- Bug
- Resolution: Done-Errata
- Normal
- rhel-9.2.0
- libkcapi-1.4.0-2.el9
- None
- None
- ZStream
- 1
- rhel-sst-security-crypto
- ssg_security
- 15
- 20
- 3
- QE ack, Dev ack
- False
- No
- Crypto23Q4
- Approved Blocker
- Pass
- Enabled
- Automated
- Release Note Not Required
- All
- None
Description of problem:
Recent changes in the RHEL-9 kernel break the tests in FIPS mode. Since 5.14.0-78.el9, HMAC keys require at least 112 bits, and various tests are using 64-bit keys (password / 70617373776f726464 in hex). The following tests fail:
- /usr/libexec/libkcapi/test.sh
- /usr/libexec/libkcapi/kcapi-enc-test.sh
- /usr/libexec/libkcapi/kcapi-dgst-test.sh
- /usr/libexec/libkcapi/hasher-test.sh
- /usr/libexec/libkcapi/kcapi-convenience.sh
It is not a bug; the kernel is now more restrictive about key sizes in FIPS mode because FIPS 140-3 requires it. Tests can be modified to use longer keys.
Version-Release number of selected component (if applicable):
libkcapi-1.3.1-3.el9
5.14.0-283.el9
How reproducible:
100% in FIPS mode
Steps to Reproduce:
1. Enable FIPS mode
- fips-mode-setup --enable && reboot
2. Disable 3DES cases for test.sh
- sed -i 's/HASHEXEC="1 2/HASHEXEC="2/g' /usr/libexec/libkcapi/test.sh
- sed -i 's/SYMEXEC="1 2 3 4 5 6 7/SYMEXEC="1 2 3/g' /usr/libexec/libkcapi/test.sh
3. Run the tests
- /usr/libexec/libkcapi/test.sh
- /usr/libexec/libkcapi/kcapi-enc-test.sh
- /usr/libexec/libkcapi/kcapi-dgst-test.sh
- /usr/libexec/libkcapi/hasher-test.sh
- /usr/libexec/libkcapi/kcapi-convenience.sh
Actual results:
All tests failed (see attached taskout.log).
Expected results:
All tests passed.
Additional info:
+++ This bug was initially created as a clone of Bug #2180552 +++
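The key-size rule described in this report can be checked directly against the running kernel. The following is an added example, not part of the original report or of libkcapi: it measures a hex key against the 112-bit minimum and asks the kernel crypto API (AF_ALG) whether it accepts the key for HMAC. The sample keys are constructed, and the choice of `hmac(sha256)` and the reading of `EINVAL` as "key rejected" are assumptions.

```python
import errno
import socket

FIPS_MIN_HMAC_KEY_BITS = 112  # minimum quoted in the report
# Constructed sample keys: ASCII "password" (64 bits) and a 128-bit test value.
SHORT_KEY = b"password".hex()
LONG_KEY = "00112233445566778899aabbccddeeff"


def key_bits(hex_key):
    """Length in bits of a key given as a hex string."""
    return len(bytes.fromhex(hex_key)) * 8


def fips_enabled(path="/proc/sys/crypto/fips_enabled"):
    """True when the running kernel reports FIPS mode."""
    try:
        with open(path) as f:
            return f.read().strip() == "1"
    except OSError:
        return False


def probe_hmac_setkey(hex_key, alg="hmac(sha256)"):
    """Try to set the key via AF_ALG: 'accepted', 'rejected' or 'unavailable'."""
    if not hasattr(socket, "AF_ALG"):
        return "unavailable"
    try:
        with socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0) as s:
            s.bind(("hash", alg))
            s.setsockopt(socket.SOL_ALG, socket.ALG_SET_KEY,
                         bytes.fromhex(hex_key))
            return "accepted"
    except OSError as e:
        # Assumption: the kernel signals a too-short key with EINVAL.
        return "rejected" if e.errno == errno.EINVAL else "unavailable"


def check_key(hex_key):
    """Combine the static length check with the live kernel probe."""
    bits = key_bits(hex_key)
    return {"bits": bits,
            "meets_fips_minimum": bits >= FIPS_MIN_HMAC_KEY_BITS,
            "kernel": probe_hmac_setkey(hex_key)}


if __name__ == "__main__":
    print("FIPS mode:", fips_enabled())
    for key in (SHORT_KEY, LONG_KEY):
        print(key, check_key(key))
```

On a host in FIPS mode with a kernel that enforces the minimum, the 64-bit key is expected to come back as rejected while the 128-bit key is accepted; outside FIPS mode both are accepted.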
- is blocked by
  - RHEL-2406 kcapi tests fail in FIPS mode (Closed)
- links to
  - RHBA-2023:123581 libkcapi bug fix and enhancement update
  - RHBA-2023:123582 libkcapi bug fix and enhancement update
  - RHBA-2023:123586 libkcapi bug fix and enhancement update