Some test cases from net/tls, net/fcnal-test and net/vrf-xfrm-tests that rely on cryptographic functions to work and use non-compliant FIPS algorithms fail in FIPS mode.
In order to allow these tests to pass in a wider set of kernels, - for net/tls, skip the test variants that use the ChaCha20-Poly1305 and SM4 algorithms, when FIPS mode is enabled; - for net/fcnal-test, skip the MD5 tests, when FIPS mode is enabled; - for net/vrf-xfrm-tests, replace the algorithms that are not FIPS-compliant with compliant ones.
Changes in v3: - Add new commit to allow skipping test directly from test setup. - No need to initialize static variable to zero. - Skip tests during test setup only. - Use the constructor attribute to set fips_enabled before entering main().
Changes in v2: - Add R-b tags. - Put fips_non_compliant into the variants. - Turn fips_enabled into a static global variable. - Read /proc/sys/crypto/fips_enabled only once at main().
v1: https://lore.kernel.org/netdev/20230607174302.19542-1-magali.lemes@canonical... v2: https://lore.kernel.org/netdev/20230609164324.497813-1-magali.lemes@canonica...
Magali Lemes (4): selftests/harness: allow tests to be skipped during setup selftests: net: tls: check if FIPS mode is enabled selftests: net: vrf-xfrm-tests: change authentication and encryption algos selftests: net: fcnal-test: check if FIPS mode is enabled
tools/testing/selftests/kselftest_harness.h | 6 ++-- tools/testing/selftests/net/fcnal-test.sh | 27 +++++++++++----- tools/testing/selftests/net/tls.c | 25 ++++++++++++++- tools/testing/selftests/net/vrf-xfrm-tests.sh | 32 +++++++++---------- 4 files changed, 62 insertions(+), 28 deletions(-)