eclipse-openj9 / openj9

Eclipse OpenJ9: A Java Virtual Machine for OpenJDK that's optimized for small footprint, fast start-up, and high throughput. Builds on Eclipse OMR (https://github.com/eclipse/omr) and combines with the Extensions for OpenJDK for OpenJ9 repo.
Other
3.28k stars 722 forks source link

jdk_security3_0_FAILED error:0609D0C8:digital envelope routines:int_ctx_new:disabled for FIPS #18254

Open JasonFengJ9 opened 1 year ago

JasonFengJ9 commented 1 year ago

Failure link

From an internal build(rhel84s390x-fips2):

openjdk version "11.0.21" 2023-10-17
IBM Semeru Runtime Open Edition 11.0.21.0-m2 (build 11.0.21+8)
Eclipse OpenJ9 VM 11.0.21.0-m2 (build v0.41.0-release-3ede3b5a4, JRE 11 Linux s390x-64-Bit Compressed References 20231003_750 (JIT enabled, AOT enabled)
OpenJ9   - 3ede3b5a4
OMR      - fa7b6ddc7
JCL      - 9a8aed1286 based on jdk-11.0.21+8)

Rerun in Grinder - Change TARGET to run only the failed test targets.

Optional info

Failure output (captured from console output)

[2023-10-03T19:01:51.755Z] variation: Mode150
[2023-10-03T19:01:51.755Z] JVM_OPTIONS:  -XX:+UseCompressedOops

[2023-10-03T19:08:43.610Z] TEST: javax/net/ssl/DTLS/DTLSRehandshakeWithCipherChangeTest.java

[2023-10-03T19:08:43.623Z] STDERR:
[2023-10-03T19:08:43.623Z] An OpenSSL error occurred
[2023-10-03T19:08:43.623Z] error:0609D0C8:digital envelope routines:int_ctx_new:disabled for FIPS
[2023-10-03T19:08:43.623Z] error:0609D0C8:digital envelope routines:int_ctx_new:disabled for FIPS
[2023-10-03T19:08:43.623Z] error:0609D0C8:digital envelope routines:int_ctx_new:disabled for FIPS
[2023-10-03T19:08:43.623Z] error:0609D0C8:digital envelope routines:int_ctx_new:disabled for FIPS
[2023-10-03T19:08:43.623Z] error:0609D0C8:digital envelope routines:int_ctx_new:disabled for FIPS
[2023-10-03T19:08:43.623Z] error:0609D0C8:digital envelope routines:int_ctx_new:disabled for FIPS
[2023-10-03T19:08:43.623Z] error:0609D0C8:digital envelope routines:int_ctx_new:disabled for FIPS
[2023-10-03T19:08:43.623Z] error:0609D0C8:digital envelope routines:int_ctx_new:disabled for FIPS
[2023-10-03T19:08:43.623Z] error:0609D0C8:digital envelope routines:int_ctx_new:disabled for FIPS
[2023-10-03T19:08:43.623Z] error:0609D0C8:digital envelope routines:int_ctx_new:disabled for FIPS
[2023-10-03T19:08:43.624Z] error:0609D0C8:digital envelope routines:int_ctx_new:disabled for FIPS
[2023-10-03T19:08:43.624Z] error:0609D0C8:digital envelope routines:int_ctx_new:disabled for FIPS
[2023-10-03T19:08:43.624Z] error:0609D0C8:digital envelope routines:int_ctx_new:disabled for FIPS
[2023-10-03T19:08:43.624Z] error:0609D0C8:digital envelope routines:int_ctx_new:disabled for FIPS
[2023-10-03T19:08:43.624Z] error:0607B0C8:digital envelope routines:EVP_CipherInit_ex:disabled for FIPS
[2023-10-03T19:08:43.624Z] Test Exception for TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
[2023-10-03T19:08:43.624Z] javax.net.ssl.SSLException: Fail to wrap application data
[2023-10-03T19:08:43.624Z]  at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:133)
[2023-10-03T19:08:43.624Z]  at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:360)
[2023-10-03T19:08:43.624Z]  at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:303)
[2023-10-03T19:08:43.624Z]  at java.base/sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:145)
[2023-10-03T19:08:43.624Z]  at java.base/sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:116)
[2023-10-03T19:08:43.624Z]  at java.base/javax.net.ssl.SSLEngine.wrap(SSLEngine.java:482)
[2023-10-03T19:08:43.624Z]  at SSLEngineTestCase.doWrap(SSLEngineTestCase.java:415)
[2023-10-03T19:08:43.624Z]  at SSLEngineTestCase.doWrap(SSLEngineTestCase.java:346)
[2023-10-03T19:08:43.624Z]  at SSLEngineTestCase.handshakeProcess(SSLEngineTestCase.java:1030)
[2023-10-03T19:08:43.624Z]  at SSLEngineTestCase.doHandshake(SSLEngineTestCase.java:598)
[2023-10-03T19:08:43.624Z]  at SSLEngineTestCase.doHandshake(SSLEngineTestCase.java:531)
[2023-10-03T19:08:43.624Z]  at RehandshakeWithCipherChangeTest.testOneCipher(RehandshakeWithCipherChangeTest.java:59)
[2023-10-03T19:08:43.624Z]  at SSLEngineTestCase.testSomeCiphers(SSLEngineTestCase.java:931)
[2023-10-03T19:08:43.624Z]  at SSLEngineTestCase.runTests(SSLEngineTestCase.java:720)
[2023-10-03T19:08:43.624Z]  at RehandshakeWithCipherChangeTest.main(RehandshakeWithCipherChangeTest.java:40)
[2023-10-03T19:08:43.624Z]  at DTLSRehandshakeWithCipherChangeTest.main(DTLSRehandshakeWithCipherChangeTest.java:50)
[2023-10-03T19:08:43.624Z]  at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[2023-10-03T19:08:43.624Z]  at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
[2023-10-03T19:08:43.624Z]  at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
[2023-10-03T19:08:43.624Z]  at java.base/java.lang.reflect.Method.invoke(Method.java:566)
[2023-10-03T19:08:43.624Z]  at com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:127)
[2023-10-03T19:08:43.624Z]  at java.base/java.lang.Thread.run(Thread.java:839)
[2023-10-03T19:08:43.624Z] Caused by: java.security.ProviderException: Error in Native ChaCha20Cipher
[2023-10-03T19:08:43.624Z]  at java.base/com.sun.crypto.provider.NativeChaCha20Cipher.init(NativeChaCha20Cipher.java:616)
[2023-10-03T19:08:43.624Z]  at java.base/com.sun.crypto.provider.NativeChaCha20Cipher.engineInit(NativeChaCha20Cipher.java:361)
[2023-10-03T19:08:43.624Z]  at java.base/javax.crypto.Cipher.implInit(Cipher.java:843)
[2023-10-03T19:08:43.624Z]  at java.base/javax.crypto.Cipher.chooseProvider(Cipher.java:901)
[2023-10-03T19:08:43.624Z]  at java.base/javax.crypto.Cipher.init(Cipher.java:1433)
[2023-10-03T19:08:43.624Z]  at java.base/sun.security.ssl.SSLCipher$T12CC20P1305WriteCipherGenerator$CC20P1305WriteCipher.encrypt(SSLCipher.java:2305)
[2023-10-03T19:08:43.624Z]  at java.base/sun.security.ssl.OutputRecord.d10Encrypt(OutputRecord.java:364)
[2023-10-03T19:08:43.624Z]  at java.base/sun.security.ssl.OutputRecord.encrypt(OutputRecord.java:335)
[2023-10-03T19:08:43.624Z]  at java.base/sun.security.ssl.DTLSOutputRecord$DTLSFragmenter.acquireCiphertext(DTLSOutputRecord.java:508)
[2023-10-03T19:08:43.624Z]  at java.base/sun.security.ssl.DTLSOutputRecord.acquireCiphertext(DTLSOutputRecord.java:302)
[2023-10-03T19:08:43.624Z]  at java.base/sun.security.ssl.DTLSOutputRecord.encode(DTLSOutputRecord.java:216)
[2023-10-03T19:08:43.624Z]  at java.base/sun.security.ssl.DTLSOutputRecord.encode(DTLSOutputRecord.java:197)
[2023-10-03T19:08:43.624Z]  at java.base/sun.security.ssl.SSLEngineImpl.encode(SSLEngineImpl.java:285)
[2023-10-03T19:08:43.624Z]  at java.base/sun.security.ssl.SSLEngineImpl.writeRecord(SSLEngineImpl.java:226)
[2023-10-03T19:08:43.624Z]  at java.base/sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:136)
[2023-10-03T19:08:43.624Z]  ... 18 more
[2023-10-03T19:08:43.624Z] An OpenSSL error occurred

[2023-10-03T21:01:47.268Z] jdk_security3_0_FAILED

Is this because a non-FIPS test running in an FIPS-enabled machine?

FYI @jasonkatonica

jasonkatonica commented 1 year ago

Reading above it appears that this test is not running with the FIPS flag turned on and is expecting non fips results. The openssl library is running in FIPS mode and reports this failure correctly since CHACHA is not supported in FIPS mode. Do we know if the machine that is failing in this case is really set to run in FIPS mode ? By the name rhel84s390x-fips2 i would assume this is the case. This can explain why openssl fails when running chacha test cases.

JasonFengJ9 commented 1 year ago

Reading above it appears that this test is not running with the FIPS flag turned on and is expecting non fips results.

Correct

The openssl library is running in FIPS mode and reports this failure correctly since CHACHA is not supported in FIPS mode.

Is the openssl library hardcoded running in FIPS mode in this FIPS machine rhel84s390x-fips2 regardless the JVM running w/o FIPS flag enabled?

jasonkatonica commented 1 year ago

Is the openssl library hardcoded running in FIPS mode in this FIPS machine rhel84s390x-fips2 regardless the JVM running w/o FIPS flag enabled?

The JVM code which calls openssl does so without checking if the library is, or is not, running in FIPS mode. It simply loads the library and calls the various openssl APIs. In this case the openssl library seems to be configured in FIPS mode on the system and calls to CHACHA fail since that is not a FIPS certified algorithm.

JasonFengJ9 commented 7 months ago

JDK11 x86-64_linux_fips140_2(rhel8x86-svl-rtfips7-1)

[2024-04-06T01:55:40.378Z] variation: NoOptions
[2024-04-06T01:55:40.378Z] JVM_OPTIONS:   -Dsemeru.fips=true

[2024-04-06T01:58:17.681Z]      [test]     [junit] A: Generate EC keypair ...
[2024-04-06T01:58:17.681Z]      [test]     [junit] Shared secrets are the same
[2024-04-06T01:58:17.681Z]      [test]     [junit] AES in CBC mode recovered text is same as cleartext
[2024-04-06T01:58:20.683Z]      [test]     [junit] An OpenSSL error occurred
[2024-04-06T01:58:20.683Z]      [test]     [junit] error:060800C8:digital envelope routines:EVP_DigestInit_ex:disabled for FIPS

[2024-04-06T02:16:29.913Z]      [test]     [junit] Tests run: 1698, Failures: 0, Errors: 11, Skipped: 0, Time elapsed: 1,184.23 sec
[2024-04-06T02:16:29.913Z]      [test] 
[2024-04-06T02:16:29.913Z]      [test] BUILD FAILED
[2024-04-06T02:16:29.913Z]      [test] /home/jenkins/workspace/Test_openjdk11_j9_extended.functional_x86-64_linux_fips140_2_testList_0/jvmtest/functional/OpenJcePlusTests/test.xml:44: Test ibm.jceplus.junit.TestAll failed
[2024-04-06T02:16:29.913Z]      [test] 
[2024-04-06T02:16:29.913Z]      [test] Total time: 20 minutes 45 seconds
[2024-04-06T02:16:29.913Z] 
[2024-04-06T02:16:29.913Z] BUILD FAILED
[2024-04-06T02:16:29.913Z] /home/jenkins/workspace/Test_openjdk11_j9_extended.functional_x86-64_linux_fips140_2_testList_0/jvmtest/functional/OpenJcePlusTests/test.xml:33: Java returned: 1
[2024-04-06T02:16:29.913Z] 
[2024-04-06T02:16:29.913Z] Total time: 20 minutes 48 seconds
[2024-04-06T02:16:29.913Z] -----------------------------------
[2024-04-06T02:16:29.913Z] openJcePlusTests_0_FAILED