[Swan-dev] fips test results

Paul Wouters paul at nohats.ca
Thu Jul 16 00:08:55 EEST 2015 

On Wed, 15 Jul 2015, Andrew Cagney wrote:

> The known-good output includes the line:
>  002 "westnet-eastnet-md5" #1: STATE_PARENT_I1: received
> unauthenticated v2N_NO_PROPOSAL_CHOSEN - ignored
> I think that's sufficient.  The tweak was to add:
>  certutil out:Password changed successfully.
> to east.

Ahh good.

>>> fips-01-ikev1-default incomplete east:truncated west:truncated
>>> fips-03-ikev1-md5 failed east:unchecked west:unchecked
>>> fips-06-ikev1-sha1 incomplete east:truncated west:truncated
>>> - the good news is that they no longer crash
>>> - sends back SITUATION_NOT_SUPPORTED
>>> - I suspect IKEv1 lacks logic to filter out non-FIPS tests?
>>
>>
>> Ideally, the first and third one should work, using sha1. Only the md5
>> hardcoded one should fail.
>
> I'm beginning to suspect that, at least for fips-06-ikev1-sha1, west
> is the one messing up.   It seems to ignore the proposal from east?

guess that needs fixing still then.

>>> - IKEv1 uses MD5 to check for NAT and FIPS doesn't have MD5 so I'm not
>>> sure how far the test will get
>
> I added some tracing and it looks like the MD5 code is working.
> Probably because it uses PK11_CreateDigestContext(SEC_OID_MD5) and
> that doesn't seem to require an NSS SLOT.

Oh okay. That's perfect then.

>>> fips-05-ikev1-gcm failed east:unchecked west:unchecked
>>> - "westnet-eastnet-gcm" #1: unsupported OAKLEY attribute.  Attribute OAKLEY_PRF
>>> - sends back NO_PROPOSAL_CHOSEN
>
>> Ideally, this would also pick sha1 and not md5 as prf and then work. It
>> related to the default proposal set I think.
>
> I suspect it is.  West sends:
>
> | ******emit ISAKMP Oakley attribute:
> |    af+type: OAKLEY_PRF (0x800d)
> |    length/value: 2 (0x2)
> |     [2 is 2??]

I think that's sha1.

>> Tests should always run with the fipscheck and labeled ipsec and audit
>> support enabled. The only reason we have not made those the default is
>> that debian/ubuntu was missing those packages. I am not sure if they are
>> still missing or not.
>
> So all fedora builds should, by default, have those options enabled?

Yes. If you look at the packaging/fedora|rhel/*spec files, you see we
build with all of those enabled.

Paul

More information about the Swan-dev mailing list