2023-06-13 12:36:46

by Magali Lemes

Subject: [PATCH v4 4/4] selftests: net: fcnal-test: check if FIPS mode is enabled

There are some MD5 tests which fail when the kernel is in FIPS mode,
since MD5 is not FIPS compliant. Add a check and only run those tests
if FIPS mode is not enabled.

Fixes: f0bee1ebb5594 ("fcnal-test: Add TCP MD5 tests")
Fixes: 5cad8bce26e01 ("fcnal-test: Add TCP MD5 tests for VRF")
Reviewed-by: David Ahern <[email protected]>
Signed-off-by: Magali Lemes <[email protected]>
---
No change in v4.
No change in v3.

Changes in v2:
- Add R-b tag.

tools/testing/selftests/net/fcnal-test.sh | 27 ++++++++++++++++-------
1 file changed, 19 insertions(+), 8 deletions(-)

diff --git a/tools/testing/selftests/net/fcnal-test.sh b/tools/testing/selftests/net/fcnal-test.sh
index 21ca91473c09..ee6880ac3e5e 100755
--- a/tools/testing/selftests/net/fcnal-test.sh
+++ b/tools/testing/selftests/net/fcnal-test.sh
@@ -92,6 +92,13 @@ NSC_CMD="ip netns exec ${NSC}"

which ping6 > /dev/null 2>&1 && ping6=$(which ping6) || ping6=$(which ping)

+# Check if FIPS mode is enabled
+if [ -f /proc/sys/crypto/fips_enabled ]; then
+ fips_enabled=`cat /proc/sys/crypto/fips_enabled`
+else
+ fips_enabled=0
+fi
+
################################################################################
# utilities

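Review bot: The fips_enabled assignment uses backtick command substitution, while the context line directly above it already uses the $(...) form (`ping6=$(which ping6)`). Writing it as `fips_enabled=$(cat /proc/sys/crypto/fips_enabled)` would match the surrounding style and nests more safely if the expression ever grows.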
@@ -1216,7 +1223,7 @@ ipv4_tcp_novrf()
run_cmd nettest -d ${NSA_DEV} -r ${a}
log_test_addr ${a} $? 1 "No server, device client, local conn"

- ipv4_tcp_md5_novrf
+ [ "$fips_enabled" = "1" ] || ipv4_tcp_md5_novrf
}

ipv4_tcp_vrf()
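Review bot: When fips_enabled is 1, the `||` guard at the end of ipv4_tcp_novrf() skips ipv4_tcp_md5_novrf without printing anything, so the run output gives no sign that TCP MD5 coverage was left out. Consider an if/else that reports the skip, for example `echo "SKIP: TCP MD5 tests, FIPS mode enabled"`, so that a result from a FIPS host is not read as full coverage.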
@@ -1270,9 +1277,11 @@ ipv4_tcp_vrf()
log_test_addr ${a} $? 1 "Global server, local connection"

# run MD5 tests
- setup_vrf_dup
- ipv4_tcp_md5
- cleanup_vrf_dup
+ if [ "$fips_enabled" = "0" ]; then
+ setup_vrf_dup
+ ipv4_tcp_md5
+ cleanup_vrf_dup
+ fi

#
# enable VRF global server
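Review bot: The guard in ipv4_tcp_vrf() tests `[ "$fips_enabled" = "0" ]`, whereas the non-VRF call site tests `[ "$fips_enabled" = "1" ] ||`. The two disagree for any value other than 0 or 1, for example an empty string if reading /proc/sys/crypto/fips_enabled fails: the non-VRF MD5 tests would run while the VRF ones are skipped. Use the same predicate at every call site so the behaviour is consistent.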
@@ -2772,7 +2781,7 @@ ipv6_tcp_novrf()
log_test_addr ${a} $? 1 "No server, device client, local conn"
done

- ipv6_tcp_md5_novrf
+ [ "$fips_enabled" = "1" ] || ipv6_tcp_md5_novrf
}

ipv6_tcp_vrf()
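Review bot: The `[ "$fips_enabled" = "1" ] ||` guard in ipv6_tcp_novrf() repeats the IPv4 one, and the patch ends up with the FIPS condition written out at four call sites. A small helper function next to the fips_enabled assignment that wraps the comparison would keep the condition in one place and make it harder for the copies to drift apart.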
@@ -2842,9 +2851,11 @@ ipv6_tcp_vrf()
log_test_addr ${a} $? 1 "Global server, local connection"

# run MD5 tests
- setup_vrf_dup
- ipv6_tcp_md5
- cleanup_vrf_dup
+ if [ "$fips_enabled" = "0" ]; then
+ setup_vrf_dup
+ ipv6_tcp_md5
+ cleanup_vrf_dup
+ fi

#
# enable VRF global server
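Review bot: The "# run MD5 tests" comment above the new `if` in ipv6_tcp_vrf() no longer describes the block accurately, since the tests are now conditional. Extend the comment to say the MD5 tests are skipped in FIPS mode because MD5 is not FIPS compliant, which is the reason the commit message gives; the same applies to the matching comment in ipv4_tcp_vrf().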
--
2.34.1



2023-06-16 19:51:43

by Matthieu Baerts

Subject: Re: [PATCH v4 4/4] selftests: net: fcnal-test: check if FIPS mode is enabled: manual merge

Hi Magali,

On 13/06/2023 14:32, Magali Lemes wrote:
> There are some MD5 tests which fail when the kernel is in FIPS mode,
> since MD5 is not FIPS compliant. Add a check and only run those tests
> if FIPS mode is not enabled.
>
> Fixes: f0bee1ebb5594 ("fcnal-test: Add TCP MD5 tests")
> Fixes: 5cad8bce26e01 ("fcnal-test: Add TCP MD5 tests for VRF")
> Reviewed-by: David Ahern <[email protected]>
> Signed-off-by: Magali Lemes <[email protected]>

Thank you for your patch!

FYI, we got a small conflict when merging 'net' in 'net-next' in the
MPTCP tree due to this patch applied in 'net':

d7a2fc1437f7 ("selftests: net: fcnal-test: check if FIPS mode is enabled")

and this one from 'net-next':

dd017c72dde6 ("selftests: fcnal: Test SO_DONTROUTE on TCP sockets.")

----- Generic Message -----
The best is to avoid conflicts between 'net' and 'net-next' trees but if
they cannot be avoided when preparing patches, a note about how to fix
them is much appreciated.

The conflict has been resolved on our side[1] and the resolution we
suggest is attached to this email. Please report any issues linked to
this conflict resolution as it might be used by others. If you worked on
the mentioned patches, don't hesitate to ACK this conflict resolution.
---------------------------

Regarding this conflict, I simply took the modifications from both sides.

Cheers,
Matt

[1] https://github.com/multipath-tcp/mptcp_net-next/commit/502f061b9a02
--
Tessares | Belgium | Hybrid Access Solutions
http://www.tessares.net


Attachments:
502f061b9a02bc02a62d4e136e65514211dc63c5.patch (502.00 B)

2023-06-16 20:29:24

by Matthieu Baerts

Subject: Re: [PATCH v4 4/4] selftests: net: fcnal-test: check if FIPS mode is enabled: manual merge

Hi Jakub, Stephen,

On 16/06/2023 21:33, Matthieu Baerts wrote:
> Hi Magali,
>
> On 13/06/2023 14:32, Magali Lemes wrote:
>> There are some MD5 tests which fail when the kernel is in FIPS mode,
>> since MD5 is not FIPS compliant. Add a check and only run those tests
>> if FIPS mode is not enabled.
>>
>> Fixes: f0bee1ebb5594 ("fcnal-test: Add TCP MD5 tests")
>> Fixes: 5cad8bce26e01 ("fcnal-test: Add TCP MD5 tests for VRF")
>> Reviewed-by: David Ahern <[email protected]>
>> Signed-off-by: Magali Lemes <[email protected]>
>
> Thank you for your patch!
>
> FYI, we got a small conflict when merging 'net' in 'net-next' in the
> MPTCP tree due to this patch applied in 'net':

Just in case, I'm starting to publish the Git rerere resolutions for the
conflicts we have when syncing the MPTCP trees with Netdev's "net" and
"net-next" trees. They are available there:

https://github.com/multipath-tcp/mptcp-upstream-rr-cache

For this specific conflict, the new files are available there:

https://github.com/multipath-tcp/mptcp-upstream-rr-cache/commit/5091dd

Don't hesitate to tell me if I need to change anything to this repo.

Cheers,
Matt
--
Tessares | Belgium | Hybrid Access Solutions
http://www.tessares.net