Bug
Resolution: Duplicate
Normal
rhel-9.0.0
Moderate
rhel-sst-security-crypto
ssg_security
All
Description of problem:
There are many failures in the libkcapi self-test in FIPS mode. When FIPS mode is disabled, all the tests pass. The self-test is actually testing kcapi and hence it might indicate problems in the Kernel Crypto API itself.
Version-Release number of selected component (if applicable):
libkcapi-1.3.1-3.el9
How reproducible:
100% when FIPS mode is enabled.
Steps to Reproduce:
1. Install libkcapi-tests (from the buildroot repository).
2. Disable 3DES cases
- sed -i 's/HASHEXEC\="1 2/HASHEXEC\="2/g' /usr/libexec/libkcapi/test.sh
- sed -i 's/SYMEXEC\="1 2 3 4 5 6 7/SYMEXEC\="1 2 3/g' /usr/libexec/libkcapi/test.sh
3. Execute all tests:
- /usr/libexec/libkcapi/test.sh
- /usr/libexec/libkcapi/kcapi-enc-test.sh
- /usr/libexec/libkcapi/kcapi-enc-test-large.sh
- /usr/libexec/libkcapi/kcapi-dgst-test.sh
- /usr/libexec/libkcapi/hasher-test.sh
- /usr/libexec/libkcapi/kcapi-convenience.sh
- /usr/libexec/libkcapi/kcapi-fuzz-test.sh
Actual results:
- /usr/libexec/libkcapi/test.sh
...
<fail>
- /usr/libexec/libkcapi/kcapi-enc-test.sh
...
Number of failures: 60
- /usr/libexec/libkcapi/kcapi-enc-test-large.sh
Number of failures: 0
- /usr/libexec/libkcapi/kcapi-dgst-test.sh
...
Number of failures: 64
- /usr/libexec/libkcapi/hasher-test.sh
...
Number of failures: 8
- /usr/libexec/libkcapi/kcapi-convenience.sh
...
Number of failures: 1
- /usr/libexec/libkcapi/kcapi-fuzz-test.sh
...
Number of failures: 0
Expected results:
All tests should pass.
Additional info:
The first test (test.sh) fails because it uses keys that are too short for the SHA tests (for some reason the RHEL-9 kernel needs longer keys in FIPS mode than RHEL-8 FIPS or RHEL-9 non-FIPS):
- strace /usr/libexec/libkcapi/kcapi -m -x 8 -c 'hmac(sha1)' -k 73616c74 -p "70617373776f7264" -d 1 -b 20
...
setsockopt(3, SOL_ALG, ALG_SET_KEY, "password", 8) = -1 EINVAL (Invalid argument)
...
With a longer password it will work (worked with 'RedHatEnterpriseLinux'). However, the other tests fail for different reasons I had no time to investigate.
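
An added example, not part of the original report or of libkcapi: a Python probe that repeats the failing ALG_SET_KEY call through AF_ALG without the kcapi binary, then searches for the shortest key the running kernel accepts for hmac(sha1). The function names are illustrative and the 64-byte search limit is an assumption.

```python
import errno
import socket

# Values copied from the report: the -p argument (the ALG_SET_KEY payload in
# the strace output) and the longer value the report says worked.
REPORT_P_HEX = "70617373776f7264"
LONGER_KEY = b"RedHatEnterpriseLinux"


def try_setkey(alg, key):
    """True if setkey succeeds, False on EINVAL, None if AF_ALG/alg is unavailable."""
    if not hasattr(socket, "AF_ALG"):
        return None
    try:
        sock = socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0)
    except OSError:
        return None
    with sock:
        try:
            sock.bind(("hash", alg))
            sock.setsockopt(socket.SOL_ALG, socket.ALG_SET_KEY, key)
        except OSError as exc:
            return False if exc.errno == errno.EINVAL else None
    return True


def min_accepted_key_len(alg, max_len=64):
    """Smallest key length in bytes that setkey accepts, or None."""
    for n in range(1, max_len + 1):
        accepted = try_setkey(alg, b"k" * n)
        if accepted is None:
            return None
        if accepted:
            return n
    return None


def fips_enabled():
    try:
        with open("/proc/sys/crypto/fips_enabled") as f:
            return f.read().strip() == "1"
    except OSError:
        return False


if __name__ == "__main__":
    print("FIPS mode:", fips_enabled())
    for key in (bytes.fromhex(REPORT_P_HEX), LONGER_KEY):
        print(f"hmac(sha1) setkey, {len(key)}-byte key:", try_setkey("hmac(sha1)", key))
    print("shortest accepted key (bytes):", min_accepted_key_len("hmac(sha1)"))
```

Running it once with FIPS mode enabled and once with it disabled shows whether the key-length limit alone separates the two configurations.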