Closed sharkcz closed 3 years ago
And there is the same failure with --with-libica-cex too.
Hi, I can only reproduce this with libica in FIPS mode and a damaged .hmac file. Could you please check your syslog/journalctl to see if you find a message like "Libica FIPS library integrity check failed."? If so, this is not (really) a problem in ibmca but in your libica package. Arguably the ibmca test could check if libica is reporting some FIPS error and skip these tests, but that would cause some problems in the test setup as it is since the test does not even know which libica is used by ibmca.
To be a bit more precise regarding which information I need:
I can reproduce this problem when answering question 1 with yes and question 3 with no (or with "the content is invalid"). In this case, that error is expected since the ibmca is installed/tested on a broken setup.
yes, libica is built in FIPS mode, installed as /usr/lib64/libica.so.3 and the hmac file is present (/usr/lib64/.libica.so.3.hmac)
You are right, there is something wrong with libica, the journal has
May 31 11:41:46 rock-kvmlp-fedora.z14.bos.redhat.com eckey[999983]: Libica RSA test failed.
after running the ibmca test-suite. The libica test-suite runs OK.
I have tried building ibmca against libica without FIPS support, and I get the same failure in the eckey test ...
What is your OpenSSL EC configuration? Do you have OPENSSL_NO_EC defined in /usr/include/openssl/opensslconf-s390x.h? If so, that explains the problem and we should probably skip the test in this case. I was assuming nobody has this define on s390x anymore. Otherwise I cannot reproduce this problem. Would it be possible to get access to the packages? I have a F34 running on a machine and would like to have a look at the problem. If possible, please provide the libica 3.8.0, the used openssl package, and the ibmca package. Preferably of course with debugging information.
Actually there is a problem with the HMAC. I will open a separate libica issue for it. Now to double check the non-FIPS scenario ...
from /usr/include/openssl/opensslconf-s390x.h
#ifndef OPENSSL_NO_EC2M
# define OPENSSL_NO_EC2M
#endif
#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
# define OPENSSL_NO_EC_NISTP_64_GCC_128
#endif
I have retested with the non-FIPS build of libica after a reboot and I am still getting the failure. Please download the rpm I used from https://fedora.danny.cz/s390/libica/
I see the problem now. You are running on a z14 without crypto cards assigned to your machine. In that case, ibmca does not register for the EC_KEY subsystem. So the test should actually be skipped. However, I do not see an easy way to detect this setting from within the test. When testing either with crypto cards or on a z15 the test passes for me.
OK, makes sense
I have a - well, let's call it a workaround in the linked PR. I do not really like it since it now just says "If the engine did not register for the EC_KEY subsystem, just skip the test" without actually checking that it is okay not to register with the EC_KEY subsystem. But that is the best I could come up with.
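As an added illustration of the two causes sorted out in this thread (a libica whose self-tests fail versus an ibmca that simply did not register an EC_KEY method), here is a pre-flight check a test driver could run before eckey. This is example code written for this page, not code from the ibmca project or the linked PR; it assumes `openssl engine -c ibmca` prints its capabilities as a bracketed comma-separated list (OpenSSL 1.1.x style) and that libica logs failures in the form quoted above, and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example, not code from the ibmca project or this thread: a pre-flight check
# for the eckey test that separates the two causes discussed above (broken libica
# self-tests vs. ibmca simply not registering an EC_KEY method).
# Assumptions: `openssl engine -c ibmca` (OpenSSL 1.1.x) prints the capabilities as
# a bracketed, comma-separated list such as " [RSA, DSA, DH, EC, RAND, ...]", and
# libica logs its self-test failures in the form quoted in this thread.

# Exit 0 if the engine listing on stdin advertises EC, i.e. the engine registered
# for the EC_KEY subsystem; exit 1 otherwise.
engine_has_ec() {
    grep '^[[:space:]]*\[' \
      | sed 's/[][]//g' \
      | tr ',' '\n' \
      | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
      | grep -qx 'EC'
}

# Exit 0 if the journal text on stdin carries a libica FIPS integrity or
# algorithm self-test failure (e.g. "Libica RSA test failed.").
libica_selftest_failed() {
    grep -qE 'Libica (FIPS library integrity check|[A-Za-z0-9-]+ test) failed'
}

# Decide what the eckey test should do for a given engine listing ($1) and
# journal excerpt ($2). Prints one of: fail-libica | skip-no-ec | run
eckey_disposition() {
    if printf '%s\n' "$2" | libica_selftest_failed; then
        echo fail-libica   # libica is broken; the ibmca result is not meaningful
    elif ! printf '%s\n' "$1" | engine_has_ec; then
        echo skip-no-ec    # no EC_KEY method registered (e.g. z14 without crypto cards)
    else
        echo run
    fi
}

# Constructed sample inputs (in real use: `openssl engine -c ibmca` and
# `journalctl -b | grep -i libica`).
ENGINE_WITH_EC='(ibmca) Ibmca hardware engine support
 [RSA, DSA, DH, EC, RAND, AES-128-ECB, AES-128-CBC]'
ENGINE_WITHOUT_EC='(ibmca) Ibmca hardware engine support
 [RSA, DSA, DH, RAND, AES-128-ECB, AES-128-CBC]'
JOURNAL_BAD='May 31 11:41:46 host eckey[999983]: Libica RSA test failed.'
JOURNAL_OK='May 31 11:41:40 host systemd[1]: Started Session 1 of user test.'

eckey_disposition "$ENGINE_WITHOUT_EC" "$JOURNAL_OK"   # prints: skip-no-ec
```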
I am in the process of updating libica and openssl-ibmca in Fedora and I have encountered a new test failure in eckey. The system is Fedora 34 on z14 LPAR, with libica 3.8.0 and openssl-1.1.1k-1.fc34.s390x installed. Will retry with --with-libica-cex too.
test log