Bug
Resolution: Done-Errata
Normal
rhel-8.8.0
libkcapi-1.4.0-2.el8
rhel-sst-security-crypto
QE ack, Dev ack
Crypto23Q4
Release Note Not Required
Description of problem:
Recent changes in the RHEL-8 kernel (see BZ#166715) break the tests in FIPS mode. Since kernel-4.18.0-473.el8, HMAC keys require at least 112 bits, and various tests are using 64-bit keys (password / 70617373776f726464 in hex). The following tests fail:
- /usr/libexec/libkcapi/test.sh
- /usr/libexec/libkcapi/kcapi-enc-test.sh
- /usr/libexec/libkcapi/kcapi-dgst-test.sh
- /usr/libexec/libkcapi/hasher-test.sh
- /usr/libexec/libkcapi/kcapi-convenience.sh
It is not a bug; the kernel is now more restrictive about key sizes in FIPS mode because FIPS 140-3 requires it. Tests can be modified to use longer keys.
Version-Release number of selected component (if applicable):
libkcapi-1.2.0-2.el8
kernel-4.18.0-473.el8
How reproducible:
100% in FIPS mode
Steps to Reproduce:
1. Enable FIPS mode
- fips-mode-setup --enable && reboot
2. Disable 3DES cases for test.sh
- sed -i 's/HASHEXEC="1 2/HASHEXEC="2/g' /usr/libexec/libkcapi/test.sh
- sed -i 's/SYMEXEC="1 2 3 4 5 6 7/SYMEXEC="1 2 3/g' /usr/libexec/libkcapi/test.sh
3. Run the tests
- /usr/libexec/libkcapi/test.sh
- /usr/libexec/libkcapi/kcapi-enc-test.sh
- /usr/libexec/libkcapi/kcapi-dgst-test.sh
- /usr/libexec/libkcapi/hasher-test.sh
- /usr/libexec/libkcapi/kcapi-convenience.sh
Actual results:
All tests failed (see attached taskout.log).
Expected results:
All tests passed.
Additional info:
All tests pass with the same libkcapi version and with kernel-4.18.0-472.el8.
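The following is an added example, not part of the original report or of the libkcapi test suite: a shell helper that scans script text for hex key literals shorter than the 112-bit HMAC minimum described above. The function names, the heuristic (any standalone hex literal of 8 or more digits is treated as a candidate key), and the sample input are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: find hex-encoded keys below the FIPS-mode HMAC minimum.
MIN_HMAC_KEY_BITS=112   # minimum stated in the report for kernel-4.18.0-473.el8

# Print the bit length of a hex-encoded key.
# Returns 2 for empty, non-hex, or odd-length input.
hex_key_bits() {
    key=$1
    case $key in
        ''|*[!0-9a-fA-F]*) return 2 ;;
    esac
    [ $(( ${#key} % 2 )) -eq 0 ] || return 2
    echo $(( ${#key} * 4 ))
}

# Succeed only if the hex key is at least MIN_HMAC_KEY_BITS long.
hmac_key_ok() {
    bits=$(hex_key_bits "$1") || return 2
    [ "$bits" -ge "$MIN_HMAC_KEY_BITS" ]
}

# Read script text on stdin and print "line:bits:key" for every
# standalone hex literal (>= 8 digits) that is shorter than the minimum.
find_short_hex_keys() {
    grep -nowE '[0-9a-fA-F]{8,}' | while IFS=: read -r lineno key; do
        bits=$(hex_key_bits "$key") || continue
        if [ "$bits" -lt "$MIN_HMAC_KEY_BITS" ]; then
            echo "$lineno:$bits:$key"
        fi
    done
    return 0
}

# Constructed sample input (hypothetical variable names, not taken from
# the libkcapi scripts). 70617373776f7264 is ASCII "password" in hex.
sample_script() {
    cat <<'EOF'
# constructed sample
HMAC_KEY_OLD="70617373776f7264"
HMAC_KEY_NEW="000102030405060708090a0b0c0d"
EOF
}

sample_script | find_short_hex_keys
```

To check a real script, feed it on stdin, for example `find_short_hex_keys < /usr/libexec/libkcapi/test.sh`; hits are candidates only and need manual review, since not every hex literal is an HMAC key.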
Blocks: RHEL-2405 kcapi tests fail in FIPS mode (Closed)
Links to:
- RHBA-2023:123713 libkcapi bug fix and enhancement update
- RHEA-2023:123716 libkcapi bug fix and enhancement update