[LTP] [PATCH v2] sctp_big_chunk: Do not use md5 hmac algo if fips is enabled

Tue Jun 27 13:20:01 CEST 2023

> Hi,

> > MD5 is not FIPS compliant. But still md5 is used as the default algorithm for sctp
> > even when fips is enabled. Due to this, sctp_big_chunk testcase is failing because listen()
> > system call in setup_server() is failing in fips environment.

> > Fix is to not use md5 algorithm while setting up server, instead set it to none

> > Signed-Off by: Ashwin Dayanand Kamat <kashwindayan@vmware.com>
> > ----
> > v2:
> > As per the review comments given by Petr, did below changes in v2,
> >         * Moved the logic to sctp_server() function
> >         * Setting none as the default algo
> >         * make sure cookie_hmac_alg file is present before accessing it
> BTW I suggested modprobe, because I'm not aware of other way to trigger it.
> But maybe creating SCTP socket would trigger it, e.g.
> socket(PF_INET, SOCK_STREAM, IPPROTO_SCTP);

Yes, this simple socket call loads sctp module. Could we use something like
this:

	int fd;

	fd = SAFE_SOCKET(PF_INET, SOCK_STREAM, IPPROTO_SCTP);
	SAFE_CLOSE(fd);

to make sure sctp is loaded instead of directly calling modprobe?

I'm sorry I didn't find this before.

Kind regards,
Petr

> If yes, IMHO it'd be more elegant solution and (likely) we would not depend on
> modprobe.

> Kind regards,
> Petr

> > ---
> >  testcases/network/sctp/sctp_big_chunk.c | 21 +++++++++++++++++++++
> >  1 file changed, 21 insertions(+)

> > diff --git a/testcases/network/sctp/sctp_big_chunk.c b/testcases/network/sctp/sctp_big_chunk.c
> > index a6a326ea2..31786dd39 100644
> > --- a/testcases/network/sctp/sctp_big_chunk.c
> > +++ b/testcases/network/sctp/sctp_big_chunk.c
> > @@ -34,6 +34,24 @@ static int addr_num = 3273;

> >  static void setup_server(void)
> >  {
> > +	const char *const cmd_modprobe[] = {"modprobe", "sctp", NULL};
> > +	const char hmac_algo_path[] = "/proc/sys/net/sctp/cookie_hmac_alg";
> > +	char hmac_algo[CHAR_MAX];
> > +	int hmac_algo_changed = 0;
> > +
> > +	/* Disable md5 if fips is enabled. Set it to none */
> > +	if (tst_fips_enabled()) {
> > +		if (access(hmac_algo_path, F_OK) < 0) {
> > +			SAFE_CMD(cmd_modprobe, NULL, NULL);
> > +		}
> > +
> > +		if (!access(hmac_algo_path, F_OK)) {
> > +			SAFE_FILE_SCANF(hmac_algo_path, "%s", hmac_algo);
> > +			SAFE_FILE_PRINTF(hmac_algo_path, "%s", "none");
> > +			hmac_algo_changed = 1;
> > +		}
> > +	}
> > +
> >  	loc.sin6_family = AF_INET6;
> >  	loc.sin6_addr = in6addr_loopback;

> > @@ -46,6 +64,9 @@ static void setup_server(void)
> >  	SAFE_LISTEN(sfd, 1);

> >  	srand(port);
> > +
> > +	if (hmac_algo_changed)
> > +		SAFE_FILE_PRINTF(hmac_algo_path, "%s", hmac_algo);
> >  }

> >  static void update_packet_field(size_t *off, void *buf, size_t buf_len)