[Swan-dev] fips test results
Paul Wouters
paul at nohats.ca
Thu Jul 16 00:08:55 EEST 2015
On Wed, 15 Jul 2015, Andrew Cagney wrote:
> The known-good output includes the line:
> 002 "westnet-eastnet-md5" #1: STATE_PARENT_I1: received
> unauthenticated v2N_NO_PROPOSAL_CHOSEN - ignored
> I think that's sufficient. The tweak was to add:
> certutil out:Password changed successfully.
> to east.
Ahh good.
>>> fips-01-ikev1-default incomplete east:truncated west:truncated
>>> fips-03-ikev1-md5 failed east:unchecked west:unchecked
>>> fips-06-ikev1-sha1 incomplete east:truncated west:truncated
>>> - the good news is that they no longer crash
>>> - sends back SITUATION_NOT_SUPPORTED
>>> - I suspect IKEv1 lacks logic to filter out non-FIPS tests?
>>
>>
>> Ideally, the first and third one should work, using sha1. Only the md5
>> hardcoded one should fail.
>
> I'm beginning to suspect that, at least for fips-06-ikev1-sha1, west
> is the one messing up. It seems to ignore the proposal from east?
Guess that needs fixing still then.
>>> - IKEv1 uses MD5 to check for NAT and FIPS doesn't have MD5 so I'm not
>>> sure how far the test will get
>
> I added some tracing and it looks like the MD5 code is working.
> Probably because it uses PK11_CreateDigestContext(SEC_OID_MD5) and
> that doesn't seem to require an NSS SLOT.
Oh okay. That's perfect then.
>>> fips-05-ikev1-gcm failed east:unchecked west:unchecked
>>> - "westnet-eastnet-gcm" #1: unsupported OAKLEY attribute. Attribute OAKLEY_PRF
>>> - sends back NO_PROPOSAL_CHOSEN
>
>> Ideally, this would also pick sha1 and not md5 as prf and then work. It's
>> related to the default proposal set I think.
>
> I suspect it is. West sends:
>
> | ******emit ISAKMP Oakley attribute:
> | af+type: OAKLEY_PRF (0x800d)
> | length/value: 2 (0x2)
> | [2 is 2??]
I think that's sha1.
>> Tests should always run with the fipscheck and labeled ipsec and audit
>> support enabled. The only reason we have not made those the default is
>> that debian/ubuntu was missing those packages. I am not sure if they are
>> still missing or not.
>
> So all fedora builds should, by default, have those options enabled?
Yes. If you look at the packaging/fedora|rhel/*spec files, you see we
build with all of those enabled.
Paul
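The "emit ISAKMP Oakley attribute" lines quoted above are libreswan's dump of one attribute in TV form (AF bit set, type 0x0d = OAKLEY_PRF, value 2). As an added example, not code from the thread or from libreswan, here is a small decoder for the ISAKMP data-attribute format (RFC 2408 section 3.3) with the Oakley class names from RFC 2409; the sample bytes are constructed, and the attribute class table is deliberately partial.

```python
import struct

# Oakley attribute classes (RFC 2409 Appendix A); partial table.
OAKLEY_CLASSES = {
    1: "OAKLEY_ENCRYPTION_ALGORITHM", 2: "OAKLEY_HASH_ALGORITHM",
    3: "OAKLEY_AUTHENTICATION_METHOD", 4: "OAKLEY_GROUP_DESCRIPTION",
    11: "OAKLEY_LIFE_TYPE", 12: "OAKLEY_LIFE_DURATION",
    13: "OAKLEY_PRF", 14: "OAKLEY_KEY_LENGTH",
}
# Hash algorithm values from RFC 2409 (only the hash class has these names).
OAKLEY_HASH_VALUES = {1: "MD5", 2: "SHA1", 3: "TIGER"}


def parse_isakmp_attributes(data: bytes):
    """Decode a run of ISAKMP Data Attributes (RFC 2408 section 3.3).

    Each attribute begins with a 16-bit field: top bit AF, low 15 bits the
    attribute type. With AF=1 the next 16 bits are the value (TV form);
    with AF=0 they are a length followed by that many value bytes (TLV).
    Returns (type, name, value) tuples; TV values are int, TLV values bytes.
    """
    attrs, off = [], 0
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated attribute header at offset %d" % off)
        af_type, lv = struct.unpack_from("!HH", data, off)
        off += 4
        attr_type = af_type & 0x7FFF
        name = OAKLEY_CLASSES.get(attr_type, "OAKLEY_UNKNOWN_%d" % attr_type)
        if af_type & 0x8000:                      # TV: lv is the value
            attrs.append((attr_type, name, lv))
        else:                                     # TLV: lv is a byte length
            if off + lv > len(data):
                raise ValueError("truncated attribute value at offset %d" % off)
            attrs.append((attr_type, name, data[off:off + lv]))
            off += lv
    return attrs


def describe(attr):
    """Render one decoded attribute the way the libreswan log above does."""
    attr_type, name, value = attr
    if isinstance(value, bytes):
        return "%s length %d value 0x%s" % (name, len(value), value.hex())
    if attr_type == 2:
        return "%s: %s" % (name, OAKLEY_HASH_VALUES.get(value, str(value)))
    return "%s: %d (0x%x)" % (name, value, value)


# Constructed sample: the PRF attribute from the log (0x800d, value 2), a
# hash attribute selecting SHA1, and a TLV life duration of 3600 seconds.
SAMPLE = bytes.fromhex("800d0002" "80020002" "000c000400000e10")

if __name__ == "__main__":
    for a in parse_isakmp_attributes(SAMPLE):
        print(describe(a))
```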