* [LTP] [PATCH v2] sctp_big_chunk: Do not use md5 hmac algo if fips is enabled
@ 2023-06-22 14:50 Ashwin Dayanand Kamat via ltp
2023-06-27 11:04 ` Petr Vorel
` (2 more replies)
0 siblings, 3 replies; 6+ messages in thread
From: Ashwin Dayanand Kamat via ltp @ 2023-06-22 14:50 UTC (permalink / raw)
To: ltp, kashwindayan, akaher, tkundu, vsirnapalli, pvorel
MD5 is not FIPS compliant, but md5 is still used as the default algorithm for sctp
even when fips is enabled. Due to this, the sctp_big_chunk testcase is failing because the listen()
system call in setup_server() fails in a fips environment.
The fix is to not use the md5 algorithm while setting up the server, and instead set it to none.
Signed-off-by: Ashwin Dayanand Kamat <kashwindayan@vmware.com>
---
v2:
As per the review comments given by Petr, the following changes were made in v2:
* Moved the logic to sctp_server() function
* Setting none as the default algo
* make sure cookie_hmac_alg file is present before accessing it
---
testcases/network/sctp/sctp_big_chunk.c | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/testcases/network/sctp/sctp_big_chunk.c b/testcases/network/sctp/sctp_big_chunk.c
index a6a326ea2..31786dd39 100644
--- a/testcases/network/sctp/sctp_big_chunk.c
+++ b/testcases/network/sctp/sctp_big_chunk.c
@@ -34,6 +34,24 @@ static int addr_num = 3273;
static void setup_server(void)
{
+ const char *const cmd_modprobe[] = {"modprobe", "sctp", NULL};
+ const char hmac_algo_path[] = "/proc/sys/net/sctp/cookie_hmac_alg";
+ char hmac_algo[CHAR_MAX];
+ int hmac_algo_changed = 0;
+
+ /* Disable md5 if fips is enabled. Set it to none */
+ if (tst_fips_enabled()) {
+ if (access(hmac_algo_path, F_OK) < 0) {
+ SAFE_CMD(cmd_modprobe, NULL, NULL);
+ }
+
+ if (!access(hmac_algo_path, F_OK)) {
+ SAFE_FILE_SCANF(hmac_algo_path, "%s", hmac_algo);
+ SAFE_FILE_PRINTF(hmac_algo_path, "%s", "none");
+ hmac_algo_changed = 1;
+ }
+ }
+
loc.sin6_family = AF_INET6;
loc.sin6_addr = in6addr_loopback;
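Review bot: `char hmac_algo[CHAR_MAX]` sizes the buffer with a character-value limit (127 when char is signed), and `SAFE_FILE_SCANF(hmac_algo_path, "%s", hmac_algo)` then reads into it with an unbounded `%s`; give the buffer an explicit size and bound the conversion, e.g. `char hmac_algo[32];` with `"%31s"`. Both `hmac_algo` and `hmac_algo_changed` are locals of setup_server(), so nothing outside this function can put the sysctl back if a SAFE_* call brks out before the function ends; make them file-scope (static) so the test's cleanup() can write the saved value back. The `modprobe` fallback can also be avoided: creating an SCTP socket (e.g. `SAFE_SOCKET(PF_INET, SOCK_STREAM, IPPROTO_SCTP)`) makes the kernel autoload the module, which drops the dependency on the modprobe binary being present.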
@@ -46,6 +64,9 @@ static void setup_server(void)
SAFE_LISTEN(sfd, 1);
srand(port);
+
+ if (hmac_algo_changed)
+ SAFE_FILE_PRINTF(hmac_algo_path, "%s", hmac_algo);
}
static void update_packet_field(size_t *off, void *buf, size_t buf_len)
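Review bot: the restore `if (hmac_algo_changed) SAFE_FILE_PRINTF(hmac_algo_path, "%s", hmac_algo);` is reached only on the success path; `SAFE_LISTEN(sfd, 1)` and the other SAFE_* calls between the write of "none" and this point call tst_brk() on failure, which skips the restore and leaves the system-wide cookie_hmac_alg at "none" after the test. Move the restore into the test's cleanup() (with the saved value at file scope) so it also runs on TBROK.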
--
2.39.0
--
Mailing list info: https://lists.linux.it/listinfo/ltp
* Re: [LTP] [PATCH v2] sctp_big_chunk: Do not use md5 hmac algo if fips is enabled
  2023-06-27 11:04 ` Petr Vorel
From: Petr Vorel @ 2023-06-27 11:04 UTC (permalink / raw)
To: Ashwin Dayanand Kamat; +Cc: tkundu, akaher, vsirnapalli, ltp

Hi Ashwin,

LGTM now.

Reviewed-by: Petr Vorel <pvorel@suse.cz>

Kind regards,
Petr
* Re: [LTP] [PATCH v2] sctp_big_chunk: Do not use md5 hmac algo if fips is enabled
  2023-06-27 11:09 ` Petr Vorel
From: Petr Vorel @ 2023-06-27 11:09 UTC (permalink / raw)
To: Ashwin Dayanand Kamat; +Cc: tkundu, akaher, vsirnapalli, ltp

Hi,

> MD5 is not FIPS compliant. But still md5 is used as the default algorithm for sctp
> even when fips is enabled. Due to this, sctp_big_chunk testcase is failing because listen()
> system call in setup_server() is failing in fips environment.
> Fix is to not use md5 algorithm while setting up server, instead set it to none
> Signed-Off by: Ashwin Dayanand Kamat <kashwindayan@vmware.com>
> ----
> v2:
> As per the review comments given by Petr, did below changes in v2,
> * Moved the logic to sctp_server() function
> * Setting none as the default algo
> * make sure cookie_hmac_alg file is present before accessing it

BTW I suggested modprobe, because I'm not aware of other way to trigger it.
But maybe creating SCTP socket would trigger it, e.g.
socket(PF_INET, SOCK_STREAM, IPPROTO_SCTP);
If yes, IMHO it'd be more elegant solution and (likely) we would not depend on modprobe.

Kind regards,
Petr

> ---
> testcases/network/sctp/sctp_big_chunk.c | 21 +++++++++++++++++++++
> 1 file changed, 21 insertions(+)
> diff --git a/testcases/network/sctp/sctp_big_chunk.c b/testcases/network/sctp/sctp_big_chunk.c
> index a6a326ea2..31786dd39 100644
> --- a/testcases/network/sctp/sctp_big_chunk.c
> +++ b/testcases/network/sctp/sctp_big_chunk.c
> @@ -34,6 +34,24 @@ static int addr_num = 3273; > static void setup_server(void) > { > + const char *const cmd_modprobe[] = {"modprobe", "sctp", NULL}; > + const char hmac_algo_path[] = "/proc/sys/net/sctp/cookie_hmac_alg"; > + char hmac_algo[CHAR_MAX]; > + int hmac_algo_changed = 0; > + > + /* Disable md5 if fips is enabled. Set it to none */ > + if (tst_fips_enabled()) { > + if (access(hmac_algo_path, F_OK) < 0) { > + SAFE_CMD(cmd_modprobe, NULL, NULL); > + } > + > + if (!access(hmac_algo_path, F_OK)) { > + SAFE_FILE_SCANF(hmac_algo_path, "%s", hmac_algo); > + SAFE_FILE_PRINTF(hmac_algo_path, "%s", "none"); > + hmac_algo_changed = 1; > + } > + } > + > loc.sin6_family = AF_INET6; > loc.sin6_addr = in6addr_loopback; > @@ -46,6 +64,9 @@ static void setup_server(void) > SAFE_LISTEN(sfd, 1); > srand(port); > + > + if (hmac_algo_changed) > + SAFE_FILE_PRINTF(hmac_algo_path, "%s", hmac_algo); > } > static void update_packet_field(size_t *off, void *buf, size_t buf_len)
* Re: [LTP] [PATCH v2] sctp_big_chunk: Do not use md5 hmac algo if fips is enabled
  2023-06-27 11:20 ` Petr Vorel
From: Petr Vorel @ 2023-06-27 11:20 UTC (permalink / raw)
To: Ashwin Dayanand Kamat, ltp, akaher, tkundu, vsirnapalli, Cyril Hrubis

> Hi,

> > MD5 is not FIPS compliant. But still md5 is used as the default algorithm for sctp
> > even when fips is enabled. Due to this, sctp_big_chunk testcase is failing because listen()
> > system call in setup_server() is failing in fips environment.
> > Fix is to not use md5 algorithm while setting up server, instead set it to none
> > Signed-Off by: Ashwin Dayanand Kamat <kashwindayan@vmware.com>
> > ----
> > v2:
> > As per the review comments given by Petr, did below changes in v2,
> > * Moved the logic to sctp_server() function
> > * Setting none as the default algo
> > * make sure cookie_hmac_alg file is present before accessing it

> BTW I suggested modprobe, because I'm not aware of other way to trigger it.
> But maybe creating SCTP socket would trigger it, e.g.
> socket(PF_INET, SOCK_STREAM, IPPROTO_SCTP);

Yes, this simple socket call loads sctp module. Could we use something like this:

int fd;
fd = SAFE_SOCKET(PF_INET, SOCK_STREAM, IPPROTO_SCTP);
SAFE_CLOSE(fd);

to make sure sctp is loaded instead of directly calling modprobe?
I'm sorry I didn't find this before.

Kind regards,
Petr

> If yes, IMHO it'd be more elegant solution and (likely) we would not depend on
> modprobe.

> Kind regards,
> Petr

> > ---
> > testcases/network/sctp/sctp_big_chunk.c | 21 +++++++++++++++++++++
> > 1 file changed, 21 insertions(+)
> > diff --git a/testcases/network/sctp/sctp_big_chunk.c b/testcases/network/sctp/sctp_big_chunk.c
> > index a6a326ea2..31786dd39 100644
> > --- a/testcases/network/sctp/sctp_big_chunk.c
> > +++ b/testcases/network/sctp/sctp_big_chunk.c
> > @@ -34,6 +34,24 @@ static int addr_num = 3273; > > static void setup_server(void) > > { > > + const char *const cmd_modprobe[] = {"modprobe", "sctp", NULL}; > > + const char hmac_algo_path[] = "/proc/sys/net/sctp/cookie_hmac_alg"; > > + char hmac_algo[CHAR_MAX]; > > + int hmac_algo_changed = 0; > > + > > + /* Disable md5 if fips is enabled. Set it to none */ > > + if (tst_fips_enabled()) { > > + if (access(hmac_algo_path, F_OK) < 0) { > > + SAFE_CMD(cmd_modprobe, NULL, NULL); > > + } > > + > > + if (!access(hmac_algo_path, F_OK)) { > > + SAFE_FILE_SCANF(hmac_algo_path, "%s", hmac_algo); > > + SAFE_FILE_PRINTF(hmac_algo_path, "%s", "none"); > > + hmac_algo_changed = 1; > > + } > > + } > > + > > loc.sin6_family = AF_INET6; > > loc.sin6_addr = in6addr_loopback; > > @@ -46,6 +64,9 @@ static void setup_server(void) > > SAFE_LISTEN(sfd, 1); > > srand(port); > > + > > + if (hmac_algo_changed) > > + SAFE_FILE_PRINTF(hmac_algo_path, "%s", hmac_algo); > > } > > static void update_packet_field(size_t *off, void *buf, size_t buf_len)
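The load-via-socket and save/restore flow discussed in this message, as an added stand-alone C example; it is not LTP code and not the patch under review. It autoloads sctp by creating an SCTP socket instead of running modprobe, reads the current cookie_hmac_alg with a bounded read, switches it to "none" only when the kernel's FIPS flag is set, and restores the saved value from an atexit handler so that an early failure cannot leave the system-wide knob changed. The function names, the 32-byte buffer and the atexit-based cleanup are this example's own choices; the two /proc paths are the real kernel knobs. Writing the sysctl needs root and an SCTP-capable kernel, but the helpers take the path as a parameter, so the logic can be exercised on a scratch file.

```c
/* Added example, not LTP code: autoload sctp via socket(), save the current
 * cookie_hmac_alg, switch it to "none" under FIPS, restore it at exit. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define HMAC_ALG_PATH "/proc/sys/net/sctp/cookie_hmac_alg"
#define FIPS_PATH     "/proc/sys/crypto/fips_enabled"
#define ALG_LEN       32	/* knob holds "none", "md5" or "sha1"; bound the read */

/* First token of path into buf, at most len-1 bytes; 0 on success, -1 if
 * the file is unreadable or holds no token. */
int read_first_token(const char *path, char *buf, size_t len)
{
	FILE *f = fopen(path, "r");
	size_t n = 0;
	int c;
	if (!f)
		return -1;
	while ((c = fgetc(f)) != EOF && isspace(c))
		;			/* skip leading whitespace */
	while (c != EOF && !isspace(c)) {
		if (n + 1 < len)
			buf[n++] = (char)c;	/* bytes past len-1 are dropped */
		c = fgetc(f);
	}
	fclose(f);
	buf[n] = '\0';
	return n ? 0 : -1;
}

/* Write s plus newline; -1 if the open, write or close fails (a sysctl rejecting
 * the value reports it on the write or close). */
int write_string(const char *path, const char *s)
{
	FILE *f = fopen(path, "w");
	int rc;
	if (!f)
		return -1;
	rc = fprintf(f, "%s\n", s) > 0 ? 0 : -1;
	if (fclose(f) != 0)
		rc = -1;
	return rc;
}

/* 1 if the FIPS flag file reads "1", else 0 (an absent file counts as 0). */
int fips_enabled_at(const char *path)
{
	char v[ALG_LEN];
	return read_first_token(path, v, sizeof(v)) == 0 && strcmp(v, "1") == 0;
}

/* An SCTP socket makes the kernel autoload the sctp module (and so create
 * /proc/sys/net/sctp/) without calling modprobe. */
int sctp_autoload(void)
{
	int fd = socket(PF_INET, SOCK_STREAM, IPPROTO_SCTP);
	if (fd < 0)
		return -1;
	close(fd);
	return 0;
}

/* Under FIPS, save the knob's value in saved and write "none". Returns 1 if
 * changed, 0 if nothing to do, -1 on error. The path is a parameter so the
 * logic can be exercised on a scratch file. */
int disable_md5_if_fips(int fips, const char *alg_path, char *saved,
			size_t len, int *changed)
{
	if (!fips)
		return 0;
	if (read_first_token(alg_path, saved, len) < 0)
		return -1;
	if (write_string(alg_path, "none") < 0)
		return -1;
	*changed = 1;
	return 1;
}

/* File scope, so the handler run by exit() reaches the saved value on any path. */
static char saved_alg[ALG_LEN];
static int alg_changed;
static void restore_hmac_alg(void)
{
	if (alg_changed && write_string(HMAC_ALG_PATH, saved_alg) == 0)
		alg_changed = 0;
}

int main(void)
{
	if (sctp_autoload() < 0 && access(HMAC_ALG_PATH, F_OK) < 0)
		return 1;		/* kernel without SCTP support */
	atexit(restore_hmac_alg);	/* registered before the knob is touched */
	if (disable_md5_if_fips(fips_enabled_at(FIPS_PATH), HMAC_ALG_PATH,
				saved_alg, sizeof(saved_alg), &alg_changed) < 0)
		return 1;
	/* the listen()/test body would run here; exit() then restores the knob */
	return 0;
}
```

The restore handler is registered before the sysctl is written, and the saved value lives at file scope, so a failure anywhere in the body still puts the knob back on exit; with the patch's locals, a brk between the write of "none" and the end of setup_server() would leave the change behind.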
* Re: [LTP] [PATCH v2] sctp_big_chunk: Do not use md5 hmac algo if fips is enabled
  2023-06-27 12:58 ` Petr Vorel
From: Petr Vorel @ 2023-06-27 12:58 UTC (permalink / raw)
To: Ashwin Dayanand Kamat; +Cc: tkundu, akaher, vsirnapalli, ltp

Hi Ashwin,

Tested-by: Petr Vorel <pvorel@suse.cz>

LGTM, but as I wrote, I'd prefer to load with SAFE_SOCKET().
Will you please send v3?

Kind regards,
Petr
* Re: [LTP] [PATCH v2] sctp_big_chunk: Do not use md5 hmac algo if fips is enabled
  2023-06-28 6:05 ` Ashwin Dayanand Kamat via ltp
From: Ashwin Dayanand Kamat via ltp @ 2023-06-28 6:05 UTC (permalink / raw)
To: Petr Vorel; +Cc: Tapas Kundu, Ajay Kaher, Vasavi Sirnapalli, ltp@lists.linux.it

> On 27-Jun-2023, at 6:28 PM, Petr Vorel <pvorel@suse.cz> wrote:
>
> Hi Ashwin,
>
> Tested-by: Petr Vorel <pvorel@suse.cz>
>
> LGTM, but as I wrote, I'd prefer to load with SAFE_SOCKET().
> Will you please send v3?

Hi Petr,

Thanks for your inputs. I have sent the v3 patch and have made changes as suggested by you.

Thanks,
Ashwin

> Kind regards,
> Petr