| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 24 Jan 2024 19:59:32 +0000
From: Dmitry Safonov <dima@...sta.com>
To: Jakub Kicinski <kuba@...nel.org>
Cc: "David S. Miller" <davem@...emloft.net>,
Eric Dumazet <edumazet@...gle.com>, Paolo Abeni <pabeni@...hat.com>,
Shuah Khan <shuah@...nel.org>, Dmitry Safonov <0x7f454c46@...il.com>,
Mohammad Nassiri <mnassiri@...na.com>, netdev@...r.kernel.org,
linux-kselftest@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 0/3] selftests/net: A couple of typos fixes in
key-management test
On 1/24/24 19:04, Jakub Kicinski wrote:
> On Wed, 24 Jan 2024 17:46:10 +0000 Dmitry Safonov wrote:
>>>> Thanks!
>>>>
>>>> I'll send a patch for it in version 2 (as I anyway need to address
>>>> Simon's feedback).
>>>
>>> Hi Dmitry!
>>>
>>> I put TCP_AO and VETH in the config and the tests seem to fail with
>>
>> Thanks for wiring it up and for https://netdev.bots.linux.dev/status.html!
>>
>>> selftests: net/tcp_ao: rst_ipv4
>>> not ok 1 # error 834[lib/kconfig.c:143] Failed to initialize kconfig 2: No such file or directory
>>> # Planned tests != run tests (0 != 1)
>>> # Totals: pass:0 fail:0 xfail:0 xpass:0 skip:0 error:1
>>
>> Hehe, yeah I wanted to detect kernels with !CONFIG_TCP_AO, to SKIP the
>> test, rather than FAIL it, which this lib/kconfig.c does.
>> But from a glance, I think it's failing in your run because there are
>> checks with and without TCP_AO, but I didn't think of checking for
>> the hashing algorithms support.
>>
>> I think what happens is has_tcp_ao():
>> : strcpy(tmp.alg_name, "hmac(sha1)");
>> ...
>> : if (setsockopt(sk, IPPROTO_TCP, TCP_AO_ADD_KEY, &tmp, sizeof(tmp)) < 0)
>>
>> Could you check that what I suppose is failing, is actually failing?
>> [dima@...dolluin linux-master]$ grep -e '\<CONFIG_CRYPTO_SHA1\>' -e
>> '\<CONFIG_CRYPTO_HMAC\>' .config
>> CONFIG_CRYPTO_HMAC=y
>> CONFIG_CRYPTO_SHA1=y
>
> FWIW the config used is uploaded with the results. If you click on
> the remote it should take you to a location like this:
>
> https://netdev-2.bots.linux.dev/vmksft-tcp-ao/results/435369/
>
> and there should be a config file in there.
>
>> If that's the case, I'll add the detection for hashing algorithms to
>> lib/kconfig.c (together with a patch for
>> tools/testing/selftests/net/config).
>> And also heads up for key-management.c - that tries a bunch of hashing
>> algorithms to check that the work and that the key rotation between
>> different algorithms works:
>>
>> : const char *test_algos[] = {
>> : "cmac(aes128)",
>> : "hmac(sha1)", "hmac(sha512)", "hmac(sha384)", "hmac(sha256)",
>> : "hmac(sha224)", "hmac(sha3-512)",
>> : /* only if !CONFIG_FIPS */
>> : #define TEST_NON_FIPS_ALGOS 2
>> : "hmac(rmd160)", "hmac(md5)"
>> : };
>
> I was stuck in a meeting and I started playing around with the options
> for TCP-AO :)
Haha, the same: 3 hour-long meetings for today :-/
> I added these options now:
>
> CONFIG_CRYPTO_HMAC=y
> CONFIG_CRYPTO_SHA1=y
> CONFIG_CRYPTO_RMD160=y
> CONFIG_IPV6=y
> CONFIG_TCP_AO=y
> CONFIG_TCP_MD5SIG=y
> CONFIG_VETH=m
>
> And it looks much better! There are still some failures:
>
> https://netdev.bots.linux.dev/contest.html?branch=net-next-2024-01-24--18-00&executor=vmksft-tcp-ao
Wow! Nice, thank you!
>
> I added VRF so that should hopefully take care of the MD5 skips
> on the next run. But the failures of the rst-ip* tests don't look
> like an obvious config problem.
Yep, I'll look into this this week.
Thanks,
Dmitry
Powered by blists - more mailing lists