tests: use utility to detect FIPS mode

Also try to use crypto lib/kernel check where appropriate.

This can be useful for local testing (non-FIPS kernel) but
should not break real FIPS systems.
Milan Broz
2025-11-13 22:06:52 +01:00
parent e4c498d15b
commit 11a4fc6790
12 changed files with 25 additions and 60 deletions


@@ -17,6 +17,9 @@ if [ "$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)" = "1" ] ; then
echo "Kernel running in FIPS mode." echo "Kernel running in FIPS mode."
fi fi
./crypto-check fips_mode && echo "Crypto backend running in FIPS mode."
./crypto-check fips_mode_kernel && echo "Kernel running in FIPS mode."
if [ -f /etc/os-release ] ; then if [ -f /etc/os-release ] ; then
source /etc/os-release source /etc/os-release
echo "$PRETTY_NAME ($NAME) $VERSION" echo "$PRETTY_NAME ($NAME) $VERSION"
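Review bot: On a FIPS kernel this script now prints "Kernel running in FIPS mode." twice, once from the /proc/sys/crypto/fips_enabled block that survives at the top of the hunk and again from the new `./crypto-check fips_mode_kernel` line. Either drop the older /proc block or make the new line distinguishable, e.g. `./crypto-check fips_mode_kernel && echo "Kernel running in FIPS mode (crypto-check)."`. Both new lines also depend on ./crypto-check being built and on the current directory being the tests directory; when it is missing they fail silently and print nothing, which is indistinguishable from "not in FIPS mode".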


@@ -10,8 +10,6 @@ PWD1="93R4P4pIqAH8"
PWD2="mymJeD8ivEhE" PWD2="mymJeD8ivEhE"
FAST_PBKDF="--pbkdf-force-iterations 1000" FAST_PBKDF="--pbkdf-force-iterations 1000"
FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
if [ -n "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then if [ -n "$CRYPTSETUP_TESTS_RUN_IN_MESON" ]; then
CRYPTSETUP_VALGRIND=$CRYPTSETUP CRYPTSETUP_VALGRIND=$CRYPTSETUP
else else
@@ -22,7 +20,7 @@ fi
fips_mode() fips_mode()
{ {
[ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ] ./crypto-check fips_mode
} }
cleanup() { cleanup() {
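Review bot: fips_mode() now reports "not FIPS" whenever ./crypto-check cannot be executed at all (utility not built, or the script started from another directory; the CRYPTSETUP_TESTS_RUN_IN_MESON branch at the top of the hunk suggests more than one invocation path), because a failed exec and a genuine negative both yield a non-zero status. On a real FIPS system that would re-enable the cases this helper exists to skip, which is exactly what the commit message says must not happen. A guard next to the other environment checks, `[ -x ./crypto-check ] || { echo "crypto-check utility not found, cannot detect FIPS mode."; exit 77; }` (or whatever skip exit code this script already uses), makes the failure visible instead of silent. The same applies to the identical one-line fips_mode() bodies in the next three script sections and to the three later script sections that rewrite fips_mode()/fips_mode_kernel() the same way.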


@@ -64,6 +64,7 @@
#define LUKS_PHDR_SIZE_B 1024 #define LUKS_PHDR_SIZE_B 1024
static int _fips_mode = 0; static int _fips_mode = 0;
static int _fips_mode_kernel = 0;
static char *DEVICE_1 = NULL; static char *DEVICE_1 = NULL;
static char *DEVICE_2 = NULL; static char *DEVICE_2 = NULL;
@@ -293,8 +294,9 @@ static int _setup(void)
return 1; return 1;
_fips_mode = fips_mode(); _fips_mode = fips_mode();
_fips_mode_kernel = fips_mode_kernel();
if (_debug) if (_debug)
printf("FIPS MODE: %d\n", _fips_mode); printf("FIPS MODE: LIB %d, KERNEL %d\n", _fips_mode, _fips_mode_kernel);
/* Use default log callback */ /* Use default log callback */
crypt_set_log_callback(NULL, &global_log_callback, NULL); crypt_set_log_callback(NULL, &global_log_callback, NULL);
@@ -1833,7 +1835,7 @@ static void TcryptTest(void)
CRYPT_FREE(cd); CRYPT_FREE(cd);
// Following test uses non-FIPS algorithms in the cipher chain // Following test uses non-FIPS algorithms in the cipher chain
if(_fips_mode) if(_fips_mode || _fips_mode_kernel)
return; return;
OK_(crypt_init(&cd, tcrypt_dev2)); OK_(crypt_init(&cd, tcrypt_dev2));
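Review bot: The two statics at the top of the first hunk deserve a comment saying why both are tracked, since only the TcryptTest() skip below consults them together: `/* FIPS mode as reported by the crypto backend vs. by the running kernel; they can differ on a non-FIPS kernel with a FIPS-enforcing library. */`. The debug line `printf("FIPS MODE: LIB %d, KERNEL %d\n", _fips_mode, _fips_mode_kernel);` already makes the distinction at runtime, so the source comment only needs to echo it. Both `_setup()` and `TcryptTest()` start outside their hunks.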


@@ -31,6 +31,7 @@ int t_dm_capi_string_supported(void);
int t_set_readahead(const char *device, unsigned value); int t_set_readahead(const char *device, unsigned value);
int fips_mode(void); int fips_mode(void);
int fips_mode_kernel(void);
int create_dmdevice_over_device(const char *dm_name, const char *device, uint64_t size, uint64_t offset); int create_dmdevice_over_device(const char *dm_name, const char *device, uint64_t size, uint64_t offset);


@@ -50,7 +50,6 @@ KEY_MATERIAL5_EXT="S331776-395264"
TEST_UUID="12345678-1234-1234-1234-123456789abc" TEST_UUID="12345678-1234-1234-1234-123456789abc"
LOOPDEV=$(losetup -f 2>/dev/null) LOOPDEV=$(losetup -f 2>/dev/null)
FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
remove_mapping() remove_mapping()
{ {
@@ -83,7 +82,7 @@ trap _sigchld CHLD
fips_mode() fips_mode()
{ {
[ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ] ./crypto-check fips_mode
} }
can_fail_fips() can_fail_fips()


@@ -42,8 +42,6 @@ FAST_PBKDF_OPT="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
TEST_UUID="12345678-1234-1234-1234-123456789abc" TEST_UUID="12345678-1234-1234-1234-123456789abc"
FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
remove_mapping() remove_mapping()
{ {
[ -b /dev/mapper/$DEV_NAME2 ] && dmsetup remove --retry $DEV_NAME2 [ -b /dev/mapper/$DEV_NAME2 ] && dmsetup remove --retry $DEV_NAME2
@@ -73,7 +71,7 @@ trap _sigchld CHLD
fips_mode() fips_mode()
{ {
[ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ] ./crypto-check fips_mode
} }
can_fail_fips() can_fail_fips()


@@ -48,7 +48,6 @@ FAST_PBKDF_OPT="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
TEST_UUID="12345678-1234-1234-1234-123456789abc" TEST_UUID="12345678-1234-1234-1234-123456789abc"
LOOPDEV=$(losetup -f 2>/dev/null) LOOPDEV=$(losetup -f 2>/dev/null)
FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
remove_mapping() remove_mapping()
{ {
@@ -88,7 +87,7 @@ trap _sigchld CHLD
fips_mode() fips_mode()
{ {
[ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ] ./crypto-check fips_mode
} }
can_fail_fips() can_fail_fips()


@@ -18,8 +18,6 @@
# define ARRAY_SIZE(arr) (sizeof(arr) / sizeof((arr)[0])) # define ARRAY_SIZE(arr) (sizeof(arr) / sizeof((arr)[0]))
#endif #endif
static bool fips_active = false;
static void printhex(const char *s, const char *buf, size_t len) static void printhex(const char *s, const char *buf, size_t len)
{ {
size_t i; size_t i;
@@ -31,24 +29,6 @@ static void printhex(const char *s, const char *buf, size_t len)
fflush(stdout); fflush(stdout);
} }
static bool fips_mode(void)
{
int fd;
char buf = 0;
fd = open("/proc/sys/crypto/fips_enabled", O_RDONLY);
if (fd < 0)
return false;
if (read(fd, &buf, 1) != 1)
buf = '0';
close(fd);
return (buf == '1');
}
/* /*
* KDF tests * KDF tests
*/ */
@@ -1043,7 +1023,7 @@ static int pbkdf_test_vectors(void)
vec->salt, vec->salt_length, vec->salt, vec->salt_length,
result, vec->output_length, result, vec->output_length,
vec->iterations, vec->memory, vec->parallelism) < 0) { vec->iterations, vec->memory, vec->parallelism) < 0) {
if (vec->can_fail_fips && fips_mode()) { if (vec->can_fail_fips && crypt_fips_mode()) {
printf("[API FAILED, IGNORED (FIPS mode)]\n"); printf("[API FAILED, IGNORED (FIPS mode)]\n");
continue; continue;
} }
@@ -1552,7 +1532,7 @@ static int kernel_capi_check_test(void)
if (!r) if (!r)
printf("[OK]\n"); printf("[OK]\n");
else if (r == -ENOENT || r == -ENOTSUP || else if (r == -ENOENT || r == -ENOTSUP ||
(fips_active && !capi_test_vectors[i].fips)) (crypt_fips_mode_kernel() && !capi_test_vectors[i].fips))
printf("[N/A]\n"); printf("[N/A]\n");
else else
return EXIT_FAILURE; return EXIT_FAILURE;
@@ -1580,8 +1560,6 @@ int main(__attribute__ ((unused)) int argc, __attribute__ ((unused))char *argv[]
} }
#endif #endif
fips_active = fips_mode();
if (crypt_backend_init()) if (crypt_backend_init())
exit_test("Crypto backend init error.", EXIT_FAILURE); exit_test("Crypto backend init error.", EXIT_FAILURE);
@@ -1615,7 +1593,7 @@ int main(__attribute__ ((unused)) int argc, __attribute__ ((unused))char *argv[]
exit_test("Kernel CAPI test failed.", EXIT_FAILURE); exit_test("Kernel CAPI test failed.", EXIT_FAILURE);
if (default_alg_test()) { if (default_alg_test()) {
if (fips_mode()) if (crypt_fips_mode())
printf("\nDefault compiled-in algorithms test ignored (FIPS mode on).\n"); printf("\nDefault compiled-in algorithms test ignored (FIPS mode on).\n");
else else
exit_test("\nDefault compiled-in algorithms test failed.", EXIT_FAILURE); exit_test("\nDefault compiled-in algorithms test failed.", EXIT_FAILURE);
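Review bot: In kernel_capi_check_test() the skip condition now calls `crypt_fips_mode_kernel()` for every vector that fails, where the old code read the once-initialised `fips_active`; if the new helper re-reads the sysctl on each call, as the removed fips_mode() did, that is a redundant file read per vector for a value that cannot change mid-run. Consider hoisting it into a local before the loop, `const bool fips_kernel = crypt_fips_mode_kernel();`, and testing `fips_kernel && !capi_test_vectors[i].fips` in the condition. The loop and the enclosing function start outside the hunk, as does pbkdf_test_vectors(); main()'s own `crypt_fips_mode()` call sits after crypt_backend_init(), which is the right order if the backend-side check needs an initialised backend.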


@@ -33,8 +33,6 @@ else
CRYPTSETUP_LIB_VALGRIND=../.libs CRYPTSETUP_LIB_VALGRIND=../.libs
fi fi
FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
remove_mapping() remove_mapping()
{ {
[ -b /dev/mapper/$NAME ] && dmsetup remove --retry $NAME [ -b /dev/mapper/$NAME ] && dmsetup remove --retry $NAME
@@ -115,9 +113,9 @@ test_and_prepare_keyring() {
load_key "$HEXKEY_16" user test_key "$TEST_KEYRING" || skip "Kernel keyring service is useless on this system, test skipped." load_key "$HEXKEY_16" user test_key "$TEST_KEYRING" || skip "Kernel keyring service is useless on this system, test skipped."
} }
fips_mode() fips_mode_kernel()
{ {
[ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ] ./crypto-check fips_mode_kernel
} }
add_device() { add_device() {
@@ -205,7 +203,7 @@ diff $CHKS_DMCRYPT $CHKS_KEYRING || fail "Plaintext checksums mismatch (corrupti
echo "OK" echo "OK"
#test serpent cipher, cbc mode, tcw IV #test serpent cipher, cbc mode, tcw IV
fips_mode || { fips_mode_kernel || {
echo -n "Testing $CIPHER_CBC_TCW..." echo -n "Testing $CIPHER_CBC_TCW..."
dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_TCW $HEXKEY_64 0 $DEV 0" || fail dmsetup create $NAME --table "0 $DEVSECTORS crypt $CIPHER_CBC_TCW $HEXKEY_64 0 $DEV 0" || fail
sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail sha256sum /dev/mapper/$NAME > $CHKS_DMCRYPT || fail
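Review bot: The helper is renamed from fips_mode() to fips_mode_kernel(), but only one caller, `fips_mode_kernel || {`, is updated in these hunks; any other `fips_mode` call that remains elsewhere in the script is now an unknown command, and inside a `fips_mode || { ... }` guard that reads as "not FIPS" and silently runs the guarded block. Worth a grep of the whole script for the old name before merging, since the rest of the file is outside the hunks shown.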


@@ -54,8 +54,6 @@ HAVE_KEYRING=0
JSON_MSIZE=16384 JSON_MSIZE=16384
IMG_JSON=luks2-digest-1.json IMG_JSON=luks2-digest-1.json
FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
dm_crypt_features() dm_crypt_features()
{ {
VER_STR=$(dmsetup targets | grep crypt | cut -f2 -dv) VER_STR=$(dmsetup targets | grep crypt | cut -f2 -dv)
@@ -163,7 +161,7 @@ skip()
fips_mode() fips_mode()
{ {
[ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ] ./crypto-check fips_mode || ./crypto-check fips_mode_kernel
} }
add_scsi_device() { add_scsi_device() {
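Review bot: This fips_mode() is now true when either the library or the kernel reports FIPS (`./crypto-check fips_mode || ./crypto-check fips_mode_kernel`), whereas the same-named helper in the earlier script sections checks the library only and another section renames it to fips_mode_kernel() and checks the kernel only; a one-line comment above the body, `# true if either the crypto backend or the kernel enforces FIPS`, would keep the three meanings straight for the next reader. The same OR form appears again in the next script section and would take the same comment.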


@@ -30,11 +30,10 @@ LUKS1_DECRYPT="LUKS-$LUKS1_DECRYPT_UUID"
MNT_DIR=./mnt_luks MNT_DIR=./mnt_luks
START_DIR=$(pwd) START_DIR=$(pwd)
FIPS_MODE=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)
fips_mode() fips_mode()
{ {
[ -n "$FIPS_MODE" ] && [ "$FIPS_MODE" -gt 0 ] ./crypto-check fips_mode || ./crypto-check fips_mode_kernel
} }
del_scsi_device() del_scsi_device()


@@ -165,20 +165,12 @@ int t_set_readahead(const char *device, unsigned value)
int fips_mode(void) int fips_mode(void)
{ {
int fd; return _system("./crypto-check fips_mode", 1) == 0;
char buf = 0; }
fd = open("/proc/sys/crypto/fips_enabled", O_RDONLY); int fips_mode_kernel(void)
{
if (fd < 0) return _system("./crypto-check fips_mode_kernel", 1) == 0;
return 0;
if (read(fd, &buf, 1) != 1)
buf = '0';
close(fd);
return (buf == '1');
} }
/* /*
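Review bot: Both helpers now reduce to the exit status of `_system("./crypto-check ...", 1)`, so an exec failure (utility not built, current directory not the tests directory) is reported as "not FIPS" exactly like a genuine negative; on a real FIPS system that would stop callers from skipping the cases that fail under FIPS, which the commit message says must not break. Since the sysctl read removed here is the reliable kernel signal, fips_mode_kernel() could keep it as a fallback for when the utility is not executable; the second argument of _system() is not visible in this hunk and is assumed to be a quiet/verbosity flag. The library-side fips_mode() has no equivalent fallback without a library call, so at least reporting the exec failure there would make the condition visible.

```c
int fips_mode_kernel(void)
{
	/* Prefer the utility; fall back to the sysctl when it cannot be executed. */
	if (access("./crypto-check", X_OK) == 0)
		return _system("./crypto-check fips_mode_kernel", 1) == 0;

	int fd = open("/proc/sys/crypto/fips_enabled", O_RDONLY);
	if (fd < 0)
		return 0;
	char buf = 0;
	if (read(fd, &buf, 1) != 1)
		buf = '0';
	close(fd);
	return buf == '1';
}
```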