Bug 2077799 - self-test fails in FIPS mode
Status: NEW
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: libkcapi
Version: 9.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Zoltan Fridrich
QA Contact: BaseOS QE Security Team
Reported: 2022-04-22 09:38 UTC by Ondrej Moriš
Modified: 2023-08-07 12:38 UTC (History)
Type: Bug

Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker CRYPTO-11449 0 None None None 2023-08-07 12:38:06 UTC
Red Hat Issue Tracker RHELPLAN-119665 0 None None None 2022-04-22 09:45:07 UTC

Description Ondrej Moriš 2022-04-22 09:38:02 UTC
Description of problem:

There are many failures in the libkcapi self-test in FIPS mode. When FIPS mode is disabled, all the tests pass. The self-test is actually testing kcapi and hence it might indicate problems in the Kernel Crypto API itself.

Version-Release number of selected component (if applicable):

libkcapi-1.3.1-3.el9

How reproducible:

100% when FIPS mode is enabled.

Steps to Reproduce:

1. Install libkcapi-tests (from the buildroot repository).

2. Disable 3DES cases 
   # sed -i 's/HASHEXEC\="1 2/HASHEXEC\="2/g' /usr/libexec/libkcapi/test.sh
   # sed -i 's/SYMEXEC\="1 2 3 4 5 6 7/SYMEXEC\="1 2 3/g' /usr/libexec/libkcapi/test.sh

3. Execute all tests:

   # /usr/libexec/libkcapi/test.sh 
   # /usr/libexec/libkcapi/kcapi-enc-test.sh 
   # /usr/libexec/libkcapi/kcapi-enc-test-large.sh
   # /usr/libexec/libkcapi/kcapi-dgst-test.sh
   # /usr/libexec/libkcapi/hasher-test.sh
   # /usr/libexec/libkcapi/kcapi-convenience.sh
   # /usr/libexec/libkcapi/kcapi-fuzz-test.sh

Actual results:

   # /usr/libexec/libkcapi/test.sh
   ...
   <fail>

   # /usr/libexec/libkcapi/kcapi-enc-test.sh
   ...
   Number of failures: 60

   # /usr/libexec/libkcapi/kcapi-enc-test-large.sh
   Number of failures: 0

   # /usr/libexec/libkcapi/kcapi-dgst-test.sh
   ...
   Number of failures: 64

   # /usr/libexec/libkcapi/hasher-test.sh
   ...
   Number of failures: 8

   # /usr/libexec/libkcapi/kcapi-convenience.sh
   ...
   Number of failures: 1

   # /usr/libexec/libkcapi/kcapi-fuzz-test.sh
   ...
   Number of failures: 0

Expected results:

All tests should pass.

Additional info:

The first test (test.sh) fails because it uses too short keys for SHA tests (for some reason the RHEL-9 kernel needs longer keys in FIPS than in RHEL-8 FIPS or RHEL-9 non-FIPS):

# strace /usr/libexec/libkcapi/kcapi -m -x 8 -c 'hmac(sha1)' -k 73616c74 -p "70617373776f7264" -d 1 -b 20
...
setsockopt(3, SOL_ALG, ALG_SET_KEY, "password", 8) = -1 EINVAL (Invalid argument)
...

With a longer password it will work (worked with 'RedHatEnterpriseLinux'). However, the other tests fail for different reasons I had no time to investigate.

Comment 1 Ondrej Moriš 2023-08-07 12:35:27 UTC
Update for kernel 5.14.0-347.el9 and the same version of libkcapi (1.3.1-3.el9) on RHEL-9.3 nightly compose - the only failing test in FIPS mode is now test.sh with the following failure:

libkcapi - Error: AF_ALG: bind failed (errno: -2)
libkcapi - Error: AF_ALG: bind failed (errno: -2)
libkcapi - Error: AF_ALG: bind failed (errno: -2)
[FAILED: 64-bit - 5.14.0-347.el9.x86_64] Auxiliary test failure detected

All the other tests are passing again.
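
Added example (not part of the report or of libkcapi): a direct AF_ALG probe in Python that repeats the `hmac(sha1)` key-setting call seen in the description's strace with both keys the reporter mentions, and reports which stage fails (bind, as in the `bind failed (errno: -2)` messages of Comment 1, or setkey) together with the errno name. `MESSAGE` and all function names are constructed for this example.

```python
import errno
import socket

# Keys from the report: the 8-byte one got EINVAL in FIPS mode; the 21-byte
# one is the replacement the reporter says worked.
REPORT_KEYS = [b"password", b"RedHatEnterpriseLinux"]
MESSAGE = b"constructed sample message"  # constructed input, not from the report


def fips_enabled(path="/proc/sys/crypto/fips_enabled"):
    """Return True/False from the kernel flag, or None if it cannot be read."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return None


def probe_hmac(alg, key, data=MESSAGE):
    """Return ("ok", digest) or (failed_stage, errno_name) for one AF_ALG run."""
    stage = "socket"
    try:
        with socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0) as tfm:
            stage = "bind"    # fails with ENOENT if the kernel does not offer alg
            tfm.bind(("hash", alg))
            stage = "setkey"  # the call that returned EINVAL in the report's strace
            tfm.setsockopt(socket.SOL_ALG, socket.ALG_SET_KEY, key)
            stage = "digest"
            op, _ = tfm.accept()
            with op:
                op.sendall(data)
                return ("ok", op.recv(64))
    except (OSError, AttributeError) as exc:  # AttributeError: no AF_ALG in this build
        return (stage, errno.errorcode.get(getattr(exc, "errno", None), str(exc)))


def run_report_cases(alg="hmac(sha1)"):
    """Probe every key from the report; returns {key: (stage, detail)}."""
    return {key: probe_hmac(alg, key) for key in REPORT_KEYS}


if __name__ == "__main__":
    print("fips_enabled:", fips_enabled())
    for key, (stage, detail) in run_report_cases().items():
        shown = detail.hex() if isinstance(detail, bytes) else detail
        print(f"{len(key) * 8:3d}-bit key {key!r}: {stage} -> {shown}")
```

Running it once with FIPS mode enabled and once without shows whether a failure comes from the kernel refusing the key or from the algorithm not being offered at all, independent of the libkcapi test scripts.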

