Open JasonFengJ9 opened 1 year ago
Reading above it appears that this test is not running with the FIPS flag turned on and is expecting non fips results. The openssl library is running in FIPS mode and reports this failure correctly since CHACHA is not supported in FIPS mode. Do we know if the machine that is failing in this case is really set to run in FIPS mode ? By the name rhel84s390x-fips2
i would assume this is the case. This can explain why openssl fails when running chacha test cases.
Reading above it appears that this test is not running with the FIPS flag turned on and is expecting non fips results.
Correct
The openssl library is running in FIPS mode and reports this failure correctly since CHACHA is not supported in FIPS mode.
Is the openssl library hardcoded running in FIPS mode in this FIPS machine rhel84s390x-fips2
regardless the JVM running w/o FIPS flag enabled?
Is the openssl library hardcoded running in FIPS mode in this FIPS machine
rhel84s390x-fips2
regardless the JVM running w/o FIPS flag enabled?
The JVM code which calls openssl does so without checking if the library is, or is not, running in FIPS mode. It simply loads the library and calls the various openssl APIs. In this case the openssl library seems to be configured in FIPS mode on the system and calls to CHACHA fail since that is not a FIPS certified algorithm.
JDK11 x86-64_linux_fips140_2(rhel8x86-svl-rtfips7-1
)
[2024-04-06T01:55:40.378Z] variation: NoOptions
[2024-04-06T01:55:40.378Z] JVM_OPTIONS: -Dsemeru.fips=true
[2024-04-06T01:58:17.681Z] [test] [junit] A: Generate EC keypair ...
[2024-04-06T01:58:17.681Z] [test] [junit] Shared secrets are the same
[2024-04-06T01:58:17.681Z] [test] [junit] AES in CBC mode recovered text is same as cleartext
[2024-04-06T01:58:20.683Z] [test] [junit] An OpenSSL error occurred
[2024-04-06T01:58:20.683Z] [test] [junit] error:060800C8:digital envelope routines:EVP_DigestInit_ex:disabled for FIPS
[2024-04-06T02:16:29.913Z] [test] [junit] Tests run: 1698, Failures: 0, Errors: 11, Skipped: 0, Time elapsed: 1,184.23 sec
[2024-04-06T02:16:29.913Z] [test]
[2024-04-06T02:16:29.913Z] [test] BUILD FAILED
[2024-04-06T02:16:29.913Z] [test] /home/jenkins/workspace/Test_openjdk11_j9_extended.functional_x86-64_linux_fips140_2_testList_0/jvmtest/functional/OpenJcePlusTests/test.xml:44: Test ibm.jceplus.junit.TestAll failed
[2024-04-06T02:16:29.913Z] [test]
[2024-04-06T02:16:29.913Z] [test] Total time: 20 minutes 45 seconds
[2024-04-06T02:16:29.913Z]
[2024-04-06T02:16:29.913Z] BUILD FAILED
[2024-04-06T02:16:29.913Z] /home/jenkins/workspace/Test_openjdk11_j9_extended.functional_x86-64_linux_fips140_2_testList_0/jvmtest/functional/OpenJcePlusTests/test.xml:33: Java returned: 1
[2024-04-06T02:16:29.913Z]
[2024-04-06T02:16:29.913Z] Total time: 20 minutes 48 seconds
[2024-04-06T02:16:29.913Z] -----------------------------------
[2024-04-06T02:16:29.913Z] openJcePlusTests_0_FAILED
Failure link
From an internal build(
rhel84s390x-fips2
):Rerun in Grinder - Change TARGET to run only the failed test targets.
Optional info
Failure output (captured from console output)
Is this because a non-FIPS test running in an FIPS-enabled machine?
FYI @jasonkatonica