[Swan-dev] fips test results
Andrew Cagney
andrew.cagney at gmail.com
Wed Jul 15 22:06:00 EEST 2015
On 15 July 2015 at 13:07, Paul Wouters <paul at nohats.ca> wrote:
> On Wed, 15 Jul 2015, Andrew Cagney wrote:
>
>> fips-04-ikev2-md5 failed east:different
>> - just needs an output tweak; missed this
>
>
> It would need to fail properly due to md5 not being allowed.
The known-good output includes the line:
002 "westnet-eastnet-md5" #1: STATE_PARENT_I1: received
unauthenticated v2N_NO_PROPOSAL_CHOSEN - ignored
I think that's sufficient. The tweak was to add:
certutil out:Password changed successfully.
to east.
>> fips-01-ikev1-default incomplete east:truncated west:truncated
>> fips-03-ikev1-md5 failed east:unchecked west:unchecked
>> fips-06-ikev1-sha1 incomplete east:truncated west:truncated
>> - the good news is that they no longer crash
>> - sends back SITUATION_NOT_SUPPORTED
>> - I suspect IKEv1 lacks logic to filter out non-FIPS tests?
>
>
> Ideally, the first and third one should work, using sha1. Only the md5
> hardcoded one should fail.
I'm beginning to suspect that, at least for fips-06-ikev1-sha1, west
is the one messing up. It seems to ignore the proposal from east?
>> - IKEv1 uses MD5 to check for NAT and FIPS doesn't have MD5 so I'm not
>> sure how far the test will get
I added some tracing and it looks like the MD5 code is working.
Probably because it uses PK11_CreateDigestContext(SEC_OID_MD5) and
that doesn't seem to require an NSS SLOT.
> > fips-05-ikev1-gcm failed east:unchecked west:unchecked
> > - "westnet-eastnet-gcm" #1: unsupported OAKLEY attribute. Attribute OAKLEY_PRF
> > - sends back NO_PROPOSAL_CHOSEN
> Ideally, this would also pick sha1 and not md5 as prf and then work. It
> related to the default proposal set I think.
I suspect it is. West sends:
| ******emit ISAKMP Oakley attribute:
| af+type: OAKLEY_PRF (0x800d)
| length/value: 2 (0x2)
| [2 is 2??]
and the other end responds with:
| ******parse ISAKMP Oakley attribute:
| af+type: OAKLEY_PRF (0x800d)
| length/value: 2 (0x2)
"westnet-eastnet-gcm" #1: unsupported OAKLEY attribute. Attribute OAKLEY_PRF
so it may simply be general confusion?
> Tests should always run with the fipscheck and labeled ipsec and audit
> support enabled. The only reason we have not made those the default is
> that debian/ubuntu was missing those packages. I am not sure if they are
> still missing or not.
So all fedora builds should, by default, have those options enabled?
Andrew
More information about the Swan-dev
mailing list