RHEL-5270

nss: TLS using ChaCha20-Poly1305 broken on ppc64le

    • Bug
    • Resolution: Unresolved
    • Minor
    • rhel-8.7.0
    • nss
    • sst_security_crypto
    • ssg_security

      Problem:
      TLS using ChaCha20-Poly1305 is broken for OpenJDK (11, 17) in FIPS mode, where it uses the NSS backend. This was discovered by the ssl-tests [1] test suite.

      Steps to reproduce (using ssl-tests [1], system in FIPS mode):
      export JAVA_HOME=/usr/lib/jvm/java-11-openjdk
      make SSLTESTS_SSL_CONFIG_FILTER=SunJSSE,TLS,TLSv1.2,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 TEST_PKCS11_FIPS=1 SSLTESTS_CUSTOM_JAVA_PARAMS=-Djdk.tls.ephemeralDHKeySize=2048

      Exceptions:
      SEVERE: null
      java.net.SocketException: Broken pipe (Write failed)
      at java.base/java.net.SocketOutputStream.socketWrite0(Native Method)
      at java.base/java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:110)
      at java.base/java.net.SocketOutputStream.write(SocketOutputStream.java:150)
      at java.base/sun.security.ssl.SSLSocketOutputRecord.deliver(SSLSocketOutputRecord.java:345)
      at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1305)
      at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1264)
      at SSLSocketClient$1.run(SSLSocketClient.java:81)

      Jan 12, 2023 2:05:36 AM SSLSocketServer$1 run
      SEVERE: null
      javax.net.ssl.SSLException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ENCRYPTED_DATA_INVALID
      at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:133)
      at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:353)
      at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:296)
      at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:291)
      at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:123)
      at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1510)
      at java.base/sun.security.ssl.SSLSocketImpl.readApplicationRecord(SSLSocketImpl.java:1477)
      at java.base/sun.security.ssl.SSLSocketImpl$AppInputStream.read(SSLSocketImpl.java:1066)
      at java.base/sun.security.ssl.SSLSocketImpl$AppInputStream.read(SSLSocketImpl.java:973)
      at SSLSocketServer.serverLoop(SSLSocketServer.java:133)
      at SSLSocketServer$1.run(SSLSocketServer.java:75)
      at java.base/java.lang.Thread.run(Thread.java:829)
      Caused by: javax.crypto.AEADBadTagException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ENCRYPTED_DATA_INVALID
      at jdk.crypto.cryptoki/sun.security.pkcs11.P11AEADCipher.handleException(P11AEADCipher.java:822)
      at jdk.crypto.cryptoki/sun.security.pkcs11.P11AEADCipher.implDoFinal(P11AEADCipher.java:795)
      at jdk.crypto.cryptoki/sun.security.pkcs11.P11AEADCipher.engineDoFinal(P11AEADCipher.java:619)
      at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2497)
      at java.base/sun.security.ssl.SSLCipher$T12CC20P1305ReadCipherGenerator$CC20P1305ReadCipher.decrypt(SSLCipher.java:2204)
      at java.base/sun.security.ssl.SSLSocketInputRecord.decodeInputRecord(SSLSocketInputRecord.java:264)
      at java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:181)
      at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:111)
      ... 7 more
      Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ENCRYPTED_DATA_INVALID
      at jdk.crypto.cryptoki/sun.security.pkcs11.wrapper.PKCS11.C_Decrypt(Native Method)
      at jdk.crypto.cryptoki/sun.security.pkcs11.P11AEADCipher.implDoFinal(P11AEADCipher.java:780)
      ... 13 more

      Jan 12, 2023 2:05:36 AM SSLSocketTester testConfiguration
      SEVERE: null
      javax.net.ssl.SSLException: Received fatal alert: bad_record_mac
      at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:133)
      at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
      at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:340)
      at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293)
      at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:186)
      at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
      at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1510)
      at java.base/sun.security.ssl.SSLSocketImpl.readApplicationRecord(SSLSocketImpl.java:1477)
      at java.base/sun.security.ssl.SSLSocketImpl$AppInputStream.read(SSLSocketImpl.java:1066)
      at java.base/sun.security.ssl.SSLSocketImpl$AppInputStream.read(SSLSocketImpl.java:973)
      at SSLSocketClient.test(SSLSocketClient.java:101)
      at SSLSocketTester.testConfiguration(SSLSocketTester.java:392)
      at SSLSocketTester.testConfigurations(SSLSocketTester.java:322)
      at SSLSocketTester.testProvider(SSLSocketTester.java:234)
      at SSLSocketTester.testProviders(SSLSocketTester.java:190)
      at Main.main(Main.java:30)

      NSS NVRs:
      nss-3.79.0-10.el8_6.ppc64le
      nss-softokn-3.79.0-10.el8_6.ppc64le
      nss-softokn-freebl-3.79.0-10.el8_6.ppc64le
      nss-sysinit-3.79.0-10.el8_6.ppc64le
      nss-tools-3.79.0-10.el8_6.ppc64le
      nss-util-3.79.0-10.el8_6.ppc64le

      OpenJDK NVRs:
      java-11-openjdk-11.0.18.0.10-2.el8_7.ppc64le
      java-11-openjdk-devel-11.0.18.0.10-2.el8_7.ppc64le
      java-11-openjdk-headless-11.0.18.0.10-2.el8_7.ppc64le

      Additional info:
      The problem goes away if ppc acceleration is disabled using the environment variable [2]:
      export NSS_DISABLE_PPC_GHASH=1

      [1] https://github.com/rh-openjdk/ssl-tests
      [2] https://github.com/nss-dev/nss/blob/dd30b5402fbe5c42f506db1c4d2920791f498d43/lib/freebl/blinit.c#L518
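An A/B harness for the workaround noted under "Additional info", as an added example that is not part of the original report or of ssl-tests: it runs the same command with and without NSS_DISABLE_PPC_GHASH=1 and checks the failing run's output for the AEAD-tag errors quoted in the exceptions above. The function names and verdict strings are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the report): attribute a TLS test failure to the
# ppc acceleration path by running the same command with and without
# NSS_DISABLE_PPC_GHASH=1. Function names and verdicts are hypothetical.

# Error strings copied from the exceptions quoted in the report.
SIG='CKR_ENCRYPTED_DATA_INVALID|AEADBadTagException|bad_record_mac'

# run_once <logfile> <cmd...>: run the command, keep stdout+stderr in the log,
# and return the command's exit status.
run_once() {
    log=$1; shift
    "$@" >"$log" 2>&1
}

# has_sig <logfile>: true if the log shows an AEAD tag failure.
has_sig() { grep -Eq "$SIG" "$1"; }

# classify <cmd...>: print one verdict for the command.
classify() {
    tmp=$(mktemp -d) || return 2
    accel=0; noaccel=0
    # Run A: acceleration left enabled (variable removed from the environment).
    ( unset NSS_DISABLE_PPC_GHASH; run_once "$tmp/accel.log" "$@" ) || accel=$?
    # Run B: acceleration disabled, as in the report's workaround.
    ( NSS_DISABLE_PPC_GHASH=1; export NSS_DISABLE_PPC_GHASH
      run_once "$tmp/noaccel.log" "$@" ) || noaccel=$?
    if [ "$accel" -eq 0 ]; then
        verdict=not-reproduced          # passes even with acceleration on
    elif [ "$noaccel" -ne 0 ]; then
        verdict=fails-regardless        # the workaround does not help
    elif has_sig "$tmp/accel.log"; then
        verdict=accel-aead-failure      # matches the failure in this report
    else
        verdict=accel-other-failure     # toggles with the variable, other error
    fi
    rm -rf "$tmp"
    echo "$verdict"
}

# Stand-alone use: pass the reproducer command as arguments.
if [ "$#" -gt 0 ]; then classify "$@"; fi
```

Pass the reproducer as arguments, for example the `make` line from the steps above with JAVA_HOME already exported. Only `accel-aead-failure` corresponds to the behaviour described in this report; the other verdicts point to a different or unrelated failure.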

            rrelyea@redhat.com Robert Relyea
            zzambers Zdeněk Žamberský