://lists.linux.it/listinfo/ltp