[LTP] [PATCH] sctp_big_chunk: Do not use md5 hmac algo if fips is enabled

Petr Vorel pvorel@suse.cz
Wed Jun 21 00:24:10 CEST 2023 

Hi Ashwin,

> MD5 is not FIPS compliant. But still md5 is used as the default algorithm for sctp
> even when fips is enabled. Due to this, sctp_big_chunk testcase is failing because listen()
> system call in setup_server() is failing in fips environment.

> Fix is to not use md5 algorithm while setting up server.
> Instead use sha1 as algorithm if it's supported or else set it to none.

> Signed-Off by: Ashwin Dayanand Kamat <kashwindayan@vmware.com>
> ---
>  testcases/network/sctp/sctp_big_chunk.c | 14 ++++++++++++++
>  1 file changed, 14 insertions(+)

> diff --git a/testcases/network/sctp/sctp_big_chunk.c b/testcases/network/sctp/sctp_big_chunk.c
> index a6a326ea2..267f1cb45 100644
> --- a/testcases/network/sctp/sctp_big_chunk.c
> +++ b/testcases/network/sctp/sctp_big_chunk.c
> @@ -133,11 +133,15 @@ static void setup_client(void)
>  }

>  static const char mtu_path[] = "/sys/class/net/lo/mtu";
> +static const char hmac_algo_path[] = "/proc/sys/net/sctp/cookie_hmac_alg";
>  static const unsigned int max_mtu = 65535;
>  static unsigned int mtu;

>  static void setup(void)
>  {
> +	char hmac_algo[CHAR_MAX];
> +	int fips_enabled = tst_fips_enabled();
> +
>  	if (tst_parse_int(addr_param, &addr_num, 1, INT_MAX))
>  		tst_brk(TBROK, "wrong address number '%s'", addr_param);

> @@ -146,8 +150,18 @@ static void setup(void)
>  	if (mtu < max_mtu)
>  		tst_brk(TCONF, "Test needs that 'lo' MTU has %d", max_mtu);

> +	SAFE_FILE_SCANF(hmac_algo_path, "%s", hmac_algo);
> +
> +	if (fips_enabled) {
fips_enabled is used only here => if (tst_fips_enabled()) {

> +		if (!system("grep hmac\\(sha1\\) /proc/crypto"))
This would not be acceptable. We have SAFE_FILE_LINES_SCANF()

Something like would do:
SAFE_FILE_LINES_SCANF("/proc/crypto", "hmac(sha1)");

But I wonder if just setting "none" on FIPS would be enough.

Also, shouldn't this be set in setup_server() before SAFE_LISTEN(),
to be obvious what needs it?

Kind regards,
Petr

> +			SAFE_FILE_PRINTF(hmac_algo_path, "%s", "sha1");
> +		else
> +			SAFE_FILE_PRINTF(hmac_algo_path, "%s", "none");
> +	}
> +
>  	setup_server();
>  	setup_client();
> +	SAFE_FILE_PRINTF(hmac_algo_path, "%s", hmac_algo);
>  }

More information about the ltp mailing list