sonic-net / sonic-fips

SONiC FIPS module

Non FIPS Approved Ciphers/Algorithms Should not be allowed when FIPS is enabled #62

Open wumiaont opened 1 month ago

wumiaont commented 1 month ago

FIPS requires that non-FIPS-approved ciphers/algorithms not be allowed when FIPS is enabled on the SONiC platform. It was found that algorithms such as ChaCha20 are still supported by OpenSSL under FIPS mode.

A solution could be bringing openssl-fips.conf back, adding the following to openssl-fips.conf:

```ini
[openssl_init]
providers = provider_sect
alg_section = evp_properties

[evp_properties]
default_properties = "fips=yes"
```

Another approach could be adding `EVP_default_properties_enable_fips(NULL, 1)` to the 30-load-symcrypt-engine-provider.patch, which does the same work as the above configuration to enable FIPS for the default properties.
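As an added example (not code from sonic-fips or OpenSSL), here is a small Python check for the configuration approach described above: it parses enough of the openssl.cnf syntax to follow `openssl_init -> alg_section -> default_properties` and reports whether a mandatory `fips=yes` clause is in effect. The three embedded configs are constructed samples: the first is the snippet proposed in this issue, the second only activates the FIPS provider (no default property query), and the third uses the optional `?fips=yes` form, which prefers FIPS implementations but does not exclude non-FIPS ones such as ChaCha20. The `EVP_default_properties_enable_fips()` alternative sets the same `fips=yes` default query at runtime and cannot be checked from the config file.

```python
"""Check whether an OpenSSL 3.x config enforces 'fips=yes' default properties.
Added example for this issue, not code from sonic-fips or OpenSSL."""
import re

SECTION_RE = re.compile(r"^\[\s*(?P<name>[^\]]+?)\s*\]$")


def parse_openssl_cnf(text):
    """Return {section: {key: value}} for the openssl.cnf subset we need:
    [section] headers, key = value, '#' comments, double-quoted values.
    '.include' lines are skipped and $variable expansion is not done."""
    sections = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(".include"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, {})
            continue
        if "=" not in line:
            raise ValueError(f"unparseable config line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        sections[current][key] = value
    return sections


def parse_property_query(query):
    """Parse 'fips=yes, ?provider=default' into {name: (value, optional)}.
    A leading '?' makes the clause a preference that excludes nothing."""
    result = {}
    for clause in (c.strip() for c in query.split(",")):
        if not clause:
            continue
        optional = clause.startswith("?")
        clause = clause.lstrip("?").strip()
        if "=" in clause:
            name, value = (p.strip() for p in clause.split("=", 1))
        else:  # a bare name such as 'fips' is shorthand for 'fips=yes'
            name, value = clause, "yes"
        result[name] = (value.strip('"'), optional)
    return result


def fips_default_enforced(sections):
    """Return (enforced, reason). True only when a mandatory fips=yes clause
    is in effect; anything weaker leaves non-FIPS algorithms fetchable."""
    init = sections.get("openssl_init")
    if init is None:
        return False, "no [openssl_init] section"
    alg_name = init.get("alg_section")
    if alg_name is None:
        return False, "[openssl_init] has no alg_section"
    alg = sections.get(alg_name)
    if alg is None:
        return False, f"alg_section points at missing section [{alg_name}]"
    query = alg.get("default_properties")
    if query is None:
        return False, f"[{alg_name}] has no default_properties"
    clause = parse_property_query(query).get("fips")
    if clause is None:
        return False, f"default_properties={query!r} has no fips clause"
    value, optional = clause
    if value != "yes":
        return False, f"fips={value} does not require FIPS implementations"
    if optional:
        return False, "?fips=yes only prefers FIPS implementations"
    return True, f"default_properties={query!r} restricts fetches to fips=yes"


# Constructed sample: the snippet proposed in this issue.
ISSUE_SNIPPET_CNF = """
[openssl_init]
providers = provider_sect
alg_section = evp_properties

[evp_properties]
default_properties = "fips=yes"
"""

# Constructed sample: FIPS provider activated but no default property
# query, so the default provider's ChaCha20 stays fetchable.
PROVIDER_ONLY_CNF = """
[openssl_init]
providers = provider_sect
[provider_sect]
fips = fips_sect
[fips_sect]
activate = 1
"""

# Constructed sample: the optional '?' form prefers but does not enforce.
PREFER_ONLY_CNF = ISSUE_SNIPPET_CNF.replace('"fips=yes"', '"?fips=yes"')

if __name__ == "__main__":
    for cnf in (ISSUE_SNIPPET_CNF, PROVIDER_ONLY_CNF, PREFER_ONLY_CNF):
        print(fips_default_enforced(parse_openssl_cnf(cnf)))
```

Only the first sample passes; the other two are the shapes that look FIPS-enabled at a glance (provider loaded, or a `?fips=yes` preference) while still letting `EVP_CIPHER_fetch()` return non-FIPS implementations, which is exactly the gap this issue reports.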

xumia commented 1 month ago

@wumiaont, after enabling the config, 65 UTs failed.

```text
Test Summary Report
02-test_internal_context.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1
03-test_internal_curve448.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1
03-test_internal_ffc.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1
03-test_internal_sm2.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1
03-test_property.t (Wstat: 256 (exited 1) Tests: 2 Failed: 1) Failed test: 1 Non-zero exit status: 1
04-test_encoder_decoder.t (Wstat: 256 (exited 1) Tests: 2 Failed: 1) Failed test: 1 Non-zero exit status: 1
04-test_encoder_decoder_legacy.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1
04-test_nodefltctx.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1
04-test_pem_read_depr.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1
04-test_provider_fallback.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1
05-test_des.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1
05-test_hmac.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1
05-test_pbe.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1
05-test_rand.t (Wstat: 256 (exited 1) Tests: 4 Failed: 1) Failed test: 1 Non-zero exit status: 1
06-test_algorithmid.t (Wstat: 256 (exited 1) Tests: 11 Failed: 1) Failed test: 3 Non-zero exit status: 1
15-test_dh.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1
15-test_dsa.t (Wstat: 512 (exited 2) Tests: 7 Failed: 2) Failed tests: 2-3 Non-zero exit status: 2
15-test_dsaparam.t (Wstat: 2048 (exited 8) Tests: 28 Failed: 8) Failed tests: 5-6, 11-14, 21-22 Non-zero exit status: 8
15-test_ec.t (Wstat: 768 (exited 3) Tests: 15 Failed: 3) Failed tests: 2, 12-13 Non-zero exit status: 3
15-test_gendh.t (Wstat: 768 (exited 3) Tests: 9 Failed: 3) Failed tests: 3-5 Non-zero exit status: 3
15-test_gendhparam.t (Wstat: 2304 (exited 9) Tests: 16 Failed: 9) Failed tests: 1, 3-5, 8, 11-14 Non-zero exit status: 9
15-test_gendsa.t (Wstat: 2304 (exited 9) Tests: 11 Failed: 9) Failed tests: 1-5, 7-10 Non-zero exit status: 9
15-test_genec.t (Wstat: 65024 (exited 254) Tests: 1144 Failed: 1081) Failed tests: 4-117, 124-141, 148-153, 160-165, 172-237 244-969, 976-981, 988-993, 1000-1005, 1012-1017 1024-1144 Non-zero exit status: 254
15-test_genrsa.t (Wstat: 512 (exited 2) Tests: 15 Failed: 2) Failed tests: 14-15 Non-zero exit status: 2
15-test_rsa.t (Wstat: 256 (exited 1) Tests: 12 Failed: 1) Failed test: 12 Non-zero exit status: 1
15-test_sha.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1
20-test_dgst.t (Wstat: 1536 (exited 6) Tests: 13 Failed: 6) Failed tests: 3, 8-12 Non-zero exit status: 6
20-test_dhparam.t (Wstat: 1536 (exited 6) Tests: 21 Failed: 6) Failed tests: 9-13, 16 Non-zero exit status: 6
20-test_enc_more.t (Wstat: 29440 (exited 115) Tests: 132 Failed: 115) Failed tests: 5, 7, 9, 12, 14, 16, 19, 21, 23, 27-132 Non-zero exit status: 115
20-test_kdf.t (Wstat: 2816 (exited 11) Tests: 19 Failed: 11) Failed tests: 4-7, 12-15, 17-19 Non-zero exit status: 11
20-test_mac.t (Wstat: 512 (exited 2) Tests: 13 Failed: 4) Failed tests: 3-4, 8, 11 Non-zero exit status: 2 Parse errors: Bad plan. You planned 26 tests but ran 13.
20-test_pkeyutl.t (Wstat: 2816 (exited 11) Tests: 14 Failed: 11) Failed tests: 1-8, 11, 13-14 Non-zero exit status: 11
20-test_spkac.t (Wstat: 512 (exited 2) Tests: 4 Failed: 2) Failed tests: 1-2 Non-zero exit status: 2
25-test_req.t (Wstat: 1024 (exited 4) Tests: 46 Failed: 4) Failed tests: 11, 13-14, 16 Non-zero exit status: 4
25-test_verify.t (Wstat: 1280 (exited 5) Tests: 166 Failed: 5) Failed tests: 108, 110, 155, 161-162 Non-zero exit status: 5
25-test_x509.t (Wstat: 512 (exited 2) Tests: 28 Failed: 2) Failed tests: 6, 17 Non-zero exit status: 2
30-test_aesgcm.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1
30-test_defltfips.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1
30-test_evp.t (Wstat: 768 (exited 3) Tests: 72 Failed: 3) Failed tests: 2, 16, 20 Non-zero exit status: 3
30-test_evp_kdf.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1
30-test_evp_libctx.t (Wstat: 512 (exited 2) Tests: 2 Failed: 2) Failed tests: 1-2 Non-zero exit status: 2
30-test_evp_pkey_provided.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1
30-test_pkey_meth_kdf.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1
65-test_cmp_msg.t (Wstat: 256 (exited 1) Tests: 2 Failed: 1) Failed test: 2 Non-zero exit status: 1
70-test_asyncio.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1
70-test_bad_dtls.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1
70-test_clienthello.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1
70-test_comp.t (Wstat: 256 (exited 1) Tests: 4 Failed: 1) Failed test: 1 Non-zero exit status: 1
70-test_key_share.t (Wstat: 2304 (exited 9) Tests: 23 Failed: 9) Failed tests: 1, 4, 6-7, 13-14, 20-21, 23 Non-zero exit status: 9
70-test_recordlen.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1
70-test_renegotiation.t (Wstat: 512 (exited 2) Tests: 5 Failed: 2) Failed tests: 1, 3 Non-zero exit status: 2
70-test_servername.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1
70-test_sslcertstatus.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1
70-test_sslextension.t (Wstat: 1024 (exited 4) Tests: 8 Failed: 4) Failed tests: 3, 5-6, 8 Non-zero exit status: 4
70-test_sslmessages.t (Wstat: 7424 (exited 29) Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 29 Parse errors: Bad plan. You planned 21 tests but ran 1.
70-test_sslrecords.t (Wstat: 2560 (exited 10) Tests: 20 Failed: 10) Failed tests: 2, 5, 7, 11, 14-15, 17-20 Non-zero exit status: 10
70-test_sslsessiontick.t (Wstat: 7424 (exited 29) Tests: 3 Failed: 3) Failed tests: 1-3 Non-zero exit status: 29 Parse errors: Bad plan. You planned 10 tests but ran 3.
70-test_sslsigalgs.t (Wstat: 3072 (exited 12) Tests: 26 Failed: 12) Failed tests: 1, 6, 9-10, 15-16, 19, 21-23, 25-26 Non-zero exit status: 12
70-test_sslsignature.t (Wstat: 256 (exited 1) Tests: 4 Failed: 1) Failed test: 1 Non-zero exit status: 1
70-test_sslversions.t (Wstat: 1024 (exited 4) Tests: 8 Failed: 4) Failed tests: 3, 5-7 Non-zero exit status: 4
70-test_sslvertol.t (Wstat: 512 (exited 2) Tests: 3 Failed: 2) Failed tests: 1-2 Non-zero exit status: 2
70-test_tls13alerts.t (Wstat: 65280 (exited 255) Tests: 0 Failed: 0) Non-zero exit status: 255 Parse errors: No plan found in TAP output
70-test_tls13cookie.t (Wstat: 512 (exited 2) Tests: 2 Failed: 2) Failed tests: 1-2 Non-zero exit status: 2
70-test_tls13downgrade.t (Wstat: 512 (exited 2) Tests: 6 Failed: 2) Failed tests: 5-6 Non-zero exit status: 2
70-test_tls13hrr.t (Wstat: 28416 (exited 111) Tests: 3 Failed: 0) Non-zero exit status: 111 Parse errors: Bad plan. You planned 4 tests but ran 3.
70-test_tls13kexmodes.t (Wstat: 7424 (exited 29) Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 29 Parse errors: Bad plan. You planned 11 tests but ran 1.
70-test_tls13messages.t (Wstat: 7424 (exited 29) Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 29 Parse errors: Bad plan. You planned 17 tests but ran 1.
70-test_tls13psk.t (Wstat: 7424 (exited 29) Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 29 Parse errors: Bad plan. You planned 5 tests but ran 1.
70-test_tlsextms.t (Wstat: 7424 (exited 29) Tests: 4 Failed: 4) Failed tests: 1-4 Non-zero exit status: 29 Parse errors: Bad plan. You planned 10 tests but ran 4.
80-test_cipherlist.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1
80-test_cmp_http.t (Wstat: 1280 (exited 5) Tests: 6 Failed: 5) Failed tests: 1-5 Non-zero exit status: 5
80-test_cms.t (Wstat: 512 (exited 2) Tests: 17 Failed: 2) Failed tests: 4-5 Non-zero exit status: 2
80-test_dtls.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1
80-test_dtls_mtu.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1
80-test_pkcs12.t (Wstat: 3328 (exited 13) Tests: 13 Failed: 13) Failed tests: 1-13 Non-zero exit status: 13
80-test_ssl_new.t (Wstat: 7168 (exited 28) Tests: 30 Failed: 28) Failed tests: 1-21, 23-28, 30 Non-zero exit status: 28
80-test_ssl_old.t (Wstat: 768 (exited 3) Tests: 6 Failed: 3) Failed tests: 1, 3-4 Non-zero exit status: 3
80-test_sslcorrupt.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1
90-test_bio_enc.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1
90-test_sslapi.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1
90-test_sslbuffers.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1
90-test_store.t (Wstat: 512 (exited 2) Tests: 8 Failed: 0) Non-zero exit status: 2 Parse errors: Bad plan. You planned 434 tests but ran 8.
90-test_threads.t (Wstat: 256 (exited 1) Tests: 2 Failed: 1) Failed test: 1 Non-zero exit status: 1
90-test_tls13ccs.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1
90-test_tls13secrets.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1
Files=245, Tests=2696, 685 wallclock secs ( 4.60 usr 0.68 sys + 269.83 cusr 49.67 csys = 324.78 CPU)
Result: FAIL
make[1]: [Makefile:3261: run_tests] Error 1
make[1]: Leaving directory '/home/xumia/fips3/src/openssl/build_shared'
make: [Makefile:3256: tests] Error 2
```

wumiaont commented 2 weeks ago

I tried OpenSSL 3.0 and ran the self-tests. When the above config is applied to enable FIPS mode for OpenSSL, lots of self-tests failed.

This makes sense, as many self-tests are not FIPS compliant, so disabling those non-FIPS-compliant algorithms/ciphers will make tests using those algorithms fail.