[Swan-dev] fips test results

Andrew Cagney andrew.cagney at gmail.com
Wed Jul 15 22:06:00 EEST 2015 

On 15 July 2015 at 13:07, Paul Wouters <paul at nohats.ca> wrote:
> On Wed, 15 Jul 2015, Andrew Cagney wrote:
>
>> fips-04-ikev2-md5 failed east:different
>> - just needs an output tweak; missed this
>
>
> It would need to fail properly due to md5 not being allowed.

The known-good output includes the line:
  002 "westnet-eastnet-md5" #1: STATE_PARENT_I1: received
unauthenticated v2N_NO_PROPOSAL_CHOSEN - ignored
I think that's sufficient.  The tweak was to add:
  certutil out:Password changed successfully.
to east.

>> fips-01-ikev1-default incomplete east:truncated west:truncated
>> fips-03-ikev1-md5 failed east:unchecked west:unchecked
>> fips-06-ikev1-sha1 incomplete east:truncated west:truncated
>> - the good news is that they no longer crash
>> - sends back SITUATION_NOT_SUPPORTED
>> - I suspect IKEv1 lacks logic to filter out non-FIPS tests?
>
>
> Ideally, the first and third one should work, using sha1. Only the md5
> hardcoded one should fail.

I'm beginning to suspect that, at least for fips-06-ikev1-sha1, west
is the one messing up.   It seems to ignore the proposal from east?

>> - IKEv1 uses MD5 to check for NAT and FIPS doesn't have MD5 so I'm not
>> sure how far the test will get

I added some tracing and it looks like the MD5 code is working.
Probably because it uses PK11_CreateDigestContext(SEC_OID_MD5) and
that doesn't seem to require an NSS SLOT.

> > fips-05-ikev1-gcm failed east:unchecked west:unchecked
> > - "westnet-eastnet-gcm" #1: unsupported OAKLEY attribute.  Attribute OAKLEY_PRF
> > - sends back NO_PROPOSAL_CHOSEN

> Ideally, this would also pick sha1 and not md5 as prf and then work. It
> related to the default proposal set I think.

I suspect it is.  West sends:

| ******emit ISAKMP Oakley attribute:
|    af+type: OAKLEY_PRF (0x800d)
|    length/value: 2 (0x2)
|     [2 is 2??]

and the other end responds with:
| ******parse ISAKMP Oakley attribute:
|    af+type: OAKLEY_PRF (0x800d)
|    length/value: 2 (0x2)
"westnet-eastnet-gcm" #1: unsupported OAKLEY attribute.  Attribute OAKLEY_PRF

so it may simply be general confusion?

> Tests should always run with the fipscheck and labeled ipsec and audit
> support enabled. The only reason we have not made those the default is
> that debian/ubuntu was missing those packages. I am not sure if they are
> still missing or not.

So all fedora builds should, by default, have those options enabled?

Andrew

More information about the Swan-dev mailing list